daemora 1.0.4 → 1.0.6

package/src/mcp/MCPAgentRunner.js

@@ -1,5 +1,6 @@
 import { spawnSubAgent } from "../agents/SubAgentManager.js";
 import mcpManager from "./MCPManager.js";
+import { createSession, getSession, setMessages } from "../services/sessions.js";
 
 /**
  * MCP Agent Runner - spawns specialist sub-agents for individual MCP servers.
@@ -69,6 +70,8 @@ All MCP tool params must be passed as a single JSON string (the first and only a
  * @returns {Promise<string>}       - Agent's final response
  */
 export async function runMCPAgent(serverName, taskDescription, options = {}) {
+  const { mainSessionId, ...restOptions } = options;
+
   // Get only this server's tool functions
   const serverTools = mcpManager.getServerTools(serverName);
 
@@ -80,33 +83,67 @@ export async function runMCPAgent(serverName, taskDescription, options = {}) {
     return `MCP server "${serverName}" not found or has no tools. Available servers: ${available.join(", ")}`;
   }
 
-  // Build tool docs for this server's system prompt
+  // Build tool docs for this server's system prompt (include nested schemas)
   const toolDocs = Object.keys(serverTools)
     .map((fullName) => {
       const entry = mcpManager.toolMap.get(fullName);
       if (!entry) return `### ${fullName}(argsJson: string)`;
-      const schema = entry.inputSchema?.properties || {};
-      const required = entry.inputSchema?.required || [];
-      const params = Object.entries(schema)
-        .map(([k, v]) => `${k}${required.includes(k) ? "" : "?"}: ${v.type || "any"}`)
-        .join(", ");
       const desc = entry.description || entry.toolName;
-      const paramLine = params ? `\n- argsJson: \`{${params}}\`` : "";
-      return `### ${fullName}(argsJson: string)\n${desc}${paramLine}`;
+      const schema = entry.inputSchema;
+      // Show full JSON schema so the sub-agent knows exact field names
+      let schemaDoc = "";
+      if (schema) {
+        try {
+          schemaDoc = "\n- Schema:\n```json\n" + JSON.stringify(schema, null, 2) + "\n```";
+        } catch {
+          const props = schema.properties || {};
+          const required = schema.required || [];
+          const params = Object.entries(props)
+            .map(([k, v]) => `${k}${required.includes(k) ? "" : "?"}: ${v.type || "any"}`)
+            .join(", ");
+          schemaDoc = params ? `\n- argsJson: \`{${params}}\`` : "";
+        }
+      }
+      return `### ${fullName}(argsJson: string)\n${desc}${schemaDoc}`;
     })
     .join("\n\n");
 
   const systemPromptOverride = buildMCPAgentSystemPrompt(serverName, toolDocs);
 
+  // Load sub-agent session history (persistent across calls)
+  const subSessionId = mainSessionId ? `${mainSessionId}--${serverName}` : null;
+  let historyMessages = [];
+  if (subSessionId) {
+    const subSession = getSession(subSessionId);
+    if (subSession && subSession.messages.length > 0) {
+      historyMessages = subSession.messages.map(m => ({ role: m.role, content: m.content }));
+      console.log(`[MCPAgentRunner] Loaded ${historyMessages.length} history messages for "${serverName}"`);
+    }
+  }
+
   console.log(
     `[MCPAgentRunner] Spawning specialist for "${serverName}" (${Object.keys(serverTools).length} tools)`
   );
 
