daemora 1.0.10 → 1.0.11

package/daemora-ui/dist/index.html

@@ -7,8 +7,8 @@
     <meta name="theme-color" content="#0a0a0f" />
     <meta name="description" content="Daemora — Self-hosted AI agent platform" />
     <title>Daemora</title>
-    <script type="module" crossorigin src="/assets/index-D7W1-PNQ.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-DzMLJeoL.css">
+    <script type="module" crossorigin src="/assets/index-ZiuOJUu0.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-BkPHvKYt.css">
   </head>
   <body>
     <div id="root"></div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "daemora",
-  "version": "1.0.10",
+  "version": "1.0.11",
   "description": "A powerful open-source AI agent that runs on your machine. Connects to any AI model, any MCP server, any channel. Fully autonomous - plans, codes, tests, browses, emails, and manages your tools without asking permission.",
   "main": "src/index.js",
   "bin": {

package/skills/planning.md

@@ -0,0 +1,168 @@
+---
+name: planning
+description: Task planning for any complex work — coding, research, communication, automation. Decide when to plan vs just do, break into steps, get user confirmation before executing.
+triggers: plan, planning, design, architect, approach, strategy, implement, big task, complex task, multi-step, think through, break down, figure out, how should, what approach, steps, workflow
+---
+
+# Planning — Think Before You Act
+
+## When to Plan vs Just Do It
+
+**Plan first** when ANY of these apply:
+- **Multiple steps required** — the task needs 3+ distinct actions to complete.
+- **Multiple valid approaches** — the task can be solved several ways. Pick the right one first.
+- **Unclear scope** — you need to explore or research before understanding the full extent of work.
+- **User preferences matter** — the outcome could go multiple reasonable directions.
+- **High stakes** — mistakes are costly to undo (emails sent, files restructured, data transformed).
+- **Multi-agent work** — the task needs parallel or sequential agent coordination.
+- **New feature or system change** — adding meaningful new functionality or modifying existing behavior.
+- **Multi-file code changes** — the task will touch 3+ files. Map out which files and what changes.
+- **Architectural decisions** — choosing between patterns, libraries, data models, or technologies.
+
+**Skip planning** — do it directly:
+- Single-action tasks (send one email, fetch one page, fix a typo).
+- Tasks where the user gave very specific, detailed instructions.
+- Quick lookups, simple questions, casual conversation.
+- Few-line code fixes with obvious solutions.
+
+**When in doubt → plan.** The cost of planning is low. The cost of rework is high.
+
+## Planning Workflow
+
+1. **Explore** — gather context. Read files, search the web, check memory, review conversation history. Understand the current state before deciding what to change.
+2. **Identify the approach** — what needs to happen, in what order, using what tools/agents. Consider alternatives and pick the best one.
+3. **Break into steps** — ordered list of concrete actions. Each step = one verifiable outcome. Keep it short — a list of actions, not an essay.
+4. **Present the plan to the user** — before executing, tell the user what you're about to do and ask for confirmation. This prevents wasted effort and ensures alignment. Format: numbered list of concrete actions, not vague descriptions.
+5. **Execute on confirmation** — work through each step. Verify after each one.
+
+## User Confirmation
+
+**Always confirm before executing a complex plan.** Present the plan clearly and ask:
+- "Here's my plan — want me to go ahead?"
+- List the concrete steps so the user can see what will happen.
+- If the user adjusts, update the plan and confirm again.
+- Only skip confirmation for simple tasks that don't need planning.
+
+This is non-negotiable for complex work. The user should always know what's about to happen before it happens.
+
+## Exploration by Task Type
+
+**Code tasks:**
+- Find files — `glob("src/**/*.ts")`, `searchFiles("*.controller.*")` to map the structure.
+- Find patterns — `searchContent("export function", "src/")`, `grep("interface.*Props")` to see conventions.
+- Read key files — entry points, related components, tests, configs.
+- Check dependencies — what libraries, APIs, patterns are established.
+
+**Research tasks:**
+- Web search for current information on the topic.
+- Fetch and read actual pages — don't stop at summaries.
+- Check memory for previous findings on the same topic.
+- Cross-reference multiple sources for anything important.
+
+**Communication tasks:**
+- Review conversation history for context and tone.
+- Check memory for user preferences (writing style, contacts, templates).
+- Identify all recipients, attachments, and follow-up actions needed.
+
+**Automation / workflow tasks:**
+- Map the full workflow end-to-end before automating any step.
+- Identify dependencies between steps.
