@ouro.bot/friends 0.1.0-alpha.5 → 0.1.0-alpha.6

package/dist/identity.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveAgentIdentity = resolveAgentIdentity;
+exports.withMigratedIdentity = withMigratedIdentity;
+// Agent identity migrate-on-read (p11 Item 2 — the DID re-key).
+//
+// The durable identity home is `AgentMeta.identity` ({ did, pinnedKey?, handle?,
+// pinnedAt? }). Legacy records carry only the optional `a2a.did` hint (or nothing).
+// `resolveAgentIdentity` reads either, preferring the durable home and lifting
+// `a2a.did` on a miss (migrate-on-read), mirroring FileGrantStore.normalize's
+// legacy-field handling. `withMigratedIdentity` backfills `identity.did` from
+// `a2a.did` so the next `put` persists it forward (migrate-on-write), matching the
+// resolver's local-id migration + the grant subjectFriendId→subjectKey pattern.
+const observability_1 = require("./observability");
+/** Read an agent's durable identity, preferring `meta.identity` and lifting the
+ * legacy `meta.a2a.did` on a miss (migrate-on-read). Returns `{}` for a did-less
+ * or absent meta. (Unit 4a stub — not implemented.) */
+function resolveAgentIdentity(meta) {
+    if (!meta)
+        return {};
+    // Durable home wins (authoritative). Spread only the present optional fields so
+    // a partial identity ({ did } only) doesn't surface undefined keys. SECURITY
+    // (finding 6, LOW): an empty-string did is NOT a did — omit it so it can never be a
+    // matchable identity key (ties to findFriendByDid's falsy-did guard, finding 4).
+    //
+    // NOTE (finding 5-D): when BOTH meta.identity.did and a legacy meta.a2a.did are
+    // present and DIVERGE, the durable home silently wins here. That divergence can be a
+    // tampering signal (a record's legacy hint disagreeing with its pinned identity).
+    // We don't warn from this hot path (resolveAgentIdentity runs per-record in the
+    // findFriendByDid scan and per-audit-derivation); a divergence audit belongs in a
+    // write-time reconciliation (e.g. withMigratedIdentity / the onboard path), not here.
+    if (meta.identity) {
+        const { did, pinnedKey, handle, pinnedAt } = meta.identity;
+        return {
+            ...(did ? { did } : {}),
+            ...(pinnedKey !== undefined ? { pinnedKey } : {}),
+            ...(handle !== undefined ? { handle } : {}),
+            ...(pinnedAt !== undefined ? { pinnedAt } : {}),
+        };
+    }
+    // Migrate-on-read: lift the legacy a2a.did hint when the durable home is absent.
+    // A falsy (absent or empty-string) hint is treated as no-did.
+    if (meta.a2a?.did)
+        return { did: meta.a2a.did };
+    return {};
+}
+/** Return a meta whose `identity.did` is backfilled from `a2a.did` when the durable
+ * home is absent (migrate-on-write); a meta already carrying `identity` is returned
+ * unchanged (no clobber). Absent meta is returned as-is. (Unit 4a stub.) */
+function withMigratedIdentity(meta) {
+    if (!meta)
+        return undefined;
+    // Already carries the durable home → no clobber.
+    if (meta.identity)
+        return meta;
+    // Nothing to migrate from → unchanged. A falsy (absent or empty-string) a2a.did is
+    // not a real did to backfill (finding 6).
+    if (!meta.a2a?.did)
+        return meta;
+    // Backfill identity.did from the legacy a2a.did so the next put persists forward.
+    (0, observability_1.emitNervesEvent)({
+        component: "friends",
+        event: "friends.identity_migrated",
+        message: "backfilled AgentMeta.identity.did from legacy a2a.did",
+        meta: { did: meta.a2a.did },
+    });
+    return { ...meta, identity: { did: meta.a2a.did } };
+}

package/dist/index.d.ts

@@ -29,8 +29,21 @@ export { upsertGroupContextParticipants } from "./group-context";
 export { accumulateFriendTokens } from "./tokens";
 export { applyFriendNote } from "./notes";
 export { setFriendTrust } from "./trust-mutation";
+export type { SetFriendTrustContext } from "./trust-mutation";
+export { MemoryAuditSink, FileAuditSink, auditPathFor } from "./audit";
+export type { AuditSink, ControlPlaneAuditRecord } from "./audit";
 export { linkExternalId, unlinkExternalId } from "./link-identity";
 export { upsertAgentPeer } from "./agent-peer";
+export { resolveAgentIdentity, withMigratedIdentity } from "./identity";
+export type { ResolvedAgentIdentity } from "./identity";
+export { findFriendByDid } from "./friend-lookup";
+export { FileRosterStore, rostersDirFor } from "./roster-store-file";
+export type { RosterStore, AccountRoster, RosterPin } from "./roster-store";
+export { identityRosterVerifier, DEFAULT_ROSTER_VERIFIER } from "./roster-verifier";
+export type { RosterVerifier } from "./roster-verifier";
+export { MemoryRosterStore } from "./roster-store-memory";
+export { evaluateAccountMembership, verifiedCandidate, _resetRosterVerifierWarningForTest } from "./account-roster";
+export type { AccountMembershipDecision, AccountMembershipResult, EvaluateAccountMembershipInput, VerifiedCandidate, } from "./account-roster";
 export { recordRelationshipOutcome } from "./outcomes";
 export { recordMission } from "./missions";
 export type { RecordMissionInput } from "./missions";

