feat: add A2A task delegation over mTLS (#804)

agent/a2a_mtls.py

@@ -29,6 +29,8 @@ import logging
 import os
 import ssl
 import threading
+import time
+import uuid
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from pathlib import Path
 from typing import Any, Callable, Dict, Optional
@@ -441,3 +443,244 @@ class A2AMTLSClient:
     def post(self, url: str, json: Optional[Dict[str, Any]] = None, **kwargs: Any) -> Dict[str, Any]:
         data = (__import__("json").dumps(json).encode() if json is not None else None)
         return self._request("POST", url, data=data, **kwargs)
+
+
+# ---------------------------------------------------------------------------
+# Structured A2A task delegation over mTLS
+# ---------------------------------------------------------------------------
+
+_TERMINAL_TASK_STATES = {"completed", "failed", "canceled", "rejected"}
+
+
+def _iso_now() -> str:
+    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
+
+
+def _task_status(state: str, message: str) -> Dict[str, Any]:
+    return {
+        "state": state,
+        "message": message,
+        "timestamp": _iso_now(),
+    }
+
+
+def _coerce_artifact(result: Any) -> Dict[str, Any]:
+    if isinstance(result, dict):
+        if "text" in result:
+            return result
+        if "artifact" in result and isinstance(result["artifact"], dict):
+            return result["artifact"]
+    return {"text": str(result)}
+
+
+def _build_task_record(task_id: str, task: str, requester: Optional[str], metadata: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
+    return {
+        "taskId": task_id,
+        "task": task,
+        "requester": requester,
+        "metadata": metadata or {},
+        "artifacts": [],
+        "status": _task_status("submitted", "Task submitted"),
+    }
+
+
+def _default_agent_card(host: str, port: int) -> Dict[str, Any]:
+    base_url = f"https://{host}:{port}"
+    try:
+        from agent.agent_card import build_agent_card
+        from dataclasses import asdict
+
+        card = asdict(build_agent_card())
+    except Exception as exc:  # pragma: no cover - fallback only exercised when card build breaks
+        logger.warning("Falling back to minimal agent card: %s", exc)
+        card = {
+            "name": os.environ.get("HERMES_AGENT_NAME", "hermes"),
+            "description": "Hermes A2A task server",
+            "version": "unknown",
+        }
+    card["url"] = base_url
+    card["a2aTaskEndpoint"] = f"{base_url}/a2a/rpc"
+    return card
+
+
+def _default_local_hermes_executor(task_payload: Dict[str, Any]) -> Dict[str, Any]:
+    task_text = str(task_payload.get("task", "")).strip()
+    if not task_text:
+        return {"text": ""}
+    from run_agent import AIAgent
+
+    agent = AIAgent(quiet_mode=True)
+    result = agent.chat(task_text)
+    return {
+        "text": result,
+        "metadata": {"executor": "local-hermes"},
+    }
+
+
+class A2ATaskServer:
+    """JSON-RPC A2A task server running over the routing mTLS server."""
+
+    def __init__(
+        self,
+        cert: str | Path,
+        key: str | Path,
+        ca: str | Path,
+        host: str = "127.0.0.1",
+        port: int = 9443,
+        executor: Optional[Callable[[Dict[str, Any]], Dict[str, Any]]] = None,
+        card_factory: Optional[Callable[[], Dict[str, Any]]] = None,
+    ) -> None:
+        self.host = host
+        self.port = port
+        self._server = A2AMTLSServer(cert=cert, key=key, ca=ca, host=host, port=port)
+        self._executor = executor or _default_local_hermes_executor
+        self._card_factory = card_factory or (lambda: _default_agent_card(self.host, self.port))
+        self._tasks: Dict[str, Dict[str, Any]] = {}
+        self._lock = threading.Lock()
+        self._server.add_route("/.well-known/agent-card.json", self._handle_agent_card)
+        self._server.add_route("/agent-card.json", self._handle_agent_card)
+        self._server.add_route("/a2a/rpc", self._handle_rpc)
+
+    def __enter__(self) -> "A2ATaskServer":
+        self.start()
+        return self
+
+    def __exit__(self, *_: Any) -> None:
+        self.stop()
+
+    def start(self) -> None:
+        self._server.start()
+
+    def stop(self) -> None:
+        self._server.stop()
+
+    def _handle_agent_card(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        return self._card_factory()
+
+    def _handle_rpc(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        req_id = payload.get("id")
+        if payload.get("jsonrpc") != "2.0":
+            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32600, "message": "invalid jsonrpc version"}}
+
+        method = payload.get("method")
+        params = payload.get("params") or {}
+        try:
+            if method == "tasks/send":
+                result = self._rpc_send_task(params, peer_cn=peer_cn)
+            elif method == "tasks/get":
+                result = self._rpc_get_task(params)
+            else:
+                return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32601, "message": f"unknown method: {method}"}}
+        except Exception as exc:
+            logger.exception("A2A task RPC failed: %s", exc)
+            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32000, "message": str(exc)}}
+        return {"jsonrpc": "2.0", "id": req_id, "result": result}
+
+    def _rpc_send_task(self, params: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        task_text = str(params.get("task", "")).strip()
+        if not task_text:
+            raise ValueError("task is required")
+        task_id = params.get("taskId") or uuid.uuid4().hex
+        requester = params.get("requester") or peer_cn
+        metadata = dict(params.get("metadata") or {})
+        if peer_cn:
+            metadata.setdefault("peer_cn", peer_cn)
+        record = _build_task_record(task_id, task_text, requester, metadata)
+        with self._lock:
+            self._tasks[task_id] = record
+        worker = threading.Thread(target=self._run_task, args=(task_id,), daemon=True, name=f"a2a-task-{task_id[:8]}")
+        worker.start()
+        return self._copy_task(task_id)
+
+    def _rpc_get_task(self, params: Dict[str, Any]) -> Dict[str, Any]:
+        task_id = str(params.get("taskId", "")).strip()
+        if not task_id:
+            raise ValueError("taskId is required")
+        return self._copy_task(task_id)
+
+    def _copy_task(self, task_id: str) -> Dict[str, Any]:
+        with self._lock:
+            if task_id not in self._tasks:
+                raise KeyError(f"unknown taskId: {task_id}")
+            return json.loads(json.dumps(self._tasks[task_id]))
+
+    def _run_task(self, task_id: str) -> None:
+        with self._lock:
+            task = self._tasks[task_id]
+            task["status"] = _task_status("working", "Task is running")
+            task_payload = {
+                "taskId": task["taskId"],
+                "task": task["task"],
+                "requester": task.get("requester"),
+                "metadata": dict(task.get("metadata") or {}),
+            }
+        try:
+            result = self._executor(task_payload)
+            artifact = _coerce_artifact(result)
+            with self._lock:
+                task = self._tasks[task_id]
+                task["artifacts"] = [artifact]
+                task["status"] = _task_status("completed", "Task completed")
+        except Exception as exc:
+            with self._lock:
+                task = self._tasks[task_id]
+                task["status"] = _task_status("failed", f"Task failed: {exc}")
+
+
+class A2ATaskClient(A2AMTLSClient):
+    """Client helper for A2A JSON-RPC task send/get flows."""
+
+    def discover_card(self, base_url: str) -> Dict[str, Any]:
+        return self.get(f"{base_url.rstrip('/')}/.well-known/agent-card.json")
+
+    def _rpc_call(self, base_url: str, method: str, params: Dict[str, Any]) -> Dict[str, Any]:
+        payload = {
+            "jsonrpc": "2.0",
+            "id": uuid.uuid4().hex,
+            "method": method,
+            "params": params,
+        }
+        response = self.post(f"{base_url.rstrip('/')}/a2a/rpc", json=payload)
+        if "error" in response:
+            error = response["error"]
+            raise RuntimeError(error.get("message") or str(error))
+        return response.get("result", {})
+
+    def send_task(
+        self,
+        base_url: str,
+        *,
+        task: str,
+        requester: str | None = None,
+        metadata: Optional[Dict[str, Any]] = None,
+    ) -> Dict[str, Any]:
+        return self._rpc_call(
+            base_url,
+            "tasks/send",
+            {
+                "task": task,
+                "requester": requester,
+                "metadata": metadata or {},
+            },
+        )
+
+    def get_task(self, base_url: str, task_id: str) -> Dict[str, Any]:
+        return self._rpc_call(base_url, "tasks/get", {"taskId": task_id})
+
+    def wait_for_task(
+        self,
+        base_url: str,
+        task_id: str,
+        *,
+        timeout: float = 30.0,
+        poll_interval: float = 0.5,
+    ) -> Dict[str, Any]:
+        deadline = time.monotonic() + timeout
+        while True:
+            task = self.get_task(base_url, task_id)
+            state = str(((task.get("status") or {}).get("state") or "")).lower()
+            if state in _TERMINAL_TASK_STATES:
+                return task
+            if time.monotonic() >= deadline:
+                raise TimeoutError(f"Timed out waiting for task {task_id}")
+            time.sleep(poll_interval)

