agorai 0.4.4 → 0.6.0

package/README.md

@@ -75,12 +75,16 @@ Your PC / VPS
 │                                                   │
 │  ┌──────────┐ ┌───────────┐ ┌──────────────────┐ │
 │  │ Projects │ │ Convos    │ │ Shared Memory    │ │
-│  │          │ │ @mentions │ │ per-project      │ │
+│  │ + Tasks  │ │ + Whisper │ │ + Agent Memory   │ │
 │  └──────────┘ └───────────┘ └──────────────────┘ │
 │  ┌──────────┐ ┌───────────┐ ┌──────────────────┐ │
 │  │ Auth     │ │ Rate      │ │ 4-level          │ │
 │  │ (salted) │ │ limiting  │ │ visibility       │ │
 │  └──────────┘ └───────────┘ └──────────────────┘ │
+│  ┌──────────┐ ┌───────────┐ ┌──────────────────┐ │
+│  │ Capabil. │ │ Skills    │ │ 35 MCP tools     │ │
+│  │ catalog  │ │ system    │ │ + SSE push       │ │
+│  └──────────┘ └───────────┘ └──────────────────┘ │
 │                    SQLite                         │
 └────────────────────┬─────────────────────────────┘
                      │ HTTP (MCP protocol)
@@ -94,7 +98,7 @@ Your PC / VPS
 
 Two npm packages:
 
-- **`agorai`** — The bridge server. Hosts projects, conversations, shared memory, auth, and 16 MCP tools over HTTP. SQLite storage, zero external services. Can also run internal agents in the same process via `--with-agent`.
+- **`agorai`** — The bridge server. Hosts projects, conversations, shared memory, auth, and 35 MCP tools over HTTP. SQLite storage, zero external services. Can also run internal agents in the same process via `--with-agent`.
 - **`agorai-connect`** — Connects any agent to the bridge. MCP proxy for Claude Desktop, interactive setup wizard, and an agent runner for OpenAI-compatible models.
 
 ## Key features
@@ -120,6 +124,18 @@ Two npm packages:
 npx agorai debate "Redis vs Memcached for session storage?"
 ```
 
+**Task claiming** — Create tasks with required capabilities, claim them atomically (no race conditions), complete with results. Stale claims auto-release when agents go offline. Pull model — agents discover and claim work, not push.
+
+**Directed messages (whisper)** — Send private messages to specific agents with `recipients`. Only listed agents and the sender can see the message. Store-enforced — non-recipients never know the message exists. Additive to visibility: both filters apply.
+
+**Capability discovery** — Agents register capabilities on connect. `discover_capabilities` lets agents find each other by skill (`code-review`, `analysis`, `code-execution`). The foundation for intelligent task routing.
+
+**Skills system** — Progressive disclosure skills replace instructions. Skills have title, summary, instructions hint, full content, and supporting files. Agents receive only metadata (tier 1) on subscribe — load full content (tier 2) and files (tier 3) on demand. Target skills to specific agents by name or by type/capability selector. Tags for filtering. ~80-90% context savings.
+
+**Agent memory** — Private per-agent scratchpad with 3 scopes: global, per-project, and per-conversation. Each agent manages its own memory — invisible to other agents. Conversation memory auto-cleans on unsubscribe.
+
+**Message tags** — Tag messages with metadata (`review`, `urgent`, `decision`) and filter by tags or sender in `get_messages`. Structured message types (`proposal`, `decision`) enable formal conversation protocols.
+
 **Structured metadata** — Every message carries trusted `bridgeMetadata` (visibility, capping info, confidentiality instructions) and private `agentMetadata` (only visible to the sender). Agents can't forge bridge data.
 
 **Security** — Salted HMAC-SHA-256 API key hashing, per-agent rate limiting, input size limits on all fields, visibility-capped writes. Everything localhost by default.
