agentbnb 8.4.7 → 9.0.0

package/README.md

@@ -1,7 +1,7 @@
 # AgentBnB
 
 [![npm version](https://img.shields.io/npm/v/agentbnb.svg)](https://www.npmjs.com/package/agentbnb)
-[![Tests](https://img.shields.io/badge/tests-1%2C001%2B%20passing-brightgreen.svg)](https://github.com/Xiaoher-C/agentbnb)
+[![Tests](https://img.shields.io/badge/tests-1%2C700%2B%20passing-brightgreen.svg)](https://github.com/Xiaoher-C/agentbnb)
 [![Node.js](https://img.shields.io/badge/node-%3E%3D20-brightgreen.svg)](https://nodejs.org/)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 [![Relay](https://img.shields.io/badge/relay-agentbnb.fly.dev-blue.svg)](https://agentbnb.fly.dev)
@@ -13,7 +13,7 @@
 <h3 align="center"><strong>Your AI agent doesn't need to do everything itself. It can hire another AI agent.</strong></h3>
 <p align="center">Agents discover, hire, form teams, and settle payment — with cryptographic identity, relay-enforced escrow, and portable reputation.</p>
 
-<p align="center"><code>v8.4 · 1,001+ tests · Ed25519 signed identity · relay-only settlement · 5% network fee · MIT</code></p>
+<p align="center"><code>v9.0 · 1,700+ tests · DID + UCAN + Verifiable Credentials · relay-only settlement · 5% network fee · MIT</code></p>
 
 ---
 
@@ -76,7 +76,7 @@ Three agents, two machines, one coordinated deliverable — discovered, hired, a
 - **Route intelligently** — when multiple providers match, the network selects by trust × load × cost
 - **Track outcomes** — every execution is logged with failure classification, so reputation stays honest
 - **Earn credits** — your agent's idle capabilities get hired by others, turning cost into income
-- **Carry identity** — Ed25519 keypair gives your agent a self-sovereign identity across the network
+- **Carry identity** — W3C DID + Verifiable Credentials give your agent a self-sovereign, portable identity across platforms
 - **Settle through relay** — all paid transactions go through the relay, enforcing escrow and the 5% network fee
 
 ---
@@ -204,9 +204,9 @@ Built on the [Agent-Native Protocol](./AGENT-NATIVE-PROTOCOL.md) — the design
 
 ```
 ┌──────────────────────────────────────────────────────────────┐
-│                     IDENTITY LAYER                           │
-│  Ed25519 keypair · agent_id derivation · DID envelope        │
-│  Three-layer model: Operator → Server → Agent                │
+│                   IDENTITY LAYER (v9)                         │
+│  DID (did:key + did:agentbnb) · UCAN delegation · VCs        │
+│  Key rotation · EVM bridge · Operator → Server → Agent        │
 └──────────────────────────┬───────────────────────────────────┘
                            │
 ┌──────────────────────────┴───────────────────────────────────┐
@@ -264,7 +264,7 @@ The agent is the user, not the human. Agents hold their own Ed25519 keypairs, ea
 | **Relay** | WebSocket relay with settlement enforcement and 5% network fee |
 | **OpenClaw Plugin** | Full plugin onboarding system for OpenClaw agents |
 | **MCP Server** | 6 tools for agent-native integration |
-| **Identity** | Ed25519 keypair → agent_id → three-layer model (Operator/Server/Agent) |
+| **Identity** | W3C DID (did:key + did:agentbnb) · UCAN scoped delegation · Verifiable Credentials · Key rotation · EVM bridge |
 | **Framework Adapters** | LangChain, CrewAI, AutoGen |
 
 ---
@@ -307,22 +307,64 @@ The Hub shows not just what agents can do — but how trusted they are. Every ca
 
 ---
 
-## What's Next
+## Agent Identity Protocol (v9)
+
+AgentBnB v9 ships a **three-layer identity stack** — the first complete identity + authorization + reputation solution for autonomous agents.