+- Check what tools, APIs, and MCP servers are available.
+
+3-5 targeted explorations is usually enough. Get the lay of the land, then plan.
+
+## What a Good Plan Looks Like
+
+A plan is a short ordered list of concrete actions:
+
+**Coding example:**
+```
+1. Add FooService class in src/services/foo.ts — handles X with methods Y, Z
+2. Update src/routes/api.ts — add GET /api/foo endpoint, wire to FooService
+3. Add tests in tests/foo.test.ts — cover happy path + error cases
+4. Run build + tests, fix any failures
+```
+
+**Research example:**
+```
+1. Search web for latest pricing on X, Y, Z services
+2. Fetch each provider's pricing page, extract plan details
+3. Compare features and costs in a structured table
+4. Save findings to memory for future reference
+```
+
+**Workflow example:**
+```
+1. Fetch all invoices from email (last 30 days)
+2. Extract amounts, dates, vendors from each
+3. Create summary spreadsheet in workspace
+4. Send summary to user via email
+```
+
+NOT:
+```
+First, I'll think about what to do. Then I'll consider the options.
+After that, I'll figure out the best approach. Finally, I'll do everything.
+```
+
+Each step should be specific enough to hand to someone with zero context.
+
+## Planning Multi-Agent Work
+
+Any task that spawns agents — `spawnAgent`, `parallelAgents`, `useMCP` — is multi-agent work. MCP tasks are spawned agent tasks. Plan them the same way.
+
+### Agent Isolation — Non-Negotiable
+- Each agent operates in its own context. No shared memory, no shared state, no implicit communication.
+- Agents must NOT touch files, paths, or resources owned by another agent. Define boundaries upfront.
+- If two agents need the same data, pass it explicitly via `sharedContext` or workspace files. Never assume one agent can read another's output unless the plan says so.
+- MCP agents (`useMCP`) get ONLY that server's tools. They cannot access files, shell, or other MCP servers. Plan accordingly — don't expect an MCP agent to do something outside its server's scope.
+
+### Contract-Based Planning
+Before spawning any agents, define the contract:
+1. **Inputs** — what each agent receives. Exact data, file paths, specs. Paste the actual content into the brief — don't reference it.
+2. **Outputs** — what each agent produces. File paths, data shapes, expected format.
+3. **Boundaries** — what each agent is NOT allowed to touch. Files, directories, APIs outside its scope.
+4. **Dependencies** — does agent B need output from agent A? Yes → sequential. No → parallel.
+5. **Profiles** — coder for code, researcher for research, writer for docs, analyst for data.
+
+### MCP as Spawned Agents
+- `useMCP(serverName, taskDescription)` spawns a specialist agent with ONLY that MCP server's tools.
+- The specialist has ZERO context beyond the task description you write. Include everything: what to do, all details, full content, background context.
+- Plan MCP calls like any other agent spawn — define inputs, expected outputs, and what happens with the result.
+- Multiple MCP calls to different servers can run in parallel if they don't depend on each other.
+
+### Preventing Cross-Agent Impact
+- Never let two agents write to the same file. Split by file or by section with clear ownership.
+- Never let an agent modify global state (env vars, configs, databases) without the plan explicitly calling for it.
+- Use workspace directories (`data/workspaces/{id}/`) as artifact stores. Each agent writes to its own path within the workspace.
+- After all agents finish, the parent synthesizes results. Agents never directly consume each other's output during execution.
+
+Load `readFile("skills/orchestration.md")` for full multi-agent coordination patterns, error recovery, and structured return conventions.
+
+## Tracking Complex Work
+
+For multi-step work, use `projectTracker("createProject")` to persist the plan:
+- Mark tasks `in_progress` before starting, `done` with notes when finished.
+- If interrupted → `projectTracker("listProjects")` to find and resume.
+- Workspace files survive crashes — work is never lost.
+
+## Re-Assessment
+
+If you're 3+ steps into execution and:
+- The approach isn't working as expected
+- You discovered something that changes the requirements
+- The scope is larger than initially estimated
+
+**Stop. Re-read the original request. Re-plan from current state.** Don't push through a broken plan. If the new plan differs significantly, confirm with the user again.
+
+## Planning Checklist
+
+Before executing, verify:
+- [ ] Gathered enough context (files, web, memory, conversation)
+- [ ] Identified the best approach from available options
+- [ ] Steps are ordered (dependencies resolved)
+- [ ] Each step has a clear, verifiable outcome
+- [ ] User has confirmed the plan (for complex work)
+- [ ] Edge cases and potential failures considered
+- [ ] Multi-agent tasks: contracts defined, boundaries set, no shared-file conflicts
+- [ ] MCP tasks: task descriptions are self-contained, expected outputs specified

