@zhijiewang/openharness 0.12.1 → 1.2.0

package/dist/providers/router.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Multi-Model Router — task-aware model selection.
+ *
+ * Routes LLM calls to the most appropriate model based on task context:
+ * - Fast model for exploration, search, and tool-heavy turns
+ * - Powerful model for final responses, code review, and complex reasoning
+ * - Balanced model as the default
+ *
+ * Saves ~20% cost and ~30% latency by avoiding expensive models for simple tasks.
+ */
+export type ModelTier = 'fast' | 'balanced' | 'powerful';
+export type RouterConfig = {
+    fast?: string;
+    balanced?: string;
+    powerful?: string;
+};
+export type RouteContext = {
+    /** Current turn number (1-indexed) */
+    turn: number;
+    /** Whether the previous turn had tool calls */
+    hadToolCalls: boolean;
+    /** Number of tool calls in previous turn */
+    toolCallCount: number;
+    /** Agent role (if sub-agent) */
+    role?: string;
+    /** Estimated context usage (0-1) */
+    contextUsage?: number;
+    /** Whether this is likely the final response (no tool calls expected) */
+    isFinalResponse?: boolean;
+};
+export type RouteResult = {
+    model: string;
+    tier: ModelTier;
+    reason: string;
+};
+export declare class ModelRouter {
+    private config;
+    private defaultModel;
+    constructor(config: RouterConfig, defaultModel: string);
+    /** Select the best model for the current context */
+    select(context: RouteContext): RouteResult;
+    private route;
+    /** Whether this router has any non-default models configured */
+    get isConfigured(): boolean;
+    /** Get all configured tiers */
+    get tiers(): Record<ModelTier, string>;
+}
+//# sourceMappingURL=router.d.ts.map

package/dist/providers/router.js

@@ -0,0 +1,61 @@
+/**
+ * Multi-Model Router — task-aware model selection.
+ *
+ * Routes LLM calls to the most appropriate model based on task context:
+ * - Fast model for exploration, search, and tool-heavy turns
+ * - Powerful model for final responses, code review, and complex reasoning
+ * - Balanced model as the default
+ *
+ * Saves ~20% cost and ~30% latency by avoiding expensive models for simple tasks.
+ */
+export class ModelRouter {
+    config;
+    defaultModel;
+    constructor(config, defaultModel) {
+        this.config = config;
+        this.defaultModel = defaultModel;
+    }
+    /** Select the best model for the current context */
+    select(context) {
+        // High-context pressure → use fast model to minimize token cost
+        if (context.contextUsage && context.contextUsage > 0.8) {
+            return this.route('fast', 'context pressure > 80%');
+        }
+        // Roles that require deep reasoning → powerful
+        const powerfulRoles = ['code-reviewer', 'evaluator', 'architect', 'security-auditor'];
+        if (context.role && powerfulRoles.includes(context.role)) {
+            return this.route('powerful', `role: ${context.role}`);
+        }
+        // Early exploration turns (1-2) → fast
+        if (context.turn <= 2 && context.hadToolCalls) {
+            return this.route('fast', 'early exploration');
+        }
+        // Tool-heavy turns (3+ tool calls) → fast (just dispatching)
+        if (context.toolCallCount >= 3) {
+            return this.route('fast', 'tool-heavy turn');
+        }
+        // Final response (no tool calls) → powerful for quality
+        if (context.isFinalResponse) {
+            return this.route('powerful', 'final response');
+        }
+        // Default → balanced
+        return this.route('balanced', 'default');
+    }
+    route(tier, reason) {
+        const model = this.config[tier] ?? this.defaultModel;
+        return { model, tier, reason };
+    }
+    /** Whether this router has any non-default models configured */
+    get isConfigured() {
+        return !!(this.config.fast || this.config.balanced || this.config.powerful);
+    }
+    /** Get all configured tiers */
+    get tiers() {
+        return {
+            fast: this.config.fast ?? this.defaultModel,
+            balanced: this.config.balanced ?? this.defaultModel,
+            powerful: this.config.powerful ?? this.defaultModel,
+        };
+    }
+}
+//# sourceMappingURL=router.js.map

