agentbnb 8.2.0 → 8.2.1

package/dist/{chunk-E2OKP5CY.js → chunk-GJETGML6.js}

@@ -3,16 +3,17 @@ import {
 } from "./chunk-3MJT4PZG.js";
 import {
   scorePeers
-} from "./chunk-5GME4KJZ.js";
+} from "./chunk-UYCD3JBZ.js";
 import {
   fetchRemoteCards
 } from "./chunk-KF3TZHA5.js";
 import {
   searchCards
-} from "./chunk-LJM7FHPM.js";
+} from "./chunk-BZOJ7HBT.js";
 import {
-  requestCapability
-} from "./chunk-64AK4FJM.js";
+  requestCapability,
+  requestCapabilityBatch
+} from "./chunk-EZVOG7QS.js";
 
 // src/conductor/decomposition-validator.ts
 function validateAndNormalizeSubtasks(raw, context) {
@@ -410,6 +411,65 @@ function computeWaves(subtasks) {
   }
   return waves;
 }
+async function executeSingleTask(pt, gatewayToken, timeoutMs, requesterOwner, relayClient, resolveAgentUrl) {
+  const { taskId, match: m, interpolatedParams, primary, teamId, capabilityType } = pt;
+  try {
+    let res;
+    if (primary.url.startsWith("relay://") && relayClient) {
+      const targetOwner = primary.url.replace("relay://", "");
+      res = await relayClient.request({
+        targetOwner,
+        cardId: primary.cardId,
+        params: interpolatedParams,
+        requester: requesterOwner,
+        timeoutMs
+      });
+    } else {
+      res = await requestCapability({
+        gatewayUrl: primary.url,
+        token: gatewayToken,
+        cardId: primary.cardId,
+        params: { ...interpolatedParams, requester: requesterOwner },
+        timeoutMs
+      });
+    }
+    return { taskId, result: res, credits: m.credits, team_id: teamId, capability_type: capabilityType };
+  } catch (primaryErr) {
+    if (m.alternatives.length > 0) {
+      const alt = m.alternatives[0];
+      const altResolved = resolveAgentUrl ? resolveAgentUrl(alt.agent) : { url: `http://${alt.agent}:7700`, cardId: `card-${alt.agent}` };
+      try {
+        let altRes;
+        if (altResolved.url.startsWith("relay://") && relayClient) {
+          const targetOwner = altResolved.url.replace("relay://", "");
+          altRes = await relayClient.request({
+            targetOwner,
+            cardId: altResolved.cardId,
+            params: interpolatedParams,
+            requester: requesterOwner,
+            timeoutMs
+          });
+        } else {
+          altRes = await requestCapability({
+            gatewayUrl: altResolved.url,
+            token: gatewayToken,
+            cardId: altResolved.cardId,
+            params: { ...interpolatedParams, requester: requesterOwner },
+            timeoutMs
+          });
+        }
+        return { taskId, result: altRes, credits: alt.credits, team_id: teamId, capability_type: capabilityType };
+      } catch (altErr) {
+        throw new Error(
+          `Task ${taskId}: primary (${m.selected_agent}) failed: ${primaryErr instanceof Error ? primaryErr.message : String(primaryErr)}; alternative (${alt.agent}) failed: ${altErr instanceof Error ? altErr.message : String(altErr)}`
+        );
+      }
+    }
+    throw new Error(
+      `Task ${taskId}: ${primaryErr instanceof Error ? primaryErr.message : String(primaryErr)}`
+    );
+  }
+}
 async function orchestrate(opts) {
   const { subtasks, matches, gatewayToken, resolveAgentUrl, timeoutMs = 3e5, maxBudget, relayClient, requesterOwner } = opts;
   const startTime = Date.now();
@@ -447,89 +507,127 @@ async function orchestrate(opts) {
       }
       executableIds.push(taskId);
     }
-    const waveResults = await Promise.allSettled(
-      executableIds.map(async (taskId) => {
-        const subtask = subtaskMap.get(taskId);
-        const m = matches.get(taskId);
-        if (!m) {
-          throw new Error(`No match found for subtask ${taskId}`);
-        }
-        const stepsContext = {};
-        for (const [id, val] of results) {
-          stepsContext[id] = val;
-        }
