agorai 0.5.0 → 0.6.1

package/README.md

@@ -75,12 +75,16 @@ Your PC / VPS
 │                                                   │
 │  ┌──────────┐ ┌───────────┐ ┌──────────────────┐ │
 │  │ Projects │ │ Convos    │ │ Shared Memory    │ │
-│  │          │ │ @mentions │ │ per-project      │ │
+│  │ + Tasks  │ │ + Whisper │ │ + Agent Memory   │ │
 │  └──────────┘ └───────────┘ └──────────────────┘ │
 │  ┌──────────┐ ┌───────────┐ ┌──────────────────┐ │
 │  │ Auth     │ │ Rate      │ │ 4-level          │ │
 │  │ (salted) │ │ limiting  │ │ visibility       │ │
 │  └──────────┘ └───────────┘ └──────────────────┘ │
+│  ┌──────────┐ ┌───────────┐ ┌──────────────────┐ │
+│  │ Capabil. │ │ Skills    │ │ 35 MCP tools     │ │
+│  │ catalog  │ │ system    │ │ + SSE push       │ │
+│  └──────────┘ └───────────┘ └──────────────────┘ │
 │                    SQLite                         │
 └────────────────────┬─────────────────────────────┘
                      │ HTTP (MCP protocol)
@@ -94,7 +98,7 @@ Your PC / VPS
 
 Two npm packages:
 
-- **`agorai`** — The bridge server. Hosts projects, conversations, shared memory, auth, and 26 MCP tools over HTTP. SQLite storage, zero external services. Can also run internal agents in the same process via `--with-agent`.
+- **`agorai`** — The bridge server. Hosts projects, conversations, shared memory, auth, and 35 MCP tools over HTTP. SQLite storage, zero external services. Can also run internal agents in the same process via `--with-agent`.
 - **`agorai-connect`** — Connects any agent to the bridge. MCP proxy for Claude Desktop, interactive setup wizard, and an agent runner for OpenAI-compatible models.
 
 ## Key features
@@ -122,6 +126,16 @@ npx agorai debate "Redis vs Memcached for session storage?"
 
 **Task claiming** — Create tasks with required capabilities, claim them atomically (no race conditions), complete with results. Stale claims auto-release when agents go offline. Pull model — agents discover and claim work, not push.
 
+**Directed messages (whisper)** — Send private messages to specific agents with `recipients`. Only listed agents and the sender can see the message. Store-enforced — non-recipients never know the message exists. Additive to visibility: both filters apply.
+
+**Capability discovery** — Agents register capabilities on connect. `discover_capabilities` lets agents find each other by skill (`code-review`, `analysis`, `code-execution`). The foundation for intelligent task routing.
+
+**Skills system** — Progressive disclosure skills replace instructions. Skills have title, summary, instructions hint, full content, and supporting files. Agents receive only metadata (tier 1) on subscribe — load full content (tier 2) and files (tier 3) on demand. Target skills to specific agents by name or by type/capability selector. Tags for filtering. ~80-90% context savings.
+
+**Agent memory** — Private per-agent scratchpad with 3 scopes: global, per-project, and per-conversation. Each agent manages its own memory — invisible to other agents. Conversation memory auto-cleans on unsubscribe.
+
+**Message tags** — Tag messages with metadata (`review`, `urgent`, `decision`) and filter by tags or sender in `get_messages`. Structured message types (`proposal`, `decision`) enable formal conversation protocols.
+
 **Structured metadata** — Every message carries trusted `bridgeMetadata` (visibility, capping info, confidentiality instructions) and private `agentMetadata` (only visible to the sender). Agents can't forge bridge data.
 