package/dist/query/compress.d.ts

@@ -4,6 +4,11 @@
  */
 import type { Message } from "../types/message.js";
 import type { Provider } from "../providers/base.js";
+/**
+ * Semantic importance scoring for messages.
+ * Higher score = more important to keep during compression.
+ */
+export declare function scoreMessage(msg: Message, index: number, total: number): number;
 export declare function makeTokenEstimator(provider: Provider): (text: string) => number;
 export declare function estimateMessagesTokens(messages: Message[], estimateTokens?: (text: string) => number): number;
 /**

package/dist/query/compress.js

@@ -5,6 +5,35 @@
 import { createUserMessage } from "../types/message.js";
 import { defaultEstimateTokens } from "../providers/base.js";
 const DEFAULT_KEEP_LAST = 10;
+/**
+ * Semantic importance scoring for messages.
+ * Higher score = more important to keep during compression.
+ */
+export function scoreMessage(msg, index, total) {
+    if (msg.meta?.pinned)
+        return Infinity;
+    let score = 0;
+    // Role weight: user intent > tool decisions > assistant text
+    if (msg.role === 'user')
+        score += 30;
+    else if (msg.role === 'assistant' && msg.toolCalls?.length)
+        score += 20;
+    else if (msg.role === 'assistant')
+        score += 10;
+    else if (msg.role === 'system')
+        score += 25; // system messages are usually important
+    else if (msg.role === 'tool')
+        score += 5;
+    // Recency bonus: recent messages get +0 to +20
+    const recencyFactor = index / total;
+    score += recencyFactor * 20;
+    // Content length (longer = more substantive, but cap benefit)
+    score += Math.min(msg.content.length / 200, 5);
+    // Tool calls indicate decision points
+    if (msg.toolCalls?.length)
+        score += msg.toolCalls.length * 3;
+    return score;
+}
 export function makeTokenEstimator(provider) {
     if (provider.estimateTokens)
         return provider.estimateTokens.bind(provider);
@@ -58,12 +87,24 @@ export function compressMessages(messages, targetTokens) {
             result[i] = { ...result[i], content: "[previous tool result truncated]" };
         }
     }
-    // AutoCompact Phase 2: Drop oldest non-system, non-pinned messages
+    // AutoCompact Phase 2: Drop lowest-importance messages first (importance-aware)
     while (estimateMessagesTokens(result) > targetTokens && result.length > keepLast + 1) {
-        const firstDroppable = result.findIndex((m) => m.role !== "system" && !m.meta?.pinned);
-        if (firstDroppable === -1 || firstDroppable >= result.length - keepLast)
+        // Score all droppable messages and remove the lowest-scored
+        let lowestScore = Infinity;
+        let lowestIdx = -1;
+        for (let i = 0; i < result.length - keepLast; i++) {
+            const msg = result[i];
+            if (msg.role === 'system' || msg.meta?.pinned)
+                continue;
+            const score = scoreMessage(msg, i, result.length);
+            if (score < lowestScore) {
+                lowestScore = score;
+                lowestIdx = i;
+            }
+        }
+        if (lowestIdx === -1)
             break;
-        result.splice(firstDroppable, 1);
+        result.splice(lowestIdx, 1);
     }
     // Phase 3: Remove orphaned tool results
     const validCallIds = new Set();

