npm - daemora - Versions diffs - 1.0.9 → 1.0.11 - Mend

daemora 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/README.md +37 -15
package/SOUL.md +23 -4
package/daemora-ui/dist/assets/index-BkPHvKYt.css +1 -0
package/daemora-ui/dist/assets/index-ZiuOJUu0.js +92 -0
package/daemora-ui/dist/index.html +2 -2
package/package.json +1 -1
package/skills/coding.md +23 -4
package/skills/planning.md +168 -0
package/src/agents/systemPrompt.js +80 -58
package/src/cli.js +124 -4
package/src/index.js +55 -15
package/src/safety/CommandGuard.js +22 -1
package/src/setup/theme.js +1 -0
package/src/setup/wizard.js +220 -26
package/src/tenants/TenantManager.js +37 -0
package/src/tools/_paths.js +39 -0
package/src/tools/applyPatch.js +6 -0
package/src/tools/browserAutomation.js +18 -6
package/src/tools/createDocument.js +4 -0
package/src/tools/executeCommand.js +4 -2
package/src/tools/generateImage.js +7 -3
package/src/tools/replyWithFile.js +4 -0
package/src/tools/screenCapture.js +6 -1
package/src/tools/sendFile.js +4 -0
package/src/tools/sshTool.js +2 -2
package/src/tools/textToSpeech.js +21 -12
package/src/tools/transcribeAudio.js +15 -4
package/daemora-ui/dist/assets/index-AfA65HSy.js +0 -90
package/daemora-ui/dist/assets/index-DP95eMOr.css +0 -1

package/src/tools/executeCommand.js CHANGED Viewed

@@ -56,7 +56,10 @@ export async function executeCommand(cmd, optionsJson) {
   // ──────────────────────────────────────────────────────────────────────────
   // ── Filesystem scope enforcement ───────────────────────────────────────────
-  const allowedPaths = config.filesystem?.allowedPaths || [];
+  // Prefer per-tenant resolved config (set by TaskRunner), fall back to global
+  const store = tenantContext.getStore();
+  const resolvedConfig = store?.resolvedConfig;
+  const allowedPaths = resolvedConfig?.allowedPaths || config.filesystem?.allowedPaths || [];
   if (allowedPaths.length > 0) {
     // Always check that the cwd is inside an allowed directory
     const cwdGuard = filesystemGuard.checkRead(cwd);
@@ -93,7 +96,6 @@ export async function executeCommand(cmd, optionsJson) {
   // ── Docker sandbox mode — route through container ──
   if (config.sandbox?.mode === "docker" && dockerSandbox.isAvailable() && !background) {
-    const store = tenantContext.getStore();
     const scope = config.sandbox.docker?.scope === "shared" ? "shared" : (store?.sessionId || "shared");
     return dockerSandbox.exec(scope, cmd, { timeout, cwd });
   }

package/src/tools/generateImage.js CHANGED Viewed

@@ -4,8 +4,9 @@
  */
 import { writeFileSync, mkdirSync } from "node:fs";
 import { join } from "node:path";
-import { tmpdir } from "node:os";
 import tenantContext from "../tenants/TenantContext.js";
+import filesystemGuard from "../safety/FilesystemGuard.js";
+import { getTenantTmpDir } from "./_paths.js";
 export async function generateImage(prompt, optionsJson) {
   if (!prompt) return "Error: prompt is required.";
@@ -48,13 +49,16 @@ export async function generateImage(prompt, optionsJson) {
     if (images.length === 0) return "Error: No images returned.";
     const saved = [];
-    const dir = join(tmpdir(), "daemora-images");
-    mkdirSync(dir, { recursive: true });
+    const dir = getTenantTmpDir("daemora-images");
     for (let i = 0; i < images.length; i++) {
       const b64 = images[i].b64_json;
       const revised = images[i].revised_prompt || prompt;
       const filePath = outputPath || join(dir, `image-${Date.now()}-${i}.png`);
+      if (outputPath) {
+        const wc = filesystemGuard.checkWrite(outputPath);
+        if (!wc.allowed) return `Error: ${wc.reason}`;
+      }
       writeFileSync(filePath, Buffer.from(b64, "base64"));
       saved.push({ path: filePath, revisedPrompt: revised });
     }

