@wipcomputer/wip-ldm-os 0.4.77 → 0.4.79

package/SKILL.md

@@ -9,7 +9,7 @@ license: MIT
 compatibility: Requires git, npm, node. Node.js 18+.
 metadata:
   display-name: "LDM OS"
-  version: "0.4.77"
+  version: "0.4.79"
   homepage: "https://github.com/wipcomputer/wip-ldm-os"
   author: "Parker Todd Brooks"
   category: infrastructure

package/dist/bridge/{chunk-7NH6JBIO.js → chunk-O65O6CCM.js}

@@ -156,18 +156,41 @@ function messageMatchesSession(msgTo, agentId, sessionName) {
   if (target.session === "*") return true;
   return target.session === sessionName;
 }
+function findMessageById(id) {
+  if (!id) return null;
+  for (const dir of [MESSAGES_DIR, PROCESSED_DIR]) {
+    const candidate = join(dir, `${id}.json`);
+    if (!existsSync(candidate)) continue;
+    try {
+      const data = JSON.parse(readFileSync(candidate, "utf-8"));
+      return data;
+    } catch {
+    }
+  }
+  return null;
+}
 function pushInbox(msg) {
   try {
     mkdirSync(MESSAGES_DIR, { recursive: true });
     const id = randomUUID();
+    let resolvedTo = msg.to;
+    const explicitBroadcast = resolvedTo === "*" || resolvedTo === "all" || resolvedTo && resolvedTo.endsWith(":*");
+    const agentOnly = resolvedTo && !resolvedTo.includes(":") && !explicitBroadcast;
+    if (msg.inReplyTo && (!resolvedTo || agentOnly)) {
+      const original = findMessageById(msg.inReplyTo);
+      if (original && original.from) {
+        resolvedTo = original.from;
+      }
+    }
     const data = {
       id,
       type: msg.type || "chat",
       from: msg.from || "unknown",
-      to: msg.to || `${_sessionAgentId}:${_sessionName}`,
+      to: resolvedTo || `${_sessionAgentId}:${_sessionName}`,
       body: msg.body || msg.message || "",
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      read: false
+      read: false,
+      ...msg.inReplyTo ? { inReplyTo: msg.inReplyTo } : {}
     };
     writeFileSync(join(MESSAGES_DIR, `${id}.json`), JSON.stringify(data, null, 2) + "\n");
     return inboxCount();
@@ -245,14 +268,27 @@ function sendLdmMessage(opts) {
   try {
     mkdirSync(MESSAGES_DIR, { recursive: true });
     const id = randomUUID();
+    let resolvedTo = opts.to;
+    const explicitBroadcast = resolvedTo === "*" || resolvedTo === "all" || resolvedTo && resolvedTo.endsWith(":*");
+    const agentOnly = resolvedTo && !resolvedTo.includes(":") && !explicitBroadcast;
+    if (opts.inReplyTo && (!resolvedTo || agentOnly)) {
+      const original = findMessageById(opts.inReplyTo);
+      if (original && original.from) {
+        resolvedTo = original.from;
+      }
+    }
+    if (!resolvedTo) {
+      return null;
+    }
     const data = {
       id,
       type: opts.type || "chat",
       from: opts.from || `${_sessionAgentId}:${_sessionName}`,
-      to: opts.to,
+      to: resolvedTo,
       body: opts.body,
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      read: false
+      read: false,
+      ...opts.inReplyTo ? { inReplyTo: opts.inReplyTo } : {}
     };
     writeFileSync(join(MESSAGES_DIR, `${id}.json`), JSON.stringify(data, null, 2) + "\n");
     return id;
@@ -652,6 +688,7 @@ export {
   setSessionIdentity,
   getSessionIdentity,
   refreshSessionIdentity,
+  findMessageById,
   pushInbox,
   drainInbox,
   inboxCount,

package/dist/bridge/cli.js

@@ -8,7 +8,7 @@ import {
   searchConversations,
   searchWorkspace,
   sendMessage
-} from "./chunk-7NH6JBIO.js";
+} from "./chunk-O65O6CCM.js";
 import "./chunk-3RG5ZIWI.js";
 
