feat: add A2A task delegation over mTLS (#804)

agent/a2a_mtls.py

@@ -29,6 +29,8 @@ import logging
 import os
 import ssl
 import threading
+import time
+import uuid
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from pathlib import Path
 from typing import Any, Callable, Dict, Optional
@@ -441,3 +443,244 @@ class A2AMTLSClient:
     def post(self, url: str, json: Optional[Dict[str, Any]] = None, **kwargs: Any) -> Dict[str, Any]:
         data = (__import__("json").dumps(json).encode() if json is not None else None)
         return self._request("POST", url, data=data, **kwargs)
+
+
+# ---------------------------------------------------------------------------
+# Structured A2A task delegation over mTLS
+# ---------------------------------------------------------------------------
+
+_TERMINAL_TASK_STATES = {"completed", "failed", "canceled", "rejected"}
+
+
+def _iso_now() -> str:
+    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
+
+
+def _task_status(state: str, message: str) -> Dict[str, Any]:
+    return {
+        "state": state,
+        "message": message,
+        "timestamp": _iso_now(),
+    }
+
+
+def _coerce_artifact(result: Any) -> Dict[str, Any]:
+    if isinstance(result, dict):
+        if "text" in result:
+            return result
+        if "artifact" in result and isinstance(result["artifact"], dict):
+            return result["artifact"]
+    return {"text": str(result)}
+
+
+def _build_task_record(task_id: str, task: str, requester: Optional[str], metadata: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
+    return {
+        "taskId": task_id,
+        "task": task,
+        "requester": requester,
+        "metadata": metadata or {},
+        "artifacts": [],
+        "status": _task_status("submitted", "Task submitted"),
+    }
+
+
+def _default_agent_card(host: str, port: int) -> Dict[str, Any]:
+    base_url = f"https://{host}:{port}"
+    try:
+        from agent.agent_card import build_agent_card
+        from dataclasses import asdict
+
+        card = asdict(build_agent_card())
+    except Exception as exc:  # pragma: no cover - fallback only exercised when card build breaks
+        logger.warning("Falling back to minimal agent card: %s", exc)
+        card = {
+            "name": os.environ.get("HERMES_AGENT_NAME", "hermes"),
+            "description": "Hermes A2A task server",
+            "version": "unknown",
+        }
+    card["url"] = base_url
+    card["a2aTaskEndpoint"] = f"{base_url}/a2a/rpc"
+    return card
+
+
+def _default_local_hermes_executor(task_payload: Dict[str, Any]) -> Dict[str, Any]:
+    task_text = str(task_payload.get("task", "")).strip()
+    if not task_text:
+        return {"text": ""}
+    from run_agent import AIAgent
+
+    agent = AIAgent(quiet_mode=True)
+    result = agent.chat(task_text)
+    return {
+        "text": result,
+        "metadata": {"executor": "local-hermes"},
+    }
+
+
+class A2ATaskServer:
+    """JSON-RPC A2A task server running over the routing mTLS server."""
+
+    def __init__(
+        self,
+        cert: str | Path,
+        key: str | Path,
+        ca: str | Path,
+        host: str = "127.0.0.1",
+        port: int = 9443,
+        executor: Optional[Callable[[Dict[str, Any]], Dict[str, Any]]] = None,
+        card_factory: Optional[Callable[[], Dict[str, Any]]] = None,
+    ) -> None:
+        self.host = host
+        self.port = port
+        self._server = A2AMTLSServer(cert=cert, key=key, ca=ca, host=host, port=port)
+        self._executor = executor or _default_local_hermes_executor
+        self._card_factory = card_factory or (lambda: _default_agent_card(self.host, self.port))
+        self._tasks: Dict[str, Dict[str, Any]] = {}
+        self._lock = threading.Lock()
+        self._server.add_route("/.well-known/agent-card.json", self._handle_agent_card)
+        self._server.add_route("/agent-card.json", self._handle_agent_card)
+        self._server.add_route("/a2a/rpc", self._handle_rpc)
+
+    def __enter__(self) -> "A2ATaskServer":
+        self.start()
+        return self
+
+    def __exit__(self, *_: Any) -> None:
+        self.stop()
+
+    def start(self) -> None:
+        self._server.start()
+
+    def stop(self) -> None:
+        self._server.stop()
+
+    def _handle_agent_card(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        return self._card_factory()
+
+    def _handle_rpc(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        req_id = payload.get("id")
+        if payload.get("jsonrpc") != "2.0":
+            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32600, "message": "invalid jsonrpc version"}}
+
+        method = payload.get("method")
+        params = payload.get("params") or {}
+        try:
+            if method == "tasks/send":
+                result = self._rpc_send_task(params, peer_cn=peer_cn)
+            elif method == "tasks/get":
+                result = self._rpc_get_task(params)
+            else:
+                return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32601, "message": f"unknown method: {method}"}}
+        except Exception as exc:
+            logger.exception("A2A task RPC failed: %s", exc)
+            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32000, "message": str(exc)}}
+        return {"jsonrpc": "2.0", "id": req_id, "result": result}
+
+    def _rpc_send_task(self, params: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
+        task_text = str(params.get("task", "")).strip()
+        if not task_text:
+            raise ValueError("task is required")
+        task_id = params.get("taskId") or uuid.uuid4().hex
+        requester = params.get("requester") or peer_cn
+        metadata = dict(params.get("metadata") or {})
+        if peer_cn:
+            metadata.setdefault("peer_cn", peer_cn)
+        record = _build_task_record(task_id, task_text, requester, metadata)
+        with self._lock:
+            self._tasks[task_id] = record
+        worker = threading.Thread(target=self._run_task, args=(task_id,), daemon=True, name=f"a2a-task-{task_id[:8]}")
+        worker.start()
+        return self._copy_task(task_id)
+
+    def _rpc_get_task(self, params: Dict[str, Any]) -> Dict[str, Any]:
+        task_id = str(params.get("taskId", "")).strip()
+        if not task_id:
+            raise ValueError("taskId is required")
+        return self._copy_task(task_id)
+
+    def _copy_task(self, task_id: str) -> Dict[str, Any]:
+        with self._lock:
+            if task_id not in self._tasks:
+                raise KeyError(f"unknown taskId: {task_id}")
+            return json.loads(json.dumps(self._tasks[task_id]))
+
+    def _run_task(self, task_id: str) -> None:
+        with self._lock:
+            task = self._tasks[task_id]
+            task["status"] = _task_status("working", "Task is running")
+            task_payload = {
+                "taskId": task["taskId"],
+                "task": task["task"],
+                "requester": task.get("requester"),
+                "metadata": dict(task.get("metadata") or {}),
+            }
+        try:
+            result = self._executor(task_payload)
+            artifact = _coerce_artifact(result)
+            with self._lock:
+                task = self._tasks[task_id]
+                task["artifacts"] = [artifact]
+                task["status"] = _task_status("completed", "Task completed")
+        except Exception as exc:
+            with self._lock:
+                task = self._tasks[task_id]
+                task["status"] = _task_status("failed", f"Task failed: {exc}")
+
+
+class A2ATaskClient(A2AMTLSClient):
+    """Client helper for A2A JSON-RPC task send/get flows."""
+
+    def discover_card(self, base_url: str) -> Dict[str, Any]:
+        return self.get(f"{base_url.rstrip('/')}/.well-known/agent-card.json")
+
+    def _rpc_call(self, base_url: str, method: str, params: Dict[str, Any]) -> Dict[str, Any]:
+        payload = {
+            "jsonrpc": "2.0",
+            "id": uuid.uuid4().hex,
+            "method": method,
+            "params": params,
+        }
+        response = self.post(f"{base_url.rstrip('/')}/a2a/rpc", json=payload)
+        if "error" in response:
+            error = response["error"]
+            raise RuntimeError(error.get("message") or str(error))
+        return response.get("result", {})
+
+    def send_task(
+        self,
+        base_url: str,
+        *,
+        task: str,
+        requester: str | None = None,
+        metadata: Optional[Dict[str, Any]] = None,
+    ) -> Dict[str, Any]:
+        return self._rpc_call(
+            base_url,
+            "tasks/send",
+            {
+                "task": task,
+                "requester": requester,
+                "metadata": metadata or {},
+            },
+        )
+
+    def get_task(self, base_url: str, task_id: str) -> Dict[str, Any]:
+        return self._rpc_call(base_url, "tasks/get", {"taskId": task_id})
+
+    def wait_for_task(
+        self,
+        base_url: str,
+        task_id: str,
+        *,
+        timeout: float = 30.0,
+        poll_interval: float = 0.5,
+    ) -> Dict[str, Any]:
+        deadline = time.monotonic() + timeout
+        while True:
+            task = self.get_task(base_url, task_id)
+            state = str(((task.get("status") or {}).get("state") or "")).lower()
+            if state in _TERMINAL_TASK_STATES:
+                return task
+            if time.monotonic() >= deadline:
+                raise TimeoutError(f"Timed out waiting for task {task_id}")
+            time.sleep(poll_interval)

