@ouro.bot/friends 0.1.0-alpha.5 → 0.1.0-alpha.7

package/dist/mission-result.d.ts

@@ -0,0 +1,82 @@
+import type { MissionStore } from "./mission-store";
+import type { FriendStore } from "./store";
+import type { GrantStore } from "./grant-store";
+import type { MissionRecord, MissionResultEnvelope, TrustLevel } from "./types";
+import type { ConsentPolicy } from "./consent";
+import type { AgentVerifier } from "./verifier";
+export interface PrepareMissionResultInput {
+    /** The LOCAL mission B is returning a result for, by its local UUID id. */
+    missionId: string;
+    /** The recipient agent's join-key agentId — A, the delegator. */
+    toAgentId: string;
+    /** The delegation correlation key (the gap-1 task-spec's requestId). */
+    requestId: string;
+    /** B's deliverable. `requestId`/`provenance` are stamped by the producer. */
+    result: {
+        summary: string;
+        artifact?: string;
+        outputs?: Record<string, string>;
+    };
+    /** This agent's own join-key agentId — the attribution (fromAgentId = B). */
+    selfAgentId: string;
+    /** Optional proof to stamp on the envelope (for a non-TOFU recipient verifier). */
+    proof?: string;
+}
+export type PrepareMissionResultStatus = "not_found" | "no_consent";
+export type PrepareMissionResultResult = {
+    ok: true;
+    envelope: MissionResultEnvelope;
+} | {
+    ok: false;
+    status: PrepareMissionResultStatus;
+};
+/**
+ * Producer half of the result-return. Resolves the local mission by `missionId`; names
+ * it by its `missionKey` (NEVER the local UUID); attributes the result to `selfAgentId`
+ * (B); correlates by `requestId`. Consent-gated via the `"coordinate"` identity-tier
+ * scope (a result is B answering A's own delegation — trust ≥ friend suffices under the
+ * tiered default, ZERO new scope). Records the result first-party on B's own record under
+ * `results[requestId]`.
+ */
+export declare function prepareMissionResult(missions: MissionStore, store: FriendStore, grants: GrantStore, input: PrepareMissionResultInput, consent?: ConsentPolicy): Promise<PrepareMissionResultResult>;
+export interface ImportMissionResultInput {
+    envelope: MissionResultEnvelope;
+    /** The agent the envelope arrived from (its join-key agentId) — B. */
+    fromAgentId: string;
+    /** This agent's resolved trust in the source agent — the cap on acceptance. */
+    trustOfSource: TrustLevel;
+}
+export type ImportMissionResultStatus = "imported" | "no_mission" | "no_delegation" | "assignee_mismatch" | "untrusted_source";
+export type ImportMissionResultResult = {
+    ok: true;
+    status: "imported";
+    record: MissionRecord;
+} | {
+    ok: false;
+    status: "no_mission" | "no_delegation" | "assignee_mismatch" | "untrusted_source";
+};
+export interface ImportMissionResultOptions {
+    /** Authentication seam. Defaults to TOFU. Authorization (trust) is still applied
+     * regardless of what the verifier says. */
+    verifier?: AgentVerifier;
+    /** Minimum trust a source must hold for its result to be accepted at all.
+     * Default `acquaintance`: a stranger source is refused. */
+    minTrustToAccept?: TrustLevel;
+}
+/**
+ * Consumer half of the result-return — the non-clobbering merge. Order (PINNED):
+ *  (1) TOFU verifier + trust cap (both must pass, else `untrusted_source`, write nothing);
+ *  (2) unknown mission (no findByMissionKey hit) → `no_mission` (NO seeding — a result
+ *      never creates a mission);
+ *  (3) the result's `requestId` not present in the record's FIRST-PARTY `delegations`
+ *      (A never delegated this) → `no_delegation` — correlation honesty;
+ *  (3b) the matched delegation's recorded `assignee` is not the result's source
+ *      (`delegation.assignee.agentId !== fromAgentId`) → `assignee_mismatch` — assignee
+ *      honesty (security-review inc-2 finding 1). FAILS CLOSED on a legacy delegation with
+ *      no recorded assignee. A mismatch writes NOTHING (not even quarantined);
+ *  (4) otherwise land under `importedResults[agentId][requestId]` (dedupe on replay),
+ *      stamped imported + attributed + importedAt, NEVER touching first-party
+ *      `learnings`/`notes`/`status`/`delegations`/`results`, NEVER recomputing
+ *      status/participants (non-transitive).
+ */
+export declare function importMissionResult(missions: MissionStore, input: ImportMissionResultInput, options?: ImportMissionResultOptions): Promise<ImportMissionResultResult>;

