Week 3 — multi-leg handoff auth shipped (2026-04-20)

First Week 3 drop: the v1 total_legs == 1 guardrail is gone. The protocol now settles multi-hop relays with explicit, on-chain handoff attestation.

What changed

confirm_leg is multi-leg aware. For the final leg the recipient is still the package shipper. For intermediate legs the recipient is the next-hop courier — their signature is the handoff attestation.
Strict ordering. Legs must confirm in legIndex order. Enforced via leg_index == swarm.completed_legs; out-of-order attempts fail with LegOutOfOrder.
New next_leg_account. Optional account on confirm_leg. Required for intermediate legs (points at the next leg's LegAccount PDA); must be absent on the final leg. MissingNextLeg / UnexpectedNextLeg cover the mis-use cases.
API auth widened. POST /swarms/legs/:legId/build-confirm-tx and /confirm now resolve the expected recipient from the leg's position in the chain instead of always requiring the shipper.
7 new Anchor tests cover ordering, wrong-recipient, missing / unexpected next_leg_account, and the 2-leg happy path (courier1 attests handoff → shipper confirms final → both couriers paid from the vault).

Dashboard still only renders the shipper-facing CONFIRM DELIVERY button. Intermediate handoff signing is a courier-wallet operation; in the demo it'll be signed programmatically by the agent's keypair (scheduled under "Agent execution loop" in Week 3's Next up).
On-chain courier_arrived gating is still pending — spec at docs/reference/in-transit-signal.md.