@ouro.bot/friends 0.1.0-alpha.5 → 0.1.0-alpha.7

package/dist/identity.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveAgentIdentity = resolveAgentIdentity;
+exports.withMigratedIdentity = withMigratedIdentity;
+// Agent identity migrate-on-read (p11 Item 2 — the DID re-key).
+//
+// The durable identity home is `AgentMeta.identity` ({ did, pinnedKey?, handle?,
+// pinnedAt? }). Legacy records carry only the optional `a2a.did` hint (or nothing).
+// `resolveAgentIdentity` reads either, preferring the durable home and lifting
+// `a2a.did` on a miss (migrate-on-read), mirroring FileGrantStore.normalize's
+// legacy-field handling. `withMigratedIdentity` backfills `identity.did` from
+// `a2a.did` so the next `put` persists it forward (migrate-on-write), matching the
+// resolver's local-id migration + the grant subjectFriendId→subjectKey pattern.
+const observability_1 = require("./observability");
+/** Read an agent's durable identity, preferring `meta.identity` and lifting the
+ * legacy `meta.a2a.did` on a miss (migrate-on-read). Returns `{}` for a did-less
+ * or absent meta. (Unit 4a stub — not implemented.) */
+function resolveAgentIdentity(meta) {
+    if (!meta)
+        return {};
+    // Durable home wins (authoritative). Spread only the present optional fields so
+    // a partial identity ({ did } only) doesn't surface undefined keys. SECURITY
+    // (finding 6, LOW): an empty-string did is NOT a did — omit it so it can never be a
+    // matchable identity key (ties to findFriendByDid's falsy-did guard, finding 4).
+    //
+    // NOTE (finding 5-D): when BOTH meta.identity.did and a legacy meta.a2a.did are
+    // present and DIVERGE, the durable home silently wins here. That divergence can be a
+    // tampering signal (a record's legacy hint disagreeing with its pinned identity).
+    // We don't warn from this hot path (resolveAgentIdentity runs per-record in the
+    // findFriendByDid scan and per-audit-derivation); a divergence audit belongs in a
+    // write-time reconciliation (e.g. withMigratedIdentity / the onboard path), not here.
+    if (meta.identity) {
+        const { did, pinnedKey, handle, pinnedAt } = meta.identity;
+        return {
+            ...(did ? { did } : {}),
+            ...(pinnedKey !== undefined ? { pinnedKey } : {}),
+            ...(handle !== undefined ? { handle } : {}),
+            ...(pinnedAt !== undefined ? { pinnedAt } : {}),
+        };
+    }
+    // Migrate-on-read: lift the legacy a2a.did hint when the durable home is absent.
+    // A falsy (absent or empty-string) hint is treated as no-did.
+    if (meta.a2a?.did)
+        return { did: meta.a2a.did };
+    return {};
+}
+/** Return a meta whose `identity.did` is backfilled from `a2a.did` when the durable
+ * home is absent (migrate-on-write); a meta already carrying `identity` is returned
+ * unchanged (no clobber). Absent meta is returned as-is. (Unit 4a stub.) */
+function withMigratedIdentity(meta) {
+    if (!meta)
+        return undefined;
+    // Already carries the durable home → no clobber.
+    if (meta.identity)
+        return meta;
+    // Nothing to migrate from → unchanged. A falsy (absent or empty-string) a2a.did is
+    // not a real did to backfill (finding 6).
+    if (!meta.a2a?.did)
+        return meta;
+    // Backfill identity.did from the legacy a2a.did so the next put persists forward.
+    (0, observability_1.emitNervesEvent)({
+        component: "friends",
+        event: "friends.identity_migrated",
+        message: "backfilled AgentMeta.identity.did from legacy a2a.did",
+        meta: { did: meta.a2a.did },
+    });
+    return { ...meta, identity: { did: meta.a2a.did } };
+}

package/dist/index.d.ts

@@ -29,8 +29,25 @@ export { upsertGroupContextParticipants } from "./group-context";
 export { accumulateFriendTokens } from "./tokens";
 export { applyFriendNote } from "./notes";
 export { setFriendTrust } from "./trust-mutation";
+export type { SetFriendTrustContext } from "./trust-mutation";
+export { MemoryAuditSink, FileAuditSink, auditPathFor } from "./audit";
+export type { AuditSink, ControlPlaneAuditRecord } from "./audit";
 export { linkExternalId, unlinkExternalId } from "./link-identity";
 export { upsertAgentPeer } from "./agent-peer";
+export { connectAgents } from "./connect";
+export type { ConnectPeer, ConnectAgentsInput, ConnectAgentsDeps, ConnectResult, ConnectStatus } from "./connect";
+export { authorizeConnect } from "./connect-authority";
+export type { AuthorizeConnectInput, ConnectAuthorization } from "./connect-authority";
+export { resolveAgentIdentity, withMigratedIdentity } from "./identity";
+export type { ResolvedAgentIdentity } from "./identity";
+export { findFriendByDid } from "./friend-lookup";
+export { FileRosterStore, rostersDirFor } from "./roster-store-file";
+export type { RosterStore, AccountRoster, RosterPin } from "./roster-store";
+export { identityRosterVerifier, DEFAULT_ROSTER_VERIFIER } from "./roster-verifier";
+export type { RosterVerifier } from "./roster-verifier";
+export { MemoryRosterStore } from "./roster-store-memory";
+export { evaluateAccountMembership, verifiedCandidate, _resetRosterVerifierWarningForTest } from "./account-roster";
+export type { AccountMembershipDecision, AccountMembershipResult, EvaluateAccountMembershipInput, VerifiedCandidate, } from "./account-roster";
 export { recordRelationshipOutcome } from "./outcomes";
 export { recordMission } from "./missions";
 export type { RecordMissionInput } from "./missions";
@@ -44,6 +61,9 @@ export { prepareMissionShare, importMissionShare } from "./mission-share";
 export type { MissionShareEnvelope, SharedLearning, PrepareMissionShareInput, PrepareMissionShareResult, PrepareMissionShareStatus, ImportMissionShareInput, ImportMissionShareOptions, ImportMissionShareResult, ImportMissionShareStatus, } from "./mission-share";
 export { prepareCoordination, importCoordination } from "./coordination";
 export type { CoordinationEnvelope, PrepareCoordinationInput, PrepareCoordinationResult, PrepareCoordinationStatus, ImportCoordinationInput, ImportCoordinationOptions, ImportCoordinationResult, ImportCoordinationStatus, } from "./coordination";
+export { prepareMissionResult, importMissionResult } from "./mission-result";
+export type { PrepareMissionResultInput, PrepareMissionResultResult, PrepareMissionResultStatus, ImportMissionResultInput, ImportMissionResultOptions, ImportMissionResultResult, ImportMissionResultStatus, } from "./mission-result";
+export type { MissionTaskSpec, MissionResult, MissionResultEnvelope } from "./types";
 export { grantShare, revokeShare, listShares, isGrantEffective } from "./grants";
 export { emitNervesEvent, setNervesEmitter, } from "./observability";
 export type { NervesEvent, NervesEmitter, LogLevel } from "./observability";