package/dist/mission-result.js

@@ -0,0 +1,200 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prepareMissionResult = prepareMissionResult;
+exports.importMissionResult = importMissionResult;
+// prepareMissionResult (producer) + importMissionResult (consumer) — the result-return
+// envelope (gap-2, p11 inc2). The honest north-star DELIVERABLE channel. Structural twin
+// of mission-share.ts, re-aimed from a SHARE (outcomes/learnings) at a RESULT (B's actual
+// produced artifact, attributed to B, correlated to A's delegation via missionKey +
+// requestId). Q1 resolved: a NEW result envelope, NOT a mission_share reuse.
+//
+// Store-only + transport-agnostic: prepareMissionResult returns an envelope,
+// importMissionResult consumes one; the WIRE is the caller's job (the result rides the
+// mailbox under kind:"mission_result"). Pure — the only node builtin is `node:crypto`,
+// mirroring mission-share.ts. Core-clean (no a2a-client import).
+//
+// Through-line invariants (every one tested in mission-result.test.ts):
+//  - the mission is named by its JOIN KEY (missionKey), NEVER the local UUID;
+//  - fromAgentId === the producing self (attributed to B);
+//  - the result correlates to A's delegation via requestId;
+//  - consent rides the "coordinate" identity-tier scope — a result is B answering A's OWN
+//    delegation request (no third-party content), so trust ≥ friend suffices, exactly like
+//    coordinate; NO new ShareScope, NO new content grant;
+//  - on import the deliverable lands QUARANTINED under importedResults[agentId][requestId],
+//    attributed to B + stamped imported, WITHOUT touching first-party;
+//  - correlation honesty: a result whose requestId matches NO prior first-party delegation
+//    on A is REJECTED (no_delegation) — A only accepts results for work it delegated;
+//  - assignee honesty (security-review inc-2 finding 1): a result whose source is NOT the
+//    agent A delegated TO (delegation.assignee.agentId !== fromAgentId) is REJECTED
+//    (assignee_mismatch), even from a trusted peer with the right requestId; a legacy
+//    delegation with no recorded assignee FAILS CLOSED;
+//  - NO seeding: an unknown mission → no_mission (a result never creates a mission);
+//  - the source agent's trust CAPS acceptance (a stranger/over-trust source writes nothing),
+//    checked BEFORE correlation;
+//  - non-transitive: status/participants are NEVER recomputed; first-party byte-untouched;
+//  - idempotent on replay (same (agentId, requestId) → no double-land).
+const observability_1 = require("./observability");
+const consent_1 = require("./consent");
+const verifier_1 = require("./verifier");
+/**
+ * Producer half of the result-return. Resolves the local mission by `missionId`; names
+ * it by its `missionKey` (NEVER the local UUID); attributes the result to `selfAgentId`
+ * (B); correlates by `requestId`. Consent-gated via the `"coordinate"` identity-tier
+ * scope (a result is B answering A's own delegation — trust ≥ friend suffices under the
+ * tiered default, ZERO new scope). Records the result first-party on B's own record under
+ * `results[requestId]`.
+ */
+async function prepareMissionResult(missions, store, grants, input, consent = consent_1.DEFAULT_CONSENT_POLICY) {
+    const record = await missions.get(input.missionId);
+    if (!record) {
+        return { ok: false, status: "not_found" };
+    }
+    // The recipient's trust is read from this agent's own knowledge of it (the a2a-agent
+    // friend record for toAgentId). An unknown recipient defaults to stranger.
+    const recipientRecord = await store.findByExternalId("a2a-agent", input.toAgentId);
+    const recipientTrust = recipientRecord?.trustLevel ?? "stranger";
+    const recipient = { agentId: input.toAgentId, trustLevel: recipientTrust };
