diff --git a/.claude/commands/sync-docs.md b/.claude/commands/sync-docs.md
new file mode 100644
index 0000000..f7f050d
--- /dev/null
+++ b/.claude/commands/sync-docs.md
@@ -0,0 +1,62 @@
+# Sync Documentation
+
+After feature work, update the affected documentation to reflect code changes.
+
+## Steps
+
+1. **Identify changed files** — Run `git diff main --name-only` to find modified Go files.
+
+2. **Map files to docs** — Use this mapping to determine which docs need updates:
+
+   | Changed path pattern | Affected docs |
+   |---------------------|---------------|
+   | `forge-core/runtime/` | `docs/runtime.md`, `docs/hooks.md` |
+   | `forge-core/security/` | `docs/security/overview.md`, `docs/security/egress.md` |
+   | `forge-core/tools/` | `docs/tools.md` |
+   | `forge-core/llm/` | `docs/runtime.md` |
+   | `forge-core/memory/` | `docs/memory.md` |
+   | `forge-core/scheduler/` | `docs/scheduling.md` |
+   | `forge-core/secrets/` | `docs/security/secrets.md` |
+   | `forge-core/skills/` | `docs/skills.md` |
+   | `forge-core/channels/` | `docs/channels.md` |
+   | `forge-cli/cmd/` | `docs/commands.md` |
+   | `forge-cli/runtime/` | `docs/runtime.md` |
+   | `forge-cli/server/` | `docs/architecture.md` |
+   | `forge-cli/channels/` | `docs/channels.md` |
+   | `forge-cli/tools/` | `docs/tools.md` |
+   | `forge-plugins/` | `docs/channels.md`, `docs/plugins.md` |
+   | `forge-ui/` | `docs/dashboard.md` |
+   | `forge-skills/` | `docs/skills.md` |
+   | `forge.yaml` / `types/` | `docs/configuration.md` |
+
+3. **Read the diff** — For each mapped doc, read the relevant `git diff main` output to understand what changed.
+
+4. **Update docs** — For each affected doc:
+   - Read the current doc file
+   - Identify sections that need updating based on the code changes
+   - Edit the doc to reflect new behavior, flags, types, or configuration
+   - Preserve the navigation footer and header
+
+5. **Check cross-references** — If you added a new feature/section, ensure:
+   - The README.md documentation table links to it (if it's a new doc)
+   - Related docs cross-link to it where appropriate
+   - Navigation order is still correct
+
+6. **Validate** — Run a quick broken-link check:
+   ```bash
+   grep -rn '\[.*\](.*\.md)' README.md docs/ | while read line; do
+     file=$(echo "$line" | grep -oP '\(.*?\.md\)' | tr -d '()')
+     dir=$(dirname "$(echo "$line" | cut -d: -f1)")
+     target="$dir/$file"
+     [ ! -f "$target" ] && echo "BROKEN: $line"
+   done
+   ```
+
+## Rules
+
+- One topic per file; split if >300 lines
+- Start each doc with a one-sentence summary
+- Use tables over bullet lists for comparisons
+- Link, don't repeat — cross-reference other docs
+- Keep ASCII diagrams (they render everywhere)
+- Code examples must be runnable
diff --git a/README.md b/README.md
index a49010d..e4129fa 100644
--- a/README.md
+++ b/README.md
@@ -1,89 +1,30 @@
-# Forge — Secure Portable AI Agent Runtime
+# Forge — Secure, Portable AI Agent Runtime
 
-## What is Forge?
-
-Forge is a secure, portable AI agent runtime that allows developers to run AI agents locally, in cloud, or in enterprise environments without exposing inbound tunnels.
-
-Forge enables:
-- Atomic agent execution
-- Secure outbound-only connectivity
-- Portable skill-based agents
-- Channel connectors (Slack, Telegram)
-- Cron scheduling
-- Enterprise-grade identity support
-
----
+Build, run, and deploy AI agents from a single `SKILL.md` file.
+Secure by default. Runs anywhere — local, container, cloud, air-gapped.
 
 ## Why Forge?
 
-**Instant Agent From a Single Command**
-
-Write a SKILL.md. Run `forge init`. Your agent is live.
-
-The wizard configures your model provider, validates your API key,
-connects Slack or Telegram, picks skills, and starts your agent.
-Zero to running in under 60 seconds.
-
-**Secure by Default**
-
-Forge is designed for safe execution:
+- **60-second setup** — `forge init` wizard configures provider, keys, channels, and skills
+- **Secure by default** — outbound-only connections, egress allowlists, encrypted secrets, no public listeners
+- **Portable** — same agent runs locally, in Docker, Kubernetes, or inside [Initializ Command](https://initializ.ai)
+- **Observable** — structured NDJSON audit logs with correlation IDs for every action
+- **Extensible** — add skills, tools, channels, and LLM providers without changing core code
 
-* Does NOT create public tunnels
-* Does NOT expose webhooks automatically
-* Uses outbound-only connections (Slack Socket Mode, Telegram polling)
-* Enforces outbound domain allowlists at both build-time and runtime, including subprocess HTTP via a local egress proxy
-* Encrypts secrets at rest (AES-256-GCM) with per-agent isolation
-* Signs build artifacts (Ed25519) for supply chain integrity
-* Supports restricted network profiles with audit logging
-
-No accidental exposure. No hidden listeners.
-
----
-
-## Get Started in 60 Seconds
+## Quick Start
 
 ```bash
 # Install
-curl -sSL https://github.com/initializ/forge/releases/latest/download/forge-$(uname -s)-$(uname -m).tar.gz | tar xz
-sudo mv forge /usr/local/bin/
-
-# Initialize a new agent (interactive wizard)
-forge init my-agent
-
-# Run locally
-cd my-agent && forge run
-
-# Run with Telegram
-forge run --with telegram
-```
+brew install initializ/tap/forge          # or download binary from GitHub Releases
 
-The `forge init` wizard walks you through model provider, API key, fallback providers, tools, skills, and channel setup. Use `--non-interactive` with flags for scripted setups.
+# Create and run an agent
+forge init my-agent && cd my-agent && forge run
 
----
-
-## Install
-
-### macOS (Homebrew)
-```bash
-brew install initializ/tap/forge
-```
-
-### Linux / macOS (binary)
-```bash
-curl -sSL https://github.com/initializ/forge/releases/latest/download/forge-$(uname -s)-$(uname -m).tar.gz | tar xz
-sudo mv forge /usr/local/bin/
-```
-
-### Windows
-
-Download the latest `.zip` from [GitHub Releases](https://github.com/initializ/forge/releases/latest) and add to your PATH.
-
-### Verify
-```bash
-forge --version
+# Connect to Slack
+forge run --with slack
 ```
 
----
+See [Quick Start](docs/quickstart.md) for the full walkthrough, or [Installation](docs/installation.md) for all methods.
 
