a2acalling 0.6.64 → 0.6.66

package/src/dashboard/public/index.html

@@ -45,6 +45,11 @@
         <span class="material-symbols-outlined nav-icon" style="color:#EF4444;">monitor_heart</span>
         <span class="nav-label">Health</span>
       </a>
+      <!-- A2A-50: Settings nav item for relocated admin settings -->
+      <a data-panel="settings" class="nav-item">
+        <span class="material-symbols-outlined nav-icon" style="color:#6B7280;">settings</span>
+        <span class="nav-label">Settings</span>
+      </a>
     </nav>
   </aside>
 
@@ -125,6 +130,7 @@
                     <span class="status-dot status-dot--teal"></span>
                     Active Topics
                     <span id="topic-count" class="count-badge count-badge--teal">0</span>
+                    <button class="col-header-add-btn" data-add-type="topic" title="Add topic"><span class="material-symbols-outlined" style="font-size:16px;">add</span></button>
                   </div>
                   <div id="active-topics-zone" class="perm-drop-zone"></div>
                 </div>
@@ -133,6 +139,7 @@
                     <span class="status-dot status-dot--yellow"></span>
                     Active Goals
                     <span id="goal-count" class="count-badge count-badge--yellow">0</span>
+                    <button class="col-header-add-btn" data-add-type="goal" title="Add goal"><span class="material-symbols-outlined" style="font-size:16px;">add</span></button>
                   </div>
                   <div id="active-goals-zone" class="perm-drop-zone"></div>
                 </div>
@@ -147,77 +154,6 @@
 
             <!-- Tier Warnings -->
             <div id="tier-warnings" class="tier-warnings"></div>
-
-            <!-- Settings & Administration (collapsed) -->
-            <sl-details summary="Settings &amp; Administration">
-              <h3>Defaults</h3>
-              <form id="defaults-form">
-                <sl-input id="defaults-expiration" label="Expiration" placeholder="7d"></sl-input>
-                <sl-input id="defaults-max-calls" label="Max Calls" type="number" min="1"></sl-input>
-                <div class="row">
-                  <sl-button type="submit" variant="primary">Save Defaults</sl-button>
-                </div>
-              </form>
-
-              <h3>New Tier</h3>
-              <form id="new-tier-form">
-                <sl-input id="new-tier-id" label="Tier ID" placeholder="partners"></sl-input>
-                <sl-input id="new-tier-name" label="Name" placeholder="Partners"></sl-input>
-                <label>Copy from
-                  <sl-select id="new-tier-copy-from" size="small">
-                    <sl-option value="">None</sl-option>
-                  </sl-select>
-                </label>
-                <div class="row">
-                  <sl-button type="submit" variant="primary">Create Tier</sl-button>
-                </div>
-              </form>
-
-              <h3>Remote Callbook</h3>
-              <sl-card id="callbook-status"></sl-card>
-
-              <h3>Auto Update</h3>
-              <sl-card id="auto-update-status">Loading...</sl-card>
-              <div class="row">
-                <sl-button id="auto-update-check" size="small">Check now</sl-button>
-                <sl-button id="auto-update-now" size="small">Update now</sl-button>
-                <sl-button id="auto-update-toggle" size="small">Disable auto-update</sl-button>
-              </div>
-
-              <sl-card>
-                <form id="callbook-provision-form">
-                  <div class="row">
-                    <sl-button type="submit" variant="primary" size="small">Create Install Link (24h)</sl-button>
-                    <sl-button id="callbook-logout" size="small" variant="default">Logout This Browser</sl-button>
-                  </div>
-                  <sl-input id="callbook-label" label="Device label" value="Callbook Remote"></sl-input>
-                  <sl-textarea id="callbook-install-url" label="Install URL" rows="3" readonly></sl-textarea>
-                  <div class="row">
-                    <sl-button id="callbook-copy-url" size="small">Copy Link</sl-button>
-                  </div>
-                  <div id="callbook-warnings" class="mono"></div>
-                </form>
-              </sl-card>
-
-              <sl-card>
-                <div class="row">
-                  <strong>Paired Devices</strong>
-                </div>
-                <table id="callbook-devices-table">
-                  <thead>
-                    <tr>
-                      <th>Label</th>
-                      <th>Created</th>
-                      <th>Last Used</th>
-                      <th>Sessions</th>
-                      <th>Revoked</th>
-                      <th>Action</th>
-                    </tr>
-                  </thead>
-                  <tbody></tbody>
-                </table>
-              </sl-card>
-            </sl-details>
           </div>
 