hermes_cli/a2a_cmd.py

@@ -0,0 +1,132 @@
+"""CLI helpers for A2A task delegation."""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import sys
+import time
+from pathlib import Path
+from typing import Any
+
+from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
+from hermes_cli.config import get_hermes_home
+
+
+def _registry_path() -> Path:
+    return get_hermes_home() / "a2a_agents.json"
+
+
+def _default_identity_paths() -> tuple[str, str, str]:
+    hermes_home = get_hermes_home()
+    agent_name = os.environ.get("HERMES_AGENT_NAME", "hermes").lower()
+    cert = os.environ.get(
+        "HERMES_A2A_CERT",
+        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.crt"),
+    )
+    key = os.environ.get(
+        "HERMES_A2A_KEY",
+        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.key"),
+    )
+    ca = os.environ.get(
+        "HERMES_A2A_CA",
+        str(hermes_home / "pki" / "ca" / "fleet-ca.crt"),
+    )
+    return cert, key, ca
+
+
+def load_agent_registry(path: Path | None = None) -> dict[str, Any]:
+    registry_path = path or _registry_path()
+    if not registry_path.exists():
+        return {}
+    return json.loads(registry_path.read_text(encoding="utf-8"))
+
+
+def resolve_agent_url(agent: str, *, registry_path: Path | None = None) -> str:
+    key = re.sub(r"[^A-Za-z0-9]+", "_", agent).upper()
+    env_value = os.getenv(f"HERMES_A2A_{key}_URL")
+    if env_value:
+        return env_value
+
+    registry = load_agent_registry(registry_path)
+    entry = registry.get(agent)
+    if isinstance(entry, str) and entry:
+        return entry
+    if isinstance(entry, dict):
+        url = entry.get("url") or entry.get("base_url") or entry.get("card_url")
+        if url:
+            return str(url)
+    if agent.startswith("https://") or agent.startswith("http://"):
+        return agent
+    raise SystemExit(f"Unknown A2A agent '{agent}'. Set HERMES_A2A_{key}_URL or add it to {_registry_path()}.")
+
+
+def _print(data: dict[str, Any]) -> None:
+    print(json.dumps(data, indent=2, ensure_ascii=False))
+
+
+def cmd_send(args) -> None:
+    base_url = args.url or resolve_agent_url(args.agent)
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    client = A2ATaskClient(cert=cert, key=key, ca=ca)
+    card = client.discover_card(base_url)
+    task = client.send_task(
+        base_url,
+        task=args.task,
+        requester=args.requester,
+        metadata={"agent": args.agent},
+    )
+    if args.wait:
+        task = client.wait_for_task(
+            base_url,
+            task["taskId"],
+            timeout=args.timeout,
+            poll_interval=args.poll_interval,
+        )
+    _print({
+        "agent": args.agent,
+        "url": base_url,
+        "card": card,
+        "task": task,
+    })
+
+
+def cmd_status(args) -> None:
+    base_url = args.url or resolve_agent_url(args.agent)
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    client = A2ATaskClient(cert=cert, key=key, ca=ca)
+    task = client.get_task(base_url, args.task_id)
+    _print({"agent": args.agent, "url": base_url, "task": task})
+
+
+def cmd_serve(args) -> None:
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    server = A2ATaskServer(cert=cert, key=key, ca=ca, host=args.host, port=args.port)
+    server.start()
+    print(f"A2A task server listening on https://{args.host}:{args.port}")
+    try:
+        while True:
+            time.sleep(1)
+    except KeyboardInterrupt:
+        server.stop()
+
+
+def cmd_a2a(args) -> None:
+    command = getattr(args, "a2a_command", None) or "send"
+    if command == "send":
+        cmd_send(args)
+        return
+    if command == "status":
+        cmd_status(args)
+        return
+    if command == "serve":
+        cmd_serve(args)
+        return
+    raise SystemExit(f"Unknown a2a command: {command}")

