feat: add A2A task delegation over mTLS (#804)

agent/a2a_mtls.py

@@ -29,6 +29,8 @@ import logging
 import os
 import ssl
 import threading
+import time
+import uuid
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from pathlib import Path
 from typing import Any, Callable, Dict, Optional
@@ -441,3 +443,244 @@ class A2AMTLSClient:
     def post(self, url: str, json: Optional[Dict[str, Any]] = None, **kwargs: Any) -> Dict[str, Any]:
         data = (__import__("json").dumps(json).encode() if json is not None else None)
         return self._request("POST", url, data=data, **kwargs)
+
+
+# ---------------------------------------------------------------------------
+# Structured A2A task delegation over mTLS
+# ---------------------------------------------------------------------------
+
+_TERMINAL_TASK_STATES = {"completed", "failed", "canceled", "rejected"}
+
+
+def _iso_now() -> str:
+    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
+
+
+def _task_status(state: str, message: str) -> Dict[str, Any]:
+    return {
+        "state": state,
+        "message": message,
+        "timestamp": _iso_now(),
+    }
+
+
+def _coerce_artifact(result: Any) -> Dict[str, Any]:
+    if isinstance(result, dict):
+        if "text" in result:
+            return result
+        if "artifact" in result and isinstance(result["artifact"], dict):
+            return result["artifact"]
+    return {"text": str(result)}
+
+
+def _build_task_record(task_id: str, task: str, requester: Optional[str], metadata: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
+    return {
+        "taskId": task_id,
+        "task": task,
+        "requester": requester,
+        "metadata": metadata or {},
+        "artifacts": [],
+        "status": _task_status("submitted", "Task submitted"),
+    }
+
+
+def _default_agent_card(host: str, port: int) -> Dict[str, Any]:
+    base_url = f"https://{host}:{port}"
+    try:
+        from agent.agent_card import build_agent_card
+        from dataclasses import asdict
+
+        card = asdict(build_agent_card())
+    except Exception as exc:  # pragma: no cover - fallback only exercised when card build breaks
+        logger.warning("Falling back to minimal agent card: %s", exc)
+        card = {
+            "name": os.environ.get("HERMES_AGENT_NAME", "hermes"),
+            "description": "Hermes A2A task server",
+            "version": "unknown",
+        }
+    card["url"] = base_url
+    card["a2aTaskEndpoint"] = f"{base_url}/a2a/rpc"
+    return card
+
+
+def _default_local_hermes_executor(task_payload: Dict[str, Any]) -> Dict[str, Any]:
+    task_text = str(task_payload.get("task", "")).strip()
+    if not task_text:
+        return {"text": ""}
+    from run_agent import AIAgent
+
+    agent = AIAgent(quiet_mode=True)
+    result = agent.chat(task_text)
+    return {
+        "text": result,
+        "metadata": {"executor": "local-hermes"},
+    }
+
+
+class A2ATaskServer:
+    """JSON-RPC A2A task server running over the routing mTLS server."""
+
+    def __init__(
+        self,
+        cert: str | Path,
+        key: str | Path,
+        ca: str | Path,
+        host: str = "127.0.0.1",
+        port: int = 9443,
+        executor: Optional[Callable[[Dict[str, Any]], Dict[str, Any]]] = None,
+        card_factory: Optional[Callable[[], Dict[str, Any]]] = None,
+    ) -> None:
+        self.host = host
+        self.port = port
+        self._server = A2AMTLSServer(cert=cert, key=key, ca=ca, host=host, port=port)
+        self._executor = executor or _default_local_hermes_executor
+        self._card_factory = card_factory or (lambda: _default_agent_card(self.host, self.port))
+        self._tasks: Dict[str, Dict[str, Any]] = {}
+        self._lock = threading.Lock()
+        self._server.add_route("/.well-known/agent-card.json", self._handle_agent_card)
+        self._server.add_route("/agent-card.json", self._handle_agent_card)
+        self._server.add_route("/a2a/rpc", self._handle_rpc)
+
+    def __enter__(self) -> "A2ATaskServer":
+        self.start()
+        return self
+
+    def __exit__(self, *_: Any) -> None:
+        self.stop()
+
+    def start(self) -> None:
+        self._server.start()
+
+    def stop(self) -> None:
+        self._server.stop()
+
+    def _handle_agent_card(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        return self._card_factory()
+
+    def _handle_rpc(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        req_id = payload.get("id")
+        if payload.get("jsonrpc") != "2.0":
+            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32600, "message": "invalid jsonrpc version"}}
+
+        method = payload.get("method")
+        params = payload.get("params") or {}
+        try:
+            if method == "tasks/send":
+                result = self._rpc_send_task(params, peer_cn=peer_cn)
+            elif method == "tasks/get":
+                result = self._rpc_get_task(params)
+            else:
+                return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32601, "message": f"unknown method: {method}"}}
+        except Exception as exc:
+            logger.exception("A2A task RPC failed: %s", exc)
+            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32000, "message": str(exc)}}
+        return {"jsonrpc": "2.0", "id": req_id, "result": result}
+
+    def _rpc_send_task(self, params: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        task_text = str(params.get("task", "")).strip()
+        if not task_text:
+            raise ValueError("task is required")
+        task_id = params.get("taskId") or uuid.uuid4().hex
+        requester = params.get("requester") or peer_cn
+        metadata = dict(params.get("metadata") or {})
+        if peer_cn:
+            metadata.setdefault("peer_cn", peer_cn)
+        record = _build_task_record(task_id, task_text, requester, metadata)
+        with self._lock:
+            self._tasks[task_id] = record
+        worker = threading.Thread(target=self._run_task, args=(task_id,), daemon=True, name=f"a2a-task-{task_id[:8]}")
+        worker.start()
+        return self._copy_task(task_id)
+
+    def _rpc_get_task(self, params: Dict[str, Any]) -> Dict[str, Any]:
+        task_id = str(params.get("taskId", "")).strip()
+        if not task_id:
+            raise ValueError("taskId is required")
+        return self._copy_task(task_id)
+
+    def _copy_task(self, task_id: str) -> Dict[str, Any]:
+        with self._lock:
+            if task_id not in self._tasks:
+                raise KeyError(f"unknown taskId: {task_id}")
+            return json.loads(json.dumps(self._tasks[task_id]))
+
+    def _run_task(self, task_id: str) -> None:
+        with self._lock:
+            task = self._tasks[task_id]
+            task["status"] = _task_status("working", "Task is running")
+            task_payload = {
+                "taskId": task["taskId"],
+                "task": task["task"],
+                "requester": task.get("requester"),
+                "metadata": dict(task.get("metadata") or {}),
+            }
+        try:
+            result = self._executor(task_payload)
+            artifact = _coerce_artifact(result)
+            with self._lock:
+                task = self._tasks[task_id]
+                task["artifacts"] = [artifact]
+                task["status"] = _task_status("completed", "Task completed")
+        except Exception as exc:
+            with self._lock:
+                task = self._tasks[task_id]
+                task["status"] = _task_status("failed", f"Task failed: {exc}")
+
+
+class A2ATaskClient(A2AMTLSClient):
+    """Client helper for A2A JSON-RPC task send/get flows."""
+
+    def discover_card(self, base_url: str) -> Dict[str, Any]:
+        return self.get(f"{base_url.rstrip('/')}/.well-known/agent-card.json")
+
+    def _rpc_call(self, base_url: str, method: str, params: Dict[str, Any]) -> Dict[str, Any]:
+        payload = {
+            "jsonrpc": "2.0",
+            "id": uuid.uuid4().hex,
+            "method": method,
+            "params": params,
+        }
+        response = self.post(f"{base_url.rstrip('/')}/a2a/rpc", json=payload)
+        if "error" in response:
+            error = response["error"]
+            raise RuntimeError(error.get("message") or str(error))
+        return response.get("result", {})
+
+    def send_task(
+        self,
+        base_url: str,
+        *,
+        task: str,
+        requester: str | None = None,
+        metadata: Optional[Dict[str, Any]] = None,
+    ) -> Dict[str, Any]:
+        return self._rpc_call(
+            base_url,
+            "tasks/send",
+            {
+                "task": task,
+                "requester": requester,
+                "metadata": metadata or {},
+            },
+        )
+
+    def get_task(self, base_url: str, task_id: str) -> Dict[str, Any]:
+        return self._rpc_call(base_url, "tasks/get", {"taskId": task_id})
+
+    def wait_for_task(
+        self,
+        base_url: str,
+        task_id: str,
+        *,
+        timeout: float = 30.0,
+        poll_interval: float = 0.5,
+    ) -> Dict[str, Any]:
+        deadline = time.monotonic() + timeout
+        while True:
+            task = self.get_task(base_url, task_id)
+            state = str(((task.get("status") or {}).get("state") or "")).lower()
+            if state in _TERMINAL_TASK_STATES:
+                return task
+            if time.monotonic() >= deadline:
+                raise TimeoutError(f"Timed out waiting for task {task_id}")
+            time.sleep(poll_interval)

