@rootzero/contracts 0.9.1 → 0.9.2

package/Commands.sol

@@ -1,10 +1,10 @@
 // SPDX-License-Identifier: GPL-3.0-only
 pragma solidity ^0.8.33;
 
-// Aggregator: re-exports command, control, and remote abstractions.
+// Aggregator: re-exports command, admin, and peer abstractions.
 // Import this file to inherit from the full rootzero command surface without managing individual paths.
 
-import { CommandBase, CommandContext, CommandPayable, encodeCommandCall } from "./commands/Base.sol";
+import { CommandBase, CommandContext, CommandPayable } from "./commands/Base.sol";
 import { Keys } from "./blocks/Keys.sol";
 import { Burn, BurnHook } from "./commands/Burn.sol";
 import { CreditAccount, CreditAccountHook } from "./commands/Credit.sol";
@@ -14,20 +14,20 @@ import { PipePayable, PipePayableHook } from "./commands/Pipe.sol";
 import { Provision, ProvisionHook, ProvisionPayable, ProvisionPayableHook } from "./commands/Provision.sol";
 import { Transfer, TransferHook } from "./commands/Transfer.sol";
 import { Withdraw, WithdrawHook } from "./commands/Withdraw.sol";
-import { AllowAssets, AllowAssetsHook } from "./commands/control/AllowAssets.sol";
-import { Destroy, DestroyHook } from "./commands/control/Destroy.sol";
-import { ExecutePayable } from "./commands/control/Execute.sol";
-import { Authorize } from "./commands/control/Authorize.sol";
-import { DenyAssets, DenyAssetsHook } from "./commands/control/DenyAssets.sol";
-import { Init, InitHook } from "./commands/control/Init.sol";
-import { Allowance, AllowanceHook } from "./commands/control/Allowance.sol";
-import { Unauthorize } from "./commands/control/Unauthorize.sol";
-import { RemoteBase, encodeRemoteCall } from "./remote/Base.sol";
-import { RemoteAllowance } from "./remote/Allowance.sol";
-import { RemoteAssetPull, AssetPullHook } from "./remote/AssetPull.sol";
-import { RemoteAllowAssets } from "./remote/AllowAssets.sol";
-import { RemoteDenyAssets } from "./remote/DenyAssets.sol";
-import { RemoteSettle } from "./remote/Settle.sol";
+import { AllowAssets, AllowAssetsHook } from "./commands/admin/AllowAssets.sol";
+import { Destroy, DestroyHook } from "./commands/admin/Destroy.sol";
+import { ExecutePayable } from "./commands/admin/Execute.sol";
+import { Authorize } from "./commands/admin/Authorize.sol";
+import { DenyAssets, DenyAssetsHook } from "./commands/admin/DenyAssets.sol";
+import { Init, InitHook } from "./commands/admin/Init.sol";
+import { Allowance, AllowanceHook } from "./commands/admin/Allowance.sol";
+import { Unauthorize } from "./commands/admin/Unauthorize.sol";
+import { PeerBase, encodePeerCall } from "./peer/Base.sol";
+import { PeerAllowance } from "./peer/Allowance.sol";
+import { PeerAssetPull, AssetPullHook } from "./peer/AssetPull.sol";
+import { PeerAllowAssets } from "./peer/AllowAssets.sol";
+import { PeerDenyAssets } from "./peer/DenyAssets.sol";
+import { PeerSettle } from "./peer/Settle.sol";
 
 
 

package/Events.sol

@@ -5,7 +5,7 @@ pragma solidity ^0.8.33;
 // Import this file to get access to every event emitter in one import.
 
