a2acalling 0.6.65 → 0.6.67

package/.a2a-manifest.json

@@ -1,6 +1,6 @@
 {
-  "version": "0.6.65",
-  "installed_at": "2026-02-25T07:27:45.973Z",
+  "version": "0.6.67",
+  "installed_at": "2026-02-25T14:23:35.176Z",
   "files": [
     {
       "path": "CLAUDE.md",

package/ARCHITECTURE.md

@@ -20,7 +20,7 @@ A2A Calling enables agent-to-agent communication across OpenClaw instances. Agen
 ┌───────────▼──────────────────────────────────────────────────────┐
 │  Core Libraries (src/lib/)                                        │
 │  ├─ tokens.js         Token CRUD, validation, tiers               │
-│  ├─ client.js         A2AClient for outbound calls                │
+│  ├─ client.js         A2AClient for outbound calls (retry + size cap) │
 │  ├─ conversations.js  ConversationStore (SQLite)                  │
 │  ├─ conversation-driver.js  Multi-turn call orchestration         │
 │  ├─ summarizer.js     Call summary generation                     │
@@ -28,6 +28,7 @@ A2A Calling enables agent-to-agent communication across OpenClaw instances. Agen
 │  ├─ summary-formatter.js  Format summaries for display            │
 │  ├─ disclosure.js     Disclosure level enforcement                │
 │  ├─ config.js         Config file management                      │
+│  ├─ crypto.js         Ed25519 identity keypair + signing           │
 │  ├─ logger.js         Structured logger (SQLite + stdout)         │
 │  ├─ call-monitor.js   Active call monitoring                      │
 │  ├─ callbook.js       Contact/callbook management                 │
@@ -80,6 +81,10 @@ Single-page app served from `src/dashboard/public/`. Uses Shoelace web component
 
 Tauri v2 app at `native/macos/` wrapping the dashboard SPA. Provides native menus, notifications, and server lifecycle management.
 
+## Identity Verification
+
+Ed25519 cryptographic identity for agents. Each instance generates a keypair on first run (stored in config). Outbound calls sign messages; inbound calls verify signatures. Uses Node.js built-in `crypto.sign`/`crypto.verify` — no external dependencies. See `src/lib/crypto.js`.
+
 ## Testing
 
 Zero-dependency test runner at `test/run.js` with custom assert API. Three test tiers:
@@ -90,3 +95,7 @@ Zero-dependency test runner at `test/run.js` with custom assert API. Three test
 Test profiles at `test/profiles/` represent real personas with distinct permission tiers.
 
 E2E test results are persisted to `~/.config/openclaw/a2a-e2e-results.json` via `test/e2e/persist.js` and surfaced in the dashboard Health tab. The `scripts/run-e2e.sh` orchestrator runs E2E suites and stores results.
+
+## Network Resilience
+
+The outbound A2A client (`src/lib/client.js`) retries transient network failures (ECONNRESET, ECONNREFUSED, EPIPE, ENOTFOUND, EAI_AGAIN, timeouts) with exponential backoff (0s, 1s, 2s). HTTP 4xx/5xx errors are not retried. All response accumulation is capped at 2MB to prevent OOM from malicious remotes.

package/CONVENTIONS.md

@@ -67,6 +67,24 @@ All modules use CommonJS (`require`/`module.exports`). Each lib file exports a f
 - Sidebar navigation with tab switching (Contacts, Calls, Invites, Logs, Settings, Permissions, Health)
 - Permissions tab uses tier cards with tool toggles and auto-save
 
+## Network Resilience (A2A-54)
+
+Outbound client methods (`call()`, `end()`) automatically retry transient network errors with exponential backoff. Pattern:
+- Use `withRetry(fn, { delays })` for retryable operations
+- Only retry on transient errors (ECONNRESET, ECONNREFUSED, EPIPE, ENOTFOUND, EAI_AGAIN, timeout)
+- Never retry HTTP 4xx/5xx — those are explicit server rejections
+- All HTTP responses are size-capped at 2MB via `handleSizeCappedResponse()`
+- Configurable retry delays via `_retryDelays` constructor option (used in tests with `[0,0,0]` for fast execution)
+
+## Dashboard API Testing (A2A-56)
+
+Dashboard API integration tests follow the pattern in `test/integration/dashboard-logs.test.js`:
+- Mount `createDashboardApiRouter()` on an Express app
+- Use `helpers.request()` for HTTP assertions (binds to 127.0.0.1 — bypasses auth)
+- Bust module caches for `dashboard`, `logger`, `tokens`, `config`, `disclosure`, `conversations`, `callbook`, `dashboard-events`
+- Call `loggerModule.closeAllLoggerStores()` in teardown to prevent SQLite handle leaks
+- Pass `convStore` directly via `options.convStore` when testing calls endpoints
+
 ## Permission Tiers
 