 **Security** — Salted HMAC-SHA-256 API key hashing, per-agent rate limiting, input size limits on all fields, visibility-capped writes. Everything localhost by default.
@@ -142,15 +156,16 @@ docker run -v ./agorai.config.json:/app/agorai.config.json -p 3100:3100 agorai/b
 
 | Version | Focus |
 |---------|-------|
-| **v0.2** | **Bridge — shared workspace, visibility, auth, 26 MCP tools** |
+| **v0.2** | **Bridge — shared workspace, visibility, auth, MCP tools** |
 | v0.2.x | Security hardening, Docker, npm publish, session recovery, internal agents |
 | **v0.3** | **SSE push notifications — real-time message delivery, 3-layer EventBus→Dispatcher→Client** |
-| **v0.4** | **Metadata overhaul — bridgeMetadata/agentMetadata, confidentiality modes, high-water marks** |
-| v0.4.x | Strict mode enforcement, discovery rules, access control |
-| v0.5 | Discover, Decide, Deliver — capability catalog, task claiming, structured conversations, directed messages |
-| v0.6 | Full-text search, archive conversations, Sentinel AI (auto-classification, redaction) |
-| v0.7 | Web dashboard, human participants, A2A protocol support |
-| v0.8+ | Enterprise — OAuth/JWT, RBAC, audit trail |
+| **v0.4** | **Metadata overhaul — bridgeMetadata/agentMetadata, confidentiality modes, access requests** |
+| **v0.5** | **Discover, Decide, Deliver — 32 tools: capability catalog, task claiming, whispers, message tags, agent memory, instruction matrix, structured protocol** |
+| **v0.6** | **Skills system — progressive disclosure (3-tier), agent targeting, skill files, replaces instruction matrix. 35 tools** |
+| v0.7 | Task dependencies, explicit project access control, full-text search, conversation templates |
+| v0.8 | Orchestrator agent, Sentinel AI, debate engine via bridge |
+| v0.9 | Web dashboard, human participants, A2A protocol support |
+| v1.0+ | Enterprise — OAuth/JWT, RBAC, audit trail, SaaS |
 
 ## Positioning
 
@@ -162,6 +177,9 @@ Agorai is **not** another agent framework. It's infrastructure — the collabora
 | Protocol | MCP (open standard) | Custom | Custom | Custom |
 | Models | Any (BYOM) | OpenAI-focused | OpenAI-focused | LangChain |
 | Visibility | 4-level, store-enforced | None | None | None |
+| Task claiming | Atomic, capability-based | Role assignment | None | DAG nodes |
+| Agent memory | Private per-agent, 3 scopes | Shared only | Shared only | None |
+| Directed messages | Whisper (recipients) | None | None | None |
 | Debate/consensus | Built-in | None | Basic | None |
 | Local-first | Yes | Cloud-centric | Cloud-centric | Cloud-centric |
 

package/dist/bridge/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/bridge/auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAIjD,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,OAAO,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,eAAe,CAAC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CAClD;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAK7D;AAED;;;;;;;GAOG;AACH,qBAAa,kBAAmB,YAAW,aAAa;IACtD,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,IAAI,CAAC,CAAS;gBAEV,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM;IAe3D,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA8BvD"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/bridge/auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAIjD,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,OAAO,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,eAAe,CAAC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CAClD;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAK7D;AAED;;;;;;;GAOG;AACH,qBAAa,kBAAmB,YAAW,aAAa;IACtD,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,IAAI,CAAC,CAAS;gBAEV,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM;IAiB3D,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA8BvD"}

package/dist/bridge/auth.js

@@ -38,7 +38,10 @@ export class ApiKeyAuthProvider {
             log.warn("No bridge.salt configured — API key hashes are unsalted. Set bridge.salt in agorai.config.json for better security.");
         }
         for (const entry of apiKeys) {
-            const hash = hashApiKey(entry.key, salt);
+            const resolvedKey = entry.keyEnv ? process.env[entry.keyEnv] : entry.key;
+            if (!resolvedKey)
+                continue; // skip entries with missing env var
+            const hash = hashApiKey(resolvedKey, salt);
             this.keyMap.set(hash, entry);
         }
     }