package/src/agents/systemPrompt.js

@@ -162,7 +162,7 @@ You MUST respond with a JSON object matching this exact schema on every turn:
 - Task complete and verified → concise outcome in 1-3 sentences. finalResponse = true.
 
 ## Task execution rules
-1. Action requests → start with a tool call immediately.
+1. **Decide: plan or just do it.** Simple task (single action, clear instructions, quick fix) → start immediately with a tool call. Complex task (3+ steps, multiple approaches, unclear scope, high stakes, multi-agent, new feature, multi-file changes) → load the planning skill first (\`readFile("skills/planning.md")\`), gather context, break into steps, **present the plan to the user and get confirmation before executing**. When in doubt → plan. The cost of planning is low; the cost of rework is high.
 2. Chain multiple tool calls. After each result: need more? Call another. Done? Verify first, then finalize.
 3. After writing/editing any file, read it back to verify.
 4. After code changes, run build/tests. Fix failures until clean.
@@ -170,6 +170,7 @@ You MUST respond with a JSON object matching this exact schema on every turn:
 6. Never give up. Never ask the user to do it manually. Never report a problem without attempting to solve it.
 7. Never claim you did something without actually calling the tool.
 8. Never set finalResponse=true while errors or failures exist.
+9. If 3+ steps into execution and something doesn't add up → stop, re-read the request, re-plan from current state.
 
 ## Understanding user intent
 - Read the full request carefully. Identify exactly what the user wants done.

package/src/cli.js

@@ -871,10 +871,18 @@ function handleSandbox(action, args) {
         console.error(`\n  ${S.cross}  Usage: daemora sandbox add ${t.dim("<absolute-path>")}\n`);
         process.exit(1);
       }
-      if (!newPath.startsWith("/") && !newPath.match(/^[A-Za-z]:\\/)) {
+      if (!newPath.startsWith("/") && !newPath.match(/^[A-Za-z]:[\\\/]/)) {
         console.error(`\n  ${S.cross}  Path must be absolute (start with / or C:\\)\n`);
         process.exit(1);
       }
+      if (/[\x00-\x1f]/.test(newPath) || newPath.includes("\0")) {
+        console.error(`\n  ${S.cross}  Path must not contain control characters or null bytes.\n`);
+        process.exit(1);
+      }
+      if (/(^|[\\/])\.\.([\\/]|$)/.test(newPath)) {
+        console.error(`\n  ${S.cross}  Path must not contain ".." traversal.\n`);
+        process.exit(1);
+      }
       const updated = [...new Set([...allowedPaths, newPath])];
       writeEnvKey("ALLOWED_PATHS", updated.join(","));
       console.log(`\n${header}  ${S.check}  ${t.bold(newPath)} added to allowed paths.`);
@@ -909,6 +917,10 @@ function handleSandbox(action, args) {
         console.error(`\n  ${S.cross}  Usage: daemora sandbox block ${t.dim("<absolute-path>")}\n`);
         process.exit(1);
       }
+      if (/[\x00-\x1f]/.test(blockPath) || /(^|[\\/])\.\.([\\/]|$)/.test(blockPath)) {
+        console.error(`\n  ${S.cross}  Invalid path — no control characters or ".." traversal allowed.\n`);
+        process.exit(1);
+      }
       const updated = [...new Set([...blockedPaths, blockPath])];
       writeEnvKey("BLOCKED_PATHS", updated.join(","));
       console.log(`\n${header}  ${S.check}  ${t.bold(blockPath)} added to blocked paths.\n`);
@@ -972,15 +984,24 @@ async function handleTenant(action, args) {
   const port = process.env.PORT || "8081";
   const base = `http://localhost:${port}`;
 
