feat(shell): cut over to libp2p mDNS transport and terminal auth

CHANGELOG.md

@@ -9,12 +9,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ### Changed
 - **Daemon install no longer depends on `~/.ww/config.glia`.** `ww daemon install` now renders launchd/systemd service definitions directly from flags/env/defaults, removing the extra host-side Glia config control plane.
 - **Routing capability gains write-path v1 mutation surface (CID-transform API).** Added explicit mutation methods that take a base CID and return a new root CID: `mkdir`, `writeFile`, and `remove`, plus `publish` for IPNS updates with optional compare-and-set (`expectedCurrent`) conflict checks. This keeps reads on WASI paths while making writes explicit, attenuable effects with no hidden mutable daemon root.
-- **Release-facing docs synchronized with shell-migration state.** README/CLI/shell/routing docs now consistently state that `ww shell` is currently a forward-stable stub (`NOT IMPLEMENTED`), reflect persistent-identity defaults and explicit `--insecure-ephemeral`, document routing write-path v1 semantics, and call out shell transport follow-up issue #470.
+- **`ww shell` remote path is live again over libp2p transport.** `ww shell` now dials `/ww/0.1.0`, authenticates through `Terminal(Membrane)` with the local identity key (`WW_IDENTITY` or `~/.ww/identity`), loads the shell cell through `runtime.load`, and opens an interactive REPL.
 - **`ww run` now requires a persistent identity by default.** Identity resolution no longer silently falls back to ephemeral keys when `--identity` is missing or points to a nonexistent file. Default lookup is `~/.ww/identity`; if absent, startup fails with a clear message and remediation. Operators can explicitly bypass with `--insecure-ephemeral` (named insecure on purpose), which restores prior ephemeral behavior for quick trial runs.
-- **Admin UDS interface removed; `ww shell` is temporarily unavailable.** Removed the daemon-side Unix-domain admin service and its local socket discovery path. `ww shell` now remains as a forward-stable CLI surface but exits with `NOT IMPLEMENTED` until the replacement remote transport/auth path lands.
+- **Removed `~/.ww/config.glia` daemon control-plane dependency.** Daemon service definitions are now rendered directly from CLI/env/defaults in `ww daemon install` instead of reading/writing `config.glia`. This removes overlap with pid0 Glia scripts and keeps host config source-of-truth in flags/env.
+- **Admin UDS interface removed; shell transport is now libp2p-first.** The daemon-side UDS admin service remains removed, and shell connectivity is now through the replacement libp2p + terminal-auth path.
 - **Filesystem data-plane contract tightened: backend is now root-layer-only and `perform fs` reads are removed.** The shell/MCP evaluation wrapper no longer routes data-plane reads through `(perform fs ...)`; filesystem reads now go through WASI path I/O (`load`, `import`, `/ipfs/...`, `/ipns/...`). The legacy `fs` handler has been removed. Backend virtual mount resolution now rejects targeted mounts (`source:/guest/path`) and accepts root layers only; `ww run` enforces this early with a CLI preflight error that lists offending mounts. Docs updated across `doc/shell.md`, `doc/capabilities.md`, and `doc/architecture.md` to reflect the single-path model.
 - **CompilationService now uses a dedicated worker pool with in-flight dedupe.** The compiler subsystem moved from single-thread compile handling to a fixed worker pool (`WW_COMPILE_WORKERS`, default derived from CPU count), keys cache entries by `(wasm_blake3, engine identity)`, and coalesces concurrent duplicate compile requests so one cold compile serves all waiters.
-- **Shell local-discovery policy aligned to per-user run dir.** `ww shell` local discovery now scans only `~/.ww/run/` for `<peer-id>.sock` entries (no `/var/run/ww` fallback), and the client fails deterministically with a disambiguation error when multiple local daemons are present instead of prompting interactively. Updated `src/discovery.rs`, `src/cli/shell.rs`, and shell/CLI docs to match this behavior and keep the local admin auth boundary consistently user-scoped.
+- **Shell local discovery moved to mDNS (no lockfile/runtime-record dependency).** No-arg `ww shell` now discovers local candidates over mDNS, prefers deterministic identity matches, auto-connects only when unambiguous, and refuses to guess on multi-result ambiguity (explicit target required). Interactive multi-select UX is tracked separately in #479.
 - **CLI module boundary cleanup (no behavior change).** Extracted daemon-management helpers, namespace command handlers, and doctor checks from `src/cli/main.rs` into `src/cli/daemon_cmd.rs`, `src/cli/ns_cmd.rs`, and `src/cli/doctor_cmd.rs`, leaving `Commands` as thin delegators. This reduces `main.rs` surface area and improves maintainability while preserving existing command behavior.
 - **Runtime load path now supports staged component precompilation via a dedicated compiler service.** Added `ProcBuilder::with_component(...)` so executor spawns can instantiate precompiled components instead of recompiling WASM on worker threads, threaded an optional compile-request channel through runtime construction, and wired daemon startup to spawn `CompilationService` and pass it into kernel/admin runtimes. This keeps behavior compatible while moving CPU-heavy compile work off the executor hot path.
 

