@vallum/standards 0.0.0-prerelease → 0.0.1-prerelease.0

package/dist/a2aHttp.d.ts

@@ -1,14 +1,25 @@
 import { type A2AAgentCardWellKnownOptions } from "@vallum/registry";
 import type { AgentActionPolicy } from "@vallum/policy-gateway";
 import { type A2APushNotificationTransport, type A2ATaskPushNotificationConfig, type LocalA2APushNotificationStore } from "./a2aPush.js";
-import { type A2ATask, type A2AProcessMessageContext, type A2AProcessMessageResult, type LocalA2ATaskStore } from "./a2aTask.js";
+import { type A2ATask, type A2AMessage, type A2AProcessMessageContext, type A2AProcessMessageResult, type LocalA2ATaskStore } from "./a2aTask.js";
+export type A2AHttpStandardsBodyMode = "vallum" | "a2a";
+export type A2AHttpA2ATaskBody = Omit<A2ATask, "agenticVallum">;
 export interface A2AHttpRequest {
     readonly method?: string;
     readonly path?: string;
     readonly headers?: Record<string, string | undefined>;
     readonly body?: unknown;
 }
-export type A2AHttpResponseBody = {
+export type A2AHttpResponseBody = A2AHttpA2ATaskBody | {
+    readonly message: A2AMessage;
+} | {
+    readonly task: A2AHttpA2ATaskBody;
+} | {
+    readonly tasks: readonly A2AHttpA2ATaskBody[];
+    readonly nextPageToken?: string;
+    readonly pageSize?: number;
+    readonly totalSize?: number;
+} | {
     readonly kind: "agent-card";
     readonly [key: string]: unknown;
 } | {
@@ -32,8 +43,16 @@ export type A2AHttpResponseBody = {
     readonly deleted: boolean;
 } | {
     readonly error: {
-        readonly code: A2AHttpErrorCode | string;
+        readonly code: number;
+        readonly status: string;
         readonly message: string;
+        readonly details: readonly {
+            readonly "@type": "type.googleapis.com/google.rpc.ErrorInfo";
+            readonly reason: string;
+            readonly domain: "a2a-protocol.org";
+            readonly metadata?: Record<string, string>;
+        }[];
+        readonly reason: A2AHttpErrorCode | string;
     };
 };
 export interface A2AHttpResponse {
@@ -54,10 +73,13 @@ export interface LocalA2AHttpHandlerOptions {
     readonly pushNotificationStore?: LocalA2APushNotificationStore;
     readonly pushNotificationTransport?: A2APushNotificationTransport;
     readonly now?: () => Date;
+    readonly standardsBodyMode?: A2AHttpStandardsBodyMode;
+    readonly allowUnmanifestedTasks?: boolean;
     readonly processMessage?: (context: A2AProcessMessageContext) => Promise<A2AProcessMessageResult> | A2AProcessMessageResult;
 }
 export declare const A2A_HTTP_SEND_MESSAGE_PATH: "/message:send";
 export declare const A2A_HTTP_STREAM_MESSAGE_PATH: "/message:stream";
 export declare const A2A_HTTP_EXTENDED_AGENT_CARD_PATH: "/extendedAgentCard";
 export declare const A2A_HTTP_TASKS_PATH: "/tasks";
+export declare const A2A_HTTP_SUBSCRIBE_TASK_SUFFIX: ":subscribe";
 export declare function handleLocalA2AHttpRequest(request: A2AHttpRequest, options: LocalA2AHttpHandlerOptions): Promise<A2AHttpResponse>;

package/dist/a2aHttp.js

@@ -5,6 +5,7 @@ export const A2A_HTTP_SEND_MESSAGE_PATH = "/message:send";
 export const A2A_HTTP_STREAM_MESSAGE_PATH = "/message:stream";
 export const A2A_HTTP_EXTENDED_AGENT_CARD_PATH = "/extendedAgentCard";
 export const A2A_HTTP_TASKS_PATH = "/tasks";
+export const A2A_HTTP_SUBSCRIBE_TASK_SUFFIX = ":subscribe";
 export async function handleLocalA2AHttpRequest(request, options) {
     const method = normalizeMethod(request.method);
     const url = parsePath(request.path);
@@ -39,32 +40,41 @@ export async function handleLocalA2AHttpRequest(request, options) {
         if (url.pathname === A2A_HTTP_TASKS_PATH) {
             if (method !== "GET")
                 return methodNotAllowed(["GET"]);
-            return ok({
-                kind: "task-list",
-                ...listA2ATasks({
-                    store: options.store,
-                    contextId: optionalQuery(url, "contextId"),
-                    state: optionalQuery(url, "state"),
-                    includeArtifacts: booleanQuery(url, "includeArtifacts"),