@@ -140,15 +156,16 @@ docker run -v ./agorai.config.json:/app/agorai.config.json -p 3100:3100 agorai/b
 
 | Version | Focus |
 |---------|-------|
-| **v0.2** | **Bridge — shared workspace, visibility, auth, 16 MCP tools** |
+| **v0.2** | **Bridge — shared workspace, visibility, auth, MCP tools** |
 | v0.2.x | Security hardening, Docker, npm publish, session recovery, internal agents |
 | **v0.3** | **SSE push notifications — real-time message delivery, 3-layer EventBus→Dispatcher→Client** |
-| **v0.4** | **Metadata overhaul — bridgeMetadata/agentMetadata, confidentiality modes, high-water marks** |
-| v0.4.x | Strict mode enforcement, discovery rules, access control |
-| v0.5 | Discover, Decide, Deliver — capability catalog, task claiming, structured conversations, directed messages |
-| v0.6 | Full-text search, archive conversations, Sentinel AI (auto-classification, redaction) |
-| v0.7 | Web dashboard, human participants, A2A protocol support |
-| v0.8+ | Enterprise — OAuth/JWT, RBAC, audit trail |
+| **v0.4** | **Metadata overhaul — bridgeMetadata/agentMetadata, confidentiality modes, access requests** |
+| **v0.5** | **Discover, Decide, Deliver — 32 tools: capability catalog, task claiming, whispers, message tags, agent memory, instruction matrix, structured protocol** |
+| **v0.6** | **Skills system — progressive disclosure (3-tier), agent targeting, skill files, replaces instruction matrix. 35 tools** |
+| v0.7 | Task dependencies, explicit project access control, full-text search, conversation templates |
+| v0.8 | Orchestrator agent, Sentinel AI, debate engine via bridge |
+| v0.9 | Web dashboard, human participants, A2A protocol support |
+| v1.0+ | Enterprise — OAuth/JWT, RBAC, audit trail, SaaS |
 
 ## Positioning
 
@@ -160,6 +177,9 @@ Agorai is **not** another agent framework. It's infrastructure — the collabora
 | Protocol | MCP (open standard) | Custom | Custom | Custom |
 | Models | Any (BYOM) | OpenAI-focused | OpenAI-focused | LangChain |
 | Visibility | 4-level, store-enforced | None | None | None |
+| Task claiming | Atomic, capability-based | Role assignment | None | DAG nodes |
+| Agent memory | Private per-agent, 3 scopes | Shared only | Shared only | None |
+| Directed messages | Whisper (recipients) | None | None | None |
 | Debate/consensus | Built-in | None | Basic | None |
 | Local-first | Yes | Cloud-centric | Cloud-centric | Cloud-centric |
 

package/dist/bridge/server.d.ts

@@ -1,7 +1,7 @@
 /**
  * Bridge HTTP server — Streamable HTTP transport for the MCP bridge.
  *
- * Exposes 16 bridge tools + debate tools over HTTP.
+ * Exposes 35 bridge tools + debate tools over HTTP.
  * Auth is handled via API key in Authorization header.
  * Each request is authenticated before being passed to the MCP handler.
  */

package/dist/bridge/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/bridge/server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAc,MAAM,WAAW,CAAC;AAC3D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AA2F3C,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;CAChB;AAgeD,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC;IAC1E,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B,CAAC,CAmLD"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/bridge/server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAc,MAAM,WAAW,CAAC;AAC3D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AA2G3C,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;CAChB;AA+6BD,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC;IAC1E,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B,CAAC,CAqLD"}

package/dist/bridge/server.js

@@ -1,7 +1,7 @@
 /**
  * Bridge HTTP server — Streamable HTTP transport for the MCP bridge.
  *
- * Exposes 16 bridge tools + debate tools over HTTP.
+ * Exposes 35 bridge tools + debate tools over HTTP.
  * Auth is handled via API key in Authorization header.
  * Each request is authenticated before being passed to the MCP handler.
