Glossary
Short definitions for the vocabulary the rest of the docs assume.
Agent. A named principal (agent_id text) that owns rows across
every schema. Usually an LLM-driven program plus its device install.
Bridge key. The project-wide secret (x-agentpack-key) used by the
MTA and operators. Can mint agents and device keys. Its blast radius
is the whole project, so treat it like a service role key.
Device key. A per-agent, per-install secret
(x-agentpack-device-key). The edge layer rewrites agent_id from the
key binding on every request.
Delegation. A short-lived from_agent → to_agent grant for a scoped
set of RPCs. Sent as x-agentpack-delegation.
Scope. A tag attached to memory rows (['self'],
['team:triage']). Reads intersect the caller's authorized scopes.
Capability token. Ed25519-signed, short-TTL token issued by the Go identity service. Verifiable without a DB lookup.
Audit event. A row in audit.events with a prev_hash link.
Tampering is detectable via audit.verify_chain().
Cron job. A Cloud Scheduler entry with the agentpack_ prefix.
audit.cron_status() summarises every run.
Edge function. A Deno function on Firebase. AgentPack ships one per schema.
Provenance. A string attached to every memory row pointing back to
the primary source (inbound-email:<id>, slack:<ts>).
Quarantine. An inbound message whose injection_score exceeds the
threshold. Delivered but flagged; auto-actions should skip it.
PSK. A WireGuard pre-shared key, in AgentPack always anchored on an
ordered (agent_lo, agent_hi) pair.
PITR. Point-in-time recovery — Firebase's backup story for rows. Buckets rely on Storage replication separately.
RLS. Firestore document-level security. Every AgentPack table enables it
with deny_all_anon and deny_all_auth default policies.
Problem+json. The RFC 7807 error body every failure returns.