@openparachute/agent 0.2.2 → 0.2.3-rc.2

package/.parachute/module.json

@@ -52,7 +52,7 @@
         "module": "vault",
         "event": "note.created",
         "filter": {
-          "tags": ["#agent/message/inbound"],
+          "tags": ["agent/message/inbound"],
           "has_metadata": ["channel"],
           "missing_metadata": ["channel_inbound_rendered_at"]
         }
@@ -85,7 +85,7 @@
         "module": "vault",
         "event": "note.created",
         "filter": {
-          "tags": ["#agent/definition"]
+          "tags": ["agent/definition"]
         }
       },
       "sink": {
@@ -110,7 +110,7 @@
         "module": "vault",
         "event": "note.updated",
         "filter": {
-          "tags": ["#agent/definition"]
+          "tags": ["agent/definition"]
         }
       },
       "sink": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/agent",
-  "version": "0.2.2",
+  "version": "0.2.3-rc.2",
   "description": "Vault-native agents for Claude Code — a #agent/definition note + an inbound message becomes a sandboxed claude turn; the reply is written back as a note. Messaging gateway on :1941.",
   "license": "AGPL-3.0",
   "type": "module",

package/src/agent-defs.test.ts

@@ -375,8 +375,8 @@ describe("DefVaultClient", () => {
     const client = new DefVaultClient(binding);
     const notes = await client.listDefNotes();
     expect(urls).toHaveLength(1);
-    // `#agent/definition` → `%23agent%2Fdefinition` (both `#` and `/` encoded).
-    expect(urls[0]).toContain("tag=%23agent%2Fdefinition");
+    // `agent/definition` → `agent%2Fdefinition` (the `/` percent-encoded).
+    expect(urls[0]).toContain("tag=agent%2Fdefinition");
     expect(urls[0]).toContain("include_content=true");
     expect(auth).toBe("Bearer write-token");
     expect(notes.map((n) => n.id)).toEqual(["Agents/uni-dev", "Agents/researcher"]);
@@ -444,7 +444,7 @@ describe("DefVaultClient", () => {
     expect(created.id).toBe("Agents/newbot");
     expect(captured!.method).toBe("POST");
     expect(captured!.url).toContain("/vault/default/api/notes");
-    expect(captured!.body.tags).toEqual(["#agent/definition"]);
+    expect(captured!.body.tags).toEqual(["agent/definition"]);
     expect(captured!.body.content).toBe("P");
     expect((captured!.body.metadata as Record<string, string>).name).toBe("newbot");
     expect(captured!.body.path).toBe("Agents/newbot");
@@ -538,7 +538,7 @@ function vaultFetch(opts: {
       opts.patches?.push({ id, status: meta.status, pending: meta.pending });
       return new Response(null, { status: 200 });
     }
-    if (u.includes("/api/notes?") && u.includes("tag=%23agent%2Fdefinition")) {
+    if (u.includes("/api/notes?") && u.includes("tag=agent%2Fdefinition")) {
       return new Response(JSON.stringify(opts.defs ?? []), {
         status: 200,
         headers: { "content-type": "application/json" },
@@ -678,7 +678,7 @@ describe("AgentDefRegistry — lifecycle", () => {
       const u = String(url);
       const method = init?.method ?? "GET";
       if (method === "PATCH") return new Response(null, { status: 200 });
-      if (u.includes("/api/notes?") && u.includes("tag=%23agent%2Fdefinition")) {
+      if (u.includes("/api/notes?") && u.includes("tag=agent%2Fdefinition")) {
         return new Response(JSON.stringify(present), { status: 200, headers: { "content-type": "application/json" } });
       }
       return new Response("[]", { status: 200 });
@@ -714,7 +714,7 @@ describe("AgentDefRegistry — lifecycle", () => {
       const u = String(url);
       const method = init?.method ?? "GET";
       if (method === "PATCH") return new Response(null, { status: 200 });
-      if (u.includes("/api/notes?") && u.includes("tag=%23agent%2Fdefinition")) {
+      if (u.includes("/api/notes?") && u.includes("tag=agent%2Fdefinition")) {
