daemora 1.0.0

package/skills/weather.md

@@ -0,0 +1,127 @@
+---
+name: weather
+description: Get current weather conditions, forecasts, hourly data, and rain predictions for any city, airport, or coordinates. Use when the user asks about weather, temperature, rain, wind, humidity, UV index, or travel forecasts. No API key required.
+triggers: weather, temperature, rain, forecast, wind, humidity, hot, cold, snow, sunny, cloudy, storm, UV, climate, degrees
+---
+
+## When to Use
+
+✅ Current conditions, today's forecast, multi-day forecast, rain prediction, travel weather, "will it rain?", "is it cold in [city]?"
+
+❌ Historical weather archives, climate trends, aviation METAR/TAF, severe weather emergency alerts — use official sources for those.
+
+## Quick Commands (no API key)
+
+```bash
+# One-line summary — best for quick answers
+curl -s "wttr.in/London?format=3"
+# → London: ⛅️ +18°C
+
+# Full current conditions + 3-day forecast
+curl -s "wttr.in/London"
+
+# Specific city with spaces
+curl -s "wttr.in/New+York"
+
+# Airport code (IATA)
+curl -s "wttr.in/JFK"
+
+# Coordinates
+curl -s "wttr.in/48.8566,2.3522"  # Paris lat/lon
+
+# JSON — parse programmatically
+curl -s "wttr.in/London?format=j1" | python3 -c "
+import sys, json
+d = json.load(sys.stdin)
+c = d['current_condition'][0]
+print(f\"Temp: {c['temp_C']}°C / {c['temp_F']}°F\")
+print(f\"Feels like: {c['FeelsLikeC']}°C\")
+print(f\"Humidity: {c['humidity']}%\")
+print(f\"Wind: {c['windspeedKmph']} km/h {c['winddir16Point']}\")
+print(f\"Condition: {c['weatherDesc'][0]['value']}\")
+"
+```
+
+## Forecast Queries
+
+```bash
+# Today only
+curl -s "wttr.in/Tokyo?1"
+
+# Tomorrow only
+curl -s "wttr.in/Tokyo?2"
+
+# 3-day compact view
+curl -s "wttr.in/Tokyo?format=v2"
+
+# Moon phase bonus
+curl -s "wttr.in/~moon"
+```
+
+## Custom Format Codes
+
+Build exactly the output you want:
+
+| Code | Meaning |
+|------|---------|
+| `%l` | Location name |
+| `%c` | Condition emoji |
+| `%t` | Temperature |
+| `%f` | Feels like |
+| `%h` | Humidity % |
+| `%w` | Wind speed + direction |
+| `%p` | Precipitation (mm) |
+| `%P` | Pressure (hPa) |
+| `%u` | UV index |
+| `%S` | Sunrise |
+| `%s` | Sunset |
+
+```bash
+# Rich one-liner
+curl -s "wttr.in/London?format=%l:+%c+%t+(feels+%f)+💨%w+💧%h+☔%p"
+# → London: ⛅ +17°C (feels +14°C) 💨 18km/h W 💧 72% ☔ 0.0mm
+
+# Travel check — sunrise/sunset
+curl -s "wttr.in/Dubai?format=%l:+%c+%t+🌅%S+🌇%s"
+```
+
+## "Will it rain?" — Rain Probability
+
+```bash
+# Parse hourly rain chance from JSON
+curl -s "wttr.in/London?format=j1" | python3 -c "
+import sys, json
+d = json.load(sys.stdin)
+print('Rain chance by period today:')
+for period in d['weather'][0]['hourly']:
+    t = period['time'].zfill(4)
+    print(f\"  {t[:2]}:00 — {period['chanceofrain']}% rain, {period['tempC']}°C\")
+"
+```
+
+## Multiple Cities Comparison
+
+```bash
+for city in "London" "New+York" "Tokyo" "Sydney"; do
+  curl -s "wttr.in/${city}?format=%l:+%c+%t+💧%h" &
+done
+wait
+```
+
+## Error Handling
+
+- If `wttr.in` is slow or down: fall back to `curl -s "wttr.in/${city}?format=j1"` (JSON is more reliable than HTML)
+- Unknown city → wttr.in returns nearest match or error; try airport code instead
+- Rate limited → wait 10s and retry once; if still failing, report the outage
+
+## Output Format for Users
+
+Always present weather in a clean, scannable format:
+
+```
+📍 London, UK
+🌤 Partly cloudy · 17°C (feels like 14°C)
+💨 Wind: 18 km/h W · 💧 Humidity: 72%
+🌧 Rain chance: 10% today, 60% tomorrow
+🌅 Sunrise: 06:42 · 🌇 Sunset: 20:15
+```

package/src/a2a/A2AClient.js

@@ -0,0 +1,136 @@
+/**
+ * A2A Client — delegates tasks to external agents via A2A protocol.