+  // Read auth token for API calls
+  const tokenPath = join(config.dataDir, "auth-token");
+  const authToken = existsSync(tokenPath) ? readFileSync(tokenPath, "utf-8").trim() : "";
+
   async function apiCall(method, path, body) {
     const { default: http } = await import("http");
+    // Ensure path starts with /api/
+    const apiPath = path.startsWith("/api/") ? path : `/api${path}`;
     return new Promise((resolve, reject) => {
       const opts = {
         hostname: "localhost",
         port: parseInt(port),
-        path,
+        path: apiPath,
         method,
-        headers: { "Content-Type": "application/json" },
+        headers: {
+          "Content-Type": "application/json",
+          ...(authToken ? { "Authorization": `Bearer ${authToken}` } : {}),
+        },
       };
       const req = http.request(opts, (res) => {
         let data = "";
@@ -1285,9 +1306,100 @@ async function handleTenant(action, args) {
       break;
     }
 
+    case "workspace": {
+      // daemora tenant workspace <tenantId>                 — show paths
+      // daemora tenant workspace <tenantId> add <path>      — add to allowedPaths
+      // daemora tenant workspace <tenantId> remove <path>   — remove from allowedPaths
+      // daemora tenant workspace <tenantId> block <path>    — add to blockedPaths
+      // daemora tenant workspace <tenantId> unblock <path>  — remove from blockedPaths
+      const [tenantId, wsAction, wsPath] = args;
+      if (!tenantId) {
+        console.error(`\n  ${S.cross}  Usage: daemora tenant workspace ${t.dim("<tenantId> [add|remove|block|unblock] [path]")}\n`);
+        process.exit(1);
+      }
+
+      const { default: tm } = await import("./tenants/TenantManager.js");
+      const tenant = tm.get(tenantId);
+      if (!tenant) {
+        console.error(`\n  ${S.cross}  Tenant "${tenantId}" not found.\n`);
+        process.exit(1);
+      }
+
+      if (!wsAction) {
+        // Show current workspace paths
+        console.log(header);
+        console.log(`  ${S.bar}  Tenant         ${t.bold(tenantId)}`);
+        console.log(`  ${S.bar}  Workspace      ${t.dim(tm.getWorkspace(tenantId))}`);
+        const allowed = tenant.allowedPaths || [];
+        const blocked = tenant.blockedPaths || [];
+        if (allowed.length > 0) {
+          console.log(`  ${S.bar}  Allowed paths:`);
+          for (const p of allowed) console.log(`  ${S.bar}    ${S.check}  ${p}`);
+        } else {
+          console.log(`  ${S.bar}  Allowed paths  ${t.muted("(none — uses global or workspace default)")}`);
+        }
+        if (blocked.length > 0) {
+          console.log(`  ${S.bar}  Blocked paths:`);
+          for (const p of blocked) console.log(`  ${S.bar}    ${S.cross}  ${p}`);
+        } else {
+          console.log(`  ${S.bar}  Blocked paths  ${t.muted("(none)")}`);
+        }
+        console.log("");
+        break;
+      }
+
+      // Validate path is absolute
+      if (["add", "remove", "block", "unblock"].includes(wsAction)) {
+        if (!wsPath) {
+          console.error(`\n  ${S.cross}  Usage: daemora tenant workspace ${tenantId} ${wsAction} ${t.dim("<absolute-path>")}\n`);
+          process.exit(1);
+        }
+        if (!wsPath.startsWith("/") && !/^[A-Za-z]:\\/.test(wsPath)) {
