a2acalling 0.6.65 → 0.6.66

package/.a2a-manifest.json

@@ -1,6 +1,6 @@
 {
-  "version": "0.6.65",
-  "installed_at": "2026-02-25T07:27:45.973Z",
+  "version": "0.6.66",
+  "installed_at": "2026-02-25T09:43:06.371Z",
   "files": [
     {
       "path": "CLAUDE.md",

package/bin/cli.js

@@ -1103,17 +1103,18 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
     console.log('Legend: 🌐 public  🔧 friends  ⚡ family');
   },
 
-  'contacts:add': (args) => {
+  'contacts:add': async (args) => {
     const url = args._[2];
     if (!url) {
       console.error('Usage: a2a contacts add <invite_url> [options]');
       console.error('Options:');
-      console.error('  --name, -n     Agent name');
-      console.error('  --owner, -o    Owner name');
-      console.error('  --server-name  Server label (optional)');
-      console.error('  --notes        Notes about this contact');
-      console.error('  --tags         Comma-separated tags');
-      console.error('  --link         Link to token ID you gave them');
+      console.error('  --name, -n       Agent name');
+      console.error('  --owner, -o      Owner name');
+      console.error('  --server-name    Server label (optional)');
+      console.error('  --notes          Notes about this contact');
+      console.error('  --tags           Comma-separated tags');
+      console.error('  --link           Link to token ID you gave them');
+      console.error('  --public-key     Ed25519 public key (base64, or "fetch" to get from /status)');
       process.exit(1);
     }
 
@@ -1126,6 +1127,24 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
       linkedTokenId: args.flags.link || null
     };
 
+    // A2A-52: fetch or accept public key for identity verification
+    const pubKeyFlag = args.flags['public-key'] || args.flags.public_key || args.flags.publicKey;
+    if (pubKeyFlag === 'fetch' || pubKeyFlag === true) {
+      try {
+        const client = new A2AClient({});
+        const statusResult = await client.status(url);
+        if (statusResult.public_key) {
+          options.public_key = statusResult.public_key;
+          const { fingerprint: fpFunc } = require('../src/lib/crypto');
+          console.log(`  Fetched public key: ${fpFunc(statusResult.public_key)}`);
+        }
+      } catch (fetchErr) {
+        console.error(`  Warning: could not fetch public key from /status: ${fetchErr.message}`);
+      }
+    } else if (pubKeyFlag && typeof pubKeyFlag === 'string') {
+      options.public_key = pubKeyFlag;
+    }
+
     try {
       const result = store.addContact(url, options);
       if (!result.success) {
@@ -1186,13 +1205,22 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
       console.log(`🔐 No linked token (you haven't given them access yet)`);
     }
     
+    // A2A-52: show cryptographic identity verification status
+    if (remote.public_key) {
+      const { fingerprint: fpFunc } = require('../src/lib/crypto');
+      console.log(`🔑 Identity: verified`);
+      console.log(`   Fingerprint: ${fpFunc(remote.public_key)}`);
+    } else {
+      console.log(`🔑 Identity: unverified (no public key pinned)`);
+    }
+
     if (remote.tags && remote.tags.length > 0) {
       console.log(`🏷️  Tags: ${remote.tags.join(', ')}`);
     }
     if (remote.notes) {
       console.log(`📝 Notes: ${remote.notes}`);
     }
-    
+
     console.log(`\n📅 Added: ${new Date(remote.added_at).toLocaleDateString()}`);
     if (remote.last_seen) {
       console.log(`📍 Last seen: ${formatTimeAgo(new Date(remote.last_seen))}`);
@@ -1300,6 +1328,23 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
       console.log(`🟢 ${remote.name} is online`);
       console.log(`   Agent: ${result.name}`);
       console.log(`   Version: ${result.version}`);
+
+      // A2A-52: also fetch /status to refresh public key
+      try {
+        const statusResult = await client.status(url);
+        if (statusResult.public_key) {
+          const { fingerprint: fpFunc } = require('../src/lib/crypto');
+          if (remote.public_key && remote.public_key !== statusResult.public_key) {
+            console.log(`   ⚠️  Public key changed!`);
+            console.log(`      Old: ${fpFunc(remote.public_key)}`);
+            console.log(`      New: ${fpFunc(statusResult.public_key)}`);
+          }
+          store.updateContact(name, { public_key: statusResult.public_key });
+          console.log(`   🔑 Fingerprint: ${fpFunc(statusResult.public_key)}`);
+        }
+      } catch (_) {
+        // /status fetch is best-effort during ping
+      }
     } catch (err) {
       store.updateContactStatus(name, 'offline', err.message);
       console.log(`🔴 ${remote.name} is offline`);
@@ -1535,6 +1580,8 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
         // Best effort
       }
 
