anorion 0.1.0 → 0.2.1

package/bin/anorion.js

@@ -7108,7 +7108,7 @@ function getVersion() {
   try {
     const pkgPath = resolve(dirname(import.meta.url.replace("file://", "")), "../../package.json");
     const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
-    return pkg.version || "0.1.0";
+    return pkg.version || "0.2.0";
   } catch {
     return "0.1.0";
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "anorion",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "description": "The open-source agent gateway — connect any LLM to any channel",
   "keywords": [
     "ai",

package/src/agents/handoff.ts

@@ -0,0 +1,197 @@
+// Agent Handoff Protocol
+// Agents declare handoffs in their config. The runtime auto-creates handoff_to_<agent> tools.
+// When the LLM calls a handoff tool, conversation transfers to the target agent.
+
+import type { Message, ToolDefinition, ToolContext, ToolResult } from '../shared/types';
+import { toolRegistry } from '../tools/registry';
+import { agentRegistry } from './registry';
+import { sendMessage } from './runtime';
+import { sessionManager } from './session';
+import { logger } from '../shared/logger';
+import { eventBus } from '../shared/events';
+
+export interface AgentHandoff {
+  /** Target agent ID or name */
+  targetAgentId: string;
+  /** Description of when to hand off (LLM uses this to decide) */
+  description: string;
+  /** Filter which messages carry over to the target agent */
+  filterMessages?: (messages: Message[]) => Message[];
+  /** Callback when handoff occurs */
+  onHandoff?: (from: string, to: string, context: HandoffContext) => Promise<void>;
+}
+
+export interface HandoffContext {
+  fromAgentId: string;
+  toAgentId: string;
+  sessionId: string;
+  messages: Message[];
+  reason?: string;
+}
+
+// Track registered handoff tools so we can clean up
+const registeredHandoffTools = new Map<string, string>(); // toolName -> sourceAgentId
+
+/**
+ * Register handoff tools for an agent based on its declared handoffs.
+ */
+export function registerHandoffTools(
+  agentId: string,
+  handoffs: AgentHandoff[],
+): void {
+  for (const handoff of handoffs) {
+    const toolName = `handoff_to_${handoff.targetAgentId.replace(/[^a-zA-Z0-9_-]/g, '_')}`;
+
+    // Skip if already registered (e.g., multiple agents hand off to same target)
+    if (toolRegistry.get(toolName)) continue;
+
+    const toolDef: ToolDefinition = {
+      name: toolName,
+      description: `Transfer the conversation to the ${handoff.targetAgentId} agent. Use this when: ${handoff.description}`,
+      parameters: {
+        type: 'object',
+        properties: {
+          reason: {
+            type: 'string',
+            description: 'Brief reason for the handoff',
+          },
+          message: {
+            type: 'string',
+            description: 'Optional message to pass to the target agent',
+          },
+        },
+        required: [],
+      },
+      execute: async (
+        params: Record<string, unknown>,
+        ctx: ToolContext,
+      ): Promise<ToolResult> => {
+        return executeHandoff(handoff, params, ctx);
+      },
+    };
+
+    toolRegistry.register(toolDef);
+    registeredHandoffTools.set(toolName, agentId);
+
+    logger.info({ agentId, targetAgent: handoff.targetAgentId, toolName }, 'Handoff tool registered');
+  }
+
+  // Bind handoff tool names to the agent
+  const existingTools = toolRegistry.getToolNamesForAgent(agentId);