package/dist/index.js

@@ -6,8 +6,8 @@
 // multi-agent (a2a peer) aware, consumed through the FriendStore interface +
 // FriendResolver.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.revokeShare = exports.grantShare = exports.importCoordination = exports.prepareCoordination = exports.importMissionShare = exports.prepareMissionShare = exports.importProfileShare = exports.prepareProfileShare = exports.DEFAULT_AGENT_VERIFIER = exports.tofuVerifier = exports.DEFAULT_CONSENT_POLICY = exports.tieredPolicy = exports.trustImpliedPolicy = exports.strictPolicy = exports.resolveRoom = exports.whoami = exports.recordMission = exports.recordRelationshipOutcome = exports.upsertAgentPeer = exports.unlinkExternalId = exports.linkExternalId = exports.setFriendTrust = exports.applyFriendNote = exports.accumulateFriendTokens = exports.upsertGroupContextParticipants = exports.DEFAULT_STANDING_RULE = exports.explainStanding = exports.assessStanding = exports.describeTrustContext = exports.getAlwaysOnSenseNames = exports.isRemoteChannel = exports.channelToFacing = exports.getChannelCapabilities = exports._setMachineOwnerUsernameForTest = exports.isLocalMachineOwnerIdentity = exports.machineOwnerUsername = exports.FriendResolver = exports.openFileBundle = exports.missionsDirFor = exports.FileMissionStore = exports.grantsDirFor = exports.FileGrantStore = exports.FileFriendStore = exports.isCoordinationIntent = exports.isShareScope = exports.isIntegration = exports.isIdentityProvider = exports.isTrustedLevel = exports.IDENTITY_SCOPES = exports.TRUSTED_LEVELS = void 0;
-exports.setNervesEmitter = exports.emitNervesEvent = exports.isGrantEffective = exports.listShares = void 0;
+exports.resolveRoom = exports.whoami = exports.recordMission = exports.recordRelationshipOutcome = exports._resetRosterVerifierWarningForTest = exports.verifiedCandidate = exports.evaluateAccountMembership = exports.MemoryRosterStore = exports.DEFAULT_ROSTER_VERIFIER = exports.identityRosterVerifier = exports.rostersDirFor = exports.FileRosterStore = exports.findFriendByDid = exports.withMigratedIdentity = exports.resolveAgentIdentity = exports.upsertAgentPeer = exports.unlinkExternalId = exports.linkExternalId = exports.auditPathFor = exports.FileAuditSink = exports.MemoryAuditSink = exports.setFriendTrust = exports.applyFriendNote = exports.accumulateFriendTokens = exports.upsertGroupContextParticipants = exports.DEFAULT_STANDING_RULE = exports.explainStanding = exports.assessStanding = exports.describeTrustContext = exports.getAlwaysOnSenseNames = exports.isRemoteChannel = exports.channelToFacing = exports.getChannelCapabilities = exports._setMachineOwnerUsernameForTest = exports.isLocalMachineOwnerIdentity = exports.machineOwnerUsername = exports.FriendResolver = exports.openFileBundle = exports.missionsDirFor = exports.FileMissionStore = exports.grantsDirFor = exports.FileGrantStore = exports.FileFriendStore = exports.isCoordinationIntent = exports.isShareScope = exports.isIntegration = exports.isIdentityProvider = exports.isTrustedLevel = exports.IDENTITY_SCOPES = exports.TRUSTED_LEVELS = void 0;
+exports.setNervesEmitter = exports.emitNervesEvent = exports.isGrantEffective = exports.listShares = exports.revokeShare = exports.grantShare = exports.importCoordination = exports.prepareCoordination = exports.importMissionShare = exports.prepareMissionShare = exports.importProfileShare = exports.prepareProfileShare = exports.DEFAULT_AGENT_VERIFIER = exports.tofuVerifier = exports.DEFAULT_CONSENT_POLICY = exports.tieredPolicy = exports.trustImpliedPolicy = exports.strictPolicy = void 0;
 // -- Values --
 var types_1 = require("./types");
 Object.defineProperty(exports, "TRUSTED_LEVELS", { enumerable: true, get: function () { return types_1.TRUSTED_LEVELS; } });
@@ -52,11 +52,40 @@ var notes_1 = require("./notes");
 Object.defineProperty(exports, "applyFriendNote", { enumerable: true, get: function () { return notes_1.applyFriendNote; } });
