daemora 1.0.10 → 1.0.13

package/README.md

@@ -1,11 +1,19 @@
 # Daemora
 
-**A fully autonomous, self-hosted AI agent - production-secure, multi-tenant, multi-channel.**
+<p align="center">
+  <img src="public/banner.svg" alt="Daemora — Autonomous AI Agent" width="100%" />
+</p>
 
-[![npm](https://img.shields.io/npm/v/daemora?color=black&label=npm)](https://npmjs.com/package/daemora)
-[![license](https://img.shields.io/badge/license-AGPL--3.0-black)](LICENSE)
-[![node](https://img.shields.io/badge/node-20%2B-black)](https://nodejs.org)
-[![platform](https://img.shields.io/badge/platform-macOS%20%7C%20Linux%20%7C%20Windows-black)](#)
+<p align="center">
+  <strong>A fully autonomous, self-hosted AI agent — production-secure, multi-tenant, multi-channel.</strong>
+</p>
+
+<p align="center">
+  <a href="https://npmjs.com/package/daemora"><img src="https://img.shields.io/npm/v/daemora?color=black&label=npm" alt="npm" /></a>
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-AGPL--3.0-black" alt="license" /></a>
+  <a href="https://nodejs.org"><img src="https://img.shields.io/badge/node-20%2B-black" alt="node" /></a>
+  <img src="https://img.shields.io/badge/platform-macOS%20%7C%20Linux%20%7C%20Windows-black" alt="platform" />
+</p>
 
 Daemora runs on your own machine. It connects to your messaging apps, accepts tasks in plain language, executes them autonomously with 51 built-in tools across 20 channels, and reports back - without you watching over it.
 
@@ -87,19 +95,21 @@ Unlike cloud AI assistants, nothing leaves your infrastructure except the tokens
                                   └──────────────────────────────┘
 ```
 
-### Security Architecture (10 Layers)
+### Security Architecture (12 Layers)
 
 ```
-  LAYER 1  Permission Tiers ───── minimal / standard / full
-  LAYER 2  Filesystem Sandbox ─── ALLOWED_PATHS · BLOCKED_PATHS · hardcoded blocks
-  LAYER 3  Secret Vault ────────── AES-256-GCM · scrypt key derivation · passphrase on start
-  LAYER 4  Channel Allowlists ─── per-channel user ID whitelist
-  LAYER 5  A2A Security ────────── bearer token · agent allowlist · rate limiting
-  LAYER 6  Audit Trail ─────────── append-only JSONL · secrets redacted · tenantId tagged
-  LAYER 7  Supervisor Agent ────── runaway loop detection · cost overruns · dangerous patterns
-  LAYER 8  Input Sanitisation ─── untrusted-input wrapping · prompt injection detection
-  LAYER 9  Multi-Tenant Isolation ─ AsyncLocalStorage · no cross-tenant data leakage
-  LAYER 10 Security Audit CLI ─── daemora doctor · 8 checks · scored output
+  LAYER 1   Permission Tiers ────── minimal / standard / full
+  LAYER 2   Filesystem Sandbox ──── ALLOWED_PATHS · BLOCKED_PATHS · hardcoded blocks · per-tenant workspace isolation
+  LAYER 3   Secret Vault ─────────── AES-256-GCM · scrypt key derivation · passphrase on start
+  LAYER 4   Channel Allowlists ──── per-channel user ID whitelist
+  LAYER 5   A2A Security ─────────── bearer token · agent allowlist · rate limiting
+  LAYER 6   Audit Trail ──────────── append-only JSONL · secrets redacted · tenantId tagged
+  LAYER 7   Supervisor Agent ─────── runaway loop detection · cost overruns · dangerous patterns
+  LAYER 8   Input Sanitisation ──── untrusted-input wrapping · prompt injection detection
+  LAYER 9   Multi-Tenant Isolation ─ AsyncLocalStorage · no cross-tenant data leakage
+  LAYER 10  Security Audit CLI ──── daemora doctor · 8 checks · scored output
+  LAYER 11  Command Guard ─────────── blocks env dumps · .env reads · credential exfil · CLI privilege escalation
+  LAYER 12  Tool Filesystem Guard ── all 18 file-touching tools enforce checkRead/checkWrite
 ```
 
 ---
@@ -218,7 +228,7 @@ sequenceDiagram
 
 ```bash
 npm install -g daemora
-daemora setup      # interactive wizard (9 steps) - models, channels, cleanup, vault, MCP
+daemora setup      # interactive wizard (11 steps) - models, channels, tools, cleanup, vault, MCP, multi-tenant
 daemora start      # start the agent
 ```
 
@@ -319,7 +329,8 @@ Enable only what you need. Each channel supports `{CHANNEL}_ALLOWLIST` and `{CHA
 | **WhatsApp** | `TWILIO_ACCOUNT_SID`, `TWILIO_AUTH_TOKEN`, `TWILIO_WHATSAPP_FROM` |
 | **Discord** | `DISCORD_BOT_TOKEN` |
 | **Slack** | `SLACK_BOT_TOKEN`, `SLACK_APP_TOKEN` |
-| **Email** | `EMAIL_USER`, `EMAIL_PASSWORD`, `EMAIL_IMAP_HOST`, `EMAIL_SMTP_HOST` |
+| **Email (Resend)** | `RESEND_API_KEY`, `RESEND_FROM` |
+| **Email (IMAP/SMTP)** | `EMAIL_USER`, `EMAIL_PASSWORD`, `EMAIL_IMAP_HOST`, `EMAIL_SMTP_HOST` |
 | **LINE** | `LINE_CHANNEL_ACCESS_TOKEN`, `LINE_CHANNEL_SECRET` |
 | **Signal** | `SIGNAL_CLI_PATH`, `SIGNAL_PHONE_NUMBER` |
 | **Microsoft Teams** | `TEAMS_APP_ID`, `TEAMS_APP_PASSWORD` |
@@ -352,6 +363,11 @@ ALLOWED_PATHS=/home/user/work      # Sandbox: restrict file access to these dire
 BLOCKED_PATHS=/home/user/.secrets  # Always block these, even inside allowed paths
 RESTRICT_COMMANDS=true             # Block shell commands referencing paths outside sandbox
 
+# Multi-tenant mode
+MULTI_TENANT_ENABLED=true          # Enable per-user isolation
+AUTO_REGISTER_TENANTS=true         # Auto-create tenants on first message
+TENANT_ISOLATE_FILESYSTEM=true     # Tenant temp files → data/tenants/{id}/workspace/
+
 # Per-tenant API key encryption (required for production multi-tenant mode)
 # Generate: openssl rand -hex 32
 DAEMORA_TENANT_KEY=
@@ -473,6 +489,13 @@ daemora tenant plan telegram:123 pro
 # Store a tenant's own OpenAI key (AES-256-GCM encrypted at rest)
 daemora tenant apikey set telegram:123 OPENAI_API_KEY sk-their-key
 
+# Manage per-tenant workspace paths
+daemora tenant workspace telegram:123                  # Show workspace paths
+daemora tenant workspace telegram:123 add /home/user   # Add to allowedPaths
+daemora tenant workspace telegram:123 remove /home/user
+daemora tenant workspace telegram:123 block /secrets   # Add to blockedPaths
+daemora tenant workspace telegram:123 unblock /secrets
+
 # Suspend a user
 daemora tenant suspend telegram:123 "Exceeded usage policy"
 ```
@@ -483,7 +506,7 @@ Per-tenant isolation:
 |---|---|
 | Memory | `data/tenants/{id}/MEMORY.md` - never shared across users |
 | Sessions | Persistent per-user sessions + per-sub-agent sessions (`userId--coder`, `userId--researcher`) |
-| Filesystem | `allowedPaths` and `blockedPaths` scoped per user |
+| Filesystem | `allowedPaths` and `blockedPaths` scoped per user. `TENANT_ISOLATE_FILESYSTEM=true` → temp files in `data/tenants/{id}/workspace/` |
 | API keys | AES-256-GCM encrypted; passed through call stack, never via `process.env` |
 | Cost tracking | Per-tenant daily cost recorded in audit log |
 | MCP servers | `mcpServers` field restricts which servers a tenant can call |
@@ -504,7 +527,9 @@ daemora doctor
 | Feature | Description |
 |---|---|
 | **Permission tiers** | `minimal` / `standard` / `full` - controls which tools the agent can call |
-| **Filesystem sandbox** | Directory scoping via `ALLOWED_PATHS`, hardcoded blocks for `.ssh`, `.env`, `.aws` |
+| **Filesystem sandbox** | Directory scoping via `ALLOWED_PATHS`, hardcoded blocks for `.ssh`, `.env`, `.aws`. All 18 file-touching tools enforce FilesystemGuard |
+| **Tenant workspace isolation** | `TENANT_ISOLATE_FILESYSTEM=true` → each tenant's temp files go to `data/tenants/{id}/workspace/` |
+| **Command guard** | Blocks env dumps, `.env` reads, credential exfiltration, CLI privilege escalation (daemora/aegis commands) |
 | **Secret vault** | AES-256-GCM encrypted secrets, passphrase required on start |
 | **Channel allowlists** | Per-channel user ID whitelist - blocks unknown senders |
 | **Secret scanning** | Redacts API keys and tokens from tool output before the model sees them |
@@ -599,6 +624,11 @@ daemora tenant unsuspend <id>    Unsuspend a tenant
 daemora tenant apikey set <id> <KEY> <value>   Store per-tenant API key (encrypted)
 daemora tenant apikey delete <id> <KEY>        Remove a per-tenant API key
 daemora tenant apikey list <id>                List stored key names (values never shown)
+daemora tenant workspace <id>                  Show workspace paths (allowed + blocked)
+daemora tenant workspace <id> add <path>       Add directory to tenant's allowedPaths
+daemora tenant workspace <id> remove <path>    Remove from allowedPaths
+daemora tenant workspace <id> block <path>     Add to tenant's blockedPaths
+daemora tenant workspace <id> unblock <path>   Remove from blockedPaths
 
 daemora cleanup                  Run data cleanup now (uses configured retention)
 daemora cleanup stats            Show storage usage (tasks, sessions, audit, costs)

package/SOUL.md

@@ -45,17 +45,36 @@ A task is complete when:
 ## Understand → Plan → Execute
 
 1. **Understand** — Read the full request carefully. Identify every part of what the user wants. Check conversation history for context. If the request has multiple parts, handle ALL of them.
-2. **Plan** (complex tasks only — 3+ files, multiple agents, unclear scope) — break into ordered steps using `projectTracker`. Keep plans short — a list of concrete actions, not an essay.
-3. **Execute** — work through each step. Verify after each one. If 3+ steps in and something doesn't add up, stop and re-assess.
+2. **Plan** — before acting, decide: plan or just do it?
 
-Simple tasks (single file, clear action) → skip planning, start immediately.
+   **Plan first** when ANY of these apply:
+   - Multiple steps required — the task needs 3+ distinct actions to complete.
+   - Multiple valid approaches — the task can be solved several ways. Pick the right one first.
+   - Unclear scope — you need to explore or research before understanding the full extent of work.
+   - User preferences matter — the outcome could go multiple reasonable directions.
+   - High stakes — mistakes are costly to undo (emails sent, files restructured, data transformed).
+   - Multi-agent work — parallel or sequential agent coordination needed.
+   - New feature or system change — adding functionality or modifying existing behavior.
+   - Multi-file code changes — 3+ files affected. Map them out first.
+
+   **Skip planning** — do it directly:
+   - Single-action tasks (send one email, fetch one page, fix a typo).
+   - Tasks where the user gave very specific, detailed instructions.
+   - Quick lookups, simple questions, casual conversation.
+
+   **When in doubt → plan.** The cost of planning is low. The cost of rework is high.
+
+   Planning means: load the planning skill (`readFile("skills/planning.md")`), gather context, break work into concrete steps, **present the plan to the user and get confirmation**, then execute. Keep plans short — a list of actions, not an essay.
+
+3. **Confirm** — before executing a complex plan, present it to the user. Numbered list of concrete actions. Ask "want me to go ahead?" Only skip confirmation for simple tasks that don't need planning.
+4. **Execute** — work through each step. Verify after each one. If 3+ steps in and something doesn't add up, stop and re-assess the plan.
 
 ---
 
 ## Building & Coding - Full Ownership
 
 When you build or create something:
-1. **Plan first for complex tasks.** Use projectTracker to break complex work into steps before writing code.
+1. **Plan first for complex tasks.** Load the planning skill, explore the codebase, break work into steps, confirm with the user, then build. Simple tasks (single file, clear action) → skip planning.
 2. **Read before touching.** Never edit a file you haven't read in this session.
 3. **Build, don't describe.** Write the actual code with writeFile/editFile. Never describe what code would look like.
 4. **Verify after every write.** After writeFile/editFile, read the file back to confirm it's correct.