daemora 1.0.0

package/src/models/ModelRouter.js

@@ -0,0 +1,180 @@
+import { createOpenAI } from "@ai-sdk/openai";
+import { createAnthropic } from "@ai-sdk/anthropic";
+import { createGoogleGenerativeAI } from "@ai-sdk/google";
+import { createOllama } from "ollama-ai-provider";
+import { models, fallbackChains } from "../config/models.js";
+
+/**
+ * Provider factory — lazily created so vault secrets are available.
+ * Per-tenant apiKeys overlay: if apiKeys[KEY] is set, create a fresh provider instance
+ * (never cached) to avoid cross-tenant bleed in concurrent requests.
+ */
+const providerCache = {};
+
+function getProvider(name, apiKeys = {}) {
+  const keyMap = { openai: "OPENAI_API_KEY", anthropic: "ANTHROPIC_API_KEY", google: "GOOGLE_AI_API_KEY" };
+  const envKeyName = keyMap[name];
+  const tenantKey = envKeyName ? apiKeys[envKeyName] : null;
+
+  if (name === "ollama") {
+    if (providerCache[name]) return providerCache[name];
+    providerCache[name] = createOllama({ baseURL: process.env.OLLAMA_BASE_URL || "http://localhost:11434/api" });
+    return providerCache[name];
+  }
+
+  const globalKey = envKeyName ? process.env[envKeyName] : null;
+  if (!tenantKey && !globalKey) return null;
+
+  if (tenantKey) {
+    // Per-tenant key: always create a fresh instance — never cache, prevents cross-tenant bleed
+    if (name === "openai")    return createOpenAI({ apiKey: tenantKey });
+    if (name === "anthropic") return createAnthropic({ apiKey: tenantKey });
+    if (name === "google")    return createGoogleGenerativeAI({ apiKey: tenantKey });
+  }
+
+  // Global key: existing singleton cache behavior (zero overhead for single-user mode)
+  if (providerCache[name]) return providerCache[name];
+  if (name === "openai")    providerCache[name] = createOpenAI({ apiKey: globalKey });
+  if (name === "anthropic") providerCache[name] = createAnthropic({ apiKey: globalKey });
+  if (name === "google")    providerCache[name] = createGoogleGenerativeAI({ apiKey: globalKey });
+  return providerCache[name] || null;
+}
+
+/**
+ * Get a Vercel AI SDK model instance from a "provider:model" string.
+ *
+ * @param {string} modelId - e.g. "openai:gpt-4.1-mini" or "anthropic:claude-sonnet-4-6"
+ * @param {object} apiKeys - Per-tenant API key overlay { OPENAI_API_KEY: "...", ... }
+ * @returns {{ model: object, meta: object }} AI SDK model instance + metadata
+ */
+export function getModel(modelId, apiKeys = {}) {
+  const meta = models[modelId];
+  if (!meta) {
+    throw new Error(`Unknown model: ${modelId}. Available: ${Object.keys(models).join(", ")}`);
+  }
+
+  const provider = getProvider(meta.provider, apiKeys);
+  if (!provider) {
+    throw new Error(
+      `Provider "${meta.provider}" not configured. Set the API key in .env (e.g. ${meta.provider.toUpperCase()}_API_KEY).`
+    );
+  }
+
+  return {
+    model: provider(meta.model),
+    meta,
+  };
+}
+
+/**
+ * Get model with fallback chain.
+ * Tries the preferred model first, then falls through the chain.