+ *
+ * Flow:
+ * 1. Discover agent: fetch /.well-known/agent.json
+ * 2. Send task: POST /a2a/tasks
+ * 3. Poll for result: GET /a2a/tasks/:id (or stream via SSE)
+ */
+
+/**
+ * Discover an agent's capabilities.
+ * @param {string} agentUrl - Base URL of the agent
+ * @returns {object} Agent card
+ */
+export async function discoverAgent(agentUrl) {
+  const url = `${agentUrl.replace(/\/$/, "")}/.well-known/agent.json`;
+
+  const response = await fetch(url, {
+    signal: AbortSignal.timeout(10000),
+  });
+
+  if (!response.ok) {
+    throw new Error(`Agent discovery failed: ${response.status}`);
+  }
+
+  return response.json();
+}
+
+/**
+ * Send a task to an external agent.
+ * @param {string} agentUrl - Base URL of the agent
+ * @param {string} taskInput - The task to send
+ * @returns {object} Task response with id and status
+ */
+export async function sendTaskToAgent(agentUrl, taskInput) {
+  const baseUrl = agentUrl.replace(/\/$/, "");
+
+  const response = await fetch(`${baseUrl}/a2a/tasks`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      jsonrpc: "2.0",
+      method: "tasks/send",
+      params: {
+        message: {
+          role: "user",
+          parts: [{ type: "text", text: taskInput }],
+        },
+      },
+    }),
+    signal: AbortSignal.timeout(30000),
+  });
+
+  if (!response.ok) {
+    throw new Error(`A2A task submission failed: ${response.status}`);
+  }
+
+  return response.json();
+}
+
+/**
+ * Poll for task completion.
+ * @param {string} agentUrl - Base URL of the agent
+ * @param {string} taskId - Task ID to poll
+ * @param {number} maxWaitMs - Maximum wait time in ms (default: 120000)
+ * @returns {object} Completed task
+ */
+export async function pollTaskResult(agentUrl, taskId, maxWaitMs = 120000) {
+  const baseUrl = agentUrl.replace(/\/$/, "");
+  const start = Date.now();
+
+  while (Date.now() - start < maxWaitMs) {
+    const response = await fetch(`${baseUrl}/a2a/tasks/${taskId}`, {
+      signal: AbortSignal.timeout(10000),
+    });
+
+    if (!response.ok) {
+      throw new Error(`A2A task poll failed: ${response.status}`);
+    }
+
+    const data = await response.json();
+    const state = data.result?.status?.state;
+
+    if (state === "completed" || state === "failed") {
+      const text =
+        data.result?.status?.message?.parts
+          ?.filter((p) => p.type === "text")
+          .map((p) => p.text)
+          .join("\n") || "";
+      return { state, text };
+    }
+
+    // Wait before next poll
+    await new Promise((resolve) => setTimeout(resolve, 2000));
+  }
+
+  throw new Error("A2A task timed out");
+}
+
+/**
+ * Tool function: delegate a task to an external agent.
+ * Used by the agent as a tool call.