           <!-- Right sidebar: preview + topic/goal lists -->
@@ -243,6 +179,30 @@
           <div id="preview-content"></div>
           <sl-button slot="footer" variant="primary" id="preview-close-btn">Close</sl-button>
         </sl-dialog>
+
+        <!-- A2A-50: Delete confirmation dialog for topics/goals -->
+        <sl-dialog id="delete-confirm-dialog" label="Confirm Removal" style="--width: 400px;">
+          <p id="delete-confirm-message">Remove this item from the tier?</p>
+          <div slot="footer" class="row">
+            <sl-button id="delete-confirm-no" variant="default">Cancel</sl-button>
+            <sl-button id="delete-confirm-yes" variant="danger">Remove</sl-button>
+          </div>
+        </sl-dialog>
+
+        <!-- A2A-50: New Tier dialog (glass-styled modal replacing inline form scroll) -->
+        <sl-dialog id="new-tier-dialog" label="Create New Tier" style="--width: 440px;">
+          <sl-input id="new-tier-dialog-id" label="Tier ID" placeholder="partners" required></sl-input>
+          <sl-input id="new-tier-dialog-name" label="Name" placeholder="Partners"></sl-input>
+          <label>Copy from
+            <sl-select id="new-tier-dialog-copy-from" size="small">
+              <sl-option value="">None</sl-option>
+            </sl-select>
+          </label>
+          <div slot="footer" class="row">
+            <sl-button id="new-tier-dialog-cancel" variant="default">Cancel</sl-button>
+            <sl-button id="new-tier-dialog-submit" variant="primary">Create Tier</sl-button>
+          </div>
+        </sl-dialog>
       </div>
 
       <div id="panel-invites" class="panel">
@@ -345,6 +305,77 @@
           <tbody></tbody>
         </table>
       </div>
+
+      <!-- A2A-50: Settings panel — relocated from sl-details in panel-permissions -->
+      <div id="panel-settings" class="panel">
+        <h3>Defaults</h3>
+        <form id="defaults-form">
+          <sl-input id="defaults-expiration" label="Expiration" placeholder="7d"></sl-input>
+          <sl-input id="defaults-max-calls" label="Max Calls" type="number" min="1"></sl-input>
+          <div class="row">
+            <sl-button type="submit" variant="primary">Save Defaults</sl-button>
+          </div>
+        </form>
+
+        <h3>New Tier</h3>
+        <form id="new-tier-form">
+          <sl-input id="new-tier-id" label="Tier ID" placeholder="partners"></sl-input>
+          <sl-input id="new-tier-name" label="Name" placeholder="Partners"></sl-input>
+          <label>Copy from
+            <sl-select id="new-tier-copy-from" size="small">
+              <sl-option value="">None</sl-option>
+            </sl-select>
+          </label>
+          <div class="row">
+            <sl-button type="submit" variant="primary">Create Tier</sl-button>
+          </div>
+        </form>
+
+        <h3>Remote Callbook</h3>
+        <sl-card id="callbook-status"></sl-card>
+
+        <h3>Auto Update</h3>
+        <sl-card id="auto-update-status">Loading...</sl-card>
+        <div class="row">
+          <sl-button id="auto-update-check" size="small">Check now</sl-button>
+          <sl-button id="auto-update-now" size="small">Update now</sl-button>
+          <sl-button id="auto-update-toggle" size="small">Disable auto-update</sl-button>
+        </div>
+
+        <sl-card>
+          <form id="callbook-provision-form">
+            <div class="row">
+              <sl-button type="submit" variant="primary" size="small">Create Install Link (24h)</sl-button>
+              <sl-button id="callbook-logout" size="small" variant="default">Logout This Browser</sl-button>
+            </div>
+            <sl-input id="callbook-label" label="Device label" value="Callbook Remote"></sl-input>
+            <sl-textarea id="callbook-install-url" label="Install URL" rows="3" readonly></sl-textarea>
+            <div class="row">
+              <sl-button id="callbook-copy-url" size="small">Copy Link</sl-button>
+            </div>
+            <div id="callbook-warnings" class="mono"></div>
+          </form>
+        </sl-card>
+
+        <sl-card>
+          <div class="row">
+            <strong>Paired Devices</strong>
+          </div>
+          <table id="callbook-devices-table">
+            <thead>
+              <tr>
+                <th>Label</th>
+                <th>Created</th>
+                <th>Last Used</th>
+                <th>Sessions</th>
+                <th>Revoked</th>
+                <th>Action</th>
+              </tr>
+            </thead>
+            <tbody></tbody>
+          </table>
+        </sl-card>
+      </div>
     </div>
   </main>
 