+      // A2A-52: load keypair for request signing in multi-turn calls
+      const _multiKeypair = config.getKeypair();
       const driver = new ConversationDriver({
         runtime,
         agentContext,
@@ -1546,6 +1593,8 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
         maxTurns,
         configTurnTimeoutMs,
         ownerContext,
+        privateKey: _multiKeypair ? _multiKeypair.privateKey : null,
+        publicKey: _multiKeypair ? _multiKeypair.publicKey : null,
         onTurn: (info) => {
           const preview = info.messagePreview.length >= 80
             ? info.messagePreview + '...'
@@ -1586,8 +1635,12 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
     }
 
     // Single-shot call (existing behavior)
+    // A2A-52: load keypair for request signing
+    const _callKeypair = config.getKeypair();
     const client = new A2AClient({
-      caller: { name: callerName }
+      caller: { name: callerName },
+      privateKey: _callKeypair ? _callKeypair.privateKey : null,
+      publicKey: _callKeypair ? _callKeypair.publicKey : null
     });
 
     try {
@@ -2292,6 +2345,21 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
       } catch (_) {}
     }
 
+    // A2A-52: Generate Ed25519 keypair for cryptographic identity (skip if already exists)
+    const existingKeypair = config.getKeypair();
+    if (!existingKeypair) {
+      const { generateKeypair, fingerprint: fpFunc } = require('../src/lib/crypto');
+      const keypair = generateKeypair();
+      config.setKeypair(keypair.privateKey, keypair.publicKey);
+      const fp = fpFunc(keypair.publicKey);
+      console.log(`\n  🔑 Ed25519 identity generated`);
+      console.log(`     Fingerprint: ${fp}`);
+    } else {
+      const { fingerprint: fpFunc } = require('../src/lib/crypto');
+      console.log(`\n  🔑 Ed25519 identity exists (not overwritten)`);
+      console.log(`     Fingerprint: ${fpFunc(existingKeypair.publicKey)}`);
+    }
+
     // Save server config and advance onboarding state to awaiting_disclosure.
     config.setAgent({ hostname: publicHost });
     config.setOnboarding({ step: 'awaiting_disclosure' });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "a2acalling",
-  "version": "0.6.65",
+  "version": "0.6.66",
   "description": "Agent-to-agent calling for OpenClaw - A2A agent communication",
   "main": "src/index.js",
   "bin": {

package/src/dashboard/public/app.js

@@ -1535,7 +1535,12 @@ function handleZoneDrop(zone, e) {
   // since autoSaveTier() may refresh state.settings asynchronously.
   setTimeout(() => {
     const freshTier = (state.settings?.tiers || []).find(t => t.id === state.activeTierId);
-    if (freshTier) renderSidebarLists(freshTier);
+    if (freshTier) {
+      renderSidebarLists(freshTier);
+      // A2A-51: Re-bind drag listeners after innerHTML replacement in renderSidebarLists().
+      // Without this, sidebar items lose dragstart/dragend handlers after the first drop.
+      bindSidebarDrag();
+    }
   }, 300);
 }
 