 var trust_mutation_1 = require("./trust-mutation");
 Object.defineProperty(exports, "setFriendTrust", { enumerable: true, get: function () { return trust_mutation_1.setFriendTrust; } });
+// -- Control-plane audit (Bug B): append-only record of trust mutations --
+var audit_1 = require("./audit");
+Object.defineProperty(exports, "MemoryAuditSink", { enumerable: true, get: function () { return audit_1.MemoryAuditSink; } });
+Object.defineProperty(exports, "FileAuditSink", { enumerable: true, get: function () { return audit_1.FileAuditSink; } });
+Object.defineProperty(exports, "auditPathFor", { enumerable: true, get: function () { return audit_1.auditPathFor; } });
 var link_identity_1 = require("./link-identity");
 Object.defineProperty(exports, "linkExternalId", { enumerable: true, get: function () { return link_identity_1.linkExternalId; } });
 Object.defineProperty(exports, "unlinkExternalId", { enumerable: true, get: function () { return link_identity_1.unlinkExternalId; } });
 var agent_peer_1 = require("./agent-peer");
 Object.defineProperty(exports, "upsertAgentPeer", { enumerable: true, get: function () { return agent_peer_1.upsertAgentPeer; } });
+// -- Agent identity (p11 Item 2 — DID re-key): durable home + migrate-on-read --
+var identity_1 = require("./identity");
+Object.defineProperty(exports, "resolveAgentIdentity", { enumerable: true, get: function () { return identity_1.resolveAgentIdentity; } });
+Object.defineProperty(exports, "withMigratedIdentity", { enumerable: true, get: function () { return identity_1.withMigratedIdentity; } });
+// did-aware friend lookup (the durable cross-agent primary key is the DID).
+var friend_lookup_1 = require("./friend-lookup");
+Object.defineProperty(exports, "findFriendByDid", { enumerable: true, get: function () { return friend_lookup_1.findFriendByDid; } });
+// -- Account roster (p11 Item 3): pinned roster + TOFU roster-key storage seam --
+var roster_store_file_1 = require("./roster-store-file");
+Object.defineProperty(exports, "FileRosterStore", { enumerable: true, get: function () { return roster_store_file_1.FileRosterStore; } });
+Object.defineProperty(exports, "rostersDirFor", { enumerable: true, get: function () { return roster_store_file_1.rostersDirFor; } });
+// -- RosterVerifier seam (Q1): core declares the interface + identity-only default;
+// the a2a-client provides the Ed25519 impl (host-injected). Core stays crypto-free.
+var roster_verifier_1 = require("./roster-verifier");
+Object.defineProperty(exports, "identityRosterVerifier", { enumerable: true, get: function () { return roster_verifier_1.identityRosterVerifier; } });
+Object.defineProperty(exports, "DEFAULT_ROSTER_VERIFIER", { enumerable: true, get: function () { return roster_verifier_1.DEFAULT_ROSTER_VERIFIER; } });
+var roster_store_memory_1 = require("./roster-store-memory");
+Object.defineProperty(exports, "MemoryRosterStore", { enumerable: true, get: function () { return roster_store_memory_1.MemoryRosterStore; } });
+// -- Account-roster membership (Item 3 payoff): family via same_account for a
+// key-verified, TOFU-pinned roster member; changed roster key hard-fails. --
+var account_roster_1 = require("./account-roster");
+Object.defineProperty(exports, "evaluateAccountMembership", { enumerable: true, get: function () { return account_roster_1.evaluateAccountMembership; } });
+Object.defineProperty(exports, "verifiedCandidate", { enumerable: true, get: function () { return account_roster_1.verifiedCandidate; } });
+Object.defineProperty(exports, "_resetRosterVerifierWarningForTest", { enumerable: true, get: function () { return account_roster_1._resetRosterVerifierWarningForTest; } });
 var outcomes_1 = require("./outcomes");
 Object.defineProperty(exports, "recordRelationshipOutcome", { enumerable: true, get: function () { return outcomes_1.recordRelationshipOutcome; } });
 var missions_1 = require("./missions");