-  return spawnSubAgent(taskDescription, {
-    ...options,
+  const fullResult = await spawnSubAgent(taskDescription, {
+    ...restOptions,
     toolOverride: serverTools,
     systemPromptOverride,
-    // MCP agents are always depth 1 - they don't spawn further sub-agents
     depth: 1,
+    historyMessages,
+    returnFullResult: true,
   });
+
+  // Save sub-agent session (cap at 100 messages)
+  if (subSessionId && fullResult.messages) {
+    let subSession = getSession(subSessionId);
+    if (!subSession) subSession = createSession(subSessionId);
+    const capped = fullResult.messages.length > 100
+      ? fullResult.messages.slice(-100)
+      : fullResult.messages;
+    setMessages(subSessionId, capped);
+    console.log(`[MCPAgentRunner] Saved ${capped.length} messages to sub-session "${subSessionId}"`);
+  }
+
+  return typeof fullResult === "string" ? fullResult : fullResult.text;
 }

package/src/mcp/MCPManager.js

@@ -192,9 +192,47 @@ class MCPManager {
 
     const servers = mcpConfig.mcpServers || {};
 
-    // Filter to only real, enabled servers
+    // Filter to only real, enabled servers with valid auth
     const enabledServers = Object.entries(servers).filter(
-      ([name, cfg]) => !name.startsWith("_comment") && typeof cfg === "object" && cfg.enabled !== false
+      ([name, cfg]) => {
+        if (name.startsWith("_comment") || typeof cfg !== "object" || cfg.enabled === false) return false;
+
+        // Validate auth: skip servers with placeholder or empty credentials
+        if (cfg.env) {
+          const hasPlaceholder = Object.entries(cfg.env).some(([, v]) =>
+            typeof v === "string" && (
+              v === "" ||
+              v.startsWith("YOUR_") ||
+              v === "your-token-here" ||
+              v === "your-key-here" ||
+              /^[A-Z_]+$/.test(v) // e.g. "GITHUB_TOKEN" as a value, not a reference
+            )
+          );
+          if (hasPlaceholder) {
+            console.log(`[MCPManager] Skipping "${name}" - env vars contain placeholder/empty values. Set real credentials.`);
+            return false;
+          }
+        }
+
+        if (cfg.headers) {
+          const expandedHeaders = Object.entries(cfg.headers).map(([k, v]) => {
+            if (typeof v === "string") {
+              return [k, v.replace(/\$\{([^}]+)\}/g, (_, envName) => process.env[envName] ?? "")];
+            }
+            return [k, v];
+          });
+          const hasEmpty = expandedHeaders.some(([, v]) => typeof v === "string" && v.trim() === "");
+          const hasPlaceholder = expandedHeaders.some(([, v]) =>
+            typeof v === "string" && (v.includes("YOUR_") || v === "Bearer " || v === "Bearer")
+          );
+          if (hasEmpty || hasPlaceholder) {
+            console.log(`[MCPManager] Skipping "${name}" - headers resolve to empty/placeholder values. Set env vars.`);
+            return false;
+          }
+        }
+
+        return true;
+      }
     );
 
     if (enabledServers.length === 0) {

package/src/models/ModelRouter.js

@@ -48,7 +48,28 @@ function getProvider(name, apiKeys = {}) {
  * @returns {{ model: object, meta: object }} AI SDK model instance + metadata
  */
 export function getModel(modelId, apiKeys = {}) {
-  const meta = models[modelId];
+  let meta = models[modelId];
+
+  // Passthrough: if model isn't in the registry but follows "provider:model" format,
+  // create a dynamic entry so new models work without updating the registry.
+  if (!meta && modelId.includes(":")) {
+    const [providerName, modelName] = modelId.split(":", 2);
+    const knownProviders = ["openai", "anthropic", "google", "ollama"];
+    if (knownProviders.includes(providerName)) {
+      console.log(`[ModelRouter] Model "${modelId}" not in registry — using dynamic passthrough`);
+      meta = {
+        provider: providerName,
+        model: modelName,
+        contextWindow: 128_000,
+        compactAt: 90_000,
+        costPer1kInput: 0.001,
+        costPer1kOutput: 0.004,
+        capabilities: ["text", "tools"],
+        tier: "standard",
+      };
+    }
+  }
+
   if (!meta) {
     throw new Error(`Unknown model: ${modelId}. Available: ${Object.keys(models).join(", ")}`);
   }
@@ -138,6 +159,51 @@ export function listAvailableModels() {
   return available;
 }
 
