npm - @pellux/goodvibes-agent - Versions diffs - 0.1.41 → 0.1.43 - Mend

@pellux/goodvibes-agent 0.1.41 → 0.1.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/README.md +2 -2
package/docs/operator-capability-benchmark.md +2 -2
package/package.json +1 -1
package/src/input/agent-workspace.ts +14 -0
package/src/operator/daemon-capability-audit.ts +39 -2
package/src/renderer/agent-workspace.ts +8 -0
package/src/version.ts +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,14 @@
 All notable changes to GoodVibes Agent will be recorded here.
+## 0.1.43 - 2026-05-31
+- 3afba9c Add daemon route risk coverage
+## 0.1.42 - 2026-05-31
+- 3c84649 Surface daemon capabilities in Agent workspace
 ## 0.1.41 - 2026-05-31
 - c108e13 Add live daemon capability audit

package/README.md CHANGED Viewed

@@ -43,9 +43,9 @@ bun run package:install-check
 bun run publish:check
 ```
-Inside the Agent TUI, use `/agent`, `/home`, or `/operator` to open the operator workspace. It is the Agent-first fullscreen surface for setup, status, knowledge, local memory/skills, work-plan/approval review, automation observability, and explicit build delegation to GoodVibes TUI.
+Inside the Agent TUI, use `/agent`, `/home`, or `/operator` to open the operator workspace. It is the Agent-first fullscreen surface for setup, status, live daemon capability coverage, knowledge, local memory/skills, work-plan/approval review, automation observability, and explicit build delegation to GoodVibes TUI.
-Use `goodvibes-agent capabilities` or `/capabilities` to inspect the OpenClaw/Hermes benchmark, current Agent posture, configuration commands, usage paths, and remaining gaps. Use `goodvibes-agent capabilities daemon` or `/capabilities daemon` for a live read-only audit of the GoodVibes daemon method catalog and isolated Agent Knowledge route coverage.
+Use `goodvibes-agent capabilities` or `/capabilities` to inspect the OpenClaw/Hermes benchmark, current Agent posture, configuration commands, usage paths, and remaining gaps. Use `goodvibes-agent capabilities daemon` or `/capabilities daemon` for a live read-only audit of the GoodVibes daemon method catalog, route risk posture, and isolated Agent Knowledge route coverage.
 Inside the workspace, use `/agent-profile guide` to author custom profile starters without leaving the Agent TUI. The guided flow lists starters, exports starter JSON, imports edited local starters, and creates isolated runtime profiles from them.

package/docs/operator-capability-benchmark.md CHANGED Viewed

@@ -56,7 +56,7 @@ The benchmark measures two different GoodVibes layers:
 If the daemon already has a route but Agent lacks a good setup/workspace/CLI surface, the gap is treated as an Agent product gap rather than a missing platform capability.
-Use `goodvibes-agent capabilities daemon` for the live read-only daemon audit. It checks the public control-plane method catalog and the isolated Agent Knowledge status route. It intentionally does not call default `/api/knowledge/*`, HomeGraph, or Home Assistant routes.
+Use `goodvibes-agent capabilities daemon` for the live read-only daemon audit. It checks the public control-plane method catalog, route risk posture, and the isolated Agent Knowledge status route. It intentionally does not call default `/api/knowledge/*`, HomeGraph, or Home Assistant routes.
 ## Capability Targets
@@ -78,7 +78,7 @@ Use `goodvibes-agent capabilities daemon` for the live read-only daemon audit. I
 GoodVibes Agent should exceed OpenClaw/Hermes by making these properties true from day one:
-- Capability surfaces are discoverable through `goodvibes-agent capabilities`, `/capabilities`, onboarding, and the operator workspace.
+- Capability surfaces are discoverable through `goodvibes-agent capabilities`, `goodvibes-agent capabilities daemon`, `/capabilities`, `/capabilities daemon`, onboarding, and the operator workspace.
 - Agent Knowledge isolation is a release gate, not a convention.
 - Routine-to-schedule promotion preserves Agent Knowledge isolation, uses only public external daemon schedule routes, supports explicit delivery targets, and stores redacted receipts.