package/dist/index.js

@@ -6,8 +6,8 @@
 // multi-agent (a2a peer) aware, consumed through the FriendStore interface +
 // FriendResolver.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.revokeShare = exports.grantShare = exports.importCoordination = exports.prepareCoordination = exports.importMissionShare = exports.prepareMissionShare = exports.importProfileShare = exports.prepareProfileShare = exports.DEFAULT_AGENT_VERIFIER = exports.tofuVerifier = exports.DEFAULT_CONSENT_POLICY = exports.tieredPolicy = exports.trustImpliedPolicy = exports.strictPolicy = exports.resolveRoom = exports.whoami = exports.recordMission = exports.recordRelationshipOutcome = exports.upsertAgentPeer = exports.unlinkExternalId = exports.linkExternalId = exports.setFriendTrust = exports.applyFriendNote = exports.accumulateFriendTokens = exports.upsertGroupContextParticipants = exports.DEFAULT_STANDING_RULE = exports.explainStanding = exports.assessStanding = exports.describeTrustContext = exports.getAlwaysOnSenseNames = exports.isRemoteChannel = exports.channelToFacing = exports.getChannelCapabilities = exports._setMachineOwnerUsernameForTest = exports.isLocalMachineOwnerIdentity = exports.machineOwnerUsername = exports.FriendResolver = exports.openFileBundle = exports.missionsDirFor = exports.FileMissionStore = exports.grantsDirFor = exports.FileGrantStore = exports.FileFriendStore = exports.isCoordinationIntent = exports.isShareScope = exports.isIntegration = exports.isIdentityProvider = exports.isTrustedLevel = exports.IDENTITY_SCOPES = exports.TRUSTED_LEVELS = void 0;
-exports.setNervesEmitter = exports.emitNervesEvent = exports.isGrantEffective = exports.listShares = void 0;
+exports.recordMission = exports.recordRelationshipOutcome = exports._resetRosterVerifierWarningForTest = exports.verifiedCandidate = exports.evaluateAccountMembership = exports.MemoryRosterStore = exports.DEFAULT_ROSTER_VERIFIER = exports.identityRosterVerifier = exports.rostersDirFor = exports.FileRosterStore = exports.findFriendByDid = exports.withMigratedIdentity = exports.resolveAgentIdentity = exports.authorizeConnect = exports.connectAgents = exports.upsertAgentPeer = exports.unlinkExternalId = exports.linkExternalId = exports.auditPathFor = exports.FileAuditSink = exports.MemoryAuditSink = exports.setFriendTrust = exports.applyFriendNote = exports.accumulateFriendTokens = exports.upsertGroupContextParticipants = exports.DEFAULT_STANDING_RULE = exports.explainStanding = exports.assessStanding = exports.describeTrustContext = exports.getAlwaysOnSenseNames = exports.isRemoteChannel = exports.channelToFacing = exports.getChannelCapabilities = exports._setMachineOwnerUsernameForTest = exports.isLocalMachineOwnerIdentity = exports.machineOwnerUsername = exports.FriendResolver = exports.openFileBundle = exports.missionsDirFor = exports.FileMissionStore = exports.grantsDirFor = exports.FileGrantStore = exports.FileFriendStore = exports.isCoordinationIntent = exports.isShareScope = exports.isIntegration = exports.isIdentityProvider = exports.isTrustedLevel = exports.IDENTITY_SCOPES = exports.TRUSTED_LEVELS = void 0;
+exports.setNervesEmitter = exports.emitNervesEvent = exports.isGrantEffective = exports.listShares = exports.revokeShare = exports.grantShare = exports.importMissionResult = exports.prepareMissionResult = exports.importCoordination = exports.prepareCoordination = exports.importMissionShare = exports.prepareMissionShare = exports.importProfileShare = exports.prepareProfileShare = exports.DEFAULT_AGENT_VERIFIER = exports.tofuVerifier = exports.DEFAULT_CONSENT_POLICY = exports.tieredPolicy = exports.trustImpliedPolicy = exports.strictPolicy = exports.resolveRoom = exports.whoami = void 0;
 // -- Values --
 var types_1 = require("./types");
 Object.defineProperty(exports, "TRUSTED_LEVELS", { enumerable: true, get: function () { return types_1.TRUSTED_LEVELS; } });
@@ -52,11 +52,50 @@ var notes_1 = require("./notes");
 Object.defineProperty(exports, "applyFriendNote", { enumerable: true, get: function () { return notes_1.applyFriendNote; } });
 var trust_mutation_1 = require("./trust-mutation");
 Object.defineProperty(exports, "setFriendTrust", { enumerable: true, get: function () { return trust_mutation_1.setFriendTrust; } });
+// -- Control-plane audit (Bug B): append-only record of trust mutations --
+var audit_1 = require("./audit");
+Object.defineProperty(exports, "MemoryAuditSink", { enumerable: true, get: function () { return audit_1.MemoryAuditSink; } });
+Object.defineProperty(exports, "FileAuditSink", { enumerable: true, get: function () { return audit_1.FileAuditSink; } });
+Object.defineProperty(exports, "auditPathFor", { enumerable: true, get: function () { return audit_1.auditPathFor; } });
 var link_identity_1 = require("./link-identity");
 Object.defineProperty(exports, "linkExternalId", { enumerable: true, get: function () { return link_identity_1.linkExternalId; } });
 Object.defineProperty(exports, "unlinkExternalId", { enumerable: true, get: function () { return link_identity_1.unlinkExternalId; } });
 var agent_peer_1 = require("./agent-peer");
 Object.defineProperty(exports, "upsertAgentPeer", { enumerable: true, get: function () { return agent_peer_1.upsertAgentPeer; } });