package/dist/remote/auth.d.ts

@@ -0,0 +1,25 @@
+/**
+ * API security layer — auth, rate limiting, and tool access control
+ * for the remote server.
+ */
+import type { IncomingMessage, ServerResponse } from 'node:http';
+import type { Tools } from '../Tool.js';
+/** Check if a request is within rate limits. Returns true if allowed. */
+export declare function checkRateLimit(ip: string, maxPerMinute: number): boolean;
+/** Validate a bearer token against configured tokens. Returns true if valid. */
+export declare function validateToken(authHeader: string | undefined): boolean;
+/** Filter tools based on remote config allowlist */
+export declare function filterRemoteTools(tools: Tools): Tools;
+/** Generate a unique request ID */
+export declare function generateRequestId(): string;
+export type AuthResult = {
+    allowed: boolean;
+    reason?: string;
+    requestId: string;
+};
+/**
+ * Run auth checks on an incoming request.
+ * Returns allowed=true if the request should proceed.
+ */
+export declare function authenticateRequest(req: IncomingMessage, res: ServerResponse): AuthResult;
+//# sourceMappingURL=auth.d.ts.map

package/dist/remote/auth.js

@@ -0,0 +1,73 @@
+/**
+ * API security layer — auth, rate limiting, and tool access control
+ * for the remote server.
+ */
+import { readOhConfig } from '../harness/config.js';
+const rateLimitMap = new Map();
+const WINDOW_MS = 60_000; // 1 minute sliding window
+/** Check if a request is within rate limits. Returns true if allowed. */
+export function checkRateLimit(ip, maxPerMinute) {
+    const now = Date.now();
+    const entry = rateLimitMap.get(ip);
+    if (!entry || now - entry.windowStart > WINDOW_MS) {
+        rateLimitMap.set(ip, { count: 1, windowStart: now });
+        return true;
+    }
+    if (entry.count >= maxPerMinute)
+        return false;
+    entry.count++;
+    return true;
+}
+// ── Token Auth ──
+/** Validate a bearer token against configured tokens. Returns true if valid. */
+export function validateToken(authHeader) {
+    const config = readOhConfig();
+    const tokens = config?.remote?.tokens;
+    // No tokens configured = no auth required (open access)
+    if (!tokens || tokens.length === 0)
+        return true;
+    if (!authHeader)
+        return false;
+    const token = authHeader.replace(/^Bearer\s+/i, '').trim();
+    if (!token)
+        return false;
+    return tokens.includes(token);
+}
+// ── Tool Filtering ──
+/** Filter tools based on remote config allowlist */
+export function filterRemoteTools(tools) {
+    const config = readOhConfig();
+    const allowed = config?.remote?.allowedTools;
+    if (!allowed || allowed.length === 0)
+        return tools;
+    const allowSet = new Set(allowed.map(n => n.toLowerCase()));
+    const filtered = tools.filter(t => allowSet.has(t.name.toLowerCase()));
+    return filtered.length > 0 ? filtered : tools; // fallback to all if filter empties
+}
+// ── Request ID ──
+let requestCounter = 0;
+/** Generate a unique request ID */
+export function generateRequestId() {
+    return `req-${Date.now().toString(36)}-${(++requestCounter).toString(36)}`;
+}
+/**
+ * Run auth checks on an incoming request.
+ * Returns allowed=true if the request should proceed.
+ */
+export function authenticateRequest(req, res) {
+    const requestId = generateRequestId();
+    res.setHeader('X-Request-ID', requestId);
+    // Token auth
+    if (!validateToken(req.headers.authorization)) {
+        return { allowed: false, reason: 'Invalid or missing bearer token', requestId };
+    }
+    // Rate limiting
+    const config = readOhConfig();
+    const rateLimit = config?.remote?.rateLimit ?? 60; // default 60/min
+    const ip = req.socket.remoteAddress ?? 'unknown';
+    if (!checkRateLimit(ip, rateLimit)) {
+        return { allowed: false, reason: 'Rate limit exceeded', requestId };
+    }
+    return { allowed: true, requestId };
+}
+//# sourceMappingURL=auth.js.map