 // cli.ts

package/dist/bridge/core.d.ts

@@ -20,6 +20,7 @@ interface InboxMessage {
     message?: string;
     timestamp: string;
     read: boolean;
+    inReplyTo?: string;
 }
 interface ConversationResult {
     text: string;
@@ -60,9 +61,23 @@ declare function getSessionIdentity(): {
  * Cheap: one file read per call. No network. No delay.
  */
 declare function refreshSessionIdentity(): void;
+/**
+ * Look up a message by id in the inbox or processed dir. Returns null if
+ * not found. Used by reply-to-sender routing.
+ */
+declare function findMessageById(id: string): InboxMessage | null;
 /**
  * Write a message to the file-based inbox.
  * Creates a JSON file at ~/.ldm/messages/{uuid}.json.
+ *
+ * Reply-to-sender routing (added 2026-04-20):
+ *   If `inReplyTo` is set AND `to` is missing or agent-only (no colon),
+ *   the bridge looks up the referenced message and copies its `from` into
+ *   this message's `to`. This makes replies land at the specific session
+ *   that sent the original, rather than broadcasting to every session of
+ *   the agent (which is what Apr 10's Option 1 shipped as a safety net).
+ *   Callers that explicitly want broadcast can still use
+ *   `to: "<agent>:*"` or `to: "*"`.
  */
 declare function pushInbox(msg: {
     from: string;
@@ -70,6 +85,7 @@ declare function pushInbox(msg: {
     body?: string;
     to?: string;
     type?: string;
+    inReplyTo?: string;
 }): number;
 /**
  * Read and drain all messages for this session from the inbox.
@@ -92,9 +108,10 @@ declare function inboxCountBySession(): Record<string, number>;
  */
 declare function sendLdmMessage(opts: {
     from?: string;
-    to: string;
+    to?: string;
     body: string;
     type?: string;
+    inReplyTo?: string;
 }): string | null;
 interface SessionInfo {
     name: string;
@@ -144,4 +161,4 @@ declare function discoverSkills(openclawDir: string): SkillInfo[];
 declare function executeSkillScript(skillDir: string, scripts: string[], scriptName: string | undefined, args: string): Promise<string>;
 declare function readWorkspaceFile(workspaceDir: string, filePath: string): WorkspaceFileResult;
 
-export { type BridgeConfig, type ConversationResult, type GatewayConfig, type InboxMessage, LDM_ROOT, type SessionInfo, type SkillInfo, type WorkspaceFileResult, type WorkspaceSearchResult, blobToEmbedding, cosineSimilarity, discoverSkills, drainInbox, executeSkillScript, findMarkdownFiles, getQueryEmbedding, getSessionIdentity, inboxCount, inboxCountBySession, listActiveSessions, pushInbox, readWorkspaceFile, refreshSessionIdentity, registerBridgeSession, resolveApiKey, resolveConfig, resolveConfigMulti, resolveGatewayConfig, searchConversations, searchWorkspace, sendLdmMessage, sendMessage, setSessionIdentity };
+export { type BridgeConfig, type ConversationResult, type GatewayConfig, type InboxMessage, LDM_ROOT, type SessionInfo, type SkillInfo, type WorkspaceFileResult, type WorkspaceSearchResult, blobToEmbedding, cosineSimilarity, discoverSkills, drainInbox, executeSkillScript, findMarkdownFiles, findMessageById, getQueryEmbedding, getSessionIdentity, inboxCount, inboxCountBySession, listActiveSessions, pushInbox, readWorkspaceFile, refreshSessionIdentity, registerBridgeSession, resolveApiKey, resolveConfig, resolveConfigMulti, resolveGatewayConfig, searchConversations, searchWorkspace, sendLdmMessage, sendMessage, setSessionIdentity };

package/dist/bridge/core.js

@@ -6,6 +6,7 @@ import {
   drainInbox,
   executeSkillScript,
   findMarkdownFiles,
+  findMessageById,
   getQueryEmbedding,
   getSessionIdentity,
   inboxCount,
@@ -24,7 +25,7 @@ import {
   sendLdmMessage,
   sendMessage,
   setSessionIdentity
-} from "./chunk-7NH6JBIO.js";
+} from "./chunk-O65O6CCM.js";
 import "./chunk-3RG5ZIWI.js";
 export {
   LDM_ROOT,
@@ -34,6 +35,7 @@ export {
   drainInbox,
   executeSkillScript,
   findMarkdownFiles,
+  findMessageById,
   getQueryEmbedding,
   getSessionIdentity,
   inboxCount,