 import { AccessEvent } from "./events/Access.sol";
-import { ControlEvent } from "./events/Control.sol";
+import { AdminEvent } from "./events/Admin.sol";
 import { AssetEvent } from "./events/Asset.sol";
 import { BalanceEvent } from "./events/Balance.sol";
 import { CollateralEvent } from "./events/Collateral.sol";
@@ -17,9 +17,9 @@ import { EventEmitter } from "./events/Emitter.sol";
 import { GovernedEvent } from "./events/Governed.sol";
 import { HostAnnouncedEvent } from "./events/Host.sol";
 import { ListingEvent } from "./events/Listing.sol";
-import { RemoteEvent } from "./events/Remote.sol";
+import { PeerEvent } from "./events/Peer.sol";
 import { QueryEvent } from "./events/Query.sol";
-import { RootZeroEvent } from "./events/RootZero.sol";
+import { PipedEvent } from "./events/Piped.sol";
 import { SwapEvent } from "./events/Swap.sol";
 import { WithdrawalEvent } from "./events/Withdraw.sol";
 

package/Utils.sol

@@ -11,7 +11,7 @@ import { ECDSA } from "./utils/ECDSA.sol";
 import { Ids, Selectors } from "./utils/Ids.sol";
 import { Layout } from "./utils/Layout.sol";
 import { Schemas } from "./blocks/Schema.sol";
-import { addrOr, applyBps, beforeBps, bytes32ToInt, bytes32ToString, divisible, hash32, intToBytes32, isFamily, isLocal, isLocalFamily, matchesBase, MAX_BPS, max8, max16, max24, max32, max40, max64, max96, max128, max160, NotDivisible, retryTicket, toLocalBase, toLocalFamily, toUnspecifiedBase, ValueOverflow } from "./utils/Utils.sol";
+import { addrOr, applyBps, beforeBps, bytes32ToInt, bytes32ToString, divisible, hash32, intToBytes32, isFamily, isLocalChain, isLocalFamily, matchesBase, MAX_BPS, max8, max16, max24, max32, max40, max64, max96, max128, max160, NotDivisible, retryTicket, toLocalBase, toLocalFamily, toUnspecifiedBase, ValueOverflow } from "./utils/Utils.sol";
 import { Budget, Values } from "./utils/Value.sol";
 
 

package/commands/Base.sol

@@ -18,25 +18,6 @@ struct CommandContext {
     bytes request;
 }
 
-/// @notice ABI-encode a command call from a command ID and execution context.
-/// @dev Derives the function selector from `cid` via `Ids.commandSelector(cid)`.
-/// Reverts if `cid` is not a valid command ID.
-/// @param cid Command node ID embedding the target selector.
-/// @param account Caller account identifier for the command context.
-/// @param state Current state block stream passed to the command.
-/// @param request Input block stream for the command invocation.
-/// @return ABI-encoded calldata for the command entry point.
-function encodeCommandCall(
-    uint cid,
-    bytes32 account,
-    bytes memory state,
-    bytes calldata request
-) pure returns (bytes memory) {
-    bytes4 selector = Ids.commandSelector(cid);
-    CommandContext memory ctx = CommandContext(account, state, request);
-    return abi.encodeWithSelector(selector, ctx);
-}
-
 /// @title CommandBase
 /// @notice Abstract base for all rootzero command contracts.
 /// Provides access control modifiers, event emission, and the `commandId`

package/commands/Pipe.sol

@@ -9,8 +9,17 @@ import {Budget, Values} from "../utils/Value.sol";
 using Cursors for Cur;
 
 abstract contract PipePayableHook {
-    function dispatchStep(
-        uint target,
+    /// @notice Override to dispatch one piped command step.
+    /// Called once per STEP block. The returned bytes become the state passed to
+    /// the next step.
+    /// @param id Command node ID to invoke or handle.
+    /// @param account Account identifier for the piped command context.
+    /// @param state Current threaded state block stream.
+    /// @param request Step request block stream.
+    /// @param value Native value assigned to this step.
+    /// @return Updated state block stream for the next step.
+    function dispatchCommand(
+        uint id,
         bytes32 account,
         bytes memory state,
         bytes calldata request,
@@ -20,7 +29,7 @@ abstract contract PipePayableHook {
 