docs/review_packets/hermes-harness-2026-04-21.md

@@ -1,387 +0,0 @@
-# Morning Review Packet
-
-Source epic: [EPIC: Morning review packet — Hermes harness features landed 2026-04-21](https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/949)
-
-## Epic context
-
-EPIC: Morning review packet — Hermes harness features landed 2026-04-21
-
-Source: git log on upstream/main since 2026-04-21 00:00 EDT, plus the current local branch `burn/921-poka-yoke-hardcoded-paths` for the branch-only path-guard work.
-
-Important review note:
-- Validate upstream-landed features on `upstream/main` or a synced branch.
-- Validate the path-guard work on `burn/921-poka-yoke-hardcoded-paths`.
-
-This epic is a morning-review packet: one QA issue per feature cluster, each with concrete acceptance criteria and targeted tests or manual checks.
-
-## Success criteria
-- [ ] Every issue has a clear PASS / FAIL outcome.
-- [ ] Test output or manual evidence is attached to each issue.
-- [ ] Any drift between upstream/main and forge/main is called out explicitly.
-
-## Sub-issues
-### Upstream/main features landed 2026-04-21
-- [ ] #950 [QA] Verify AI Gateway provider UX + attribution headers
-- [ ] #951 [QA] Verify transport abstraction + AnthropicTransport wiring
-- [ ] #952 [QA] Verify CLI voice beep toggle
-- [ ] #953 [QA] Verify bundled skill scripts run out of the box
-- [ ] #954 [QA] Verify maps skill guest_house / camp_site / bakery expansion
-- [ ] #955 [QA] Verify KittenTTS local provider end-to-end
-- [ ] #956 [QA] Verify numbered keyboard shortcuts for approval + clarify prompts
-- [ ] #957 [QA] Verify optional adversarial-ux-test skill catalog flow
-- [ ] #958 [QA] Verify /usage account limits in CLI + gateway
-- [ ] #959 [QA] Verify OpenCode-Go curated catalog additions
-- [ ] #960 [QA] Verify patch 'did you mean?' suggestions
-- [ ] #961 [QA] Verify web dashboard update/restart action buttons
-
-### Local branch-only work
-- [ ] #962 [QA] Verify hardcoded-home path guard on burn/921 branch
-
-## Summary
-
-| Issue | State | Commits | Tests |
-| --- | --- | --- | --- |
-| #950 | open | 5 | 2 |
-| #951 | open | 2 | 2 |
-| #952 | open | 1 | 1 |
-| #953 | open | 1 | 2 |
-| #954 | open | 1 | 0 |
-| #955 | open | 2 | 1 |
-| #956 | open | 1 | 0 |
-| #957 | open | 1 | 0 |
-| #958 | open | 2 | 2 |
-| #959 | open | 1 | 1 |
-| #960 | open | 2 | 1 |
-| #961 | closed | 1 | 0 |
-| #962 | closed | 1 | 1 |
-
-## #950 — [QA] Verify AI Gateway provider UX + attribution headers
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/950
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `b11753879` — attribution default_headers for ai-gateway provider
-- `700437440` — curated picker with live pricing
-- `ac26a460f` — promote ai-gateway in provider picker ordering
-- `5bb2d11b0` — auto-promote free Moonshot models
-- `29f57ec95` — Vercel deep-link for API key creation
-
-### Targeted tests
-- `tests/hermes_cli/test_ai_gateway_models.py`
-- `tests/run_agent/test_provider_attribution_headers.py`
-
-### Tasks
-- [ ] Open `hermes model` and verify `ai-gateway` appears near the top.
-- [ ] Verify live pricing appears in the picker.
-- [ ] Verify free Moonshot models are promoted.
-- [ ] Trigger API-key setup flow and verify the Vercel deep link.
-- [ ] Send one ai-gateway request and verify attribution headers are attached.
-
-### Acceptance criteria
-- [ ] UI ordering and pricing match the landed behavior.
-- [ ] Attribution headers are present on ai-gateway requests.
-- [ ] Targeted tests pass.
-
-## #951 — [QA] Verify transport abstraction + AnthropicTransport wiring
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/951
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `7ab5eebd0` — transport types + Anthropic normalize migration
-- `731f4fbae` — transport ABC + AnthropicTransport wired to all paths
-
-### Targeted tests
-- `tests/agent/transports/test_types.py`
-- `tests/agent/test_anthropic_normalize_v2.py`
-
-### Tasks
-- [ ] Verify plain-text Anthropic responses normalize correctly.
-- [ ] Verify tool-call responses preserve IDs, names, and arguments.
-- [ ] Verify reasoning/thinking is preserved separately from visible content.
-- [ ] Verify finish_reason mapping remains correct across paths.
-
-### Acceptance criteria
-- [ ] Normalized response shape is stable.
-- [ ] Tool-call and reasoning payloads survive normalization.
-- [ ] Targeted tests pass.
-
-## #952 — [QA] Verify CLI voice beep toggle
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/952
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `b48ea41d2` — voice: add CLI beep toggle
-
-### Targeted tests
-- `tests/tools/test_voice_cli_integration.py`
-
-### Tasks
-- [ ] Enable the beep option in config and confirm voice mode emits the beep.
-- [ ] Disable the option and confirm the same path is silent.
-- [ ] Verify voice mode still strips markdown before speech output.
-- [ ] Verify voice mode does not pollute conversation history with TTS-only text.
-
-### Acceptance criteria
-- [ ] Beep behavior is actually toggled by config.
-- [ ] Existing voice/TTS integration behavior is not regressed.
-- [ ] Targeted tests pass.
-
-## #953 — [QA] Verify bundled skill scripts run out of the box
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/953
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `328223576` — make bundled skill scripts runnable out of the box
-
-### Targeted tests
-- `tests/agent/test_skill_commands.py`
-- `tests/tools/test_local_shell_init.py`
-
-### Tasks
-- [ ] Pick a bundled skill that ships a script and run it without manual chmod/PATH surgery.
-- [ ] Verify local terminal execution resolves the installed skill script correctly.
-- [ ] Verify local shell init still behaves correctly.
-
-### Acceptance criteria
-- [ ] Bundled skill scripts execute from the installed skill location with no manual prep.
-- [ ] Local shell init remains healthy.
-- [ ] Targeted tests pass.
-
-## #954 — [QA] Verify maps skill guest_house / camp_site / bakery expansion
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/954
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `c5a814b23` — maps: add guest_house, camp_site, and dual-key bakery lookup
-
-### Tasks
-- [ ] Use the maps skill to search for a guest house in a known populated area.
-- [ ] Use the maps skill to search for a camp site in a known populated area.
-- [ ] Use the maps skill to search for a bakery and verify both supported keys resolve correctly.
-- [ ] Confirm results are sensible and non-empty.
-
-### Acceptance criteria
-- [ ] All three place types resolve correctly.