hermes_cli/main.py

@@ -173,6 +173,13 @@ from hermes_constants import OPENROUTER_BASE_URL
 logger = logging.getLogger(__name__)
 
 
+def cmd_a2a(args):
+    """Dispatch A2A CLI subcommands lazily to avoid heavy imports at startup."""
+    from hermes_cli.a2a_cmd import cmd_a2a as _cmd_a2a
+
+    return _cmd_a2a(args)
+
+
 def _relative_time(ts) -> str:
     """Format a timestamp as relative time (e.g., '2h ago', 'yesterday')."""
     if not ts:
@@ -4781,6 +4788,45 @@ For more help on a command:
 
     gateway_parser.set_defaults(func=cmd_gateway)
     
+    # =========================================================================
+    # a2a command
+    # =========================================================================
+    a2a_parser = subparsers.add_parser(
+        "a2a",
+        help="A2A task delegation over mutual TLS",
+        description="Send, inspect, and serve structured A2A tasks between Hermes agents",
+    )
+    a2a_subparsers = a2a_parser.add_subparsers(dest="a2a_command")
+
+    a2a_send = a2a_subparsers.add_parser("send", help="Send an A2A task to another agent")
+    a2a_send.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
+    a2a_send.add_argument("--task", required=True, help="Task text to delegate")
+    a2a_send.add_argument("--url", help="Explicit base URL for the remote agent")
+    a2a_send.add_argument("--requester", default=None, help="Requester label included in task metadata")
+    a2a_send.add_argument("--wait", action="store_true", help="Poll until the task reaches a terminal state")
+    a2a_send.add_argument("--timeout", type=float, default=30.0, help="Wait timeout in seconds (default: 30)")
+    a2a_send.add_argument("--poll-interval", type=float, default=0.5, help="Polling interval in seconds while waiting (default: 0.5)")
+    a2a_send.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_send.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
+    a2a_send.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_status = a2a_subparsers.add_parser("status", help="Fetch the current status of an A2A task")
+    a2a_status.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
+    a2a_status.add_argument("--task-id", required=True, help="Task identifier returned by a2a send")
+    a2a_status.add_argument("--url", help="Explicit base URL for the remote agent")
+    a2a_status.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_status.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
+    a2a_status.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_serve = a2a_subparsers.add_parser("serve", help="Run the local A2A task server")
+    a2a_serve.add_argument("--host", default=os.environ.get("HERMES_A2A_HOST", "127.0.0.1"), help="Bind host (default: HERMES_A2A_HOST or 127.0.0.1)")
+    a2a_serve.add_argument("--port", type=int, default=int(os.environ.get("HERMES_A2A_PORT", "9443")), help="Bind port (default: HERMES_A2A_PORT or 9443)")
+    a2a_serve.add_argument("--cert", default=None, help="Server certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_serve.add_argument("--key", default=None, help="Server private key path (defaults from HERMES_A2A_KEY)")
+    a2a_serve.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_parser.set_defaults(func=cmd_a2a)
+    
     # =========================================================================
     # setup command
     # =========================================================================

tests/agent/test_a2a_mtls.py

@@ -572,3 +572,94 @@ class TestA2AMTLSServerAndClient:
 