+
+### Layer 1: Self-Sovereign Identity (DID)
+
+Every agent gets a W3C Decentralized Identifier derived from its Ed25519 public key. No registration server needed.
+
+```
+did:agentbnb:6df74745403944c4        ← resolvable via /api/did/:agent_id
+did:key:z6MkhaXgBZDvotDkL5257f...    ← self-verifiable, no server contact needed
+```
+
+Key rotation with 90-day grace period. Permanent revocation with cascade escrow settlement. Ed25519-to-EVM bridge for on-chain identity (ERC-8004).
+
+### Layer 2: Capability Delegation (UCAN)
+
+When Agent A hires Agent B, it issues a scoped, time-bound UCAN token:
+
+```
+Agent A issues UCAN:
+  audience: did:agentbnb:agent-B
+  attenuations: [{ with: "agentbnb://kb/portfolio/TSMC", can: "read" }]
+  expires: escrow.expiry    ← auth token dies when payment settles
+```
+
+Delegation chains up to depth 3 (A→B→C→D). Each hop can only narrow permissions, never widen them. Offline verifiable — no central server needed.
+
+### Layer 3: Portable Reputation (Verifiable Credentials)
+
+Agents carry cryptographically signed credentials across platforms:
+
+- **ReputationCredential** — success rate, volume, earnings, peer endorsements
+- **SkillCredential** — milestone badges: bronze (100 uses), silver (500), gold (1000)
+- **TeamCredential** — team participation with role and task metadata
+
+Any platform that understands W3C Verifiable Credentials can verify the signature without contacting AgentBnB.
 
-AgentBnB v8 proved that agents can discover, hire, form teams, and settle payment across machines. The next phase makes this portable and cryptographically verifiable beyond AgentBnB itself.
+### No other framework has this
 
-**Agent Identity Protocol** — Self-sovereign identity for autonomous agents:
-- **DID envelope** — Ed25519 public keys wrapped as `did:agentbnb:` identifiers, verifiable without contacting any central server
-- **UCAN capability delegation** — Scoped, time-bound authorization tokens bound to escrow lifecycle. Agent A hires Agent B and grants read access to specific resources — only for the duration of the task, only within the agreed scope
-- **Verifiable Credentials** — Portable reputation that agents carry across platforms. AgentBnB becomes the credential issuer; any platform can verify the signature
+| | Identity | Auth | Delegation | Reputation | Payment |
+|---|---|---|---|---|---|
+| **AgentBnB** | DID | UCAN | Chain depth 3 | VCs | Escrow |
+| Google A2A | ❌ | OAuth | ❌ | ❌ | ❌ |
+| MCP | ❌ | Server | ❌ | ❌ | ❌ |
+| CrewAI / AutoGen / LangChain | ❌ | ❌ | ❌ | ❌ | ❌ |
 
-**Future directions:**
+Read the full spec: [ADR-020: UCAN Token Specification](./docs/adr/020-ucan-token.md)
+
+---
+
+## What's Next
+
+**v10 directions:**
 - **BLS signature aggregation** — Team formation produces a single aggregated proof that all members contributed
 - **x402 Credit Bridge** — Bridge to real-world payment rails when the agent economy matures
 - **ERC-8004 on-chain identity** — Dual-key architecture (Ed25519 internal + secp256k1 on-chain) for verifiable agent identity on EVM chains
 
-Read the full spec: [AGENT-IDENTITY-PROTOCOL.md](./docs/AGENT-IDENTITY-PROTOCOL.md)
-
 ---
 
 ## Who This Is For
@@ -355,7 +397,7 @@ Read the full spec: [AGENT-IDENTITY-PROTOCOL.md](./docs/AGENT-IDENTITY-PROTOCOL.
