Proj/channel protocol (POC)

[ngduyanhece]

brv channel + bridge - multi-agent collaboration over a wire protocol

proj/channel-protocol → main. 204 commits. Lands the entire channel-protocol body of work for internal-test rollout.

Summary

• Problem: Each agentic CLI (Claude Code, codex, kimi, opencode, brv itself) lives in its own working directory with no way to address another agent as an @mention or share context across them. Cross-machine collaboration between teammates' agents is impossible.
• Why it matters: Two failure modes today: (1) Manual copy-paste of agent output between CLIs is the only way to combine them, breaks any agentic flow that wants to fan-out / quorum / second-opinion. (2) Teammates' agents have no shared transcript or way to ask each other questions — every cross-person agent interaction is a human relay.
• What changed: Full brv channel subsystem (Phases 1–5), agent-driven skill connector (Phase 8), cross-machine brv bridge over libp2p with TOFU identity (Phase 9 demo target + post-merge heartbeat hardening), agent quorum Tier 1 + 2 (Phase 10), transcript-storage migration. New brv bridge, brv trust, brv alias CLI surfaces. New bridge-config.json persistence. SDK packages @brv/agent-sdk (TS) + brv-agent (Py). Pi-extension SDK consumer.
• What did NOT change (scope boundary):
  • No web UI for channels — CLI / agent-driven only in this cut. Pi's web-UI design remains compatible if re-introduced later.
  • No native /channel:* slash commands in CLIs other than Pi. Other CLIs use the byterover skill to drive brv channel mention from their shell tool.
  • No libp2p kad-dht backend (Slice 9.6 interface only) — peers manually pinned via brv trust pin --multiaddr ....
  • No HTTP byterover-hosted registry client (Slice 9.7 interface only).
  • No libp2p AutoNAT / DCUtR / Circuit-Relay-v2 wiring (Slice 9.8 reachability classifier only) — Tailscale / same-LAN / public-IP works; raw double-NAT does not.
  • No /brv/parley/delegate/v1 wire handler (Slice 9.9 policy gate + startup warnings only) — cross-bridge agents can answer queries but cannot perform write actions on the dialer's behalf.
  • No browser-channel UI changes.

Type of change

• New feature
• Bug fix (heartbeat keep-alive, env-var persistence, cross-merge typecheck repair)
• Refactor (no behavior change)
• Documentation (INTERNAL_TEST.md, design + PHASES update)
• Test
• Chore (build, dependencies, CI)

Scope (select all touched areas)

• TUI / REPL (no v1 changes; channels are oclif-only)
• Agent / Tools (skill connector, byterover memory tools, ACP driver pool)
• LLM Providers (no provider-specific changes; provider-agnostic by design)
• Server / Daemon (channel orchestrator, parley server/client, libp2p host, bridge transcript service, auto-provision policy, bridge config store)
• Shared (constants, types, transport events) — new ChannelEvents, BridgeEvents, TrustEvents
• CLI Commands (oclif) — new topics: channel, bridge, trust, alias
• Hub / Connectors — new brv connectors install <agent> --type skill flow
• Cloud Sync
• CI/CD / Infra

Linked issues

• Closes: N/A — internal channel-protocol epic, no single tracking issue
• Related: plan/channel-protocol/DESIGN.md, plan/channel-protocol/PHASES.md, plan/channel-protocol/IMPLEMENTATION_PHASE_9_CLOUD_BRIDGE.md

Root cause

N/A — primarily new-feature work. The handful of bug fixes (heartbeat keep-alive, env-var persistence, channel-events test fixture lag) have their root causes documented in their individual commit messages.

Test plan

• Coverage added:
  • Unit test (9603+ tests passing; new tests under test/unit/server/infra/channel/bridge/ for: bridge-config-store, audit-parley-seal, parley-verifier, parley-server, parley-end-to-end, bridge-reachability, bridge-transcript-service, bridge-driver-pool, delegate-policy, peer-multiaddr-resolver, registry-client + nonce-lru, rate-limit)
  • Integration test (channel-phase{1..10}-* integration tests, cross-bridge end-to-end)
  • Manual verification — live two-daemon cross-bridge test on 2026-05-20: mario-team-v4, ctx-exchange-v2, bobs-side-v2 channels, multiple kimi/codex agents, round-trip queries + context-tree exchange, heartbeat verified across multi-minute idle gaps that previously triggered TRANSCRIPT_TERMINAL_MISSING
• Test file(s): 50+ new test files under test/{unit,integration}/; see commit-by-commit log for which slice each belongs to
• Key scenarios:
  • Single-machine multi-agent channel + fan-out
  • Cross-machine bridge: handshake, TOFU pin, signed parley round-trip, transcript persistence on both sides
  • Auto-provision policy (auto / pinned-only / deny)
  • Cancel mid-stream + permission flow
  • Heartbeat keep-alive during slow agent generators
  • Daemon respawn config persistence (NEW — eliminates the silent mock-echo degradation)

User-visible changes

New CLI surfaces:

• brv channel new|invite|mention|cancel|show|list|members|onboard|doctor|approve|deny|archive|leave (full Phases 1–5 surface)
• brv channel mention --mode sync --suppress-thoughts --json --timeout <ms> for agent-driven invocations (Phase 8)
• brv channel mention --quorum N for fan-out + agreement merging (Phase 10 Tier 1)
• brv bridge listen|whoami|pin|ping|verify for cross-machine peer setup
• brv trust pin|list|verify with --multiaddr + --alias flags
• brv alias add|list|remove for short-name routing
• brv connectors install <agent> --type skill writes byterover skill (.agents/skills/byterover/SKILL.md) into a project so the host LLM can drive brv channel mention from its shell tool

