a2acalling 0.6.1 → 0.6.3

package/src/routes/dashboard.js

@@ -13,9 +13,11 @@ const fs = require('fs');
 const path = require('path');
 const { TokenStore } = require('../lib/tokens');
 const { ConversationStore } = require('../lib/conversations');
+const { A2AClient } = require('../lib/client');
 const { A2AConfig } = require('../lib/config');
 const { loadManifest, saveManifest } = require('../lib/disclosure');
 const { resolveInviteHost } = require('../lib/invite-host');
+const { CallbookStore } = require('../lib/callbook');
 const { createLogger } = require('../lib/logger');
 
 const DASHBOARD_STATIC_DIR = path.join(__dirname, '..', 'dashboard', 'public');
@@ -28,6 +30,63 @@ function isLoopbackAddress(ip) {
   return ip.startsWith('::ffff:127.');
 }
 
+function parseCookieHeader(headerValue) {
+  const raw = String(headerValue || '').trim();
+  if (!raw) return {};
+  const cookies = {};
+  for (const part of raw.split(';')) {
+    const idx = part.indexOf('=');
+    if (idx === -1) continue;
+    const key = part.slice(0, idx).trim();
+    const value = part.slice(idx + 1).trim();
+    if (!key) continue;
+    cookies[key] = decodeURIComponent(value);
+  }
+  return cookies;
+}
+
+function isDirectLocalRequest(req) {
+  const ip = (req && req.socket && req.socket.remoteAddress) ? req.socket.remoteAddress : req.ip;
+  if (!isLoopbackAddress(ip)) return false;
+  const host = String(req.headers.host || '').toLowerCase();
+  const isLocalHost = host.startsWith('localhost') ||
+    host.startsWith('127.0.0.1') ||
+    host.startsWith('[::1]') ||
+    host.startsWith('::1');
+  if (!isLocalHost) return false;
+  // Avoid treating proxy-forwarded traffic as "local".
+  const forwarded = req.headers['x-forwarded-for'] ||
+    req.headers['x-forwarded-proto'] ||
+    req.headers['x-forwarded-host'] ||
+    req.headers['cf-connecting-ip'] ||
+    req.headers['x-forwarded-by'];
+  if (forwarded) return false;
+  return true;
+}
+
+function isHttpsRequest(req) {
+  const proto = String(req.headers['x-forwarded-proto'] || '')
+    .split(',')[0]
+    .trim()
+    .toLowerCase();
+  if (proto === 'https') return true;
+  if (req && req.socket && req.socket.encrypted) return true;
+  return false;
+}
+
+function buildSetCookie(name, value, options = {}) {
+  const parts = [];
+  parts.push(`${name}=${encodeURIComponent(String(value || ''))}`);
+  parts.push('Path=/');
+  if (options.httpOnly !== false) parts.push('HttpOnly');
+  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
+  if (options.secure) parts.push('Secure');
+  if (Number.isFinite(options.maxAgeSeconds)) {
+    parts.push(`Max-Age=${Math.max(0, Math.floor(options.maxAgeSeconds))}`);
+  }
+  return parts.join('; ');
+}
+
 function sanitizeString(value, maxLength = 200) {
   return String(value || '')
     .replace(/\s+/g, ' ')
@@ -35,6 +94,30 @@ function sanitizeString(value, maxLength = 200) {
     .slice(0, maxLength);
 }
 