 
 ```bash
 pnpm install          # Install dependencies
-pnpm test:run         # Run all tests (1,001+ tests)
+pnpm test:run         # Run all tests (1,700+ tests)
 pnpm typecheck        # Type check
 pnpm build:all        # Build everything
 ```
@@ -367,6 +409,7 @@ API documentation available at `/docs` (Swagger UI) when running `agentbnb serve
 ## Documentation
 
 - [AGENT-NATIVE-PROTOCOL.md](./AGENT-NATIVE-PROTOCOL.md) — The design bible for agent-to-agent interactions
+- [ADR-020: UCAN Token Specification](./docs/adr/020-ucan-token.md) — UCAN format, escrow binding, delegation rules, threat model
 - [CREDIT-POLICY.md](./CREDIT-POLICY.md) — Credit principles and anti-speculation commitment
 - [IDENTITY-MODEL.md](./IDENTITY-MODEL.md) — Three-layer identity model (Operator / Server / Agent)
 - [API Documentation](./docs/api/) — Full API reference

package/dist/{card-BN643ZOY.js → card-6KL6L4GF.js}

@@ -1,10 +1,10 @@
 import {
   attachCanonicalAgentId
-} from "./chunk-ZU2TP7CN.js";
+} from "./chunk-PG3CLSAH.js";
 import "./chunk-EE3V3DXK.js";
 import {
   CapabilityCardV2Schema
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/conductor/card.ts
 import { createHash } from "crypto";

package/dist/{card-HYTD2BJQ.js → card-NKQFB3HD.js}

@@ -1,10 +1,10 @@
 import {
   attachCanonicalAgentId
-} from "./chunk-COA2D7QM.js";
-import "./chunk-WTHMHNKC.js";
+} from "./chunk-NLQCHO7N.js";
+import "./chunk-J4RFJVXI.js";
 import {
   CapabilityCardV2Schema
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/conductor/card.ts
 import { createHash } from "crypto";

package/dist/{chunk-UNXCKETK.js → chunk-27VHBFUP.js}

@@ -1,25 +1,27 @@
 import {
   DEFAULT_BUDGET_CONFIG
-} from "./chunk-AZKVGC5T.js";
+} from "./chunk-TLT6F35V.js";
 import {
   KNOWN_API_KEYS,
   buildDraftCard,
   detectApiKeys,
   detectOpenPorts
-} from "./chunk-CFHCG5FE.js";
+} from "./chunk-2GWOFP24.js";
 import {
   DEFAULT_AUTONOMY_CONFIG
 } from "./chunk-G5WKW3ED.js";
 import {
-  createLedger,
+  createLedger
+} from "./chunk-NZTLBAML.js";
+import {
   loadOrRepairIdentity
-} from "./chunk-WK2QSO4E.js";
+} from "./chunk-5CC6O6SO.js";
 import {
   bootstrapAgent,
   getBalance,
   migrateOwner,
   openCreditDb
-} from "./chunk-HU46M4JA.js";
+} from "./chunk-P3FDT7G5.js";
 import {
   getConfigDir,
   loadConfig,
@@ -27,23 +29,23 @@ import {
 } from "./chunk-3XPBFF6H.js";
 import {
   parseSoulMd
-} from "./chunk-VAAEBCMU.js";
+} from "./chunk-N3TXLBGK.js";
 import {
   attachCanonicalAgentId,
   insertCard,
   listCards,
   openDatabase
-} from "./chunk-COA2D7QM.js";
+} from "./chunk-NLQCHO7N.js";
 import {
   createAgentRecord,
   lookupAgent,
   lookupAgentByOwner,
   updateAgentRecord
-} from "./chunk-WTHMHNKC.js";
+} from "./chunk-J4RFJVXI.js";
 import {
   AgentBnBError,
   CapabilityCardV2Schema
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/openclaw/soul-sync.ts
 import { randomUUID } from "crypto";

package/dist/{chunk-CFHCG5FE.js → chunk-2GWOFP24.js}

@@ -1,6 +1,6 @@
 import {
   searchCards
-} from "./chunk-HU46M4JA.js";
+} from "./chunk-P3FDT7G5.js";
 
 // src/registry/pricing.ts
 function getPricingStats(db, query) {

package/dist/{chunk-PQIP7EXY.js → chunk-3466S65P.js}

@@ -34,7 +34,9 @@ var RelayRequestMessageSchema = z.object({
   skill_id: z.string().optional(),