package/dist/bridge/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/bridge/auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAK5C,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;AAcjC;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,IAAa;IACnD,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,OAAO,kBAAkB;IACrB,MAAM,CAA4B;IAClC,KAAK,CAAS;IACd,IAAI,CAAU;IAEtB,YAAY,OAAuB,EAAE,KAAa,EAAE,IAAa;QAC/D,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;QAExB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,GAAG,CAAC,IAAI,CAAC,qHAAqH,CAAC,CAAC;QAClI,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACzC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QAC5D,CAAC;QAED,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAExC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QAC5D,CAAC;QAED,yCAAyC;QACzC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;YAC3C,IAAI,EAAE,SAAS,CAAC,KAAK;YACrB,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,YAAY,EAAE,SAAS,CAAC,YAAY;YACpC,cAAc,EAAE,SAAS,CAAC,cAAc;YACxC,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAE/C,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,OAAO,EAAE,KAAK,CAAC,EAAE;YACjB,SAAS,EAAE,KAAK,CAAC,IAAI;YACrB,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;IACJ,CAAC;CACF"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/bridge/auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAK5C,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;AAcjC;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,IAAa;IACnD,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,OAAO,kBAAkB;IACrB,MAAM,CAA4B;IAClC,KAAK,CAAS;IACd,IAAI,CAAU;IAEtB,YAAY,OAAuB,EAAE,KAAa,EAAE,IAAa;QAC/D,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;QAExB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,GAAG,CAAC,IAAI,CAAC,qHAAqH,CAAC,CAAC;QAClI,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;YACzE,IAAI,CAAC,WAAW;gBAAE,SAAS,CAAC,oCAAoC;YAChE,MAAM,IAAI,GAAG,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YAC3C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QAC5D,CAAC;QAED,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAExC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QAC5D,CAAC;QAED,yCAAyC;QACzC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;YAC3C,IAAI,EAAE,SAAS,CAAC,KAAK;YACrB,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,YAAY,EAAE,SAAS,CAAC,YAAY;YACpC,cAAc,EAAE,SAAS,CAAC,cAAc;YACxC,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAE/C,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,OAAO,EAAE,KAAK,CAAC,EAAE;YACjB,SAAS,EAAE,KAAK,CAAC,IAAI;YACrB,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;IACJ,CAAC;CACF"}

package/dist/bridge/server.d.ts

@@ -1,7 +1,7 @@
 /**
  * Bridge HTTP server — Streamable HTTP transport for the MCP bridge.
  *
- * Exposes 32 bridge tools + debate tools over HTTP.
+ * Exposes 35 bridge tools + debate tools over HTTP.
  * Auth is handled via API key in Authorization header.
  * Each request is authenticated before being passed to the MCP handler.
  */

package/dist/bridge/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/bridge/server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAc,MAAM,WAAW,CAAC;AAC3D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAwG3C,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;CAChB;AA6wBD,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC;IAC1E,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B,CAAC,CAqLD"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/bridge/server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAc,MAAM,WAAW,CAAC;AAC3D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AA2G3C,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;CAChB;AA+6BD,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC;IAC1E,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B,CAAC,CAqLD"}