 Tokens have a tier (`public`, `friends`, `family`) and a disclosure level (`public`, `minimal`, `none`). These are enforced at the route level in `src/routes/a2a.js`.

package/bin/cli.js

@@ -1103,17 +1103,18 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
     console.log('Legend: 🌐 public  🔧 friends  ⚡ family');
   },
 
-  'contacts:add': (args) => {
+  'contacts:add': async (args) => {
     const url = args._[2];
     if (!url) {
       console.error('Usage: a2a contacts add <invite_url> [options]');
       console.error('Options:');
-      console.error('  --name, -n     Agent name');
-      console.error('  --owner, -o    Owner name');
-      console.error('  --server-name  Server label (optional)');
-      console.error('  --notes        Notes about this contact');
-      console.error('  --tags         Comma-separated tags');
-      console.error('  --link         Link to token ID you gave them');
+      console.error('  --name, -n       Agent name');
+      console.error('  --owner, -o      Owner name');
+      console.error('  --server-name    Server label (optional)');
+      console.error('  --notes          Notes about this contact');
+      console.error('  --tags           Comma-separated tags');
+      console.error('  --link           Link to token ID you gave them');
+      console.error('  --public-key     Ed25519 public key (base64, or "fetch" to get from /status)');
       process.exit(1);
     }
 
@@ -1126,6 +1127,24 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
       linkedTokenId: args.flags.link || null
     };
 
+    // A2A-52: fetch or accept public key for identity verification
+    const pubKeyFlag = args.flags['public-key'] || args.flags.public_key || args.flags.publicKey;
+    if (pubKeyFlag === 'fetch' || pubKeyFlag === true) {
+      try {
+        const client = new A2AClient({});
+        const statusResult = await client.status(url);
+        if (statusResult.public_key) {
+          options.public_key = statusResult.public_key;
+          const { fingerprint: fpFunc } = require('../src/lib/crypto');
+          console.log(`  Fetched public key: ${fpFunc(statusResult.public_key)}`);
+        }
+      } catch (fetchErr) {
+        console.error(`  Warning: could not fetch public key from /status: ${fetchErr.message}`);
+      }
+    } else if (pubKeyFlag && typeof pubKeyFlag === 'string') {
+      options.public_key = pubKeyFlag;
+    }
+
     try {
       const result = store.addContact(url, options);
       if (!result.success) {
@@ -1186,13 +1205,22 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
       console.log(`🔐 No linked token (you haven't given them access yet)`);
     }
     
+    // A2A-52: show cryptographic identity verification status
+    if (remote.public_key) {
+      const { fingerprint: fpFunc } = require('../src/lib/crypto');
+      console.log(`🔑 Identity: verified`);
+      console.log(`   Fingerprint: ${fpFunc(remote.public_key)}`);
+    } else {
+      console.log(`🔑 Identity: unverified (no public key pinned)`);
+    }
+
     if (remote.tags && remote.tags.length > 0) {
       console.log(`🏷️  Tags: ${remote.tags.join(', ')}`);
     }
     if (remote.notes) {
       console.log(`📝 Notes: ${remote.notes}`);
     }
-    
+
     console.log(`\n📅 Added: ${new Date(remote.added_at).toLocaleDateString()}`);
     if (remote.last_seen) {
       console.log(`📍 Last seen: ${formatTimeAgo(new Date(remote.last_seen))}`);
@@ -1300,6 +1328,23 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
       console.log(`🟢 ${remote.name} is online`);
       console.log(`   Agent: ${result.name}`);
       console.log(`   Version: ${result.version}`);
+
+      // A2A-52: also fetch /status to refresh public key
+      try {
+        const statusResult = await client.status(url);
+        if (statusResult.public_key) {
+          const { fingerprint: fpFunc } = require('../src/lib/crypto');
+          if (remote.public_key && remote.public_key !== statusResult.public_key) {
+            console.log(`   ⚠️  Public key changed!`);
+            console.log(`      Old: ${fpFunc(remote.public_key)}`);
+            console.log(`      New: ${fpFunc(statusResult.public_key)}`);
+          }
+          store.updateContact(name, { public_key: statusResult.public_key });
+          console.log(`   🔑 Fingerprint: ${fpFunc(statusResult.public_key)}`);
+        }
+      } catch (_) {
+        // /status fetch is best-effort during ping
+      }
     } catch (err) {
       store.updateContactStatus(name, 'offline', err.message);
       console.log(`🔴 ${remote.name} is offline`);
@@ -1535,6 +1580,8 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
         // Best effort
       }
 