+  const handoffToolNames = handoffs.map((h) =>
+    `handoff_to_${h.targetAgentId.replace(/[^a-zA-Z0-9_-]/g, '_')}`,
+  );
+  toolRegistry.bindTools(agentId, [...existingTools, ...handoffToolNames]);
+}
+
+/**
+ * Execute a handoff: transfer conversation to target agent.
+ */
+async function executeHandoff(
+  handoff: AgentHandoff,
+  params: Record<string, unknown>,
+  ctx: ToolContext,
+): Promise<ToolResult> {
+  const targetAgent = agentRegistry.get(handoff.targetAgentId) ||
+    agentRegistry.getByName(handoff.targetAgentId);
+
+  if (!targetAgent) {
+    return {
+      content: '',
+      error: `Handoff target agent not found: ${handoff.targetAgentId}`,
+    };
+  }
+
+  const reason = String(params.reason || '');
+  const message = String(params.message || '');
+
+  try {
+    // Get conversation history
+    const messages = await sessionManager.getMessages(ctx.sessionId, 50);
+
+    // Apply message filter if provided
+    const filteredMessages = handoff.filterMessages
+      ? handoff.filterMessages(messages)
+      : messages;
+
+    // Build context for target agent
+    const contextSummary = filteredMessages.length > 0
+      ? `[Previous conversation context]\n${filteredMessages
+          .map((m) => `${m.role}: ${m.content.slice(0, 200)}`)
+          .join('\n')}\n\n`
+      : '';
+
+    const handoffPrompt = reason
+      ? `${contextSummary}[Handoff from ${ctx.agentId}] Reason: ${reason}${message ? '\nMessage: ' + message : ''}`
+      : `${contextSummary}[Handoff from ${ctx.agentId}]${message ? '\n' + message : ''}`;
+
+    // Fire handoff event
+    const handoffCtx: HandoffContext = {
+      fromAgentId: ctx.agentId,
+      toAgentId: targetAgent.id,
+      sessionId: ctx.sessionId,
+      messages: filteredMessages,
+      reason,
+    };
+
+    eventBus.emit('agent:handoff', {
+      from: ctx.agentId,
+      to: targetAgent.id,
+      sessionId: ctx.sessionId,
+      reason,
+      timestamp: Date.now(),
+    });
+
+    // Call onHandoff callback
+    if (handoff.onHandoff) {
+      await handoff.onHandoff(ctx.agentId, targetAgent.id, handoffCtx);
+    }
+
+    // Send message to target agent in same session
+    const result = await sendMessage({
+      agentId: targetAgent.id,
+      sessionId: ctx.sessionId,
+      text: handoffPrompt,
+    });
+
+    return {
+      content: result.content,
+      metadata: {
+        handoff: true,
+        fromAgent: ctx.agentId,
+        toAgent: targetAgent.id,
+      },
+    };
+  } catch (err) {
+    logger.error(
+      { from: ctx.agentId, to: targetAgent.id, error: (err as Error).message },
+      'Handoff failed',
+    );
+    return {
+      content: '',
+      error: `Handoff failed: ${(err as Error).message}`,
+    };
+  }
+}
+
+/**
+ * Get handoff tool names for a given set of handoffs.
+ */
+export function getHandoffToolNames(handoffs: AgentHandoff[]): string[] {
+  return handoffs.map((h) =>
+    `handoff_to_${h.targetAgentId.replace(/[^a-zA-Z0-9_-]/g, '_')}`,
+  );
+}
+
+/**
+ * Unregister handoff tools for an agent.
+ */
+export function unregisterHandoffTools(agentId: string): void {
+  for (const [toolName, sourceId] of registeredHandoffTools) {
+    if (sourceId === agentId) {
+      registeredHandoffTools.delete(toolName);
+      // Note: we don't unregister from toolRegistry as it doesn't support it
+      // This is fine for now since tool names are deterministic
+    }
+  }
+}

