@rootzero/contracts 0.9.6 → 0.9.7

package/{Commands.sol → Endpoints.sol}

@@ -1,12 +1,15 @@
 // SPDX-License-Identifier: GPL-3.0-only
 pragma solidity ^0.8.33;
 
-// Aggregator: re-exports command, admin, and peer abstractions.
-// Import this file to inherit from the full rootzero command surface without managing individual paths.
+// Aggregator: re-exports command, admin, peer, guard, and query endpoint abstractions.
+// Import this file to inherit from the full rootzero callable host surface without managing individual paths.
 
+// Shared helpers
+import { Keys } from "./blocks/Keys.sol";
 import { CommandBase, CommandContext } from "./commands/Base.sol";
 import { Payable } from "./core/Payable.sol";
-import { Keys } from "./blocks/Keys.sol";
+
+// Commands
 import { Burn, BurnHook } from "./commands/Burn.sol";
 import { CreditAccount, CreditAccountHook } from "./commands/Credit.sol";
 import { DebitAccount, DebitAccountHook } from "./commands/Debit.sol";
@@ -14,22 +17,34 @@ import { Deposit, DepositHook, DepositPayable, DepositPayableHook } from "./comm
 import { Provision, ProvisionHook, ProvisionPayable, ProvisionPayableHook } from "./commands/Provision.sol";
 import { Transfer, TransferHook } from "./commands/Transfer.sol";
 import { Withdraw, WithdrawHook } from "./commands/Withdraw.sol";
+
+// Admin commands
 import { AllowAssets, AllowAssetsHook } from "./commands/admin/AllowAssets.sol";
-import { Destroy, DestroyHook } from "./commands/admin/Destroy.sol";
-import { ExecutePayable } from "./commands/admin/Execute.sol";
+import { Allowance, AllowanceHook } from "./commands/admin/Allowance.sol";
+import { Appoint } from "./commands/admin/Appoint.sol";
 import { Authorize } from "./commands/admin/Authorize.sol";
+import { Destroy, DestroyHook } from "./commands/admin/Destroy.sol";
 import { DenyAssets, DenyAssetsHook } from "./commands/admin/DenyAssets.sol";
+import { Dismiss } from "./commands/admin/Dismiss.sol";
+import { ExecutePayable } from "./commands/admin/Execute.sol";
 import { Init, InitHook } from "./commands/admin/Init.sol";
-import { Allowance, AllowanceHook } from "./commands/admin/Allowance.sol";
 import { Unauthorize } from "./commands/admin/Unauthorize.sol";
+
+// Peer endpoints
 import { PeerBase, encodePeerCall } from "./peer/Base.sol";
+import { PeerAllowAssets } from "./peer/AllowAssets.sol";
 import { PeerAllowance } from "./peer/Allowance.sol";
 import { PeerBalancePull, BalancePullHook } from "./peer/BalancePull.sol";
-import { PeerAllowAssets } from "./peer/AllowAssets.sol";
 import { PeerDenyAssets } from "./peer/DenyAssets.sol";
 import { PeerPipePayable } from "./peer/Pipe.sol";
 import { PeerSettle } from "./peer/Settle.sol";
 
+// Guard endpoints
+import { GuardBase, encodeGuardCall } from "./guards/Base.sol";
+import { Revoke } from "./guards/Revoke.sol";
 
-
-
+// Query endpoints
+import { QueryBase, encodeQueryCall } from "./queries/Base.sol";
+import { AssetStatus, AssetStatusHook } from "./queries/Assets.sol";
+import { GetBalances, GetBalancesHook } from "./queries/Balances.sol";
+import { GetPosition, GetPositionHook } from "./queries/Positions.sol";

package/Events.sol

@@ -4,7 +4,6 @@ pragma solidity ^0.8.33;
 // Aggregator: re-exports all event contracts.
 // Import this file to get access to every event emitter in one import.
 