+      // A2A-52: load keypair for request signing in multi-turn calls
+      const _multiKeypair = config.getKeypair();
       const driver = new ConversationDriver({
         runtime,
         agentContext,
@@ -1546,6 +1593,8 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
         maxTurns,
         configTurnTimeoutMs,
         ownerContext,
+        privateKey: _multiKeypair ? _multiKeypair.privateKey : null,
+        publicKey: _multiKeypair ? _multiKeypair.publicKey : null,
         onTurn: (info) => {
           const preview = info.messagePreview.length >= 80
             ? info.messagePreview + '...'
@@ -1586,8 +1635,12 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
     }
 
     // Single-shot call (existing behavior)
+    // A2A-52: load keypair for request signing
+    const _callKeypair = config.getKeypair();
     const client = new A2AClient({
-      caller: { name: callerName }
+      caller: { name: callerName },
+      privateKey: _callKeypair ? _callKeypair.privateKey : null,
+      publicKey: _callKeypair ? _callKeypair.publicKey : null
     });
 
     try {
@@ -2292,6 +2345,21 @@ a2a add "${inviteUrl}" "${ownerText || 'friend'}" && a2a call "${ownerText || 'f
       } catch (_) {}
     }
 
+    // A2A-52: Generate Ed25519 keypair for cryptographic identity (skip if already exists)
+    const existingKeypair = config.getKeypair();
+    if (!existingKeypair) {
+      const { generateKeypair, fingerprint: fpFunc } = require('../src/lib/crypto');
+      const keypair = generateKeypair();
+      config.setKeypair(keypair.privateKey, keypair.publicKey);
+      const fp = fpFunc(keypair.publicKey);
+      console.log(`\n  🔑 Ed25519 identity generated`);
+      console.log(`     Fingerprint: ${fp}`);
+    } else {
+      const { fingerprint: fpFunc } = require('../src/lib/crypto');
+      console.log(`\n  🔑 Ed25519 identity exists (not overwritten)`);
+      console.log(`     Fingerprint: ${fpFunc(existingKeypair.publicKey)}`);
+    }
+
     // Save server config and advance onboarding state to awaiting_disclosure.
     config.setAgent({ hostname: publicHost });
     config.setOnboarding({ step: 'awaiting_disclosure' });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "a2acalling",
-  "version": "0.6.65",
+  "version": "0.6.67",
   "description": "Agent-to-agent calling for OpenClaw - A2A agent communication",
   "main": "src/index.js",
   "bin": {

package/src/dashboard/public/app.js

@@ -1535,7 +1535,12 @@ function handleZoneDrop(zone, e) {
   // since autoSaveTier() may refresh state.settings asynchronously.
   setTimeout(() => {
     const freshTier = (state.settings?.tiers || []).find(t => t.id === state.activeTierId);
-    if (freshTier) renderSidebarLists(freshTier);
+    if (freshTier) {
+      renderSidebarLists(freshTier);
+      // A2A-51: Re-bind drag listeners after innerHTML replacement in renderSidebarLists().
+      // Without this, sidebar items lose dragstart/dragend handlers after the first drop.
+      bindSidebarDrag();
+    }
   }, 300);
 }
 
@@ -1776,8 +1781,9 @@ function bindPermissionsActions() {
       return;
     }
 
-    // A2A-48: Sidebar "Add Topic" / "Add Goal" buttons open create dialog
-    const addBtn = e.target.closest('.sidebar-add-btn[data-add-type]');
+    // A2A-48: Sidebar "Add Topic" / "Add Goal" buttons open create dialog.
+    // A2A-51: Also matches .col-header-add-btn for narrow viewports where sidebar is hidden.
+    const addBtn = e.target.closest('[data-add-type]');
     if (addBtn) {
       const type = addBtn.dataset.addType;
       const dialog = document.getElementById('create-item-dialog');
@@ -1798,13 +1804,17 @@ function bindPermissionsActions() {
   // (#active-topics-zone, #active-goals-zone) persist across renders. Only
   // their innerHTML is replaced by renderActiveTopics/renderActiveGoals.
   // Binding in bindSidebarDrag() would cause listener accumulation.
+  // A2A-51: Uses dragenter/dragleave counter to prevent flickering when
+  // cursor moves over child elements (cards, placeholder) inside the zone.
   const topicZone = document.getElementById('active-topics-zone');
   const goalZone = document.getElementById('active-goals-zone');
   [topicZone, goalZone].forEach(zone => {
     if (!zone) return;
-    zone.addEventListener('dragover', (e) => { e.preventDefault(); zone.classList.add('drag-over'); });
-    zone.addEventListener('dragleave', () => zone.classList.remove('drag-over'));
-    zone.addEventListener('drop', (e) => handleZoneDrop(zone, e));
+    let dragCounter = 0;
+    zone.addEventListener('dragenter', (e) => { e.preventDefault(); dragCounter++; zone.classList.add('drag-over'); });
+    zone.addEventListener('dragover', (e) => { e.preventDefault(); });
+    zone.addEventListener('dragleave', () => { dragCounter--; if (dragCounter === 0) zone.classList.remove('drag-over'); });
+    zone.addEventListener('drop', (e) => { dragCounter = 0; handleZoneDrop(zone, e); });
   });
 