+          console.error(`\n  ${S.cross}  Path must be absolute (start with / or C:\\)\n`);
+          process.exit(1);
+        }
+      }
+
+      try {
+        if (wsAction === "add") {
+          const updated = [...new Set([...(tenant.allowedPaths || []), wsPath])];
+          tm.set(tenantId, { allowedPaths: updated });
+          console.log(`\n${header}  ${S.check}  ${t.bold(wsPath)} added to allowedPaths for ${t.bold(tenantId)}\n`);
+        } else if (wsAction === "remove") {
+          const updated = (tenant.allowedPaths || []).filter(p => p !== wsPath);
+          if (updated.length === (tenant.allowedPaths || []).length) {
+            console.error(`\n  ${S.cross}  "${wsPath}" not found in allowedPaths.\n`);
+            process.exit(1);
+          }
+          tm.set(tenantId, { allowedPaths: updated });
+          console.log(`\n${header}  ${S.check}  ${t.bold(wsPath)} removed from allowedPaths for ${t.bold(tenantId)}\n`);
+        } else if (wsAction === "block") {
+          const updated = [...new Set([...(tenant.blockedPaths || []), wsPath])];
+          tm.set(tenantId, { blockedPaths: updated });
+          console.log(`\n${header}  ${S.check}  ${t.bold(wsPath)} added to blockedPaths for ${t.bold(tenantId)}\n`);
+        } else if (wsAction === "unblock") {
+          const updated = (tenant.blockedPaths || []).filter(p => p !== wsPath);
+          if (updated.length === (tenant.blockedPaths || []).length) {
+            console.error(`\n  ${S.cross}  "${wsPath}" not found in blockedPaths.\n`);
+            process.exit(1);
+          }
+          tm.set(tenantId, { blockedPaths: updated });
+          console.log(`\n${header}  ${S.check}  ${t.bold(wsPath)} removed from blockedPaths for ${t.bold(tenantId)}\n`);
+        } else {
+          console.error(`\n  ${S.cross}  Unknown workspace action: ${wsAction}`);
+          console.log(`  ${t.muted("Usage:")} daemora tenant workspace ${t.dim("<id> [add|remove|block|unblock] <path>")}\n`);
+          process.exit(1);
+        }
+      } catch (err) {
+        console.error(`\n  ${S.cross}  ${err.message}\n`);
+        process.exit(1);
+      }
+      break;
+    }
+
     default:
       console.error(`\n  ${S.cross}  Unknown tenant command: ${action || "(none)"}`);
-      console.log(`  ${t.muted("Usage:")} daemora tenant ${t.dim("[list|show|set|plan|suspend|unsuspend|reset|delete|apikey|channel]")}\n`);
+      console.log(`  ${t.muted("Usage:")} daemora tenant ${t.dim("[list|show|set|plan|suspend|unsuspend|reset|delete|apikey|channel|workspace]")}\n`);
       process.exit(1);
   }
 }
@@ -2193,6 +2305,11 @@ ${line}
   ${t.cmd("tenant channel unset")} ${t.dim("<id> <key>")}  Remove a channel credential
   ${t.cmd("tenant channel list")} ${t.dim("<id>")}         List stored channel credential keys
   ${t.muted("  channel keys: email  email_password  resend_api_key  resend_from")}
+  ${t.cmd("tenant workspace")} ${t.dim("<id>")}             Show workspace + allowed/blocked paths
+  ${t.cmd("tenant workspace")} ${t.dim("<id> add <path>")}  Add path to tenant's allowedPaths
+  ${t.cmd("tenant workspace")} ${t.dim("<id> remove <path>")}  Remove from allowedPaths
+  ${t.cmd("tenant workspace")} ${t.dim("<id> block <path>")}   Add to blockedPaths
+  ${t.cmd("tenant workspace")} ${t.dim("<id> unblock <path>")} Remove from blockedPaths
 