-                    historyLength: numberQuery(url, "historyLength"),
-                    pageSize: numberQuery(url, "pageSize"),
-                }),
-            });
+            const pageSize = numberQuery(url, "pageSize");
+            return taskListResponse(listA2ATasks({
+                store: options.store,
+                contextId: optionalQuery(url, "contextId"),
+                state: optionalQuery(url, "state"),
+                includeArtifacts: booleanQuery(url, "includeArtifacts"),
+                historyLength: numberQuery(url, "historyLength"),
+                pageSize,
+            }), options, pageSize);
         }
         const taskRoute = matchTaskRoute(url.pathname);
         if (taskRoute) {
             if (taskRoute.action === "get") {
                 if (method !== "GET")
                     return methodNotAllowed(["GET"]);
-                return ok({
-                    kind: "task",
-                    ...getA2ATask({
-                        store: options.store,
-                        id: taskRoute.taskId,
-                        includeArtifacts: booleanQuery(url, "includeArtifacts"),
-                        historyLength: numberQuery(url, "historyLength"),
-                    }),
+                return taskResponse(getA2ATask({
+                    store: options.store,
+                    id: taskRoute.taskId,
+                    includeArtifacts: booleanQuery(url, "includeArtifacts"),
+                    historyLength: numberQuery(url, "historyLength"),
+                }), options);
+            }
+            if (taskRoute.action === "subscribe") {
+                if (method !== "GET" && method !== "POST")
+                    return methodNotAllowed(["GET", "POST"]);
+                const result = getA2ATask({
+                    store: options.store,
+                    id: taskRoute.taskId,
+                    includeArtifacts: booleanQuery(url, "includeArtifacts"),
+                    historyLength: numberQuery(url, "historyLength"),
                 });
+                if (options.standardsBodyMode === "a2a" && isTerminalTaskState(result.task.status.state)) {
+                    throw new A2ATaskError("A2A_TASK_TERMINAL", "Terminal A2A tasks cannot be subscribed.", 409);
+                }
+                return taskResponse(result, options);
             }
             if (method !== "POST")
                 return methodNotAllowed(["POST"]);
@@ -75,10 +85,7 @@ export async function handleLocalA2AHttpRequest(request, options) {
                 includeArtifacts: booleanQuery(url, "includeArtifacts"),
             });
             await maybeDeliverPushNotifications(result.task, options);
-            return ok({
-                kind: "task",
-                ...result,
-            });
+            return taskResponse(result, options);
         }
         return errorResponse(404, "A2A_ROUTE_NOT_FOUND", "A2A route was not found.");
     }
@@ -137,13 +144,19 @@ function handleExtendedAgentCardRequest(options) {
     });
 }
 async function handleSendMessage(request, options) {
-    if (!options.taskPolicy) {
-        return errorResponse(503, "A2A_POLICY_NOT_CONFIGURED", "A2A task endpoint policy is not configured.");
+    const contentType = header(request.headers, "content-type");
+    if (contentType !== undefined && !isSupportedRequestContentType(contentType)) {
+        return errorResponse(415, "A2A_CONTENT_TYPE_NOT_SUPPORTED", "A2A request content type is not supported.");
     }
     const body = parseBody(request.body);
     if (!isSendMessageBody(body)) {
         return errorResponse(400, "A2A_BODY_INVALID", "A2A request body is invalid.");
     }
+    const isNewTask = body.message.taskId === undefined;
+    const canCreateUnmanifestedTask = options.allowUnmanifestedTasks && body.manifest === undefined;
+    if (isNewTask && !options.taskPolicy && !canCreateUnmanifestedTask) {
+        return errorResponse(503, "A2A_POLICY_NOT_CONFIGURED", "A2A task endpoint policy is not configured.");
+    }
     const result = await sendA2AMessage({
         store: options.store,