package/dist/mcp/dispatch.d.ts

@@ -1,14 +1,25 @@
 import type { FriendStore } from "../store";
 import type { GrantStore } from "../grant-store";
 import type { MissionStore } from "../mission-store";
+import type { AuditSink } from "../audit";
 type Args = Record<string, unknown>;
 export interface DispatchResult {
     result: unknown;
     isError: boolean;
 }
+/** WHO/WHENCE context stamped onto a control-plane audit record (finding 3). The MCP
+ * server passes the local owner/sense it was constructed with. */
+export interface ControlPlaneContext {
+    actor?: string;
+    originSense?: string;
+}
+/** Whether wiring an AuditSink should also stamp a record for an `onboard_agent` trust
+ * seat: only when the owner explicitly set a trustLevel (a deliberate trust decision).
+ * A cold contact with no trustLevel lands at the safe `stranger` default (Bug A) and is
+ * NOT an owner trust mutation, so it is not audited. */
 export declare function coerceBool(v: unknown): boolean;
 export declare function coerceInt(v: unknown): number | undefined;
 export declare function coerceString(v: unknown): string;
 export declare function coerceOptionalString(v: unknown): string | undefined;
-export declare function dispatchTool(store: FriendStore, name: string, args: Args, grants?: GrantStore, missions?: MissionStore): Promise<DispatchResult>;
+export declare function dispatchTool(store: FriendStore, name: string, args: Args, grants?: GrantStore, missions?: MissionStore, audit?: AuditSink, controlContext?: ControlPlaneContext): Promise<DispatchResult>;
 export {};

package/dist/mcp/dispatch.js

@@ -11,6 +11,7 @@ exports.dispatchTool = dispatchTool;
 // the library fns. `dispatchTool` is a flat tool → library-fn map (D9/D10) with
 // NO domain logic of its own — every behavior lives in the friends library.
 const observability_1 = require("../observability");
+const identity_1 = require("../identity");
 const types_1 = require("../types");
 const resolver_1 = require("../resolver");
 const trust_explanation_1 = require("../trust-explanation");
@@ -31,6 +32,17 @@ const missions_1 = require("../missions");
 const mission_share_1 = require("../mission-share");
 const coordination_1 = require("../coordination");
 const types_2 = require("../types");
+/** SECURITY (finding 3-A): the friends MCP server speaks JSON-RPC over **stdio**, and
+ * stdio is an owner-only channel — the local user who launched the process is the only
+ * actor. So when no explicit controlContext is wired, audited mutations are attributed
+ * to the stdio owner boundary rather than the generic "unknown". A network/multi-tenant
+ * transport MUST pass its own authenticated actor instead of relying on these. */
+const STDIO_OWNER_ACTOR = "owner:stdio";
+const STDIO_ORIGIN_SENSE = "stdio";
+/** Whether wiring an AuditSink should also stamp a record for an `onboard_agent` trust
+ * seat: only when the owner explicitly set a trustLevel (a deliberate trust decision).
+ * A cold contact with no trustLevel lands at the safe `stranger` default (Bug A) and is
+ * NOT an owner trust mutation, so it is not audited. */
 function coerceBool(v) {
     return v === true || v === "true";
 }
@@ -69,13 +81,18 @@ const NO_GRANT_STORE = { ok: false, status: "unsupported", message: "no grant st
  * embedding). The mission ledger needs mission persistence, so report it cleanly
  * rather than guessing. */
 const NO_MISSION_STORE = { ok: false, status: "unsupported", message: "no mission store configured (mission tools require one)" };
-async function dispatchTool(store, name, args, grants, missions) {
+async function dispatchTool(store, name, args, grants, missions, audit, controlContext) {
     (0, observability_1.emitNervesEvent)({
         component: "clients",
         event: "clients.mcp_dispatch",
         message: "dispatching friends mcp tool",
         meta: { tool: name },
     });
+    // SECURITY (finding 3 / 3-A): resolve the WHO/WHENCE for an audited mutation. With
+    // no explicit context, attribute to the stdio owner boundary (the only actor on an
+    // owner-only stdio channel) rather than the generic "unknown".
+    const auditActor = controlContext?.actor ?? STDIO_OWNER_ACTOR;
+    const auditOriginSense = controlContext?.originSense ?? STDIO_ORIGIN_SENSE;
     switch (name) {
         case "resolve_party": {
             const provider = coerceString(args.provider);
@@ -188,7 +205,14 @@ async function dispatchTool(store, name, args, grants, missions) {
             return { result: results, isError: false };
         }
         case "set_trust": {
-            const result = await (0, trust_mutation_1.setFriendTrust)(store, coerceString(args.friendId), coerceString(args.trustLevel));
+            // SECURITY (finding 3): thread the audit sink + owner/sense context so the LIVE
+            // trust mutation actually writes a control-plane record. With no sink wired,
+            // setFriendTrust treats the ctx as a no-op (back-compat).
+            const result = await (0, trust_mutation_1.setFriendTrust)(store, coerceString(args.friendId), coerceString(args.trustLevel), {
+                ...(audit ? { sink: audit } : {}),
+                actor: auditActor,
+                originSense: auditOriginSense,
+            });
             return { result, isError: result.ok === false };
         }
         case "link_identity": {
@@ -207,14 +231,32 @@ async function dispatchTool(store, name, args, grants, missions) {
             return { result, isError: result.ok === false };
         }
         case "onboard_agent": {
+            const explicitTrustLevel = coerceOptionalString(args.trustLevel);
             const record = await (0, agent_peer_1.upsertAgentPeer)(store, {
                 name: coerceString(args.name),
                 agentId: coerceString(args.agentId),
-                trustLevel: coerceOptionalString(args.trustLevel),
+                trustLevel: explicitTrustLevel,
                 a2a: parseMaybeJson(args.a2a),
                 mailbox: parseMaybeJson(args.mailbox),
                 bundleName: coerceOptionalString(args.bundleName),
             });
+            // SECURITY (finding 3): an owner-initiated trust SEAT (an explicit trustLevel) is
+            // a control-plane trust mutation, so audit it through the wired sink. A cold
+            // contact with no trustLevel falls to the safe `stranger` default (Bug A) — not
+            // an owner trust decision — so it is left unaudited.
+            if (audit && explicitTrustLevel !== undefined) {
+                const targetDid = (0, identity_1.resolveAgentIdentity)(record.agentMeta).did;
+                const auditRecord = {
+                    action: "set_trust",
+                    targetId: record.id,
+                    ...(targetDid !== undefined ? { targetDid } : {}),
+                    level: explicitTrustLevel,
+                    actor: auditActor,
+                    originSense: auditOriginSense,
+                    ts: record.updatedAt,
+                };
+                await audit.append(auditRecord);
+            }
             return { result: record, isError: false };
         }
         case "whoami": {