         assert not errors, f"Concurrent connection errors: {errors}"
         assert len(results) == 3
+
+
+@_requires_crypto
+class TestA2ATaskServerAndClient:
+    """Structured A2A task send/get flow over mTLS."""
+
+    @pytest.fixture(autouse=True)
+    def _pki(self, tmp_path):
+        ca_dir = tmp_path / "ca"
+        ca_dir.mkdir()
+        self.ca_crt, self.ca_key = _make_ca_keypair(ca_dir)
+        agent_dir = tmp_path / "agents"
+        agent_dir.mkdir()
+        self.srv_crt, self.srv_key = _make_agent_keypair(
+            agent_dir, "timmy", self.ca_crt, self.ca_key
+        )
+        self.cli_crt, self.cli_key = _make_agent_keypair(
+            agent_dir, "allegro", self.ca_crt, self.ca_key
+        )
+
+    @pytest.fixture()
+    def task_server(self):
+        from agent.a2a_mtls import A2ATaskServer
+
+        gate = threading.Event()
+
+        def analyze_executor(task: dict[str, object]) -> dict[str, object]:
+            gate.wait(timeout=2)
+            text = str(task.get("task", ""))
+            return {
+                "text": f"analysis:{text}",
+                "metadata": {"tool": "local-hermes-stub"},
+            }
+
+        port = _find_free_port()
+        server = A2ATaskServer(
+            cert=self.srv_crt,
+            key=self.srv_key,
+            ca=self.ca_crt,
+            host="127.0.0.1",
+            port=port,
+            executor=analyze_executor,
+        )
+        with server:
+            time.sleep(0.1)
+            yield server, port, gate
+
+    def test_task_send_get_and_completion_flow(self, task_server):
+        from agent.a2a_mtls import A2ATaskClient
+
+        server, port, gate = task_server
+        client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
+        base_url = f"https://127.0.0.1:{port}"
+
+        card = client.discover_card(base_url)
+        assert card["name"]
+
+        submitted = client.send_task(base_url, task="Analyze README.md", requester="timmy")
+        assert submitted["status"]["state"] in {"submitted", "working"}
+
+        in_flight = client.get_task(base_url, submitted["taskId"])
+        assert in_flight["status"]["state"] in {"submitted", "working"}
+
+        gate.set()
+        completed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
+        assert completed["status"]["state"] == "completed"
+        assert completed["artifacts"][0]["text"] == "analysis:Analyze README.md"
+
+    def test_failed_executor_marks_task_failed(self):
+        from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
+
+        def failing_executor(task: dict[str, object]) -> dict[str, object]:
+            raise RuntimeError("boom")
+
+        port = _find_free_port()
+        server = A2ATaskServer(
+            cert=self.srv_crt,
+            key=self.srv_key,
+            ca=self.ca_crt,
+            host="127.0.0.1",
+            port=port,
+            executor=failing_executor,
+        )
+        with server:
+            time.sleep(0.1)
+            client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
+            base_url = f"https://127.0.0.1:{port}"
+            submitted = client.send_task(base_url, task="explode", requester="timmy")
+            failed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
+            assert failed["status"]["state"] == "failed"
+            assert "boom" in failed["status"]["message"]

tests/hermes_cli/test_a2a_cmd.py

@@ -0,0 +1,95 @@
+from __future__ import annotations
+
+import argparse
+import json
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+
+
+def test_cmd_send_uses_registry_and_waits_for_terminal_task(tmp_path, monkeypatch, capsys):
+    hermes_home = tmp_path / ".hermes"
+    hermes_home.mkdir()
+    (hermes_home / "a2a_agents.json").write_text(
+        json.dumps({"allegro": {"url": "https://127.0.0.1:9443"}}),
+        encoding="utf-8",
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    from hermes_cli.a2a_cmd import cmd_a2a
+
+    class FakeClient:
+        def __init__(self, **kwargs):
+            self.kwargs = kwargs
+
+        def discover_card(self, base_url: str):
+            assert base_url == "https://127.0.0.1:9443"
+            return {"name": "allegro", "url": base_url}
+
+        def send_task(self, base_url: str, *, task: str, requester: str | None = None, metadata=None):
+            assert task == "analyze README"
+            return {"taskId": "task-123", "status": {"state": "submitted"}}
+
+        def wait_for_task(self, base_url: str, task_id: str, *, timeout: float, poll_interval: float):
+            assert task_id == "task-123"
+            return {
+                "taskId": task_id,
+                "status": {"state": "completed"},
+                "artifacts": [{"text": "README looks healthy"}],
+            }
+
+    args = argparse.Namespace(
+        a2a_command="send",
+        agent="allegro",
+        task="analyze README",
+        url=None,
+        wait=True,
+        timeout=5.0,
+        poll_interval=0.01,
+        requester="timmy",
+        cert="cert.pem",
+        key="key.pem",
+        ca="ca.pem",
+    )
+
+    with patch("hermes_cli.a2a_cmd.A2ATaskClient", FakeClient):
+        cmd_a2a(args)
+
+    result = json.loads(capsys.readouterr().out)
+    assert result["agent"] == "allegro"
+    assert result["card"]["name"] == "allegro"
+    assert result["task"]["status"]["state"] == "completed"
+    assert result["task"]["artifacts"][0]["text"] == "README looks healthy"
+
+
+def test_resolve_agent_url_supports_env_override(monkeypatch):
+    monkeypatch.setenv("HERMES_A2A_ALLEGRO_URL", "https://fleet-allegro:9443")
+    from hermes_cli.a2a_cmd import resolve_agent_url
+
+    assert resolve_agent_url("allegro") == "https://fleet-allegro:9443"
+
+
+def test_cmd_send_requires_known_agent(tmp_path, monkeypatch):
+    hermes_home = tmp_path / ".hermes"
+    hermes_home.mkdir()
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    from hermes_cli.a2a_cmd import cmd_a2a
+
+    args = argparse.Namespace(
+        a2a_command="send",
+        agent="unknown",
+        task="do work",
+        url=None,
+        wait=False,
+        timeout=5.0,
+        poll_interval=0.05,
+        requester=None,
+        cert="cert.pem",
+        key="key.pem",
+        ca="ca.pem",
+    )
+
+    with pytest.raises(SystemExit):
+        cmd_a2a(args)