@@ -1776,8 +1781,9 @@ function bindPermissionsActions() {
       return;
     }
 
-    // A2A-48: Sidebar "Add Topic" / "Add Goal" buttons open create dialog
-    const addBtn = e.target.closest('.sidebar-add-btn[data-add-type]');
+    // A2A-48: Sidebar "Add Topic" / "Add Goal" buttons open create dialog.
+    // A2A-51: Also matches .col-header-add-btn for narrow viewports where sidebar is hidden.
+    const addBtn = e.target.closest('[data-add-type]');
     if (addBtn) {
       const type = addBtn.dataset.addType;
       const dialog = document.getElementById('create-item-dialog');
@@ -1798,13 +1804,17 @@ function bindPermissionsActions() {
   // (#active-topics-zone, #active-goals-zone) persist across renders. Only
   // their innerHTML is replaced by renderActiveTopics/renderActiveGoals.
   // Binding in bindSidebarDrag() would cause listener accumulation.
+  // A2A-51: Uses dragenter/dragleave counter to prevent flickering when
+  // cursor moves over child elements (cards, placeholder) inside the zone.
   const topicZone = document.getElementById('active-topics-zone');
   const goalZone = document.getElementById('active-goals-zone');
   [topicZone, goalZone].forEach(zone => {
     if (!zone) return;
-    zone.addEventListener('dragover', (e) => { e.preventDefault(); zone.classList.add('drag-over'); });
-    zone.addEventListener('dragleave', () => zone.classList.remove('drag-over'));
-    zone.addEventListener('drop', (e) => handleZoneDrop(zone, e));
+    let dragCounter = 0;
+    zone.addEventListener('dragenter', (e) => { e.preventDefault(); dragCounter++; zone.classList.add('drag-over'); });
+    zone.addEventListener('dragover', (e) => { e.preventDefault(); });
+    zone.addEventListener('dragleave', () => { dragCounter--; if (dragCounter === 0) zone.classList.remove('drag-over'); });
+    zone.addEventListener('drop', (e) => { dragCounter = 0; handleZoneDrop(zone, e); });
   });
 
   // A2A-48: Tool toggle change — auto-save and update card styling

package/src/dashboard/public/index.html

@@ -130,6 +130,7 @@
                     <span class="status-dot status-dot--teal"></span>
                     Active Topics
                     <span id="topic-count" class="count-badge count-badge--teal">0</span>
+                    <button class="col-header-add-btn" data-add-type="topic" title="Add topic"><span class="material-symbols-outlined" style="font-size:16px;">add</span></button>
                   </div>
                   <div id="active-topics-zone" class="perm-drop-zone"></div>
                 </div>
@@ -138,6 +139,7 @@
                     <span class="status-dot status-dot--yellow"></span>
                     Active Goals
                     <span id="goal-count" class="count-badge count-badge--yellow">0</span>
+                    <button class="col-header-add-btn" data-add-type="goal" title="Add goal"><span class="material-symbols-outlined" style="font-size:16px;">add</span></button>
                   </div>
                   <div id="active-goals-zone" class="perm-drop-zone"></div>
                 </div>

package/src/dashboard/public/style.css

@@ -697,6 +697,25 @@ table tbody tr:hover td {
   padding: 0 0.25rem;
 }
 
+/* A2A-51: "+" button in column headers for adding topics/goals without sidebar */
+.col-header-add-btn {
+  margin-left: auto;
+  background: none;
+  border: 1px solid rgba(255,255,255,0.12);
+  border-radius: 4px;
+  color: var(--ink-muted);
+  cursor: pointer;
+  padding: 1px 4px;
+  display: flex;
+  align-items: center;
+  transition: color 0.15s ease, border-color 0.15s ease;
+}
+
+.col-header-add-btn:hover {
+  color: var(--ink);
+  border-color: rgba(255,255,255,0.3);
+}
+
 .config-col-header--teal {
   color: #2DD4BF;
 }

package/src/lib/client.js

@@ -4,6 +4,7 @@
 
 const https = require('https');
 const http = require('http');
+const { signRequest } = require('./crypto');
 
 function splitHostPort(rawHost) {
   const host = String(rawHost || '').trim();
@@ -54,6 +55,24 @@ class A2AClient {
   constructor(options = {}) {
     this.timeout = options.timeout || 60000;
     this.caller = options.caller || {};
+    // A2A-52: Ed25519 identity keys for request signing
+    this.privateKey = options.privateKey || null;
+    this.publicKey = options.publicKey || null;
+  }
+
+  /**
+   * A2A-52: Build signature headers if keypair is available.
+   * Shared helper used by both call() and end().
+   */
+  _signHeaders(method, endpoint, body) {
+    if (!this.privateKey || !this.publicKey) return {};
+    return signRequest({
+      privateKey: this.privateKey,
+      publicKey: this.publicKey,
+      method,
+      endpoint,
+      body
+    });
   }
 
