diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fc2df694..119f98ab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -72,4 +72,4 @@ jobs:
             target
           key: wasm-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: wasm-
-      - run: cargo check --target wasm32-unknown-unknown --workspace --exclude willow-relay --exclude willow-worker --exclude willow-replay --exclude willow-storage
+      - run: cargo check --target wasm32-unknown-unknown --workspace --exclude willow-relay --exclude willow-worker --exclude willow-replay --exclude willow-storage --exclude willow-agent
diff --git a/Cargo.lock b/Cargo.lock
index ac7d6c59..bcc78680 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -20,7 +20,7 @@ checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
 dependencies = [
  "cfg-if",
  "cipher",
- "cpufeatures",
+ "cpufeatures 0.2.17",
 ]
 
 [[package]]
@@ -297,6 +297,58 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
 
+[[package]]
+name = "axum"
+version = "0.8.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b52af3cb4058c895d37317bb27508dccc8e5f2d39454016b297bf4a400597b8"
+dependencies = [
+ "axum-core",
+ "bytes",
+ "form_urlencoded",
+ "futures-util",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-util",
+ "itoa",
+ "matchit",
+ "memchr",
+ "mime",
+ "percent-encoding",
+ "pin-project-lite",
+ "serde_core",
+ "serde_json",
+ "serde_path_to_error",
+ "serde_urlencoded",
+ "sync_wrapper",
+ "tokio",
+ "tower",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "axum-core"
+version = "0.5.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08c78f31d7b1291f7ee735c1c6780ccde7785daae9a9206026862dab7d8792d1"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "http",
+ "http-body",
+ "http-body-util",
+ "mime",
+ "pin-project-lite",
+ "sync_wrapper",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
 [[package]]
 name = "backon"
 version = "1.6.0"
@@ -377,7 +429,7 @@ dependencies = [
  "cc",
  "cfg-if",
  "constant_time_eq",
- "cpufeatures",
+ "cpufeatures 0.2.17",
 ]
 
 [[package]]
@@ -476,7 +528,18 @@ checksum = "c3613f74bd2eac03dad61bd53dbe620703d4371614fe0bc3b9f04dd36fe4e818"
 dependencies = [
  "cfg-if",
  "cipher",
- "cpufeatures",
+ "cpufeatures 0.2.17",
+]
+
+[[package]]
+name = "chacha20"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601"
+dependencies = [
+ "cfg-if",
+ "cpufeatures 0.3.0",
+ "rand_core 0.10.0",
 ]
 
 [[package]]
@@ -486,7 +549,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "10cd79432192d1c0f4e1a0fef9527696cc039165d729fb41b3f4f4f354c2dc35"
 dependencies = [
  "aead",
- "chacha20",
+ "chacha20 0.9.1",
  "cipher",
  "poly1305",
  "zeroize",
@@ -741,6 +804,15 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "cpufeatures"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "critical-section"
 version = "1.2.0"
@@ -807,7 +879,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "curve25519-dalek-derive",
  "fiat-crypto 0.2.9",
  "rustc_version",
@@ -822,7 +894,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6f9200d1d13637f15a6acb71e758f64624048d85b31a5fdbfd8eca1e2687d0b7"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "curve25519-dalek-derive",
  "digest 0.11.0-rc.10",
  "fiat-crypto 0.3.0",
@@ -894,8 +966,18 @@ version = "0.20.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
 dependencies = [
- "darling_core",
- "darling_macro",
+ "darling_core 0.20.11",
+ "darling_macro 0.20.11",
+]
+
+[[package]]
+name = "darling"
+version = "0.23.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "25ae13da2f202d56bd7f91c25fba009e7717a1e4a1cc98a76d844b65ae912e9d"
+dependencies = [
+ "darling_core 0.23.0",
+ "darling_macro 0.23.0",
 ]
 
 [[package]]
@@ -912,13 +994,37 @@ dependencies = [
  "syn 2.0.117",
 ]
 
+[[package]]
+name = "darling_core"
+version = "0.23.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9865a50f7c335f53564bb694ef660825eb8610e0a53d3e11bf1b0d3df31e03b0"
+dependencies = [
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "darling_macro"
 version = "0.20.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
 dependencies = [
- "darling_core",
+ "darling_core 0.20.11",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.23.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d"
+dependencies = [
+ "darling_core 0.23.0",
  "quote",
  "syn 2.0.117",
 ]
@@ -1003,7 +1109,7 @@ version = "0.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8"
 dependencies = [
- "darling",
+ "darling 0.20.11",
  "proc-macro2",
  "quote",
  "syn 2.0.117",
@@ -1562,6 +1668,7 @@ dependencies = [
  "js-sys",
  "libc",
  "r-efi 6.0.0",
+ "rand_core 0.10.0",
  "wasip2",
  "wasip3",
  "wasm-bindgen",
@@ -2474,9 +2581,9 @@ dependencies = [
 
 [[package]]
 name = "itoa"
-version = "1.0.4"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4217ad341ebadf8d8e724e264f13e593e0648f5b3e94b3896a5df283be015ecc"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 
 [[package]]
 name = "jni"
@@ -2813,12 +2920,24 @@ dependencies = [
  "regex-automata",
 ]
 
+[[package]]
+name = "matchit"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
+
 [[package]]
 name = "memchr"
 version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
+[[package]]
+name = "mime"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+
 [[package]]
 name = "minicov"
 version = "0.3.8"
@@ -3366,6 +3485,12 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
 
+[[package]]
+name = "pastey"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b867cad97c0791bbd3aaa6472142568c6c9e8f71937e98379f584cfb0cf35bec"
+
 [[package]]
 name = "pathdiff"
 version = "0.2.3"
@@ -3493,7 +3618,7 @@ version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf"
 dependencies = [
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "opaque-debug",
  "universal-hash",
 ]
@@ -3505,7 +3630,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "opaque-debug",
  "universal-hash",
 ]
@@ -3839,6 +3964,17 @@ dependencies = [
  "rand_core 0.9.5",
 ]
 
+[[package]]
+name = "rand"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8"
+dependencies = [
+ "chacha20 0.10.0",
+ "getrandom 0.4.2",
+ "rand_core 0.10.0",
+]
+
 [[package]]
 name = "rand_chacha"
 version = "0.3.1"
@@ -3877,6 +4013,12 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
+[[package]]
+name = "rand_core"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba"
+
 [[package]]
 name = "range-collections"
 version = "0.4.6"
@@ -4121,6 +4263,50 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "rmcp"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2231b2c085b371c01bc90c0e6c1cab8834711b6394533375bdbf870b0166d419"
+dependencies = [
+ "async-trait",
+ "base64",
+ "bytes",
+ "chrono",
+ "futures",
+ "http",
+ "http-body",
+ "http-body-util",
+ "pastey",
+ "pin-project-lite",
+ "rand 0.10.0",
+ "rmcp-macros",
+ "schemars",
+ "serde",
+ "serde_json",
+ "sse-stream",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-stream",
+ "tokio-util",
+ "tower-service",
+ "tracing",
+ "uuid",
+]
+
+[[package]]
+name = "rmcp-macros"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "36ea0e100fadf81be85d7ff70f86cd805c7572601d4ab2946207f36540854b43"
+dependencies = [
+ "darling 0.23.0",
+ "proc-macro2",
+ "quote",
+ "serde_json",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "rstml"
 version = "0.12.1"
@@ -4326,6 +4512,32 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "schemars"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2b42f36aa1cd011945615b92222f6bf73c599a102a300334cd7f8dbeec726cc"
+dependencies = [
+ "chrono",
+ "dyn-clone",
+ "ref-cast",
+ "schemars_derive",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars_derive"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d115b50f4aaeea07e79c1912f645c7513d81715d0420f8bc77a18c6260b307f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde_derive_internals",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "scoped-tls"
 version = "1.0.1"
@@ -4438,6 +4650,17 @@ dependencies = [
  "syn 2.0.117",
 ]
 
+[[package]]
+name = "serde_derive_internals"
+version = "0.29.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "serde_json"
 version = "1.0.149"
@@ -4451,6 +4674,17 @@ dependencies = [
  "zmij",
 ]
 
+[[package]]
+name = "serde_path_to_error"
+version = "0.1.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10a9ff822e371bb5403e391ecd83e182e0e77ba7f6fe0160b795797109d1b457"
+dependencies = [
+ "itoa",
+ "serde",
+ "serde_core",
+]
+
 [[package]]
 name = "serde_qs"
 version = "0.13.0"
@@ -4544,7 +4778,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c777f0a122a53fddb0beb6e706771197000b8eb5c9f42b5b850f450ef48c788"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "digest 0.11.0-rc.10",
 ]
 
@@ -4555,7 +4789,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "digest 0.10.7",
 ]
 
@@ -4566,7 +4800,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d1e3878ab0f98e35b2df35fe53201d088299b41a6bb63e3e34dada2ac4abd924"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "digest 0.11.0-rc.10",
 ]
 
@@ -4708,6 +4942,19 @@ dependencies = [
  "der",
 ]
 
+[[package]]
+name = "sse-stream"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb4dc4d33c68ec1f27d386b5610a351922656e1fdf5c05bbaad930cd1519479a"
+dependencies = [
+ "bytes",
+ "futures-util",
+ "http-body",
+ "http-body-util",
+ "pin-project-lite",
+]
+
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.0"
@@ -5169,6 +5416,7 @@ dependencies = [
  "tokio",
  "tower-layer",
  "tower-service",
+ "tracing",
 ]
 
 [[package]]
@@ -5701,6 +5949,31 @@ dependencies = [
  "wasm-bindgen-futures",
 ]
 