package/src/dashboard/public/style.css

@@ -697,6 +697,25 @@ table tbody tr:hover td {
   padding: 0 0.25rem;
 }
 
+/* A2A-51: "+" button in column headers for adding topics/goals without sidebar */
+.col-header-add-btn {
+  margin-left: auto;
+  background: none;
+  border: 1px solid rgba(255,255,255,0.12);
+  border-radius: 4px;
+  color: var(--ink-muted);
+  cursor: pointer;
+  padding: 1px 4px;
+  display: flex;
+  align-items: center;
+  transition: color 0.15s ease, border-color 0.15s ease;
+}
+
+.col-header-add-btn:hover {
+  color: var(--ink);
+  border-color: rgba(255,255,255,0.3);
+}
+
 .config-col-header--teal {
   color: #2DD4BF;
 }
@@ -1194,6 +1213,20 @@ sl-details::part(base) {
   color: var(--ink);
 }
 
+/* A2A-50: Glass styling for sl-dialog panels in the Permissions tab.
+   Uses ::part(panel) to style the shadow DOM of Shoelace dialogs while
+   preserving accessibility features (focus trap, ESC, ARIA). The codebase
+   already uses ::part(base) on sl-card (line 205) and sl-details (line 1152). */
+#create-item-dialog::part(panel),
+#preview-dialog::part(panel),
+#delete-confirm-dialog::part(panel),
+#new-tier-dialog::part(panel) {
+  background: rgba(30, 41, 59, 0.85);
+  backdrop-filter: blur(16px);
+  border: 1px solid rgba(255, 255, 255, 0.1);
+  border-radius: 16px;
+}
+
 /* ── A2A-48: Hide permissions sidebar below 1280px ─────────── */
 @media (max-width: 1280px) {
   .perm-sidebar {

package/src/lib/client.js

@@ -4,6 +4,7 @@
 
 const https = require('https');
 const http = require('http');
+const { signRequest } = require('./crypto');
 
 function splitHostPort(rawHost) {
   const host = String(rawHost || '').trim();
@@ -54,6 +55,24 @@ class A2AClient {
   constructor(options = {}) {
     this.timeout = options.timeout || 60000;
     this.caller = options.caller || {};
+    // A2A-52: Ed25519 identity keys for request signing
+    this.privateKey = options.privateKey || null;
+    this.publicKey = options.publicKey || null;
+  }
+
+  /**
+   * A2A-52: Build signature headers if keypair is available.
+   * Shared helper used by both call() and end().
+   */
+  _signHeaders(method, endpoint, body) {
+    if (!this.privateKey || !this.publicKey) return {};
+    return signRequest({
+      privateKey: this.privateKey,
+      publicKey: this.publicKey,
+      method,
+      endpoint,
+      body
+    });
   }
 
   /**
@@ -95,6 +114,8 @@ class A2AClient {
     });
 
     const { protocol, hostname, port } = resolveProtocolAndPort(host);
+    // A2A-52: attach signature headers when keypair available
+    const sigHeaders = this._signHeaders('POST', '/api/a2a/invoke', body);
 
     return new Promise((resolve, reject) => {
       const req = protocol.request({
@@ -105,7 +126,8 @@ class A2AClient {
         headers: {
           'Authorization': `Bearer ${token}`,
           'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(body)
+          'Content-Length': Buffer.byteLength(body),
+          ...sigHeaders
         },
         timeout: this.timeout
       }, (res) => {
@@ -141,7 +163,7 @@ class A2AClient {
 