+// ── Thinking Level Resolution ──────────────────────────────────────────────────
+
+const _thinkingAliases = { on: "low", min: "minimal", max: "high" };
+
+/**
+ * Resolve thinking config for a model + level combination.
+ * Returns params to merge into the generateObject call, or null if no thinking.
+ *
+ * @param {string} modelId - e.g. "anthropic:claude-sonnet-4-6"
+ * @param {string} level   - "auto"|"off"|"minimal"|"low"|"medium"|"high"|"xhigh"
+ * @returns {{ thinkingParams: object } | null}
+ */
+export function resolveThinkingConfig(modelId, level = "auto") {
+  const normalized = _thinkingAliases[level] || level;
+  if (normalized === "off" || normalized === "auto") return null;
+
+  const provider = modelId.split(":")[0];
+
+  // Anthropic: thinking.budget_tokens
+  if (provider === "anthropic") {
+    const budgetMap = { minimal: 1024, low: 2048, medium: 4096, high: 8192, xhigh: 16384 };
+    const budget = budgetMap[normalized];
+    if (!budget) return null;
+    return { thinkingParams: { thinking: { type: "enabled", budgetTokens: budget } } };
+  }
+
+  // OpenAI: reasoning.effort (only for o-series models)
+  if (provider === "openai") {
+    const effortMap = { minimal: "low", low: "low", medium: "medium", high: "high", xhigh: "high" };
+    const effort = effortMap[normalized];
+    if (!effort) return null;
+    return { thinkingParams: { reasoning: { effort } } };
+  }
+
+  // Google: thinkingConfig.thinkingBudget
+  if (provider === "google") {
+    const budgetMap = { minimal: 1024, low: 2048, medium: 4096, high: 8192, xhigh: 16384 };
+    const budget = budgetMap[normalized];
+    if (!budget) return null;
+    return { thinkingParams: { thinkingConfig: { thinkingBudget: budget } } };
+  }
+
+  return null;
+}
+
 // ── Task-Type Model Routing ────────────────────────────────────────────────────
 
 const _profileEnvMap = {
@@ -152,11 +218,12 @@ const _profileEnvMap = {
  *   1. explicitModel (caller override)
  *   2. Per-tenant modelRoutes[profile]
  *   3. Global CODE_MODEL / RESEARCH_MODEL / WRITER_MODEL / ANALYST_MODEL env vars
- *   4. Per-tenant general model override
- *   5. DEFAULT_MODEL env var / hardcoded default
+ *   4. SUB_AGENT_MODEL (global sub-agent default)
+ *   5. Per-tenant general model override
+ *   6. DEFAULT_MODEL env var / hardcoded default
  *
  * @param {string|null} profile       - e.g. "coder", "researcher", "writer", "analyst"
- * @param {object}      tenantConfig  - resolvedConfig from TenantManager (may have .modelRoutes, .model)
+ * @param {object}      tenantConfig  - resolvedConfig from TenantManager (may have .modelRoutes, .model, .subAgentModel)
  * @param {string|null} explicitModel - Caller-supplied model override (highest priority)
  * @returns {string} Resolved model ID
  */
@@ -164,6 +231,9 @@ export function resolveModelForProfile(profile, tenantConfig = {}, explicitModel
   if (explicitModel) return explicitModel;
   if (profile && tenantConfig.modelRoutes?.[profile]) return tenantConfig.modelRoutes[profile];
   if (profile && process.env[_profileEnvMap[profile]]) return process.env[_profileEnvMap[profile]];
+  // Sub-agent model: tenant-level > env-level
+  if (tenantConfig.subAgentModel) return tenantConfig.subAgentModel;
+  if (process.env.SUB_AGENT_MODEL) return process.env.SUB_AGENT_MODEL;
   if (tenantConfig.model) return tenantConfig.model;
   return process.env.DEFAULT_MODEL || "openai:gpt-4.1-mini";
 }

