feat: add A2A task delegation over mTLS (#804)

agent/a2a_mtls.py

@@ -29,6 +29,8 @@ import logging
 import os
 import ssl
 import threading
+import time
+import uuid
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from pathlib import Path
 from typing import Any, Callable, Dict, Optional
@@ -441,3 +443,244 @@ class A2AMTLSClient:
     def post(self, url: str, json: Optional[Dict[str, Any]] = None, **kwargs: Any) -> Dict[str, Any]:
         data = (__import__("json").dumps(json).encode() if json is not None else None)
         return self._request("POST", url, data=data, **kwargs)
+
+
+# ---------------------------------------------------------------------------
+# Structured A2A task delegation over mTLS
+# ---------------------------------------------------------------------------
+
+_TERMINAL_TASK_STATES = {"completed", "failed", "canceled", "rejected"}
+
+
+def _iso_now() -> str:
+    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
+
+
+def _task_status(state: str, message: str) -> Dict[str, Any]:
+    return {
+        "state": state,
+        "message": message,
+        "timestamp": _iso_now(),
+    }
+
+
+def _coerce_artifact(result: Any) -> Dict[str, Any]:
+    if isinstance(result, dict):
+        if "text" in result:
+            return result
+        if "artifact" in result and isinstance(result["artifact"], dict):
+            return result["artifact"]
+    return {"text": str(result)}
+
+
+def _build_task_record(task_id: str, task: str, requester: Optional[str], metadata: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
+    return {
+        "taskId": task_id,
+        "task": task,
+        "requester": requester,
+        "metadata": metadata or {},
+        "artifacts": [],
+        "status": _task_status("submitted", "Task submitted"),
+    }
+
+
+def _default_agent_card(host: str, port: int) -> Dict[str, Any]:
+    base_url = f"https://{host}:{port}"
+    try:
+        from agent.agent_card import build_agent_card
+        from dataclasses import asdict
+
+        card = asdict(build_agent_card())
+    except Exception as exc:  # pragma: no cover - fallback only exercised when card build breaks
+        logger.warning("Falling back to minimal agent card: %s", exc)
+        card = {
+            "name": os.environ.get("HERMES_AGENT_NAME", "hermes"),
+            "description": "Hermes A2A task server",
+            "version": "unknown",
+        }
+    card["url"] = base_url
+    card["a2aTaskEndpoint"] = f"{base_url}/a2a/rpc"
+    return card
+
+
+def _default_local_hermes_executor(task_payload: Dict[str, Any]) -> Dict[str, Any]:
+    task_text = str(task_payload.get("task", "")).strip()
+    if not task_text:
+        return {"text": ""}
+    from run_agent import AIAgent
+
+    agent = AIAgent(quiet_mode=True)
+    result = agent.chat(task_text)
+    return {
+        "text": result,
+        "metadata": {"executor": "local-hermes"},
+    }
+
+
+class A2ATaskServer:
+    """JSON-RPC A2A task server running over the routing mTLS server."""
+
+    def __init__(
+        self,
+        cert: str | Path,
+        key: str | Path,
+        ca: str | Path,
+        host: str = "127.0.0.1",
+        port: int = 9443,
+        executor: Optional[Callable[[Dict[str, Any]], Dict[str, Any]]] = None,
+        card_factory: Optional[Callable[[], Dict[str, Any]]] = None,
+    ) -> None:
+        self.host = host
+        self.port = port
+        self._server = A2AMTLSServer(cert=cert, key=key, ca=ca, host=host, port=port)
+        self._executor = executor or _default_local_hermes_executor
+        self._card_factory = card_factory or (lambda: _default_agent_card(self.host, self.port))
+        self._tasks: Dict[str, Dict[str, Any]] = {}
+        self._lock = threading.Lock()
+        self._server.add_route("/.well-known/agent-card.json", self._handle_agent_card)
+        self._server.add_route("/agent-card.json", self._handle_agent_card)
+        self._server.add_route("/a2a/rpc", self._handle_rpc)
+
+    def __enter__(self) -> "A2ATaskServer":
+        self.start()
+        return self
+
+    def __exit__(self, *_: Any) -> None:
+        self.stop()
+
+    def start(self) -> None:
+        self._server.start()
+
+    def stop(self) -> None:
+        self._server.stop()
+
+    def _handle_agent_card(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        return self._card_factory()
+
+    def _handle_rpc(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        req_id = payload.get("id")
+        if payload.get("jsonrpc") != "2.0":
+            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32600, "message": "invalid jsonrpc version"}}
+
+        method = payload.get("method")
+        params = payload.get("params") or {}
+        try:
+            if method == "tasks/send":