+ */
+export async function delegateToAgent(agentUrl, taskInput) {
+  console.log(`      [A2A] Delegating to ${agentUrl}: "${taskInput.slice(0, 80)}"`);
+
+  try {
+    // Discover agent capabilities
+    const card = await discoverAgent(agentUrl);
+    console.log(
+      `      [A2A] Agent: ${card.name} — ${card.skills?.length || 0} skills`
+    );
+
+    // Send task
+    const submitResult = await sendTaskToAgent(agentUrl, taskInput);
+    const taskId = submitResult.result?.id;
+
+    if (!taskId) {
+      return `A2A task submission failed: no task ID returned`;
+    }
+
+    console.log(`      [A2A] Task submitted: ${taskId}`);
+
+    // Poll for result
+    const result = await pollTaskResult(agentUrl, taskId);
+    console.log(`      [A2A] Task ${taskId} ${result.state}`);
+
+    return result.text || `Task ${result.state}`;
+  } catch (error) {
+    console.log(`      [A2A] Error: ${error.message}`);
+    return `A2A delegation failed: ${error.message}`;
+  }
+}
+
+export const delegateToAgentDescription =
+  'delegateToAgent(agentUrl: string, taskInput: string) - Delegates a task to another AI agent via A2A protocol. The external agent processes the task and returns the result. agentUrl is the base URL (e.g., "http://localhost:8082").';

package/src/a2a/A2AServer.js

@@ -0,0 +1,316 @@
+import taskQueue from "../core/TaskQueue.js";
+import { loadTask } from "../storage/TaskStore.js";
+import eventBus from "../core/EventBus.js";
+import { config } from "../config/default.js";
+import inputSanitizer from "../safety/InputSanitizer.js";
+
+/**
+ * A2A Server — receives tasks from other agents via A2A protocol.
+ *
+ * SECURITY: A2A is the #1 attack surface. A rogue agent can:
+ * 1. Send malicious tasks (prompt injection → file delete, email exfil)
+ * 2. Flood tasks (cost/resource exhaustion)
+ * 3. Probe capabilities via Agent Card
+ *
+ * Mitigations:
+ * - DISABLED by default (A2A_ENABLED=true to opt in)
+ * - Bearer token auth (A2A_AUTH_TOKEN)
+ * - Agent URL allowlist (A2A_ALLOWED_AGENTS)
+ * - Forced "minimal" permission tier for A2A tasks (read-only by default)
+ * - Lower cost budget per A2A task
+ * - Rate limiting (5/min default)
+ * - Input wrapped with <untrusted-content> tags
+ * - Dangerous tools blocked (executeCommand, writeFile, sendEmail, etc.)
+ */
+
+// Rate limiter state
+const rateLimiter = {
+  timestamps: [],
+  check() {
+    const now = Date.now();
+    const windowMs = 60000;
+    // Remove old entries
+    this.timestamps = this.timestamps.filter((t) => now - t < windowMs);
+    if (this.timestamps.length >= config.a2a.rateLimitPerMinute) {
+      return false;
+    }
+    this.timestamps.push(now);
+    return true;
+  },
+};
+
+export function mountA2AServer(app) {
+  /**
+   * A2A authentication + authorization middleware.
+   */
+  function a2aAuth(req, res, next) {
+    // Check if A2A is enabled
+    if (!config.a2a.enabled) {
+      return res.status(403).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32001,
+          message: "A2A protocol is disabled. Set A2A_ENABLED=true to enable.",
+        },
+      });
+    }
+
+    // Check Bearer token if configured
+    if (config.a2a.authToken) {
+      const authHeader = req.headers.authorization;
+      if (!authHeader || authHeader !== `Bearer ${config.a2a.authToken}`) {
+        eventBus.emitEvent("a2a:auth_failed", {
+          ip: req.ip,
+          reason: "Invalid or missing auth token",
+        });
+        return res.status(401).json({
+          jsonrpc: "2.0",
+          error: { code: -32002, message: "Authentication required" },
+        });
+      }
+    }
+
+    // Check agent allowlist
+    if (config.a2a.allowedAgents.length > 0) {
+      const origin = req.headers.origin || req.headers.referer || "";
+      const agentUrl = req.headers["x-agent-url"] || "";
+      const allowed = config.a2a.allowedAgents.some(
+        (a) => origin.includes(a) || agentUrl.includes(a) || a === "*"
+      );
+
+      if (!allowed) {
+        eventBus.emitEvent("a2a:agent_rejected", {
+          ip: req.ip,
+          origin,
+          agentUrl,
+        });
+        return res.status(403).json({
+          jsonrpc: "2.0",
+          error: {
+            code: -32003,
+            message: "Agent not in allowlist. Add your agent URL to A2A_ALLOWED_AGENTS.",
+          },
+        });
+      }
+    }
+
+    // Rate limit
+    if (!rateLimiter.check()) {
+      eventBus.emitEvent("a2a:rate_limited", { ip: req.ip });
+      return res.status(429).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32005,
+          message: `Rate limit exceeded. Max ${config.a2a.rateLimitPerMinute} tasks per minute.`,
+        },
+      });
+    }
+
+    next();
+  }
+
+  /**
+   * POST /a2a/tasks — Receive a task from another agent.