+    // Consent rides the EXISTING "coordinate" identity-tier scope — a result is B
+    // answering A's OWN delegation, so trust ≥ friend suffices under the tiered default,
+    // with ZERO change to consent logic and NO new scope.
+    const consented = await consent.consents({
+        subjectKey: record.missionKey,
+        recipient,
+        scope: "coordinate",
+        grants,
+    });
+    if (!consented) {
+        return { ok: false, status: "no_consent" };
+    }
+    const now = new Date().toISOString();
+    const envelope = {
+        subject: { missionKey: record.missionKey, title: record.title },
+        fromAgentId: input.selfAgentId,
+        requestId: input.requestId,
+        result: {
+            requestId: input.requestId,
+            summary: input.result.summary,
+            ...(input.result.artifact !== undefined ? { artifact: input.result.artifact } : {}),
+            ...(input.result.outputs !== undefined ? { outputs: input.result.outputs } : {}),
+        },
+        issuedAt: now,
+        ...(input.proof !== undefined ? { proof: input.proof } : {}),
+    };
+    // Record the result first-party on B's own mission under results[requestId].
+    const firstPartyResult = { ...envelope.result, provenance: { origin: "first_party" } };
+    const updated = {
+        ...record,
+        results: { ...(record.results ?? {}), [input.requestId]: firstPartyResult },
+        updatedAt: now,
+    };
+    await missions.put(updated.id, updated);
+    (0, observability_1.emitNervesEvent)({
+        component: "friends",
+        event: "friends.mission_result_prepared",
+        message: "prepared mission result envelope",
+        meta: { toAgentId: input.toAgentId, requestId: input.requestId, consentPolicy: consent.name },
+    });
+    return { ok: true, envelope };
+}
+// ── Consumer ──
+const TRUST_RANK = { family: 4, friend: 3, acquaintance: 2, stranger: 1 };
+/** Land B's deliverable under `importedResults[fromAgentId][requestId]`, returning a NEW
+ * namespace (never mutates the input). First-party `results` are NOT passed in and stay
+ * physically untouched. Idempotent per (agentId, requestId): an entry that already exists
+ * is preserved unchanged (never re-stamped). */
+function mergeImportedResult(record, result, fromAgentId, now) {
+    const existing = record.importedResults ?? {};
+    const forAgent = existing[fromAgentId] ?? {};
+    if (forAgent[result.requestId])
+        return existing;
+    return {
+        ...existing,
+        [fromAgentId]: {
+            ...forAgent,
+            [result.requestId]: {
+                requestId: result.requestId,
+                summary: result.summary,
+                ...(result.artifact !== undefined ? { artifact: result.artifact } : {}),
+                ...(result.outputs !== undefined ? { outputs: result.outputs } : {}),
+                provenance: { origin: "imported", assertedBy: { agentId: fromAgentId }, importedAt: now },
+            },
+        },
+    };
+}
+/**
+ * Consumer half of the result-return — the non-clobbering merge. Order (PINNED):
+ *  (1) TOFU verifier + trust cap (both must pass, else `untrusted_source`, write nothing);
+ *  (2) unknown mission (no findByMissionKey hit) → `no_mission` (NO seeding — a result
+ *      never creates a mission);
+ *  (3) the result's `requestId` not present in the record's FIRST-PARTY `delegations`
+ *      (A never delegated this) → `no_delegation` — correlation honesty;
+ *  (3b) the matched delegation's recorded `assignee` is not the result's source
+ *      (`delegation.assignee.agentId !== fromAgentId`) → `assignee_mismatch` — assignee
+ *      honesty (security-review inc-2 finding 1). FAILS CLOSED on a legacy delegation with
+ *      no recorded assignee. A mismatch writes NOTHING (not even quarantined);