-- [ ] Bakery lookup works through both supported keys.
-- [ ] Manual evidence is attached in the issue.
-
-## #955 — [QA] Verify KittenTTS local provider end-to-end
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/955
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `1830ebfc5` — add KittenTTS provider
-- `2d7ff9c5b` — complete KittenTTS integration across tools/setup/docs/tests
-
-### Targeted tests
-- `tests/tools/test_tts_kittentts.py`
-
-### Tasks
-- [ ] Configure TTS to use `kittentts`.
-- [ ] Generate speech to `.wav` and verify playable output.
-- [ ] Verify voice / speed / cleaned text are passed correctly.
-- [ ] Generate repeated requests and verify model caching behavior.
-- [ ] Generate a non-wav output and verify ffmpeg conversion path.
-- [ ] Verify missing-package behavior returns a helpful error.
-
-### Acceptance criteria
-- [ ] KittenTTS works end-to-end when installed.
-- [ ] Failure mode is operator-friendly when not installed.
-- [ ] Targeted tests pass.
-
-## #956 — [QA] Verify numbered keyboard shortcuts for approval + clarify prompts
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/956
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `d1ed6f4fb` — CLI: add numbered keyboard shortcuts to approval and clarify prompts
-
-### Tasks
-- [ ] Trigger an approval prompt and choose an option with number keys.
-- [ ] Trigger a clarify prompt and choose an option with number keys.
-- [ ] Verify the correct option is submitted both times.
-- [ ] Verify normal keyboard navigation still works.
-
-### Acceptance criteria
-- [ ] Number-key selection works for both prompt types.
-- [ ] Legacy keyboard navigation is not broken.
-- [ ] Manual evidence is attached in the issue.
-
-## #957 — [QA] Verify optional adversarial-ux-test skill catalog flow
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/957
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `e50e7f11b` — skills: add adversarial-ux-test optional skill
-
-### Tasks
-- [ ] Verify the optional skill appears in the optional skill catalog.
-- [ ] Install or enable the skill.
-- [ ] Load it successfully through Hermes.
-- [ ] Disable or remove it and verify catalog state updates cleanly.
-
-### Acceptance criteria
-- [ ] Catalog listing is correct.
-- [ ] Install / load / disable lifecycle works cleanly.
-- [ ] Manual evidence is attached in the issue.
-
-## #958 — [QA] Verify /usage account limits in CLI + gateway
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/958
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `8a11b0a20` — per-provider account limits module
-- `bcc5d7b67` — append account limits section in CLI and gateway
-
-### Targeted tests
-- `tests/test_account_usage.py`
-- `tests/gateway/test_usage_command.py`
-
-### Tasks
-- [ ] Run `/usage` in CLI for a provider with account limits.
-- [ ] Verify provider, remaining quota, total limit, and reset window render correctly.
-- [ ] Run `/usage` through the gateway and verify the same section appears.
-- [ ] Verify zero-value cache read/write sections stay hidden when appropriate.
-
-### Acceptance criteria
-- [ ] CLI and gateway both show the landed account-limits section correctly.
-- [ ] Targeted tests pass.
-
-## #959 — [QA] Verify OpenCode-Go curated catalog additions
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/959
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `4fea1769d` — opencode-go: add Kimi K2.6 and Qwen3.5/3.6 Plus to curated catalog
-
-### Targeted tests
-- `tests/hermes_cli/test_opencode_go_in_model_list.py`
-
-### Tasks
-- [ ] With valid OpenCode-Go credentials, open `hermes model`.
-- [ ] Verify Kimi K2.6 appears.
-- [ ] Verify Qwen 3.5 Plus and 3.6 Plus appear.
-- [ ] Unset credentials and verify the provider/catalog hides correctly.
-
-### Acceptance criteria
-- [ ] New curated models are present when credentials exist.
-- [ ] Catalog visibility still respects credential gating.
-- [ ] Targeted tests pass.
-
-## #960 — [QA] Verify patch 'did you mean?' suggestions
-
-State: open
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/960
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `15abf4ed8` — add `did you mean?` feedback when patch fails to match
-- `5e6427a42` — gate it to true no-match cases and extend to v4a / skill_manage
-
-### Targeted tests
-- `tests/tools/test_fuzzy_match.py`
-
-### Tasks
-- [ ] Intentionally run a replace/patch with a near-miss `old_string`.
-- [ ] Verify the tool suggests a useful nearby line/context.
-- [ ] Verify suggestions only appear on true no-match failures.
-- [ ] Verify the behavior also works via file tools, v4a patching, and skill_manage.
-
-### Acceptance criteria
-- [ ] Suggestion quality is helpful, not noisy.
-- [ ] Suggestions are correctly gated to no-match cases.
-- [ ] Targeted tests pass.
-
-## #961 — [QA] Verify web dashboard update/restart action buttons
-
-State: closed
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/961
-
-### Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-### Commits
-- `fc21c1420` — add buttons to update Hermes and restart gateway
-
-### Files touched
-- `web/src/pages/StatusPage.tsx`
-- `web/src/lib/api.ts`
-- `web/src/i18n/en.ts`
-
-### Tasks
-- [ ] Open the Web UI status page and verify both buttons are present.
-- [ ] Click Restart Gateway in a safe environment and verify running/output/success-or-failure states render.
-- [ ] Click Update Hermes and verify the same action lifecycle.
-- [ ] Verify the page remains responsive while actions are running.
-
-### Acceptance criteria
-- [ ] Both action buttons are present and wired.
-- [ ] Action status polling and result rendering work end-to-end.
-- [ ] Manual evidence is attached in the issue.
-
-## #962 — [QA] Verify hardcoded-home path guard on burn/921 branch
-
-State: closed
-URL: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/962
-
-### Branch / checkout
-- Validate specifically on `burn/921-poka-yoke-hardcoded-paths` (not upstream/main).
-
-### Commits
-- `5dcb90531` — Poka-yoke: prevent hardcoded home-directory paths
-
-### Targeted tests
-- `tests/test_path_guard.py`
-
-### Tasks
-- [ ] Verify hardcoded `/Users/...` paths are rejected.
-- [ ] Verify hardcoded `~/.hermes/...` paths are rejected in guarded contexts.
-- [ ] Verify valid relative paths still pass.
-- [ ] Verify appropriate absolute paths still pass where intended.
-- [ ] Verify linting catches violations in non-test files.
-
-### Acceptance criteria
-- [ ] Guard blocks the dangerous patterns and preserves allowed ones.
-- [ ] Targeted tests pass.