New persisted state:

• <dataDir>/identity/install.{key.enc,cert.json,master.key,peer-id} — L1 identity (auto-generated on first brv bridge whoami)
• <dataDir>/identity/tree-default.{key.enc,cert.json,master.key} — L2 peer-tree identity
• <dataDir>/identity/known-peers.jsonl — TOFU pin store (alias / peer-id / pin-state)
• <dataDir>/identity/aliases.json — local alias map
• <dataDir>/state/bridge-config.json — NEW persistent operator-prefs for BRV_BRIDGE_* env vars (survives daemon respawns)
• <projectRoot>/.brv/channel-history/<channelId>/turns/<turnId>.ndjson — channel transcript (Phase 9 storage migration; was under .brv/context-tree/channel/)

New behavioural defaults:

• BRV_BRIDGE_AUTO_PROVISION defaults to pinned-only (spec §7.3) — first-contact peers must be pinned via brv trust pin before they can dispatch into a channel
• BRV_BRIDGE_MAX_CONCURRENT_PER_PROFILE=1 per agent; excess inbound parleys reject with signed PARLEY_LOCAL_AGENT_BUSY
• BRV_BRIDGE_DELEGATE_POLICY=prompt default (mutating-tool wire is deferred so this is type-level only)
• Daemon emits heartbeat_ping every 10s during idle bridge streams so libp2p Yamux substreams don't time out on multi-minute LLM calls

Deprecated: none.

Breaking: none on main's existing CLI surface — channels are net-new commands. Internal: WaitForTaskOptions.timeoutMs was removed in main f14047cae; reconciled in the cross-merge against proj/byterover-tool-mode.

Evidence

• Failing test before / passing after: see commit 75b6c58b5 (heartbeat keep-alive) — added unit test that reliably fails on pre-fix code (cross-bridge tool-using turn dies with TRANSCRIPT_TERMINAL_MISSING after ~120s) and passes on post-fix code (heartbeats keep the substream alive indefinitely)
• Live cross-bridge transcript: Bridge-handshake completed in 4.3s, cross-tree exchange completed in 7.7–33.3s round-trip, design+engineering notes successfully exchanged between two daemons (mario-team-v4 + ctx-exchange-v2 + bobs-side-v2 channels) on 2026-05-20
• Daemon respawn persistence test: Live verified — kill daemon, respawn WITHOUT any BRV_BRIDGE_* env vars, daemon reads persisted <dataDir>/state/bridge-config.json and resumes with codex profile + auto provision + cap=3 instead of silently falling back to mock-echo + pinned-only. See INTERNAL_TEST.md §5.1 for the operational story
• Test summary: 9603 unit + integration passing, 26 pending (22 pre-existing + 4 newly-skipped orphans with rationale in each describe.skip comment), 0 failing

Checklist

• Tests added or updated and passing (npm test): 9603 passing, 26 pending, 0 failing
• Lint passes (npm run lint)
• Type check passes (npm run typecheck)
• Build succeeds (npm run build)
• Commits follow Conventional Commits format
• Documentation updated — plan/channel-protocol/DESIGN.md, plan/channel-protocol/PHASES.md, new INTERNAL_TEST.md at repo root
• No breaking changes (or clearly documented above)
• Branch is up to date with main — last main sync c897ee00f (Release 3.15.0 merged)

Risks and mitigations

• Risk: Operators set up the bridge on heterogeneous-NAT laptops and connections silently fail.
  • Mitigation: INTERNAL_TEST.md §3 recommends Tailscale upfront. brv channel doctor surfaces reachability (public / wildcard-unconfirmed / behind-nat-with-relay / loopback-only / unreachable) honestly. The libp2p AutoNAT/DCUtR/Circuit-Relay-v2 wire is explicitly deferred.
• Risk: Cross-bridge agents try to write to dialer's repo and get a confusing rejection.
  • Mitigation: INTERNAL_TEST.md §5 lists this as a known limitation. The delegate_policy startup log makes the unwired state visible. The error path returns a clear CHANNEL_AUTO_PROVISION_DECLINED or PARLEY_REJECTED rather than hanging.
• Risk: Peer's multiaddr rotates (laptop sleep/wake / network change) and the pinned entry breaks.
  • Mitigation: brv trust pin <peer-id> --multiaddr <new-addr> re-pins idempotently. brv channel doctor surfaces stale-cache state. DHT-driven multiaddr refresh ships in a follow-up slice (Phase 9.6 backend).
• Risk: Operator confused by env-var vs. persisted config precedence.
  • Mitigation: New bridge-config.json resolver logs [Daemon] Bridge config persisted to ... whenever env supplies a value that changes the file. Revert path documented in INTERNAL_TEST.md §5.1 (rm <dataDir>/state/bridge-config.json).
• Risk: 4 integration tests are describe.skipped — looks worse than it is on CI.
  • Mitigation: Each skip has a per-file rationale comment. 3 are pre-existing test-only orphans (BRV_FORCE_ORIGIN consumer never implemented; Phase 10 surface change made the multi-mention rejection assertion obsolete; channel-history storage migration made the cancel-ordering integration probe stale). The actual code paths these tested are covered by unit-level tests. None are Phase-9 regressions.

---

How to use it

A. Local multi-agent channel (single machine)

The basic flow. No network setup needed. Two terminals.