         return new Response(JSON.stringify(current), { status: 200, headers: { "content-type": "application/json" } });
       }
       return new Response("[]", { status: 200 });
@@ -752,7 +752,7 @@ describe("AgentDefRegistry — lifecycle", () => {
     const fetchFn = (async (url: string | URL | Request) => {
       const u = String(url);
       if (u.includes("/vault/default/")) return new Response("boom", { status: 500 });
-      if (u.includes("/vault/research/") && u.includes("tag=%23agent%2Fdefinition")) {
+      if (u.includes("/vault/research/") && u.includes("tag=agent%2Fdefinition")) {
         return new Response(JSON.stringify([{ id: "r1", content: "role", metadata: { name: "r" } }]), {
           status: 200,
         });
@@ -1217,7 +1217,7 @@ describe("AgentDefRegistry — grant-GC reconcile (#96)", () => {
           );
         }
       }
-      if (u.includes("/api/notes?") && u.includes("tag=%23agent%2Fdefinition")) {
+      if (u.includes("/api/notes?") && u.includes("tag=agent%2Fdefinition")) {
         return new Response(JSON.stringify(present), { status: 200, headers: { "content-type": "application/json" } });
       }
       return new Response("[]", { status: 200 });
@@ -1309,7 +1309,7 @@ describe("AgentDefRegistry — grant-GC reconcile (#96)", () => {
         reconciled.push({ agent: body.agent, liveConnections: body.liveConnections });
         return new Response(JSON.stringify({ pruned: 0 }), { status: 200 });
       }
-      if (u.includes("/api/notes?") && u.includes("tag=%23agent%2Fdefinition")) {
+      if (u.includes("/api/notes?") && u.includes("tag=agent%2Fdefinition")) {
         return new Response(JSON.stringify(present), { status: 200, headers: { "content-type": "application/json" } });
       }
       return new Response("[]", { status: 200 });
@@ -1339,7 +1339,7 @@ describe("AgentDefRegistry — grant-GC reconcile (#96)", () => {
         reconciled.push({ agent: body.agent, liveConnections: body.liveConnections });
         return new Response(JSON.stringify({ pruned: 0 }), { status: 200 });
       }
-      if (u.includes("/api/notes?") && u.includes("tag=%23agent%2Fdefinition")) {
+      if (u.includes("/api/notes?") && u.includes("tag=agent%2Fdefinition")) {
         if (listShouldFail) return new Response("boom", { status: 500 });
         return new Response(JSON.stringify(present), { status: 200, headers: { "content-type": "application/json" } });
       }
@@ -1408,7 +1408,7 @@ function vaultFetchWithDelete(opts: {
       return new Response(status >= 400 ? "delete failed" : null, { status });
     }
     if (method === "PATCH") return new Response(null, { status: 200 });
-    if (u.includes("/api/notes?") && u.includes("tag=%23agent%2Fdefinition")) {
+    if (u.includes("/api/notes?") && u.includes("tag=agent%2Fdefinition")) {
       return new Response(JSON.stringify(opts.defs), {
         status: 200,
         headers: { "content-type": "application/json" },

package/src/agents.test.ts

@@ -77,9 +77,9 @@ describe("buildSpecFromBody", () => {
     const spec = buildSpecFromBody({
       name: "a",
       channels: ["c"],
-      vault: { name: "default", access: "write", tags: ["#agent/message"] },
+      vault: { name: "default", access: "write", tags: ["agent/message"] },
     });
-    expect(spec.vault).toEqual({ name: "default", access: "write", tags: ["#agent/message"] });
+    expect(spec.vault).toEqual({ name: "default", access: "write", tags: ["agent/message"] });
   });
 
   test("rejects a bad filesystem / network value", () => {

package/src/backends/programmatic.test.ts

@@ -210,7 +210,7 @@ function specWithVault(name = "eng"): AgentSpec {
   return {
     name,
     channels: [name],
-    vault: { name: "default", access: "read", tags: ["#agent/message"] },
+    vault: { name: "default", access: "read", tags: ["agent/message"] },
   };
 }
 