+[[package]]
+name = "willow-agent"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "axum",
+ "clap",
+ "dirs",
+ "rand 0.8.5",
+ "rmcp",
+ "schemars",
+ "serde",
+ "serde_json",
+ "tempfile",
+ "tokio",
+ "tokio-util",
+ "tracing",
+ "tracing-subscriber",
+ "willow-actor",
+ "willow-client",
+ "willow-identity",
+ "willow-network",
+ "willow-state",
+]
+
 [[package]]
 name = "willow-channel"
 version = "0.1.0"
diff --git a/crates/agent/Cargo.toml b/crates/agent/Cargo.toml
new file mode 100644
index 00000000..5f4cf3d5
--- /dev/null
+++ b/crates/agent/Cargo.toml
@@ -0,0 +1,40 @@
+[package]
+name = "willow-agent"
+edition.workspace = true
+version.workspace = true
+license.workspace = true
+description = "MCP server binary exposing Willow ClientHandle to AI agents"
+
+[lib]
+name = "willow_agent"
+path = "src/lib.rs"
+
+[[bin]]
+name = "willow-agent"
+path = "src/main.rs"
+
+[dependencies]
+willow-client = { path = "../client" }
+willow-identity = { path = "../identity" }
+willow-network = { path = "../network" }
+willow-actor = { path = "../actor" }
+willow-state = { path = "../state" }
+
+rmcp = { version = "1.3", features = ["server", "transport-io", "transport-streamable-http-server"] }
+axum = "0.8"
+tokio-util = "0.7"
+schemars = "1.0"
+tokio = { version = "1", features = ["full"] }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+clap = { version = "4", features = ["derive"] }
+tracing = { workspace = true }
+tracing-subscriber = { workspace = true }
+anyhow = { workspace = true }
+rand = "0.8"
+dirs = "6"
+
+[dev-dependencies]
+willow-client = { path = "../client", features = ["test-utils"] }
+willow-network = { path = "../network", features = ["test-utils"] }
+tempfile = "3"
diff --git a/crates/agent/src/auth.rs b/crates/agent/src/auth.rs
new file mode 100644
index 00000000..28257c65
--- /dev/null
+++ b/crates/agent/src/auth.rs
@@ -0,0 +1,96 @@
+//! # Bearer Token Generation
+//!
+//! Generate and manage bearer tokens for MCP transport authentication.
+//! Stdio transport skips auth (process isolation). SSE/HTTP transports
+//! require a bearer token in the `Authorization` header.
+
+use rand::Rng;
+
+/// Token prefix for Willow agent tokens.
+const TOKEN_PREFIX: &str = "wlw_";
+
+/// Generate a 256-bit random bearer token with `wlw_` prefix.
+pub fn generate_token() -> String {
+    let mut rng = rand::thread_rng();
+    let mut bytes = [0u8; 32];
+    rng.fill(&mut bytes);
+    format!("{}{}", TOKEN_PREFIX, hex::encode(&bytes))
+}
+
+/// Resolve the bearer token: use provided value, or generate one.
+/// If `token_file` is set, write the token to that path with 0600 permissions.
+pub fn resolve_token(token: &Option<String>, token_file: Option<&str>) -> anyhow::Result<String> {
+    let t = match token {
+        Some(t) => t.clone(),
+        None => generate_token(),
+    };
+
+    if let Some(path) = token_file {
+        std::fs::write(path, &t)?;
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            std::fs::set_permissions(path, std::fs::Permissions::from_mode(0o600))?;
+        }
+        tracing::info!("token written to {}", path);
+    }
+
+    Ok(t)
+}
+
+/// Simple hex encoding (avoids pulling in the `hex` crate for just this).
+mod hex {
+    pub fn encode(bytes: &[u8]) -> String {
+        bytes.iter().map(|b| format!("{b:02x}")).collect()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn token_has_correct_prefix() {
+        let token = generate_token();
+        assert!(token.starts_with("wlw_"));
+    }
+
+    #[test]
+    fn token_has_correct_length() {
+        let token = generate_token();
+        // wlw_ (4) + 64 hex chars = 68
+        assert_eq!(token.len(), 68);
+    }
+
+    #[test]
+    fn tokens_are_unique() {
+        let t1 = generate_token();
+        let t2 = generate_token();
+        assert_ne!(t1, t2);
+    }
+
+    #[test]
+    fn resolve_uses_provided_token() {
+        let provided = "wlw_custom".to_string();
+        let result = resolve_token(&Some(provided.clone()), None).unwrap();
+        assert_eq!(result, provided);
+    }
+
+    #[test]
+    fn resolve_generates_when_none() {
+        let result = resolve_token(&None, None).unwrap();
+        assert!(result.starts_with("wlw_"));
+        assert_eq!(result.len(), 68);
+    }
+
+    #[test]
+    fn token_file_written_and_readable() {
+        let dir = std::env::temp_dir().join("willow-auth-test");
+        let _ = std::fs::create_dir_all(&dir);
+        let path = dir.join("test-token");
+        let token = resolve_token(&None, Some(path.to_str().unwrap())).unwrap();
+        let read_back = std::fs::read_to_string(&path).unwrap();
+        assert_eq!(token, read_back);
+        let _ = std::fs::remove_file(&path);
+    }
+}
diff --git a/crates/agent/src/lib.rs b/crates/agent/src/lib.rs
new file mode 100644
index 00000000..e9b93a00
--- /dev/null
+++ b/crates/agent/src/lib.rs
@@ -0,0 +1,10 @@
+//! # Willow Agent Library
+//!
+//! Re-exports for integration tests and external consumers.
+
+pub mod auth;
+pub mod notifications;
+pub mod resources;
+pub mod scopes;
+pub mod server;
+pub mod tools;
diff --git a/crates/agent/src/main.rs b/crates/agent/src/main.rs
new file mode 100644
index 00000000..26c9b6cd
--- /dev/null
+++ b/crates/agent/src/main.rs
@@ -0,0 +1,187 @@
+//! # Willow Agent
+//!
+//! MCP server binary that exposes `ClientHandle` as tools, resources, and
+//! notifications to AI agents, bots, and scripts. The agent binary is a
+//! first-class Willow peer with its own Ed25519 identity.
+
+use clap::Parser;
+use willow_agent::{auth, server};
+use willow_client::{ClientConfig, ClientHandle};
+use willow_identity::Identity;
+use willow_network::iroh::{Config as IrohConfig, IrohNetwork, RelayUrl};
+
+#[derive(Parser)]
+#[command(name = "willow-agent", about = "Willow MCP agent peer")]
+struct Cli {
+    /// Iroh relay URL for NAT traversal.
+    #[arg(long)]
+    relay: Option<String>,
+
+    /// Display name for the agent peer.
+    #[arg(long, default_value = "Agent")]
+    name: String,
+
+    /// Server ID to switch to on startup.
+    #[arg(long)]
+    server: Option<String>,
+
+    /// Invite code to accept on startup.
+    #[arg(long)]
+    invite: Option<String>,
+
+    /// MCP transport: stdio | http [default: stdio].
+    #[arg(long, default_value = "stdio")]
+    transport: String,
+
+    /// Bind address for SSE/HTTP transports.
+    #[arg(long, default_value = "127.0.0.1:9100")]
+    bind: String,
+
+    /// Bearer token (auto-generated if omitted).
+    #[arg(long)]
+    token: Option<String>,
+
+    /// Write bearer token to this file (0600 permissions).
+    #[arg(long)]
+    token_file: Option<String>,
+
+    /// Path to Ed25519 identity file.
+    #[arg(long)]
+    identity: Option<String>,
+
+    /// Whether to persist state to disk.
+    #[arg(long)]
+    persist: bool,
+
+    /// Log level filter.
+    #[arg(long, default_value = "info")]
+    log_level: String,
+
+    /// Generate a new identity and exit.
+    #[arg(long)]
+    generate_identity: bool,
+
+    /// Print the peer ID for the identity file and exit.
+    #[arg(long)]
+    print_peer_id: bool,
+}
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    let cli = Cli::parse();
+
+    tracing_subscriber::fmt()
+        .with_env_filter(
+            tracing_subscriber::EnvFilter::try_from_default_env()
+                .unwrap_or_else(|_| cli.log_level.clone().into()),
+        )
+        .with_writer(std::io::stderr)
+        .init();
+
+    // Identity management.
+    let identity_path = cli.identity.clone().unwrap_or_else(default_identity_path);
+
+    if cli.generate_identity {
+        let identity = Identity::generate();
+        std::fs::create_dir_all(
+            std::path::Path::new(&identity_path)
+                .parent()
+                .unwrap_or(std::path::Path::new(".")),
+        )?;
+        std::fs::write(&identity_path, identity.to_bytes())?;
+        tracing::info!("identity generated at {}", identity_path);
+        return Ok(());
+    }
+
+    let identity = load_or_generate_identity(&identity_path)?;
+
+    if cli.print_peer_id {
+        println!("{}", identity.endpoint_id());
+        return Ok(());
+    }
+
+    // Build client.
+    let config = ClientConfig {
+        relay_addr: cli.relay.clone(),
+        display_name: Some(cli.name.clone()),
+        persistence: cli.persist,
+    };
+
+    let (mut client, _event_loop) = ClientHandle::<IrohNetwork>::new(config);
+
+    // Connect to network if relay specified.
+    if let Some(ref relay_url) = cli.relay {
+        let relay: RelayUrl = relay_url.parse().expect("invalid relay URL");
+        let iroh_config = IrohConfig {
+            secret_key: identity.secret_key().clone(),
+            relay_url: Some(relay),
+            bootstrap_peers: vec![],
+            mdns: false,
+        };
+        let network = IrohNetwork::new(iroh_config).await?;
+        client.connect(network).await;
+        tracing::info!(peer_id = %client.peer_id(), "connected to network");
+    }
+
+    // Accept invite if provided.
+    if let Some(ref invite) = cli.invite {
+        client.accept_invite(invite).await?;
+        tracing::info!("accepted invite");
+    }
+
+    // Switch server if specified.
+    if let Some(ref server_id) = cli.server {
+        client.switch_server(server_id).await;
+        tracing::info!(server = server_id, "switched to server");
+    }
+
+    // Set display name.
+    client.set_display_name(&cli.name).await;
+
+    // Generate or use provided bearer token.
+    let token = auth::resolve_token(&cli.token, cli.token_file.as_deref())?;
+
+    // Start MCP server.
+    match cli.transport.as_str() {
+        "stdio" => {
+            tracing::info!("starting MCP server on stdio");
+            server::serve_stdio(client).await?;
+        }
+        "http" => {
+            eprintln!("Bearer token: {token}");
+            tracing::info!("starting MCP HTTP server on {}", cli.bind);
+            server::serve_http(client, &cli.bind, Default::default(), token).await?;
+        }
+        other => {
+            anyhow::bail!("unsupported transport: {other} (supported: 'stdio', 'http')");
+        }
+    }
+
+    Ok(())
+}
+
+/// Default identity path: ~/.willow/agent-identity
+fn default_identity_path() -> String {
+    dirs::home_dir()
+        .map(|h| h.join(".willow").join("agent-identity"))
+        .unwrap_or_else(|| std::path::PathBuf::from(".willow/agent-identity"))
+        .to_string_lossy()
+        .into_owned()
+}
+
+/// Load identity from file, or generate a new one if the file doesn't exist.
+fn load_or_generate_identity(path: &str) -> anyhow::Result<Identity> {
+    let p = std::path::Path::new(path);
+    if p.exists() {
+        let bytes = std::fs::read(p)?;
+        Identity::from_bytes(&bytes).ok_or_else(|| anyhow::anyhow!("invalid identity file"))
+    } else {
+        let identity = Identity::generate();
+        if let Some(parent) = p.parent() {
+            std::fs::create_dir_all(parent)?;
+        }
+        std::fs::write(p, identity.to_bytes())?;
+        tracing::info!("generated new identity at {}", path);
+        Ok(identity)
+    }
+}
diff --git a/crates/agent/src/notifications.rs b/crates/agent/src/notifications.rs
new file mode 100644
index 00000000..b44e5d73
--- /dev/null
+++ b/crates/agent/src/notifications.rs
@@ -0,0 +1,422 @@
+//! # ClientEvent → MCP Notifications
+//!
+//! Bridges `ClientEvent` from `Broker<ClientEvent>` into MCP
+//! server-sent notifications. Each event variant is serialized to JSON
+//! with a `type` field matching the spec notification table.
+
+use serde::Serialize;
+use willow_client::ClientEvent;
+
+/// Serialize a `ClientEvent` into a JSON value for MCP notification params.
+pub fn event_to_json(event: &ClientEvent) -> serde_json::Value {
+    match event {
+        ClientEvent::MessageReceived {
+            channel,
+            message_id,
+            is_local,
+        } => to_value(&NotificationPayload {
+            r#type: "MessageReceived",
+            data: serde_json::json!({
+                "channel": channel,
+                "message_id": message_id,
+                "is_local": is_local,
+            }),
+        }),
+        ClientEvent::MessageEdited {
+            channel,
+            message_id,
+            new_body,
+        } => to_value(&NotificationPayload {
+            r#type: "MessageEdited",
+            data: serde_json::json!({
+                "channel": channel,
+                "message_id": message_id,
+                "new_body": new_body,
+            }),
+        }),
+        ClientEvent::MessageDeleted {
+            channel,
+            message_id,
+        } => to_value(&NotificationPayload {
+            r#type: "MessageDeleted",
+            data: serde_json::json!({
+                "channel": channel,
+                "message_id": message_id,
+            }),
+        }),
+        ClientEvent::ReactionAdded {
+            channel,
+            message_id,
+            emoji,
+            author,
+        } => to_value(&NotificationPayload {
+            r#type: "ReactionAdded",
+            data: serde_json::json!({
+                "channel": channel,
+                "message_id": message_id,
+                "emoji": emoji,
+                "author": author.to_string(),
+            }),
+        }),
+        ClientEvent::PeerConnected(peer) => to_value(&NotificationPayload {
+            r#type: "PeerConnected",
+            data: serde_json::json!({ "peer_id": peer.to_string() }),
+        }),
+        ClientEvent::PeerDisconnected(peer) => to_value(&NotificationPayload {
+            r#type: "PeerDisconnected",
+            data: serde_json::json!({ "peer_id": peer.to_string() }),
+        }),
+        ClientEvent::ChannelCreated(name) => to_value(&NotificationPayload {
+            r#type: "ChannelCreated",
+            data: serde_json::json!({ "name": name }),
+        }),
+        ClientEvent::ChannelDeleted(name) => to_value(&NotificationPayload {
+            r#type: "ChannelDeleted",
+            data: serde_json::json!({ "name": name }),
+        }),
+        ClientEvent::MemberKicked(peer) => to_value(&NotificationPayload {
+            r#type: "MemberKicked",
+            data: serde_json::json!({ "peer_id": peer.to_string() }),
+        }),
+        ClientEvent::PeerTrusted(peer) => to_value(&NotificationPayload {
+            r#type: "PeerTrusted",
+            data: serde_json::json!({ "peer_id": peer.to_string() }),
+        }),
+        ClientEvent::PeerUntrusted(peer) => to_value(&NotificationPayload {
+            r#type: "PeerUntrusted",
+            data: serde_json::json!({ "peer_id": peer.to_string() }),
+        }),
+        ClientEvent::ProfileUpdated {
+            peer_id,
+            display_name,
+        } => to_value(&NotificationPayload {
+            r#type: "ProfileUpdated",
+            data: serde_json::json!({
+                "peer_id": peer_id.to_string(),
+                "display_name": display_name,
+            }),
+        }),
+        ClientEvent::FileAnnounced {
+            channel,
+            filename,
+            size,
+            from,
+        } => to_value(&NotificationPayload {
+            r#type: "FileAnnounced",
+            data: serde_json::json!({
+                "channel": channel,
+                "filename": filename,
+                "size": size,
+                "from": from,
+            }),
+        }),
+        ClientEvent::Listening(address) => to_value(&NotificationPayload {
+            r#type: "Listening",
+            data: serde_json::json!({ "address": address }),
+        }),
+        ClientEvent::SyncCompleted { ops_applied } => to_value(&NotificationPayload {
+            r#type: "SyncCompleted",
+            data: serde_json::json!({ "ops_applied": ops_applied }),
+        }),
+        ClientEvent::RoleCreated { name, role_id } => to_value(&NotificationPayload {
+            r#type: "RoleCreated",
+            data: serde_json::json!({
+                "name": name,
+                "role_id": role_id,
+            }),
+        }),
+        ClientEvent::RoleDeleted { role_id } => to_value(&NotificationPayload {
+            r#type: "RoleDeleted",
+            data: serde_json::json!({ "role_id": role_id }),
+        }),
+        ClientEvent::StateHashMismatch {
+            peer_id,
+            our_hash,
+            their_hash,
+        } => to_value(&NotificationPayload {
+            r#type: "StateHashMismatch",
+            data: serde_json::json!({
+                "peer_id": peer_id.to_string(),
+                "our_hash": our_hash,
+                "their_hash": their_hash,
+            }),
+        }),
+        ClientEvent::ServerRenamed { new_name } => to_value(&NotificationPayload {
+            r#type: "ServerRenamed",
+            data: serde_json::json!({ "new_name": new_name }),
+        }),
+        ClientEvent::ServerDescriptionChanged { description } => to_value(&NotificationPayload {
+            r#type: "ServerDescriptionChanged",
+            data: serde_json::json!({ "description": description }),
+        }),
+        ClientEvent::MessagePinned {
+            channel,
+            message_id,
+        } => to_value(&NotificationPayload {
+            r#type: "MessagePinned",
+            data: serde_json::json!({
+                "channel": channel,
+                "message_id": message_id,
+            }),
+        }),
+        ClientEvent::MessageUnpinned {
+            channel,
+            message_id,
+        } => to_value(&NotificationPayload {
+            r#type: "MessageUnpinned",
+            data: serde_json::json!({
+                "channel": channel,
+                "message_id": message_id,
+            }),
+        }),
+        ClientEvent::VoiceJoined {
+            channel_id,
+            peer_id,
+        } => to_value(&NotificationPayload {
+            r#type: "VoiceJoined",
+            data: serde_json::json!({
+                "channel_id": channel_id,
+                "peer_id": peer_id.to_string(),
+            }),
+        }),
+        ClientEvent::VoiceLeft {
+            channel_id,
+            peer_id,
+        } => to_value(&NotificationPayload {
+            r#type: "VoiceLeft",
+            data: serde_json::json!({
+                "channel_id": channel_id,
+                "peer_id": peer_id.to_string(),
+            }),
+        }),
+        ClientEvent::VoiceSignal {
+            channel_id,
+            from_peer,
+            signal,
+        } => to_value(&NotificationPayload {
+            r#type: "VoiceSignal",
+            data: serde_json::json!({
+                "channel_id": channel_id,
+                "from_peer": from_peer.to_string(),
+                "signal": signal,
+            }),
+        }),
+        ClientEvent::JoinLinkResponse { invite_data } => to_value(&NotificationPayload {
+            r#type: "JoinLinkResponse",
+            data: serde_json::json!({ "invite_data": invite_data }),
+        }),
+        ClientEvent::JoinLinkDenied { reason } => to_value(&NotificationPayload {
+            r#type: "JoinLinkDenied",
+            data: serde_json::json!({ "reason": reason }),
+        }),
+    }
+}
+
+/// All 27 event type names for validation.
+pub const EVENT_TYPE_NAMES: &[&str] = &[
+    "MessageReceived",
+    "MessageEdited",
+    "MessageDeleted",
+    "ReactionAdded",
+    "PeerConnected",
+    "PeerDisconnected",
+    "ChannelCreated",
+    "ChannelDeleted",
+    "MemberKicked",
+    "PeerTrusted",
+    "PeerUntrusted",
+    "ProfileUpdated",
+    "FileAnnounced",
+    "Listening",
+    "SyncCompleted",
+    "RoleCreated",
+    "RoleDeleted",
+    "StateHashMismatch",
+    "ServerRenamed",
+    "ServerDescriptionChanged",
+    "MessagePinned",
+    "MessageUnpinned",
+    "VoiceJoined",
+    "VoiceLeft",
+    "VoiceSignal",
+    "JoinLinkResponse",
+    "JoinLinkDenied",
+];
+
+#[derive(Serialize)]
+struct NotificationPayload {
+    r#type: &'static str,
+    data: serde_json::Value,
+}
+
+fn to_value(payload: &NotificationPayload) -> serde_json::Value {
+    serde_json::to_value(payload).unwrap_or_default()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use willow_identity::Identity;
+
+    #[test]
+    fn all_27_event_types_listed() {
+        assert_eq!(EVENT_TYPE_NAMES.len(), 27);
+    }
+
+    #[test]
+    fn event_type_names_are_unique() {
+        let mut set = std::collections::HashSet::new();
+        for name in EVENT_TYPE_NAMES {
+            assert!(set.insert(name), "duplicate event type: {name}");
+        }
+    }
+
+    #[test]
+    fn message_received_serializes_correctly() {
+        let event = ClientEvent::MessageReceived {
+            channel: "general".to_string(),
+            message_id: "msg-1".to_string(),
+            is_local: false,
+        };
+        let json = event_to_json(&event);
+        assert_eq!(json["type"], "MessageReceived");
+        assert_eq!(json["data"]["channel"], "general");
+        assert_eq!(json["data"]["message_id"], "msg-1");
+        assert_eq!(json["data"]["is_local"], false);
+    }
+
+    #[test]
+    fn peer_connected_serializes_correctly() {
+        let id = Identity::generate().endpoint_id();
+        let event = ClientEvent::PeerConnected(id);
+        let json = event_to_json(&event);
+        assert_eq!(json["type"], "PeerConnected");
+        assert_eq!(json["data"]["peer_id"], id.to_string());
+    }
+
+    #[test]
+    fn all_variants_produce_valid_json() {
+        let id = Identity::generate().endpoint_id();
+        let events = vec![
+            ClientEvent::MessageReceived {
+                channel: "ch".into(),
+                message_id: "m".into(),
+                is_local: true,
+            },
+            ClientEvent::MessageEdited {
+                channel: "ch".into(),
+                message_id: "m".into(),
+                new_body: "new".into(),
+            },
+            ClientEvent::MessageDeleted {
+                channel: "ch".into(),
+                message_id: "m".into(),
+            },
+            ClientEvent::ReactionAdded {
+                channel: "ch".into(),
+                message_id: "m".into(),
+                emoji: "👍".into(),
+                author: id,
+            },
+            ClientEvent::PeerConnected(id),
+            ClientEvent::PeerDisconnected(id),
+            ClientEvent::ChannelCreated("dev".into()),
+            ClientEvent::ChannelDeleted("dev".into()),
+            ClientEvent::MemberKicked(id),
+            ClientEvent::PeerTrusted(id),
+            ClientEvent::PeerUntrusted(id),
+            ClientEvent::ProfileUpdated {
+                peer_id: id,
+                display_name: "Alice".into(),
+            },
+            ClientEvent::FileAnnounced {
+                channel: "ch".into(),
+                filename: "f.txt".into(),
+                size: 100,
+                from: "Alice".into(),
+            },
+            ClientEvent::Listening("topic".into()),
+            ClientEvent::SyncCompleted { ops_applied: 5 },
+            ClientEvent::RoleCreated {
+                name: "mod".into(),
+                role_id: "r1".into(),
+            },
+            ClientEvent::RoleDeleted {
+                role_id: "r1".into(),
+            },
+            ClientEvent::StateHashMismatch {
+                peer_id: id,
+                our_hash: "aaa".into(),
+                their_hash: "bbb".into(),
+            },
+            ClientEvent::ServerRenamed {
+                new_name: "New".into(),
+            },
+            ClientEvent::ServerDescriptionChanged {
+                description: "desc".into(),
+            },
+            ClientEvent::MessagePinned {
+                channel: "ch".into(),
+                message_id: "m".into(),
+            },
+            ClientEvent::MessageUnpinned {
+                channel: "ch".into(),
+                message_id: "m".into(),
+            },
+            ClientEvent::VoiceJoined {
+                channel_id: "vc".into(),
+                peer_id: id,
+            },
+            ClientEvent::VoiceLeft {
+                channel_id: "vc".into(),
+                peer_id: id,
+            },
+            ClientEvent::VoiceSignal {
+                channel_id: "vc".into(),
+                from_peer: id,
+                signal: willow_client::VoiceSignalPayload::Offer("sdp-offer".into()),
+            },
+            ClientEvent::JoinLinkResponse {
+                invite_data: "data".into(),
+            },
+            ClientEvent::JoinLinkDenied {
+                reason: "no".into(),
+            },
+        ];
+        // All 27 events
+        assert_eq!(events.len(), 27, "should test all 27 event variants");
+        for event in &events {
+            let json = event_to_json(event);
+            assert!(json.is_object(), "expected object for {event:?}");
+            assert!(json["type"].is_string(), "missing type for {event:?}");
+        }
+    }
+
+    #[test]
+    fn voice_signal_includes_payload() {
+        let id = Identity::generate().endpoint_id();
+
+        // Test Offer variant
+        let event = ClientEvent::VoiceSignal {
+            channel_id: "vc".into(),
+            from_peer: id,
+            signal: willow_client::VoiceSignalPayload::Offer("sdp-data".into()),
+        };
+        let json = event_to_json(&event);
+        assert_eq!(json["type"], "VoiceSignal");
+        assert!(
+            json["data"]["signal"].is_object(),
+            "signal should be present"
+        );
+        assert_eq!(json["data"]["signal"]["Offer"], "sdp-data");
+
+        // Test IceCandidate variant
+        let event = ClientEvent::VoiceSignal {
+            channel_id: "vc".into(),
+            from_peer: id,
+            signal: willow_client::VoiceSignalPayload::IceCandidate("candidate-data".into()),
+        };
+        let json = event_to_json(&event);
+        assert_eq!(json["data"]["signal"]["IceCandidate"], "candidate-data");
+    }
+}
diff --git a/crates/agent/src/resources.rs b/crates/agent/src/resources.rs
new file mode 100644
index 00000000..ffd4352d
--- /dev/null
+++ b/crates/agent/src/resources.rs
@@ -0,0 +1,433 @@
+//! # MCP Resource Definitions and Handlers
+//!
+//! All 15 MCP resources mapped to `ClientHandle` accessors and `StateRef` views.
+
+use std::sync::Arc;
+
+use rmcp::model::*;
+use rmcp::ErrorData;
+use serde::Serialize;
+use willow_client::ClientHandle;
+use willow_network::Network;
+
+/// Build the static list of resource definitions for `resources/list`.
+pub fn list_resources() -> Vec<Resource> {
+    let defs = [
+        (
+            "willow://identity",
+            "Identity",
+            "Local peer identity (peer_id, display_name)",
+        ),
+        (
+            "willow://connection",
+            "Connection",
+            "Connection status (connected, peer_count, typing_peers)",
+        ),
+        ("willow://servers", "Servers", "List of servers (id, name)"),
+        (
+            "willow://server/current",
+            "Current Server",
+            "Active server details",
+        ),
+        (
+            "willow://server/channels",
+            "Channels",
+            "Channels in the active server",
+        ),
+        (
+            "willow://server/members",
+            "Members",
+            "Members of the active server",
+        ),
+        (
+            "willow://server/roles",
+            "Roles",
+            "Roles in the active server",
+        ),
+        (
+            "willow://server/unread",
+            "Unread Counts",
+            "Unread message counts per channel",
+        ),
+        (
+            "willow://server/join-links",
+            "Join Links",
+            "Active join links",
+        ),
+        (
+            "willow://server/state-agreement",
+            "State Agreement",
+            "State hash agreement status",
+        ),
+        (
+            "willow://channel/{name}/messages",
+            "Channel Messages",
+            "Messages in a channel (use channel name in URI)",
+        ),
+        (
+            "willow://channel/{name}/pins",
+            "Pinned Messages",
+            "Pinned messages in a channel",
+        ),
+        (
+            "willow://channel/{name}/typing",
+            "Typing Indicators",
+            "Who is typing in a channel",
+        ),
+        (
+            "willow://voice/status",
+            "Voice Status",
+            "Current voice state (active channel, muted, deafened)",
+        ),
+        (
+            "willow://voice/{channel}/participants",
+            "Voice Participants",
+            "Participants in a voice channel",
+        ),
+    ];
+
+    defs.iter()
+        .map(|(uri, name, desc)| Annotated {
+            raw: RawResource {
+                uri: uri.to_string(),
+                name: name.to_string(),
+                title: None,
+                description: Some(desc.to_string()),
+                mime_type: Some("application/json".to_string()),
+                size: None,
+                icons: None,
+                meta: None,
+            },
+            annotations: None,
+        })
+        .collect()
+}
+
+/// Read a resource by URI. Returns JSON-encoded state snapshots.
+pub async fn read_resource<N: Network>(
+    client: &Arc<ClientHandle<N>>,
+    uri: &str,
+) -> Result<ReadResourceResult, ErrorData> {
+    let json = match uri {
+        "willow://identity" => {
+            let peer_id = client.peer_id();
+            let display_name = client.display_name().await;
+            to_json(&IdentityResource {
+                peer_id,
+                display_name,
+            })
+        }
+
+        "willow://connection" => {
+            let connected = client.is_connected().await;
+            let peers = client.peers().await;
+            let typing = client.typing_peers().await;
+            let typing_entries: Vec<TypingPeerEntry> = typing
+                .into_iter()
+                .map(|(peer_id, channel)| TypingPeerEntry { peer_id, channel })
+                .collect();
+            to_json(&ConnectionResource {
+                connected,
+                peer_count: peers.len(),
+                typing_peers: typing_entries,
+            })
+        }
+
+        "willow://servers" => {
+            let servers = client.server_list().await;
+            let entries: Vec<ServerListEntry> = servers
+                .into_iter()
+                .map(|(id, name)| ServerListEntry { id, name })
+                .collect();
+            to_json(&entries)
+        }
+
+        "willow://server/current" => {
+            let id = client.active_server_id().await;
+            let name = client.active_server_name().await;
+            let owner = client.server_owner().await;
+            let description = client.server_description().await;
+            let display_name = client.display_name().await;
+            to_json(&CurrentServerResource {
+                id,
+                name,
+                owner: owner.to_string(),
+                description,
+                display_name,
+            })
+        }
+
+        "willow://server/channels" => {
+            let channels = client.channel_kinds().await;
+            let entries: Vec<ChannelEntry> = channels
+                .into_iter()
+                .map(|(name, kind)| ChannelEntry { name, kind })
+                .collect();
+            to_json(&entries)
+        }
+
+        "willow://server/members" => {
+            let members = client.server_members().await;
+            let entries: Vec<MemberEntry> = members
+                .into_iter()
+                .map(|(peer_id, display_name, is_online)| MemberEntry {
+                    peer_id: peer_id.to_string(),
+                    display_name,
+                    is_online,
+                })
+                .collect();
+            to_json(&entries)
+        }
+
+        "willow://server/roles" => {
+            let roles = client.roles_data().await;
+            let entries: Vec<RoleEntry> = roles
+                .into_iter()
+                .map(|(id, name, permissions)| RoleEntry {
+                    id,
+                    name,
+                    permissions,
+                })
+                .collect();
+            to_json(&entries)
+        }
+
+        "willow://server/unread" => {
+            let counts = client.unread_counts().await;
+            to_json(&counts)
+        }
+
+        "willow://server/join-links" => {
+            let links = client.join_links().await;
+            let entries: Vec<JoinLinkEntry> = links
+                .into_iter()
+                .map(|l| JoinLinkEntry {
+                    id: l.link_id,
+                    max_uses: l.max_uses,
+                    uses: l.used,
+                    active: l.active,
+                    expires_at: l.expires_at,
+                })
+                .collect();
+            to_json(&entries)
+        }
+
+        "willow://server/state-agreement" => {
+            let (agreeing, total) = client.state_hash_agreement().await;
+            to_json(&StateAgreementResource { agreeing, total })
+        }
+
+        "willow://voice/status" => {
+            let active_channel = client.active_voice_channel().await;
+            let muted = client.is_voice_muted().await;
+            let deafened = client.is_voice_deafened().await;
+            to_json(&VoiceStatusResource {
+                active_channel,
+                muted,
+                deafened,
+            })
+        }
+
+        _ if uri.starts_with("willow://channel/") && uri.ends_with("/messages") => {
+            let channel = extract_channel_name(uri, "/messages");
+            let messages = client.messages(&channel).await;
+            let entries: Vec<MessageEntry> = messages.into_iter().map(MessageEntry::from).collect();