-import { AccessEvent } from "./events/Access.sol";
 import { AdminEvent } from "./events/Admin.sol";
 import { AssetStatusEvent } from "./events/Asset.sol";
 import { BalanceEvent } from "./events/Balance.sol";
@@ -15,7 +14,10 @@ import { DebtEvent } from "./events/Debt.sol";
 import { PositionEvent } from "./events/Position.sol";
 import { ReceivedEvent } from "./events/Received.sol";
 import { EventEmitter } from "./events/Emitter.sol";
+import { GuardEvent } from "./events/Guard.sol";
+import { GuardianEvent } from "./events/Guardian.sol";
 import { IntroductionEvent } from "./events/Introduction.sol";
+import { NodeEvent } from "./events/Node.sol";
 import { PeerEvent } from "./events/Peer.sol";
 import { QueryEvent } from "./events/Query.sol";
 import { RootedEvent } from "./events/Rooted.sol";

package/README.md

@@ -9,8 +9,7 @@ It contains the reusable contracts, utilities, cursor parsers, and encoding help
 Most consumers should start from the package root entry points:
 
 - `@rootzero/contracts/Core.sol` — host, access control, balances, and validator building blocks
-- `@rootzero/contracts/Commands.sol` — command and peer base contracts plus all standard command mixins
-- `@rootzero/contracts/Queries.sol` — query base contracts plus standard query mixins
+- `@rootzero/contracts/Endpoints.sol` — command, peer, guard, and query base contracts plus standard endpoint mixins
 - `@rootzero/contracts/Cursors.sol` — cursor reader (`Cur`), block schemas, key constants, typed block helpers, and writers
 - `@rootzero/contracts/Utils.sol` — IDs, assets, accounts, layout, and value helpers
 - `@rootzero/contracts/Events.sol` — reusable event emitters and event contracts
@@ -66,7 +65,7 @@ Extend `CommandBase` to define a command mixin that runs inside the protocol's t
 // SPDX-License-Identifier: GPL-3.0-only
 pragma solidity ^0.8.33;
 
-import { CommandBase, CommandContext, Keys } from "@rootzero/contracts/Commands.sol";
+import { CommandBase, CommandContext, Keys } from "@rootzero/contracts/Endpoints.sol";
 import { Cursors, Cur, Schemas, Writer, Writers } from "@rootzero/contracts/Cursors.sol";
 
 using Cursors for Cur;

package/commands/Base.sol

@@ -23,12 +23,10 @@ struct CommandContext {
 abstract contract CommandBase is NodeCalls, CommandEvent {
     /// @dev Thrown when `onlyActive` finds that `deadline` has already passed.
     error Expired();
-    /// @dev Thrown when `onlyAdmin` finds that `account` is not the admin account.
-    error NotAdmin();
 
     /// @dev Restrict execution to the commander using the host's admin account.
     modifier onlyAdmin(bytes32 account) {
-        if (account != adminAccount) revert NotAdmin();
+        if (account != admin) revert AccessDenied();
         enforceCommander(msg.sender);
         _;
     }
@@ -39,12 +37,6 @@ abstract contract CommandBase is NodeCalls, CommandEvent {
         _;
     }
 
-    /// @dev Restrict execution to callers whose host node is trusted.
-    modifier onlyTrusted() {
-        enforceCaller(msg.sender);
-        _;
-    }
-
     /// @dev Restrict execution to invocations where `deadline` is in the future.
     /// @param deadline Unix timestamp after which the invocation is considered expired.
     modifier onlyActive(uint deadline) {

package/commands/admin/Appoint.sol

@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, Keys } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+import { AdminEvent } from "../../events/Admin.sol";
+using Cursors for Cur;
+
+/// @title Appoint
+/// @notice Admin command that grants guardian status to a list of account IDs.
+/// Each ACCOUNT block in the request is enabled as a guardian on the host.
+/// Only callable by the admin account.
+abstract contract Appoint is CommandBase, AdminEvent {
+    string private constant NAME = "appoint";
+
+    uint internal immutable appointId = commandId(NAME);
+
+    constructor() {
+        emit Admin(host, appointId, NAME, "1:0:0", Schemas.Account, Keys.Empty, Keys.Empty, false);
+    }
+
+    function appoint(
+        CommandContext calldata c
+    ) external onlyAdmin(c.account) returns (bytes memory) {
+        (Cur memory request, ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            bytes32 account = request.unpackAccount();
+            setGuardian(account, true);
+        }
+
+        request.close();
+        return "";
+    }
+}

package/commands/admin/Authorize.sol

@@ -26,7 +26,7 @@ abstract contract Authorize is CommandBase, AdminEvent {
 
         while (request.i < request.bound) {
             uint node = request.unpackNode();
-            authorize(node);
+            setNode(node, true);
         }
 