package/dist/mcp/run-main.js

@@ -35,11 +35,14 @@ function runMain(argv, env, io) {
         message: "friends mcp run-main",
         meta: { source },
     });
-    // The consent-grant + mission collections are sibling `_grants/` + `_missions/`
-    // dirs under the friends dir, so the single `--dir` wires the whole substrate
-    // (friends + consent + missions). `openFileBundle` encapsulates that convention.
-    const { store, grants, missions } = (0, file_bundle_1.openFileBundle)(dir);
-    const server = (0, server_1.createFriendsMcpServer)({ store, grants, missions, stdin: io.stdin, stdout: io.stdout });
+    // The consent-grant + mission + audit collections are sibling `_grants/`,
+    // `_missions/`, `_audit/` dirs under the friends dir, so the single `--dir` wires the
+    // whole substrate. `openFileBundle` encapsulates that convention.
+    const { store, grants, missions, audit } = (0, file_bundle_1.openFileBundle)(dir);
+    // SECURITY (finding 3 / 3-A): thread the FileAuditSink into the live server so trust
+    // mutations are audited. The `friends-mcp` bin speaks owner-only stdio, so the
+    // default actor/originSense (the stdio owner boundary) is the correct attribution.
+    const server = (0, server_1.createFriendsMcpServer)({ store, grants, missions, audit, stdin: io.stdin, stdout: io.stdout });
     server.start();
     return server;
 }

package/dist/mcp/schemas.js

@@ -187,7 +187,7 @@ function getToolSchemas() {
                 properties: {
                     name: { type: "string", description: "the peer agent's name" },
                     agentId: { type: "string", description: "the a2a agent id" },
-                    trustLevel: { type: "string", description: "trust level (default acquaintance)" },
+                    trustLevel: { type: "string", description: "trust level (default stranger (cold contact))" },
                     a2a: { type: "object", description: "a2a coordinates { cardUrl?, endpointUrl?, protocolVersion? }" },
                     mailbox: { type: "object", description: "optional A2A git-mailbox coords { repo, selfOutboxAgentId }" },
                     bundleName: { type: "string", description: "optional bundle name" },

package/dist/mcp/server.d.ts

@@ -1,6 +1,8 @@
 import type { FriendStore } from "../store";
 import type { GrantStore } from "../grant-store";
 import type { MissionStore } from "../mission-store";
+import type { AuditSink } from "../audit";
+import type { ControlPlaneContext } from "./dispatch";
 export interface FriendsMcpServerOptions {
     store: FriendStore;
     /** Optional consent-grant store. When omitted, the consent/share tools
@@ -11,6 +13,13 @@ export interface FriendsMcpServerOptions {
      * (record_mission / get_mission / list_missions / share_mission /
      * import_mission) report `unsupported`; everything else works without it. */
     missions?: MissionStore;
+    /** Optional control-plane audit sink (Bug B, finding 3). When wired, the LIVE
+     * trust mutations (`set_trust`, and an explicit-trust-seat `onboard_agent`) append
+     * an append-only audit record. When omitted, those mutations are unaudited. */
+    audit?: AuditSink;
+    /** Optional WHO/WHENCE context for audited mutations. Defaults to the stdio
+     * owner-only boundary (finding 3-A) when omitted. */
+    controlContext?: ControlPlaneContext;
     stdin: NodeJS.ReadableStream;
     stdout: NodeJS.WritableStream;
 }