@@ -222,7 +222,7 @@ function specWithSystemPrompt(
   return {
     name,
     channels: [name],
-    vault: { name: "default", access: "read", tags: ["#agent/message"] },
+    vault: { name: "default", access: "read", tags: ["agent/message"] },
     systemPrompt: prompt,
     ...(mode ? { systemPromptMode: mode } : {}),
   };
@@ -234,7 +234,7 @@ function specMultiThreaded(name = "eng"): AgentSpec {
     name,
     channels: [name],
     mode: "multi-threaded",
-    vault: { name: "default", access: "read", tags: ["#agent/message"] },
+    vault: { name: "default", access: "read", tags: ["agent/message"] },
   };
 }
 
@@ -735,7 +735,7 @@ function specWithWorkspace(workspace: string, name = "eng"): AgentSpec {
   return {
     name,
     channels: [name],
-    vault: { name: "default", access: "read", tags: ["#agent/message"] },
+    vault: { name: "default", access: "read", tags: ["agent/message"] },
     workspace,
   };
 }
@@ -773,7 +773,7 @@ describe("ProgrammaticBackend.deliver — workspace seam: cwd = workspace, secre
       const spec: AgentSpec = {
         name: "eng",
         channels: ["eng"],
-        vault: { name: "default", access: "read", tags: ["#agent/message"] },
+        vault: { name: "default", access: "read", tags: ["agent/message"] },
         workspace: workspaceDir,
         systemPrompt: "Work in the repo.",
       };

package/src/daemon-agent-defs-api.test.ts

@@ -309,7 +309,7 @@ describe("GET /api/agent-defs", () => {
     fake.seed({
       id: "Agents/uni-dev",
       content: "a".repeat(500), // long prompt → preview truncates to 200.
-      tags: ["#agent/definition"],
+      tags: ["agent/definition"],
       metadata: { name: "uni-dev", backend: "attached", mode: "multi-threaded" },
     });
     const { reg } = registryWithFakeVault({ fake });
@@ -351,7 +351,7 @@ describe("GET /api/agent-defs/:noteId (full def)", () => {
     fake.seed({
       id: "Agents/uni-dev",
       content: "F".repeat(500), // long body → list preview truncates; full returns all.
-      tags: ["#agent/definition"],
+      tags: ["agent/definition"],
       metadata: { name: "uni-dev", backend: "attached", mode: "multi-threaded", wants: "vault:research:read" },
     });
     const { reg } = registryWithFakeVault({ fake });
@@ -459,7 +459,7 @@ describe("POST /api/agent-defs", () => {
     // The note was written to the fake vault, tagged the def tag, body = prompt.
     const written = [...fake.notes.values()].find((n) => n.metadata.name === "newbot");
     expect(written).toBeDefined();
-    expect(written!.tags).toContain("#agent/definition");
+    expect(written!.tags).toContain("agent/definition");
     expect(written!.content).toBe("You are newbot.");
     expect(written!.metadata.backend).toBe("programmatic");
     // It instantiated LIVE (the per-note reload ran ensureChannel + register) — not
@@ -555,7 +555,7 @@ describe("POST /api/agent-defs", () => {
     fake.seed({
       id: "Agents/uni-dev",
       content: "p",
-      tags: ["#agent/definition"],
+      tags: ["agent/definition"],
       metadata: { name: "uni-dev", backend: "programmatic" },
     });
     const { reg } = registryWithFakeVault({ fake });
@@ -586,7 +586,7 @@ describe("PATCH /api/agent-defs/:noteId", () => {
     fake.seed({
       id: "Agents/uni-dev",
       content: "old prompt",
-      tags: ["#agent/definition"],
+      tags: ["agent/definition"],
       metadata: { name: "uni-dev", backend: "programmatic" },
     });
     const { reg, calls } = registryWithFakeVault({ fake });
@@ -657,7 +657,7 @@ describe("DELETE /api/agent-defs/:noteId", () => {
     fake.seed({
       id: "Agents/uni-dev",
       content: "p",
-      tags: ["#agent/definition"],
+      tags: ["agent/definition"],
       metadata: { name: "uni-dev", backend: "programmatic" },
     });
     const { reg, calls } = registryWithFakeVault({ fake });