package/src/tools/replyWithFile.js CHANGED Viewed

@@ -11,6 +11,7 @@
 import tenantContext from "../tenants/TenantContext.js";
 import channelRegistry from "../channels/index.js";
 import { existsSync, statSync } from "node:fs";
+import filesystemGuard from "../safety/FilesystemGuard.js";
 const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB
@@ -18,6 +19,9 @@ export async function replyWithFile(filePath, caption) {
   try {
     if (!filePath) return "Error: filePath is required.";
+    const readCheck = filesystemGuard.checkRead(filePath);
+    if (!readCheck.allowed) return `Error: ${readCheck.reason}`;
     if (!existsSync(filePath)) {
       return `Error: File not found: ${filePath}`;
     }

package/src/tools/screenCapture.js CHANGED Viewed

@@ -15,15 +15,20 @@ import { execSync } from "node:child_process";
 import { existsSync, mkdirSync, statSync } from "node:fs";
 import { platform } from "node:os";
 import { join } from "node:path";
+import filesystemGuard from "../safety/FilesystemGuard.js";
+import { getTenantTmpDir } from "./_paths.js";
 export function screenCapture(optionsJson) {
   try {
     const opts = optionsJson ? JSON.parse(optionsJson) : {};
-    const outputDir = opts.outputDir || "/tmp";
+    const outputDir = opts.outputDir || getTenantTmpDir("daemora-captures");
     const region    = opts.region;                   // { x, y, width, height } - screenshot only
     const mode      = (opts.mode || "screenshot").toLowerCase();
     const duration  = parseInt(opts.duration || "10", 10); // seconds - video only
+    const wc = filesystemGuard.checkWrite(outputDir);
+    if (!wc.allowed) return `Error: ${wc.reason}`;
     if (!existsSync(outputDir)) {
       mkdirSync(outputDir, { recursive: true });
     }

package/src/tools/sendFile.js CHANGED Viewed

@@ -15,6 +15,7 @@
  */
 import channelRegistry from "../channels/index.js";
 import { existsSync, statSync } from "node:fs";
+import filesystemGuard from "../safety/FilesystemGuard.js";
 const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB - most platforms limit around this
@@ -24,6 +25,9 @@ export async function sendFile(channel, target, filePath, caption) {
     if (!target)  return "Error: target is required (chat ID, user ID, phone, or email)";
     if (!filePath) return "Error: filePath is required";
+    const readCheck = filesystemGuard.checkRead(filePath);
+    if (!readCheck.allowed) return `Error: ${readCheck.reason}`;
     if (!existsSync(filePath)) {
       return `Error: File not found: ${filePath}`;
     }

package/src/tools/sshTool.js CHANGED Viewed

@@ -7,8 +7,8 @@
 import { execFileSync } from "node:child_process";
 import { writeFileSync, unlinkSync, mkdirSync } from "node:fs";
 import { join } from "node:path";
-import { tmpdir } from "node:os";
 import { randomBytes } from "node:crypto";
+import { getTenantTmpDir } from "./_paths.js";
 export async function sshTool(action, paramsJson) {
   if (!action) return "Error: action required. Valid: exec, upload, download, tunnel";
@@ -97,7 +97,7 @@ export async function sshTool(action, paramsJson) {
   if (action === "keygen") {
     // Generate a new SSH key pair for the agent's use
-    const keyDir = join(tmpdir(), `daemora-ssh-${randomBytes(4).toString("hex")}`);
+    const keyDir = join(getTenantTmpDir("daemora-ssh"), `keygen-${randomBytes(4).toString("hex")}`);
     mkdirSync(keyDir, { recursive: true });
     const keyFile = join(keyDir, "id_ed25519");
     try {