tests/tools/test_fuzzy_match.py

@@ -148,184 +148,3 @@ class TestStrategyNameSurfaced:
         assert count == 0
         assert strategy is None
         assert err is not None
-
-
-class TestEscapeDriftGuard:
-    """Tests for the escape-drift guard that catches bash/JSON serialization
-    artifacts where an apostrophe gets prefixed with a spurious backslash
-    in tool-call transport.
-    """
-
-    def test_drift_blocked_apostrophe(self):
-        """File has ', old_string and new_string both have \\' — classic
-        tool-call drift. Guard must block with a helpful error instead of
-        writing \\' literals into source code."""
-        content = "x = \"hello there\"\n"
-        # Simulate transport-corrupted old_string and new_string where an
-        # apostrophe-like context got prefixed with a backslash. The content
-        # itself has no apostrophe, but both strings do — matching via
-        # whitespace/anchor strategies would otherwise succeed.
-        old_string = "x = \"hello there\" # don\\'t edit\n"
-        new_string = "x = \"hi there\" # don\\'t edit\n"
-        # This particular pair won't match anything, so it exits via
-        # no-match path. Build a case where a non-exact strategy DOES match.
-        content = "line\n    x = 1\nline"
-        old_string = "line\n  x = \\'a\\'\nline"
-        new_string = "line\n  x = \\'b\\'\nline"
-        new, count, strategy, err = fuzzy_find_and_replace(content, old_string, new_string)
-        assert count == 0
-        assert err is not None and "Escape-drift" in err
-        assert "backslash" in err.lower()
-        assert new == content  # file untouched
-
-    def test_drift_blocked_double_quote(self):
-        """Same idea but with \\" drift instead of \\'."""
-        content = 'line\n    x = 1\nline'
-        old_string = 'line\n  x = \\"a\\"\nline'
-        new_string = 'line\n  x = \\"b\\"\nline'
-        new, count, strategy, err = fuzzy_find_and_replace(content, old_string, new_string)
-        assert count == 0
-        assert err is not None and "Escape-drift" in err
-
-    def test_drift_allowed_when_file_genuinely_has_backslash_escapes(self):
-        """If the file already contains \\' (e.g. inside an existing escaped
-        string), the model is legitimately preserving it. Guard must NOT
-        fire."""
-        content = "line\n  x = \\'a\\'\nline"
-        old_string = "line\n  x = \\'a\\'\nline"
-        new_string = "line\n  x = \\'b\\'\nline"
-        new, count, strategy, err = fuzzy_find_and_replace(content, old_string, new_string)
-        assert err is None
-        assert count == 1
-        assert "\\'b\\'" in new
-
-    def test_drift_allowed_on_exact_match(self):
-        """Exact matches bypass the drift guard entirely — if the file
-        really contains the exact bytes old_string specified, it's not
-        drift."""
-        content = "hello \\'world\\'"
-        new, count, strategy, err = fuzzy_find_and_replace(
-            content, "hello \\'world\\'", "hello \\'there\\'"
-        )
-        assert err is None
-        assert count == 1
-        assert strategy == "exact"
-
-    def test_drift_allowed_when_adding_escaped_strings(self):
-        """Model is adding new content with \\' that wasn't in the original.
-        old_string has no \\', so guard doesn't fire."""
-        content = "line1\nline2\nline3"
-        old_string = "line1\nline2\nline3"
-        new_string = "line1\nprint(\\'added\\')\nline2\nline3"
-        new, count, strategy, err = fuzzy_find_and_replace(content, old_string, new_string)
-        assert err is None
-        assert count == 1
-        assert "\\'added\\'" in new
-
-    def test_no_drift_check_when_new_string_lacks_suspect_chars(self):
-        """Fast-path: if new_string has no \\' or \\", guard must not
-        fire even on fuzzy match."""
-        content = "def foo():\n    pass"  # extra space ignored by line_trimmed
-        old_string = "def foo():\n  pass"
-        new_string = "def bar():\n  return 1"
-        new, count, strategy, err = fuzzy_find_and_replace(content, old_string, new_string)
-        assert err is None
-        assert count == 1
-
-
-class TestFindClosestLines:
-    def setup_method(self):
-        from tools.fuzzy_match import find_closest_lines
-        self.find_closest_lines = find_closest_lines
-
-    def test_finds_similar_line(self):
-        content = "def foo():\n    pass\ndef bar():\n    return 1\n"
-        result = self.find_closest_lines("def baz():", content)
-        assert "def foo" in result or "def bar" in result
-
-    def test_returns_empty_for_no_match(self):
-        content = "completely different content here"
-        result = self.find_closest_lines("xyzzy_no_match_possible_!!!", content)
-        assert result == ""
-
-    def test_returns_empty_for_empty_inputs(self):
-        assert self.find_closest_lines("", "some content") == ""
-        assert self.find_closest_lines("old string", "") == ""
-
-    def test_includes_context_lines(self):
-        content = "line1\nline2\ndef target():\n    pass\nline5\n"
-        result = self.find_closest_lines("def target():", content)
-        assert "target" in result
-
-    def test_includes_line_numbers(self):
-        content = "line1\nline2\ndef foo():\n    pass\n"
-        result = self.find_closest_lines("def foo():", content)
-        # Should include line numbers in format "N| content"
-        assert "|" in result
-
-
-class TestFormatNoMatchHint:
-    """Gating tests for format_no_match_hint — the shared helper that decides
-    whether a 'Did you mean?' snippet should be appended to an error.
-    """
-
-    def setup_method(self):
-        from tools.fuzzy_match import format_no_match_hint
-        self.fmt = format_no_match_hint
-
-    def test_fires_on_could_not_find_with_match(self):
-        """Classic no-match: similar content exists → hint fires."""
-        content = "def foo():\n    pass\ndef bar():\n    pass\n"
-        result = self.fmt(
-            "Could not find a match for old_string in the file",
-            0, "def baz():", content,
-        )
-        assert "Did you mean" in result
-        assert "foo" in result or "bar" in result
-
-    def test_silent_on_ambiguous_match_error(self):
-        """'Found N matches' is not a missing-match failure — no hint."""
-        content = "aaa bbb aaa\n"
-        result = self.fmt(
-            "Found 2 matches for old_string. Provide more context to make it unique, or use replace_all=True.",
-            0, "aaa", content,
-        )
-        assert result == ""
-
-    def test_silent_on_escape_drift_error(self):
-        """Escape-drift errors are intentional blocks — hint would mislead."""
-        content = "x = 1\n"
-        result = self.fmt(
-            "Escape-drift detected: old_string and new_string contain the literal sequence '\\\\''...",
-            0, "x = \\'1\\'", content,
-        )
-        assert result == ""
-
-    def test_silent_on_identical_strings(self):
-        """old_string == new_string — hint irrelevant."""
-        result = self.fmt(
-            "old_string and new_string are identical",
-            0, "foo", "foo bar\n",
-        )
-        assert result == ""
-
-    def test_silent_when_match_count_nonzero(self):
-        """If match succeeded, we shouldn't be in the error path — defense in depth."""
-        result = self.fmt(
-            "Could not find a match for old_string in the file",
-            1, "foo", "foo bar\n",
-        )
-        assert result == ""
-
-    def test_silent_on_none_error(self):
-        """No error at all — no hint."""
-        result = self.fmt(None, 0, "foo", "bar\n")
-        assert result == ""
-
-    def test_silent_when_no_similar_content(self):
-        """Even for a valid no-match error, skip hint when nothing similar exists."""
-        result = self.fmt(
-            "Could not find a match for old_string in the file",
-            0, "totally_unique_xyzzy_qux", "abc\nxyz\n",
-        )
-        assert result == ""