   /**
@@ -95,6 +114,8 @@ class A2AClient {
     });
 
     const { protocol, hostname, port } = resolveProtocolAndPort(host);
+    // A2A-52: attach signature headers when keypair available
+    const sigHeaders = this._signHeaders('POST', '/api/a2a/invoke', body);
 
     return new Promise((resolve, reject) => {
       const req = protocol.request({
@@ -105,7 +126,8 @@ class A2AClient {
         headers: {
           'Authorization': `Bearer ${token}`,
           'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(body)
+          'Content-Length': Buffer.byteLength(body),
+          ...sigHeaders
         },
         timeout: this.timeout
       }, (res) => {
@@ -141,7 +163,7 @@ class A2AClient {
 
   /**
    * Explicitly end a remote conversation and trigger call conclusion
-   * 
+   *
    * @param {string|object} endpoint - a2a:// URL or {host, token}
    * @param {string} conversationId - Conversation ID to conclude
    * @returns {Promise<object>} End response from remote agent
@@ -152,7 +174,7 @@ class A2AClient {
     }
 
     let host, token;
-    
+
     if (typeof endpoint === 'string') {
       ({ host, token } = A2AClient.parseInvite(endpoint));
     } else {
@@ -164,6 +186,8 @@ class A2AClient {
     });
 
     const { protocol, hostname, port } = resolveProtocolAndPort(host);
+    // A2A-52: attach signature headers when keypair available
+    const sigHeaders = this._signHeaders('POST', '/api/a2a/end', body);
 
     return new Promise((resolve, reject) => {
       const req = protocol.request({
@@ -174,7 +198,8 @@ class A2AClient {
         headers: {
           'Authorization': `Bearer ${token}`,
           'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(body)
+          'Content-Length': Buffer.byteLength(body),
+          ...sigHeaders
         },
         timeout: this.timeout
       }, (res) => {

package/src/lib/config.js

@@ -230,10 +230,13 @@ const DEFAULT_CONFIG = {
   },
   
   // Agent info
+  // A2A-52: private_key/public_key store Ed25519 identity (base64 DER)
   agent: {
     name: '',
     description: '',
-    hostname: ''
+    hostname: '',
+    private_key: null,
+    public_key: null
   },
 
   // Auto-updater
@@ -386,6 +389,21 @@ class A2AConfig {
     this._save();
   }
 
+  // A2A-52: Get Ed25519 keypair from agent config (null if not generated)
+  getKeypair() {
+    const agent = this.config.agent || {};
+    if (!agent.private_key || !agent.public_key) return null;
+    return { privateKey: agent.private_key, publicKey: agent.public_key };
+  }
+
+  // A2A-52: Store Ed25519 keypair in agent config (already 0o600 via _save)
+  setKeypair(privateKey, publicKey) {
+    this.config.agent = this.config.agent || {};
+    this.config.agent.private_key = privateKey;
+    this.config.agent.public_key = publicKey;
+    this._save();
+  }
+
   // Get full config
   getAll() {
     return this.config;
@@ -424,12 +442,13 @@ class A2AConfig {
     return next;
   }
 
-  // Export for sharing
+  // Export for sharing (strips private_key to prevent leakage — A2A-52)
   export() {
+    const { private_key, ...agentPublic } = this.config.agent || {};
     return {
       tiers: this.config.tiers,
       defaults: this.config.defaults,
-      agent: this.config.agent
+      agent: agentPublic
     };
   }
 }

package/src/lib/conversation-driver.js

@@ -147,7 +147,13 @@ class ConversationDriver {
     const clientTimeout = this.claudeMode
       ? Math.max(this.claudeTimeoutMs + 20000, 200000)
       : 65000;
-    this.client = new A2AClient({ caller: this.caller, timeout: clientTimeout });
+    // A2A-52: pass Ed25519 keypair for request signing
+    this.client = new A2AClient({
+      caller: this.caller,
+      timeout: clientTimeout,
+      privateKey: options.privateKey || null,
+      publicKey: options.publicKey || null
+    });
   }
 
