@rootzero/contracts 0.9.5 → 0.9.7

package/{Commands.sol → Endpoints.sol}

@@ -1,12 +1,15 @@
 // SPDX-License-Identifier: GPL-3.0-only
 pragma solidity ^0.8.33;
 
-// Aggregator: re-exports command, admin, and peer abstractions.
-// Import this file to inherit from the full rootzero command surface without managing individual paths.
+// Aggregator: re-exports command, admin, peer, guard, and query endpoint abstractions.
+// Import this file to inherit from the full rootzero callable host surface without managing individual paths.
 
+// Shared helpers
+import { Keys } from "./blocks/Keys.sol";
 import { CommandBase, CommandContext } from "./commands/Base.sol";
 import { Payable } from "./core/Payable.sol";
-import { Keys } from "./blocks/Keys.sol";
+
+// Commands
 import { Burn, BurnHook } from "./commands/Burn.sol";
 import { CreditAccount, CreditAccountHook } from "./commands/Credit.sol";
 import { DebitAccount, DebitAccountHook } from "./commands/Debit.sol";
@@ -14,22 +17,34 @@ import { Deposit, DepositHook, DepositPayable, DepositPayableHook } from "./comm
 import { Provision, ProvisionHook, ProvisionPayable, ProvisionPayableHook } from "./commands/Provision.sol";
 import { Transfer, TransferHook } from "./commands/Transfer.sol";
 import { Withdraw, WithdrawHook } from "./commands/Withdraw.sol";
+
+// Admin commands
 import { AllowAssets, AllowAssetsHook } from "./commands/admin/AllowAssets.sol";
-import { Destroy, DestroyHook } from "./commands/admin/Destroy.sol";
-import { ExecutePayable } from "./commands/admin/Execute.sol";
+import { Allowance, AllowanceHook } from "./commands/admin/Allowance.sol";
+import { Appoint } from "./commands/admin/Appoint.sol";
 import { Authorize } from "./commands/admin/Authorize.sol";
+import { Destroy, DestroyHook } from "./commands/admin/Destroy.sol";
 import { DenyAssets, DenyAssetsHook } from "./commands/admin/DenyAssets.sol";
+import { Dismiss } from "./commands/admin/Dismiss.sol";
+import { ExecutePayable } from "./commands/admin/Execute.sol";
 import { Init, InitHook } from "./commands/admin/Init.sol";
-import { Allowance, AllowanceHook } from "./commands/admin/Allowance.sol";
 import { Unauthorize } from "./commands/admin/Unauthorize.sol";
+
+// Peer endpoints
 import { PeerBase, encodePeerCall } from "./peer/Base.sol";
+import { PeerAllowAssets } from "./peer/AllowAssets.sol";
 import { PeerAllowance } from "./peer/Allowance.sol";
 import { PeerBalancePull, BalancePullHook } from "./peer/BalancePull.sol";
-import { PeerAllowAssets } from "./peer/AllowAssets.sol";
 import { PeerDenyAssets } from "./peer/DenyAssets.sol";
 import { PeerPipePayable } from "./peer/Pipe.sol";
 import { PeerSettle } from "./peer/Settle.sol";
 
+// Guard endpoints
+import { GuardBase, encodeGuardCall } from "./guards/Base.sol";
+import { Revoke } from "./guards/Revoke.sol";
 
-
-
+// Query endpoints
+import { QueryBase, encodeQueryCall } from "./queries/Base.sol";
+import { AssetStatus, AssetStatusHook } from "./queries/Assets.sol";
+import { GetBalances, GetBalancesHook } from "./queries/Balances.sol";
+import { GetPosition, GetPositionHook } from "./queries/Positions.sol";

package/Events.sol

@@ -4,23 +4,24 @@ pragma solidity ^0.8.33;
 // Aggregator: re-exports all event contracts.
 // Import this file to get access to every event emitter in one import.
 