 /// @title PipePayable
 /// @notice Command that sequences multiple sub-command STEP invocations in a single transaction.
-/// Each STEP block carries a target node, native value to forward, and an embedded request.
+/// Each STEP block carries a command node, native value to forward, and an embedded request.
 /// State threads through the steps: each step's output becomes the next step's state.
 /// Admin accounts are not permitted to use `pipePayable`.
 abstract contract PipePayable is CommandPayable, PipePayableHook {
@@ -43,7 +52,7 @@ abstract contract PipePayable is CommandPayable, PipePayableHook {
         while (input.i < input.bound) {
             (uint target, uint value, bytes calldata request) = input.unpackStep();
             uint spend = Values.use(budget, value);
-            state = dispatchStep(target, account, state, request, spend);
+            state = dispatchCommand(target, account, state, request, spend);
         }
 
         settleValue(account, budget);
@@ -52,11 +61,7 @@ abstract contract PipePayable is CommandPayable, PipePayableHook {
     }
 
     /// @notice Execute the pipePayable command.
-    function pipePayable(
-        CommandContext calldata c
-    ) external payable onlyCommand(c.account) returns (bytes memory) {
-        if (Accounts.isAdmin(c.account)) revert Accounts.InvalidAccount();
-        Budget memory budget = Values.fromMsg();
-        return pipe(c.account, c.state, c.request, budget);
+    function pipePayable(CommandContext calldata c) external payable onlyCommand(c.account) returns (bytes memory) {
+        return pipe(Accounts.ensureNotAdmin(c.account), c.state, c.request, Values.fromMsg());
     }
 }

package/commands/Provision.sol

@@ -29,7 +29,7 @@ abstract contract ProvisionPayableHook {
 }
 
 /// @title Provision
-/// @notice Command that provisions assets to remote hosts from ALLOCATION request blocks.
+/// @notice Command that provisions assets to peer hosts from ALLOCATION request blocks.
 /// Each request block supplies the target host plus an asset amount; the output is a CUSTODY state stream.
 abstract contract Provision is CommandBase, ProvisionHook {
     string private constant NAME = "provision";
@@ -55,7 +55,7 @@ abstract contract Provision is CommandBase, ProvisionHook {
 }
 
 /// @title ProvisionPayable
-/// @notice Command that provisions assets to remote hosts from ALLOCATION request blocks.
+/// @notice Command that provisions assets to peer hosts from ALLOCATION request blocks.
 /// Each request block supplies the target host plus an asset amount; the output is a CUSTODY state stream.
 /// The hook receives a mutable native-value budget drawn from `msg.value`.
 abstract contract ProvisionPayable is CommandPayable, ProvisionPayableHook {

package/commands/{control → admin}/AllowAssets.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.33;
 
 import { CommandBase, CommandContext, Keys } from "../Base.sol";
 import { Cursors, Cur, Schemas } from "../../Cursors.sol";
-import { ControlEvent } from "../../events/Control.sol";
+import { AdminEvent } from "../../events/Admin.sol";
 using Cursors for Cur;
 
 abstract contract AllowAssetsHook {
@@ -13,15 +13,15 @@ abstract contract AllowAssetsHook {
 }
 
 /// @title AllowAssets
-/// @notice Control command that permits a list of (asset, meta) pairs via a virtual hook.
+/// @notice Admin command that permits a list of (asset, meta) pairs via a virtual hook.
 /// Each ASSET block in the request calls `allowAsset`. Only callable by the admin account.
-abstract contract AllowAssets is CommandBase, ControlEvent, AllowAssetsHook {
+abstract contract AllowAssets is CommandBase, AdminEvent, AllowAssetsHook {
     string private constant NAME = "allowAssets";
 
     uint internal immutable allowAssetsId = commandId(NAME);
 