+                result = self._rpc_send_task(params, peer_cn=peer_cn)
+            elif method == "tasks/get":
+                result = self._rpc_get_task(params)
+            else:
+                return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32601, "message": f"unknown method: {method}"}}
+        except Exception as exc:
+            logger.exception("A2A task RPC failed: %s", exc)
+            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32000, "message": str(exc)}}
+        return {"jsonrpc": "2.0", "id": req_id, "result": result}
+
+    def _rpc_send_task(self, params: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        task_text = str(params.get("task", "")).strip()
+        if not task_text:
+            raise ValueError("task is required")
+        task_id = params.get("taskId") or uuid.uuid4().hex
+        requester = params.get("requester") or peer_cn
+        metadata = dict(params.get("metadata") or {})
+        if peer_cn:
+            metadata.setdefault("peer_cn", peer_cn)
+        record = _build_task_record(task_id, task_text, requester, metadata)
+        with self._lock:
+            self._tasks[task_id] = record
+        worker = threading.Thread(target=self._run_task, args=(task_id,), daemon=True, name=f"a2a-task-{task_id[:8]}")
+        worker.start()
+        return self._copy_task(task_id)
+
+    def _rpc_get_task(self, params: Dict[str, Any]) -> Dict[str, Any]:
+        task_id = str(params.get("taskId", "")).strip()
+        if not task_id:
+            raise ValueError("taskId is required")
+        return self._copy_task(task_id)
+
+    def _copy_task(self, task_id: str) -> Dict[str, Any]:
+        with self._lock:
+            if task_id not in self._tasks:
+                raise KeyError(f"unknown taskId: {task_id}")
+            return json.loads(json.dumps(self._tasks[task_id]))
+
+    def _run_task(self, task_id: str) -> None:
+        with self._lock:
+            task = self._tasks[task_id]
+            task["status"] = _task_status("working", "Task is running")
+            task_payload = {
+                "taskId": task["taskId"],
+                "task": task["task"],
+                "requester": task.get("requester"),
+                "metadata": dict(task.get("metadata") or {}),
+            }
+        try:
+            result = self._executor(task_payload)
+            artifact = _coerce_artifact(result)
+            with self._lock:
+                task = self._tasks[task_id]
+                task["artifacts"] = [artifact]
+                task["status"] = _task_status("completed", "Task completed")
+        except Exception as exc:
+            with self._lock:
+                task = self._tasks[task_id]
+                task["status"] = _task_status("failed", f"Task failed: {exc}")
+
+
+class A2ATaskClient(A2AMTLSClient):
+    """Client helper for A2A JSON-RPC task send/get flows."""
+
+    def discover_card(self, base_url: str) -> Dict[str, Any]:
+        return self.get(f"{base_url.rstrip('/')}/.well-known/agent-card.json")
+
+    def _rpc_call(self, base_url: str, method: str, params: Dict[str, Any]) -> Dict[str, Any]:
+        payload = {
+            "jsonrpc": "2.0",
+            "id": uuid.uuid4().hex,
+            "method": method,
+            "params": params,
+        }
+        response = self.post(f"{base_url.rstrip('/')}/a2a/rpc", json=payload)
+        if "error" in response:
+            error = response["error"]
+            raise RuntimeError(error.get("message") or str(error))
+        return response.get("result", {})
+
+    def send_task(
+        self,
+        base_url: str,
+        *,
+        task: str,
+        requester: str | None = None,
+        metadata: Optional[Dict[str, Any]] = None,
+    ) -> Dict[str, Any]:
+        return self._rpc_call(
+            base_url,
+            "tasks/send",
+            {
+                "task": task,
+                "requester": requester,
+                "metadata": metadata or {},
+            },
+        )
+
+    def get_task(self, base_url: str, task_id: str) -> Dict[str, Any]:
+        return self._rpc_call(base_url, "tasks/get", {"taskId": task_id})
+
+    def wait_for_task(
+        self,
+        base_url: str,
+        task_id: str,
+        *,
+        timeout: float = 30.0,
+        poll_interval: float = 0.5,
+    ) -> Dict[str, Any]:
+        deadline = time.monotonic() + timeout
+        while True:
+            task = self.get_task(base_url, task_id)
+            state = str(((task.get("status") or {}).get("state") or "")).lower()
+            if state in _TERMINAL_TASK_STATES:
+                return task
+            if time.monotonic() >= deadline:
+                raise TimeoutError(f"Timed out waiting for task {task_id}")
+            time.sleep(poll_interval)