  */
@@ -16,7 +16,7 @@ import { fileURLToPath } from "node:url";
 import { resolve, dirname } from "node:path";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PKG_VERSION = JSON.parse(readFileSync(resolve(__dirname, "../../package.json"), "utf-8")).version;
-import { RegisterAgentSchema, ListBridgeAgentsSchema, CreateProjectSchema, ListProjectsSchema, SetMemorySchema, GetMemorySchema, DeleteMemorySchema, CreateConversationSchema, ListConversationsSchema, SubscribeSchema, UnsubscribeSchema, SendMessageSchema, GetMessagesSchema, GetStatusSchema, MarkReadSchema, ListSubscribersSchema, ListAccessRequestsSchema, RespondToAccessRequestSchema, GetMyAccessRequestsSchema, } from "./tools.js";
+import { RegisterAgentSchema, ListBridgeAgentsSchema, DiscoverCapabilitiesSchema, CreateProjectSchema, ListProjectsSchema, SetMemorySchema, GetMemorySchema, DeleteMemorySchema, CreateConversationSchema, ListConversationsSchema, SubscribeSchema, UnsubscribeSchema, SendMessageSchema, GetMessagesSchema, GetStatusSchema, MarkReadSchema, ListSubscribersSchema, ListAccessRequestsSchema, RespondToAccessRequestSchema, GetMyAccessRequestsSchema, CreateTaskSchema, ListTasksSchema, ClaimTaskSchema, CompleteTaskSchema, ReleaseTaskSchema, UpdateTaskSchema, SetSkillSchema, ListSkillsSchema, GetSkillSchema, DeleteSkillSchema, SetSkillFileSchema, GetSkillFileSchema, SetAgentMemorySchema, GetAgentMemorySchema, DeleteAgentMemorySchema, } from "./tools.js";
 const log = createLogger("bridge");
 /** Per-session context: maps transport sessionId → agent auth. */
 const sessionAuth = new Map();
@@ -98,6 +98,13 @@ function createBridgeMcpServer(store, agentId) {
             "If you try to subscribe to a conversation you don't have access to, an access request is created automatically.",
             "Subscribers of that conversation can approve or deny your request via list_access_requests + respond_to_access_request.",
             "Check your request status with get_my_access_requests.",
+            "",
+            "IMPORTANT — Skills system (progressive disclosure):",
+            "Skills provide behavioral instructions and context. They use 3-tier progressive disclosure to save context:",
+            "- Tier 1 (metadata): When you subscribe, you receive skill metadata (title, summary, instructions, tags) — NOT the full content.",
+            "- Tier 2 (content): Call get_skill(skill_id) to load the full content of a skill you need.",
+            "- Tier 3 (files): Call get_skill_file(skill_id, filename) to load supporting files attached to a skill.",
+            "Only load tier 2/3 when you actually need the detail. The summary and instructions fields give you enough to decide.",
         ].join("\n"),
     });
     // --- Agent tools ---
@@ -137,6 +144,17 @@ function createBridgeMcpServer(store, agentId) {
         const safe = filtered.map(({ apiKeyHash: _, ...rest }) => rest);
         return { content: [{ type: "text", text: JSON.stringify(safe, null, 2) }] };
     });
+    server.tool("discover_capabilities", "Find agents by capability. Without a filter, returns all agents and their capabilities.", DiscoverCapabilitiesSchema.shape, async (args) => {
+        let agents;
+        if (args.capability) {
+            agents = await store.findAgentsByCapability(args.capability);
+        }
+        else {
+            agents = await store.listAgents();
+        }
+        const safe = agents.map(({ apiKeyHash: _, ...rest }) => rest);
+        return { content: [{ type: "text", text: JSON.stringify(safe, null, 2) }] };
+    });
     // --- Project tools ---
     server.tool("create_project", "Create a new project", CreateProjectSchema.shape, async (args) => {
         const project = await store.createProject({
@@ -203,9 +221,20 @@ function createBridgeMcpServer(store, agentId) {
             defaultVisibility: args.default_visibility,
             createdBy: agentId,
         });
-        // Auto-subscribe the creator
+        // Auto-subscribe the creator and include skills metadata
         await store.subscribe(conv.id, agentId);
-        return { content: [{ type: "text", text: JSON.stringify(conv, null, 2) }] };
+        const agent = await store.getAgent(agentId);
+        const matchingSkills = agent
+            ? await store.getMatchingSkills({ name: agent.name, type: agent.type, capabilities: agent.capabilities }, conv.id)
+            : [];
+        return { content: [{ type: "text", text: JSON.stringify({
+                        ...conv,
+                        skills: matchingSkills.map((s) => ({
+                            id: s.id, title: s.title, summary: s.summary,
+                            instructions: s.instructions, tags: s.tags,
+                            scope: s.scope, agents: s.agents, files: s.files,
+                        })),
+                    }, null, 2) }] };
     });