+ *  (4) otherwise land under `importedResults[agentId][requestId]` (dedupe on replay),
+ *      stamped imported + attributed + importedAt, NEVER touching first-party
+ *      `learnings`/`notes`/`status`/`delegations`/`results`, NEVER recomputing
+ *      status/participants (non-transitive).
+ */
+async function importMissionResult(missions, input, options = {}) {
+    const verifier = options.verifier ?? verifier_1.DEFAULT_AGENT_VERIFIER;
+    const minTrust = options.minTrustToAccept ?? "acquaintance";
+    // (1) Authentication (caller's seam) AND authorization (trust ladder) must BOTH pass —
+    // checked BEFORE correlation, so a stranger never even learns whether the mission exists.
+    const authenticated = verifier.verify(input.fromAgentId, input.envelope.proof);
+    const trustedEnough = TRUST_RANK[input.trustOfSource] >= TRUST_RANK[minTrust];
+    if (!authenticated || !trustedEnough) {
+        (0, observability_1.emitNervesEvent)({
+            component: "friends",
+            event: "friends.mission_result_refused",
+            message: "refused mission result from untrusted source",
+            meta: { fromAgentId: input.fromAgentId, trustOfSource: input.trustOfSource, authenticated },
+        });
+        return { ok: false, status: "untrusted_source" };
+    }
+    // (2) Unknown mission → no_mission. A result NEVER seeds a mission (distinct from
+    // mission-share's friend-seed).
+    const existing = await missions.findByMissionKey(input.envelope.subject.missionKey);
+    if (!existing) {
+        return { ok: false, status: "no_mission" };
+    }
+    // (3) Correlation honesty — the requestId must name a delegation THIS agent issued
+    // first-party (A only accepts results for work it actually delegated).
+    const delegation = existing.delegations?.[input.envelope.requestId];
+    if (!delegation) {
+        return { ok: false, status: "no_delegation" };
+    }
+    // (3b) Assignee honesty (security-review inc-2 finding 1) — the result's SOURCE must be
+    // the very agent A delegated TO. The requestId being delegated is NOT enough: a peer C
+    // that A trusts (≥ the cap) who learned a requestId A delegated to a DIFFERENT agent B
+    // could otherwise inject a forged result. FAILS CLOSED on a legacy/orphan delegation with
+    // no recorded assignee (reject, never land). A mismatch writes NOTHING — not even
+    // quarantined.
+    if (delegation.assignee?.agentId !== input.fromAgentId) {
+        (0, observability_1.emitNervesEvent)({
+            component: "friends",
+            event: "friends.mission_result_refused",
+            message: "refused mission result — source is not the delegation's assignee",
+            meta: {
+                fromAgentId: input.fromAgentId,
+                requestId: input.envelope.requestId,
+                expectedAssignee: delegation.assignee?.agentId ?? null,
+            },
+        });
+        return { ok: false, status: "assignee_mismatch" };
+    }
+    // (4) Land the deliverable quarantined + attributed, never touching first-party, never
+    // recomputing status/participants (non-transitive).
+    const now = new Date().toISOString();
+    const importedResults = mergeImportedResult(existing, input.envelope.result, input.fromAgentId, now);
+    const updated = { ...existing, importedResults, updatedAt: now };
+    await missions.put(updated.id, updated);
+    (0, observability_1.emitNervesEvent)({
+        component: "friends",
+        event: "friends.mission_result_imported",
+        message: "imported mission result into existing mission",
+        meta: { missionId: updated.id, fromAgentId: input.fromAgentId, requestId: input.envelope.requestId },
+    });
+    return { ok: true, status: "imported", record: updated };
+}