package/dist/bridge/server.js

@@ -1,7 +1,7 @@
 /**
  * Bridge HTTP server — Streamable HTTP transport for the MCP bridge.
  *
- * Exposes 32 bridge tools + debate tools over HTTP.
+ * Exposes 35 bridge tools + debate tools over HTTP.
  * Auth is handled via API key in Authorization header.
  * Each request is authenticated before being passed to the MCP handler.
  */
@@ -16,7 +16,7 @@ import { fileURLToPath } from "node:url";
 import { resolve, dirname } from "node:path";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PKG_VERSION = JSON.parse(readFileSync(resolve(__dirname, "../../package.json"), "utf-8")).version;
-import { RegisterAgentSchema, ListBridgeAgentsSchema, DiscoverCapabilitiesSchema, CreateProjectSchema, ListProjectsSchema, SetMemorySchema, GetMemorySchema, DeleteMemorySchema, CreateConversationSchema, ListConversationsSchema, SubscribeSchema, UnsubscribeSchema, SendMessageSchema, GetMessagesSchema, GetStatusSchema, MarkReadSchema, ListSubscribersSchema, ListAccessRequestsSchema, RespondToAccessRequestSchema, GetMyAccessRequestsSchema, CreateTaskSchema, ListTasksSchema, ClaimTaskSchema, CompleteTaskSchema, ReleaseTaskSchema, UpdateTaskSchema, SetInstructionsSchema, ListInstructionsSchema, DeleteInstructionsSchema, SetAgentMemorySchema, GetAgentMemorySchema, DeleteAgentMemorySchema, } from "./tools.js";
+import { RegisterAgentSchema, ListBridgeAgentsSchema, DiscoverCapabilitiesSchema, CreateProjectSchema, ListProjectsSchema, SetMemorySchema, GetMemorySchema, DeleteMemorySchema, CreateConversationSchema, ListConversationsSchema, SubscribeSchema, UnsubscribeSchema, SendMessageSchema, GetMessagesSchema, GetStatusSchema, MarkReadSchema, ListSubscribersSchema, ListAccessRequestsSchema, RespondToAccessRequestSchema, GetMyAccessRequestsSchema, CreateTaskSchema, ListTasksSchema, ClaimTaskSchema, CompleteTaskSchema, ReleaseTaskSchema, UpdateTaskSchema, SetSkillSchema, ListSkillsSchema, GetSkillSchema, DeleteSkillSchema, SetSkillFileSchema, GetSkillFileSchema, SetAgentMemorySchema, GetAgentMemorySchema, DeleteAgentMemorySchema, } from "./tools.js";
 const log = createLogger("bridge");
 /** Per-session context: maps transport sessionId → agent auth. */
 const sessionAuth = new Map();
@@ -98,6 +98,13 @@ function createBridgeMcpServer(store, agentId) {
             "If you try to subscribe to a conversation you don't have access to, an access request is created automatically.",
             "Subscribers of that conversation can approve or deny your request via list_access_requests + respond_to_access_request.",
             "Check your request status with get_my_access_requests.",
+            "",
+            "IMPORTANT — Skills system (progressive disclosure):",
+            "Skills provide behavioral instructions and context. They use 3-tier progressive disclosure to save context:",
+            "- Tier 1 (metadata): When you subscribe, you receive skill metadata (title, summary, instructions, tags) — NOT the full content.",
+            "- Tier 2 (content): Call get_skill(skill_id) to load the full content of a skill you need.",
+            "- Tier 3 (files): Call get_skill_file(skill_id, filename) to load supporting files attached to a skill.",
+            "Only load tier 2/3 when you actually need the detail. The summary and instructions fields give you enough to decide.",
         ].join("\n"),
     });
     // --- Agent tools ---
@@ -214,9 +221,20 @@ function createBridgeMcpServer(store, agentId) {
             defaultVisibility: args.default_visibility,
             createdBy: agentId,
         });
-        // Auto-subscribe the creator
+        // Auto-subscribe the creator and include skills metadata
         await store.subscribe(conv.id, agentId);
-        return { content: [{ type: "text", text: JSON.stringify(conv, null, 2) }] };
+        const agent = await store.getAgent(agentId);
+        const matchingSkills = agent
+            ? await store.getMatchingSkills({ name: agent.name, type: agent.type, capabilities: agent.capabilities }, conv.id)
+            : [];
+        return { content: [{ type: "text", text: JSON.stringify({
+                        ...conv,
+                        skills: matchingSkills.map((s) => ({
+                            id: s.id, title: s.title, summary: s.summary,
+                            instructions: s.instructions, tags: s.tags,
+                            scope: s.scope, agents: s.agents, files: s.files,
+                        })),
+                    }, null, 2) }] };
     });
     server.tool("list_conversations", "List conversations in a project", ListConversationsSchema.shape, async (args) => {
         let conversations = await store.listConversations(args.project_id, agentId);
@@ -226,10 +244,23 @@ function createBridgeMcpServer(store, agentId) {