package/src/agents/registry.ts

@@ -41,6 +41,7 @@ class AgentRegistry {
           timeoutMs: parsed.timeoutMs || 120000,
           tags: parsed.tags,
           metadata: parsed.metadata,
+          handoffs: parsed.handoffs,
         });
       } catch (err) {
         logger.error({ file, error: (err as Error).message }, 'Failed to load agent YAML');

package/src/agents/runtime.ts

@@ -23,6 +23,8 @@ import { memoryManager } from '../memory/store';
 import { eventBus } from '../shared/events';
 import { resolveModel } from '../llm/providers';
 import { jsonSchema } from '@ai-sdk/provider-utils';
+import { registerHandoffTools, getHandoffToolNames } from './handoff';
+import type { AgentHandoffConfig } from '../shared/types';
 
 // ── Interfaces ──
 
@@ -179,6 +181,14 @@ export async function sendMessage(input: SendMessageInput): Promise<SendMessageR
 
   agentRegistry.setState(agentId, 'processing');
 
+  // Register handoff tools if agent has handoffs configured
+  if (agent.handoffs && agent.handoffs.length > 0) {
+    registerHandoffTools(agentId, agent.handoffs.map((h: AgentHandoffConfig) => ({
+      targetAgentId: h.targetAgentId,
+      description: h.description,
+    })));
+  }
+
   const abortController = new AbortController();
   const signal = input.abortSignal ?? abortController.signal;
 

package/src/auth/api-keys.ts

@@ -0,0 +1,60 @@
+// API Key CRUD — in-memory store with optional SQLite persistence
+
+import type { ApiKey, ApiKeyScope } from './types';
+
+function hashKey(rawKey: string): string {
+  const hasher = new Bun.CryptoHasher('sha256');
+  hasher.update(rawKey);
+  return hasher.digest('hex');
+}
+
+function generateRawKey(): string {
+  return `anr_${crypto.randomUUID().replace(/-/g, '')}`;
+}
+
+// In-memory key store
+const memoryKeys = new Map<string, ApiKey>();
+
+export function createApiKeyMemory(userId: string, name: string, scopes: ApiKeyScope[]): { key: string; apiKey: ApiKey } {
+  const rawKey = generateRawKey();
+  const keyHash = hashKey(rawKey);
+  const id = crypto.randomUUID();
+  const now = Date.now();
+
+  const apiKey: ApiKey = {
+    id,
+    userId,
+    name,
+    keyHash,
+    keyPrefix: rawKey.slice(0, 8),
+    scopes,
+    enabled: true,
+    lastUsed: 0,
+    createdAt: now,
+  };
+
+  memoryKeys.set(keyHash, apiKey);
+  return { key: rawKey, apiKey };
+}
+
+export function verifyApiKeyMemory(rawKey: string): ApiKey | null {
+  const keyHash = hashKey(rawKey);
+  const entry = memoryKeys.get(keyHash);
+  if (!entry || !entry.enabled) return null;
+  entry.lastUsed = Date.now();
+  return entry;
+}
+
+export function listApiKeysMemory(): ApiKey[] {
+  return [...memoryKeys.values()];
+}
+
+export function revokeApiKeyMemory(id: string): boolean {
+  for (const [hash, key] of memoryKeys) {
+    if (key.id === id) {
+      memoryKeys.delete(hash);
+      return true;
+    }
+  }
+  return false;
+}