hermes_cli/a2a_cmd.py

@@ -0,0 +1,132 @@
+"""CLI helpers for A2A task delegation."""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import sys
+import time
+from pathlib import Path
+from typing import Any
+
+from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
+from hermes_cli.config import get_hermes_home
+
+
+def _registry_path() -> Path:
+    return get_hermes_home() / "a2a_agents.json"
+
+
+def _default_identity_paths() -> tuple[str, str, str]:
+    hermes_home = get_hermes_home()
+    agent_name = os.environ.get("HERMES_AGENT_NAME", "hermes").lower()
+    cert = os.environ.get(
+        "HERMES_A2A_CERT",
+        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.crt"),
+    )
+    key = os.environ.get(
+        "HERMES_A2A_KEY",
+        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.key"),
+    )
+    ca = os.environ.get(
+        "HERMES_A2A_CA",
+        str(hermes_home / "pki" / "ca" / "fleet-ca.crt"),
+    )
+    return cert, key, ca
+
+
+def load_agent_registry(path: Path | None = None) -> dict[str, Any]:
+    registry_path = path or _registry_path()
+    if not registry_path.exists():
+        return {}
+    return json.loads(registry_path.read_text(encoding="utf-8"))
+
+
+def resolve_agent_url(agent: str, *, registry_path: Path | None = None) -> str:
+    key = re.sub(r"[^A-Za-z0-9]+", "_", agent).upper()
+    env_value = os.getenv(f"HERMES_A2A_{key}_URL")
+    if env_value:
+        return env_value
+
+    registry = load_agent_registry(registry_path)
+    entry = registry.get(agent)
+    if isinstance(entry, str) and entry:
+        return entry
+    if isinstance(entry, dict):
+        url = entry.get("url") or entry.get("base_url") or entry.get("card_url")
+        if url:
+            return str(url)
+    if agent.startswith("https://") or agent.startswith("http://"):
+        return agent
+    raise SystemExit(f"Unknown A2A agent '{agent}'. Set HERMES_A2A_{key}_URL or add it to {_registry_path()}.")
+
+
+def _print(data: dict[str, Any]) -> None:
+    print(json.dumps(data, indent=2, ensure_ascii=False))
+
+
+def cmd_send(args) -> None:
+    base_url = args.url or resolve_agent_url(args.agent)
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    client = A2ATaskClient(cert=cert, key=key, ca=ca)
+    card = client.discover_card(base_url)
+    task = client.send_task(
+        base_url,
+        task=args.task,
+        requester=args.requester,
+        metadata={"agent": args.agent},
+    )
+    if args.wait:
+        task = client.wait_for_task(
+            base_url,
+            task["taskId"],
+            timeout=args.timeout,
+            poll_interval=args.poll_interval,
+        )
+    _print({
+        "agent": args.agent,
+        "url": base_url,
+        "card": card,
+        "task": task,
+    })
+
+
+def cmd_status(args) -> None:
+    base_url = args.url or resolve_agent_url(args.agent)
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    client = A2ATaskClient(cert=cert, key=key, ca=ca)
+    task = client.get_task(base_url, args.task_id)
+    _print({"agent": args.agent, "url": base_url, "task": task})
+
+
+def cmd_serve(args) -> None:
+    cert, key, ca = args.cert, args.key, args.ca
+    if not (cert and key and ca):
+        cert, key, ca = _default_identity_paths()
+    server = A2ATaskServer(cert=cert, key=key, ca=ca, host=args.host, port=args.port)
+    server.start()
+    print(f"A2A task server listening on https://{args.host}:{args.port}")
+    try:
+        while True:
+            time.sleep(1)
+    except KeyboardInterrupt:
+        server.stop()
+
+
+def cmd_a2a(args) -> None:
+    command = getattr(args, "a2a_command", None) or "send"
+    if command == "send":
+        cmd_send(args)
+        return
+    if command == "status":
+        cmd_status(args)
+        return
+    if command == "serve":
+        cmd_serve(args)
+        return
+    raise SystemExit(f"Unknown a2a command: {command}")

hermes_cli/main.py

@@ -173,6 +173,13 @@ from hermes_constants import OPENROUTER_BASE_URL
 logger = logging.getLogger(__name__)
 