     server.tool("list_conversations", "List conversations in a project", ListConversationsSchema.shape, async (args) => {
         let conversations = await store.listConversations(args.project_id, agentId);
@@ -215,10 +244,23 @@ function createBridgeMcpServer(store, agentId) {
         return { content: [{ type: "text", text: JSON.stringify(conversations, null, 2) }] };
     });
     server.tool("subscribe", "Subscribe to a conversation. If you don't have access, an access request is created automatically — existing subscribers can approve it.", SubscribeSchema.shape, async (args) => {
-        // Check if already subscribed
+        // If already subscribed, return current skills metadata (not an error)
         const alreadySubscribed = await store.isSubscribed(args.conversation_id, agentId);
         if (alreadySubscribed) {
-            return { content: [{ type: "text", text: JSON.stringify({ error: "Already subscribed to this conversation" }) }] };
+            const agent = await store.getAgent(agentId);
+            const matchingSkills = agent
+                ? await store.getMatchingSkills({ name: agent.name, type: agent.type, capabilities: agent.capabilities }, args.conversation_id)
+                : [];
+            return { content: [{ type: "text", text: JSON.stringify({
+                            subscribed: true,
+                            already_subscribed: true,
+                            conversation_id: args.conversation_id,
+                            skills: matchingSkills.map((s) => ({
+                                id: s.id, title: s.title, summary: s.summary,
+                                instructions: s.instructions, tags: s.tags,
+                                scope: s.scope, agents: s.agents, files: s.files,
+                            })),
+                        }) }] };
         }
         // Verify conversation exists and caller can access its project
         const conv = await store.getConversation(args.conversation_id);
@@ -230,7 +272,25 @@ function createBridgeMcpServer(store, agentId) {
             await store.subscribe(args.conversation_id, agentId, {
                 historyAccess: args.history_access,
             });
-            return { content: [{ type: "text", text: JSON.stringify({ subscribed: true, conversation_id: args.conversation_id }) }] };
+            // Include matching skill metadata in subscribe response (progressive disclosure: tier 1 only)
+            const agent = await store.getAgent(agentId);
+            const matchingSkills = agent
+                ? await store.getMatchingSkills({ name: agent.name, type: agent.type, capabilities: agent.capabilities }, args.conversation_id)
+                : [];
+            return { content: [{ type: "text", text: JSON.stringify({
+                            subscribed: true,
+                            conversation_id: args.conversation_id,
+                            skills: matchingSkills.map((s) => ({
+                                id: s.id,
+                                title: s.title,
+                                summary: s.summary,
+                                instructions: s.instructions,
+                                tags: s.tags,
+                                scope: s.scope,
+                                agents: s.agents,
+                                files: s.files,
+                            })),
+                        }) }] };
         }
         // No project access — fallback to access request
         // NOTE: Currently triggered by clearance < project visibility. In v0.6, access control
@@ -280,12 +340,30 @@ function createBridgeMcpServer(store, agentId) {
         const subscribed = await store.isSubscribed(args.conversation_id, agentId);
         if (!subscribed)
             return ACCESS_DENIED;
+        // Validate @mentions in whispers: mentioned agents must be in recipients list
+        if (args.recipients && args.recipients.length > 0) {
+            const allAgents = await store.listAgents();
+            const agentNameMap = new Map(allAgents.map((a) => [a.name.toLowerCase(), a.id]));
+            const mentionPattern = /@([\w-]+)/g;
+            let match;
+            while ((match = mentionPattern.exec(args.content)) !== null) {
+                const mentionedName = match[1].toLowerCase();
+                const mentionedId = agentNameMap.get(mentionedName);
+                if (mentionedId && mentionedId !== agentId && !args.recipients.includes(mentionedId)) {
+                    return { content: [{ type: "text", text: JSON.stringify({
+                                    error: `@${match[1]} is mentioned but not in recipients — they won't see this whisper. Add them to recipients or remove the @mention.`,
+                                }) }] };
+                }
+            }
+        }
         const message = await store.sendMessage({