 ## How It Works
 
@@ -98,1249 +39,74 @@ SKILL.md --> Parse --> Discover tools/requirements --> Compile AgentSpec
                                                (tool calling + memory + cron)
 ```
 
-1. You write a `SKILL.md` that describes what the agent can do
-2. Forge parses the skill definitions and optional YAML frontmatter (binary deps, env vars)
-3. The build pipeline discovers tools, resolves egress domains, and compiles an `AgentSpec`
-4. Security policies (egress allowlists, capability bundles) are applied
-5. Build artifacts are checksummed and optionally signed (Ed25519)
-6. At runtime, encrypted secrets are decrypted and the LLM-powered tool-calling loop executes with session persistence, memory, and a cron scheduler for recurring tasks
-
----
-
-## Skills
-
-Skills are defined in Markdown with optional YAML frontmatter for requirements:
-
-```markdown
----
-name: weather
-description: Weather data skill
-metadata:
-  forge:
-    requires:
-      bins:
-        - curl
-      env:
-        required: []
-        one_of: []
-        optional: []
----
-## Tool: weather_current
-
-Get current weather for a location.
-
-**Input:** location (string) - City name or coordinates
-**Output:** Current temperature, conditions, humidity, and wind speed
-
-## Tool: weather_forecast
-
-Get weather forecast for a location.
-
-**Input:** location (string), days (integer: 1-7)
-**Output:** Daily forecast with high/low temperatures and conditions
-```
-
-Each `## Tool:` heading defines a tool the agent can call. The frontmatter declares binary dependencies and environment variable requirements. Skills compile into JSON artifacts and prompt text during `forge build`.
-
-### Skill Registry
-
-Forge ships with a built-in skill registry. Add skills to your project with a single command:
-
-```bash
-# Add a skill from the registry
-forge skills add tavily-research
-
-# Validate skill requirements
-forge skills validate
-
-# Audit skill security
-forge skills audit --embedded
-```
-
-`forge skills add` copies the skill's SKILL.md and any associated scripts into your project's `skills/` directory. It validates binary and environment requirements, checks for existing values in your environment, `.env` file, and encrypted secrets, and prompts only for truly missing values with a suggestion to use `forge secrets set` for sensitive keys.
-
-### Skills as First-Class Tools
-
-Script-backed skills are automatically registered as **first-class LLM tools** at runtime. When a skill has scripts in `skills/scripts/`, Forge:
-
-1. Parses the skill's SKILL.md for tool definitions, descriptions, and input schemas
-2. Creates a named tool for each `## Tool:` entry (e.g., `tavily_research` becomes a tool the LLM can call directly)
-3. Executes the skill's shell script with JSON input when the LLM invokes it
-
-This means the LLM sees skill tools alongside builtins like `web_search` and `http_request` — no generic `cli_execute` indirection needed.
-
-For skills **without** scripts (binary-backed skills like `k8s-incident-triage`), Forge injects the full skill instructions into the system prompt. The complete SKILL.md body — including triage steps, detection heuristics, output structure, and safety constraints — is included inline so the LLM follows the skill protocol without needing an extra tool call. Skills are invoked via `cli_execute` with the declared binary dependencies.
-
-```
-┌─────────────────────────────────────────────────┐
-│                LLM Tool Registry                │
-├─────────────────┬───────────────────────────────┤
-│  Builtins       │  web_search, http_request     │
-│  Skill Tools    │  tavily_research, ...         │  ← auto-registered from scripts
-│  read_skill     │  load any SKILL.md on demand  │
-│  cli_execute    │  run approved binaries        │
-├─────────────────┴───────────────────────────────┤
-│  System Prompt: full skill instructions inline  │  ← binary-backed skills
-└─────────────────────────────────────────────────┘
-```
-
-### Skill Execution Security
-
-Skill scripts run in a restricted environment via `SkillCommandExecutor`:
-
-- **Isolated environment**: Only `PATH`, `HOME`, and explicitly declared env vars are passed through
-- **Configurable timeout**: Each skill declares a `timeout_hint` in its YAML frontmatter (e.g., 300s for research)
-- **No shell execution**: Scripts run via `bash <script> <json-input>`, not through a shell interpreter
-- **Egress proxy enforcement**: When egress mode is `allowlist` or `deny-all`, a local HTTP/HTTPS proxy is started and `HTTP_PROXY`/`HTTPS_PROXY` env vars are injected into subprocess environments, ensuring `curl`, `wget`, Python `requests`, and other HTTP clients route through the same domain allowlist used by in-process tools (see [Subprocess Egress Proxy](#subprocess-egress-proxy) below)
-
-### Skill Categories & Tags
-
-Skills can declare a `category` and `tags` in their frontmatter for organization and filtering:
-
-```markdown
----
-name: k8s-incident-triage
-category: sre
-tags:
-  - kubernetes
-  - incident-response
-  - triage
----
-```
-
-Categories and tags must be lowercase kebab-case. Use them to filter skills:
-
-```bash
-# List skills by category
-forge skills list --category sre
-
-# Filter by tags (AND semantics — skill must have all listed tags)
-forge skills list --tags kubernetes,incident-response
-```
-
-### Built-in Skills
-
-| Skill | Description | Scripts |
-|-------|-------------|---------|
-| `tavily-research` | Deep multi-source research via Tavily API | `tavily-research.sh`, `tavily-research-poll.sh` |
-| `k8s-incident-triage` | Read-only Kubernetes incident triage using kubectl | — (binary-backed) |
-
-### Tavily Research Skill
-
-The `tavily-research` skill demonstrates the **async two-tool pattern** for long-running operations:
-
-```bash
-forge skills add tavily-research
-```
-
-This registers two tools:
-
-| Tool | Purpose | Behavior |
-|------|---------|----------|
-| `tavily_research` | Submit a research query | Returns immediately with a `request_id` |
-| `tavily_research_poll` | Wait for results | Polls internally for up to ~5 minutes, returns complete report |
-
-The LLM uses them in sequence: submit the research request, inform the user that research is in progress, then call the poll tool which handles all waiting internally. The complete report (1000-3000 words with sources) is returned to the LLM and delivered to the user.
-
-**Research models:**
-
-| Model | Speed | Use Case |
-|-------|-------|----------|
-| `mini` | ~30s | Quick overviews, simple topics |
-| `pro` | ~300s | Comprehensive analysis, complex topics |
-| `auto` | Varies | Let the API choose based on query complexity |
-
-Requires: `curl`, `jq`, `TAVILY_API_KEY` environment variable.
-
-### Kubernetes Incident Triage Skill
-
-The `k8s-incident-triage` skill performs read-only triage of Kubernetes workloads using `kubectl`:
-
-```bash
-forge skills add k8s-incident-triage
-```
-
-This registers a single tool:
-
-| Tool | Purpose | Behavior |
-|------|---------|----------|
-| `k8s_triage` | Diagnose unhealthy workloads, pods, or namespaces | Runs read-only kubectl commands, produces a structured triage report |
-
-The skill accepts two input modes:
-
-- **Human mode** — natural language like `"triage payments-prod"` or `"why are pods pending in checkout-prod?"`
-- **Automation mode** — structured JSON with namespace, workload, pod, and diagnostic options
-
-**Triage process:**
-
-1. Verify cluster access (kubectl version, cluster-info)
-2. Fast health snapshot (pods, deployments, statefulsets)
-3. Events timeline (FailedScheduling, probe failures, evictions)
-4. Describe pods & workloads (container state, restart counts, probes)
-5. Node diagnostics (optional — NotReady, memory/disk pressure)
-6. Logs (optional — with previous container logs for CrashLoopBackOff)
-7. Metrics (optional — via metrics-server)
-
-**Detection heuristics** classify issues into: CrashLoop, OOMKilled, Image Pull Failure, Scheduling Constraint, Probe Failure, PVC/Volume Failure, Node Pressure/Eviction, Rollout Stuck. Each finding includes a hypothesis, evidence, confidence score (0.0–1.0), and recommended next commands.
-
-**Safety:** This skill is strictly read-only. It never executes `apply`, `patch`, `delete`, `exec`, `port-forward`, `scale`, or `rollout restart`. It never prints Secret values.
-
-Requires: `kubectl`, optional `KUBECONFIG`, `K8S_API_DOMAIN`, `DEFAULT_NAMESPACE` environment variables.
-
-### Skill Instructions in System Prompt
-
-Forge injects the **full body** of each skill's SKILL.md into the LLM system prompt. This means all detailed operational instructions — triage steps, detection heuristics, output structure, safety constraints — are directly available in the LLM's context without requiring an extra `read_skill` tool call.
-
-For skills with extensive instructions (like `k8s-incident-triage` with ~150 lines of triage procedures), this ensures the LLM follows the complete skill protocol from the first interaction.
-
----
-
-## Tools
-
-Forge ships with built-in tools, adapter tools, and supports custom tools:
-
-### Built-in Tools
-
-| Tool | Description |
-|------|-------------|
-| `http_request` | Make HTTP requests (GET, POST, PUT, DELETE) |
-| `json_parse` | Parse and query JSON data |
-| `csv_parse` | Parse CSV data into structured records |
-| `datetime_now` | Get current date and time |
-| `uuid_generate` | Generate UUID v4 identifiers |
-| `math_calculate` | Evaluate mathematical expressions |
-| `web_search` | Search the web for quick lookups and recent information |
-| `read_skill` | Load full instructions for an available skill on demand |
-| `memory_search` | Search long-term memory (when enabled) |
-| `memory_get` | Read memory files (when enabled) |
-| `cli_execute` | Execute pre-approved CLI binaries |
-| `schedule_set` | Create or update a recurring cron schedule |
-| `schedule_list` | List all active and inactive schedules |
-| `schedule_delete` | Remove an LLM-created schedule |
-| `schedule_history` | View execution history for scheduled tasks |
-
-### Adapter Tools
-
-| Adapter | Description |
-|---------|-------------|
-| `mcp_call` | Call tools on MCP servers via JSON-RPC |
-| `webhook_call` | POST JSON payloads to webhook URLs |
-| `openapi_call` | Call OpenAPI-described endpoints |
-
-### Web Search Providers
-
-The `web_search` tool supports two providers:
-
-| Provider | API Key Env Var | Endpoint |
-|----------|----------------|----------|
-| Tavily (recommended) | `TAVILY_API_KEY` | `api.tavily.com/search` |
-| Perplexity | `PERPLEXITY_API_KEY` | `api.perplexity.ai/chat/completions` |
-
-Provider selection: `WEB_SEARCH_PROVIDER` env var, or auto-detect from available API keys (Tavily first).
-
-### CLI Execute
-
-The `cli_execute` tool provides security-hardened command execution with 7 security layers:
-
-```yaml
-tools:
-  - name: cli_execute
-    config:
-      allowed_binaries: ["git", "curl", "jq", "python3"]
-      env_passthrough: ["GITHUB_TOKEN"]
-      timeout: 120
-      max_output_bytes: 1048576
-```
-
-Only allowlisted binaries can run. No shell execution. Arguments are validated against injection patterns. Environment is isolated to `PATH`, `HOME`, `LANG` plus explicit passthrough vars.
-
-### Tool Commands
-
-```bash
-# List all registered tools
-forge tool list
-
-# Show details for a specific tool
-forge tool describe web_search
-```
-
-Custom tools can be added by placing scripts in a `tools/` directory in your project.
-
----
-
-## LLM Providers
-
-Forge supports multiple LLM providers with automatic fallback:
-
-| Provider | Default Model | Auth |
-|----------|--------------|------|
-| `openai` | `gpt-5.2-2025-12-11` | API key or OAuth |
-| `anthropic` | `claude-sonnet-4-20250514` | API key |
-| `gemini` | `gemini-2.5-flash` | API key |
-| `ollama` | `llama3` | None (local) |
-| Custom | Configurable | API key |
-
-### Configuration
-
-```yaml
-model:
-  provider: openai
-  name: gpt-4o
-```
-
-Or override with environment variables:
-
-```bash
-export FORGE_MODEL_PROVIDER=anthropic
-export ANTHROPIC_API_KEY=sk-ant-...
-forge run
-```
-
-Provider is auto-detected from available API keys if not explicitly set.
-
-### OpenAI OAuth
-
-For OpenAI, Forge supports browser-based OAuth login (matching the Codex CLI flow) as an alternative to API keys:
-
-```bash
-forge init my-agent
-# Select "OpenAI" -> "Login with browser (OAuth)"
-# Browser opens for authentication
-```
-
-OAuth tokens are stored in `~/.forge/credentials/openai.json` and automatically refreshed.
-
-### Fallback Chains
-
-Configure fallback providers for automatic failover when the primary provider is unavailable:
-
-```yaml
-model:
-  provider: openai
-  name: gpt-4o
-  fallbacks:
-    - provider: anthropic
-      name: claude-sonnet-4-20250514
-    - provider: gemini
-```
-
-Or via environment variable:
-
-```bash
-export FORGE_MODEL_FALLBACKS="anthropic:claude-sonnet-4-20250514,gemini:gemini-2.5-flash"
-```
-
-Fallback behavior:
-- **Retriable errors** (rate limits, overloaded, timeouts) try the next provider
-- **Non-retriable errors** (auth, billing, bad format) abort immediately
-- Per-provider exponential backoff cooldowns prevent thundering herd
-- Fallbacks are also auto-detected from available API keys when not explicitly configured
-
----
-
-## Channel Connectors
-
-Forge connects agents to messaging platforms via channel adapters. Both use **outbound-only connections** — no public URLs, no ngrok, no inbound webhooks.
-
-| Channel | Mode | How It Works |
-|---------|------|-------------|
-| Slack | Socket Mode | Outbound WebSocket via `apps.connections.open` |
-| Telegram | Polling (default) | Long-polling via `getUpdates`, no public URL needed |
-
-```bash
-# Add Slack adapter to your project
-forge channel add slack
-
-# Run agent with Slack connected
-forge run --with slack
-
-# Run with multiple channels
-forge run --with slack,telegram
-```
-
-### Slack App Setup
-
-Before running the Slack adapter, create and configure a Slack App:
-
-1. **Create a Slack App** at https://api.slack.com/apps → "Create New App" → "From scratch"
-2. **Enable Socket Mode** — Settings → Socket Mode → toggle **On**
-3. **Generate an App-Level Token** — Basic Information → "App-Level Tokens" → "Generate Token and Scopes" → add the `connections:write` scope → copy the `xapp-...` token
-4. **Enable Event Subscriptions** — Features → Event Subscriptions → toggle **On** → Subscribe to bot events:
-   - `message.channels` — messages in public channels
-   - `message.im` — direct messages
-   - `app_mention` — @mentions of your bot
-5. **Set Bot Token Scopes** — Features → OAuth & Permissions → Bot Token Scopes → add:
-   - `app_mentions:read`
-   - `chat:write`
-   - `channels:history`
-   - `im:history`
-   - `files:write` (for large response file uploads)
-   - `reactions:write` (for processing indicators)
-6. **Install the App** — Settings → Install App → "Install to Workspace" → copy the `xoxb-...` Bot Token
-7. **Add tokens to `.env`**:
-   ```
-   SLACK_APP_TOKEN=xapp-1-...
-   SLACK_BOT_TOKEN=xoxb-...
-   ```
-8. **Invite the bot** to channels where you want it active: `/invite @YourBot`
-
-### Mention-Aware Filtering
-
-The Slack adapter resolves the bot's own user ID at startup via `auth.test` and uses it for intelligent message filtering:
-
-- **Channel messages** — the bot only responds when explicitly @mentioned (e.g. `@ForgeBot what's the status?`)
-- **Thread replies** — the bot responds to all messages in a thread it's participating in, unless the message @mentions a different user
-- **Direct messages** — all DMs are processed
-- Bot mentions are stripped from the message text before passing to the LLM, so it sees clean input
-
-### Processing Indicators
-
-When the Slack adapter receives a message:
-
-1. An :eyes: reaction is added immediately to acknowledge receipt
-2. If the handler takes longer than 15 seconds, an interim message is posted: _"Researching, I'll post the result shortly..."_
-3. The :eyes: reaction is removed when the response is ready
-
-This gives users visual feedback that their message is being processed, especially for long-running research queries.
-
-Channels can also run standalone as separate services:
-
-```bash
-export AGENT_URL=http://localhost:8080
-forge channel serve slack
-```
-
-### Large Response Handling
-
-When an agent response exceeds 4096 characters (common with research reports), channel adapters automatically split it into a **summary message** and a **file attachment**:
-
-1. A brief summary (first paragraph, up to 600 characters) is sent as a regular message
-2. The full report is uploaded as a downloadable Markdown file (`research-report.md`)
-
-This works on both Slack (via `files.getUploadURLExternal`) and Telegram (via `sendDocument`). If file upload fails, adapters fall back to chunked messages. Markdown is converted to platform-native formatting (Slack mrkdwn or Telegram HTML).
-
-Additionally, the runtime tracks large tool outputs (>8000 characters) and attaches them as file parts in the A2A response. This ensures channel adapters receive the complete, untruncated tool output even when the LLM's text summary is truncated by output token limits. JSON tool outputs (e.g. Tavily Research/Search results) are automatically unwrapped into readable markdown before delivery.
-
----
-
-## Security
-
-Forge provides layered security controls at both build-time and runtime.
-
-### Runtime Egress Enforcement
-
-Every outbound HTTP request from tools passes through an `EgressEnforcer` — an `http.RoundTripper` that validates the target domain against the resolved allowlist before forwarding the request.
-
-| Mode | Behavior |
-|------|----------|
-| `deny-all` | All non-localhost outbound traffic blocked |
-| `allowlist` | Only explicitly allowed domains (exact + wildcard) |
-| `dev-open` | All traffic allowed (development only) |
-
-Key behaviors:
-- **Localhost always allowed** (`127.0.0.1`, `::1`, `localhost`) in all modes
-- **Wildcard domains** supported (e.g., `*.github.com` matches `api.github.com`)
-- **Tool domains auto-inferred** — declaring `web_search` in tools automatically allows `api.tavily.com` and `api.perplexity.ai`
-- **Capability bundles** — declaring `slack` capability adds `slack.com`, `wss-primary.slack.com`, `api.slack.com`, `files.slack.com`
-- Blocked requests return: `egress blocked: domain "X" not in allowlist (mode=allowlist)`
-
-### Subprocess Egress Proxy
-
-The `EgressEnforcer` only works for in-process Go `http.Client` calls. Skill scripts and `cli_execute` subprocesses bypass it because they use external tools like `curl` or `wget`. To close this gap, Forge starts a **local HTTP/HTTPS forward proxy** that validates domains against the same allowlist:
-
-```
-┌─────────────────────────────────────────────────────┐
-│                   forge run                         │
-│                                                     │
-│  In-process HTTP ──→ EgressEnforcer (RoundTripper)  │
-│                                                     │
-│  Subprocesses ──→ HTTP_PROXY ──→ EgressProxy        │
-│  (curl, wget,       127.0.0.1:<port>  (validates    │
-│   python, etc.)                        domains)     │
-└─────────────────────────────────────────────────────┘
-```
-
-Key properties:
-
-- **Local-only**: Binds to `127.0.0.1:0` (random port), never exposed externally
-- **Per-instance**: Each `forge run` gets its own proxy on a different random port
-- **HTTPS CONNECT support**: Validates the destination hostname from the CONNECT line, then blind-relays bytes (no MITM, no custom CA certs needed)
-- **Transparent**: Both uppercase (`HTTP_PROXY`, `HTTPS_PROXY`) and lowercase (`http_proxy`, `https_proxy`) env vars are set to cover all common HTTP clients
-- **Container-aware**: Skipped when running inside Docker/Kubernetes (detected via `KUBERNETES_SERVICE_HOST` env var or `/.dockerenv`), where `NetworkPolicy` handles egress enforcement instead
-- **Mode-aware**: Skipped in `dev-open` mode (no restrictions needed)
-- **Audit logged**: Proxy decisions emit the same `egress_allowed`/`egress_blocked` audit events as the in-process enforcer, with `"source": "proxy"` for distinction
-
-The proxy appears in the startup banner when active:
-
-```
-  Egress:     strict / allowlist
-  Proxy:      http://127.0.0.1:54321
-```
-
-### Egress Profiles
-
-| Profile | Description | Default Mode |
-|---------|-------------|-------------|
-| `strict` | Maximum restriction, deny by default | `deny-all` |
-| `standard` | Balanced, allow known domains | `allowlist` |
-| `permissive` | Minimal restriction for development | `dev-open` |
-
-### Configuration
-
-```yaml
-egress:
-  profile: standard
-  mode: allowlist
-  allowed_domains:
-    - api.example.com
-    - "*.github.com"
-  capabilities:
-    - slack
-```
-
-### Audit Logging
-
-All runtime events are emitted as structured NDJSON to stderr with correlation IDs for end-to-end tracing:
-
-```json
-{"ts":"2026-02-26T10:00:00Z","event":"session_start","correlation_id":"a1b2c3d4","task_id":"task-1"}
-{"ts":"2026-02-26T10:00:01Z","event":"tool_exec","correlation_id":"a1b2c3d4","task_id":"task-1","fields":{"tool":"http_request","phase":"start"}}
-{"ts":"2026-02-26T10:00:01Z","event":"egress_allowed","correlation_id":"a1b2c3d4","task_id":"task-1","fields":{"domain":"api.openai.com","mode":"allowlist"}}
-{"ts":"2026-02-26T10:00:01Z","event":"tool_exec","correlation_id":"a1b2c3d4","task_id":"task-1","fields":{"tool":"http_request","phase":"end"}}
-{"ts":"2026-02-26T10:00:02Z","event":"llm_call","correlation_id":"a1b2c3d4","task_id":"task-1","fields":{"tokens":493}}
-{"ts":"2026-02-26T10:00:02Z","event":"session_end","correlation_id":"a1b2c3d4","task_id":"task-1","fields":{"state":"completed"}}
-```
-
-Event types: `session_start`, `session_end`, `tool_exec`, `egress_allowed`, `egress_blocked`, `llm_call`, `guardrail_check`, `schedule_fire`, `schedule_complete`, `schedule_skip`, `schedule_modify`.
-
-### Build-Time Security
-
-Every `forge build` produces:
-- `egress_allowlist.json` — machine-readable domain allowlist
-- Kubernetes `NetworkPolicy` manifest — restricts pod egress to allowed domains on ports 80/443
-
-```bash
-# Production build rejects dev tools and dev-open egress
-forge package --prod
-```
-
-### Guardrails
-
-The guardrail engine checks inbound and outbound messages against policy rules:
-
-| Guardrail | Description |
-|-----------|-------------|
-| `content_filter` | Blocks messages containing configured blocked words |
-| `no_pii` | Detects email addresses, phone numbers, and SSNs via regex |
-| `jailbreak_protection` | Detects common jailbreak phrases ("ignore previous instructions", etc.) |
-
-Guardrails run in `enforce` mode (blocking) or `warn` mode (logging only), configured via the policy scaffold.
-
----
-
-## Secrets
-
-Forge provides encrypted secret management with per-agent isolation and interactive passphrase prompting.
-
-### Encrypted Storage
+You write a `SKILL.md`. Forge compiles it into a secure, runnable agent with egress controls, encrypted secrets, and audit logging.
 
-Secrets are stored in AES-256-GCM encrypted files with Argon2id key derivation. The file format is `salt(16) || nonce(12) || ciphertext`, with the plaintext being a JSON key-value map.
-
-```bash
-# Store a secret (prompts for value securely)
-forge secret set OPENAI_API_KEY
-
-# Store with inline value
-forge secret set SLACK_BOT_TOKEN xoxb-...
-
-# Retrieve a secret (shows source: encrypted-file or env)
-forge secret get OPENAI_API_KEY
-
-# List all secret keys
-forge secret list
-
-# Delete a secret
-forge secret delete OLD_KEY
-```
-
-### Per-Agent Secrets
-
-Each agent can have its own encrypted secrets file at `<agent-dir>/.forge/secrets.enc`, separate from the global `~/.forge/secrets.enc`. Use the `--local` flag to operate on agent-local secrets:
-
-```bash
-cd my-agent
-
-# Store a secret in the agent-local file
-forge secret set OPENAI_API_KEY sk-agent1-key --local
-
-# Different agent, different key
-cd ../other-agent
-forge secret set OPENAI_API_KEY sk-agent2-key --local
-```
-
-At runtime, secrets are resolved in order: **agent-local** → **global** → **environment variables**. This lets you override global defaults per agent.
-
-### Runtime Passphrase Prompting
-
-When `forge run` encounters encrypted secrets and no `FORGE_PASSPHRASE` environment variable is set, it prompts interactively:
-
-```
-$ forge run
-Enter passphrase for encrypted secrets: ****
-```
-
-In non-interactive environments (CI/CD), set the passphrase via environment variable:
-
-```bash
-export FORGE_PASSPHRASE="my-passphrase"
-forge run
-```
-
-### Smart Init Passphrase
-
-`forge init` detects whether `~/.forge/secrets.enc` already exists:
-
-- **First time**: prompts for passphrase + confirmation (new setup)
-- **Subsequent**: prompts once and validates by attempting to decrypt the existing file
-
-### Configuration
-
-```yaml
-secrets:
-  providers:
-    - encrypted-file          # AES-256-GCM encrypted file
-    - env                     # Environment variables (fallback)
-```
-
-Secret files are automatically excluded from git (`.forge/` in `.gitignore`) and Docker builds (`*.enc` in `.dockerignore`).
-
----
-
-## Build Signing & Verification
-
-Forge supports Ed25519 signing of build artifacts for supply chain integrity.
-
-### Key Management
-
-```bash
-# Generate an Ed25519 signing keypair
-forge key generate
-# Output: ~/.forge/signing-key.pem (private) + ~/.forge/signing-key.pub (public)
-
-# Generate with a custom name
-forge key generate --name ci-key
-
-# Add a public key to the trusted keyring
-forge key trust ~/.forge/signing-key.pub
-
-# List signing and trusted keys
-forge key list
-```
-
-### Build Signing
-
-When a signing key exists at `~/.forge/signing-key.pem` (or specified via `--signing-key`), `forge build` automatically:
-
-1. Computes SHA-256 checksums of all generated artifacts
-2. Signs the checksums with the Ed25519 private key
-3. Writes `checksums.json` with checksums, signature, and key ID
-
-### Runtime Verification
-
-At runtime, `forge run` can verify build artifacts against `checksums.json`:
-
-- Validates SHA-256 checksums of all files
-- Verifies the Ed25519 signature against trusted keys in `~/.forge/trusted-keys/`
-- Verification is optional — if `checksums.json` doesn't exist, it's skipped
-
-### Secret Safety Stage
-
-The build pipeline includes a `secret-safety` stage that:
-
-- Blocks production builds (`--prod`) that only use `encrypted-file` without `env` provider (containers can't use encrypted files at runtime)
-- Warns if `.dockerignore` is missing alongside a generated Dockerfile
-- Ensures secrets never leak into container images
-
----
-
-## Memory
-
-Forge provides two layers of memory management:
-
-### Session Persistence
-
-Sessions are automatically persisted to disk across requests, enabling multi-turn conversations:
-
-```yaml
-memory:
-  persistence: true          # default: true
-  sessions_dir: ".forge/sessions"
-```
-
-- Sessions are saved as JSON files with atomic writes (temp file + fsync + rename)
-- Automatic cleanup of sessions older than 7 days at startup
-- Session recovery on subsequent requests (disk snapshot supersedes task history)
-
-### Context Window Management
-
-Forge automatically manages context window usage based on model capabilities:
-
-| Model | Context Window | Character Budget |
-|-------|---------------|-----------------|
-| `gpt-4o` / `gpt-5` | 128K tokens | ~435K chars |
-| `claude-sonnet` / `claude-opus` | 200K tokens | ~680K chars |
-| `gemini-2.5` | 1M tokens | ~3.4M chars |
-| `llama3` | 8K tokens | ~27K chars |
-| `llama3.1` | 128K tokens | ~435K chars |
-
-When context grows too large, the **Compactor** automatically:
-1. Takes the oldest 50% of messages
-2. Flushes tool results and decisions to long-term memory (if enabled)
-3. Summarizes via LLM (with extractive fallback)
-4. Replaces old messages with the summary
-
-Research tool results receive special handling during compaction: they are preserved with a higher extraction limit (5000 vs 2000 characters) and tagged distinctly in long-term memory logs (e.g., `[research][tool:tavily_research]`) so research insights persist across sessions.
-
-```yaml
-memory:
-  char_budget: 200000       # override auto-detection
-  trigger_ratio: 0.6        # compact at 60% of budget (default)
-```
-
-### Long-Term Memory
-
-Enable cross-session knowledge persistence with hybrid vector + keyword search:
-
-```yaml
-memory:
-  long_term: true
-  memory_dir: ".forge/memory"
-  vector_weight: 0.7
-  keyword_weight: 0.3
-  decay_half_life_days: 7
-```
-
-Or via environment variable:
-
-```bash
-export FORGE_MEMORY_LONG_TERM=true
-```
-
-When enabled, Forge:
-- Creates a `.forge/memory/` directory with a `MEMORY.md` template for curated facts
-- Indexes all `.md` files into a hybrid search index (vector similarity + keyword overlap + temporal decay)
-- Registers `memory_search` and `memory_get` tools for the agent to use
-- Automatically flushes compacted conversation context to daily log files (`YYYY-MM-DD.md`)
-
-**Embedding providers** for vector search:
-
-| Provider | Default Model | Notes |
-|----------|--------------|-------|
-| `openai` | `text-embedding-3-small` | Standard OpenAI embeddings API |
-| `gemini` | `text-embedding-3-small` | OpenAI-compatible endpoint |
-| `ollama` | `nomic-embed-text` | Local embeddings |
-
-Falls back to keyword-only search if no embedding provider is available (e.g., when using Anthropic as the primary provider without a fallback).
-
----
-
-## Hooks
-
-The agent loop fires hooks at key points, enabling observability and custom behavior:
-
-| Hook Point | When | Available Data |
-|------------|------|---------------|
-| `BeforeLLMCall` | Before each LLM API call | Messages, TaskID, CorrelationID |
-| `AfterLLMCall` | After each LLM API call | Messages, Response, TaskID, CorrelationID |
-| `BeforeToolExec` | Before each tool execution | ToolName, ToolInput, TaskID, CorrelationID |
-| `AfterToolExec` | After each tool execution | ToolName, ToolInput, ToolOutput, Error, TaskID, CorrelationID |
-| `OnError` | On LLM call errors | Error, TaskID, CorrelationID |
-| `OnProgress` | During tool execution | Phase, ToolName, StatusMessage |
-
-Hooks fire in registration order. If any hook returns an error, execution stops (useful for security enforcement).
-
-### Progress Tracking
-
-The runner automatically registers progress hooks that emit real-time status updates during tool execution. Progress events include the tool name, phase (`tool_start` / `tool_end`), and a human-readable status message. These events are streamed to clients via SSE when using the A2A HTTP server, enabling live progress indicators in web and chat UIs.
-
----
-
-## Web Dashboard (`forge ui`)
-
-Forge includes a local web dashboard for managing agents from the browser — no CLI needed after launch.
-
-```bash
-# Launch the dashboard
-forge ui
-
-# Specify workspace and port
-forge ui --dir /path/to/workspace --port 4200
-
-# Launch without auto-opening browser
-forge ui --no-open
-```
-
-Opens `http://localhost:4200` with a full-featured SPA for the complete agent lifecycle.
-
-### Dashboard
-
-The main view discovers all agents in the workspace directory and shows their status in real-time via SSE (Server-Sent Events).
-
-| Feature | Description |
-|---------|-------------|
-| Agent discovery | Auto-scans workspace for `forge.yaml` files |
-| Start / Stop | Start and stop agents with one click |
-| Live status | Real-time state updates (stopped, starting, running, errored) |
-| Passphrase unlock | Prompts for `FORGE_PASSPHRASE` when agents have encrypted secrets |
-| Auto-rescan | Detects new agents after creation |
-
-### Interactive Chat
-
-Click any running agent to open a chat interface that streams responses via the A2A protocol.
-
-| Feature | Description |
-|---------|-------------|
-| Streaming responses | Real-time token streaming with progress indicators |
-| Markdown rendering | Code blocks, tables, lists rendered inline |
-| Session history | Browse and resume previous conversations |
-| Tool call visibility | See which tools the agent invokes during execution |
-
-### Create Agent Wizard
-
-A multi-step wizard (web equivalent of `forge init`) that walks through the full agent setup:
-
-| Step | What it does |
-|------|-------------|
-| Name | Set agent name with live slug preview |
-| Provider | Select LLM provider (OpenAI, Anthropic, Gemini, Ollama, Custom) with descriptions |
-| Model & Auth | Pick from provider-specific model lists; OpenAI supports API key or browser OAuth login |
-| Channels | Select Slack/Telegram with inline token collection |
-| Tools | Select builtin tools; web_search shows Tavily vs Perplexity provider choice with API key input |
-| Skills | Browse registry skills by category with inline required/optional env var collection |
-| Fallback | Select backup LLM providers with API keys for automatic failover |
-| Env & Security | Add extra env vars; set passphrase for AES-256-GCM secret encryption |
-| Review | Summary of all selections before creation |
-
-The wizard collects credentials inline at each step (matching the CLI TUI behavior) and supports all the same options: model selection, OAuth, web search providers, fallback chains, and encrypted secret storage.
-
-### Config Editor
-
-Edit `forge.yaml` for any agent with a Monaco-based YAML editor:
-
-| Feature | Description |
-|---------|-------------|
-| Syntax highlighting | YAML language support with Monaco editor |
-| Live validation | Validate config against the forge schema without saving |
-| Save with validation | Server-side validation before writing to disk |
-| Keyboard shortcut | Cmd/Ctrl+S to save |
-| Restart integration | Restart agent after config changes |
-| Fallback editor | Plain textarea if Monaco fails to load |
-
-The Monaco editor is a tree-shaken YAML-only bundle (~615KB) built with esbuild — not the full 4MB distribution.
-
-### Skills Browser
-
-Browse the built-in skill registry with filtering and detail view:
+## Key Features
 
 | Feature | Description |
 |---------|-------------|
-| Grid view | Skill cards showing name, description, category, tags |
-| Category filter | Filter skills by category |
-| Detail panel | Click a skill to view its full SKILL.md content |
-| Env requirements | Shows required, one-of, and optional env vars per skill |
-
-### Architecture
-
-The dashboard is a single Go module (`forge-ui`) embedded into the `forge` binary:
-
-```
-forge-cli/cmd/ui.go          CLI command, injects StartFunc/CreateFunc/OAuthFunc
-forge-ui/
-  server.go                   HTTP server with CORS, SPA fallback
-  handlers.go                 Dashboard API (agents, start/stop, chat, sessions)
-  handlers_create.go          Wizard API (create, config, skills, tools, OAuth)
-  process.go                  Process manager (start/stop agent goroutines)
-  discovery.go                Workspace scanner (finds forge.yaml files)
-  sse.go                      Server-Sent Events broker
-  chat.go                     A2A chat proxy with streaming
-  types.go                    Shared types
-  static/dist/                Embedded frontend (Preact + HTM, no build step)
-    app.js                    SPA with hash routing
-    style.css                 Dark theme styles
-    monaco/                   Tree-shaken YAML editor
-```
-
-Key design: `forge-cli` imports `forge-ui` (not vice versa). CLI-specific logic (scaffold, config loading, OAuth flow) is injected via function callbacks, keeping `forge-ui` framework-agnostic.
-
----
-
-## Scheduling (Cron)
-
-Forge includes a built-in cron scheduler for recurring tasks. Schedules can be defined in `forge.yaml` or created dynamically by the agent at runtime.
-
-### Configuration
-
-```yaml
-schedules:
-  - id: daily-report
-    cron: "@daily"
-    task: "Generate and send the daily status report"
-    skill: "tavily-research"           # optional: invoke a specific skill
-    channel: telegram                  # optional: deliver results to a channel
-    channel_target: "-100123456"       # optional: destination chat/channel ID
-```
-
-### Cron Expressions
-
-| Format | Example | Description |
-|--------|---------|-------------|
-| 5-field standard | `*/15 * * * *` | Every 15 minutes |
-| Aliases | `@hourly`, `@daily`, `@weekly`, `@monthly` | Common intervals |
-| Intervals | `@every 5m`, `@every 1h30m` | Duration-based (minimum 1 minute) |
-
-### Schedule Management
-
-The agent has four built-in tools for managing schedules at runtime:
-
-| Tool | Description |
-|------|-------------|
-| `schedule_set` | Create or update a recurring schedule |
-| `schedule_list` | List all active and inactive schedules |
-| `schedule_delete` | Remove a schedule (LLM-created only; YAML-defined cannot be deleted) |
-| `schedule_history` | View execution history for scheduled tasks |
-
-Schedules can also be managed via the CLI:
-
-```bash
-# List all schedules
-forge schedule list
-```
-
-### Channel Delivery
-
-When a schedule includes `channel` and `channel_target`, the agent's response is automatically delivered to the specified channel after each execution. When schedules are created from channel conversations (Slack, Telegram), the channel context is automatically available so the agent can capture the delivery target.
-
-### Execution Details
-
-- **Tick interval**: 30 seconds
-- **Overlap prevention**: A schedule won't fire again if its previous run is still in progress
-- **Persistence**: Schedules are stored in `.forge/memory/SCHEDULES.md` and survive restarts
-- **History**: The last 50 executions are recorded with status, duration, and correlation IDs
-- **Audit events**: `schedule_fire`, `schedule_complete`, `schedule_skip`, `schedule_modify`
-
----
-
-## Running Modes
-
-### `forge run` — Foreground Server
-
-Run the agent as a foreground HTTP server. Used for development and container deployments.
-
-```bash
-# Development (all interfaces, immediate shutdown)
-forge run --with slack --port 8080
-
-# Container deployment
-forge run --host 0.0.0.0 --shutdown-timeout 30s
-```
-
-| Flag | Default | Description |
-|------|---------|-------------|
-| `--port` | `8080` | HTTP server port |
-| `--host` | `""` (all interfaces) | Bind address |
-| `--shutdown-timeout` | `0` (immediate) | Graceful shutdown timeout |
-| `--with` | — | Channel adapters (e.g. `slack,telegram`) |
-| `--mock-tools` | `false` | Use mock executor for testing |
-| `--model` | — | Override model name |
-| `--provider` | — | Override LLM provider |
-| `--env` | `.env` | Path to env file |
-| `--enforce-guardrails` | `false` | Enforce guardrail violations as errors |
-
-### `forge serve` — Background Daemon
-
-Manage the agent as a background daemon process with PID/log management.
-
-```bash
-# Start daemon (secure defaults: 127.0.0.1, 30s shutdown timeout)
-forge serve
-
-# Start on custom port
-forge serve start --port 9090 --host 0.0.0.0
-
-# Stop the daemon
-forge serve stop
-
-# Check status (PID, uptime, health)
-forge serve status
-
-# View recent logs (last 100 lines)
-forge serve logs
-```
-
-| Subcommand | Description |
-|------------|-------------|
-| `start` (default) | Start the daemon in background |
-| `stop` | Send SIGTERM (10s timeout, SIGKILL fallback) |
-| `status` | Show PID, listen address, health check |
-| `logs` | Tail `.forge/serve.log` |
-
-The daemon forks `forge run` in the background with `setsid`, writes state to `.forge/serve.json`, and redirects output to `.forge/serve.log`. Passphrase prompting for encrypted secrets happens in the parent process (which has TTY access) before forking.
-
----
+| Atomic Skills | `SKILL.md`-based agent definitions with YAML frontmatter |
+| Egress Security | Runtime + build-time domain allowlists with subprocess proxy |
+| Channel Connectors | Slack (Socket Mode), Telegram (polling) — outbound-only |
+| Cron Scheduling | Recurring tasks with channel delivery |
+| Memory | Session persistence + long-term vector search |
+| LLM Fallbacks | Multi-provider with automatic failover |
+| Web Dashboard | `forge ui` for browser-based agent management |
+| Build Signing | Ed25519 artifact signing & verification |
+| Air-Gap Ready | Runs with local models, no cloud required |
 
-## Packaging & Deployment
-
-```bash
-# Build a container image (auto-detects Docker/Podman/Buildah)
-forge package
-
-# Production build (rejects dev tools and dev-open egress)
-forge package --prod
-
-# Build and push to registry
-forge package --registry ghcr.io/myorg --push
-
-# Generate docker-compose with channel sidecars
-forge package --with-channels
-
-# Export for Initializ Command platform
-forge export --pretty --include-schemas
-```
-
-`forge package` generates a Dockerfile, Kubernetes manifests, and NetworkPolicy. Use `--prod` to strip dev tools and enforce strict egress. Use `--verify` to smoke-test the built container.
-
----
-
-## Configuration Reference
-
-Complete `forge.yaml` schema:
-
-```yaml
-agent_id: "my-agent"                # Required
-version: "1.0.0"                    # Required
-framework: "forge"                  # forge (default), crewai, langchain
-registry: "ghcr.io/org"             # Container registry
-entrypoint: "agent.py"              # Required for crewai/langchain, omit for forge
-
-model:
-  provider: "openai"                # openai, anthropic, gemini, ollama, custom
-  name: "gpt-4o"                    # Model name
-  fallbacks:                        # Fallback providers (optional)
-    - provider: "anthropic"
-      name: "claude-sonnet-4-20250514"
-
-tools:
-  - name: "web_search"
-  - name: "cli_execute"
-    config:
-      allowed_binaries: ["git", "curl"]
-      env_passthrough: ["GITHUB_TOKEN"]
-
-channels:
-  - "telegram"
-  - "slack"
-
-egress:
-  profile: "strict"                 # strict, standard, permissive
-  mode: "allowlist"                 # deny-all, allowlist, dev-open
-  allowed_domains:                  # Explicit domains
-    - "api.example.com"
-    - "*.github.com"
-  capabilities:                     # Capability bundles
-    - "slack"
-
-skills:
-  path: "SKILL.md"
-
-secrets:
-  providers:                        # Secret providers (order matters)
-    - "encrypted-file"              # AES-256-GCM encrypted file
-    - "env"                         # Environment variables
-
-memory:
-  persistence: true                 # Session persistence (default: true)
-  sessions_dir: ".forge/sessions"
-  char_budget: 200000               # Context budget override
-  trigger_ratio: 0.6                # Compaction trigger ratio
-  long_term: false                  # Long-term memory (default: false)
-  memory_dir: ".forge/memory"
-  embedding_provider: ""            # Auto-detect from LLM provider
-  embedding_model: ""               # Provider default
-  vector_weight: 0.7                # Hybrid search vector weight
-  keyword_weight: 0.3               # Hybrid search keyword weight
-  decay_half_life_days: 7           # Temporal decay half-life
-
-schedules:                          # Recurring scheduled tasks (optional)
-  - id: "daily-report"
-    cron: "@daily"
-    task: "Generate daily status report"
-    skill: ""                       # Optional skill to invoke
-    channel: "telegram"             # Optional channel for delivery
-    channel_target: "-100123456"    # Destination chat/channel ID
-```
+## Documentation
 
-### Environment Variables
+### Getting Started
 
-| Variable | Description |
+| Document | Description |
 |----------|-------------|
-| `FORGE_MODEL_PROVIDER` | Override LLM provider |
-| `FORGE_MODEL_FALLBACKS` | Fallback chain (e.g., `"anthropic:claude-sonnet-4,gemini"`) |
-| `FORGE_MEMORY_PERSISTENCE` | Set `false` to disable session persistence |
-| `FORGE_MEMORY_LONG_TERM` | Set `true` to enable long-term memory |
-| `FORGE_EMBEDDING_PROVIDER` | Override embedding provider |
-| `OPENAI_API_KEY` | OpenAI API key |
-| `ANTHROPIC_API_KEY` | Anthropic API key |
-| `GEMINI_API_KEY` | Google Gemini API key |
-| `TAVILY_API_KEY` | Tavily web search API key |
-| `PERPLEXITY_API_KEY` | Perplexity web search API key |
-| `WEB_SEARCH_PROVIDER` | Force web search provider (`tavily` or `perplexity`) |
-| `OPENAI_BASE_URL` | Override OpenAI base URL |
-| `ANTHROPIC_BASE_URL` | Override Anthropic base URL |
-| `OLLAMA_BASE_URL` | Override Ollama base URL (default: `http://localhost:11434`) |
-| `FORGE_PASSPHRASE` | Passphrase for encrypted secrets file |
-
----
-
-## Command Reference
-
-| Command | Description |
-|---------|-------------|
-| `forge ui [--port 4200] [--dir .] [--no-open]` | Launch the local web dashboard |
-| `forge init [name]` | Initialize a new agent project (interactive wizard) |
-| `forge build` | Compile agent artifacts (AgentSpec, egress allowlist, skills) |
-| `forge validate [--strict] [--command-compat]` | Validate agent spec and forge.yaml |
-| `forge run [--with slack,telegram] [--port 8080] [--host] [--shutdown-timeout]` | Run agent as foreground server |
-| `forge serve [start\|stop\|status\|logs]` | Manage agent as background daemon |
-| `forge schedule list` | List configured cron schedules |
-| `forge package [--push] [--prod] [--registry] [--with-channels]` | Build container image |
-| `forge export [--pretty] [--include-schemas] [--simulate-import]` | Export for Command platform |
-| `forge tool list\|describe` | List or inspect registered tools |
-| `forge skills add\|list\|validate\|audit\|sign\|keygen\|trust-report` | Manage agent skills |
-| `forge channel add\|serve\|list\|status` | Manage channel adapters |
-| `forge secret set\|get\|list\|delete [--local]` | Manage encrypted secrets |
-| `forge key generate\|trust\|list` | Manage Ed25519 signing keys |
-
-See [docs/commands.md](docs/commands.md) for full flags and examples.
+| [Quick Start](docs/quickstart.md) | Get an agent running in 60 seconds |
+| [Installation](docs/installation.md) | Homebrew, binary, and Windows install |
+| [Architecture](docs/architecture.md) | System design, module layout, and data flows |
 
----
+### Core Concepts
 
-## Architecture
-
-```
-forge/
-  forge-core/          Core library
-    a2a/               A2A protocol types
-    llm/               LLM client, fallback chains, OAuth
-    memory/            Long-term memory (vector + keyword search)
-    runtime/           Agent loop, hooks, compactor, audit logger
-    scheduler/         Cron scheduler (parser, tick loop, overlap prevention)
-    secrets/           Encrypted secret storage (AES-256-GCM + Argon2id)
-    security/          Egress resolver, enforcer, proxy, K8s NetworkPolicy
-    tools/             Tool registry, builtins, adapters, skill_tool
-    types/             Config types
-  forge-cli/           CLI application
-    cmd/               CLI commands (init, build, run, serve, schedule, etc.)
-    runtime/           Runner, skill registration, scheduler store, subprocess executor
-    internal/tui/      Interactive init wizard (Bubbletea)
-    tools/             CLI-specific tools (cli_execute, skill executor)
-  forge-plugins/       Channel plugins
-    telegram/          Telegram adapter (polling, document upload)
-    slack/             Slack adapter (Socket Mode, file upload)
-    markdown/          Markdown converter, message splitting
-  forge-ui/            Local web dashboard
-    server.go          HTTP server, routing, CORS
-    handlers*.go       REST API (agents, config, wizard, skills)
-    process.go         Agent process manager
-    discovery.go       Workspace scanner
-    sse.go             Real-time event broker
-    chat.go            A2A streaming chat proxy
-    static/dist/       Embedded SPA (Preact + HTM + Monaco)
-  forge-skills/        Skill system
-    contract/          Skill types, registry interface, filtering
-    local/             Embedded + local skill registries
-    parser/            SKILL.md parser (frontmatter + body extraction)
-    compiler/          Skill compiler (prompt generation)
-    requirements/      Requirement aggregation and derivation
-    analyzer/          Security audit for skills
-    resolver/          Binary and env var resolution
-    trust/             Skill signing and verification
-```
-
----
-
-## Philosophy
-
-Running agents that do real work requires more than prompts.
-
-It requires:
-
-### Atomicity
-
-Agents must be packaged as clear, self-contained units:
-
-* Explicit skills
-* Defined tools
-* Declared dependencies
-* Deterministic behavior
-
-No hidden state. No invisible glue code.
+| Document | Description |
+|----------|-------------|
+| [Skills](docs/skills.md) | Skill definitions, registry, and compilation |
+| [Tools](docs/tools.md) | Built-in tools, adapters, and custom tools |
+| [Runtime](docs/runtime.md) | LLM providers, fallback chains, running modes |
+| [Memory](docs/memory.md) | Session persistence and long-term memory |
+| [Channels](docs/channels.md) | Slack and Telegram adapter setup |
+| [Scheduling](docs/scheduling.md) | Cron configuration and schedule tools |
 
 ### Security
 
-Agents must run safely:
-
-* Restricted outbound access with runtime enforcement
-* Explicit capability bundles
-* No automatic inbound exposure
-* Structured audit trails for every action
-* Transparent execution boundaries
-
-If an agent can touch the outside world, it must declare how.
-
-### Portability
-
-Agents should not be locked to a framework, a cloud, or a vendor.
-
-A Forge agent:
-
-- Runs locally
-- Runs in containers
-- Runs in Kubernetes
-- Runs in cloud
-- Runs inside **initializ**
-- Speaks A2A
-
-*Same agent. Anywhere.*
-
-**Forge is built on a simple belief:**
+| Document | Description |
+|----------|-------------|
+| [Security Overview](docs/security/overview.md) | Complete security architecture |
+| [Egress Security](docs/security/egress.md) | Egress enforcement deep dive |
+| [Secrets](docs/security/secrets.md) | Encrypted secret management |
+| [Build Signing](docs/security/signing.md) | Ed25519 signing and verification |
+| [Guardrails](docs/security/guardrails.md) | Content filtering and PII detection |
 
-> Real agent systems require atomicity, security, and portability.
+### Operations
 
-Forge provides those building blocks.
+| Document | Description |
+|----------|-------------|
+| [Commands](docs/commands.md) | Full CLI reference |
+| [Configuration](docs/configuration.md) | `forge.yaml` schema and environment variables |
+| [Dashboard](docs/dashboard.md) | Web UI features and architecture |
+| [Deployment](docs/deployment.md) | Container packaging, Kubernetes, air-gap |
+| [Hooks](docs/hooks.md) | Agent loop hook system |
+| [Plugins](docs/plugins.md) | Framework plugin system |
+| [Command Integration](docs/command-integration.md) | Initializ Command platform guide |
 
----
+## Philosophy
 
-## Documentation
+Running agents that do real work requires **atomicity** (explicit skills, defined tools, declared dependencies), **security** (restricted egress, encrypted secrets, audit trails), and **portability** (runs locally, in containers, in Kubernetes, in cloud — same agent, anywhere).
 
-- [Architecture](docs/architecture.md) — System design and data flows
-- [Commands](docs/commands.md) — CLI reference with all flags and examples
-- [Runtime](docs/runtime.md) — LLM agent loop, providers, and memory
-- [Tools](docs/tools.md) — Tool system: builtins, adapters, custom tools
-- [Skills](docs/skills.md) — Skills definition and compilation
-- [Security](docs/security/SECURITY.md) — Complete security architecture
-- [Egress Security](docs/security/egress.md) — Egress enforcement deep dive
-- [Hooks](docs/hooks.md) — Agent loop hook system
-- [Plugins](docs/plugins.md) — Framework plugin system
-- [Channels](docs/channels.md) — Channel adapter architecture
+> Real agent systems require atomicity, security, and portability. Forge provides those building blocks.
 
 ## Contributing
 
-We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for the full guide, including:
-
-- Development setup and multi-module workflow
-- How to contribute a new skill (copy the [skill template](forge-skills/local/embedded/_template/), validate, and PR)
-- Security rules for egress, secrets, and tool restrictions
-- Pull request process and code style
+We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, how to add skills/tools/channels, and the PR process.
 
 Please read our [Code of Conduct](CODE_OF_CONDUCT.md) before participating.
 
diff --git a/docs/architecture.md b/docs/architecture.md
index e85a7ab..3c8f692 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -1,24 +1,40 @@
 # Architecture
 
-## Overview
+> Part of [Forge Documentation](../README.md)
 
-Forge is a portable runtime for building and running secure AI agents from simple skill definitions. The core data flow is:
+Forge is a portable runtime for building and running secure AI agents from simple skill definitions.
+
+## At a Glance
 