+            to_json(&entries)
+        }
+
+        _ if uri.starts_with("willow://channel/") && uri.ends_with("/pins") => {
+            let channel = extract_channel_name(uri, "/pins");
+            let messages = client.pinned_messages(&channel).await;
+            let entries: Vec<MessageEntry> = messages.into_iter().map(MessageEntry::from).collect();
+            to_json(&entries)
+        }
+
+        _ if uri.starts_with("willow://channel/") && uri.ends_with("/typing") => {
+            let channel = extract_channel_name(uri, "/typing");
+            let typing = client.typing_in(&channel).await;
+            to_json(&typing)
+        }
+
+        _ if uri.starts_with("willow://voice/") && uri.ends_with("/participants") => {
+            let channel = uri
+                .strip_prefix("willow://voice/")
+                .and_then(|s| s.strip_suffix("/participants"))
+                .unwrap_or("");
+            let participants = client.voice_participants(channel).await;
+            let entries: Vec<String> = participants.into_iter().map(|p| p.to_string()).collect();
+            to_json(&entries)
+        }
+
+        _ => {
+            return Err(ErrorData::resource_not_found(
+                format!("unknown resource: {uri}"),
+                None,
+            ));
+        }
+    };
+
+    Ok(ReadResourceResult::new(vec![ResourceContents::text(
+        json, uri,
+    )
+    .with_mime_type("application/json")]))
+}
+
+fn extract_channel_name(uri: &str, suffix: &str) -> String {
+    uri.strip_prefix("willow://channel/")
+        .and_then(|s| s.strip_suffix(suffix))
+        .unwrap_or("general")
+        .to_string()
+}
+
+fn to_json(value: &impl Serialize) -> String {
+    serde_json::to_string(value).unwrap_or_else(|_| "null".to_string())
+}
+
+// ─────────────────────── Resource response types ─────────────────────────────
+
+#[derive(Serialize)]
+struct IdentityResource {
+    peer_id: String,
+    display_name: String,
+}
+
+#[derive(Serialize)]
+struct ConnectionResource {
+    connected: bool,
+    peer_count: usize,
+    typing_peers: Vec<TypingPeerEntry>,
+}
+
+#[derive(Serialize)]
+struct TypingPeerEntry {
+    peer_id: String,
+    channel: String,
+}
+
+#[derive(Serialize)]
+struct ServerListEntry {
+    id: String,
+    name: String,
+}
+
+#[derive(Serialize)]
+struct CurrentServerResource {
+    id: Option<String>,
+    name: String,
+    owner: String,
+    description: String,
+    display_name: String,
+}
+
+#[derive(Serialize)]
+struct ChannelEntry {
+    name: String,
+    kind: String,
+}
+
+#[derive(Serialize)]
+struct MemberEntry {
+    peer_id: String,
+    display_name: String,
+    is_online: bool,
+}
+
+#[derive(Serialize)]
+struct RoleEntry {
+    id: String,
+    name: String,
+    permissions: Vec<String>,
+}
+
+#[derive(Serialize)]
+struct JoinLinkEntry {
+    id: String,
+    max_uses: u32,
+    uses: u32,
+    active: bool,
+    expires_at: Option<u64>,
+}
+
+#[derive(Serialize)]
+struct StateAgreementResource {
+    agreeing: usize,
+    total: usize,
+}
+
+#[derive(Serialize)]
+struct VoiceStatusResource {
+    active_channel: Option<String>,
+    muted: bool,
+    deafened: bool,
+}
+
+#[derive(Serialize)]
+struct MessageEntry {
+    id: String,
+    author_peer_id: String,
+    author_display_name: String,
+    body: String,
+    timestamp_ms: u64,
+    edited: bool,
+    reply_to: Option<String>,
+    reactions: std::collections::HashMap<String, Vec<String>>,
+}
+
+impl From<willow_client::DisplayMessage> for MessageEntry {
+    fn from(m: willow_client::DisplayMessage) -> Self {
+        Self {
+            id: m.id,
+            author_peer_id: m.author_peer_id.to_string(),
+            author_display_name: m.author_display_name,
+            body: m.body,
+            timestamp_ms: m.timestamp_ms,
+            edited: m.edited,
+            reply_to: m.reply_to,
+            reactions: m.reactions,
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn all_15_resources_defined() {
+        let resources = list_resources();
+        assert_eq!(resources.len(), 15);
+    }
+
+    #[test]
+    fn resource_uris_are_unique() {
+        let resources = list_resources();
+        let mut uris: Vec<&str> = resources.iter().map(|r| r.raw.uri.as_str()).collect();
+        let before = uris.len();
+        uris.sort();
+        uris.dedup();
+        assert_eq!(uris.len(), before, "duplicate resource URIs found");
+    }
+
+    #[test]
+    fn resource_uris_start_with_willow() {
+        for r in list_resources() {
+            assert!(
+                r.raw.uri.starts_with("willow://"),
+                "URI should start with willow:// but got: {}",
+                r.raw.uri
+            );
+        }
+    }
+
+    #[test]
+    fn extract_channel_name_works() {
+        assert_eq!(
+            extract_channel_name("willow://channel/general/messages", "/messages"),
+            "general"
+        );
+        assert_eq!(
+            extract_channel_name("willow://channel/dev-ops/pins", "/pins"),
+            "dev-ops"
+        );
+    }
+}
diff --git a/crates/agent/src/scopes.rs b/crates/agent/src/scopes.rs
new file mode 100644
index 00000000..7ebc9c34
--- /dev/null
+++ b/crates/agent/src/scopes.rs
@@ -0,0 +1,120 @@
+//! # Token Scoping
+//!
+//! Defines `TokenScope` variants that control which MCP tools and resources
+//! a bearer token grants access to.
+
+use std::collections::HashSet;
+
+/// Scope of a bearer token, controlling tool and resource access.
+#[derive(Debug, Clone, Default)]
+pub enum TokenScope {
+    /// All tools, all resources.
+    #[default]
+    Full,
+    /// No tools, all resources.
+    ReadOnly,
+    /// Messaging tools only, all resources.
+    Messaging,
+    /// All tools, all resources (semantically distinct from Full for audit).
+    Admin,
+    /// Explicit allowlist of tool names.
+    Custom(HashSet<String>),
+}
+
+/// Tools available in the Messaging scope.
+const MESSAGING_TOOLS: &[&str] = &[
+    "send_message",
+    "send_reply",
+    "edit_message",
+    "delete_message",
+    "react",
+    "pin_message",
+    "unpin_message",
+    "send_typing",
+];
+
+impl TokenScope {
+    /// Returns true if the given tool name is allowed by this scope.
+    pub fn allows_tool(&self, tool_name: &str) -> bool {
+        match self {
+            Self::Full | Self::Admin => true,
+            Self::ReadOnly => false,
+            Self::Messaging => MESSAGING_TOOLS.contains(&tool_name),
+            Self::Custom(set) => set.contains(tool_name),
+        }
+    }
+
+    /// Returns true if the given resource URI is allowed.
+    pub fn allows_resource(&self, _uri: &str) -> bool {
+        // All scopes allow all resources.
+        true
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn full_allows_everything() {
+        let scope = TokenScope::Full;
+        assert!(scope.allows_tool("send_message"));
+        assert!(scope.allows_tool("create_channel"));
+        assert!(scope.allows_tool("kick_member"));
+        assert!(scope.allows_resource("willow://identity"));
+    }
+
+    #[test]
+    fn readonly_blocks_all_tools() {
+        let scope = TokenScope::ReadOnly;
+        assert!(!scope.allows_tool("send_message"));
+        assert!(!scope.allows_tool("create_channel"));
+        assert!(scope.allows_resource("willow://identity"));
+        assert!(scope.allows_resource("willow://server/channels"));
+    }
+
+    #[test]
+    fn messaging_allows_only_messaging_tools() {
+        let scope = TokenScope::Messaging;
+        assert!(scope.allows_tool("send_message"));
+        assert!(scope.allows_tool("send_reply"));
+        assert!(scope.allows_tool("edit_message"));
+        assert!(scope.allows_tool("delete_message"));
+        assert!(scope.allows_tool("react"));
+        assert!(scope.allows_tool("pin_message"));
+        assert!(scope.allows_tool("unpin_message"));
+        assert!(scope.allows_tool("send_typing"));
+        assert!(!scope.allows_tool("create_channel"));
+        assert!(!scope.allows_tool("kick_member"));
+        assert!(!scope.allows_tool("create_server"));
+        assert!(scope.allows_resource("willow://identity"));
+    }
+
+    #[test]
+    fn custom_allows_only_listed_tools() {
+        let mut set = HashSet::new();
+        set.insert("send_message".to_string());
+        set.insert("react".to_string());
+        let scope = TokenScope::Custom(set);
+        assert!(scope.allows_tool("send_message"));
+        assert!(scope.allows_tool("react"));
+        assert!(!scope.allows_tool("create_channel"));
+        assert!(!scope.allows_tool("kick_member"));
+        assert!(scope.allows_resource("willow://identity"));
+    }
+
+    #[test]
+    fn admin_allows_everything() {
+        let scope = TokenScope::Admin;
+        assert!(scope.allows_tool("send_message"));
+        assert!(scope.allows_tool("create_channel"));
+        assert!(scope.allows_tool("kick_member"));
+        assert!(scope.allows_resource("willow://identity"));
+    }
+
+    #[test]
+    fn default_is_full() {
+        let scope = TokenScope::default();
+        assert!(scope.allows_tool("anything"));
+    }
+}
diff --git a/crates/agent/src/server.rs b/crates/agent/src/server.rs
new file mode 100644
index 00000000..be41f531
--- /dev/null
+++ b/crates/agent/src/server.rs
@@ -0,0 +1,267 @@
+//! # MCP Server
+//!
+//! Sets up the MCP server using rmcp, wiring tools, resources, and
+//! notifications to a `ClientHandle`.
+
+use std::sync::Arc;
+
+use rmcp::{
+    model::*,
+    service::{Peer, RequestContext},
+    ErrorData, RoleServer, ServerHandler,
+};
+
+use crate::resources;
+use crate::scopes::TokenScope;
+use crate::tools;
+use willow_client::ClientHandle;
+use willow_network::Network;
+
+/// MCP server backed by a Willow `ClientHandle`.
+#[derive(Clone)]
+pub struct WillowMcpServer<N: Network> {
+    pub(crate) client: Arc<ClientHandle<N>>,
+    pub tool_router: tools::WillowToolRouter<N>,
+    pub scope: TokenScope,
+    /// Ensures the notification bridge is started at most once per server instance.
+    notification_started: Arc<tokio::sync::OnceCell<()>>,
+}
+
+impl<N: Network> WillowMcpServer<N> {
+    /// Create a new MCP server wrapping the given client handle.
+    pub fn new(client: ClientHandle<N>) -> Self {
+        let client = Arc::new(client);
+        let tool_router = tools::WillowToolRouter::new(Arc::clone(&client));
+        Self {
+            client,
+            tool_router,
+            scope: TokenScope::default(),
+            notification_started: Arc::new(tokio::sync::OnceCell::new()),
+        }
+    }
+
+    /// Create a new MCP server with a specific token scope.
+    pub fn with_scope(client: ClientHandle<N>, scope: TokenScope) -> Self {
+        let client = Arc::new(client);
+        let tool_router = tools::WillowToolRouter::new(Arc::clone(&client));
+        Self {
+            client,
+            tool_router,
+            scope,
+            notification_started: Arc::new(tokio::sync::OnceCell::new()),
+        }
+    }
+
+    /// Start the notification bridge if not already running. Subscribes to
+    /// `Broker<ClientEvent>` and forwards each event as a custom MCP notification.
+    pub(crate) fn ensure_notification_bridge(&self, peer: Peer<RoleServer>) {
+        let client = Arc::clone(&self.client);
+        let started = Arc::clone(&self.notification_started);
+        tokio::spawn(async move {
+            // Only start once per server instance.
+            let already = started
+                .get_or_init(|| async {
+                    let mut events = client.subscribe_events().await;
+                    let p = peer;
+                    tokio::spawn(async move {
+                        while let Some(event) = events.recv().await {
+                            let json = crate::notifications::event_to_json(&event);
+                            let notif = CustomNotification::new("willow/event", Some(json));
+                            if p.send_notification(notif.into()).await.is_err() {
+                                // Transport closed — stop forwarding.
+                                break;
+                            }
+                        }
+                    });
+                })
+                .await;
+            let _ = already;
+        });
+    }
+}
+
+#[allow(clippy::manual_async_fn)]
+impl<N: Network> ServerHandler for WillowMcpServer<N> {
+    fn get_info(&self) -> ServerInfo {
+        InitializeResult::new(
+            ServerCapabilities::builder()
+                .enable_tools()
+                .enable_resources()
+                .build(),
+        )
+        .with_server_info(Implementation::new(
+            "willow-agent",
+            env!("CARGO_PKG_VERSION"),
+        ))
+        .with_instructions(
+            "Willow P2P chat agent. Use tools to send messages, manage channels, \
+             and administer servers. Read resources for current state.",
+        )
+    }
+
+    fn list_tools(
+        &self,
+        _request: Option<PaginatedRequestParams>,
+        context: RequestContext<RoleServer>,
+    ) -> impl Future<Output = Result<ListToolsResult, ErrorData>> + Send + '_ {
+        // Start the notification bridge on the first request (list_tools is
+        // always the first method called by the client during initialization).
+        self.ensure_notification_bridge(context.peer);
+        async {
+            let tools = self
+                .tool_router
+                .tool_list()
+                .into_iter()
+                .filter(|t| self.scope.allows_tool(t.name.as_ref()))
+                .collect();
+            Ok(ListToolsResult {
+                tools,
+                next_cursor: None,
+                meta: None,
+            })
+        }
+    }
+
+    fn call_tool(
+        &self,
+        request: CallToolRequestParams,
+        _context: RequestContext<RoleServer>,
+    ) -> impl Future<Output = Result<CallToolResult, ErrorData>> + Send + '_ {
+        async move {
+            let name = request.name.as_ref();
+            if !self.scope.allows_tool(name) {
+                return Err(ErrorData::new(
+                    ErrorCode::INVALID_REQUEST,
+                    format!("tool '{name}' not allowed by token scope"),
+                    None,
+                ));
+            }
+            self.tool_router.call(&request).await
+        }
+    }
+
+    fn list_resources(
+        &self,
+        _request: Option<PaginatedRequestParams>,
+        _context: RequestContext<RoleServer>,
+    ) -> impl Future<Output = Result<ListResourcesResult, ErrorData>> + Send + '_ {
+        async {
+            let resources = resources::list_resources()
+                .into_iter()
+                .filter(|r| self.scope.allows_resource(&r.raw.uri))
+                .collect();
+            Ok(ListResourcesResult {
+                resources,
+                next_cursor: None,
+                meta: None,
+            })
+        }
+    }
+
+    fn read_resource(
+        &self,
+        request: ReadResourceRequestParams,
+        _context: RequestContext<RoleServer>,
+    ) -> impl Future<Output = Result<ReadResourceResult, ErrorData>> + Send + '_ {
+        async move { resources::read_resource(&self.client, &request.uri).await }
+    }
+}
+
+use std::future::Future;
+
+/// Serve the MCP server over stdio.
+pub async fn serve_stdio<N: Network>(client: ClientHandle<N>) -> anyhow::Result<()> {
+    let server = WillowMcpServer::new(client);
+    let transport = rmcp::transport::io::stdio();
+    let service = rmcp::serve_server(server, transport).await?;
+    // The notification bridge is also started in list_tools (first handler
+    // called during init), but we start it here too as a safety net.
+    service
+        .service()
+        .ensure_notification_bridge(service.peer().clone());
+    service.waiting().await?;
+    Ok(())
+}
+
+/// Serve the MCP server over Streamable HTTP (SSE/JSON) with bearer token auth.
+pub async fn serve_http<N: Network + 'static>(
+    client: ClientHandle<N>,
+    bind: &str,
+    scope: TokenScope,
+    token: String,
+) -> anyhow::Result<()> {
+    use rmcp::transport::streamable_http_server::{
+        session::local::LocalSessionManager, StreamableHttpServerConfig, StreamableHttpService,
+    };
+
+    let config = StreamableHttpServerConfig::default();
+    let session_manager = Arc::new(LocalSessionManager::default());
+
+    let service = StreamableHttpService::new(
+        move || Ok(WillowMcpServer::with_scope(client.clone(), scope.clone())),
+        session_manager,
+        config,
+    );
+
+    let app = axum::Router::new()
+        .route_service("/mcp", service)
+        .layer(axum::middleware::from_fn(move |req, next| {
+            let expected = token.clone();
+            bearer_auth_middleware(req, next, expected)
+        }));
+
+    let listener = tokio::net::TcpListener::bind(bind).await?;
+    tracing::info!("MCP HTTP server listening on {bind}");
+    axum::serve(listener, app).await?;
+    Ok(())
+}
+
+/// Axum middleware that validates `Authorization: Bearer <token>` on every request.
+async fn bearer_auth_middleware(
+    req: axum::extract::Request,
+    next: axum::middleware::Next,
+    expected_token: String,
+) -> axum::response::Response {
+    use axum::http::StatusCode;
+
+    let auth_header = req
+        .headers()
+        .get(axum::http::header::AUTHORIZATION)
+        .and_then(|v| v.to_str().ok());
+
+    match auth_header {
+        Some(value) if value.starts_with("Bearer ") => {
+            let provided = &value["Bearer ".len()..];
+            if provided == expected_token {
+                next.run(req).await
+            } else {
+                (StatusCode::FORBIDDEN, "invalid bearer token").into_response()
+            }
+        }
+        _ => (StatusCode::UNAUTHORIZED, "missing bearer token").into_response(),
+    }
+}
+
+use axum::response::IntoResponse;
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn server_info_is_correct() {
+        // We can't easily construct a WillowMcpServer without a full client,
+        // but we can test the static parts.
+        let info = InitializeResult::new(
+            ServerCapabilities::builder()
+                .enable_tools()
+                .enable_resources()
+                .build(),
+        )
+        .with_server_info(Implementation::new(
+            "willow-agent",
+            env!("CARGO_PKG_VERSION"),
+        ));
+        assert_eq!(info.server_info.name, "willow-agent");
+    }
+}
diff --git a/crates/agent/src/tools.rs b/crates/agent/src/tools.rs
new file mode 100644
index 00000000..ec8fab08
--- /dev/null
+++ b/crates/agent/src/tools.rs
@@ -0,0 +1,796 @@
+//! # MCP Tool Definitions and Handlers
+//!
+//! All 37 MCP tools mapped to `ClientHandle` methods. Each tool has a
+//! typed parameter struct (JSON Schema via `schemars`) and an async handler.
+
+use std::sync::Arc;
+
+use rmcp::model::*;
+use rmcp::ErrorData;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+use willow_client::ClientHandle;
+use willow_identity::EndpointId;
+use willow_network::Network;
+
+/// Parse a 64-character hex string into an `EndpointId`.
+fn parse_endpoint_id(hex: &str) -> Result<EndpointId, String> {
+    hex.parse::<EndpointId>()
+        .map_err(|e| format!("invalid peer_id: {e}"))
+}
+
+/// Parse multiple hex peer IDs.
+fn parse_endpoint_ids(ids: &[String]) -> Result<Vec<EndpointId>, String> {
+    ids.iter().map(|s| parse_endpoint_id(s)).collect()
+}
+
+fn success_json(value: impl Serialize) -> Result<CallToolResult, ErrorData> {
+    let text = serde_json::to_string(&value).unwrap_or_else(|_| "{}".to_string());
+    Ok(CallToolResult::success(vec![Content::text(text)]))
+}
+
+fn error_text(msg: impl Into<String>) -> Result<CallToolResult, ErrorData> {
+    Ok(CallToolResult::error(vec![Content::text(msg.into())]))
+}
+
+// ──────────────────────────── Parameter types ────────────────────────────────
+
+// Messaging
+#[derive(Deserialize, JsonSchema)]
+pub struct SendMessageParams {
+    /// Channel name to send to.
+    pub channel: String,
+    /// Message body text.
+    pub body: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct SendReplyParams {
+    /// Channel name.
+    pub channel: String,
+    /// ID of the parent message.
+    pub parent_id: String,
+    /// Reply body text.
+    pub body: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct ShareFileInlineParams {
+    /// Channel name.
+    pub channel: String,
+    /// Filename for the shared file.
+    pub filename: String,
+    /// Base64-encoded file data (max 256KB).
+    pub data: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct EditMessageParams {
+    /// Channel name.
+    pub channel: String,
+    /// ID of the message to edit.
+    pub message_id: String,
+    /// New message body.
+    pub new_body: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct DeleteMessageParams {
+    /// Channel name.
+    pub channel: String,
+    /// ID of the message to delete.
+    pub message_id: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct ReactParams {
+    /// Channel name.
+    pub channel: String,
+    /// ID of the message to react to.
+    pub message_id: String,
+    /// Emoji to react with.
+    pub emoji: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct PinMessageParams {
+    /// Channel name.
+    pub channel: String,
+    /// ID of the message to pin.
+    pub message_id: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct UnpinMessageParams {
+    /// Channel name.
+    pub channel: String,
+    /// ID of the message to unpin.
+    pub message_id: String,
+}
+
+// Channels
+#[derive(Deserialize, JsonSchema)]
+pub struct CreateChannelParams {
+    /// Channel name.
+    pub name: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct CreateVoiceChannelParams {
+    /// Voice channel name.
+    pub name: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct DeleteChannelParams {
+    /// Channel name to delete.
+    pub name: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct SwitchChannelParams {
+    /// Channel name to switch to.
+    pub name: String,
+}
+
+// Permissions & Members
+#[derive(Deserialize, JsonSchema)]
+pub struct PeerIdParams {
+    /// Peer ID (64-char hex Ed25519 public key).
+    pub peer_id: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct CreateRoleParams {
+    /// Role name.
+    pub name: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct DeleteRoleParams {
+    /// Role ID (UUID).
+    pub role_id: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct SetPermissionParams {
+    /// Role ID (UUID).
+    pub role_id: String,
+    /// Permission name: SyncProvider, ManageChannels, ManageRoles,
+    /// KickMembers, SendMessages, CreateInvite, or Administrator.
+    pub permission: String,
+    /// Whether to grant (true) or revoke (false) the permission.
+    pub granted: bool,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct AssignRoleParams {
+    /// Peer ID (64-char hex).
+    pub peer_id: String,
+    /// Role ID (UUID).
+    pub role_id: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct AuthorizeWorkersParams {
+    /// List of worker peer IDs (64-char hex each).
+    pub worker_peer_ids: Vec<String>,
+}
+
+// Server management
+#[derive(Deserialize, JsonSchema)]
+pub struct CreateServerParams {
+    /// Server display name.
+    pub name: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct SwitchServerParams {
+    /// Server ID to switch to.
+    pub id: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct LeaveServerParams {
+    /// Server ID to leave.
+    pub id: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct RenameServerParams {
+    /// New server name.
+    pub name: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct SetServerDescriptionParams {
+    /// New server description.
+    pub description: String,
+}
+
+// Identity
+#[derive(Deserialize, JsonSchema)]
+pub struct SetDisplayNameParams {
+    /// Display name.
+    pub name: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct SetServerDisplayNameParams {
+    /// Server-scoped display name.
+    pub name: String,
+}
+
+// Invites
+#[derive(Deserialize, JsonSchema)]
+pub struct GenerateInviteParams {
+    /// Recipient peer ID (64-char hex).
+    pub recipient_peer_id: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct AcceptInviteParams {
+    /// Invite code to accept.
+    pub code: String,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct CreateJoinLinkParams {
+    /// Maximum number of uses for this link.
+    pub max_uses: u32,
+    /// Optional expiration timestamp (Unix ms).
+    pub expires_at: Option<u64>,
+}
+
+#[derive(Deserialize, JsonSchema)]
+pub struct DeleteJoinLinkParams {
+    /// Link ID to delete.
+    pub link_id: String,
+}
+
+// Voice
+#[derive(Deserialize, JsonSchema)]
+pub struct JoinVoiceParams {
+    /// Voice channel ID to join.
+    pub channel_id: String,
+}
+
+// ──────────────────────────── Tool Router ────────────────────────────────────
+
+/// Central tool router that holds tool definitions and dispatches calls.
+pub struct WillowToolRouter<N: Network> {
+    client: Arc<ClientHandle<N>>,
+    tools: Vec<Tool>,
+}
+
+impl<N: Network> Clone for WillowToolRouter<N> {
+    fn clone(&self) -> Self {
+        Self {
+            client: Arc::clone(&self.client),
+            tools: self.tools.clone(),
+        }
+    }
+}
+
+fn make_tool<P: JsonSchema>(name: &'static str, description: &'static str) -> Tool {
+    let schema = schemars::generate::SchemaSettings::default()
+        .into_generator()
+        .into_root_schema_for::<P>();
+    let schema_value = serde_json::to_value(&schema).unwrap_or_default();
+    let schema_obj: JsonObject = match schema_value {
+        serde_json::Value::Object(m) => m,
+        _ => JsonObject::default(),
+    };
+    Tool::new(name, description, Arc::new(schema_obj))
+}
+
+fn make_tool_no_params(name: &'static str, description: &'static str) -> Tool {
+    let mut schema = JsonObject::new();
+    schema.insert("type".to_string(), serde_json::json!("object"));
+    Tool::new(name, description, Arc::new(schema))
+}
+
+impl<N: Network> WillowToolRouter<N> {
+    /// Build the full tool list.
+    pub fn new(client: Arc<ClientHandle<N>>) -> Self {
+        let tools = vec![
+            // Messaging (8)
+            make_tool::<SendMessageParams>("send_message", "Send a text message to a channel"),
+            make_tool::<SendReplyParams>("send_reply", "Reply to a specific message"),
+            make_tool::<ShareFileInlineParams>(
+                "share_file_inline",
+                "Share a file inline (base64, max 256KB)",
+            ),
+            make_tool::<EditMessageParams>("edit_message", "Edit a message"),
+            make_tool::<DeleteMessageParams>("delete_message", "Delete a message"),
+            make_tool::<ReactParams>("react", "Add an emoji reaction to a message"),
+            make_tool::<PinMessageParams>("pin_message", "Pin a message in a channel"),
+            make_tool::<UnpinMessageParams>("unpin_message", "Unpin a message in a channel"),
+            // Channels (4)
+            make_tool::<CreateChannelParams>("create_channel", "Create a text channel"),
+            make_tool::<CreateVoiceChannelParams>("create_voice_channel", "Create a voice channel"),
+            make_tool::<DeleteChannelParams>("delete_channel", "Delete a channel"),
+            make_tool::<SwitchChannelParams>("switch_channel", "Set the active channel"),
+            // Permissions & Members (7)
+            make_tool::<PeerIdParams>("trust_peer", "Grant Administrator permission to a peer"),
+            make_tool::<PeerIdParams>(
+                "untrust_peer",
+                "Revoke Administrator permission from a peer",
+            ),
+            make_tool::<PeerIdParams>("kick_member", "Remove a member and rotate channel keys"),
+            make_tool::<CreateRoleParams>("create_role", "Create a permission role"),
+            make_tool::<DeleteRoleParams>("delete_role", "Delete a role"),
+            make_tool::<SetPermissionParams>(
+                "set_permission",
+                "Set a permission on a role (grant or revoke)",
+            ),
+            make_tool::<AssignRoleParams>("assign_role", "Assign a role to a peer"),
+            // Server management (6)
+            make_tool::<CreateServerParams>(
+                "create_server",
+                "Create a new server. Returns the server ID.",
+            ),
+            make_tool::<SwitchServerParams>("switch_server", "Switch to a different server"),
+            make_tool::<LeaveServerParams>("leave_server", "Leave a server"),
+            make_tool::<RenameServerParams>("rename_server", "Rename the current server"),
+            make_tool::<SetServerDescriptionParams>(
+                "set_server_description",
+                "Set the server description",
+            ),
+            make_tool::<AuthorizeWorkersParams>(
+                "authorize_workers",
+                "Grant SyncProvider permission to worker peers",
+            ),
+            // Identity (3)
+            make_tool::<SetDisplayNameParams>("set_display_name", "Set the agent's display name"),
+            make_tool::<SetServerDisplayNameParams>(
+                "set_server_display_name",
+                "Set server-scoped display name",
+            ),
+            make_tool_no_params("send_typing", "Broadcast a typing indicator"),
+            // Invites (4)
+            make_tool::<GenerateInviteParams>(
+                "generate_invite",
+                "Create an encrypted invite for a specific peer",
+            ),
+            make_tool::<AcceptInviteParams>("accept_invite", "Accept an invite and join a server"),
+            make_tool::<CreateJoinLinkParams>("create_join_link", "Create a shareable join link"),
+            make_tool::<DeleteJoinLinkParams>("delete_join_link", "Delete a join link"),
+            // Voice (4)
+            make_tool::<JoinVoiceParams>("join_voice", "Join a voice channel"),
+            make_tool_no_params("leave_voice", "Leave the current voice channel"),
+            make_tool_no_params("toggle_mute", "Toggle mute state. Returns new state."),
+            make_tool_no_params("toggle_deafen", "Toggle deafen state. Returns new state."),
+            // State (1)
+            make_tool_no_params("verify_state", "Broadcast state hash for verification"),
+        ];
+        Self { client, tools }
+    }
+
+    /// Return the tool definitions for `tools/list`.
+    pub fn tool_list(&self) -> Vec<Tool> {
+        self.tools.clone()
+    }
+
+    /// Dispatch a tool call by name.
+    pub async fn call(&self, request: &CallToolRequestParams) -> Result<CallToolResult, ErrorData> {
+        let name = request.name.as_ref();
+        let args = request
+            .arguments
+            .as_ref()
+            .map(|a| serde_json::Value::Object(a.clone()))
+            .unwrap_or(serde_json::Value::Object(JsonObject::new()));
+
+        match name {
+            // ── Messaging ────────────────────────────────────────────────
+            "send_message" => {
+                let p: SendMessageParams = parse_args(&args)?;
+                match self.client.send_message(&p.channel, &p.body).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "send_reply" => {
+                let p: SendReplyParams = parse_args(&args)?;
+                match self
+                    .client
+                    .send_reply(&p.channel, &p.parent_id, &p.body)
+                    .await
+                {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "share_file_inline" => {
+                let p: ShareFileInlineParams = parse_args(&args)?;
+                let data = base64_decode(&p.data).map_err(|e| {
+                    ErrorData::invalid_params(format!("invalid base64 data: {e}"), None)
+                })?;
+                match self
+                    .client
+                    .share_file_inline(&p.channel, &p.filename, &data)
+                    .await
+                {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "edit_message" => {
+                let p: EditMessageParams = parse_args(&args)?;
+                match self
+                    .client
+                    .edit_message(&p.channel, &p.message_id, &p.new_body)
+                    .await
+                {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "delete_message" => {
+                let p: DeleteMessageParams = parse_args(&args)?;
+                match self.client.delete_message(&p.channel, &p.message_id).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "react" => {
+                let p: ReactParams = parse_args(&args)?;
+                match self.client.react(&p.channel, &p.message_id, &p.emoji).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "pin_message" => {
+                let p: PinMessageParams = parse_args(&args)?;
+                match self.client.pin_message(&p.channel, &p.message_id).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "unpin_message" => {
+                let p: UnpinMessageParams = parse_args(&args)?;
+                match self.client.unpin_message(&p.channel, &p.message_id).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+
+            // ── Channels ─────────────────────────────────────────────────
+            "create_channel" => {
+                let p: CreateChannelParams = parse_args(&args)?;
+                match self.client.create_channel(&p.name).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "create_voice_channel" => {
+                let p: CreateVoiceChannelParams = parse_args(&args)?;
+                match self.client.create_voice_channel(&p.name).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "delete_channel" => {