-        const interpContext = { steps: stepsContext, prev: void 0 };
-        if (subtask.depends_on.length > 0) {
-          const lastDep = subtask.depends_on[subtask.depends_on.length - 1];
-          interpContext.prev = results.get(lastDep);
-        }
-        const interpolatedParams = interpolateObject(
-          subtask.params,
-          interpContext
-        );
-        const teamMember = teamMemberMap.get(taskId);
-        const teamId = opts.team?.team_id ?? null;
-        const taskCapabilityType = teamMember?.capability_type ?? null;
-        const agentOwner = teamMember?.agent ?? m.selected_agent;
-        const primary = resolveAgentUrl(agentOwner);
-        try {
-          let res;
-          if (primary.url.startsWith("relay://") && relayClient) {
-            const targetOwner = primary.url.replace("relay://", "");
-            res = await relayClient.request({
-              targetOwner,
-              cardId: primary.cardId,
-              params: interpolatedParams,
-              requester: requesterOwner,
-              timeoutMs
-            });
-          } else {
-            res = await requestCapability({
-              gatewayUrl: primary.url,
-              token: gatewayToken,
-              cardId: primary.cardId,
-              params: { ...interpolatedParams, requester: requesterOwner },
-              timeoutMs
-            });
-          }
-          return { taskId, result: res, credits: m.credits, team_id: teamId, capability_type: taskCapabilityType };
-        } catch (primaryErr) {
-          if (m.alternatives.length > 0) {
-            const alt = m.alternatives[0];
-            const altAgent = resolveAgentUrl(alt.agent);
+    const preparedTasks = [];
+    for (const taskId of executableIds) {
+      const subtask = subtaskMap.get(taskId);
+      const m = matches.get(taskId);
+      if (!m) {
+        errors.push(`No match found for subtask ${taskId}`);
+        continue;
+      }
+      const stepsContext = {};
+      for (const [id, val] of results) stepsContext[id] = val;
+      const interpContext = { steps: stepsContext, prev: void 0 };
+      if (subtask.depends_on.length > 0) {
+        const lastDep = subtask.depends_on[subtask.depends_on.length - 1];
+        interpContext.prev = results.get(lastDep);
+      }
+      const interpolatedParams = interpolateObject(
+        subtask.params,
+        interpContext
+      );
+      const teamMember = teamMemberMap.get(taskId);
+      const agentOwner = teamMember?.agent ?? m.selected_agent;
+      const primary = resolveAgentUrl(agentOwner);
+      preparedTasks.push({
+        taskId,
+        subtask,
+        match: m,
+        interpolatedParams,
+        agentOwner,
+        primary,
+        teamId: opts.team?.team_id ?? null,
+        capabilityType: teamMember?.capability_type ?? null
+      });
+    }
+    const httpGroups = /* @__PURE__ */ new Map();
+    const relayTasks = [];
+    for (const pt of preparedTasks) {
+      if (pt.primary.url.startsWith("relay://") && relayClient) {
+        relayTasks.push(pt);
+      } else {
+        const group = httpGroups.get(pt.primary.url) ?? [];
+        group.push(pt);
+        httpGroups.set(pt.primary.url, group);
+      }
+    }
+    const batchPromises = [];
+    for (const [gatewayUrl, group] of httpGroups) {
+      if (group.length >= 2) {
+        batchPromises.push(
+          (async () => {
+            const items = group.map((pt) => ({
+              id: pt.taskId,
+              cardId: pt.primary.cardId,
+              params: { ...pt.interpolatedParams, requester: requesterOwner },
+              _pt: pt
+            }));
             try {
-              let altRes;
-              if (altAgent.url.startsWith("relay://") && relayClient) {
-                const targetOwner = altAgent.url.replace("relay://", "");
