v0.2.0: OAuth2, Postgres, telemetry, health, rate limiting, push notifications, CLI #18
Merged
…sh notifications, CLI

Adds new capabilities across packages and hardens existing ones for the v0.2.0 release:
- auth: OAuth2 strategy (client-credentials + auth-code), shared scope extraction, JWKS caching, case-insensitive Bearer parsing
- core: A2A-spec-compliant Agent Card signatures (JWS over RFC 8785 canonicalization, verified via jose) and MutualTLS security scheme; auth-required state transitions
- persistence: PostgresTaskStore; principal-scoped list() across all stores; transactional update() that persists history/artifacts
- observability: pluggable telemetry provider abstraction + logger module
- server: health checks (/healthz, /readyz), in-memory rate limiter, push-notification manager wired into the event bus, Redis SSE coordinator, extended agent card, JSON-RPC sendSubscribe
- cli: project scaffolding command

Review fixes folded in:
- deliver push notifications from the event bus (were registered but never sent)
- accept base64url + Ed25519/ES256 signatures
- RFC 6749 case-insensitive OAuth2 token_type
- correct tasks/list totalSize via store-level principal filtering
- gate X-Forwarded-For trust behind trustProxyHeaders (default off)
- Retry-After body/header both in seconds

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…tor)

Replaces the repo's custom `scheme`-discriminated security schemes with the A2A spec's OpenAPI-style `type` discriminator (§4.5), matching the official SDK type definitions:
- discriminator `scheme` → `type` (apiKey | http | oauth2 | openIdConnect | mutualTLS), now a zod discriminatedUnion for precise errors
- HTTP: `httpScheme: 'bearer'` → spec `scheme: string` (any RFC 7235 scheme)
- OAuth2: fully modeled `flows` (authorizationCode/clientCredentials/implicit/password) with tokenUrl/authorizationUrl/refreshUrl/scopes, plus `oauth2MetadataUrl`; dropped the ad-hoc top-level endpoint/scope fields
- OpenIdConnect: dropped non-spec top-level `scopes`
- MutualTLS: `type: 'mutualTLS'` to match siblings

Exports the new OAuth flow schemas/types; adds SecuritySchemeSchema coverage.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- core README: signature verification example now passes a key and describes the JWS/RFC 8785 model and supported algorithms (was a no-key call that would now fail)
- server README: document the new trustProxyHeaders option
- deployment guide: note Retry-After is in seconds and document trustProxyHeaders with the X-Forwarded-For spoofing caveat

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Prepares the v0.2.0 release: new capabilities across packages, hardening of existing ones, and A2A-spec alignment. Includes the fixes from a full working-tree code review.
New capabilities
- auth: OAuth2Strategy (client-credentials + authorization-code, refresh), shared scope extraction, JWKS caching, case-insensitive Bearer parsing.
- core: A2A-spec-compliant Agent Card signatures (JWS over RFC 8785 canonicalization, verified via jose) and MutualTLS scheme; auth-required state transitions.
- persistence: PostgresTaskStore; principal-scoped list() across all stores; transactional update() that persists history/artifacts.
- server: health checks (/healthz, /readyz), in-memory rate limiter, push-notification manager wired into the event bus, Redis SSE coordinator, extended agent card, JSON-RPC sendSubscribe.
Code-review fixes folded in
- Signature verification accepts base64url + Ed25519/ES256 signatures (via jose).
- token_type comparison is case-insensitive (RFC 6749 §7.1).
- tasks/list totalSize is correct via store-level principal filtering.
- X-Forwarded-For trust is gated behind trustProxyHeaders (default off) — closes a rate-limit spoofing vector.
- Retry-After header and retryAfter body field are both in seconds.
Spec alignment (⚠️ breaking)
- Agent Card signatures: A2A-spec-compliant JWS over RFC 8785 canonicalization (protected/signature/header).
- Security schemes: moved from the custom scheme discriminator to the spec's OpenAPI-style type discriminator (apiKey|http|oauth2|openIdConnect|mutualTLS), with fully modeled OAuth flows. Cards using the old scheme/httpScheme shape will no longer validate.
Verification
- pnpm typecheck ✅
- pnpm test ✅ (23 packages)
- pnpm lint ✅
Notes
- jose added to @reaatech/a2a-reference-core (WebCrypto-based, edge-compatible).

🤖 Generated with Claude Code
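The "JWS over RFC 8785 canonicalization" model that the core package adopts, as an added illustration that is not the project's code: the card is canonicalized (JCS: sorted keys, JSON.stringify number and string rules), used as a detached JWS payload, and signed with Ed25519 via Node's `crypto` rather than `jose`. The `AgentCardSignature` shape (protected header plus signature, both base64url), the `kid` header field and the helper names are assumptions for the example; only the canonicalization and RFC 7515 signing-input construction are standard.

```typescript
import { generateKeyPairSync, sign, verify } from 'node:crypto';
import type { KeyObject } from 'node:crypto';

// Assumed signature shape for this example: a protected JWS header and the
// signature, both base64url, over a detached payload (the canonical card).
export interface AgentCardSignature {
  protected: string;
  signature: string;
}

// RFC 8785 (JCS) canonical form. JSON.stringify already produces the number and
// string serialization JCS requires; what remains is recursing with object keys
// sorted by UTF-16 code units, which Array#sort's default comparison does.
export function canonicalize(value: unknown): string {
  if (value === undefined) return 'null'; // JSON has no undefined; arrays map it to null
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  const obj = value as Record<string, unknown>;
  const keys = Object.keys(obj).filter((k) => obj[k] !== undefined).sort();
  return '{' + keys.map((k) => JSON.stringify(k) + ':' + canonicalize(obj[k])).join(',') + '}';
}

const b64url = (data: string | Buffer): string => Buffer.from(data).toString('base64url');

// RFC 7515 signing input: BASE64URL(protected) '.' BASE64URL(payload). Because
// the payload is the canonical card, key order in the served JSON is irrelevant.
function signingInput(card: Record<string, unknown>, protectedHeader: string): Buffer {
  return Buffer.from(`${protectedHeader}.${b64url(canonicalize(card))}`);
}

export function signAgentCard(
  card: Record<string, unknown>,
  privateKey: KeyObject,
  kid: string,
): AgentCardSignature {
  const protectedHeader = b64url(JSON.stringify({ alg: 'EdDSA', kid }));
  // Ed25519 is a pure signature scheme: Node's crypto.sign takes a null digest.
  const sig = sign(null, signingInput(card, protectedHeader), privateKey);
  return { protected: protectedHeader, signature: sig.toString('base64url') };
}

export function verifyAgentCard(
  card: Record<string, unknown>,
  sig: AgentCardSignature,
  publicKey: KeyObject,
): boolean {
  try {
    const header = JSON.parse(Buffer.from(sig.protected, 'base64url').toString('utf8'));
    // Pin the algorithm to the key type we hold; never let `alg` in the header
    // choose the verification routine.
    if (header.alg !== 'EdDSA') return false;
    return verify(null, signingInput(card, sig.protected), publicKey, Buffer.from(sig.signature, 'base64url'));
  } catch {
    // Malformed base64url/JSON or a wrong-length signature is a failed verification, not a crash.
    return false;
  }
}

// Fresh Ed25519 key pair for demonstration; a deployment would load the key from its KMS.
export function generateSigningKeys(): { publicKey: KeyObject; privateKey: KeyObject } {
  return generateKeyPairSync('ed25519');
}
```

The verifier pins `alg` instead of trusting the header, which is the standard guard against algorithm-confusion; the same structure applies to ES256 with a P-256 key and a `'sha256'` digest in place of `null`.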
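The rate-limiter hardening items above (X-Forwarded-For honoured only behind `trustProxyHeaders`, default off; `Retry-After` header and `retryAfter` body field both in seconds) as an added example, not the server package's own implementation. The request shape, option names other than `trustProxyHeaders`, the fixed-window algorithm and the single-trusted-proxy assumption are all choices made for this example.

```typescript
// Added example (not the PR's code): fixed-window in-memory rate limiter whose
// client key is derived with X-Forwarded-For gated behind trustProxyHeaders.

export interface RateLimitOptions {
  limit: number;                // requests allowed per window
  windowMs: number;             // window length in milliseconds
  trustProxyHeaders?: boolean;  // default false, as in the PR
}

export interface RateLimitResult {
  allowed: boolean;
  remaining: number;
  retryAfterSeconds: number;    // 0 when allowed
  headers: Record<string, string>;
  body?: { error: string; retryAfter: number };
}

// Minimal request view for the example; header names are assumed lower-cased,
// as Node's IncomingMessage already does.
export interface RequestLike {
  socketAddress: string;
  headers: Record<string, string | undefined>;
}

export function clientKey(req: RequestLike, trustProxyHeaders: boolean): string {
  // Default off: a client controls its own X-Forwarded-For, so honouring it
  // would let one socket rotate through an unlimited number of rate-limit keys.
  if (!trustProxyHeaders) return req.socketAddress;
  const xff = req.headers['x-forwarded-for'];
  if (!xff) return req.socketAddress;
  // Assumes exactly one trusted proxy in front of this server: it appends the
  // address it saw, so only the last entry is trustworthy; earlier entries may
  // have been supplied by the client.
  const entries = xff.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
  const last = entries[entries.length - 1];
  return last ?? req.socketAddress;
}

export class InMemoryRateLimiter {
  private readonly buckets = new Map<string, { count: number; windowStart: number }>();
  private readonly opts: Required<RateLimitOptions>;

  constructor(opts: RateLimitOptions) {
    this.opts = {
      limit: opts.limit,
      windowMs: opts.windowMs,
      trustProxyHeaders: opts.trustProxyHeaders ?? false,
    };
  }

  // `now` is injectable so the window roll-over can be tested deterministically.
  check(req: RequestLike, now: number = Date.now()): RateLimitResult {
    const key = clientKey(req, this.opts.trustProxyHeaders);
    let bucket = this.buckets.get(key);
    if (!bucket || now - bucket.windowStart >= this.opts.windowMs) {
      bucket = { count: 0, windowStart: now };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;

    if (bucket.count <= this.opts.limit) {
      const remaining = this.opts.limit - bucket.count;
      return {
        allowed: true,
        remaining,
        retryAfterSeconds: 0,
        headers: { 'X-RateLimit-Remaining': String(remaining) },
      };
    }

    // Time until the window rolls over, rounded up to whole seconds so the
    // header (RFC 9110 delta-seconds) and the JSON body carry the same number.
    const msLeft = this.opts.windowMs - (now - bucket.windowStart);
    const retryAfterSeconds = Math.max(1, Math.ceil(msLeft / 1000));
    return {
      allowed: false,
      remaining: 0,
      retryAfterSeconds,
      headers: { 'Retry-After': String(retryAfterSeconds), 'X-RateLimit-Remaining': '0' },
      body: { error: 'rate_limited', retryAfter: retryAfterSeconds },
    };
  }
}
```

With `trustProxyHeaders` left at its default, two requests from the same socket carrying different X-Forwarded-For values share one bucket; switching it on is only safe when the deployment guarantees a proxy that overwrites or appends to the header on every request.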