+// -- connect_to (brick 8, p11 inc2): the owner links one of their OWN agents into the
+// fleet, gated to a management sense (local/closed) — `local` commits; an `open` sense
+// downgrades to a confirm-prompt; `closed` is gated by a roster/membership check (never a
+// blanket allow); a bare name with no resolvable handle/DID returns needs_handle (never
+// fabricated). Writes one `action:"connect"` control-plane audit. `authorizeConnect` is the
+// pure authority predicate (consumes a pre-computed AccountMembershipResult — core-clean).
+var connect_1 = require("./connect");
+Object.defineProperty(exports, "connectAgents", { enumerable: true, get: function () { return connect_1.connectAgents; } });
+var connect_authority_1 = require("./connect-authority");
+Object.defineProperty(exports, "authorizeConnect", { enumerable: true, get: function () { return connect_authority_1.authorizeConnect; } });
+// -- Agent identity (p11 Item 2 — DID re-key): durable home + migrate-on-read --
+var identity_1 = require("./identity");
+Object.defineProperty(exports, "resolveAgentIdentity", { enumerable: true, get: function () { return identity_1.resolveAgentIdentity; } });
+Object.defineProperty(exports, "withMigratedIdentity", { enumerable: true, get: function () { return identity_1.withMigratedIdentity; } });
+// did-aware friend lookup (the durable cross-agent primary key is the DID).
+var friend_lookup_1 = require("./friend-lookup");
+Object.defineProperty(exports, "findFriendByDid", { enumerable: true, get: function () { return friend_lookup_1.findFriendByDid; } });
+// -- Account roster (p11 Item 3): pinned roster + TOFU roster-key storage seam --
+var roster_store_file_1 = require("./roster-store-file");
+Object.defineProperty(exports, "FileRosterStore", { enumerable: true, get: function () { return roster_store_file_1.FileRosterStore; } });
+Object.defineProperty(exports, "rostersDirFor", { enumerable: true, get: function () { return roster_store_file_1.rostersDirFor; } });
+// -- RosterVerifier seam (Q1): core declares the interface + identity-only default;
+// the a2a-client provides the Ed25519 impl (host-injected). Core stays crypto-free.
+var roster_verifier_1 = require("./roster-verifier");
+Object.defineProperty(exports, "identityRosterVerifier", { enumerable: true, get: function () { return roster_verifier_1.identityRosterVerifier; } });
+Object.defineProperty(exports, "DEFAULT_ROSTER_VERIFIER", { enumerable: true, get: function () { return roster_verifier_1.DEFAULT_ROSTER_VERIFIER; } });
+var roster_store_memory_1 = require("./roster-store-memory");
+Object.defineProperty(exports, "MemoryRosterStore", { enumerable: true, get: function () { return roster_store_memory_1.MemoryRosterStore; } });
+// -- Account-roster membership (Item 3 payoff): family via same_account for a
+// key-verified, TOFU-pinned roster member; changed roster key hard-fails. --
+var account_roster_1 = require("./account-roster");
+Object.defineProperty(exports, "evaluateAccountMembership", { enumerable: true, get: function () { return account_roster_1.evaluateAccountMembership; } });
+Object.defineProperty(exports, "verifiedCandidate", { enumerable: true, get: function () { return account_roster_1.verifiedCandidate; } });
+Object.defineProperty(exports, "_resetRosterVerifierWarningForTest", { enumerable: true, get: function () { return account_roster_1._resetRosterVerifierWarningForTest; } });
 var outcomes_1 = require("./outcomes");
 Object.defineProperty(exports, "recordRelationshipOutcome", { enumerable: true, get: function () { return outcomes_1.recordRelationshipOutcome; } });
 var missions_1 = require("./missions");
@@ -91,6 +130,16 @@ Object.defineProperty(exports, "importMissionShare", { enumerable: true, get: fu
 var coordination_1 = require("./coordination");
 Object.defineProperty(exports, "prepareCoordination", { enumerable: true, get: function () { return coordination_1.prepareCoordination; } });
 Object.defineProperty(exports, "importCoordination", { enumerable: true, get: function () { return coordination_1.importCoordination; } });
+// -- Result-return / delegation deliverable (gap-2, p11 inc2): B returns its result --
+// prepareMissionResult (producer) / importMissionResult (consumer) carry B's actual
+// produced deliverable back to A — attributed to B, correlated to A's delegation via
+// missionKey + requestId, consent-gated via the existing "coordinate" scope, lands
+// quarantined + attributed on import, trust-capped, non-transitive, first-party-inviolable.
+// `MissionTaskSpec` (gap-1) rides the CoordinationEnvelope; the new MissionRecord fields
+// (delegations / importedDelegations / results / importedResults) are additive.
+var mission_result_1 = require("./mission-result");
+Object.defineProperty(exports, "prepareMissionResult", { enumerable: true, get: function () { return mission_result_1.prepareMissionResult; } });
+Object.defineProperty(exports, "importMissionResult", { enumerable: true, get: function () { return mission_result_1.importMissionResult; } });
 var grants_1 = require("./grants");
 Object.defineProperty(exports, "grantShare", { enumerable: true, get: function () { return grants_1.grantShare; } });
 Object.defineProperty(exports, "revokeShare", { enumerable: true, get: function () { return grants_1.revokeShare; } });