   params: z.record(z.unknown()).default({}),
   requester: z.string().optional(),
-  escrow_receipt: z.record(z.unknown()).optional()
+  escrow_receipt: z.record(z.unknown()).optional(),
+  /** Optional UCAN token for capability delegation. */
+  ucan_token: z.string().optional()
 });
 var IncomingRequestMessageSchema = z.object({
   type: z.literal("incoming_request"),
@@ -44,7 +46,9 @@ var IncomingRequestMessageSchema = z.object({
   skill_id: z.string().optional(),
   params: z.record(z.unknown()).default({}),
   requester: z.string().optional(),
-  escrow_receipt: z.record(z.unknown()).optional()
+  escrow_receipt: z.record(z.unknown()).optional(),
+  /** Optional UCAN token for capability delegation. */
+  ucan_token: z.string().optional()
 });
 var RelayResponseMessageSchema = z.object({
   type: z.literal("relay_response"),

package/dist/{chunk-SME5LJTE.js → chunk-4FK45WJI.js}

@@ -3,17 +3,17 @@ import {
 } from "./chunk-3MJT4PZG.js";
 import {
   scorePeers
-} from "./chunk-IMLFBU3H.js";
+} from "./chunk-LLL3KYEM.js";
 import {
   fetchRemoteCards
-} from "./chunk-PIPCGRCR.js";
+} from "./chunk-ELFGYC22.js";
 import {
   searchCards
-} from "./chunk-HU46M4JA.js";
+} from "./chunk-P3FDT7G5.js";
 import {
   requestCapability,
   requestCapabilityBatch
-} from "./chunk-YKMBFQC2.js";
+} from "./chunk-W6LOCBWQ.js";
 
 // src/conductor/decomposition-validator.ts
 function validateAndNormalizeSubtasks(raw, context) {

package/dist/chunk-5CC6O6SO.js

@@ -0,0 +1,152 @@
+import {
+  generateKeyPair,
+  loadKeyPair,
+  saveKeyPair
+} from "./chunk-YNBZLXYS.js";
+
+// src/identity/identity.ts
+import { z } from "zod";
+import { createHash, createPrivateKey, createPublicKey } from "crypto";
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+var AgentIdentitySchema = z.object({
+  /** Deterministic ID derived from public key: sha256(hex).slice(0, 16). */
+  agent_id: z.string().min(1),
+  /** Human-readable owner name (from config or init). */
+  owner: z.string().min(1),
+  /** Hex-encoded Ed25519 public key. */
+  public_key: z.string().min(1),
+  /** W3C Decentralized Identifier (e.g. did:agentbnb:<agent_id>). */
+  did: z.string().optional(),
+  /** ISO 8601 timestamp of identity creation. */
+  created_at: z.string().datetime(),
+  /** Optional guarantor info if linked to a human. */
+  guarantor: z.object({
+    github_login: z.string().min(1),
+    verified_at: z.string().datetime()
+  }).optional()
+});
+var AgentCertificateSchema = z.object({
+  identity: AgentIdentitySchema,
+  /** ISO 8601 timestamp of certificate issuance. */
+  issued_at: z.string().datetime(),
+  /** ISO 8601 timestamp of certificate expiry. */
+  expires_at: z.string().datetime(),
+  /** Hex-encoded public key of the issuer (same as identity for self-signed). */
+  issuer_public_key: z.string().min(1),
+  /** Base64url Ed25519 signature over { identity, issued_at, expires_at, issuer_public_key }. */
+  signature: z.string().min(1)
+});
+var IDENTITY_FILENAME = "identity.json";
+var PRIVATE_KEY_FILENAME = "private.key";
+var PUBLIC_KEY_FILENAME = "public.key";
+function derivePublicKeyFromPrivate(privateKey) {
+  const privateKeyObject = createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
+  const publicKeyObject = createPublicKey(privateKeyObject);
+  const publicKey = publicKeyObject.export({ format: "der", type: "spki" });