hermes_cli/a2a_cmd.py

@@ -0,0 +1,132 @@
+"""CLI helpers for A2A task delegation."""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import sys
+import time
+from pathlib import Path
+from typing import Any
+
+from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
+from hermes_cli.config import get_hermes_home
+
+
+def _registry_path() -> Path:
+    return get_hermes_home() / "a2a_agents.json"
+
+
+def _default_identity_paths() -> tuple[str, str, str]:
+    hermes_home = get_hermes_home()
+    agent_name = os.environ.get("HERMES_AGENT_NAME", "hermes").lower()
+    cert = os.environ.get(
+        "HERMES_A2A_CERT",
+        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.crt"),
+    )
+    key = os.environ.get(
+        "HERMES_A2A_KEY",
+        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.key"),
+    )
+    ca = os.environ.get(
+        "HERMES_A2A_CA",
+        str(hermes_home / "pki" / "ca" / "fleet-ca.crt"),
+    )
+    return cert, key, ca
+
+
+def load_agent_registry(path: Path | None = None) -> dict[str, Any]:
+    registry_path = path or _registry_path()
+    if not registry_path.exists():
+        return {}
+    return json.loads(registry_path.read_text(encoding="utf-8"))
+
+
+def resolve_agent_url(agent: str, *, registry_path: Path | None = None) -> str:
+    key = re.sub(r"[^A-Za-z0-9]+", "_", agent).upper()
+    env_value = os.getenv(f"HERMES_A2A_{key}_URL")
+    if env_value:
+        return env_value
+
+    registry = load_agent_registry(registry_path)
+    entry = registry.get(agent)
+    if isinstance(entry, str) and entry:
+        return entry
+    if isinstance(entry, dict):
+        url = entry.get("url") or entry.get("base_url") or entry.get("card_url")
+        if url:
+            return str(url)
+    if agent.startswith("https://") or agent.startswith("http://"):
+        return agent
+    raise SystemExit(f"Unknown A2A agent '{agent}'. Set HERMES_A2A_{key}_URL or add it to {_registry_path()}.")
+
+
+def _print(data: dict[str, Any]) -> None:
+    print(json.dumps(data, indent=2, ensure_ascii=False))
+
+
+def cmd_send(args) -> None:
+    base_url = args.url or resolve_agent_url(args.agent)
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    client = A2ATaskClient(cert=cert, key=key, ca=ca)
+    card = client.discover_card(base_url)
+    task = client.send_task(
+        base_url,
+        task=args.task,
+        requester=args.requester,
+        metadata={"agent": args.agent},
+    )
+    if args.wait:
+        task = client.wait_for_task(
+            base_url,
+            task["taskId"],
+            timeout=args.timeout,
+            poll_interval=args.poll_interval,
+        )
+    _print({
+        "agent": args.agent,
+        "url": base_url,
+        "card": card,
+        "task": task,
+    })
+
+
+def cmd_status(args) -> None:
+    base_url = args.url or resolve_agent_url(args.agent)
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    client = A2ATaskClient(cert=cert, key=key, ca=ca)
+    task = client.get_task(base_url, args.task_id)
+    _print({"agent": args.agent, "url": base_url, "task": task})
+
+
+def cmd_serve(args) -> None:
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    server = A2ATaskServer(cert=cert, key=key, ca=ca, host=args.host, port=args.port)
+    server.start()
+    print(f"A2A task server listening on https://{args.host}:{args.port}")
+    try:
+        while True:
+            time.sleep(1)
+    except KeyboardInterrupt:
+        server.stop()
+
+
+def cmd_a2a(args) -> None:
+    command = getattr(args, "a2a_command", None) or "send"
+    if command == "send":
+        cmd_send(args)
+        return
+    if command == "status":
+        cmd_status(args)
+        return
+    if command == "serve":
+        cmd_serve(args)
+        return
+    raise SystemExit(f"Unknown a2a command: {command}")

hermes_cli/main.py

@@ -173,6 +173,13 @@ from hermes_constants import OPENROUTER_BASE_URL
 logger = logging.getLogger(__name__)
 