         return { content: [{ type: "text", text: JSON.stringify(conversations, null, 2) }] };
     });
     server.tool("subscribe", "Subscribe to a conversation. If you don't have access, an access request is created automatically — existing subscribers can approve it.", SubscribeSchema.shape, async (args) => {
-        // Check if already subscribed
+        // If already subscribed, return current skills metadata (not an error)
         const alreadySubscribed = await store.isSubscribed(args.conversation_id, agentId);
         if (alreadySubscribed) {
-            return { content: [{ type: "text", text: JSON.stringify({ error: "Already subscribed to this conversation" }) }] };
+            const agent = await store.getAgent(agentId);
+            const matchingSkills = agent
+                ? await store.getMatchingSkills({ name: agent.name, type: agent.type, capabilities: agent.capabilities }, args.conversation_id)
+                : [];
+            return { content: [{ type: "text", text: JSON.stringify({
+                            subscribed: true,
+                            already_subscribed: true,
+                            conversation_id: args.conversation_id,
+                            skills: matchingSkills.map((s) => ({
+                                id: s.id, title: s.title, summary: s.summary,
+                                instructions: s.instructions, tags: s.tags,
+                                scope: s.scope, agents: s.agents, files: s.files,
+                            })),
+                        }) }] };
         }
         // Verify conversation exists and caller can access its project
         const conv = await store.getConversation(args.conversation_id);
@@ -241,18 +272,23 @@ function createBridgeMcpServer(store, agentId) {
             await store.subscribe(args.conversation_id, agentId, {
                 historyAccess: args.history_access,
             });
-            // Include matching instructions in subscribe response
+            // Include matching skill metadata in subscribe response (progressive disclosure: tier 1 only)
             const agent = await store.getAgent(agentId);
-            const matchingInstructions = agent
-                ? await store.getMatchingInstructions({ type: agent.type, capabilities: agent.capabilities }, args.conversation_id)
+            const matchingSkills = agent
+                ? await store.getMatchingSkills({ name: agent.name, type: agent.type, capabilities: agent.capabilities }, args.conversation_id)
                 : [];
             return { content: [{ type: "text", text: JSON.stringify({
                             subscribed: true,
                             conversation_id: args.conversation_id,
-                            instructions: matchingInstructions.map((i) => ({
-                                scope: i.scope,
-                                selector: i.selector,
-                                content: i.content,
+                            skills: matchingSkills.map((s) => ({
+                                id: s.id,
+                                title: s.title,
+                                summary: s.summary,
+                                instructions: s.instructions,
+                                tags: s.tags,
+                                scope: s.scope,
+                                agents: s.agents,
+                                files: s.files,
                             })),
                         }) }] };
         }
@@ -411,48 +447,71 @@ function createBridgeMcpServer(store, agentId) {
         }
         return { content: [{ type: "text", text: JSON.stringify(task, null, 2) }] };
     });
-    // --- Instruction tools ---
-    server.tool("set_instructions", "Set instructions for agents in a scope. Only the project/conversation creator can set instructions for their scope. Use selector to target specific agent types or capabilities. Omit selector for instructions that apply to all agents.", SetInstructionsSchema.shape, async (args) => {
+    // --- Skill tools ---
+    server.tool("set_skill", "Create or update a skill in a scope. Creator can always create/edit. Listed agents (in agents[]) can edit existing skills. Use selector and agents[] to target specific agents.", SetSkillSchema.shape, async (args) => {
         let scope = "bridge";
         let scopeId;
         if (args.conversation_id) {
             scope = "conversation";
             scopeId = args.conversation_id;
-            // Verify caller created the conversation
             const conv = await store.getConversation(args.conversation_id);
-            if (!conv || conv.createdBy !== agentId) {