 ```
-SKILL.md → Parse → Discover tools/requirements → Compile AgentSpec → Apply security → Run LLM loop
+SKILL.md --> Parse --> Discover tools/requirements --> Compile AgentSpec
+                                                            |
+                                                            v
+                                                    Apply security policy
+                                                            |
+                                                            v
+                                                    Run LLM agent loop
+                                               (tool calling + memory + cron)
 ```
 
-Skill definitions and `forge.yaml` configuration are compiled into a canonical `AgentSpec`, security policies are applied, and the resulting agent can be run locally, packaged into a container, or served over the A2A protocol.
+1. You write a `SKILL.md` that describes what the agent can do
+2. Forge parses the skill definitions and optional YAML frontmatter (binary deps, env vars)
+3. The build pipeline discovers tools, resolves egress domains, and compiles an `AgentSpec`
+4. Security policies (egress allowlists, capability bundles) are applied
+5. Build artifacts are checksummed and optionally signed (Ed25519)
+6. At runtime, encrypted secrets are decrypted and the LLM-powered tool-calling loop executes with session persistence, memory, and a cron scheduler for recurring tasks
 
 ## Module Architecture
 
-Forge is organized as a Go workspace with three modules:
+Forge is organized as a Go workspace with five modules:
 
 ```
 go.work
-├── forge-core/     Embeddable library
-├── forge-cli/      CLI frontend
-└── forge-plugins/  Channel plugin implementations
+├── forge-core/       Embeddable library
+├── forge-cli/        CLI frontend
+├── forge-plugins/    Channel plugin implementations
+├── forge-ui/         Local web dashboard
+└── forge-skills/     Skill system (registry, parser, compiler)
 ```
 
 ### forge-core — Library
@@ -33,6 +49,14 @@ Command-line application built on top of forge-core. Includes Cobra commands, bu
 
 Messaging platform integrations that implement the `channels.ChannelPlugin` interface from forge-core. Ships Slack, Telegram, and markdown formatting plugins.
 
+### forge-ui — Web Dashboard
+
+Local web dashboard for managing agents from the browser. Single Go module embedded into the `forge` binary. See [Dashboard](dashboard.md) for details.
+
+### forge-skills — Skill System
+
+Skill system including the embedded and local skill registries, SKILL.md parser, skill compiler, requirement aggregation, security analyzer, binary/env resolver, and skill signing/verification.
+
 ## Package Map
 
 ### forge-core
@@ -66,7 +90,7 @@ Messaging platform integrations that implement the `channels.ChannelPlugin` inte
 | Package | Responsibility | Key Types |
 |---------|---------------|-----------|
 | `cmd/forge` | Main entry point | — |
-| `cmd` | CLI command implementations | `init`, `build`, `run`, `validate`, `package`, `export`, `tool`, `channel`, `skills` |
+| `cmd` | CLI command implementations | `init`, `build`, `run`, `validate`, `package`, `export`, `tool`, `channel`, `skills`, `serve`, `schedule`, `secret`, `key`, `ui` |
 | `config` | ForgeConfig loading and YAML parsing | — |
 | `build` | Build pipeline stage implementations | `FrameworkAdapterStage`, `AgentSpecStage`, `ToolsStage`, `SkillsStage`, `EgressStage`, etc. |
 | `container` | Container image builders | `DockerBuilder`, `PodmanBuilder`, `BuildahBuilder` |
@@ -91,6 +115,19 @@ Messaging platform integrations that implement the `channels.ChannelPlugin` inte
 | `channels/telegram` | Telegram channel adapter (polling) |
 | `channels/markdown` | Markdown formatting helper |
 
+### forge-skills
+
+| Package | Responsibility |
+|---------|---------------|
+| `contract` | Skill types, registry interface, filtering |
+| `local` | Embedded + local skill registries |
+| `parser` | SKILL.md parser (frontmatter + body extraction) |
+| `compiler` | Skill compiler (prompt generation) |
+| `requirements` | Requirement aggregation and derivation |
+| `analyzer` | Security audit for skills |
+| `resolver` | Binary and env var resolution |
+| `trust` | Skill signing and verification |
+
 ## Key Interfaces
 
 ### `forgecore` Public API
@@ -259,33 +296,55 @@ forge run
   → channels.Router (optional)            [forge-cli/channels]
 ```
 
-## Schema Validation
+## Module Directory Tree
 
-AgentSpec JSON is validated against `schemas/agentspec.v1.0.schema.json` (JSON Schema draft-07) using the `gojsonschema` library. The schema is embedded in the binary via `go:embed` in `forge-core/schemas/`.
-
-Validation checks include:
-- `agent_id` matches pattern `^[a-z0-9-]+$`
-- `version` matches semver pattern
-- Required fields: `forge_version`, `agent_id`, `version`, `name`
-- Nested object schemas for runtime, tools, policy_scaffold, identity, a2a, model
-
-## Template System
-
-Templates use Go's `text/template` package and are embedded via `go:embed` in `forge-cli/templates/`. Templates are used for:
-
-- **Build output** — Dockerfile, Kubernetes manifests
-- **Init scaffolding** — forge.yaml, agent entrypoints, tool examples, .gitignore
-- **Framework wrappers** — A2A wrappers for CrewAI and LangChain
-
-## Runtime Architecture
+```
+forge/
+  forge-core/          Core library
+    a2a/               A2A protocol types
+    llm/               LLM client, fallback chains, OAuth
+    memory/            Long-term memory (vector + keyword search)
+    runtime/           Agent loop, hooks, compactor, audit logger
+    scheduler/         Cron scheduler (parser, tick loop, overlap prevention)
+    secrets/           Encrypted secret storage (AES-256-GCM + Argon2id)
+    security/          Egress resolver, enforcer, proxy, K8s NetworkPolicy
+    tools/             Tool registry, builtins, adapters, skill_tool
+    types/             Config types
+  forge-cli/           CLI application
+    cmd/               CLI commands (init, build, run, serve, schedule, etc.)
+    runtime/           Runner, skill registration, scheduler store, subprocess executor
+    internal/tui/      Interactive init wizard (Bubbletea)
+    tools/             CLI-specific tools (cli_execute, skill executor)
+  forge-plugins/       Channel plugins
+    telegram/          Telegram adapter (polling, document upload)
+    slack/             Slack adapter (Socket Mode, file upload)
+    markdown/          Markdown converter, message splitting
+  forge-ui/            Local web dashboard
+    server.go          HTTP server, routing, CORS
+    handlers*.go       REST API (agents, config, wizard, skills)
+    process.go         Agent process manager
+    discovery.go       Workspace scanner
+    sse.go             Real-time event broker
+    chat.go            A2A streaming chat proxy
+    static/dist/       Embedded SPA (Preact + HTM + Monaco)
+  forge-skills/        Skill system
+    contract/          Skill types, registry interface, filtering
+    local/             Embedded + local skill registries
+    parser/            SKILL.md parser (frontmatter + body extraction)
+    compiler/          Skill compiler (prompt generation)
+    requirements/      Requirement aggregation and derivation
+    analyzer/          Security audit for skills
+    resolver/          Binary and env var resolution
+    trust/             Skill signing and verification
+```
 
-The local runner (`forge run`) orchestrates:
+## Schema Validation
 
-1. **Executor selection** — `LLMExecutor` (custom with LLM) lives in forge-core; `SubprocessExecutor`, `MockExecutor`, `StubExecutor` live in `forge-cli/runtime`
-2. **A2A server** — JSON-RPC 2.0 HTTP server handling `tasks/send`, `tasks/get`, `tasks/cancel` (in `forge-cli/server`)
-3. **Guardrail engine** — Optional inbound/outbound message checking (in `forge-core/runtime`)
-4. **Channel adapters** — Optional Slack/Telegram bridges forwarding events to the A2A server (in `forge-plugins/channels`)
+AgentSpec JSON is validated against `schemas/agentspec.v1.0.schema.json` (JSON Schema draft-07) using the `gojsonschema` library. The schema is embedded in the binary via `go:embed` in `forge-core/schemas/`.
 
 ## Egress Security
 
-Egress controls operate at both build time and runtime. Build-time controls generate allowlist artifacts and Kubernetes NetworkPolicy manifests. Runtime controls include an in-process `EgressEnforcer` (Go `http.RoundTripper`) and a local `EgressProxy` for subprocess HTTP traffic. The resolver in `forge-core/security` combines explicit domains, tool-inferred domains, and capability bundles. See [security/egress.md](security/egress.md) for details.
+Egress controls operate at both build time and runtime. Build-time controls generate allowlist artifacts and Kubernetes NetworkPolicy manifests. Runtime controls include an in-process `EgressEnforcer` (Go `http.RoundTripper`) and a local `EgressProxy` for subprocess HTTP traffic. See [Egress Security](security/egress.md) for details.
+
+---
+← [Installation](installation.md) | [Back to README](../README.md) | [Skills](skills.md) →
diff --git a/docs/channels.md b/docs/channels.md
index 6ec21ce..31dca79 100644
--- a/docs/channels.md
+++ b/docs/channels.md
@@ -1,6 +1,6 @@
 # Channel Adapters
 
-## Overview
+> Part of [Forge Documentation](../README.md)
 
 Channel adapters bridge messaging platforms (Slack, Telegram) to your A2A-compliant agent. Each adapter normalizes platform-specific events into a common `ChannelEvent` format, forwards them to the agent's A2A server, and delivers responses back to the originating platform.
 