+ *
+ * @param {string} preferredModelId - e.g. "openai:gpt-4.1-mini"
+ * @param {object} apiKeys - Per-tenant API key overlay
+ * @returns {{ model: object, meta: object, modelId: string }}
+ */
+export function getModelWithFallback(preferredModelId, apiKeys = {}) {
+  // Try preferred model first
+  try {
+    const result = getModel(preferredModelId, apiKeys);
+    return { ...result, modelId: preferredModelId };
+  } catch (e) {
+    console.log(`[ModelRouter] Preferred model "${preferredModelId}" unavailable: ${e.message}`);
+  }
+
+  // Find the fallback chain for this model's tier
+  const meta = models[preferredModelId];
+  const tier = meta?.tier || "cheap";
+  const chain = fallbackChains[tier] || fallbackChains.cheap;
+
+  for (const fallbackId of chain) {
+    if (fallbackId === preferredModelId) continue;
+    try {
+      const result = getModel(fallbackId, apiKeys);
+      console.log(`[ModelRouter] Falling back to "${fallbackId}"`);
+      return { ...result, modelId: fallbackId };
+    } catch (e) {
+      continue;
+    }
+  }
+
+  throw new Error(`No available model found. Tried: ${preferredModelId} + fallback chain.`);
+}
+
+/**
+ * Get the cheapest available model (for compaction/summarization).
+ *
+ * @param {object} apiKeys - Per-tenant API key overlay
+ */
+export function getCheapModel(apiKeys = {}) {
+  const cheapChain = ["google:gemini-2.0-flash", "openai:gpt-4.1-mini", "anthropic:claude-haiku-4-5"];
+  for (const modelId of cheapChain) {
+    try {
+      const result = getModel(modelId, apiKeys);
+      return { ...result, modelId };
+    } catch {
+      continue;
+    }
+  }
+  // Last resort: whatever the default is
+  const defaultId = process.env.DEFAULT_MODEL || "openai:gpt-4.1-mini";
+  return { ...getModel(defaultId, apiKeys), modelId: defaultId };
+}
+
+/**
+ * List all available models (ones that have API keys configured).
+ */
+export function listAvailableModels() {
+  const available = [];
+  for (const modelId of Object.keys(models)) {
+    try {
+      getModel(modelId);
+      available.push({ id: modelId, ...models[modelId] });
+    } catch {
+      // skip unavailable
+    }
+  }
+  return available;
+}
+
+// ── Task-Type Model Routing ────────────────────────────────────────────────────
+
+const _profileEnvMap = {
+  coder:      "CODE_MODEL",
+  researcher: "RESEARCH_MODEL",
+  writer:     "WRITER_MODEL",
+  analyst:    "ANALYST_MODEL",
+};
+
+/**
+ * Resolve the best model for a given agent profile, using a priority chain:
+ *   1. explicitModel (caller override)
+ *   2. Per-tenant modelRoutes[profile]
+ *   3. Global CODE_MODEL / RESEARCH_MODEL / WRITER_MODEL / ANALYST_MODEL env vars
+ *   4. Per-tenant general model override
+ *   5. DEFAULT_MODEL env var / hardcoded default
+ *
+ * @param {string|null} profile       - e.g. "coder", "researcher", "writer", "analyst"
+ * @param {object}      tenantConfig  - resolvedConfig from TenantManager (may have .modelRoutes, .model)
+ * @param {string|null} explicitModel - Caller-supplied model override (highest priority)
+ * @returns {string} Resolved model ID
+ */
+export function resolveModelForProfile(profile, tenantConfig = {}, explicitModel = null) {
+  if (explicitModel) return explicitModel;
+  if (profile && tenantConfig.modelRoutes?.[profile]) return tenantConfig.modelRoutes[profile];
+  if (profile && process.env[_profileEnvMap[profile]]) return process.env[_profileEnvMap[profile]];
+  if (tenantConfig.model) return tenantConfig.model;
+  return process.env.DEFAULT_MODEL || "openai:gpt-4.1-mini";
+}
+
+/**
+ * Get the task-type model for a profile from global env vars only.
+ * Utility for callers without a tenant config.
+ *
+ * @param {string|null} profile - e.g. "coder", "researcher"
+ * @returns {string} Model ID
+ */
+export function getTaskTypeModel(profile) {
+  return (profile && process.env[_profileEnvMap[profile]]) || process.env.DEFAULT_MODEL || "openai:gpt-4.1-mini";
+}

package/src/safety/AuditLog.js

@@ -0,0 +1,135 @@
+import { appendFileSync, mkdirSync } from "fs";
+import { config } from "../config/default.js";
+import eventBus from "../core/EventBus.js";
+import tenantContext from "../tenants/TenantContext.js";
+
+/**
+ * Audit Log — append-only logging of all agent actions.