+function parseBoolean(value) {
+  if (value === null || value === undefined) return false;
+  if (typeof value === 'boolean') return value;
+  if (typeof value === 'number') return value !== 0;
+  const s = String(value).trim().toLowerCase();
+  if (['true', '1', 'yes', 'y', 'on'].includes(s)) return true;
+  if (['false', '0', 'no', 'n', 'off', ''].includes(s)) return false;
+  return Boolean(value);
+}
+
+function resolveAgentContext(options = {}) {
+  const provided = options.agentContext && typeof options.agentContext === 'object' ? options.agentContext : null;
+  const name = sanitizeString(
+    provided?.name || process.env.A2A_AGENT_NAME || process.env.AGENT_NAME || 'a2a-agent',
+    80
+  ) || 'a2a-agent';
+  const owner = sanitizeString(
+    provided?.owner || process.env.A2A_OWNER_NAME || process.env.USER || 'Agent Owner',
+    120
+  ) || 'Agent Owner';
+
+  return { name, owner };
+}
+
 function normalizeTierId(value) {
   return sanitizeString(value, 80)
     .toLowerCase()
@@ -108,6 +191,8 @@ function buildContext(options = {}) {
   const tokenStore = options.tokenStore || new TokenStore();
   const config = options.config || new A2AConfig();
   const logger = options.logger || createLogger({ component: 'a2a.dashboard' });
+  const callbookStore = options.callbookStore || new CallbookStore(tokenStore.configDir);
+  const agentContext = resolveAgentContext(options);
   let convStore = options.convStore || null;
   if (!convStore) {
     try {
@@ -124,7 +209,9 @@ function buildContext(options = {}) {
     tokenStore,
     config,
     convStore,
+    callbookStore,
     logger,
+    agentContext,
     staticDir: DASHBOARD_STATIC_DIR
   };
 }
@@ -165,24 +252,95 @@ function resolveConversationContact(conversation, contactIndex) {
   return null;
 }
 
-function ensureDashboardAccess(req, res, next) {
-  const adminToken = process.env.A2A_ADMIN_TOKEN;
-  const headerToken = req.headers['x-admin-token'];
-  const queryToken = req.query?.admin_token;
-  if (isLoopbackAddress(req.ip)) {
-    return next();
-  }
-  if (!adminToken) {
+function toDashboardContact(contact) {
+  const canCall = Boolean(
+    contact &&
+    String(contact.host || '').trim() &&
+    contact.token_enc &&
+    contact.token_hash
+  );
+
+  return {
+    id: contact.id,
+    owner: contact.owner || null,
+    name: contact.name || null,
+    host: contact.host || null,
+    web_address: contact.host || null,
+    is_mine: Boolean(contact.is_mine),
+    server_name: contact.server_name || null,
+    notes: contact.notes || null,
+    tags: Array.isArray(contact.tags) ? contact.tags : [],
+    fields: (contact.fields && typeof contact.fields === 'object' && !Array.isArray(contact.fields)) ? contact.fields : {},
+    linked_token_id: contact.linked_token_id || null,
+    status: contact.status || 'unknown',
+    last_seen: contact.last_seen || null,
+    last_check: contact.last_check || null,
+    last_error: contact.last_error || null,
+    added_at: contact.added_at || null,
+    updated_at: contact.updated_at || null,
+    can_call: canCall
+  };
+}
+
+function makeEnsureDashboardAccess(context) {
+  return function ensureDashboardAccess(req, res, next) {
+    const adminToken = process.env.A2A_ADMIN_TOKEN;
+    const headerToken = req.headers['x-admin-token'];
+    const queryToken = req.query?.admin_token;
+
+    if (isDirectLocalRequest(req)) {
+      return next();
+    }
+
+    if (adminToken && (headerToken === adminToken || queryToken === adminToken)) {
+      return next();
+    }
+
+    const cookies = parseCookieHeader(req.headers.cookie || '');
+    const sessionToken = cookies.a2a_callbook_session || null;
+    if (sessionToken && context.callbookStore && context.callbookStore.isAvailable()) {
+      const session = context.callbookStore.validateSession(sessionToken);
+      if (session && session.valid) {
+        req.callbook = session;
+        return next();
+      }
+    }
+
+    const wantsHtml = String(req.headers.accept || '').includes('text/html');
+    if (wantsHtml) {
+      return res.status(401).send(`<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>A2A Dashboard</title>
+  </head>
+  <body style="font-family: system-ui, -apple-system, Segoe UI, sans-serif; padding: 2rem;">
+    <h1>A2A Dashboard Locked</h1>
+    <p>This dashboard requires owner access.</p>
+    <ul>
+      <li>Local access: open <code>http://127.0.0.1:PORT/dashboard/</code> on the server</li>
+      <li>Remote access: generate a Callbook Remote install link on the server, then open it on your Mac</li>
+      <li>Break-glass: set <code>A2A_ADMIN_TOKEN</code> and send <code>x-admin-token</code> header</li>
+    </ul>
+  </body>
+</html>`);
+    }
+
+    if (!adminToken && !(context.callbookStore && context.callbookStore.isAvailable())) {
+      return res.status(401).json({
+        success: false,
+        error: 'admin_token_required',
+        message: 'Set A2A_ADMIN_TOKEN (or enable callbook session storage) to access dashboard from non-local addresses'
+      });
+    }
+
     return res.status(401).json({
       success: false,
-      error: 'admin_token_required',
-      message: 'Set A2A_ADMIN_TOKEN to access dashboard from non-local addresses'
+      error: 'unauthorized',
+      message: 'Admin token or callbook session required'
     });
-  }
-  if (headerToken === adminToken || queryToken === adminToken) {
-    return next();
-  }
-  return res.status(401).json({ success: false, error: 'unauthorized', message: 'Admin token required' });
+  };
 }
 