 
+def cmd_a2a(args):
+    """Dispatch A2A CLI subcommands lazily to avoid heavy imports at startup."""
+    from hermes_cli.a2a_cmd import cmd_a2a as _cmd_a2a
+
+    return _cmd_a2a(args)
+
+
 def _relative_time(ts) -> str:
     """Format a timestamp as relative time (e.g., '2h ago', 'yesterday')."""
     if not ts:
@@ -4781,6 +4788,45 @@ For more help on a command:
 
     gateway_parser.set_defaults(func=cmd_gateway)
     
+    # =========================================================================
+    # a2a command
+    # =========================================================================
+    a2a_parser = subparsers.add_parser(
+        "a2a",
+        help="A2A task delegation over mutual TLS",
+        description="Send, inspect, and serve structured A2A tasks between Hermes agents",
+    )
+    a2a_subparsers = a2a_parser.add_subparsers(dest="a2a_command")
+
+    a2a_send = a2a_subparsers.add_parser("send", help="Send an A2A task to another agent")
+    a2a_send.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
+    a2a_send.add_argument("--task", required=True, help="Task text to delegate")
+    a2a_send.add_argument("--url", help="Explicit base URL for the remote agent")
+    a2a_send.add_argument("--requester", default=None, help="Requester label included in task metadata")
+    a2a_send.add_argument("--wait", action="store_true", help="Poll until the task reaches a terminal state")
+    a2a_send.add_argument("--timeout", type=float, default=30.0, help="Wait timeout in seconds (default: 30)")
+    a2a_send.add_argument("--poll-interval", type=float, default=0.5, help="Polling interval in seconds while waiting (default: 0.5)")
+    a2a_send.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_send.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
+    a2a_send.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_status = a2a_subparsers.add_parser("status", help="Fetch the current status of an A2A task")
+    a2a_status.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
+    a2a_status.add_argument("--task-id", required=True, help="Task identifier returned by a2a send")
+    a2a_status.add_argument("--url", help="Explicit base URL for the remote agent")
+    a2a_status.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_status.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
+    a2a_status.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_serve = a2a_subparsers.add_parser("serve", help="Run the local A2A task server")
+    a2a_serve.add_argument("--host", default=os.environ.get("HERMES_A2A_HOST", "127.0.0.1"), help="Bind host (default: HERMES_A2A_HOST or 127.0.0.1)")
+    a2a_serve.add_argument("--port", type=int, default=int(os.environ.get("HERMES_A2A_PORT", "9443")), help="Bind port (default: HERMES_A2A_PORT or 9443)")
+    a2a_serve.add_argument("--cert", default=None, help="Server certificate path (defaults from HERMES_A2A_CERT)")
+    a2a_serve.add_argument("--key", default=None, help="Server private key path (defaults from HERMES_A2A_KEY)")
+    a2a_serve.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
+
+    a2a_parser.set_defaults(func=cmd_a2a)
+    
     # =========================================================================
     # setup command
     # =========================================================================