tests/tools/test_patch_did_you_mean.py

@@ -1,114 +0,0 @@
-import json
-import os
-import textwrap
-from pathlib import Path
-
-import tools.skill_manager_tool as skill_manager_tool
-from tools.file_tools import patch_tool
-from tools.skill_manager_tool import _create_skill, _patch_skill
-
-
-def _disable_patch_tool_guards(monkeypatch):
-    monkeypatch.setattr("tools.file_tools._check_sensitive_path", lambda _path: None)
-    monkeypatch.setattr("tools.file_tools._check_file_staleness", lambda _path, _task_id: None)
-    monkeypatch.setattr("tools.file_tools._log_and_check_conflict", lambda _path, _task_id, _action: None)
-
-
-def test_patch_tool_replace_no_match_shows_rich_hint_without_legacy_hint(tmp_path, monkeypatch):
-    _disable_patch_tool_guards(monkeypatch)
-    sample = tmp_path / "sample.py"
-    sample.write_text("def foo():\n    return 1\n\ndef bar():\n    return 2\n", encoding="utf-8")
-
-    raw = patch_tool(
-        mode="replace",
-        path=str(sample),
-        old_string="def barycentric():",
-        new_string="def barycentric_new():",
-        task_id="qa960-replace-rich-hint",
-    )
-
-    result = json.loads(raw)
-    assert result["success"] is False
-    assert "Could not find a match" in result["error"]
-    assert "Did you mean one of these sections?" in result["error"]
-    assert "def bar():" in result["error"] or "def foo():" in result["error"]
-    assert "[Hint:" not in raw
-
-
-def test_patch_tool_replace_ambiguous_error_does_not_show_did_you_mean(tmp_path, monkeypatch):
-    _disable_patch_tool_guards(monkeypatch)
-    sample = tmp_path / "sample.py"
-    sample.write_text("aaa\nbbb\naaa\n", encoding="utf-8")
-
-    raw = patch_tool(
-        mode="replace",
-        path=str(sample),
-        old_string="aaa",
-        new_string="ccc",
-        task_id="qa960-replace-ambiguous",
-    )
-
-    result = json.loads(raw)
-    assert result["success"] is False
-    assert "Found 2 matches" in result["error"]
-    assert "Did you mean one of these sections?" not in result["error"]
-    assert "[Hint:" not in raw
-
-
-def test_patch_tool_v4a_no_match_shows_rich_hint(tmp_path, monkeypatch):
-    _disable_patch_tool_guards(monkeypatch)
-    sample = tmp_path / "sample.py"
-    sample.write_text("def foo():\n    return 1\n", encoding="utf-8")
-
-    patch = textwrap.dedent(
-        f"""\
-        *** Begin Patch
-        *** Update File: {sample}
-        @@
-        -def barycentric():
-        +def barycentric_new():
-        *** End Patch
-        """
-    )
-
-    raw = patch_tool(mode="patch", patch=patch, task_id="qa960-v4a-rich-hint")
-    result = json.loads(raw)
-    assert result["success"] is False
-    assert "Patch validation failed" in result["error"]
-    assert "Did you mean one of these sections?" in result["error"]
-    assert "def foo():" in result["error"]
-
-
-def test_skill_patch_no_match_shows_rich_hint(tmp_path, monkeypatch):
-    monkeypatch.setenv("HERMES_HOME", str(tmp_path))
-    skills_dir = tmp_path / "skills"
-    skills_dir.mkdir(parents=True, exist_ok=True)
-    monkeypatch.setattr(skill_manager_tool, "SKILLS_DIR", skills_dir)
-    monkeypatch.setattr(skill_manager_tool, "_security_scan_skill", lambda _skill_dir: None)
-
-    _create_skill(
-        "qa-skill",
-        textwrap.dedent(
-            """\
-            ---
-            name: qa-skill
-            description: test
-            ---
-
-            Step 1: Do the thing.
-            Step 2: Verify the thing.
-            """
-        ),
-    )
-
-    result = _patch_skill(
-        "qa-skill",
-        "Step 1: Do the production rollout.",
-        "Step 1: Updated.",
-    )
-
-    assert result["success"] is False
-    assert "Could not find a match" in result["error"]
-    assert "Did you mean one of these sections?" in result["error"]
-    assert "Step 1: Do the thing." in result["error"]
-    assert "file_preview" in result