 
+def cmd_a2a(args):
+    """Dispatch A2A CLI subcommands lazily to avoid heavy imports at startup."""
+    from hermes_cli.a2a_cmd import cmd_a2a as _cmd_a2a
+
+    return _cmd_a2a(args)
+
+
 def _relative_time(ts) -> str:
     """Format a timestamp as relative time (e.g., '2h ago', 'yesterday')."""
     if not ts:
@@ -4781,6 +4788,45 @@ For more help on a command:
 
     gateway_parser.set_defaults(func=cmd_gateway)
     
+    # =========================================================================
+    # a2a command
+    # =========================================================================
+    a2a_parser = subparsers.add_parser(
+        "a2a",
+        help="A2A task delegation over mutual TLS",
+        description="Send, inspect, and serve structured A2A tasks between Hermes agents",
+    )
+    a2a_subparsers = a2a_parser.add_subparsers(dest="a2a_command")
+
+    a2a_send = a2a_subparsers.add_parser("send", help="Send an A2A task to another agent")
+    a2a_send.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
+    a2a_send.add_argument("--task", required=True, help="Task text to delegate")
+    a2a_send.add_argument("--url", help="Explicit base URL for the remote agent")
+    a2a_send.add_argument("--requester", default=None, help="Requester label included in task metadata")
+    a2a_send.add_argument("--wait", action="store_true", help="Poll until the task reaches a terminal state")
+    a2a_send.add_argument("--timeout", type=float, default=30.0, help="Wait timeout in seconds (default: 30)")
+    a2a_send.add_argument("--poll-interval", type=float, default=0.5, help="Polling interval in seconds while waiting (default: 0.5)")
+    a2a_send.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_send.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
+    a2a_send.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_status = a2a_subparsers.add_parser("status", help="Fetch the current status of an A2A task")
+    a2a_status.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
+    a2a_status.add_argument("--task-id", required=True, help="Task identifier returned by a2a send")
+    a2a_status.add_argument("--url", help="Explicit base URL for the remote agent")
+    a2a_status.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_status.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
+    a2a_status.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_serve = a2a_subparsers.add_parser("serve", help="Run the local A2A task server")
+    a2a_serve.add_argument("--host", default=os.environ.get("HERMES_A2A_HOST", "127.0.0.1"), help="Bind host (default: HERMES_A2A_HOST or 127.0.0.1)")
+    a2a_serve.add_argument("--port", type=int, default=int(os.environ.get("HERMES_A2A_PORT", "9443")), help="Bind port (default: HERMES_A2A_PORT or 9443)")
+    a2a_serve.add_argument("--cert", default=None, help="Server certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_serve.add_argument("--key", default=None, help="Server private key path (defaults from HERMES_A2A_KEY)")
+    a2a_serve.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_parser.set_defaults(func=cmd_a2a)
+    
     # =========================================================================
     # setup command
     # =========================================================================