agent/context_snapshots.py

@@ -1,69 +0,0 @@
-"""First-class context snapshot artifacts for live runtime memory evaluation."""
-
-from __future__ import annotations
-
-import json
-import re
-from pathlib import Path
-from typing import Any
-
-from hermes_constants import get_hermes_home
-
-
-_SAFE_SEGMENT_RE = re.compile(r"[^A-Za-z0-9_.-]+")
-
-
-class ContextSnapshotRecorder:
-    """Write per-call prompt-composition artifacts for a Hermes session."""
-
-    def __init__(self, session_id: str, *, enabled: bool = False, base_dir: str | Path | None = None):
-        self.session_id = session_id or "session"
-        self.enabled = bool(enabled)
-        self.base_dir = Path(base_dir) if base_dir else get_hermes_home() / "reports" / "context_snapshots"
-
-    @property
-    def session_dir(self) -> Path:
-        safe_session = _SAFE_SEGMENT_RE.sub("_", self.session_id).strip("._") or "session"
-        return self.base_dir / safe_session
-
-    def record_call(
-        self,
-        api_call_count: int,
-        *,
-        system_prompt: str,
-        memory_provider_system_prompt: str = "",
-        memory_prefetch_raw: str = "",
-        memory_context_block: str = "",
-        api_user_message: str = "",
-        api_messages: list[dict[str, Any]] | None = None,
-        metadata: dict[str, Any] | None = None,
-    ) -> Path | None:
-        if not self.enabled:
-            return None
-
-        call_dir = self.session_dir / f"call_{api_call_count:03d}"
-        call_dir.mkdir(parents=True, exist_ok=True)
-
-        self._write_text(call_dir / "system_prompt.txt", system_prompt or "")
-        self._write_text(call_dir / "memory_provider_system_prompt.txt", memory_provider_system_prompt or "")
-        self._write_text(call_dir / "memory_prefetch_raw.txt", memory_prefetch_raw or "")
-        self._write_text(call_dir / "memory_context_block.txt", memory_context_block or "")
-        self._write_text(call_dir / "api_user_message.txt", api_user_message or "")
-        self._write_json(call_dir / "api_messages.json", api_messages or [])
-        self._write_json(
-            call_dir / "metadata.json",
-            {
-                "session_id": self.session_id,
-                "api_call_count": api_call_count,
-                **(metadata or {}),
-            },
-        )
-        return call_dir
-
-    @staticmethod
-    def _write_text(path: Path, content: str) -> None:
-        path.write_text(content, encoding="utf-8")
-
-    @staticmethod
-    def _write_json(path: Path, payload: Any) -> None:
-        path.write_text(json.dumps(payload, indent=2, ensure_ascii=False), encoding="utf-8")