package/dist/remote/server.d.ts

@@ -1,11 +1,14 @@
 /**
  * Remote server — HTTP + WebSocket server for remote agent dispatch,
- * bidirectional channels, and structured event streaming.
+ * bidirectional channels, A2A protocol, and structured event streaming.
  *
  * Endpoints:
- * - POST /dispatch  — send a prompt, get a streaming response
+ * - POST /dispatch  — send a prompt, get a streaming response (SSE)
+ * - POST /a2a       — A2A protocol: task delegation, discovery, status
  * - GET  /status    — check server status
  * - WS   /channel   — bidirectional WebSocket channel
+ *
+ * Security: bearer token auth, per-IP rate limiting, tool allowlists.
  */
 import type { Provider } from '../providers/base.js';
 import type { Tools } from '../Tool.js';
@@ -17,15 +20,28 @@ export type RemoteServerConfig = {
     systemPrompt: string;
     permissionMode: PermissionMode;
     model?: string;
+    sessionId?: string;
 };
 export declare class RemoteServer {
     private config;
     private channels;
     private server;
+    private agentCardId;
     constructor(config: RemoteServerConfig);
     start(): Promise<void>;
     stop(): void;
     private handleHttp;
+    private handleDispatch;
+    /**
+     * A2A protocol handler — receives inter-agent messages.
+     *
+     * Supports:
+     * - task: delegate a task to this agent
+     * - discover: return this agent's capabilities
+     * - status: return current state
+     * - cancel: abort a running task
+     */
+    private handleA2A;
     private handleChannel;
 }
 //# sourceMappingURL=server.d.ts.map