             conversationId: args.conversation_id,
             fromAgent: agentId,
             type: args.type,
             visibility: args.visibility,
             content: args.content,
+            tags: args.tags,
+            recipients: args.recipients,
             metadata: args.metadata,
         });
         // Response: include bridgeMetadata + agentMetadata (sender sees their own), exclude deprecated metadata
@@ -301,6 +379,8 @@ function createBridgeMcpServer(store, agentId) {
             since: args.since,
             unreadOnly: args.unread_only,
             limit: args.limit,
+            tags: args.tags,
+            fromAgent: args.from_agent,
         });
         // Shape response: strip agentMetadata for non-sender, exclude deprecated metadata
         const shaped = messages.map((msg) => {
@@ -312,6 +392,272 @@ function createBridgeMcpServer(store, agentId) {
         });
         return { content: [{ type: "text", text: JSON.stringify(shaped, null, 2) }] };
     });
+    // --- Task tools ---
+    server.tool("create_task", "Create a task in a project. Other agents can discover and claim it.", CreateTaskSchema.shape, async (args) => {
+        const project = await store.getProject(args.project_id, agentId);
+        if (!project)
+            return ACCESS_DENIED;
+        const task = await store.createTask({
+            projectId: args.project_id,
+            conversationId: args.conversation_id,
+            title: args.title,
+            description: args.description,
+            requiredCapabilities: args.required_capabilities,
+            createdBy: agentId,
+        });
+        return { content: [{ type: "text", text: JSON.stringify(task, null, 2) }] };
+    });
+    server.tool("list_tasks", "List tasks in a project, optionally filtered by status, capability, or claiming agent", ListTasksSchema.shape, async (args) => {
+        const tasks = await store.listTasks(args.project_id, agentId, {
+            status: args.status,
+            claimedBy: args.claimed_by,
+            capability: args.capability,
+        });
+        return { content: [{ type: "text", text: JSON.stringify(tasks, null, 2) }] };
+    });
+    server.tool("claim_task", "Claim an open task. Atomic — only one agent can claim a task at a time.", ClaimTaskSchema.shape, async (args) => {
+        const task = await store.claimTask(args.task_id, agentId);
+        if (!task) {
+            return { content: [{ type: "text", text: JSON.stringify({ error: "Task not available — it may already be claimed or does not exist" }) }] };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(task, null, 2) }] };
+    });
+    server.tool("complete_task", "Mark a claimed task as completed with an optional result", CompleteTaskSchema.shape, async (args) => {
+        const task = await store.completeTask(args.task_id, agentId, args.result);
+        if (!task) {
+            return { content: [{ type: "text", text: JSON.stringify({ error: "Cannot complete — task is not claimed by you or does not exist" }) }] };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(task, null, 2) }] };
+    });
+    server.tool("release_task", "Release a claimed task back to open so another agent can claim it", ReleaseTaskSchema.shape, async (args) => {
+        const task = await store.releaseTask(args.task_id, agentId);
+        if (!task) {
+            return { content: [{ type: "text", text: JSON.stringify({ error: "Cannot release — task is not claimed or you lack permission" }) }] };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(task, null, 2) }] };
+    });
+    server.tool("update_task", "Update a task you created (title, description, or status). Only the creator can update.", UpdateTaskSchema.shape, async (args) => {
+        const task = await store.updateTask(args.task_id, agentId, {
+            title: args.title,
+            description: args.description,
+            status: args.status,
+        });
+        if (!task) {
+            return { content: [{ type: "text", text: JSON.stringify({ error: "Cannot update — task not found or you are not the creator" }) }] };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(task, null, 2) }] };
+    });
+    // --- Skill tools ---
+    server.tool("set_skill", "Create or update a skill in a scope. Creator can always create/edit. Listed agents (in agents[]) can edit existing skills. Use selector and agents[] to target specific agents.", SetSkillSchema.shape, async (args) => {
+        let scope = "bridge";
+        let scopeId;
+        if (args.conversation_id) {
+            scope = "conversation";
+            scopeId = args.conversation_id;
+            const conv = await store.getConversation(args.conversation_id);
+            if (!conv)
+                return ACCESS_DENIED;
+            // Creator can always set. Listed agents can edit existing.