scripts/morning_review_packet.py

@@ -1,301 +0,0 @@
-#!/usr/bin/env python3
-"""Build a morning review packet from a Gitea epic and its child QA issues.
-
-This script fetches a parent epic plus its sub-issues, extracts the structured
-sections from each QA issue body, and renders a single markdown packet suitable
-for morning review.
-
-Usage:
-    python scripts/morning_review_packet.py --epic-number 949
-    python scripts/morning_review_packet.py --epic-number 949 --children 950-962
-    python scripts/morning_review_packet.py --epic-number 949 --output docs/review_packets/hermes-harness-2026-04-21.md
-"""
-
-from __future__ import annotations
-
-import argparse
-import json
-import os
-import re
-import urllib.request
-from dataclasses import dataclass, field
-from pathlib import Path
-from typing import Iterable
-
-DEFAULT_BASE_URL = "https://forge.alexanderwhitestone.com"
-DEFAULT_OWNER = "Timmy_Foundation"
-DEFAULT_REPO = "hermes-agent"
-DEFAULT_TOKEN_PATH = Path.home() / ".config" / "gitea" / "token"
-
-
-@dataclass(frozen=True)
-class CommitEvidence:
-    sha: str
-    summary: str
-
-
-@dataclass
-class ReviewIssue:
-    number: int
-    title: str
-    state: str
-    url: str
-    comments: int = 0
-    parent_issue: int | None = None
-    checkout_notes: list[str] = field(default_factory=list)
-    commits: list[CommitEvidence] = field(default_factory=list)
-    targeted_tests: list[str] = field(default_factory=list)
-    files_touched: list[str] = field(default_factory=list)
-    tasks: list[str] = field(default_factory=list)
-    acceptance_criteria: list[str] = field(default_factory=list)
-
-
-def parse_issue_number_spec(spec: str) -> list[int]:
-    """Parse a comma-separated issue list like ``950-952,955,962``."""
-    numbers: list[int] = []
-    seen: set[int] = set()
-    for chunk in (part.strip() for part in spec.split(",")):
-        if not chunk:
-            continue
-        if "-" in chunk:
-            start_str, end_str = (part.strip() for part in chunk.split("-", 1))
-            start = int(start_str)
-            end = int(end_str)
-            if end < start:
-                raise ValueError(f"Invalid descending issue range: {chunk}")
-            for number in range(start, end + 1):
-                if number not in seen:
-                    numbers.append(number)
-                    seen.add(number)
-        else:
-            number = int(chunk)
-            if number not in seen:
-                numbers.append(number)
-                seen.add(number)
-    return numbers
-
-
-def _parse_sections(body: str) -> dict[str, list[str]]:
-    sections: dict[str, list[str]] = {}
-    current: str | None = None
-    for raw_line in body.splitlines():
-        line = raw_line.rstrip()
-        if line.startswith("## "):
-            current = line[3:].strip()
-            sections[current] = []
-            continue
-        if current is not None:
-            sections[current].append(line)
-    return sections
-
-
-def _clean_bullet(line: str) -> str | None:
-    stripped = line.strip()
-    if not stripped:
-        return None
-    stripped = re.sub(r"^-\s*\[(?: |x|X)\]\s*", "", stripped)
-    stripped = re.sub(r"^-\s*", "", stripped)
-    return stripped.strip() or None
-
-
-def _extract_bullets(lines: Iterable[str]) -> list[str]:
-    items: list[str] = []
-    for line in lines:
-        cleaned = _clean_bullet(line)
-        if cleaned:
-            items.append(cleaned)
-    return items
-
-
-def _extract_parent_issue(body: str, sections: dict[str, list[str]]) -> int | None:
-    parent_lines = sections.get("Parent", [])
-    for line in parent_lines:
-        match = re.search(r"#(\d+)", line)
-        if match:
-            return int(match.group(1))
-    match = re.search(r"Linked to Epic\s+#(\d+)", body, flags=re.IGNORECASE)
-    if match:
-        return int(match.group(1))
-    return None
-
-
-def _extract_commits(lines: Iterable[str]) -> list[CommitEvidence]:
-    commits: list[CommitEvidence] = []
-    for item in _extract_bullets(lines):
-        match = re.match(r"`([^`]+)`\s*(.*)", item)
-        if match:
-            commits.append(CommitEvidence(sha=match.group(1).strip(), summary=match.group(2).strip()))
-        else:
-            commits.append(CommitEvidence(sha="", summary=item))
-    return commits
-
-
-def _strip_backticks(items: Iterable[str]) -> list[str]:
-    cleaned: list[str] = []
-    for item in items:
-        cleaned.append(item.replace("`", "").strip())
-    return cleaned
-
-
-def discover_child_issue_numbers(epic_body: str) -> list[int]:
-    """Discover sub-issue numbers from an epic body."""
-    sections = _parse_sections(epic_body)
-    sub_lines = sections.get("Sub-issues")
-    if not sub_lines:
-        return []
-    numbers: list[int] = []
-    seen: set[int] = set()
-    for line in sub_lines:
-        for match in re.finditer(r"#(\d+)", line):
-            number = int(match.group(1))
-            if number not in seen:
-                numbers.append(number)
-                seen.add(number)
-    return numbers
-
-
-def parse_child_issue(issue: dict) -> ReviewIssue:
-    body = issue.get("body") or ""
-    sections = _parse_sections(body)
-    commit_lines = sections.get("Commits landed today", []) or sections.get("Commit landed today", [])
-
-    return ReviewIssue(
-        number=int(issue["number"]),
-        title=issue.get("title") or "",
-        state=(issue.get("state") or "unknown").lower(),
-        url=issue.get("html_url") or issue.get("url") or "",
-        comments=int(issue.get("comments") or 0),
-        parent_issue=_extract_parent_issue(body, sections),
-        checkout_notes=_extract_bullets(sections.get("Branch / checkout", [])),
-        commits=_extract_commits(commit_lines),
-        targeted_tests=_strip_backticks(_extract_bullets(sections.get("Targeted tests", []))),
-        files_touched=_strip_backticks(_extract_bullets(sections.get("Files touched", []))),
-        tasks=_extract_bullets(sections.get("Tasks", [])),
-        acceptance_criteria=_extract_bullets(sections.get("Acceptance Criteria", [])),
-    )
-
-
-def build_packet_markdown(epic_issue: dict, child_issues: list[ReviewIssue]) -> str:
-    title = epic_issue.get("title") or f"Epic #{epic_issue.get('number')}"
-    url = epic_issue.get("html_url") or epic_issue.get("url") or ""
-    body = epic_issue.get("body") or ""
-    children = sorted(child_issues, key=lambda item: item.number)
-
-    lines: list[str] = []
-    lines.append("# Morning Review Packet")
-    lines.append("")
-    lines.append(f"Source epic: [{title}]({url})")
-    lines.append("")
-    lines.append("## Epic context")
-    lines.append("")
-    lines.append(title)
-    lines.append("")
-    for line in body.splitlines():
-        if line.strip():
-            lines.append(line)
-        else:
-            lines.append("")
-    lines.append("")
-    lines.append("## Summary")
-    lines.append("")
-    lines.append("| Issue | State | Commits | Tests |")
-    lines.append("| --- | --- | --- | --- |")
-    for child in children:
-        lines.append(
-            f"| #{child.number} | {child.state} | {len(child.commits)} | {len(child.targeted_tests)} |"
-        )
-    lines.append("")
-
-    for child in children:
-        lines.append(f"## #{child.number} — {child.title}")
-        lines.append("")
-        lines.append(f"State: {child.state}")
-        lines.append(f"URL: {child.url}")
-        lines.append("")
-        if child.checkout_notes:
-            lines.append("### Branch / checkout")
-            for note in child.checkout_notes:
-                lines.append(f"- {note}")
-            lines.append("")
-        if child.commits:
-            lines.append("### Commits")
-            for commit in child.commits:
-                if commit.sha:
-                    lines.append(f"- `{commit.sha}` — {commit.summary}")
-                else:
-                    lines.append(f"- {commit.summary}")
-            lines.append("")
-        if child.targeted_tests:
-            lines.append("### Targeted tests")
-            for test_path in child.targeted_tests:
-                lines.append(f"- `{test_path}`")
-            lines.append("")
-        if child.files_touched:
-            lines.append("### Files touched")
-            for file_path in child.files_touched:
-                lines.append(f"- `{file_path}`")
-            lines.append("")
-        if child.tasks:
-            lines.append("### Tasks")
-            for task in child.tasks:
-                lines.append(f"- [ ] {task}")
-            lines.append("")
-        if child.acceptance_criteria:
-            lines.append("### Acceptance criteria")
-            for item in child.acceptance_criteria:
-                lines.append(f"- [ ] {item}")
-            lines.append("")
-
-    return "\n".join(lines).rstrip() + "\n"
-
-
-def _resolve_token(explicit_token: str | None = None) -> str:
-    if explicit_token:
-        return explicit_token.strip()
-    env_token = os.getenv("GITEA_TOKEN")
-    if env_token:
-        return env_token.strip()
-    if DEFAULT_TOKEN_PATH.exists():
-        return DEFAULT_TOKEN_PATH.read_text().strip()
-    raise FileNotFoundError(f"No Gitea token found. Set GITEA_TOKEN or create {DEFAULT_TOKEN_PATH}")
-
-
-def fetch_issue(base_url: str, owner: str, repo: str, number: int, token: str) -> dict:
-    url = f"{base_url.rstrip('/')}/api/v1/repos/{owner}/{repo}/issues/{number}"
-    request = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
-    with urllib.request.urlopen(request, timeout=30) as response:
-        return json.loads(response.read().decode())
-
-
-def collect_child_issues(base_url: str, owner: str, repo: str, epic_issue: dict, token: str, children_spec: str | None = None) -> list[dict]:
-    numbers = parse_issue_number_spec(children_spec) if children_spec else discover_child_issue_numbers(epic_issue.get("body") or "")
-    return [fetch_issue(base_url, owner, repo, number, token) for number in numbers]
-
-
-def main(argv: list[str] | None = None) -> int:
-    parser = argparse.ArgumentParser(description="Build a markdown morning review packet from a Gitea epic")
-    parser.add_argument("--base-url", default=DEFAULT_BASE_URL)
-    parser.add_argument("--owner", default=DEFAULT_OWNER)
-    parser.add_argument("--repo", default=DEFAULT_REPO)
-    parser.add_argument("--epic-number", type=int, required=True)
-    parser.add_argument("--children", help="Explicit issue list/ranges, e.g. 950-962")
-    parser.add_argument("--token", help="Gitea token (defaults to GITEA_TOKEN or ~/.config/gitea/token)")
-    parser.add_argument("--output", help="Write markdown packet to this path instead of stdout")
-    args = parser.parse_args(argv)
-
-    token = _resolve_token(args.token)
-    epic_issue = fetch_issue(args.base_url, args.owner, args.repo, args.epic_number, token)
-    child_issue_dicts = collect_child_issues(args.base_url, args.owner, args.repo, epic_issue, token, args.children)
-    packet = build_packet_markdown(epic_issue, [parse_child_issue(issue) for issue in child_issue_dicts])
-
-    if args.output:
-        output_path = Path(args.output)
-        output_path.parent.mkdir(parents=True, exist_ok=True)
-        output_path.write_text(packet)
-    else:
-        print(packet, end="")
-    return 0
-
-
-if __name__ == "__main__":
-    raise SystemExit(main())