docs/hindsight-local-eval.md

@@ -1,132 +0,0 @@
-# Hindsight local eval homes for live Hermes runtime testing
-
-Issue: #1010
-Parent: #985
-
-This document defines a reproducible, profile-scoped evaluation layout for baseline / MemPalace / Hindsight comparisons without requiring Hindsight Cloud.
-
-## Eval home layout
-
-Use three separate `HERMES_HOME` directories so each run has isolated config, memory, sessions, and artifacts.
-
-```text
-~/.hermes/profiles/atlas-baseline/
-  config.yaml
-  .env
-  MEMORY.md
-  USER.md
-  reports/context_snapshots/
-
-~/.hermes/profiles/atlas-mempalace/
-  config.yaml
-  .env
-  MEMORY.md
-  USER.md
-  reports/context_snapshots/
-  plugins/           # if a local MemPalace plugin is installed for this eval lane
-
-~/.hermes/profiles/atlas-hindsight/
-  config.yaml
-  .env
-  MEMORY.md
-  USER.md
-  hindsight/config.json
-  reports/context_snapshots/
-```
-
-## Hindsight local config
-
-The Hindsight provider already loads config from `$HERMES_HOME/hindsight/config.json` first. For the local eval lane, prefer `local_embedded` so Hermes can bring up a local Hindsight daemon without cloud signup.
-
-Example `~/.hermes/profiles/atlas-hindsight/hindsight/config.json`:
-
-```json
-{
-  "mode": "local_embedded",
-  "memory_mode": "context",
-  "recall_prefetch_method": "recall",
-  "llm_provider": "ollama",
-  "llm_model": "gemma3:12b",
-  "api_url": "http://localhost:8888"
-}
-```
-
-Notes:
-- `local_embedded` avoids any Hindsight Cloud dependency.
-- If `profile` is omitted, Hermes now derives a stable local Hindsight profile name from the active profile identity / `HERMES_HOME` instead of collapsing all local runs into the shared legacy `hermes` profile.
-- `local_external` remains valid if you already run a local Hindsight server yourself.
-
-## Runtime switching procedure
-
-Switch by exporting `HERMES_HOME` before launching Hermes.
-
-### 1. Baseline
-
-```bash
-export HERMES_HOME="$HOME/.hermes/profiles/atlas-baseline"
-unset HERMES_CONTEXT_SNAPSHOTS
-hermes chat
-```
-
-### 2. MemPalace lane
-
-```bash
-export HERMES_HOME="$HOME/.hermes/profiles/atlas-mempalace"
-export HERMES_CONTEXT_SNAPSHOTS=1
-hermes chat
-```
-
-### 3. Hindsight lane
-
-```bash
-export HERMES_HOME="$HOME/.hermes/profiles/atlas-hindsight"
-export HERMES_CONTEXT_SNAPSHOTS=1
-hermes chat
-```
-
-## Raw artifact capture
-
-When `HERMES_CONTEXT_SNAPSHOTS=1` is enabled, Hermes writes first-class prompt-composition artifacts under the active home by default.
-
-Artifact tree:
-
-```text
-$HERMES_HOME/reports/context_snapshots/<session-id>/call_001/
-  system_prompt.txt
-  memory_provider_system_prompt.txt
-  memory_prefetch_raw.txt
-  memory_context_block.txt
-  api_user_message.txt
-  api_messages.json
-  metadata.json
-```
-
-Minimum files a benchmark should inspect:
-- `system_prompt.txt`
-- `memory_prefetch_raw.txt`
-- `memory_context_block.txt`
-- `api_user_message.txt`
-- `api_messages.json`
-
-These prove:
-- what the system prompt was
-- what the provider prefetched
-- what entered `<memory-context>`
-- what the final API user message looked like
-- what full payload reached the model
-
-## Follow-on benchmark workflow
-
-A benchmark issue can now consume this path without redoing integration work:
-1. pick one eval home (`atlas-baseline`, `atlas-mempalace`, `atlas-hindsight`)
-2. export the corresponding `HERMES_HOME`
-3. run Hermes on the same prompt set
-4. compare the snapshot artifacts in `reports/context_snapshots/`
-5. score recall quality and answer quality separately
-
-## Why this is sovereign
-
-- no hosted Hindsight Cloud dependency is required
-- the Hindsight config is profile-scoped under `hindsight/config.json`
-- the runtime artifacts stay under the active `HERMES_HOME`
-- switching between baseline / MemPalace / Hindsight is just a `HERMES_HOME` swap