package/src/auth/jwt.ts

@@ -0,0 +1,93 @@
+// JWT sign/verify using Web Crypto API — no external dependencies
+
+import type { JwtPayload, UserRole, ApiKeyScope } from './types';
+
+const JWT_ALG = 'HS256';
+const JWT_ISS = 'anorion';
+const DEFAULT_EXPIRY_S = 3600; // 1 hour
+
+function b64url(data: ArrayBuffer | Uint8Array): string {
+  const bytes = data instanceof Uint8Array ? data : new Uint8Array(data);
+  let bin = '';
+  for (const b of bytes) bin += String.fromCharCode(b);
+  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+function b64urlDecode(str: string): Uint8Array {
+  let s = str.replace(/-/g, '+').replace(/_/g, '/');
+  while (s.length % 4) s += '=';
+  const bin = atob(s);
+  const bytes = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+  return bytes;
+}
+
+function textToBytes(text: string): Uint8Array {
+  return new TextEncoder().encode(text);
+}
+
+async function getKey(secret: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'raw',
+    textToBytes(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign', 'verify'],
+  );
+}
+
+let _jwtSecret: string | null = null;
+
+export function setJwtSecret(secret: string): void {
+  _jwtSecret = secret;
+}
+
+function getJwtSecret(): string {
+  if (!_jwtSecret) {
+    _jwtSecret = process.env.JWT_SECRET || 'anorion-dev-secret-change-me';
+  }
+  return _jwtSecret;
+}
+
+export async function signJwt(payload: Omit<JwtPayload, 'iat' | 'exp' | 'iss'>, expiresInSeconds = DEFAULT_EXPIRY_S): Promise<string> {
+  const header = b64url(textToBytes(JSON.stringify({ alg: JWT_ALG, typ: 'JWT' })));
+
+  const now = Math.floor(Date.now() / 1000);
+  const fullPayload: JwtPayload = {
+    ...payload,
+    iat: now,
+    exp: now + expiresInSeconds,
+  };
+
+  const payloadB64 = b64url(textToBytes(JSON.stringify({ ...fullPayload, iss: JWT_ISS })));
+  const signingInput = `${header}.${payloadB64}`;
+
+  const key = await getKey(getJwtSecret());
+  const sig = await crypto.subtle.sign('HMAC', key, textToBytes(signingInput));
+
+  return `${signingInput}.${b64url(sig)}`;
+}
+
+export async function verifyJwt(token: string): Promise<JwtPayload | null> {
+  const parts = token.split('.');
+  if (parts.length !== 3) return null;
+
+  const headerB64 = parts[0]!;
+  const payloadB64 = parts[1]!;
+  const sigB64 = parts[2]!;
+  const signingInput = `${headerB64}.${payloadB64}`;
+
+  try {
+    const key = await getKey(getJwtSecret());
+    const valid = await crypto.subtle.verify('HMAC', key, b64urlDecode(sigB64), textToBytes(signingInput));
+    if (!valid) return null;
+
+    const payload = JSON.parse(new TextDecoder().decode(b64urlDecode(payloadB64))) as JwtPayload & { iss?: string };
+    if (payload.iss !== JWT_ISS) return null;
+    if (payload.exp < Math.floor(Date.now() / 1000)) return null;
+
+    return payload;
+  } catch {
+    return null;
+  }
+}