# One-time per agent type — probes its ACP install:
brv channel onboard codex -- codex-acp
brv channel onboard kimi -- kimi acp
brv channel onboard opencode -- opencode acp

# Create a channel + invite two local agents:
brv channel new code-review
brv channel invite code-review @codex --profile codex
brv channel invite code-review @kimi --profile kimi

# Address one agent:
brv channel mention code-review "@codex review src/foo.ts for null-safety bugs" \
  --mode sync --suppress-thoughts --json --timeout 300000

# Quorum across both (Phase 10):
brv channel mention code-review "@codex @kimi rate the diff: solid / risky / unsafe" \
  --quorum 2 --json

# Live tail any time:
brv channel watch code-review --from-tail 5
brv channel show code-review <turnId>
brv channel list-turns code-review --tail 10

Inside another agentic CLI (Claude Code, codex, kimi-cli, opencode, Pi) the host LLM calls these commands from its bash tool — install the byterover skill once per project and the LLM picks them up:

brv connectors install Codex --type skill           # or Claude Code / Cursor / Gemini CLI / etc.

After that the host agent reads .agents/skills/byterover/SKILL.md and learns to call brv channel mention --mode sync --suppress-thoughts --json whenever the user says "ask @Kimi to review this" or similar.

B. Cross-machine bridge (two laptops, two agents)

Prerequisite: both peers need a routable path to each other. Internal-test recommendation is Tailscale — install on every team member's laptop, join the same tailnet, every peer gets a stable IP that punches through every NAT. Free for ≤3 users; trivial setup. Bare-internet over heterogeneous NAT will NOT work in this cut (libp2p AutoNAT/DCUtR/Circuit-Relay-v2 are deferred).

# ─── Each peer (Alice + Bob) sets up the bridge ───
# In a shell rc (`~/.zshrc` / `~/.bashrc`), once:
export BRV_BRIDGE_PARLEY_PROFILE=codex     # the agent that answers parley calls; or kimi / opencode
export BRV_BRIDGE_AUTO_PROVISION=auto      # accept first-contact peers; switch to pinned-only after the team is up
export BRV_BRIDGE_MAX_CONCURRENT_PER_PROFILE=2

# Each peer: confirm bridge identity (auto-generates L1 + L2 keys on first run)
brv bridge whoami --format json
# {"data":{"multiaddrs":["/ip4/100.x.x.x/tcp/61234/p2p/12D3KooW..."], "peerId":"12D3KooW...", ...}}
# Share that multiaddr line with the other peer out-of-band (Slack, etc.)

# ─── Alice pins Bob (and Bob pins Alice) ───
brv trust pin <BOB-PEER-ID> --multiaddr <BOB-MULTIADDR> --alias bob
# verify:
brv trust list

# ─── Alice creates a channel and invites Bob as a remote peer ───
brv channel new team-review
brv channel invite team-review @alice --profile codex                                    # local member
brv channel invite team-review @bob --multiaddr <BOB-MULTIADDR> --peer <BOB-PEER-ID> --display-name "Bob"

# ─── Alice addresses Bob's agent across the bridge ───
brv channel mention team-review "@bob what's your team's preferred test runner? \
  Use your byterover skill (brv query) to consult your local context tree." \
  --mode sync --suppress-thoughts --json --timeout 300000
# → Bob's daemon receives the parley call, codex on Bob's side runs `brv query` against
#   Bob's `.brv/context-tree/`, replies inline with text. Alice sees the reply in
#   ~5–30s depending on agent latency.

# ─── Alice ingests Bob's reply into her own context tree ───
brv channel mention alice-local "@alice ingest Bob's reply under shared_from_bob/ using brv curate" \
  --mode sync --suppress-thoughts --json --timeout 300000
# → Alice's codex calls `brv curate` locally to persist the note.

# Verify with a search later:
brv search "test runner" --limit 5 --format json

That's the full cross-bridge loop. Two agents on different laptops exchange context via signed parley envelopes; both daemons persist the transcript; the receiver's context tree gains the shared knowledge.

C. What's the difference between brv channel and brv bridge?

• brv channel is the user-facing surface: create a channel, invite members (local or remote), mention them, see transcripts.
• brv bridge is the low-level libp2p surface: bring up your install's bridge identity, pin remote peers, ping them, verify TOFU promotions.

You almost always interact via brv channel and brv trust. brv bridge is for debugging (e.g. brv bridge whoami to share your multiaddr, brv bridge ping <peer-id> to test reachability).

---

What's left for a full-fledged release

Below is the list of follow-up slices that are NOT in this PR but are designed for and the next obvious work. Internal-test feedback will inform priority.

Within Phase 9 (cross-machine bridge) — 4 follow-up slices

These have interfaces + policy gates in this PR but no live backends:

1. Slice 9.6 — DHT-driven multiaddr resolution. Wire @libp2p/kad-dht into Libp2pHost, implement DhtPeerMultiaddrResolver, daemon publishes signed peer-record every announce interval. Replaces manual brv trust pin --multiaddr re-pinning when IPs rotate. Effort: ~1 week. Worth doing only if internal-test feedback says manual re-pinning hurts.
2. Slice 9.7 — HTTP byterover registry client. Implement HttpRegistryClient against BRV_REGISTRY_BASE_URL, allows handle-based peer discovery. Requires backend deployment (registry endpoint not yet hosted by ByteRover). Effort: ~1 week of CLI + backend infra outside this repo.
3. Slice 9.8 — libp2p NAT-traversal wiring. Enable autoNAT() + dcutr() + circuitRelayClient/Server() libp2p services in Libp2pHost. Ship default ByteRover-hosted relay multiaddrs. Effort: ~3–5 days CLI + ops work to deploy relays. Likely unnecessary if teams adopt Tailscale; track internal-test feedback before committing.
4. Slice 9.9 — /brv/parley/delegate/v1 wire protocol handler. Today: policy gate (delegate_policy: auto / prompt / deny) is enforced at the type level + logged at daemon startup, but the actual cross-bridge permission_request → permission_decision wire is unimplemented. Implementing this enables Alice asking Bob's agent to write to Bob's repo with cross-bridge consent. Effort: ~1 week. High-value if team's flagship use case is cross-machine delegation.