-import { AccessEvent } from "./events/Access.sol";
 import { AdminEvent } from "./events/Admin.sol";
-import { AssetEvent } from "./events/Asset.sol";
+import { AssetStatusEvent } from "./events/Asset.sol";
 import { BalanceEvent } from "./events/Balance.sol";
 import { CollateralEvent } from "./events/Collateral.sol";
 import { CommandEvent } from "./events/Command.sol";
+import { Contexts } from "./events/Contexts.sol";
 import { DebtEvent } from "./events/Debt.sol";
-import { DepositEvent } from "./events/Deposit.sol";
-import { AssetPositionEvent } from "./events/Position.sol";
+import { PositionEvent } from "./events/Position.sol";
+import { ReceivedEvent } from "./events/Received.sol";
 import { EventEmitter } from "./events/Emitter.sol";
+import { GuardEvent } from "./events/Guard.sol";
+import { GuardianEvent } from "./events/Guardian.sol";
 import { IntroductionEvent } from "./events/Introduction.sol";
-import { ListingEvent } from "./events/Listing.sol";
+import { NodeEvent } from "./events/Node.sol";
 import { PeerEvent } from "./events/Peer.sol";
 import { QueryEvent } from "./events/Query.sol";
 import { RootedEvent } from "./events/Rooted.sol";
-import { SwapEvent } from "./events/Swap.sol";
-import { WithdrawalEvent } from "./events/Withdraw.sol";
+import { SpentEvent } from "./events/Spent.sol";
 
 
 

package/README.md

@@ -9,8 +9,7 @@ It contains the reusable contracts, utilities, cursor parsers, and encoding help
 Most consumers should start from the package root entry points:
 
 - `@rootzero/contracts/Core.sol` — host, access control, balances, and validator building blocks
-- `@rootzero/contracts/Commands.sol` — command and peer base contracts plus all standard command mixins
-- `@rootzero/contracts/Queries.sol` — query base contracts plus standard query mixins
+- `@rootzero/contracts/Endpoints.sol` — command, peer, guard, and query base contracts plus standard endpoint mixins
 - `@rootzero/contracts/Cursors.sol` — cursor reader (`Cur`), block schemas, key constants, typed block helpers, and writers
 - `@rootzero/contracts/Utils.sol` — IDs, assets, accounts, layout, and value helpers
 - `@rootzero/contracts/Events.sol` — reusable event emitters and event contracts
@@ -66,7 +65,7 @@ Extend `CommandBase` to define a command mixin that runs inside the protocol's t
 // SPDX-License-Identifier: GPL-3.0-only
 pragma solidity ^0.8.33;
 
-import { CommandBase, CommandContext, Keys } from "@rootzero/contracts/Commands.sol";
+import { CommandBase, CommandContext, Keys } from "@rootzero/contracts/Endpoints.sol";
 import { Cursors, Cur, Schemas, Writer, Writers } from "@rootzero/contracts/Cursors.sol";
 
 using Cursors for Cur;

package/blocks/Cursors.sol

@@ -531,21 +531,19 @@ library Cursors {
         return createBlock(Keys.Context, bytes.concat(account, toBytesBlock(state), toBytesBlock(request)));
     }
 
-    /// @notice Encode a RELAY block.
-    /// @param target Command target identifier.
-    /// @param value Native value assigned to the relay.
+    /// @notice Encode a PIPE block.
+    /// @param value Native value assigned to the pipe.
     /// @param account Command account identifier.
     /// @param state Embedded state block stream.
     /// @param request Embedded request block stream.
-    /// @return Encoded RELAY block bytes.
-    function toRelayBlock(
-        uint target,
+    /// @return Encoded PIPE block bytes.
+    function toPipeBlock(
         uint value,
         bytes32 account,
         bytes memory state,
         bytes memory request
     ) internal pure returns (bytes memory) {
-        return createBlock(Keys.Relay, bytes.concat(bytes32(target), bytes32(value), toContextBlock(account, state, request)));
+        return createBlock(Keys.Pipe, bytes.concat(bytes32(value), toContextBlock(account, state, request)));
     }
 
     // -------------------------------------------------------------------------
@@ -1112,18 +1110,16 @@ library Cursors {
         cur.exit(end);
     }
 
-    /// @notice Consume a RELAY block and return its target, value, and context fields.
+    /// @notice Consume a PIPE block and return its value and context fields.
     /// @param cur Cursor; advanced past the block.
-    /// @return target Destination command/node ID.
-    /// @return value Native value assigned to the relay.
+    /// @return value Native value assigned to the pipe.
     /// @return account Command account identifier.
     /// @return state Embedded state block stream.
     /// @return request Embedded request block stream.
-    function unpackRelay(
+    function unpackPipe(
         Cur memory cur
-    ) internal pure returns (uint target, uint value, bytes32 account, bytes calldata state, bytes calldata request) {
-        uint end = cur.enter(Keys.Relay, 64 + Sizes.Header + 32 + 2 * Sizes.Header, 0);
-        target = uint(cur.read32());
+    ) internal pure returns (uint value, bytes32 account, bytes calldata state, bytes calldata request) {
+        uint end = cur.enter(Keys.Pipe, 32 + Sizes.Header + 32 + 2 * Sizes.Header, 0);
         value = uint(cur.read32());
         (account, state, request) = cur.unpackContext();
         cur.exit(end);