 function summarizeDebugLogs(logs) {
@@ -252,19 +410,215 @@ function createDashboardApiRouter(options = {}) {
   const router = express.Router();
   const context = buildContext(options);
   router.use(express.json());
+  const ensureDashboardAccess = makeEnsureDashboardAccess(context);
+
+  // Callbook Remote: exchange a short-lived provisioning code for a long-lived session cookie.
+  // This route must be reachable BEFORE dashboard access is established.
+  router.post('/callbook/exchange', (req, res) => {
+    const body = req.body || {};
+    const code = sanitizeString(body.code || '', 500);
+    const label = sanitizeString(body.label || '', 120) || null;
+
+    if (!context.callbookStore || !context.callbookStore.isAvailable()) {
+      return res.status(500).json({
+        success: false,
+        error: 'callbook_storage_unavailable',
+        message: 'Callbook session storage is not available on this server.',
+        hint: context.callbookStore ? context.callbookStore.getDbError() : 'missing_callbook_store'
+      });
+    }
+
+    const result = context.callbookStore.exchangeProvisionCode(code, { label });
+    if (!result.success) {
+      return res.status(401).json({
+        success: false,
+        error: result.error || 'invalid_code',
+        message: 'Callbook install code is invalid, expired, or already used.'
+      });
+    }
+
+    // "Never expires" in DB; for browsers we set a very long cookie lifetime.
+    // (Browsers may still evict cookies; owner can always re-provision.)
+    const maxAgeSeconds = 10 * 365 * 24 * 60 * 60; // ~10 years
+    const cookie = buildSetCookie('a2a_callbook_session', result.sessionToken, {
+      httpOnly: true,
+      sameSite: 'Lax',
+      secure: isHttpsRequest(req),
+      maxAgeSeconds
+    });
+    res.setHeader('Set-Cookie', cookie);
+
+    return res.json({
+      success: true,
+      device: result.device,
+      dashboard_path: '/dashboard/'
+    });
+  });
+
+  // All other dashboard API routes require owner access.
   router.use(ensureDashboardAccess);
 