   // A2A-48: Tool toggle change — auto-save and update card styling

package/src/dashboard/public/index.html

@@ -130,6 +130,7 @@
                     <span class="status-dot status-dot--teal"></span>
                     Active Topics
                     <span id="topic-count" class="count-badge count-badge--teal">0</span>
+                    <button class="col-header-add-btn" data-add-type="topic" title="Add topic"><span class="material-symbols-outlined" style="font-size:16px;">add</span></button>
                   </div>
                   <div id="active-topics-zone" class="perm-drop-zone"></div>
                 </div>
@@ -138,6 +139,7 @@
                     <span class="status-dot status-dot--yellow"></span>
                     Active Goals
                     <span id="goal-count" class="count-badge count-badge--yellow">0</span>
+                    <button class="col-header-add-btn" data-add-type="goal" title="Add goal"><span class="material-symbols-outlined" style="font-size:16px;">add</span></button>
                   </div>
                   <div id="active-goals-zone" class="perm-drop-zone"></div>
                 </div>

package/src/dashboard/public/style.css

@@ -697,6 +697,25 @@ table tbody tr:hover td {
   padding: 0 0.25rem;
 }
 
+/* A2A-51: "+" button in column headers for adding topics/goals without sidebar */
+.col-header-add-btn {
+  margin-left: auto;
+  background: none;
+  border: 1px solid rgba(255,255,255,0.12);
+  border-radius: 4px;
+  color: var(--ink-muted);
+  cursor: pointer;
+  padding: 1px 4px;
+  display: flex;
+  align-items: center;
+  transition: color 0.15s ease, border-color 0.15s ease;
+}
+
+.col-header-add-btn:hover {
+  color: var(--ink);
+  border-color: rgba(255,255,255,0.3);
+}
+
 .config-col-header--teal {
   color: #2DD4BF;
 }

package/src/lib/client.js

@@ -4,6 +4,69 @@
 
 const https = require('https');
 const http = require('http');
+const { signRequest } = require('./crypto');
+// A2A-54: structured logging for retry warnings and size-cap violations
+const { createLogger } = require('./logger');
+
+const logger = createLogger({ component: 'a2a.client' });
+
+// A2A-54: response size cap prevents OOM from unbounded accumulation
+const MAX_RESPONSE_BYTES = 2 * 1024 * 1024;
+
+// A2A-54: only transient network errors are retryable — HTTP 4xx/5xx are not
+const RETRYABLE_CODES = ['ECONNRESET', 'ECONNREFUSED', 'EPIPE', 'ENOTFOUND', 'EAI_AGAIN'];
+
+// A2A-54: exponential backoff — first retry is immediate, then 1s, then 2s
+const RETRY_DELAYS = [0, 1000, 2000];
+
+/**
+ * A2A-54: Retry wrapper for transient network failures.
+ * Only retries on RETRYABLE_CODES and timeout errors — HTTP status errors
+ * bubble up immediately since the remote explicitly rejected the request.
+ *
+ * @param {Function} fn - async function to retry
+ * @param {object} options
+ * @param {number[]} options.delays - delay sequence in ms (default: RETRY_DELAYS)
+ * @returns {Promise<*>}
+ */
+async function withRetry(fn, options = {}) {
+  const delays = options.delays || RETRY_DELAYS;
+  const maxAttempts = delays.length + 1;
+
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      // A2A-54: only retry transient network errors and timeouts.
+      // HTTP 4xx/5xx errors have err.code set to the server's error code
+      // (e.g. 'bad_request'), so they won't match network_error or timeout.
+      const isRetryable = err instanceof A2AError && (
+        (err.code === 'network_error' && RETRYABLE_CODES.some(c => err.message.includes(c))) ||
+        err.code === 'timeout'
+      );
+
+      if (!isRetryable || attempt >= maxAttempts) {
+        throw err;
+      }
+
+      // A2A-54: log each retry at warn level for operator visibility
+      const delay = delays[attempt - 1];
+      logger.warn(`Retrying request (attempt ${attempt + 1}/${maxAttempts})`, {
+        event: 'retry',
+        data: {
+          error_code: err.code,
+          error_message: err.message,
+          attempt: attempt + 1,
+          delay_ms: delay
+        }
+      });
+
+      if (delay > 0) {
+        await new Promise(resolve => setTimeout(resolve, delay));
+      }
+    }
+  }
+}
 