     constructor() {
-        emit Control(host, allowAssetsId, NAME, Schemas.Asset, Keys.Empty, Keys.Empty, false);
+        emit Admin(host, allowAssetsId, NAME, Schemas.Asset, Keys.Empty, Keys.Empty, false);
     }
 
     function allowAssets(

package/commands/{control → admin}/Allowance.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.33;
 
 import {CommandBase, CommandContext, Keys} from "../Base.sol";
 import {Cursors, Cur, Schemas} from "../../Cursors.sol";
-import {ControlEvent} from "../../events/Control.sol";
+import {AdminEvent} from "../../events/Admin.sol";
 using Cursors for Cur;
 
 abstract contract AllowanceHook {
@@ -11,30 +11,30 @@ abstract contract AllowanceHook {
     /// Called once per ALLOWANCE block in the request. Implementations decide
     /// how the allowance is represented, e.g. ERC-20 approval, an internal cap,
     /// or another host-specific authorization record.
-    /// @param remote Host node receiving the allowed cap.
+    /// @param peer Host node receiving the allowed cap.
     /// @param asset Asset identifier.
     /// @param meta Asset metadata slot.
     /// @param amount Allowed cap amount.
-    function allowance(uint remote, bytes32 asset, bytes32 meta, uint amount) internal virtual;
+    function allowance(uint peer, bytes32 asset, bytes32 meta, uint amount) internal virtual;
 }
 
 /// @title Allowance
-/// @notice Control command that applies cross-host allowance entries via a virtual hook.
+/// @notice Admin command that applies cross-host allowance entries via a virtual hook.
 /// Each ALLOWANCE block grants or updates a host-scoped asset cap. Only callable by the admin account.
-abstract contract Allowance is CommandBase, ControlEvent, AllowanceHook {
+abstract contract Allowance is CommandBase, AdminEvent, AllowanceHook {
     string private constant NAME = "allowance";
     uint internal immutable allowanceId = commandId(NAME);
 
     constructor() {
-        emit Control(host, allowanceId, NAME, Schemas.Allowance, Keys.Empty, Keys.Empty, false);
+        emit Admin(host, allowanceId, NAME, Schemas.Allowance, Keys.Empty, Keys.Empty, false);
     }
 
     function allowance(CommandContext calldata c) external onlyAdmin(c.account) returns (bytes memory) {
         (Cur memory request, , ) = cursor(c.request, 1);
 
         while (request.i < request.bound) {
-            (uint remote, bytes32 asset, bytes32 meta, uint amount) = request.unpackAllowance();
-            allowance(remote, asset, meta, amount);
+            (uint peer, bytes32 asset, bytes32 meta, uint amount) = request.unpackAllowance();
+            allowance(peer, asset, meta, amount);
         }
 
         request.complete();

package/commands/{control → admin}/Authorize.sol

@@ -3,20 +3,20 @@ pragma solidity ^0.8.33;
 
 import { CommandBase, CommandContext, Keys } from "../Base.sol";
 import { Cursors, Cur, Schemas } from "../../Cursors.sol";
-import { ControlEvent } from "../../events/Control.sol";
+import { AdminEvent } from "../../events/Admin.sol";
 using Cursors for Cur;
 
 /// @title Authorize
-/// @notice Control command that grants authorization to a list of node IDs.
+/// @notice Admin command that grants authorization to a list of node IDs.
 /// Each NODE block in the request is authorized on the host.
 /// Only callable by the admin account.
-abstract contract Authorize is CommandBase, ControlEvent {
+abstract contract Authorize is CommandBase, AdminEvent {
     string private constant NAME = "authorize";
 
     uint internal immutable authorizeId = commandId(NAME);
 
     constructor() {
-        emit Control(host, authorizeId, NAME, Schemas.Node, Keys.Empty, Keys.Empty, false);
+        emit Admin(host, authorizeId, NAME, Schemas.Node, Keys.Empty, Keys.Empty, false);
     }
 
     function authorize(

package/commands/{control → admin}/DenyAssets.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.33;
 
 import { CommandBase, CommandContext, Keys } from "../Base.sol";
 import { Cursors, Cur, Schemas } from "../../Cursors.sol";
-import { ControlEvent } from "../../events/Control.sol";
+import { AdminEvent } from "../../events/Admin.sol";
 using Cursors for Cur;
 
 abstract contract DenyAssetsHook {
@@ -13,15 +13,15 @@ abstract contract DenyAssetsHook {
 }
 