package/dist/mcp/server.js

@@ -13,7 +13,7 @@ const observability_1 = require("../observability");
 const schemas_1 = require("./schemas");
 const dispatch_1 = require("./dispatch");
 function createFriendsMcpServer(options) {
-    const { store, grants, missions, stdin, stdout } = options;
+    const { store, grants, missions, audit, controlContext, stdin, stdout } = options;
     let buffer = "";
     let running = false;
     let useContentLengthFraming = true;
@@ -145,7 +145,7 @@ function createFriendsMcpServer(options) {
         const toolName = params.name ?? "";
         const toolArgs = params.arguments ?? {};
         try {
-            const { result, isError } = await (0, dispatch_1.dispatchTool)(store, toolName, toolArgs, grants, missions);
+            const { result, isError } = await (0, dispatch_1.dispatchTool)(store, toolName, toolArgs, grants, missions, audit, controlContext);
             writeResponse({
                 jsonrpc: "2.0",
                 id: request.id,

package/dist/resolver.d.ts

@@ -1,5 +1,29 @@
 import type { FriendStore } from "./store";
 import type { IdentityProvider, ResolvedContext } from "./types";
+import type { RosterStore } from "./roster-store";
+import type { RosterVerifier } from "./roster-verifier";
+/** Optional roster context for a cold-contact resolution (Bug C). When supplied AND
+ * the candidate's `did` is a key-verified member of the pinned account roster, the
+ * resolver seats `family` (attributable to `same_account`) even when the peer is on
+ * a different OS user. Constructor-injected (not a `resolve()` arg) so existing
+ * `new FriendResolver(store, params)` call sites stay source-compatible. The
+ * resolver stays core-clean: the Ed25519 `verifier` arrives via the seam — never an
+ * a2a-client import. */
+export interface FriendResolverRosterContext {
+    store: RosterStore;
+    accountId: string;
+    /** The peer's did. PRECONDITION (finding 2): the host has already authenticated
+     * that the peer controls this did (the a2a-client sealed-envelope gate runs
+     * `DidVerifier` before resolution). The resolver wraps it in a `VerifiedCandidate`
+     * on the caller's behalf — so only seed this from a verified inbound identity, never
+     * an unauthenticated, peer-claimed string. */
+    candidateDid: string;
+    /** PRECONDITION (finding 1): to actually seat family, this MUST be a cryptographic
+     * verifier (`ed25519RosterVerifier`, `grantsFamily: true`). With it absent (the
+     * identity-only default), `evaluateAccountMembership` fails closed and the resolver
+     * keeps the cold-A2A `stranger` default — never family. */
+    verifier?: RosterVerifier;
+}
 export interface FriendResolverParams {
     provider: IdentityProvider;
     externalId: string;
@@ -22,7 +46,14 @@ export declare function isLocalMachineOwnerIdentity(provider: string, externalId
 export declare class FriendResolver {
     private readonly store;
     private readonly params;
-    constructor(store: FriendStore, params: FriendResolverParams);
+    private readonly roster?;
+    constructor(store: FriendStore, params: FriendResolverParams, roster?: FriendResolverRosterContext);
     resolve(): Promise<ResolvedContext>;
     private resolveOrCreate;
+    /** Bug C — whether the candidate is family via a key-verified account roster.
+     * Reads the pinned roster + roster key from the injected RosterStore and reuses
+     * `evaluateAccountMembership`. Returns false (no family) when no roster context is
+     * wired, the roster/pin is absent, or membership is anything but
+     * `family_same_account` (unverified / not-member / key-mismatch all stay false). */
+    private evaluateRosterFamily;
 }