hermes_cli/a2a_cmd.py

@@ -0,0 +1,132 @@
+"""CLI helpers for A2A task delegation."""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import sys
+import time
+from pathlib import Path
+from typing import Any
+
+from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
+from hermes_cli.config import get_hermes_home
+
+
+def _registry_path() -> Path:
+    return get_hermes_home() / "a2a_agents.json"
+
+
+def _default_identity_paths() -> tuple[str, str, str]:
+    hermes_home = get_hermes_home()
+    agent_name = os.environ.get("HERMES_AGENT_NAME", "hermes").lower()
+    cert = os.environ.get(
+        "HERMES_A2A_CERT",
+        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.crt"),
+    )
+    key = os.environ.get(
+        "HERMES_A2A_KEY",
+        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.key"),
+    )
+    ca = os.environ.get(
+        "HERMES_A2A_CA",
+        str(hermes_home / "pki" / "ca" / "fleet-ca.crt"),
+    )
+    return cert, key, ca
+
+
+def load_agent_registry(path: Path | None = None) -> dict[str, Any]:
+    registry_path = path or _registry_path()
+    if not registry_path.exists():
+        return {}
+    return json.loads(registry_path.read_text(encoding="utf-8"))
+
+
+def resolve_agent_url(agent: str, *, registry_path: Path | None = None) -> str:
+    key = re.sub(r"[^A-Za-z0-9]+", "_", agent).upper()
+    env_value = os.getenv(f"HERMES_A2A_{key}_URL")
+    if env_value:
+        return env_value
+
+    registry = load_agent_registry(registry_path)
+    entry = registry.get(agent)
+    if isinstance(entry, str) and entry:
+        return entry
+    if isinstance(entry, dict):
+        url = entry.get("url") or entry.get("base_url") or entry.get("card_url")
+        if url:
+            return str(url)
+    if agent.startswith("https://") or agent.startswith("http://"):
+        return agent
+    raise SystemExit(f"Unknown A2A agent '{agent}'. Set HERMES_A2A_{key}_URL or add it to {_registry_path()}.")
+
+
+def _print(data: dict[str, Any]) -> None:
+    print(json.dumps(data, indent=2, ensure_ascii=False))
+
+
+def cmd_send(args) -> None:
+    base_url = args.url or resolve_agent_url(args.agent)
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    client = A2ATaskClient(cert=cert, key=key, ca=ca)
+    card = client.discover_card(base_url)
+    task = client.send_task(
+        base_url,
+        task=args.task,
+        requester=args.requester,
+        metadata={"agent": args.agent},
+    )
+    if args.wait:
+        task = client.wait_for_task(
+            base_url,
+            task["taskId"],
+            timeout=args.timeout,
+            poll_interval=args.poll_interval,
+        )
+    _print({
+        "agent": args.agent,
+        "url": base_url,
+        "card": card,
+        "task": task,
+    })
+
+
+def cmd_status(args) -> None:
+    base_url = args.url or resolve_agent_url(args.agent)
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    client = A2ATaskClient(cert=cert, key=key, ca=ca)
+    task = client.get_task(base_url, args.task_id)
+    _print({"agent": args.agent, "url": base_url, "task": task})
+
+
+def cmd_serve(args) -> None:
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    server = A2ATaskServer(cert=cert, key=key, ca=ca, host=args.host, port=args.port)
+    server.start()
+    print(f"A2A task server listening on https://{args.host}:{args.port}")
+    try:
+        while True:
+            time.sleep(1)
+    except KeyboardInterrupt:
+        server.stop()
+
+
+def cmd_a2a(args) -> None:
+    command = getattr(args, "a2a_command", None) or "send"
+    if command == "send":
+        cmd_send(args)
+        return
+    if command == "status":
+        cmd_status(args)
+        return
+    if command == "serve":
+        cmd_serve(args)
+        return
+    raise SystemExit(f"Unknown a2a command: {command}")

hermes_cli/main.py

@@ -173,6 +173,13 @@ from hermes_constants import OPENROUTER_BASE_URL
 logger = logging.getLogger(__name__)
 
 
+def cmd_a2a(args):
+    """Dispatch A2A CLI subcommands lazily to avoid heavy imports at startup."""
+    from hermes_cli.a2a_cmd import cmd_a2a as _cmd_a2a
+
+    return _cmd_a2a(args)
+
+
 def _relative_time(ts) -> str:
     """Format a timestamp as relative time (e.g., '2h ago', 'yesterday')."""
     if not ts:
@@ -4781,6 +4788,45 @@ For more help on a command:
 
     gateway_parser.set_defaults(func=cmd_gateway)
     
+    # =========================================================================
+    # a2a command
+    # =========================================================================
+    a2a_parser = subparsers.add_parser(
+        "a2a",
+        help="A2A task delegation over mutual TLS",
+        description="Send, inspect, and serve structured A2A tasks between Hermes agents",
+    )
+    a2a_subparsers = a2a_parser.add_subparsers(dest="a2a_command")
+
+    a2a_send = a2a_subparsers.add_parser("send", help="Send an A2A task to another agent")
+    a2a_send.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
+    a2a_send.add_argument("--task", required=True, help="Task text to delegate")
+    a2a_send.add_argument("--url", help="Explicit base URL for the remote agent")
+    a2a_send.add_argument("--requester", default=None, help="Requester label included in task metadata")
+    a2a_send.add_argument("--wait", action="store_true", help="Poll until the task reaches a terminal state")
+    a2a_send.add_argument("--timeout", type=float, default=30.0, help="Wait timeout in seconds (default: 30)")
+    a2a_send.add_argument("--poll-interval", type=float, default=0.5, help="Polling interval in seconds while waiting (default: 0.5)")
+    a2a_send.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_send.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
+    a2a_send.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_status = a2a_subparsers.add_parser("status", help="Fetch the current status of an A2A task")
+    a2a_status.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
+    a2a_status.add_argument("--task-id", required=True, help="Task identifier returned by a2a send")
+    a2a_status.add_argument("--url", help="Explicit base URL for the remote agent")
+    a2a_status.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_status.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
+    a2a_status.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_serve = a2a_subparsers.add_parser("serve", help="Run the local A2A task server")
+    a2a_serve.add_argument("--host", default=os.environ.get("HERMES_A2A_HOST", "127.0.0.1"), help="Bind host (default: HERMES_A2A_HOST or 127.0.0.1)")
+    a2a_serve.add_argument("--port", type=int, default=int(os.environ.get("HERMES_A2A_PORT", "9443")), help="Bind port (default: HERMES_A2A_PORT or 9443)")
+    a2a_serve.add_argument("--cert", default=None, help="Server certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_serve.add_argument("--key", default=None, help="Server private key path (defaults from HERMES_A2A_KEY)")
+    a2a_serve.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_parser.set_defaults(func=cmd_a2a)
+    
     # =========================================================================
     # setup command
     # =========================================================================