package/dist/bridge/mcp-server.js

@@ -15,7 +15,7 @@ import {
   sendLdmMessage,
   sendMessage,
   setSessionIdentity
-} from "./chunk-7NH6JBIO.js";
+} from "./chunk-O65O6CCM.js";
 import {
   __require
 } from "./chunk-3RG5ZIWI.js";
@@ -225,7 +225,7 @@ Message delivered to the gateway (fire-and-forget). L\u0113sa will process it th
 server.registerTool(
   "lesa_check_inbox",
   {
-    description: "Check for pending messages in the file-based inbox (~/.ldm/messages/). Messages can come from OpenClaw agents, other Claude Code sessions, or CLI. Returns all pending messages for this session and marks them as read.",
+    description: "Check for pending messages in the file-based inbox (~/.ldm/messages/). Messages can come from OpenClaw agents, other Claude Code sessions, or CLI. Returns all pending messages for this session and marks them as read. Each entry includes [id: <uuid>] so you can pass it to lesa_reply_to_sender when replying to a specific message.",
     inputSchema: {}
   },
   async () => {
@@ -233,13 +233,43 @@ server.registerTool(
     if (messages.length === 0) {
       return { content: [{ type: "text", text: "No pending messages." }] };
     }
-    const text = messages.map((m) => `**${m.from}** [${m.type}] (${m.timestamp}):
+    const text = messages.map((m) => `**${m.from}** [${m.type}] (${m.timestamp}) [id: ${m.id}]:
 ${m.body || m.message}`).join("\n\n---\n\n");
     return { content: [{ type: "text", text: `${messages.length} message(s):
 
 ${text}` }] };
   }
 );
+server.registerTool(
+  "lesa_reply_to_sender",
+  {
+    description: "Reply to a specific inbox message, routing back to the exact session that sent it (not broadcast). Use this instead of ldm_send_message when responding to something you saw in lesa_check_inbox. The message id is printed as [id: <uuid>] in the inbox output.\n\nIf the message id can't be found (already deleted, typo, etc.) the reply is still written with a best-effort target derived from the message sender field you pass in as fallback.",
+    inputSchema: {
+      messageId: z.string().describe("The inbox message id you are replying to (from the [id: ...] field in lesa_check_inbox output)"),
+      body: z.string().describe("Reply body"),
+      type: z.string().optional().default("chat").describe("Message type: chat, system, task (default: chat)")
+    }
+  },
+  async ({ messageId, body, type }) => {
+    try {
+      const { agentId, sessionName } = getSessionIdentity();
+      sendLdmMessage({
+        from: `${agentId}:${sessionName}`,
+        body,
+        type: type || "chat",
+        inReplyTo: messageId
+      });
+      return {
+        content: [{
+          type: "text",
+          text: `Replied to message ${messageId}. Routed back to the original sender (not broadcast).`
+        }]
+      };
+    } catch (err) {
+      return { content: [{ type: "text", text: `Error replying: ${err.message}` }], isError: true };
+    }
+  }
+);
 server.registerTool(
   "ldm_send_message",
   {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.77",
+  "version": "0.4.79",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {

package/shared/docs/dev-guide-wipcomputerinc.md.tmpl

@@ -261,10 +261,84 @@ cd ~/.ldm/extensions/{name} && npm install --omit=dev
 openclaw gateway restart
 ```
 
+## Bridge: Reply Routing (lesa-bridge 0.4.1+)
+
+The bridge's file inbox (`~/.ldm/messages/`) supports three routing modes:
+
+| `to` field | Delivered to |
+|---|---|
+| `agent:session` | Exactly one session (unicast) |
+| `agent:*` | All sessions of that agent (explicit broadcast) |
+| `agent` (no colon) | All sessions of that agent (legacy broadcast, kept for compat) |
+| `*` or `all` | All agents, all sessions |
+
+**Reply-to-sender pattern (use this for replies).** When responding to a message you read via `lesa_check_inbox`, call `lesa_reply_to_sender({ messageId, body })` with the id from `[id: <uuid>]` in the inbox output. The bridge auto-resolves `to` to the original sender's fully-qualified identity (`agent:session`), so replies land at exactly one session instead of waking every cc-mini session on the machine.
+
+For non-reply sends (initiating a thread), use `ldm_send_message` with an explicit `agent:session` target, or `lesa_send_message` for OpenClaw (Lēsa) which goes through the gateway pipeline.
+
+Avoid agent-only targets (`to: "cc-mini"`) for replies. They still work (broadcast) but burn a turn in every idle cc-mini session that happens to be open. Reply-to-sender is the cheap, obvious, correct path.
+
 ## Branch Protection Audit
 
 Enforced on all 64 repos on 2026-02-20, re-audited 2026-02-27 (18 repos had drifted or were new). No force pushes to main. No direct pushes. No exceptions. The `lesaai` account is not exempt.
 
+## Branch Guard: Runtime Enforcement (wip-branch-guard v1.9.80+)
+
+The branch guard runs as a PreToolUse hook on every Claude Code tool call and as an OpenClaw plugin for Lēsa. Same rules, same deny messages on both sides. Enforces three layers on top of the standard branch/worktree check.
+
+### Layer 1 ... write gate
+
+- On main branch: Write/Edit/NotebookEdit denied. Bash writes denied.
+- On a feature branch NOT in a worktree: writes denied.
+- On a feature branch in a worktree: writes allowed (baseline workflow).
+- Shared-state paths (`~/.claude/plans/`, `workspace/*`, `~/.ldm/shared/`, `~/.openclaw/workspace/`, etc.) always allowed regardless of branch.
+
+### Layer 2 ... destructive-command block
+
+Always denied, any branch: `git clean -f`, `git checkout -- <path>`, `git checkout .`, `git stash drop/pop/clear`, `git reset --hard`, `git restore <path>` (`--staged` is safe). Plus code-execution bypass patterns (`python -c "open().write()"`, `node -e "writeFile()"`).
+
+Denied on any branch: `--no-verify`, `git push --force` (use `--force-with-lease`).
+
+### Layer 3 ... session-level gates (new 2026-04-20)
+
+1. **Onboarding-before-first-write.** Before the first Write/Edit to a repo in a session, the guard requires you to have Read (via the Read tool) `README.md`, `CLAUDE.md`, and any `*RUNBOOK*.md`/`*LANDMINES*.md`/`WORKFLOW*.md` at repo root. State auto-populates from Read calls. 2-hour TTL once onboarded. Override: `LDM_GUARD_SKIP_ONBOARDING=<repo>` or `=1`.
+
+2. **Recently-blocked-file tracking.** If the guard denies a file via Write/Edit, retrying via a different tool on the same path re-denies with "equivalent-action bypass" context. Last 20 denials in a 1-hour rolling window. Override: `LDM_GUARD_ACK_BLOCKED_FILE=<path>`.
+
+3. **External-PR create guard.** `gh pr create --repo <owner>/<repo>` and `gh api repos/<owner>/<repo>/pulls -X POST` are denied if `<owner>` is not `wipcomputer`. Triggered by the 2026-04-18 PR #89 incident. `gh pr view/list/merge/edit` and `gh api .../issues` pass through. Override: `LDM_GUARD_UPSTREAM_PR_APPROVED=<owner>/<repo>` or `=1`.
+
+### Override env vars
+
+All overrides are audited. Every use appends to `~/.ldm/state/bypass-audit.jsonl` as `{kind, ts, session_id, tool, path, via, reason}`. Log rotates at 50 MB to dated archives.
+
+| Env var | Purpose | Shape |
+|---|---|---|
+| `LDM_GUARD_SKIP_ONBOARDING` | Skip onboarding gate | `<repo-path>` or `1` |
+| `LDM_GUARD_ACK_BLOCKED_FILE` | Acknowledge a prior block | `<file-path>` or `1` |
+| `LDM_GUARD_UPSTREAM_PR_APPROVED` | Parker-approved external PR | `<owner>/<repo>` or `1` |
+| `LDM_GUARD_APPROVAL_BACKEND` | Backend selector | `env` (default), future: `bridge`, `kaleidoscope-biometric` |
+| `LDM_GUARD_STATE_DIR` | State file location | dir path (test isolation only) |
+
+Default stance: don't bypass. Read the block message. It tells you what to do.
+
+### Expected first-write ritual
+
+For any repo new to your session:
+
+```