package/dist/mailbox/index.d.ts

@@ -1,6 +1,7 @@
 import type { ProfileShareEnvelope } from "../share";
 import type { MissionShareEnvelope } from "../mission-share";
 import type { CoordinationEnvelope } from "../coordination";
+import type { MissionResultEnvelope } from "../types";
 /** The mailbox wire-format version. Bumped only on a breaking message change. */
 export declare const MAILBOX_VERSION = 1;
 /** A mailbox message: the TRANSPORT wrapper around a verbatim share envelope. The
@@ -14,19 +15,21 @@ export interface MailboxMessage {
     toAgentId: string;
     issuedAt: string;
     /** The payload discriminant. The host branches on it to call importProfileShare
-     * vs importMissionShare vs importCoordination. The mailbox itself is
-     * payload-agnostic — this union grows by one leaf per brick (additive, backward-
-     * compatible); buildOutgoing/readIncoming carry any of them unchanged. */
-    kind: "profile_share" | "mission_share" | "coordination";
-    envelope: ProfileShareEnvelope | MissionShareEnvelope | CoordinationEnvelope;
+     * vs importMissionShare vs importCoordination vs importMissionResult. The mailbox
+     * itself is payload-agnostic — this union grows by one leaf per brick (additive,
+     * backward-compatible); buildOutgoing/readIncoming carry any of them unchanged.
+     * `mission_result` (gap-2) carries B's delegation deliverable back to A. */
+    kind: "profile_share" | "mission_share" | "coordination" | "mission_result";
+    envelope: ProfileShareEnvelope | MissionShareEnvelope | CoordinationEnvelope | MissionResultEnvelope;
 }
 export interface BuildOutgoingInput {
-    envelope: ProfileShareEnvelope | MissionShareEnvelope | CoordinationEnvelope;
+    envelope: ProfileShareEnvelope | MissionShareEnvelope | CoordinationEnvelope | MissionResultEnvelope;
     fromAgentId: string;
     toAgentId: string;
     /** The payload discriminant. Defaults to "profile_share" for backward-compat;
-     * a mission share passes "mission_share", a coordination message "coordination". */
-    kind?: "profile_share" | "mission_share" | "coordination";
+     * a mission share passes "mission_share", a coordination message "coordination",
+     * a result-return "mission_result" (gap-2). */
+    kind?: "profile_share" | "mission_share" | "coordination" | "mission_result";
     /** Injectable ISO clock for deterministic tests; defaults to now. */
     now?: string;
 }
@@ -54,8 +57,8 @@ export interface IncomingMessage {
     fromAgentId: string;
     toAgentId: string;
     issuedAt: string;
-    kind: "profile_share" | "mission_share" | "coordination";
-    envelope: ProfileShareEnvelope | MissionShareEnvelope | CoordinationEnvelope;
+    kind: "profile_share" | "mission_share" | "coordination" | "mission_result";
+    envelope: ProfileShareEnvelope | MissionShareEnvelope | CoordinationEnvelope | MissionResultEnvelope;
     relativePath: string;
 }
 export interface ReadIncomingInput {

package/dist/mailbox/index.js

@@ -86,7 +86,7 @@ function isWellFormedWrapper(value) {
         typeof value.fromAgentId === "string" &&
         typeof value.toAgentId === "string" &&
         typeof value.issuedAt === "string" &&
-        (value.kind === "profile_share" || value.kind === "mission_share" || value.kind === "coordination") &&
+        (value.kind === "profile_share" || value.kind === "mission_share" || value.kind === "coordination" || value.kind === "mission_result") &&
         typeof value.envelope === "object" &&
         value.envelope !== null &&
         !Array.isArray(value.envelope));