plugins/memory/hindsight/__init__.py

@@ -178,25 +178,6 @@ def _load_config() -> dict:
     }
 
 
-def _derive_local_profile_name(agent_identity: str = "", hermes_home: str = "") -> str:
-    """Return a stable profile name for local embedded Hindsight storage.
-
-    Prefer the active Hermes profile identity when available, otherwise fall back
-    to the basename of the active HERMES_HOME path. This prevents all local
-    Hindsight eval homes from sharing the legacy default profile name "hermes".
-    """
-    from pathlib import Path
-    import re
-
-    raw = (agent_identity or "").strip()
-    if not raw and hermes_home:
-        raw = Path(hermes_home).name.strip()
-    if not raw:
-        raw = "hermes"
-    safe = re.sub(r"[^A-Za-z0-9_.-]+", "-", raw).strip(".-_")
-    return safe or "hermes"
-
-
 # ---------------------------------------------------------------------------
 # MemoryProvider implementation
 # ---------------------------------------------------------------------------
@@ -487,8 +468,6 @@ class HindsightMemoryProvider(MemoryProvider):
 
     def initialize(self, session_id: str, **kwargs) -> None:
         self._session_id = session_id
-        hermes_home = str(kwargs.get("hermes_home") or "")
-        agent_identity = str(kwargs.get("agent_identity") or "")
 
         # Check client version and auto-upgrade if needed
         try:
@@ -521,11 +500,6 @@ class HindsightMemoryProvider(MemoryProvider):
         # "local" is a legacy alias for "local_embedded"
         if self._mode == "local":
             self._mode = "local_embedded"
-        if self._mode == "local_embedded" and not self._config.get("profile"):
-            self._config["profile"] = _derive_local_profile_name(
-                agent_identity=agent_identity,
-                hermes_home=hermes_home,
-            )
         self._api_key = self._config.get("apiKey") or self._config.get("api_key") or os.environ.get("HINDSIGHT_API_KEY", "")
         default_url = _DEFAULT_LOCAL_URL if self._mode in ("local_embedded", "local_external") else _DEFAULT_API_URL
         self._api_url = self._config.get("api_url") or os.environ.get("HINDSIGHT_API_URL", default_url)

run_agent.py

@@ -604,8 +604,6 @@ class AIAgent:
         checkpoint_max_snapshots: int = 50,
         pass_session_id: bool = False,
         persist_session: bool = True,
-        context_snapshots_enabled: bool | None = None,
-        context_snapshots_dir: str | None = None,
     ):
         """
         Initialize the AI Agent.
@@ -1131,43 +1129,6 @@ class AIAgent:
         except Exception:
             _agent_cfg = {}
 
-        def _is_enabled(value):
-            if isinstance(value, bool):
-                return value
-            return str(value).strip().lower() in {"1", "true", "yes", "on"}
-
-        _debug_cfg = _agent_cfg.get("debug", {}) if isinstance(_agent_cfg, dict) else {}
-        if not isinstance(_debug_cfg, dict):
-            _debug_cfg = {}
-        _snapshot_cfg = _debug_cfg.get("context_snapshots", {})
-        if not isinstance(_snapshot_cfg, dict):
-            _snapshot_cfg = {}
-        _snapshots_env = os.getenv("HERMES_CONTEXT_SNAPSHOTS")
-        _snapshots_dir_env = os.getenv("HERMES_CONTEXT_SNAPSHOTS_DIR")
-        if context_snapshots_enabled is None:
-            if _snapshots_env is not None:
-                self._context_snapshots_enabled = _is_enabled(_snapshots_env)
-            else:
-                self._context_snapshots_enabled = _is_enabled(_snapshot_cfg.get("enabled", False))
-        else:
-            self._context_snapshots_enabled = bool(context_snapshots_enabled)
-        self._context_snapshots_dir = (
-            context_snapshots_dir
-            or _snapshots_dir_env
-            or _snapshot_cfg.get("dir")
-            or None
-        )
-        try:
-            from agent.context_snapshots import ContextSnapshotRecorder
-            self._context_snapshot_recorder = ContextSnapshotRecorder(
-                session_id=self.session_id,
-                enabled=self._context_snapshots_enabled,
-                base_dir=self._context_snapshots_dir,
-            )
-        except Exception as _snapshot_err:
-            logger.debug("Context snapshot recorder init failed: %s", _snapshot_err)
-            self._context_snapshot_recorder = None
-
         # Persistent memory (MEMORY.md + USER.md) -- loaded from disk
         self._memory_store = None
         self._memory_enabled = False
@@ -8183,17 +8144,12 @@ class AIAgent:
         # Use original_user_message (clean input) — user_message may contain
         # injected skill content that bloats / breaks provider queries.
         _ext_prefetch_cache = ""
-        _memory_provider_prompt_cache = ""
         if self._memory_manager:
             try:
                 _query = original_user_message if isinstance(original_user_message, str) else ""
                 _ext_prefetch_cache = self._memory_manager.prefetch_all(_query) or ""
             except Exception:
                 pass
-            try:
-                _memory_provider_prompt_cache = self._memory_manager.build_system_prompt() or ""
-            except Exception:
-                pass
 
         while (api_call_count < self.max_iterations and self.iteration_budget.remaining > 0) or self._budget_grace_call:
             # Reset per-turn checkpoint dedup so each iteration can take one snapshot
@@ -8261,8 +8217,6 @@ class AIAgent:
             # However, providers like Moonshot AI require a separate 'reasoning_content' field
             # on assistant messages with tool_calls. We handle both cases here.
             api_messages = []
-            _current_api_user_message = ""
-            _current_memory_context_block = ""
             for idx, msg in enumerate(messages):
                 api_msg = msg.copy()
 
@@ -8277,15 +8231,12 @@ class AIAgent:
                         _fenced = build_memory_context_block(_ext_prefetch_cache)
                         if _fenced:
                             _injections.append(_fenced)
-                            _current_memory_context_block = _fenced
                     if _plugin_user_context:
                         _injections.append(_plugin_user_context)
                     if _injections:
                         _base = api_msg.get("content", "")
                         if isinstance(_base, str):
                             api_msg["content"] = _base + "\n\n" + "\n\n".join(_injections)
-                    if isinstance(api_msg.get("content"), str):
-                        _current_api_user_message = api_msg["content"]
 
                 # For ALL assistant messages, pass reasoning back to the API
                 # This ensures multi-turn reasoning context is preserved
@@ -8320,13 +8271,7 @@ class AIAgent:
                 from agent.privacy_filter import PrivacyFilter
                 pf = PrivacyFilter()
                 # Sanitize messages before they reach the provider
-                _pf_result = pf.sanitize_messages(api_messages)
-                if isinstance(_pf_result, tuple):
-                    api_messages, _pf_report = _pf_result
-                    if getattr(pf, "last_report", None) is None:
-                        pf.last_report = _pf_report
-                else:
-                    api_messages = _pf_result
+                api_messages = pf.sanitize_messages(api_messages)
                 if pf.last_report and pf.last_report.had_redactions:
                     logger.info(f"Privacy Filter: Redacted sensitive data from turn payload. Details: {pf.last_report.summary()}")
             except Exception as e:
@@ -8397,27 +8342,6 @@ class AIAgent:
                     new_tcs.append(tc)
                 am["tool_calls"] = new_tcs
 
-            if self._context_snapshot_recorder:
-                try:
-                    self._context_snapshot_recorder.record_call(
-                        api_call_count,
-                        system_prompt=effective_system,
-                        memory_provider_system_prompt=_memory_provider_prompt_cache,
-                        memory_prefetch_raw=_ext_prefetch_cache,
-                        memory_context_block=_current_memory_context_block,
-                        api_user_message=_current_api_user_message,
-                        api_messages=api_messages,
-                        metadata={
-                            "model": self.model,
-                            "provider": self.provider,
-                            "platform": self.platform or "",
-                            "api_mode": self.api_mode,
-                            "memory_providers": [p.name for p in getattr(self._memory_manager, "providers", [])],
-                        },
-                    )
-                except Exception as _snapshot_err:
-                    logger.debug("Context snapshot capture failed: %s", _snapshot_err)
-
             # Calculate approximate request size for logging
             total_chars = sum(len(str(msg)) for msg in api_messages)
             approx_tokens = estimate_messages_tokens_rough(api_messages)

tests/agent/test_a2a_mtls.py

@@ -572,3 +572,94 @@ class TestA2AMTLSServerAndClient:
 
         assert not errors, f"Concurrent connection errors: {errors}"
         assert len(results) == 3
+
+
+@_requires_crypto
+class TestA2ATaskServerAndClient:
+    """Structured A2A task send/get flow over mTLS."""
+
+    @pytest.fixture(autouse=True)
+    def _pki(self, tmp_path):
+        ca_dir = tmp_path / "ca"
+        ca_dir.mkdir()
+        self.ca_crt, self.ca_key = _make_ca_keypair(ca_dir)
+        agent_dir = tmp_path / "agents"
+        agent_dir.mkdir()
+        self.srv_crt, self.srv_key = _make_agent_keypair(
+            agent_dir, "timmy", self.ca_crt, self.ca_key
+        )
+        self.cli_crt, self.cli_key = _make_agent_keypair(
+            agent_dir, "allegro", self.ca_crt, self.ca_key
+        )
+
+    @pytest.fixture()
+    def task_server(self):
+        from agent.a2a_mtls import A2ATaskServer
+
+        gate = threading.Event()
+
+        def analyze_executor(task: dict[str, object]) -> dict[str, object]:
+            gate.wait(timeout=2)
+            text = str(task.get("task", ""))
+            return {
+                "text": f"analysis:{text}",
+                "metadata": {"tool": "local-hermes-stub"},
+            }
+
+        port = _find_free_port()
+        server = A2ATaskServer(
+            cert=self.srv_crt,
+            key=self.srv_key,
+            ca=self.ca_crt,
+            host="127.0.0.1",
+            port=port,
+            executor=analyze_executor,
+        )
+        with server:
+            time.sleep(0.1)
+            yield server, port, gate
+
+    def test_task_send_get_and_completion_flow(self, task_server):
+        from agent.a2a_mtls import A2ATaskClient
+
+        server, port, gate = task_server
+        client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
+        base_url = f"https://127.0.0.1:{port}"
+
+        card = client.discover_card(base_url)
+        assert card["name"]
+
+        submitted = client.send_task(base_url, task="Analyze README.md", requester="timmy")
+        assert submitted["status"]["state"] in {"submitted", "working"}
+
+        in_flight = client.get_task(base_url, submitted["taskId"])
+        assert in_flight["status"]["state"] in {"submitted", "working"}
+
+        gate.set()
+        completed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
+        assert completed["status"]["state"] == "completed"
+        assert completed["artifacts"][0]["text"] == "analysis:Analyze README.md"
+
+    def test_failed_executor_marks_task_failed(self):
+        from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
+
+        def failing_executor(task: dict[str, object]) -> dict[str, object]:
+            raise RuntimeError("boom")
+
+        port = _find_free_port()
+        server = A2ATaskServer(
+            cert=self.srv_crt,
+            key=self.srv_key,
+            ca=self.ca_crt,
+            host="127.0.0.1",
+            port=port,
+            executor=failing_executor,
+        )
+        with server:
+            time.sleep(0.1)
+            client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
+            base_url = f"https://127.0.0.1:{port}"
+            submitted = client.send_task(base_url, task="explode", requester="timmy")
+            failed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
+            assert failed["status"]["state"] == "failed"
+            assert "boom" in failed["status"]["message"]