tools/file_operations.py

@@ -757,14 +757,12 @@ class ShellFileOperations(FileOperations):
             content, old_string, new_string, replace_all
         )
         
-        if error or match_count == 0:
-            err_msg = error or f"Could not find match for old_string in {path}"
-            try:
-                from tools.fuzzy_match import format_no_match_hint
-                err_msg += format_no_match_hint(err_msg, match_count, old_string, content)
-            except Exception:
-                pass
-            return PatchResult(error=err_msg)
+        if error:
+            return PatchResult(error=error)
+        
+        if match_count == 0:
+            return PatchResult(error=f"Could not find match for old_string in {path}")
+        
         # Write back
         write_result = self.write_file(path, new_content)
         if write_result.error:

tools/file_tools.py

@@ -8,7 +8,6 @@ import os
 import threading
 import time
 from pathlib import Path
-from typing import Any, Dict, Optional
 from tools.binary_extensions import has_binary_extension
 from tools.file_operations import ShellFileOperations
 from agent.redact import redact_sensitive_text
@@ -691,11 +690,8 @@ def patch_tool(mode: str = "replace", path: str = None, old_string: str = None,
         result_json = json.dumps(result_dict, ensure_ascii=False)
         # Hint when old_string not found — saves iterations where the agent
         # retries with stale content instead of re-reading the file.
-        # Suppressed when patch_replace already attached a rich "Did you mean?"
-        # snippet (which is strictly more useful than the generic hint).
         if result_dict.get("error") and "Could not find" in str(result_dict["error"]):
-            if "Did you mean one of these sections?" not in str(result_dict["error"]):
-                result_json += "\n\n[Hint: old_string not found. Use read_file to verify the current content, or search_files to locate the text.]"
+            result_json += "\n\n[Hint: old_string not found. Use read_file to verify the current content, or search_files to locate the text.]"
         return result_json
     except Exception as e:
         return tool_error(str(e))

tools/fuzzy_match.py

@@ -93,21 +93,6 @@ def fuzzy_find_and_replace(content: str, old_string: str, new_string: str,
                     f"Provide more context to make it unique, or use replace_all=True."
                 )
 
-            # Escape-drift guard: when the matched strategy is NOT `exact`,
-            # we matched via some form of normalization. If new_string
-            # contains shell/JSON-style escape sequences (\\' or \\") that
-            # would be written literally into the file but the matched
-            # region of the file has no such sequences, this is almost
-            # certainly tool-call serialization drift — the model typed
-            # an apostrophe/quote and the transport added a stray
-            # backslash. Writing new_string as-is would corrupt the file.
-            # Block with a helpful error so the model re-reads and retries
-            # instead of the caller silently persisting garbage (or not).
-            if strategy_name != "exact":
-                drift_err = _detect_escape_drift(content, matches, old_string, new_string)
-                if drift_err:
-                    return content, 0, None, drift_err
-
             # Perform replacement
             new_content = _apply_replacements(content, matches, new_string)
             return new_content, len(matches), strategy_name, None
@@ -116,46 +101,6 @@ def fuzzy_find_and_replace(content: str, old_string: str, new_string: str,
     return content, 0, None, "Could not find a match for old_string in the file"
 
 
-def _detect_escape_drift(content: str, matches: List[Tuple[int, int]],
-                         old_string: str, new_string: str) -> Optional[str]:
-    """Detect tool-call escape-drift artifacts in new_string.
-
-    Looks for ``\\'`` or ``\\"`` sequences that are present in both
-    old_string and new_string (i.e. the model copy-pasted them as "context"
-    it intended to preserve) but don't exist in the matched region of the
-    file. That pattern indicates the transport layer inserted spurious
-    shell-style escapes around apostrophes or quotes — writing new_string
-    verbatim would literally insert ``\\'`` into source code.
-
-    Returns an error string if drift is detected, None otherwise.
-    """
-    # Cheap pre-check: bail out unless new_string actually contains a
-    # suspect escape sequence. This keeps the guard free for all the
-    # common, correct cases.
-    if "\\'" not in new_string and '\\"' not in new_string:
-        return None
-
-    # Aggregate matched regions of the file — that's what new_string will
-    # replace. If the suspect escapes are present there already, the
-    # model is genuinely preserving them (valid for some languages /
-    # escaped strings); accept the patch.
-    matched_regions = "".join(content[start:end] for start, end in matches)
-
-    for suspect in ("\\'", '\\"'):
-        if suspect in new_string and suspect in old_string and suspect not in matched_regions:
-            plain = suspect[1]  # "'" or '"'
-            return (
-                f"Escape-drift detected: old_string and new_string contain "
-                f"the literal sequence {suspect!r} but the matched region of "
-                f"the file does not. This is almost always a tool-call "
-                f"serialization artifact where an apostrophe or quote got "
-                f"prefixed with a spurious backslash. Re-read the file with "
-                f"read_file and pass old_string/new_string without "
-                f"backslash-escaping {plain!r} characters."
-            )
-    return None
-
-
 def _apply_replacements(content: str, matches: List[Tuple[int, int]], new_string: str) -> str:
     """
     Apply replacements at the given positions.
@@ -619,86 +564,3 @@ def _map_normalized_positions(original: str, normalized: str,
         original_matches.append((orig_start, min(orig_end, len(original))))
     
