a2acalling 0.6.68 → 0.6.70

package/.a2a-manifest.json

@@ -1,6 +1,6 @@
 {
-  "version": "0.6.68",
-  "installed_at": "2026-02-25T19:26:27.869Z",
+  "version": "0.6.70",
+  "installed_at": "2026-02-26T06:18:02.969Z",
   "files": [
     {
       "path": "CLAUDE.md",

package/CONVENTIONS.md

@@ -66,6 +66,7 @@ All modules use CommonJS (`require`/`module.exports`). Each lib file exports a f
 - Dark theme is the default; uses CSS custom properties for theming
 - Sidebar navigation with tab switching (Contacts, Calls, Invites, Logs, Settings, Permissions, Health)
 - Permissions tab uses tier cards with tool toggles and auto-save
+- Drag-and-drop uses event delegation on stable parent containers (`.perm-sidebar` for sidebar items, zone containers for drop targets) — do NOT bind listeners directly to innerHTML-generated elements (A2A-61)
 
 ## Network Resilience (A2A-54)
 
@@ -85,6 +86,22 @@ Dashboard API integration tests follow the pattern in `test/integration/dashboar
 - Call `loggerModule.closeAllLoggerStores()` in teardown to prevent SQLite handle leaks
 - Pass `convStore` directly via `options.convStore` when testing calls endpoints
 
+## Store Lifecycle (A2A-57)
+
+All SQLite store classes (`ConversationStore`, `DashboardEventStore`, `CallbookStore`, `LoggerStore`) implement a `close()` method following this pattern:
+```js
+close() {
+  if (this.db) {
+    try { this.db.close(); } catch (_) {}
+    this.db = null;
+  }
+}
+```
+- `close()` must be idempotent (safe to call multiple times)
+- `close()` must be a no-op when DB was never initialized (`this.db === null`)
+- The `server.js` `shutdown()` function closes all stores on SIGTERM/SIGINT
+- Test teardown should call `store.close()` to prevent SQLite handle leaks
+
 ## Permission Tiers
 
 Tokens have a tier (`public`, `friends`, `family`) and a disclosure level (`public`, `minimal`, `none`). These are enforced at the route level in `src/routes/a2a.js`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "a2acalling",
-  "version": "0.6.68",
+  "version": "0.6.70",
   "description": "Agent-to-agent calling for OpenClaw - A2A agent communication",
   "main": "src/index.js",
   "bin": {

package/src/dashboard/public/app.js

@@ -1307,7 +1307,6 @@ function renderPermissions() {
   renderTierWarnings(tier);
   renderSidebarPreview(state.activeTierId);
   renderSidebarLists(tier);
-  bindSidebarDrag();
 }
 
 // A2A-48: Renders the inline "Preview as Caller" card in the right sidebar.
@@ -1479,22 +1478,6 @@ function autoSaveTier() {
   }, 250);
 }
 
-// A2A-48: Binds dragstart/dragend on sidebar items (re-created each render).
-// Zone listeners (dragover/dragleave/drop) are bound ONCE in
-// bindPermissionsActions() to avoid listener accumulation — the zone
-// containers persist across renders while only their innerHTML changes.
-function bindSidebarDrag() {
-  document.querySelectorAll('.sidebar-item[draggable="true"]').forEach(item => {
-    item.addEventListener('dragstart', (e) => {
-      const itemType = item.dataset.itemType || 'topic';
-      const name = item.dataset.sidebarTopic || item.dataset.sidebarGoal || '';
-      const desc = item.dataset.description || '';
-      e.dataTransfer.setData('application/json', JSON.stringify({ name, description: desc, type: itemType }));
-      item.style.opacity = '0.5';
-    });
-    item.addEventListener('dragend', () => { item.style.opacity = ''; });
-  });
-}
 