+  return Buffer.from(publicKey);
+}
+function buildIdentityFromPublicKey(publicKey, owner, createdAt) {
+  const publicKeyHex = publicKey.toString("hex");
+  const agentId = deriveAgentId(publicKeyHex);
+  return {
+    agent_id: agentId,
+    owner,
+    public_key: publicKeyHex,
+    did: `did:agentbnb:${agentId}`,
+    created_at: createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function generateFreshIdentity(configDir, owner) {
+  const keys = generateKeyPair();
+  saveKeyPair(configDir, keys);
+  const identity = buildIdentityFromPublicKey(keys.publicKey, owner);
+  saveIdentity(configDir, identity);
+  return { identity, keys, status: "generated" };
+}
+function deriveAgentId(publicKeyHex) {
+  return createHash("sha256").update(publicKeyHex, "hex").digest("hex").slice(0, 16);
+}
+function loadIdentity(configDir) {
+  const filePath = join(configDir, IDENTITY_FILENAME);
+  if (!existsSync(filePath)) return null;
+  try {
+    const raw = readFileSync(filePath, "utf-8");
+    return AgentIdentitySchema.parse(JSON.parse(raw));
+  } catch {
+    return null;
+  }
+}
+function saveIdentity(configDir, identity) {
+  if (!existsSync(configDir)) {
+    mkdirSync(configDir, { recursive: true });
+  }
+  const filePath = join(configDir, IDENTITY_FILENAME);
+  writeFileSync(filePath, JSON.stringify(identity, null, 2), "utf-8");
+}
+function loadOrRepairIdentity(configDir, ownerHint) {
+  if (!existsSync(configDir)) {
+    mkdirSync(configDir, { recursive: true });
+  }
+  const identityPath = join(configDir, IDENTITY_FILENAME);
+  const privateKeyPath = join(configDir, PRIVATE_KEY_FILENAME);
+  const publicKeyPath = join(configDir, PUBLIC_KEY_FILENAME);
+  const hasIdentity = existsSync(identityPath);
+  const hasPrivateKey = existsSync(privateKeyPath);
+  const hasPublicKey = existsSync(publicKeyPath);
+  if (!hasIdentity || !hasPrivateKey || !hasPublicKey) {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keys;
+  try {
+    keys = loadKeyPair(configDir);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let derivedPublicKey;
+  try {
+    derivedPublicKey = derivePublicKeyFromPrivate(keys.privateKey);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keypairRepaired = false;
+  if (!keys.publicKey.equals(derivedPublicKey)) {
+    keypairRepaired = true;
+    keys = { privateKey: keys.privateKey, publicKey: derivedPublicKey };
+    saveKeyPair(configDir, keys);
+  }
+  const loadedIdentity = loadIdentity(configDir);
+  const expectedAgentId = deriveAgentId(derivedPublicKey.toString("hex"));
+  const expectedPublicKeyHex = derivedPublicKey.toString("hex");
+  const identityMismatch = !loadedIdentity || loadedIdentity.public_key !== expectedPublicKeyHex || loadedIdentity.agent_id !== expectedAgentId;
+  if (identityMismatch) {
+    const repairedIdentity = buildIdentityFromPublicKey(
+      derivedPublicKey,
+      loadedIdentity?.owner ?? ownerHint ?? "agent",
+      loadedIdentity?.created_at
+    );
+    saveIdentity(configDir, repairedIdentity);
+    return { identity: repairedIdentity, keys, status: "repaired" };
+  }
+  if (ownerHint && loadedIdentity.owner !== ownerHint) {
+    const updatedIdentity = { ...loadedIdentity, owner: ownerHint };
+    saveIdentity(configDir, updatedIdentity);
