feat: Gap Remediation Round 2 — server middleware, call chaining, observability, Guided Tour multi-agent flow #17

Merged
dasiths merged 17 commits into main from feature/gap-remediation-round-2 on May 25, 2026

Conversation

dasiths (Collaborator) commented May 25, 2026

Summary

Second round of gap remediation addressing server-side middleware, multi-agent call chaining, observability, and sample enhancements. 87 files changed, 447 tests passing (190 unit + 257 conformance).

Key Changes

Server Middleware (new)

  • AAuthVerificationMiddleware — full HTTP signature + JWT issuer verification via JWKS discovery, with per-path UseWhen scoping
  • Challenge middleware — issues 401 + resource_token for agent-token callers
  • Authorization integration — AddAAuthAuthentication() / RequireAAuthPolicy() for ASP.NET Core auth pipeline

Call Chaining (new)

  • TokenExchangeClient.ExchangeAsync accepts upstreamToken parameter — PS builds nested act claims
  • UseJwt(string) on AAuthClientBuilder — present a pre-acquired auth token directly
  • Orchestrator sample — intermediate service demonstrating Agent → Orchestrator → Resource delegation with full act chain verification
  • Interaction chaining (Gap 12) — consent propagation through multi-hop call chains

Observability (new)

  • OpenTelemetry ActivitySource integration for signature verification spans
  • Prefer: wait=N header support for long-polling with conformance tests

Samples & Documentation

  • WhoAmI split into 3 endpoints: GET /hwk, GET /jwks-uri, GET / (three-party JWT)
  • SampleApp — new CallChain page + updated all existing pages to target correct endpoints
  • AgentConsole — all 5 signing mode permutations working (hwk, jwks-uri, jwt, jkt-jwt, call-chain)
  • Guided Tour — new "Call Chain / Multi-Agent" flow (7 steps) with 4-lane sequence diagram and sub-step arrows showing Orchestrator internals
  • Makefile — make demo now starts 5 services (added Orchestrator)
  • 10+ documentation files added/updated (call-chaining workflow, verification middleware, authorization policies, observability)

SDK Enhancements

  • IAAuthKey interface extraction for key abstraction
  • RequireIssuerVerification option on verification middleware
  • ResourceIdentifier for audience validation

Testing

All 447 tests pass — 190 unit/integration + 257 conformance, including:

  • Call-chaining nested act claim verification
  • Challenge middleware token issuance
  • Verification middleware JWKS discovery + signature validation
  • Prefer: wait=N long-polling conformance
  • ECDSA P-256 + Ed25519 cross-algorithm signing
  • jkt-jwt key rotation scenarios

How to Test

make demo          # starts all 5 services + Guided Tour on :5400
make demo-sample   # starts all 5 services + SampleApp on :5240

Select "5 · Call Chain (Multi-Agent)" in the Guided Tour picker or visit the Call Chain page in SampleApp.
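The Agent → Orchestrator → Resource delegation that the Orchestrator sample and the "call chain" signing mode exercise rests on nested `act` claims (RFC 8693: the outermost `act` is the current actor, nested `act` entries are the prior actors). The following is an added, language-neutral illustration of that structure, written in Python rather than the SDK's C#; it is not code from this PR or the AAuth SDK. It models only JWT payloads (signature, JWKS and issuer checks are assumed to have passed already), and the issuer URL, service names (`agent-a`, `orchestrator`, `whoami`, after the PR's sample roles) and policy sets are constructed for the example.

```python
"""Build and verify a nested `act` delegation chain for a multi-hop call.

Added illustration, not the SDK's code. Only token *payloads* are modelled;
signature verification and issuer/JWKS discovery are assumed to have
already succeeded before these claims are trusted.
"""
from __future__ import annotations

ISSUER = "https://ps.example.test"  # hypothetical Principal Service (PS) issuer


def exchange(upstream_token: dict, actor: str, audience: str) -> dict:
    """Simulate the PS token-exchange step for one hop.

    The new token keeps the original subject, is scoped to `audience`, and
    records `actor` as the current actor. Any act chain already present in
    the upstream token is nested beneath it, so prior actors are preserved.
    """
    act: dict = {"sub": actor}
    if "act" in upstream_token:
        act["act"] = upstream_token["act"]
    return {"iss": ISSUER, "sub": upstream_token["sub"], "aud": audience, "act": act}


def act_chain(token: dict, max_depth: int = 8) -> list[str]:
    """Flatten the nested act claim: current actor first, then prior actors.

    Malformed nodes and over-long chains are rejected rather than silently
    truncated, so no actor can be hidden behind a depth limit.
    """
    chain: list[str] = []
    node = token.get("act")
    while node is not None:
        if not isinstance(node, dict) or not isinstance(node.get("sub"), str):
            raise ValueError("malformed act claim")
        if len(chain) >= max_depth:
            raise ValueError("act chain too deep")
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def verify_delegation(
    token: dict,
    resource: str,
    trusted_issuers: set[str],
    allowed_callers: set[str],
    allowed_delegations: set[tuple[str, str]],
) -> tuple[bool, str]:
    """Resource-side policy check over an already signature-verified payload."""
    if token.get("iss") not in trusted_issuers:
        return False, "untrusted issuer"
    if token.get("aud") != resource:
        return False, "audience mismatch"
    try:
        chain = act_chain(token)
    except ValueError as exc:
        return False, str(exc)
    if not chain:
        return False, "no act claim: token was not obtained through exchange"
    if chain[0] not in allowed_callers:
        return False, f"caller {chain[0]} may not call {resource}"
    # chain[i+1] delegated to chain[i]; every hop must be an allowed pair
    for current, prior in zip(chain, chain[1:]):
        if (prior, current) not in allowed_delegations:
            return False, f"delegation {prior} -> {current} not allowed"
    return True, " <- ".join(chain)


# Constructed policy for the `whoami` resource: only the orchestrator may call
# it, and the orchestrator may only act on behalf of agent-a.
POLICY = dict(
    trusted_issuers={ISSUER},
    allowed_callers={"orchestrator"},
    allowed_delegations={("agent-a", "orchestrator")},
)


def demo() -> dict:
    """Run the happy path and three failure modes; returns results for inspection."""
    user = {"iss": ISSUER, "sub": "user-123", "aud": "agent-a"}  # constructed principal token
    to_orch = exchange(user, "agent-a", "orchestrator")            # hop 1: agent -> orchestrator
    to_res = exchange(to_orch, "orchestrator", "whoami")           # hop 2: orchestrator -> resource
    direct = exchange(user, "agent-a", "whoami")                   # agent skipping the orchestrator
    forged = {**to_res, "act": {"sub": "orchestrator", "act": {"sub": "mallory"}}}
    return {
        "chain": act_chain(to_res),
        "ok": verify_delegation(to_res, "whoami", **POLICY),
        "bypass": verify_delegation(direct, "whoami", **POLICY),
        "replay": verify_delegation(to_orch, "whoami", **POLICY),  # wrong-audience token
        "forged": verify_delegation(forged, "whoami", **POLICY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audience check is what makes the hop-1 token useless at the resource, and the per-hop delegation pairs are what make an invented prior actor fail even when the current actor is legitimate; a middleware that validates only the signature and the outermost `act` would accept both.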

dasiths added 17 commits May 25, 2026 13:37
- Re-validated all 11 gaps against spec and SDK (2026-05-25)
- Added spec-level observations from deep read (research §8)
- Added implementation decisions and act claim enforcement to Phase 1
- Expanded audience resolution logic in Phase 2
- Added routing table for call chaining in Phase 5
- GuidedTour: jkt-jwt signing mode, Prefer header, optional ECDSA
- AgentConsole: jkt-jwt mode, prefer-wait, upstream-token flags
- SampleApp: mini resource server + 3 new Blazor pages for server-side demos
- Docs: 6 new files, 14 existing files updated across all gaps
- Updated PendingStore and Program to accept IAAuthKey instead of AAuthKey.
- Modified DefaultSignatureKeyResolver to utilize MetadataClient for jkt-jwt verification.
- Enhanced JwksClient to resolve keys as IAAuthKey.
- Introduced KeyFactory for creating IAAuthKey instances from JWKs.
- Updated TokenVerifier and AuthTokenBuilder to work with IAAuthKey.
- Added comprehensive tests for jkt-jwt and ECDSA key handling.
…er verification

- Refactored ActivityDiagnosticsTests to use AAuthVerificationOptions.
- Added AAuthVerificationMiddleware to handle HTTP signature verification and JWT issuer verification in a single pass.
- Created AAuthVerificationOptions for middleware configuration, including trusted issuers and resource identifier.
- Developed comprehensive unit tests for AAuthVerificationMiddleware to ensure correct behavior for various scenarios, including valid and invalid tokens, issuer verification, and missing claims.
…r/client code

- Updated Hwk.razor to include client and server code for HWK pseudonymous access.
- Enhanced JwksUri.razor with client and server code for JWKS URI agent identity access.
- Improved Jwt.razor to demonstrate enrollment and token handling for three-party JWT access.
- Refactored Program.cs to remove unnecessary AAuth server-side services and middleware.
- Deleted ResourceEndpoints.cs as its functionality is now integrated into the main application.
- Added orchestrator sample with full implementation for multi-agent call chaining.
- Introduced CallChain.razor to demonstrate multi-hop delegation from Agent A to Orchestrator and WhoAmI.
- Updated appsettings.json files across samples to include orchestrator configuration.
- Enhanced AAuthClientBuilder with clearer documentation for JWT signing modes.
- Improved AAuthVerificationMiddleware to handle audience verification and token validation more robustly.
@dasiths dasiths merged commit bd4de32 into main May 25, 2026
1 check passed
@dasiths dasiths deleted the feature/gap-remediation-round-2 branch May 25, 2026 20:17