tests/agent/test_a2a_mtls.py

@@ -572,3 +572,94 @@ class TestA2AMTLSServerAndClient:
 
         assert not errors, f"Concurrent connection errors: {errors}"
         assert len(results) == 3
+
+
+@_requires_crypto
+class TestA2ATaskServerAndClient:
+    """Structured A2A task send/get flow over mTLS."""
+
+    @pytest.fixture(autouse=True)
+    def _pki(self, tmp_path):
+        ca_dir = tmp_path / "ca"
+        ca_dir.mkdir()
+        self.ca_crt, self.ca_key = _make_ca_keypair(ca_dir)
+        agent_dir = tmp_path / "agents"
+        agent_dir.mkdir()
+        self.srv_crt, self.srv_key = _make_agent_keypair(
+            agent_dir, "timmy", self.ca_crt, self.ca_key
+        )
+        self.cli_crt, self.cli_key = _make_agent_keypair(
+            agent_dir, "allegro", self.ca_crt, self.ca_key
+        )
+
+    @pytest.fixture()
+    def task_server(self):
+        from agent.a2a_mtls import A2ATaskServer
+
+        gate = threading.Event()
+
+        def analyze_executor(task: dict[str, object]) -> dict[str, object]:
+            gate.wait(timeout=2)
+            text = str(task.get("task", ""))
+            return {
+                "text": f"analysis:{text}",
+                "metadata": {"tool": "local-hermes-stub"},
+            }
+
+        port = _find_free_port()
+        server = A2ATaskServer(
+            cert=self.srv_crt,
+            key=self.srv_key,
+            ca=self.ca_crt,
+            host="127.0.0.1",
+            port=port,
+            executor=analyze_executor,
+        )
+        with server:
+            time.sleep(0.1)
+            yield server, port, gate
+
+    def test_task_send_get_and_completion_flow(self, task_server):
+        from agent.a2a_mtls import A2ATaskClient
+
+        server, port, gate = task_server
+        client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
+        base_url = f"https://127.0.0.1:{port}"
+
+        card = client.discover_card(base_url)
+        assert card["name"]
+
+        submitted = client.send_task(base_url, task="Analyze README.md", requester="timmy")
+        assert submitted["status"]["state"] in {"submitted", "working"}
+
+        in_flight = client.get_task(base_url, submitted["taskId"])
+        assert in_flight["status"]["state"] in {"submitted", "working"}
+
+        gate.set()
+        completed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
+        assert completed["status"]["state"] == "completed"
+        assert completed["artifacts"][0]["text"] == "analysis:Analyze README.md"
+
+    def test_failed_executor_marks_task_failed(self):
+        from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
+
+        def failing_executor(task: dict[str, object]) -> dict[str, object]:
+            raise RuntimeError("boom")
+
+        port = _find_free_port()
+        server = A2ATaskServer(
+            cert=self.srv_crt,
+            key=self.srv_key,
+            ca=self.ca_crt,
+            host="127.0.0.1",
+            port=port,
+            executor=failing_executor,
+        )
+        with server:
+            time.sleep(0.1)
+            client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
+            base_url = f"https://127.0.0.1:{port}"
+            submitted = client.send_task(base_url, task="explode", requester="timmy")
+            failed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
+            assert failed["status"]["state"] == "failed"
+            assert "boom" in failed["status"]["message"]

tests/hermes_cli/test_a2a_cmd.py

@@ -0,0 +1,95 @@
+from __future__ import annotations
+
+import argparse
+import json
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+
+
+def test_cmd_send_uses_registry_and_waits_for_terminal_task(tmp_path, monkeypatch, capsys):
+    hermes_home = tmp_path / ".hermes"
+    hermes_home.mkdir()
+    (hermes_home / "a2a_agents.json").write_text(
+        json.dumps({"allegro": {"url": "https://127.0.0.1:9443"}}),
+        encoding="utf-8",
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    from hermes_cli.a2a_cmd import cmd_a2a
+
+    class FakeClient:
+        def __init__(self, **kwargs):
+            self.kwargs = kwargs
+
+        def discover_card(self, base_url: str):
+            assert base_url == "https://127.0.0.1:9443"
+            return {"name": "allegro", "url": base_url}
+
+        def send_task(self, base_url: str, *, task: str, requester: str | None = None, metadata=None):
+            assert task == "analyze README"
+            return {"taskId": "task-123", "status": {"state": "submitted"}}
+
+        def wait_for_task(self, base_url: str, task_id: str, *, timeout: float, poll_interval: float):
+            assert task_id == "task-123"
+            return {
+                "taskId": task_id,
+                "status": {"state": "completed"},
+                "artifacts": [{"text": "README looks healthy"}],
+            }
+
+    args = argparse.Namespace(
+        a2a_command="send",
+        agent="allegro",
+        task="analyze README",
+        url=None,
+        wait=True,
+        timeout=5.0,
+        poll_interval=0.01,
+        requester="timmy",
+        cert="cert.pem",
+        key="key.pem",
+        ca="ca.pem",
+    )
+
+    with patch("hermes_cli.a2a_cmd.A2ATaskClient", FakeClient):
+        cmd_a2a(args)
+
+    result = json.loads(capsys.readouterr().out)
+    assert result["agent"] == "allegro"
+    assert result["card"]["name"] == "allegro"
+    assert result["task"]["status"]["state"] == "completed"
+    assert result["task"]["artifacts"][0]["text"] == "README looks healthy"
+
+
+def test_resolve_agent_url_supports_env_override(monkeypatch):
+    monkeypatch.setenv("HERMES_A2A_ALLEGRO_URL", "https://fleet-allegro:9443")
+    from hermes_cli.a2a_cmd import resolve_agent_url
+
+    assert resolve_agent_url("allegro") == "https://fleet-allegro:9443"
+
+
+def test_cmd_send_requires_known_agent(tmp_path, monkeypatch):
+    hermes_home = tmp_path / ".hermes"
+    hermes_home.mkdir()
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    from hermes_cli.a2a_cmd import cmd_a2a
+
+    args = argparse.Namespace(
+        a2a_command="send",
+        agent="unknown",
+        task="do work",
+        url=None,
+        wait=False,
+        timeout=5.0,
+        poll_interval=0.05,
+        requester=None,
+        cert="cert.pem",
+        key="key.pem",
+        ca="ca.pem",
+    )
+
+    with pytest.raises(SystemExit):
+        cmd_a2a(args)