package/blocks/Keys.sol

@@ -43,8 +43,8 @@ library Keys {
     bytes4 constant Call = bytes4(keccak256("#call"));
     /// @dev Command context transport - (bytes32 account, #bytes as state, #bytes as request)
     bytes4 constant Context = bytes4(keccak256("#context"));
-    /// @dev Pipeline relay - (uint target, uint value, #context)
-    bytes4 constant Relay = bytes4(keccak256("#relay"));
+    /// @dev Pipeline invocation - (uint value, #context)
+    bytes4 constant Pipe = bytes4(keccak256("#pipe"));
     /// @dev Authentication proof - (uint cid, uint deadline, #bytes as proof); must appear last in its segment
     bytes4 constant Auth = bytes4(keccak256("#auth"));
     /// @dev Asset descriptor without amount - (bytes32 asset, bytes32 meta)
@@ -54,7 +54,7 @@ library Keys {
     /// @dev Relayer bounty - (uint amount, bytes32 relayer)
     bytes4 constant Bounty = bytes4(keccak256("#bounty"));
 
-    /// @dev Structural status form - (bool ok)
+    /// @dev Structural status form - (uint code)
     bytes4 constant Status = bytes4(keccak256("#status"));
     /// @dev Structural asset amount form - (bytes32 asset, bytes32 meta, uint amount)
     bytes4 constant AssetAmount = bytes4(keccak256("#assetAmount"));

package/blocks/Schema.sol

@@ -60,7 +60,7 @@ library Schemas {
     string constant Allowance = "#allowance { uint host, bytes32 asset, bytes32 meta, uint amount }";
     string constant Transaction = "#transaction { bytes32 from, bytes32 to, bytes32 asset, bytes32 meta, uint amount }";
     string constant Context = "#context { bytes32 account, #bytes as state, #bytes as request }";
-    string constant Relay = "#relay { uint target, uint value, #context { bytes32 account, #bytes as state, #bytes as request } }";
+    string constant Pipe = "#pipe { uint value, #context { bytes32 account, #bytes as state, #bytes as request } }";
     string constant Call = "#call { uint target, uint value, #bytes as payload }";
     string constant Step = "#step { uint target, uint value, #bytes as request }";
     string constant Bounty = "#bounty { uint amount, bytes32 relayer }";
@@ -76,7 +76,7 @@ library Schemas {
 /// @notice Reusable structural block schemas for core tuple shapes.
 /// These describe payload form without assigning command or query semantics.
 library Forms {
-    string constant Status = "#status { bool ok }";
+    string constant Status = "#status { uint code }";
     string constant AssetAmount = "#assetAmount { bytes32 asset, bytes32 meta, uint amount }";
     string constant AccountAsset = "#accountAsset { bytes32 account, bytes32 asset, bytes32 meta }";
     string constant AccountAmount = "#accountAmount { bytes32 account, bytes32 asset, bytes32 meta, uint amount }";
@@ -107,8 +107,8 @@ library Sizes {
     uint constant Proof = 85;
     /// @dev AUTH block: 8 header + 32 cid + 32 deadline + nested BYTES block with 85-byte proof = 165 bytes
     uint constant Auth = B64 + Header + Proof;
-    /// @dev STATUS block: 8 header + 1 bool byte = 9 bytes
-    uint constant Status = Header + 1;
+    /// @dev STATUS block: 8 header + 32 status code = 40 bytes
+    uint constant Status = B32;
     /// @dev AMOUNT block: 8 header + 32 asset + 32 meta + 32 amount = 104 bytes
     uint constant Amount = B96;
     /// @dev BALANCE block: 8 header + 32 asset + 32 meta + 32 amount = 104 bytes

package/blocks/Writers.sol

@@ -27,7 +27,7 @@ library Hints {
     uint constant Step = 256;
     uint constant Call = 256;
     uint constant Context = 512;
-    uint constant Relay = 640;
+    uint constant Pipe = 608;
 }
 