tests/agent/test_context_snapshots.py

@@ -1,43 +0,0 @@
-from pathlib import Path
-
-from agent.context_snapshots import ContextSnapshotRecorder
-
-
-def test_disabled_recorder_writes_nothing(tmp_path):
-    recorder = ContextSnapshotRecorder(session_id="session-1", enabled=False, base_dir=tmp_path)
-
-    out = recorder.record_call(
-        1,
-        system_prompt="system",
-        api_messages=[{"role": "user", "content": "hello"}],
-    )
-
-    assert out is None
-    assert not (tmp_path / "session-1").exists()
-
-
-def test_enabled_recorder_writes_expected_artifacts(tmp_path):
-    recorder = ContextSnapshotRecorder(session_id="session-1", enabled=True, base_dir=tmp_path)
-
-    out = recorder.record_call(
-        1,
-        system_prompt="system prompt",
-        memory_provider_system_prompt="# Hindsight Memory\nActive.",
-        memory_prefetch_raw="- remembered fact",
-        memory_context_block="<memory-context>\nremembered\n</memory-context>",
-        api_user_message="What do I prefer?\n\n<memory-context>\nremembered\n</memory-context>",
-        api_messages=[
-            {"role": "system", "content": "system prompt"},
-            {"role": "user", "content": "What do I prefer?"},
-        ],
-        metadata={"provider": "openai", "memory_providers": ["builtin", "hindsight"]},
-    )
-
-    assert out == tmp_path / "session-1" / "call_001"
-    assert (out / "system_prompt.txt").read_text(encoding="utf-8") == "system prompt"
-    assert (out / "memory_provider_system_prompt.txt").read_text(encoding="utf-8").startswith("# Hindsight Memory")
-    assert (out / "memory_prefetch_raw.txt").read_text(encoding="utf-8") == "- remembered fact"
-    assert "<memory-context>" in (out / "memory_context_block.txt").read_text(encoding="utf-8")
-    assert "What do I prefer?" in (out / "api_user_message.txt").read_text(encoding="utf-8")
-    assert (out / "api_messages.json").read_text(encoding="utf-8").startswith("[")
-    assert '"hindsight"' in (out / "metadata.json").read_text(encoding="utf-8")

tests/hermes_cli/test_a2a_cmd.py

@@ -0,0 +1,95 @@
+from __future__ import annotations
+
+import argparse
+import json
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+
+
+def test_cmd_send_uses_registry_and_waits_for_terminal_task(tmp_path, monkeypatch, capsys):
+    hermes_home = tmp_path / ".hermes"
+    hermes_home.mkdir()
+    (hermes_home / "a2a_agents.json").write_text(
+        json.dumps({"allegro": {"url": "https://127.0.0.1:9443"}}),
+        encoding="utf-8",
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    from hermes_cli.a2a_cmd import cmd_a2a
+
+    class FakeClient:
+        def __init__(self, **kwargs):
+            self.kwargs = kwargs
+
+        def discover_card(self, base_url: str):
+            assert base_url == "https://127.0.0.1:9443"
+            return {"name": "allegro", "url": base_url}
+
+        def send_task(self, base_url: str, *, task: str, requester: str | None = None, metadata=None):
+            assert task == "analyze README"
+            return {"taskId": "task-123", "status": {"state": "submitted"}}
+
+        def wait_for_task(self, base_url: str, task_id: str, *, timeout: float, poll_interval: float):
+            assert task_id == "task-123"
+            return {
+                "taskId": task_id,
+                "status": {"state": "completed"},
+                "artifacts": [{"text": "README looks healthy"}],
+            }
+
+    args = argparse.Namespace(
+        a2a_command="send",
+        agent="allegro",
+        task="analyze README",
+        url=None,
+        wait=True,
+        timeout=5.0,
+        poll_interval=0.01,
+        requester="timmy",
+        cert="cert.pem",
+        key="key.pem",
+        ca="ca.pem",
+    )
+
+    with patch("hermes_cli.a2a_cmd.A2ATaskClient", FakeClient):
+        cmd_a2a(args)
+
+    result = json.loads(capsys.readouterr().out)
+    assert result["agent"] == "allegro"
+    assert result["card"]["name"] == "allegro"
+    assert result["task"]["status"]["state"] == "completed"
+    assert result["task"]["artifacts"][0]["text"] == "README looks healthy"
+
+
+def test_resolve_agent_url_supports_env_override(monkeypatch):
+    monkeypatch.setenv("HERMES_A2A_ALLEGRO_URL", "https://fleet-allegro:9443")
+    from hermes_cli.a2a_cmd import resolve_agent_url
+
+    assert resolve_agent_url("allegro") == "https://fleet-allegro:9443"
+
+
+def test_cmd_send_requires_known_agent(tmp_path, monkeypatch):
+    hermes_home = tmp_path / ".hermes"
+    hermes_home.mkdir()
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    from hermes_cli.a2a_cmd import cmd_a2a
+
+    args = argparse.Namespace(
+        a2a_command="send",
+        agent="unknown",
+        task="do work",
+        url=None,
+        wait=False,
+        timeout=5.0,
+        poll_interval=0.05,
+        requester=None,
+        cert="cert.pem",
+        key="key.pem",
+        ca="ca.pem",
+    )
+
+    with pytest.raises(SystemExit):
+        cmd_a2a(args)