package/dist/resolver.js

@@ -11,6 +11,7 @@ const crypto_1 = require("crypto");
 const os_1 = require("os");
 const channel_1 = require("./channel");
 const observability_1 = require("./observability");
+const account_roster_1 = require("./account-roster");
 const CURRENT_SCHEMA_VERSION = 1;
 // Test seam: when set (including to null), overrides OS detection of the
 // machine-owner username so resolver tests are deterministic.
@@ -46,9 +47,11 @@ function isLocalMachineOwnerIdentity(provider, externalId, ownerUsername) {
 class FriendResolver {
     store;
     params;
-    constructor(store, params) {
+    roster;
+    constructor(store, params, roster) {
         this.store = store;
         this.params = params;
+        this.roster = roster;
     }
     async resolve() {
         const friend = await this.resolveOrCreate();
@@ -123,6 +126,13 @@ class FriendResolver {
         }
         const isFirstImprint = !hasAnyFriends;
         const isA2AAgent = this.params.provider === "a2a-agent";
+        // Bug C — roster-awareness. When a roster context is injected AND the candidate's
+        // did is a key-verified member of the pinned account roster, seat `family` (even
+        // on a different OS user). Reuses `evaluateAccountMembership` against the pinned
+        // roster fetched from the injected RosterStore. Absent/unverifiable roster ⇒ the
+        // OS-owner + cold-A2A default below is unchanged. The resolver never imports
+        // a2a-client — the Ed25519 verifier arrives via the injected seam.
+        const isRosterFamily = await this.evaluateRosterFamily();
         // The local friend that names the OS user running the daemon is the machine
         // owner (family) — they own the agent + its bundle. Usually this friend already
         // exists as a family/primary hatch imprint; this covers the un-imprinted boss
@@ -146,8 +156,11 @@ class FriendResolver {
         const friend = {
             id: (0, crypto_1.randomUUID)(),
             name: this.params.displayName,
-            role: isA2AAgent ? "agent-peer" : isFirstImprint ? "primary" : isLocalMachineOwner ? "family" : "stranger",
-            trustLevel: isA2AAgent ? "stranger" : (isFirstImprint || isLocalMachineOwner) ? "family" : "stranger",
+            // Bug C: a key-verified roster member is family (role + trustLevel), overriding
+            // the cold-A2A `agent-peer`/`stranger` default. Otherwise the matrix is
+            // unchanged: a2a ⇒ agent-peer/stranger; first imprint or machine owner ⇒ family.
+            role: isRosterFamily ? "family" : isA2AAgent ? "agent-peer" : isFirstImprint ? "primary" : isLocalMachineOwner ? "family" : "stranger",
+            trustLevel: isRosterFamily ? "family" : isA2AAgent ? "stranger" : (isFirstImprint || isLocalMachineOwner) ? "family" : "stranger",
             connections: [],
             externalIds: [externalId],
             tenantMemberships,
@@ -183,5 +196,39 @@ class FriendResolver {
         }
         return friend;
     }
+    /** Bug C — whether the candidate is family via a key-verified account roster.
+     * Reads the pinned roster + roster key from the injected RosterStore and reuses
+     * `evaluateAccountMembership`. Returns false (no family) when no roster context is
+     * wired, the roster/pin is absent, or membership is anything but
+     * `family_same_account` (unverified / not-member / key-mismatch all stay false). */
+    async evaluateRosterFamily() {
+        const ctx = this.roster;
+        if (!ctx)
+            return false;
+        const roster = await ctx.store.getRoster(ctx.accountId);
+        const pin = await ctx.store.getPin(ctx.accountId);
+        // The resolver grants family only against an ALREADY-pinned roster key (the pin
+        // is established during explicit onboarding, never silently at resolve time).
+        if (!roster || !pin)
+            return false;
+        const result = await (0, account_roster_1.evaluateAccountMembership)({
+            roster,
+            // The host authenticated the peer's control of this did upstream (see the
+            // FriendResolverRosterContext.candidateDid precondition); wrap it as verified.
+            candidate: (0, account_roster_1.verifiedCandidate)(ctx.candidateDid),
+            rosterKey: pin.rosterKey,
+            store: ctx.store,
+            ...(ctx.verifier !== undefined ? { verifier: ctx.verifier } : {}),
+        });
+        if (result.decision !== "family_same_account")
+            return false;
+        (0, observability_1.emitNervesEvent)({
+            component: "friends",
+            event: "friends.family_via_roster",
+            message: "seated family via the account roster (same_account)",
+            meta: { accountId: ctx.accountId, candidateDid: ctx.candidateDid },
+        });
+        return true;
+    }
 }
 exports.FriendResolver = FriendResolver;

package/dist/roster-store-file.d.ts

@@ -0,0 +1,16 @@
+import type { AccountRoster, RosterPin, RosterStore } from "./roster-store";
+/** The sibling rosters directory for a given friends directory:
+ * `<friendsDir>/_rosters`. A reserved `_`-prefixed subdir (like `_grants`) so one
+ * `--dir` still points the whole substrate at one place. */
+export declare function rostersDirFor(friendsDir: string): string;
+export declare class FileRosterStore implements RosterStore {
+    private readonly rostersPath;
+    constructor(rostersPath: string);
+    getRoster(accountId: string): Promise<AccountRoster | null>;
+    putRoster(roster: AccountRoster): Promise<void>;
+    getPin(accountId: string): Promise<RosterPin | null>;
+    putPin(pin: RosterPin): Promise<void>;
+    /** Read + parse a JSON file, returning null on a missing file, invalid JSON, or a
+     * non-object payload (guarded; mirrors FileGrantStore.readJson). */
+    private readJson;
+}