package/dist/mcp/dispatch.d.ts

@@ -1,14 +1,40 @@
 import type { FriendStore } from "../store";
 import type { GrantStore } from "../grant-store";
 import type { MissionStore } from "../mission-store";
+import type { AuditSink } from "../audit";
+import type { SenseType } from "../types";
+import type { AccountMembershipResult } from "../account-roster";
 type Args = Record<string, unknown>;
 export interface DispatchResult {
     result: unknown;
     isError: boolean;
 }
+/** WHO/WHENCE context stamped onto a control-plane audit record (finding 3). The MCP
+ * server passes the local owner/sense it was constructed with. */
+export interface ControlPlaneContext {
+    actor?: string;
+    originSense?: string;
+    /** The management SENSE the gate evaluates for `connect_to` (p11 inc2, brick 8).
+     * The stdio path is owner-only, so this defaults to `local` (`?? "local"`) — a
+     * `local` management sense COMMITS. A network/multi-tenant transport that constructs
+     * the server MUST pass its real senseType (`open` ⇒ confirm-prompt downgrade; `closed`
+     * ⇒ gated by `membership`). Distinct from `originSense` (a free-form audit string like
+     * "stdio"); this is the typed SenseType the authority predicate consumes. */
+    senseType?: SenseType;
+    /** The PRE-COMPUTED account-roster membership for a `closed`-sense `connect_to`
+     * (p11 inc2). The stdio `local` path never consults it (left `undefined`); a `closed`
+     * network transport supplies the membership it already evaluated against the roster.
+     * The boundary stays thin — it forwards this to the library, computing no membership
+     * itself (the MCP `resolve_party` path does not wire a roster context). */
+    membership?: AccountMembershipResult;
+}
+/** Whether wiring an AuditSink should also stamp a record for an `onboard_agent` trust
+ * seat: only when the owner explicitly set a trustLevel (a deliberate trust decision).
+ * A cold contact with no trustLevel lands at the safe `stranger` default (Bug A) and is
+ * NOT an owner trust mutation, so it is not audited. */
 export declare function coerceBool(v: unknown): boolean;
 export declare function coerceInt(v: unknown): number | undefined;
 export declare function coerceString(v: unknown): string;
 export declare function coerceOptionalString(v: unknown): string | undefined;
-export declare function dispatchTool(store: FriendStore, name: string, args: Args, grants?: GrantStore, missions?: MissionStore): Promise<DispatchResult>;
+export declare function dispatchTool(store: FriendStore, name: string, args: Args, grants?: GrantStore, missions?: MissionStore, audit?: AuditSink, controlContext?: ControlPlaneContext): Promise<DispatchResult>;
 export {};

