a2acalling 0.6.0 → 0.6.2

package/README.md

@@ -11,7 +11,7 @@ Your AI agent can now call other AI agents — across instances, with scoped per
 
 ## ✨ Features
 
-- 🔐 **Tiered permissions** — public (chat), friends (tools-read), family (tools-write)
+- 🔐 **Tiered permissions** — public / friends / family
 - 📇 **Contact management** — save agents, track trust, link permissions
 - 🧠 **Strategic summaries** — track what you got vs. gave, find mutual wins
 - 🔔 **Owner notifications** — know when your agent gets called
@@ -28,7 +28,7 @@ Your AI agent can now call other AI agents — across instances, with scoped per
 ### Create an invite for others to call your agent
 
 ```bash
-a2a create --name "My Agent" --owner "Your Name" --tier friends
+a2a create --name "My Agent" --owner "Your Name" --permissions friends
 
 # Output:
 # 🤝 Your Name is inviting you to connect agents!
@@ -79,19 +79,29 @@ Setup behavior:
 - Setup inspects port 80 and prints reverse proxy guidance for stable internet-facing ingress.
 - Setup prints the exact dashboard URL at the end.
 
-Before the first `a2a call`, the owner must set permissions and disclosure tiers. Run onboarding first:
+Before the first `a2a call`, the owner must complete onboarding (install location, permission tiers, and server ingress verification). Run:
 
 ```bash
 /a2a quickstart
 ```
 
+CLI equivalents:
+
+```bash
+# Local machine (local-only invites)
+a2a quickstart --port 3001
+
+# Server / public hostname (recommended: terminate at 443 via reverse proxy)
+a2a quickstart --hostname YOUR_DOMAIN:443 --port 3001
+```
+
 ## 🎯 Permission Tiers
 
-| Tier | Alias | What They Can Access |
-|------|-------|---------------------|
-| `public` | `chat-only` | Conversation only |
-| `friends` | `tools-read` | Chat + web, files, calendar (read) |
-| `family` | `tools-write` | Full tool access (careful!) |
+| Tier | What They Can Access |
+|------|---------------------|
+| `public` | Conversation only |
+| `friends` | Most read-only tools (calendar/email/search) |
+| `family` | Full tool access (careful!) |
 
 Customize tiers in `~/.config/openclaw/a2a-config.json`:
 
@@ -171,7 +181,7 @@ a2a create [options]          # Create an invite token
 
 a2a list                      # List your tokens
 a2a revoke <id>               # Revoke a token
-a2a quickstart                # Interactive setup
+a2a quickstart                # Deterministic onboarding
 ```
 
 ### Calling
@@ -196,6 +206,20 @@ Dashboard paths:
 - Standalone A2A server: `http://<host>:<port>/dashboard`
 - OpenClaw gateway mode: `http://<gateway>/a2a`
 
+### Remote Callbook (Mac / Remote Browser)
+
+If the owner wants to manage A2A from a different machine (ex: their MacBook), you can pair a browser session using a one-time install link:
+
+1. Open the dashboard on the server (local): `http://127.0.0.1:<port>/dashboard/`
+2. Go to `Settings` -> `Remote Callbook`
+3. Click `Create Install Link (24h)` and copy the URL
+4. Open that link on the Mac. It exchanges the code for a long-lived session cookie and then redirects to the dashboard.
+
+Notes:
+- The install link expires after 24 hours and is one-time use.
+- The session cookie is long-lived (effectively "never expires") until you revoke that device in `Settings` -> `Remote Callbook`.
+- Callbook session storage DB: `~/.config/openclaw/a2a-callbook.db` (or `$A2A_CONFIG_DIR/a2a-callbook.db`).
+
 ### Traceability and Logs
 
 All runtime logs are persisted in SQLite and also emitted to stdout:

package/SKILL.md

@@ -32,16 +32,34 @@ Enable agent-to-agent communication across OpenClaw instances.
 Before processing ANY /a2a command, check onboarding status:
 
 ```bash
-cat ~/.config/openclaw/a2a-config.json 2>/dev/null | grep '"onboardingComplete"'
+node - <<'NODE'
+const fs = require('fs');
+const path = require('path');
+
+const dir = process.env.A2A_CONFIG_DIR ||
+  process.env.OPENCLAW_CONFIG_DIR ||
+  path.join(process.env.HOME || '/tmp', '.config', 'openclaw');
+const file = path.join(dir, 'a2a-config.json');
+
+let ok = false;
+try {
+  const cfg = JSON.parse(fs.readFileSync(file, 'utf8'));
+  ok = cfg.onboarding &&
+    cfg.onboarding.version === 2 &&
+    cfg.onboarding.step === 'complete';
+} catch (e) {}
+
+process.stdout.write(ok ? 'onboarded\n' : 'not_onboarded\n');
+NODE
 ```
 
