npm - a2acalling - Versions diffs - 0.3.5 → 0.3.6 - Mend

a2acalling 0.3.5 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "a2acalling",
-  "version": "0.3.5",
+  "version": "0.3.6",
   "description": "Agent-to-agent calling for OpenClaw - A2A agent communication",
   "main": "src/index.js",
   "bin": {

package/src/lib/config.js CHANGED Viewed

@@ -112,8 +112,13 @@ class A2AConfig {
       this.config.createdAt = this.config.updatedAt;
     }
     const tmpPath = `${CONFIG_FILE}.tmp`;
-    fs.writeFileSync(tmpPath, JSON.stringify(this.config, null, 2));
+    fs.writeFileSync(tmpPath, JSON.stringify(this.config, null, 2), { mode: 0o600 });
     fs.renameSync(tmpPath, CONFIG_FILE);
+    try {
+      fs.chmodSync(CONFIG_FILE, 0o600);
+    } catch (err) {
+      // Best effort - ignore on platforms without chmod support.
+    }
   }
   // Check if onboarding is complete

package/src/lib/conversations.js CHANGED Viewed

@@ -39,6 +39,11 @@ class ConversationStore {
     try {
       const Database = require('better-sqlite3');
       this.db = new Database(this.dbPath);
+      try {
+        fs.chmodSync(this.dbPath, 0o600);
+      } catch (err) {
+        // Best effort - ignore on platforms without chmod support.
+      }
       this._migrate();
       return this.db;
     } catch (err) {

package/src/lib/disclosure.js CHANGED Viewed

@@ -39,8 +39,13 @@ function saveManifest(manifest) {
   }
   manifest.updated_at = new Date().toISOString();
   const tmpPath = `${MANIFEST_FILE}.tmp`;
-  fs.writeFileSync(tmpPath, JSON.stringify(manifest, null, 2));
+  fs.writeFileSync(tmpPath, JSON.stringify(manifest, null, 2), { mode: 0o600 });
   fs.renameSync(tmpPath, MANIFEST_FILE);
+  try {
+    fs.chmodSync(MANIFEST_FILE, 0o600);
+  } catch (err) {
+    // Best effort - ignore on platforms without chmod support.
+  }
 }
 /**

package/src/lib/tokens.js CHANGED Viewed

@@ -44,8 +44,13 @@ class TokenStore {
   _save(db) {
     // Atomic write: write to temp file, then rename
     const tmpPath = `${this.dbPath}.tmp.${process.pid}`;
-    fs.writeFileSync(tmpPath, JSON.stringify(db, null, 2));
+    fs.writeFileSync(tmpPath, JSON.stringify(db, null, 2), { mode: 0o600 });
     fs.renameSync(tmpPath, this.dbPath);
+    try {
+      fs.chmodSync(this.dbPath, 0o600);
+    } catch (err) {
+      // Best effort - ignore on platforms without chmod support.
+    }
   }
   /**
@@ -460,6 +465,78 @@ class TokenStore {
     this._save(db);
     return { success: true, remote: removed };
   }
+  /**
+   * Ensure an inbound caller is present in contacts.
+   *
+   * Inbound callers authenticate with a token we issued; we usually don't
+   * have their endpoint URL, so these records are "placeholders" with:
+   * - host: "inbound"
+   * - no token stored
+   * - linked_token_id: token id used to call us (tok_...)
+   *
+   * This allows mapping call history (SQLite contact_id=tok_...) to a contact
+   * row in the dashboard via linked_token_id.
+   */
+  ensureInboundContact(caller, tokenId) {
+    if (!caller || !caller.name) {
+      return null;
+    }
+    const name = String(caller.name || '').trim().slice(0, 120);
+    const owner = caller.owner ? String(caller.owner).trim().slice(0, 120) : null;
+    const db = this._load();
+    db.remotes = db.remotes || [];
+    // Prefer stable linking by the token used for inbound auth.
+    let remote = tokenId
+      ? db.remotes.find(r => r.linked_token_id === tokenId)
+      : null;
+    // Fallback match by agent name/owner (less reliable, but helpful).
+    if (!remote) {
+      remote = db.remotes.find(r => r.name === name || (owner && r.owner === owner));
+    }
+    if (remote) {
+      remote.name = remote.name || name;
+      if (owner && !remote.owner) {
+        remote.owner = owner;
+      }
+      if (tokenId && !remote.linked_token_id) {
+        remote.linked_token_id = tokenId;
+      }
+      remote.host = remote.host || 'inbound';
+      remote.tags = Array.isArray(remote.tags) ? remote.tags : [];
+      if (!remote.tags.includes('inbound')) {
+        remote.tags.push('inbound');
+      }
+      remote.status = remote.status || 'unknown';
+      remote.updated_at = new Date().toISOString();
+      this._save(db);
+      return remote;
+    }
+    const contact = {
+      id: crypto.randomBytes(8).toString('hex'),
+      name,
+      owner,
+      host: 'inbound',
+      token_hash: null,
+      token_enc: null,
+      notes: tokenId ? `Inbound caller via token ${tokenId}` : 'Inbound caller',
+      tags: ['inbound'],
+      linked_token_id: tokenId || null,
+      status: 'unknown',
+      last_seen: null,
+      added_at: new Date().toISOString()
+    };
+    db.remotes.push(contact);
+    this._save(db);
+    return contact;
+  }
 }
 // Legacy tier values from old records → label mapping