 // A2A-50: Drop handler for active topic/goal zones. Routes items to the
 // CORRECT zone based on data.type (not the zone they were dropped on).
@@ -1537,9 +1520,6 @@ function handleZoneDrop(zone, e) {
     const freshTier = (state.settings?.tiers || []).find(t => t.id === state.activeTierId);
     if (freshTier) {
       renderSidebarLists(freshTier);
-      // A2A-51: Re-bind drag listeners after innerHTML replacement in renderSidebarLists().
-      // Without this, sidebar items lose dragstart/dragend handlers after the first drop.
-      bindSidebarDrag();
     }
   }, 300);
 }
@@ -1803,7 +1783,7 @@ function bindPermissionsActions() {
   // A2A-48: Drop zone listeners — bound ONCE here because the zone containers
   // (#active-topics-zone, #active-goals-zone) persist across renders. Only
   // their innerHTML is replaced by renderActiveTopics/renderActiveGoals.
-  // Binding in bindSidebarDrag() would cause listener accumulation.
+  // Binding per-element would cause listener accumulation.
   // A2A-51: Uses dragenter/dragleave counter to prevent flickering when
   // cursor moves over child elements (cards, placeholder) inside the zone.
   const topicZone = document.getElementById('active-topics-zone');
@@ -1817,6 +1797,27 @@ function bindPermissionsActions() {
     zone.addEventListener('drop', (e) => { dragCounter = 0; handleZoneDrop(zone, e); });
   });
 
+  // A2A-61: Delegated drag listeners on .perm-sidebar — survives innerHTML
+  // rewrites in renderSidebarLists(). Replaces bindSidebarDrag() which bound
+  // directly to elements destroyed on each render, causing the drag-drop
+  // regression in A2A-41/48/50/51.
+  const sidebar = document.querySelector('.perm-sidebar');
+  if (sidebar) {
+    sidebar.addEventListener('dragstart', (e) => {
+      const item = e.target.closest('.sidebar-item[draggable="true"]');
+      if (!item) return;
+      const itemType = item.dataset.itemType || 'topic';
+      const name = item.dataset.sidebarTopic || item.dataset.sidebarGoal || '';
+      const desc = item.dataset.description || '';
+      e.dataTransfer.setData('application/json', JSON.stringify({ name, description: desc, type: itemType }));
+      item.style.opacity = '0.5';
+    });
+    sidebar.addEventListener('dragend', (e) => {
+      const item = e.target.closest('.sidebar-item[draggable="true"]');
+      if (item) item.style.opacity = '';
+    });
+  }
+
   // A2A-48: Tool toggle change — auto-save and update card styling
   panel.addEventListener('change', (e) => {
     const toggle = e.target.closest('#tool-toggles .toggle-switch input');

package/src/routes/a2a.js

@@ -57,6 +57,10 @@ function getCallMonitor(options = {}) {
 // For production: use Redis or persistent store
 const rateLimits = new Map();
 
+// Rate limit eviction constants
+const RATE_LIMIT_MAX_ENTRIES = 1000;
+const RATE_LIMIT_STALE_MS = 24 * 60 * 60 * 1000; // 24 hours
+
 // Constants
 const MAX_MESSAGE_LENGTH = 10000;  // 10KB max message
 const MAX_TIMEOUT_SECONDS = 300;   // 5 min max timeout
@@ -104,6 +108,20 @@ function normalizeRequestMetadata(req) {
   };
 }
 
+/**
+ * Timing-safe comparison of two token strings.
+ * Returns true if tokens match, false otherwise.
+ * Short-circuits (non-timing-safe) only when a value is missing or empty,
+ * which is acceptable since the absence of a token is not secret.
+ */
+function timingSafeTokenEqual(a, b) {
+  if (!a || !b) return false;
+  const bufA = Buffer.from(String(a));
+  const bufB = Buffer.from(String(b));
+  if (bufA.length !== bufB.length) return false;
+  return crypto.timingSafeEqual(bufA, bufB);
+}
+
 function checkRateLimit(tokenId, limits = { minute: 10, hour: 100, day: 1000 }) {
   const now = Date.now();
   const minute = Math.floor(now / 60000);
@@ -141,6 +159,34 @@ function checkRateLimit(tokenId, limits = { minute: 10, hour: 100, day: 1000 })
   state.hour.count++;
   state.day.count++;
 