         request.close();

package/commands/admin/Dismiss.sol

@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, Keys } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+import { AdminEvent } from "../../events/Admin.sol";
+using Cursors for Cur;
+
+/// @title Dismiss
+/// @notice Admin command that revokes guardian status from a list of account IDs.
+/// Each ACCOUNT block in the request is disabled as a guardian on the host.
+/// Only callable by the admin account.
+abstract contract Dismiss is CommandBase, AdminEvent {
+    string private constant NAME = "dismiss";
+
+    uint internal immutable dismissId = commandId(NAME);
+
+    constructor() {
+        emit Admin(host, dismissId, NAME, "1:0:0", Schemas.Account, Keys.Empty, Keys.Empty, false);
+    }
+
+    function dismiss(
+        CommandContext calldata c
+    ) external onlyAdmin(c.account) returns (bytes memory) {
+        (Cur memory request, ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            bytes32 account = request.unpackAccount();
+            setGuardian(account, false);
+        }
+
+        request.close();
+        return "";
+    }
+}

package/commands/admin/Unauthorize.sol

@@ -26,7 +26,7 @@ abstract contract Unauthorize is CommandBase, AdminEvent {
 
         while (request.i < request.bound) {
             uint node = request.unpackNode();
-            unauthorize(node);
+            setNode(node, false);
         }
 
         request.close();

package/core/Access.sol

@@ -1,7 +1,8 @@
 // SPDX-License-Identifier: GPL-3.0-only
 pragma solidity ^0.8.33;
 
-import {AccessEvent} from "../events/Access.sol";
+import {NodeEvent} from "../events/Node.sol";
+import {GuardianEvent} from "../events/Guardian.sol";
 import {RootZeroContext} from "./Context.sol";
 import {Accounts} from "../utils/Accounts.sol";
 import {Ids} from "../utils/Ids.sol";
@@ -13,41 +14,48 @@ import {addrOr} from "../utils/Utils.sol";
 /// mapping of externally trusted node IDs. Inbound trust is host-based:
 /// trusted hosts, the commander, and this contract itself may interact
 /// with the host through the guarded command and peer entrypoints.
-abstract contract AccessControl is RootZeroContext, AccessEvent {
+abstract contract AccessControl is RootZeroContext, NodeEvent, GuardianEvent {
     /// @dev Trusted commander address. All calls from this address are implicitly trusted.
     /// Defaults to `address(this)` when no external commander is provided.
     address internal immutable commander;
     /// @dev Admin account ID derived from the commander address at construction time.
-    bytes32 internal immutable adminAccount;
+    bytes32 internal immutable admin;
 
-    /// @dev Mapping from node ID to trust status.
-    mapping(uint node => bool) internal trusted;
+    /// @dev Mapping from guardian account ID to guardian status.
+    mapping(bytes32 account => bool) internal guardians;
 
-    /// @dev Thrown when `enforceCaller` is called by an address that is not trusted.
-    error UnauthorizedCaller(address addr);
+    /// @dev Mapping from node ID to trust status.
+    mapping(uint node => bool) internal nodes;
 
-    /// @dev Thrown when a required trusted node is missing from the trusted set.
-    error UnauthorizedNode(uint node);
+    /// @dev Thrown when a caller, account, or node lacks required access.
+    error AccessDenied();
 
     constructor(address cmdr) {
         commander = addrOr(cmdr, address(this));
-        adminAccount = Accounts.toAdmin(commander);
+        admin = Accounts.toAdmin(commander);
+    }
+
+    /// @notice Set authorization status for a node.
+    /// @param node Node ID to update.
+    /// @param active True to authorize the node, false to revoke it.
+    function setNode(uint node, bool active) internal {
+        nodes[node] = active;
+        emit Node(host, node, active);
     }
 
-    /// @notice Grant authorization for a node.
-    /// Accepts any node ID that should be trusted by this contract.
-    /// @param node Node ID to authorize.
-    function authorize(uint node) internal {
-        trusted[node] = true;
-        emit Access(host, node, true);
+    /// @notice Set guardian status for an account.
+    /// @param account Guardian account ID to update.
+    /// @param active True to enable the guardian, false to revoke it.
+    function setGuardian(bytes32 account, bool active) internal {
+        Accounts.guardian(account);
+        guardians[account] = active;
+        emit Guardian(host, account, active);
     }
 