package/dist/mission-store-file.js

@@ -126,6 +126,14 @@ class FileMissionStore {
             // present iff the record carries one, so a legacy mission with no coordination
             // round-trips unchanged (absent ⇒ unclaimed).
             ...(raw.coordination && typeof raw.coordination === "object" ? { coordination: raw.coordination } : {}),
+            // The delegation/result namespaces (gap-1 + gap-2, p11 inc2) pass through the same
+            // way: present iff the record carries one, so a legacy mission round-trips unchanged
+            // (absent ⇒ none). Without these, a FILE-backed store would silently drop them,
+            // breaking the result-return correlation (which reads first-party `delegations`).
+            ...(raw.delegations && typeof raw.delegations === "object" ? { delegations: raw.delegations } : {}),
+            ...(raw.importedDelegations && typeof raw.importedDelegations === "object" ? { importedDelegations: raw.importedDelegations } : {}),
+            ...(raw.results && typeof raw.results === "object" ? { results: raw.results } : {}),
+            ...(raw.importedResults && typeof raw.importedResults === "object" ? { importedResults: raw.importedResults } : {}),
             createdAt: typeof raw.createdAt === "string" ? raw.createdAt : new Date().toISOString(),
             updatedAt: typeof raw.updatedAt === "string" ? raw.updatedAt : new Date().toISOString(),
             schemaVersion: typeof raw.schemaVersion === "number" ? raw.schemaVersion : 1,

package/dist/resolver.d.ts

@@ -1,5 +1,29 @@
 import type { FriendStore } from "./store";
 import type { IdentityProvider, ResolvedContext } from "./types";
+import type { RosterStore } from "./roster-store";
+import type { RosterVerifier } from "./roster-verifier";
+/** Optional roster context for a cold-contact resolution (Bug C). When supplied AND
+ * the candidate's `did` is a key-verified member of the pinned account roster, the
+ * resolver seats `family` (attributable to `same_account`) even when the peer is on
+ * a different OS user. Constructor-injected (not a `resolve()` arg) so existing
+ * `new FriendResolver(store, params)` call sites stay source-compatible. The
+ * resolver stays core-clean: the Ed25519 `verifier` arrives via the seam — never an
+ * a2a-client import. */
+export interface FriendResolverRosterContext {
+    store: RosterStore;
+    accountId: string;
+    /** The peer's did. PRECONDITION (finding 2): the host has already authenticated
+     * that the peer controls this did (the a2a-client sealed-envelope gate runs
+     * `DidVerifier` before resolution). The resolver wraps it in a `VerifiedCandidate`
+     * on the caller's behalf — so only seed this from a verified inbound identity, never
+     * an unauthenticated, peer-claimed string. */
+    candidateDid: string;
+    /** PRECONDITION (finding 1): to actually seat family, this MUST be a cryptographic
+     * verifier (`ed25519RosterVerifier`, `grantsFamily: true`). With it absent (the
+     * identity-only default), `evaluateAccountMembership` fails closed and the resolver
+     * keeps the cold-A2A `stranger` default — never family. */
+    verifier?: RosterVerifier;
+}
 export interface FriendResolverParams {
     provider: IdentityProvider;
     externalId: string;
@@ -22,7 +46,14 @@ export declare function isLocalMachineOwnerIdentity(provider: string, externalId
 export declare class FriendResolver {
     private readonly store;
     private readonly params;
-    constructor(store: FriendStore, params: FriendResolverParams);
+    private readonly roster?;
+    constructor(store: FriendStore, params: FriendResolverParams, roster?: FriendResolverRosterContext);
     resolve(): Promise<ResolvedContext>;
     private resolveOrCreate;
+    /** Bug C — whether the candidate is family via a key-verified account roster.
+     * Reads the pinned roster + roster key from the injected RosterStore and reuses
+     * `evaluateAccountMembership`. Returns false (no family) when no roster context is
+     * wired, the roster/pin is absent, or membership is anything but
+     * `family_same_account` (unverified / not-member / key-mismatch all stay false). */
+    private evaluateRosterFamily;
 }