   ${t.cmd("channels")}                          List all 19 supported channels + setup status
   ${t.cmd("models")}                            List all model providers + task-type routing
@@ -2247,6 +2364,9 @@ ${line}
   ${t.dim("$")} daemora tenant channel set telegram:123 email_password xxxx-xxxx-xxxx-xxxx
   ${t.dim("$")} daemora tenant channel list telegram:123
   ${t.dim("$")} daemora tenant channel unset telegram:123 email_password
+  ${t.dim("$")} daemora tenant workspace telegram:123
+  ${t.dim("$")} daemora tenant workspace telegram:123 add /home/user/projects
+  ${t.dim("$")} daemora tenant workspace telegram:123 block /home/user/private
   ${t.dim("$")} daemora doctor
 `);
 }

package/src/index.js

@@ -784,8 +784,12 @@ app.get("/api/tenants/:id", (req, res) => {
 
 app.patch("/api/tenants/:id", (req, res) => {
   const id = decodeURIComponent(req.params.id);
-  const updated = tenantManager.set(id, req.body);
-  res.json(updated);
+  try {
+    const updated = tenantManager.set(id, req.body);
+    res.json(updated);
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
 });
 
 app.post("/api/tenants/:id/suspend", (req, res) => {

package/src/safety/CommandGuard.js

@@ -92,7 +92,28 @@ const BLOCKED_COMMANDS = [
     pattern: /\b(?:cat|less|more|head|tail)\b[^;|&\n]*(?:id_rsa|id_ed25519|id_ecdsa|\.pem|\.key)\b/i,
     reason: "Reading private key files via shell is blocked.",
   },
-  // ── 6. Agent config files (may contain plaintext MCP API keys) ────────────
+  // ── 6. Daemora CLI privilege escalation ──────────────────────────────────
+  // Agent must NEVER run daemora/aegis CLI commands — they can modify tenant
+  // config, workspace paths, API keys, sandbox rules, etc.
+  {
+    pattern: /(?:^|[;&|`]\s*)(?:daemora|aegis)\b/,
+    reason: "Running daemora/aegis CLI commands from within the agent is blocked (privilege escalation).",
+  },
+  {
+    pattern: /\bnpx\s+(?:daemora|aegis)\b/,
+    reason: "Running daemora/aegis via npx is blocked (privilege escalation).",
+  },
+  {
+    // Block: node src/cli.js, node ./src/cli.js, bash -c "daemora ..."
+    pattern: /\bnode\b[^;|&\n]*(?:cli\.js|bin\/daemora|bin\/aegis)\b/,
+    reason: "Running daemora/aegis CLI via node is blocked (privilege escalation).",
+  },
+  {
+    pattern: /\bbash\b[^;|&\n]*-c\s+['"][^'"]*(?:daemora|aegis)\b/,
+    reason: "Running daemora/aegis via bash -c is blocked (privilege escalation).",
+  },
+
+  // ── 7. Agent config files (may contain plaintext MCP API keys) ────────────
   {
     // config/mcp.json contains GITHUB_TOKEN, Bearer tokens, etc. in plaintext
     pattern: /\b(?:cat|less|more|head|tail|bat|jq|python|node)\b[^;|&\n]*config[\/\\]mcp\.json/i,

package/src/setup/theme.js

@@ -57,6 +57,7 @@ export const S = {
   bolt:    chalk.hex(P.cyan)("●"),
   eye:     chalk.hex(P.red)("◉"),
   star:    chalk.hex(P.amber)("★"),
+  info:    chalk.hex(P.teal)("◆"),
 };
 
 // ─── Gradient helpers ──────────────────────────────────────────────────────