feat: AgentCardSignature#448
Conversation
🧪 Code Coverage
Generated by coverage-comment.yml |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces Agent Card signature support using JWS and JCS canonicalization, adding the jose library as a dependency. Key changes include new signature generation and verification utilities, updates to the client and server request handlers to support signed cards, and comprehensive tests. Feedback focuses on avoiding object mutation in the signer, improving the type safety of object cloning by using destructuring instead of JSON serialization, and refining the canonicalization logic to preserve array semantics and handle Date objects correctly.
…bgralewicz/agent_card_signature
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
There was a problem hiding this comment.
Code Review
This pull request introduces Agent Card signature support using JWS and JCS canonicalization, integrating signing and verification utilities into both the client and server request handlers. Feedback focuses on ensuring the canonicalization logic correctly handles empty array elements and Date objects, avoiding the use of console logging in library code, and reconsidering the minimum Node.js version bump to maintain compatibility.
…ase non-schema fields are present in the object.
🤖 I have created a release *beep* *boop* --- ## 1.0.0-alpha.0 (2026-05-11) See the [v0.3 -> v1.0-alpha.0 migration guide](https://github.com/a2aproject/a2a-js/blob/v1.0.0-alpha.0/docs/migration-guide.md). **Note**: Enabling backward compatibility with v0.3 is tracked in [#452](#452). ### ⚠ BREAKING CHANGES * Drop support for node 18 ([#368](#368)) * Make ServerCallContext parameter mandatory across all places ([#405](#405)) * Remove JSON-RPC client ([#353](#353)) * Remove transport-specific exports ([#404](#404)) * Update codebase to use A2A 1.0.0 data model ([#375](#375)) * Remove A2AExpressApp ([#363](#363)) ### Features * Add A2A Version Header ([#422](#422)) ([b5f3db7](b5f3db7)) * Add cache-headers logic to the agent card handler ([#435](#435)) ([955b52b](955b52b)) * Add resource scoping ([#450](#450)) ([c527086](c527086)) * Add support for custom authentication scheme and credentials in auth-headers ([#430](#430)) ([5a4389b](5a4389b)) * AgentCardSignature support ([#448](#448)) ([4a41a8c](4a41a8c)) * Enforce events ordering ([#437](#437)) ([157cf48](157cf48)) * Enriched Error Model ([#427](#427)) ([c130778](c130778)) * Implement listTasks method ([#383](#383)) ([7d4c472](7d4c472)) * Send current task as the first event after subscribing to it ([#418](#418)) ([4bfcf5f](4bfcf5f)) * Support multi-tenancy ([#419](#419)) ([1877877](1877877)) ### Code Refactoring * remove A2AExpressApp ([#363](#363)) ([0b84728](0b84728)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: bartek-gralewicz <bgralewicz@google.com> Co-authored-by: Ivan Shymko <ishymko@google.com>
2 participants
Description
Implementing the feature of
AgentCardSignature. The PR is based on #290.Important note
Most changes are ported 1-1. The main difference between the implementation here and the one on the #290 is that in the initial PR, the
agentCardhad rootsignaturesincremented. This resulted in constantly growingagentCardobject.In the #290 there were also unit tests to confirm that behavior but it seems like an undesired outcome. In this PR, using
generateAgentCardSignaturewill return a newagentCardwith incremented signatures instead of incrementing the original object.Fixes #289 🦕