+                let p: DeleteChannelParams = parse_args(&args)?;
+                match self.client.delete_channel(&p.name).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "switch_channel" => {
+                let p: SwitchChannelParams = parse_args(&args)?;
+                self.client.switch_channel(&p.name).await;
+                success_json(serde_json::json!({"success": true}))
+            }
+
+            // ── Permissions & Members ────────────────────────────────────
+            "trust_peer" => {
+                let p: PeerIdParams = parse_args(&args)?;
+                let eid = parse_endpoint_id(&p.peer_id)
+                    .map_err(|e| ErrorData::invalid_params(e, None))?;
+                self.client.trust_peer(eid).await;
+                success_json(serde_json::json!({"success": true}))
+            }
+            "untrust_peer" => {
+                let p: PeerIdParams = parse_args(&args)?;
+                let eid = parse_endpoint_id(&p.peer_id)
+                    .map_err(|e| ErrorData::invalid_params(e, None))?;
+                self.client.untrust_peer(eid).await;
+                success_json(serde_json::json!({"success": true}))
+            }
+            "kick_member" => {
+                let p: PeerIdParams = parse_args(&args)?;
+                let eid = parse_endpoint_id(&p.peer_id)
+                    .map_err(|e| ErrorData::invalid_params(e, None))?;
+                match self.client.kick_member(eid).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "create_role" => {
+                let p: CreateRoleParams = parse_args(&args)?;
+                match self.client.create_role(&p.name).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "delete_role" => {
+                let p: DeleteRoleParams = parse_args(&args)?;
+                match self.client.delete_role(&p.role_id).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "set_permission" => {
+                let p: SetPermissionParams = parse_args(&args)?;
+                match self
+                    .client
+                    .set_permission(&p.role_id, &p.permission, p.granted)
+                    .await
+                {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "assign_role" => {
+                let p: AssignRoleParams = parse_args(&args)?;
+                let eid = parse_endpoint_id(&p.peer_id)
+                    .map_err(|e| ErrorData::invalid_params(e, None))?;
+                match self.client.assign_role(eid, &p.role_id).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+
+            // ── Server Management ────────────────────────────────────────
+            "create_server" => {
+                let p: CreateServerParams = parse_args(&args)?;
+                match self.client.create_server(&p.name).await {
+                    Ok(id) => success_json(serde_json::json!({"server_id": id})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "switch_server" => {
+                let p: SwitchServerParams = parse_args(&args)?;
+                self.client.switch_server(&p.id).await;
+                success_json(serde_json::json!({"success": true}))
+            }
+            "leave_server" => {
+                let p: LeaveServerParams = parse_args(&args)?;
+                self.client.leave_server(&p.id).await;
+                success_json(serde_json::json!({"success": true}))
+            }
+            "rename_server" => {
+                let p: RenameServerParams = parse_args(&args)?;
+                match self.client.rename_server(&p.name).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "set_server_description" => {
+                let p: SetServerDescriptionParams = parse_args(&args)?;
+                match self.client.set_server_description(&p.description).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "authorize_workers" => {
+                let p: AuthorizeWorkersParams = parse_args(&args)?;
+                let eids = parse_endpoint_ids(&p.worker_peer_ids)
+                    .map_err(|e| ErrorData::invalid_params(e, None))?;
+                self.client.authorize_workers(&eids).await;
+                success_json(serde_json::json!({"success": true}))
+            }
+
+            // ── Identity ─────────────────────────────────────────────────
+            "set_display_name" => {
+                let p: SetDisplayNameParams = parse_args(&args)?;
+                self.client.set_display_name(&p.name).await;
+                success_json(serde_json::json!({"success": true}))
+            }
+            "set_server_display_name" => {
+                let p: SetServerDisplayNameParams = parse_args(&args)?;
+                match self.client.set_server_display_name(&p.name).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "send_typing" => {
+                self.client.send_typing().await;
+                success_json(serde_json::json!({"success": true}))
+            }
+
+            // ── Invites ──────────────────────────────────────────────────
+            "generate_invite" => {
+                let p: GenerateInviteParams = parse_args(&args)?;
+                let eid = parse_endpoint_id(&p.recipient_peer_id)
+                    .map_err(|e| ErrorData::invalid_params(e, None))?;
+                match self.client.generate_invite(&eid).await {
+                    Ok(code) => success_json(serde_json::json!({"invite_code": code})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "accept_invite" => {
+                let p: AcceptInviteParams = parse_args(&args)?;
+                match self.client.accept_invite(&p.code).await {
+                    Ok(()) => success_json(serde_json::json!({"success": true})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "create_join_link" => {
+                let p: CreateJoinLinkParams = parse_args(&args)?;
+                match self.client.create_join_link(p.max_uses, p.expires_at).await {
+                    Ok(link) => success_json(serde_json::json!({"link": link})),
+                    Err(e) => error_text(e.to_string()),
+                }
+            }
+            "delete_join_link" => {
+                let p: DeleteJoinLinkParams = parse_args(&args)?;
+                self.client.delete_join_link(&p.link_id).await;
+                success_json(serde_json::json!({"success": true}))
+            }
+
+            // ── Voice ────────────────────────────────────────────────────
+            "join_voice" => {
+                let p: JoinVoiceParams = parse_args(&args)?;
+                self.client.join_voice(&p.channel_id).await;
+                success_json(serde_json::json!({"success": true}))
+            }
+            "leave_voice" => {
+                self.client.leave_voice().await;
+                success_json(serde_json::json!({"success": true}))
+            }
+            "toggle_mute" => {
+                let muted = self.client.toggle_mute().await;
+                success_json(serde_json::json!({"muted": muted}))
+            }
+            "toggle_deafen" => {
+                let deafened = self.client.toggle_deafen().await;
+                success_json(serde_json::json!({"deafened": deafened}))
+            }
+
+            // ── State ────────────────────────────────────────────────────
+            "verify_state" => match self.client.verify_state().await {
+                Ok(()) => success_json(serde_json::json!({"success": true})),
+                Err(e) => error_text(e.to_string()),
+            },
+
+            _ => Err(ErrorData::new(
+                ErrorCode::METHOD_NOT_FOUND,
+                format!("unknown tool: {name}"),
+                None,
+            )),
+        }
+    }
+}
+
+fn parse_args<T: serde::de::DeserializeOwned>(args: &serde_json::Value) -> Result<T, ErrorData> {
+    serde_json::from_value(args.clone())
+        .map_err(|e| ErrorData::invalid_params(format!("invalid arguments: {e}"), None))
+}
+
+fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
+    willow_client::base64::decode(s).ok_or_else(|| "invalid base64".to_string())
+}
+
+// ──────────────────────────── Tests ──────────────────────────────────────────
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn all_37_tools_defined() {
+        // Verify we can construct the tool list without a real client.
+        // We test the count by checking the tool_list vector length.
+        let expected = 37;
+        let tools = vec![
+            // Messaging (8)
+            make_tool::<SendMessageParams>("send_message", ""),
+            make_tool::<SendReplyParams>("send_reply", ""),
+            make_tool::<ShareFileInlineParams>("share_file_inline", ""),
+            make_tool::<EditMessageParams>("edit_message", ""),
+            make_tool::<DeleteMessageParams>("delete_message", ""),
+            make_tool::<ReactParams>("react", ""),
+            make_tool::<PinMessageParams>("pin_message", ""),
+            make_tool::<UnpinMessageParams>("unpin_message", ""),
+            // Channels (4)
+            make_tool::<CreateChannelParams>("create_channel", ""),
+            make_tool::<CreateVoiceChannelParams>("create_voice_channel", ""),
+            make_tool::<DeleteChannelParams>("delete_channel", ""),
+            make_tool::<SwitchChannelParams>("switch_channel", ""),
+            // Permissions & Members (7)
+            make_tool::<PeerIdParams>("trust_peer", ""),
+            make_tool::<PeerIdParams>("untrust_peer", ""),
+            make_tool::<PeerIdParams>("kick_member", ""),
+            make_tool::<CreateRoleParams>("create_role", ""),
+            make_tool::<DeleteRoleParams>("delete_role", ""),
+            make_tool::<SetPermissionParams>("set_permission", ""),
+            make_tool::<AssignRoleParams>("assign_role", ""),
+            // Server management (6)
+            make_tool::<CreateServerParams>("create_server", ""),
+            make_tool::<SwitchServerParams>("switch_server", ""),
+            make_tool::<LeaveServerParams>("leave_server", ""),
+            make_tool::<RenameServerParams>("rename_server", ""),
+            make_tool::<SetServerDescriptionParams>("set_server_description", ""),
+            make_tool::<AuthorizeWorkersParams>("authorize_workers", ""),
+            // Identity (3)
+            make_tool::<SetDisplayNameParams>("set_display_name", ""),
+            make_tool::<SetServerDisplayNameParams>("set_server_display_name", ""),
+            make_tool_no_params("send_typing", ""),
+            // Invites (4)
+            make_tool::<GenerateInviteParams>("generate_invite", ""),
+            make_tool::<AcceptInviteParams>("accept_invite", ""),
+            make_tool::<CreateJoinLinkParams>("create_join_link", ""),
+            make_tool::<DeleteJoinLinkParams>("delete_join_link", ""),
+            // Voice (4)
+            make_tool::<JoinVoiceParams>("join_voice", ""),
+            make_tool_no_params("leave_voice", ""),
+            make_tool_no_params("toggle_mute", ""),
+            make_tool_no_params("toggle_deafen", ""),
+            // State (1)
+            make_tool_no_params("verify_state", ""),
+        ];
+        assert_eq!(tools.len(), expected);
+    }
+
+    #[test]
+    fn tool_schemas_are_valid_json() {
+        let tool = make_tool::<SendMessageParams>("send_message", "Send a message");
+        let schema = tool.input_schema;
+        let value = serde_json::to_value(&*schema).unwrap();
+        assert!(value.is_object());
+        // Should have properties.channel and properties.body
+        let props = value.get("properties").expect("should have properties");
+        assert!(props.get("channel").is_some());
+        assert!(props.get("body").is_some());
+    }
+
+    #[test]
+    fn tool_names_are_unique() {
+        let tools = vec![
+            "send_message",
+            "send_reply",
+            "share_file_inline",
+            "edit_message",
+            "delete_message",
+            "react",
+            "pin_message",
+            "unpin_message",
+            "create_channel",
+            "create_voice_channel",
+            "delete_channel",
+            "switch_channel",
+            "trust_peer",
+            "untrust_peer",
+            "kick_member",
+            "create_role",
+            "delete_role",
+            "set_permission",
+            "assign_role",
+            "create_server",
+            "switch_server",
+            "leave_server",
+            "rename_server",
+            "set_server_description",
+            "authorize_workers",
+            "set_display_name",
+            "set_server_display_name",
+            "send_typing",
+            "generate_invite",
+            "accept_invite",
+            "create_join_link",
+            "delete_join_link",
+            "join_voice",
+            "leave_voice",
+            "toggle_mute",
+            "toggle_deafen",
+            "verify_state",
+        ];
+        let mut set = std::collections::HashSet::new();
+        for name in &tools {
+            assert!(set.insert(name), "duplicate tool name: {name}");
+        }
+        assert_eq!(set.len(), 37);
+    }
+}
diff --git a/crates/agent/tests/e2e.rs b/crates/agent/tests/e2e.rs
new file mode 100644
index 00000000..07105787
--- /dev/null
+++ b/crates/agent/tests/e2e.rs
@@ -0,0 +1,707 @@
+//! # E2E Tests for the Willow Agent
+//!
+//! Tests use `test_client()` from willow-client (via `test-utils` feature)
+//! to create in-process `ClientHandle<MemNetwork>` instances. These are
+//! single-peer tests that verify the full MCP server → ClientHandle → actor
+//! pipeline works end-to-end. Multi-peer tests use `test_client_on_hub()`
+//! with a shared `MemHub`.
+
+use std::sync::Arc;
+use willow_client::{test_client, ClientHandle};
+use willow_network::mem::{MemHub, MemNetwork};
+
+use willow_agent::server::WillowMcpServer;
+use willow_agent::tools::WillowToolRouter;
+
+/// Helper to create a test MCP server.
+fn test_mcp_server() -> (WillowMcpServer<MemNetwork>, ClientHandle<MemNetwork>) {
+    let (client, _broker) = test_client();
+    let server = WillowMcpServer::new(client.clone());
+    (server, client)
+}
+
+/// Helper to call a tool by name with JSON args.
+async fn call_tool(
+    router: &WillowToolRouter<MemNetwork>,
+    name: &'static str,
+    args: serde_json::Value,
+) -> rmcp::model::CallToolResult {
+    let params = rmcp::model::CallToolRequestParams::new(name).with_arguments(match args {
+        serde_json::Value::Object(m) => m,
+        _ => serde_json::Map::new(),
+    });
+    router.call(&params).await.expect("tool call failed")
+}
+
+fn result_text(result: &rmcp::model::CallToolResult) -> String {
+    result
+        .content
+        .first()
+        .and_then(|c| match &c.raw {
+            rmcp::model::RawContent::Text(t) => Some(t.text.clone()),
+            _ => None,
+        })
+        .unwrap_or_default()
+}
+
+// ─────────────────────── Messaging Tests ─────────────────────────────────────
+
+#[tokio::test]
+async fn send_message_and_read_back() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    let result = call_tool(
+        &router,
+        "send_message",
+        serde_json::json!({ "channel": "general", "body": "hello from agent" }),
+    )
+    .await;
+    assert!(result.is_error != Some(true));
+
+    let messages = client.messages("general").await;
+    assert!(
+        messages.iter().any(|m| m.body == "hello from agent"),
+        "message not found in channel"
+    );
+}
+
+#[tokio::test]
+async fn edit_message() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "send_message",
+        serde_json::json!({ "channel": "general", "body": "original" }),
+    )
+    .await;
+
+    let messages = client.messages("general").await;
+    let msg_id = &messages.last().unwrap().id;
+
+    call_tool(
+        &router,
+        "edit_message",
+        serde_json::json!({
+            "channel": "general",
+            "message_id": msg_id,
+            "new_body": "edited"
+        }),
+    )
+    .await;
+
+    let messages = client.messages("general").await;
+    let msg = messages.iter().find(|m| m.id == *msg_id).unwrap();
+    assert_eq!(msg.body, "edited");
+}
+
+#[tokio::test]
+async fn delete_message() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "send_message",
+        serde_json::json!({ "channel": "general", "body": "to delete" }),
+    )
+    .await;
+
+    let messages = client.messages("general").await;
+    let msg_id = &messages.last().unwrap().id;
+
+    call_tool(
+        &router,
+        "delete_message",
+        serde_json::json!({ "channel": "general", "message_id": msg_id }),
+    )
+    .await;
+
+    let messages = client.messages("general").await;
+    assert!(
+        !messages.iter().any(|m| m.body == "to delete"),
+        "deleted message still visible"
+    );
+}
+
+#[tokio::test]
+async fn react_to_message() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "send_message",
+        serde_json::json!({ "channel": "general", "body": "react to me" }),
+    )
+    .await;
+
+    let messages = client.messages("general").await;
+    let msg_id = &messages.last().unwrap().id;
+
+    call_tool(
+        &router,
+        "react",
+        serde_json::json!({
+            "channel": "general",
+            "message_id": msg_id,
+            "emoji": "👍"
+        }),
+    )
+    .await;
+
+    let messages = client.messages("general").await;
+    let msg = messages.iter().find(|m| m.id == *msg_id).unwrap();
+    assert!(!msg.reactions.is_empty(), "reaction should be present");
+}
+
+#[tokio::test]
+async fn pin_and_unpin_message() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "send_message",
+        serde_json::json!({ "channel": "general", "body": "pin me" }),
+    )
+    .await;
+
+    let messages = client.messages("general").await;
+    let msg_id = &messages.last().unwrap().id;
+
+    call_tool(
+        &router,
+        "pin_message",
+        serde_json::json!({ "channel": "general", "message_id": msg_id }),
+    )
+    .await;
+
+    assert!(client.is_pinned("general", msg_id).await);
+
+    call_tool(
+        &router,
+        "unpin_message",
+        serde_json::json!({ "channel": "general", "message_id": msg_id }),
+    )
+    .await;
+
+    assert!(!client.is_pinned("general", msg_id).await);
+}
+
+// ─────────────────────── Channel Tests ───────────────────────────────────────
+
+#[tokio::test]
+async fn create_channel() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "create_channel",
+        serde_json::json!({ "name": "dev" }),
+    )
+    .await;
+
+    let channels = client.channels().await;
+    assert!(
+        channels.iter().any(|c| c == "dev"),
+        "created channel not found: {channels:?}"
+    );
+}
+
+#[tokio::test]
+async fn switch_channel() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "switch_channel",
+        serde_json::json!({ "name": "general" }),
+    )
+    .await;
+
+    let current = client.current_channel().await;
+    assert_eq!(current, "general");
+}
+
+// ─────────────────────── Server Tests ────────────────────────────────────────
+
+#[tokio::test]
+async fn create_server_returns_id() {
+    let (server, _client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    let result = call_tool(
+        &router,
+        "create_server",
+        serde_json::json!({ "name": "My Server" }),
+    )
+    .await;
+
+    let text = result_text(&result);
+    let parsed: serde_json::Value = serde_json::from_str(&text).unwrap();
+    assert!(parsed["server_id"].is_string());
+}
+
+#[tokio::test]
+async fn rename_server() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "rename_server",
+        serde_json::json!({ "name": "Renamed" }),
+    )
+    .await;
+
+    // Verify via resource read
+    let name = client.active_server_name().await;
+    // The rename goes through event-sourced state
+    // Check that it either applied or the event was built
+    assert!(!name.is_empty());
+}
+
+// ─────────────────────── Identity Tests ──────────────────────────────────────
+
+#[tokio::test]
+async fn set_display_name() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "set_display_name",
+        serde_json::json!({ "name": "AgentBot" }),
+    )
+    .await;
+
+    let name = client.display_name().await;
+    assert_eq!(name, "AgentBot");
+}
+
+// ─────────────────────── Voice Tests ─────────────────────────────────────────
+
+#[tokio::test]
+async fn toggle_mute_returns_state() {
+    let (server, _client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    let result = call_tool(&router, "toggle_mute", serde_json::json!({})).await;
+    let text = result_text(&result);
+    let parsed: serde_json::Value = serde_json::from_str(&text).unwrap();
+    assert_eq!(parsed["muted"], true);
+
+    let result2 = call_tool(&router, "toggle_mute", serde_json::json!({})).await;
+    let text2 = result_text(&result2);
+    let parsed2: serde_json::Value = serde_json::from_str(&text2).unwrap();
+    assert_eq!(parsed2["muted"], false);
+}
+
+#[tokio::test]
+async fn toggle_deafen_returns_state() {
+    let (server, _client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    let result = call_tool(&router, "toggle_deafen", serde_json::json!({})).await;
+    let text = result_text(&result);
+    let parsed: serde_json::Value = serde_json::from_str(&text).unwrap();
+    assert_eq!(parsed["deafened"], true);
+}
+
+// ─────────────────────── Resource Tests ──────────────────────────────────────
+
+#[tokio::test]
+async fn read_identity_resource() {
+    let (_server, client) = test_mcp_server();
+    let client_arc = Arc::new(client.clone());
+    let result = willow_agent::resources::read_resource(&client_arc, "willow://identity")
+        .await
+        .unwrap();
+
+    assert!(!result.contents.is_empty());
+    match &result.contents[0] {
+        rmcp::model::ResourceContents::TextResourceContents { text, .. } => {
+            let parsed: serde_json::Value = serde_json::from_str(text).unwrap();
+            assert!(parsed["peer_id"].is_string());
+            assert_eq!(parsed["peer_id"].as_str().unwrap().len(), 64);
+        }
+        _ => panic!("expected text resource"),
+    }
+}
+
+#[tokio::test]
+async fn read_channels_resource() {
+    let (_server, client) = test_mcp_server();
+    let client_arc = Arc::new(client);
+    let result = willow_agent::resources::read_resource(&client_arc, "willow://server/channels")
+        .await
+        .unwrap();
+
+    assert!(!result.contents.is_empty());
+    match &result.contents[0] {
+        rmcp::model::ResourceContents::TextResourceContents { text, .. } => {
+            let parsed: serde_json::Value = serde_json::from_str(text).unwrap();
+            assert!(parsed.is_array());
+            let channels = parsed.as_array().unwrap();
+            assert!(
+                channels.iter().any(|c| c["name"] == "general"),
+                "general channel not found"
+            );
+        }
+        _ => panic!("expected text resource"),
+    }
+}
+
+#[tokio::test]
+async fn read_unknown_resource_returns_error() {
+    let (_server, client) = test_mcp_server();
+    let client_arc = Arc::new(client);
+    let result = willow_agent::resources::read_resource(&client_arc, "willow://nonexistent").await;
+
+    assert!(result.is_err());
+}
+
+// ─────────────────────── Advanced E2E Tests ─────────────────────────────────
+
+#[tokio::test]
+async fn kick_member_removes_from_server() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    // Our own peer_id — kicking self should produce an error or be a no-op
+    let peer_id = client.peer_id();
+
+    let result = call_tool(
+        &router,
+        "kick_member",
+        serde_json::json!({ "peer_id": peer_id }),
+    )
+    .await;
+
+    // Kicking oneself is expected to either error or succeed gracefully
+    let text = result_text(&result);
+    assert!(!text.is_empty(), "kick_member should return a response");
+}
+
+#[tokio::test]
+async fn server_rename_via_tool() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    let result = call_tool(
+        &router,
+        "rename_server",
+        serde_json::json!({ "name": "My Renamed Server" }),
+    )
+    .await;
+    assert!(result.is_error != Some(true));
+
+    let name = client.active_server_name().await;
+    assert!(!name.is_empty());
+}
+
+#[tokio::test]
+async fn display_name_updates() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "set_display_name",
+        serde_json::json!({ "name": "BotAlpha" }),
+    )
+    .await;
+
+    let name = client.display_name().await;
+    assert_eq!(name, "BotAlpha");
+
+    // Change again
+    call_tool(
+        &router,
+        "set_display_name",
+        serde_json::json!({ "name": "BotBeta" }),
+    )
+    .await;
+
+    let name = client.display_name().await;
+    assert_eq!(name, "BotBeta");
+}
+
+#[tokio::test]
+async fn voice_join_and_leave() {
+    let (server, _client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    let result = call_tool(
+        &router,
+        "join_voice",
+        serde_json::json!({ "channel_id": "voice-lobby" }),
+    )
+    .await;
+    assert!(result.is_error != Some(true));
+
+    let result = call_tool(&router, "leave_voice", serde_json::json!({})).await;
+    assert!(result.is_error != Some(true));
+}
+
+#[tokio::test]
+async fn send_reply_to_message() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    // Send original message
+    call_tool(
+        &router,
+        "send_message",
+        serde_json::json!({ "channel": "general", "body": "original message" }),
+    )
+    .await;
+
+    let messages = client.messages("general").await;
+    let msg_id = &messages.last().unwrap().id;
+
+    // Send reply
+    let result = call_tool(
+        &router,
+        "send_reply",
+        serde_json::json!({
+            "channel": "general",
+            "parent_id": msg_id,
+            "body": "this is a reply"
+        }),
+    )
+    .await;
+    assert!(result.is_error != Some(true));
+
+    let messages = client.messages("general").await;
+    assert!(
+        messages.iter().any(|m| m.body == "this is a reply"),
+        "reply not found in channel"
+    );
+}
+
+#[tokio::test]
+async fn create_and_delete_channel() {
+    let (server, client) = test_mcp_server();
+    let router = server.tool_router.clone();
+
+    call_tool(
+        &router,
+        "create_channel",
+        serde_json::json!({ "name": "temp-channel" }),
+    )
+    .await;
+
+    let channels = client.channels().await;
+    assert!(channels.iter().any(|c| c == "temp-channel"));
+
+    call_tool(
+        &router,
+        "delete_channel",
+        serde_json::json!({ "name": "temp-channel" }),
+    )
+    .await;
+
+    let channels = client.channels().await;
+    assert!(
+        !channels.iter().any(|c| c == "temp-channel"),
+        "channel should be deleted"
+    );
+}
+
+// ─────────────────────── Scope Enforcement Tests ────────────────────────────
+
+#[tokio::test]
+async fn readonly_token_hides_tools() {
+    use willow_agent::scopes::TokenScope;
+    use willow_agent::server::WillowMcpServer;
+
+    let (client, _broker) = test_client();
+    let server = WillowMcpServer::with_scope(client.clone(), TokenScope::ReadOnly);
+
+    // Scope should filter all tools
+    let visible: Vec<_> = server
+        .tool_router
+        .tool_list()
+        .into_iter()
+        .filter(|t| server.scope.allows_tool(t.name.as_ref()))
+        .collect();
+    assert!(
+        visible.is_empty(),
+        "ReadOnly scope should hide all tools, got: {:?}",
+        visible.iter().map(|t| &t.name).collect::<Vec<_>>()
+    );
+
+    // Resources should all be visible
+    let resources = willow_agent::resources::list_resources();
+    for r in &resources {
+        assert!(
+            server.scope.allows_resource(&r.raw.uri),
+            "ReadOnly should allow resource: {}",
+            r.raw.uri
+        );
+    }
+}
+
+#[tokio::test]
+async fn messaging_scope_restricts_tools() {
+    use willow_agent::scopes::TokenScope;
+    use willow_agent::server::WillowMcpServer;
+
+    let (client, _broker) = test_client();
+    let server = WillowMcpServer::with_scope(client.clone(), TokenScope::Messaging);
+
+    let all_tools = server.tool_router.tool_list();
+    let visible: Vec<&str> = all_tools
+        .iter()
+        .filter(|t| server.scope.allows_tool(t.name.as_ref()))
+        .map(|t| t.name.as_ref())
+        .collect();
+
+    assert!(visible.contains(&"send_message"));
+    assert!(visible.contains(&"edit_message"));
+    assert!(visible.contains(&"react"));
+    assert!(!visible.contains(&"create_channel"));
+    assert!(!visible.contains(&"kick_member"));
+    assert!(!visible.contains(&"create_server"));
+
+    // Verify the allowed set matches expectations
+    assert_eq!(visible.len(), 8, "Messaging scope should allow 8 tools");
+}
+
+#[tokio::test]
+async fn custom_scope_allowlist() {
+    use std::collections::HashSet;
+    use willow_agent::scopes::TokenScope;
+    use willow_agent::server::WillowMcpServer;
+
+    let (client, _broker) = test_client();
+    let mut allowed = HashSet::new();
+    allowed.insert("send_message".to_string());
+    allowed.insert("react".to_string());
+    let server = WillowMcpServer::with_scope(client.clone(), TokenScope::Custom(allowed));
+
+    let all_tools = server.tool_router.tool_list();
+    let visible: Vec<&str> = all_tools
+        .iter()
+        .filter(|t| server.scope.allows_tool(t.name.as_ref()))
+        .map(|t| t.name.as_ref())
+        .collect();
+
+    assert_eq!(visible.len(), 2);
+    assert!(visible.contains(&"send_message"));
+    assert!(visible.contains(&"react"));
+}
+
+// ─────────────────────── Notification Tests ────────────────────────────────
+
+#[tokio::test]
+async fn notification_serialization_covers_all_variants() {
+    // Verify that event_to_json produces valid output for all 27 event types.
+    // This test complements the unit tests in notifications.rs by running
+    // in the integration test context.
+    assert_eq!(willow_agent::notifications::EVENT_TYPE_NAMES.len(), 27);
+
+    for name in willow_agent::notifications::EVENT_TYPE_NAMES {
+        assert!(!name.is_empty(), "event type name should not be empty");
+    }
+}
+
+#[tokio::test]
+async fn notification_event_to_json_roundtrip() {
+    use willow_client::ClientEvent;
+
+    let event = ClientEvent::MessageReceived {
+        channel: "general".into(),
+        message_id: "msg-1".into(),
+        is_local: false,
+    };
+    let json = willow_agent::notifications::event_to_json(&event);
+
+    // Should be valid JSON with type and data
+    assert_eq!(json["type"], "MessageReceived");
+    assert_eq!(json["data"]["channel"], "general");
+    assert_eq!(json["data"]["message_id"], "msg-1");
+    assert_eq!(json["data"]["is_local"], false);
+
+    // Should be serializable to string and back
+    let json_str = serde_json::to_string(&json).unwrap();
+    let reparsed: serde_json::Value = serde_json::from_str(&json_str).unwrap();
+    assert_eq!(json, reparsed);
+}
+
+// ─────────────────────── Multi-Peer Infrastructure Tests ───────────────────
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_client_on_hub_creates_connected_client() {
+    let local = tokio::task::LocalSet::new();
+    local
+        .run_until(async {
+            let hub = MemHub::new();
+            let (client, _broker) = willow_client::test_client_on_hub(&hub).await;
+
+            // Client should be connected (network is Some)
+            assert!(client.is_connected().await);
+
+            let peer_id = client.peer_id();
+            assert_eq!(peer_id.len(), 64, "peer ID should be 64 hex chars");
+        })
+        .await;
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn two_clients_on_same_hub_have_different_ids() {
+    let local = tokio::task::LocalSet::new();
+    local
+        .run_until(async {
+            let hub = MemHub::new();
+            let (client_a, _) = willow_client::test_client_on_hub(&hub).await;
+            let (client_b, _) = willow_client::test_client_on_hub(&hub).await;
+
+            assert_ne!(
+                client_a.peer_id(),
+                client_b.peer_id(),
+                "two clients should have different peer IDs"
+            );
+        })
+        .await;
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn multi_peer_agent_servers_have_separate_state() {
+    let local = tokio::task::LocalSet::new();
+    local
+        .run_until(async {
+            let hub = MemHub::new();
+            let (client_a, _) = willow_client::test_client_on_hub(&hub).await;
+            let (client_b, _) = willow_client::test_client_on_hub(&hub).await;
+
+            let server_a = WillowMcpServer::new(client_a.clone());
+            let _server_b = WillowMcpServer::new(client_b.clone());
+
+            // Send message on A
+            call_tool(
+                &server_a.tool_router,
+                "send_message",
+                serde_json::json!({ "channel": "general", "body": "from A" }),
+            )
+            .await;
+
+            // A sees the message
+            let msgs_a = client_a.messages("general").await;
+            assert!(msgs_a.iter().any(|m| m.body == "from A"));
+
+            // B has its own state — won't see A's message (separate server states)
+            let msgs_b = client_b.messages("general").await;
+            assert!(
+                !msgs_b.iter().any(|m| m.body == "from A"),
+                "B should not see A's message without joining A's server"
+            );
+        })
+        .await;
+}
diff --git a/crates/client/Cargo.toml b/crates/client/Cargo.toml
index bb80157e..76fbfccc 100644
--- a/crates/client/Cargo.toml
+++ b/crates/client/Cargo.toml
@@ -5,6 +5,9 @@ version.workspace = true
 license.workspace = true
 description = "UI-agnostic client library for the Willow P2P chat network"
 