 /// @title DenyAssets
-/// @notice Control command that blocks a list of (asset, meta) pairs via a virtual hook.
+/// @notice Admin command that blocks a list of (asset, meta) pairs via a virtual hook.
 /// Each ASSET block in the request calls `denyAsset`. Only callable by the admin account.
-abstract contract DenyAssets is CommandBase, ControlEvent, DenyAssetsHook {
+abstract contract DenyAssets is CommandBase, AdminEvent, DenyAssetsHook {
     string private constant NAME = "denyAssets";
 
     uint internal immutable denyAssetsId = commandId(NAME);
 
     constructor() {
-        emit Control(host, denyAssetsId, NAME, Schemas.Asset, Keys.Empty, Keys.Empty, false);
+        emit Admin(host, denyAssetsId, NAME, Schemas.Asset, Keys.Empty, Keys.Empty, false);
     }
 
     function denyAssets(

package/commands/{control → admin}/Destroy.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.33;
 
 import { CommandBase, CommandContext, Keys } from "../Base.sol";
 import { Cursors, Cur } from "../../Cursors.sol";
-import { ControlEvent } from "../../events/Control.sol";
+import { AdminEvent } from "../../events/Admin.sol";
 
 using Cursors for Cur;
 
@@ -14,15 +14,15 @@ abstract contract DestroyHook {
 }
 
 /// @title Destroy
-/// @notice Control command that runs host teardown logic via a virtual hook.
+/// @notice Admin command that runs host teardown logic via a virtual hook.
 /// The full request is passed to `destroy` as a cursor. Only callable by the admin account.
-abstract contract Destroy is CommandBase, ControlEvent, DestroyHook {
+abstract contract Destroy is CommandBase, AdminEvent, DestroyHook {
     string private constant NAME = "destroy";
 
     uint internal immutable destroyId = commandId(NAME);
 
     constructor(string memory input) {
-        emit Control(host, destroyId, NAME, input, Keys.Empty, Keys.Empty, false);
+        emit Admin(host, destroyId, NAME, input, Keys.Empty, Keys.Empty, false);
     }
 
     function destroy(

package/commands/{control → admin}/Execute.sol

@@ -3,23 +3,23 @@ pragma solidity ^0.8.33;
 
 import {CommandContext, CommandPayable, Keys} from "../Base.sol";
 import {Cursors, Cur, Schemas} from "../../Cursors.sol";
-import {ControlEvent} from "../../events/Control.sol";
+import {AdminEvent} from "../../events/Admin.sol";
 import {Budget, Values} from "../../utils/Value.sol";
 import {Ids} from "../../utils/Ids.sol";
 
 using Cursors for Cur;
 
 /// @title ExecutePayable
-/// @notice Control command that forwards raw calldata to one or more target nodes.
+/// @notice Admin command that forwards raw calldata to one or more target nodes.
 /// Each CALL block specifies a target node ID, native value, and raw calldata payload.
 /// Only callable by the admin account.
-abstract contract ExecutePayable is CommandPayable, ControlEvent {
+abstract contract ExecutePayable is CommandPayable, AdminEvent {
     string private constant NAME = "executePayable";
 
     uint internal immutable executePayableId = commandId(NAME);
 
     constructor() {
-        emit Control(host, executePayableId, NAME, Schemas.Call, Keys.Empty, Keys.Empty, true);
+        emit Admin(host, executePayableId, NAME, Schemas.Call, Keys.Empty, Keys.Empty, true);
     }
 
     function executePayable(CommandContext calldata c) external payable onlyAdmin(c.account) returns (bytes memory) {

package/commands/{control → admin}/Init.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.33;
 
 import { CommandBase, CommandContext, Keys } from "../Base.sol";
 import { Cursors, Cur } from "../../Cursors.sol";
-import { ControlEvent } from "../../events/Control.sol";
+import { AdminEvent } from "../../events/Admin.sol";
 
 using Cursors for Cur;
 