package/src/auth/middleware.ts

@@ -0,0 +1,155 @@
+// Auth middleware for Hono — JWT bearer, API key, scope validation, rate limiting
+
+import type { Context, Next } from 'hono';
+import type { ApiKeyScope, AuthContext } from './types';
+import { verifyJwt } from './jwt';
+import { verifyApiKeyMemory, listApiKeysMemory } from './api-keys';
+
+// Extend Hono context variables
+declare module 'hono' {
+  interface ContextVariableMap {
+    auth: AuthContext;
+  }
+}
+
+// ── Public paths that skip auth ──
+const PUBLIC_PATHS = new Set([
+  '/api/v1/health',
+  '/health',
+  '/metrics',
+]);
+
+// ── Extract auth context from request ──
+export async function authMiddleware(c: Context, next: Next): Promise<Response | void> {
+  // Skip auth for public paths
+  if (PUBLIC_PATHS.has(c.req.path)) return next();
+
+  // Dev mode: if no keys configured, allow all
+  const allKeys = listApiKeysMemory();
+  const hasRealKeys = allKeys.length > 0;
+  if (!hasRealKeys) {
+    c.set('auth', {
+      userId: 'dev',
+      username: 'dev',
+      role: 'admin',
+      scopes: ['read', 'write', 'admin'],
+    });
+    return next();
+  }
+
+  // Try API key auth first (X-API-Key header or Authorization: Bearer sk-.../anr_...)
+  const apiKeyHeader = c.req.header('X-API-Key');
+  const authHeader = c.req.header('Authorization') || '';
+
+  let authCtx: AuthContext | null = null;
+
+  if (apiKeyHeader) {
+    const key = verifyApiKeyMemory(apiKeyHeader);
+    if (key) {
+      authCtx = {
+        userId: key.userId,
+        username: key.name,
+        role: 'agent',
+        scopes: key.scopes,
+        apiKeyId: key.id,
+      };
+    }
+  } else if (authHeader.startsWith('Bearer ')) {
+    const token = authHeader.slice(7);
+
+    // Check if it's an API key (starts with anr_)
+    if (token.startsWith('anr_') || token.startsWith('sk-')) {
+      const key = verifyApiKeyMemory(token);
+      if (key) {
+        authCtx = {
+          userId: key.userId,
+          username: key.name,
+          role: 'agent',
+          scopes: key.scopes,
+          apiKeyId: key.id,
+        };
+      }
+    } else {
+      // Try JWT
+      const payload = await verifyJwt(token);
+      if (payload) {
+        authCtx = {
+          userId: payload.sub,
+          username: payload.username,
+          role: payload.role,
+          scopes: payload.scopes,
+        };
+      }
+    }
+  }
+
+  if (!authCtx) {
+    return c.json({ error: 'Unauthorized', message: 'Valid API key or JWT token required' }, 401);
+  }
+
+  c.set('auth', authCtx);
+  return next();
+}
+
+// ── Scope validation middleware ──
+export function requireScope(...requiredScopes: ApiKeyScope[]) {
+  return async (c: Context, next: Next): Promise<Response | void> => {
+    const auth = c.get('auth');
+    if (!auth) return c.json({ error: 'Unauthorized' }, 401);
+
+    // Admin scope grants all
+    if (auth.scopes.includes('admin')) return next();
+
+    const hasScope = requiredScopes.some((s) => auth.scopes.includes(s));
+    if (!hasScope) {
+      return c.json({ error: 'Forbidden', message: `Requires one of: ${requiredScopes.join(', ')}` }, 403);
+    }
+
+    return next();
+  };
+}
+
+// ── Rate limiting per key (in-memory sliding window) ──
+interface RateWindow {
+  timestamps: number[];
+  tokenCount: number;
+}
+
+const rateWindows = new Map<string, RateWindow>();
+
+export function rateLimitPerKey(rpm: number = 60, tpm: number = 100000) {
+  return async (c: Context, next: Next): Promise<Response | void> => {
+    const auth = c.get('auth');
+    const keyId = auth?.apiKeyId || c.req.header('x-forwarded-for')?.split(',')[0]?.trim() || 'unknown';
+
+    const now = Date.now();
+    const windowMs = 60_000; // 1 minute sliding window
+
+    let bucket = rateWindows.get(keyId);
+    if (!bucket) {
+      bucket = { timestamps: [], tokenCount: 0 };
+      rateWindows.set(keyId, bucket);
+    }
+
+    // Slide window
+    bucket.timestamps = bucket.timestamps.filter((t) => now - t < windowMs);
+
+    if (bucket.timestamps.length >= rpm) {
+      const oldest = bucket.timestamps[0]!;
+      const retryAfter = Math.ceil((oldest + windowMs - now) / 1000);
+      return c.json({ error: 'Rate limit exceeded', retryAfter }, 429, { 'Retry-After': String(retryAfter) });
+    }
+
+    bucket.timestamps.push(now);
+    return next();
+  };
+}
+
+// Periodic cleanup of old buckets (every 5 min)
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, bucket] of rateWindows) {
+    bucket.timestamps = bucket.timestamps.filter((t) => now - t < 120_000);
+    if (bucket.timestamps.length === 0) rateWindows.delete(key);
+  }
+}, 300_000);