-                altRes = await relayClient.request({
-                  targetOwner,
-                  cardId: altAgent.cardId,
-                  params: interpolatedParams,
-                  requester: requesterOwner,
-                  timeoutMs
-                });
-              } else {
-                altRes = await requestCapability({
-                  gatewayUrl: altAgent.url,
-                  token: gatewayToken,
-                  cardId: altAgent.cardId,
-                  params: { ...interpolatedParams, requester: requesterOwner },
-                  timeoutMs
-                });
-              }
-              return { taskId, result: altRes, credits: alt.credits, team_id: teamId, capability_type: taskCapabilityType };
-            } catch (altErr) {
-              throw new Error(
-                `Task ${taskId}: primary (${m.selected_agent}) failed: ${primaryErr instanceof Error ? primaryErr.message : String(primaryErr)}; alternative (${alt.agent}) failed: ${altErr instanceof Error ? altErr.message : String(altErr)}`
+              const batchResults = await requestCapabilityBatch(
+                gatewayUrl,
+                gatewayToken,
+                items.map(({ _pt, ...item }) => item),
+                { timeoutMs }
               );
+              return items.map((item) => {
+                const res = batchResults.get(item.id);
+                if (res instanceof Error) {
+                  return {
+                    status: "rejected",
+                    reason: new Error(`Task ${item.id}: ${res.message}`)
+                  };
+                }
+                return {
+                  status: "fulfilled",
+                  value: {
+                    taskId: item.id,
+                    result: res,
+                    credits: item._pt.match.credits,
+                    team_id: item._pt.teamId,
+                    capability_type: item._pt.capabilityType
+                  }
+                };
+              });
+            } catch (batchErr) {
+              return Promise.all(group.map(async (pt) => {
+                try {
+                  const res = await executeSingleTask(pt, gatewayToken, timeoutMs, requesterOwner, relayClient, resolveAgentUrl);
+                  return { status: "fulfilled", value: res };
+                } catch (err) {
+                  return { status: "rejected", reason: err };
+                }
+              }));
+            }
+          })()
+        );
+      } else {
+        const pt = group[0];
+        batchPromises.push(
+          (async () => {
+            try {
+              const res = await executeSingleTask(pt, gatewayToken, timeoutMs, requesterOwner, relayClient, resolveAgentUrl);
+              return [{ status: "fulfilled", value: res }];
+            } catch (err) {
+              return [{ status: "rejected", reason: err }];
             }
+          })()
+        );
+      }
+    }
+    for (const pt of relayTasks) {
+      batchPromises.push(
+        (async () => {
+          try {
+            const res = await executeSingleTask(pt, gatewayToken, timeoutMs, requesterOwner, relayClient, resolveAgentUrl);
+            return [{ status: "fulfilled", value: res }];
+          } catch (err) {
+            return [{ status: "rejected", reason: err }];
           }
-          throw new Error(
-            `Task ${taskId}: ${primaryErr instanceof Error ? primaryErr.message : String(primaryErr)}`
-          );
-        }
-      })
-    );
+        })()
+      );
+    }
+    const allBatchResults = await Promise.all(batchPromises);
+    const waveResults = allBatchResults.flat();
     for (const settlement of waveResults) {
       if (settlement.status === "fulfilled") {
         const { taskId, result, credits, team_id, capability_type } = settlement.value;