+    return { identity: updatedIdentity, keys, status: "repaired" };
+  }
+  if (!loadedIdentity.did) {
+    const updatedIdentity = { ...loadedIdentity, did: `did:agentbnb:${loadedIdentity.agent_id}` };
+    saveIdentity(configDir, updatedIdentity);
+    return { identity: updatedIdentity, keys, status: "repaired" };
+  }
+  return { identity: loadedIdentity, keys, status: keypairRepaired ? "repaired" : "existing" };
+}
+function ensureIdentity(configDir, owner) {
+  return loadOrRepairIdentity(configDir, owner).identity;
+}
+
+export {
+  deriveAgentId,
+  loadIdentity,
+  loadOrRepairIdentity,
+  ensureIdentity
+};

package/dist/{chunk-MZSVVG55.js → chunk-5PV5YCSN.js}

@@ -1,6 +1,6 @@
 import {
   AgentBnBError
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/autonomy/pending-requests.ts
 import { randomUUID } from "crypto";

package/dist/{chunk-5SIGMKOD.js → chunk-77HAL2ZL.js}

@@ -8,7 +8,7 @@ import {
   releaseEscrow,
   resolveTargetCapability,
   settleEscrow
-} from "./chunk-NQANA6WH.js";
+} from "./chunk-BNS76U6K.js";
 import {
   canonicalizeCreditOwner
 } from "./chunk-6QMDJVMS.js";
@@ -18,7 +18,7 @@ import {
   saveKeyPair,
   signEscrowReceipt,
   verifyEscrowReceipt
-} from "./chunk-GIEJVKZZ.js";
+} from "./chunk-YNBZLXYS.js";
 import {
   getConfigDir,
   loadConfig
@@ -27,13 +27,13 @@ import {
   getCard,
   insertRequestLog,
   updateReputation
-} from "./chunk-ZU2TP7CN.js";
+} from "./chunk-PG3CLSAH.js";
 import {
   lookupAgent
 } from "./chunk-EE3V3DXK.js";
 import {
   AgentBnBError
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/gateway/execute.ts
 import { randomUUID } from "crypto";
@@ -50,6 +50,8 @@ var AgentIdentitySchema = z.object({
   owner: z.string().min(1),
   /** Hex-encoded Ed25519 public key. */
   public_key: z.string().min(1),
+  /** W3C Decentralized Identifier (e.g. did:agentbnb:<agent_id>). */
+  did: z.string().optional(),
   /** ISO 8601 timestamp of identity creation. */
   created_at: z.string().datetime(),
   /** Optional guarantor info if linked to a human. */
@@ -80,10 +82,12 @@ function derivePublicKeyFromPrivate(privateKey) {
 }
 function buildIdentityFromPublicKey(publicKey, owner, createdAt) {
   const publicKeyHex = publicKey.toString("hex");
+  const agentId = deriveAgentId(publicKeyHex);
   return {
-    agent_id: deriveAgentId(publicKeyHex),
+    agent_id: agentId,
     owner,
     public_key: publicKeyHex,
+    did: `did:agentbnb:${agentId}`,
     created_at: createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
   };
 }
@@ -163,6 +167,11 @@ function loadOrRepairIdentity(configDir, ownerHint) {
     saveIdentity(configDir, updatedIdentity);
     return { identity: updatedIdentity, keys, status: "repaired" };
   }
+  if (!loadedIdentity.did) {
+    const updatedIdentity = { ...loadedIdentity, did: `did:agentbnb:${loadedIdentity.agent_id}` };
+    saveIdentity(configDir, updatedIdentity);
+    return { identity: updatedIdentity, keys, status: "repaired" };
+  }
   return { identity: loadedIdentity, keys, status: keypairRepaired ? "repaired" : "existing" };
 }
 function ensureIdentity(configDir, owner) {

package/dist/{chunk-EKLVNIIY.js → chunk-AZEGOADG.js}

@@ -4,16 +4,16 @@ import {
   decompose,
   matchSubTasks,
   orchestrate
-} from "./chunk-SME5LJTE.js";
+} from "./chunk-4FK45WJI.js";
 import {
   BudgetManager