package/dist/resolver.js

@@ -11,6 +11,7 @@ const crypto_1 = require("crypto");
 const os_1 = require("os");
 const channel_1 = require("./channel");
 const observability_1 = require("./observability");
+const account_roster_1 = require("./account-roster");
 const CURRENT_SCHEMA_VERSION = 1;
 // Test seam: when set (including to null), overrides OS detection of the
 // machine-owner username so resolver tests are deterministic.
@@ -46,9 +47,11 @@ function isLocalMachineOwnerIdentity(provider, externalId, ownerUsername) {
 class FriendResolver {
     store;
     params;
-    constructor(store, params) {
+    roster;
+    constructor(store, params, roster) {
         this.store = store;
         this.params = params;
+        this.roster = roster;
     }
     async resolve() {
         const friend = await this.resolveOrCreate();
@@ -123,6 +126,13 @@ class FriendResolver {
         }
         const isFirstImprint = !hasAnyFriends;
         const isA2AAgent = this.params.provider === "a2a-agent";
+        // Bug C — roster-awareness. When a roster context is injected AND the candidate's
+        // did is a key-verified member of the pinned account roster, seat `family` (even
+        // on a different OS user). Reuses `evaluateAccountMembership` against the pinned
+        // roster fetched from the injected RosterStore. Absent/unverifiable roster ⇒ the
+        // OS-owner + cold-A2A default below is unchanged. The resolver never imports
+        // a2a-client — the Ed25519 verifier arrives via the injected seam.
+        const isRosterFamily = await this.evaluateRosterFamily();
         // The local friend that names the OS user running the daemon is the machine
         // owner (family) — they own the agent + its bundle. Usually this friend already
         // exists as a family/primary hatch imprint; this covers the un-imprinted boss
@@ -146,8 +156,11 @@ class FriendResolver {
         const friend = {
             id: (0, crypto_1.randomUUID)(),
             name: this.params.displayName,
-            role: isA2AAgent ? "agent-peer" : isFirstImprint ? "primary" : isLocalMachineOwner ? "family" : "stranger",
-            trustLevel: isA2AAgent ? "stranger" : (isFirstImprint || isLocalMachineOwner) ? "family" : "stranger",
+            // Bug C: a key-verified roster member is family (role + trustLevel), overriding
+            // the cold-A2A `agent-peer`/`stranger` default. Otherwise the matrix is
+            // unchanged: a2a ⇒ agent-peer/stranger; first imprint or machine owner ⇒ family.
+            role: isRosterFamily ? "family" : isA2AAgent ? "agent-peer" : isFirstImprint ? "primary" : isLocalMachineOwner ? "family" : "stranger",
+            trustLevel: isRosterFamily ? "family" : isA2AAgent ? "stranger" : (isFirstImprint || isLocalMachineOwner) ? "family" : "stranger",
             connections: [],
             externalIds: [externalId],
             tenantMemberships,
@@ -183,5 +196,39 @@ class FriendResolver {
         }
         return friend;
     }
+    /** Bug C — whether the candidate is family via a key-verified account roster.
+     * Reads the pinned roster + roster key from the injected RosterStore and reuses
+     * `evaluateAccountMembership`. Returns false (no family) when no roster context is
+     * wired, the roster/pin is absent, or membership is anything but
+     * `family_same_account` (unverified / not-member / key-mismatch all stay false). */
+    async evaluateRosterFamily() {
+        const ctx = this.roster;
+        if (!ctx)
+            return false;
+        const roster = await ctx.store.getRoster(ctx.accountId);
+        const pin = await ctx.store.getPin(ctx.accountId);
+        // The resolver grants family only against an ALREADY-pinned roster key (the pin
+        // is established during explicit onboarding, never silently at resolve time).
+        if (!roster || !pin)
+            return false;
+        const result = await (0, account_roster_1.evaluateAccountMembership)({
+            roster,
+            // The host authenticated the peer's control of this did upstream (see the
+            // FriendResolverRosterContext.candidateDid precondition); wrap it as verified.
+            candidate: (0, account_roster_1.verifiedCandidate)(ctx.candidateDid),
+            rosterKey: pin.rosterKey,
+            store: ctx.store,
+            ...(ctx.verifier !== undefined ? { verifier: ctx.verifier } : {}),
+        });
+        if (result.decision !== "family_same_account")
+            return false;
+        (0, observability_1.emitNervesEvent)({
+            component: "friends",
+            event: "friends.family_via_roster",
+            message: "seated family via the account roster (same_account)",
+            meta: { accountId: ctx.accountId, candidateDid: ctx.candidateDid },
+        });
+        return true;
+    }
 }
 exports.FriendResolver = FriendResolver;