Within Phase 7 (native CLI integrations) — upstream-gated

• 7.1b — kimi-cli upstream PR (native /channel:* slash command). Effort: ~200–500 LOC; merge timeline depends on Moonshot maintainers.
• 7.2 — claude-code native integration. Effort: similar; depends on Anthropic.
• 7.3 — opencode native integration. Same shape; depends on opencode maintainers.

These work without us — the skill connector in this PR (brv connectors install <agent> --type skill) makes every ACP-speaking CLI usable via shell-tool calls. Native slash commands are quality-of-life, not load-bearing.

Within Phase 8 (agent-driven channel) — upstream-async

• 8.3 — upstream skill distribution. Currently the skill ships from this repo; longer-term distribution channels (Anthropic skills registry, etc.) are async.

Pre-existing tech debt outside Phase 9 scope

• 3 integration tests skipped with rationale (channel-phase{2,3}-* reference orphan code paths like BRV_FORCE_ORIGIN that were never implemented, or test against the pre-storage-migration layout). Implement the missing consumer side OR delete the tests in a small follow-up PR.
• No brv channel kick @<handle> / member-remove command. Today a multiaddr/port change forces creating a new channel. Effort: ~half day. Worth doing soon if teams cycle multiaddrs frequently.
• Heartbeat counter metric for prod observability (kimi sign-off note, non-blocking).

Out of scope but tracked for v1.1+

• @everyone / @all semantics in channel mentions
• Per-channel ACLs
• Threaded sub-conversations within a channel
• Account-abstracted cross-channel identity ("same @kimi-cli across all channels")
• Web UI for channels (Pi's design remains compatible)
• Web-UI permission prompts (CLI is the only consent surface in this cut)

Out of scope indefinitely

• Cross-CA federation (v1 trusts one CA root; multi-org bridging is v2)
• End-to-end channel-content encryption at rest
• Strong cross-machine consistency (transcripts are append-only by author; eventual consistency is the contract)
• Group-chat semantics across channels
• Claude Managed Agents driver class C-prime runtime (schema-only in v1)

[chatgpt-codex-connector]

To use Codex here, create an environment for this repo.

[github-actions]

Claude finished @ngduyanhece's task in 7m 28s —— View job

---

Review — Channel + Bridge protocol (Phase 9 internal-test cut)

Overall: 4 / 5 — competent, well-documented, extensively review-cycled cryptographic work shipped with proportional test coverage. The structural foundations (domain-separated Ed25519 signing, RFC 8785 JCS canonicalization, atomic-rename + flock storage, strict-allowlist cert shape validation, the verifier's 11-step ordering) are sound. Findings are minor robustness gaps and threat-model documentation, not blocking bugs.

The PR is large (711 files, 74103 / 18653 lines, 204 logical commits squashed under a topic branch). Full per-file review is impractical; I focused on the security-sensitive surface (src/agent/core/trust/**, src/server/infra/channel/bridge/**) and spot-checked the new SDK packages, install scripts, and the heartbeat fix that motivated commit 75b6c58b.

What's good

• Domain-separated signing. sign.ts exposes no signRaw — every intent has a typed helper with its own brv.<kind>.v1\n prefix. The satisfies Record<string, \brv.${string}.v1\n`>` clause enforces the tag shape at compile time. Cross-protocol replay is structurally impossible.
• Verifier ordering in parley-verifier.ts runs cheap checks first (syntactic decode, timestamp window, transport-identity match), defers TOFU side effects until everything else passes, inserts the nonce LRU entry only on success. Step 9 (requester_cert ≡ tree_cert) uses canonical-JCS bytes rather than reference equality.
• NFC normalization on the writer side for display_handle, with TOCTOU race fixes already addressed in earlier review rounds (upsertWithMerge inside the flock).
• Heartbeat fix (75b6c58) is structurally correct: setInterval driven, serialised through a sendChain promise queue, terminalQueued flag guarantees no heartbeat slips between the last chunk and the terminal frame, dedicated tests added.
• Strict shape allowlist on install + tree certs prevents protocol-malleable bytes from being smuggled into the signed payload.

Inline findings (8 buffered)

• install-identity-service.ts — Master key colocated with encrypted key (at-rest obfuscation, not encryption — threat-model gap).
• identity-client.ts — Client-side display_handle comparison is byte-exact; NFC normalization is only applied at the writer. Homoglyph collision possible.
• parley-nonce-lru.ts — Outer per-sender Map has no global cap; a peer-id-cycling attacker can grow memory.
• parley-rate-limit.ts — Same structural unbounded-Map concern (referenced from the nonce-LRU comment).
• process-lock.ts — Comment says "recurse" but code doesn't; a double-stale race surfaces a confusing error.
• alias-store.ts — Atomic-write uses a non-unique tmp path, inconsistent with install-identity-service.ts.
• discovery.py — isinstance(port, int) accepts JSON true/false (bool is an int subclass).
• channel-skill/install-lib.js — resolveBrvBin uses accessSync(constants.X_OK) without isFile(); a directory named brv on PATH wins.
• local-agent-response-generator.ts — Important threat-model note: Alice's prompt is run by Bob's local agent with Bob's tools. The protocol: 'query' vs 'delegate' discriminator exists at the type level but is not enforced at the wire (the delegate-policy.ts gate is exported but not wired). The internal-test docs should call out the trust model more loudly than the current "read-only Q&A" framing.
• ai-sdk-content-generator.ts — Minor nit on the synthetic usage block masking any future upstream usage. (Self-correction: I also wrote that Number.isFinite(0) rejects 0 — it does not, that half of the nit is wrong; ignore it.)