+[features]
+test-utils = ["willow-network/test-utils"]
+
 [dependencies]
 willow-actor = { path = "../actor" }
 willow-identity = { path = "../identity" }
diff --git a/crates/client/src/accessors.rs b/crates/client/src/accessors.rs
index 223cd44d..891d6b4d 100644
--- a/crates/client/src/accessors.rs
+++ b/crates/client/src/accessors.rs
@@ -141,4 +141,22 @@ impl<N: willow_network::Network> ClientHandle<N> {
     pub async fn current_channel(&self) -> String {
         willow_actor::state::select(&self.chat_meta_addr, |c| c.current_channel.clone()).await
     }
+
+    pub async fn server_description(&self) -> String {
+        willow_actor::state::select(&self.event_state_addr, |es| es.description.clone()).await
+    }
+
+    pub async fn typing_peers(&self) -> Vec<(String, String)> {
+        let my_id = self.identity.endpoint_id();
+        willow_actor::state::mutate(&self.network_meta_addr, move |n| {
+            let now = crate::util::current_time_ms();
+            n.typing_peers.retain(|_, (_, ts)| now - *ts < 5000);
+            n.typing_peers
+                .iter()
+                .filter(|(pid, _)| *pid != &my_id)
+                .map(|(pid, (channel, _))| (pid.to_string(), channel.clone()))
+                .collect()
+        })
+        .await
+    }
 }
diff --git a/crates/client/src/lib.rs b/crates/client/src/lib.rs
index 7afd0a71..f56ed8ce 100644
--- a/crates/client/src/lib.rs
+++ b/crates/client/src/lib.rs
@@ -701,8 +701,8 @@ fn parse_permission(s: &str) -> anyhow::Result<willow_channel::Permission> {
 }
 