 function splitHostPort(rawHost) {
   const host = String(rawHost || '').trim();
@@ -50,10 +113,65 @@ function resolveProtocolAndPort(host) {
   return { protocol, hostname, port };
 }
 
+/**
+ * A2A-54: Create a size-capped response handler.
+ * Tracks accumulated bytes and destroys the socket if the cap is exceeded,
+ * preventing OOM from malicious or misconfigured remote agents.
+ *
+ * @param {http.IncomingMessage} res - the response stream
+ * @param {Function} resolve - promise resolve
+ * @param {Function} reject - promise reject
+ * @param {Function} onComplete - called with (data, statusCode) when response ends within cap
+ */
+function handleSizeCappedResponse(res, resolve, reject, onComplete) {
+  let data = '';
+  let bytes = 0;
+  let destroyed = false;
+
+  res.on('data', (chunk) => {
+    bytes += chunk.length;
+    if (bytes > MAX_RESPONSE_BYTES) {
+      if (!destroyed) {
+        destroyed = true;
+        res.destroy();
+        // A2A-54: reject immediately — the remote sent more data than we allow
+        reject(new A2AError('response_too_large', `Response exceeded ${MAX_RESPONSE_BYTES} bytes`));
+      }
+      return;
+    }
+    data += chunk;
+  });
+
+  res.on('end', () => {
+    if (destroyed) return;
+    onComplete(data, res.statusCode);
+  });
+}
+
 class A2AClient {
   constructor(options = {}) {
     this.timeout = options.timeout || 60000;
     this.caller = options.caller || {};
+    // A2A-52: Ed25519 identity keys for request signing
+    this.privateKey = options.privateKey || null;
+    this.publicKey = options.publicKey || null;
+    // A2A-54: allow configurable retry delays for testing (fast tests use [0,0,0])
+    this._retryDelays = options._retryDelays || RETRY_DELAYS;
+  }
+
+  /**
+   * A2A-52: Build signature headers if keypair is available.
+   * Shared helper used by both call() and end().
+   */
+  _signHeaders(method, endpoint, body) {
+    if (!this.privateKey || !this.publicKey) return {};
+    return signRequest({
+      privateKey: this.privateKey,
+      publicKey: this.publicKey,
+      method,
+      endpoint,
+      body
+    });
   }
 
   /**
@@ -69,7 +187,7 @@ class A2AClient {
 
   /**
    * Call a remote agent
-   * 
+   *
    * @param {string|object} endpoint - a2a:// URL or {host, token}
    * @param {string} message - Message to send
    * @param {object} options - Additional options
@@ -77,7 +195,7 @@ class A2AClient {
    */
   async call(endpoint, message, options = {}) {
     let host, token;
-    
+
     if (typeof endpoint === 'string') {
       ({ host, token } = A2AClient.parseInvite(endpoint));
     } else {
@@ -95,8 +213,11 @@ class A2AClient {
     });
 
     const { protocol, hostname, port } = resolveProtocolAndPort(host);
+    // A2A-52: attach signature headers when keypair available
+    const sigHeaders = this._signHeaders('POST', '/api/a2a/invoke', body);
 
-    return new Promise((resolve, reject) => {
+    // A2A-54: wrap with retry for transient network failures
+    const makeRequest = () => new Promise((resolve, reject) => {
       const req = protocol.request({
         hostname,
         port,
@@ -105,28 +226,28 @@ class A2AClient {
         headers: {
           'Authorization': `Bearer ${token}`,
           'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(body)
+          'Content-Length': Buffer.byteLength(body),
+          ...sigHeaders
         },
         timeout: this.timeout
       }, (res) => {
-        let data = '';
-        res.on('data', chunk => data += chunk);
-        res.on('end', () => {
+        // A2A-54: size-capped response accumulation
+        handleSizeCappedResponse(res, resolve, reject, (data, statusCode) => {
           try {
             const json = JSON.parse(data);
-            if (res.statusCode >= 400) {
-              reject(new A2AError(json.error || 'request_failed', json.message || data, res.statusCode));
+            if (statusCode >= 400) {
+              reject(new A2AError(json.error || 'request_failed', json.message || data, statusCode));
             } else {
               resolve(json);
             }
           } catch (e) {
-            reject(new A2AError('parse_error', `Failed to parse response: ${data}`, res.statusCode));
+            reject(new A2AError('parse_error', `Failed to parse response: ${data}`, statusCode));
           }
         });
       });
 
       req.on('error', (e) => {
-        reject(new A2AError('network_error', e.message));
+        reject(new A2AError('network_error', e.code ? `${e.code}: ${e.message}` : e.message));
       });
 
       req.on('timeout', () => {
@@ -137,11 +258,13 @@ class A2AClient {
       req.write(body);
       req.end();
     });
+
+    return withRetry(makeRequest, { delays: this._retryDelays });
   }
 
   /**
    * Explicitly end a remote conversation and trigger call conclusion
-   * 
+   *
    * @param {string|object} endpoint - a2a:// URL or {host, token}
    * @param {string} conversationId - Conversation ID to conclude
    * @returns {Promise<object>} End response from remote agent
@@ -152,7 +275,7 @@ class A2AClient {
     }
 
     let host, token;
-    
+
     if (typeof endpoint === 'string') {
       ({ host, token } = A2AClient.parseInvite(endpoint));
     } else {
@@ -164,8 +287,11 @@ class A2AClient {
     });
 
     const { protocol, hostname, port } = resolveProtocolAndPort(host);
+    // A2A-52: attach signature headers when keypair available
+    const sigHeaders = this._signHeaders('POST', '/api/a2a/end', body);
 
-    return new Promise((resolve, reject) => {
+    // A2A-54: wrap with retry for transient network failures
+    const makeRequest = () => new Promise((resolve, reject) => {
       const req = protocol.request({
         hostname,
         port,
@@ -174,28 +300,28 @@ class A2AClient {
         headers: {
           'Authorization': `Bearer ${token}`,
           'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(body)
+          'Content-Length': Buffer.byteLength(body),
+          ...sigHeaders
         },
         timeout: this.timeout
       }, (res) => {
-        let data = '';
-        res.on('data', chunk => data += chunk);
-        res.on('end', () => {
+        // A2A-54: size-capped response accumulation
+        handleSizeCappedResponse(res, resolve, reject, (data, statusCode) => {
           try {
             const json = JSON.parse(data);
-            if (res.statusCode >= 400) {
-              reject(new A2AError(json.error || 'request_failed', json.message || data, res.statusCode));
+            if (statusCode >= 400) {
+              reject(new A2AError(json.error || 'request_failed', json.message || data, statusCode));
             } else {
               resolve(json);
             }
           } catch (e) {
-            reject(new A2AError('parse_error', `Failed to parse response: ${data}`, res.statusCode));
+            reject(new A2AError('parse_error', `Failed to parse response: ${data}`, statusCode));
           }
         });
       });
 
       req.on('error', (e) => {
-        reject(new A2AError('network_error', e.message));
+        reject(new A2AError('network_error', e.code ? `${e.code}: ${e.message}` : e.message));
       });
 
       req.on('timeout', () => {
@@ -206,6 +332,8 @@ class A2AClient {
       req.write(body);
       req.end();
     });
+
+    return withRetry(makeRequest, { delays: this._retryDelays });
   }
 
   /**
@@ -213,7 +341,7 @@ class A2AClient {
    */
   async ping(endpoint) {
     let host;
-    
+
     if (typeof endpoint === 'string') {
       ({ host } = A2AClient.parseInvite(endpoint));
     } else {
@@ -222,6 +350,7 @@ class A2AClient {
 
     const { protocol, hostname, port } = resolveProtocolAndPort(host);
 
+    // A2A-54: no retry for ping — it's a lightweight probe, not a critical call
     return new Promise((resolve, reject) => {
       const req = protocol.request({
         hostname,
@@ -230,13 +359,12 @@ class A2AClient {
         method: 'GET',
         timeout: 5000
       }, (res) => {
-        let data = '';
-        res.on('data', chunk => data += chunk);
-        res.on('end', () => {
+        // A2A-54: size-capped response accumulation
+        handleSizeCappedResponse(res, resolve, reject, (data, statusCode) => {
           try {
             resolve(JSON.parse(data));
           } catch {
-            resolve({ pong: res.statusCode === 200 });
+            resolve({ pong: statusCode === 200 });
           }
         });
       });
@@ -255,7 +383,7 @@ class A2AClient {
    */
   async status(endpoint) {
     let host;
-    
+
     if (typeof endpoint === 'string') {
       ({ host } = A2AClient.parseInvite(endpoint));
     } else {
@@ -264,6 +392,7 @@ class A2AClient {
 
     const { protocol, hostname, port } = resolveProtocolAndPort(host);
 
+    // A2A-54: no retry for status — read-only probe, not a stateful operation
     return new Promise((resolve, reject) => {
       const req = protocol.request({
         hostname,
@@ -272,9 +401,8 @@ class A2AClient {
         method: 'GET',
         timeout: 5000
       }, (res) => {
-        let data = '';
-        res.on('data', chunk => data += chunk);
-        res.on('end', () => {
+        // A2A-54: size-capped response accumulation
+        handleSizeCappedResponse(res, resolve, reject, (data) => {
           try {
             resolve(JSON.parse(data));
           } catch {
@@ -283,7 +411,7 @@ class A2AClient {
         });
       });
 
-      req.on('error', (e) => reject(new A2AError('network_error', e.message)));
+      req.on('error', (e) => reject(new A2AError('network_error', e.code ? `${e.code}: ${e.message}` : e.message)));
       req.on('timeout', () => {
         req.destroy();
         reject(new A2AError('timeout', 'Request timed out'));
@@ -302,4 +430,13 @@ class A2AError extends Error {
   }
 }
 
-module.exports = { A2AClient, A2AError };
+// A2A-54: export internals for testing (splitHostPort, resolveProtocolAndPort, constants)
+module.exports = {
+  A2AClient,
+  A2AError,
+  _splitHostPort: splitHostPort,
+  _resolveProtocolAndPort: resolveProtocolAndPort,
+  _MAX_RESPONSE_BYTES: MAX_RESPONSE_BYTES,
+  _RETRYABLE_CODES: RETRYABLE_CODES,
+  _RETRY_DELAYS: RETRY_DELAYS
+};

package/src/lib/config.js

@@ -230,10 +230,13 @@ const DEFAULT_CONFIG = {
   },
   
   // Agent info
+  // A2A-52: private_key/public_key store Ed25519 identity (base64 DER)
   agent: {
     name: '',
     description: '',
-    hostname: ''
+    hostname: '',
+    private_key: null,
+    public_key: null
   },
 
   // Auto-updater
@@ -386,6 +389,21 @@ class A2AConfig {
     this._save();
   }
 
+  // A2A-52: Get Ed25519 keypair from agent config (null if not generated)
+  getKeypair() {
+    const agent = this.config.agent || {};
+    if (!agent.private_key || !agent.public_key) return null;
+    return { privateKey: agent.private_key, publicKey: agent.public_key };
+  }
+
+  // A2A-52: Store Ed25519 keypair in agent config (already 0o600 via _save)
+  setKeypair(privateKey, publicKey) {
+    this.config.agent = this.config.agent || {};
+    this.config.agent.private_key = privateKey;
+    this.config.agent.public_key = publicKey;
+    this._save();
+  }
+
   // Get full config
   getAll() {
     return this.config;
@@ -424,12 +442,13 @@ class A2AConfig {
     return next;
   }
 
-  // Export for sharing
+  // Export for sharing (strips private_key to prevent leakage — A2A-52)
   export() {
+    const { private_key, ...agentPublic } = this.config.agent || {};
     return {
       tiers: this.config.tiers,
       defaults: this.config.defaults,
-      agent: this.config.agent
+      agent: agentPublic
     };
   }
 }

package/src/lib/conversation-driver.js

@@ -147,7 +147,13 @@ class ConversationDriver {
     const clientTimeout = this.claudeMode
       ? Math.max(this.claudeTimeoutMs + 20000, 200000)
       : 65000;
-    this.client = new A2AClient({ caller: this.caller, timeout: clientTimeout });
+    // A2A-52: pass Ed25519 keypair for request signing
+    this.client = new A2AClient({
+      caller: this.caller,
+      timeout: clientTimeout,
+      privateKey: options.privateKey || null,
+      publicKey: options.publicKey || null
+    });
   }
 
