Scoped Trik Identity
All resource partitioning (storage, config, containers, workspace) now uses scoped names (@scope/trik-name) backed by a .trikhub-identity.json trust anchor written at install time. The gateway rejects duplicate scoped names.
Capability Enforcement
The scanner now cross-checks trik code against manifest declarations at publish, install, and runtime. Undeclared capabilities block publishing. Post-download verification warns on mismatches (tamper detection). Storage access is gated on capabilities.storage.enabled.
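The cross-check described above, sketched as an added example (not TrikHub's own scanner code): capabilities the scanner found in the code are compared against the manifest, and the outcome depends on the phase. Assumptions: the capability names, the `detected` input, the result shape, the placement of `trikManagement.enabled` under `capabilities`, and a "deny" action at runtime that generalizes the storage gate.

```javascript
// Added illustration; not TrikHub's scanner. Capability names, the
// `detected` input and the result shape are assumptions.
const DECLARATION_PATHS = {
  storage: "capabilities.storage.enabled",               // path given in the notes
  trikManagement: "capabilities.trikManagement.enabled", // placement assumed
};

// Outcome of an undeclared capability per phase. "block" and "warn" follow
// the notes; "deny" at runtime is an assumption modelled on the storage gate.
const PHASE_ACTION = { publish: "block", install: "warn", runtime: "deny" };

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Walk a dotted path; only a literal `true` counts as declared, so
// "yes", 1 or a missing key all fail closed.
function isDeclared(manifest, path) {
  let node = manifest;
  for (const key of path.split(".")) {
    if (node === null || typeof node !== "object" || !has(node, key)) return false;
    node = node[key];
  }
  return node === true;
}

function checkCapabilities(manifest, detected, phase) {
  if (!has(PHASE_ACTION, phase)) throw new Error(`unknown phase: ${phase}`);
  const undeclared = [];
  for (const cap of new Set(detected)) {
    // Capability names the table does not know are treated as undeclared.
    const known = has(DECLARATION_PATHS, cap);
    if (!known || !isDeclared(manifest, DECLARATION_PATHS[cap])) undeclared.push(cap);
  }
  undeclared.sort();
  const ok = undeclared.length === 0;
  return { ok, action: ok ? "allow" : PHASE_ACTION[phase], undeclared };
}

// Constructed sample: storage is declared, trik management is not.
const sampleManifest = { capabilities: { storage: { enabled: true } } };
```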
Trik Management Capability
Triks can declare trikManagement.enabled to search, install, uninstall, and upgrade other triks via registry tools injected by the gateway.
Container Lifecycle
- Containers stay warm across handoffs with configurable idle TTL (default 5 min) instead of restart-per-handoff
- Process exit handlers force-kill containers — no more orphaned Docker containers blocking restarts