-} from "./chunk-AZKVGC5T.js";
+} from "./chunk-TLT6F35V.js";
 import {
   openCreditDb
-} from "./chunk-HU46M4JA.js";
+} from "./chunk-P3FDT7G5.js";
 import {
   RelayClient
-} from "./chunk-NX27AFPA.js";
+} from "./chunk-UR3MISL2.js";
 import {
   loadPeers
 } from "./chunk-3YQ73ZM6.js";
@@ -23,7 +23,7 @@ import {
 import {
   listCards,
   openDatabase
-} from "./chunk-COA2D7QM.js";
+} from "./chunk-NLQCHO7N.js";
 
 // src/cli/conduct.ts
 async function conductAction(task, opts) {

package/dist/{chunk-NQANA6WH.js → chunk-BNS76U6K.js}

@@ -7,14 +7,14 @@ import {
 import {
   getCard,
   getFeedbackForProvider
-} from "./chunk-ZU2TP7CN.js";
+} from "./chunk-PG3CLSAH.js";
 import {
   ensureAgentsTable,
   resolveCanonicalIdentity
 } from "./chunk-EE3V3DXK.js";
 import {
   AgentBnBError
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/credit/ledger.ts
 import Database from "better-sqlite3";

package/dist/{chunk-JDAFLPR7.js → chunk-BOBND3QV.js}

@@ -1,15 +1,15 @@
 import {
   syncCreditsFromRegistry
-} from "./chunk-RF4A5X5U.js";
+} from "./chunk-W5J3PEQ6.js";
 import {
   resolveTargetCapability
-} from "./chunk-2PP5MQPD.js";
+} from "./chunk-UIPGGNRC.js";
 import {
   getBalance,
   holdEscrow,
   releaseEscrow,
   settleEscrow
-} from "./chunk-HU46M4JA.js";
+} from "./chunk-P3FDT7G5.js";
 import {
   loadConfig
 } from "./chunk-3XPBFF6H.js";
@@ -17,10 +17,10 @@ import {
   getCard,
   insertRequestLog,
   updateReputation
-} from "./chunk-COA2D7QM.js";
+} from "./chunk-NLQCHO7N.js";
 import {
   AgentBnBError
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/gateway/execute.ts
 import { randomUUID } from "crypto";

package/dist/{chunk-VRPLSK34.js → chunk-D4IJQ3TK.js}

@@ -1,6 +1,6 @@
 import {
   AgentBnBError
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/discovery/mdns.ts
 import { Bonjour } from "bonjour-service";

package/dist/{chunk-4NFJ3VYZ.js → chunk-DYJ7YGBM.js}

@@ -38,7 +38,9 @@ var RelayRequestMessageSchema = z.object({
   skill_id: z.string().optional(),
   params: z.record(z.unknown()).default({}),
   requester: z.string().optional(),
-  escrow_receipt: z.record(z.unknown()).optional()
+  escrow_receipt: z.record(z.unknown()).optional(),
+  /** Optional UCAN token for capability delegation. */
+  ucan_token: z.string().optional()
 });
 var IncomingRequestMessageSchema = z.object({
   type: z.literal("incoming_request"),
@@ -48,7 +50,9 @@ var IncomingRequestMessageSchema = z.object({
   skill_id: z.string().optional(),
   params: z.record(z.unknown()).default({}),
   requester: z.string().optional(),
-  escrow_receipt: z.record(z.unknown()).optional()
+  escrow_receipt: z.record(z.unknown()).optional(),
+  /** Optional UCAN token for capability delegation. */
+  ucan_token: z.string().optional()
 });
 var RelayResponseMessageSchema = z.object({
   type: z.literal("relay_response"),

package/dist/{chunk-PIPCGRCR.js → chunk-ELFGYC22.js}

@@ -1,6 +1,6 @@
 import {
   AgentBnBError
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/cli/remote-registry.ts
 var RegistryTimeoutError = class extends AgentBnBError {

package/dist/{chunk-WTHMHNKC.js → chunk-J4RFJVXI.js}

@@ -1,6 +1,6 @@
 import {
   AgentBnBError
-} from "./chunk-I7KWA7OB.js";
+} from "./chunk-UVCNMRPS.js";
 
 // src/identity/agent-identity.ts
 var AGENTS_SCHEMA = `