         protocolVersion: body.protocolVersion ?? A2A_TASK_PROTOCOL_VERSION,
@@ -152,17 +165,16 @@ async function handleSendMessage(request, options) {
         policy: body.message.taskId ? undefined : options.taskPolicy,
         now: options.now?.(),
         contextId: body.contextId,
+        allowUnmanifestedTasks: options.allowUnmanifestedTasks,
+        returnImmediately: body.configuration?.returnImmediately,
         processMessage: options.processMessage,
     });
     await maybeDeliverPushNotifications(result.task, options);
-    return ok({
-        kind: "task",
-        ...result,
-    });
+    return sendMessageResponse(result, options);
 }
 function handlePushNotificationRoute(method, url, request, options, route) {
     if (!options.pushNotificationStore) {
-        return errorResponse(501, "A2A_OPERATION_UNSUPPORTED", "A2A push notification configuration is not enabled for this local Vallum server.");
+        return errorResponse(options.standardsBodyMode === "a2a" ? 400 : 501, options.standardsBodyMode === "a2a" ? "A2A_PUSH_NOTIFICATION_NOT_SUPPORTED" : "A2A_OPERATION_UNSUPPORTED", "A2A push notification configuration is not enabled for this local Vallum server.");
     }
     getA2ATask({ store: options.store, id: route.taskId });
     if (!route.configId) {
@@ -211,6 +223,14 @@ function handlePushNotificationRoute(method, url, request, options, route) {
     }
     return methodNotAllowed(["DELETE", "GET"]);
 }
+function isTerminalTaskState(state) {
+    return [
+        "TASK_STATE_COMPLETED",
+        "TASK_STATE_CANCELED",
+        "TASK_STATE_FAILED",
+        "TASK_STATE_REJECTED",
+    ].includes(state);
+}
 async function maybeDeliverPushNotifications(task, options) {
     if (!options.pushNotificationStore || !options.pushNotificationTransport)
         return;
@@ -237,19 +257,73 @@ function validateProtocolVersion(request) {
     }
     return undefined;
 }
-function ok(body) {
+function ok(body, contentType = A2A_TASK_MEDIA_TYPE) {
     return {
         status: 200,
         headers: {
-            "content-type": `${A2A_TASK_MEDIA_TYPE}; charset=utf-8`,
+            "content-type": `${contentType}; charset=utf-8`,
             "cache-control": "no-store",
         },
         body,
         json: `${JSON.stringify(body)}\n`,
     };
 }
+function sendMessageResponse(result, options) {
+    if (options.standardsBodyMode === "a2a") {
+        if (result.message) {
+            return ok({ message: result.message }, "application/json");
+        }
+        return ok({ task: a2aTaskBody(result.task) }, "application/json");
+    }
+    return ok({
+        kind: "task",
+        ...result,
+    });
+}
+function taskResponse(result, options) {
+    if (options.standardsBodyMode === "a2a") {
+        return ok(a2aTaskBody(result.task), "application/json");
+    }
+    return ok({
+        kind: "task",
+        ...result,
+    });
+}
+function taskListResponse(result, options, pageSize) {
+    if (options.standardsBodyMode === "a2a") {
+        return ok({
+            tasks: result.tasks.map(a2aTaskBody),
+            nextPageToken: "",
+            pageSize: pageSize ?? result.tasks.length,
+            totalSize: result.tasks.length,
+        }, "application/json");
+    }
+    return ok({
+        kind: "task-list",
+        ...result,
+    });
+}
+function a2aTaskBody(task) {
+    const { agenticVallum: _agenticVallum, ...rest } = task;
+    return rest;
+}
 function errorResponse(status, code, message, headers = {}) {
-    const body = { error: { code, message } };
+    const body = {
+        error: {
+            code: status,
+            status: httpStatusName(status),
+            message,
+            details: [{
+                    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
+                    reason: a2aErrorInfoReason(code),
+                    domain: "a2a-protocol.org",
+                    metadata: {
+                        vallumCode: code,
+                    },
+                }],
+            reason: code,
+        },
+    };
     return {
         status,