package/dist/{chunk-YHY7OG6S.js → chunk-GWMMYVLL.js}

@@ -7,13 +7,13 @@ import {
   decompose,
   matchSubTasks,
   orchestrate
-} from "./chunk-E2OKP5CY.js";
+} from "./chunk-GJETGML6.js";
 import {
   BudgetManager
-} from "./chunk-5GME4KJZ.js";
+} from "./chunk-UYCD3JBZ.js";
 import {
   openCreditDb
-} from "./chunk-D6RKW2XG.js";
+} from "./chunk-JLNHMNES.js";
 import {
   loadPeers
 } from "./chunk-5AH3CMOX.js";
@@ -22,7 +22,7 @@ import {
 } from "./chunk-75OC6E4F.js";
 import {
   openDatabase
-} from "./chunk-O2OYBAVR.js";
+} from "./chunk-SRBVKO2V.js";
 
 // src/cli/conduct.ts
 async function conductAction(task, opts) {

package/dist/{chunk-D6RKW2XG.js → chunk-JLNHMNES.js}

@@ -149,10 +149,23 @@ function getBalance(db, owner) {
   const row = db.prepare("SELECT balance FROM credit_balances WHERE owner = ?").get(owner);
   return row?.balance ?? 0;
 }
-function getTransactions(db, owner, limit = 100) {
+function getTransactions(db, owner, opts = 100) {
+  const page = typeof opts === "number" ? { limit: opts } : opts;
+  const limit = page.limit ?? 100;
+  const conditions = ["owner = ?"];
+  const params = [owner];
+  if (page.before) {
+    conditions.push("created_at < ?");
+    params.push(page.before);
+  }
+  if (page.after) {
+    conditions.push("created_at > ?");
+    params.push(page.after);
+  }
+  params.push(limit);
   return db.prepare(
-    "SELECT id, owner, amount, reason, reference_id, created_at FROM credit_transactions WHERE owner = ? ORDER BY created_at DESC LIMIT ?"
-  ).all(owner, limit);
+    `SELECT id, owner, amount, reason, reference_id, created_at FROM credit_transactions WHERE ${conditions.join(" AND ")} ORDER BY created_at DESC LIMIT ?`
+  ).all(...params);
 }
 function registerProvider(db, owner) {
   const now = (/* @__PURE__ */ new Date()).toISOString();