   /**

package/src/lib/crypto.js

@@ -0,0 +1,113 @@
+/**
+ * A2A Ed25519 Cryptographic Identity
+ *
+ * Provides keypair generation, request signing, signature verification,
+ * and public key fingerprinting for agent-to-agent identity verification.
+ *
+ * A2A-52: Zero new dependencies — uses Node.js built-in crypto (Ed25519 since v15).
+ */
+
+const crypto = require('crypto');
+
+// A2A-52: 5-minute window for replay protection
+const TIMESTAMP_WINDOW_MS = 5 * 60 * 1000;
+
+/**
+ * Generate an Ed25519 keypair.
+ * Returns { privateKey, publicKey } as base64-encoded DER buffers.
+ */
+function generateKeypair() {
+  const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519', {
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+    publicKeyEncoding: { type: 'spki', format: 'der' }
+  });
+  return {
+    privateKey: privateKey.toString('base64'),
+    publicKey: publicKey.toString('base64')
+  };
+}
+
+/**
+ * Compute a SHA-256 fingerprint of a base64-encoded public key.
+ * Returns colon-separated hex string (like SSH fingerprints).
+ */
+function fingerprint(publicKeyBase64) {
+  const hash = crypto.createHash('sha256')
+    .update(Buffer.from(publicKeyBase64, 'base64'))
+    .digest('hex');
+  // A2A-52: colon-separated pairs for readability (SSH-style)
+  return hash.match(/.{2}/g).join(':');
+}
+
+/**
+ * Sign an outbound request.
+ *
+ * Signing payload: `${timestamp}:${method}:${endpoint}:${bodyHash}`
+ * where bodyHash = SHA-256 of the request body string.
+ *
+ * @param {object} params
+ * @param {string} params.privateKey - base64-encoded DER private key
+ * @param {string} params.publicKey  - base64-encoded DER public key
+ * @param {string} params.method     - HTTP method (e.g. 'POST')
+ * @param {string} params.endpoint   - Request path (e.g. '/api/a2a/invoke')
+ * @param {string} params.body       - Serialized request body
+ * @returns {object} Headers to attach: { 'X-A2A-Signature', 'X-A2A-Public-Key', 'X-A2A-Timestamp' }
+ */
+function signRequest({ privateKey, publicKey, method, endpoint, body }) {
+  const timestamp = new Date().toISOString();
+  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
+  const payload = `${timestamp}:${method}:${endpoint}:${bodyHash}`;
+
+  const keyObject = crypto.createPrivateKey({
+    key: Buffer.from(privateKey, 'base64'),
+    format: 'der',
+    type: 'pkcs8'
+  });
+
+  const signature = crypto.sign(null, Buffer.from(payload), keyObject);
+
+  return {
+    'X-A2A-Signature': signature.toString('base64'),
+    'X-A2A-Public-Key': publicKey,
+    'X-A2A-Timestamp': timestamp
+  };
+}
+
+/**
+ * Verify an inbound request signature.
+ *
+ * @param {object} params
+ * @param {string} params.signature   - base64-encoded Ed25519 signature
+ * @param {string} params.publicKey   - base64-encoded DER public key
+ * @param {string} params.timestamp   - ISO 8601 timestamp from header
+ * @param {string} params.method      - HTTP method
+ * @param {string} params.endpoint    - Request path
+ * @param {string} params.body        - Raw request body string
+ * @returns {boolean} true if signature is valid
+ */
+function verifySignature({ signature, publicKey, timestamp, method, endpoint, body }) {
+  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
+  const payload = `${timestamp}:${method}:${endpoint}:${bodyHash}`;
+
+  const keyObject = crypto.createPublicKey({
+    key: Buffer.from(publicKey, 'base64'),
+    format: 'der',
+    type: 'spki'
+  });
+
+  return crypto.verify(null, Buffer.from(payload), keyObject, Buffer.from(signature, 'base64'));
+}
+
+/**
+ * Check if a timestamp is within the allowed window (replay protection).
+ * @param {string} timestamp - ISO 8601 timestamp
+ * @returns {boolean} true if within +-5 minutes of now
+ */
+function isTimestampValid(timestamp) {
+  const ts = new Date(timestamp).getTime();
+  if (Number.isNaN(ts)) return false;
+  const diff = Math.abs(Date.now() - ts);
+  return diff <= TIMESTAMP_WINDOW_MS;
+}
+
+module.exports = { generateKeypair, fingerprint, signRequest, verifySignature, isTimestampValid };

package/src/lib/tokens.js

@@ -448,6 +448,7 @@ class TokenStore {
       tags: Array.isArray(options.tags) ? options.tags : [],
       fields: sanitizeCustomFields(options.fields || options.custom_fields || options.customFields),
       linked_token_id: options.linkedTokenId || options.linked_token_id || null,  // Token you gave them
+      public_key: options.public_key || options.publicKey || null,  // A2A-52: Ed25519 public key (base64 DER)
       status: 'unknown',
       last_seen: null,
       added_at: new Date().toISOString(),
@@ -597,7 +598,8 @@ class TokenStore {
 	    }
 