         headers: {
@@ -264,6 +338,51 @@ function errorResponse(status, code, message, headers = {}) {
 function methodNotAllowed(allowed) {
     return errorResponse(405, "A2A_METHOD_NOT_ALLOWED", "A2A route does not support this method.", { allow: allowed.join(", ") });
 }
+function httpStatusName(status) {
+    switch (status) {
+        case 400:
+            return "INVALID_ARGUMENT";
+        case 401:
+            return "UNAUTHENTICATED";
+        case 404:
+            return "NOT_FOUND";
+        case 405:
+            return "METHOD_NOT_ALLOWED";
+        case 409:
+            return "FAILED_PRECONDITION";
+        case 410:
+            return "ABORTED";
+        case 415:
+            return "INVALID_ARGUMENT";
+        case 501:
+            return "UNIMPLEMENTED";
+        case 503:
+            return "UNAVAILABLE";
+        case 200:
+            return "OK";
+    }
+}
+function a2aErrorInfoReason(code) {
+    switch (code) {
+        case "A2A_TASK_NOT_FOUND":
+            return "TASK_NOT_FOUND";
+        case "A2A_TASK_NOT_CANCELABLE":
+            return "TASK_NOT_CANCELABLE";
+        case "A2A_PUSH_NOT_ENABLED":
+        case "A2A_OPERATION_UNSUPPORTED":
+            return "UNSUPPORTED_OPERATION";
+        case "A2A_PUSH_NOTIFICATION_NOT_SUPPORTED":
+            return "PUSH_NOTIFICATION_NOT_SUPPORTED";
+        case "A2A_EXTENDED_AGENT_CARD_NOT_CONFIGURED":
+            return "EXTENDED_AGENT_CARD_NOT_CONFIGURED";
+        case "A2A_VERSION_NOT_SUPPORTED":
+            return "VERSION_NOT_SUPPORTED";
+        case "A2A_CONTENT_TYPE_NOT_SUPPORTED":
+            return "CONTENT_TYPE_NOT_SUPPORTED";
+        default:
+            return "INVALID_REQUEST";
+    }
+}
 function parseBody(body) {
     if (typeof body !== "string")
         return body;
@@ -279,6 +398,10 @@ function isSendMessageBody(value) {
         return false;
     return isRecord(value.message);
 }
+function isSupportedRequestContentType(contentType) {
+    const mediaType = contentType.split(";")[0]?.trim().toLowerCase();
+    return mediaType === "application/json" || mediaType === A2A_TASK_MEDIA_TYPE;
+}
 function matchTaskRoute(pathname) {
     const parts = pathname.split("/").filter(Boolean);
     if (parts.length !== 2 || parts[0] !== "tasks")
@@ -287,6 +410,12 @@ function matchTaskRoute(pathname) {
     if (taskPart.endsWith(":cancel")) {
         return { taskId: decodeURIComponent(taskPart.slice(0, -":cancel".length)), action: "cancel" };
     }
+    if (taskPart.endsWith(A2A_HTTP_SUBSCRIBE_TASK_SUFFIX)) {
+        return {
+            taskId: decodeURIComponent(taskPart.slice(0, -A2A_HTTP_SUBSCRIBE_TASK_SUFFIX.length)),
+            action: "subscribe",
+        };
+    }
     return { taskId: decodeURIComponent(taskPart), action: "get" };
 }
 function matchPushNotificationRoute(pathname) {

package/dist/a2aNodeServer.js

@@ -1,6 +1,6 @@
 import { createServer } from "node:http";
 import { A2A_JWKS_WELL_KNOWN_PATH, handleA2APublicJwksRequest, } from "@vallum/registry";
-import { A2A_HTTP_SEND_MESSAGE_PATH, A2A_HTTP_STREAM_MESSAGE_PATH, handleLocalA2AHttpRequest, } from "./a2aHttp.js";
+import { A2A_HTTP_SEND_MESSAGE_PATH, A2A_HTTP_SUBSCRIBE_TASK_SUFFIX, A2A_HTTP_STREAM_MESSAGE_PATH, handleLocalA2AHttpRequest, } from "./a2aHttp.js";
 const DEFAULT_HOST = "127.0.0.1";
 const DEFAULT_MAX_BODY_BYTES = 64_000;
 export async function startLocalA2ANodeServer(options) {
@@ -8,6 +8,7 @@ export async function startLocalA2ANodeServer(options) {
     if (!options.allowNonLoopbackHost && !isLoopbackHost(host)) {
         throw new Error("A2A local Node server refuses non-loopback hosts without explicit opt-in.");
     }
+    const subscribers = new Map();
     const server = createServer(async (request, response) => {
         try {
             const body = await readBody(request, options.maxBodyBytes ?? DEFAULT_MAX_BODY_BYTES);
@@ -30,7 +31,27 @@ export async function startLocalA2ANodeServer(options) {
                     writeHandledResponse(response, handled.status, handled.headers, handled.json);
                     return;