-  router.get('/status', (req, res) => {
+  router.get('/status', async (req, res) => {
     context.logger.debug('Dashboard status requested', { event: 'dashboard_status' });
-    res.json({
+    const refreshIp = String(req.query.refresh_ip || 'false') === 'true';
+    let resolvedHost = null;
+    let warnings = [];
+    let inviteResolution = null;
+    try {
+      const resolved = await resolveInviteHost({
+        config: context.config,
+        fallbackHost: req.headers.host || process.env.HOSTNAME || 'localhost',
+        defaultPort: process.env.PORT || process.env.A2A_PORT || 3001,
+        refreshExternalIp: refreshIp,
+        forceRefreshExternalIp: refreshIp,
+        alwaysLookupExternalIp: true,
+        warnOnExternalIpFailure: refreshIp
+      });
+      inviteResolution = resolved;
+      resolvedHost = resolved.host;
+      warnings = resolved.warnings || [];
+    } catch (err) {
+      // Non-fatal: still return base status.
+    }
+
+    const schemeOverride = String(process.env.A2A_PUBLIC_SCHEME || '').trim();
+    const inferredScheme = schemeOverride || (isHttpsRequest(req) ? 'https' : 'http');
+    const publicBaseUrl = resolvedHost ? `${inferredScheme}://${resolvedHost}` : null;
+
+    const devices = (context.callbookStore && context.callbookStore.isAvailable())
+      ? context.callbookStore.listDevices({ includeRevoked: true, limit: 200 }).devices
+      : [];
+
+    return res.json({
       success: true,
       dashboard: true,
       conversations_enabled: Boolean(context.convStore),
+      agent: {
+        name: context.agentContext?.name || null,
+        owner_name: context.agentContext?.owner || null,
+        server_name: sanitizeString(context.config.getAgent?.().server_name || context.config.getAgent?.().serverName || '', 120) || null
+      },
       config_file: require('../lib/config').CONFIG_FILE,
-      manifest_file: require('../lib/disclosure').MANIFEST_FILE
+      manifest_file: require('../lib/disclosure').MANIFEST_FILE,
+      public_base_url: publicBaseUrl,
+      public_dashboard_url: publicBaseUrl ? `${publicBaseUrl}/dashboard/` : null,
+      callbook_install_base: publicBaseUrl ? `${publicBaseUrl}/callbook/install` : null,
+      invite_host: inviteResolution ? {
+        host: inviteResolution.host,
+        source: inviteResolution.source || null,
+        original_host: inviteResolution.originalHost || null
+      } : null,
+      external_ip: inviteResolution && inviteResolution.externalIpInfo ? {
+        ip: inviteResolution.externalIpInfo.ip || null,
+        checked_at: inviteResolution.externalIpInfo.checkedAt || null,
+        source: inviteResolution.externalIpInfo.source || null,
+        from_cache: Boolean(inviteResolution.externalIpInfo.fromCache),
+        stale: Boolean(inviteResolution.externalIpInfo.stale),
+        error: inviteResolution.externalIpInfo.error || null,
+        attempts: inviteResolution.externalIpInfo.attempts || null
+      } : null,
+      warnings,
+      callbook: {
+        enabled: Boolean(context.callbookStore && context.callbookStore.isAvailable()),
+        device_count: Array.isArray(devices) ? devices.length : 0
+      }
     });
   });
 