package/src/safety/DockerSandbox.js

@@ -0,0 +1,212 @@
+/**
+ * Docker Sandbox — run commands inside Docker containers for kernel-level isolation.
+ *
+ * Config:
+ *   SANDBOX_MODE=docker          — enable Docker isolation
+ *   DOCKER_IMAGE=node:22-slim    — base image
+ *   DOCKER_MEMORY=512m           — memory limit
+ *   DOCKER_CPUS=0.5              — CPU limit
+ *   DOCKER_NETWORK=none          — network mode (none = no network)
+ *   DOCKER_SCOPE=session         — "session" (per session) | "shared" (one for all)
+ */
+
+import { execSync, spawnSync } from "node:child_process";
+import { config } from "../config/default.js";
+
+// containerId → { scope, createdAt, lastUsedAt }
+const _containers = new Map();
+const CLEANUP_AFTER = 10 * 60 * 1000; // 10 min inactivity
+
+class DockerSandbox {
+  constructor() {
+    this._available = null; // cached Docker availability check
+  }
+
+  /**
+   * Check if Docker is available.
+   */
+  isAvailable() {
+    if (this._available !== null) return this._available;
+    try {
+      execSync("docker info", { stdio: "pipe", timeout: 5000 });
+      this._available = true;
+    } catch {
+      this._available = false;
+    }
+    return this._available;
+  }
+
+  /**
+   * Ensure a container exists for the given scope.
+   * @param {string} scopeId — session ID or "shared"
+   * @returns {string} containerId
+   */
+  ensureContainer(scopeId = "shared") {
+    const existing = _containers.get(scopeId);
+    if (existing) {
+      // Check if container is still running
+      try {
+        const status = execSync(`docker inspect -f '{{.State.Running}}' ${existing.containerId}`, {
+          encoding: "utf-8",
+          stdio: ["pipe", "pipe", "pipe"],
+          timeout: 5000,
+        }).trim();
+        if (status === "true") {
+          existing.lastUsedAt = Date.now();
+          return existing.containerId;
+        }
+      } catch {
+        // Container gone — remove from map and create new
+        _containers.delete(scopeId);
+      }
+    }
+
+    const sandbox = config.sandbox || {};
+    const image = sandbox.dockerImage || "node:22-slim";
+    const memory = sandbox.dockerMemory || "512m";
+    const cpus = sandbox.dockerCpus || "0.5";
+    const network = sandbox.dockerNetwork || "none";
+
+    // Create container with security constraints
+    const containerName = `daemora-sandbox-${scopeId.replace(/[^a-zA-Z0-9_-]/g, "-").slice(0, 30)}-${Date.now()}`;
+
+    const args = [
+      "docker", "run", "-d",
+      "--name", containerName,
+      "--memory", memory,
+      "--cpus", cpus,
+      "--network", network,
+      "--read-only",
+      "--cap-drop", "ALL",
+      "--tmpfs", "/tmp:rw,noexec,nosuid,size=100m",
+      "--tmpfs", "/workspace:rw,size=500m",
+      "-w", "/workspace",
+      image,
+      "tail", "-f", "/dev/null", // Keep container alive
+    ];
+
+    try {
+      const containerId = execSync(args.join(" "), {
+        encoding: "utf-8",
+        timeout: 30000,
+      }).trim();
+
+      _containers.set(scopeId, {
+        containerId,
+        containerName,
+        createdAt: Date.now(),
+        lastUsedAt: Date.now(),
+      });
+
+      console.log(`[DockerSandbox] Created container ${containerName} (${containerId.slice(0, 12)}) for scope: ${scopeId}`);