@@ -14,15 +14,15 @@ abstract contract InitHook {
 }
 
 /// @title Init
-/// @notice Control command that runs host initialization logic via a virtual hook.
+/// @notice Admin command that runs host initialization logic via a virtual hook.
 /// The full request is passed to `init` as a cursor. Only callable by the admin account.
-abstract contract Init is CommandBase, ControlEvent, InitHook {
+abstract contract Init is CommandBase, AdminEvent, InitHook {
     string private constant NAME = "init";
 
     uint internal immutable initId = commandId(NAME);
 
     constructor(string memory input) {
-        emit Control(host, initId, NAME, input, Keys.Empty, Keys.Empty, false);
+        emit Admin(host, initId, NAME, input, Keys.Empty, Keys.Empty, false);
     }
 
     function init(

package/commands/{control → admin}/Unauthorize.sol

@@ -3,20 +3,20 @@ pragma solidity ^0.8.33;
 
 import { CommandBase, CommandContext, Keys } from "../Base.sol";
 import { Cursors, Cur, Schemas } from "../../Cursors.sol";
-import { ControlEvent } from "../../events/Control.sol";
+import { AdminEvent } from "../../events/Admin.sol";
 using Cursors for Cur;
 
 /// @title Unauthorize
-/// @notice Control command that revokes authorization from a list of node IDs.
+/// @notice Admin command that revokes authorization from a list of node IDs.
 /// Each NODE block in the request is deauthorized on the host.
 /// Only callable by the admin account.
-abstract contract Unauthorize is CommandBase, ControlEvent {
+abstract contract Unauthorize is CommandBase, AdminEvent {
     string private constant NAME = "unauthorize";
 
     uint internal immutable unauthorizeId = commandId(NAME);
 
     constructor() {
-        emit Control(host, unauthorizeId, NAME, Schemas.Node, Keys.Empty, Keys.Empty, false);
+        emit Admin(host, unauthorizeId, NAME, Schemas.Node, Keys.Empty, Keys.Empty, false);
     }
 
     function unauthorize(

package/core/Access.sol

@@ -12,7 +12,7 @@ import {addrOr} from "../utils/Utils.sol";
 /// Tracks an immutable trusted commander, the host's own node ID, and a
 /// mapping of externally trusted node IDs. Inbound trust is host-based:
 /// trusted hosts, the commander, and this contract itself may interact
-/// with the host through the guarded command and remote entrypoints.
+/// with the host through the guarded command and peer entrypoints.
 abstract contract AccessControl is RootZeroContext, AccessEvent {
     /// @dev Trusted commander address. All calls from this address are implicitly trusted.
     /// Defaults to `address(this)` when no external commander is provided.
@@ -69,7 +69,7 @@ abstract contract AccessControl is RootZeroContext, AccessEvent {
     }
 
     /// @notice Assert that `caller` is trusted and return it.
-    /// Used by command and remote modifiers to gate execution to authorized senders.
+    /// Used by command and peer modifiers to gate execution to authorized senders.
     /// @param caller Address to validate.
     /// @return The same `caller` value if trusted.
     function enforceCaller(address caller) internal view returns (address) {

package/core/Calls.sol

@@ -2,6 +2,7 @@
 pragma solidity ^0.8.33;
 
 import {AccessControl} from "./Access.sol";
+import {CommandContext} from "../commands/Base.sol";
 import {Ids} from "../utils/Ids.sol";
 