+  // Callbook Remote: create a short-lived install link (24h by default).
+  router.post('/callbook/provision', async (req, res) => {
+    const body = req.body || {};
+    const label = sanitizeString(body.label || 'Callbook Remote', 120) || null;
+    const ttlHoursRaw = body.ttl_hours !== undefined ? body.ttl_hours : body.ttlHours;
+    const ttlHours = Math.max(1, Math.min(168, Number.parseInt(String(ttlHoursRaw || '24'), 10) || 24));
+    const ttlMs = ttlHours * 60 * 60 * 1000;
+
+    if (!context.callbookStore || !context.callbookStore.isAvailable()) {
+      return res.status(500).json({
+        success: false,
+        error: 'callbook_storage_unavailable',
+        message: 'Callbook session storage is not available on this server.',
+        hint: context.callbookStore ? context.callbookStore.getDbError() : 'missing_callbook_store'
+      });
+    }
+
+    const created = context.callbookStore.createProvisionCode({ label, ttlMs });
+    if (!created.success) {
+      return res.status(500).json({
+        success: false,
+        error: created.error || 'callbook_provision_failed',
+        message: created.message || 'Failed to create Callbook Remote install link.'
+      });
+    }
+
+    let resolvedHost = null;
+    let warnings = [];
+    try {
+      const resolved = await resolveInviteHost({
+        config: context.config,
+        fallbackHost: req.headers.host || process.env.HOSTNAME || 'localhost',
+        defaultPort: process.env.PORT || process.env.A2A_PORT || 3001,
+        refreshExternalIp: true,
+        forceRefreshExternalIp: true
+      });
+      resolvedHost = resolved.host;
+      warnings = resolved.warnings || [];
+    } catch (err) {
+      // Non-fatal: we can still return the code; owner can assemble URL manually.
+    }
+
+    const schemeOverride = String(process.env.A2A_PUBLIC_SCHEME || '').trim();
+    const scheme = schemeOverride || (isHttpsRequest(req) ? 'https' : 'http');
+    const baseUrl = resolvedHost ? `${scheme}://${resolvedHost}` : null;
+    const installUrl = baseUrl ? `${baseUrl}/callbook/install#code=${created.code}` : null;
+
+    return res.json({
+      success: true,
+      install_url: installUrl,
+      expires_at: created.record.expires_at,
+      token: {
+        id: created.record.id,
+        label: created.record.label
+      },
+      warnings
+    });
+  });
+
+  router.get('/callbook/devices', (req, res) => {
+    if (!context.callbookStore || !context.callbookStore.isAvailable()) {
+      return res.json({ success: true, devices: [], message: 'Callbook storage not available' });
+    }
+    const includeRevoked = String(req.query.include_revoked || 'false') === 'true';
+    const result = context.callbookStore.listDevices({ includeRevoked, limit: req.query.limit || 200 });
+    if (!result.success) {
+      return res.status(500).json({ success: false, error: result.error || 'callbook_list_failed', message: result.message });
+    }
+    return res.json({ success: true, devices: result.devices });
+  });
+
+  router.post('/callbook/devices/:deviceId/revoke', (req, res) => {
+    if (!context.callbookStore || !context.callbookStore.isAvailable()) {
+      return res.status(500).json({ success: false, error: 'callbook_storage_unavailable' });
+    }
+    const deviceId = sanitizeString(req.params.deviceId, 120);
+    const result = context.callbookStore.revokeDevice(deviceId);
+    if (!result.success) {
+      return res.status(404).json({ success: false, error: result.error || 'device_not_found' });
+    }
+    return res.json({ success: true, device: result.device });
+  });
+
+  router.post('/callbook/logout', (req, res) => {
+    const cookie = buildSetCookie('a2a_callbook_session', '', {
+      httpOnly: true,
+      sameSite: 'Lax',
+      secure: isHttpsRequest(req),
+      maxAgeSeconds: 0
+    });
+    res.setHeader('Set-Cookie', cookie);
+    return res.json({ success: true });
+  });
+
   router.get('/logs', (req, res) => {
     const limit = Math.min(1000, Math.max(1, Number.parseInt(req.query.limit || '200', 10) || 200));
     const logs = context.logger.list({
@@ -362,7 +716,7 @@ function createDashboardApiRouter(options = {}) {
   });
 
   router.get('/contacts', (req, res) => {
-    const contacts = context.tokenStore.listRemotes();
+    const contacts = context.tokenStore.listContacts({ includeLinkedToken: true, includeSecrets: true });
     const contactIndex = buildContactIndex(contacts);
     const conversations = context.convStore
       ? context.convStore.listConversations({
@@ -389,10 +743,12 @@ function createDashboardApiRouter(options = {}) {
         return String(b.last_message_at || '').localeCompare(String(a.last_message_at || ''));
       });
       const latest = calls[0] || null;
+
       return {
-        ...contact,
+        ...toDashboardContact(contact),
         call_count: calls.length,
         last_call_at: latest?.last_message_at || null,
+        last_call_id: latest?.id || null,
         last_summary: latest?.summary || null,
         last_owner_summary: latest?.owner_summary || null
       };
@@ -401,13 +757,187 @@ function createDashboardApiRouter(options = {}) {
     res.json({ success: true, contacts: result });
   });
 