package/dist/{chunk-5AAFG2V2.js → chunk-KBQNTUTN.js}

@@ -3,19 +3,154 @@ import {
   getBalance,
   getTransactions,
   holdEscrow,
+  lookupAgent,
   migrateOwner,
   openCreditDb,
   releaseEscrow,
   settleEscrow
-} from "./chunk-D6RKW2XG.js";
+} from "./chunk-JLNHMNES.js";
 import {
+  generateKeyPair,
+  loadKeyPair,
+  saveKeyPair,
   signEscrowReceipt,
   verifyEscrowReceipt
-} from "./chunk-CUONY5TO.js";
+} from "./chunk-EJKW57ZV.js";
 import {
   AgentBnBError
 } from "./chunk-WVY2W7AA.js";
 
+// src/identity/identity.ts
+import { z } from "zod";
+import { createHash, createPrivateKey, createPublicKey } from "crypto";
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+var AgentIdentitySchema = z.object({
+  /** Deterministic ID derived from public key: sha256(hex).slice(0, 16). */
+  agent_id: z.string().min(1),
+  /** Human-readable owner name (from config or init). */
+  owner: z.string().min(1),
+  /** Hex-encoded Ed25519 public key. */
+  public_key: z.string().min(1),
+  /** ISO 8601 timestamp of identity creation. */
+  created_at: z.string().datetime(),
+  /** Optional guarantor info if linked to a human. */
+  guarantor: z.object({
+    github_login: z.string().min(1),
+    verified_at: z.string().datetime()
+  }).optional()
+});
+var AgentCertificateSchema = z.object({
+  identity: AgentIdentitySchema,
+  /** ISO 8601 timestamp of certificate issuance. */
+  issued_at: z.string().datetime(),
+  /** ISO 8601 timestamp of certificate expiry. */
+  expires_at: z.string().datetime(),
+  /** Hex-encoded public key of the issuer (same as identity for self-signed). */
+  issuer_public_key: z.string().min(1),
+  /** Base64url Ed25519 signature over { identity, issued_at, expires_at, issuer_public_key }. */
+  signature: z.string().min(1)
+});
+var IDENTITY_FILENAME = "identity.json";
+var PRIVATE_KEY_FILENAME = "private.key";
+var PUBLIC_KEY_FILENAME = "public.key";
+function derivePublicKeyFromPrivate(privateKey) {
+  const privateKeyObject = createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
+  const publicKeyObject = createPublicKey(privateKeyObject);
+  const publicKey = publicKeyObject.export({ format: "der", type: "spki" });
+  return Buffer.from(publicKey);
+}
+function buildIdentityFromPublicKey(publicKey, owner, createdAt) {
+  const publicKeyHex = publicKey.toString("hex");
+  return {
+    agent_id: deriveAgentId(publicKeyHex),
+    owner,
+    public_key: publicKeyHex,
+    created_at: createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function generateFreshIdentity(configDir, owner) {
+  const keys = generateKeyPair();
+  saveKeyPair(configDir, keys);
+  const identity = buildIdentityFromPublicKey(keys.publicKey, owner);
+  saveIdentity(configDir, identity);
+  return { identity, keys, status: "generated" };
+}
+function deriveAgentId(publicKeyHex) {
+  return createHash("sha256").update(publicKeyHex, "hex").digest("hex").slice(0, 16);
+}
+function loadIdentity(configDir) {
+  const filePath = join(configDir, IDENTITY_FILENAME);
+  if (!existsSync(filePath)) return null;
+  try {
+    const raw = readFileSync(filePath, "utf-8");
+    return AgentIdentitySchema.parse(JSON.parse(raw));
+  } catch {
+    return null;
+  }
+}
+function saveIdentity(configDir, identity) {
+  if (!existsSync(configDir)) {
+    mkdirSync(configDir, { recursive: true });
+  }
+  const filePath = join(configDir, IDENTITY_FILENAME);
+  writeFileSync(filePath, JSON.stringify(identity, null, 2), "utf-8");
+}
+function loadOrRepairIdentity(configDir, ownerHint) {
+  if (!existsSync(configDir)) {
+    mkdirSync(configDir, { recursive: true });
+  }
+  const identityPath = join(configDir, IDENTITY_FILENAME);
+  const privateKeyPath = join(configDir, PRIVATE_KEY_FILENAME);
+  const publicKeyPath = join(configDir, PUBLIC_KEY_FILENAME);
+  const hasIdentity = existsSync(identityPath);
+  const hasPrivateKey = existsSync(privateKeyPath);
+  const hasPublicKey = existsSync(publicKeyPath);
+  if (!hasIdentity || !hasPrivateKey || !hasPublicKey) {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keys;
+  try {
+    keys = loadKeyPair(configDir);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let derivedPublicKey;
+  try {
+    derivedPublicKey = derivePublicKeyFromPrivate(keys.privateKey);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keypairRepaired = false;
+  if (!keys.publicKey.equals(derivedPublicKey)) {
+    keypairRepaired = true;
+    keys = { privateKey: keys.privateKey, publicKey: derivedPublicKey };
+    saveKeyPair(configDir, keys);
+  }
+  const loadedIdentity = loadIdentity(configDir);
+  const expectedAgentId = deriveAgentId(derivedPublicKey.toString("hex"));
+  const expectedPublicKeyHex = derivedPublicKey.toString("hex");
+  const identityMismatch = !loadedIdentity || loadedIdentity.public_key !== expectedPublicKeyHex || loadedIdentity.agent_id !== expectedAgentId;
+  if (identityMismatch) {
+    const repairedIdentity = buildIdentityFromPublicKey(
+      derivedPublicKey,
+      loadedIdentity?.owner ?? ownerHint ?? "agent",
+      loadedIdentity?.created_at
+    );
+    saveIdentity(configDir, repairedIdentity);
+    return { identity: repairedIdentity, keys, status: "repaired" };
+  }
+  if (ownerHint && loadedIdentity.owner !== ownerHint) {
+    const updatedIdentity = { ...loadedIdentity, owner: ownerHint };
+    saveIdentity(configDir, updatedIdentity);
+    return { identity: updatedIdentity, keys, status: "repaired" };
+  }
+  return { identity: loadedIdentity, keys, status: keypairRepaired ? "repaired" : "existing" };
+}
+function ensureIdentity(configDir, owner) {
+  return loadOrRepairIdentity(configDir, owner).identity;
+}
+
 // src/credit/local-credit-ledger.ts
 var LocalCreditLedger = class {
   constructor(db) {
@@ -91,11 +226,57 @@ var LocalCreditLedger = class {
 