Other observations (not inlined)

• Skipped tests — 4 describe.skip'd integration tests have per-file rationale and are not Phase-9 regressions. Acceptable for internal-test, but file a follow-up to either implement the consumer side (BRV_FORCE_ORIGIN) or delete the orphans.
• Deferred slices — 9.6 (DHT), 9.7 (registry), 9.8 (NAT traversal), 9.9 (delegate wire) are interface-only. The PR description is clear; the policy-only stubs are honest.
• PR size — 74k additions across 711 files is hard to review thoroughly even with extensive test coverage. Consider whether internal-test feedback informs splitting a future release into smaller cuts (e.g. trust/identity / bridge / channel / SDKs as separate landing PRs against an integration branch).

Checklist

• Map the diff against origin/main
• Review identity/crypto code under src/agent/core/trust/
• Spot-check the bridge: parley server, verifier, identity exchange, nonce LRU, rate limiter, delegate policy, local-agent generator
• Sample SDK packages (TS + Python channel-client, channel-skill installer, agent-sdk shape)
• Spot-check the LLM generator changes (logging-content-generator, ai-sdk-content-generator, usage-extractor)
• Post inline comments (9 buffered)
• Post overall summary + score
  · branch

[github-actions]

suggestion (security, non-blocking): install.master.key lives in the same directory as install.key.enc with the same mode (0600). That means the AES-GCM encryption provides effectively zero protection against a local attacker who can read install.key.enc — they can read the master key with the same privileges and decrypt trivially. This is essentially obfuscation at rest, not encryption.

That may well be the intended trust model (the design is "private home dir = trust boundary"), but the file-level comment frames this as protective encryption and the AMENDMENT_TOFU §A3.1 reference suggests a higher bar. Recommend either:

1. Adding a // SECURITY: this is at-rest obfuscation only — relies on parent dir 0700 + filesystem ACL. note here, or
2. Deriving the master key from a passphrase / OS keychain (Phase 9.x) so the encryption isn't decorative.

Either is fine — but the current docstring overstates the protection. Linked from tofu-store.ts line 18 ("operator-private") which has the same modeling.

[github-actions]

issue (security, low-medium): Client side does not NFC-normalize display_handle before the collision check.

install-identity-service.ts:458-467 documents that the writer NFC-normalizes at the boundary so two visually-identical handles with different byte sequences can't both be persisted. But the verifier here compares the wire string directly:

const collision = peers.find(
  (p) => p.display_handle === cert.display_handle && ...
)

A peer running a non-spec implementation (or a malicious peer) can pin a handle like "alice" (NFC) on one machine and "álice" (combining accent rendered identically) on another. Both render the same in brv trust list; equality is false; collision check misses.

Suggest normalizing both sides of the compare:

const wanted = cert.display_handle.normalize('NFC')
const collision = peers.find(
  (p) => p.display_handle?.normalize('NFC') === wanted && p.peer_id !== cert.subject_id,
)

Same fix probably belongs in tofu-store.ts upsert and alias-store.ts set.

[github-actions]

issue (resource, low): The per-sender Map has a cap (perSenderCapacity, default 256), but the outer senders Map has no global cap.

An attacker who can produce many distinct install identities (cheap — local Ed25519 keypair gen, no proof-of-work) and complete a single handshake from each will grow senders without bound. The rate limiter only kicks in on failed verifies; successful handshakes from cycled identities are unbounded.

Two reasonable mitigations:

1. Cap senders.size and LRU-evict the oldest entry (the value is itself a Map, so eviction cost is bounded).
2. Treat senders that haven't been seen for > 2 × clockSkewMs as stale and prune them periodically.

HandshakeRateLimiter at parley-rate-limit.ts:51 has the same structural issue with its counters map — both should probably get a shared cap policy.

[github-actions]

nit (doc/code drift): The comment at L46 says "Recurse once to acquire (single retry; if it fails again, propagate)" — but the code does not recurse; it just calls open(...) directly. If two processes both decide the lock is stale at the same instant, one wins the open('wx') race and the other gets EEXIST again. That throws back out as the generic 'identity dir is locked by another process' error without re-running the stale check.

Either fix the comment ("Try to acquire once; if the open race loses, propagate") or actually re-attempt the stale check on the retry path. The latter is more robust if there's any legitimate scenario where the lock could legitimately be re-stale between the unlink and the open (e.g. crashed process spawned a new instance with a new PID after we checked).

[github-actions]

nit (consistency): This atomic-write helper uses a non-unique tmp path (${storePath}.tmp), whereas install-identity-service.ts:427 uses a pid+random-suffixed name (${target}.tmp.${process.pid}.${randomBytes(4).toString('hex')}).

