Context
The truthful partial leaf of #15270, split at review. PR #15312's Cycle-1 review (RA-1 scope correction) established that #15270's first AC — the drilled resident's active inbox via #15269 — cannot be honestly closed by this PR, because the last mile is an authentication boundary, not a wiring gap.
The falsifier (V-B-A'd from both sides, independently):
dispatchFleetRequest receives no request-bound identity — zero hits for identity / RequestContext / auth / token.
fleetBridgeServer is loopback-only but unauthenticated, and emits Access-Control-Allow-Origin: *.
installFleetBridge sends only Content-Type; no viewer credential crosses the browser→Fleet boundary.
- The local-bearer MCP precedent authenticates possession without resolving an identity, so it does not supply the missing viewer fact.
Loopback locality is not a viewer identity. #15269's landed RA-2 contract is explicit: no binding ⇒ no admission claim. Binding a fixed viewer, or trusting caller-supplied text, would turn local reachability into ambient CAN_READ_INBOX_OF authority — the caller-authored-provenance shape #15269 and #15309 both exist to kill, rebuilt one layer lower and blessed by a green test.
This ticket captures exactly the scope PR #15312 delivers. #15270 stays open owning the last mile.
The Problem
The S1 view half is built and the Body↔Brain read seam exists, but nothing may claim an admitted production read until an authenticated Fleet viewer ingress exists. Without a split, either the PR overclaims its close-target or finished, reviewed work sits unlanded behind a security boundary that is not its own.
The Architectural Reality
- View:
apps/agentos/view/fleet/MailboxPane.mjs + its AgentDetail tab host — renders, never fetches.
- Read seam:
FleetControlBridge.fleetMailboxMirror() over the injected mailboxMirrorSource DI slot, mirroring the activitySource precedent. The bridge routes; it never imports MailboxService and never authors an admission fact.
- The source stays deliberately unwired: the verb degrades through the adapter's own pure half, so the not-wired envelope is shape-identical to a live one and reads as honestly
unavailable rather than as an empty inbox.
- Admission remains the Memory Core primitive's fail-closed
CAN_READ_INBOX_OF gate, decided one layer down (#15269, merged).
Acceptance Criteria
Out of Scope
The authenticated last mile — owned by #15270 and its successor boundary: authenticated Fleet viewer ingress → per-request RequestContext binding → mailboxMirrorSource wiring → end-to-end admitted read. Also out: dock-liftability, chat/actionable evolution (v13.3), archive browsing.
Related
Parent: #15270 (stays open; owns the last mile) · Epic #14560 · #15269 (merged; the Brain half) · D#15249 (graduated record) · #15254 (registry) · PR #15312.
Sweeps: latest-open checked 2026-07-16T22:18Z (latest #15315) — no equivalent; mailbox pane read seam all-state search surfaces only the parent epic. Reviewer-directed split, not self-triage.
Context
The truthful partial leaf of #15270, split at review. PR #15312's Cycle-1 review (RA-1 scope correction) established that #15270's first AC — the drilled resident's active inbox via #15269 — cannot be honestly closed by this PR, because the last mile is an authentication boundary, not a wiring gap.
The falsifier (V-B-A'd from both sides, independently):
dispatchFleetRequestreceives no request-bound identity — zero hits for identity / RequestContext / auth / token.fleetBridgeServeris loopback-only but unauthenticated, and emitsAccess-Control-Allow-Origin: *.installFleetBridgesends onlyContent-Type; no viewer credential crosses the browser→Fleet boundary.Loopback locality is not a viewer identity. #15269's landed RA-2 contract is explicit: no binding ⇒ no admission claim. Binding a fixed viewer, or trusting caller-supplied text, would turn local reachability into ambient
CAN_READ_INBOX_OFauthority — the caller-authored-provenance shape #15269 and #15309 both exist to kill, rebuilt one layer lower and blessed by a green test.This ticket captures exactly the scope PR #15312 delivers. #15270 stays open owning the last mile.
The Problem
The S1 view half is built and the Body↔Brain read seam exists, but nothing may claim an admitted production read until an authenticated Fleet viewer ingress exists. Without a split, either the PR overclaims its close-target or finished, reviewed work sits unlanded behind a security boundary that is not its own.
The Architectural Reality
apps/agentos/view/fleet/MailboxPane.mjs+ itsAgentDetailtab host — renders, never fetches.FleetControlBridge.fleetMailboxMirror()over the injectedmailboxMirrorSourceDI slot, mirroring theactivitySourceprecedent. The bridge routes; it never imports MailboxService and never authors an admission fact.unavailablerather than as an empty inbox.CAN_READ_INBOX_OFgate, decided one layer down (#15269, merged).Acceptance Criteria
AgentDetailgrows the countless Mailbox tab; the pane renders flat-chrono with thread-collapse from one adapter snapshot.unobserved/denied/degraded/empty), never a fabricated success; the degrade line names no cause it cannot know.unobserved, never a fabricated empty inbox.freshmailbox cannot stay fresh while its snapshot rots.Out of Scope
The authenticated last mile — owned by #15270 and its successor boundary: authenticated Fleet viewer ingress → per-request
RequestContextbinding →mailboxMirrorSourcewiring → end-to-end admitted read. Also out: dock-liftability, chat/actionable evolution (v13.3), archive browsing.Related
Parent: #15270 (stays open; owns the last mile) · Epic #14560 · #15269 (merged; the Brain half) · D#15249 (graduated record) · #15254 (registry) · PR #15312.
Sweeps: latest-open checked 2026-07-16T22:18Z (latest #15315) — no equivalent;
mailbox pane read seamall-state search surfaces only the parent epic. Reviewer-directed split, not self-triage.