 /// @title Writers
@@ -224,12 +224,12 @@ library Writers {
         return allocFromHint(count, Hints.Context);
     }
 
-    /// @notice Allocate a writer for `count` RELAY blocks using a per-block capacity hint.
-    /// @dev The backing buffer expands automatically if encoded relays exceed the initial hint.
-    /// @param count Number of relay blocks to allocate space for.
+    /// @notice Allocate a writer for `count` PIPE blocks using a per-block capacity hint.
+    /// @dev The backing buffer expands automatically if encoded pipes exceed the initial hint.
+    /// @param count Number of pipe blocks to allocate space for.
     /// @return writer Allocated growable writer.
-    function allocRelays(uint count) internal pure returns (Writer memory writer) {
-        return allocFromHint(count, Hints.Relay);
+    function allocPipes(uint count) internal pure returns (Writer memory writer) {
+        return allocFromHint(count, Hints.Pipe);
     }
 
     // -------------------------------------------------------------------------
@@ -889,40 +889,37 @@ library Writers {
         appendBlock32BytesBytes(writer, Keys.Context, account, state, request);
     }
 
-    /// @notice Append a RELAY block with a nested CONTEXT block.
-    /// @param writer Destination writer; `i` is advanced by the encoded RELAY block length.
-    /// @param target Command target identifier.
-    /// @param value Native value assigned to the relay.
+    /// @notice Append a PIPE block with a nested CONTEXT block.
+    /// @param writer Destination writer; `i` is advanced by the encoded PIPE block length.
+    /// @param value Native value assigned to the pipe.
     /// @param account Command account identifier.
     /// @param state Raw nested state payload.
     /// @param request Raw nested request payload.
-    function appendRelay(
+    function appendPipe(
         Writer memory writer,
-        uint target,
         uint value,
         bytes32 account,
         bytes memory state,
         bytes memory request
     ) internal pure {
         uint i = writer.i;
-        uint len = 96 + 3 * Sizes.Header + state.length + request.length;
+        uint len = 64 + 3 * Sizes.Header + state.length + request.length;
         uint next = i + Sizes.Header + len;
         i = reserve(writer, next, next);
 
-        uint p = writeHeader(writer.dst, i, Keys.Relay, uint32(max32(len)));
+        uint p = writeHeader(writer.dst, i, Keys.Pipe, uint32(max32(len)));
         assembly ("memory-safe") {
-            mstore(add(p, 0x08), target)
-            mstore(add(p, 0x28), value)
+            mstore(add(p, 0x08), value)
         }
 
-        writeBlock32BytesBytes(writer.dst, i + Sizes.Header + 64, Keys.Context, account, state, request);
+        writeBlock32BytesBytes(writer.dst, i + Sizes.Header + 32, Keys.Context, account, state, request);
     }
 
     /// @notice Append a STATUS form block.
     /// @param writer Destination writer; `i` is advanced by `Sizes.Status`.
-    /// @param ok Status value to encode.
-    function appendStatus(Writer memory writer, bool ok) internal pure {
-        appendBlock32(writer, Keys.Status, ok ? bytes32(uint(1) << 248) : bytes32(0), 1);
+    /// @param code Status code to encode.
+    function appendStatus(Writer memory writer, uint code) internal pure {
+        appendBlock32(writer, Keys.Status, bytes32(code), 32);
     }
 
     /// @notice Append a BALANCE block using separate field values.

package/commands/Base.sol

@@ -23,12 +23,10 @@ struct CommandContext {
 abstract contract CommandBase is NodeCalls, CommandEvent {
     /// @dev Thrown when `onlyActive` finds that `deadline` has already passed.
     error Expired();
-    /// @dev Thrown when `onlyAdmin` finds that `account` is not the admin account.
-    error NotAdmin();
 
     /// @dev Restrict execution to the commander using the host's admin account.
     modifier onlyAdmin(bytes32 account) {
-        if (account != adminAccount) revert NotAdmin();
+        if (account != admin) revert AccessDenied();
         enforceCommander(msg.sender);
         _;
     }
@@ -39,12 +37,6 @@ abstract contract CommandBase is NodeCalls, CommandEvent {
         _;
     }
 
