feat: allow read-only shares to read A2A tasks#2191
Draft
QuentinBisson wants to merge 1 commit into
Draft
Conversation
Read-only share tokens were blocked from every A2A method because the share middleware rejects all non-GET requests on the A2A path, and A2A is JSON-RPC over POST. That left ListTasks and GetTask unreachable for a read-only share, which is the default share mode. Move read-only enforcement for A2A off the transport verb and into the request handler: reads (ListTasks, GetTask, push-config gets, SubscribeToTask) pass through, and mutating methods (SendMessage, SendStreamingMessage, CancelTask, CreateTaskPushConfig, DeleteTaskPushConfig) are rejected via requireWritableShare. The session REST path keeps its verb-based read-only block. Read-only writes over A2A now return a JSON-RPC error instead of HTTP 403. Signed-off-by: QuentinBisson <quentin@giantswarm.io>
Contributor
|
@onematchfox would love your thoughts as well |
Contributor
I'm on PTO at the moment so haven't looked at the code/implementation itself but the general ask/fix makes sense to me. My original implementation focussed on the controller API endpoints used to read state from the Kagent DB rather than the semantics of similar functionality that could be achieved directly via A2A methods. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Read-only share tokens can now read tasks over A2A (
ListTasks,GetTask). They were blocked from every A2A method becauseshareTokenMiddlewarerejects all non-GET requests on the A2A path, and A2A is JSON-RPC over POST. Read-only is the default share mode (session_shares.godefaultsread_onlytotrue), so the share-scoped task read path added in #2187 was unreachable for the common case.How
Read-only enforcement for A2A moves from the transport verb to the request handler:
ListTasks,GetTask, push-config get/list,SubscribeToTask.requireWritableShare:SendMessage,SendStreamingMessage,CancelTask,CreateTaskPushConfig,DeleteTaskPushConfig.The middleware no longer blanket-blocks non-GET A2A requests for read-only shares, so the per-method guards are what stop a read-only share from mutating a session. Guarding at the handler covers both wires (v0 and v1 route the same methods to it).
Behavior change
A read-only share attempting a mutating A2A method now returns a JSON-RPC error result instead of an HTTP 403.
Follows #2187 (store-backed
ListTasks); branched frommain, no code dependency on it.