package/dist/roster-store-file.js

@@ -0,0 +1,125 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileRosterStore = void 0;
+exports.rostersDirFor = rostersDirFor;
+// FileRosterStore — filesystem adapter for RosterStore.
+//
+// Stores the account roster and its pinned key as JSON files in a sibling
+// `_rosters/` collection next to the friends directory (one `<accountId>.roster.json`
+// and one `<accountId>.pin.json` per account). Mirrors FileGrantStore's structure
+// (mkdir on construct, one file per record, guarded reads) so the stores feel
+// uniform.
+const fs = __importStar(require("fs"));
+const fsPromises = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+const observability_1 = require("./observability");
+/** The sibling rosters directory for a given friends directory:
+ * `<friendsDir>/_rosters`. A reserved `_`-prefixed subdir (like `_grants`) so one
+ * `--dir` still points the whole substrate at one place. */
+function rostersDirFor(friendsDir) {
+    return path.join(friendsDir, "_rosters");
+}
+/** SECURITY (finding 8, LOW): the accountId is interpolated into the
+ * `<accountId>.roster.json` / `.pin.json` filename, so a wire-influenced value like
+ * "../evil" could otherwise escape the `_rosters/` dir. Enforce a strict allowlist
+ * (alphanumerics, dot, underscore, hyphen — no path separators) AND a basename
+ * identity (no normalization surprises), rejecting `.`/`..` and the empty string.
+ * Throws on anything unsafe so a bad accountId can never reach the filesystem. */
+const SAFE_ACCOUNT_ID = /^[A-Za-z0-9._-]+$/;
+function assertSafeAccountId(accountId) {
+    // Basename identity is the primary traversal guard: any value carrying a path
+    // separator (`/` on POSIX, `/` or `\` on Windows) basenames to something else and is
+    // rejected. The charset allowlist then rejects the remaining unsafe-but-separatorless
+    // bytes (spaces, shell metachars, control chars, the empty string — `+` needs ≥1
+    // char). The explicit `.`/`..` reject closes the two in-charset relative-dir refs.
+    if (path.basename(accountId) !== accountId) {
+        throw new Error(`unsafe accountId ${JSON.stringify(accountId)}: must not contain a path separator`);
+    }
+    if (!SAFE_ACCOUNT_ID.test(accountId) || accountId === "." || accountId === "..") {
+        throw new Error(`unsafe accountId ${JSON.stringify(accountId)}: must match ${SAFE_ACCOUNT_ID} (not "." or "..")`);
+    }
+}
+class FileRosterStore {
+    rostersPath;
+    constructor(rostersPath) {
+        this.rostersPath = rostersPath;
+        fs.mkdirSync(rostersPath, { recursive: true });
+        (0, observability_1.emitNervesEvent)({
+            component: "friends",
+            event: "friends.roster_store_init",
+            message: "file roster store initialized",
+            meta: {},
+        });
+    }
+    async getRoster(accountId) {
+        assertSafeAccountId(accountId);
+        const raw = await this.readJson(path.join(this.rostersPath, `${accountId}.roster.json`));
+        return raw;
+    }
+    async putRoster(roster) {
+        assertSafeAccountId(roster.accountId);
+        await fsPromises.writeFile(path.join(this.rostersPath, `${roster.accountId}.roster.json`), JSON.stringify(roster, null, 2), "utf-8");
+    }
+    async getPin(accountId) {
+        assertSafeAccountId(accountId);
+        const raw = await this.readJson(path.join(this.rostersPath, `${accountId}.pin.json`));
+        return raw;
+    }
+    async putPin(pin) {
+        assertSafeAccountId(pin.accountId);
+        await fsPromises.writeFile(path.join(this.rostersPath, `${pin.accountId}.pin.json`), JSON.stringify(pin, null, 2), "utf-8");
+    }
+    /** Read + parse a JSON file, returning null on a missing file, invalid JSON, or a
+     * non-object payload (guarded; mirrors FileGrantStore.readJson). */
+    async readJson(filePath) {
+        try {
+            const raw = await fsPromises.readFile(filePath, "utf-8");
+            try {
+                const parsed = JSON.parse(raw);
+                if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+                    return null;
+                return parsed;
+            }
+            catch {
+                return null;
+            }
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.FileRosterStore = FileRosterStore;

package/dist/roster-store-memory.d.ts

@@ -0,0 +1,9 @@
+import type { AccountRoster, RosterPin, RosterStore } from "./roster-store";
+export declare class MemoryRosterStore implements RosterStore {
+    private readonly rosters;
+    private readonly pins;
+    getRoster(accountId: string): Promise<AccountRoster | null>;
+    putRoster(roster: AccountRoster): Promise<void>;
+    getPin(accountId: string): Promise<RosterPin | null>;
+    putPin(pin: RosterPin): Promise<void>;
+}