It's safe under the in-process queue + cross-process flock, but two issues:

1. A stale .tmp from a crashed process gets silently overwritten on the next write — harmless but masks a partial-write footprint.
2. The two patterns being inconsistent makes it easy for the next contributor to grep, copy the wrong one, and end up with a tmp-name collision in some other store.

Suggest copying the install-identity-service helper or extracting a shared atomicWrite() utility. Same applies to anywhere else that does atomic-write through this codebase.

[github-actions]

nit (robustness): isinstance(port, int) will accept JSON true / false because Python's bool is a subclass of int. A daemon.json with "port": true would pass the check and produce the URL http://127.0.0.1:True, which then fails opaquely at the socket layer.

Suggested change

	port = parsed.get("port") if isinstance(parsed, dict) else None
	if not isinstance(port, int) or port <= 0:
	raise ChannelClientError(
	CHANNEL_CLIENT_ERROR_CODE.DAEMON_NOT_INITIALISED,
	f"{daemon_json_path} does not contain a valid `port` field.",
	)
	port = parsed.get("port") if isinstance(parsed, dict) else None
	if isinstance(port, bool) or not isinstance(port, int) or port <= 0:
	raise ChannelClientError(
	CHANNEL_CLIENT_ERROR_CODE.DAEMON_NOT_INITIALISED,
	f"{daemon_json_path} does not contain a valid `port` field.",
	)

The TS version handles this via !Number.isFinite(port) + port <= 0. Parity nit only — extremely unlikely to bite an end user, but the cost of the fix is one line.

[github-actions]

nit (robustness): accessSync(candidate, constants.X_OK) returns success for directories that happen to be executable (which most directories are on POSIX). If a user has a directory named brv on their PATH ahead of the real binary, resolveBrvBin will happily bake the directory path into SKILL.md, and every shell invocation from the LLM will then fail with EACCES / is a directory.

Cheap fix:

const stat = statSync(candidate, {throwIfNoEntry: false})
if (stat && stat.isFile() && (stat.mode & 0o111)) return candidate

Same fileset already imports existsSync from node:fs, so adding statSync is a one-line change.

[github-actions]

threat-model (security, important to document): This dispatcher hands Alice's envelope.prompt directly to Bob's local ACP subprocess (codex/kimi/opencode) as a normal turn. Whatever tools that agent has access to in Bob's environment, Alice can drive via the prompt. The agent's system prompt + tool gating is the only thing between Alice and Bob's local filesystem / shell.

This is by design (the PR description acknowledges read-only is the intent for query protocol), but two concrete gaps in the current code:

1. No protocol: 'query' vs 'delegate' enforcement. The verifier at parley-verifier.ts:150 only checks acceptModes for the tree-cert kind; it does not gate on envelope.protocol. A dialer who sends protocol: 'delegate' will reach this generator and Bob's agent will be prompted the same way — with full tool access. delegate-policy.ts's policyPermitsDelegation is exported but parley-server.ts doesn't call it.

2. Prompt-injection of Bob's agent. Even with intent of "read-only Q&A", a sufficiently capable agent given a prompt like "use brv curate to commit the following file" will happily do it. Unless Bob's profile passes restricted-tool flags to the ACP subprocess, the agent retains its normal capability set.

Neither is a blocker for an internal-test rollout (operators are setting BRV_BRIDGE_PARLEY_PROFILE themselves and consenting), but INTERNAL_TEST.md §5 should call out the trust model more loudly than "cross-bridge agents can answer queries but cannot perform write actions on the dialer's behalf" — the constraint is "Bob's agent runs Alice's prompts in Bob's environment with Bob's tools", which is a much stronger claim than "read-only Q&A".

Recommend (for a follow-up, not this PR): wire policyPermitsDelegation at parley-server.ts:114 between the verifier and the auto-provision check, so delegate_policy: 'deny' short-circuits today, and prompt becomes the wire-handler hook later.

[github-actions]

nit (correctness): buildRawResponse overwrites the original result.response.usage (if present) with the synthetic usage block, because of object-spread ordering:

return {
  ...responseObj,           // may contain `usage` from upstream
  providerMetadata: ...,
  usage,                    // wins
}

That's the intended behaviour here — extractUsage is built around the AI-SDK-normalized field names — but if any direct-provider adapter ever passes rawResponse: result.response and the SDK upstream starts including its own usage block, the synthetic block will silently mask the upstream one. Adding a brief comment ("synthetic usage intentionally shadows any upstream usage") would make the intent explicit and survive a future refactor.

Also: Number.isFinite check in readAnthropicCacheCreation rejects negative numbers — desired — but it also rejects 0. A cacheCreationInputTokens: 0 would be silently dropped, leaving the synthetic block without the field. If telemetry consumers distinguish "0 cache-creation tokens" from "unknown", you'll lose that distinction. Minor.

[github-actions]

Claude finished @ngduyanhece's task in 2m 27s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-22 push)

Overall: 4 / 5 (unchanged from 2026-05-20). Scope of this re-review is narrow: only one substantive commit landed since the previous pass.

• Identify commits added since previous review
• Diff the new commits against the prior review point
• Verify the previous round of inline findings — were any addressed?
• Spot-check new code (persistent bridge-config, INTERNAL_TEST.md, uninvite)
• Post final summary + any new inline findings

---

Diff since the 2026-05-20 13:17 UTC review

Only one substantive commit landed after the prior review wall-clock:

SHA	Change
a851f620	Expand brv channel uninvite description + examples; update INTERNAL_TEST.md §5.1 with the stale-multiaddr recovery workflow; delete the BRV_FORCE_ORIGIN orphan integration test; add 6 contract tests for uninvite.

(c897ee00 is a clean Release 3.15.0 merge from main; 975a83d7 predates the prior review wall-clock by ~2 hours and was already in scope.)

Total delta: 4 files, +57 / -54.

What's good in this delta

• Orphan test deletion is correct and complete. Confirmed independently — grep -rn BRV_FORCE_ORIGIN src/ test/ returns zero hits after the delete. Replacing a describe.skip with a real delete is the right call when the consumer was never wired; the skip-with-rationale framing in 975a83d7 was less honest.
• uninvite description expansion is operator-load-bearing. The old one-line "Remove an agent member from a channel (Phase 2)" hid the most important property: that this is a clean stop (cancels in-flight deliveries, releases the warm driver). For a team about to dogfood multiaddr-rotation on day one, this is exactly the right place to surface the semantics — the host LLM reads --help output via the skill.
• INTERNAL_TEST.md §5.1 update replaces the "no kick command yet" admonition with the actual uninvite + invite recovery sequence. Good operator UX.
• 6 contract tests are appropriately defensive against silent regression of the host-LLM-facing surface (description / examples / args / flags).

New inline finding (1)

• test/commands/channel/uninvite.test.ts:43-50 — Test name promises runtime rejection coverage but the assertion only checks that the arg's description string contains @. The actual this.error(...) rejection at uninvite.ts:30-32 has no coverage. Suggest either renaming the test to match what it asserts, or adding a real runtime case. Non-blocking.

Prior-round findings — status

None of the 9 files flagged in the 2026-05-20 review were modified by a851f620. All prior findings still apply as written:

• install-identity-service.ts:56 — master key colocated with encrypted key (threat-model doc gap) — still open
• identity-client.ts:507 — NFC normalisation only on writer side — still open
• parley-nonce-lru.ts:31 / parley-rate-limit.ts:51 — outer per-sender Map unbounded — still open
• process-lock.ts:52 — comment says "recurse" but code doesn't — still open
• alias-store.ts:198 — non-unique tmp path — still open
• discovery.py:80 — isinstance(port, int) accepts bool — still open
• channel-skill/install-lib.js:105 — accessSync(X_OK) accepts directories — still open
• local-agent-response-generator.ts:127 — delegate-policy gate not wired; threat-model documentation gap — still open (acknowledged in the PR body's "Slice 9.9" deferral)
• ai-sdk-content-generator.ts:390 — synthetic usage masks upstream — still open

This is consistent with the PR's "internal-test cut, follow-ups tracked" framing — the deferred slices (9.6 / 9.7 / 9.8 / 9.9) and the open robustness nits are explicitly out-of-scope for this ship. The earlier review's score (4 / 5) stands.

Verdict for this push

LGTM-incremental. The a851f620 commit is small, focused, and addresses a real operator-UX gap surfaced during live cross-bridge testing. The one inline nit on the test naming is a polish item, not a blocker.
· branch

[github-actions]

nit (test/code drift): The test name promises runtime behaviour ("rejects non-@-prefixed values via run-time validation") but the assertion only checks that the arg's description string contains @. The actual rejection at uninvite.ts:30-32 (if (!args.handle.startsWith('@')) { this.error(...) }) has no coverage from this suite.

Either:

1. Rename the test to match what it asserts — e.g. 'documents the @-prefix requirement in the handle arg description', or
2. Add a second case that actually exercises the rejection (oclif's Command.run is awaitable; the existing chai-only setup makes this a few-line addition):

it('rejects non-@-prefixed handles at runtime with exit code 1', async () => {
  try {
    await ChannelUninvite.run(['some-channel', 'bob'])
    expect.fail('expected ChannelUninvite to reject a bare handle')
  } catch (error) {
    expect((error as Error).message).to.match(/must start with @/i)
  }
})

Not blocking — the static contract tests are useful — but a test whose name doesn't match its assertion will mislead the next person who greps for "@-prefix" expecting to find the live coverage.

[github-actions]

Claude finished @ngduyanhece's task in 2m 57s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-22 15:17 UTC push)

Overall: 4 / 5 (unchanged from prior reviews). Scope is narrow: one substantive commit since the previous wall-clock.

• Identify commits added since prior review
• Diff the new commits
• Spot-check new code (BRV_BRIDGE_LISTEN_ADDRS wiring)
• Post inline findings
• Post final summary + score

---

Diff since the 2026-05-22 14:08 UTC review

SHA

Change

d5c1e14f

Add BRV_BRIDGE_LISTEN_ADDRS env var (comma-separated multiaddrs), threaded through bridge-config-store.ts and applied to the daemon-integrated libp2p host so a remote peer can actually reach Bob's bridge. Closes a real gap — the previous default of /ip4/127.0.0.1/tcp/0 made the daemon-integrated bridge effectively single-machine-only. INTERNAL_TEST.md §3.1 updated with the Tailscale story. 5 new unit tests.

Total delta: 4 files, +140 / -12.

What's good in this delta

• The core fix is correct and load-bearing. Without this, the "real cross-machine bridge" claim in the PR title was true only for the standalone brv bridge listen path (which doesn't share the daemon's transcript store) — the daemon-integrated bridge silently bound to loopback. The commit message explains the live-test discovery (GCP VM ↔ laptop over Tailscale, ECONNREFUSED) honestly.
• Reuses the same resolver scaffolding that already persists BRV_BRIDGE_PARLEY_PROFILE etc., so a respawn without env vars inherits the operator's listen_addrs from bridge-config.json. That's the right shape — env > file > built-in default — and the relocation of resolveBridgeRuntimeConfig to before host construction (with the explanatory comment at brv-server.ts:904-910) is well-motivated and visible.
• Defensive copy on persist (overlay.listenAddrs = [...args.env.listenAddrs] at line 208) — small but worth noting.
• 5 new tests exercise comma-list parsing (incl. whitespace + empty entries), undefined fallback, file-only respawn recovery, and env-overrides-file precedence. Coverage matches the addition.
• Documentation update in INTERNAL_TEST.md §3.1 covers both the 0.0.0.0 (any-interface) and 100.x.x.x (Tailscale-pinned) recipes.

New inline finding (1)

• src/server/infra/channel/bridge/bridge-config-store.ts:37 — listenAddrs: z.array(z.string().min(1)) skips the multiaddr() refinement that the canonical BridgeConfigSchema (bridge-config.ts:11-16,63) deliberately added so libp2p's opaque runtime error becomes a useful parse-time error. The literal-spread at brv-server.ts:916-920 also bypasses parseBridgeConfig, so a malformed BRV_BRIDGE_LISTEN_ADDRS=:60001 gets persisted and then trips the next respawn too. Either validate the multiaddr at the resolver (preferred — also blocks persisting bad state) or route the constructed config through parseBridgeConfig. Non-blocking for the internal-test cut.

Minor / not inlined

• Log-prefix inconsistency — the new line log(\Bridge listen_addrs: ${...}`)atbrv-server.ts:922drops the[Daemon] prefix that every other bridge-startup log in the same block uses (Bridge auto-provision policy: ..., Bridge parley dispatcher: ...). Note that the prefix-less logs are the dominant pattern further down — but the new line sits between persistence + host-start where [Daemon]` is in scope. Cosmetic.
• Security ergonomics in INTERNAL_TEST.md §3.1 — binding /ip4/0.0.0.0/tcp/60001 exposes the bridge on every interface, including the public WAN if the machine has a public IP and no firewall. The TOFU + BRV_BRIDGE_AUTO_PROVISION policy is the real security boundary, but for operators copy-pasting the doc snippet onto a GCP VM, a one-line warning ("0.0.0.0 listens on every interface — pin to the Tailscale IP if your VM has a public address and AUTO_PROVISION=auto") would prevent the operator from accidentally opening a global TOFU-trust window during internal-test.

Prior-round findings — status

d5c1e14f did not touch any of the files flagged in the 2026-05-20 review. All 9 prior findings still open as written and remain consistent with the PR's "internal-test cut, follow-ups tracked" framing — see earlier review summary above.

Verdict for this push

LGTM-incremental. d5c1e14f closes a real cross-machine gap that the PR title implicitly promised. The one inline finding (multiaddr validation parity) is a defensive polish item, not a ship blocker.
· branch

[github-actions]

issue (validation gap, low-medium): This new listenAddrs field is validated as z.array(z.string().min(1)) — i.e. "non-empty strings" only. The canonical BridgeConfigSchema at src/server/infra/channel/bridge/bridge-config.ts:11-16,63 deliberately uses a multiaddrString refinement that calls multiaddr(s) so a malformed value fails at parse time, with the explicit rationale ("Libp2p rejects invalid multiaddrs at runtime with opaque errors; failing at config-parse time gives the user a useful pointer").

The new wiring at brv-server.ts:916-920 constructs the live config with a literal-object spread:

const bridgeListenConfig: typeof DEFAULT_BRIDGE_CONFIG =
  bridgeRuntime.listenAddrs === undefined
    ? DEFAULT_BRIDGE_CONFIG
    : {...DEFAULT_BRIDGE_CONFIG, listen_addrs: [...bridgeRuntime.listenAddrs]}

so the canonical schema's refinement never runs on the env-supplied multiaddrs. End state: an operator who sets BRV_BRIDGE_LISTEN_ADDRS=:60001 (forgetting the /ip4/.../tcp/ prefix), or BRV_BRIDGE_LISTEN_ADDRS=/ip4/0.0.0.0/tcp/60001/extra-junk, gets the value persisted to bridge-config.json, and the first lazy ensureBridgeHost call dies inside createLibp2p({addresses: {listen: [...]}}) (libp2p-host.ts:304) with the exact opaque error the refinement was meant to prevent. The persisted bad value will keep tripping the next daemon respawn too.

Two reasonable fixes — either is fine:

1. Validate at the resolver — reuse the same refinement here:

   import {multiaddr} from '@multiformats/multiaddr'
   const multiaddrString = z.string().refine((s) => {
     try { multiaddr(s); return true } catch { return false }
   })
   // …
   listenAddrs: z.array(multiaddrString).min(1).optional(),

   And in readCommaListEnv (or a new readMultiaddrListEnv), validate per-entry with an onInvalid callback that logs the same [Daemon] invalid BRV_BRIDGE_LISTEN_ADDRS="..." shape the other env readers use, so a bad input is rejected at resolve time rather than persisted.

2. Route through parseBridgeConfig at construction — parseBridgeConfig({...DEFAULT_BRIDGE_CONFIG, listen_addrs: [...]}) would trigger the canonical refinement and throw with a clear Zod error, which ensureBridgeHost already has to catch anyway.

(1) is preferable because it ALSO prevents bad values from being persisted to disk in the first place, which closes the "stuck on a bad config across respawns" failure mode.

Non-blocking for the internal-test ship — operators of this PR are technical and will figure out the multiaddr shape. But the friendlier error path is cheap.