+ *
+ * Writes to: data/audit/YYYY-MM-DD.jsonl
+ *
+ * Listens to EventBus events already emitted by AgentLoop, Supervisor,
+ * SubAgentManager, and TaskRunner. No changes needed to other files —
+ * just start() this and it captures everything automatically.
+ */
+
+class AuditLog {
+  constructor() {
+    this.enabled = true;
+    this.entryCount = 0;
+  }
+
+  start() {
+    mkdirSync(config.auditDir, { recursive: true });
+
+    // ── Tool lifecycle (emitted by AgentLoop) ─────────────────────────────
+    eventBus.on("tool:before", ({ tool_name, params, taskId, stepCount }) => {
+      this.write({ event: "tool_attempted", tool_name, taskId, stepCount,
+        params: params?.slice(0, 3).map((p) => String(p).slice(0, 120)) });
+    });
+
+    eventBus.on("tool:after", ({ tool_name, taskId, stepCount, duration, outputLength, error }) => {
+      if (error) {
+        this.write({ event: "tool_failed", tool_name, taskId, stepCount, duration, error });
+      } else {
+        this.write({ event: "tool_executed", tool_name, taskId, stepCount, duration, outputLength });
+      }
+    });
+
+    // ── Model calls (emitted by AgentLoop) ───────────────────────────────
+    eventBus.on("model:called", ({ modelId, loopCount, elapsed, inputTokens, outputTokens, taskId }) => {
+      this.write({ event: "model_called", modelId, loopCount, elapsed, inputTokens, outputTokens, taskId });
+    });
+
+    // ── Agent lifecycle (emitted by SubAgentManager) ─────────────────────
+    eventBus.on("agent:spawned", ({ agentId, taskDescription, depth, parentTaskId }) => {
+      this.write({ event: "agent_spawned", agentId, depth, parentTaskId,
+        task: taskDescription?.slice(0, 120) });
+    });
+
+    eventBus.on("agent:killed", ({ agentId, reason }) => {
+      this.write({ event: "agent_killed", agentId, reason });
+    });
+
+    // ── Safety events (emitted by PermissionGuard, Sandbox, HumanApproval, AgentLoop) ──
+    eventBus.on("audit:permission_denied", ({ tool_name, reason, taskId }) => {
+      this.write({ event: "permission_denied", tool_name, reason, taskId });
+    });
+
+    eventBus.on("audit:sandbox_blocked", ({ command, reason, taskId }) => {
+      this.write({ event: "sandbox_blocked", command: command?.slice(0, 200), reason, taskId });
+    });
+
+    eventBus.on("audit:hook_blocked", ({ tool_name, reason, taskId }) => {
+      this.write({ event: "hook_blocked", tool_name, reason, taskId });
+    });
+
+    eventBus.on("audit:secret_detected", ({ tool_name, taskId, count }) => {
+      this.write({ event: "secret_detected", tool_name, taskId, count });
+    });
+
+    eventBus.on("audit:approval_requested", ({ requestId, tool_name, taskId, channelMeta }) => {
+      this.write({ event: "approval_requested", requestId, tool_name, taskId,
+        channel: channelMeta?.channel });
+    });
+
+    eventBus.on("audit:approval_result", ({ requestId, tool_name, taskId, approved, source }) => {
+      this.write({ event: "approval_result", requestId, tool_name, taskId, approved, source });
+    });
+
+    eventBus.on("audit:git_snapshot", ({ taskId, ref }) => {
+      this.write({ event: "git_snapshot", taskId, ref });
+    });
+
+    eventBus.on("audit:git_rollback", ({ taskId, ref, success }) => {
+      this.write({ event: "git_rollback", taskId, ref, success });
+    });
+
+    eventBus.on("audit:memory_written", ({ category, entryLength, taskId }) => {