package/dist/mcp/dispatch.js

@@ -11,6 +11,7 @@ exports.dispatchTool = dispatchTool;
 // the library fns. `dispatchTool` is a flat tool → library-fn map (D9/D10) with
 // NO domain logic of its own — every behavior lives in the friends library.
 const observability_1 = require("../observability");
+const identity_1 = require("../identity");
 const types_1 = require("../types");
 const resolver_1 = require("../resolver");
 const trust_explanation_1 = require("../trust-explanation");
@@ -31,6 +32,19 @@ const missions_1 = require("../missions");
 const mission_share_1 = require("../mission-share");
 const coordination_1 = require("../coordination");
 const types_2 = require("../types");
+const connect_1 = require("../connect");
+const mission_result_1 = require("../mission-result");
+/** SECURITY (finding 3-A): the friends MCP server speaks JSON-RPC over **stdio**, and
+ * stdio is an owner-only channel — the local user who launched the process is the only
+ * actor. So when no explicit controlContext is wired, audited mutations are attributed
+ * to the stdio owner boundary rather than the generic "unknown". A network/multi-tenant
+ * transport MUST pass its own authenticated actor instead of relying on these. */
+const STDIO_OWNER_ACTOR = "owner:stdio";
+const STDIO_ORIGIN_SENSE = "stdio";
+/** Whether wiring an AuditSink should also stamp a record for an `onboard_agent` trust
+ * seat: only when the owner explicitly set a trustLevel (a deliberate trust decision).
+ * A cold contact with no trustLevel lands at the safe `stranger` default (Bug A) and is
+ * NOT an owner trust mutation, so it is not audited. */
 function coerceBool(v) {
     return v === true || v === "true";
 }
@@ -69,13 +83,18 @@ const NO_GRANT_STORE = { ok: false, status: "unsupported", message: "no grant st
  * embedding). The mission ledger needs mission persistence, so report it cleanly
  * rather than guessing. */
 const NO_MISSION_STORE = { ok: false, status: "unsupported", message: "no mission store configured (mission tools require one)" };
-async function dispatchTool(store, name, args, grants, missions) {
+async function dispatchTool(store, name, args, grants, missions, audit, controlContext) {
     (0, observability_1.emitNervesEvent)({
         component: "clients",
         event: "clients.mcp_dispatch",
         message: "dispatching friends mcp tool",
         meta: { tool: name },
     });
+    // SECURITY (finding 3 / 3-A): resolve the WHO/WHENCE for an audited mutation. With
+    // no explicit context, attribute to the stdio owner boundary (the only actor on an
+    // owner-only stdio channel) rather than the generic "unknown".
+    const auditActor = controlContext?.actor ?? STDIO_OWNER_ACTOR;
+    const auditOriginSense = controlContext?.originSense ?? STDIO_ORIGIN_SENSE;
     switch (name) {
         case "resolve_party": {
             const provider = coerceString(args.provider);
@@ -188,7 +207,14 @@ async function dispatchTool(store, name, args, grants, missions) {
             return { result: results, isError: false };
         }
         case "set_trust": {
-            const result = await (0, trust_mutation_1.setFriendTrust)(store, coerceString(args.friendId), coerceString(args.trustLevel));
+            // SECURITY (finding 3): thread the audit sink + owner/sense context so the LIVE
+            // trust mutation actually writes a control-plane record. With no sink wired,
+            // setFriendTrust treats the ctx as a no-op (back-compat).
+            const result = await (0, trust_mutation_1.setFriendTrust)(store, coerceString(args.friendId), coerceString(args.trustLevel), {
+                ...(audit ? { sink: audit } : {}),
+                actor: auditActor,
+                originSense: auditOriginSense,
+            });
             return { result, isError: result.ok === false };
         }
         case "link_identity": {
@@ -207,16 +233,59 @@ async function dispatchTool(store, name, args, grants, missions) {
             return { result, isError: result.ok === false };
         }
         case "onboard_agent": {
+            const explicitTrustLevel = coerceOptionalString(args.trustLevel);
             const record = await (0, agent_peer_1.upsertAgentPeer)(store, {
                 name: coerceString(args.name),
                 agentId: coerceString(args.agentId),
-                trustLevel: coerceOptionalString(args.trustLevel),
+                trustLevel: explicitTrustLevel,
                 a2a: parseMaybeJson(args.a2a),
                 mailbox: parseMaybeJson(args.mailbox),
                 bundleName: coerceOptionalString(args.bundleName),
             });
+            // SECURITY (finding 3): an owner-initiated trust SEAT (an explicit trustLevel) is
+            // a control-plane trust mutation, so audit it through the wired sink. A cold
+            // contact with no trustLevel falls to the safe `stranger` default (Bug A) — not
+            // an owner trust decision — so it is left unaudited.
+            if (audit && explicitTrustLevel !== undefined) {
+                const targetDid = (0, identity_1.resolveAgentIdentity)(record.agentMeta).did;
+                const auditRecord = {
+                    action: "set_trust",
+                    targetId: record.id,
+                    ...(targetDid !== undefined ? { targetDid } : {}),
+                    level: explicitTrustLevel,
+                    actor: auditActor,
+                    originSense: auditOriginSense,
+                    ts: record.updatedAt,
+                };
+                await audit.append(auditRecord);
+            }
             return { result: record, isError: false };
         }
+        case "connect_to": {
+            // The management-sense control plane (p11 inc2, brick 8). The boundary stays
+            // thin — coerce the peer handles + level, resolve the gate's management sense
+            // (the stdio path is owner-only ⇒ `local`), and forward to the library, which
+            // owns the authority gate + disambiguation + introduce + audit. `isError` reflects
+            // ok===false (a `downgraded` / `needs_handle_or_introduction` result is an error
+            // result like the other mutation cases).
+            const result = await (0, connect_1.connectAgents)(store, {
+                peer: {
+                    agentId: coerceOptionalString(args.agentId),
+                    did: coerceOptionalString(args.did),
+                    name: coerceOptionalString(args.name),
+                },
+                // The stdio default is `local` (owner-only); a network transport supplies its
+                // real senseType via controlContext. The proof's stdio path commits.
+                senseType: controlContext?.senseType ?? "local",
+                ...(controlContext?.membership ? { membership: controlContext.membership } : {}),
+                trustLevel: coerceOptionalString(args.trustLevel),
+            }, {
+                ...(audit ? { audit } : {}),
+                actor: auditActor,
+                originSense: auditOriginSense,
+            });
+            return { result, isError: result.ok === false };
+        }
         case "whoami": {
             return { result: await (0, whoami_1.whoami)(store), isError: false };
         }
@@ -396,6 +465,9 @@ async function dispatchTool(store, name, args, grants, missions) {
                 note: coerceOptionalString(args.note),
                 proposedAssignee: parseMaybeJson(args.proposedAssignee),
                 selfAgentId,
+                // gap-1 (p11 inc2): an optional task-spec, meaningful only on a `request`. The
+                // library mints the requestId + records the delegation first-party.
+                task: parseMaybeJson(args.task),
                 proof: coerceOptionalString(args.proof),
             });
             return { result, isError: result.ok === false };
@@ -425,6 +497,41 @@ async function dispatchTool(store, name, args, grants, missions) {
             }
             return { result: record.coordination ?? { assignee: undefined, log: [] }, isError: false };
         }
+        case "send_result": {
+            // Producer (gap-2): B returns its deliverable. Self identity comes from whoami
+            // (the dispatch is store-only); the mission is named by its missionKey inside the
+            // library. Gated on BOTH a GrantStore (consent via the "coordinate" scope) and a
+            // MissionStore — exactly like share_mission.
+            if (!missions || !grants)
+                return { result: NO_MISSION_STORE, isError: true };
+            const self = await (0, whoami_1.whoami)(store);
+            const selfAgentId = self.selfFriendId ?? "";
+            const result = await (0, mission_result_1.prepareMissionResult)(missions, store, grants, {
+                missionId: coerceString(args.missionId),
+                toAgentId: coerceString(args.toAgentId),
+                requestId: coerceString(args.requestId),
+                result: parseMaybeJson(args.result) ?? { summary: "" },
+                selfAgentId,
+                proof: coerceOptionalString(args.proof),
+            });
+            return { result, isError: result.ok === false };
+        }
+        case "import_result": {
+            // Consumer (gap-2): A imports B's deliverable. Gated on the MissionStore, like
+            // import_mission. An invalid/malformed envelope is a clean `invalid` result.
+            if (!missions)
+                return { result: NO_MISSION_STORE, isError: true };
+            const envelope = parseMaybeJson(args.envelope);
+            if (!envelope || typeof envelope !== "object") {
+                return { result: { ok: false, status: "invalid", message: "an envelope object is required" }, isError: true };
+            }
+            const result = await (0, mission_result_1.importMissionResult)(missions, {
+                envelope,
+                fromAgentId: coerceString(args.fromAgentId),
+                trustOfSource: coerceString(args.trustOfSource),
+            });
+            return { result, isError: result.ok === false };
+        }
         default: {
             return { result: { error: `Unknown tool: ${name}` }, isError: true };
         }