package/dist/remote/server.js

@@ -1,18 +1,24 @@
 /**
  * Remote server — HTTP + WebSocket server for remote agent dispatch,
- * bidirectional channels, and structured event streaming.
+ * bidirectional channels, A2A protocol, and structured event streaming.
  *
  * Endpoints:
- * - POST /dispatch  — send a prompt, get a streaming response
+ * - POST /dispatch  — send a prompt, get a streaming response (SSE)
+ * - POST /a2a       — A2A protocol: task delegation, discovery, status
  * - GET  /status    — check server status
  * - WS   /channel   — bidirectional WebSocket channel
+ *
+ * Security: bearer token auth, per-IP rate limiting, tool allowlists.
  */
 import { createServer } from 'node:http';
 import { WebSocketServer, WebSocket } from 'ws';
+import { authenticateRequest, filterRemoteTools } from './auth.js';
+import { createSessionCard, publishCard, unpublishCard, discoverAgents, generateMessageId, } from '../services/a2a.js';
 export class RemoteServer {
     config;
     channels = new Map();
     server = null;
+    agentCardId = null;
     constructor(config) {
         this.config = config;
     }
@@ -33,12 +39,27 @@ export class RemoteServer {
             });
             this.server.listen(this.config.port, () => {
                 process.stderr.write(`[remote] Server listening on http://localhost:${this.config.port}\n`);
-                process.stderr.write(`[remote] Endpoints: POST /dispatch, GET /status, WS /channel\n`);
+                process.stderr.write(`[remote] Endpoints: POST /dispatch, POST /a2a, GET /status, WS /channel\n`);
+                // Publish A2A agent card with HTTP endpoint
+                const sessionId = this.config.sessionId ?? Date.now().toString(36);
+                const card = createSessionCard(sessionId, {
+                    provider: this.config.provider.name,
+                    model: this.config.model,
+                    port: this.config.port,
+                });
+                publishCard(card);
+                this.agentCardId = card.id;
+                process.stderr.write(`[remote] A2A agent card published: ${card.id}\n`);
                 resolve();
             });
         });
     }
     stop() {
+        // Unpublish A2A card
+        if (this.agentCardId) {
+            unpublishCard(this.agentCardId);
+            this.agentCardId = null;
+        }
         for (const ch of this.channels.values()) {
             ch.abortController.abort();
             ch.ws.close();
@@ -50,12 +71,23 @@ export class RemoteServer {
         // CORS headers
         res.setHeader('Access-Control-Allow-Origin', '*');
         res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-        res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
         if (req.method === 'OPTIONS') {
             res.writeHead(204);
             res.end();
             return;
         }
+        // Auth check (skip for /status which is a health check)
+        if (req.url !== '/status') {
+            const auth = authenticateRequest(req, res);
+            if (!auth.allowed) {
+                const status = auth.reason?.includes('Rate limit') ? 429 : 401;
+                res.writeHead(status, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: auth.reason, requestId: auth.requestId }));
+                return;
+            }
+        }
+        // ── GET /status ──
         if (req.url === '/status' && req.method === 'GET') {
             res.writeHead(200, { 'Content-Type': 'application/json' });
             res.end(JSON.stringify({
@@ -63,50 +95,146 @@ export class RemoteServer {
                 provider: this.config.provider.name,
                 model: this.config.model,
                 channels: this.channels.size,
+                agentId: this.agentCardId,
             }));
             return;
         }
+        // ── POST /dispatch ──
         if (req.url === '/dispatch' && req.method === 'POST') {
-            const body = await readBody(req);
-            try {
-                const { prompt, maxTurns } = JSON.parse(body);
-                if (!prompt) {
-                    res.writeHead(400, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({ error: 'Missing "prompt" field' }));
+            await this.handleDispatch(req, res);
+            return;
+        }
+        // ── POST /a2a ──
+        if (req.url === '/a2a' && req.method === 'POST') {
+            await this.handleA2A(req, res);
+            return;
+        }
+        res.writeHead(404, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Not found' }));
+    }
+    async handleDispatch(req, res) {
+        const body = await readBody(req);
+        try {
+            const { prompt, maxTurns } = JSON.parse(body);
+            if (!prompt) {
+                res.writeHead(400, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Missing "prompt" field' }));
+                return;
+            }
+            // Apply tool filtering for remote callers
+            const tools = filterRemoteTools(this.config.tools);
+            // Stream response as Server-Sent Events
+            res.writeHead(200, {
+                'Content-Type': 'text/event-stream',
+                'Cache-Control': 'no-cache',
+                'Connection': 'keep-alive',
+            });
+            const { query } = await import('../query.js');
+            const config = {
+                provider: this.config.provider,
+                tools,
+                systemPrompt: this.config.systemPrompt,
+                permissionMode: this.config.permissionMode,
+                model: this.config.model,
+                maxTurns: maxTurns ?? 20,
+            };
+            for await (const event of query(prompt, config)) {
+                const data = JSON.stringify(event);
+                res.write(`data: ${data}\n\n`);
+            }
+            res.write('data: [DONE]\n\n');
+            res.end();
+        }
+        catch (err) {
+            if (!res.headersSent) {
+                res.writeHead(500, { 'Content-Type': 'application/json' });
+            }
+            res.end(JSON.stringify({ error: err instanceof Error ? err.message : String(err) }));
+        }
+    }
+    /**
+     * A2A protocol handler — receives inter-agent messages.
+     *
+     * Supports:
+     * - task: delegate a task to this agent