+      return containerId;
+    } catch (error) {
+      throw new Error(`Failed to create Docker container: ${error.message}`);
+    }
+  }
+
+  /**
+   * Execute a command inside a container.
+   * @param {string} scopeId
+   * @param {string} command
+   * @param {object} opts — { timeout, cwd }
+   * @returns {string} command output
+   */
+  exec(scopeId, command, opts = {}) {
+    const containerId = this.ensureContainer(scopeId);
+    const timeout = opts.timeout || 120_000;
+    const cwd = opts.cwd || "/workspace";
+
+    try {
+      const result = execSync(`docker exec -w "${cwd}" ${containerId} sh -c ${JSON.stringify(command)}`, {
+        encoding: "utf-8",
+        timeout,
+        maxBuffer: 10 * 1024 * 1024,
+        stdio: ["pipe", "pipe", "pipe"],
+      });
+
+      const entry = _containers.get(scopeId);
+      if (entry) entry.lastUsedAt = Date.now();
+
+      return result || "(command completed with no output)";
+    } catch (error) {
+      if (error.killed) {
+        return `Command timed out after ${timeout / 1000}s inside Docker container.`;
+      }
+      const parts = [];
+      if (error.stdout) parts.push(`stdout:\n${error.stdout.slice(0, 2000)}`);
+      if (error.stderr) parts.push(`stderr:\n${error.stderr.slice(0, 2000)}`);
+      const exitMsg = error.status !== undefined ? ` (exit code: ${error.status})` : "";
+      if (parts.length > 0) return `Command failed${exitMsg}:\n${parts.join("\n---\n")}`;
+      return `Command failed${exitMsg}: ${error.message}`;
+    }
+  }
+
+  /**
+   * Copy workspace files into the container.
+   */
+  copyToContainer(scopeId, hostPath, containerPath = "/workspace") {
+    const containerId = this.ensureContainer(scopeId);
+    try {
+      execSync(`docker cp "${hostPath}/." ${containerId}:${containerPath}`, {
+        timeout: 30000,
+        stdio: "pipe",
+      });
+      return true;
+    } catch (error) {
+      console.log(`[DockerSandbox] Copy failed: ${error.message}`);
+      return false;
+    }
+  }
+
+  /**
+   * Remove a container.
+   */
+  removeContainer(scopeId) {
+    const entry = _containers.get(scopeId);
+    if (!entry) return;
+    try {
+      execSync(`docker rm -f ${entry.containerId}`, { stdio: "pipe", timeout: 10000 });
+      console.log(`[DockerSandbox] Removed container for scope: ${scopeId}`);
+    } catch {}
+    _containers.delete(scopeId);
+  }
+
+  /**
+   * Cleanup inactive containers.
+   */
+  cleanup() {
+    const now = Date.now();
+    for (const [scopeId, entry] of _containers.entries()) {
+      if (now - entry.lastUsedAt > CLEANUP_AFTER) {
+        this.removeContainer(scopeId);
+      }
+    }
+  }
+
+  /**
+   * Remove all containers.
+   */
+  removeAll() {
+    for (const scopeId of [..._containers.keys()]) {
+      this.removeContainer(scopeId);
+    }
+  }
+
+  /**
+   * List active containers.
+   */
+  list() {
+    return [..._containers.entries()].map(([scopeId, entry]) => ({
+      scopeId,
+      containerId: entry.containerId.slice(0, 12),
+      containerName: entry.containerName,
+      createdAt: new Date(entry.createdAt).toISOString(),
+      lastUsedAt: new Date(entry.lastUsedAt).toISOString(),
+      idleMs: Date.now() - entry.lastUsedAt,
+    }));
+  }
+}
+
+const dockerSandbox = new DockerSandbox();
+export default dockerSandbox;