+            if (conv.createdBy !== agentId) {
+                // Check if caller is a listed agent on an existing skill with this title
+                const existing = (await store.listSkills("conversation", args.conversation_id)).find((s) => s.title === args.title);
+                if (!existing) {
+                    return { content: [{ type: "text", text: JSON.stringify({ error: "Only the conversation creator can create new skills" }) }] };
+                }
+                const agent = await store.getAgent(agentId);
+                const agentName = agent?.name ?? "";
+                if (!existing.agents.some((a) => a.toLowerCase() === agentName.toLowerCase())) {
+                    return { content: [{ type: "text", text: JSON.stringify({ error: "Only the creator or listed agents can edit this skill" }) }] };
+                }
+            }
+        }
+        else if (args.project_id) {
+            scope = "project";
+            scopeId = args.project_id;
+            const project = await store.getProject(args.project_id, agentId);
+            if (!project)
+                return ACCESS_DENIED;
+            if (project.createdBy !== agentId) {
+                const existing = (await store.listSkills("project", args.project_id)).find((s) => s.title === args.title);
+                if (!existing) {
+                    return { content: [{ type: "text", text: JSON.stringify({ error: "Only the project creator can create new skills" }) }] };
+                }
+                const agent = await store.getAgent(agentId);
+                const agentName = agent?.name ?? "";
+                if (!existing.agents.some((a) => a.toLowerCase() === agentName.toLowerCase())) {
+                    return { content: [{ type: "text", text: JSON.stringify({ error: "Only the creator or listed agents can edit this skill" }) }] };
+                }
+            }
+        }
+        else {
+            return { content: [{ type: "text", text: JSON.stringify({ error: "Bridge-level skills cannot be set via MCP. Provide project_id or conversation_id." }) }] };
+        }
+        const skill = await store.setSkill({
+            scope,
+            scopeId,
+            title: args.title,
+            summary: args.summary,
+            instructions: args.instructions,
+            selector: args.selector,
+            agents: args.agents,
+            tags: args.tags,
+            content: args.content,
+            createdBy: agentId,
+        });
+        return { content: [{ type: "text", text: JSON.stringify(skill, null, 2) }] };
+    });
+    server.tool("list_skills", "List skills for a scope (returns metadata only — no content). No params = bridge-level. With project_id = project-level. With conversation_id = conversation-level.", ListSkillsSchema.shape, async (args) => {
+        let scope = "bridge";
+        let scopeId;
+        if (args.conversation_id) {
+            scope = "conversation";
+            scopeId = args.conversation_id;
+            const subscribed = await store.isSubscribed(args.conversation_id, agentId);
+            if (!subscribed)
+                return ACCESS_DENIED;
+        }
+        else if (args.project_id) {
+            scope = "project";
+            scopeId = args.project_id;
+            const project = await store.getProject(args.project_id, agentId);
+            if (!project)
+                return ACCESS_DENIED;
+        }
+        const skills = await store.listSkills(scope, scopeId, { tags: args.tags });
+        // Filter by agent visibility
+        const agent = await store.getAgent(agentId);
+        const agentName = agent?.name ?? "";
+        const visible = skills.filter((s) => {
+            if (s.agents.length === 0)
+                return true;
+            return s.agents.some((a) => a.toLowerCase() === agentName.toLowerCase());
+        });
+        // Return metadata only (progressive disclosure tier 1)
+        const metadata = visible.map(({ content: _, ...rest }) => rest);
+        return { content: [{ type: "text", text: JSON.stringify(metadata, null, 2) }] };
+    });
+    server.tool("get_skill", "Get a skill's full content by ID (progressive disclosure tier 2). Returns content + file list.", GetSkillSchema.shape, async (args) => {
+        const skill = await store.getSkill(args.skill_id);
+        if (!skill)
+            return ACCESS_DENIED;
+        // Check agent visibility (agents[] + selector)
+        const agent = await store.getAgent(agentId);
+        if (agent && skill.agents.length > 0) {
+            if (!skill.agents.some((a) => a.toLowerCase() === agent.name.toLowerCase())) {
+                return ACCESS_DENIED;
+            }
+        }
+        if (agent && skill.selector) {