@@ -10,6 +10,8 @@ Channel adapters bridge messaging platforms (Slack, Telegram) to your A2A-compli
        └──────────────── SendResponse ←────────────────────────┘
 ```
 
+Both channels use **outbound-only connections** — no public URLs, no ngrok, no inbound webhooks.
+
 ## Supported Channels
 
 | Channel | Adapter | Mode | Default Port |
@@ -35,25 +37,46 @@ This command:
 3. Adds the channel to `forge.yaml`'s `channels` list
 4. Prints setup instructions
 
+## Running with Channels
+
+### Alongside the Agent
+
+```bash
+# Start agent with Slack and Telegram adapters
+forge run --with slack,telegram
+```
+
+This starts the A2A dev server and all specified channel adapters in the same process.
+
+### Standalone Mode
+
+```bash
+# Run adapter separately (requires AGENT_URL)
+export AGENT_URL=http://localhost:8080
+forge channel serve slack
+```
+
+Standalone mode is useful for running adapters as separate services in production. Each adapter connects to the agent's A2A server via HTTP.
+
 ## Slack App Setup
 
 Before running the Slack adapter, create and configure a Slack App:
 
-1. **Create a Slack App** at https://api.slack.com/apps → "Create New App" → "From scratch"
-2. **Enable Socket Mode** — Settings → Socket Mode → toggle **On**
-3. **Generate an App-Level Token** — Basic Information → "App-Level Tokens" → "Generate Token and Scopes" → add the `connections:write` scope → copy the `xapp-...` token
-4. **Enable Event Subscriptions** — Features → Event Subscriptions → toggle **On** → Subscribe to bot events:
+1. **Create a Slack App** at https://api.slack.com/apps -> "Create New App" -> "From scratch"
+2. **Enable Socket Mode** — Settings -> Socket Mode -> toggle **On**
+3. **Generate an App-Level Token** — Basic Information -> "App-Level Tokens" -> "Generate Token and Scopes" -> add the `connections:write` scope -> copy the `xapp-...` token
+4. **Enable Event Subscriptions** — Features -> Event Subscriptions -> toggle **On** -> Subscribe to bot events:
    - `message.channels` — messages in public channels
    - `message.im` — direct messages
    - `app_mention` — @mentions of your bot
-5. **Set Bot Token Scopes** — Features → OAuth & Permissions → Bot Token Scopes → add:
+5. **Set Bot Token Scopes** — Features -> OAuth & Permissions -> Bot Token Scopes -> add:
    - `app_mentions:read`
    - `chat:write`
    - `channels:history`
    - `im:history`
    - `files:write` (for large response file uploads)
    - `reactions:write` (for processing indicators)
-6. **Install the App** — Settings → Install App → "Install to Workspace" → copy the `xoxb-...` Bot Token
+6. **Install the App** — Settings -> Install App -> "Install to Workspace" -> copy the `xoxb-...` Bot Token
 7. **Add tokens to `.env`**:
    ```
    SLACK_APP_TOKEN=xapp-1-...
@@ -61,6 +84,25 @@ Before running the Slack adapter, create and configure a Slack App:
    ```
 8. **Invite the bot** to any channel where you want it active: `/invite @YourBot`
 
+### Mention-Aware Filtering
+
+The Slack adapter resolves the bot's own user ID at startup via `auth.test` and uses it for intelligent message filtering:
+
+- **Channel messages** — the bot only responds when explicitly @mentioned (e.g. `@ForgeBot what's the status?`)
+- **Thread replies** — the bot responds to all messages in a thread it's participating in, unless the message @mentions a different user
+- **Direct messages** — all DMs are processed
+- Bot mentions are stripped from the message text before passing to the LLM, so it sees clean input
+
+### Processing Indicators
+
+When the Slack adapter receives a message:
+
+1. An :eyes: reaction is added immediately to acknowledge receipt
+2. If the handler takes longer than 15 seconds, an interim message is posted: _"Researching, I'll post the result shortly..."_
+3. The :eyes: reaction is removed when the response is ready
+
+This gives users visual feedback that their message is being processed, especially for long-running research queries.
+
 ## Configuration
 
 ### Slack (`slack-config.yaml`)
@@ -94,26 +136,16 @@ Mode options:
 - `polling` (default) — Long-polling via `getUpdates`
 - `webhook` — Receives updates via HTTP webhook
 
-## Running with Channels
-
-### Alongside the Agent
-
-```bash
-# Start agent with Slack and Telegram adapters
-forge run --with slack,telegram
-```
+## Large Response Handling
 
-This starts the A2A dev server and all specified channel adapters in the same process.
+When an agent response exceeds 4096 characters (common with research reports), channel adapters automatically split it into a **summary message** and a **file attachment**:
 
-### Standalone Mode
+1. A brief summary (first paragraph, up to 600 characters) is sent as a regular message
+2. The full report is uploaded as a downloadable Markdown file (`research-report.md`)
 
-```bash
-# Run adapter separately (requires AGENT_URL)
-export AGENT_URL=http://localhost:8080
-forge channel serve slack
-```
+This works on both Slack (via `files.getUploadURLExternal`) and Telegram (via `sendDocument`). If file upload fails, adapters fall back to chunked messages. Markdown is converted to platform-native formatting (Slack mrkdwn or Telegram HTML).
 
-Standalone mode is useful for running adapters as separate services in production.
+Additionally, the runtime tracks large tool outputs (>8000 characters) and attaches them as file parts in the A2A response. This ensures channel adapters receive the complete, untruncated tool output even when the LLM's text summary is truncated by output token limits. JSON tool outputs (e.g. Tavily Research/Search results) are automatically unwrapped into readable markdown before delivery.
 
 ## Docker Compose Integration
 
@@ -132,53 +164,21 @@ Implement the `channels.ChannelPlugin` interface:
 
 ```go
 type ChannelPlugin interface {
-    // Name returns the adapter name (e.g. "slack", "telegram").
     Name() string
-
-    // Init configures the plugin from a ChannelConfig.
     Init(cfg ChannelConfig) error
-
-    // Start begins listening for events and dispatching them to handler.
-    // It blocks until ctx is cancelled.
     Start(ctx context.Context, handler EventHandler) error
-
-    // Stop gracefully shuts down the plugin.
     Stop() error
-
-    // NormalizeEvent converts raw platform bytes into a ChannelEvent.
     NormalizeEvent(raw []byte) (*ChannelEvent, error)
-
-    // SendResponse delivers an A2A response back to the originating platform.
     SendResponse(event *ChannelEvent, response *a2a.Message) error
 }
 ```
 
-### Key Types
-
-```go
-// ChannelConfig holds per-adapter configuration loaded from YAML.
-type ChannelConfig struct {
-    Adapter     string            `yaml:"adapter"`
-    WebhookPort int               `yaml:"webhook_port,omitempty"`
-    WebhookPath string            `yaml:"webhook_path,omitempty"`
-    Settings    map[string]string `yaml:"settings,omitempty"`
-}
-
-// ChannelEvent is the normalized representation of an inbound message.
-type ChannelEvent struct {
-    Channel     string          `json:"channel"`
-    WorkspaceID string          `json:"workspace_id"`
-    UserID      string          `json:"user_id"`
-    ThreadID    string          `json:"thread_id,omitempty"`
-    Message     string          `json:"message"`
-    Attachments []Attachment    `json:"attachments,omitempty"`
-    Raw         json.RawMessage `json:"raw,omitempty"`
-}
-```
-
 ### Steps
 
-1. Create a new package under `internal/channels/yourplatform/`.
+1. Create a new package under `forge-plugins/channels/yourplatform/`.
 2. Implement `ChannelPlugin`.
-3. Register the plugin in the channel registry (see `internal/cmd/channel.go`).
+3. Register the plugin in the channel registry.
 4. Add config generation in `generateChannelConfig()` and env vars in `generateEnvVars()`.
+
+---
+← [Memory](memory.md) | [Back to README](../README.md) | [Security Overview](security/overview.md) →
diff --git a/docs/command-integration.md b/docs/command-integration.md
index 20c9a86..809dbb4 100644
--- a/docs/command-integration.md
+++ b/docs/command-integration.md
@@ -192,3 +192,6 @@ The following are considered stable and will not change without a major version
 - Deprecated APIs will be marked with `// Deprecated:` comments
 - Deprecated APIs will continue to work for at least one minor version
 - Removal of deprecated APIs requires a major version bump
+
+---
+← [Plugins](plugins.md) | [Back to README](../README.md) | [Contributing](contributing.md) →
diff --git a/docs/commands.md b/docs/commands.md
index e5e5776..30cea98 100644
--- a/docs/commands.md
+++ b/docs/commands.md
@@ -1,5 +1,9 @@
 # CLI Reference
 
+> Part of [Forge Documentation](../README.md)
+
+Complete reference for all Forge CLI commands.
+
 ## Global Flags
 
 | Flag | Short | Default | Description |
@@ -127,6 +131,8 @@ forge run [flags]
 | Flag | Default | Description |
 |------|---------|-------------|
 | `--port` | `8080` | Port for the A2A dev server |
+| `--host` | `""` (all interfaces) | Bind address |
+| `--shutdown-timeout` | `0` (immediate) | Graceful shutdown timeout |
 | `--mock-tools` | `false` | Use mock runtime instead of subprocess |
 | `--enforce-guardrails` | `false` | Enforce guardrail violations as errors |
 | `--model` | | Override model name (sets `MODEL_NAME` env var) |
@@ -146,12 +152,63 @@ forge run --port 9090 --mock-tools
 # Run with LLM provider and channels
 forge run --provider openai --model gpt-4 --with slack
 
+# Container deployment
+forge run --host 0.0.0.0 --shutdown-timeout 30s
+
 # Run with guardrails enforced
 forge run --enforce-guardrails --env .env.production
 ```
 
 ---
 
+## `forge serve`
+
+Manage the agent as a background daemon process.
+
+```
+forge serve [start|stop|status|logs] [flags]
+```
+
+### Subcommands
+
+| Subcommand | Description |
+|------------|-------------|
+| `start` (default) | Start the daemon in background |
+| `stop` | Send SIGTERM (10s timeout, SIGKILL fallback) |
+| `status` | Show PID, listen address, health check |
+| `logs` | Tail `.forge/serve.log` |
+
+### Flags (start)
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--port` | `8080` | HTTP server port |
+| `--host` | `127.0.0.1` | Bind address (secure default) |
+| `--with` | | Channel adapters |
+
+### Examples
+
+```bash
+# Start daemon (secure defaults: 127.0.0.1, 30s shutdown timeout)
+forge serve
+
+# Start on custom port
+forge serve start --port 9090 --host 0.0.0.0
+
+# Stop the daemon
+forge serve stop
+
+# Check status (PID, uptime, health)
+forge serve status
+
+# View recent logs (last 100 lines)
+forge serve logs
+```
+
+The daemon forks `forge run` in the background with `setsid`, writes state to `.forge/serve.json`, and redirects output to `.forge/serve.log`.
+
+---
+
 ## `forge export`
 
 Export agent spec for Command platform import.
@@ -226,6 +283,18 @@ forge package --with-channels
 
 ---
 
+## `forge schedule`
+
+Manage cron schedules.
+
+```
+forge schedule list
+```
+
+Lists all configured cron schedules (both YAML-defined and LLM-created).
+
+---
+
 ## `forge tool`
 
 Manage and inspect agent tools.
@@ -246,16 +315,6 @@ Show tool details and input schema.
 forge tool describe <name>
 ```
 
-### Examples
-
-```bash
-# List all tools
-forge tool list
-
-# Describe a specific tool
-forge tool describe web-search
-```
-
 ---
 
 ## `forge channel`
@@ -296,22 +355,105 @@ Show configured channels from `forge.yaml`.
 forge channel status
 ```
 
-### Examples
+---
+
+## `forge secret`
+
+Manage encrypted secrets.
 
 ```bash
-# Add Slack adapter
-forge channel add slack
+# Store a secret (prompts for value securely)
+forge secret set OPENAI_API_KEY
 
-# Add Telegram adapter
-forge channel add telegram
+# Store with inline value
+forge secret set SLACK_BOT_TOKEN xoxb-...
 
-# List available adapters
-forge channel list
+# Retrieve a secret (shows source)
+forge secret get OPENAI_API_KEY
 
-# Show configured channels
-forge channel status
+# List all secret keys
+forge secret list
+
+# Delete a secret
+forge secret delete OLD_KEY
+
+# Agent-local secret
+forge secret set API_KEY --local
+```
+
+---
+
+## `forge key`
+
+Manage Ed25519 signing keys.
+
+```bash
+# Generate an Ed25519 signing keypair
+forge key generate
+
+# Generate with a custom name
+forge key generate --name ci-key
+
+# Add a public key to the trusted keyring
+forge key trust ~/.forge/signing-key.pub
+
+# List signing and trusted keys
+forge key list
+```
+
+---
+
+## `forge skills`
+
+Manage agent skills.
 
-# Run Slack adapter standalone
-export AGENT_URL=http://localhost:8080
-forge channel serve slack
+```bash
+# Add a skill from the registry
+forge skills add <skill-name>
+
+# List available skills
+forge skills list
+
+# Filter by category
+forge skills list --category sre
+
+# Filter by tags
+forge skills list --tags kubernetes,incident-response
+
+# Validate skill requirements
+forge skills validate
+
+# Audit skill security
+forge skills audit --embedded
+
+# Sign a skill
+forge skills sign
+
+# Generate a signing key
+forge skills keygen
+
+# Generate trust report
+forge skills trust-report
 ```
+
+---
+
+## `forge ui`
+
+Launch the local web dashboard.
+
+```bash
+# Launch with defaults
+forge ui
+
+# Specify workspace and port
+forge ui --dir /path/to/workspace --port 4200
+
+# Launch without auto-opening browser
+forge ui --no-open
+```
+
+See [Dashboard](dashboard.md) for full documentation.
+
+---
+← [Hooks](hooks.md) | [Back to README](../README.md) | [Configuration](configuration.md) →
diff --git a/docs/configuration.md b/docs/configuration.md
new file mode 100644
index 0000000..18991d3
--- /dev/null
+++ b/docs/configuration.md
@@ -0,0 +1,94 @@
+# Configuration Reference
+
+> Part of [Forge Documentation](../README.md)
+
+All Forge agent configuration lives in `forge.yaml` at the project root.
+
+## Full Schema
+
+```yaml
+agent_id: "my-agent"                # Required
+version: "1.0.0"                    # Required
+framework: "forge"                  # forge (default), crewai, langchain
+registry: "ghcr.io/org"             # Container registry
+entrypoint: "agent.py"              # Required for crewai/langchain, omit for forge
+
+model:
+  provider: "openai"                # openai, anthropic, gemini, ollama, custom
+  name: "gpt-4o"                    # Model name
+  fallbacks:                        # Fallback providers (optional)
+    - provider: "anthropic"
+      name: "claude-sonnet-4-20250514"
+
+tools:
+  - name: "web_search"
+  - name: "cli_execute"
+    config:
+      allowed_binaries: ["git", "curl"]
+      env_passthrough: ["GITHUB_TOKEN"]
+
+channels:
+  - "telegram"
+  - "slack"
+
+egress:
+  profile: "strict"                 # strict, standard, permissive
+  mode: "allowlist"                 # deny-all, allowlist, dev-open
+  allowed_domains:                  # Explicit domains
+    - "api.example.com"
+    - "*.github.com"
+  capabilities:                     # Capability bundles
+    - "slack"
+
+skills:
+  path: "SKILL.md"
+
+secrets:
+  providers:                        # Secret providers (order matters)
+    - "encrypted-file"              # AES-256-GCM encrypted file
+    - "env"                         # Environment variables
+
+memory:
+  persistence: true                 # Session persistence (default: true)
+  sessions_dir: ".forge/sessions"
+  char_budget: 200000               # Context budget override
+  trigger_ratio: 0.6                # Compaction trigger ratio
+  long_term: false                  # Long-term memory (default: false)
+  memory_dir: ".forge/memory"
+  embedding_provider: ""            # Auto-detect from LLM provider
+  embedding_model: ""               # Provider default
+  vector_weight: 0.7                # Hybrid search vector weight
+  keyword_weight: 0.3               # Hybrid search keyword weight
+  decay_half_life_days: 7           # Temporal decay half-life
+
+schedules:                          # Recurring scheduled tasks (optional)
+  - id: "daily-report"
+    cron: "@daily"
+    task: "Generate daily status report"
+    skill: ""                       # Optional skill to invoke
+    channel: "telegram"             # Optional channel for delivery
+    channel_target: "-100123456"    # Destination chat/channel ID
+```
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `FORGE_MODEL_PROVIDER` | Override LLM provider |
+| `FORGE_MODEL_FALLBACKS` | Fallback chain (e.g., `"anthropic:claude-sonnet-4,gemini"`) |
+| `FORGE_MEMORY_PERSISTENCE` | Set `false` to disable session persistence |
+| `FORGE_MEMORY_LONG_TERM` | Set `true` to enable long-term memory |
+| `FORGE_EMBEDDING_PROVIDER` | Override embedding provider |
+| `OPENAI_API_KEY` | OpenAI API key |
+| `ANTHROPIC_API_KEY` | Anthropic API key |
+| `GEMINI_API_KEY` | Google Gemini API key |
+| `TAVILY_API_KEY` | Tavily web search API key |
+| `PERPLEXITY_API_KEY` | Perplexity web search API key |
+| `WEB_SEARCH_PROVIDER` | Force web search provider (`tavily` or `perplexity`) |
+| `OPENAI_BASE_URL` | Override OpenAI base URL |
+| `ANTHROPIC_BASE_URL` | Override Anthropic base URL |
+| `OLLAMA_BASE_URL` | Override Ollama base URL (default: `http://localhost:11434`) |
+| `FORGE_PASSPHRASE` | Passphrase for encrypted secrets file |
+
+---
+← [Commands](commands.md) | [Back to README](../README.md) | [Dashboard](dashboard.md) →
diff --git a/docs/contributing.md b/docs/contributing.md
index eeb3a63..245d333 100644
--- a/docs/contributing.md
+++ b/docs/contributing.md
@@ -154,3 +154,6 @@ Releases are automated via GoReleaser:
 3. Tag the release: `git tag v0.1.0`
 4. Push the tag: `git push origin v0.1.0`
 5. GitHub Actions runs GoReleaser to build and publish binaries
+
+---
+← [Command Integration](command-integration.md) | [Back to README](../README.md)
diff --git a/docs/dashboard.md b/docs/dashboard.md
new file mode 100644
index 0000000..01fd307
--- /dev/null
+++ b/docs/dashboard.md
@@ -0,0 +1,113 @@
+# Web Dashboard
+
+> Part of [Forge Documentation](../README.md)
+
+Forge includes a local web dashboard for managing agents from the browser — no CLI needed after launch.
+
+## Launch
+
+```bash
+# Launch the dashboard
+forge ui
+
+# Specify workspace and port
+forge ui --dir /path/to/workspace --port 4200
+
+# Launch without auto-opening browser
+forge ui --no-open
+```
+
+Opens `http://localhost:4200` with a full-featured SPA for the complete agent lifecycle.
+
+## Dashboard
+
+The main view discovers all agents in the workspace directory and shows their status in real-time via SSE (Server-Sent Events).
+
+| Feature | Description |
+|---------|-------------|
+| Agent discovery | Auto-scans workspace for `forge.yaml` files |
+| Start / Stop | Start and stop agents with one click |
+| Live status | Real-time state updates (stopped, starting, running, errored) |
+| Passphrase unlock | Prompts for `FORGE_PASSPHRASE` when agents have encrypted secrets |
+| Auto-rescan | Detects new agents after creation |
+
+## Interactive Chat
+
+Click any running agent to open a chat interface that streams responses via the A2A protocol.
+
+| Feature | Description |
+|---------|-------------|
+| Streaming responses | Real-time token streaming with progress indicators |
+| Markdown rendering | Code blocks, tables, lists rendered inline |
+| Session history | Browse and resume previous conversations |
+| Tool call visibility | See which tools the agent invokes during execution |
+
+## Create Agent Wizard
+
+A multi-step wizard (web equivalent of `forge init`) that walks through the full agent setup:
+
+| Step | What it does |
+|------|-------------|
+| Name | Set agent name with live slug preview |
+| Provider | Select LLM provider (OpenAI, Anthropic, Gemini, Ollama, Custom) with descriptions |
+| Model & Auth | Pick from provider-specific model lists; OpenAI supports API key or browser OAuth login |
+| Channels | Select Slack/Telegram with inline token collection |
+| Tools | Select builtin tools; web_search shows Tavily vs Perplexity provider choice with API key input |
+| Skills | Browse registry skills by category with inline required/optional env var collection |
+| Fallback | Select backup LLM providers with API keys for automatic failover |
+| Env & Security | Add extra env vars; set passphrase for AES-256-GCM secret encryption |
+| Review | Summary of all selections before creation |
+
+The wizard collects credentials inline at each step (matching the CLI TUI behavior) and supports all the same options: model selection, OAuth, web search providers, fallback chains, and encrypted secret storage.
+
+## Config Editor
+
+Edit `forge.yaml` for any agent with a Monaco-based YAML editor:
+
+| Feature | Description |
+|---------|-------------|
+| Syntax highlighting | YAML language support with Monaco editor |
+| Live validation | Validate config against the forge schema without saving |
+| Save with validation | Server-side validation before writing to disk |
+| Keyboard shortcut | Cmd/Ctrl+S to save |
+| Restart integration | Restart agent after config changes |
+| Fallback editor | Plain textarea if Monaco fails to load |
+
+The Monaco editor is a tree-shaken YAML-only bundle (~615KB) built with esbuild — not the full 4MB distribution.
+
+## Skills Browser
+
+Browse the built-in skill registry with filtering and detail view:
+
+| Feature | Description |
+|---------|-------------|
+| Grid view | Skill cards showing name, description, category, tags |
+| Category filter | Filter skills by category |
+| Detail panel | Click a skill to view its full SKILL.md content |
+| Env requirements | Shows required, one-of, and optional env vars per skill |
+
+## Architecture
+
+The dashboard is a single Go module (`forge-ui`) embedded into the `forge` binary:
+
+```
+forge-cli/cmd/ui.go          CLI command, injects StartFunc/CreateFunc/OAuthFunc
+forge-ui/
+  server.go                   HTTP server with CORS, SPA fallback
+  handlers.go                 Dashboard API (agents, start/stop, chat, sessions)
+  handlers_create.go          Wizard API (create, config, skills, tools, OAuth)
+  process.go                  Process manager (start/stop agent goroutines)
+  discovery.go                Workspace scanner (finds forge.yaml files)
+  sse.go                      Server-Sent Events broker
+  chat.go                     A2A chat proxy with streaming
+  types.go                    Shared types
+  static/dist/                Embedded frontend (Preact + HTM, no build step)
+    app.js                    SPA with hash routing
+    style.css                 Dark theme styles
+    monaco/                   Tree-shaken YAML editor
+```
+
+Key design: `forge-cli` imports `forge-ui` (not vice versa). CLI-specific logic (scaffold, config loading, OAuth flow) is injected via function callbacks, keeping `forge-ui` framework-agnostic.
+
+---
+← [Configuration](configuration.md) | [Back to README](../README.md) | [Deployment](deployment.md) →
diff --git a/docs/deployment.md b/docs/deployment.md
new file mode 100644
index 0000000..5ca63a6
--- /dev/null
+++ b/docs/deployment.md
@@ -0,0 +1,92 @@
+# Packaging & Deployment
+
+> Part of [Forge Documentation](../README.md)
+
+Forge agents can be packaged as container images and deployed to Docker, Kubernetes, or air-gapped environments.
+
+## Building Container Images
+
+```bash
+# Build a container image (auto-detects Docker/Podman/Buildah)
+forge package
+
+# Production build (rejects dev tools and dev-open egress)
+forge package --prod
+
+# Build and push to registry
+forge package --registry ghcr.io/myorg --push
+
+# Generate docker-compose with channel sidecars
+forge package --with-channels
+
+# Export for Initializ Command platform
+forge export --pretty --include-schemas
+```
+
+`forge package` generates a Dockerfile, Kubernetes manifests, and NetworkPolicy. Use `--prod` to strip dev tools and enforce strict egress. Use `--verify` to smoke-test the built container.
+
+## Production Build Checks
+
+Production builds (`--prod`) enforce:
+
+- No `dev-open` egress mode
+- No dev-only tools (`local_shell`, `local_file_browser`)
+- Secret provider chain must include `env` (not just `encrypted-file`)
+- `.dockerignore` must exist if a Dockerfile is generated
+
+## Docker Compose
+
+```bash
+forge package --with-channels
+```
+
+This generates a `docker-compose.yaml` with:
+- An `agent` service running the A2A server
+- Adapter services (e.g., `slack-adapter`, `telegram-adapter`) connecting to the agent
+
+## Kubernetes
+
+Every `forge build` generates container-ready artifacts:
+
+| Artifact | Purpose |
+|----------|---------|
+| `Dockerfile` | Container image with minimal attack surface |
+| `deployment.yaml` | Kubernetes Deployment manifest |
+| `service.yaml` | Kubernetes Service manifest |
+| `network-policy.yaml` | NetworkPolicy restricting pod egress to allowed domains |
+| `egress_allowlist.json` | Machine-readable domain allowlist |
+| `checksums.json` | SHA-256 checksums + Ed25519 signature |
+
+## Air-Gap Deployments
+
+Forge can run entirely offline with local models:
+
+1. Use `ollama` as the LLM provider with a locally-hosted model
+2. Set egress mode to `deny-all` to block all outbound traffic
+3. Pre-install all binary dependencies in the container image
+4. Use environment variables for secrets (no passphrase prompting needed)
+
+```yaml
+model:
+  provider: ollama
+  name: llama3
+egress:
+  mode: deny-all
+```
+
+## Command Platform Export
+
+For Initializ Command integration, export the agent spec:
+
+```bash
+# Export with embedded schemas
+forge export --pretty --include-schemas
+
+# Simulate Command import
+forge export --simulate-import
+```
+
+See [Command Integration](command-integration.md) for the full integration guide.
+
+---
+← [Dashboard](dashboard.md) | [Back to README](../README.md) | [Plugins](plugins.md) →
diff --git a/docs/hooks.md b/docs/hooks.md
index 5468ae0..1de19d3 100644
--- a/docs/hooks.md
+++ b/docs/hooks.md
@@ -1,10 +1,12 @@
 # Hooks
 
+> Part of [Forge Documentation](../README.md)
+
 The hook system allows custom logic to run at key points in the LLM agent loop. Hooks can observe, modify context, or block execution.
 