-    /// @notice Revoke authorization for a node.
-    /// Accepts any node ID that should no longer be trusted by this contract.
-    /// @param node Node ID to unauthorize.
-    function unauthorize(uint node) internal {
-        trusted[node] = false;
-        emit Access(host, node, false);
+    /// @notice Return true if `addr` is an active guardian.
+    /// @param addr EVM address to check as a guardian account.
+    function isGuardian(address addr) internal view returns (bool) {
+        return guardians[Accounts.toGuardian(addr)];
     }
 
     /// @notice Return true if `caller` is an implicitly trusted address.
@@ -55,15 +63,15 @@ abstract contract AccessControl is RootZeroContext, AccessEvent {
     /// whose host ID has been explicitly authorized.
     /// @param caller Address to check.
     function isTrusted(address caller) internal view returns (bool) {
-        return caller == commander || caller == address(this) || trusted[Ids.toHost(caller)];
+        return caller == commander || caller == address(this) || nodes[Ids.toHost(caller)];
     }
 
     /// @notice Assert that `node` is in the trusted set and return it.
     /// @param node Node ID to validate.
     /// @return The same `node` value if trusted.
     function ensureTrusted(uint node) internal view returns (uint) {
-        if (node == 0 || !trusted[node]) {
-            revert UnauthorizedNode(node);
+        if (node == 0 || !nodes[node]) {
+            revert AccessDenied();
         }
         return node;
     }
@@ -74,7 +82,7 @@ abstract contract AccessControl is RootZeroContext, AccessEvent {
     /// @return The same `caller` value if trusted.
     function enforceCaller(address caller) internal view returns (address) {
         if (caller == address(0) || !isTrusted(caller)) {
-            revert UnauthorizedCaller(caller);
+            revert AccessDenied();
         }
         return caller;
     }
@@ -85,7 +93,7 @@ abstract contract AccessControl is RootZeroContext, AccessEvent {
     /// @return The same `caller` value if it is the commander.
     function enforceCommander(address caller) internal view returns (address) {
         if (caller == address(0) || caller != commander) {
-            revert UnauthorizedCaller(caller);
+            revert AccessDenied();
         }
         return caller;
     }

package/core/Host.sol

@@ -2,7 +2,9 @@
 pragma solidity ^0.8.33;
 
 import {AccessControl} from "./Access.sol";
+import {Appoint} from "../commands/admin/Appoint.sol";
 import {Authorize} from "../commands/admin/Authorize.sol";
+import {Dismiss} from "../commands/admin/Dismiss.sol";
 import {Unauthorize} from "../commands/admin/Unauthorize.sol";
 import {ExecutePayable} from "../commands/admin/Execute.sol";
 import {IntroductionEvent} from "../events/Introduction.sol";
@@ -24,7 +26,7 @@ interface IHostIntroduction {
 /// Inherits admin command support (authorize, unauthorize, executePayable) and
 /// optionally introduces itself to a commander host at deployment.
 /// Accepts native ETH payments via the `receive` function.
-abstract contract Host is Authorize, Unauthorize, ExecutePayable, IntroductionEvent, IHostIntroduction {
+abstract contract Host is Authorize, Unauthorize, Appoint, Dismiss, ExecutePayable, IntroductionEvent, IHostIntroduction {
     /// @param cmdr Commander address; passed to `AccessControl`.
     ///        If `cmdr` is a deployed contract, the host calls `introduce`
     ///        on it during construction.

package/events/Guard.sol

@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import {EventEmitter} from "./Emitter.sol";
+
+/// @notice Emitted once per guard action during host deployment to publish its request schema.
+abstract contract GuardEvent is EventEmitter {
+    string private constant ABI = "event Guard(uint indexed host, uint id, string name, string request)";
+
+    /// @param host Host node ID that owns this guard action.
+    /// @param id Guard action node ID.
+    /// @param name Human-readable guard action name.
+    /// @param request Schema DSL string describing the guard action request shape.
+    event Guard(uint indexed host, uint id, string name, string request);
+
+    constructor() {
+        emit EventAbi(ABI);
+    }
+}