+  router.post('/contacts', (req, res) => {
+    const body = req.body || {};
+    const inviteUrl = sanitizeString(
+      body.invite_url || body.inviteUrl || body.web_address || body.webAddress || body.url || '',
+      600
+    );
+    const name = sanitizeString(body.name || '', 120) || null;
+    const owner = sanitizeString(body.owner || '', 120) || null;
+    const isMine = parseBoolean(body.is_mine !== undefined ? body.is_mine : body.isMine);
+    const serverName = sanitizeString(body.server_name || body.serverName || '', 120) || null;
+    const notes = sanitizeString(body.notes || '', 800) || null;
+    const tags = sanitizeStringArray(body.tags || [], 30, 40);
+    const fields = (body.fields && typeof body.fields === 'object' && !Array.isArray(body.fields)) ? body.fields : {};
+
+    if (!inviteUrl) {
+      return res.status(400).json({ success: false, error: 'invite_url_required' });
+    }
+
+    try {
+      const result = context.tokenStore.addContact(inviteUrl, {
+        name: name || undefined,
+        owner: owner || undefined,
+        is_mine: isMine,
+        server_name: serverName || undefined,
+        notes: notes || undefined,
+        tags: tags || undefined,
+        fields: fields || undefined
+      });
+      if (!result.success) {
+        return res.status(409).json({ success: false, error: result.error || 'contact_add_failed', contact: result.existing || null });
+      }
+      const stored = context.tokenStore.listContacts({ includeLinkedToken: false, includeSecrets: true })
+        .find(c => c.id === result.contact.id);
+      return res.json({ success: true, contact: stored ? toDashboardContact(stored) : toDashboardContact(result.contact) });
+    } catch (err) {
+      return res.status(400).json({
+        success: false,
+        error: 'invalid_invite_url',
+        message: err.message || 'Invalid invite URL'
+      });
+    }
+  });
+
+  router.put('/contacts/:contactId', (req, res) => {
+    const contactId = sanitizeString(req.params.contactId, 120);
+    if (!contactId) {
+      return res.status(400).json({ success: false, error: 'contact_id_required' });
+    }
+
+    const body = req.body || {};
+    const updates = {};
+    if (body.name !== undefined) updates.name = sanitizeString(body.name, 120);
+    if (body.owner !== undefined) updates.owner = sanitizeString(body.owner, 120);
+    if (body.is_mine !== undefined) updates.is_mine = parseBoolean(body.is_mine);
+    if (body.isMine !== undefined) updates.is_mine = parseBoolean(body.isMine);
+    if (body.server_name !== undefined) updates.server_name = sanitizeString(body.server_name, 120);
+    if (body.serverName !== undefined) updates.server_name = sanitizeString(body.serverName, 120);
+    if (body.notes !== undefined) updates.notes = sanitizeString(body.notes, 800);
+    if (body.tags !== undefined) updates.tags = sanitizeStringArray(body.tags, 30, 40);
+    if (body.fields !== undefined) updates.fields = body.fields;
+    if (body.linked_token_id !== undefined) updates.linked_token_id = sanitizeString(body.linked_token_id, 80);
+    if (body.linkedTokenId !== undefined) updates.linked_token_id = sanitizeString(body.linkedTokenId, 80);
+
+    const result = context.tokenStore.updateContact(contactId, updates);
+    if (!result.success) {
+      return res.status(404).json({ success: false, error: result.error || 'contact_not_found' });
+    }
+
+    const stored = context.tokenStore.listContacts({ includeLinkedToken: false, includeSecrets: true })
+      .find(c => c.id === contactId);
+    return res.json({ success: true, contact: stored ? toDashboardContact(stored) : toDashboardContact(result.contact) });
+  });
+
+  router.delete('/contacts/:contactId', (req, res) => {
+    const contactId = sanitizeString(req.params.contactId, 120);
+    if (!contactId) {
+      return res.status(400).json({ success: false, error: 'contact_id_required' });
+    }
+
+    const result = context.tokenStore.removeContact(contactId);
+    if (!result.success) {
+      return res.status(404).json({ success: false, error: result.error || 'contact_not_found' });
+    }
+
+    return res.json({ success: true, contact: toDashboardContact(result.contact) });
+  });
+
+  router.post('/contacts/:contactId/call', async (req, res) => {
+    const contactId = sanitizeString(req.params.contactId, 120);
+    if (!contactId) {
+      return res.status(400).json({ success: false, error: 'contact_id_required' });
+    }
+
+    const body = req.body || {};
+    const message = sanitizeString(body.message || body.msg || '', 10000);
+    const timeoutSeconds = Math.max(5, Math.min(300, Number.parseInt(String(body.timeout_seconds || body.timeoutSeconds || '60'), 10) || 60));
+    if (!message) {
+      return res.status(400).json({ success: false, error: 'message_required', message: 'Message is required' });
+    }
+
+    const contact = context.tokenStore.getContact(contactId);
+    if (!contact) {
+      return res.status(404).json({ success: false, error: 'contact_not_found' });
+    }
+    if (!contact.host || !contact.token) {
+      return res.status(400).json({ success: false, error: 'contact_not_callable', message: 'This contact has no callable A2A endpoint stored.' });
+    }
+
+    const conversationId = ConversationStore.generateConversationId();
+    const client = new A2AClient({
+      caller: {
+        name: context.agentContext?.name || 'Dashboard',
+        owner: context.agentContext?.owner || 'Agent Owner',
+        instance: context.config.getAgent?.().hostname || null
+      }
+    });
+
+    // Track in local conversation DB (if enabled).
+    if (context.convStore) {
+      try {
+        context.convStore.startConversation({
+          id: conversationId,
+          contactId: contact.id,
+          contactName: contact.name || contact.host,
+          tokenId: null,
+          direction: 'outbound'
+        });
+        context.convStore.addMessage(conversationId, {
+          direction: 'outbound',
+          role: 'user',
+          content: message
+        });
+      } catch (err) {
+        // Best effort; call should still go through.
+      }
+    }
+
+    const url = `a2a://${contact.host}/${contact.token}`;
+    try {
+      const result = await client.call(url, message, { conversationId, timeoutSeconds });
+      context.tokenStore.updateContactStatus(contact.id, 'online');
+
+      if (context.convStore) {
+        try {
+          context.convStore.addMessage(conversationId, {
+            direction: 'inbound',
+            role: 'assistant',
+            content: String(result?.response || '')
+          });
+          // One-shot outbound dashboard calls should be considered concluded.
+          await context.convStore.concludeConversation(conversationId, {});
+        } catch (err) {
+          // ignore
+        }
+      }
+
+      return res.json({
+        success: true,
+        conversation_id: conversationId,
+        response: result?.response || '',
+        remote_trace_id: result?.trace_id || null,
+        remote_request_id: result?.request_id || null,
+        can_continue: result?.can_continue !== false
+      });
+    } catch (err) {
+      context.tokenStore.updateContactStatus(contact.id, 'offline', err.message);
+      return res.status(502).json({
+        success: false,
+        error: 'contact_call_failed',
+        message: err.message || 'Call failed'
+      });
+    }
+  });
+
   router.get('/contacts/:contactId/calls', (req, res) => {
     if (!context.convStore) {
       return res.json({ success: true, calls: [], message: 'Conversation storage not enabled' });
     }
 