 	    // Only allow updating specific fields
-	    const allowed = ['name', 'owner', 'is_mine', 'notes', 'tags', 'linked_token_id', 'server_name', 'fields'];
+	    // A2A-52: 'public_key' added for Ed25519 identity verification (TOFU pinning)
+	    const allowed = ['name', 'owner', 'is_mine', 'notes', 'tags', 'linked_token_id', 'server_name', 'fields', 'public_key'];
 	    for (const key of allowed) {
 	      if (updates[key] !== undefined) {
 	        if (key === 'fields') {
@@ -764,6 +766,7 @@ class TokenStore {
       tags: ['inbound'],
       fields: {},
       linked_token_id: tokenId || null,
+      public_key: null,  // A2A-52: populated via TOFU on first verified call
       status: 'unknown',
       last_seen: null,
       added_at: new Date().toISOString(),

package/src/routes/a2a.js

@@ -11,6 +11,7 @@
 const { TokenStore } = require('../lib/tokens');
 const crypto = require('crypto');
 const { createLogger, createTraceId } = require('../lib/logger');
+const { verifySignature, isTimestampValid, fingerprint } = require('../lib/crypto');
 
 // Lazy-load conversation store (optional dependency)
 let ConversationStore = null;
@@ -187,19 +188,75 @@ function createRoutes(options = {}) {
     } catch (_) {}
   }
 
+  // A2A-52: shared signature verification helper for /invoke and /end
+  function verifySigHeaders(req, validation, endpoint, reqLogger, withTracePayload) {
+    const sigHeader = req.headers['x-a2a-signature'];
+    const pubKeyHeader = req.headers['x-a2a-public-key'];
+    const tsHeader = req.headers['x-a2a-timestamp'];
+    const result = { identityVerified: false, publicKeyFingerprint: null, error: null };
+
+    if (!sigHeader || !pubKeyHeader || !tsHeader) return result;
+
+    if (!isTimestampValid(tsHeader)) {
+      result.error = { status: 403, body: { success: false, error: 'timestamp_expired', message: 'Request timestamp outside allowed window' } };
+      reqLogger.warn('Signature timestamp outside window', { tokenId: validation.id, error_code: 'SIGNATURE_TIMESTAMP_EXPIRED', status_code: 403 });
+      return result;
+    }
+
+    try {
+      crypto.createPublicKey({ key: Buffer.from(pubKeyHeader, 'base64'), format: 'der', type: 'spki' });
+    } catch (_) {
+      result.error = { status: 400, body: { success: false, error: 'malformed_public_key', message: 'X-A2A-Public-Key is not a valid Ed25519 public key' } };
+      reqLogger.warn('Malformed public key', { tokenId: validation.id, error_code: 'MALFORMED_PUBLIC_KEY', status_code: 400 });
+      return result;
+    }
+
+    const existingContact = tokenStore.getContact(validation.id) ||
+      (tokenStore.listContacts().find(c => c.linked_token_id === validation.id));
+    if (existingContact && existingContact.public_key && existingContact.public_key !== pubKeyHeader) {
+      result.error = { status: 403, body: { success: false, error: 'public_key_mismatch', message: 'Public key does not match previously pinned key' } };
+      reqLogger.warn('Public key mismatch (TOFU violation)', { tokenId: validation.id, error_code: 'PUBLIC_KEY_MISMATCH', status_code: 403 });
+      return result;
+    }
+
+    const rawBody = JSON.stringify(req.body);
+    try {
+      const valid = verifySignature({ signature: sigHeader, publicKey: pubKeyHeader, timestamp: tsHeader, method: 'POST', endpoint, body: rawBody });
+      if (valid) {
+        result.identityVerified = true;
+        result.publicKeyFingerprint = fingerprint(pubKeyHeader);
+        if (existingContact && !existingContact.public_key) {
+          tokenStore.updateContact(existingContact.name || existingContact.id, { public_key: pubKeyHeader });
+        }
+      } else {
+        result.error = { status: 403, body: { success: false, error: 'invalid_signature', message: 'Ed25519 signature verification failed' } };
+        reqLogger.warn('Signature verification failed', { tokenId: validation.id, error_code: 'SIGNATURE_INVALID', status_code: 403 });
+      }
+    } catch (sigErr) {
+      result.error = { status: 403, body: { success: false, error: 'invalid_signature', message: 'Signature verification failed' } };
+      reqLogger.warn('Signature verification error', { tokenId: validation.id, error_code: 'SIGNATURE_VERIFY_ERROR', status_code: 403, error: sigErr });
+    }
+    return result;
+  }
+
   /**
    * GET /status
    * Check if A2A is enabled
    */
   router.get('/status', (req, res) => {
     const activeCalls = monitor ? monitor.getActiveCount() : 0;
-    res.json({
+    const response = {
       a2a: true,
       version: require('../../package.json').version,
       capabilities: ['invoke', 'multi-turn'],
       rate_limits: limits,
       active_calls: activeCalls
-    });
+    };
+    // A2A-52: include agent public key so contacts can fetch it
+    if (options.publicKey) {
+      response.public_key = options.publicKey;
+    }
+    res.json(response);
   });
 