   /**
    * Explicitly end a remote conversation and trigger call conclusion
-   * 
+   *
    * @param {string|object} endpoint - a2a:// URL or {host, token}
    * @param {string} conversationId - Conversation ID to conclude
    * @returns {Promise<object>} End response from remote agent
@@ -152,7 +174,7 @@ class A2AClient {
     }
 
     let host, token;
-    
+
     if (typeof endpoint === 'string') {
       ({ host, token } = A2AClient.parseInvite(endpoint));
     } else {
@@ -164,6 +186,8 @@ class A2AClient {
     });
 
     const { protocol, hostname, port } = resolveProtocolAndPort(host);
+    // A2A-52: attach signature headers when keypair available
+    const sigHeaders = this._signHeaders('POST', '/api/a2a/end', body);
 
     return new Promise((resolve, reject) => {
       const req = protocol.request({
@@ -174,7 +198,8 @@ class A2AClient {
         headers: {
           'Authorization': `Bearer ${token}`,
           'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(body)
+          'Content-Length': Buffer.byteLength(body),
+          ...sigHeaders
         },
         timeout: this.timeout
       }, (res) => {

package/src/lib/config.js

@@ -230,10 +230,13 @@ const DEFAULT_CONFIG = {
   },
   
   // Agent info
+  // A2A-52: private_key/public_key store Ed25519 identity (base64 DER)
   agent: {
     name: '',
     description: '',
-    hostname: ''
+    hostname: '',
+    private_key: null,
+    public_key: null
   },
 
   // Auto-updater
@@ -386,6 +389,21 @@ class A2AConfig {
     this._save();
   }
 
+  // A2A-52: Get Ed25519 keypair from agent config (null if not generated)
+  getKeypair() {
+    const agent = this.config.agent || {};
+    if (!agent.private_key || !agent.public_key) return null;
+    return { privateKey: agent.private_key, publicKey: agent.public_key };
+  }
+
+  // A2A-52: Store Ed25519 keypair in agent config (already 0o600 via _save)
+  setKeypair(privateKey, publicKey) {
+    this.config.agent = this.config.agent || {};
+    this.config.agent.private_key = privateKey;
+    this.config.agent.public_key = publicKey;
+    this._save();
+  }
+
   // Get full config
   getAll() {
     return this.config;
@@ -424,12 +442,13 @@ class A2AConfig {
     return next;
   }
 
-  // Export for sharing
+  // Export for sharing (strips private_key to prevent leakage — A2A-52)
   export() {
+    const { private_key, ...agentPublic } = this.config.agent || {};
     return {
       tiers: this.config.tiers,
       defaults: this.config.defaults,
-      agent: this.config.agent
+      agent: agentPublic
     };
   }
 }

package/src/lib/conversation-driver.js

@@ -147,7 +147,13 @@ class ConversationDriver {
     const clientTimeout = this.claudeMode
       ? Math.max(this.claudeTimeoutMs + 20000, 200000)
       : 65000;
-    this.client = new A2AClient({ caller: this.caller, timeout: clientTimeout });
+    // A2A-52: pass Ed25519 keypair for request signing
+    this.client = new A2AClient({
+      caller: this.caller,
+      timeout: clientTimeout,
+      privateKey: options.privateKey || null,
+      publicKey: options.publicKey || null
+    });
   }
 