package/dist/roster-store-file.d.ts

@@ -0,0 +1,16 @@
+import type { AccountRoster, RosterPin, RosterStore } from "./roster-store";
+/** The sibling rosters directory for a given friends directory:
+ * `<friendsDir>/_rosters`. A reserved `_`-prefixed subdir (like `_grants`) so one
+ * `--dir` still points the whole substrate at one place. */
+export declare function rostersDirFor(friendsDir: string): string;
+export declare class FileRosterStore implements RosterStore {
+    private readonly rostersPath;
+    constructor(rostersPath: string);
+    getRoster(accountId: string): Promise<AccountRoster | null>;
+    putRoster(roster: AccountRoster): Promise<void>;
+    getPin(accountId: string): Promise<RosterPin | null>;
+    putPin(pin: RosterPin): Promise<void>;
+    /** Read + parse a JSON file, returning null on a missing file, invalid JSON, or a
+     * non-object payload (guarded; mirrors FileGrantStore.readJson). */
+    private readJson;
+}

package/dist/roster-store-file.js

@@ -0,0 +1,125 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileRosterStore = void 0;
+exports.rostersDirFor = rostersDirFor;
+// FileRosterStore — filesystem adapter for RosterStore.
+//
+// Stores the account roster and its pinned key as JSON files in a sibling
+// `_rosters/` collection next to the friends directory (one `<accountId>.roster.json`
+// and one `<accountId>.pin.json` per account). Mirrors FileGrantStore's structure
+// (mkdir on construct, one file per record, guarded reads) so the stores feel
+// uniform.
+const fs = __importStar(require("fs"));
+const fsPromises = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+const observability_1 = require("./observability");
+/** The sibling rosters directory for a given friends directory:
+ * `<friendsDir>/_rosters`. A reserved `_`-prefixed subdir (like `_grants`) so one
+ * `--dir` still points the whole substrate at one place. */
+function rostersDirFor(friendsDir) {
+    return path.join(friendsDir, "_rosters");
+}
+/** SECURITY (finding 8, LOW): the accountId is interpolated into the
+ * `<accountId>.roster.json` / `.pin.json` filename, so a wire-influenced value like
+ * "../evil" could otherwise escape the `_rosters/` dir. Enforce a strict allowlist
+ * (alphanumerics, dot, underscore, hyphen — no path separators) AND a basename
+ * identity (no normalization surprises), rejecting `.`/`..` and the empty string.
+ * Throws on anything unsafe so a bad accountId can never reach the filesystem. */
+const SAFE_ACCOUNT_ID = /^[A-Za-z0-9._-]+$/;
+function assertSafeAccountId(accountId) {
+    // Basename identity is the primary traversal guard: any value carrying a path
+    // separator (`/` on POSIX, `/` or `\` on Windows) basenames to something else and is
+    // rejected. The charset allowlist then rejects the remaining unsafe-but-separatorless
+    // bytes (spaces, shell metachars, control chars, the empty string — `+` needs ≥1
+    // char). The explicit `.`/`..` reject closes the two in-charset relative-dir refs.
+    if (path.basename(accountId) !== accountId) {
+        throw new Error(`unsafe accountId ${JSON.stringify(accountId)}: must not contain a path separator`);
+    }
+    if (!SAFE_ACCOUNT_ID.test(accountId) || accountId === "." || accountId === "..") {
+        throw new Error(`unsafe accountId ${JSON.stringify(accountId)}: must match ${SAFE_ACCOUNT_ID} (not "." or "..")`);
+    }
+}
+class FileRosterStore {
+    rostersPath;
+    constructor(rostersPath) {
+        this.rostersPath = rostersPath;
+        fs.mkdirSync(rostersPath, { recursive: true });
+        (0, observability_1.emitNervesEvent)({
+            component: "friends",
+            event: "friends.roster_store_init",
+            message: "file roster store initialized",
+            meta: {},
+        });
+    }
+    async getRoster(accountId) {
+        assertSafeAccountId(accountId);
+        const raw = await this.readJson(path.join(this.rostersPath, `${accountId}.roster.json`));
+        return raw;
+    }
+    async putRoster(roster) {
+        assertSafeAccountId(roster.accountId);
+        await fsPromises.writeFile(path.join(this.rostersPath, `${roster.accountId}.roster.json`), JSON.stringify(roster, null, 2), "utf-8");
+    }
+    async getPin(accountId) {
+        assertSafeAccountId(accountId);
+        const raw = await this.readJson(path.join(this.rostersPath, `${accountId}.pin.json`));
+        return raw;
+    }
+    async putPin(pin) {
+        assertSafeAccountId(pin.accountId);
+        await fsPromises.writeFile(path.join(this.rostersPath, `${pin.accountId}.pin.json`), JSON.stringify(pin, null, 2), "utf-8");
+    }
+    /** Read + parse a JSON file, returning null on a missing file, invalid JSON, or a
+     * non-object payload (guarded; mirrors FileGrantStore.readJson). */
+    async readJson(filePath) {
+        try {
+            const raw = await fsPromises.readFile(filePath, "utf-8");
+            try {
+                const parsed = JSON.parse(raw);
+                if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+                    return null;
+                return parsed;
+            }
+            catch {
+                return null;
+            }
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.FileRosterStore = FileRosterStore;