package/src/safety/ExecApproval.js

@@ -0,0 +1,118 @@
+/**
+ * Exec Approval Manager — interactive approval gates for dangerous commands.
+ *
+ * When approval mode is enabled and a command matches dangerous patterns,
+ * the agent loop pauses and waits for user approval via the API.
+ *
+ * Config: approval.mode = "off" | "dangerous-only" | "all"
+ * API:
+ *   GET  /api/approvals       — list pending approvals
+ *   POST /api/approvals/:id   — approve/deny { decision: "allow" | "allow-once" | "deny" }
+ */
+
+import { v4 as uuidv4 } from "uuid";
+
+// Dangerous command patterns
+const DANGEROUS_PATTERNS = [
+  /\brm\s+(-rf?|--recursive)\b/i,
+  /\bsudo\b/,
+  /\bdrop\s+(table|database)\b/i,
+  /\bkill\s+-9\b/,
+  /\bshutdown\b/,
+  /\breboot\b/,
+  /\bmkfs\b/,
+  /\bdd\s+if=/,
+  /\bcurl\b.*\|\s*(sh|bash|zsh)\b/,
+  /\bwget\b.*\|\s*(sh|bash|zsh)\b/,
+  /\bnpm\s+publish\b/,
+  /\bgit\s+push\s+.*--force\b/,
+  /\bgit\s+reset\s+--hard\b/,
+  /\bdocker\s+rm\b/,
+  /\bdocker\s+system\s+prune\b/,
+];
+
+class ExecApprovalManager {
+  constructor() {
+    // approvalId → { command, taskId, createdAt, resolve, timer }
+    this._pending = new Map();
+    this._timeoutMs = 60_000; // 60 seconds default
+    this._mode = process.env.APPROVAL_MODE || "off"; // "off" | "dangerous-only" | "all"
+  }
+
+  get mode() {
+    return this._mode;
+  }
+
+  /**
+   * Check if a command needs approval.
+   */
+  needsApproval(command) {
+    if (this._mode === "off") return false;
+    if (this._mode === "all") return true;
+    // "dangerous-only" — check against patterns
+    return DANGEROUS_PATTERNS.some(p => p.test(command));
+  }
+
+  /**
+   * Request approval for a command. Returns a Promise that resolves with the decision.
+   * @param {string} command
+   * @param {string} taskId
+   * @returns {Promise<"allow"|"deny">}
+   */
+  requestApproval(command, taskId) {
+    return new Promise((resolve) => {
+      const approvalId = uuidv4().slice(0, 12);
+
+      const timer = setTimeout(() => {
+        this._pending.delete(approvalId);
+        console.log(`[ExecApproval] Timeout for ${approvalId} — denying`);
+        resolve("deny");
+      }, this._timeoutMs);
+
+      this._pending.set(approvalId, {
+        command,
+        taskId,
+        createdAt: new Date().toISOString(),
+        resolve,
+        timer,
+      });
+
+      console.log(`[ExecApproval] Waiting for approval ${approvalId}: "${command.slice(0, 80)}"`);
+    });
+  }
+
+  /**
+   * Resolve a pending approval.
+   * @param {string} approvalId
+   * @param {"allow"|"allow-once"|"deny"} decision
+   * @returns {boolean} true if found and resolved
+   */
+  resolveApproval(approvalId, decision) {
+    const entry = this._pending.get(approvalId);
+    if (!entry) return false;
+
+    clearTimeout(entry.timer);
+    this._pending.delete(approvalId);
+
+    const effective = decision === "allow-once" ? "allow" : decision;
+    console.log(`[ExecApproval] ${approvalId} → ${decision}`);
+    entry.resolve(effective);
+    return true;
+  }
+
+  /**
+   * List all pending approvals (for API).
+   */
+  listPending() {
+    return [...this._pending.entries()].map(([id, entry]) => ({
+      id,
+      command: entry.command,
+      taskId: entry.taskId,
+      createdAt: entry.createdAt,
+      expiresIn: Math.max(0, this._timeoutMs - (Date.now() - new Date(entry.createdAt).getTime())),
+    }));
+  }
+}
+
+const execApproval = new ExecApprovalManager();
+export default execApproval;