tests/test_morning_review_packet.py

@@ -1,162 +0,0 @@
-from pathlib import Path
-import sys
-
-SCRIPT_DIR = Path(__file__).resolve().parents[1] / "scripts"
-sys.path.insert(0, str(SCRIPT_DIR))
-
-import morning_review_packet as mrp
-
-
-EPIC_BODY = """Source: git log on upstream/main since 2026-04-21 00:00 EDT.
-
-## Success criteria
-- [ ] Every issue has a clear PASS / FAIL outcome.
-
-## Sub-issues
-- [ ] #950 [QA] Verify AI Gateway provider UX + attribution headers
-- [ ] #951 [QA] Verify transport abstraction + AnthropicTransport wiring
-- [x] #962 [QA] Verify hardcoded-home path guard on burn/921 branch
-"""
-
-
-CHILD_BODY_PLURAL = """## Parent
-#949
-
-## Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-## Commits landed today
-- `b11753879` attribution default_headers for ai-gateway provider
-- `700437440` curated picker with live pricing
-
-## Targeted tests
-- `tests/hermes_cli/test_ai_gateway_models.py`
-- `tests/run_agent/test_provider_attribution_headers.py`
-
-## Tasks
-- [ ] Verify the picker ordering.
-- [ ] Verify attribution headers.
-
-## Acceptance Criteria
-- [ ] Picker shows AI Gateway prominently.
-- [ ] Headers appear on OpenRouter calls.
-"""
-
-
-CHILD_BODY_SINGULAR = """## Parent
-#949
-
-## Branch / checkout
-- Validate on `upstream/main` or an equivalent synced checkout.
-
-## Commit landed today
-- `fc21c1420` add buttons to update Hermes and restart gateway
-
-## Files touched
-- `web/src/pages/StatusPage.tsx`
-- `web/src/lib/api.ts`
-- `web/src/i18n/en.ts`
-
-## Tasks
-- [ ] Open the Web UI status page and verify both buttons are present.
-- [ ] Click Restart Gateway in a safe environment.
-"""
-
-
-def test_discover_child_issue_numbers_from_epic_body():
-    assert mrp.discover_child_issue_numbers(EPIC_BODY) == [950, 951, 962]
-
-
-def test_parse_issue_number_spec_supports_ranges_and_lists():
-    assert mrp.parse_issue_number_spec("950-952,955,962") == [950, 951, 952, 955, 962]
-
-
-def test_parse_child_issue_extracts_structured_sections():
-    issue = {
-        "number": 950,
-        "title": "[QA] Verify AI Gateway provider UX + attribution headers",
-        "state": "open",
-        "html_url": "https://forge.example/950",
-        "comments": 0,
-        "body": CHILD_BODY_PLURAL,
-    }
-
-    parsed = mrp.parse_child_issue(issue)
-
-    assert parsed.number == 950
-    assert parsed.parent_issue == 949
-    assert parsed.checkout_notes == ["Validate on `upstream/main` or an equivalent synced checkout."]
-    assert [c.sha for c in parsed.commits] == ["b11753879", "700437440"]
-    assert parsed.targeted_tests == [
-        "tests/hermes_cli/test_ai_gateway_models.py",
-        "tests/run_agent/test_provider_attribution_headers.py",
-    ]
-    assert parsed.tasks == [
-        "Verify the picker ordering.",
-        "Verify attribution headers.",
-    ]
-    assert parsed.acceptance_criteria == [
-        "Picker shows AI Gateway prominently.",
-        "Headers appear on OpenRouter calls.",
-    ]
-
-
-def test_parse_child_issue_handles_singular_commit_heading_and_files_touched():
-    issue = {
-        "number": 961,
-        "title": "[QA] Verify web dashboard update/restart action buttons",
-        "state": "closed",
-        "html_url": "https://forge.example/961",
-        "comments": 16,
-        "body": CHILD_BODY_SINGULAR,
-    }
-
-    parsed = mrp.parse_child_issue(issue)
-
-    assert [c.sha for c in parsed.commits] == ["fc21c1420"]
-    assert parsed.files_touched == [
-        "web/src/pages/StatusPage.tsx",
-        "web/src/lib/api.ts",
-        "web/src/i18n/en.ts",
-    ]
-    assert parsed.tasks == [
-        "Open the Web UI status page and verify both buttons are present.",
-        "Click Restart Gateway in a safe environment.",
-    ]
-
-
-def test_build_packet_markdown_renders_summary_and_details():
-    epic_issue = {
-        "number": 949,
-        "title": "EPIC: Morning review packet — Hermes harness features landed 2026-04-21",
-        "state": "open",
-        "html_url": "https://forge.example/949",
-        "body": EPIC_BODY,
-    }
-    child_a = mrp.parse_child_issue({
-        "number": 950,
-        "title": "[QA] Verify AI Gateway provider UX + attribution headers",
-        "state": "open",
-        "html_url": "https://forge.example/950",
-        "comments": 0,
-        "body": CHILD_BODY_PLURAL,
-    })
-    child_b = mrp.parse_child_issue({
-        "number": 961,
-        "title": "[QA] Verify web dashboard update/restart action buttons",
-        "state": "closed",
-        "html_url": "https://forge.example/961",
-        "comments": 16,
-        "body": CHILD_BODY_SINGULAR,
-    })
-
-    markdown = mrp.build_packet_markdown(epic_issue, [child_a, child_b])
-
-    assert "# Morning Review Packet" in markdown
-    assert "EPIC: Morning review packet — Hermes harness features landed 2026-04-21" in markdown
-    assert "| #950 | open | 2 | 2 |" in markdown
-    assert "| #961 | closed | 1 | 0 |" in markdown
-    assert "## #950 — [QA] Verify AI Gateway provider UX + attribution headers" in markdown
-    assert "## #961 — [QA] Verify web dashboard update/restart action buttons" in markdown
-    assert "`b11753879` — attribution default_headers for ai-gateway provider" in markdown
-    assert "`web/src/pages/StatusPage.tsx`" in markdown