 /// @dev Emitted when a trusted inter-node call fails.
@@ -53,7 +54,8 @@ abstract contract NodeCalls is AccessControl {
     /// @param data Encoded calldata to send.
     /// @return out Return data from the successful call.
     function callTo(uint node, uint value, bytes memory data) internal returns (bytes memory out) {
-        address addr = Ids.nodeAddr(ensureTrusted(node));
+        ensureTrusted(node);
+        address addr = Ids.nodeAddr(node);
         return callAddr(addr, value, data);
     }
 
@@ -64,7 +66,19 @@ abstract contract NodeCalls is AccessControl {
     /// @param data Encoded calldata to send.
     /// @return out Return data from the successful query.
     function queryTo(uint node, bytes memory data) internal view returns (bytes memory out) {
-        address addr = Ids.nodeAddr(ensureTrusted(node));
+        ensureTrusted(node);
+        address addr = Ids.nodeAddr(node);
         return queryAddr(addr, data);
     }
+
+    /// @notice Encode and call a trusted command node.
+    /// @param ctx Command execution context.
+    /// @param cid Command node ID embedding the target selector.
+    /// @param value Native value to forward in wei.
+    /// @return Decoded command output block stream.
+    function callCommand(CommandContext memory ctx, uint cid, uint value) internal returns (bytes memory) {
+        bytes4 selector = Ids.commandSelector(cid);
+        bytes memory data = abi.encodeWithSelector(selector, ctx);
+        return abi.decode(callTo(cid, value, data), (bytes));
+    }
 }

package/core/Host.sol

@@ -2,9 +2,9 @@
 pragma solidity ^0.8.33;
 
 import {AccessControl} from "./Access.sol";
-import {Authorize} from "../commands/control/Authorize.sol";
-import {Unauthorize} from "../commands/control/Unauthorize.sol";
-import {ExecutePayable} from "../commands/control/Execute.sol";
+import {Authorize} from "../commands/admin/Authorize.sol";
+import {Unauthorize} from "../commands/admin/Unauthorize.sol";
+import {ExecutePayable} from "../commands/admin/Execute.sol";
 import {HostAnnouncedEvent} from "../events/Host.sol";
 import {IHostDiscovery} from "../interfaces/IHostDiscovery.sol";
 import {Ids} from "../utils/Ids.sol";
@@ -25,7 +25,7 @@ abstract contract HostDiscovery is HostAnnouncedEvent, IHostDiscovery {
 
 /// @title Host
 /// @notice Abstract base contract for rootzero host implementations.
-/// Inherits control command support (authorize, unauthorize, executePayable) and
+/// Inherits admin command support (authorize, unauthorize, executePayable) and
 /// optionally announces itself to a discovery contract at deployment.
 /// Accepts native ETH payments via the `receive` function.
 abstract contract Host is Authorize, Unauthorize, ExecutePayable {

package/core/Types.sol

@@ -71,7 +71,7 @@ struct HostAccountAmount {
     uint amount;
 }
 
-/// @notice Transfer payload used by transaction blocks and remote settlement.
+/// @notice Transfer payload used by transaction blocks and peer settlement.
 struct Tx {
     /// @dev Sender account identifier.
     bytes32 from;

package/events/{Control.sol → Admin.sol}

@@ -4,18 +4,18 @@ pragma solidity ^0.8.33;
 import { EventEmitter } from "./Emitter.sol";
 
 string constant ABI =
-    "event Control(uint indexed host, uint id, string name, string request, bytes4 state, bytes4 output, bool acceptsValue)";
+    "event Admin(uint indexed host, uint id, string name, string request, bytes4 state, bytes4 output, bool acceptsValue)";
 