   /**
@@ -291,6 +348,14 @@ function createRoutes(options = {}) {
       }));
     }
 
+    // A2A-52: Ed25519 signature verification (after token auth, before message handling)
+    const sigCheck = verifySigHeaders(req, validation, '/api/a2a/invoke', reqLogger, withTracePayload);
+    if (sigCheck.error) {
+      return res.status(sigCheck.error.status).json(withTracePayload(sigCheck.error.body));
+    }
+    const identityVerified = sigCheck.identityVerified;
+    const publicKeyFingerprint = sigCheck.publicKeyFingerprint;
+
     // Extract and validate request
     const { message, conversation_id, caller, context, timeout_seconds = 60 } = req.body;
 
@@ -353,7 +418,10 @@ function createRoutes(options = {}) {
       caller: sanitizedCaller,
       conversation_id: conversation_id || `conv_${Date.now()}_${crypto.randomBytes(6).toString('hex')}`,
       trace_id: traceId,
-      request_id: requestId
+      request_id: requestId,
+      // A2A-52: cryptographic identity verification status
+      identity_verified: identityVerified,
+      public_key_fingerprint: publicKeyFingerprint
     };
 
     // Ensure inbound caller exists as a contact (best-effort).
@@ -568,10 +636,16 @@ function createRoutes(options = {}) {
       return res.status(401).json(withTracePayload({ 
         success: false, 
         error: 'unauthorized', 
-        message: 'Invalid or expired token' 
+        message: 'Invalid or expired token'
       }));
     }
 
+    // A2A-52: Ed25519 signature verification for /end (same as /invoke)
+    const endSigCheck = verifySigHeaders(req, validation, '/api/a2a/end', reqLogger, withTracePayload);
+    if (endSigCheck.error) {
+      return res.status(endSigCheck.error.status).json(withTracePayload(endSigCheck.error.body));
+    }
+
     const { conversation_id } = req.body;
     if (!conversation_id) {
       reqLogger.warn('End request missing conversation_id', {

package/src/routes/dashboard.js

@@ -1331,7 +1331,7 @@ function createDashboardApiRouter(options = {}) {
       success: true,
       onboarding_complete: context.config.isOnboarded(),
       defaults: cfg.defaults || {},
-      agent: cfg.agent || {},
+      agent: (() => { const { private_key, ...pub } = cfg.agent || {}; return pub; })(),
       tiers,
       manifest: {
         never_disclose: manifest.never_disclose || [],

package/src/server.js

@@ -901,9 +901,12 @@ app.use('/dashboard', createDashboardUiRouter({
 }));
 app.use('/callbook', createCallbookRouter());
 
+// A2A-52: pass agent's public key so /status can advertise it
+const _a2aKeypair = config.getKeypair();
 app.use('/api/a2a', createRoutes({
   tokenStore,
   eventStore,
+  publicKey: _a2aKeypair ? _a2aKeypair.publicKey : null,
   logger: logger.child({ component: 'a2a.routes' }),
   onCallMonitor: (monitor) => {
     activeCallMonitor = monitor;