+1. git rev-parse --show-toplevel   # confirm the repo
+2. Read README.md                  # via Read tool
+3. Read CLAUDE.md                  # if present
+4. Read RUNBOOK / LANDMINES / WORKFLOW  # if present at root
+5. Proceed with Write/Edit
+```
+
+State persists at `~/.ldm/state/guard-session.json`. Same session + same repo = onboarded for 2h. New session or TTL expires = re-onboard.
+
+### Bypass audit trail
+
+Every deny and every approved bypass is in `~/.ldm/state/bypass-audit.jsonl`. Append-only JSON Lines. Tail it during post-mortems; rotate archives are `bypass-audit.jsonl.YYYY-MM-DD`.
+
 ## Worktree Workflow (WIP-specific)
 
 Same as the public Dev Guide section, plus:

package/src/bridge/core.ts

@@ -65,6 +65,12 @@ export interface InboxMessage {
   message?: string; // legacy compat: alias for body
   timestamp: string;
   read: boolean;
+  // Optional: id of the message this is a reply to. When present on a
+  // pushInbox call and `to` is missing or agent-only, the bridge looks up
+  // the referenced message and copies its `from` into this message's `to`
+  // so replies land at the specific session that sent the original, not
+  // broadcast to every session of the agent.
+  inReplyTo?: string;
 }
 
 export interface ConversationResult {
@@ -287,22 +293,61 @@ function messageMatchesSession(msgTo: string, agentId: string, sessionName: stri
   return target.session === sessionName;
 }
 
+/**
+ * Look up a message by id in the inbox or processed dir. Returns null if
+ * not found. Used by reply-to-sender routing.
+ */
+export function findMessageById(id: string): InboxMessage | null {
+  if (!id) return null;
+  for (const dir of [MESSAGES_DIR, PROCESSED_DIR]) {
+    const candidate = join(dir, `${id}.json`);
+    if (!existsSync(candidate)) continue;
+    try {
+      const data = JSON.parse(readFileSync(candidate, "utf-8")) as InboxMessage;
+      return data;
+    } catch {}
+  }
+  return null;
+}
+
 /**
  * Write a message to the file-based inbox.
  * Creates a JSON file at ~/.ldm/messages/{uuid}.json.
+ *
+ * Reply-to-sender routing (added 2026-04-20):
+ *   If `inReplyTo` is set AND `to` is missing or agent-only (no colon),
+ *   the bridge looks up the referenced message and copies its `from` into
+ *   this message's `to`. This makes replies land at the specific session
+ *   that sent the original, rather than broadcasting to every session of
+ *   the agent (which is what Apr 10's Option 1 shipped as a safety net).
+ *   Callers that explicitly want broadcast can still use
+ *   `to: "<agent>:*"` or `to: "*"`.
  */
-export function pushInbox(msg: { from: string; message?: string; body?: string; to?: string; type?: string }): number {
+export function pushInbox(msg: { from: string; message?: string; body?: string; to?: string; type?: string; inReplyTo?: string }): number {
   try {
     mkdirSync(MESSAGES_DIR, { recursive: true });
     const id = randomUUID();
+
+    // Resolve reply target from inReplyTo if applicable.
+    let resolvedTo = msg.to;
+    const explicitBroadcast = resolvedTo === "*" || resolvedTo === "all" || (resolvedTo && resolvedTo.endsWith(":*"));
+    const agentOnly = resolvedTo && !resolvedTo.includes(":") && !explicitBroadcast;
+    if (msg.inReplyTo && (!resolvedTo || agentOnly)) {
+      const original = findMessageById(msg.inReplyTo);
+      if (original && original.from) {
+        resolvedTo = original.from;
+      }
+    }
+
     const data: InboxMessage = {
       id,
       type: msg.type || "chat",
       from: msg.from || "unknown",
-      to: msg.to || `${_sessionAgentId}:${_sessionName}`,
+      to: resolvedTo || `${_sessionAgentId}:${_sessionName}`,
       body: msg.body || msg.message || "",
       timestamp: new Date().toISOString(),
       read: false,
+      ...(msg.inReplyTo ? { inReplyTo: msg.inReplyTo } : {}),
     };
     writeFileSync(join(MESSAGES_DIR, `${id}.json`), JSON.stringify(data, null, 2) + "\n");
 
@@ -416,21 +461,45 @@ export function inboxCountBySession(): Record<string, number> {
  */
 export function sendLdmMessage(opts: {
   from?: string;
-  to: string;
+  to?: string;
   body: string;
   type?: string;
+  // Reply-to-sender routing (added 2026-04-20). If provided and `to` is
+  // missing or agent-only (no session suffix), `to` is auto-resolved from
+  // the referenced message's `from`, so the reply lands at exactly the
+  // session that sent the original. See
+  // ai/product/bugs/bridge/2026-04-20--cc-mini--bridge-reply-to-sender-routing.md
+  inReplyTo?: string;
 }): string | null {
   try {
     mkdirSync(MESSAGES_DIR, { recursive: true });
     const id = randomUUID();