+      this.write({ event: "memory_written", category, entryLength, taskId });
+    });
+
+    // ── Supervisor (emitted by Supervisor) ───────────────────────────────
+    eventBus.on("supervisor:warning", (data) => {
+      this.write({ event: "supervisor_warning", ...data });
+    });
+
+    eventBus.on("supervisor:alert", (data) => {
+      this.write({ event: "supervisor_alert", ...data });
+    });
+
+    eventBus.on("supervisor:kill", ({ taskId, reason }) => {
+      this.write({ event: "supervisor_kill", taskId, reason });
+    });
+
+    // ── Manual audit events (catch-all for anything else) ────────────────
+    eventBus.on("audit:event", (data) => {
+      if (!this.enabled) return;
+      this.write(data);
+    });
+
+    console.log(`[AuditLog] Started — logging to ${config.auditDir}`);
+  }
+
+  write(data) {
+    if (!this.enabled) return;
+    try {
+      const today = new Date().toISOString().split("T")[0];
+      const logFile = `${config.auditDir}/${today}.jsonl`;
+      const tenantId = tenantContext.getStore()?.tenant?.id || null;
+      const entry = { timestamp: new Date().toISOString(), tenantId, ...data };
+      appendFileSync(logFile, JSON.stringify(entry) + "\n", "utf-8");
+      this.entryCount++;
+    } catch (error) {
+      // Never let audit failures crash the system
+      console.log(`[AuditLog] Write error: ${error.message}`);
+    }
+  }
+
+  stats() {
+    return { enabled: this.enabled, entriesWritten: this.entryCount };
+  }
+}
+
+const auditLog = new AuditLog();
+export default auditLog;

package/src/safety/CircuitBreaker.js

@@ -0,0 +1,126 @@
+import eventBus from "../core/EventBus.js";
+
+/**
+ * Circuit Breaker — prevents cascading failures in agent chains.
+ *
+ * Per-agent: 3 consecutive failures → stop the agent.
+ * Per-tool: 5 failures in 1 minute → disable tool temporarily.
+ * Reset after cooldown period.
+ */
+
+class CircuitBreaker {
+  constructor() {
+    // Track failures per tool
+    this.toolFailures = new Map(); // toolName -> { count, lastFailure, disabled }
+    // Track failures per task/agent
+    this.agentFailures = new Map(); // taskId -> { consecutive, lastFailure }
+
+    this.maxToolFailures = 5;
+    this.toolCooldownMs = 60000; // 1 minute
+    this.maxAgentFailures = 3;
+  }
+
+  /**
+   * Record a tool failure.
+   * @returns {{ tripped: boolean, reason?: string }}
+   */
+  recordToolFailure(toolName) {
+    const now = Date.now();
+    const entry = this.toolFailures.get(toolName) || {
+      count: 0,
+      firstFailure: now,
+      disabled: false,
+    };
+
+    // Reset if cooldown has passed
+    if (now - entry.firstFailure > this.toolCooldownMs) {
+      entry.count = 0;
+      entry.firstFailure = now;
+      entry.disabled = false;
+    }
+
+    entry.count++;
+
+    if (entry.count >= this.maxToolFailures) {
+      entry.disabled = true;
+      this.toolFailures.set(toolName, entry);
+      eventBus.emitEvent("circuit:tool_disabled", {
+        toolName,
+        failures: entry.count,
+      });
+      return {
+        tripped: true,
+        reason: `Tool "${toolName}" disabled: ${entry.count} failures in ${this.toolCooldownMs / 1000}s. Will reset automatically.`,
+      };
+    }
+
+    this.toolFailures.set(toolName, entry);
+    return { tripped: false };
+  }
+
+  /**
+   * Record an agent/task failure.