-    /// @dev Restrict execution to callers whose host node is trusted.
-    modifier onlyTrusted() {
-        enforceCaller(msg.sender);
-        _;
-    }
-
     /// @dev Restrict execution to invocations where `deadline` is in the future.
     /// @param deadline Unix timestamp after which the invocation is considered expired.
     modifier onlyActive(uint deadline) {

package/commands/admin/Appoint.sol

@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, Keys } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+import { AdminEvent } from "../../events/Admin.sol";
+using Cursors for Cur;
+
+/// @title Appoint
+/// @notice Admin command that grants guardian status to a list of account IDs.
+/// Each ACCOUNT block in the request is enabled as a guardian on the host.
+/// Only callable by the admin account.
+abstract contract Appoint is CommandBase, AdminEvent {
+    string private constant NAME = "appoint";
+
+    uint internal immutable appointId = commandId(NAME);
+
+    constructor() {
+        emit Admin(host, appointId, NAME, "1:0:0", Schemas.Account, Keys.Empty, Keys.Empty, false);
+    }
+
+    function appoint(
+        CommandContext calldata c
+    ) external onlyAdmin(c.account) returns (bytes memory) {
+        (Cur memory request, ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            bytes32 account = request.unpackAccount();
+            setGuardian(account, true);
+        }
+
+        request.close();
+        return "";
+    }
+}

package/commands/admin/Authorize.sol

@@ -26,7 +26,7 @@ abstract contract Authorize is CommandBase, AdminEvent {
 
         while (request.i < request.bound) {
             uint node = request.unpackNode();
-            authorize(node);
+            setNode(node, true);
         }
 
         request.close();

package/commands/admin/Dismiss.sol

@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, Keys } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+import { AdminEvent } from "../../events/Admin.sol";
+using Cursors for Cur;
+
+/// @title Dismiss
+/// @notice Admin command that revokes guardian status from a list of account IDs.
+/// Each ACCOUNT block in the request is disabled as a guardian on the host.
+/// Only callable by the admin account.
+abstract contract Dismiss is CommandBase, AdminEvent {
+    string private constant NAME = "dismiss";
+
+    uint internal immutable dismissId = commandId(NAME);
+
+    constructor() {
+        emit Admin(host, dismissId, NAME, "1:0:0", Schemas.Account, Keys.Empty, Keys.Empty, false);
+    }
+
+    function dismiss(
+        CommandContext calldata c
+    ) external onlyAdmin(c.account) returns (bytes memory) {
+        (Cur memory request, ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            bytes32 account = request.unpackAccount();
+            setGuardian(account, false);
+        }
+
+        request.close();
+        return "";
+    }
+}

package/commands/admin/Unauthorize.sol

@@ -26,7 +26,7 @@ abstract contract Unauthorize is CommandBase, AdminEvent {
 
         while (request.i < request.bound) {
             uint node = request.unpackNode();
-            unauthorize(node);
+            setNode(node, false);
         }
 
         request.close();

package/core/Access.sol

@@ -1,7 +1,8 @@
 // SPDX-License-Identifier: GPL-3.0-only
 pragma solidity ^0.8.33;
 
-import {AccessEvent} from "../events/Access.sol";
+import {NodeEvent} from "../events/Node.sol";
+import {GuardianEvent} from "../events/Guardian.sol";
 import {RootZeroContext} from "./Context.sol";
 import {Accounts} from "../utils/Accounts.sol";
 import {Ids} from "../utils/Ids.sol";
@@ -13,41 +14,48 @@ import {addrOr} from "../utils/Utils.sol";
 /// mapping of externally trusted node IDs. Inbound trust is host-based:
 /// trusted hosts, the commander, and this contract itself may interact
 /// with the host through the guarded command and peer entrypoints.
-abstract contract AccessControl is RootZeroContext, AccessEvent {
+abstract contract AccessControl is RootZeroContext, NodeEvent, GuardianEvent {
     /// @dev Trusted commander address. All calls from this address are implicitly trusted.
     /// Defaults to `address(this)` when no external commander is provided.
     address internal immutable commander;
     /// @dev Admin account ID derived from the commander address at construction time.
-    bytes32 internal immutable adminAccount;
+    bytes32 internal immutable admin;
 
-    /// @dev Mapping from node ID to trust status.
-    mapping(uint node => bool) internal trusted;
+    /// @dev Mapping from guardian account ID to guardian status.
+    mapping(bytes32 account => bool) internal guardians;
 
-    /// @dev Thrown when `enforceCaller` is called by an address that is not trusted.
-    error UnauthorizedCaller(address addr);
+    /// @dev Mapping from node ID to trust status.
+    mapping(uint node => bool) internal nodes;
 