 /// Create a test-only ClientHandle without connecting to the network.
-#[cfg(test)]
-pub(crate) fn test_client() -> (
+#[cfg(any(test, feature = "test-utils"))]
+pub fn test_client() -> (
     ClientHandle<willow_network::mem::MemNetwork>,
     willow_actor::Addr<willow_actor::Broker<ClientEvent>>,
 ) {
@@ -943,6 +943,23 @@ pub(crate) fn test_client() -> (
     (client, event_broker)
 }
 
+/// Create a test `ClientHandle` connected to a shared `MemHub`.
+///
+/// Unlike `test_client()`, multiple clients created with the same `hub`
+/// can exchange messages through the in-memory gossip mesh.
+#[cfg(any(test, feature = "test-utils"))]
+pub async fn test_client_on_hub(
+    hub: &std::sync::Arc<willow_network::mem::MemHub>,
+) -> (
+    ClientHandle<willow_network::mem::MemNetwork>,
+    willow_actor::Addr<willow_actor::Broker<ClientEvent>>,
+) {
+    let (mut client, broker) = test_client();
+    let network = willow_network::mem::MemNetwork::new(hub);
+    client.connect(network).await;
+    (client, broker)
+}
+
 #[cfg(test)]
 mod tests {
     // 5 tests temporarily disabled during Arc<RwLock> → actor migration.
diff --git a/docs/plans/2026-04-01-agentic-peer-api.md b/docs/plans/2026-04-01-agentic-peer-api.md
new file mode 100644
index 00000000..0b3ce1fd
--- /dev/null
+++ b/docs/plans/2026-04-01-agentic-peer-api.md
@@ -0,0 +1,865 @@
+# Agentic Peer API — Implementation Plan
+
+**Date**: 2026-04-01
+**Spec**: `docs/specs/2026-03-29-agentic-peer-api-design.md`
+
+## Overview
+
+Build `willow-agent`, an MCP server binary that exposes `ClientHandle`
+as tools/resources/notifications to AI agents, bots, and scripts. Also
+build a multi-peer E2E test harness that exercises the full client stack
+without a UI — this becomes the primary way to test complex multi-peer
+scenarios.
+
+Four phases, each producing a compilable, testable codebase.
+
+---
+
+## Phase 1: Crate Skeleton + CLI + Stdio MCP Server
+
+**Goal**: A `willow-agent` binary that starts up, connects to the
+network as a real peer, and serves a working MCP server over stdio with
+tool discovery (`tools/list`) and resource listing (`resources/list`).
+No tools execute yet — just the shell.
+
+### 1a. Create `crates/agent/` crate
+
+Create the crate with binary target:
+
+```
+crates/agent/
+├── Cargo.toml
+└── src/
+    ├── main.rs       — CLI parsing (clap), startup, shutdown
+    ├── server.rs     — MCP server setup, transport selection
+    ├── tools.rs      — Tool definitions (schema only, stubs)
+    ├── resources.rs  — Resource definitions (schema only, stubs)
+    └── auth.rs       — Bearer token generation
+```
+
+**`Cargo.toml` dependencies:**
+```toml
+[package]
+name = "willow-agent"
+version = "0.1.0"
+edition = "2021"
+
+[[bin]]
+name = "willow-agent"
+path = "src/main.rs"
+
+[dependencies]
+willow-client = { path = "../client" }
+willow-identity = { path = "../identity" }
+willow-network = { path = "../network" }
+willow-actor = { path = "../actor" }
+willow-state = { path = "../state" }
+rmcp = { version = "0.1", features = ["server", "transport-io"] }
+tokio = { version = "1", features = ["full"] }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+clap = { version = "4", features = ["derive"] }
+tracing = "0.1"
+tracing-subscriber = "0.3"
+anyhow = "1"
+rand = "0.8"
+
+[dev-dependencies]
+willow-network = { path = "../network", features = ["test-utils"] }
+tempfile = "3"
+
+# Note: willow-client test-utils feature is enabled for tests via:
+# [features]
+# test-harness = ["willow-client/test-utils"]
+# (added in Phase 3 when the multi-peer harness is built)
+```
+
+### 1b. CLI parsing (`main.rs`)
+
+Implement `clap::Parser` struct matching the spec CLI interface:
+
+```rust
+#[derive(Parser)]
+#[command(name = "willow-agent", about = "Willow MCP agent peer")]
+struct Cli {
+    #[arg(long)]
+    relay: Option<String>,
+    #[arg(long, default_value = "Agent")]
+    name: String,
+    #[arg(long)]
+    server: Option<String>,
+    #[arg(long)]
+    invite: Option<String>,
+    #[arg(long, default_value = "stdio")]
+    transport: String,           // "stdio" | "sse" | "http"
+    #[arg(long, default_value = "127.0.0.1:9100")]
+    bind: String,
+    #[arg(long)]
+    token: Option<String>,
+    #[arg(long)]
+    token_file: Option<String>,
+    #[arg(long)]
+    identity: Option<String>,    // defaults to ~/.willow/agent-identity
+    #[arg(long)]
+    persist: bool,
+    #[arg(long, default_value = "info")]
+    log_level: String,
+    #[arg(long)]
+    generate_identity: bool,
+    #[arg(long)]
+    print_peer_id: bool,
+}
+```
+
+Follow the worker binary pattern from `crates/replay/src/main.rs`:
+identity load/generate, tracing init, tokio runtime.
+
+### 1c. Startup flow (`main.rs`)
+
+1. Init tracing
+2. Load or generate Ed25519 identity (reuse `willow_worker::identity`
+   helpers, or inline equivalent — `Identity::load`/`Identity::generate`)
+3. Create `ClientHandle<IrohNetwork>` via `ClientHandle::new(config)`
+4. If `--relay`, create `IrohNetwork` and call `client.connect(network)`
+5. If `--invite`, call `client.accept_invite(&code)`
+6. If `--server`, call `client.switch_server(&id)`
+7. Set display name via `client.set_display_name(&name)`
+8. Start MCP server on selected transport (stdio only in Phase 1)
+9. Block until stdin closes or SIGTERM
+
+### 1d. MCP server shell (`server.rs`)
+
+Use `rmcp` crate to create an MCP server. Register:
+- Server info (name: "willow-agent", version)
+- Tool schemas from 1e (schema-only stubs, handlers return
+  `NotImplemented` until Phase 2)
+- Resource schemas from 1f (placeholder JSON until Phase 2)
+
+For stdio transport: `rmcp::transport::stdio::serve(server)`.
+
+### 1e. Tool definitions — schema only (`tools.rs`)
+
+Define all tool schemas from the spec as `rmcp::Tool` definitions.
+Each tool has a name, description, and JSON Schema for `inputSchema`.
+Tool handlers return `ToolError::NotImplemented` for now.
+
+Tool groups (from spec):
+- **Server**: `create_server`, `switch_server`, `leave_server`,
+  `rename_server`, `set_server_description`, `authorize_workers`
+- **Messaging**: `send_message`, `send_reply`, `share_file_inline`,
+  `edit_message`, `delete_message`, `react`, `pin_message`,
+  `unpin_message`
+- **Channels**: `create_channel`, `create_voice_channel`,
+  `delete_channel`, `switch_channel`
+- **Permissions**: `trust_peer`, `untrust_peer`, `kick_member`,
+  `create_role`, `delete_role`, `set_permission`, `assign_role`
+- **Identity**: `set_display_name`, `set_server_display_name`,
+  `send_typing`
+- **Invites**: `generate_invite`, `accept_invite`, `create_join_link`,
+  `delete_join_link`
+- **Voice**: `join_voice`, `leave_voice`, `toggle_mute`, `toggle_deafen`
+- **State**: `verify_state`
+
+### 1f. Resource definitions — schema only (`resources.rs`)
+
+Define all MCP resource URIs from the spec. Handlers return placeholder
+JSON for now.
+
+Static resources:
+- `willow://identity`
+- `willow://connection`
+- `willow://servers`
+
+Dynamic resources:
+- `willow://server/current`
+- `willow://server/channels`
+- `willow://server/members`
+- `willow://server/roles`
+- `willow://server/unread`
+- `willow://server/join-links`
+- `willow://server/state-agreement`
+- `willow://channel/{name}/messages`
+- `willow://channel/{name}/pins`
+- `willow://channel/{name}/typing`
+- `willow://voice/status`
+- `willow://voice/{channel}/participants`
+
+### 1g. Bearer token generation (`auth.rs`)
+
+- Generate 256-bit random token via `rand::OsRng`
+- Prefix with `wlw_` and hex-encode
+- `--token` flag overrides auto-generation
+- `--token-file` writes token to file with 0600 permissions
+- Stdio transport skips token auth (process isolation)
+
+### 1h. Justfile + workspace integration
+
+Add to `justfile`:
+```
+# Build the agent binary
+build-agent:
+    cargo build -p willow-agent
+
+# Run the agent
+agent *args:
+    cargo run -p willow-agent -- {{args}}
+
+# Test the agent crate
+test-agent:
+    cargo test -p willow-agent
+```
+
+No changes needed to `check-wasm` — it explicitly lists
+WASM-compatible crates, so `willow-agent` is already excluded.
+
+### 1i. Unit tests
+
+- CLI parsing: verify defaults, required args
+- Token generation: format, uniqueness, length
+- Tool list: all expected tools present, schemas valid JSON
+- Resource list: all expected URIs present
+
+### Verification
+
+```bash
+cargo build -p willow-agent           # compiles
+cargo test -p willow-agent            # unit tests pass
+echo '{"jsonrpc":"2.0","method":"initialize","params":{"capabilities":{}},"id":1}' | cargo run -p willow-agent -- --transport stdio
+# Returns MCP initialize response with server capabilities
+just clippy                           # zero warnings
+```
+
+---
+
+## Phase 2: Tool Implementations
+
+**Goal**: Every MCP tool actually executes against `ClientHandle`.
+Calling `send_message` via MCP delivers a real message over gossipsub.
+
+### 2a. Wire `ClientHandle` into MCP server
+
+The MCP server holds an `Arc<ClientHandle<IrohNetwork>>` (or generic
+over `N: Network` for testability). Each tool handler receives a
+reference to the client handle.
+
+Define a `WillowMcpServer` struct:
+```rust
+pub struct WillowMcpServer<N: Network> {
+    client: Arc<ClientHandle<N>>,
+    // token_scope added in Phase 4
+}
+```
+
+This struct implements `rmcp::ServerHandler` (or equivalent trait from
+the rmcp crate).
+
+### 2b. Implement messaging tools
+
+Map each tool's JSON params to `ClientHandle` method calls:
+
+| Tool | Calls |
+|---|---|
+| `send_message` | `client.send_message(channel, body)` |
+| `send_reply` | `client.send_reply(channel, parent_id, body)` |
+| `share_file_inline` | `client.share_file_inline(channel, filename, &base64_decode(data))` |
+| `edit_message` | `client.edit_message(channel, message_id, new_body)` |
+| `delete_message` | `client.delete_message(channel, message_id)` |
+| `react` | `client.react(channel, message_id, emoji)` |
+| `pin_message` | `client.pin_message(channel, message_id)` |
+| `unpin_message` | `client.unpin_message(channel, message_id)` |
+
+Return `{ "success": true }` on Ok, MCP error on Err.
+
+### 2c. Implement channel tools
+
+| Tool | Calls |
+|---|---|
+| `create_channel` | `client.create_channel(name)` |
+| `create_voice_channel` | `client.create_voice_channel(name)` |
+| `delete_channel` | `client.delete_channel(name)` |
+| `switch_channel` | `client.switch_channel(name)` |
+
+### 2d. Implement permission/member tools
+
+Parse `peer_id` from 64-char hex string to `EndpointId`:
+
+| Tool | Calls |
+|---|---|
+| `trust_peer` | `client.trust_peer(parse_endpoint_id(peer_id))` |
+| `untrust_peer` | `client.untrust_peer(parse_endpoint_id(peer_id))` |
+| `kick_member` | `client.kick_member(parse_endpoint_id(peer_id))` |
+| `create_role` | `client.create_role(name)` |
+| `delete_role` | `client.delete_role(role_id)` |
+| `set_permission` | `client.set_permission(role_id, permission, granted)` |
+| `assign_role` | `client.assign_role(parse_endpoint_id(peer_id), role_id)` |
+
+### 2e. Implement server management tools
+
+| Tool | Calls |
+|---|---|
+| `create_server` | `client.create_server(name)` |
+| `switch_server` | `client.switch_server(id)` |
+| `leave_server` | `client.leave_server()` |
+| `rename_server` | `client.rename_server(name)` |
+| `set_server_description` | `client.set_server_description(desc)` |
+| `authorize_workers` | `client.authorize_workers(&parse_endpoint_ids(worker_peer_ids))` |
+
+### 2f. Implement identity, invite, voice, state tools
+
+**Identity:**
+- `set_display_name` → `client.set_display_name(name)`
+- `set_server_display_name` → `client.set_server_display_name(name)`
+- `send_typing` → `client.send_typing()`
+
+**Invites:**
+- `generate_invite` → `client.generate_invite(&parse_endpoint_id(recipient_peer_id))`
+- `accept_invite` → `client.accept_invite(code)`
+- `create_join_link` → `client.create_join_link(max_uses, expires_at)`
+- `delete_join_link` → `client.delete_join_link(link_id)`
+
+**Voice:**
+- `join_voice` → `client.join_voice(channel_id)`
+- `leave_voice` → `client.leave_voice()`
+- `toggle_mute` → `client.toggle_mute()`
+- `toggle_deafen` → `client.toggle_deafen()`
+
+**State:**
+- `verify_state` → `client.verify_state()`
+
+### 2g. Implement resource handlers
+
+Wire each resource URI to the appropriate `ClientHandle` accessor or
+`ClientViewHandle` `StateRef`. Resources return JSON-serialized
+snapshots:
+
+**Static:**
+- `willow://identity` → `{ peer_id: client.peer_id(), display_name: client.display_name() }`
+- `willow://connection` → `client.views().connection.get()` → serialize `ConnectionView`
+- `willow://servers` → `client.server_list()` → `[{ id, name }]`
+
+**Dynamic (per active server):**
+- `willow://server/current` → `{ id, name, owner, description, display_name }`
+  from `server_registry` + accessors
+- `willow://server/channels` → `client.views().channels.get()` → serialize
+- `willow://server/members` → `client.views().members.get()` → serialize
+- `willow://server/roles` → `client.views().roles.get()` → serialize
+- `willow://server/unread` → `client.views().unread.get()` → serialize
+- `willow://server/join-links` → `client.join_links()`
+- `willow://server/state-agreement` → `client.state_hash_agreement()`
+- `willow://channel/{name}/messages` → filter `messages` view or
+  `client.messages(name)`
+- `willow://channel/{name}/pins` → `client.pinned_messages(name)`
+- `willow://channel/{name}/typing` → filter `ConnectionView.typing_peers`
+- `willow://voice/status` → `voice` state ref
+- `willow://voice/{channel}/participants` → `client.voice_participants(channel)`
+
+### 2h. Unit tests for tool dispatch
+
+Create a local `test_mcp_client()` helper in the agent crate that
+constructs a `WillowMcpServer<MemNetwork>` with a single-peer
+`ClientHandle` (replicate the `test_client()` setup from
+`crates/client/src/lib.rs`). This is Phase 2-only — Phase 3d
+introduces a proper `test-utils` feature for multi-peer harnesses.
+
+For each tool category:
+1. Construct valid JSON params
+2. Call the tool handler via the MCP server
+3. Verify the state change via the underlying `ClientHandle` accessors
+
+Example: call `send_message` tool, then `client.messages("general")`
+should contain the message.
+
+### Verification
+
+```bash
+cargo test -p willow-agent            # all tool + resource tests pass
+just clippy                           # zero warnings
+# Manual: pipe JSON-RPC tool calls via stdio, see real results
+```
+
+---
+
+## Phase 3: Notifications + E2E Test Harness
+
+**Goal**: Wire `ClientEvent` notifications to MCP, build the
+`AgentTestHarness` for in-process multi-peer E2E testing, and write the
+first batch of E2E tests. This phase is where we get the biggest
+testing win — multi-peer scenarios without a browser.
+
+### 3a. ClientEvent → MCP notifications (`notifications.rs`)
+
+Create `crates/agent/src/notifications.rs`:
+
+1. Subscribe to `Broker<ClientEvent>` via `client.subscribe_events()`
+2. Spawn a task that reads from `EventReceiver`
+3. For each `ClientEvent`, serialize to JSON matching the spec's
+   notification format:
+   ```json
+   {
+     "jsonrpc": "2.0",
+     "method": "notifications/willow/event",
+     "params": { "type": "MessageReceived", "channel": "general", ... }
+   }
+   ```
+4. Forward to the MCP server's notification channel
+
+Implement `ClientEvent` → JSON serialization for all 27 variants:
+- `MessageReceived`, `MessageEdited`, `MessageDeleted`, `ReactionAdded`
+- `PeerConnected`, `PeerDisconnected`
+- `ChannelCreated`, `ChannelDeleted`
+- `MemberKicked`, `PeerTrusted`, `PeerUntrusted`
+- `ProfileUpdated`, `ServerRenamed`, `ServerDescriptionChanged`
+- `SyncCompleted`, `RoleCreated`, `RoleDeleted`
+- `StateHashMismatch`
+- `MessagePinned`, `MessageUnpinned`
+- `FileAnnounced`, `Listening`
+- `VoiceJoined`, `VoiceLeft`, `VoiceSignal`
+- `JoinLinkResponse`, `JoinLinkDenied`
+
+### 3b. Resource subscription support
+
+Wire MCP `resources/subscribe` to `StateRef<T>::subscribe()`:
+
+1. When an MCP client subscribes to a resource URI, look up the
+   backing `StateRef` from the resource table
+2. Call `state_ref.subscribe()` to get a notification stream
+3. Spawn a task that watches for changes and emits
+   `notifications/resources/updated` to the MCP client
+4. On unsubscribe, drop the subscription handle (auto-cleaned by actor)
+
+Resources backed by `StateRef` (reactive): `connection`, `channels`,
+`members`, `roles`, `unread`, `messages`, `voice/status`,
+`voice/{channel}/participants`.
+
+Resources backed by plain accessors (polled on read): `identity`,
+`servers`, `server/current`, `server/join-links`,
+`server/state-agreement`, `channel/{name}/pins`,
+`channel/{name}/typing`.
+
+### 3c. `AgentTestHarness` — in-process multi-peer E2E
+
+Create `crates/agent/src/test_harness.rs` (cfg(test) only):
+
+```rust
+/// In-process test peers using MemNetwork.
+pub(crate) struct AgentTestHarness {
+    pub peers: Vec<TestPeer>,
+    _system: willow_actor::System,
+}
+
+pub(crate) struct TestPeer {
+    pub client: ClientHandle<MemNetwork>,
+    pub endpoint_id: EndpointId,
+    pub views: ClientViewHandle,
+}
+
+impl AgentTestHarness {
+    /// Create N in-process peers on a shared MemNetwork hub.
+    ///
+    /// Peer 0 is the "owner" — creates the server and is trusted.
+    /// Peers 1..N join via invite (or direct server state seeding).
+    pub async fn start(n: usize) -> Self { ... }
+
+    /// Convenience: get peer by index.
+    pub fn peer(&self, i: usize) -> &TestPeer { ... }
+
+    /// Wait for gossipsub delivery to settle across all peers.
+    pub async fn settle(&self) { ... }
+
+    pub async fn teardown(self) { ... }
+}
+```
+
+Key design decisions:
+- Uses `MemNetwork` (from `willow-network` `test-utils` feature) for
+  zero-overhead gossipsub simulation
+- Each peer gets its own `ClientHandle<MemNetwork>` with full actor
+  tree (6 domain actors, derived views, persistence, broker)
+- Peers share a `MemHub` for message delivery
+- `settle()` sleeps briefly to let async actor propagation finish
+  (start with 100ms, tune down as we learn the actual latency)
+- Owner peer creates the server and trusts other peers automatically
+  so tests can focus on the scenario, not setup boilerplate
+- Exposed as `pub(crate)` — tests in the agent crate use it directly
+
+Implementation notes:
+- Adapt `test_client()` from `crates/client/src/lib.rs` — it already
+  creates a `ClientHandle<MemNetwork>` with the full actor tree. The
+  harness needs to extend this to N peers sharing a `MemHub` and
+  connected to the same server.
+- `MemNetwork::connect()` / topic subscription will wire peers together.
+  Check if `MemNetwork` supports multi-peer hubs (it uses
+  `tokio::sync::broadcast`). If not, extend `MemHub` to track multiple
+  peers per topic.
+- The existing `test_client()` is `pub(crate)` in `willow-client`. We
+  need either: (a) a `pub` test helper in `willow-client` behind a
+  `test-utils` feature, or (b) replicate the setup in `willow-agent`
+  tests. Option (a) is cleaner — add `pub fn test_client_with_hub(hub)`
+  to `willow-client` behind `#[cfg(feature = "test-utils")]`.
+
+### 3d. Multi-peer client test utilities in `willow-client`
+
+Add to `crates/client/Cargo.toml`:
+```toml
+[features]
+test-utils = ["willow-network/test-utils"]
+```
+
+Add to `crates/client/src/lib.rs` (or a new `test_utils.rs`):
+```rust
+#[cfg(feature = "test-utils")]
+pub mod test_utils {
+    /// Create a ClientHandle connected to the given MemHub.
+    /// Returns the client, its EndpointId, and the event broker.
+    pub fn test_client_on_hub(
+        hub: &MemHub,
+        server_state: &ServerSeed,
+    ) -> (ClientHandle<MemNetwork>, EndpointId, Addr<Broker<ClientEvent>>) { ... }
+
+    /// Seed data for creating a shared server across test peers.
+    pub struct ServerSeed { ... }
+
+    /// Create a server seed owned by the given identity.
+    pub fn create_server_seed(owner: &Identity) -> ServerSeed { ... }
+}
+```
+
+This keeps the complex `ClientHandle` construction centralized in the
+client crate and lets agent tests (and any future test consumers) just
+call `test_client_on_hub()`.
+
+### 3e. First E2E test batch
+
+Create `crates/agent/tests/e2e.rs`:
+
+**Test 1: `messages_delivered_to_all_peers`**
+- 3 peers, Alice sends "hello everyone"
+- Assert Bob and Carol see it via their views
+
+**Test 2: `edit_message_propagates`**
+- Alice sends a message, edits it
+- Assert Bob sees the edited body
+
+**Test 3: `delete_message_propagates`**
+- Alice sends, then deletes
+- Assert Bob no longer sees it
+
+**Test 4: `reactions_propagate`**
+- Alice sends, Bob reacts with 👍
+- Assert Alice sees the reaction
+
+**Test 5: `create_channel_visible_to_all`**
+- Alice creates "dev" channel
+- Assert Bob and Carol see it in their channel list
+
+**Test 6: `pin_unpin_propagates`**
+- Alice sends, pins the message
+- Assert Bob sees it pinned
+- Alice unpins, assert Bob sees it unpinned
+
+**Test 7: `concurrent_messages_converge`**
+- Alice and Bob send simultaneously
+- Assert both peers see both messages (same order)
+
+**Test 8: `events_emitted_on_message_received`**
+- Subscribe to Bob's event broker
+- Alice sends a message
+- Assert Bob's broker emits `MessageReceived`
+
+### 3f. Permission E2E tests
+
+**Test 9: `untrusted_peer_cannot_create_channel`**
+- 2 peers, owner doesn't trust guest
+- Guest tries `create_channel` → expect error
+- Verify channel wasn't created via owner's view
+
+**Test 10: `kick_member_removes_from_server`**
+- Owner kicks guest
+- Assert guest is no longer in member list
+- Assert `MemberKicked` event emitted
+
+**Test 11: `trust_then_untrust_flow`**
+- Owner trusts peer, peer creates channel (succeeds)
+- Owner untrusts peer, peer tries to create another (fails)
+
+**Test 12: `role_permission_enforcement`**
+- Create role with `SendMessages` only
+- Assign to guest
+- Guest can send messages but cannot create channels
+
+### 3g. State convergence E2E tests
+
+**Test 13: `state_hash_agreement`**
+- 3 peers, perform several operations
+- Call `verify_state` on all peers
+- Assert `state_hash_agreement` returns unanimous
+
+**Test 14: `concurrent_channel_creation`**
+- Alice and Bob both create channels simultaneously
+- Assert both channels exist on both peers after settling
+
+**Test 15: `10_peer_message_flood`**
+- 10 peers, each sends 5 messages to "general"
+- Assert all peers see all 50 messages
+
+### 3h. Notification unit tests
+
+- Serialize each `ClientEvent` variant to JSON
+- Verify field names match the spec notification table
+- Round-trip: serialize → deserialize → compare
+
+### Verification
+
+```bash
+cargo test -p willow-agent                          # unit + notification tests
+cargo test -p willow-agent --test e2e               # E2E tests
+cargo test -p willow-client --features test-utils   # client test-utils
+just clippy
+```
+
+---
+
+## Phase 4: Token Scoping + SSE Transport + Justfile Integration
+
+**Goal**: Add bearer token scoping, SSE/HTTP transports, integrate into
+the dev stack, and port remaining high-value Playwright scenarios.
+
+### 4a. Token scoping (`scopes.rs`)
+
+Create `crates/agent/src/scopes.rs`:
+
+```rust
+#[derive(Debug, Clone)]
+pub enum TokenScope {
+    Full,
+    ReadOnly,
+    Messaging,
+    Admin,
+    Custom(HashSet<String>),
+}
+
+impl TokenScope {
+    /// Returns true if the given tool name is allowed by this scope.
+    pub fn allows_tool(&self, tool_name: &str) -> bool { ... }
+
+    /// Returns true if the given resource URI is allowed.
+    pub fn allows_resource(&self, uri: &str) -> bool { ... }
+}
+```
+
+Scope definitions:
+- **Full**: all tools, all resources
+- **ReadOnly**: no tools, all resources
+- **Messaging**: `send_message`, `send_reply`, `edit_message`,
+  `delete_message`, `react`, `pin_message`, `unpin_message`,
+  `send_typing` + all resources
+- **Admin**: all tools + all resources (same as Full, but semantically
+  distinct for future per-tool audit logging)
+- **Custom**: explicit allowlist of tool names
+
+Wire into `WillowMcpServer`:
+- `tools/list` filters by scope