-                return { content: [{ type: "text", text: JSON.stringify({ error: "Only the conversation creator can set instructions" }) }] };
+            if (!conv)
+                return ACCESS_DENIED;
+            // Creator can always set. Listed agents can edit existing.
+            if (conv.createdBy !== agentId) {
+                // Check if caller is a listed agent on an existing skill with this title
+                const existing = (await store.listSkills("conversation", args.conversation_id)).find((s) => s.title === args.title);
+                if (!existing) {
+                    return { content: [{ type: "text", text: JSON.stringify({ error: "Only the conversation creator can create new skills" }) }] };
+                }
+                const agent = await store.getAgent(agentId);
+                const agentName = agent?.name ?? "";
+                if (!existing.agents.some((a) => a.toLowerCase() === agentName.toLowerCase())) {
+                    return { content: [{ type: "text", text: JSON.stringify({ error: "Only the creator or listed agents can edit this skill" }) }] };
+                }
             }
         }
         else if (args.project_id) {
             scope = "project";
             scopeId = args.project_id;
-            // Verify caller created the project
             const project = await store.getProject(args.project_id, agentId);
-            if (!project || project.createdBy !== agentId) {
-                return { content: [{ type: "text", text: JSON.stringify({ error: "Only the project creator can set instructions" }) }] };
+            if (!project)
+                return ACCESS_DENIED;
+            if (project.createdBy !== agentId) {
+                const existing = (await store.listSkills("project", args.project_id)).find((s) => s.title === args.title);
+                if (!existing) {
+                    return { content: [{ type: "text", text: JSON.stringify({ error: "Only the project creator can create new skills" }) }] };
+                }
+                const agent = await store.getAgent(agentId);
+                const agentName = agent?.name ?? "";
+                if (!existing.agents.some((a) => a.toLowerCase() === agentName.toLowerCase())) {
+                    return { content: [{ type: "text", text: JSON.stringify({ error: "Only the creator or listed agents can edit this skill" }) }] };
+                }
             }
         }
         else {
-            // Bridge scope — not settable via MCP (future admin dashboard)
-            return { content: [{ type: "text", text: JSON.stringify({ error: "Bridge-level instructions cannot be set via MCP. Provide project_id or conversation_id." }) }] };
+            return { content: [{ type: "text", text: JSON.stringify({ error: "Bridge-level skills cannot be set via MCP. Provide project_id or conversation_id." }) }] };
         }
-        const instr = await store.setInstruction({
+        const skill = await store.setSkill({
             scope,
             scopeId,
+            title: args.title,
+            summary: args.summary,
+            instructions: args.instructions,
             selector: args.selector,
+            agents: args.agents,
+            tags: args.tags,
             content: args.content,
             createdBy: agentId,
         });
-        return { content: [{ type: "text", text: JSON.stringify(instr, null, 2) }] };
+        return { content: [{ type: "text", text: JSON.stringify(skill, null, 2) }] };
     });
-    server.tool("list_instructions", "List instructions for a scope. No params = bridge-level. With project_id = project-level. With conversation_id = conversation-level.", ListInstructionsSchema.shape, async (args) => {
+    server.tool("list_skills", "List skills for a scope (returns metadata only — no content). No params = bridge-level. With project_id = project-level. With conversation_id = conversation-level.", ListSkillsSchema.shape, async (args) => {
         let scope = "bridge";
         let scopeId;
         if (args.conversation_id) {
             scope = "conversation";
             scopeId = args.conversation_id;
-            // Verify subscribed
             const subscribed = await store.isSubscribed(args.conversation_id, agentId);
             if (!subscribed)
                 return ACCESS_DENIED;
@@ -464,13 +523,86 @@ function createBridgeMcpServer(store, agentId) {
             if (!project)
                 return ACCESS_DENIED;
         }
-        const instructions = await store.listInstructions(scope, scopeId);
-        return { content: [{ type: "text", text: JSON.stringify(instructions, null, 2) }] };
+        const skills = await store.listSkills(scope, scopeId, { tags: args.tags });
+        // Filter by agent visibility
+        const agent = await store.getAgent(agentId);