   /**

package/src/lib/crypto.js

@@ -0,0 +1,113 @@
+/**
+ * A2A Ed25519 Cryptographic Identity
+ *
+ * Provides keypair generation, request signing, signature verification,
+ * and public key fingerprinting for agent-to-agent identity verification.
+ *
+ * A2A-52: Zero new dependencies — uses Node.js built-in crypto (Ed25519 since v15).
+ */
+
+const crypto = require('crypto');
+
+// A2A-52: 5-minute window for replay protection
+const TIMESTAMP_WINDOW_MS = 5 * 60 * 1000;
+
+/**
+ * Generate an Ed25519 keypair.
+ * Returns { privateKey, publicKey } as base64-encoded DER buffers.
+ */
+function generateKeypair() {
+  const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519', {
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+    publicKeyEncoding: { type: 'spki', format: 'der' }
+  });
+  return {
+    privateKey: privateKey.toString('base64'),
+    publicKey: publicKey.toString('base64')
+  };
+}
+
+/**
+ * Compute a SHA-256 fingerprint of a base64-encoded public key.
+ * Returns colon-separated hex string (like SSH fingerprints).
+ */
+function fingerprint(publicKeyBase64) {
+  const hash = crypto.createHash('sha256')
+    .update(Buffer.from(publicKeyBase64, 'base64'))
+    .digest('hex');
+  // A2A-52: colon-separated pairs for readability (SSH-style)
+  return hash.match(/.{2}/g).join(':');
+}
+
+/**
+ * Sign an outbound request.
+ *
+ * Signing payload: `${timestamp}:${method}:${endpoint}:${bodyHash}`
+ * where bodyHash = SHA-256 of the request body string.
+ *
+ * @param {object} params
+ * @param {string} params.privateKey - base64-encoded DER private key
+ * @param {string} params.publicKey  - base64-encoded DER public key
+ * @param {string} params.method     - HTTP method (e.g. 'POST')
+ * @param {string} params.endpoint   - Request path (e.g. '/api/a2a/invoke')
+ * @param {string} params.body       - Serialized request body
+ * @returns {object} Headers to attach: { 'X-A2A-Signature', 'X-A2A-Public-Key', 'X-A2A-Timestamp' }
+ */
+function signRequest({ privateKey, publicKey, method, endpoint, body }) {
+  const timestamp = new Date().toISOString();
+  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
+  const payload = `${timestamp}:${method}:${endpoint}:${bodyHash}`;
+
+  const keyObject = crypto.createPrivateKey({
+    key: Buffer.from(privateKey, 'base64'),
+    format: 'der',
+    type: 'pkcs8'
+  });
+
+  const signature = crypto.sign(null, Buffer.from(payload), keyObject);
+
+  return {
+    'X-A2A-Signature': signature.toString('base64'),
+    'X-A2A-Public-Key': publicKey,
+    'X-A2A-Timestamp': timestamp
+  };
+}
+
+/**
+ * Verify an inbound request signature.
+ *
+ * @param {object} params
+ * @param {string} params.signature   - base64-encoded Ed25519 signature
+ * @param {string} params.publicKey   - base64-encoded DER public key
+ * @param {string} params.timestamp   - ISO 8601 timestamp from header
+ * @param {string} params.method      - HTTP method
+ * @param {string} params.endpoint    - Request path
+ * @param {string} params.body        - Raw request body string
+ * @returns {boolean} true if signature is valid
+ */
+function verifySignature({ signature, publicKey, timestamp, method, endpoint, body }) {
+  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
+  const payload = `${timestamp}:${method}:${endpoint}:${bodyHash}`;
+
+  const keyObject = crypto.createPublicKey({
+    key: Buffer.from(publicKey, 'base64'),
+    format: 'der',
+    type: 'spki'
+  });
+
+  return crypto.verify(null, Buffer.from(payload), keyObject, Buffer.from(signature, 'base64'));
+}
+
+/**
+ * Check if a timestamp is within the allowed window (replay protection).
+ * @param {string} timestamp - ISO 8601 timestamp
+ * @returns {boolean} true if within +-5 minutes of now
+ */
+function isTimestampValid(timestamp) {
+  const ts = new Date(timestamp).getTime();
+  if (Number.isNaN(ts)) return false;
+  const diff = Math.abs(Date.now() - ts);
+  return diff <= TIMESTAMP_WINDOW_MS;
+}
+
+module.exports = { generateKeypair, fingerprint, signRequest, verifySignature, isTimestampValid };

package/src/lib/tokens.js

@@ -448,6 +448,7 @@ class TokenStore {
       tags: Array.isArray(options.tags) ? options.tags : [],
       fields: sanitizeCustomFields(options.fields || options.custom_fields || options.customFields),
       linked_token_id: options.linkedTokenId || options.linked_token_id || null,  // Token you gave them
+      public_key: options.public_key || options.publicKey || null,  // A2A-52: Ed25519 public key (base64 DER)
       status: 'unknown',
       last_seen: null,
       added_at: new Date().toISOString(),
@@ -597,7 +598,8 @@ class TokenStore {
 	    }
 
 	    // Only allow updating specific fields
-	    const allowed = ['name', 'owner', 'is_mine', 'notes', 'tags', 'linked_token_id', 'server_name', 'fields'];
+	    // A2A-52: 'public_key' added for Ed25519 identity verification (TOFU pinning)
+	    const allowed = ['name', 'owner', 'is_mine', 'notes', 'tags', 'linked_token_id', 'server_name', 'fields', 'public_key'];
 	    for (const key of allowed) {
 	      if (updates[key] !== undefined) {
 	        if (key === 'fields') {
@@ -764,6 +766,7 @@ class TokenStore {
       tags: ['inbound'],
       fields: {},
       linked_token_id: tokenId || null,
+      public_key: null,  // A2A-52: populated via TOFU on first verified call
       status: 'unknown',
       last_seen: null,
       added_at: new Date().toISOString(),