Cargo.toml

@@ -56,7 +56,7 @@ blake3 = "1.8.3"
 
 # Host-only dependencies (not needed for WASM guests)
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
-libp2p = { version = "0.55.0", features = ["tokio", "tcp", "noise", "yamux", "macros", "identify", "rsa", "request-response", "ed25519", "kad", "autonat", "relay", "dcutr", "quic", "dns"] }
+libp2p = { version = "0.55.0", features = ["tokio", "tcp", "noise", "yamux", "macros", "identify", "rsa", "request-response", "ed25519", "kad", "autonat", "relay", "dcutr", "quic", "dns", "mdns"] }
 libp2p-core = "0.43"
 ipfs = { path = "crates/ipfs" }
 clap = { version = "4.5.51", features = ["derive", "env"] }

README.md

@@ -63,12 +63,12 @@ Requires a Rust toolchain with the `wasm32-wasip2` target. Optional: [Kubo](http
 
 ```bash
 ww run .                                # boot a node from current dir
-ww shell                                # shell transport currently unavailable
+ww shell                                # discover a local node via mDNS, then open REPL
 ```
 
-`ww shell` is currently a forward-stable CLI stub and exits
-`NOT IMPLEMENTED` while the replacement remote transport/auth path lands.
-See issue #470 for the transport cutover follow-up.
+`ww shell` uses libp2p transport and Terminal(Membrane) auth. By default it
+discovers local hosts via mDNS and auto-connects only when resolution is
+unambiguous.
 
 ### Boot a cell
 

doc/cli.md

@@ -96,34 +96,28 @@ ww run . --stem 0x1234...abcd --rpc-url http://rpc.example.com:8545
 Connect to a running daemon and open a Glia REPL.
 
 ```
-ww shell [ADDR] [--discover]
+ww shell [ADDR]
 ```
 
 The admin UDS path has been removed. The command surface is preserved
-for forward compatibility while remote transport/auth work lands, and
-currently exits with `NOT IMPLEMENTED`.
+with libp2p transport + Terminal(Membrane) auth:
 
-- *(no args)* — **NOT IMPLEMENTED.**
-- `<multiaddr>` — **NOT IMPLEMENTED.** Future libp2p remote dial.
-- `--discover` — **NOT IMPLEMENTED.** Future mDNS LAN browse.
-
-If both `<multiaddr>` and `--discover` are given, `<multiaddr>` takes
-precedence and `--discover` is ignored (documented for forward
-compatibility; today both exit `NOT IMPLEMENTED`).
+- *(no args)* — discover via mDNS, auto-connect only when unambiguous.
+- `<multiaddr>` — explicit remote dial.
 
 ### Examples
 
 ```sh
-ww shell                                    # NOT IMPLEMENTED
-ww shell /dnsaddr/master.wetware.run        # NOT IMPLEMENTED (clap parse OK)
-ww shell /ip4/127.0.0.1/tcp/2025            # NOT IMPLEMENTED (clap parse OK)
+ww shell                                    # mDNS discover + connect
+ww shell /dnsaddr/master.wetware.run        # explicit dial
+ww shell /ip4/127.0.0.1/tcp/2025/p2p/12D3KooW...
 ww shell garbage                            # clap parse error: invalid multiaddr
 ```
 
 ### Auth model
 
-No shell auth model is active right now because there is no live shell
-transport path. The replacement design will use explicit remote auth.
+Shell uses Terminal(Membrane) challenge-response auth over libp2p.
+The signer key comes from `WW_IDENTITY` or `~/.ww/identity`.
 