package/src/auth/routes.ts

@@ -0,0 +1,138 @@
+// Auth routes — login, register, key management, health
+
+import { Hono } from 'hono';
+import { signJwt } from './jwt';
+import { createApiKeyMemory, listApiKeysMemory, revokeApiKeyMemory, verifyApiKeyMemory } from './api-keys';
+import { authMiddleware, requireScope, rateLimitPerKey } from './middleware';
+import type { AuthContext, CreateKeyRequest, LoginRequest, RegisterRequest } from './types';
+
+const app = new Hono();
+
+// ── Public health check ──
+app.get('/api/v1/health', (c) => {
+  return c.json({
+    status: 'ok',
+    uptime: process.uptime(),
+    timestamp: new Date().toISOString(),
+    version: '0.1.0',
+  });
+});
+
+// ── Detailed health (requires auth) ──
+app.get('/api/v1/health/detailed', authMiddleware, (c) => {
+  const mem = process.memoryUsage();
+  return c.json({
+    status: 'ok',
+    uptime: process.uptime(),
+    timestamp: new Date().toISOString(),
+    memory: {
+      rss: `${(mem.rss / 1024 / 1024).toFixed(1)} MB`,
+      heapUsed: `${(mem.heapUsed / 1024 / 1024).toFixed(1)} MB`,
+      heapTotal: `${(mem.heapTotal / 1024 / 1024).toFixed(1)} MB`,
+    },
+    nodeVersion: process.version,
+    pid: process.pid,
+  });
+});
+
+// ── Login: exchange API key for JWT ──
+app.post('/api/v1/auth/login', rateLimitPerKey(10), async (c) => {
+  const body = await c.req.json() as LoginRequest;
+  if (!body.apiKey) return c.json({ error: 'apiKey is required' }, 400);
+
+  const key = verifyApiKeyMemory(body.apiKey);
+  if (!key) return c.json({ error: 'Invalid API key' }, 401);
+
+  const token = await signJwt({
+    sub: key.userId || key.id,
+    username: key.name,
+    role: 'agent',
+    scopes: key.scopes,
+  });
+
+  return c.json({
+    token,
+    expiresIn: 3600,
+    scopes: key.scopes,
+  });
+});
+
+// ── Register: create a user (admin only) ──
+app.post('/api/v1/auth/register', authMiddleware, requireScope('admin'), async (c) => {
+  const body = await c.req.json() as RegisterRequest;
+  if (!body.username) return c.json({ error: 'username is required' }, 400);
+
+  // In this simplified version, registration creates an API key for the user
+  const role = body.role || 'viewer';
+  const scopes = role === 'admin' ? ['read', 'write', 'admin'] as const
+    : role === 'operator' ? ['read', 'write'] as const
+    : ['read'] as const;
+
+  const result = createApiKeyMemory('', body.username, [...scopes]);
+
+  return c.json({
+    user: {
+      username: body.username,
+      role,
+    },
+    apiKey: result.key,
+    apiKeyId: result.apiKey.id,
+  }, 201);
+});
+
+// ── Get current auth info ──
+app.get('/api/v1/auth/me', authMiddleware, (c) => {
+  const auth = c.get('auth') as AuthContext;
+  return c.json({
+    userId: auth.userId,
+    username: auth.username,
+    role: auth.role,
+    scopes: auth.scopes,
+  });
+});
+
+// ── API Key management ──
+
+// Create API key
+app.post('/api/v1/keys', authMiddleware, requireScope('admin'), async (c) => {
+  const body = await c.req.json() as CreateKeyRequest;
+  if (!body.name) return c.json({ error: 'name is required' }, 400);
+  if (!body.scopes || body.scopes.length === 0) return c.json({ error: 'scopes are required' }, 400);
+
+  const auth = c.get('auth') as AuthContext;
+  const result = createApiKeyMemory(auth.userId, body.name, body.scopes);
+
+  return c.json({
+    key: result.key,
+    apiKey: {
+      id: result.apiKey.id,
+      name: result.apiKey.name,
+      scopes: result.apiKey.scopes,
+      createdAt: result.apiKey.createdAt,
+    },
+  }, 201);
+});
+
+// List API keys
+app.get('/api/v1/keys', authMiddleware, requireScope('read'), (c) => {
+  const keys = listApiKeysMemory().map((k) => ({
+    id: k.id,
+    name: k.name,
+    keyPrefix: k.keyPrefix,
+    scopes: k.scopes,
+    enabled: k.enabled,
+    lastUsed: k.lastUsed,
+    createdAt: k.createdAt,
+  }));
+  return c.json({ keys });
+});
+
+// Revoke API key
+app.delete('/api/v1/keys/:id', authMiddleware, requireScope('admin'), (c) => {
+  const id = c.req.param('id')!;
+  const ok = revokeApiKeyMemory(id);
+  if (!ok) return c.json({ error: 'Key not found' }, 404);
+  return c.json({ ok: true });
+});
+
+export default app;