                 }
-                writeServerSentEvents(response, [{ event: "task", data: handled.body }]);
+                notifySubscribers(subscribers, handled.body, options);
+                writeServerSentEvents(response, [{ event: "task", data: streamResponseBody(handled.body, options) }]);
+                return;
+            }
+            if (isSubscribeTaskPath(requestPathname(request.url))) {
+                const handled = await handleLocalA2AHttpRequest({
+                    method: request.method,
+                    path: request.url,
+                    headers: normalizeHeaders(request.headers),
+                    body,
+                }, options);
+                if (handled.status !== 200) {
+                    writeHandledResponse(response, handled.status, handled.headers, handled.json);
+                    return;
+                }
+                const task = a2aTaskFromResponseBody(handled.body);
+                if (!task) {
+                    writeServerSentEvents(response, [{ event: "task", data: streamResponseBody(handled.body, options) }]);
+                    return;
+                }
+                writeSubscribeResponse(response, task, subscribers, options);
                 return;
             }
             const handled = await handleLocalA2AHttpRequest({
@@ -39,6 +60,9 @@ export async function startLocalA2ANodeServer(options) {
                 headers: normalizeHeaders(request.headers),
                 body,
             }, options);
+            if (handled.status === 200) {
+                notifySubscribers(subscribers, handled.body, options);
+            }
             writeHandledResponse(response, handled.status, handled.headers, handled.json);
         }
         catch (error) {
@@ -68,7 +92,10 @@ export async function startLocalA2ANodeServer(options) {
         host: address.address,
         port: address.port,
         boundToLoopback: isLoopbackHost(address.address),
-        close: () => closeServer(server),
+        close: async () => {
+            closeSubscribers(subscribers);
+            await closeServer(server);
+        },
     };
 }
 function listen(server, host, port) {
@@ -99,11 +126,99 @@ function writeServerSentEvents(response, events) {
     response.setHeader("connection", "keep-alive");
     response.setHeader("x-accel-buffering", "no");
     for (const event of events) {
-        response.write(`event: ${event.event}\n`);
-        response.write(`data: ${JSON.stringify(event.data)}\n\n`);
+        writeServerSentEvent(response, event);
     }
     response.end();
 }
+function writeSubscribeResponse(response, task, subscribers, options) {
+    response.statusCode = 200;
+    response.setHeader("content-type", "text/event-stream; charset=utf-8");
+    response.setHeader("cache-control", "no-store");
+    response.setHeader("connection", "keep-alive");
+    response.setHeader("x-accel-buffering", "no");
+    writeServerSentEvent(response, { event: "task", data: streamResponseBody(task, options) });
+    if (isTerminalTaskState(task.status.state)) {
+        response.end();
+        return;
+    }
+    const taskSubscribers = subscribers.get(task.id) ?? new Set();
+    taskSubscribers.add(response);
+    subscribers.set(task.id, taskSubscribers);
+    response.once("close", () => {
+        taskSubscribers.delete(response);
+        if (taskSubscribers.size === 0)
+            subscribers.delete(task.id);
+    });
+}
+function notifySubscribers(subscribers, body, options) {
+    const task = a2aTaskFromResponseBody(body);
+    if (!task)
+        return;
+    const taskSubscribers = subscribers.get(task.id);
+    if (!taskSubscribers || taskSubscribers.size === 0)
+        return;
+    for (const subscriber of [...taskSubscribers]) {
+        if (subscriber.destroyed || subscriber.writableEnded) {
+            taskSubscribers.delete(subscriber);
+            continue;
+        }
+        writeServerSentEvent(subscriber, { event: "task", data: streamResponseBody(task, options) });
+        if (isTerminalTaskState(task.status.state)) {