 ## Overview
 
-Hooks are defined in `internal/runtime/engine/hooks.go`. They fire synchronously during the agent loop and can:
+Hooks fire synchronously during the agent loop and can:
 
 - **Log** interactions for debugging or auditing
 - **Block** execution by returning an error
@@ -12,13 +14,14 @@ Hooks are defined in `internal/runtime/engine/hooks.go`. They fire synchronously
 
 ## Hook Points
 
-| Hook Point | When It Fires | HookContext Data |
+| Hook Point | When It Fires | Available Data |
 |-----------|---------------|------------------|
-| `BeforeLLMCall` | Before each LLM API call | `Messages` |
-| `AfterLLMCall` | After each LLM API call | `Messages`, `Response` |
-| `BeforeToolExec` | Before each tool execution | `ToolName`, `ToolInput` |
-| `AfterToolExec` | After each tool execution | `ToolName`, `ToolInput`, `ToolOutput`, `Error` |
-| `OnError` | When an LLM call fails | `Error` |
+| `BeforeLLMCall` | Before each LLM API call | `Messages`, `TaskID`, `CorrelationID` |
+| `AfterLLMCall` | After each LLM API call | `Messages`, `Response`, `TaskID`, `CorrelationID` |
+| `BeforeToolExec` | Before each tool execution | `ToolName`, `ToolInput`, `TaskID`, `CorrelationID` |
+| `AfterToolExec` | After each tool execution | `ToolName`, `ToolInput`, `ToolOutput`, `Error`, `TaskID`, `CorrelationID` |
+| `OnError` | When an LLM call fails | `Error`, `TaskID`, `CorrelationID` |
+| `OnProgress` | During tool execution | `Phase`, `ToolName`, `StatusMessage` |
 
 ## HookContext
 
@@ -70,6 +73,10 @@ hooks.Register(engine.BeforeToolExec, func(ctx context.Context, hctx *engine.Hoo
 })
 ```
 
+## Progress Tracking
+
+The runner automatically registers progress hooks that emit real-time status updates during tool execution. Progress events include the tool name, phase (`tool_start` / `tool_end`), and a human-readable status message. These events are streamed to clients via SSE when using the A2A HTTP server, enabling live progress indicators in web and chat UIs.
+
 ## Error Handling
 
 - Hooks fire **in registration order** for each hook point
@@ -94,7 +101,5 @@ exec := engine.NewLLMExecutor(engine.LLMExecutorConfig{
 
 If no `HookRegistry` is provided, an empty one is created automatically.
 
-## Related Files
-
-- `internal/runtime/engine/hooks.go` — Hook types, registry, and firing logic
-- `internal/runtime/engine/loop.go` — Hook integration in the agent loop
+---
+← [Scheduling](scheduling.md) | [Back to README](../README.md) | [Commands](commands.md) →
diff --git a/docs/installation.md b/docs/installation.md
new file mode 100644
index 0000000..f193530
--- /dev/null
+++ b/docs/installation.md
@@ -0,0 +1,31 @@
+# Installation
+
+> Part of [Forge Documentation](../README.md)
+
+Forge can be installed via Homebrew, pre-built binary, or manual download on Windows.
+
+## macOS (Homebrew)
+
+```bash
+brew install initializ/tap/forge
+```
+
+## Linux / macOS (Binary)
+
+```bash
+curl -sSL https://github.com/initializ/forge/releases/latest/download/forge-$(uname -s)-$(uname -m).tar.gz | tar xz
+sudo mv forge /usr/local/bin/
+```
+
+## Windows
+
+Download the latest `.zip` from [GitHub Releases](https://github.com/initializ/forge/releases/latest) and add to your PATH.
+
+## Verify
+
+```bash
+forge --version
+```
+
+---
+← [Quick Start](quickstart.md) | [Back to README](../README.md) | [Architecture](architecture.md) →
diff --git a/docs/memory.md b/docs/memory.md
new file mode 100644
index 0000000..a2e8762
--- /dev/null
+++ b/docs/memory.md
@@ -0,0 +1,112 @@
+# Memory
+
+> Part of [Forge Documentation](../README.md)
+
+Forge provides two layers of memory management: session persistence for multi-turn conversations and long-term memory for cross-session knowledge.
+
+## Session Persistence
+
+Sessions are automatically persisted to disk across requests, enabling multi-turn conversations:
+
+```yaml
+memory:
+  persistence: true          # default: true
+  sessions_dir: ".forge/sessions"
+```
+
+- Sessions are saved as JSON files with atomic writes (temp file + fsync + rename)
+- Automatic cleanup of sessions older than 7 days at startup
+- Session recovery on subsequent requests (disk snapshot supersedes task history)
+
+## Context Window Management
+
+Forge automatically manages context window usage based on model capabilities:
+
+| Model | Context Window | Character Budget |
+|-------|---------------|-----------------|
+| `gpt-4o` / `gpt-5` | 128K tokens | ~435K chars |
+| `claude-sonnet` / `claude-opus` | 200K tokens | ~680K chars |
+| `gemini-2.5` | 1M tokens | ~3.4M chars |
+| `llama3` | 8K tokens | ~27K chars |
+| `llama3.1` | 128K tokens | ~435K chars |
+
+When context grows too large, the **Compactor** automatically:
+1. Takes the oldest 50% of messages
+2. Flushes tool results and decisions to long-term memory (if enabled)
+3. Summarizes via LLM (with extractive fallback)
+4. Replaces old messages with the summary
+
+Research tool results receive special handling during compaction: they are preserved with a higher extraction limit (5000 vs 2000 characters) and tagged distinctly in long-term memory logs (e.g., `[research][tool:tavily_research]`) so research insights persist across sessions.
+
+```yaml
+memory:
+  char_budget: 200000       # override auto-detection
+  trigger_ratio: 0.6        # compact at 60% of budget (default)
+```
+
+## Long-Term Memory
+
+Enable cross-session knowledge persistence with hybrid vector + keyword search:
+
+```yaml
+memory:
+  long_term: true
+  memory_dir: ".forge/memory"
+  vector_weight: 0.7
+  keyword_weight: 0.3
+  decay_half_life_days: 7
+```
+
+Or via environment variable:
+
+```bash
+export FORGE_MEMORY_LONG_TERM=true
+```
+
+When enabled, Forge:
+- Creates a `.forge/memory/` directory with a `MEMORY.md` template for curated facts
+- Indexes all `.md` files into a hybrid search index (vector similarity + keyword overlap + temporal decay)
+- Registers `memory_search` and `memory_get` tools for the agent to use
+- Automatically flushes compacted conversation context to daily log files (`YYYY-MM-DD.md`)
+
+## Embedding Providers
+
+Embedding providers power the vector search component of long-term memory:
+
+| Provider | Default Model | Notes |
+|----------|--------------|-------|
+| `openai` | `text-embedding-3-small` | Standard OpenAI embeddings API |
+| `gemini` | `text-embedding-3-small` | OpenAI-compatible endpoint |
+| `ollama` | `nomic-embed-text` | Local embeddings |
+
+Falls back to keyword-only search if no embedding provider is available (e.g., when using Anthropic as the primary provider without a fallback).
+
+## Configuration
+
+Full memory configuration in `forge.yaml`:
+
+```yaml
+memory:
+  persistence: true
+  sessions_dir: ".forge/sessions"
+  char_budget: 200000
+  trigger_ratio: 0.6
+  long_term: false
+  memory_dir: ".forge/memory"
+  embedding_provider: ""      # Auto-detect from LLM provider
+  embedding_model: ""         # Provider default
+  vector_weight: 0.7
+  keyword_weight: 0.3
+  decay_half_life_days: 7
+```
+
+Environment variables:
+
+| Variable | Description |
+|----------|-------------|
+| `FORGE_MEMORY_PERSISTENCE` | Set `false` to disable session persistence |
+| `FORGE_MEMORY_LONG_TERM` | Set `true` to enable long-term memory |
+| `FORGE_EMBEDDING_PROVIDER` | Override embedding provider |
+
+---
+← [Runtime](runtime.md) | [Back to README](../README.md) | [Channels](channels.md) →
diff --git a/docs/plugins.md b/docs/plugins.md
index 4ebe1be..b4a7ee6 100644
--- a/docs/plugins.md
+++ b/docs/plugins.md
@@ -139,3 +139,6 @@ type Plugin interface {
 ```
 
 Available hook points: `pre-build`, `post-build`, `pre-push`, `post-push`.
+
+---
+← [Deployment](deployment.md) | [Back to README](../README.md) | [Command Integration](command-integration.md) →
diff --git a/docs/quickstart.md b/docs/quickstart.md
new file mode 100644
index 0000000..61d10be
--- /dev/null
+++ b/docs/quickstart.md
@@ -0,0 +1,53 @@
+# Quick Start
+
+> Part of [Forge Documentation](../README.md)
+
+Get a Forge agent running in under 60 seconds.
+
+## Why Forge?
+
+**Instant Agent From a Single Command**
+
+Write a SKILL.md. Run `forge init`. Your agent is live.
+
+The wizard configures your model provider, validates your API key,
+connects Slack or Telegram, picks skills, and starts your agent.
+Zero to running in under 60 seconds.
+
+**Secure by Default**
+
+Forge is designed for safe execution:
+
+* Does NOT create public tunnels
+* Does NOT expose webhooks automatically
+* Uses outbound-only connections (Slack Socket Mode, Telegram polling)
+* Enforces outbound domain allowlists at both build-time and runtime, including subprocess HTTP via a local egress proxy
+* Encrypts secrets at rest (AES-256-GCM) with per-agent isolation
+* Signs build artifacts (Ed25519) for supply chain integrity
+* Supports restricted network profiles with audit logging
+
+No accidental exposure. No hidden listeners.
+
+## Get Started in 60 Seconds
+
+```bash
+# Install
+curl -sSL https://github.com/initializ/forge/releases/latest/download/forge-$(uname -s)-$(uname -m).tar.gz | tar xz
+sudo mv forge /usr/local/bin/
+
+# Initialize a new agent (interactive wizard)
+forge init my-agent
+
+# Run locally
+cd my-agent && forge run
+
+# Run with Telegram
+forge run --with telegram
+```
+
+The `forge init` wizard walks you through model provider, API key, fallback providers, tools, skills, and channel setup. Use `--non-interactive` with flags for scripted setups.
+
+See [Installation](installation.md) for all installation methods.
+
+---
+[Back to README](../README.md) | [Installation](installation.md) →
diff --git a/docs/runtime.md b/docs/runtime.md
index 77e681e..d08fd13 100644
--- a/docs/runtime.md
+++ b/docs/runtime.md
@@ -1,10 +1,12 @@
 # LLM Runtime Engine
 
+> Part of [Forge Documentation](../README.md)
+
 The runtime engine powers `forge run` — executing agent tasks via LLM providers with tool calling, conversation memory, and lifecycle hooks.
 
 ## Agent Loop
 
-The core agent loop is implemented in `internal/runtime/engine/loop.go`. It follows a simple pattern:
+The core agent loop follows a simple pattern:
 
 1. **Initialize memory** with the system prompt and task history
 2. **Append** the user message
@@ -19,6 +21,78 @@ User message → Memory → LLM → tool_calls? → Execute tools → LLM → ..
 
 The loop terminates when `FinishReason == "stop"` or `len(ToolCalls) == 0`.
 
+## LLM Providers
+
+Forge supports multiple LLM providers with automatic fallback:
+
+| Provider | Default Model | Auth |
+|----------|--------------|------|
+| `openai` | `gpt-5.2-2025-12-11` | API key or OAuth |
+| `anthropic` | `claude-sonnet-4-20250514` | API key |
+| `gemini` | `gemini-2.5-flash` | API key |
+| `ollama` | `llama3` | None (local) |
+| Custom | Configurable | API key |
+
+### Configuration
+
+```yaml
+model:
+  provider: openai
+  name: gpt-4o
+```
+
+Or override with environment variables:
+
+```bash
+export FORGE_MODEL_PROVIDER=anthropic
+export ANTHROPIC_API_KEY=sk-ant-...
+forge run
+```
+
+Provider is auto-detected from available API keys if not explicitly set. Provider configuration is resolved via `ResolveModelConfig()` in priority order:
+
+1. **CLI flag** `--provider` (highest priority)
+2. **Environment variables**: `FORGE_MODEL_PROVIDER`, `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`
+3. **forge.yaml** `model` section (lowest priority)
+
+### OpenAI OAuth
+
+For OpenAI, Forge supports browser-based OAuth login (matching the Codex CLI flow) as an alternative to API keys:
+
+```bash
+forge init my-agent
+# Select "OpenAI" -> "Login with browser (OAuth)"
+# Browser opens for authentication
+```
+
+OAuth tokens are stored in `~/.forge/credentials/openai.json` and automatically refreshed.
+
+### Fallback Chains
+
+Configure fallback providers for automatic failover when the primary provider is unavailable:
+
+```yaml
+model:
+  provider: openai
+  name: gpt-4o
+  fallbacks:
+    - provider: anthropic
+      name: claude-sonnet-4-20250514
+    - provider: gemini
+```
+
+Or via environment variable:
+
+```bash
+export FORGE_MODEL_FALLBACKS="anthropic:claude-sonnet-4-20250514,gemini:gemini-2.5-flash"
+```
+
+Fallback behavior:
+- **Retriable errors** (rate limits, overloaded, timeouts) try the next provider
+- **Non-retriable errors** (auth, billing, bad format) abort immediately
+- Per-provider exponential backoff cooldowns prevent thundering herd
+- Fallbacks are also auto-detected from available API keys when not explicitly configured
+
 ## Executor Types
 
 The runtime supports multiple executor implementations:
@@ -29,61 +103,75 @@ The runtime supports multiple executor implementations:
 | `SubprocessExecutor` | Framework agents (CrewAI, LangChain) running as subprocesses |
 | `StubExecutor` | Returns canned responses for testing |
 
-Executor selection happens in `internal/runtime/runner.go` based on framework type and configuration.
+Executor selection happens in `runner.go` based on framework type and configuration.
 
-## Provider Configuration
+## Running Modes
 
-Provider configuration is resolved in `internal/runtime/engine/config.go` via `ResolveModelConfig()`. Sources are checked in priority order:
+### `forge run` — Foreground Server
 
-1. **CLI flag** `--provider` (highest priority)
-2. **Environment variables**: `FORGE_MODEL_PROVIDER`, `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `LLM_API_KEY`
-3. **forge.yaml** `model` section (lowest priority)
+Run the agent as a foreground HTTP server. Used for development and container deployments.
 
-If no provider is explicitly set, the system auto-detects from available API keys.
+```bash
+# Development (all interfaces, immediate shutdown)
+forge run --with slack --port 8080
 
-### Supported Providers
+# Container deployment
+forge run --host 0.0.0.0 --shutdown-timeout 30s
+```
 
-| Provider | Default Model | Base URL Override |
-|----------|--------------|-------------------|
-| `openai` | `gpt-4o` | `OPENAI_BASE_URL` |
-| `anthropic` | `claude-sonnet-4-20250514` | `ANTHROPIC_BASE_URL` |
-| `ollama` | `llama3` | `OLLAMA_BASE_URL` |
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--port` | `8080` | HTTP server port |
+| `--host` | `""` (all interfaces) | Bind address |
+| `--shutdown-timeout` | `0` (immediate) | Graceful shutdown timeout |
+| `--with` | — | Channel adapters (e.g. `slack,telegram`) |
+| `--mock-tools` | `false` | Use mock executor for testing |
+| `--model` | — | Override model name |
+| `--provider` | — | Override LLM provider |
+| `--env` | `.env` | Path to env file |
+| `--enforce-guardrails` | `false` | Enforce guardrail violations as errors |
 
-All providers implement the `llm.Client` interface defined in `internal/runtime/llm/client.go`:
+### `forge serve` — Background Daemon
 
-```go
-type Client interface {
-    Chat(ctx context.Context, req *ChatRequest) (*ChatResponse, error)
-    ChatStream(ctx context.Context, req *ChatRequest) (<-chan StreamDelta, error)
-    ModelID() string
-}
-```
+Manage the agent as a background daemon process with PID/log management.
 
-## Conversation Memory
+```bash
+# Start daemon (secure defaults: 127.0.0.1, 30s shutdown timeout)
+forge serve
 
-Memory management is handled by `internal/runtime/engine/memory.go`. Key behaviors:
+# Start on custom port
+forge serve start --port 9090 --host 0.0.0.0
 
-- **System prompt** is always prepended to the message list (never trimmed)
-- **Character budget** defaults to 32,000 characters (~8,000 tokens)
-- When over budget, **oldest messages are trimmed first**
-- The **most recent message is never trimmed**
-- Memory is per-task (created fresh for each `Execute` call)
-- Thread-safe via `sync.Mutex`
+# Stop the daemon
+forge serve stop
 
-## Streaming
+# Check status (PID, uptime, health)
+forge serve status
 
-The current implementation (v1) runs the full tool-calling loop non-streaming. `ExecuteStream` calls `Execute` internally and emits the final response as a single message on a channel. True word-by-word streaming during tool loops is planned for v2.
+# View recent logs (last 100 lines)
+forge serve logs
+```
+
+| Subcommand | Description |
+|------------|-------------|
+| `start` (default) | Start the daemon in background |
+| `stop` | Send SIGTERM (10s timeout, SIGKILL fallback) |
+| `status` | Show PID, listen address, health check |
+| `logs` | Tail `.forge/serve.log` |
+
+The daemon forks `forge run` in the background with `setsid`, writes state to `.forge/serve.json`, and redirects output to `.forge/serve.log`. Passphrase prompting for encrypted secrets happens in the parent process (which has TTY access) before forking.
+
+## Conversation Memory
+
+For details on session persistence, context window management, compaction, and long-term memory, see [Memory](memory.md).
 
 ## Hooks
 
-The engine fires hooks at key points in the loop. See [docs/hooks.md](hooks.md) for details.
+The engine fires hooks at key points in the loop. See [Hooks](hooks.md) for details.
 
-## Related Files
+## Streaming
+
+The current implementation (v1) runs the full tool-calling loop non-streaming. `ExecuteStream` calls `Execute` internally and emits the final response as a single message on a channel. True word-by-word streaming during tool loops is planned for v2.
 
-- `internal/runtime/engine/loop.go` — Agent loop implementation
-- `internal/runtime/engine/memory.go` — Conversation memory
-- `internal/runtime/engine/config.go` — Provider configuration resolution
-- `internal/runtime/engine/hooks.go` — Hook system
-- `internal/runtime/llm/client.go` — LLM client interface
-- `internal/runtime/llm/types.go` — Canonical chat types
-- `internal/runtime/llm/providers/` — Provider implementations
+---
+← [Tools](tools.md) | [Back to README](../README.md) | [Memory](memory.md) →
diff --git a/docs/scheduling.md b/docs/scheduling.md
new file mode 100644
index 0000000..23bae69
--- /dev/null
+++ b/docs/scheduling.md
@@ -0,0 +1,58 @@
+# Scheduling (Cron)
+
+> Part of [Forge Documentation](../README.md)
+
+Forge includes a built-in cron scheduler for recurring tasks, configurable in `forge.yaml` or created dynamically by the agent at runtime.
+
+## Configuration
+
+```yaml
+schedules:
+  - id: daily-report
+    cron: "@daily"
+    task: "Generate and send the daily status report"
+    skill: "tavily-research"           # optional: invoke a specific skill
+    channel: telegram                  # optional: deliver results to a channel
+    channel_target: "-100123456"       # optional: destination chat/channel ID
+```
+
+## Cron Expressions
+
+| Format | Example | Description |
+|--------|---------|-------------|
+| 5-field standard | `*/15 * * * *` | Every 15 minutes |
+| Aliases | `@hourly`, `@daily`, `@weekly`, `@monthly` | Common intervals |
+| Intervals | `@every 5m`, `@every 1h30m` | Duration-based (minimum 1 minute) |
+
+## Schedule Tools
+
+The agent has four built-in tools for managing schedules at runtime:
+
+| Tool | Description |
+|------|-------------|
+| `schedule_set` | Create or update a recurring schedule |
+| `schedule_list` | List all active and inactive schedules |
+| `schedule_delete` | Remove a schedule (LLM-created only; YAML-defined cannot be deleted) |
+| `schedule_history` | View execution history for scheduled tasks |
+
+Schedules can also be managed via the CLI:
+
+```bash
+# List all schedules
+forge schedule list
+```
+
+## Channel Delivery
+
+When a schedule includes `channel` and `channel_target`, the agent's response is automatically delivered to the specified channel after each execution. When schedules are created from channel conversations (Slack, Telegram), the channel context is automatically available so the agent can capture the delivery target.
+
+## Execution Details
+
+- **Tick interval**: 30 seconds
+- **Overlap prevention**: A schedule won't fire again if its previous run is still in progress
+- **Persistence**: Schedules are stored in `.forge/memory/SCHEDULES.md` and survive restarts
+- **History**: The last 50 executions are recorded with status, duration, and correlation IDs
+- **Audit events**: `schedule_fire`, `schedule_complete`, `schedule_skip`, `schedule_modify`
+
+---
+← [Guardrails](security/guardrails.md) | [Back to README](../README.md) | [Hooks](hooks.md) →
diff --git a/docs/security/egress.md b/docs/security/egress.md
index dd30423..b4971ec 100644
--- a/docs/security/egress.md
+++ b/docs/security/egress.md
@@ -229,3 +229,6 @@ Events without `"source"` come from the in-process enforcer; events with `"sourc
 | `forge-cli/tools/exec.go` | `SkillCommandExecutor` — proxy env injection for skill scripts |
 | `forge-cli/tools/cli_execute.go` | `CLIExecuteTool` — proxy env injection for CLI binaries |
 | `forge-cli/runtime/runner.go` | Proxy lifecycle management in `Run()` |
+
+---
+← [Security Overview](overview.md) | [Back to README](../../README.md) | [Secrets](secrets.md) →
diff --git a/docs/security/guardrails.md b/docs/security/guardrails.md
new file mode 100644
index 0000000..c2428ff
--- /dev/null
+++ b/docs/security/guardrails.md
@@ -0,0 +1,66 @@
+# Content Guardrails
+
+> Part of [Forge Documentation](../../README.md)
+
+The guardrail engine checks inbound and outbound messages against configurable policy rules.
+
+## Built-in Guardrails
+
+| Guardrail | Direction | Description |
+|-----------|-----------|-------------|
+| `content_filter` | Inbound + Outbound | Blocks messages containing configured blocked words |
+| `no_pii` | Outbound | Detects email addresses, phone numbers, and SSNs via regex |
+| `jailbreak_protection` | Inbound | Detects common jailbreak phrases ("ignore previous instructions", etc.) |
+
+## Modes
+
+| Mode | Behavior |
+|------|----------|
+| `enforce` | Blocks violating messages, returns error to caller |
+| `warn` | Logs violation, allows message to pass |
+
+## Configuration
+
+Guardrails are defined in the policy scaffold, loaded from `policy-scaffold.json` or generated during `forge build`.
+
+Custom guardrail rules can be added to the policy scaffold:
+
+```json
+{
+  "guardrails": {
+    "content_filter": {
+      "mode": "enforce",
+      "blocked_words": ["password", "credit card"]
+    },
+    "no_pii": {
+      "mode": "enforce"
+    },
+    "jailbreak_protection": {
+      "mode": "warn"
+    }
+  }
+}
+```
+
+## Runtime
+
+```bash
+# Run with guardrails enforced
+forge run --enforce-guardrails
+
+# Default: warn mode (log only)
+forge run
+```
+
+## Audit Events
+
+Guardrail evaluations are logged as structured audit events:
+
+```json
+{"ts":"2026-02-28T10:00:00Z","event":"guardrail_check","correlation_id":"a1b2c3d4","fields":{"guardrail":"no_pii","direction":"outbound","result":"blocked"}}
+```
+
+See [Security Overview](overview.md) for the full security architecture.
+
+---
+← [Build Signing](signing.md) | [Back to README](../../README.md) | [Scheduling](../scheduling.md) →
diff --git a/docs/security/SECURITY.md b/docs/security/overview.md
similarity index 71%
rename from docs/security/SECURITY.md
rename to docs/security/overview.md
index d7c93b6..3279a10 100644
--- a/docs/security/SECURITY.md
+++ b/docs/security/overview.md
@@ -140,130 +140,25 @@ tools:
 
 ## Secrets Management
 
-Forge provides encrypted secret storage with per-agent isolation and defense-in-depth.
+Forge provides AES-256-GCM encrypted secret storage with Argon2id key derivation, per-agent isolation, and a three-tier resolution hierarchy (agent-local -> global -> environment). Secrets are managed via `forge secret set|get|list|delete`.
 