 See [shell.md](shell.md) for Glia syntax and the capabilities the
 shell cell exposes.

doc/shell.md

@@ -1,22 +1,27 @@
 # Shell
 
-The `ww shell` transport is currently unavailable.
+`ww shell` connects to a running node and opens a Glia REPL.
 
-The previous local admin UDS path has been removed, and the replacement
-remote shell transport/auth path has not landed yet. For now, all
-invocations of `ww shell` return `NOT IMPLEMENTED`.
-
-## CLI Surface (Forward-Compatible)
+## Modes
 
 ```sh
 ww shell
 ww shell <multiaddr>
-ww shell --discover
 ```
 
-The command shape is intentionally preserved so the remote-shell rollout
-can land without another CLI-breaking change.
+- `ww shell`: discover hosts via mDNS, then connect only when target
+  selection is unambiguous.
+- `ww shell <multiaddr>`: dial an explicit target.
+
+## Auth
+
+Shell transport uses libp2p streams and Terminal(Membrane) challenge-response
+authentication. `ww shell` signs terminal challenges with the local identity
+key (`WW_IDENTITY` or `~/.ww/identity`).
+
+## Multi-Result Discovery
 
-## Follow-ups
+When mDNS returns multiple candidates and no deterministic preferred target
+is found, `ww shell` refuses to guess and asks for an explicit multiaddr.
 
-- Transport cutover work is tracked in issue #470.
+Interactive multi-select UX is tracked in issue #479.

src/cli/main.rs

@@ -256,26 +256,12 @@ enum Commands {
 
     /// Connect to a running node and open a Glia REPL.
     ///
-    /// Remote shell transport/auth is currently being reworked.
-    /// This command exists as a forward-stable CLI surface.
-    ///
     /// Example:
     ///   ww shell
-    ///   ww shell /ip4/127.0.0.1/tcp/2025/p2p/12D3KooW...   # NOT IMPLEMENTED
-    ///   ww shell --discover                                # NOT IMPLEMENTED
-    ///
-    /// If both ADDR and --discover are given, ADDR takes precedence
-    /// and --discover is ignored with a warning. (When ADDR / --discover
-    /// are implemented, both will use libp2p with Noise.)
+    ///   ww shell /ip4/127.0.0.1/tcp/2025/p2p/12D3KooW...
     Shell {
-        /// Multiaddr of a remote node (NOT YET IMPLEMENTED — forward-stable
-        /// CLI surface for future libp2p remote shell support).
+        /// Multiaddr of a remote node.
         addr: Option<Multiaddr>,
-
-        /// Browse the LAN for a wetware daemon via mDNS (NOT YET
-        /// IMPLEMENTED — forward-stable CLI surface).
-        #[arg(long)]
-        discover: bool,
     },
 
     /// Effectful operations that mutate state beyond the current directory.
@@ -590,7 +576,7 @@ impl Commands {
                 private_key,
             } => Self::push(path, ipfs_url, stem, rpc_url, private_key).await,
             Commands::Keygen { output } => Self::keygen(output).await,
-            Commands::Shell { addr, discover } => shell::run_shell(addr, discover).await,
+            Commands::Shell { addr } => shell::run_shell(addr).await,
             Commands::Perform { action } => match action {
                 PerformAction::Install => Self::perform_install().await,
                 PerformAction::Uninstall => Self::perform_uninstall().await,
@@ -1356,7 +1342,6 @@ wasip2::cli::command::export!({iface_name}Guest);
         tracing::debug!(source = identity_source, "identity resolved");
 
         let keypair = ww::keys::to_libp2p(&sk)?;
-
         // Attempt to fetch Kubo's identity so we can bootstrap the in-process
         // Kad client against the local node (Amino DHT /ipfs/kad/1.0.0).
         // Non-fatal: if Kubo is unreachable we still start, just without Kad.