tests/plugins/memory/test_hindsight_provider.py

@@ -596,26 +596,3 @@ class TestAvailability:
         monkeypatch.setenv("HINDSIGHT_MODE", "local")
         p = HindsightMemoryProvider()
         assert p.is_available()
-
-    def test_local_embedded_profile_defaults_to_agent_identity(self, tmp_path, monkeypatch):
-        config_path = tmp_path / "hindsight" / "config.json"
-        config_path.parent.mkdir(parents=True, exist_ok=True)
-        config_path.write_text(json.dumps({
-            "mode": "local_embedded",
-            "llm_provider": "ollama",
-            "llm_model": "gemma3:12b",
-        }))
-        monkeypatch.setattr(
-            "plugins.memory.hindsight.get_hermes_home",
-            lambda: tmp_path,
-        )
-
-        p = HindsightMemoryProvider()
-        p.initialize(
-            session_id="test-session",
-            hermes_home=str(tmp_path / "profiles" / "atlas-hindsight"),
-            platform="cli",
-            agent_identity="atlas-hindsight",
-        )
-
-        assert p._config["profile"] == "atlas-hindsight"

tests/run_agent/test_run_agent_context_snapshots.py

@@ -1,94 +0,0 @@
-from pathlib import Path
-from types import SimpleNamespace
-from unittest.mock import MagicMock, patch
-import importlib
-import sys
-import types
-
-
-
-def _make_tool_defs(*names: str) -> list:
-    return [
-        {
-            "type": "function",
-            "function": {
-                "name": n,
-                "description": f"{n} tool",
-                "parameters": {"type": "object", "properties": {}},
-            },
-        }
-        for n in names
-    ]
-
-
-
-def _mock_response(content="Done", finish_reason="stop"):
-    msg = SimpleNamespace(content=content, tool_calls=None)
-    choice = SimpleNamespace(message=msg, finish_reason=finish_reason)
-    return SimpleNamespace(choices=[choice], usage=SimpleNamespace(prompt_tokens=1, completion_tokens=1, total_tokens=2))
-
-
-
-def _load_ai_agent():
-    sys.modules.setdefault("agent.auxiliary_client", types.SimpleNamespace(call_llm=lambda *a, **k: ""))
-    run_agent = importlib.import_module("run_agent")
-    return run_agent.AIAgent
-
-
-
-def test_run_conversation_writes_context_snapshot_artifacts(tmp_path):
-    AIAgent = _load_ai_agent()
-
-    class _FakePrivacyFilter:
-        def __init__(self):
-            self.last_report = None
-
-        def sanitize_messages(self, messages):
-            return list(messages)
-
-    with (
-        patch("run_agent.get_tool_definitions", return_value=_make_tool_defs("web_search")),
-        patch("run_agent.check_toolset_requirements", return_value={}),
-        patch("run_agent.OpenAI"),
-        patch("hermes_cli.plugins.invoke_hook", return_value=[]),
-        patch.dict(sys.modules, {"agent.privacy_filter": types.SimpleNamespace(PrivacyFilter=_FakePrivacyFilter)}),
-    ):
-        agent = AIAgent(
-            api_key="test-key-1234567890",
-            base_url="https://example.com/v1",
-            quiet_mode=True,
-            skip_context_files=True,
-            skip_memory=True,
-            context_snapshots_enabled=True,
-            context_snapshots_dir=str(tmp_path),
-        )
-
-    agent.client = MagicMock()
-    agent.client.chat.completions.create.return_value = _mock_response(content="Done")
-    agent._build_system_prompt = MagicMock(return_value="Core system prompt")
-    agent._memory_manager = MagicMock()
-    agent._memory_manager.prefetch_all.return_value = "- remembered preference"
-    agent._memory_manager.build_system_prompt.return_value = "# Hindsight Memory\nActive."
-    agent._memory_manager.providers = [
-        SimpleNamespace(name="builtin"),
-        SimpleNamespace(name="hindsight"),
-    ]
-
-    result = agent.run_conversation("What do I prefer?")
-
-    assert result["final_response"] == "Done"
-
-    call_dir = tmp_path / agent.session_id / "call_001"
-    assert call_dir.exists()
-    assert (call_dir / "system_prompt.txt").read_text(encoding="utf-8") == "Core system prompt"
-    assert (call_dir / "memory_provider_system_prompt.txt").read_text(encoding="utf-8").startswith("# Hindsight Memory")
-    assert (call_dir / "memory_prefetch_raw.txt").read_text(encoding="utf-8") == "- remembered preference"
-    assert "<memory-context>" in (call_dir / "memory_context_block.txt").read_text(encoding="utf-8")
-    api_user_message = (call_dir / "api_user_message.txt").read_text(encoding="utf-8")
-    assert "What do I prefer?" in api_user_message
-    assert "remembered preference" in api_user_message
-    api_messages = (call_dir / "api_messages.json").read_text(encoding="utf-8")
-    assert '"role": "system"' in api_messages
-    assert '"role": "user"' in api_messages
-    metadata = (call_dir / "metadata.json").read_text(encoding="utf-8")
-    assert '"hindsight"' in metadata

tests/test_hindsight_local_eval_doc.py

@@ -1,22 +0,0 @@
-from pathlib import Path
-
-
-ROOT = Path(__file__).resolve().parents[1]
-DOC = ROOT / "docs" / "hindsight-local-eval.md"
-
-
-def test_hindsight_local_eval_doc_exists_and_covers_switching():
-    assert DOC.exists(), "missing Hindsight local eval doc"
-    text = DOC.read_text(encoding="utf-8")
-    for snippet in (
-        "atlas-baseline",
-        "atlas-mempalace",
-        "atlas-hindsight",
-        "HERMES_HOME",
-        "HERMES_CONTEXT_SNAPSHOTS",
-        "memory_prefetch_raw.txt",
-        "api_user_message.txt",
-        "local_embedded",
-        "hindsight/config.json",
-    ):
-        assert snippet in text