package/events/Guardian.sol

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { EventEmitter } from "./Emitter.sol";
+
+/// @notice Emitted when a guardian account status changes on a host.
+abstract contract GuardianEvent is EventEmitter {
+    string private constant ABI = "event Guardian(uint indexed host, bytes32 account, bool active)";
+
+    /// @param host Host node ID where the guardian change occurred.
+    /// @param account Guardian account ID.
+    /// @param active True if the guardian is enabled, false if revoked.
+    event Guardian(uint indexed host, bytes32 account, bool active);
+
+    constructor() {
+        emit EventAbi(ABI);
+    }
+}

package/events/Node.sol

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { EventEmitter } from "./Emitter.sol";
+
+/// @notice Emitted when a node's authorization status changes on a host.
+abstract contract NodeEvent is EventEmitter {
+    string private constant ABI = "event Node(uint indexed host, uint node, bool active)";
+
+    /// @param host Host node ID where the authorization change occurred.
+    /// @param node Node ID that was authorized or revoked.
+    /// @param active True if the node is authorized, false if revoked.
+    event Node(uint indexed host, uint node, bool active);
+
+    constructor() {
+        emit EventAbi(ABI);
+    }
+}

package/guards/Base.sol

@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import {AccessControl} from "../core/Access.sol";
+import {GuardEvent} from "../events/Guard.sol";
+import {Ids, Selectors} from "../utils/Ids.sol";
+
+/// @notice ABI-encode a guard action call from a target guard ID and request block stream.
+/// @dev Derives the function selector from `target` via `Ids.guardSelector(target)`.
+/// Reverts if `target` is not a valid guard ID.
+/// @param target Destination guard action node ID embedding the target selector.
+/// @param request Input block stream for the guard invocation.
+/// @return ABI-encoded calldata for the guard action entry point.
+function encodeGuardCall(uint target, bytes calldata request) pure returns (bytes memory) {
+    bytes4 selector = Ids.guardSelector(target);
+    return abi.encodeWithSelector(selector, request);
+}
+
+/// @title GuardBase
+/// @notice Abstract base for guardian-only direct host actions.
+/// Guard actions are non-payable direct calls with no command context, state, or response.
+abstract contract GuardBase is AccessControl, GuardEvent {
+    /// @dev Restrict execution to active guardian addresses.
+    modifier onlyGuardian() {
+        if (!isGuardian(msg.sender)) revert AccessDenied();
+        _;
+    }
+
+    /// @notice Derive the deterministic node ID for a named guard action on this contract.
+    /// @param name Guard action function name (without argument list).
+    /// @return Guard action node ID.
+    function guardId(string memory name) internal view returns (uint) {
+        return Ids.toGuard(Selectors.guard(name), address(this));
+    }
+}

package/guards/Revoke.sol

@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import {GuardBase} from "./Base.sol";
+import {Cursors, Cur, Schemas} from "../Cursors.sol";
+using Cursors for Cur;
+
+/// @title Revoke
+/// @notice Guardian action that quickly revokes authorization from a list of node IDs.
+/// Each NODE block in the request is deauthorized on the host.
+/// Only callable by active guardian addresses.
+abstract contract Revoke is GuardBase {
+    string private constant NAME = "revoke";
+
+    uint internal immutable revokeId = guardId(NAME);
+
+    constructor() {
+        emit Guard(host, revokeId, NAME, Schemas.Node);
+    }
+
+    function revoke(bytes calldata request) external onlyGuardian {
+        (Cur memory input, ) = cursor(request, 1);
+
+        while (input.i < input.bound) {
+            uint node = input.unpackNode();
+            setNode(node, false);
+        }
+
+        input.close();
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rootzero/contracts",
-  "version": "0.9.6",
+  "version": "0.9.7",
   "description": "Solidity contracts and protocol building blocks for rootzero hosts and commands.",
   "private": false,
   "license": "GPL-3.0-only",