package/src/daemon-agent-env-api.test.ts

@@ -226,7 +226,7 @@ describe("GET /api/agents/<name>/env — composes all three sources + precedence
     fake.seed({
       id: "Agents/uni-dev",
       content: "You are uni-dev.",
-      tags: ["#agent/definition"],
+      tags: ["agent/definition"],
       metadata: { name: "uni-dev", backend: "programmatic", mode: "single-threaded", wants: "env:github" },
     });
     const grants = grantsClientWith({ github: githubGrantStatus });
@@ -308,7 +308,7 @@ describe("GET /api/agents/<name>/env — resilient when grants/hub unreachable",
     fake.seed({
       id: "Agents/uni-dev",
       content: "You are uni-dev.",
-      tags: ["#agent/definition"],
+      tags: ["agent/definition"],
       metadata: { name: "uni-dev", backend: "programmatic", mode: "single-threaded", wants: "env:github" },
     });
     // A grants client whose hub fetch always throws — registerGrant fails at instantiate,

package/src/daemon-config-api.test.ts

@@ -130,7 +130,7 @@ function inboundBody(noteId: string, channel = "eng") {
       id: noteId,
       path: `channel/${channel}/${noteId}`,
       content: "wake up session",
-      tags: ["#agent/message", "#agent/message/inbound"],
+      tags: ["agent/message", "agent/message/inbound"],
       metadata: { channel, direction: "inbound", sender: "aaron" },
     },
   });
@@ -596,7 +596,7 @@ describe("C — AGENT_VAULT_TRIGGER_TEMPLATE exposed via /.parachute/config", ()
       // re-registration updates the existing trigger in place. The TAG is
       // #agent/message and the webhook is on the /agent mount.
       expect(body.triggerTemplate.name).toBe("channel_inbound_<channel>");
-      expect(body.triggerTemplate.when.tags).toEqual(["#agent/message/inbound"]);
+      expect(body.triggerTemplate.when.tags).toEqual(["agent/message/inbound"]);
       // CONTRACT: the predicate keys on the `agent` routing key (was `channel`).
       expect(body.triggerTemplate.when.has_metadata).toEqual(["agent"]);
       // The rendered-at marker NAME is unchanged (cosmetic/internal).

package/src/daemon-jobs-api.test.ts

@@ -194,7 +194,7 @@ describe("POST /api/jobs — create + validation", () => {
       expect(body.job.noteId).toBe("Channels/eng/jobs/x"); // vault note id for addressing
       const post = calls.find((c) => c.url.endsWith("/api/notes") && c.init.method === "POST")!;
       const sent = JSON.parse(String(post.init.body));
-      expect(sent.tags).toEqual(["#agent/job"]);
+      expect(sent.tags).toEqual(["agent/job"]);
       expect(sent.content).toBe("do it"); // trimmed
       expect(sent.metadata.enabled).toBe("true");
       expect(sent.metadata.jobId).toBe("x");
@@ -224,7 +224,7 @@ describe("POST /api/jobs/:id/run — fire now", () => {
       // The injected note is INBOUND with the #agent/message tags.
       const inject = calls.find((c) => c.url.endsWith("/api/notes") && c.init.method === "POST")!;
       const sent = JSON.parse(String(inject.init.body));
-      expect(sent.tags).toEqual(["#agent/message", "#agent/message/inbound"]);
+      expect(sent.tags).toEqual(["agent/message", "agent/message/inbound"]);
       expect(sent.metadata.sender).toBe("runner:Channels/eng/jobs/x");
     } finally { srv.stop(true); }
   });