+   * @returns {{ tripped: boolean, reason?: string }}
+   */
+  recordAgentFailure(taskId) {
+    const entry = this.agentFailures.get(taskId) || { consecutive: 0 };
+    entry.consecutive++;
+
+    if (entry.consecutive >= this.maxAgentFailures) {
+      this.agentFailures.set(taskId, entry);
+      eventBus.emitEvent("circuit:agent_stopped", {
+        taskId,
+        failures: entry.consecutive,
+      });
+      return {
+        tripped: true,
+        reason: `Agent stopped: ${entry.consecutive} consecutive failures. Task may need human intervention.`,
+      };
+    }
+
+    this.agentFailures.set(taskId, entry);
+    return { tripped: false };
+  }
+
+  /**
+   * Record success — resets consecutive failure counter.
+   */
+  recordSuccess(taskId) {
+    if (taskId) {
+      this.agentFailures.delete(taskId);
+    }
+  }
+
+  /**
+   * Check if a tool is currently disabled.
+   */
+  isToolDisabled(toolName) {
+    const entry = this.toolFailures.get(toolName);
+    if (!entry || !entry.disabled) return false;
+
+    // Check if cooldown has passed
+    if (Date.now() - entry.firstFailure > this.toolCooldownMs) {
+      entry.disabled = false;
+      entry.count = 0;
+      this.toolFailures.set(toolName, entry);
+      return false;
+    }
+
+    return true;
+  }
+
+  /**
+   * Get stats.
+   */
+  stats() {
+    return {
+      disabledTools: [...this.toolFailures.entries()]
+        .filter(([, e]) => e.disabled)
+        .map(([name]) => name),
+      activeBreakers: this.agentFailures.size,
+    };
+  }
+}
+
+const circuitBreaker = new CircuitBreaker();
+export default circuitBreaker;

package/src/safety/FilesystemGuard.js

@@ -0,0 +1,169 @@
+import { resolve, sep } from "path";
+import { config } from "../config/default.js";
+import eventBus from "../core/EventBus.js";
+import tenantContext from "../tenants/TenantContext.js";
+
+/**
+ * Filesystem Guard — restricts file access to safe paths.
+ *
+ * Two layers of protection:
+ *
+ * 1. HARDCODED BLOCKED PATTERNS — sensitive system files that are ALWAYS blocked
+ *    (~/.ssh, .env, /etc/shadow, certificates, etc.)
+ *
+ * 2. USER-CONFIGURABLE SCOPING — like Docker volume mounts
+ *    ALLOWED_PATHS=/Users/you/Downloads,/Users/you/Projects
+ *      → Agent can ONLY access files inside those directories.
+ *      → If unset: no directory restriction (global mode).
+ *    BLOCKED_PATHS=/Users/you/Desktop,/Users/you/Documents
+ *      → Always blocked regardless of ALLOWED_PATHS.
+ *      → Useful for saying "everything except these folders".
+ *
+ * Examples:
+ *   ALLOWED_PATHS=/home/john/workspace   → locked to workspace only
+ *   BLOCKED_PATHS=/home/john/private     → blocks one folder, rest is open
+ *   (neither set)                        → only hardcoded patterns blocked
+ */
+
+// Paths the agent should NEVER read or write
+const BLOCKED_PATTERNS = [
+  /\.ssh[\/\\]/,
+  /\.gnupg[\/\\]/,
+  /\.vault\.enc$/,
+  /\.vault\.salt$/,
+  /\/etc\/shadow/,
+  /\/etc\/sudoers/,
+  /\.aws\/credentials/,
+  /\.docker\/config\.json/,
+  /\.kube\/config/,
+  /\.npmrc$/,
+  /\.pypirc$/,
+  /\.netrc$/,
+  /id_rsa/,
+  /id_ed25519/,
+  /id_ecdsa/,
+  /\.pem$/,
+  /\.key$/,
+];
+
+// Patterns to block writing to (reading is ok)
+const WRITE_BLOCKED_PATTERNS = [
+  /\.env$/,
+  /\.env\..+$/,
+  /\/etc\//,
+  /\/usr\//,
+  /\/bin\//,
+  /\/sbin\//,
+  /\/System\//,
+  /\/Library\/LaunchDaemons\//,
+];
+
+class FilesystemGuard {
+  constructor() {
+    this.blockedCount = 0;
+  }
+
+  /**
+   * Check if a read operation is allowed.