optional-skills/dogfood/adversarial-ux-test/SKILL.md

@@ -1,190 +0,0 @@
----
-name: adversarial-ux-test
-description: Roleplay the most difficult, tech-resistant user for your product. Browse the app as that persona, find every UX pain point, then filter complaints through a pragmatism layer to separate real problems from noise. Creates actionable tickets from genuine issues only.
-version: 1.0.0
-author: Omni @ Comelse
-license: MIT
-metadata:
-  hermes:
-    tags: [qa, ux, testing, adversarial, dogfood, personas, user-testing]
-    related_skills: [dogfood]
----
-
-# Adversarial UX Test
-
-Roleplay the worst-case user for your product — the person who hates technology, doesn't want your software, and will find every reason to complain. Then filter their feedback through a pragmatism layer to separate real UX problems from "I hate computers" noise.
-
-Think of it as an automated "mom test" — but angry.
-
-## Why This Works
-
-Most QA finds bugs. This finds **friction**. A technically correct app can still be unusable for real humans. The adversarial persona catches:
-- Confusing terminology that makes sense to developers but not users
-- Too many steps to accomplish basic tasks
-- Missing onboarding or "aha moments"
-- Accessibility issues (font size, contrast, click targets)
-- Cold-start problems (empty states, no demo content)
-- Paywall/signup friction that kills conversion
-
-The **pragmatism filter** (Phase 3) is what makes this useful instead of just entertaining. Without it, you'd add a "print this page" button to every screen because Grandpa can't figure out PDFs.
-
-## How to Use
-
-Tell the agent:
-```
-"Run an adversarial UX test on [URL]"
-"Be a grumpy [persona type] and test [app name]"
-"Do an asshole user test on my staging site"
-```
-
-You can provide a persona or let the agent generate one based on your product's target audience.
-
-## Step 1: Define the Persona
-
-If no persona is provided, generate one by answering:
-
-1. **Who is the HARDEST user for this product?** (age 50+, non-technical role, decades of experience doing it "the old way")
-2. **What is their tech comfort level?** (the lower the better — WhatsApp-only, paper notebooks, wife set up their email)
-3. **What is the ONE thing they need to accomplish?** (their core job, not your feature list)
-4. **What would make them give up?** (too many clicks, jargon, slow, confusing)
-5. **How do they talk when frustrated?** (blunt, sweary, dismissive, sighing)
-
-### Good Persona Example
-> **"Big Mick" McAllister** — 58-year-old S&C coach. Uses WhatsApp and that's it. His "spreadsheet" is a paper notebook. "If I can't figure it out in 10 seconds I'm going back to my notebook." Needs to log session results for 25 players. Hates small text, jargon, and passwords.
-
-### Bad Persona Example
-> "A user who doesn't like the app" — too vague, no constraints, no voice.
-
-The persona must be **specific enough to stay in character** for 20 minutes of testing.
-
-## Step 2: Become the Asshole (Browse as the Persona)
-
-1. Read any available project docs for app context and URLs
-2. **Fully inhabit the persona** — their frustrations, limitations, goals
-3. Navigate to the app using browser tools
-4. **Attempt the persona's ACTUAL TASKS** (not a feature tour):
-   - Can they do what they came to do?
-   - How many clicks/screens to accomplish it?
-   - What confuses them?
-   - What makes them angry?
-   - Where do they get lost?
-   - What would make them give up and go back to their old way?
-
-5. Test these friction categories:
-   - **First impression** — would they even bother past the landing page?
-   - **Core workflow** — the ONE thing they need to do most often
-   - **Error recovery** — what happens when they do something wrong?
-   - **Readability** — text size, contrast, information density
-   - **Speed** — does it feel faster than their current method?
-   - **Terminology** — any jargon they wouldn't understand?
-   - **Navigation** — can they find their way back? do they know where they are?
-
-6. Take screenshots of every pain point
-7. Check browser console for JS errors on every page
-
-## Step 3: The Rant (Write Feedback in Character)
-
-Write the feedback AS THE PERSONA — in their voice, with their frustrations. This is not a bug report. This is a real human venting.
-
-```
-[PERSONA NAME]'s Review of [PRODUCT]
-
-Overall: [Would they keep using it? Yes/No/Maybe with conditions]
-
-THE GOOD (grudging admission):
-- [things even they have to admit work]
-
-THE BAD (legitimate UX issues):
-- [real problems that would stop them from using the product]
-
-THE UGLY (showstoppers):