+            taskSubscribers.delete(subscriber);
+            subscriber.end();
+        }
+    }
+    if (taskSubscribers.size === 0)
+        subscribers.delete(task.id);
+}
+function closeSubscribers(subscribers) {
+    for (const taskSubscribers of subscribers.values()) {
+        for (const subscriber of taskSubscribers) {
+            if (!subscriber.destroyed && !subscriber.writableEnded)
+                subscriber.end();
+        }
+    }
+    subscribers.clear();
+}
+function writeServerSentEvent(response, event) {
+    response.write(`event: ${event.event}\n`);
+    response.write(`data: ${JSON.stringify(event.data)}\n\n`);
+}
+function streamResponseBody(body, options) {
+    if (options.standardsBodyMode !== "a2a")
+        return body;
+    const task = a2aTaskFromResponseBody(body);
+    if (!task)
+        return body;
+    return {
+        status_update: {
+            taskId: task.id,
+            contextId: task.contextId,
+            status: task.status,
+        },
+    };
+}
+function a2aTaskFromResponseBody(body) {
+    if (!isRecord(body))
+        return undefined;
+    const record = body;
+    if (typeof record.id === "string" && isRecord(record.status)) {
+        return record;
+    }
+    const task = record.task;
+    if (isRecord(task) && typeof task.id === "string" && isRecord(task.status)) {
+        return task;
+    }
+    return undefined;
+}
+function isTerminalTaskState(state) {
+    return [
+        "TASK_STATE_COMPLETED",
+        "TASK_STATE_CANCELED",
+        "TASK_STATE_FAILED",
+        "TASK_STATE_REJECTED",
+    ].includes(state);
+}
 function normalizeHeaders(headers) {
     const normalized = {};
     for (const [name, value] of Object.entries(headers)) {
@@ -141,6 +256,10 @@ function requestPathname(url = "/") {
         return "/";
     }
 }
+function isSubscribeTaskPath(pathname) {
+    const parts = pathname.split("/").filter(Boolean);
+    return parts.length === 2 && parts[0] === "tasks" && (parts[1] ?? "").endsWith(A2A_HTTP_SUBSCRIBE_TASK_SUFFIX);
+}
 function isAddressInfo(value) {
     return Boolean(value)
         && typeof value === "object"
@@ -148,6 +267,9 @@ function isAddressInfo(value) {
         && "address" in value
         && "port" in value;
 }
+function isRecord(value) {
+    return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
 class BodyTooLargeError extends Error {
     constructor() {
         super("A2A request body is too large.");

package/dist/a2aPush.d.ts

@@ -30,9 +30,12 @@ export interface A2APushNotificationTransportResponse {
     readonly status: number;
 }
 export type A2APushNotificationTransport = (request: A2APushNotificationDeliveryRequest) => A2APushNotificationTransportResponse | Promise<A2APushNotificationTransportResponse>;
+export type A2ACallbackHostResolver = (hostname: string) => readonly string[] | Promise<readonly string[]>;
 export interface A2APushHttpTransportOptions {
     readonly allowedCallbackHosts?: readonly string[];
     readonly fetch?: typeof fetch;
+    readonly requireCallbackHostAllowlist?: boolean;
+    readonly resolveCallbackHost?: A2ACallbackHostResolver;
     readonly timeoutMs?: number;
 }
 export interface A2APushNotificationDeliveryAttempt {

package/dist/a2aPush.js

@@ -327,11 +327,17 @@ export function createA2APushHttpTransport(options = {}) {
     if (typeof fetchImpl !== "function") {
         throw new A2APushNotificationError("A2A_PUSH_CONFIG_INVALID", "A2A push HTTP transport requires fetch support.");
     }
+    if (options.requireCallbackHostAllowlist && (!options.allowedCallbackHosts || options.allowedCallbackHosts.length === 0)) {
+        throw new A2APushNotificationError("A2A_PUSH_CONFIG_INVALID", "A2A production push HTTP transport requires a callback host allowlist.");
+    }
     const timeoutMs = normalizeTimeoutMs(options.timeoutMs);
     return async (request) => {
         const url = safeWebhookUrl(request.url, {
             allowedCallbackHosts: options.allowedCallbackHosts,
         });
+        if (options.resolveCallbackHost) {