+   * @param {string} filePath
+   * @returns {{ allowed: boolean, reason?: string }}
+   */
+  checkRead(filePath) {
+    return this._check(filePath, "read");
+  }
+
+  /**
+   * Check if a write operation is allowed.
+   * @param {string} filePath
+   * @returns {{ allowed: boolean, reason?: string }}
+   */
+  checkWrite(filePath) {
+    return this._check(filePath, "write");
+  }
+
+  _check(filePath, operation) {
+    if (!filePath) return { allowed: false, reason: "No file path provided" };
+
+    const resolved = resolve(filePath);
+
+    // ── Layer 1: Hardcoded blocked patterns ───────────────────────────────────
+    for (const pattern of BLOCKED_PATTERNS) {
+      if (pattern.test(resolved)) {
+        this._block(operation, resolved, pattern.toString());
+        return {
+          allowed: false,
+          reason: `Access denied: "${filePath}" matches a blocked path pattern (sensitive file).`,
+        };
+      }
+    }
+
+    if (operation === "write") {
+      for (const pattern of WRITE_BLOCKED_PATTERNS) {
+        if (pattern.test(resolved)) {
+          this._block(operation, resolved, pattern.toString());
+          return {
+            allowed: false,
+            reason: `Write access denied: "${filePath}" is in a protected system directory.`,
+          };
+        }
+      }
+    }
+
+    // ── Resolve per-tenant or global path config ──────────────────────────────
+    // When a task runs inside tenantContext.run(), use per-tenant resolved config.
+    // Otherwise fall back to global filesystem config.
+    const store = tenantContext.getStore();
+    const resolvedConfig = store?.resolvedConfig;
+
+    // ── Layer 2: User-defined blocked paths ───────────────────────────────────
+    const userBlocked = resolvedConfig
+      ? (resolvedConfig.blockedPaths || [])
+      : (config.filesystem?.blockedPaths || []);
+    for (const dir of userBlocked) {
+      const dirResolved = resolve(dir);
+      if (resolved === dirResolved || resolved.startsWith(dirResolved + sep) || resolved.startsWith(dirResolved + "/")) {
+        this._block(operation, resolved, `user-blocked:${dir}`);
+        return {
+          allowed: false,
+          reason: `Access denied: "${filePath}" is in a blocked directory ("${dir}").`,
+        };
+      }
+    }
+
+    // ── Layer 3: User-defined allowed paths (scoped mode) ─────────────────────
+    const userAllowed = resolvedConfig
+      ? (resolvedConfig.allowedPaths || [])
+      : (config.filesystem?.allowedPaths || []);
+    if (userAllowed.length > 0) {
+      const inAllowed = userAllowed.some((dir) => {
+        const dirResolved = resolve(dir);
+        return resolved === dirResolved || resolved.startsWith(dirResolved + sep) || resolved.startsWith(dirResolved + "/");
+      });
+
+      if (!inAllowed) {
+        this._block(operation, resolved, "outside-allowed-paths");
+        const hint = resolvedConfig?.allowedPaths?.length
+          ? `Your workspace: ${userAllowed.join(", ")}.`
+          : `Allowed: ${userAllowed.join(", ")}. Add more directories to ALLOWED_PATHS in .env, or clear it to allow global access.`;
+        return {
+          allowed: false,
+          reason: `Access denied: "${filePath}" is outside the allowed directories. ${hint}`,
+        };
+      }
+    }
+
+    return { allowed: true };
+  }
+
+  _block(operation, path, reason) {
+    this.blockedCount++;
+    eventBus.emitEvent("filesystem:blocked", { operation, path, reason });
+  }
+
+  stats() {
+    return { blockedCount: this.blockedCount };
+  }
+}
+
+const filesystemGuard = new FilesystemGuard();
+export default filesystemGuard;