-- [things that would make them uninstall/cancel immediately]
-
-SPECIFIC COMPLAINTS:
-1. [Page/feature]: "[quote in persona voice]" — [what happened, expected]
-2. ...
-
-VERDICT: "[one-line persona quote summarizing their experience]"
-```
-
-## Step 4: The Pragmatism Filter (Critical — Do Not Skip)
-
-Step OUT of the persona. Evaluate each complaint as a product person:
-
-- **RED: REAL UX BUG** — Any user would have this problem, not just grumpy ones. Fix it.
-- **YELLOW: VALID BUT LOW PRIORITY** — Real issue but only for extreme users. Note it.
-- **WHITE: PERSONA NOISE** — "I hate computers" talking, not a product problem. Skip it.
-- **GREEN: FEATURE REQUEST** — Good idea hidden in the complaint. Consider it.
-
-### Filter Criteria
-1. Would a 35-year-old competent-but-busy user have the same complaint? → RED
-2. Is this a genuine accessibility issue (font size, contrast, click targets)? → RED
-3. Is this "I want it to work like paper" resistance to digital? → WHITE
-4. Is this a real workflow inefficiency the persona stumbled on? → YELLOW or RED
-5. Would fixing this add complexity for the 80% who are fine? → WHITE
-6. Does the complaint reveal a missing onboarding moment? → GREEN
-
-**This filter is MANDATORY.** Never ship raw persona complaints as tickets.
-
-## Step 5: Create Tickets
-
-For **RED** and **GREEN** items only:
-- Clear, actionable title
-- Include the persona's verbatim quote (entertaining + memorable)
-- The real UX issue underneath (objective)
-- A suggested fix (actionable)
-- Tag/label: "ux-review"
-
-For **YELLOW** items: one catch-all ticket with all notes.
-
-**WHITE** items appear in the report only. No tickets.
-
-**Max 10 tickets per session** — focus on the worst issues.
-
-## Step 6: Report
-
-Deliver:
-1. The persona rant (Step 3) — entertaining and visceral
-2. The filtered assessment (Step 4) — pragmatic and actionable
-3. Tickets created (Step 5) — with links
-4. Screenshots of key issues
-
-## Tips
-
-- **One persona per session.** Don't mix perspectives.
-- **Stay in character during Steps 2-3.** Break character only at Step 4.
-- **Test the CORE WORKFLOW first.** Don't get distracted by settings pages.
-- **Empty states are gold.** New user experience reveals the most friction.
-- **The best findings are RED items the persona found accidentally** while trying to do something else.
-- **If the persona has zero complaints, your persona is too tech-savvy.** Make them older, less patient, more set in their ways.
-- **Run this before demos, launches, or after shipping a batch of features.**
-- **Register as a NEW user when possible.** Don't use pre-seeded admin accounts — the cold start experience is where most friction lives.
-- **Zero WHITE items is a signal, not a failure.** If the pragmatism filter finds no noise, your product has real UX problems, not just a grumpy persona.
-- **Check known issues in project docs AFTER the test.** If the persona found a bug that's already in the known issues list, that's actually the most damning finding — it means the team knew about it but never felt the user's pain.
-- **Subscription/paywall testing is critical.** Test with expired accounts, not just active ones. The "what happens when you can't pay" experience reveals whether the product respects users or holds their data hostage.
-- **Count the clicks to accomplish the persona's ONE task.** If it's more than 5, that's almost always a RED finding regardless of persona tech level.
-
-## Example Personas by Industry
-
-These are starting points — customize for your specific product:
-
-| Product Type | Persona | Age | Key Trait |
-|-------------|---------|-----|-----------|
-| CRM | Retirement home director | 68 | Filing cabinet is the current CRM |
-| Photography SaaS | Rural wedding photographer | 62 | Books clients by phone, invoices on paper |
-| AI/ML Tool | Department store buyer | 55 | Burned by 3 failed tech startups |
-| Fitness App | Old-school gym coach | 58 | Paper notebook, thick fingers, bad eyes |
-| Accounting | Family bakery owner | 64 | Shoebox of receipts, hates subscriptions |
-| E-commerce | Market stall vendor | 60 | Cash only, smartphone is for calls |
-| Healthcare | Senior GP | 63 | Dictates notes, nurse handles the computer |
-| Education | Veteran teacher | 57 | Chalk and talk, worksheets in ring binders |
-
-## Rules
-
-- Stay in character during Steps 2-3
-- Be genuinely mean but fair — find real problems, not manufactured ones
-- The pragmatism filter (Step 4) is **MANDATORY**
-- Screenshots required for every complaint
-- Max 10 tickets per session
-- Test on staging/deployed app, not local dev
-- One persona, one session, one report