package/utils/Accounts.sol

@@ -8,8 +8,9 @@ import {isFamily, toLocalBase, toUnspecifiedBase} from "./Utils.sol";
 /// @notice Encoding and decoding helpers for 256-bit account identifiers.
 ///
 /// Account IDs embed a 4-byte type tag in bits [255:224]:
-///   - `Admin` — chain-local EVM address in bits [191:32]
-///   - `User`  — chain-agnostic EVM address in bits [191:32]
+///   - `Admin`    — chain-local EVM address in bits [191:32]
+///   - `Guardian` — chain-local EVM address in bits [191:32]
+///   - `User`     — chain-agnostic EVM address in bits [191:32]
 library Accounts {
     /// @dev Thrown when an account ID does not belong to the EVM family.
     error InvalidAccount();
@@ -18,6 +19,8 @@ library Accounts {
     uint24 constant Family = (uint24(Layout.Evm32) << 8) | uint24(Layout.Account);
     /// @dev Full 4-byte type prefix for admin accounts (chain-local EVM address).
     uint32 constant Admin = (uint32(Layout.Evm32) << 16) | (uint32(Layout.Account) << 8) | uint32(Layout.Admin);
+    /// @dev Full 4-byte type prefix for guardian accounts (chain-local EVM address).
+    uint32 constant Guardian = (uint32(Layout.Evm32) << 16) | (uint32(Layout.Account) << 8) | uint32(Layout.Guardian);
     /// @dev Full 4-byte type prefix for user accounts (chain-agnostic EVM address).
     uint32 constant User = (uint32(Layout.Evm32) << 16) | (uint32(Layout.Account) << 8) | uint32(Layout.User);
     /// @dev Full 4-byte type prefix for keccak accounts (opaque 28-byte hash).
@@ -40,6 +43,11 @@ library Accounts {
         return prefix(account) == Admin;
     }
 
+    /// @notice Return true if `account` is a guardian account.
+    function isGuardian(bytes32 account) internal pure returns (bool) {
+        return prefix(account) == Guardian;
+    }
+
     /// @notice Return true if `account` is a user account.
     function isUser(bytes32 account) internal pure returns (bool) {
         return prefix(account) == User;
@@ -49,6 +57,38 @@ library Accounts {
         return prefix(account) == Keccak;
     }
 
+    /// @notice Assert that `input` is an admin account and return it unchanged.
+    /// @param input Account identifier to validate.
+    /// @return account The same `input` if it is an admin account.
+    function admin(bytes32 input) internal pure returns (bytes32 account) {
+        if (!isAdmin(input)) revert InvalidAccount();
+        return input;
+    }
+
+    /// @notice Assert that `input` is a guardian account and return it unchanged.
+    /// @param input Account identifier to validate.
+    /// @return account The same `input` if it is a guardian account.
+    function guardian(bytes32 input) internal pure returns (bytes32 account) {
+        if (!isGuardian(input)) revert InvalidAccount();
+        return input;
+    }
+
+    /// @notice Assert that `input` is a user account and return it unchanged.
+    /// @param input Account identifier to validate.
+    /// @return account The same `input` if it is a user account.
+    function user(bytes32 input) internal pure returns (bytes32 account) {
+        if (!isUser(input)) revert InvalidAccount();
+        return input;
+    }
+
+    /// @notice Assert that `input` is a keccak account and return it unchanged.
+    /// @param input Account identifier to validate.
+    /// @return account The same `input` if it is a keccak account.
+    function keccak(bytes32 input) internal pure returns (bytes32 account) {
+        if (!isKeccak(input)) revert InvalidAccount();
+        return input;
+    }
+
     /// @notice Encode an EVM address as a chain-local admin account ID.
     /// @param addr EVM address to embed.
     /// @return Admin account ID bound to the current chain.
@@ -56,6 +96,13 @@ library Accounts {
         return bytes32(toLocalBase(Admin) | (uint(uint160(addr)) << 32));
     }
 
+    /// @notice Encode an EVM address as a chain-local guardian account ID.
+    /// @param addr EVM address to embed.
+    /// @return Guardian account ID bound to the current chain.
+    function toGuardian(address addr) internal view returns (bytes32) {
+        return bytes32(toLocalBase(Guardian) | (uint(uint160(addr)) << 32));
+    }
+
     /// @notice Encode an EVM address as a chain-agnostic user account ID.
     /// @param addr EVM address to embed.
     /// @return User account ID without a chain binding.