package/dist/mcp/run-main.js

@@ -35,11 +35,14 @@ function runMain(argv, env, io) {
         message: "friends mcp run-main",
         meta: { source },
     });
-    // The consent-grant + mission collections are sibling `_grants/` + `_missions/`
-    // dirs under the friends dir, so the single `--dir` wires the whole substrate
-    // (friends + consent + missions). `openFileBundle` encapsulates that convention.
-    const { store, grants, missions } = (0, file_bundle_1.openFileBundle)(dir);
-    const server = (0, server_1.createFriendsMcpServer)({ store, grants, missions, stdin: io.stdin, stdout: io.stdout });
+    // The consent-grant + mission + audit collections are sibling `_grants/`,
+    // `_missions/`, `_audit/` dirs under the friends dir, so the single `--dir` wires the
+    // whole substrate. `openFileBundle` encapsulates that convention.
+    const { store, grants, missions, audit } = (0, file_bundle_1.openFileBundle)(dir);
+    // SECURITY (finding 3 / 3-A): thread the FileAuditSink into the live server so trust
+    // mutations are audited. The `friends-mcp` bin speaks owner-only stdio, so the
+    // default actor/originSense (the stdio owner boundary) is the correct attribution.
+    const server = (0, server_1.createFriendsMcpServer)({ store, grants, missions, audit, stdin: io.stdin, stdout: io.stdout });
     server.start();
     return server;
 }

package/dist/mcp/schemas.js

@@ -3,14 +3,18 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getToolSchemas = getToolSchemas;
 // MCP tool schemas for the friends server.
 //
-// 29 tools — a thin 1:1 surface over the friends library (D7): the original 14,
+// 32 tools — a thin 1:1 surface over the friends library (D7): the original 14,
 // the cross-agent moat surface (resolve_room, import_profile, grant_share,
 // revoke_share, list_shares; share_profile is de-stubbed in place), the brick-3
 // mission ledger (record_mission, get_mission, list_missions, share_mission,
 // import_mission), the brick-4 earned-standing lenses (assess_standing,
 // explain_standing — read-only, advisory; never write trust, never on the wire),
-// and the brick-5 coordination verbs (coordinate, import_coordination,
-// get_coordination — negotiate WHO does a mission; advisory assignment metadata).
+// the brick-5 coordination verbs (coordinate, import_coordination,
+// get_coordination — negotiate WHO does a mission; advisory assignment metadata),
+// and the p11-inc2 own-fleet delegation surface (connect_to — the management-sense
+// control plane that links two own agents + audits action:"connect"; send_result,
+// import_result — the result-return / delegation deliverable channel that carries
+// B's produced artifact back to A, attributed + correlated + quarantined on import).
 // Each schema follows JSON Schema for
 // `inputSchema` as required by MCP. The shape mirrors the harness's McpToolSchema
 // so the same client tooling consumes both.
@@ -187,7 +191,7 @@ function getToolSchemas() {
                 properties: {
                     name: { type: "string", description: "the peer agent's name" },
                     agentId: { type: "string", description: "the a2a agent id" },
-                    trustLevel: { type: "string", description: "trust level (default acquaintance)" },
+                    trustLevel: { type: "string", description: "trust level (default stranger (cold contact))" },
                     a2a: { type: "object", description: "a2a coordinates { cardUrl?, endpointUrl?, protocolVersion? }" },
                     mailbox: { type: "object", description: "optional A2A git-mailbox coords { repo, selfOutboxAgentId }" },
                     bundleName: { type: "string", description: "optional bundle name" },
@@ -195,6 +199,20 @@ function getToolSchemas() {
                 required: ["name", "agentId"],
             },
         },
+        {
+            name: "connect_to",
+            description: "Management-sense control plane (brick 8): the owner links one of their OWN agents into this agent's fleet — introduce a peer by agentId/did/name at a trust level (default family for own-fleet). Authority-gated: commits inline ONLY from a local (owner-only stdio) or roster-verified same-account closed sense; an open sense never commits inline (it downgrades to a confirm-prompt); a bare name with no resolvable handle/DID and no record hit returns needs_handle_or_introduction (never fabricates a target). Writes one control-plane audit record (action:'connect') through the wired sink. Returns { ok:true, status:'connected', record } or { ok:false, status:'downgraded'|'needs_handle_or_introduction', downgrade? }.",
+            inputSchema: {
+                type: "object",
+                properties: {
+                    agentId: { type: "string", description: "the peer agent's join-key agentId (an owner-supplied handle)" },
+                    did: { type: "string", description: "the peer's DID (an alternative handle; must resolve to an existing record)" },
+                    name: { type: "string", description: "the peer's colloquial name (resolves ONLY by matching an existing record — never fabricated)" },
+                    trustLevel: { type: "string", enum: ["family", "friend", "acquaintance", "stranger"], description: "the trust to link at (default family for own-fleet linked agents)" },
+                    proof: { type: "string", description: "optional opaque proof slot (reserved; the TOFU path ignores it)" },
+                },
+            },
+        },
         {
             name: "whoami",
             description: "Resolve who the machine owner is and which friend record represents the self.",
@@ -365,6 +383,7 @@ function getToolSchemas() {
                     intent: { type: "string", enum: ["request", "offer", "accept", "decline", "handoff"], description: "the coordination verb: request (will you take this?) / offer (I'll take this) / accept (yes, I'm on it — sets assignee=self) / decline (no) / handoff (it's yours now — you must hold the assignment; proposes a new assignee)" },
                     note: { type: "string", description: "optional free text carried on the message + logged" },
                     proposedAssignee: { type: "object", description: "the proposed new assignee { agentId?, agentName? } — meaningful ONLY on intent=handoff" },
+                    task: { type: "object", description: "optional delegation task-spec { summary, details?, inputs? } — meaningful ONLY on intent=request (gap-2); the producer mints a requestId, stamps it on the envelope, and records the delegation first-party for the result-return to correlate against" },
                     proof: { type: "string", description: "optional opaque proof to stamp on the envelope (for a non-TOFU recipient verifier)" },
                 },
                 required: ["missionId", "toAgentId", "intent"],
@@ -394,5 +413,33 @@ function getToolSchemas() {
                 required: ["missionId"],
             },
         },
+        {
+            name: "send_result",
+            description: "Producer (gap-2 — the result-return): B returns its DELIVERABLE for a delegation, attributed to B (from whoami) + correlated to A's task-spec by requestId, named by the mission's missionKey (never the local uuid). Consent-gated via the identity-tier 'coordinate' scope (a result is B answering A's own delegation — trust ≥ friend suffices; NO new scope). Records the result first-party on B's own mission. Returns { ok, envelope } or { ok:false, status: not_found|no_consent }.",
+            inputSchema: {
+                type: "object",
+                properties: {
+                    missionId: { type: "string", description: "the local mission B is returning a result for (its local uuid id)" },
+                    toAgentId: { type: "string", description: "the recipient agent's join-key agentId — A, the delegator" },
+                    requestId: { type: "string", description: "the delegation correlation key (the task-spec's requestId)" },
+                    result: { type: "object", description: "B's deliverable { summary, artifact?, outputs? }" },
+                    proof: { type: "string", description: "optional opaque proof to stamp on the envelope (for a non-TOFU recipient verifier)" },
+                },
+                required: ["missionId", "toAgentId", "requestId", "result"],
+            },
+        },
+        {
+            name: "import_result",
+            description: "Consumer (gap-2, non-clobbering merge): A imports B's result-return. Resolves the mission by missionKey; lands B's deliverable QUARANTINED + attributed under importedResults WITHOUT touching first-party; source trust caps acceptance (checked before correlation); a result whose requestId matches no prior first-party delegation is REJECTED (no_delegation — A only accepts results for work it delegated); an unknown mission is no_mission (a result never seeds a mission); never recomputes status/participants. Returns { ok, status, record } or { ok:false, status: untrusted_source|no_mission|no_delegation|invalid }.",
+            inputSchema: {
+                type: "object",
+                properties: {
+                    envelope: { type: "object", description: "the MissionResultEnvelope to import" },
+                    fromAgentId: { type: "string", description: "the agent the envelope arrived from (join-key agentId) — B" },
+                    trustOfSource: { type: "string", enum: ["family", "friend", "acquaintance", "stranger"], description: "this agent's resolved trust in the source agent — the acceptance cap" },
+                },
+                required: ["envelope", "fromAgentId", "trustOfSource"],
+            },
+        },
     ];
 }