package/src/routes/a2a.js CHANGED Viewed

@@ -57,6 +57,14 @@ const MAX_MESSAGE_LENGTH = 10000;  // 10KB max message
 const MAX_TIMEOUT_SECONDS = 300;   // 5 min max timeout
 const MIN_TIMEOUT_SECONDS = 5;     // 5 sec min timeout
+function isLoopbackAddress(ip) {
+  if (!ip) return false;
+  if (ip === '::1' || ip === '127.0.0.1' || ip === '::ffff:127.0.0.1') {
+    return true;
+  }
+  return ip.startsWith('::ffff:127.');
+}
 function checkRateLimit(tokenId, limits = { minute: 10, hour: 100, day: 1000 }) {
   const now = Date.now();
   const minute = Math.floor(now / 60000);
@@ -399,9 +407,18 @@ function createRoutes(options = {}) {
   router.get('/conversations', (req, res) => {
     // This endpoint should be protected by local auth, not A2A tokens
     // For now, require an admin token or local access
+    const expected = process.env.A2A_ADMIN_TOKEN;
     const adminToken = req.headers['x-admin-token'];
-    if (adminToken !== process.env.A2A_ADMIN_TOKEN && req.ip !== '127.0.0.1') {
-      return res.status(401).json({ error: 'unauthorized' });
+    if (!isLoopbackAddress(req.ip)) {
+      if (!expected) {
+        return res.status(401).json({
+          error: 'admin_token_required',
+          message: 'Set A2A_ADMIN_TOKEN to access conversation admin routes from non-local addresses'
+        });
+      }
+      if (adminToken !== expected) {
+        return res.status(401).json({ error: 'unauthorized' });
+      }
     }
     const convStore = getConversationStore();
@@ -426,9 +443,18 @@ function createRoutes(options = {}) {
    * Get conversation details with context
    */
   router.get('/conversations/:id', (req, res) => {
+    const expected = process.env.A2A_ADMIN_TOKEN;
     const adminToken = req.headers['x-admin-token'];
-    if (adminToken !== process.env.A2A_ADMIN_TOKEN && req.ip !== '127.0.0.1') {
-      return res.status(401).json({ error: 'unauthorized' });
+    if (!isLoopbackAddress(req.ip)) {
+      if (!expected) {
+        return res.status(401).json({
+          error: 'admin_token_required',
+          message: 'Set A2A_ADMIN_TOKEN to access conversation admin routes from non-local addresses'
+        });
+      }
+      if (adminToken !== expected) {
+        return res.status(401).json({ error: 'unauthorized' });
+      }
     }
     const convStore = getConversationStore();

package/src/routes/dashboard.js CHANGED Viewed

@@ -169,7 +169,11 @@ function ensureDashboardAccess(req, res, next) {
     return next();
   }
   if (!adminToken) {
-    return next();
+    return res.status(401).json({
+      success: false,
+      error: 'admin_token_required',
+      message: 'Set A2A_ADMIN_TOKEN to access dashboard from non-local addresses'
+    });
   }
   if (headerToken === adminToken || queryToken === adminToken) {
     return next();

package/src/server.js CHANGED Viewed

@@ -397,42 +397,15 @@ function fallbackCollaborationUpdate(state, inboundMessage, responseText, tierTo
  */
 function ensureContact(caller, tokenId) {
   if (!caller?.name) return null;
   try {
-    const remotes = tokenStore.listRemotes();
-    const existing = remotes.find(r =>
-      r.name === caller.name ||
-      (caller.owner && r.owner === caller.owner)
-    );
-    if (existing) {
-      return existing;
+    const contact = tokenStore.ensureInboundContact(caller, tokenId);
+    if (contact) {
+      console.log(`[a2a] 📇 Contact ensured: ${caller.name}${caller.owner ? ` (${caller.owner})` : ''}`);
     }
-    // Create a placeholder contact for the caller
-    const contact = {
-      id: `contact_${Date.now()}`,
-      name: caller.name,
-      owner: caller.owner || null,
-      host: 'inbound', // They called us, we don't have their URL
-      added_at: new Date().toISOString(),
-      notes: `Inbound caller via token ${tokenId}`,
-      tags: ['inbound'],
-      status: 'unknown',
-      linkedTokenId: tokenId
-    };
-    // Save to remotes
-    const db = JSON.parse(fs.readFileSync(tokenStore.dbPath, 'utf8'));
-    db.remotes = db.remotes || [];
-    db.remotes.push(contact);
-    fs.writeFileSync(tokenStore.dbPath, JSON.stringify(db, null, 2));
-    console.log(`[a2a] 📇 New contact added: ${caller.name}${caller.owner ? ` (${caller.owner})` : ''}`);
     return contact;
   } catch (err) {
-    console.error('[a2a] Failed to add contact:', err.message);
+    console.error('[a2a] Failed to ensure contact:', err.message);
     return null;
   }
 }