 - Model-visible tools are policy-gated for serial, non-secret, non-destructive use.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pellux/goodvibes-agent",
-  "version": "0.1.41",
+  "version": "0.1.43",
   "private": false,
   "description": "Near-fork GoodVibes operator assistant with the GoodVibes TUI shell, renderer, input, fullscreen workspace, and daemon-connected Agent product brain.",
   "type": "module",

package/src/input/agent-workspace.ts CHANGED Viewed

@@ -480,6 +480,20 @@ export const AGENT_WORKSPACE_CATEGORIES: readonly AgentWorkspaceCategory[] = [
       { id: 'auth', label: 'Auth review', detail: 'Review authentication posture without printing token values.', command: '/auth review', kind: 'command', safety: 'read-only' },
     ],
   },
+  {
+    id: 'capabilities',
+    group: 'SETUP',
+    label: 'Capabilities',
+    summary: 'OpenClaw/Hermes benchmark and live daemon coverage.',
+    detail: 'Use this area to measure both layers: what GoodVibes Agent makes usable, and what the externally owned GoodVibes daemon actually exposes through public routes. Agent Knowledge is checked only through /api/goodvibes-agent/knowledge/*.',
+    actions: [
+      { id: 'capabilities-benchmark', label: 'Benchmark report', detail: 'Show the OpenClaw/Hermes parity benchmark with Agent posture, setup commands, usage paths, and remaining product gaps.', command: '/capabilities', kind: 'command', safety: 'read-only' },
+      { id: 'capabilities-daemon', label: 'Live daemon audit', detail: 'Inspect the public daemon method catalog plus isolated Agent Knowledge route coverage. Does not query default Knowledge/Wiki or HomeGraph.', command: '/capabilities daemon', kind: 'command', safety: 'read-only' },
+      { id: 'capabilities-daemon-knowledge', label: 'Knowledge coverage', detail: 'Filter the live daemon audit to the isolated Agent Knowledge segment.', command: '/capabilities daemon knowledge', kind: 'command', safety: 'read-only' },
+      { id: 'capabilities-daemon-channels', label: 'Channel coverage', detail: 'Filter the live daemon audit to channel and delivery gateway route coverage.', command: '/capabilities daemon channels', kind: 'command', safety: 'read-only' },
+      { id: 'capabilities-daemon-automation', label: 'Automation coverage', detail: 'Filter the live daemon audit to automation, schedule, run, and capacity route coverage.', command: '/capabilities daemon automation', kind: 'command', safety: 'read-only' },
+    ],
+  },
   {
     id: 'channels',
     group: 'SETUP',

package/src/operator/daemon-capability-audit.ts CHANGED Viewed

@@ -41,6 +41,12 @@ export interface DaemonCapabilityAuditArea {
     readonly route: string;
     readonly coverage: DaemonCapabilityRouteCoverage;
   }[];
+  readonly routeRisk: {
+    readonly readOnlyMethodCount: number;
+    readonly mutatingMethodCount: number;
+    readonly authenticatedMethodCount: number;
+    readonly dangerousMethodIds: readonly string[];
+  };
   readonly next: readonly string[];
 }
@@ -75,12 +81,13 @@ export type DaemonCapabilityAuditResult =
   | DaemonCapabilityAuditSuccess
   | DaemonCapabilityAuditFailure;
-interface DaemonMethodSummary {
+export interface DaemonMethodSummary {
   readonly id: string;
   readonly title?: string;
   readonly category?: string;
   readonly invokable?: boolean;
   readonly access?: string;
+  readonly dangerous?: boolean;
   readonly http?: {
     readonly method?: string;
     readonly path?: string;
@@ -294,6 +301,7 @@ function readMethodSummaries(body: unknown): readonly DaemonMethodSummary[] {
       category: readString(value, 'category') ?? undefined,
       access: readString(value, 'access') ?? undefined,
       invokable: typeof value.invokable === 'boolean' ? value.invokable : undefined,
+      dangerous: typeof value.dangerous === 'boolean' ? value.dangerous : undefined,
       http: httpRecord
         ? {
             method: readString(httpRecord, 'method') ?? undefined,
@@ -389,7 +397,9 @@ function failureFromThrown(error: unknown, connection: AgentDaemonConnection, ro
 export function buildDaemonCapabilityAuditAreas(
   methodIds: ReadonlySet<string>,
   agentKnowledgeRouteReady: boolean | null,
+  methodSummaries: readonly DaemonMethodSummary[] = [],
 ): readonly DaemonCapabilityAuditArea[] {
+  const methodsById = new Map(methodSummaries.map((method) => [method.id, method]));
   return DAEMON_CAPABILITY_REQUIREMENTS.map((requirement) => {
     const presentRequiredMethodIds = requirement.requiredMethodIds.filter((methodId) => methodIds.has(methodId));
     const missingRequiredMethodIds = requirement.requiredMethodIds.filter((methodId) => !methodIds.has(methodId));
@@ -404,6 +414,23 @@ export function buildDaemonCapabilityAuditAreas(
           : 'missing',