-/// @notice Emitted once per control command during host deployment to publish its request schema and state keys.
-abstract contract ControlEvent is EventEmitter {
-    /// @param host Host node ID that owns this control command.
+/// @notice Emitted once per admin command during host deployment to publish its request schema and state keys.
+abstract contract AdminEvent is EventEmitter {
+    /// @param host Host node ID that owns this admin command.
     /// @param id Command node ID.
     /// @param name Human-readable command name.
     /// @param request Schema DSL string describing the request shape.
     /// @param state Block key expected for input state, or `Keys.Empty`.
     /// @param output Block key produced for output state, or `Keys.Empty`.
     /// @param acceptsValue Whether the command entrypoint accepts nonzero `msg.value`.
-    event Control(
+    event Admin(
         uint indexed host,
         uint id,
         string name,

package/events/Peer.sol

@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { EventEmitter } from "./Emitter.sol";
+
+string constant ABI =
+    "event Peer(uint indexed host, uint id, string name, string request, bool acceptsValue)";
+
+/// @notice Emitted once per peer during host deployment to publish its request schema.
+abstract contract PeerEvent is EventEmitter {
+    /// @param host Host node ID that owns this peer.
+    /// @param id Peer node ID.
+    /// @param name Human-readable peer name.
+    /// @param request Schema DSL string describing the peer request shape.
+    /// @param acceptsValue Whether the peer entrypoint accepts nonzero `msg.value`.
+    event Peer(uint indexed host, uint id, string name, string request, bool acceptsValue);
+
+    constructor() {
+        emit EventAbi(ABI);
+    }
+}
+
+
+

package/events/{RootZero.sol → Piped.sol}

@@ -3,14 +3,14 @@ pragma solidity ^0.8.33;
 
 import { EventEmitter } from "./Emitter.sol";
 
-string constant ABI = "event RootZero(bytes32 indexed account, uint deadline, uint value)";
+string constant ABI = "event Piped(bytes32 indexed account, uint deadline, uint value)";
 
 /// @notice Emitted for root-level protocol actions (e.g. governance or protocol-wide operations).
-abstract contract RootZeroEvent is EventEmitter {
+abstract contract PipedEvent is EventEmitter {
     /// @param account Account identifier associated with the action.
     /// @param deadline Expiry timestamp of the action.
     /// @param value Native value associated with the action.
-    event RootZero(bytes32 indexed account, uint deadline, uint value);
+    event Piped(bytes32 indexed account, uint deadline, uint value);
 
     constructor() {
         emit EventAbi(ABI);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rootzero/contracts",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "Solidity contracts and protocol building blocks for rootzero hosts and commands.",
   "private": false,
   "license": "GPL-3.0-only",

package/peer/AllowAssets.sol

@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { PeerBase } from "./Base.sol";
+import { AllowAssetsHook } from "../commands/admin/AllowAssets.sol";
+import { Cursors, Cur, Schemas } from "../Cursors.sol";
+
+using Cursors for Cur;
+
+/// @title PeerAllowAssets
+/// @notice Peer that permits a list of (asset, meta) pairs on behalf of a peer host.
+/// Each ASSET block in the request calls `allowAsset`. Restricted to trusted peers.
+abstract contract PeerAllowAssets is PeerBase, AllowAssetsHook {
+    string private constant NAME = "peerAllowAssets";
+    uint internal immutable peerAllowAssetsId = peerId(NAME);
+
+    constructor() {
+        emit Peer(host, peerAllowAssetsId, NAME, Schemas.Asset, false);
+    }
+
+    /// @notice Execute the allow-assets peer call.
+    function peerAllowAssets(bytes calldata request) external onlyPeer returns (bytes memory) {
+        (Cur memory assets, , ) = cursor(request, 1);
+
+        while (assets.i < assets.bound) {
+            (bytes32 asset, bytes32 meta) = assets.unpackAsset();
+            allowAsset(asset, meta);
+        }
+
+        assets.complete();
+        return "";
+    }
+}
+
+
+
+
+