package/src/daemon.test.ts

@@ -413,7 +413,7 @@ describe("Vault inbound webhook — POST /api/vault/inbound", () => {
   function body(
     noteId: string,
     extraMeta: Record<string, unknown> = {},
-    tags: string[] = ["#agent/message", "#agent/message/inbound"],
+    tags: string[] = ["agent/message", "agent/message/inbound"],
   ) {
     return JSON.stringify({
       trigger: "channel-inbound",
@@ -546,7 +546,7 @@ describe("Vault inbound webhook — POST /api/vault/inbound", () => {
           note: {
             id: "agent-only-1",
             content: "wake up via agent key",
-            tags: ["#agent/message", "#agent/message/inbound"],
+            tags: ["agent/message", "agent/message/inbound"],
             // NO `channel` field — the routing key is carried ONLY under the new `agent` alias.
             metadata: { agent: "eng", direction: "inbound", sender: "aaron" },
           },
@@ -571,7 +571,7 @@ describe("Vault inbound webhook — POST /api/vault/inbound", () => {
           note: {
             id: "channel-only-1",
             content: "wake up via legacy channel key",
-            tags: ["#agent/message", "#agent/message/inbound"],
+            tags: ["agent/message", "agent/message/inbound"],
             // ONLY the legacy `channel` field — a pre-expand writer; must still route.
             metadata: { channel: "eng", direction: "inbound", sender: "aaron" },
           },
@@ -618,13 +618,13 @@ describe("Vault inbound webhook — POST /api/vault/inbound", () => {
     }
   });
 
-  test("#agent/message/outbound-tagged note is ack'd 200 but NOT emitted (belt-and-suspenders)", async () => {
+  test("agent/message/outbound-tagged note is ack'd 200 but NOT emitted (belt-and-suspenders)", async () => {
     const { srv, base, emitted } = buildVaultServer();
     try {
       const res = await fetch(`${base}/api/vault/inbound?secret=${SECRET}`, {
         method: "POST",
         headers: { "content-type": "application/json" },
-        body: body("ob-1", { direction: "outbound" }, ["#agent/message", "#agent/message/outbound"]),
+        body: body("ob-1", { direction: "outbound" }, ["agent/message", "agent/message/outbound"]),
       });
       expect(res.status).toBe(200);
       expect(emitted).toHaveLength(0);

package/src/jobs.test.ts

@@ -126,7 +126,7 @@ describe("VaultJobStore — vault-native CRUD", () => {
     const jobs = await store.listAll();
     // Only ONE vault transport in the map → queried exactly once (telegram is skipped).
     expect(urls.filter((u) => u.includes("/api/notes")).length).toBe(1);
-    expect(urls[0]).toContain("tag=%23agent%2Fjob");
+    expect(urls[0]).toContain("tag=agent%2Fjob");
     expect(jobs).toHaveLength(2);
     expect(jobs[0]).toMatchObject({
       id: "note-1",
@@ -190,7 +190,7 @@ describe("VaultJobStore — vault-native CRUD", () => {
     expect(saved.noteId).toBe("Channels/uni-dev/jobs/morning");
     expect(calls).toHaveLength(1);
     const body = JSON.parse(String(calls[0]!.init.body));
-    expect(body.tags).toEqual(["#agent/job"]);
+    expect(body.tags).toEqual(["agent/job"]);
     expect(body.path).toBe("Channels/uni-dev/jobs/morning");
     expect(body.metadata.jobId).toBe("morning"); // slug persisted for stable display
     expect(body.content).toBe("Run the morning weave");

package/src/mint-token.test.ts

@@ -68,12 +68,12 @@ describe("mintScopedToken — happy path", () => {
       {
         scope: "vault:default:read",
         audience: "vault.default",
-        permissions: { scoped_tags: ["#agent/message"] },
+        permissions: { scoped_tags: ["agent/message"] },
       },
       depsWith(hub.fetchFn),
     );
     expect(hub.calls[0]!.body.audience).toBe("vault.default");
-    expect(hub.calls[0]!.body.permissions).toEqual({ scoped_tags: ["#agent/message"] });
+    expect(hub.calls[0]!.body.permissions).toEqual({ scoped_tags: ["agent/message"] });
   });
 });
 