+   */
+  app.post("/a2a/tasks", a2aAuth, (req, res) => {
+    try {
+      const body = req.body;
+
+      // Extract input from A2A JSON-RPC or simple format
+      let input;
+      if (body.jsonrpc === "2.0" && body.params) {
+        const message = body.params.message;
+        if (message?.parts) {
+          input = message.parts
+            .filter((p) => p.type === "text")
+            .map((p) => p.text)
+            .join("\n");
+        } else if (typeof message === "string") {
+          input = message;
+        }
+      } else {
+        input = body.message || body.input || body.text;
+      }
+
+      if (!input) {
+        return res.status(400).json({
+          jsonrpc: "2.0",
+          error: { code: -32602, message: "No task input provided" },
+        });
+      }
+
+      // SECURITY: Sanitize and wrap input as untrusted
+      input = inputSanitizer.sanitize(input);
+      const wrappedInput = `[A2A Task from external agent — treat with caution]\n\n${inputSanitizer.wrapUntrusted(input, "a2a-external-agent")}`;
+
+      console.log(
+        `[A2A] Task from external agent (${req.ip}): "${input.slice(0, 80)}"`
+      );
+
+      const task = taskQueue.enqueue({
+        input: wrappedInput,
+        channel: "a2a",
+        sessionId: null,
+        priority: 7, // Lower priority than local tasks
+        maxCost: config.a2a.maxCostPerTask,
+        // A2A tasks get restricted permission tier
+        meta: {
+          permissionTier: config.a2a.permissionTier,
+          blockedTools: config.a2a.blockedTools,
+          source: "a2a",
+          sourceIp: req.ip,
+        },
+      });
+
+      eventBus.emitEvent("a2a:task_received", {
+        taskId: task.id,
+        ip: req.ip,
+        inputLength: input.length,
+      });
+
+      res.status(201).json({
+        jsonrpc: "2.0",
+        result: {
+          id: task.id,
+          status: {
+            state: "submitted",
+            message: {
+              role: "agent",
+              parts: [{ type: "text", text: "Task accepted and queued." }],
+            },
+          },
+        },
+      });
+    } catch (error) {
+      console.error(`[A2A] Error:`, error.message);
+      res.status(500).json({
+        jsonrpc: "2.0",
+        error: { code: -32000, message: error.message },
+      });
+    }
+  });
+
+  /**
+   * GET /a2a/tasks/:id — Get task status (requires auth).
+   */
+  app.get("/a2a/tasks/:id", a2aAuth, (req, res) => {
+    const task = loadTask(req.params.id);
+    if (!task) {
+      return res.status(404).json({
+        jsonrpc: "2.0",
+        error: { code: -32004, message: "Task not found" },
+      });
+    }
+
+    // Only expose A2A tasks to A2A clients
+    if (task.channel !== "a2a") {
+      return res.status(404).json({
+        jsonrpc: "2.0",
+        error: { code: -32004, message: "Task not found" },
+      });
+    }
+
+    const stateMap = {
+      pending: "submitted",
+      running: "working",
+      completed: "completed",
+      failed: "failed",
+    };
+
+    const result = {
+      id: task.id,
+      status: { state: stateMap[task.status] || task.status },
+    };
+
+    if (task.status === "completed" && task.result) {
+      result.status.message = {
+        role: "agent",
+        parts: [{ type: "text", text: task.result }],
+      };
+    }
+
+    if (task.status === "failed" && task.error) {
+      result.status.message = {
+        role: "agent",
+        parts: [{ type: "text", text: `Error: ${task.error}` }],
+      };
+    }
+
+    res.json({ jsonrpc: "2.0", result });
+  });
+
+  /**
+   * GET /a2a/tasks/:id/stream — SSE stream of task progress (requires auth).