package/utils/Ids.sol

@@ -26,6 +26,8 @@ library Ids {
     uint32 constant Peer = (uint32(Layout.Evm32) << 16) | (uint32(Layout.Node) << 8) | uint32(Layout.Peer);
     /// @dev Full 4-byte type prefix for query nodes.
     uint32 constant Query = (uint32(Layout.Evm32) << 16) | (uint32(Layout.Node) << 8) | uint32(Layout.Query);
+    /// @dev Full 4-byte type prefix for guard action nodes.
+    uint32 constant Guard = (uint32(Layout.Evm32) << 16) | (uint32(Layout.Node) << 8) | uint32(Layout.Guard);
 
     /// @notice Return true if `id` is a host node ID.
     function isHost(uint id) internal pure returns (bool) {
@@ -47,6 +49,11 @@ library Ids {
         return uint32(id >> 224) == Query;
     }
 
+    /// @notice Return true if `id` is a guard action node ID.
+    function isGuard(uint id) internal pure returns (bool) {
+        return uint32(id >> 224) == Guard;
+    }
+
     /// @notice Return true if `id` is a local node ID for this contract.
     function isLocalNode(uint id) internal view returns (bool) {
         return isLocalFamily(id, Node) && address(uint160(id)) == address(this);
@@ -60,14 +67,6 @@ library Ids {
         return id;
     }
 
-    /// @notice Assert that `id` is a command ID and return its embedded ABI selector.
-    /// @param id Node ID to validate.
-    /// @return selector 4-byte command selector stored in bits [191:160].
-    function commandSelector(uint id) internal pure returns (bytes4 selector) {
-        if (!isCommand(id)) revert InvalidId();
-        return bytes4(uint32(id >> 160));
-    }
-
     /// @notice Assert that `id` is a peer ID and return it unchanged.
     /// @param id Node ID to validate.
     /// @return pid The same `id` value if it is a peer.
@@ -76,14 +75,6 @@ library Ids {
         return id;
     }
 
-    /// @notice Assert that `id` is a peer ID and return its embedded ABI selector.
-    /// @param id Node ID to validate.
-    /// @return selector 4-byte peer selector stored in bits [191:160].
-    function peerSelector(uint id) internal pure returns (bytes4 selector) {
-        if (!isPeer(id)) revert InvalidId();
-        return bytes4(uint32(id >> 160));
-    }
-
     /// @notice Assert that `id` is a query ID and return it unchanged.
     /// @param id Node ID to validate.
     /// @return queryId The same `id` value if it is a query.
@@ -92,12 +83,40 @@ library Ids {
         return id;
     }
 
+    /// @notice Assert that `id` is a guard action ID and return it unchanged.
+    /// @param id Node ID to validate.
+    /// @return guardId The same `id` value if it is a guard action.
+    function guard(uint id) internal pure returns (uint guardId) {
+        if (!isGuard(id)) revert InvalidId();
+        return id;
+    }
+
+    /// @notice Assert that `id` is a command ID and return its embedded ABI selector.
+    /// @param id Node ID to validate.
+    /// @return selector 4-byte command selector stored in bits [191:160].
+    function commandSelector(uint id) internal pure returns (bytes4 selector) {
+        return bytes4(uint32(command(id) >> 160));
+    }
+
+    /// @notice Assert that `id` is a peer ID and return its embedded ABI selector.
+    /// @param id Node ID to validate.
+    /// @return selector 4-byte peer selector stored in bits [191:160].
+    function peerSelector(uint id) internal pure returns (bytes4 selector) {
+        return bytes4(uint32(peer(id) >> 160));
+    }
+
     /// @notice Assert that `id` is a query ID and return its embedded ABI selector.
     /// @param id Node ID to validate.
     /// @return selector 4-byte query selector stored in bits [191:160].
     function querySelector(uint id) internal pure returns (bytes4 selector) {
-        if (!isQuery(id)) revert InvalidId();
-        return bytes4(uint32(id >> 160));
+        return bytes4(uint32(query(id) >> 160));
+    }
+
+    /// @notice Assert that `id` is a guard action ID and return its embedded ABI selector.
+    /// @param id Node ID to validate.
+    /// @return selector 4-byte guard selector stored in bits [191:160].
+    function guardSelector(uint id) internal pure returns (bytes4 selector) {
+        return bytes4(uint32(guard(id) >> 160));
     }
 
     /// @notice Assert that `id` is the host ID of `addr` on the current chain.
@@ -146,6 +165,16 @@ library Ids {
         return id;
     }
 