+
+    // Resolve reply target from inReplyTo when applicable.
+    let resolvedTo = opts.to;
+    const explicitBroadcast = resolvedTo === "*" || resolvedTo === "all" || (resolvedTo && resolvedTo.endsWith(":*"));
+    const agentOnly = resolvedTo && !resolvedTo.includes(":") && !explicitBroadcast;
+    if (opts.inReplyTo && (!resolvedTo || agentOnly)) {
+      const original = findMessageById(opts.inReplyTo);
+      if (original && original.from) {
+        resolvedTo = original.from;
+      }
+    }
+    if (!resolvedTo) {
+      // No target and no inReplyTo to resolve from. Nothing safe to do
+      // except a no-op. Caller is at fault; return null to signal.
+      return null;
+    }
+
     const data: InboxMessage = {
       id,
       type: opts.type || "chat",
       from: opts.from || `${_sessionAgentId}:${_sessionName}`,
-      to: opts.to,
+      to: resolvedTo,
       body: opts.body,
       timestamp: new Date().toISOString(),
       read: false,
+      ...(opts.inReplyTo ? { inReplyTo: opts.inReplyTo } : {}),
     };
     writeFileSync(join(MESSAGES_DIR, `${id}.json`), JSON.stringify(data, null, 2) + "\n");
     return id;

package/src/bridge/mcp-server.ts

@@ -303,7 +303,9 @@ server.registerTool(
     description:
       "Check for pending messages in the file-based inbox (~/.ldm/messages/). " +
       "Messages can come from OpenClaw agents, other Claude Code sessions, or CLI. " +
-      "Returns all pending messages for this session and marks them as read.",
+      "Returns all pending messages for this session and marks them as read. " +
+      "Each entry includes [id: <uuid>] so you can pass it to lesa_reply_to_sender " +
+      "when replying to a specific message.",
     inputSchema: {},
   },
   async () => {
@@ -314,13 +316,57 @@ server.registerTool(
     }
 
     const text = messages
-      .map((m) => `**${m.from}** [${m.type}] (${m.timestamp}):\n${m.body || m.message}`)
+      .map((m) => `**${m.from}** [${m.type}] (${m.timestamp}) [id: ${m.id}]:\n${m.body || m.message}`)
       .join("\n\n---\n\n");
 
     return { content: [{ type: "text" as const, text: `${messages.length} message(s):\n\n${text}` }] };
   }
 );
 
+// Tool 5b: Reply to a specific message, routing back to the original sender.
+// Added 2026-04-20 to fix the "agent-only reply broadcasts to every session"
+// footgun. Caller passes the message id from lesa_check_inbox output; the
+// bridge resolves `to` to the original sender's fully-qualified identity,
+// so replies land at exactly one session instead of every session of the
+// agent. See ai/product/bugs/bridge/2026-04-20--cc-mini--bridge-reply-to-sender-routing.md
+server.registerTool(
+  "lesa_reply_to_sender",
+  {
+    description:
+      "Reply to a specific inbox message, routing back to the exact session " +
+      "that sent it (not broadcast). Use this instead of ldm_send_message when " +
+      "responding to something you saw in lesa_check_inbox. The message id is " +
+      "printed as [id: <uuid>] in the inbox output.\n\n" +
+      "If the message id can't be found (already deleted, typo, etc.) the reply " +
+      "is still written with a best-effort target derived from the message sender " +
+      "field you pass in as fallback.",
+    inputSchema: {
+      messageId: z.string().describe("The inbox message id you are replying to (from the [id: ...] field in lesa_check_inbox output)"),
+      body: z.string().describe("Reply body"),
+      type: z.string().optional().default("chat").describe("Message type: chat, system, task (default: chat)"),
+    },
+  },
+  async ({ messageId, body, type }) => {
+    try {
+      const { agentId, sessionName } = getSessionIdentity();
+      sendLdmMessage({
+        from: `${agentId}:${sessionName}`,
+        body,
+        type: type || "chat",
+        inReplyTo: messageId,
+      });
+      return {
+        content: [{
+          type: "text" as const,
+          text: `Replied to message ${messageId}. Routed back to the original sender (not broadcast).`,
+        }],
+      };
+    } catch (err: any) {
+      return { content: [{ type: "text" as const, text: `Error replying: ${err.message}` }], isError: true };
+    }
+  }
+);
+
 // Tool 6: Send message to any agent via file-based inbox (Phase 4)
 server.registerTool(
   "ldm_send_message",

package/src/bridge/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/ldm-bridge",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "private": true,
   "type": "module",
   "description": "WIP Bridge ... agent-to-agent communication, memory search, skill bridging. Core module of LDM OS.",