package/dist/mcp/server.d.ts

@@ -1,6 +1,8 @@
 import type { FriendStore } from "../store";
 import type { GrantStore } from "../grant-store";
 import type { MissionStore } from "../mission-store";
+import type { AuditSink } from "../audit";
+import type { ControlPlaneContext } from "./dispatch";
 export interface FriendsMcpServerOptions {
     store: FriendStore;
     /** Optional consent-grant store. When omitted, the consent/share tools
@@ -11,6 +13,13 @@ export interface FriendsMcpServerOptions {
      * (record_mission / get_mission / list_missions / share_mission /
      * import_mission) report `unsupported`; everything else works without it. */
     missions?: MissionStore;
+    /** Optional control-plane audit sink (Bug B, finding 3). When wired, the LIVE
+     * trust mutations (`set_trust`, and an explicit-trust-seat `onboard_agent`) append
+     * an append-only audit record. When omitted, those mutations are unaudited. */
+    audit?: AuditSink;
+    /** Optional WHO/WHENCE context for audited mutations. Defaults to the stdio
+     * owner-only boundary (finding 3-A) when omitted. */
+    controlContext?: ControlPlaneContext;
     stdin: NodeJS.ReadableStream;
     stdout: NodeJS.WritableStream;
 }

package/dist/mcp/server.js

@@ -13,7 +13,7 @@ const observability_1 = require("../observability");
 const schemas_1 = require("./schemas");
 const dispatch_1 = require("./dispatch");
 function createFriendsMcpServer(options) {
-    const { store, grants, missions, stdin, stdout } = options;
+    const { store, grants, missions, audit, controlContext, stdin, stdout } = options;
     let buffer = "";
     let running = false;
     let useContentLengthFraming = true;
@@ -145,7 +145,7 @@ function createFriendsMcpServer(options) {
         const toolName = params.name ?? "";
         const toolArgs = params.arguments ?? {};
         try {
-            const { result, isError } = await (0, dispatch_1.dispatchTool)(store, toolName, toolArgs, grants, missions);
+            const { result, isError } = await (0, dispatch_1.dispatchTool)(store, toolName, toolArgs, grants, missions, audit, controlContext);
             writeResponse({
                 jsonrpc: "2.0",
                 id: request.id,