+    /// @notice Build a chain-local guard action ID for the given selector and contract.
+    /// @param selector 4-byte ABI selector of the guard action entry point.
+    /// @param target Guard action contract address.
+    /// @return Guard action node ID embedding both the selector and address.
+    function toGuard(bytes4 selector, address target) internal view returns (uint) {
+        uint id = toLocalBase(Guard) | uint(uint160(target));
+        id |= uint(uint32(selector)) << 160;
+        return id;
+    }
+
     /// @notice Extract the contract address from any local node ID.
     /// Reverts if `id` does not belong to the local node family.
     /// @param id Node ID (host, command, or peer).
@@ -174,6 +203,8 @@ library Selectors {
     string constant PeerArgs = "(bytes)";
     /// @dev ABI argument encoding for query entry points: `(bytes)`.
     string constant QueryArgs = "(bytes)";
+    /// @dev ABI argument encoding for guard action entry points: `(bytes)`.
+    string constant GuardArgs = "(bytes)";
 
     /// @notice Derive the 4-byte ABI selector for a named command.
     /// The selector is `keccak256(name ++ CommandArgs)[0:4]`.
@@ -198,4 +229,12 @@ library Selectors {
     function query(string memory name) internal pure returns (bytes4) {
         return bytes4(keccak256(bytes.concat(bytes(name), bytes(QueryArgs))));
     }
+
+    /// @notice Derive the 4-byte ABI selector for a named guard action.
+    /// The selector is `keccak256(name ++ GuardArgs)[0:4]`.
+    /// @param name Guard action function name (without arguments).
+    /// @return 4-byte selector.
+    function guard(string memory name) internal pure returns (bytes4) {
+        return bytes4(keccak256(bytes.concat(bytes(name), bytes(GuardArgs))));
+    }
 }

package/utils/Layout.sol

@@ -37,10 +37,12 @@ library Layout {
 
     /// @dev Admin account — chain-local, backed by an EVM address.
     uint8 constant Admin = 0x01;
+    /// @dev Guardian account — chain-local, backed by an EVM address.
+    uint8 constant Guardian = 0x02;
     /// @dev User account — chain-agnostic, backed by an EVM address.
-    uint8 constant User = 0x02;
+    uint8 constant User = 0x03;
     /// @dev Keccak account — opaque 28-byte keccak commitment.
-    uint8 constant Keccak = 0x03;
+    uint8 constant Keccak = 0x04;
 
     // -------------------------------------------------------------------------
     // Node subtype tags (uint8, fourth byte of the ID type field)
@@ -54,6 +56,8 @@ library Layout {
     uint8 constant Peer = 0x03;
     /// @dev Node is a query contract.
     uint8 constant Query = 0x04;
+    /// @dev Node is a guardian-only direct action.
+    uint8 constant Guard = 0x05;
 
     // -------------------------------------------------------------------------
     // Asset subtype tags (uint8, fourth byte of the ID type field)

package/Queries.sol

@@ -1,10 +0,0 @@
-// SPDX-License-Identifier: GPL-3.0-only
-pragma solidity ^0.8.33;
-
-// Aggregator: re-exports query abstractions and reusable query bases.
-// Import this file to build rootzero query contracts without managing individual paths.
-
-import { AssetStatus, AssetStatusHook } from "./queries/Assets.sol";
-import { GetPosition, GetPositionHook } from "./queries/Positions.sol";
-import { GetBalances, GetBalancesHook } from "./queries/Balances.sol";
-import { QueryBase, encodeQueryCall } from "./queries/Base.sol";

package/events/Access.sol

@@ -1,21 +0,0 @@
-// SPDX-License-Identifier: GPL-3.0-only
-pragma solidity ^0.8.33;
-
-import { EventEmitter } from "./Emitter.sol";
-
-/// @notice Emitted when a node's authorization status changes on a host.
-abstract contract AccessEvent is EventEmitter {
-    string private constant ABI = "event Access(uint indexed host, uint node, bool trusted)";
-
-    /// @param host Host node ID where the authorization change occurred.
-    /// @param node Node ID that was authorized or deauthorized.
-    /// @param trusted True if the node was authorized, false if deauthorized.
-    event Access(uint indexed host, uint node, bool trusted);
-
-    constructor() {
-        emit EventAbi(ABI);
-    }
-}
-
-
-