+- `tools/call` checks scope before dispatch, returns MCP error if denied
+- `resources/list` filters by scope
+
+### 4b. Streamable HTTP transport (`server.rs`)
+
+Add `rmcp` feature `transport-streamable-http-server`:
+```toml
+rmcp = { version = "1.3", features = ["server", "transport-io", "transport-streamable-http-server"] }
+```
+
+When `--transport http`:
+1. Generate bearer token (or use `--token`)
+2. Start axum HTTP server on `--bind` address
+3. Streamable HTTP endpoint at `/mcp` (supports both SSE streaming
+   and stateless request/response via rmcp's `StreamableHttpService`)
+4. Print token to stderr and optionally to `--token-file`
+
+### 4c. Justfile updates
+
+```just
+# Build the agent binary
+build-agent:
+    cargo build -p willow-agent
+
+# Build agent (release)
+build-agent-release:
+    cargo build --release -p willow-agent
+
+# Run the agent
+agent *args:
+    cargo run -p willow-agent -- {{args}}
+
+# Test agent unit + integration
+test-agent:
+    cargo test -p willow-agent
+
+# Run E2E multi-peer tests via agent harness
+test-agent-e2e:
+    cargo test -p willow-agent --test e2e -- --nocapture
+
+# Update test-all to include agent
+test-all: test test-browser test-agent-e2e test-e2e-ui
+```
+
+Update `scripts/dev.sh` to optionally start an agent process alongside
+relay + workers + web UI. Add `--agent` flag to `dev.sh` that starts
+`willow-agent --transport sse --relay <local-relay>`.
+
+### 4d. Advanced E2E tests (ported from Playwright scenarios)
+
+These scenarios are currently tested via Playwright with real browsers.
+Port the core logic to in-process E2E tests:
+
+**Test 16: `kick_and_rejoin_flow`**
+- Owner kicks member
+- Verify member removed from all peer views
+- Member re-joins via new invite
+- Verify member visible again
+
+**Test 17: `invite_max_uses_enforcement`**
+- Create join link with max_uses=2
+- Two peers join successfully
+- Third peer's join attempt is rejected
+
+**Test 18: `server_rename_propagates`**
+- Owner renames server
+- All peers see `ServerRenamed` event
+- Server name updated in all views
+
+**Test 19: `display_name_propagates`**
+- Peer sets display name
+- All other peers see `ProfileUpdated` event
+- Member list shows new name
+
+**Test 20: `voice_join_leave_tracking`**
+- Peer joins voice channel
+- All peers see `VoiceJoined` event
+- Peer leaves, all see `VoiceLeft`
+- Voice participants list updates
+
+**Test 21: `offline_peer_catches_up`** (if MemNetwork supports
+disconnect/reconnect simulation)
+- Peer goes offline
+- Other peers send messages
+- Peer reconnects
+- Assert peer sees all missed messages
+
+### 4e. Scope enforcement tests
+
+**Test 22: `readonly_token_hides_tools`**
+- Create MCP server with `ReadOnly` scope
+- `tools/list` returns empty
+- `resources/list` returns full list
+- Calling any tool returns error
+
+**Test 23: `messaging_scope_restricts_tools`**
+- Create MCP server with `Messaging` scope
+- `tools/list` shows only messaging tools
+- `create_channel` call returns error
+- `send_message` call succeeds
+
+**Test 24: `custom_scope_allowlist`**
+- Create scope with only `["send_message", "react"]`
+- Verify only those tools appear and execute
+
+### Verification
+
+```bash
+just test-agent                  # unit tests
+just test-agent-e2e              # all E2E tests (15+ scenarios)
+just clippy                      # zero warnings
+just check                       # full check passes
+```
+
+---
+
+## Phase Ordering
+
+```
+Phase 1 (Crate skeleton, CLI, stdio MCP shell)
+    ↓
+Phase 2 (Tool + resource implementations)
+    ↓
+Phase 3 (Notifications, E2E harness, first 15 E2E tests)
+    ↓
+Phase 4 (Scopes, SSE/HTTP, justfile, 6 E2E + 3 scope tests)
+```
+
+All phases are sequential. Each produces a compilable codebase that
+passes `just check`.
+
+---
+
+## Files Changed (complete list)
+
+### Created
+
+```
+crates/agent/Cargo.toml
+crates/agent/src/main.rs           — CLI, startup, shutdown
+crates/agent/src/lib.rs            — Public module re-exports for tests
+crates/agent/src/server.rs         — MCP server setup, stdio + HTTP transports
+crates/agent/src/tools.rs          — 37 MCP tool definitions + handlers
+crates/agent/src/resources.rs      — 15 MCP resource definitions + handlers
+crates/agent/src/notifications.rs  — 27 ClientEvent → MCP notifications
+crates/agent/src/auth.rs           — Bearer token generation + validation
+crates/agent/src/scopes.rs         — TokenScope definitions + enforcement
+crates/agent/tests/e2e.rs          — 24 E2E integration tests
+```
+
+### Modified
+
+```
+crates/client/Cargo.toml           — add test-utils feature
+crates/client/src/lib.rs           — make test_client() pub with test-utils feature
+crates/client/src/accessors.rs     — add server_description(), typing_peers() accessors
+justfile                           — add agent targets, update test-all
+```
+
+### E2E Test Inventory (Actual)
+
+Tests use `test_client()` from `willow-client` (single-peer, in-process)
+since `MemNetwork` multi-peer support requires additional hub wiring.
+Multi-peer propagation tests are deferred to the `McpTestHarness` (future).
+
+| # | Test | Type |
+|---|---|---|
+| 1 | send_message_and_read_back | tool + resource |
+| 2 | edit_message | tool |
+| 3 | delete_message | tool |
+| 4 | react_to_message | tool |
+| 5 | pin_and_unpin_message | tool |
+| 6 | create_channel | tool |
+| 7 | switch_channel | tool |
+| 8 | create_server_returns_id | tool |
+| 9 | rename_server | tool |
+| 10 | set_display_name | tool + accessor |
+| 11 | toggle_mute_returns_state | tool |
+| 12 | toggle_deafen_returns_state | tool |
+| 13 | read_identity_resource | resource |
+| 14 | read_channels_resource | resource |
+| 15 | read_unknown_resource_returns_error | resource |
+| 16 | kick_member_removes_from_server | tool |
+| 17 | server_rename_via_tool | tool + accessor |
+| 18 | display_name_updates | tool + accessor |
+| 19 | voice_join_and_leave | tool |
+| 20 | send_reply_to_message | tool + accessor |
+| 21 | create_and_delete_channel | tool + accessor |
+| 22 | readonly_token_hides_tools | scope |
+| 23 | messaging_scope_restricts_tools | scope |
+| 24 | custom_scope_allowlist | scope |
+
+---
+
+## Future (post-Phase 4)
+
+- `McpTestHarness` — process-spawning harness with real iroh for MCP
+  protocol-level integration tests
+- `crates/agent-sdk/` — typed Rust MCP client library
+- Webhook ingress endpoint
+- Rate limiting per token
+- Audit logging
+- MCP prompts for common workflows
+- Multi-server support via `switch_server` tool
diff --git a/docs/specs/2026-03-29-agentic-peer-api-design.md b/docs/specs/2026-03-29-agentic-peer-api-design.md
new file mode 100644
index 00000000..af96473f
--- /dev/null
+++ b/docs/specs/2026-03-29-agentic-peer-api-design.md
@@ -0,0 +1,1024 @@
+# Agentic Peer API Design Spec
+
+**Date**: 2026-03-29
+**Status**: Draft
+
+## Overview
+
+Expose the `ClientHandle` API to external agents (AI assistants, bots,
+automation scripts) via an MCP (Model Context Protocol) server embedded
+in a new `willow-agent` binary. Agents connect over stdio, SSE, or
+Streamable HTTP and interact with Willow through MCP tools, resources,
+and notifications. The agent binary is a first-class Willow peer — same
+identity, same permissions, same gossipsub participation.
+
+## Why MCP
+
+MCP is JSON-RPC 2.0 with conventions purpose-built for AI agent
+integration. Choosing MCP over raw JSON-RPC, REST, or gRPC gives us:
+
+1. **Zero-integration AI access** — Any MCP-compatible client (Claude
+   Code, Claude Desktop, Cursor, Windsurf, ChatGPT, Gemini, etc.) can
+   connect directly. The agent declares its tools and the AI discovers
+   them at runtime via `tools/list`. No custom SDK required.
+2. **JSON-RPC 2.0 superset** — Non-AI consumers (Python scripts, CLI
+   tools, bots) still work via plain JSON-RPC. Nothing is lost.
+3. **Built-in schema discovery** — `tools/list` returns every operation
+   with typed JSON Schema parameters. Agents know exactly what they can
+   call without external documentation.
+4. **Resources for state** — Server members, channel lists, message
+   history map naturally to MCP resources that AI agents can read.
+5. **Server-sent notifications** — MCP supports server→client
+   notifications, mapping directly to `ClientEvent` streaming.
+6. **Standardized auth** — MCP defines OAuth 2.1 for remote servers
+   and simpler bearer token auth for local transports.
+
+## Motivation
+
+Willow's `ClientHandle` already provides a rich, UI-agnostic API for
+every operation: messaging, channels, roles, permissions, invites, voice
+signaling, file sharing, and state verification. Today only the Bevy
+desktop app and Leptos web app consume it. Opening this API to external
+processes enables:
+
+- **AI chat agents** that participate in conversations, answer questions,
+  summarize threads, or moderate content
+- **CI/CD bots** that post build status, deploy notifications, or PR
+  links into channels
+- **Webhook bridges** that relay events from GitHub, Sentry, PagerDuty
+  into Willow channels
+- **Custom automation** — scheduled messages, on-call rotations,
+  standup bots, poll bots
+- **CLI tooling** — scriptable Willow access for power users
+- **Multi-agent workflows** — AI agents collaborating across channels
+
+## Design Principles
+
+1. **Peer, not proxy**: The agent binary is a real peer with its own
+   Ed25519 identity. It participates in gossipsub, signs messages, and
+   is subject to the same permission model as any user.
+2. **No new wire protocol**: Agents don't need a new P2P protocol. They
+   talk to the local `willow-agent` process over MCP; that process
+   handles all networking via the existing `ClientHandle`.
+3. **Minimal surface**: MCP tools map 1:1 to `ClientHandle` methods.
+   MCP resources map to state accessors. No new abstractions — if the
+   client can do it, the agent can do it.
+4. **Event streaming**: Agents receive `ClientEvent`s as MCP
+   notifications, enabling reactive behavior without polling.
+5. **Local-only by default**: The MCP server uses stdio (spawned by AI
+   client) or binds to `127.0.0.1`. No remote access without explicit
+   configuration.
+
+## Architecture
+
+```
+┌─────────────┐     MCP        ┌──────────────────┐   gossipsub   ┌───────────┐
+│  AI Agent   │───────────────▶│  willow-agent    │◀────────────▶│  Willow   │
+│  (Claude,   │  stdio / SSE   │                  │   iroh QUIC   │  Network  │
+│   scripts)  │◀───────────────│  ClientHandle<N> │               │           │
+│             │  notifications │  + MCP server    │               │           │
+└─────────────┘                └──────────────────┘               └───────────┘
+```
+
+### Internal Architecture
+
+The `willow-agent` binary owns a `ClientHandle<IrohNetwork>` backed by
+the `willow-actor` system. The client uses a **multi-actor reactive
+architecture** with three layers:
+
+**Layer 1 — Domain State Actors** (6 `StateActor<S>` instances):
+
+| Actor | State Type | Fields |
+|---|---|---|
+| Event State | `ServerState` | Event-sourced channels, roles, members, messages, permissions |
+| Server Registry | `ServerRegistry` | `servers: HashMap<String, ServerEntry>`, `active_server: Option<String>` — each entry holds server, topic map, channel keys, unread counts |
+| Chat Meta | `ChatMeta` | `current_channel: String`, `peers: Vec<EndpointId>`, `seen_message_ids: HashSet<String>` |
+| Profiles | `ProfileState` | `names: HashMap<EndpointId, String>` |
+| Network Meta | `NetworkMeta` | `connected: bool`, `typing_peers: HashMap<EndpointId, (String, u64)>`, `last_typing_sent_ms`, `state_verification_results` |
+| Voice State | `VoiceState` | `participants: HashMap<String, HashSet<EndpointId>>`, `active_channel`, `muted`, `deafened` |
+
+Each actor holds its state as `Arc<S>` with copy-on-write mutations.
+Subscribers are notified only when state actually changes (`PartialEq`).
+
+**Layer 2 — Derived Views** (`DerivedActor` instances):
+Reactive computed views that subscribe to layer 1 actors and recompute
+automatically. Each is a pure function of its sources:
+
+| View | Sources | Produces |
+|---|---|---|
+| `MessagesView` | EventState, ServerRegistry, ChatMeta, ProfileState | `Vec<DisplayMessage>` for current channel |
+| `ChannelsView` | EventState, ServerRegistry | `Vec<ChannelInfo>` with name + kind |
+| `MembersView` | EventState, ChatMeta, ProfileState | `Vec<MemberInfo>` with online status |
+| `UnreadView` | ServerRegistry | `HashMap<String, usize>` per channel |
+| `RolesView` | EventState | `Vec<RoleEntry>` with permissions |
+| `ConnectionView` | NetworkMeta, ChatMeta | `connected`, `peer_count`, `typing_peers` |
+
+These only recompute when their sources change, and only notify
+downstream if the computed value differs (`PartialEq`).
+
+**Layer 3 — Composite Views**:
+`ChatViews`, `SocialViews`, and a terminal `ClientView` that groups
+everything into a single snapshot.
+
+**Access Surfaces**:
+- **`client.views()`** → `ClientViewHandle` with `StateRef<T>` handles:
+  - Terminal: `view` (`ClientView` — everything in one snapshot)
+  - Layer 2: `messages`, `members`, `channels`, `unread`, `roles`,
+    `connection` (individual derived views)
+  - Layer 1: `event_state`, `server_registry`, `chat_meta`, `profiles`,
+    `network`, `voice` (raw source state)
+- **`client.mutations()`** → `ClientMutations<N>` typed mutation
+  interface for event-sourced operations
+- **`ClientHandle` methods** → higher-level actions that coordinate
+  multiple actors (e.g., `kick_member`, `create_voice_channel`,
+  `set_permission`, `assign_role`, `share_file_inline`)
+- **`Broker<ClientEvent>`** → pub/sub event distribution
+- **`PersistenceActor`** → fire-and-forget database writes (owns
+  non-Send rusqlite handles, single-threaded by actor guarantee)
+
+This maps naturally to MCP: `StateRef` subscriptions power resource
+change notifications, `ClientMutations` methods become tools, and
+`Broker<ClientEvent>` feeds MCP notifications.
+
+Peer identities use `EndpointId` (an Ed25519 public key from iroh),
+which displays as a 64-character hex string. All tool parameters and
+resource fields that reference peers use this hex format.
+
+### Components
+
+**1. `willow-agent` binary** (`crates/agent/`)
+- Owns a `ClientHandle<IrohNetwork>` with its actor system
+- Runs an MCP server supporting two transports:
+  - **stdio** (default) — AI clients spawn the binary directly
+  - **Streamable HTTP** — `http://127.0.0.1:9100/mcp` for network
+    clients (supports both SSE streaming and stateless HTTP via rmcp's
+    `transport-streamable-http-server` feature)
+- Exposes `ClientHandle` methods as MCP tools
+- Exposes state accessors as MCP resources
+- Streams `ClientEvent`s as MCP notifications
+- Authenticates SSE/HTTP connections with a bearer token
+
+**2. Permission scoping** (bearer token + server-side filtering)
+- Each bearer token is scoped to a set of allowed tool categories
+- Default token: full access (matches the peer's permissions)
+- Restricted tokens: read-only, messaging-only, admin-only
+- Tools that exceed the token scope return MCP error responses
+
+## MCP Server Capabilities
+
+### Transports
+
+| Transport | Use Case | Auth |
+|---|---|---|
+| **stdio** | AI client spawns `willow-agent` as subprocess | Implicit (process isolation) |
+| **Streamable HTTP** | Scripts/bots, stateless or long-lived SSE | Bearer token header |
+
+### Tools
+
+Every mutating method on `ClientHandle<N>` maps to an MCP tool.
+Internally, `ClientHandle` delegates to `ClientMutations<N>` for
+event-sourced operations and directly to domain actors for operations
+that span multiple actors (e.g., `kick_member`, `create_voice_channel`,
+`set_permission`, `assign_role`). Tools are discoverable via
+`tools/list` and include full JSON Schema for params.
+
+#### Server Management
+
+```json
+{
+  "name": "create_server",
+  "description": "Create a new server with the given name. Returns the server ID.",
+  "inputSchema": {
+    "type": "object",
+    "properties": {
+      "name": { "type": "string", "description": "Server display name" }
+    },
+    "required": ["name"]
+  }
+}
+```
+
+Other server tools: `switch_server`, `leave_server`, `rename_server`,
+`set_server_description`, `authorize_workers`.
+
+#### Messaging
+
+| Tool | Parameters | Description |
+|---|---|---|
+| `send_message` | `channel`, `body` | Send a text message |
+| `send_reply` | `channel`, `parent_id`, `body` | Reply to a message |
+| `share_file_inline` | `channel`, `filename`, `data` | Share file (base64, max 256KB) |
+| `edit_message` | `channel`, `message_id`, `new_body` | Edit a message |
+| `delete_message` | `channel`, `message_id` | Delete a message |
+| `react` | `channel`, `message_id`, `emoji` | Add emoji reaction |
+| `pin_message` | `channel`, `message_id` | Pin a message |
+| `unpin_message` | `channel`, `message_id` | Unpin a message |
+
+#### Channels
+
+| Tool | Parameters | Description |
+|---|---|---|
+| `create_channel` | `name` | Create a text channel |
+| `create_voice_channel` | `name` | Create a voice channel |
+| `delete_channel` | `name` | Delete a channel |
+| `switch_channel` | `name` | Set active channel |
+
+#### Permissions & Members
+
+All `peer_id` parameters accept an `EndpointId` as a 64-character hex
+string (the Ed25519 public key of the target peer).
+
+| Tool | Parameters | Description |
+|---|---|---|
+| `trust_peer` | `peer_id` | Grant Administrator permission |
+| `untrust_peer` | `peer_id` | Revoke Administrator permission |
+| `kick_member` | `peer_id` | Remove member, rotate keys |
+| `create_role` | `name` | Create a permission role |
+| `delete_role` | `role_id` | Delete a role |
+| `set_permission` | `role_id`, `permission`, `granted` | Set role permission |
+| `assign_role` | `peer_id`, `role_id` | Assign role to peer |
+| `authorize_workers` | `worker_peer_ids` | Grant SyncProvider to workers |
+
+Valid `permission` values: `SyncProvider`, `ManageChannels`,
+`ManageRoles`, `KickMembers`, `SendMessages`, `CreateInvite`,
+`Administrator`.
+
+#### Identity
+
+| Tool | Parameters | Description |
+|---|---|---|
+| `set_display_name` | `name` | Set agent's display name |
+| `set_server_display_name` | `name` | Set server-scoped name |
+| `send_typing` | | Broadcast typing indicator |
+
+#### Invites
+
+| Tool | Parameters | Description |
+|---|---|---|
+| `generate_invite` | `recipient_peer_id` | Create encrypted invite |
+| `accept_invite` | `code` | Accept invite, join server |
+| `create_join_link` | `max_uses`, `expires_at?` | Create shareable link |
+| `delete_join_link` | `link_id` | Delete a join link |
+
+#### Voice
+
+| Tool | Parameters | Description |
+|---|---|---|
+| `join_voice` | `channel_id` | Join a voice channel |
+| `leave_voice` | | Leave current voice channel |
+| `toggle_mute` | | Toggle mute state, returns new state |
+| `toggle_deafen` | | Toggle deafen state, returns new state |
+
+#### State
+
+| Tool | Parameters | Description |
+|---|---|---|
+| `verify_state` | | Broadcast state hash for verification |
+
+### Resources
+
+Read-only state is exposed as MCP resources via `client.views()`.
+Each resource maps to a `StateRef<T>` from the reactive view system.
+AI agents read resources via `resources/read`; the MCP server reads
+the underlying `StateRef` snapshot (cheap `Arc` clone, no computation
+on read).
+
+All `peer_id` and `author` fields in resource responses are
+`EndpointId` values — 64-character hex strings representing Ed25519
+public keys.
+
+#### Static Resources (always available)
+
+| URI | Backed By | Returns |
+|---|---|---|
+| `willow://identity` | `Identity` + `ProfileState` | `{ peer_id, display_name }` |
+| `willow://connection` | `StateRef<ConnectionView>` | `{ connected, peer_count, typing_peers: [{ peer_id, channel }] }` |
+| `willow://servers` | `StateRef<ServerRegistry>` | `[{ id, name }]` |
+
+#### Dynamic Resources (per active server)
+
+| URI Template | Backed By | Returns |
+|---|---|---|
+| `willow://server/current` | `StateRef<ServerRegistry>` | `{ id, name, owner, description, display_name }` |
+| `willow://server/channels` | `StateRef<ChannelsView>` | `[{ name, kind }]` |
+| `willow://server/members` | `StateRef<MembersView>` | `[{ peer_id, display_name, is_online }]` |
+| `willow://server/roles` | `StateRef<RolesView>` | `[{ id, name, permissions }]` |
+| `willow://server/unread` | `StateRef<UnreadView>` | `{ channel: count }` |
+| `willow://server/join-links` | `join_links` accessor | `[{ id, max_uses, uses }]` |
+| `willow://server/state-agreement` | `NetworkMeta` | `{ agreeing, total }` |
+| `willow://channel/{name}/messages` | `StateRef<MessagesView>` (filtered) | `[{ id, author, body, timestamp, edited, reply_to, reactions }]` |
+| `willow://channel/{name}/pins` | `event_state` accessor | `[{ id, author, body }]` |
+| `willow://channel/{name}/typing` | `NetworkMeta` + accessor | `[{ peer_id, display_name }]` |
+| `willow://voice/status` | `StateRef<VoiceState>` | `{ active_channel, muted, deafened }` |
+| `willow://voice/{channel}/participants` | `StateRef<VoiceState>` | `[{ peer_id }]` |
+
+Resources will support MCP's `resources/subscribe` for change notifications
+in a future release. The current implementation uses `CustomNotification`
+events via `willow/event` for real-time state change delivery (see
+Notifications below). Full resource subscription support is deferred
+because rmcp's `ServerHandler` trait does not yet expose a
+`subscribe_resource` callback — resource subscriptions require framework
+support that is not available in rmcp 1.3. When rmcp adds this, the MCP
+server will call `StateRef<T>::subscribe()` on the backing view actor.
+When the `DerivedActor` recomputes and the value actually changes
+(`PartialEq` check), it will send a `Notify` message to the MCP server,
+which emits `notifications/resources/updated` to the agent. This means:
+
+- **No polling** — changes push from state actors through derived views
+  to the MCP transport automatically
+- **No spurious updates** — `PartialEq` at every layer ensures agents
+  only see real changes
+- **Granular subscriptions** — agents can subscribe to individual
+  resources (just messages, just members) rather than getting firehosed
+
+The `Backed By` column in the resource tables above shows the exact
+`StateRef<T>` or accessor that powers each resource. Resources backed
+by a `StateRef` (derived views or layer 1 actors) support reactive
+subscriptions. Resources backed by plain accessors (e.g., join links,
+pinned messages) are polled on read.
+
+### Notifications (Server → Client)
+
+`ClientEvent`s are distributed via `Broker<ClientEvent>`. The MCP
+server subscribes to the broker and forwards each event as an MCP
+notification. Agents receive these automatically on stdio/SSE
+transports. Dead subscriptions are auto-pruned by the broker.
+
+```json
+{
+  "jsonrpc": "2.0",
+  "method": "notifications/willow/event",
+  "params": {
+    "type": "MessageReceived",
+    "channel": "general",
+    "message_id": "msg-uuid-123",
+    "is_local": false
+  }
+}
+```
+
+All `ClientEvent` variants are forwarded:
+
+| Notification Type | Key Fields |
+|---|---|
+| `MessageReceived` | `channel`, `message_id`, `is_local` |
+| `MessageEdited` | `channel`, `message_id`, `new_body` |
+| `MessageDeleted` | `channel`, `message_id` |
+| `ReactionAdded` | `channel`, `message_id`, `emoji`, `author` |
+| `PeerConnected` | `peer_id` |
+| `PeerDisconnected` | `peer_id` |
+| `ChannelCreated` | `name` |
+| `ChannelDeleted` | `name` |
+| `MemberKicked` | `peer_id` |
+| `PeerTrusted` | `peer_id` |
+| `PeerUntrusted` | `peer_id` |
+| `ProfileUpdated` | `peer_id`, `display_name` |
+| `ServerRenamed` | `new_name` |
+| `SyncCompleted` | `ops_applied` |
+| `RoleCreated` | `name`, `role_id` |
+| `RoleDeleted` | `role_id` |
+| `StateHashMismatch` | `peer_id`, `our_hash`, `their_hash` |
+| `MessagePinned` | `channel`, `message_id` |
+| `MessageUnpinned` | `channel`, `message_id` |
+| `ServerDescriptionChanged` | `description` |
+| `FileAnnounced` | `channel`, `filename`, `size`, `from` |