tests/agent/test_a2a_mtls.py

@@ -572,3 +572,94 @@ class TestA2AMTLSServerAndClient:
 
         assert not errors, f"Concurrent connection errors: {errors}"
         assert len(results) == 3
+
+
+@_requires_crypto
+class TestA2ATaskServerAndClient:
+    """Structured A2A task send/get flow over mTLS."""
+
+    @pytest.fixture(autouse=True)
+    def _pki(self, tmp_path):
+        ca_dir = tmp_path / "ca"
+        ca_dir.mkdir()
+        self.ca_crt, self.ca_key = _make_ca_keypair(ca_dir)
+        agent_dir = tmp_path / "agents"
+        agent_dir.mkdir()
+        self.srv_crt, self.srv_key = _make_agent_keypair(
+            agent_dir, "timmy", self.ca_crt, self.ca_key
+        )
+        self.cli_crt, self.cli_key = _make_agent_keypair(
+            agent_dir, "allegro", self.ca_crt, self.ca_key
+        )
+
+    @pytest.fixture()
+    def task_server(self):
+        from agent.a2a_mtls import A2ATaskServer
+
+        gate = threading.Event()
+
+        def analyze_executor(task: dict[str, object]) -> dict[str, object]:
+            gate.wait(timeout=2)
+            text = str(task.get("task", ""))
+            return {
+                "text": f"analysis:{text}",
+                "metadata": {"tool": "local-hermes-stub"},
+            }
+
+        port = _find_free_port()
+        server = A2ATaskServer(
+            cert=self.srv_crt,
+            key=self.srv_key,
+            ca=self.ca_crt,
+            host="127.0.0.1",
+            port=port,
+            executor=analyze_executor,
+        )
+        with server:
+            time.sleep(0.1)
+            yield server, port, gate
+
+    def test_task_send_get_and_completion_flow(self, task_server):
+        from agent.a2a_mtls import A2ATaskClient
+
+        server, port, gate = task_server
+        client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
+        base_url = f"https://127.0.0.1:{port}"
+
+        card = client.discover_card(base_url)
+        assert card["name"]
+
+        submitted = client.send_task(base_url, task="Analyze README.md", requester="timmy")
+        assert submitted["status"]["state"] in {"submitted", "working"}
+
+        in_flight = client.get_task(base_url, submitted["taskId"])
+        assert in_flight["status"]["state"] in {"submitted", "working"}
+
+        gate.set()
+        completed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
+        assert completed["status"]["state"] == "completed"
+        assert completed["artifacts"][0]["text"] == "analysis:Analyze README.md"
+
+    def test_failed_executor_marks_task_failed(self):
+        from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
+
+        def failing_executor(task: dict[str, object]) -> dict[str, object]:
+            raise RuntimeError("boom")
+
+        port = _find_free_port()
+        server = A2ATaskServer(
+            cert=self.srv_crt,
+            key=self.srv_key,
+            ca=self.ca_crt,
+            host="127.0.0.1",
+            port=port,
+            executor=failing_executor,
+        )
+        with server:
+            time.sleep(0.1)
+            client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
+            base_url = f"https://127.0.0.1:{port}"
+            submitted = client.send_task(base_url, task="explode", requester="timmy")
+            failed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
+            assert failed["status"]["state"] == "failed"
+            assert "boom" in failed["status"]["message"]

tests/hermes_cli/test_a2a_cmd.py

@@ -0,0 +1,95 @@
+from __future__ import annotations
+
+import argparse
+import json
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+
+
+def test_cmd_send_uses_registry_and_waits_for_terminal_task(tmp_path, monkeypatch, capsys):
+    hermes_home = tmp_path / ".hermes"
+    hermes_home.mkdir()
+    (hermes_home / "a2a_agents.json").write_text(
+        json.dumps({"allegro": {"url": "https://127.0.0.1:9443"}}),
+        encoding="utf-8",
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    from hermes_cli.a2a_cmd import cmd_a2a
+
+    class FakeClient:
+        def __init__(self, **kwargs):
+            self.kwargs = kwargs
+
+        def discover_card(self, base_url: str):
+            assert base_url == "https://127.0.0.1:9443"
+            return {"name": "allegro", "url": base_url}
+
+        def send_task(self, base_url: str, *, task: str, requester: str | None = None, metadata=None):
+            assert task == "analyze README"
+            return {"taskId": "task-123", "status": {"state": "submitted"}}
+
+        def wait_for_task(self, base_url: str, task_id: str, *, timeout: float, poll_interval: float):
+            assert task_id == "task-123"
+            return {
+                "taskId": task_id,
+                "status": {"state": "completed"},
+                "artifacts": [{"text": "README looks healthy"}],
+            }
+
+    args = argparse.Namespace(
+        a2a_command="send",
+        agent="allegro",
+        task="analyze README",
+        url=None,
+        wait=True,
+        timeout=5.0,
+        poll_interval=0.01,
+        requester="timmy",
+        cert="cert.pem",
+        key="key.pem",
+        ca="ca.pem",
+    )
+
+    with patch("hermes_cli.a2a_cmd.A2ATaskClient", FakeClient):
+        cmd_a2a(args)
+
+    result = json.loads(capsys.readouterr().out)
+    assert result["agent"] == "allegro"
+    assert result["card"]["name"] == "allegro"
+    assert result["task"]["status"]["state"] == "completed"
+    assert result["task"]["artifacts"][0]["text"] == "README looks healthy"
+
+
+def test_resolve_agent_url_supports_env_override(monkeypatch):
+    monkeypatch.setenv("HERMES_A2A_ALLEGRO_URL", "https://fleet-allegro:9443")
+    from hermes_cli.a2a_cmd import resolve_agent_url
+
+    assert resolve_agent_url("allegro") == "https://fleet-allegro:9443"
+
+
+def test_cmd_send_requires_known_agent(tmp_path, monkeypatch):
+    hermes_home = tmp_path / ".hermes"
+    hermes_home.mkdir()
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    from hermes_cli.a2a_cmd import cmd_a2a
+
+    args = argparse.Namespace(
+        a2a_command="send",
+        agent="unknown",
+        task="do work",
+        url=None,
+        wait=False,
+        timeout=5.0,
+        poll_interval=0.05,
+        requester=None,
+        cert="cert.pem",
+        key="key.pem",
+        ca="ca.pem",
+    )
+
+    with pytest.raises(SystemExit):
+        cmd_a2a(args)