-    /// @dev Thrown when a required trusted node is missing from the trusted set.
-    error UnauthorizedNode(uint node);
+    /// @dev Thrown when a caller, account, or node lacks required access.
+    error AccessDenied();
 
     constructor(address cmdr) {
         commander = addrOr(cmdr, address(this));
-        adminAccount = Accounts.toAdmin(commander);
+        admin = Accounts.toAdmin(commander);
+    }
+
+    /// @notice Set authorization status for a node.
+    /// @param node Node ID to update.
+    /// @param active True to authorize the node, false to revoke it.
+    function setNode(uint node, bool active) internal {
+        nodes[node] = active;
+        emit Node(host, node, active);
     }
 
-    /// @notice Grant authorization for a node.
-    /// Accepts any node ID that should be trusted by this contract.
-    /// @param node Node ID to authorize.
-    function authorize(uint node) internal {
-        trusted[node] = true;
-        emit Access(host, node, true);
+    /// @notice Set guardian status for an account.
+    /// @param account Guardian account ID to update.
+    /// @param active True to enable the guardian, false to revoke it.
+    function setGuardian(bytes32 account, bool active) internal {
+        Accounts.guardian(account);
+        guardians[account] = active;
+        emit Guardian(host, account, active);
     }
 
-    /// @notice Revoke authorization for a node.
-    /// Accepts any node ID that should no longer be trusted by this contract.
-    /// @param node Node ID to unauthorize.
-    function unauthorize(uint node) internal {
-        trusted[node] = false;
-        emit Access(host, node, false);
+    /// @notice Return true if `addr` is an active guardian.
+    /// @param addr EVM address to check as a guardian account.
+    function isGuardian(address addr) internal view returns (bool) {
+        return guardians[Accounts.toGuardian(addr)];
     }
 
     /// @notice Return true if `caller` is an implicitly trusted address.
@@ -55,15 +63,15 @@ abstract contract AccessControl is RootZeroContext, AccessEvent {
     /// whose host ID has been explicitly authorized.
     /// @param caller Address to check.
     function isTrusted(address caller) internal view returns (bool) {
-        return caller == commander || caller == address(this) || trusted[Ids.toHost(caller)];
+        return caller == commander || caller == address(this) || nodes[Ids.toHost(caller)];
     }
 
     /// @notice Assert that `node` is in the trusted set and return it.
     /// @param node Node ID to validate.
     /// @return The same `node` value if trusted.
     function ensureTrusted(uint node) internal view returns (uint) {
-        if (node == 0 || !trusted[node]) {
-            revert UnauthorizedNode(node);
+        if (node == 0 || !nodes[node]) {
+            revert AccessDenied();
         }
         return node;
     }
@@ -74,7 +82,7 @@ abstract contract AccessControl is RootZeroContext, AccessEvent {
     /// @return The same `caller` value if trusted.
     function enforceCaller(address caller) internal view returns (address) {
         if (caller == address(0) || !isTrusted(caller)) {
-            revert UnauthorizedCaller(caller);
+            revert AccessDenied();
         }
         return caller;
     }
@@ -85,7 +93,7 @@ abstract contract AccessControl is RootZeroContext, AccessEvent {
     /// @return The same `caller` value if it is the commander.
     function enforceCommander(address caller) internal view returns (address) {
         if (caller == address(0) || caller != commander) {
-            revert UnauthorizedCaller(caller);
+            revert AccessDenied();
         }
         return caller;
     }

package/core/Host.sol

@@ -2,10 +2,13 @@
 pragma solidity ^0.8.33;
 
 import {AccessControl} from "./Access.sol";
+import {Appoint} from "../commands/admin/Appoint.sol";
 import {Authorize} from "../commands/admin/Authorize.sol";
+import {Dismiss} from "../commands/admin/Dismiss.sol";
 import {Unauthorize} from "../commands/admin/Unauthorize.sol";
 import {ExecutePayable} from "../commands/admin/Execute.sol";
 import {IntroductionEvent} from "../events/Introduction.sol";
+import {Ids} from "../utils/Ids.sol";
 