+            if (skill.selector.type && skill.selector.type.toLowerCase() !== agent.type.toLowerCase())
+                return ACCESS_DENIED;
+            if (skill.selector.capability && !agent.capabilities.some((c) => c.toLowerCase() === skill.selector.capability.toLowerCase()))
+                return ACCESS_DENIED;
+        }
+        return { content: [{ type: "text", text: JSON.stringify(skill, null, 2) }] };
+    });
+    server.tool("delete_skill", "Delete a skill by ID. Creator or listed agents can delete.", DeleteSkillSchema.shape, async (args) => {
+        const skill = await store.getSkill(args.skill_id);
+        if (!skill)
+            return ACCESS_DENIED;
+        // Authorization: creator OR listed agent
+        if (skill.createdBy !== agentId) {
+            const agent = await store.getAgent(agentId);
+            const agentName = agent?.name ?? "";
+            if (!skill.agents.some((a) => a.toLowerCase() === agentName.toLowerCase())) {
+                return { content: [{ type: "text", text: JSON.stringify({ error: "Only the creator or listed agents can delete this skill" }) }] };
+            }
+        }
+        const deleted = await store.deleteSkill(args.skill_id);
+        return { content: [{ type: "text", text: JSON.stringify({ deleted }) }] };
+    });
+    // --- Skill File tools ---
+    server.tool("set_skill_file", "Add or update a file attached to a skill. Creator or listed agents can manage files.", SetSkillFileSchema.shape, async (args) => {
+        const skill = await store.getSkill(args.skill_id);
+        if (!skill)
+            return ACCESS_DENIED;
+        // Authorization: creator OR listed agent
+        if (skill.createdBy !== agentId) {
+            const agent = await store.getAgent(agentId);
+            const agentName = agent?.name ?? "";
+            if (!skill.agents.some((a) => a.toLowerCase() === agentName.toLowerCase())) {
+                return { content: [{ type: "text", text: JSON.stringify({ error: "Only the creator or listed agents can manage skill files" }) }] };
+            }
+        }
+        const file = await store.setSkillFile(args.skill_id, args.filename, args.content);
+        return { content: [{ type: "text", text: JSON.stringify(file, null, 2) }] };
+    });
+    server.tool("get_skill_file", "Get a file attached to a skill (progressive disclosure tier 3).", GetSkillFileSchema.shape, async (args) => {
+        // Check parent skill visibility first
+        const skill = await store.getSkill(args.skill_id);
+        if (!skill)
+            return ACCESS_DENIED;
+        const agent = await store.getAgent(agentId);
+        if (agent && skill.agents.length > 0) {
+            if (!skill.agents.some((a) => a.toLowerCase() === agent.name.toLowerCase())) {
+                return ACCESS_DENIED;
+            }
+        }
+        const file = await store.getSkillFile(args.skill_id, args.filename);
+        if (!file) {
+            return { content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }] };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(file, null, 2) }] };
+    });
+    // --- Agent Memory tools ---
+    server.tool("set_agent_memory", "Save private memory for yourself. No scope = global. With project_id = per-project. With conversation_id = per-conversation. Content overwrites previous.", SetAgentMemorySchema.shape, async (args) => {
+        let scope = "global";
+        let scopeId;
+        if (args.conversation_id) {
+            scope = "conversation";
+            scopeId = args.conversation_id;
+            // Verify subscribed to the conversation
+            const subscribed = await store.isSubscribed(args.conversation_id, agentId);
+            if (!subscribed)
+                return ACCESS_DENIED;
+        }
+        else if (args.project_id) {
+            scope = "project";
+            scopeId = args.project_id;
+            // Verify project access
+            const project = await store.getProject(args.project_id, agentId);
+            if (!project)
+                return ACCESS_DENIED;
+        }
+        const mem = await store.setAgentMemory(agentId, scope, args.content, scopeId);
+        return { content: [{ type: "text", text: JSON.stringify(mem, null, 2) }] };
+    });
+    server.tool("get_agent_memory", "Read your private memory. No scope = global. With project_id = per-project. With conversation_id = per-conversation.", GetAgentMemorySchema.shape, async (args) => {
+        let scope = "global";
+        let scopeId;
+        if (args.conversation_id) {
+            scope = "conversation";
+            scopeId = args.conversation_id;
+        }
+        else if (args.project_id) {
+            scope = "project";
+            scopeId = args.project_id;
+        }