tests/test_optional_adversarial_ux_skill_catalog.py

@@ -1,25 +0,0 @@
-from pathlib import Path
-
-from tools.skills_hub import OptionalSkillSource
-
-
-REPO_ROOT = Path(__file__).resolve().parents[1]
-
-
-def test_optional_skill_source_scans_adversarial_ux_test():
-    source = OptionalSkillSource()
-    metas = {meta.identifier: meta for meta in source._scan_all()}
-
-    assert "official/dogfood/adversarial-ux-test" in metas
-    assert metas["official/dogfood/adversarial-ux-test"].name == "adversarial-ux-test"
-    assert "tech-resistant user" in metas["official/dogfood/adversarial-ux-test"].description
-
-
-def test_optional_skill_catalog_docs_list_adversarial_ux_test():
-    optional_catalog = (REPO_ROOT / "website" / "docs" / "reference" / "optional-skills-catalog.md").read_text(encoding="utf-8")
-    bundled_catalog = (REPO_ROOT / "website" / "docs" / "reference" / "skills-catalog.md").read_text(encoding="utf-8")
-
-    assert "**adversarial-ux-test**" in optional_catalog
-    assert "official/dogfood/adversarial-ux-test" in optional_catalog
-    assert "`adversarial-ux-test`" in bundled_catalog
-    assert "dogfood/adversarial-ux-test" in bundled_catalog

website/docs/reference/optional-skills-catalog.md

@@ -16,7 +16,6 @@ For example:
 
 ```bash
 hermes skills install official/blockchain/solana
-hermes skills install official/dogfood/adversarial-ux-test
 hermes skills install official/mlops/flash-attention
 ```
 
@@ -57,12 +56,6 @@ hermes skills uninstall <skill-name>
 | **blender-mcp** | Control Blender directly from Hermes via socket connection to the blender-mcp addon. Create 3D objects, materials, animations, and run arbitrary Blender Python (bpy) code. |
 | **meme-generation** | Generate real meme images by picking a template and overlaying text with Pillow. Produces actual `.png` meme files. |
 
-## Dogfood
-
-| Skill | Description |
-|-------|-------------|
-| **adversarial-ux-test** | Roleplay the most difficult, tech-resistant user for a product — browse in-persona, rant, then filter through a RED/YELLOW/WHITE/GREEN pragmatism layer so only real UX friction becomes tickets. |
-
 ## DevOps
 
 | Skill | Description |

website/docs/reference/skills-catalog.md

@@ -59,12 +59,9 @@ DevOps and infrastructure automation skills.
 
 ## dogfood
 
-Internal dogfooding and QA skills used to test Hermes Agent itself.
-
 | Skill | Description | Path |
 |-------|-------------|------|
 | `dogfood` | Systematic exploratory QA testing of web applications — find bugs, capture evidence, and generate structured reports. | `dogfood/dogfood` |
-| `adversarial-ux-test` | Roleplay the most difficult, tech-resistant user for a product — browse in-persona, rant, then filter through a RED/YELLOW/WHITE/GREEN pragmatism layer so only real UX friction becomes tickets. | `dogfood/adversarial-ux-test` |
 | `hermes-agent-setup` | Help users configure Hermes Agent — CLI usage, setup wizard, model/provider selection, tools, skills, voice/STT/TTS, gateway, and troubleshooting. | `dogfood/hermes-agent-setup` |
 
 ## email