 /// @title IHostIntroduction
 /// @notice Interface implemented by hosts that accept introductions from other hosts.
@@ -23,7 +26,7 @@ interface IHostIntroduction {
 /// Inherits admin command support (authorize, unauthorize, executePayable) and
 /// optionally introduces itself to a commander host at deployment.
 /// Accepts native ETH payments via the `receive` function.
-abstract contract Host is Authorize, Unauthorize, ExecutePayable, IntroductionEvent, IHostIntroduction {
+abstract contract Host is Authorize, Unauthorize, Appoint, Dismiss, ExecutePayable, IntroductionEvent, IHostIntroduction {
     /// @param cmdr Commander address; passed to `AccessControl`.
     ///        If `cmdr` is a deployed contract, the host calls `introduce`
     ///        on it during construction.
@@ -35,13 +38,13 @@ abstract contract Host is Authorize, Unauthorize, ExecutePayable, IntroductionEv
     }
 
     /// @notice Record a host introduction claim.
-    /// @dev This event is informational only; it does not authorize or trust the introduced host.
+    /// @dev Validates that `peer` matches `msg.sender`; it does not authorize or trust the introduced host.
     /// @param peer Host node ID being introduced.
     /// @param blocknum Block number at which the host was deployed.
     /// @param version Protocol version the host implements.
     /// @param namespace Human-readable namespace string for the host.
     function introduce(uint peer, uint blocknum, uint16 version, string calldata namespace) external {
-        emit Introduction(peer, blocknum, version, namespace);
+        emit Introduction(Ids.matchHost(peer, msg.sender), blocknum, version, namespace);
     }
 
     /// @notice Accept native ETH transfers (e.g. from command value flows).

package/docs/Schema.md

@@ -58,7 +58,7 @@ Once a child block appears, no more fixed fields may follow.
 ```txt
 #call { uint target, uint value, #bytes as payload }
 #context { bytes32 account, #bytes as state, #bytes as request }
-#relay { uint target, uint value, #context { bytes32 account, #bytes as state, #bytes as request } }
+#pipe { uint value, #context { bytes32 account, #bytes as state, #bytes as request } }
 ```
 
 The tail is embedded directly as child block bytes. There is no wrapper around a
@@ -189,7 +189,7 @@ Common protocol schemas live in `contracts/blocks/Schema.sol`:
 #call { uint target, uint value, #bytes as payload }
 #step { uint target, uint value, #bytes as request }
 #context { bytes32 account, #bytes as state, #bytes as request }
-#relay { uint target, uint value, #context { bytes32 account, #bytes as state, #bytes as request } }
+#pipe { uint value, #context { bytes32 account, #bytes as state, #bytes as request } }
 #auth { uint cid, uint deadline, #bytes as proof }
 ```
 

package/events/Admin.sol

@@ -3,11 +3,11 @@ pragma solidity ^0.8.33;
 
 import { EventEmitter } from "./Emitter.sol";
 
-string constant ABI =
-    "event Admin(uint indexed host, uint id, string name, bytes32 shape, string request, bytes4 state, bytes4 output, bool acceptsValue)";
-
 /// @notice Emitted once per admin command during host deployment to publish its request schema and state keys.
 abstract contract AdminEvent is EventEmitter {
+    string private constant ABI =
+        "event Admin(uint indexed host, uint id, string name, bytes32 shape, string request, bytes4 state, bytes4 output, bool acceptsValue)";
+
     /// @param host Host node ID that owns this admin command.
     /// @param id Command node ID.
     /// @param name Human-readable command name.

package/events/Asset.sol

@@ -3,14 +3,15 @@ pragma solidity ^0.8.33;
 
 import { EventEmitter } from "./Emitter.sol";
 
-string constant ABI = "event Asset(uint indexed host, bytes32 name, uint32 prefix)";
+/// @notice Emitted when an asset support status is updated on a host.
+abstract contract AssetStatusEvent is EventEmitter {
+    string private constant ABI = "event AssetStatus(uint indexed host, bytes32 asset, bytes32 meta, uint status)";
 
-/// @notice Emitted when an asset is registered or updated on a host.
-abstract contract AssetEvent is EventEmitter {
-    /// @param host Host node ID that registered the asset.
-    /// @param name Asset name encoded as a bytes32 string.
-    /// @param prefix 4-byte type prefix of the asset ID.
-    event Asset(uint indexed host, bytes32 name, uint32 prefix);
+    /// @param host Host node ID that manages this listing.
+    /// @param asset Asset identifier.
+    /// @param meta Asset metadata slot.
+    /// @param status Asset support status. Zero means unsupported; nonzero means supported.
+    event AssetStatus(uint indexed host, bytes32 asset, bytes32 meta, uint status);
 
     constructor() {
         emit EventAbi(ABI);