+        const mem = await store.getAgentMemory(agentId, scope, scopeId);
+        if (!mem) {
+            return { content: [{ type: "text", text: JSON.stringify({ content: null, scope }) }] };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(mem, null, 2) }] };
+    });
+    server.tool("delete_agent_memory", "Delete your private memory for a scope. No scope = global. With project_id = per-project. With conversation_id = per-conversation.", DeleteAgentMemorySchema.shape, async (args) => {
+        let scope = "global";
+        let scopeId;
+        if (args.conversation_id) {
+            scope = "conversation";
+            scopeId = args.conversation_id;
+        }
+        else if (args.project_id) {
+            scope = "project";
+            scopeId = args.project_id;
+        }
+        const deleted = await store.deleteAgentMemory(agentId, scope, scopeId);
+        return { content: [{ type: "text", text: JSON.stringify({ deleted, scope }) }] };
+    });
+    // --- Status tools ---
     server.tool("get_status", "Get a summary: projects, active conversations, unread messages, online agents", GetStatusSchema.shape, async () => {
         const [projects, agents, unreadCount] = await Promise.all([
             store.listProjects(agentId),
@@ -535,6 +881,8 @@ export async function startBridgeServer(opts) {
             if (eventBusListeners && store.eventBus) {
                 store.eventBus.offMessage(eventBusListeners.messageListener);
                 store.eventBus.offAccessRequest(eventBusListeners.accessRequestListener);
+                store.eventBus.offTaskCreated(eventBusListeners.taskCreatedListener);
+                store.eventBus.offTaskUpdated(eventBusListeners.taskUpdatedListener);
             }
             // Close all active transports (best-effort — some may already be closed)
             for (const transport of transports.values()) {
@@ -587,10 +935,22 @@ function setupSSEDispatch(store) {
             log.error(`SSE access-request dispatch error: ${err instanceof Error ? err.message : String(err)}`);
         });
     };
+    const taskCreatedListener = (event) => {
+        dispatchTaskNotification(event.task, "created").catch((err) => {
+            log.error(`SSE task dispatch error: ${err instanceof Error ? err.message : String(err)}`);
+        });
+    };
+    const taskUpdatedListener = (event) => {
+        dispatchTaskNotification(event.task, event.action).catch((err) => {
+            log.error(`SSE task dispatch error: ${err instanceof Error ? err.message : String(err)}`);
+        });
+    };
     store.eventBus.onMessage(messageListener);
     store.eventBus.onAccessRequest(accessRequestListener);
+    store.eventBus.onTaskCreated(taskCreatedListener);
+    store.eventBus.onTaskUpdated(taskUpdatedListener);
     log.info("SSE push notifications enabled");
-    return { messageListener, accessRequestListener };
+    return { messageListener, accessRequestListener, taskCreatedListener, taskUpdatedListener };
 }
 async function dispatchMessageNotification(store, event) {
     const { message } = event;
@@ -630,6 +990,9 @@ async function dispatchMessageNotification(store, event) {
         const agentVisInt = VISIBILITY_ORDER[agent.clearanceLevel];
         if (agentVisInt < messageVisInt)
             continue;
+        // Whisper gate: if message has recipients, agent must be in the list
+        if (message.recipients && !message.recipients.includes(sub.agentId))
+            continue;
         // Find all active sessions for this agent and push notification
         const sessions = agentSessions.get(sub.agentId);
         if (!sessions)
@@ -680,4 +1043,35 @@ async function dispatchAccessRequestNotification(store, event) {
         }
     }
 }
+async function dispatchTaskNotification(task, action) {
+    const notification = {
+        jsonrpc: "2.0",
+        method: "notifications/task",
+        params: {
+            taskId: task.id,
+            projectId: task.projectId,
+            conversationId: task.conversationId,
+            title: task.title,
+            status: task.status,
+            action,
+            createdBy: task.createdBy,
+            claimedBy: task.claimedBy,
+            updatedAt: task.updatedAt,
+        },
+    };
+    // Project-level notification: push to all agents with active sessions
+    for (const [, sessions] of agentSessions) {
+        for (const sessionId of sessions) {
+            const transport = transports.get(sessionId);
+            if (!transport)
+                continue;
+            try {
+                await transport.send(notification);
+            }
+            catch {
+                log.debug(`SSE task send failed for session ${sessionId}`);
+            }
+        }
+    }
+}
 //# sourceMappingURL=server.js.map