package/dist/roster-store-memory.d.ts

@@ -0,0 +1,9 @@
+import type { AccountRoster, RosterPin, RosterStore } from "./roster-store";
+export declare class MemoryRosterStore implements RosterStore {
+    private readonly rosters;
+    private readonly pins;
+    getRoster(accountId: string): Promise<AccountRoster | null>;
+    putRoster(roster: AccountRoster): Promise<void>;
+    getPin(accountId: string): Promise<RosterPin | null>;
+    putPin(pin: RosterPin): Promise<void>;
+}

package/dist/roster-store-memory.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MemoryRosterStore = void 0;
+class MemoryRosterStore {
+    rosters = new Map();
+    pins = new Map();
+    async getRoster(accountId) {
+        return this.rosters.get(accountId) ?? null;
+    }
+    async putRoster(roster) {
+        this.rosters.set(roster.accountId, roster);
+    }
+    async getPin(accountId) {
+        return this.pins.get(accountId) ?? null;
+    }
+    async putPin(pin) {
+        this.pins.set(pin.accountId, pin);
+    }
+}
+exports.MemoryRosterStore = MemoryRosterStore;

package/dist/roster-store.d.ts

@@ -0,0 +1,29 @@
+/** The signed account roster as it lives on the wire / on disk. `members` lists the
+ * owner's agents by `{ handle, did }`; `epoch` is the monotonic roster version; the
+ * Ed25519 `sig` is over `jcsBytes({ accountId, members, epoch })` (the roster minus
+ * `sig`), exactly how `verifyEnvelopeSignature` signs the proof-stripped envelope. */
+export interface AccountRoster {
+    accountId: string;
+    members: {
+        handle: string;
+        did: string;
+    }[];
+    epoch: number;
+    sig: string;
+}
+/** The TOFU-pinned roster signing key for an account (first-contact pin; a changed
+ * key HARD-FAILS rather than silently re-pinning). `rosterKey` is the base64
+ * Ed25519 public key the roster `sig` must verify under. */
+export interface RosterPin {
+    accountId: string;
+    rosterKey: string;
+    pinnedAt: string;
+}
+/** Domain-specific store for the account roster + its pinned signing key. One
+ * roster and one pin per accountId. */
+export interface RosterStore {
+    getRoster(accountId: string): Promise<AccountRoster | null>;
+    putRoster(roster: AccountRoster): Promise<void>;
+    getPin(accountId: string): Promise<RosterPin | null>;
+    putPin(pin: RosterPin): Promise<void>;
+}

package/dist/roster-store.js

@@ -0,0 +1,9 @@
+"use strict";
+// Roster store abstraction (p11 Item 3 — the account roster).
+//
+// The pinned account roster + its TOFU roster-key pin persist through RosterStore —
+// a sibling to GrantStore/MissionStore, mirroring their shape. The core stays
+// storage-agnostic; backends stay pluggable. No roster module imports `fs` directly
+// except the FileRosterStore adapter. This file is a PURE INTERFACE (no logic) and
+// is coverage-excluded in vitest.config.ts, mirroring src/store.ts.
+Object.defineProperty(exports, "__esModule", { value: true });