+     * - discover: return this agent's capabilities
+     * - status: return current state
+     * - cancel: abort a running task
+     */
+    async handleA2A(req, res) {
+        const body = await readBody(req);
+        try {
+            const message = JSON.parse(body);
+            switch (message.payload.kind) {
+                case 'discover': {
+                    // Return our agent card
+                    const agents = discoverAgents();
+                    const self = agents.find(a => a.id === this.agentCardId);
+                    const response = {
+                        id: generateMessageId(),
+                        from: this.agentCardId ?? 'unknown',
+                        to: message.from,
+                        type: 'result',
+                        payload: { kind: 'result', taskId: message.id, output: self ?? { error: 'agent not found' } },
+                        timestamp: Date.now(),
+                    };
+                    res.writeHead(200, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify(response));
                     return;
                 }
-                // Stream response as Server-Sent Events
-                res.writeHead(200, {
-                    'Content-Type': 'text/event-stream',
-                    'Cache-Control': 'no-cache',
-                    'Connection': 'keep-alive',
-                });
-                const { query } = await import('../query.js');
-                const config = {
-                    provider: this.config.provider,
-                    tools: this.config.tools,
-                    systemPrompt: this.config.systemPrompt,
-                    permissionMode: this.config.permissionMode,
-                    model: this.config.model,
-                    maxTurns: maxTurns ?? 20,
-                };
-                for await (const event of query(prompt, config)) {
-                    const data = JSON.stringify(event);
-                    res.write(`data: ${data}\n\n`);
+                case 'task': {
+                    // Execute the task via query loop
+                    const tools = filterRemoteTools(this.config.tools);
+                    const { query } = await import('../query.js');
+                    const config = {
+                        provider: this.config.provider,
+                        tools,
+                        systemPrompt: `[A2A Task from agent ${message.from}]\n\n${this.config.systemPrompt}`,
+                        permissionMode: this.config.permissionMode,
+                        model: this.config.model,
+                        maxTurns: 10,
+                    };
+                    let output = '';
+                    for await (const event of query(String(message.payload.input), config)) {
+                        if (event.type === 'text_delta')
+                            output += event.content;
+                    }
+                    const response = {
+                        id: generateMessageId(),
+                        from: this.agentCardId ?? 'unknown',
+                        to: message.from,
+                        type: 'result',
+                        payload: { kind: 'result', taskId: message.id, output },
+                        timestamp: Date.now(),
+                    };
+                    res.writeHead(200, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify(response));
+                    return;
                 }
-                res.write('data: [DONE]\n\n');
-                res.end();
-            }
-            catch (err) {
-                if (!res.headersSent) {
-                    res.writeHead(500, { 'Content-Type': 'application/json' });
+                case 'status': {
+                    const response = {
+                        id: generateMessageId(),
+                        from: this.agentCardId ?? 'unknown',
+                        to: message.from,
+                        type: 'status',
+                        payload: { kind: 'status', state: 'idle' },
+                        timestamp: Date.now(),
+                    };
+                    res.writeHead(200, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify(response));
+                    return;
+                }
+                default: {
+                    res.writeHead(400, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: `Unknown A2A message kind: ${message.payload.kind}` }));
+                    return;
                 }
-                res.end(JSON.stringify({ error: err instanceof Error ? err.message : String(err) }));
             }
-            return;
         }
-        res.writeHead(404, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Not found' }));
+        catch (err) {
+            res.writeHead(400, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: err instanceof Error ? err.message : String(err) }));
+        }
     }
     handleChannel(ws) {
         const id = Date.now().toString(36) + Math.random().toString(36).slice(2, 6);
@@ -119,10 +247,11 @@ export class RemoteServer {
             try {
                 const msg = JSON.parse(data.toString());
                 if (msg.type === 'dispatch') {
+                    const tools = filterRemoteTools(this.config.tools);
                     const { query } = await import('../query.js');
                     const config = {
                         provider: this.config.provider,
-                        tools: this.config.tools,
+                        tools,
                         systemPrompt: this.config.systemPrompt,
                         permissionMode: this.config.permissionMode,
                         model: this.config.model,

package/dist/renderer/index.d.ts

@@ -86,6 +86,13 @@ export declare class TerminalRenderer {
     private handlePermissionKey;
     /** Handle question prompt text input. Returns true if key was consumed. */
     private handleQuestionKey;
+    private renderTimer;
+    private lastRenderTime;
+    private static readonly FRAME_MS;
+    /**
+     * Schedule a render at ~60fps. Multiple calls within a frame are batched.
+     * This prevents excessive re-renders during fast token streaming.
+     */
     private scheduleRender;
     /** Apply lightweight markdown styling to a line for scrollback output */
     private styleMarkdownLine;