 // src/registry/identity-auth.ts
 var MAX_REQUEST_AGE_MS = 5 * 60 * 1e3;
-async function verifyIdentity(request, reply) {
-  const publicKeyHex = request.headers["x-agent-publickey"];
-  const signature = request.headers["x-agent-signature"];
-  const timestamp = request.headers["x-agent-timestamp"];
-  if (!publicKeyHex || !signature || !timestamp) {
+function normalizeSignedParams(body) {
+  return body === void 0 ? null : body;
+}
+function buildIdentityPayload(method, path, timestamp, publicKeyHex, agentId, params) {
+  return {
+    method,
+    path,
+    timestamp,
+    publicKey: publicKeyHex,
+    agentId,
+    params: normalizeSignedParams(params)
+  };
+}
+function extractClaimedRequester(request) {
+  const extractFromObject = (obj) => {
+    const directOwner = typeof obj.owner === "string" ? obj.owner.trim() : "";
+    if (directOwner) return directOwner;
+    const directRequester = typeof obj.requester === "string" ? obj.requester.trim() : "";
+    if (directRequester) return directRequester;
+    const oldOwner = typeof obj.oldOwner === "string" ? obj.oldOwner.trim() : "";
+    if (oldOwner) return oldOwner;
+    const nestedParams = obj.params;
+    if (nestedParams && typeof nestedParams === "object" && !Array.isArray(nestedParams)) {
+      const nested = nestedParams;
+      const nestedOwner = typeof nested.owner === "string" ? nested.owner.trim() : "";
+      if (nestedOwner) return nestedOwner;
+      const nestedRequester = typeof nested.requester === "string" ? nested.requester.trim() : "";
+      if (nestedRequester) return nestedRequester;
+    }
+    return null;
+  };
+  if (request.body && typeof request.body === "object" && !Array.isArray(request.body)) {
+    const claimed = extractFromObject(request.body);
+    if (claimed) return claimed;
+  }
+  if (request.params && typeof request.params === "object" && !Array.isArray(request.params)) {
+    const claimed = extractFromObject(request.params);
+    if (claimed) return claimed;
+  }
+  return null;
+}
+async function verifyIdentity(request, reply, options) {
+  const agentIdHeader = request.headers["x-agent-id"];
+  const publicKeyHeader = request.headers["x-agent-publickey"];
+  const signatureHeader = request.headers["x-agent-signature"];
+  const timestampHeader = request.headers["x-agent-timestamp"];
+  const agentId = agentIdHeader?.trim();
+  const publicKeyHex = publicKeyHeader?.trim();
+  const signature = signatureHeader?.trim();
+  const timestamp = timestampHeader?.trim();
+  if (!agentId || !publicKeyHex || !signature || !timestamp) {
     await reply.code(401).send({ error: "Missing identity headers" });
     return false;
   }
@@ -104,12 +285,21 @@ async function verifyIdentity(request, reply) {
     await reply.code(401).send({ error: "Request expired" });
     return false;
   }
-  const payload = {
-    method: request.method,
-    path: request.url,
-    timestamp,
-    publicKey: publicKeyHex
-  };
+  if (!/^[0-9a-fA-F]+$/.test(publicKeyHex) || publicKeyHex.length % 2 !== 0) {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
+  let expectedAgentId;
+  try {
+    expectedAgentId = deriveAgentId(publicKeyHex);
+  } catch {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
+  if (agentId !== expectedAgentId) {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
   let publicKeyBuffer;
   try {
     publicKeyBuffer = Buffer.from(publicKeyHex, "hex");
@@ -117,30 +307,52 @@ async function verifyIdentity(request, reply) {
     await reply.code(401).send({ error: "Invalid identity signature" });
     return false;
   }
+  const knownAgent = options.agentDb ? lookupAgent(options.agentDb, agentId) : null;
+  if (knownAgent && knownAgent.public_key.toLowerCase() !== publicKeyHex.toLowerCase()) {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
+  const payload = buildIdentityPayload(
+    request.method,
+    request.url,
+    timestamp,
+    publicKeyHex,
+    agentId,
+    request.body
+  );
   const valid = verifyEscrowReceipt(payload, signature, publicKeyBuffer);
   if (!valid) {
     await reply.code(401).send({ error: "Invalid identity signature" });
     return false;
   }
+  const claimedRequester = extractClaimedRequester(request);
+  if (claimedRequester) {
+    const matchesAgentId = claimedRequester === agentId;
+    const matchesLegacyOwner = knownAgent?.legacy_owner === claimedRequester;
+    if (!matchesAgentId && !matchesLegacyOwner) {
+      await reply.code(401).send({ error: "Identity does not match requester" });
+      return false;
+    }
+  }
   request.agentPublicKey = publicKeyHex;
+  request.agentId = agentId;
   return true;
 }
-function identityAuthPlugin(fastify) {
-  fastify.addHook("onRequest", async (request, reply) => {
-    await verifyIdentity(request, reply);
+function identityAuthPlugin(fastify, options = {}) {
+  fastify.addHook("preHandler", async (request, reply) => {
+    const ok = await verifyIdentity(request, reply, options);
+    if (!ok) {
+      return reply;
+    }
   });
 }
-function signRequest(method, path, body, privateKey, publicKeyHex) {
+function signRequest(method, path, body, privateKey, publicKeyHex, agentIdOverride) {
   const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-  const payload = {
-    method,
-    path,
-    timestamp,
-    publicKey: publicKeyHex
-  };
-  void body;
+  const agentId = agentIdOverride ?? deriveAgentId(publicKeyHex);
+  const payload = buildIdentityPayload(method, path, timestamp, publicKeyHex, agentId, body);
   const signature = signEscrowReceipt(payload, privateKey);
   return {
+    "X-Agent-Id": agentId,
     "X-Agent-PublicKey": publicKeyHex,
     "X-Agent-Signature": signature,
     "X-Agent-Timestamp": timestamp
@@ -368,6 +580,9 @@ function createLedger(opts) {
 }
 
 export {
+  deriveAgentId,
+  loadOrRepairIdentity,
+  ensureIdentity,
   identityAuthPlugin,
   createLedger
 };