+            await assertResolvedWebhookHostSafe(new URL(url).hostname, options.resolveCallbackHost);
+        }
         const controller = new AbortController();
         const timeout = setTimeout(() => controller.abort(), timeoutMs);
         try {
@@ -349,6 +355,18 @@ export function createA2APushHttpTransport(options = {}) {
         }
     };
 }
+async function assertResolvedWebhookHostSafe(hostname, resolver) {
+    let addresses;
+    try {
+        addresses = await resolver(hostname);
+    }
+    catch {
+        throw new A2APushNotificationError("A2A_PUSH_URL_UNSAFE", "A2A push notification URL host could not be resolved safely.");
+    }
+    if (addresses.length === 0 || addresses.some((address) => isUnsafeWebhookHost(address))) {
+        throw new A2APushNotificationError("A2A_PUSH_URL_UNSAFE", "A2A push notification URL host resolves to an unsafe network address.");
+    }
+}
 function parsePushNotificationConfig(taskId, value, options = {}) {
     if (!isRecord(value)) {
         throw new A2APushNotificationError("A2A_PUSH_CONFIG_INVALID", "A2A push notification config must be an object.");
@@ -586,6 +604,9 @@ function isUnsafeWebhookHost(hostname) {
             || first >= 224;
     }
     if (ipVersion === 6) {
+        if (normalized.startsWith("::ffff:")) {
+            return isUnsafeWebhookHost(normalized.slice("::ffff:".length));
+        }
         return normalized === "::"
             || normalized === "::1"
             || normalized.startsWith("fc")

package/dist/a2aTask.d.ts

@@ -7,6 +7,10 @@ export type A2ATaskState = "TASK_STATE_SUBMITTED" | "TASK_STATE_WORKING" | "TASK
 export interface A2APart {
     readonly text?: string;
     readonly data?: Record<string, unknown>;
+    readonly raw?: string;
+    readonly url?: string;
+    readonly filename?: string;
+    readonly mediaType?: string;
     readonly file?: {
         readonly uri?: string;
         readonly bytes?: string;
@@ -54,11 +58,11 @@ export interface A2ATask {
     };
     readonly metadata?: Record<string, unknown>;
 }
-export type A2ATaskErrorCode = "A2A_VERSION_NOT_SUPPORTED" | "A2A_MESSAGE_INVALID" | "A2A_MANIFEST_REQUIRED" | "A2A_POLICY_REQUIRED" | "A2A_MANIFEST_INVALID" | "A2A_TASK_NOT_FOUND" | "A2A_TASK_TERMINAL" | "A2A_CONTEXT_MISMATCH";
+export type A2ATaskErrorCode = "A2A_VERSION_NOT_SUPPORTED" | "A2A_MESSAGE_INVALID" | "A2A_CONTENT_TYPE_NOT_SUPPORTED" | "A2A_MANIFEST_REQUIRED" | "A2A_POLICY_REQUIRED" | "A2A_MANIFEST_INVALID" | "A2A_TASK_NOT_FOUND" | "A2A_TASK_TERMINAL" | "A2A_CONTEXT_MISMATCH";
 export declare class A2ATaskError extends Error {
     readonly code: A2ATaskErrorCode;
-    readonly status: 400 | 404 | 409;
-    constructor(code: A2ATaskErrorCode, message: string, status?: 400 | 404 | 409);
+    readonly status: 400 | 404 | 409 | 415;
+    constructor(code: A2ATaskErrorCode, message: string, status?: 400 | 404 | 409 | 415);
 }
 export interface A2AProcessMessageContext {
     readonly task: A2ATask;
@@ -71,6 +75,7 @@ export interface A2AProcessMessageResult {
     readonly message?: A2AMessage;
     readonly artifacts?: readonly A2AArtifact[];
     readonly metadata?: Record<string, unknown>;
+    readonly responseKind?: "task" | "message";
 }
 export interface SendA2AMessageOptions {
     readonly store: LocalA2ATaskStore;
@@ -80,10 +85,13 @@ export interface SendA2AMessageOptions {
     readonly policy?: AgentActionPolicy;
     readonly now?: Date;
     readonly contextId?: string;
+    readonly allowUnmanifestedTasks?: boolean;
+    readonly returnImmediately?: boolean;
     readonly processMessage?: (context: A2AProcessMessageContext) => Promise<A2AProcessMessageResult> | A2AProcessMessageResult;
 }
 export interface SendA2AMessageResult {
     readonly task: A2ATask;
+    readonly message?: A2AMessage;
     readonly policyDecision?: AgentPolicyDecision;
 }
 export interface GetA2ATaskOptions {

package/dist/a2aTask.js

@@ -78,6 +78,21 @@ export function redactA2ATaskForLog(task) {
 }
 function createTask(options, message, now) {
     if (options.manifest === undefined) {
+        if (options.allowUnmanifestedTasks) {