-### Encryption
-
-- **Algorithm**: AES-256-GCM (authenticated encryption)
-- **Key derivation**: Argon2id (memory-hard, resistant to GPU attacks)
-- **File format**: `salt(16 bytes) || nonce(12 bytes) || ciphertext`
-- **Plaintext format**: JSON key-value map
-
-### Storage Hierarchy
-
-Secrets are resolved in order, with earlier sources taking priority:
-
-1. **Agent-local** — `<agent-dir>/.forge/secrets.enc`
-2. **Global** — `~/.forge/secrets.enc`
-3. **Environment variables** — `os.Getenv()`
-
-This enables per-agent key isolation: different agents can use different API keys even on the same machine.
-
-### Passphrase Handling
-
-| Context | Behavior |
-|---------|----------|
-| `forge run` (TTY) | Prompts interactively if `FORGE_PASSPHRASE` not set |
-| `forge run` (CI/CD) | Reads from `FORGE_PASSPHRASE` environment variable |
-| `forge init` (first time) | Prompts for passphrase + confirmation |
-| `forge init` (subsequent) | Prompts once and validates against existing file |
-
-### File Safety
-
-- `.forge/` directories are automatically added to `.gitignore`
-- `*.enc` files are excluded in `.dockerignore`
-- Secret files never appear in container images
-
-### Commands
-
-```bash
-forge secret set OPENAI_API_KEY              # Prompts for value securely
-forge secret set SLACK_BOT_TOKEN xoxb-...    # Inline value
-forge secret get OPENAI_API_KEY              # Shows value and source
-forge secret list                            # Lists all keys
-forge secret delete OLD_KEY                  # Removes a key
-forge secret set API_KEY --local             # Agent-local secret
-```
-
-### Configuration
-
-```yaml
-secrets:
-  providers:
-    - encrypted-file    # AES-256-GCM encrypted file
-    - env               # Environment variables (fallback)
-```
+For full details, see **[Secrets Management](secrets.md)**.
 
 ---
 
 ## Build Integrity
 
-Forge supports Ed25519 signing of build artifacts for supply chain integrity verification.
-
-### Signing Flow
-
-1. `forge build` computes SHA-256 checksums of all generated artifacts
-2. If a signing key exists at `~/.forge/signing-key.pem`, the checksums are signed with Ed25519
-3. `checksums.json` is written with checksums, signature, and key ID
-
-### Verification Flow
-
-At runtime, `forge run` optionally verifies build artifacts:
-1. Validates SHA-256 checksums of all files against `checksums.json`
-2. Verifies the Ed25519 signature against trusted keys in `~/.forge/trusted-keys/`
-3. If `checksums.json` doesn't exist, verification is skipped (opt-in)
+Forge supports Ed25519 signing and SHA-256 checksumming of build artifacts for supply chain integrity. At runtime, `forge run` can verify artifacts against trusted keys before execution.
 
-### Key Management
-
-```bash
-forge key generate                     # Generate Ed25519 keypair
-forge key generate --name ci-key       # Named keypair
-forge key trust ~/.forge/signing-key.pub   # Add to trusted keyring
-forge key list                         # List signing + trusted keys
-```
-
-### Production Build Safety
-
-The build pipeline includes a `secret-safety` stage that:
-- Blocks production builds (`--prod`) that only use `encrypted-file` without `env` provider
-- Warns if `.dockerignore` is missing alongside a generated Dockerfile
-- Rejects `dev-open` egress mode in production builds
-- Filters out dev-only tools (`local_shell`, `local_file_browser`)
+For full details, see **[Build Signing & Verification](signing.md)**.
 
 ---
 
 ## Guardrails
 
-The guardrail engine checks inbound and outbound messages against configurable policy rules.
-
-### Built-in Guardrails
+The guardrail engine checks inbound and outbound messages against policy rules including content filtering, PII detection, and jailbreak protection. Guardrails run in `enforce` (blocking) or `warn` (logging) mode.
 
-| Guardrail | Direction | Description |
-|-----------|-----------|-------------|
-| `content_filter` | Inbound + Outbound | Blocks messages containing configured blocked words |
-| `no_pii` | Outbound | Detects email addresses, phone numbers, and SSNs via regex |
-| `jailbreak_protection` | Inbound | Detects common jailbreak phrases ("ignore previous instructions", etc.) |
-
-### Modes
-
-| Mode | Behavior |
-|------|----------|
-| `enforce` | Blocks violating messages, returns error to caller |
-| `warn` | Logs violation, allows message to pass |
-
-### Configuration
-
-Guardrails are defined in the policy scaffold, loaded from `policy-scaffold.json` or generated during `forge build`.
-
-### Runtime
-
-```bash
-# Run with guardrails enforced
-forge run --enforce-guardrails
-
-# Default: warn mode (log only)
-forge run
-```
+For full details, see **[Content Guardrails](guardrails.md)**.
 
 ---
 
@@ -337,7 +232,13 @@ Production builds enforce:
 | Document | Description |
 |----------|-------------|
 | [Egress Security](egress.md) | Deep dive into egress enforcement: profiles, modes, domain matching, proxy architecture, NetworkPolicy |
+| [Secrets Management](secrets.md) | Encrypted storage, per-agent secrets, passphrase handling |
+| [Build Signing & Verification](signing.md) | Key management, build signing, runtime verification |
+| [Content Guardrails](guardrails.md) | PII detection, jailbreak protection, custom rules |
 | [Architecture](../architecture.md) | System design, module layout, and data flows |
 | [Tools](../tools.md) | Tool system including `cli_execute` security layers |
 | [Skills](../skills.md) | Skill definitions and runtime execution |
 | [Commands](../commands.md) | CLI reference including security-related flags |
+
+---
+← [Channels](../channels.md) | [Back to README](../../README.md) | [Egress Security](egress.md) →
diff --git a/docs/security/secrets.md b/docs/security/secrets.md
new file mode 100644
index 0000000..6f03b7f
--- /dev/null
+++ b/docs/security/secrets.md
@@ -0,0 +1,86 @@
+# Secrets Management
+
+> Part of [Forge Documentation](../../README.md)
+
+Forge provides encrypted secret management with per-agent isolation and interactive passphrase prompting.
+
+## Encrypted Storage
+
+Secrets are stored in AES-256-GCM encrypted files with Argon2id key derivation. The file format is `salt(16) || nonce(12) || ciphertext`, with the plaintext being a JSON key-value map.
+
+```bash
+# Store a secret (prompts for value securely)
+forge secret set OPENAI_API_KEY
+
+# Store with inline value
+forge secret set SLACK_BOT_TOKEN xoxb-...
+
+# Retrieve a secret (shows source: encrypted-file or env)
+forge secret get OPENAI_API_KEY
+
+# List all secret keys
+forge secret list
+
+# Delete a secret
+forge secret delete OLD_KEY
+```
+
+## Per-Agent Secrets
+
+Each agent can have its own encrypted secrets file at `<agent-dir>/.forge/secrets.enc`, separate from the global `~/.forge/secrets.enc`. Use the `--local` flag to operate on agent-local secrets:
+
+```bash
+cd my-agent
+
+# Store a secret in the agent-local file
+forge secret set OPENAI_API_KEY sk-agent1-key --local
+
+# Different agent, different key
+cd ../other-agent
+forge secret set OPENAI_API_KEY sk-agent2-key --local
+```
+
+At runtime, secrets are resolved in order: **agent-local** -> **global** -> **environment variables**. This lets you override global defaults per agent.
+
+## Runtime Passphrase Prompting
+
+When `forge run` encounters encrypted secrets and no `FORGE_PASSPHRASE` environment variable is set, it prompts interactively:
+
+```
+$ forge run
+Enter passphrase for encrypted secrets: ****
+```
+
+In non-interactive environments (CI/CD), set the passphrase via environment variable:
+
+```bash
+export FORGE_PASSPHRASE="my-passphrase"
+forge run
+```
+
+## Smart Init Passphrase
+
+`forge init` detects whether `~/.forge/secrets.enc` already exists:
+
+- **First time**: prompts for passphrase + confirmation (new setup)
+- **Subsequent**: prompts once and validates by attempting to decrypt the existing file
+
+## Configuration
+
+```yaml
+secrets:
+  providers:
+    - encrypted-file          # AES-256-GCM encrypted file
+    - env                     # Environment variables (fallback)
+```
+
+Secret files are automatically excluded from git (`.forge/` in `.gitignore`) and Docker builds (`*.enc` in `.dockerignore`).
+
+## File Safety
+
+- `.forge/` directories are automatically added to `.gitignore`
+- `*.enc` files are excluded in `.dockerignore`
+- Secret files never appear in container images
+
+---
+← [Egress Security](egress.md) | [Back to README](../../README.md) | [Build Signing](signing.md) →
diff --git a/docs/security/signing.md b/docs/security/signing.md
new file mode 100644
index 0000000..21d2ad7
--- /dev/null
+++ b/docs/security/signing.md
@@ -0,0 +1,49 @@
+# Build Signing & Verification
+
+> Part of [Forge Documentation](../../README.md)
+
+Forge supports Ed25519 signing of build artifacts for supply chain integrity.
+
+## Key Management
+
+```bash
+# Generate an Ed25519 signing keypair
+forge key generate
+# Output: ~/.forge/signing-key.pem (private) + ~/.forge/signing-key.pub (public)
+
+# Generate with a custom name
+forge key generate --name ci-key
+
+# Add a public key to the trusted keyring
+forge key trust ~/.forge/signing-key.pub
+
+# List signing and trusted keys
+forge key list
+```
+
+## Build Signing
+
+When a signing key exists at `~/.forge/signing-key.pem` (or specified via `--signing-key`), `forge build` automatically:
+
+1. Computes SHA-256 checksums of all generated artifacts
+2. Signs the checksums with the Ed25519 private key
+3. Writes `checksums.json` with checksums, signature, and key ID
+
+## Runtime Verification
+
+At runtime, `forge run` can verify build artifacts against `checksums.json`:
+
+- Validates SHA-256 checksums of all files
+- Verifies the Ed25519 signature against trusted keys in `~/.forge/trusted-keys/`
+- Verification is optional — if `checksums.json` doesn't exist, it's skipped
+
+## Secret Safety Stage
+
+The build pipeline includes a `secret-safety` stage that:
+
+- Blocks production builds (`--prod`) that only use `encrypted-file` without `env` provider (containers can't use encrypted files at runtime)
+- Warns if `.dockerignore` is missing alongside a generated Dockerfile
+- Ensures secrets never leak into container images
+
+---
+← [Secrets](secrets.md) | [Back to README](../../README.md) | [Guardrails](guardrails.md) →
diff --git a/docs/skills.md b/docs/skills.md
index b4dcd74..32cc2a4 100644
--- a/docs/skills.md
+++ b/docs/skills.md
@@ -1,5 +1,7 @@
 # Skills
 
+> Part of [Forge Documentation](../README.md)
+
 Skills are a progressive disclosure mechanism for defining agent capabilities in a structured, human-readable format. They compile into container artifacts during `forge build`.
 
 ## Overview
@@ -10,10 +12,6 @@ Skills bridge the gap between high-level capability descriptions and the tool-ca
 
 Skills are defined in a Markdown file (default: `SKILL.md`). The file supports optional YAML frontmatter and two body formats.
 
-### YAML Frontmatter
-
-Skills can declare metadata and requirements in a YAML frontmatter block delimited by `---`:
-
 ```markdown
 ---
 name: weather
@@ -29,54 +27,202 @@ metadata:
         optional: []
 ---
 ## Tool: weather_current
+
 Get current weather for a location.
+
+**Input:** location (string) - City name or coordinates
+**Output:** Current temperature, conditions, humidity, and wind speed
+
+## Tool: weather_forecast
+
+Get weather forecast for a location.
+
+**Input:** location (string), days (integer: 1-7)
+**Output:** Daily forecast with high/low temperatures and conditions
 ```
 
+Each `## Tool:` heading defines a tool the agent can call. The frontmatter declares binary dependencies and environment variable requirements. Skills compile into JSON artifacts and prompt text during `forge build`.
+
+### YAML Frontmatter
+
 The `metadata.forge.requires` block declares:
 - **`bins`** — Binary dependencies that must be in `$PATH` at runtime
 - **`env.required`** — Environment variables that must be set
 - **`env.one_of`** — At least one of these environment variables must be set
 - **`env.optional`** — Optional environment variables for extended functionality
 
-Frontmatter is parsed by `ParseWithMetadata()` in `forge-core/skills/parser.go` and feeds into the compilation pipeline. The `SkillMetadata` and `SkillRequirements` types are defined in `forge-core/skills/types.go`.
+Frontmatter is parsed by `ParseWithMetadata()` in `forge-core/skills/parser.go` and feeds into the compilation pipeline.
 
-### Tool Heading Format (recommended)
+### Legacy List Format
 
 ```markdown
-## Tool: web_search
-Search the web for current information and return relevant results.
+# Agent Skills
+
+- translate
+- summarize
+- classify
+```
+
+Single-word list items (no spaces, max 64 characters) create name-only skill entries. This format is simpler but provides less metadata.
 
-**Input:** query: string, max_results: int
-**Output:** results: []string
+## Skill Registry
 
-## Tool: summarize
-Summarize long text into a concise paragraph.
+Forge ships with a built-in skill registry. Add skills to your project with a single command:
 
-**Input:** text: string, max_length: int
-**Output:** summary: string
+```bash
+# Add a skill from the registry
+forge skills add tavily-research
+
+# Validate skill requirements
+forge skills validate
+
+# Audit skill security
+forge skills audit --embedded
 ```
 
-Each `## Tool:` heading starts a new skill entry. Paragraph text becomes the description. `**Input:**` and `**Output:**` lines set the input/output specifications.
+`forge skills add` copies the skill's SKILL.md and any associated scripts into your project's `skills/` directory. It validates binary and environment requirements, checks for existing values in your environment, `.env` file, and encrypted secrets, and prompts only for truly missing values with a suggestion to use `forge secrets set` for sensitive keys.
 
-### Legacy List Format
+## Skills as First-Class Tools
+
+Script-backed skills are automatically registered as **first-class LLM tools** at runtime. When a skill has scripts in `skills/scripts/`, Forge:
+
+1. Parses the skill's SKILL.md for tool definitions, descriptions, and input schemas
+2. Creates a named tool for each `## Tool:` entry (e.g., `tavily_research` becomes a tool the LLM can call directly)
+3. Executes the skill's shell script with JSON input when the LLM invokes it
+
+This means the LLM sees skill tools alongside builtins like `web_search` and `http_request` — no generic `cli_execute` indirection needed.
+
+For skills **without** scripts (binary-backed skills like `k8s-incident-triage`), Forge injects the full skill instructions into the system prompt. The complete SKILL.md body — including triage steps, detection heuristics, output structure, and safety constraints — is included inline so the LLM follows the skill protocol without needing an extra tool call. Skills are invoked via `cli_execute` with the declared binary dependencies.
+
+```
+┌─────────────────────────────────────────────────┐
+│                LLM Tool Registry                │
+├─────────────────┬───────────────────────────────┤
+│  Builtins       │  web_search, http_request     │
+│  Skill Tools    │  tavily_research, ...         │  ← auto-registered from scripts
+│  read_skill     │  load any SKILL.md on demand  │
+│  cli_execute    │  run approved binaries        │
+├─────────────────┴───────────────────────────────┤
+│  System Prompt: full skill instructions inline  │  ← binary-backed skills
+└─────────────────────────────────────────────────┘
+```
+
+## Skill Execution Security
+
+Skill scripts run in a restricted environment via `SkillCommandExecutor`:
+
+- **Isolated environment**: Only `PATH`, `HOME`, and explicitly declared env vars are passed through
+- **Configurable timeout**: Each skill declares a `timeout_hint` in its YAML frontmatter (e.g., 300s for research)
+- **No shell execution**: Scripts run via `bash <script> <json-input>`, not through a shell interpreter
+- **Egress proxy enforcement**: When egress mode is `allowlist` or `deny-all`, a local HTTP/HTTPS proxy is started and `HTTP_PROXY`/`HTTPS_PROXY` env vars are injected into subprocess environments, ensuring `curl`, `wget`, Python `requests`, and other HTTP clients route through the same domain allowlist used by in-process tools (see [Egress Security](security/egress.md))
+
+## Skill Categories & Tags
+
+Skills can declare a `category` and `tags` in their frontmatter for organization and filtering:
 
 ```markdown
-# Agent Skills
+---
+name: k8s-incident-triage
+category: sre
+tags:
+  - kubernetes
+  - incident-response
+  - triage
+---
+```
 
-- translate
-- summarize
-- classify
+Categories and tags must be lowercase kebab-case. Use them to filter skills:
+
+```bash
+# List skills by category
+forge skills list --category sre
+
+# Filter by tags (AND semantics — skill must have all listed tags)
+forge skills list --tags kubernetes,incident-response
 ```
 
-Single-word list items (no spaces, max 64 characters) create name-only skill entries. This format is simpler but provides less metadata.
+## Built-in Skills
+
+| Skill | Description | Scripts |
+|-------|-------------|---------|
+| `tavily-research` | Deep multi-source research via Tavily API | `tavily-research.sh`, `tavily-research-poll.sh` |
+| `k8s-incident-triage` | Read-only Kubernetes incident triage using kubectl | — (binary-backed) |
+
+### Tavily Research Skill
+
+The `tavily-research` skill demonstrates the **async two-tool pattern** for long-running operations:
+
+```bash
+forge skills add tavily-research
+```
+
+This registers two tools:
+
+| Tool | Purpose | Behavior |
+|------|---------|----------|
+| `tavily_research` | Submit a research query | Returns immediately with a `request_id` |
+| `tavily_research_poll` | Wait for results | Polls internally for up to ~5 minutes, returns complete report |
+
+The LLM uses them in sequence: submit the research request, inform the user that research is in progress, then call the poll tool which handles all waiting internally. The complete report (1000-3000 words with sources) is returned to the LLM and delivered to the user.
+
+**Research models:**
+
+| Model | Speed | Use Case |
+|-------|-------|----------|
+| `mini` | ~30s | Quick overviews, simple topics |
+| `pro` | ~300s | Comprehensive analysis, complex topics |
+| `auto` | Varies | Let the API choose based on query complexity |
+
+Requires: `curl`, `jq`, `TAVILY_API_KEY` environment variable.
+
+### Kubernetes Incident Triage Skill
+
+The `k8s-incident-triage` skill performs read-only triage of Kubernetes workloads using `kubectl`:
+
+```bash
+forge skills add k8s-incident-triage
+```
+
+This registers a single tool:
+
+| Tool | Purpose | Behavior |
+|------|---------|----------|
+| `k8s_triage` | Diagnose unhealthy workloads, pods, or namespaces | Runs read-only kubectl commands, produces a structured triage report |
+
+The skill accepts two input modes:
+
+- **Human mode** — natural language like `"triage payments-prod"` or `"why are pods pending in checkout-prod?"`
+- **Automation mode** — structured JSON with namespace, workload, pod, and diagnostic options
+
+**Triage process:**
+
+1. Verify cluster access (kubectl version, cluster-info)
+2. Fast health snapshot (pods, deployments, statefulsets)
+3. Events timeline (FailedScheduling, probe failures, evictions)
+4. Describe pods & workloads (container state, restart counts, probes)
+5. Node diagnostics (optional — NotReady, memory/disk pressure)
+6. Logs (optional — with previous container logs for CrashLoopBackOff)
+7. Metrics (optional — via metrics-server)
+
+**Detection heuristics** classify issues into: CrashLoop, OOMKilled, Image Pull Failure, Scheduling Constraint, Probe Failure, PVC/Volume Failure, Node Pressure/Eviction, Rollout Stuck. Each finding includes a hypothesis, evidence, confidence score (0.0-1.0), and recommended next commands.
+
+**Safety:** This skill is strictly read-only. It never executes `apply`, `patch`, `delete`, `exec`, `port-forward`, `scale`, or `rollout restart`. It never prints Secret values.
+
+Requires: `kubectl`, optional `KUBECONFIG`, `K8S_API_DOMAIN`, `DEFAULT_NAMESPACE` environment variables.
+
+## Skill Instructions in System Prompt
+
+Forge injects the **full body** of each skill's SKILL.md into the LLM system prompt. This means all detailed operational instructions — triage steps, detection heuristics, output structure, safety constraints — are directly available in the LLM's context without requiring an extra `read_skill` tool call.
+
+For skills with extensive instructions (like `k8s-incident-triage` with ~150 lines of triage procedures), this ensures the LLM follows the complete skill protocol from the first interaction.
 
 ## Compilation Pipeline
 
 The skill compilation pipeline has three stages:
 
-1. **Parse** (`internal/plugins/skills/parser.go`) — Reads `skills.md` and extracts `SkillEntry` values with name, description, input spec, and output spec. When YAML frontmatter is present, `ParseWithMetadata()` (`forge-core/skills/parser.go`) additionally extracts `SkillMetadata` and `SkillRequirements` (binary deps, env vars).
+1. **Parse** — Reads `SKILL.md` and extracts `SkillEntry` values with name, description, input spec, and output spec. When YAML frontmatter is present, `ParseWithMetadata()` additionally extracts `SkillMetadata` and `SkillRequirements` (binary deps, env vars).
 