+  // Evict stale entries when the Map exceeds the size threshold
+  if (rateLimits.size > RATE_LIMIT_MAX_ENTRIES) {
+    const staleThreshold = now - RATE_LIMIT_STALE_MS;
+    let evicted = 0;
+    for (const [key, entry] of rateLimits) {
+      // An entry is stale if all three bucket timestamps are older than 24h
+      const latestBucket = Math.max(
+        entry.minute.bucket * 60000,
+        entry.hour.bucket * 3600000,
+        entry.day.bucket * 86400000
+      );
+      if (latestBucket < staleThreshold) {
+        rateLimits.delete(key);
+        evicted++;
+      }
+    }
+    // If no stale entries found, evict the oldest (first-inserted) entries
+    if (evicted === 0) {
+      const excess = rateLimits.size - RATE_LIMIT_MAX_ENTRIES;
+      let removed = 0;
+      for (const key of rateLimits.keys()) {
+        if (removed >= excess) break;
+        rateLimits.delete(key);
+        removed++;
+      }
+    }
+  }
+
   return { limited: false };
 }
 
@@ -758,7 +804,7 @@ function createRoutes(options = {}) {
           message: 'Set A2A_ADMIN_TOKEN to access conversation admin routes from non-local addresses'
         });
       }
-      if (adminToken !== expected) {
+      if (!timingSafeTokenEqual(adminToken, expected)) {
         return res.status(401).json({ error: 'unauthorized' });
       }
     }
@@ -773,7 +819,7 @@ function createRoutes(options = {}) {
     const conversations = convStore.listConversations({
       contactId: contact_id,
       status,
-      limit: parseInt(limit),
+      limit: Math.min(100, Math.max(1, Number.parseInt(String(limit), 10) || 20)),
       includeMessages: false
     });
 
@@ -794,7 +840,7 @@ function createRoutes(options = {}) {
           message: 'Set A2A_ADMIN_TOKEN to access conversation admin routes from non-local addresses'
         });
       }
-      if (adminToken !== expected) {
+      if (!timingSafeTokenEqual(adminToken, expected)) {
         return res.status(401).json({ error: 'unauthorized' });
       }
     }
@@ -806,8 +852,8 @@ function createRoutes(options = {}) {
 
     const { recent_messages = 10 } = req.query;
     const context = convStore.getConversationContext(
-      req.params.id, 
-      parseInt(recent_messages)
+      req.params.id,
+      Math.min(50, Math.max(1, Number.parseInt(String(recent_messages), 10) || 10))
     );
 
     if (!context) {
@@ -830,4 +876,11 @@ async function defaultMessageHandler(message, context, options) {
   };
 }
 
-module.exports = { createRoutes, checkRateLimit };
+module.exports = {
+  createRoutes,
+  checkRateLimit,
+  timingSafeTokenEqual,
+  // Exposed for testing only
+  _rateLimits: rateLimits,
+  _RATE_LIMIT_MAX_ENTRIES: RATE_LIMIT_MAX_ENTRIES
+};

package/src/server.js

@@ -27,6 +27,7 @@ const { buildUnifiedSummaryPrompt } = require('./lib/summary-prompt');
 const { A2AConfig } = require('./lib/config');
 const { UpdateManager } = require('./lib/update-manager');
 const { DashboardEventStore } = require('./lib/dashboard-events');
+const { CallbookStore } = require('./lib/callbook');
 const { spawn } = require('child_process');
 const { resolveTurnTimeoutMs } = require('./lib/turn-timeout');
 
@@ -69,6 +70,8 @@ const agentContext = loadAgentContext();
 const tokenStore = new TokenStore();
 const config = new A2AConfig();
 const eventStore = new DashboardEventStore(tokenStore.configDir);
+// A2A-59: Hoist CallbookStore to server.js so shutdown() can close it
+const callbookStore = new CallbookStore(tokenStore.configDir);
 const runtime = createRuntimeAdapter({
   workspaceDir,
   agentContext,
@@ -878,6 +881,7 @@ app.use('/api/a2a/dashboard', createDashboardApiRouter({
   agentContext,
   config,
   eventStore,
+  callbookStore,
   getUpdateManager: () => updateManager,
   logger: logger.child({ component: 'a2a.dashboard' })
 }));
@@ -1081,6 +1085,8 @@ async function startServer() {
       try { serverConvStore.close(); } catch (_) {}
     }
     try { eventStore.close(); } catch (_) {}
+    // A2A-59: Close CallbookStore to flush WAL on shutdown
+    try { callbookStore.close(); } catch (_) {}
     try { closeAllLoggerStores(); } catch (_) {}
     server.close(() => process.exit(0));
     // Force exit after 5s if connections won't close