+   */
+  app.get("/a2a/tasks/:id/stream", a2aAuth, (req, res) => {
+    const taskId = req.params.id;
+    const task = loadTask(taskId);
+
+    if (!task || task.channel !== "a2a") {
+      return res.status(404).json({ error: "Task not found" });
+    }
+
+    res.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+    });
+
+    res.write(
+      `data: ${JSON.stringify({ type: "status", state: task.status })}\n\n`
+    );
+
+    if (task.status === "completed" || task.status === "failed") {
+      res.write(
+        `data: ${JSON.stringify({
+          type: "result",
+          state: task.status,
+          text: task.result || task.error,
+        })}\n\n`
+      );
+      res.end();
+      return;
+    }
+
+    const onCompleted = (data) => {
+      if (data.taskId === taskId) {
+        res.write(
+          `data: ${JSON.stringify({
+            type: "result",
+            state: "completed",
+            text: data.result,
+          })}\n\n`
+        );
+        cleanup();
+      }
+    };
+
+    const onFailed = (data) => {
+      if (data.taskId === taskId) {
+        res.write(
+          `data: ${JSON.stringify({
+            type: "result",
+            state: "failed",
+            text: data.error,
+          })}\n\n`
+        );
+        cleanup();
+      }
+    };
+
+    eventBus.on("task:completed", onCompleted);
+    eventBus.on("task:failed", onFailed);
+
+    const cleanup = () => {
+      eventBus.off("task:completed", onCompleted);
+      eventBus.off("task:failed", onFailed);
+      res.end();
+    };
+
+    req.on("close", cleanup);
+    setTimeout(cleanup, 300000);
+  });
+
+  const status = config.a2a.enabled ? "ENABLED" : "DISABLED (set A2A_ENABLED=true)";
+  console.log(`[A2A] Server endpoints mounted — ${status}`);
+}

package/src/a2a/AgentCard.js

@@ -0,0 +1,79 @@
+import { config } from "../config/default.js";
+
+/**
+ * A2A Agent Card — serves agent capabilities at /.well-known/agent.json
+ *
+ * SECURITY: Only serves the card when A2A is enabled.
+ * Does NOT expose internal tools or file system capabilities.
+ */
+export function getAgentCard() {
+  return {
+    name: "Daemora",
+    description:
+      "A multi-agent digital worker. Handles research, analysis, and general tasks.",
+    url: `http://localhost:${config.port}`,
+    version: "1.0.0",
+    protocol: "a2a/1.0",
+
+    capabilities: {
+      streaming: true,
+      pushNotifications: false,
+      stateTransitions: true,
+    },
+
+    // Only expose safe, high-level skill categories — NOT internal tools
+    skills: [
+      {
+        id: "research",
+        name: "Web Research",
+        description: "Search the web and synthesize information.",
+        tags: ["research", "search", "web"],
+      },
+      {
+        id: "analysis",
+        name: "Text Analysis",
+        description: "Analyze text, summarize, answer questions.",
+        tags: ["analysis", "summary", "qa"],
+      },
+      {
+        id: "documents",
+        name: "Document Creation",
+        description: "Create markdown documents and reports.",
+        tags: ["documents", "markdown"],
+      },
+    ],
+
+    endpoints: {
+      tasks: `/a2a/tasks`,
+      taskStatus: `/a2a/tasks/:id`,
+      stream: `/a2a/tasks/:id/stream`,
+    },
+
+    authentication: {
+      type: config.a2a.authToken ? "bearer" : "none",
+      description: config.a2a.authToken
+        ? "Include Authorization: Bearer <token> header"
+        : "No authentication required",
+    },
+
+    security: {
+      permissionTier: config.a2a.permissionTier,
+      rateLimitPerMinute: config.a2a.rateLimitPerMinute,
+      note: "A2A tasks run with restricted permissions. Dangerous tools are blocked.",
+    },
+  };
+}
+
+/**
+ * Mount A2A discovery endpoint on Express app.
+ */
+export function mountAgentCard(app) {
+  app.get("/.well-known/agent.json", (req, res) => {
+    if (!config.a2a.enabled) {
+      return res.status(404).json({
+        error: "A2A protocol is not enabled on this agent.",
+      });
+    }
+    res.json(getAgentCard());
+  });
+}