     } satisfies DaemonCapabilityAuditArea['agentRoutes'][number]));
     const missingAgentRoutes = agentRoutes.filter((route) => route.coverage === 'missing');
+    const areaMethodIds = [...requirement.requiredMethodIds, ...requirement.optionalMethodIds];
+    const areaMethods = areaMethodIds.flatMap((methodId): DaemonMethodSummary[] => {
+      const method = methodsById.get(methodId);
+      return method ? [method] : [];
+    });
+    const readOnlyMethodCount = areaMethods.filter((method) => {
+      const verb = method.http?.method?.toUpperCase();
+      return verb === 'GET' || verb === 'HEAD';
+    }).length;
+    const mutatingMethodCount = areaMethods.filter((method) => {
+      const verb = method.http?.method?.toUpperCase();
+      return Boolean(verb) && verb !== 'GET' && verb !== 'HEAD';
+    }).length;
+    const authenticatedMethodCount = areaMethods.filter((method) => method.access === 'authenticated').length;
+    const dangerousMethodIds = areaMethods
+      .filter((method) => method.dangerous === true)
+      .map((method) => method.id);
     const requiredCount = requirement.requiredMethodIds.length + requirement.requiredAgentRoutes.length;
     const presentRequiredCount = presentRequiredMethodIds.length
       + agentRoutes.filter((route) => route.coverage === 'ready').length;
@@ -423,6 +450,12 @@ export function buildDaemonCapabilityAuditAreas(
       presentOptionalMethodIds,
       missingOptionalMethodIds,
       agentRoutes,
+      routeRisk: {
+        readOnlyMethodCount,
+        mutatingMethodCount,
+        authenticatedMethodCount,
+        dangerousMethodIds,
+      },
       next: requirement.next,
     };
   });
@@ -472,7 +505,7 @@ export async function fetchLiveDaemonCapabilityAudit(
       defaultKnowledgeFallback: false,
       homeGraphFallback: false,
       warnings,
-      areas: buildDaemonCapabilityAuditAreas(methodIds, agentKnowledge.ok),
+      areas: buildDaemonCapabilityAuditAreas(methodIds, agentKnowledge.ok, methodSummaries),
     };
   } catch (error) {
     return failureFromThrown(error, connection, daemonVersion === 'unknown' ? DAEMON_STATUS_ROUTE : DAEMON_METHOD_CATALOG_ROUTE);
@@ -528,6 +561,10 @@ export function renderDaemonCapabilityAudit(
       lines.push(`  optional methods: ${area.presentOptionalMethodIds.length}/${optionalTotal}`);
       if (area.missingOptionalMethodIds.length > 0) lines.push(`  missing optional: ${area.missingOptionalMethodIds.join(', ')}`);
     }
+    lines.push(`  route risk: ${area.routeRisk.readOnlyMethodCount} read-only; ${area.routeRisk.mutatingMethodCount} mutating; ${area.routeRisk.dangerousMethodIds.length} dangerous; ${area.routeRisk.authenticatedMethodCount} authenticated`);
+    if (area.routeRisk.dangerousMethodIds.length > 0) {
+      lines.push(`  dangerous methods: ${area.routeRisk.dangerousMethodIds.join(', ')}`);
+    }
     for (const route of area.agentRoutes) lines.push(`  route: ${route.route} [${route.coverage}]`);
     lines.push(`  next: ${area.next.join(' | ')}`);
     lines.push('');

package/src/renderer/agent-workspace.ts CHANGED Viewed

@@ -88,6 +88,14 @@ function snapshotLines(category: AgentWorkspaceCategory, snapshot: AgentWorkspac
       { text: `Workspace: ${snapshot.workingDirectory}`, fg: PALETTE.muted },
       { text: `Home: ${snapshot.homeDirectory}`, fg: PALETTE.muted },
     );
+  } else if (category.id === 'capabilities') {
+    base.push(
+      { text: `External daemon: ${snapshot.daemonBaseUrl}`, fg: PALETTE.info },
+      { text: 'Live audit source: /api/control-plane/methods plus /api/goodvibes-agent/knowledge/status.', fg: PALETTE.info },
+      { text: 'Isolation: no default Knowledge/Wiki, HomeGraph, or Home Assistant route is used for Agent Knowledge coverage.', fg: PALETTE.good },
+      { text: 'Readiness meaning: daemon route coverage is platform capability; missing Agent UX remains a product gap to close here.', fg: PALETTE.muted },
+      { text: 'Use filtered audits for knowledge, channels, automation, voice/media/nodes, providers, MCP/tools, approvals, or sessions.', fg: PALETTE.muted },
+    );
   } else if (category.id === 'channels') {
     const enabledCount = snapshot.channels.filter((channel) => channel.enabled).length;
     const readyCount = snapshot.channels.filter((channel) => channel.ready).length;

package/src/version.ts CHANGED Viewed

@@ -6,7 +6,7 @@ import { join } from 'node:path';
 // The prebuild script updates the fallback value before compilation.
 // Uses import.meta.dir (Bun) to locate package.json relative to this file,
 // which is correct regardless of the process working directory.
-let _version = '0.1.41';
+let _version = '0.1.43';
 let _sdkVersion = '0.33.35';
 try {
   const pkg = JSON.parse(readFileSync(join(import.meta.dir, '..', 'package.json'), 'utf-8')) as {