+| `Listening` | `address` (iroh node address string) |
+| `VoiceJoined` | `channel_id`, `peer_id` |
+| `VoiceLeft` | `channel_id`, `peer_id` |
+| `VoiceSignal` | `channel_id`, `from_peer`, `signal` |
+| `JoinLinkResponse` | `invite_data` |
+| `JoinLinkDenied` | `reason` |
+
+## `willow-agent` Binary
+
+### CLI Interface
+
+```
+willow-agent [OPTIONS]
+
+Options:
+  --relay <MULTIADDR>       Relay address (required)
+  --name <NAME>             Display name [default: "Agent"]
+  --server <ID>             Auto-join server by ID
+  --invite <CODE>           Accept invite on startup
+  --transport <MODE>        MCP transport: stdio | http [default: stdio]
+  --bind <ADDR>             HTTP bind address [default: 127.0.0.1:9100]
+  --token <TOKEN>           Fixed bearer token (generated if omitted)
+  --token-file <PATH>       Write token to file for other processes
+  --identity <PATH>         Identity key path [default: ~/.willow/agent-identity]
+  --persist                 Enable persistent storage
+  --log-level <LEVEL>       Log verbosity [default: info]
+```
+
+### Startup Flow
+
+1. Load or generate Ed25519 identity
+2. Start `willow-actor` system
+3. Create `ClientHandle<IrohNetwork>` with config — spawns all 6
+   domain state actors, derived view actors, persistence actor, and
+   event broker
+4. Call `client.connect(network)` — starts iroh node, subscribes to
+   gossipsub topics, spawns topic listener tasks
+5. If `--invite`, accept it; if `--server`, switch to it
+6. Subscribe MCP server to `Broker<ClientEvent>` for notifications
+7. Subscribe MCP server to relevant `StateRef<T>` views for resource
+   change detection
+8. Start MCP server on the selected transport:
+   - **stdio**: read JSON-RPC from stdin, write to stdout (default)
+   - **http**: generate bearer token, start Streamable HTTP endpoint
+     at `/mcp` (supports SSE streaming and stateless request/response)
+9. Block until stdin closes (stdio) or SIGTERM/SIGINT (http)
+
+### AI Client Configuration
+
+AI agents configure `willow-agent` as an MCP server in their config:
+
+**Claude Code (`~/.claude/claude_code_config.json`):**
+```json
+{
+  "mcpServers": {
+    "willow": {
+      "command": "willow-agent",
+      "args": [
+        "--relay", "/ip4/relay.example.com/tcp/9091/ws",
+        "--name", "Claude",
+        "--invite", "wlw_invite_code..."
+      ]
+    }
+  }
+}
+```
+
+**Claude Desktop (`claude_desktop_config.json`):**
+```json
+{
+  "mcpServers": {
+    "willow": {
+      "command": "willow-agent",
+      "args": ["--relay", "/ip4/1.2.3.4/tcp/9091/ws", "--name", "Assistant"]
+    }
+  }
+}
+```
+
+The AI client spawns the process, communicates over stdio, and
+discovers all tools/resources automatically via `initialize`.
+
+### HTTP Mode for Scripts/Bots
+
+```
+$ willow-agent --relay /ip4/1.2.3.4/tcp/9091/ws --name "BuildBot" --transport http
+Agent endpoint ID: a1b2c3d4e5f6...  (64-char hex)
+MCP server listening on: http://127.0.0.1:9100
+Bearer token: wlw_a1b2c3d4e5f6...
+
+# Call a tool via JSON-RPC over HTTP:
+curl -X POST http://127.0.0.1:9100/mcp \
+  -H "Authorization: Bearer wlw_a1b2c3d4e5f6..." \
+  -H "Content-Type: application/json" \
+  -d '{
+    "jsonrpc": "2.0",
+    "method": "tools/call",
+    "params": {
+      "name": "send_message",
+      "arguments": { "channel": "general", "body": "Build #42 passed" }
+    },
+    "id": 1
+  }'
+```
+
+## Permission Model
+
+Agents are regular peers. Their capabilities are determined by:
+
+1. **Network-level permissions**: What the server owner grants to the
+   agent's peer ID (via `trust_peer`, `assign_role`, `set_permission`)
+2. **Token-level scoping**: The bearer token can further restrict what
+   tools the agent process exposes through MCP
+
+### Token Scopes
+
+```rust
+enum TokenScope {
+    /// Full access — all tools and resources
+    Full,
+    /// Read-only — resources only, no tools
+    ReadOnly,
+    /// Messaging — send/edit/delete messages, reactions, typing
+    Messaging,
+    /// Admin — full access including permission management
+    Admin,
+    /// Custom — explicit allowlist of tool names
+    Custom(HashSet<String>),
+}
+```
+
+Token scopes filter which tools appear in `tools/list` and which
+resources appear in `resources/list`. A `ReadOnly` token hides all
+mutating tools entirely — the AI agent never even sees them. Scopes
+cannot grant more than the peer's network permissions — they can only
+restrict.
+
+### Trust Setup
+
+Server owners trust an agent the same way they trust any peer:
+
+1. Agent starts and connects to the network
+2. Owner sees agent's peer ID in the member list
+3. Owner runs `trust_peer` or assigns a role with specific permissions
+4. Agent can now perform operations matching its permissions
+
+No special trust model. No backdoors. The agent is just a peer.
+
+## Event-Driven Agent Pattern
+
+### Python (using any MCP client library)
+
+```python
+from mcp import ClientSession, StdioServerParameters
+from mcp.client.stdio import stdio_client
+
+async def main():
+    server = StdioServerParameters(
+        command="willow-agent",
+        args=["--relay", "/ip4/1.2.3.4/tcp/9091/ws", "--name", "Bot"],
+    )
+
+    async with stdio_client(server) as (read, write):
+        async with ClientSession(read, write) as session:
+            await session.initialize()
+
+            # Discover available tools
+            tools = await session.list_tools()
+            print(f"Available: {[t.name for t in tools.tools]}")
+
+            # Read channel messages
+            messages = await session.read_resource("willow://channel/general/messages")
+            print(messages)
+
+            # Send a message
+            result = await session.call_tool("send_message", {
+                "channel": "general",
+                "body": "Hello from Python!"
+            })
+            print(result)
+```
+
+### Rust (using `willow-agent-sdk`)
+
+```rust
+use willow_agent_sdk::AgentClient;
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    let client = AgentClient::connect_sse(
+        "http://127.0.0.1:9100",
+        "wlw_a1b2c3d4e5f6...",
+    ).await?;
+
+    // Read current members
+    let members = client.read_resource("willow://server/members").await?;
+
+    // Subscribe to message events
+    let mut events = client.notifications().await?;
+
+    while let Some(event) = events.recv().await {
+        if event.event_type == "MessageReceived" && !event.is_local {
+            let messages = client
+                .read_resource(&format!(
+                    "willow://channel/{}/messages", event.channel
+                ))
+                .await?;
+
+            if let Some(latest) = messages.last() {
+                if latest.body.to_lowercase().contains("hello") {
+                    client.call_tool("send_message", serde_json::json!({
+                        "channel": event.channel,
+                        "body": format!("Hey {}!", latest.author_name),
+                    })).await?;
+                }
+            }
+        }
+    }
+    Ok(())
+}
+```
+
+### Claude Code (automatic via MCP config)
+
+Once configured, Claude Code can use Willow tools directly:
+
+> "Send a message in #general saying the deploy is complete"
+
+Claude Code sees the `send_message` tool via MCP discovery and calls
+it with `{ "channel": "general", "body": "Deploy complete." }`.
+
+> "Summarize the last 20 messages in #dev"
+
+Claude Code reads the `willow://channel/dev/messages` resource and
+synthesizes a summary.
+
+## Relationship to Worker Nodes
+
+Workers and agents serve different purposes:
+
+| | Worker Nodes | Agent Peers |
+|---|---|---|
+| **Purpose** | Infrastructure (sync, storage) | User-facing automation |
+| **Protocol** | `WorkerRole` trait, bincode gossipsub | MCP over stdio/SSE/HTTP |
+| **Identity** | Dedicated worker identity | Dedicated agent identity |
+| **Consumers** | Other peers (automatic) | External processes (AI, scripts) |
+| **Discovery** | `_willow_workers` heartbeats | MCP `tools/list` + `resources/list` |
+| **API** | `WorkerRequest`/`WorkerResponse` | `ClientMutations` + `ClientViewHandle` via MCP |
+| **Scaling** | Multiple per role | One agent process per identity |
+
+An agent process could optionally also register as a worker (e.g., a
+bot that provides search capabilities), but this is not required.
+
+## Crate Structure
+
+```
+crates/agent/
+├── Cargo.toml
+├── tests/
+│   └── e2e.rs         — 24 E2E integration tests
+└── src/
+    ├── main.rs        — CLI parsing, startup, shutdown
+    ├── lib.rs         — Public module re-exports for tests
+    ├── server.rs      — MCP server setup, stdio + HTTP transports
+    ├── tools.rs       — 37 MCP tool definitions (ClientHandle methods)
+    ├── resources.rs   — 15 MCP resource definitions (state accessors)
+    ├── auth.rs        — Bearer token generation and validation
+    ├── notifications.rs — 27 ClientEvent → MCP notification bridge
+    └── scopes.rs      — Token scope definitions and enforcement
+
+crates/agent-sdk/
+├── Cargo.toml
+└── src/
+    ├── lib.rs         — AgentClient, connection management
+    ├── tools.rs       — Typed tool call wrappers
+    ├── resources.rs   — Typed resource read wrappers
+    └── events.rs      — Notification stream types
+```
+
+### Dependencies
+
+```toml
+# crates/agent/Cargo.toml
+[dependencies]
+willow-client = { path = "../client" }
+willow-identity = { path = "../identity" }
+willow-network = { path = "../network" }
+willow-actor = { path = "../actor" }
+rmcp = { version = "1.3", features = ["server", "transport-io", "transport-streamable-http-server"] }
+schemars = "1.0"
+axum = "0.8"
+tokio = { version = "1", features = ["full"] }
+tokio-util = "0.7"
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+clap = { version = "4", features = ["derive"] }
+tracing = "0.1"
+tracing-subscriber = "0.3"
+anyhow = "1"
+rand = "0.9"
+dirs = "6"
+```
+
+## Implementation Plan
+
+### Phase 1: Core MCP Server (stdio)
+- [ ] Create `crates/agent/` with CLI skeleton
+- [ ] Implement MCP server with stdio transport
+- [ ] Define MCP resources for read-only state (channels, members,
+      messages, identity, connection status)
+- [ ] Bearer token generation for non-stdio transports
+- [ ] Basic integration test: spawn agent, call `tools/list`
+
+### Phase 2: Tools + Notifications + E2E Harness
+- [ ] Define MCP tools for all mutating `ClientHandle` methods
+- [ ] Wire `ClientEvent`s to MCP notifications
+- [ ] Resource subscription support (`resources/subscribe`) — deferred, requires rmcp framework support
+- [ ] Token scoping (Full, ReadOnly, Messaging)
+- [ ] Build `AgentTestHarness` — spawn relay + N agents for tests
+- [ ] First MCP E2E test: multi-peer message delivery
+- [ ] Integration test: call `send_message` tool, verify delivery
+
+### Phase 3: SSE Transport + SDK + E2E Suite
+- [ ] Add SSE transport alongside stdio
+- [ ] Add Streamable HTTP transport
+- [ ] Create `crates/agent-sdk/` with typed Rust client
+- [ ] `--invite` and `--server` auto-join on startup
+- [ ] Graceful shutdown (drain connections, save state)
+- [ ] `just build-agent` / `just agent` commands in justfile
+- [ ] `just test-agent-e2e` command for MCP E2E tests
+- [ ] Add to `just dev` stack as optional participant
+- [ ] Port key Playwright scenarios to MCP E2E tests (permissions,
+      multi-peer sync, kick/rejoin, invite flows)
+- [ ] Documentation with examples in Python, TypeScript, Rust
+
+### Phase 4: Advanced Features (future)
+- [ ] Webhook ingress (HTTP endpoint that maps webhooks → messages)
+- [ ] Rate limiting per token
+- [ ] Audit logging of all tool calls
+- [ ] Multi-server support (switch_server via tool)
+- [ ] File upload via tool (base64-encoded)
+- [ ] Custom token scopes via config file
+- [ ] MCP prompts for common workflows (summarize channel, onboard
+      new member, review permissions)
+
+## Security Considerations
+
+1. **Local-only by default**: stdio requires no network listener. SSE
+   and HTTP default to `127.0.0.1`. Exposing to `0.0.0.0` requires
+   explicit `--bind 0.0.0.0:9100` and is strongly discouraged without
+   TLS.
+2. **Bearer tokens**: Generated with 256 bits of entropy via
+   `rand::OsRng`. Prefixed with `wlw_` for easy identification in
+   logs/configs. Only required for SSE/HTTP — stdio relies on process
+   isolation.
+3. **No privilege escalation**: Token scopes filter which tools and
+   resources are visible. They can only restrict, never expand beyond
+   the peer's network permissions.
+4. **Identity isolation**: Agent uses its own identity key, separate
+   from the user's main identity. Compromising the agent token doesn't
+   compromise the user's identity.
+5. **Rate limiting**: Phase 4 adds per-token rate limits to prevent
+   abuse from compromised tokens.
+6. **Token rotation**: Restarting the agent generates a new token
+   (unless `--token` is pinned). Token files are created with 0600
+   permissions.
+7. **Tool visibility**: `ReadOnly` scoped tokens hide mutating tools
+   from `tools/list` entirely. The AI agent cannot call what it cannot
+   discover.
+
+## Testing Strategy
+
+### Unit & Integration Tests
+
+| What | Type | Command |
+|---|---|---|
+| Tool definitions + schemas | Unit tests | `cargo test -p willow-agent` |
+| Resource serialization | Unit tests | `cargo test -p willow-agent` |
+| Token auth + scopes | Unit tests | `cargo test -p willow-agent` |
+| Agent ↔ network (stdio) | Integration | `cargo test -p willow-agent --test integration` |
+| SDK client methods | Unit tests | `cargo test -p willow-agent-sdk` |
+| End-to-end agent | Integration | Start agent + relay, script calls tools |
+
+### E2E Testing via MCP (UI-Free)
+
+One of the biggest wins of the agent API is that it enables full
+end-to-end testing of multi-peer behavior without a browser, DOM, or
+UI framework. Today's Playwright E2E tests must navigate the Leptos web
+UI to perform every action — clicking buttons, filling inputs, waiting
+for DOM updates. This makes tests slow, brittle (selector changes break
+them), and unable to test scenarios that aren't exposed in the UI.
+
+The MCP API gives us a typed, deterministic interface to drive real
+peers over the actual network. Tests become:
+
+- **Faster** — no browser startup, no WASM compilation, no DOM rendering
+- **More reliable** — no CSS selectors to break, no timing hacks
+- **More expressive** — test permission edge cases, concurrent mutations,
+  state divergence, and recovery scenarios that are hard to trigger via UI
+- **Parallel** — spin up N agent processes cheaply vs. N browser contexts
+
+#### Test Harness: `AgentTestHarness`
+
+Two complementary approaches:
+
+**1. In-process harness (fastest, for most tests)**
+
+Uses `ClientHandle<MemNetwork>` directly — no child processes, no
+real networking. The `MemNetwork` test double (already in
+`willow-network`) simulates gossipsub in memory. Tests exercise the
+full client stack (actors, views, mutations, persistence) without
+process or network overhead.
+
+```rust
+/// In-process test peers using MemNetwork.
+struct AgentTestHarness {
+    peers: Vec<TestPeer>,
+    system: SystemHandle,
+}
+
+struct TestPeer {
+    client: ClientHandle<MemNetwork>,
+    endpoint_id: EndpointId,
+    /// Subscribe to the view system for assertions.
+    views: ClientViewHandle,
+    /// Drive mutations.
+    mutations: ClientMutations<MemNetwork>,
+}
+
+impl AgentTestHarness {
+    /// Create N in-process peers on a shared MemNetwork.
+    /// First peer creates the server and invites the rest.
+    async fn start(n: usize) -> Self { ... }
+
+    async fn teardown(self) { ... }
+}
+```
+
+**2. Process-spawning harness (for MCP protocol + real network tests)**
+
+Spawns actual `willow-agent` binaries connected over iroh, and drives
+them via MCP over stdio. Tests the full MCP serialization path and
+real networking.
+
+```rust
+/// Spawns `willow-agent` processes and provides typed MCP clients.
+struct McpTestHarness {
+    relay: RelayHandle,
+    agents: Vec<McpAgentHandle>,
+}
+
+struct McpAgentHandle {
+    /// Typed MCP client (from willow-agent-sdk) connected over stdio.
+    client: AgentClient,
+    endpoint_id: EndpointId,
+    process: Child,
+}
+```
+
+Most tests should use the in-process harness (runs in ~5ms vs ~1-2s).
+The MCP process harness is for integration tests that specifically
+validate the MCP transport layer and real iroh networking.
+
+#### Example: Multi-Peer Message Delivery (in-process)
+
+```rust
+#[tokio::test]
+async fn messages_delivered_to_all_peers() {
+    let harness = AgentTestHarness::start(3).await;
+    let [alice, bob, carol] = &harness.peers[..] else { panic!() };
+
+    // Alice sends a message via the mutations interface.
+    alice.mutations.send_message("general", "hello everyone").await.unwrap();
+
+    // Wait for gossipsub delivery via MemNetwork.
+    tokio::time::sleep(Duration::from_millis(100)).await;
+
+    // Verify via reactive views — no polling needed.
+    let bob_msgs = bob.views.messages.get().await;
+    assert!(bob_msgs.messages.iter().any(|m| m.body == "hello everyone"));
+
+    let carol_msgs = carol.views.messages.get().await;
+    assert!(carol_msgs.messages.iter().any(|m| m.body == "hello everyone"));
+
+    harness.teardown().await;
+}
+```
+
+#### Example: Permission Enforcement (in-process)
+
+```rust
+#[tokio::test]
+async fn unprivileged_peer_cannot_create_channel() {
+    let harness = AgentTestHarness::start(2).await;
+    let [owner, guest] = &harness.peers[..] else { panic!() };
+
+    // Guest (not trusted) tries to create a channel.
+    let result = guest.mutations.create_channel("secret").await;
+
+    // Should fail — guest lacks ManageChannels permission.
+    assert!(result.is_err());
+
+    // Verify channel was not created via owner's view.
+    let channels = owner.views.channels.get().await;
+    assert!(!channels.channels.iter().any(|c| c.name == "secret"));
+
+    harness.teardown().await;
+}
+```
+
+#### Example: State Convergence (in-process)
+
+```rust
+#[tokio::test]
+async fn state_converges_after_concurrent_writes() {
+    let harness = AgentTestHarness::start(2).await;
+    let [alice, bob] = &harness.peers[..] else { panic!() };
+
+    // Both peers send messages concurrently.
+    let (a, b) = tokio::join!(
+        alice.mutations.send_message("general", "from alice"),
+        bob.mutations.send_message("general", "from bob"),
+    );
+    a.unwrap();
+    b.unwrap();
+
+    // Wait for sync to settle.
+    tokio::time::sleep(Duration::from_millis(200)).await;
+
+    // Both peers should see both messages via their views.
+    let alice_msgs = alice.views.messages.get().await;
+    let bob_msgs = bob.views.messages.get().await;
+
+    assert_eq!(alice_msgs.messages.len(), bob_msgs.messages.len());
+    assert!(alice_msgs.messages.iter().any(|m| m.body == "from bob"));
+    assert!(bob_msgs.messages.iter().any(|m| m.body == "from alice"));
+
+    // Verify state hashes agree.
+    alice.mutations.verify_state().await.unwrap();
+    tokio::time::sleep(Duration::from_millis(200)).await;
+    let (agreeing, total) = alice.client.state_hash_agreement().await;
+    assert_eq!(agreeing, total);
+
+    harness.teardown().await;
+}
+```
+
+#### Example: MCP Protocol Test (process-spawning)
+
+```rust
+#[tokio::test]
+async fn mcp_send_message_round_trip() {
+    let harness = McpTestHarness::start(2).await;
+    let [alice, bob] = &harness.agents[..] else { panic!() };
+
+    // Drive via MCP tool calls — validates full serialization path.
+    alice.client.call_tool("send_message", json!({
+        "channel": "general",
+        "body": "hello via MCP",
+    })).await.unwrap();
+
+    bob.client.wait_for_notification(|n| {
+        n.event_type == "MessageReceived" && !n.is_local
+    }).await;
+
+    let bob_msgs = bob.client.read_resource(
+        "willow://channel/general/messages"
+    ).await.unwrap();
+    assert_eq!(bob_msgs.last().unwrap().body, "hello via MCP");
+
+    harness.teardown().await;
+}
+```
+
+#### Scenarios Enabled by MCP E2E Tests
+
+These are hard or impossible to test via UI but straightforward with
+the agent API:
+
+| Scenario | Why it's hard via UI |
+|---|---|
+| 3-way merge convergence | Need 3 browsers, precise timing |
+| Permission escalation/de-escalation | Many UI clicks, hard to verify state |
+| Kick + key rotation + rejoin | Multi-step flow across peers |
+| Concurrent channel creation | Race conditions masked by UI debounce |
+| 10+ peer message flood | 10 browser contexts is expensive |
+| Offline peer recovery via relay | Can't simulate disconnect in browser |
+| State hash mismatch detection | No UI surface for this at all |
+| Role/permission matrix exhaustive | Combinatorial explosion of UI paths |
+| Invite flow edge cases (expired, max uses) | Timing-sensitive, multi-peer |
+| Worker authorization + sync | Workers have no UI |
+
+#### Integration with Existing Test Tiers
+
+MCP E2E tests sit between the existing client integration tests and
+Playwright E2E tests:
+
+| Tier | What it tests | Speed | Needs Network | Needs UI |
+|---|---|---|---|---|
+| State tests | Pure event logic | ~1ms/test | No | No |
+| Client tests | Client API methods | ~5ms/test | No | No |
+| **In-process E2E** | **Multi-peer via MemNetwork** | **~5-50ms/test** | **No (MemNetwork)** | **No** |
+| **MCP E2E tests** | **MCP protocol + real iroh** | **~1-2s/test** | **Yes (localhost)** | **No** |
+| Playwright E2E | Full UI + network | ~10-30s/test | Yes | Yes (browser) |
+
+The in-process harness should be the default for most multi-peer tests.
+It exercises the full actor stack (all 6 domain actors, derived views,
+mutations, persistence, event broker) without process spawning or real
+networking. MCP E2E tests validate the MCP serialization layer and
+real iroh transport. Playwright tests focus purely on UI rendering and
+interaction (click targets, responsive layout, visual state).
+
+#### Justfile Commands
+
+```
+just test-agent       # unit + integration tests for crates/agent
+just test-agent-e2e   # MCP-based multi-peer E2E tests
+just test-all         # includes test-agent and test-agent-e2e
+```
+
+## Open Questions
+
+1. **Should the agent binary support running multiple agent identities
+   in one process?** Current design: one identity per process. Multiple
+   agents = multiple processes. Simpler, better isolation.
+
+2. **Should agents be able to impersonate the user's identity (act on
+   behalf of) instead of having their own?** Current design: agents
+   always have their own identity. This is safer and more auditable.
+   "Delegate" mode could be explored later with explicit consent.
+
+3. **MCP Prompts**: Should we expose canned prompt templates (e.g.,
+   "summarize channel", "review permissions", "draft announcement")?
+   These are optional MCP primitives that guide AI behavior. Worth
+   adding in Phase 4 once we see real usage patterns.
+
+4. **MCP Sampling**: MCP supports servers requesting LLM completions
+   from the client (`sampling/createMessage`). This could let the
+   Willow agent ask the AI for help (e.g., auto-moderate by asking the
+   AI to evaluate a message). Defer until clear use case emerges.
diff --git a/justfile b/justfile
index 0a3937da..a6e49696 100644
--- a/justfile
+++ b/justfile
@@ -87,8 +87,28 @@ test-e2e-sync:
 test-e2e-perms:
     npx playwright test e2e/permissions.spec.ts --project=desktop-chrome
 
+# Run agent unit + integration tests
+test-agent:
+    cargo test -p willow-agent
+
+# Run E2E multi-peer tests via agent harness
+test-agent-e2e:
+    cargo test -p willow-agent --test e2e -- --nocapture
+
+# Build the agent binary
+build-agent:
+    cargo build -p willow-agent
+
+# Build agent (release)
+build-agent-release:
+    cargo build --release -p willow-agent
+
+# Run the agent
+agent *args:
+    cargo run -p willow-agent -- {{args}}
+
 # Run ALL tests including browser and E2E
-test-all: test test-browser test-e2e-ui
+test-all: test test-browser test-agent-e2e test-e2e-ui
 
 # Check native compilation
 check-native: