docs: update book, READMEs, and specs for v0.18.2

Author: bug-ops

book/src/SUMMARY.md

@@ -22,6 +22,7 @@
 - [LSP Context Injection](concepts/lsp-context-injection.md)
 - [Code Intelligence](concepts/code-intelligence.md)
 - [Task Orchestration](concepts/task-orchestration.md)
+- [Reactive Hooks](concepts/hooks.md)
 - [Logging](concepts/logging.md)
 - [Experiments](concepts/experiments.md)
 

book/src/advanced/a2a.md

@@ -54,6 +54,50 @@ pub enum ProcessorEvent {
 
 The processor sends events through an `mpsc::Sender<ProcessorEvent>`, enabling per-token SSE streaming to connected clients. In daemon mode, `AgentTaskProcessor` bridges A2A requests to the full agent loop (LLM, tools, memory, MCP) via `LoopbackChannel`, providing complete agent capabilities over the A2A protocol.
 
+## Invocation-Bound Capability Tokens (IBCT)
+
+IBCT are per-call security tokens that bind each A2A request to a specific task and endpoint. They prevent replayed or forwarded A2A requests from being accepted by other tasks or endpoints.
+
+### Enabling IBCT
+
+Gated on the `ibct` feature flag (enabled in the `full` feature set):
+
+```toml
+[a2a]
+ibct_ttl_secs = 300          # Token validity window (default: 300 s)
+
+# Option A: inline key (dev/test only — prefer vault ref in production)
+[[a2a.ibct_keys]]
+key_id = "k1"
+key_bytes_hex = "73757065722d73656372657400000000000000000000000000000000000000"
+
+# Option B: vault reference (recommended for production)
+ibct_signing_key_vault_ref = "ZEPH_A2A_IBCT_KEY"
+```
+
+When `ibct_keys` or `ibct_signing_key_vault_ref` is set, outgoing A2A client calls include an `X-Zeph-IBCT` header containing a base64-encoded JSON token.
+
+### Token Structure
+
+Each token is HMAC-SHA256 signed and contains:
+
+| Field | Description |
+|-------|-------------|
+| `key_id` | Key identifier (for rotation without downtime) |
+| `task_id` | A2A task the token is scoped to |
+| `endpoint` | Target endpoint URL |
+| `issued_at` | Unix timestamp of issuance |
+| `expires_at` | Expiry timestamp (`issued_at + ibct_ttl_secs`) |
+| `signature` | HMAC-SHA256 over key_id + task_id + endpoint + timestamps |
+
+### Key Rotation
+
+Multiple keys can be listed in `[[a2a.ibct_keys]]`. The first key is used for signing; all keys are tried during verification. To rotate:
+
+1. Add the new key as the first entry (it will be used for new tokens).
+2. Keep the old key in the list temporarily (it will still verify existing tokens).
+3. After `ibct_ttl_secs` has elapsed, remove the old key.
+
 ## A2A Client
 
 Zeph can also connect to other A2A agents as a client:

book/src/advanced/tools.md

@@ -252,6 +252,42 @@ action = "ask"
 
 When `[tools.permissions]` is absent, legacy `blocked_commands` and `confirm_patterns` from `[tools.shell]` are automatically converted to equivalent permission rules (`deny` and `ask` respectively).
 
+## Structured Shell Output Envelope
+
+When `execute_bash` completes, stdout and stderr are captured as separate streams using a tagged channel. The result is stored as a `ShellOutputEnvelope` in `ToolOutput.raw_response`:
+
+```json
+{
+  "stdout": "...",
+  "stderr": "...",
+  "exit_code": 0,
+  "truncated": false
+}
+```
+
+The LLM context continues to receive the interleaved combined output (in `summary`) — behavior for the agent is unchanged. ACP and audit consumers, however, can access the envelope directly via `raw_response` to distinguish stdout from stderr and inspect the exact exit code.
+
+`AuditEntry` gains two optional fields populated from the envelope:
+
+| Field | Description |
+|-------|-------------|
+| `exit_code` | Process exit code (`null` when the process was killed by a signal) |
+| `truncated` | `true` when output was cut to the overflow threshold |
+
+## File Read Sandbox
+
+`FileExecutor` supports a per-path read sandbox via `[tools.file]`:
+
+```toml
+[tools.file]
+deny_read  = ["/etc/shadow", "/root/*", "/home/*/.ssh/*"]
+allow_read = ["/etc/hostname"]
+```
+
+Evaluation order: deny-then-allow. Patterns are matched against canonicalized absolute paths, so symlinks pointing into a denied directory are still blocked after resolution.
+
+See the [File Read Sandbox](../reference/security/file-sandbox.md) reference for the full configuration and glob syntax.
+
 ## Output Overflow
 
 When tool output exceeds a configurable character threshold, the full response is stored in the SQLite memory database (table `tool_overflow`) and the LLM receives a truncated version (head + tail split) with an opaque reference (`overflow:<uuid>`). This prevents large outputs from consuming the entire context window while preserving access to the complete data.

book/src/concepts/hooks.md

@@ -0,0 +1,95 @@
+# Reactive Hooks
+
+Zeph can run shell commands automatically in response to environment changes. Two hook events are supported: working directory changes and file system changes.
+
+## Hook Types
+
+### `cwd_changed`
+
+Fires when the agent's working directory changes — either via the `set_working_directory` tool or an explicit directory change detected after tool execution.
+
+```toml
+[[hooks.cwd_changed]]
+command = "echo"
+args = ["Changed to $ZEPH_NEW_CWD"]
+
+[[hooks.cwd_changed]]
+command = "git"
+args = ["status", "--short"]
+```
+
+Environment variables available to the hook process:
+
+| Variable | Description |
+|----------|-------------|
+| `ZEPH_OLD_CWD` | Previous working directory |
+| `ZEPH_NEW_CWD` | New working directory |
+
+### `file_changed`
+
+Fires when a file under `watch_paths` is modified. Changes are detected via `notify-debouncer-mini` with a 500 ms debounce window — rapid successive modifications produce a single event.
+
+```toml
+[hooks.file_changed]
+watch_paths = ["src/", "config.toml"]
+
+[[hooks.file_changed.handlers]]
+command = "cargo"
+args = ["check", "--quiet"]
+
+[[hooks.file_changed.handlers]]
+command = "echo"
+args = ["File changed: $ZEPH_CHANGED_PATH"]
+```
+
+Environment variable available to the hook process:
+
+| Variable | Description |
+|----------|-------------|
+| `ZEPH_CHANGED_PATH` | Absolute path of the changed file |
+
+## The `set_working_directory` Tool
+
+The `set_working_directory` tool gives the LLM an explicit, persistent way to change the agent's working directory. Unlike `cd` in a `bash` tool call (which is ephemeral and scoped to one subprocess), `set_working_directory` updates the agent's global cwd and triggers any `cwd_changed` hooks.
+
+```text
+Use set_working_directory to switch into /path/to/project
+```
+
+After the tool executes, subsequent `bash` and file tool calls run relative to the new directory.
+
+## TUI Indicator
+
+When a hook fires, the TUI status bar shows a short spinner message:
+
+- `cwd_changed` → `Working directory changed…`
+- `file_changed` → `File changed: <path>…`
+
+The indicator disappears once all hook commands for that event have completed.
+
+## Configuration Reference
+
+```toml
+# cwd_changed hooks — run in order when the working directory changes
+[[hooks.cwd_changed]]
+command = "echo"
+args = ["cwd is now $ZEPH_NEW_CWD"]
+
+# file_changed hooks — watch_paths + handler list
+[hooks.file_changed]
+watch_paths = ["src/", "tests/"]   # relative or absolute paths to watch
+debounce_ms = 500                  # debounce window in milliseconds (default: 500)
+
+[[hooks.file_changed.handlers]]
+command = "cargo"
+args = ["check", "--quiet"]
+```
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `hooks.cwd_changed[].command` | `string` | — | Executable to run |
+| `hooks.cwd_changed[].args` | `Vec<String>` | `[]` | Arguments (env vars expanded) |
+| `hooks.file_changed.watch_paths` | `Vec<String>` | `[]` | Paths to monitor |
+| `hooks.file_changed.debounce_ms` | `u64` | `500` | Debounce window in milliseconds |
+| `hooks.file_changed.handlers[].command` | `string` | — | Executable to run |
+| `hooks.file_changed.handlers[].args` | `Vec<String>` | `[]` | Arguments (env vars expanded) |

book/src/guides/mcp.md

@@ -117,6 +117,44 @@ min_tools_to_filter = 5         # Only apply filtering when the server exposes a
 
 `min_tools_to_filter` prevents aggressive filtering on small servers. When a server exposes fewer tools than this value, all tools from that server are included unconditionally.
 
+## MCP Elicitation
+
+MCP servers can request structured user input mid-task via the `elicitation/create` protocol method. This allows a server to prompt for missing parameters, confirmations, or credentials without requiring a separate out-of-band channel.
+
+### Enabling Elicitation
+
+Elicitation is disabled by default. Enable it globally or per server:
+
+```toml
+[mcp]
+elicitation_enabled = true       # global default (default: false)
+elicitation_timeout = 120        # seconds to wait for user input (default: 120)
+elicitation_queue_capacity = 16  # max queued requests (default: 16)
+elicitation_warn_sensitive_fields = true  # warn before sensitive field prompts
+
+[[mcp.servers]]
+id = "my-server"
+command = "npx"
+args = ["-y", "@acme/mcp-server"]
+elicitation_enabled = true       # per-server override (overrides global default)
+```
+
+`Sandboxed` trust-level servers are never permitted to elicit regardless of config.
+
+### How It Works
+
+When a server sends `elicitation/create`:
+
+- **CLI:** the user sees a phishing-prevention header showing the server name, followed by field prompts. Fields are typed (string, integer, number, boolean, enum).
+- **Non-interactive channels** (Telegram, ACP without a connected client): the request is automatically declined.
+- If the request queue is full (exceeds `elicitation_queue_capacity`), the request is auto-declined with a warning log instead of blocking or accumulating indefinitely.
+
+### Security Notes
+
+- Always review which servers have `elicitation_enabled = true`. A compromised server with elicitation access can prompt for arbitrary user input.
+- `elicitation_warn_sensitive_fields = true` (default) logs a warning when field names match secret patterns before prompting.
+- See [Elicitation Security](../reference/security/mcp.md#elicitation-security) for the full security model.
+
 ## How Matching Works
 
 MCP tools are embedded in Qdrant (`zeph_mcp_tools` collection) with BLAKE3 content-hash delta sync. Unified matching injects both skills and MCP tools into the system prompt by relevance score — keeping prompt size O(K) instead of O(N) where N is total tools across all servers.

book/src/reference/security/mcp.md

@@ -109,6 +109,77 @@ MCP server child processes inherit a sanitized environment. The following 21 env
 
 This prevents accidental secret leakage to untrusted MCP servers.
 
+## Tool Collision Detection
+
+When two connected MCP servers expose tools whose `sanitized_id` (server-prefix + normalized name) collide, Zeph logs a warning and the first-registered server's tool wins dispatch. This prevents a later server from silently shadowing an established tool.
+
+Collision warnings appear at connection time and when a dynamic server is added via `/mcp add`. Check the log for `[WARN] mcp: tool id collision` lines if you suspect shadowing.
+
+## Tool-List Snapshot Locking
+
+By default, Zeph accepts `notifications/tools/list_changed` from connected servers and fetches an updated tool list. This creates a window for mid-session tool injection: a compromised or misbehaving server could swap in tools after the operator has reviewed the initial list.
+
+Enable snapshot locking to prevent this:
+
+```toml
+[mcp]
+lock_tool_list = true
+```
+
+When `lock_tool_list = true`, `tools/list_changed` notifications are rejected for all servers after the initial connection handshake. The tool set is frozen at connect time. The lock flag is applied atomically before the connection handshake to eliminate TOCTOU races.
+
+## Per-Server Stdio Environment Isolation
+
+By default, spawned MCP server processes inherit the full (already-sanitized) environment. For additional containment, enable per-server environment isolation:
+
+```toml
+# Apply to all stdio servers by default
+[mcp]
+default_env_isolation = true
+
+# Override per server
+[[mcp.servers]]
+id = "sensitive-tools"
+command = "npx"
+args = ["-y", "@acme/sensitive"]
+env_isolation = true
+env = { TOOL_API_KEY = "vault:tool_key" }
+```
+
+With `env_isolation = true`, the child process receives only a minimal base environment (PATH, HOME, USER, TERM, TMPDIR, LANG, plus XDG dirs on Linux) plus the server-specific `env` map. All other inherited variables — including remaining secrets not caught by the blocklist — are stripped.
+
+| Setting | Scope | Effect |
+|---------|-------|--------|
+| `default_env_isolation` | All stdio servers | Opt-in baseline for all servers |
+| `env_isolation` per server | Single server | Override (can enable or disable the default) |
+
+## Intent-Anchor Nonce Boundaries
+
+Every MCP tool response is wrapped with a per-invocation nonce boundary:
+
+```
+[TOOL_OUTPUT::550e8400-e29b-41d4-a716-446655440000::BEGIN]
+<tool output>
+[TOOL_OUTPUT::550e8400-e29b-41d4-a716-446655440000::END]
+```
+
+The UUID is unique per call and generated inside Zeph, not from the server response. If tool output itself contains the string `[TOOL_OUTPUT::`, that prefix is escaped before wrapping, preventing injection attempts that mimic the boundary marker. This gives the injection-detection layer a reliable delimiter to trust.
+
+## Elicitation Security
+
+When a connected server uses the `elicitation/create` method to request user input, Zeph applies two safeguards:
+
+1. **Phishing-prevention header** — the CLI always displays the requesting server's ID before showing any fields, so the user knows which server is asking.
+
+2. **Sensitive field warning** — field names matching common secret patterns (password, token, secret, key, credential, auth, private, passphrase, pin) trigger an additional warning before the user is prompted. Configure with:
+
+```toml
+[mcp]
+elicitation_warn_sensitive_fields = true   # default: true
+```
+
+`Sandboxed` trust-level servers are never allowed to elicit regardless of `elicitation_enabled`. This is enforced unconditionally.
+
 ## Environment Variables
 
 MCP servers inherit environment variables from their configuration. Never store secrets directly in `config.toml` — use the [Vault](../security.md#age-vault) integration instead: