daemora 1.0.3 → 1.0.5

package/src/index.js

@@ -1,15 +1,18 @@
 import express from "express";
-import { mkdirSync } from "fs";
+import { mkdirSync, existsSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
 import { toolFunctions } from "./tools/index.js";
-import { getSession } from "./services/sessions.js";
+import { getSession, listSessions, createSession, clearSession } from "./services/sessions.js";
 import { config } from "./config/default.js";
 import { listAvailableModels } from "./models/ModelRouter.js";
 import taskQueue from "./core/TaskQueue.js";
 import taskRunner from "./core/TaskRunner.js";
-import { loadTask, listTasks } from "./storage/TaskStore.js";
+import { loadTask, listTasks, listChildTasks } from "./storage/TaskStore.js";
 import { getTodayCost } from "./core/CostTracker.js";
 import supervisor from "./agents/Supervisor.js";
-import { getActiveSubAgentCount } from "./agents/SubAgentManager.js";
+import { getActiveSubAgentCount, listActiveAgents } from "./agents/SubAgentManager.js";
+import eventBus from "./core/EventBus.js";
 import channelRegistry from "./channels/index.js";
 import skillLoader from "./skills/SkillLoader.js";
 import mcpManager from "./mcp/MCPManager.js";
@@ -22,6 +25,12 @@ import voiceWebhook from "./voice/VoiceWebhook.js";
 import daemonManager from "./daemon/DaemonManager.js";
 import secretVault from "./safety/SecretVault.js";
 import tenantManager from "./tenants/TenantManager.js";
+import { runCleanup } from "./services/cleanup.js";
+import webhookHandler from "./webhooks/WebhookHandler.js";
+import execApproval from "./safety/ExecApproval.js";
+import openaiCompat from "./api/openai-compat.js";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
 
 // Ensure all data directories exist
 const dirs = [
@@ -37,6 +46,14 @@ for (const dir of dirs) {
   mkdirSync(dir, { recursive: true });
 }
 
+// Auto-cleanup old data on startup
+if (config.cleanupAfterDays > 0) {
+  const cleaned = runCleanup(config.cleanupAfterDays);
+  if (cleaned.total > 0) {
+    console.log(`[Cleanup] Deleted ${cleaned.total} file(s) older than ${config.cleanupAfterDays} days (tasks: ${cleaned.tasks}, audit: ${cleaned.audit}, costs: ${cleaned.costs}, sessions: ${cleaned.sessions})`);
+  }
+}
+
 // Initialize task system
 taskQueue.init();
 taskRunner.start();
@@ -55,8 +72,32 @@ mountA2AServer(app);
 // Mount voice call webhooks (Twilio callbacks during live calls)
 app.use("/voice", voiceWebhook);
 
+// Mount webhook triggers (external integrations, CI/CD, GitHub webhooks)
+app.use("/hooks", webhookHandler);
+
+// Mount OpenAI-compatible API (gated by OPENAI_COMPAT_ENABLED)
+if (process.env.OPENAI_COMPAT_ENABLED === "true") {
+  app.use("/v1", openaiCompat);
+  console.log("[Server] OpenAI-compatible API enabled at /v1/chat/completions");
+}
+
+// --- Security middleware ---
+const localOnly = (req, res, next) => {
+  const remoteAddress = req.socket.remoteAddress;
+  // Support both IPv4 and IPv6 localhost
+  if (remoteAddress === "127.0.0.1" || remoteAddress === "::ffff:127.0.0.1" || remoteAddress === "::1") {
+    next();
+  } else {
+    console.warn(`[Security] Blocked non-local request from ${remoteAddress}`);
+    res.status(403).json({ error: "Access denied. Only local requests are allowed." });
+  }
+};
+
+// Apply local-only security to all API routes
+app.use("/api", localOnly);
+
 // --- Health check ---
-app.get("/health", (req, res) => {
+app.get("/api/health", (req, res) => {
   res.json({
     status: "ok",
     uptime: process.uptime(),
@@ -69,14 +110,57 @@ app.get("/health", (req, res) => {
   });
 });
 
-// --- Chat endpoint (DISABLED - no authentication, anyone on the network could submit tasks) ---
-// Uncomment and add authentication middleware before re-enabling.
-// app.post("/chat", async (req, res) => { ... });
+// --- Chat endpoint (Async — returns taskId, client uses SSE to stream) ---
+app.post("/api/chat", (req, res) => {
+  try {
+    const { input, sessionId, model, priority, tenantId } = req.body;
+    if (!input) return res.status(400).json({ error: "input is required" });
+
+    const task = taskQueue.enqueue({
+      input,
+      channel: "http",
+      sessionId: sessionId || "local-user",
+      tenantId: tenantId || "http:local",
+      model,
+      priority: priority || 5,
+      type: "chat",
+    });
 
-// --- Task submit endpoint (DISABLED - same reason, unauthenticated) ---
-// app.post("/tasks", (req, res) => { ... });
+    res.status(202).json({
+      taskId: task.id,
+      sessionId: task.sessionId,
+      status: "queued",
+    });
+  } catch (error) {
+    res.status(500).json({ error: error.message });
+  }
+});
 
-app.get("/tasks/:id", (req, res) => {
+// --- Task submit endpoint (Async) ---
+app.post("/api/tasks", (req, res) => {
+  try {
+    const { input, sessionId, model, priority } = req.body;
+    if (!input) return res.status(400).json({ error: "input is required" });
+
+    const task = taskQueue.enqueue({
+      input,
+      channel: "http",
+      sessionId: sessionId || "local-user",
+      model,
+      priority: priority || 5,
+    });
+
+    res.status(202).json({
+      message: "Task enqueued",
+      taskId: task.id,
+      status: task.status,
+    });
+  } catch (error) {
+    res.status(500).json({ error: error.message });
+  }
+});
+
+app.get("/api/tasks/:id", (req, res) => {
   const task = loadTask(req.params.id);
   if (!task) {
     return res.status(404).json({ error: "Task not found" });
@@ -84,19 +168,26 @@ app.get("/tasks/:id", (req, res) => {
   res.json(task);
 });
 
-app.get("/tasks", (req, res) => {
-  const { limit, status } = req.query;
+app.get("/api/tasks", (req, res) => {
+  const { limit, status, type } = req.query;
   const tasks = listTasks({
     limit: limit ? parseInt(limit, 10) : 20,
     status: status || null,
+    type: type || null,
   });
   res.json({
     tasks: tasks.map((t) => ({
       id: t.id,
       status: t.status,
+      type: t.type || "chat",
+      title: t.title || null,
       channel: t.channel,
-      input: t.input.slice(0, 100),
+      input: t.input?.slice(0, 100) || "",
       cost: t.cost,
+      parentTaskId: t.parentTaskId || null,
+      agentId: t.agentId || null,
+      agentCreated: t.agentCreated || false,
+      subAgents: t.subAgents || null,
       createdAt: t.createdAt,
       completedAt: t.completedAt,
     })),
@@ -104,17 +195,79 @@ app.get("/tasks", (req, res) => {
   });
 });
 
-// --- Session endpoint ---
-app.get("/sessions/:id", (req, res) => {
+// --- Child tasks endpoint ---
+app.get("/api/tasks/:id/children", (req, res) => {
+  const children = listChildTasks(req.params.id);
+  res.json({
+    parentTaskId: req.params.id,
+    children: children.map((t) => ({
+      id: t.id,
+      status: t.status,
+      type: t.type || "chat",
+      title: t.title || null,
+      input: t.input?.slice(0, 100) || "",
+      agentId: t.agentId || null,
+      cost: t.cost,
+      createdAt: t.createdAt,
+      completedAt: t.completedAt,
+    })),
+  });
+});
+
+// --- Session endpoints ---
+app.get("/api/sessions", (req, res) => {
+  const sessionIds = listSessions();
+  const sessionList = sessionIds.map(id => {
+    const s = getSession(id);
+    return {
+      sessionId: s.sessionId,
+      createdAt: s.createdAt,
+      lastMessage: s.messages.length > 0 ? s.messages[s.messages.length - 1].content.slice(0, 50) : "Empty chat",
+      messageCount: s.messages.length
+    };
+  }).sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());
+  
+  res.json({ sessions: sessionList });
+});
+
+app.post("/api/sessions", (req, res) => {
+  const session = createSession();
+  res.status(201).json(session);
+});
+
+app.get("/api/sessions/:id", (req, res) => {
   const session = getSession(req.params.id);
   if (!session) {
     return res.status(404).json({ error: "Session not found" });
   }
-  res.json(session);
+  // Filter out any leaked tool_call / tool_result messages
+  const cleanMessages = (session.messages || []).filter(msg => {
+    if (!msg.content || typeof msg.content !== "string") return false;
+    if (msg.role !== "user" && msg.role !== "assistant") return false;
+    const trimmed = msg.content.trimStart();
+    if (trimmed.startsWith("{")) {
+      try {
+        const parsed = JSON.parse(trimmed);
+        if (parsed.type === "tool_call" || parsed.tool_call) return false;
+        if (parsed.tool_name) return false;
+        if (parsed.type === "text" && parsed.finalResponse !== undefined) return false;
+      } catch { /* not JSON, keep it */ }
+    }
+    return true;
+  });
+  res.json({ ...session, messages: cleanMessages });
+});
+
+app.delete("/api/sessions/:id", (req, res) => {
+  const deleted = clearSession(req.params.id);
+  if (!deleted) {
+    return res.status(404).json({ error: "Session not found" });
+  }
+  res.json({ message: "Session deleted" });
 });
 
 // --- Config endpoint ---
-app.get("/config", (req, res) => {
+app.get("/api/config", (req, res) => {
   res.json({
     defaultModel: config.defaultModel,
     permissionTier: config.permissionTier,
@@ -129,21 +282,115 @@ app.get("/config", (req, res) => {
 });
 
 // --- Models endpoint ---
-app.get("/models", (req, res) => {
+app.get("/api/models", (req, res) => {
+  const available = listAvailableModels();
   res.json({
     default: config.defaultModel,
-    available: listAvailableModels(),
+    available: available.map(m => ({
+      ...m,
+      pricingPerMTok: m.costPer1kInput > 0 ? {
+        input: `$${(m.costPer1kInput * 1000).toFixed(2)}`,
+        output: `$${(m.costPer1kOutput * 1000).toFixed(2)}`,
+      } : { input: "$0", output: "$0" },
+    })),
   });
 });
 
+// --- Model switch endpoint ---
+app.post("/api/model", (req, res) => {
+  const { model } = req.body;
+  if (!model) return res.status(400).json({ error: "model is required" });
+
+  const available = listAvailableModels();
+  const match = available.find(m => m.id === model);
+  if (!match) {
+    return res.status(400).json({
+      error: `Unknown or unavailable model: ${model}`,
+      available: available.map(m => m.id),
+    });
+  }
+
+  config.defaultModel = model;
+  res.json({ message: `Default model set to ${model}`, model });
+});
+
 // --- Supervisor endpoint ---
-app.get("/supervisor", (req, res) => {
+app.get("/api/supervisor", (req, res) => {
   res.json({
     warnings: supervisor.getWarnings(),
     activeSubAgents: getActiveSubAgentCount(),
   });
 });
 
+// --- Sub-agents endpoint ---
+app.get("/api/subagents", (req, res) => {
+  res.json({ agents: listActiveAgents() });
+});
+
+// --- SSE streaming endpoint for task events ---
+app.get("/api/tasks/:id/stream", (req, res) => {
+  const taskId = req.params.id;
+  res.writeHead(200, {
+    "Content-Type": "text/event-stream",
+    "Cache-Control": "no-cache",
+    Connection: "keep-alive",
+  });
+
+  const send = (event, data) => {
+    res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+  };
+
+  // Send current state immediately
+  const task = loadTask(taskId);
+  if (task) send("task:state", task);
+
+  const onTool = (evt) => {
+    if (evt.taskId === taskId) send("tool:after", evt);
+  };
+  const onModel = (evt) => {
+    if (evt.taskId === taskId || evt.taskId?.startsWith("subagent-")) send("model:called", evt);
+  };
+  const onAgentSpawn = (evt) => {
+    if (evt.parentTaskId === taskId) send("agent:spawned", evt);
+  };
+  const onAgentDone = (evt) => {
+    if (evt.parentTaskId === taskId) send("agent:finished", evt);
+  };
+  const onComplete = (evt) => {
+    if (evt.taskId === taskId) {
+      const finalTask = loadTask(taskId);
+      send("task:completed", finalTask || evt);
+      cleanup();
+      res.end();
+    }
+  };
+  const onFail = (evt) => {
+    if (evt.taskId === taskId) {
+      send("task:failed", evt);
+      cleanup();
+      res.end();
+    }
+  };
+
+  eventBus.on("tool:after", onTool);
+  eventBus.on("model:called", onModel);
+  eventBus.on("agent:spawned", onAgentSpawn);
+  eventBus.on("agent:finished", onAgentDone);
+  eventBus.on("task:completed", onComplete);
+  eventBus.on("task:failed", onFail);
+
+  const cleanup = () => {
+    eventBus.removeListener("tool:after", onTool);
+    eventBus.removeListener("model:called", onModel);
+    eventBus.removeListener("agent:spawned", onAgentSpawn);
+    eventBus.removeListener("agent:finished", onAgentDone);
+    eventBus.removeListener("task:completed", onComplete);
+    eventBus.removeListener("task:failed", onFail);
+  };
+
+  req.on("close", cleanup);
+});
+
 // --- WhatsApp webhook ---
 app.post("/webhooks/whatsapp", async (req, res) => {
   const whatsapp = channelRegistry.get("whatsapp");
@@ -209,22 +456,22 @@ app.post("/webhooks/line", express.raw({ type: "application/json" }), async (req
 });
 
 // --- Channels endpoint ---
-app.get("/channels", (req, res) => {
+app.get("/api/channels", (req, res) => {
   res.json({ channels: channelRegistry.list() });
 });
 
 // --- Skills endpoint ---
-app.get("/skills", (req, res) => {
+app.get("/api/skills", (req, res) => {
   res.json({ skills: skillLoader.list() });
 });
 
-app.post("/skills/reload", (req, res) => {
+app.post("/api/skills/reload", (req, res) => {
   skillLoader.reload();
   res.json({ message: "Skills reloaded", skills: skillLoader.list() });
 });
 
 // --- Schedule endpoints ---
-app.post("/schedules", (req, res) => {
+app.post("/api/schedules", (req, res) => {
   try {
     const { cronExpression, taskInput, channel, model, name } = req.body;
     if (!cronExpression || !taskInput) {
@@ -237,22 +484,22 @@ app.post("/schedules", (req, res) => {
   }
 });
 
-app.get("/schedules", (req, res) => {
+app.get("/api/schedules", (req, res) => {
   res.json({ schedules: scheduler.list() });
 });
 
-app.delete("/schedules/:id", (req, res) => {
+app.delete("/api/schedules/:id", (req, res) => {
   scheduler.delete(req.params.id);
   res.json({ message: "Schedule deleted" });
 });
 
 // --- Audit endpoint ---
-app.get("/audit", (req, res) => {
+app.get("/api/audit", (req, res) => {
   res.json(auditLog.stats());
 });
 
 // --- MCP endpoints ---
-app.get("/mcp", (req, res) => {
+app.get("/api/mcp", (req, res) => {
   const cfg = mcpManager.readConfig().mcpServers || {};
   const live = mcpManager.list();
   const servers = Object.entries(cfg)
@@ -267,20 +514,24 @@ app.get("/mcp", (req, res) => {
         type: serverCfg.command ? "stdio" : (serverCfg.transport || "http"),
         command: serverCfg.command || null,
         url: serverCfg.url || null,
+        description: serverCfg.description || null,
+        envKeys: serverCfg.env ? Object.keys(serverCfg.env) : [],
+        headerKeys: serverCfg.headers ? Object.keys(serverCfg.headers) : [],
       };
     });
   res.json({ servers });
 });
 
 // Add a new MCP server
-app.post("/mcp", async (req, res) => {
-  const { name, command, args, url, transport, env } = req.body;
+app.post("/api/mcp", async (req, res) => {
+  const { name, command, args, url, transport, env, headers, description } = req.body;
   if (!name) return res.status(400).json({ error: "name is required" });
   if (!command && !url) return res.status(400).json({ error: "command (stdio) or url (http/sse) required" });
 
   const serverConfig = command
-    ? { command, args: args || [], env: env || {} }
-    : { url, transport: transport || undefined, env: env || {} };
+    ? { command, args: args || [], ...(env && Object.keys(env).length > 0 ? { env } : {}) }
+    : { url, ...(transport ? { transport } : {}), ...(headers && Object.keys(headers).length > 0 ? { headers } : {}) };
+  if (description) serverConfig.description = description;
 
   try {
     const result = await mcpManager.addServer(name, serverConfig);
@@ -291,7 +542,7 @@ app.post("/mcp", async (req, res) => {
 });
 
 // Remove an MCP server
-app.delete("/mcp/:name", async (req, res) => {
+app.delete("/api/mcp/:name", async (req, res) => {
   try {
     const result = await mcpManager.removeServer(req.params.name);
     res.json({ message: result });
@@ -301,7 +552,7 @@ app.delete("/mcp/:name", async (req, res) => {
 });
 
 // Enable / disable / reload an MCP server
-app.post("/mcp/:name/:action", async (req, res) => {
+app.post("/api/mcp/:name/:action", async (req, res) => {
   const { name, action } = req.params;
   try {
     let result;
@@ -316,11 +567,11 @@ app.post("/mcp/:name/:action", async (req, res) => {
 });
 
 // --- Daemon endpoints ---
-app.get("/daemon/status", (req, res) => {
+app.get("/api/daemon/status", (req, res) => {
   res.json(daemonManager.status());
 });
 
-app.post("/daemon/:action", (req, res) => {
+app.post("/api/daemon/:action", (req, res) => {
   const { action } = req.params;
   try {
     switch (action) {
@@ -353,14 +604,14 @@ app.post("/daemon/:action", (req, res) => {
 });
 
 // --- Vault endpoints ---
-app.get("/vault/status", (req, res) => {
+app.get("/api/vault/status", (req, res) => {
   res.json({
     exists: secretVault.exists(),
     unlocked: secretVault.isUnlocked(),
   });
 });
 
-app.post("/vault/unlock", (req, res) => {
+app.post("/api/vault/unlock", (req, res) => {
   try {
     const { passphrase } = req.body;
     if (!passphrase) return res.status(400).json({ error: "passphrase is required" });
@@ -376,30 +627,30 @@ app.post("/vault/unlock", (req, res) => {
   }
 });
 
-app.post("/vault/lock", (req, res) => {
+app.post("/api/vault/lock", (req, res) => {
   secretVault.lock();
   res.json({ message: "Vault locked" });
 });
 
 // --- Tenant endpoints ---
-app.get("/tenants", (req, res) => {
+app.get("/api/tenants", (req, res) => {
   const tenants = tenantManager.list();
   res.json({ tenants, stats: tenantManager.stats() });
 });
 
-app.get("/tenants/:id", (req, res) => {
+app.get("/api/tenants/:id", (req, res) => {
   const tenant = tenantManager.get(decodeURIComponent(req.params.id));
   if (!tenant) return res.status(404).json({ error: "Tenant not found" });
   res.json(tenant);
 });
 
-app.patch("/tenants/:id", (req, res) => {
+app.patch("/api/tenants/:id", (req, res) => {
   const id = decodeURIComponent(req.params.id);
   const updated = tenantManager.set(id, req.body);
   res.json(updated);
 });
 
-app.post("/tenants/:id/suspend", (req, res) => {
+app.post("/api/tenants/:id/suspend", (req, res) => {
   const id = decodeURIComponent(req.params.id);
   const { reason } = req.body;
   const updated = tenantManager.suspend(id, reason || "");
@@ -407,29 +658,44 @@ app.post("/tenants/:id/suspend", (req, res) => {
   res.json(updated);
 });
 
-app.post("/tenants/:id/unsuspend", (req, res) => {
+app.post("/api/tenants/:id/unsuspend", (req, res) => {
   const id = decodeURIComponent(req.params.id);
   const updated = tenantManager.unsuspend(id);
   if (!updated) return res.status(404).json({ error: "Tenant not found" });
   res.json(updated);
 });
 
-app.post("/tenants/:id/reset", (req, res) => {
+app.post("/api/tenants/:id/reset", (req, res) => {
   const id = decodeURIComponent(req.params.id);
   const updated = tenantManager.reset(id);
   if (!updated) return res.status(404).json({ error: "Tenant not found" });
   res.json(updated);
 });
 
-app.delete("/tenants/:id", (req, res) => {
+app.delete("/api/tenants/:id", (req, res) => {
   const id = decodeURIComponent(req.params.id);
   const deleted = tenantManager.delete(id);
   if (!deleted) return res.status(404).json({ error: "Tenant not found" });
   res.json({ message: "Tenant deleted" });
 });
 
+// --- Exec approvals ---
+app.get("/api/approvals", (req, res) => {
+  res.json({ approvals: execApproval.listPending(), mode: execApproval.mode });
+});
+
+app.post("/api/approvals/:id", (req, res) => {
+  const { decision } = req.body;
+  if (!["allow", "allow-once", "deny"].includes(decision)) {
+    return res.status(400).json({ error: 'decision must be "allow", "allow-once", or "deny"' });
+  }
+  const resolved = execApproval.resolveApproval(req.params.id, decision);
+  if (!resolved) return res.status(404).json({ error: "Approval not found or expired" });
+  res.json({ message: `Approval ${req.params.id} → ${decision}` });
+});
+
 // --- Costs endpoint ---
-app.get("/costs/today", (req, res) => {
+app.get("/api/costs/today", (req, res) => {
   res.json({
     date: new Date().toISOString().split("T")[0],
     totalCost: getTodayCost(),
@@ -438,6 +704,20 @@ app.get("/costs/today", (req, res) => {
   });
 });
 
+// --- Static UI ---
+const uiPath = join(__dirname, "..", "daemora-ui", "dist");
+if (existsSync(uiPath)) {
+  app.use(express.static(uiPath));
+  // Serve index.html for all other routes (React Router support)
+  app.get(/.*/, (req, res, next) => {
+    if (req.path.startsWith("/api/") || req.path.startsWith("/webhooks/") || req.path.startsWith("/voice/") || req.path.startsWith("/a2a/") || req.path.startsWith("/hooks/") || req.path.startsWith("/v1/")) {
+      return next();
+    }
+    res.sendFile(join(uiPath, "index.html"));
+  });
+  console.log(`[Server] Serving UI from ${uiPath}`);
+}
+
 // --- Start server ---
 app.listen(config.port, async () => {
   console.log("\n--- Daemora Server ---");