package/src/tools/textToSpeech.js CHANGED Viewed

@@ -15,9 +15,9 @@
 import { writeFileSync, mkdirSync } from "node:fs";
 import { join } from "node:path";
-import { tmpdir } from "node:os";
-const TMP_DIR = join(tmpdir(), "daemora-tts");
+import filesystemGuard from "../safety/FilesystemGuard.js";
+import { getTenantTmpDir } from "./_paths.js";
+import tenantContext from "../tenants/TenantContext.js";
 const OPENAI_CHAR_LIMIT = 4096;
 const ELEVENLABS_CHAR_LIMIT = 5000;
@@ -31,7 +31,10 @@ export async function textToSpeech(text, optionsJson) {
     const provider = opts.provider?.toLowerCase() || "openai";
     // Prefer ElevenLabs if key is present and provider not forced
-    if (provider === "elevenlabs" || (provider === "auto" && process.env.ELEVENLABS_API_KEY)) {
+    const _store = tenantContext.getStore();
+    const _keys = _store?.apiKeys || {};
+    const hasElevenLabs = _keys.ELEVENLABS_API_KEY || process.env.ELEVENLABS_API_KEY;
+    if (provider === "elevenlabs" || (provider === "auto" && hasElevenLabs)) {
       return await _elevenLabs(text.trim(), opts);
     }
@@ -44,26 +47,30 @@ export async function textToSpeech(text, optionsJson) {
 // ── OpenAI TTS ────────────────────────────────────────────────────────────────
 async function _openAI(text, opts) {
-  if (!process.env.OPENAI_API_KEY) {
+  const store = tenantContext.getStore();
+  const apiKeys = store?.apiKeys || {};
+  const apiKey = apiKeys.OPENAI_API_KEY || process.env.OPENAI_API_KEY;
+  if (!apiKey) {
     return "Error: textToSpeech requires OPENAI_API_KEY";
   }
   const { default: OpenAI } = await import("openai");
-  const client = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });
+  const client = new OpenAI({ apiKey });
   const voice  = opts.voice  || "nova";    // nova = clear, neutral, works great for most use cases
   const speed  = Math.max(0.25, Math.min(4.0, parseFloat(opts.speed  || "1.0")));
   const format = opts.format || "mp3";     // mp3 | opus | aac | flac
   const model  = opts.hd === false ? "tts-1" : "tts-1-hd"; // tts-1-hd = better quality
-  mkdirSync(TMP_DIR, { recursive: true });
+  const ttsDir = getTenantTmpDir("daemora-tts");
   // Split into chunks if text exceeds API limit
   const chunks = _splitText(text, OPENAI_CHAR_LIMIT);
   if (chunks.length === 1) {
     const response = await client.audio.speech.create({ model, voice, input: chunks[0], speed, response_format: format });
-    const filePath = join(TMP_DIR, `speech-${Date.now()}.${format}`);
+    const filePath = join(ttsDir, `speech-${Date.now()}.${format}`);
     writeFileSync(filePath, Buffer.from(await response.arrayBuffer()));
     return `Audio saved to: ${filePath}`;
   }
@@ -72,7 +79,7 @@ async function _openAI(text, opts) {
   const paths = [];
   for (let i = 0; i < chunks.length; i++) {
     const response = await client.audio.speech.create({ model, voice, input: chunks[i], speed, response_format: format });
-    const filePath = join(TMP_DIR, `speech-${Date.now()}-part${i + 1}.${format}`);
+    const filePath = join(ttsDir, `speech-${Date.now()}-part${i + 1}.${format}`);
     writeFileSync(filePath, Buffer.from(await response.arrayBuffer()));
     paths.push(filePath);
   }
@@ -83,7 +90,9 @@ async function _openAI(text, opts) {
 // ── ElevenLabs TTS ────────────────────────────────────────────────────────────
 async function _elevenLabs(text, opts) {
-  const apiKey = process.env.ELEVENLABS_API_KEY;
+  const store = tenantContext.getStore();
+  const tenantKeys = store?.apiKeys || {};
+  const apiKey = tenantKeys.ELEVENLABS_API_KEY || process.env.ELEVENLABS_API_KEY;
   if (!apiKey) {
     return "Error: provider=elevenlabs requires ELEVENLABS_API_KEY";
   }
@@ -115,8 +124,8 @@ async function _elevenLabs(text, opts) {
     return `Error: ElevenLabs API returned HTTP ${res.status}${body ? `: ${body.slice(0, 200)}` : ""}`;
   }
-  mkdirSync(TMP_DIR, { recursive: true });
-  const filePath = join(TMP_DIR, `speech-eleven-${Date.now()}.mp3`);
+  const ttsDir = getTenantTmpDir("daemora-tts");
+  const filePath = join(ttsDir, `speech-eleven-${Date.now()}.mp3`);
   writeFileSync(filePath, Buffer.from(await res.arrayBuffer()));
   return `Audio saved to: ${filePath}`;
 }