+            const baseTask = {
+                id: randomId("task"),
+                contextId: message.contextId ?? options.contextId ?? randomId("ctx"),
+                status: {
+                    state: "TASK_STATE_SUBMITTED",
+                    timestamp: timestamp(now),
+                },
+                history: [message],
+            };
+            if (options.returnImmediately) {
+                return { task: options.store.put(baseTask) };
+            }
+            return processAndStoreTask(options, baseTask, message, now);
+        }
         throw new A2ATaskError("A2A_MANIFEST_REQUIRED", "New A2A tasks require an Vallum manifest.");
     }
     if (!options.policy) {
@@ -115,6 +130,9 @@ function createTask(options, message, now) {
     if (!policyDecision.allowed) {
         return { task: options.store.put(baseTask), policyDecision };
     }
+    if (options.returnImmediately) {
+        return { task: options.store.put(baseTask), policyDecision };
+    }
     return processAndStoreTask(options, baseTask, message, now, manifest, policyDecision);
 }
 async function continueTask(options, message, now) {
@@ -151,6 +169,9 @@ async function processAndStoreTask(options, task, message, now, manifest, policy
     assertValidTaskState(outcome.state);
     if (outcome.message)
         assertValidMessage(outcome.message, "$.processMessage.message");
+    if (outcome.responseKind === "message" && !outcome.message) {
+        throw new A2ATaskError("A2A_MESSAGE_INVALID", "A2A message responses require an agent message.");
+    }
     for (const [index, artifact] of (outcome.artifacts ?? []).entries()) {
         assertValidArtifact(artifact, `$.processMessage.artifacts[${index}]`);
     }
@@ -169,7 +190,11 @@ async function processAndStoreTask(options, task, message, now, manifest, policy
         ...(outcome.artifacts ? { artifacts: outcome.artifacts.map(redactA2AArtifact) } : {}),
         ...(outcome.metadata ? { metadata: redactRecord(outcome.metadata) } : {}),
     };
-    return { task: options.store.put(nextTask), policyDecision };
+    return {
+        task: options.store.put(nextTask),
+        ...(outcome.responseKind === "message" && statusMessage ? { message: statusMessage } : {}),
+        policyDecision,
+    };
 }
 function rejectionMessage(policyDecision, now) {
     return {
@@ -233,10 +258,21 @@ function assertValidPart(part, path) {
         typeof part.text === "string" && part.text.trim() !== "",
         isRecord(part.data),
         isRecord(part.file),
+        typeof part.raw === "string" && part.raw.trim() !== "",
+        typeof part.url === "string" && part.url.trim() !== "",
     ].filter(Boolean);
     if (variants.length !== 1) {
         throw new A2ATaskError("A2A_MESSAGE_INVALID", `${path} must contain exactly one text, data, or file part.`);
     }
+    if ((typeof part.raw === "string" || typeof part.url === "string") && !isSupportedFileMediaType(part.mediaType)) {
+        throw new A2ATaskError("A2A_CONTENT_TYPE_NOT_SUPPORTED", "A2A message part media type is not supported.", 415);
+    }
+}
+function isSupportedFileMediaType(mediaType) {
+    return typeof mediaType === "string" && [
+        "text/plain",
+        "application/json",
+    ].includes(mediaType.trim().toLowerCase());
 }
 function taskView(task, options) {
     const history = typeof options.historyLength === "number"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vallum/standards",
-  "version": "0.0.0-prerelease",
+  "version": "0.0.1-prerelease.0",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -12,10 +12,10 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@vallum/manifest": "0.0.0-prerelease",
-    "@vallum/policy-gateway": "0.0.0-prerelease",
-    "@vallum/receipts": "0.0.0-prerelease",
-    "@vallum/registry": "0.0.0-prerelease"
+    "@vallum/manifest": "0.0.1-prerelease.0",
+    "@vallum/policy-gateway": "0.0.1-prerelease.0",
+    "@vallum/receipts": "0.0.1-prerelease.0",
+    "@vallum/registry": "0.0.1-prerelease.0"
   },
   "description": "Standards bridge adapters for Vallum.",
   "files": [