-**If the file does not exist or `onboardingComplete` is `false`:**
+**If it prints `not_onboarded`:**
 - DO NOT process the requested command yet
 - Tell the user: "A2A needs initial setup. Let me configure your agent's disclosure topics first."
-- Run the Quickstart flow below to completion
+- Run the deterministic Quickstart flow below to completion (flags-based, step-by-step)
 - Only THEN proceed with the user's original command
 
-**If `onboardingComplete` is `true`:** proceed normally.
+**If it prints `onboarded`:** proceed normally.
 
 **Context gathering for onboarding:** Read ALL available context to generate personalized tier topics:
 - **Primary:** USER.md, HEARTBEAT.md, SOUL.md
@@ -58,13 +76,51 @@ Extract: professional context, interests, goals, skills, sensitive areas. Group
 - Recommended: run the A2A backend on an internal port and expose it via a reverse proxy on `:443` (HTTPS) or `:80` (HTTP), routing `/api/a2a/*` to the backend.
 - `npx a2acalling setup` inspects port 80 and prints reverse proxy guidance + an external reachability check.
 
+## Publishing (Maintainers)
+
+This repo ships as:
+- GitHub repo: `onthegonow/a2a_calling`
+- npm package: `a2acalling`
+
+Maintainer credentials are local-only and must never be committed:
+- `.env` (gitignored) must contain `GH_TOKEN` and `NPM_TOKEN`
+- GitHub Actions repo secrets should also include `GH_TOKEN` and `NPM_TOKEN` for automated releases
+
 ## Commands
 
 ### Quickstart
 
 User says: `/a2a quickstart`, `/a2a start`, "set up A2A", "get started with A2A", "configure what my agent shares"
 
-Full onboarding flow: generates a disclosure manifest that controls what topics your agent leads with, discusses, or deflects during A2A calls — scoped by access tier (public, friends, family).
+Deterministic onboarding flow (sequential, flags-based):
+
+1. Background bootstrap (config + disclosure)
+2. Owner dashboard access (local URL + optional Callbook Remote install link)
+3. Set permission tiers: populate and confirm tier `topics` + `goals`
+4. Port scan + reverse proxy guidance (if needed for public hostname)
+5. External IP confirmation and public reachability check (public hostname only)
+
+Run it like:
+
+```bash
+# Local machine (local-only invites)
+a2a quickstart --port 3001
+
+# Server / public hostname
+a2a quickstart --hostname YOUR_DOMAIN:443 --port 3001
+```
+
+Quickstart will print a proposed tier configuration. After the user reviews it, re-run with:
+
+```bash
+a2a quickstart --port 3001 --confirm-tiers
+# or (public hostname)
+a2a quickstart --hostname YOUR_DOMAIN:443 --port 3001 --confirm-tiers
+```
+
+If reverse proxy/ingress is required, Quickstart will stop and ask for explicit confirmation (`--confirm-ingress`).
+
+Full disclosure onboarding (manifest editing) remains available below: it generates a disclosure manifest that controls what topics your agent leads with, discusses, or deflects during A2A calls — scoped by access tier (public, friends, family).
 
 This onboarding is required before the first `/a2a call`. The owner must approve permissions first.
 
@@ -117,6 +173,12 @@ Notes:
 - This command is safe and **does not require onboarding**.
 - Optional: open a specific tab via `--tab`.
 
+Remote dashboard access (Callbook Remote):
+- If the owner wants to use the dashboard from a different machine (ex: MacBook), have them open the dashboard locally on the server at `http://127.0.0.1:<port>/dashboard/`.
+- In `Settings` -> `Remote Callbook`, click `Create Install Link (24h)` and copy the URL to the remote machine.
+- The install link is one-time use and exchanges for a long-lived session cookie in the remote browser.
+- To revoke access, use `Settings` -> `Remote Callbook` -> `Paired Devices` -> `Revoke`.
+
 Examples:
 
 ```bash