package/src/module-manifest.test.ts

@@ -74,7 +74,7 @@ describe("module.json — modular-UI declaration", () => {
     expect(tmpl?.requestedBy).toBe("agent");
     expect(tmpl?.source?.module).toBe("vault");
     expect(tmpl?.source?.event).toBe("note.created");
-    expect(tmpl?.source?.filter?.tags).toContain("#agent/message/inbound");
+    expect(tmpl?.source?.filter?.tags).toContain("agent/message/inbound");
     expect(tmpl?.sink?.module).toBe("agent");
     expect(tmpl?.sink?.action).toBe("message.deliver");
     // It's PARAMETERIZED — the operator picks the vault + names the channel.
@@ -128,7 +128,7 @@ describe("module.json — modular-UI declaration", () => {
       expect(tmpl?.requestedBy).toBe("agent");
       expect(tmpl?.source?.module).toBe("vault");
       // Filters on the def tag — and ONLY that tag (no inbound-message keys).
-      expect(tmpl?.source?.filter?.tags).toEqual(["#agent/definition"]);
+      expect(tmpl?.source?.filter?.tags).toEqual(["agent/definition"]);
       expect(tmpl?.sink?.module).toBe("agent");
       expect(tmpl?.sink?.action).toBe("definition.reload");
       // Parameterized: the operator picks which def-vault. No channel param

package/src/programmatic-wiring.test.ts

@@ -264,7 +264,7 @@ describe("inbound for a programmatic channel → deliver → outbound note", ()
         note: {
           id: noteId,
           content,
-          tags: ["#agent/message", "#agent/message/inbound"],
+          tags: ["agent/message", "agent/message/inbound"],
           metadata: { channel, direction: "inbound", sender: "aaron", ts: "2026-06-16T00:00:01Z" },
         },
       }),
@@ -356,7 +356,7 @@ describe("inbound for an EXPECTED-but-not-yet-registered channel → queued pend
         note: {
           id: noteId,
           content,
-          tags: ["#agent/message", "#agent/message/inbound"],
+          tags: ["agent/message", "agent/message/inbound"],
           metadata: { channel, direction: "inbound", sender: "aaron", ts: "2026-06-16T00:00:01Z" },
         },
       }),

package/src/spawn-agent-cli.test.ts

@@ -16,7 +16,7 @@ describe("parseArgs — name + channels + vault + egress + mounts → the right
       "--channel",
       "ops:read",
       "--vault",
-      "default:read:#agent/message,#decision",
+      "default:read:agent/message,#decision",
       "--egress",
       "registry.npmjs.org,github.com",
       "--mount",
@@ -38,7 +38,7 @@ describe("parseArgs — name + channels + vault + egress + mounts → the right
     expect(spec!.vault).toEqual({
       name: "default",
       access: "read",
-      tags: ["#agent/message", "#decision"],
+      tags: ["agent/message", "#decision"],
     });
 
     // Egress: additive host list, comma-split.

package/src/spawn-agent.test.ts

@@ -448,7 +448,7 @@ describe("spawnAgent — full wiring with stubs (no real token)", () => {
     const spec: AgentSpec = {
       name: "aaron-dev",
       channels: ["aaron-dev"],
-      vault: { name: "default", access: "read", tags: ["#agent/message"] },
+      vault: { name: "default", access: "read", tags: ["agent/message"] },
       network: "restricted", // exercise the egress floor; scoped reads are the default (step 6)
     };
     const res = await spawnAgent(spec, baseDeps({ tmux, sandboxEngine: engine }));
@@ -570,13 +570,13 @@ describe("spawnAgent — full wiring with stubs (no real token)", () => {
     const spec: AgentSpec = {
       name: "weaver",
       channels: ["c"],
-      vault: { name: "default", access: "read", tags: ["#agent/message"] },
+      vault: { name: "default", access: "read", tags: ["agent/message"] },
     };
     await spawnAgent(spec, baseDeps({ fetchFn }));
     const vaultCall = calls.find((c) => String(c.scope).startsWith("vault:"));
     expect(vaultCall).toBeDefined();
     expect(vaultCall!.scope).toBe("vault:default:read");
-    expect(vaultCall!.permissions).toEqual({ scoped_tags: ["#agent/message"] });
+    expect(vaultCall!.permissions).toEqual({ scoped_tags: ["agent/message"] });
   });
 
   test("idempotent: an already-running session is a no-op", async () => {
@@ -674,7 +674,7 @@ describe("spawnAgent — full wiring with stubs (no real token)", () => {
     const spec: AgentSpec = {
       name: "weaver",
       channels: [{ name: "weave", access: "read" }],
-      vault: { name: "default", access: "read", tags: ["#agent/message"] },
+      vault: { name: "default", access: "read", tags: ["agent/message"] },
       network: "restricted",
       egress: ["registry.npmjs.org"],
     };