-2. **Compile** (`internal/skills/compiler.go`) — Converts entries into `CompiledSkills` with:
+2. **Compile** — Converts entries into `CompiledSkills` with:
    - A JSON-serializable skill list
    - A human-readable prompt catalog
    - Version identifier (`agentskills-v1`)
@@ -87,7 +233,7 @@ The skill compilation pipeline has three stages:
 
 ## Build Stage Integration
 
-The `SkillsStage` (`internal/build/skills_stage.go`) runs as part of the build pipeline:
+The `SkillsStage` runs as part of the build pipeline:
 
 1. Resolves the skills file path (default: `SKILL.md` in work directory)
 2. Skips silently if the file doesn't exist
@@ -95,11 +241,6 @@ The `SkillsStage` (`internal/build/skills_stage.go`) runs as part of the build p
 4. Updates the `AgentSpec` with `skills_spec_version` and `forge_skills_ext_version`
 5. Records generated files in the build manifest
 
-## Prompt-Only vs Tool-Bearing Skills
-
-- **Prompt-only skills** (legacy format) provide names only. They appear in the prompt catalog but have no structured input/output.
-- **Tool-bearing skills** (heading format) include full specifications that can be used for validation and documentation.
-
 ## Configuration
 
 In `forge.yaml`:
@@ -119,8 +260,5 @@ forge init my-agent --from-skills
 forge build
 ```
 
-## Related Files
-
-- `internal/plugins/skills/parser.go` — SKILL.md parser
-- `internal/skills/compiler.go` — Skill compilation and artifact generation
-- `internal/build/skills_stage.go` — Build pipeline integration
+---
+← [Architecture](architecture.md) | [Back to README](../README.md) | [Tools](tools.md) →
diff --git a/docs/tools.md b/docs/tools.md
index 71427d3..030cfd9 100644
--- a/docs/tools.md
+++ b/docs/tools.md
@@ -1,64 +1,112 @@
 # Tools
 
+> Part of [Forge Documentation](../README.md)
+
 Tools are capabilities that an LLM agent can invoke during execution. Forge provides a pluggable tool system with built-in tools, adapter tools, development tools, and custom tools.
 
 ## Tool Categories
 
 | Category | Code | Description |
 |----------|------|-------------|
-| **Builtin** | `builtin` | Core tools shipped with Forge (A) |
-| **Adapter** | `adapter` | External service integrations via webhook, MCP, or OpenAPI (B) |
-| **Dev** | `dev` | Development-only tools, filtered in production builds (C) |
+| **Builtin** | `builtin` | Core tools shipped with Forge |
+| **Adapter** | `adapter` | External service integrations via webhook, MCP, or OpenAPI |
+| **Dev** | `dev` | Development-only tools, filtered in production builds |
 | **Custom** | `custom` | User-defined tools discovered from the project |
 
-## Tool Interface
-
-All tools implement the `tools.Tool` interface defined in `internal/tools/tool.go`:
-
-```go
-type Tool interface {
-    Name() string
-    Description() string
-    Category() Category
-    InputSchema() json.RawMessage
-    Execute(ctx context.Context, args json.RawMessage) (string, error)
-}
-```
-
 ## Built-in Tools
 
-Located in `internal/tools/builtins/`:
-
 | Tool | Description |
 |------|-------------|
-| `web_search` | Search the web using Perplexity API |
-| `http_request` | Make HTTP requests (GET, POST, etc.) |
+| `http_request` | Make HTTP requests (GET, POST, PUT, DELETE) |
 | `json_parse` | Parse and query JSON data |
 | `csv_parse` | Parse CSV data into structured records |
 | `datetime_now` | Get current date and time |
 | `uuid_generate` | Generate UUID v4 identifiers |
 | `math_calculate` | Evaluate mathematical expressions |
+| `web_search` | Search the web for quick lookups and recent information |
+| `read_skill` | Load full instructions for an available skill on demand |
+| `memory_search` | Search long-term memory (when enabled) |
+| `memory_get` | Read memory files (when enabled) |
+| `cli_execute` | Execute pre-approved CLI binaries |
+| `schedule_set` | Create or update a recurring cron schedule |
+| `schedule_list` | List all active and inactive schedules |
+| `schedule_delete` | Remove an LLM-created schedule |
+| `schedule_history` | View execution history for scheduled tasks |
 
 Register all builtins with `builtins.RegisterAll(registry)`.
 
 ## Adapter Tools
 
-Located in `internal/tools/adapters/`:
-
 | Adapter | Description |
 |---------|-------------|
-| `webhook` | Invoke external HTTP endpoints as tools |
-| `mcp` | Connect to Model Context Protocol servers |
-| `openapi` | Auto-generate tools from OpenAPI specifications |
+| `mcp_call` | Call tools on MCP servers via JSON-RPC |
+| `webhook_call` | POST JSON payloads to webhook URLs |
+| `openapi_call` | Call OpenAPI-described endpoints |
 
 Adapter tools bridge external services into the agent's tool set.
 
-## Development Tools
+## Web Search Providers
+
+The `web_search` tool supports two providers:
+
+| Provider | API Key Env Var | Endpoint |
+|----------|----------------|----------|
+| Tavily (recommended) | `TAVILY_API_KEY` | `api.tavily.com/search` |
+| Perplexity | `PERPLEXITY_API_KEY` | `api.perplexity.ai/chat/completions` |
+
+Provider selection: `WEB_SEARCH_PROVIDER` env var, or auto-detect from available API keys (Tavily first).
+
+## CLI Execute
+
+The `cli_execute` tool provides security-hardened command execution with 7 security layers:
+
+```yaml
+tools:
+  - name: cli_execute
+    config:
+      allowed_binaries: ["git", "curl", "jq", "python3"]
+      env_passthrough: ["GITHUB_TOKEN"]
+      timeout: 120
+      max_output_bytes: 1048576
+```
+
+| # | Layer | Detail |
+|---|-------|--------|
+| 1 | **Binary allowlist** | Only pre-approved binaries can execute |
+| 2 | **Binary resolution** | Binaries are resolved to absolute paths via `exec.LookPath` at startup |
+| 3 | **Argument validation** | Rejects arguments containing `$(`, backticks, or newlines |
+| 4 | **Timeout** | Configurable per-command timeout (default: 120s) |
+| 5 | **No shell** | Uses `exec.CommandContext` directly — no shell expansion |
+| 6 | **Environment isolation** | Only `PATH`, `HOME`, `LANG`, explicit passthrough vars, and proxy vars |
+| 7 | **Output limits** | Configurable max output size (default: 1MB) to prevent memory exhaustion |
 
-Located in `internal/tools/devtools/`:
+## Memory Tools
+
+When [long-term memory](memory.md) is enabled, two additional tools are registered:
+
+- **`memory_search`** — Hybrid vector + keyword search across stored memory files
+- **`memory_get`** — Read specific memory files by path
+
+These tools allow the agent to recall information from previous sessions.
+
+## Development Tools
 
 Development tools (`local_shell`, `local_file_browser`, `debug_console`, `test_runner`) are available during `forge run --dev` but are **automatically filtered out** in production builds by the `ToolFilterStage`.
 
+## Tool Interface
+
+All tools implement the `tools.Tool` interface:
+
+```go
+type Tool interface {
+    Name() string
+    Description() string
+    Category() Category
+    InputSchema() json.RawMessage
+    Execute(ctx context.Context, args json.RawMessage) (string, error)
+}
+```
+
 ## Writing a Custom Tool
 
 Custom tools are discovered from the project directory. Create a Python or TypeScript file with a docstring schema:
@@ -88,23 +136,9 @@ if __name__ == "__main__":
     print(execute(input_data))
 ```
 
-## Tool Discovery
+Custom tools can also be added by placing scripts in a `tools/` directory in your project.
 