package/src/tools/transcribeAudio.js CHANGED Viewed

@@ -9,8 +9,10 @@
  */
 import { createReadStream, writeFileSync, existsSync } from "node:fs";
 import { join, extname, basename } from "node:path";
-import { tmpdir } from "node:os";
 import OpenAI from "openai";
+import filesystemGuard from "../safety/FilesystemGuard.js";
+import { getTenantTmpDir } from "./_paths.js";
+import tenantContext from "../tenants/TenantContext.js";
 const SUPPORTED_EXTENSIONS = new Set([
   ".mp3", ".mp4", ".mpeg", ".mpga", ".m4a", ".wav", ".webm", ".ogg", ".oga", ".flac"
@@ -23,7 +25,10 @@ export async function transcribeAudio(audioPath, prompt) {
   try {
     if (!audioPath) return "Error: audioPath is required";
-    if (!process.env.OPENAI_API_KEY) {
+    const _store = tenantContext.getStore();
+    const _keys = _store?.apiKeys || {};
+    const apiKey = _keys.OPENAI_API_KEY || process.env.OPENAI_API_KEY;
+    if (!apiKey) {
       return "Error: transcribeAudio requires OPENAI_API_KEY (uses OpenAI Whisper API)";
     }
@@ -32,7 +37,7 @@ export async function transcribeAudio(audioPath, prompt) {
     // Download if URL
     if (audioPath.startsWith("https://") || audioPath.startsWith("http://")) {
       const ext = extname(new URL(audioPath).pathname) || ".ogg";
-      const tmpPath = join(tmpdir(), `audio-${Date.now()}${ext}`);
+      const tmpPath = join(getTenantTmpDir("daemora-audio"), `audio-${Date.now()}${ext}`);
       const res = await fetch(audioPath, { signal: AbortSignal.timeout(30000) });
       if (!res.ok) return `Error downloading audio: HTTP ${res.status}`;
@@ -42,6 +47,12 @@ export async function transcribeAudio(audioPath, prompt) {
       localPath = tmpPath;
     }
+    // Guard read access for local files (not downloaded URLs — those are already in tenant workspace)
+    if (!audioPath.startsWith("http")) {
+      const rc = filesystemGuard.checkRead(localPath);
+      if (!rc.allowed) return `Error: ${rc.reason}`;
+    }
     if (!existsSync(localPath)) {
       return `Error: Audio file not found: ${localPath}`;
     }
@@ -56,7 +67,7 @@ export async function transcribeAudio(audioPath, prompt) {
       return `Error: Unsupported audio format: ${ext}. Supported: ${[...SUPPORTED_EXTENSIONS].join(", ")}`;
     }
-    const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });
+    const openai = new OpenAI({ apiKey });
     const transcription = await openai.audio.transcriptions.create({
       file: createReadStream(localPath),