     return original_matches
-
-
-def find_closest_lines(old_string: str, content: str, context_lines: int = 2, max_results: int = 3) -> str:
-    """Find lines in content most similar to old_string for "did you mean?" feedback.
-
-    Returns a formatted string showing the closest matching lines with context,
-    or empty string if no useful match is found.
-    """
-    if not old_string or not content:
-        return ""
-
-    old_lines = old_string.splitlines()
-    content_lines = content.splitlines()
-
-    if not old_lines or not content_lines:
-        return ""
-
-    # Use first line of old_string as anchor for search
-    anchor = old_lines[0].strip()
-    if not anchor:
-        # Try second line if first is blank
-        candidates = [l.strip() for l in old_lines if l.strip()]
-        if not candidates:
-            return ""
-        anchor = candidates[0]
-
-    # Score each line in content by similarity to anchor
-    scored = []
-    for i, line in enumerate(content_lines):
-        stripped = line.strip()
-        if not stripped:
-            continue
-        ratio = SequenceMatcher(None, anchor, stripped).ratio()
-        if ratio > 0.3:
-            scored.append((ratio, i))
-
-    if not scored:
-        return ""
-
-    # Take top matches
-    scored.sort(key=lambda x: -x[0])
-    top = scored[:max_results]
-
-    parts = []
-    seen_ranges = set()
-    for _, line_idx in top:
-        start = max(0, line_idx - context_lines)
-        end = min(len(content_lines), line_idx + len(old_lines) + context_lines)
-        key = (start, end)
-        if key in seen_ranges:
-            continue
-        seen_ranges.add(key)
-        snippet = "\n".join(
-            f"{start + j + 1:4d}| {content_lines[start + j]}"
-            for j in range(end - start)
-        )
-        parts.append(snippet)
-
-    if not parts:
-        return ""
-
-    return "\n---\n".join(parts)
-
-
-def format_no_match_hint(error: Optional[str], match_count: int,
-                         old_string: str, content: str) -> str:
-    """Return a '\\n\\nDid you mean...' snippet for plain no-match errors.
-
-    Gated so the hint only fires for actual "old_string not found" failures.
-    Ambiguous-match ("Found N matches"), escape-drift, and identical-strings
-    errors all have ``match_count == 0`` but a "did you mean?" snippet would
-    be misleading — those failed for unrelated reasons.
-
-    Returns an empty string when there's nothing useful to append.
-    """
-    if match_count != 0:
-        return ""
-    if not error or not error.startswith("Could not find"):
-        return ""
-    hint = find_closest_lines(old_string, content)
-    if not hint:
-        return ""
-    return "\n\nDid you mean one of these sections?\n" + hint

tools/patch_parser.py

@@ -290,16 +290,10 @@ def _validate_operations(
                 )
                 if count == 0:
                     label = f"'{hunk.context_hint}'" if hunk.context_hint else "(no hint)"
-                    msg = (
+                    errors.append(
                         f"{op.file_path}: hunk {label} not found"
                         + (f" — {match_error}" if match_error else "")
                     )
-                    try:
-                        from tools.fuzzy_match import format_no_match_hint
-                        msg += format_no_match_hint(match_error, count, search_pattern, simulated)
-                    except Exception:
-                        pass
-                    errors.append(msg)
                 else:
                     # Advance simulation so subsequent hunks validate correctly.
                     # Reuse the result from the call above — no second fuzzy run.
@@ -543,13 +537,7 @@ def _apply_update(op: PatchOperation, file_ops: Any) -> Tuple[bool, str]:
                             error = None
                 
                 if error:
-                    err_msg = f"Could not apply hunk: {error}"
-                    try:
-                        from tools.fuzzy_match import format_no_match_hint
-                        err_msg += format_no_match_hint(error, 0, search_pattern, new_content)
-                    except Exception:
-                        pass
-                    return False, err_msg
+                    return False, f"Could not apply hunk: {error}"
         else:
             # Addition-only hunk (no context or removed lines).
             # Insert at the location indicated by the context hint, or at end of file.

tools/skill_manager_tool.py

@@ -575,15 +575,9 @@ def _patch_skill(
     if match_error:
         # Show a short preview of the file so the model can self-correct
         preview = content[:500] + ("..." if len(content) > 500 else "")
-        err_msg = match_error
-        try:
-            from tools.fuzzy_match import format_no_match_hint
-            err_msg += format_no_match_hint(match_error, match_count, old_string, content)
-        except Exception:
-            pass
         return {
             "success": False,
-            "error": err_msg,
+            "error": match_error,
             "file_preview": preview,
         }