-The tool discovery system (`internal/tools/discovery.go`) scans project directories for custom tool files. It recognizes:
-
-- Python files with docstring schemas
-- TypeScript files with JSDoc schemas
-- Tool configuration in `forge.yaml`
-
-## Tool Registry
-
-The `tools.Registry` (`internal/tools/registry.go`) is a thread-safe tool registry that:
-
-- Prevents duplicate registrations
-- Provides `Execute(name, args)` and `ToolDefinitions()` methods
-- Satisfies the `engine.ToolExecutor` interface via structural typing
-
-## CLI Commands
+## Tool Commands
 
 ```bash
 # List all registered tools
@@ -116,19 +150,12 @@ forge tool describe web_search
 
 ## Build Pipeline
 
-The `ToolFilterStage` (`internal/build/tool_filter_stage.go`) runs during `forge build`:
+The `ToolFilterStage` runs during `forge build`:
 
 1. Annotates each tool with its category (builtin, adapter, dev, custom)
 2. Sets `tool_interface_version` to `"1.0"` on the AgentSpec
 3. In production mode (`--prod`), removes all dev-category tools
 4. Counts tools per category for the build manifest
 
-## Related Files
-
-- `internal/tools/tool.go` — Tool interface and category constants
-- `internal/tools/registry.go` — Thread-safe tool registry
-- `internal/tools/builtins/` — Built-in tool implementations
-- `internal/tools/adapters/` — Adapter tool implementations
-- `internal/tools/devtools/` — Development tools
-- `internal/tools/discovery.go` — Tool discovery from project files
-- `internal/build/tool_filter_stage.go` — Build-time tool filtering
+---
+← [Skills](skills.md) | [Back to README](../README.md) | [Runtime](runtime.md) →
diff --git a/forge-cli/channels/integration_test.go b/forge-cli/channels/integration_test.go
index cf4ef0d..2f18831 100644
--- a/forge-cli/channels/integration_test.go
+++ b/forge-cli/channels/integration_test.go
@@ -105,7 +105,7 @@ func TestSlackPlugin_MockA2A(t *testing.T) {
 	}
 
 	// Test Router round-trip with mock A2A
-	router := clichannels.NewRouter(srv.URL)
+	router := clichannels.NewRouter(srv.URL, "")
 	handler := router.Handler()
 
 	resp, err := handler(context.Background(), event)
@@ -172,7 +172,7 @@ func TestTelegramPlugin_MockA2A(t *testing.T) {
 	}
 
 	// Test Router round-trip with mock A2A
-	router := clichannels.NewRouter(srv.URL)
+	router := clichannels.NewRouter(srv.URL, "")
 	handler := router.Handler()
 
 	resp, err := handler(context.Background(), event)
diff --git a/forge-cli/channels/router.go b/forge-cli/channels/router.go
index 8632cb7..8abee08 100644
--- a/forge-cli/channels/router.go
+++ b/forge-cli/channels/router.go
@@ -15,14 +15,17 @@ import (
 
 // Router forwards channel events to an A2A agent server via JSON-RPC over HTTP.
 type Router struct {
-	agentURL string
-	client   *http.Client
+	agentURL    string
+	bearerToken string
+	client      *http.Client
 }
 
 // NewRouter creates a Router that forwards events to the A2A server at agentURL.
-func NewRouter(agentURL string) *Router {
+// If bearerToken is non-empty, it is sent as an Authorization header on requests.
+func NewRouter(agentURL, bearerToken string) *Router {
 	return &Router{
-		agentURL: agentURL,
+		agentURL:    agentURL,
+		bearerToken: bearerToken,
 		client: &http.Client{
 			Timeout: 360 * time.Second,
 		},
@@ -81,6 +84,9 @@ func (r *Router) forwardToA2A(ctx context.Context, event *channels.ChannelEvent)
 		return nil, fmt.Errorf("creating request: %w", err)
 	}
 	httpReq.Header.Set("Content-Type", "application/json")
+	if r.bearerToken != "" {
+		httpReq.Header.Set("Authorization", "Bearer "+r.bearerToken)
+	}
 
 	resp, err := r.client.Do(httpReq)
 	if err != nil {
@@ -88,6 +94,14 @@ func (r *Router) forwardToA2A(ctx context.Context, event *channels.ChannelEvent)
 	}
 	defer func() { _ = resp.Body.Close() }()
 
+	// Check for HTTP-level errors (e.g. 401 Unauthorized from auth middleware).
+	if resp.StatusCode == http.StatusUnauthorized {
+		return nil, fmt.Errorf("A2A server returned 401 Unauthorized (check auth token)")
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("A2A server returned HTTP %d", resp.StatusCode)
+	}
+
 	respBody, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, fmt.Errorf("reading response: %w", err)
diff --git a/forge-cli/channels/router_test.go b/forge-cli/channels/router_test.go
index f602602..7ac57c9 100644
--- a/forge-cli/channels/router_test.go
+++ b/forge-cli/channels/router_test.go
@@ -50,7 +50,7 @@ func TestRouter_ForwardToA2A_Success(t *testing.T) {
 	}))
 	defer srv.Close()
 
-	router := NewRouter(srv.URL)
+	router := NewRouter(srv.URL, "")
 	event := &channels.ChannelEvent{
 		Channel:     "test",
 		WorkspaceID: "W123",
@@ -83,7 +83,7 @@ func TestRouter_ForwardToA2A_Error(t *testing.T) {
 	}))
 	defer srv.Close()
 
-	router := NewRouter(srv.URL)
+	router := NewRouter(srv.URL, "")
 	event := &channels.ChannelEvent{
 		Channel:     "test",
 		WorkspaceID: "W123",
@@ -113,7 +113,7 @@ func TestRouter_ForwardToA2A_NoMessage(t *testing.T) {
 	}))
 	defer srv.Close()
 
-	router := NewRouter(srv.URL)
+	router := NewRouter(srv.URL, "")
 	event := &channels.ChannelEvent{
 		Channel:     "test",
 		WorkspaceID: "W123",
@@ -131,7 +131,7 @@ func TestRouter_ForwardToA2A_NoMessage(t *testing.T) {
 }
 
 func TestRouter_Handler(t *testing.T) {
-	router := NewRouter("http://localhost:9999")
+	router := NewRouter("http://localhost:9999", "")
 	handler := router.Handler()
 	if handler == nil {
 		t.Fatal("Handler() returned nil")
diff --git a/forge-cli/cmd/channel.go b/forge-cli/cmd/channel.go
index adb8371..caec511 100644
--- a/forge-cli/cmd/channel.go
+++ b/forge-cli/cmd/channel.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/initializ/forge/forge-cli/channels"
 	"github.com/initializ/forge/forge-cli/templates"
+	"github.com/initializ/forge/forge-core/auth"
 	corechannels "github.com/initializ/forge/forge-core/channels"
 	"github.com/initializ/forge/forge-plugins/channels/slack"
 	"github.com/initializ/forge/forge-plugins/channels/telegram"
@@ -133,7 +134,12 @@ func runChannelServe(cmd *cobra.Command, args []string) error {
 	}
 
 	// Create router
-	router := channels.NewRouter(agentURL)
+	// Load auth token if present for the agent directory.
+	var channelToken string
+	if wd, err := os.Getwd(); err == nil {
+		channelToken, _ = auth.LoadToken(wd)
+	}
+	router := channels.NewRouter(agentURL, channelToken)
 
 	// Signal handling
 	ctx, cancel := context.WithCancel(context.Background())
diff --git a/forge-cli/cmd/run.go b/forge-cli/cmd/run.go
index 383d7a8..89bac9b 100644
--- a/forge-cli/cmd/run.go
+++ b/forge-cli/cmd/run.go
@@ -27,6 +27,8 @@ var (
 	runProvider          string
 	runEnvFile           string
 	runWithChannels      string
+	runNoAuth            bool
+	runAuthToken         string
 )
 
 var runCmd = &cobra.Command{
@@ -45,6 +47,8 @@ func init() {
 	runCmd.Flags().StringVar(&runProvider, "provider", "", "LLM provider (openai, anthropic, ollama)")
 	runCmd.Flags().StringVar(&runEnvFile, "env", ".env", "path to .env file")
 	runCmd.Flags().StringVar(&runWithChannels, "with", "", "comma-separated channel adapters to start (e.g. slack,telegram)")
+	runCmd.Flags().BoolVar(&runNoAuth, "no-auth", false, "disable bearer token authentication (localhost only)")
+	runCmd.Flags().StringVar(&runAuthToken, "auth-token", "", "explicit bearer token (default: auto-generated)")
 }
 
 func runRun(cmd *cobra.Command, args []string) error {
@@ -68,11 +72,18 @@ func runRun(cmd *cobra.Command, args []string) error {
 		EnvFilePath:       resolveEnvPath(workDir, runEnvFile),
 		Verbose:           verbose,
 		Channels:          activeChannels,
+		NoAuth:            runNoAuth,
+		AuthToken:         runAuthToken,
 	})
 	if err != nil {
 		return fmt.Errorf("creating runner: %w", err)
 	}
 
+	// Resolve auth token early so channel adapters can use it.
+	if err := runner.ResolveAuth(); err != nil {
+		return fmt.Errorf("resolving auth: %w", err)
+	}
+
 	// Set up signal handling
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@@ -89,7 +100,7 @@ func runRun(cmd *cobra.Command, args []string) error {
 	if runWithChannels != "" {
 		registry := defaultRegistry()
 		agentURL := fmt.Sprintf("http://localhost:%d", runPort)
-		router := channels.NewRouter(agentURL)
+		router := channels.NewRouter(agentURL, runner.AuthToken())
 
 		// Collect initialized plugins so the scheduler can deliver results.
 		activePlugins := make(map[string]corechannels.ChannelPlugin)
diff --git a/forge-cli/cmd/serve.go b/forge-cli/cmd/serve.go
index 66683ac..8281ef8 100644
--- a/forge-cli/cmd/serve.go
+++ b/forge-cli/cmd/serve.go
@@ -17,9 +17,11 @@ import (
 
 // daemonState is persisted in .forge/serve.json.
 type daemonState struct {
-	PID  int    `json:"pid"`
-	Port int    `json:"port"`
-	Host string `json:"host"`
+	PID         int    `json:"pid"`
+	Port        int    `json:"port"`
+	Host        string `json:"host"`
+	AuthEnabled bool   `json:"auth_enabled"`
+	TokenPath   string `json:"token_path,omitempty"`
 }
 
 var (
@@ -31,6 +33,8 @@ var (
 	serveProvider          string
 	serveEnvFile           string
 	serveWithChannels      string
+	serveNoAuth            bool
+	serveAuthToken         string
 )
 
 var serveCmd = &cobra.Command{
@@ -88,6 +92,8 @@ func registerServeFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&serveProvider, "provider", "", "LLM provider (openai, anthropic, ollama)")
 	cmd.Flags().StringVar(&serveEnvFile, "env", ".env", "path to .env file")
 	cmd.Flags().StringVar(&serveWithChannels, "with", "", "comma-separated channel adapters to start (e.g. slack,telegram)")
+	cmd.Flags().BoolVar(&serveNoAuth, "no-auth", false, "disable bearer token authentication (localhost only)")
+	cmd.Flags().StringVar(&serveAuthToken, "auth-token", "", "explicit bearer token (default: auto-generated)")
 }
 
 func init() {
@@ -175,6 +181,12 @@ func serveStartRun(cmd *cobra.Command, args []string) error {
 	if serveWithChannels != "" {
 		runArgs = append(runArgs, "--with", serveWithChannels)
 	}
+	if serveNoAuth {
+		runArgs = append(runArgs, "--no-auth")
+	}
+	if serveAuthToken != "" {
+		runArgs = append(runArgs, "--auth-token", serveAuthToken)
+	}
 
 	// Ensure .forge directory exists
 	forgeDir := filepath.Dir(statePath)
@@ -201,10 +213,18 @@ func serveStartRun(cmd *cobra.Command, args []string) error {
 	}
 
 	// Write state file
+	authEnabled := !serveNoAuth
+	var tokenPath string
+	if authEnabled {
+		wd, _ := os.Getwd()
+		tokenPath = filepath.Join(wd, ".forge", "runtime.token")
+	}
 	state := daemonState{
-		PID:  child.Process.Pid,
-		Port: servePort,
-		Host: serveHost,
+		PID:         child.Process.Pid,
+		Port:        servePort,
+		Host:        serveHost,
+		AuthEnabled: authEnabled,
+		TokenPath:   tokenPath,
 	}
 	stateData, _ := json.Marshal(state)
 	if err := os.WriteFile(statePath, stateData, 0644); err != nil {
@@ -223,6 +243,11 @@ func serveStartRun(cmd *cobra.Command, args []string) error {
 	fmt.Fprintf(os.Stderr, "Daemon started:\n")
 	fmt.Fprintf(os.Stderr, "  PID:     %d\n", state.PID)
 	fmt.Fprintf(os.Stderr, "  Listen:  %s:%d\n", state.Host, state.Port)
+	if state.AuthEnabled {
+		fmt.Fprintf(os.Stderr, "  Auth:    enabled (token in %s)\n", state.TokenPath)
+	} else {
+		fmt.Fprintf(os.Stderr, "  Auth:    disabled\n")
+	}
 	fmt.Fprintf(os.Stderr, "  Logs:    %s\n", logPath)
 
 	return nil
@@ -291,6 +316,11 @@ func serveStatusRun(cmd *cobra.Command, args []string) error {
 	fmt.Fprintf(os.Stderr, "Status:  running\n")
 	fmt.Fprintf(os.Stderr, "PID:     %d\n", state.PID)
 	fmt.Fprintf(os.Stderr, "Listen:  %s:%d\n", state.Host, state.Port)
+	if state.AuthEnabled {
+		fmt.Fprintf(os.Stderr, "Auth:    enabled\n")
+	} else {
+		fmt.Fprintf(os.Stderr, "Auth:    disabled\n")
+	}
 	fmt.Fprintf(os.Stderr, "Logs:    %s\n", logPath)
 
 	// Try to hit the health endpoint for uptime
diff --git a/forge-cli/runtime/runner.go b/forge-cli/runtime/runner.go
index 0c5e0ee..3058f16 100644
--- a/forge-cli/runtime/runner.go
+++ b/forge-cli/runtime/runner.go
@@ -15,6 +15,7 @@ import (
 	clitools "github.com/initializ/forge/forge-cli/tools"
 	"github.com/initializ/forge/forge-core/a2a"
 	"github.com/initializ/forge/forge-core/agentspec"
+	"github.com/initializ/forge/forge-core/auth"
 	"github.com/initializ/forge/forge-core/llm"
 	"github.com/initializ/forge/forge-core/llm/oauth"
 	"github.com/initializ/forge/forge-core/llm/providers"
@@ -45,6 +46,8 @@ type RunnerConfig struct {
 	EnvFilePath       string
 	Verbose           bool
 	Channels          []string // active channel adapters from --with flag
+	NoAuth            bool     // disable bearer token authentication
+	AuthToken         string   // explicit bearer token (empty = auto-generate)
 }
 
 // ScheduleNotifier is called after a scheduled task completes to deliver the
@@ -61,6 +64,7 @@ type Runner struct {
 	sched            *scheduler.Scheduler       // cron scheduler (nil until started)
 	startTime        time.Time                  // server start time (for /health uptime)
 	scheduleNotifier ScheduleNotifier           // optional: delivers cron results to channels
+	authToken        string                     // resolved auth token (empty if --no-auth)
 }
 
 // NewRunner creates a Runner from the given config.
@@ -81,6 +85,38 @@ func (r *Runner) SetScheduleNotifier(fn ScheduleNotifier) {
 	r.scheduleNotifier = fn
 }
 
+// ResolveAuth resolves the auth token early (before Run). This is needed so
+// channel adapters can be configured with the token before Run() blocks.
+// Safe to call multiple times — subsequent calls are no-ops.
+func (r *Runner) ResolveAuth() error {
+	if r.authToken != "" || r.cfg.NoAuth {
+		return nil // already resolved
+	}
+	local := isLocalhost(r.cfg.Host)
+	if r.cfg.NoAuth && !local {
+		return fmt.Errorf("--no-auth is only allowed when binding to localhost (current host: %s)", r.cfg.Host)
+	}
+	token := r.cfg.AuthToken
+	if token == "" {
+		var err error
+		token, err = auth.GenerateToken()
+		if err != nil {
+			return fmt.Errorf("generating auth token: %w", err)
+		}
+	}
+	r.authToken = token
+	if err := auth.StoreToken(r.cfg.WorkDir, token); err != nil {
+		return fmt.Errorf("storing auth token: %w", err)
+	}
+	ensureGitignore(r.cfg.WorkDir)
+	return nil
+}
+
+// AuthToken returns the resolved bearer token. Empty if auth is disabled.
+func (r *Runner) AuthToken() string {
+	return r.authToken
+}
+
 // Run starts the development server. It blocks until ctx is cancelled.
 func (r *Runner) Run(ctx context.Context) error {
 	// 0. Verify build output integrity if checksums.json exists.
@@ -449,6 +485,12 @@ func (r *Runner) Run(ctx context.Context) error {
 		defer lifecycle.Stop() //nolint:errcheck
 	}
 
+	// 6a. Resolve auth configuration.
+	authCfg, err := r.resolveAuth(auditLogger)
+	if err != nil {
+		return fmt.Errorf("resolving auth: %w", err)
+	}
+
 	// 6. Create A2A server
 	r.startTime = time.Now()
 	srv := server.NewServer(server.ServerConfig{
@@ -456,6 +498,7 @@ func (r *Runner) Run(ctx context.Context) error {
 		Host:            r.cfg.Host,
 		ShutdownTimeout: r.cfg.ShutdownTimeout,
 		AgentCard:       card,
+		AuthMiddleware:  auth.Middleware(authCfg),
 	})
 
 	// 7. Register JSON-RPC handlers
@@ -1425,6 +1468,16 @@ func (r *Runner) printBanner(proxyURL string) {
 			defaultStr(r.cfg.Config.Egress.Profile, "strict"),
 			defaultStr(r.cfg.Config.Egress.Mode, "deny-all"))
 	}
+	// Auth
+	if r.cfg.NoAuth {
+		fmt.Fprintf(os.Stderr, "  Auth:       disabled (--no-auth)\n")
+	} else if r.authToken != "" {
+		fmt.Fprintf(os.Stderr, "  Auth:       enabled (token in .forge/runtime.token)\n")
+	}
+	// LAN exposure warning
+	if !isLocalhost(r.cfg.Host) && !r.cfg.NoAuth {
+		fmt.Fprintf(os.Stderr, "  WARNING:    binding to non-localhost; ensure firewall rules are in place\n")
+	}
 	// Egress proxy
 	if proxyURL != "" {
 		fmt.Fprintf(os.Stderr, "  Proxy:      %s\n", proxyURL)
@@ -1438,6 +1491,67 @@ func (r *Runner) printBanner(proxyURL string) {
 	fmt.Fprintf(os.Stderr, "  Press Ctrl+C to stop\n\n")
 }
 
+// resolveAuth builds the auth middleware config. Token resolution is done by
+// ResolveAuth() (called early so channel adapters can use it); this method
+// just wires the already-resolved token into a middleware Config with the audit callback.
+func (r *Runner) resolveAuth(auditLogger *coreruntime.AuditLogger) (auth.Config, error) {
+	// Ensure token is resolved (no-op if already done by ResolveAuth).
+	if err := r.ResolveAuth(); err != nil {
+		return auth.Config{}, err
+	}
+
+	if r.cfg.NoAuth {
+		return auth.Config{Enabled: false}, nil
+	}
+
+	cfg := auth.Config{
+		Enabled:   true,
+		Token:     r.authToken,
+		SkipPaths: auth.DefaultSkipPaths(),
+		OnAuth: func(req *http.Request, success bool) {
+			if auditLogger == nil {
+				return
+			}
+			event := coreruntime.AuditAuthSuccess
+			if !success {
+				event = coreruntime.AuditAuthFailure
+			}
+			auditLogger.Emit(coreruntime.AuditEvent{
+				Event: event,
+				Fields: map[string]any{
+					"method":      req.Method,
+					"path":        req.URL.Path,
+					"remote_addr": req.RemoteAddr,
+				},
+			})
+		},
+	}
+	return cfg, nil
+}
+
+// ensureGitignore makes sure .forge/ is listed in the project's .gitignore.
+func ensureGitignore(workDir string) {
+	gitignorePath := filepath.Join(workDir, ".gitignore")
+	data, err := os.ReadFile(gitignorePath)
+	if err != nil && !os.IsNotExist(err) {
+		return
+	}
+
+	content := string(data)
+	for _, line := range strings.Split(content, "\n") {
+		if strings.TrimSpace(line) == ".forge/" || strings.TrimSpace(line) == ".forge" {
+			return // already present
+		}
+	}
+
+	// Append .forge/ to .gitignore.
+	entry := ".forge/\n"
+	if len(content) > 0 && !strings.HasSuffix(content, "\n") {
+		entry = "\n" + entry
+	}
+	os.WriteFile(gitignorePath, []byte(content+entry), 0644) //nolint:errcheck
+}
+
 // discoverSkillFiles returns all skill file paths from both flat and subdirectory formats,
 // plus the main SKILL.md (or custom path from forge.yaml).
 func (r *Runner) discoverSkillFiles() []string {
@@ -2071,6 +2185,11 @@ func defaultStr(s, def string) string {
 	return def
 }
 
+// isLocalhost returns true if the host string refers to a localhost address.
+func isLocalhost(host string) bool {
+	return host == "" || host == "127.0.0.1" || host == "localhost" || host == "::1"
+}
+
 // initScheduler creates the schedule store and registers schedule tools.
 func (r *Runner) initScheduler(reg *tools.Registry) scheduler.ScheduleStore {
 	schedPath := filepath.Join(r.cfg.WorkDir, ".forge", "memory", "SCHEDULES.md")
diff --git a/forge-cli/runtime/runner_test.go b/forge-cli/runtime/runner_test.go
index 97302e8..6069998 100644
--- a/forge-cli/runtime/runner_test.go
+++ b/forge-cli/runtime/runner_test.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/initializ/forge/forge-core/a2a"
+	"github.com/initializ/forge/forge-core/auth"
 	"github.com/initializ/forge/forge-core/types"
 )
 
@@ -57,6 +58,15 @@ func TestRunner_MockIntegration(t *testing.T) {
 	baseURL := fmt.Sprintf("http://localhost:%d", port)
 	waitForServer(t, baseURL, 5*time.Second)
 
+	// Load the auto-generated auth token.
+	token, err := auth.LoadToken(dir)
+	if err != nil {
+		t.Fatalf("loading auth token: %v", err)
+	}
+	if token == "" {
+		t.Fatal("expected non-empty auth token")
+	}
+
 	// Test healthz
 	t.Run("healthz", func(t *testing.T) {
 		resp, err := http.Get(baseURL + "/healthz")
@@ -100,7 +110,7 @@ func TestRunner_MockIntegration(t *testing.T) {
 		}
 
 		body, _ := json.Marshal(rpcReq)
-		resp, err := http.Post(baseURL+"/", "application/json", bytes.NewReader(body))
+		resp, err := authPost(baseURL+"/", token, body)
 		if err != nil {
 			t.Fatalf("send request: %v", err)
 		}
@@ -136,7 +146,7 @@ func TestRunner_MockIntegration(t *testing.T) {
 		}
 
 		body, _ := json.Marshal(rpcReq)
-		resp, err := http.Post(baseURL+"/", "application/json", bytes.NewReader(body))
+		resp, err := authPost(baseURL+"/", token, body)
 		if err != nil {
 			t.Fatalf("get request: %v", err)
 		}
@@ -160,7 +170,7 @@ func TestRunner_MockIntegration(t *testing.T) {
 		}
 
 		body, _ := json.Marshal(rpcReq)
-		resp, err := http.Post(baseURL+"/", "application/json", bytes.NewReader(body))
+		resp, err := authPost(baseURL+"/", token, body)
 		if err != nil {
 			t.Fatalf("cancel request: %v", err)
 		}
@@ -358,3 +368,14 @@ func waitForServer(t *testing.T, baseURL string, timeout time.Duration) {
 		time.Sleep(50 * time.Millisecond)
 	}
 }
+
+// authPost sends a POST request with a bearer token.
+func authPost(url, token string, body []byte) (*http.Response, error) {
+	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+token)
+	return http.DefaultClient.Do(req)
+}
diff --git a/forge-cli/server/a2a_server.go b/forge-cli/server/a2a_server.go
index 27a48c0..dcfde34 100644
--- a/forge-cli/server/a2a_server.go
+++ b/forge-cli/server/a2a_server.go
@@ -27,6 +27,7 @@ type ServerConfig struct {
 	Host            string        // bind address (default "" = all interfaces)
 	ShutdownTimeout time.Duration // graceful shutdown timeout (0 = immediate)
 	AgentCard       *a2a.AgentCard
+	AuthMiddleware  func(http.Handler) http.Handler // optional auth middleware
 }
 
 type httpRoute struct {
@@ -45,6 +46,7 @@ type Server struct {
 	handlers        map[string]Handler
 	sseHandlers     map[string]SSEHandler
 	httpHandlers    []httpRoute
+	authMiddleware  func(http.Handler) http.Handler
 	srv             *http.Server
 }
 
@@ -58,6 +60,7 @@ func NewServer(cfg ServerConfig) *Server {
 		store:           a2a.NewTaskStore(),
 		handlers:        make(map[string]Handler),
 		sseHandlers:     make(map[string]SSEHandler),
+		authMiddleware:  cfg.AuthMiddleware,
 	}
 	return s
 }
@@ -118,8 +121,16 @@ func (s *Server) Start(ctx context.Context) error {
 	mux.HandleFunc("POST /", s.handleJSONRPC)
 	mux.HandleFunc("GET /", s.handleAgentCard)
 
+	// Build handler chain: CORS → Auth → Mux
+	// CORS is outermost so OPTIONS preflight is handled before auth.
+	var handler http.Handler = mux
+	if s.authMiddleware != nil {
+		handler = s.authMiddleware(handler)
+	}
+	handler = corsMiddleware(handler)
+
 	s.srv = &http.Server{
-		Handler:      corsMiddleware(mux),
+		Handler:      handler,
 		WriteTimeout: 0, // SSE-safe: no write deadline
 		IdleTimeout:  120 * time.Second,
 	}
@@ -226,7 +237,7 @@ func corsMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
-		w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
+		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
 		if r.Method == http.MethodOptions {
 			w.WriteHeader(http.StatusNoContent)
 			return
diff --git a/forge-core/auth/middleware.go b/forge-core/auth/middleware.go
new file mode 100644
index 0000000..d397e25
--- /dev/null
+++ b/forge-core/auth/middleware.go
@@ -0,0 +1,99 @@
+package auth
+
+import (
+	"encoding/json"
+	"net/http"
+	"strings"
+)
+
+// Config controls bearer-token authentication for the A2A server.
+type Config struct {
+	// Enabled controls whether authentication is enforced.
+	Enabled bool
+
+	// Token is the expected bearer token value.
+	Token string
+
+	// SkipPaths maps "METHOD /path" keys that bypass authentication.
+	// Example: "GET /" → true allows unauthenticated GET on root.
+	SkipPaths map[string]bool
+
+	// OnAuth is an optional callback invoked on every auth decision.
+	// success indicates whether the request was authenticated.
+	OnAuth func(r *http.Request, success bool)
+}
+
+// DefaultSkipPaths returns the default set of public endpoints
+// that do not require authentication (agent card, health checks).
+func DefaultSkipPaths() map[string]bool {
+	return map[string]bool{
+		"GET /":                           true,
+		"GET /.well-known/agent.json":     true,
+		"GET /healthz":                    true,
+		"GET /health":                     true,
+		"OPTIONS /":                       true,
+		"OPTIONS /.well-known/agent.json": true,
+		"OPTIONS /healthz":                true,
+		"OPTIONS /health":                 true,
+	}
+}
+
+// errorResponse is the JSON body returned for auth failures.
+type errorResponse struct {
+	Error   string `json:"error"`
+	Message string `json:"message"`
+}
+
+// Middleware returns an http.Handler that enforces bearer token authentication.
+// If cfg.Enabled is false, requests pass through without checks.
+func Middleware(cfg Config) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if !cfg.Enabled {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Check if this method+path combination is public.
+			key := r.Method + " " + r.URL.Path
+			if cfg.SkipPaths[key] {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Extract bearer token from Authorization header.
+			token := extractBearerToken(r)
+			if ValidateToken(token, cfg.Token) {
+				if cfg.OnAuth != nil {
+					cfg.OnAuth(r, true)
+				}
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Authentication failed.
+			if cfg.OnAuth != nil {
+				cfg.OnAuth(r, false)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusUnauthorized)
+			json.NewEncoder(w).Encode(errorResponse{ //nolint:errcheck
+				Error:   "unauthorized",
+				Message: "valid bearer token required",
+			})
+		})
+	}
+}
+
+// extractBearerToken extracts the token from "Authorization: Bearer <token>".
+func extractBearerToken(r *http.Request) string {
+	auth := r.Header.Get("Authorization")
+	if auth == "" {
+		return ""
+	}
+	const prefix = "Bearer "
+	if len(auth) > len(prefix) && strings.EqualFold(auth[:len(prefix)], prefix) {
+		return auth[len(prefix):]
+	}
+	return ""
+}
diff --git a/forge-core/auth/middleware_test.go b/forge-core/auth/middleware_test.go
new file mode 100644
index 0000000..7107698
--- /dev/null
+++ b/forge-core/auth/middleware_test.go
@@ -0,0 +1,195 @@
+package auth
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"sync/atomic"
+	"testing"
+)
+
+func TestMiddleware(t *testing.T) {
+	const validToken = "test-secret-token"
+
+	okHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("ok")) //nolint:errcheck
+	})
+
+	tests := []struct {
+		name       string
+		cfg        Config
+		method     string
+		path       string
+		authHeader string
+		wantStatus int
+	}{
+		{
+			name:       "disabled passes through",
+			cfg:        Config{Enabled: false},
+			method:     "POST",
+			path:       "/",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "valid token accepted",
+			cfg: Config{
+				Enabled:   true,
+				Token:     validToken,
+				SkipPaths: DefaultSkipPaths(),
+			},
+			method:     "POST",
+			path:       "/",
+			authHeader: "Bearer " + validToken,
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "missing token rejected",
+			cfg: Config{
+				Enabled:   true,
+				Token:     validToken,
+				SkipPaths: DefaultSkipPaths(),
+			},
+			method:     "POST",
+			path:       "/",
+			wantStatus: http.StatusUnauthorized,
+		},
+		{
+			name: "wrong token rejected",
+			cfg: Config{
+				Enabled:   true,
+				Token:     validToken,
+				SkipPaths: DefaultSkipPaths(),
+			},
+			method:     "POST",
+			path:       "/",
+			authHeader: "Bearer wrong-token",
+			wantStatus: http.StatusUnauthorized,
+		},
+		{
+			name: "GET / is public",
+			cfg: Config{
+				Enabled:   true,
+				Token:     validToken,
+				SkipPaths: DefaultSkipPaths(),
+			},
+			method:     "GET",
+			path:       "/",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "GET /.well-known/agent.json is public",
+			cfg: Config{
+				Enabled:   true,
+				Token:     validToken,
+				SkipPaths: DefaultSkipPaths(),
+			},
+			method:     "GET",
+			path:       "/.well-known/agent.json",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "GET /healthz is public",
+			cfg: Config{
+				Enabled:   true,
+				Token:     validToken,
+				SkipPaths: DefaultSkipPaths(),
+			},
+			method:     "GET",
+			path:       "/healthz",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "POST /tasks/send requires auth",
+			cfg: Config{
+				Enabled:   true,
+				Token:     validToken,
+				SkipPaths: DefaultSkipPaths(),
+			},
+			method:     "POST",
+			path:       "/tasks/send",
+			wantStatus: http.StatusUnauthorized,
+		},
+		{
+			name: "case insensitive Bearer prefix",
+			cfg: Config{
+				Enabled:   true,
+				Token:     validToken,
+				SkipPaths: DefaultSkipPaths(),
+			},
+			method:     "POST",
+			path:       "/",
+			authHeader: "bearer " + validToken,
+			wantStatus: http.StatusOK,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mw := Middleware(tt.cfg)
+			handler := mw(okHandler)
+
+			req := httptest.NewRequest(tt.method, tt.path, nil)
+			if tt.authHeader != "" {
+				req.Header.Set("Authorization", tt.authHeader)
+			}
+
+			rr := httptest.NewRecorder()
+			handler.ServeHTTP(rr, req)
+
+			if rr.Code != tt.wantStatus {
+				t.Errorf("status = %d, want %d", rr.Code, tt.wantStatus)
+			}
+
+			// Verify JSON error body on 401.
+			if tt.wantStatus == http.StatusUnauthorized {
+				var resp errorResponse
+				if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
+					t.Fatalf("failed to decode error response: %v", err)
+				}
+				if resp.Error != "unauthorized" {
+					t.Errorf("error = %q, want %q", resp.Error, "unauthorized")
+				}
+			}
+		})
+	}
+}
+
+func TestMiddlewareOnAuthCallback(t *testing.T) {
+	const token = "callback-token"
+
+	var successCount, failCount atomic.Int32
+
+	cfg := Config{
+		Enabled:   true,
+		Token:     token,
+		SkipPaths: DefaultSkipPaths(),
+		OnAuth: func(r *http.Request, success bool) {
+			if success {
+				successCount.Add(1)
+			} else {
+				failCount.Add(1)
+			}
+		},
+	}
+
+	handler := Middleware(cfg)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Successful auth.
+	req := httptest.NewRequest("POST", "/", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	handler.ServeHTTP(httptest.NewRecorder(), req)
+
+	// Failed auth.
+	req2 := httptest.NewRequest("POST", "/", nil)
+	handler.ServeHTTP(httptest.NewRecorder(), req2)
+
+	if got := successCount.Load(); got != 1 {
+		t.Errorf("success callbacks = %d, want 1", got)
+	}
+	if got := failCount.Load(); got != 1 {
+		t.Errorf("failure callbacks = %d, want 1", got)
+	}
+}
diff --git a/forge-core/auth/token.go b/forge-core/auth/token.go
new file mode 100644
index 0000000..cd13bdd
--- /dev/null
+++ b/forge-core/auth/token.go
@@ -0,0 +1,72 @@
+package auth
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+const (
+	// tokenBytes is the number of random bytes for token generation (256-bit).
+	tokenBytes = 32
+
+	// tokenDir is the subdirectory under the agent root where runtime files are stored.
+	tokenDir = ".forge"
+
+	// tokenFile is the filename for the stored bearer token.
+	tokenFile = "runtime.token"
+)
+
+// GenerateToken creates a cryptographically random bearer token.
+// Returns a URL-safe base64-encoded string with 256 bits of entropy.
+func GenerateToken() (string, error) {
+	b := make([]byte, tokenBytes)
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("generating token: %w", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+
+// ValidateToken compares a presented token against the expected token
+// using constant-time comparison to prevent timing attacks.
+func ValidateToken(presented, expected string) bool {
+	if len(presented) == 0 || len(expected) == 0 {
+		return false
+	}
+	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
+}
+
+// TokenPath returns the path to the token file for the given agent root directory.
+func TokenPath(agentRoot string) string {
+	return filepath.Join(agentRoot, tokenDir, tokenFile)
+}
+
+// StoreToken writes a token to <agentRoot>/.forge/runtime.token with 0600 permissions.
+func StoreToken(agentRoot, token string) error {
+	dir := filepath.Join(agentRoot, tokenDir)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("creating token directory: %w", err)
+	}
+	path := filepath.Join(dir, tokenFile)
+	if err := os.WriteFile(path, []byte(token), 0600); err != nil {
+		return fmt.Errorf("writing token file: %w", err)
+	}
+	return setFileOwnerOnly(path)
+}
+
+// LoadToken reads the stored token from <agentRoot>/.forge/runtime.token.
+// Returns ("", nil) if the file does not exist.
+func LoadToken(agentRoot string) (string, error) {
+	path := filepath.Join(agentRoot, tokenDir, tokenFile)
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return "", nil
+		}
+		return "", fmt.Errorf("reading token file: %w", err)
+	}
+	return string(data), nil
+}
diff --git a/forge-core/auth/token_test.go b/forge-core/auth/token_test.go
new file mode 100644
index 0000000..ac55dc1
--- /dev/null
+++ b/forge-core/auth/token_test.go
@@ -0,0 +1,97 @@
+package auth
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestGenerateToken(t *testing.T) {
+	token, err := GenerateToken()
+	if err != nil {
+		t.Fatalf("GenerateToken() error: %v", err)
+	}
+	if len(token) == 0 {
+		t.Fatal("GenerateToken() returned empty string")
+	}
+	// 32 bytes → 43 chars in base64 raw URL encoding
+	if len(token) != 43 {
+		t.Errorf("expected token length 43, got %d", len(token))
+	}
+
+	// Ensure uniqueness
+	token2, _ := GenerateToken()
+	if token == token2 {
+		t.Error("two generated tokens should not be equal")
+	}
+}
+
+func TestValidateToken(t *testing.T) {
+	tests := []struct {
+		name      string
+		presented string
+		expected  string
+		want      bool
+	}{
+		{"matching", "abc123", "abc123", true},
+		{"mismatch", "abc123", "xyz789", false},
+		{"empty presented", "", "abc123", false},
+		{"empty expected", "abc123", "", false},
+		{"both empty", "", "", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := ValidateToken(tt.presented, tt.expected); got != tt.want {
+				t.Errorf("ValidateToken(%q, %q) = %v, want %v", tt.presented, tt.expected, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestStoreAndLoadToken(t *testing.T) {
+	dir := t.TempDir()
+
+	token := "test-token-value"
+	if err := StoreToken(dir, token); err != nil {
+		t.Fatalf("StoreToken() error: %v", err)
+	}
+
+	// Verify file permissions
+	path := filepath.Join(dir, tokenDir, tokenFile)
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatalf("Stat token file: %v", err)
+	}
+	if perm := info.Mode().Perm(); perm != 0600 {
+		t.Errorf("expected file permissions 0600, got %04o", perm)
+	}
+
+	// Load and verify
+	loaded, err := LoadToken(dir)
+	if err != nil {
+		t.Fatalf("LoadToken() error: %v", err)
+	}
+	if loaded != token {
+		t.Errorf("LoadToken() = %q, want %q", loaded, token)
+	}
+}
+
+func TestLoadTokenMissing(t *testing.T) {
+	dir := t.TempDir()
+
+	loaded, err := LoadToken(dir)
+	if err != nil {
+		t.Fatalf("LoadToken() error: %v", err)
+	}
+	if loaded != "" {
+		t.Errorf("expected empty string for missing token, got %q", loaded)
+	}
+}
+
+func TestTokenPath(t *testing.T) {
+	got := TokenPath("/home/user/myagent")
+	want := filepath.Join("/home/user/myagent", ".forge", "runtime.token")
+	if got != want {
+		t.Errorf("TokenPath() = %q, want %q", got, want)
+	}
+}
diff --git a/forge-core/auth/token_unix.go b/forge-core/auth/token_unix.go
new file mode 100644
index 0000000..1dc92d3
--- /dev/null
+++ b/forge-core/auth/token_unix.go
@@ -0,0 +1,8 @@
+//go:build !windows
+
+package auth
+
+// setFileOwnerOnly is a no-op on Unix — os.WriteFile with 0600 is sufficient.
+func setFileOwnerOnly(_ string) error {
+	return nil
+}
diff --git a/forge-core/auth/token_windows.go b/forge-core/auth/token_windows.go
new file mode 100644
index 0000000..95831fd
--- /dev/null
+++ b/forge-core/auth/token_windows.go
@@ -0,0 +1,30 @@
+//go:build windows
+
+package auth
+
+import (
+	"fmt"
+	"os/exec"
+	"os/user"
+)
+
+// setFileOwnerOnly restricts the token file to the current user on Windows
+// using icacls to remove inherited permissions and grant only the owner.
+func setFileOwnerOnly(path string) error {
+	u, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("getting current user: %w", err)
+	}
+
+	// Remove inherited permissions.
+	if out, err := exec.Command("icacls", path, "/inheritance:r").CombinedOutput(); err != nil {
+		return fmt.Errorf("removing inheritance: %s: %w", out, err)
+	}
+
+	// Grant full control to the current user only.
+	if out, err := exec.Command("icacls", path, "/grant:r", u.Username+":F").CombinedOutput(); err != nil {
+		return fmt.Errorf("granting owner access: %s: %w", out, err)
+	}
+
+	return nil
+}
diff --git a/forge-core/runtime/audit.go b/forge-core/runtime/audit.go
index 0c232d1..2db26eb 100644
--- a/forge-core/runtime/audit.go
+++ b/forge-core/runtime/audit.go
@@ -23,6 +23,8 @@ const (
 	AuditScheduleComplete = "schedule_complete"
 	AuditScheduleSkip     = "schedule_skip"
 	AuditScheduleModify   = "schedule_modify"
+	AuditAuthSuccess      = "auth_success"
+	AuditAuthFailure      = "auth_failure"
 )
 
 // AuditEvent is a single structured audit record emitted as NDJSON.
diff --git a/forge-ui/chat.go b/forge-ui/chat.go
index 41663aa..122e187 100644
--- a/forge-ui/chat.go
+++ b/forge-ui/chat.go
@@ -12,6 +12,8 @@ import (
 	"sort"
 	"strings"
 	"time"
+
+	"github.com/initializ/forge/forge-core/auth"
 )
 
 // handleChat proxies a chat message to a running agent via A2A JSON-RPC
@@ -75,6 +77,11 @@ func (s *UIServer) handleChat(w http.ResponseWriter, r *http.Request) {
 	}
 	agentReq.Header.Set("Content-Type", "application/json")
 
+	// Load and set auth token from the agent directory.
+	if token := s.loadAgentToken(agentID); token != "" {
+		agentReq.Header.Set("Authorization", "Bearer "+token)
+	}
+
 	agentResp, err := client.Do(agentReq)
 	if err != nil {
 		writeError(w, http.StatusBadGateway, "failed to reach agent: "+err.Error())
@@ -275,6 +282,20 @@ func extractPreview(messagesRaw json.RawMessage) string {
 	return ""
 }
 
+// loadAgentToken attempts to read the auth token for an agent from its directory.
+func (s *UIServer) loadAgentToken(agentID string) string {
+	agents, err := s.scanner.Scan()
+	if err != nil {
+		return ""
+	}
+	agent, ok := agents[agentID]
+	if !ok {
+		return ""
+	}
+	token, _ := auth.LoadToken(agent.Directory)
+	return token
+}
+
 // sanitizeForFilename replaces characters unsafe for filenames.
 func sanitizeForFilename(s string) string {
 	var b strings.Builder