     const contactId = req.params.contactId;
-    const contacts = context.tokenStore.listRemotes();
+    const contacts = context.tokenStore.listContacts({ includeLinkedToken: false, includeSecrets: false });
     const contactIndex = buildContactIndex(contacts);
     const contact = contactIndex.byId.get(contactId);
     if (!contact) {
@@ -446,7 +976,7 @@ function createDashboardApiRouter(options = {}) {
       includeMessages: false
     });
 
-    const contacts = context.tokenStore.listRemotes();
+    const contacts = context.tokenStore.listContacts({ includeLinkedToken: false, includeSecrets: false });
     const contactIndex = buildContactIndex(contacts);
     const enriched = calls.map(conv => ({
       ...conv,
@@ -473,7 +1003,7 @@ function createDashboardApiRouter(options = {}) {
       return res.status(404).json({ success: false, error: 'conversation_not_found' });
     }
 
-    const contacts = context.tokenStore.listRemotes();
+    const contacts = context.tokenStore.listContacts({ includeLinkedToken: false, includeSecrets: false });
     const contactIndex = buildContactIndex(contacts);
     const contact = resolveConversationContact({
       contact_name: contextData.contact
@@ -511,7 +1041,7 @@ function createDashboardApiRouter(options = {}) {
 
     res.json({
       success: true,
-      onboarding_complete: cfg.onboardingComplete === true,
+      onboarding_complete: context.config.isOnboarded(),
       defaults: cfg.defaults || {},
       agent: cfg.agent || {},
       tiers,
@@ -539,7 +1069,16 @@ function createDashboardApiRouter(options = {}) {
     if (body.topics !== undefined) update.topics = sanitizeStringArray(body.topics, 200, 160);
     if (body.goals !== undefined) update.goals = sanitizeStringArray(body.goals, 200, 160);
 
-    context.config.setTier(tierId, update);
+    try {
+      context.config.setTier(tierId, update);
+    } catch (err) {
+      return res.status(400).json({
+        success: false,
+        error: 'invalid_tier_config',
+        code: err.code || 'A2A_CONFIG_INVALID_TIER_CONFIG',
+        message: err.message
+      });
+    }
 
     if (body.manifest) {
       const manifest = loadManifest();
@@ -569,17 +1108,35 @@ function createDashboardApiRouter(options = {}) {
 
     const copyFrom = normalizeTierId(body.copy_from || '');
     if (copyFrom && cfg.tiers && cfg.tiers[copyFrom]) {
-      context.config.setTier(tierId, { ...cfg.tiers[copyFrom] });
+      try {
+        context.config.setTier(tierId, { ...cfg.tiers[copyFrom] });
+      } catch (err) {
+        return res.status(400).json({
+          success: false,
+          error: 'invalid_tier_config',
+          code: err.code || 'A2A_CONFIG_INVALID_TIER_CONFIG',
+          message: err.message
+        });
+      }
     } else {
-      context.config.setTier(tierId, {
-        name: sanitizeString(body.name || tierId, 120),
-        description: sanitizeString(body.description || 'Custom tier', 300),
-        capabilities: sanitizeStringArray(body.capabilities || []),
-        topics: sanitizeStringArray(body.topics || []),
-        goals: sanitizeStringArray(body.goals || []),
-        disclosure: sanitizeString(body.disclosure || 'minimal', 40),
-        examples: sanitizeStringArray(body.examples || [], 20, 120)
-      });
+      try {
+        context.config.setTier(tierId, {
+          name: sanitizeString(body.name || tierId, 120),
+          description: sanitizeString(body.description || 'Custom tier', 300),
+          capabilities: sanitizeStringArray(body.capabilities || []),
+          topics: sanitizeStringArray(body.topics || []),
+          goals: sanitizeStringArray(body.goals || []),
+          disclosure: sanitizeString(body.disclosure || 'minimal', 40),
+          examples: sanitizeStringArray(body.examples || [], 20, 120)
+        });
+      } catch (err) {
+        return res.status(400).json({
+          success: false,
+          error: 'invalid_tier_config',
+          code: err.code || 'A2A_CONFIG_INVALID_TIER_CONFIG',
+          message: err.message
+        });
+      }
     }
 
     return res.json({ success: true, tier_id: tierId });
@@ -597,7 +1154,16 @@ function createDashboardApiRouter(options = {}) {
       return res.status(404).json({ success: false, error: 'source_tier_not_found' });
     }
 
-    context.config.setTier(toTier, { ...cfg.tiers[fromTier] });
+    try {
+      context.config.setTier(toTier, { ...cfg.tiers[fromTier] });
+    } catch (err) {
+      return res.status(400).json({
+        success: false,
+        error: 'invalid_tier_config',
+        code: err.code || 'A2A_CONFIG_INVALID_TIER_CONFIG',
+        message: err.message
+      });
+    }
 
     const manifest = loadManifest();
     if (manifest.topics && manifest.topics[fromTier]) {
@@ -672,8 +1238,9 @@ function createDashboardApiRouter(options = {}) {
 
     const resolvedHost = await resolveInviteHost({
       config: context.config,
+      fallbackHost: req.headers.host || process.env.HOSTNAME || 'localhost',
       defaultPort: process.env.PORT || process.env.A2A_PORT || 3001,
-      preferQuickTunnel: true
+      refreshExternalIp: true
     });
     const host = resolvedHost.host;
     const inviteUrl = `a2a://${host}/${token}`;
@@ -716,6 +1283,7 @@ function createDashboardApiRouter(options = {}) {
 function createDashboardUiRouter(options = {}) {
   const router = express.Router();
   const context = buildContext(options);
+  const ensureDashboardAccess = makeEnsureDashboardAccess(context);
   router.use(ensureDashboardAccess);
 
   router.use((req, res, next) => {