+        const agentName = agent?.name ?? "";
+        const visible = skills.filter((s) => {
+            if (s.agents.length === 0)
+                return true;
+            return s.agents.some((a) => a.toLowerCase() === agentName.toLowerCase());
+        });
+        // Return metadata only (progressive disclosure tier 1)
+        const metadata = visible.map(({ content: _, ...rest }) => rest);
+        return { content: [{ type: "text", text: JSON.stringify(metadata, null, 2) }] };
     });
-    server.tool("delete_instructions", "Delete an instruction by ID. Only the creator can delete.", DeleteInstructionsSchema.shape, async (args) => {
-        const deleted = await store.deleteInstruction(args.instruction_id, agentId);
+    server.tool("get_skill", "Get a skill's full content by ID (progressive disclosure tier 2). Returns content + file list.", GetSkillSchema.shape, async (args) => {
+        const skill = await store.getSkill(args.skill_id);
+        if (!skill)
+            return ACCESS_DENIED;
+        // Check agent visibility (agents[] + selector)
+        const agent = await store.getAgent(agentId);
+        if (agent && skill.agents.length > 0) {
+            if (!skill.agents.some((a) => a.toLowerCase() === agent.name.toLowerCase())) {
+                return ACCESS_DENIED;
+            }
+        }
+        if (agent && skill.selector) {
+            if (skill.selector.type && skill.selector.type.toLowerCase() !== agent.type.toLowerCase())
+                return ACCESS_DENIED;
+            if (skill.selector.capability && !agent.capabilities.some((c) => c.toLowerCase() === skill.selector.capability.toLowerCase()))
+                return ACCESS_DENIED;
+        }
+        return { content: [{ type: "text", text: JSON.stringify(skill, null, 2) }] };
+    });
+    server.tool("delete_skill", "Delete a skill by ID. Creator or listed agents can delete.", DeleteSkillSchema.shape, async (args) => {
+        const skill = await store.getSkill(args.skill_id);
+        if (!skill)
+            return ACCESS_DENIED;
+        // Authorization: creator OR listed agent
+        if (skill.createdBy !== agentId) {
+            const agent = await store.getAgent(agentId);
+            const agentName = agent?.name ?? "";
+            if (!skill.agents.some((a) => a.toLowerCase() === agentName.toLowerCase())) {
+                return { content: [{ type: "text", text: JSON.stringify({ error: "Only the creator or listed agents can delete this skill" }) }] };
+            }
+        }
+        const deleted = await store.deleteSkill(args.skill_id);
         return { content: [{ type: "text", text: JSON.stringify({ deleted }) }] };
     });
+    // --- Skill File tools ---
+    server.tool("set_skill_file", "Add or update a file attached to a skill. Creator or listed agents can manage files.", SetSkillFileSchema.shape, async (args) => {
+        const skill = await store.getSkill(args.skill_id);
+        if (!skill)
+            return ACCESS_DENIED;
+        // Authorization: creator OR listed agent
+        if (skill.createdBy !== agentId) {
+            const agent = await store.getAgent(agentId);
+            const agentName = agent?.name ?? "";
+            if (!skill.agents.some((a) => a.toLowerCase() === agentName.toLowerCase())) {
+                return { content: [{ type: "text", text: JSON.stringify({ error: "Only the creator or listed agents can manage skill files" }) }] };
+            }
+        }
+        const file = await store.setSkillFile(args.skill_id, args.filename, args.content);
+        return { content: [{ type: "text", text: JSON.stringify(file, null, 2) }] };
+    });
+    server.tool("get_skill_file", "Get a file attached to a skill (progressive disclosure tier 3).", GetSkillFileSchema.shape, async (args) => {
+        // Check parent skill visibility first
+        const skill = await store.getSkill(args.skill_id);
+        if (!skill)
+            return ACCESS_DENIED;
+        const agent = await store.getAgent(agentId);
+        if (agent && skill.agents.length > 0) {
+            if (!skill.agents.some((a) => a.toLowerCase() === agent.name.toLowerCase())) {
+                return ACCESS_DENIED;
+            }
+        }
+        const file = await store.getSkillFile(args.skill_id, args.filename);
+        if (!file) {
+            return { content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }] };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(file, null, 2) }] };
+    });
     // --- Agent Memory tools ---
     server.tool("set_agent_memory", "Save private memory for yourself. No scope = global. With project_id = per-project. With conversation_id = per-conversation. Content overwrites previous.", SetAgentMemorySchema.shape, async (args) => {
         let scope = "global";