   /**

package/src/lib/crypto.js

@@ -0,0 +1,113 @@
+/**
+ * A2A Ed25519 Cryptographic Identity
+ *
+ * Provides keypair generation, request signing, signature verification,
+ * and public key fingerprinting for agent-to-agent identity verification.
+ *
+ * A2A-52: Zero new dependencies — uses Node.js built-in crypto (Ed25519 since v15).
+ */
+
+const crypto = require('crypto');
+
+// A2A-52: 5-minute window for replay protection
+const TIMESTAMP_WINDOW_MS = 5 * 60 * 1000;
+
+/**
+ * Generate an Ed25519 keypair.
+ * Returns { privateKey, publicKey } as base64-encoded DER buffers.
+ */
+function generateKeypair() {
+  const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519', {
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+    publicKeyEncoding: { type: 'spki', format: 'der' }
+  });
+  return {
+    privateKey: privateKey.toString('base64'),
+    publicKey: publicKey.toString('base64')
+  };
+}
+
+/**
+ * Compute a SHA-256 fingerprint of a base64-encoded public key.
+ * Returns colon-separated hex string (like SSH fingerprints).
+ */
+function fingerprint(publicKeyBase64) {
+  const hash = crypto.createHash('sha256')
+    .update(Buffer.from(publicKeyBase64, 'base64'))
+    .digest('hex');
+  // A2A-52: colon-separated pairs for readability (SSH-style)
+  return hash.match(/.{2}/g).join(':');
+}
+
+/**
+ * Sign an outbound request.
+ *
+ * Signing payload: `${timestamp}:${method}:${endpoint}:${bodyHash}`
+ * where bodyHash = SHA-256 of the request body string.
+ *
+ * @param {object} params
+ * @param {string} params.privateKey - base64-encoded DER private key
+ * @param {string} params.publicKey  - base64-encoded DER public key
+ * @param {string} params.method     - HTTP method (e.g. 'POST')
+ * @param {string} params.endpoint   - Request path (e.g. '/api/a2a/invoke')
+ * @param {string} params.body       - Serialized request body
+ * @returns {object} Headers to attach: { 'X-A2A-Signature', 'X-A2A-Public-Key', 'X-A2A-Timestamp' }
+ */
+function signRequest({ privateKey, publicKey, method, endpoint, body }) {
+  const timestamp = new Date().toISOString();
+  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
+  const payload = `${timestamp}:${method}:${endpoint}:${bodyHash}`;
+
+  const keyObject = crypto.createPrivateKey({
+    key: Buffer.from(privateKey, 'base64'),
+    format: 'der',
+    type: 'pkcs8'
+  });
+
+  const signature = crypto.sign(null, Buffer.from(payload), keyObject);
+
+  return {
+    'X-A2A-Signature': signature.toString('base64'),
+    'X-A2A-Public-Key': publicKey,
+    'X-A2A-Timestamp': timestamp
+  };
+}
+
+/**
+ * Verify an inbound request signature.
+ *
+ * @param {object} params
+ * @param {string} params.signature   - base64-encoded Ed25519 signature
+ * @param {string} params.publicKey   - base64-encoded DER public key
+ * @param {string} params.timestamp   - ISO 8601 timestamp from header
+ * @param {string} params.method      - HTTP method
+ * @param {string} params.endpoint    - Request path
+ * @param {string} params.body        - Raw request body string
+ * @returns {boolean} true if signature is valid
+ */
+function verifySignature({ signature, publicKey, timestamp, method, endpoint, body }) {
+  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
+  const payload = `${timestamp}:${method}:${endpoint}:${bodyHash}`;
+
+  const keyObject = crypto.createPublicKey({
+    key: Buffer.from(publicKey, 'base64'),
+    format: 'der',
+    type: 'spki'
+  });
+
+  return crypto.verify(null, Buffer.from(payload), keyObject, Buffer.from(signature, 'base64'));
+}
+
+/**
+ * Check if a timestamp is within the allowed window (replay protection).
+ * @param {string} timestamp - ISO 8601 timestamp
+ * @returns {boolean} true if within +-5 minutes of now
+ */
+function isTimestampValid(timestamp) {
+  const ts = new Date(timestamp).getTime();
+  if (Number.isNaN(ts)) return false;
+  const diff = Math.abs(Date.now() - ts);
+  return diff <= TIMESTAMP_WINDOW_MS;
+}
+
+module.exports = { generateKeypair, fingerprint, signRequest, verifySignature, isTimestampValid };

package/src/lib/tokens.js

@@ -448,6 +448,7 @@ class TokenStore {
       tags: Array.isArray(options.tags) ? options.tags : [],
       fields: sanitizeCustomFields(options.fields || options.custom_fields || options.customFields),
       linked_token_id: options.linkedTokenId || options.linked_token_id || null,  // Token you gave them
+      public_key: options.public_key || options.publicKey || null,  // A2A-52: Ed25519 public key (base64 DER)
       status: 'unknown',
       last_seen: null,
       added_at: new Date().toISOString(),
@@ -597,7 +598,8 @@ class TokenStore {
 	    }
 
 	    // Only allow updating specific fields
-	    const allowed = ['name', 'owner', 'is_mine', 'notes', 'tags', 'linked_token_id', 'server_name', 'fields'];
+	    // A2A-52: 'public_key' added for Ed25519 identity verification (TOFU pinning)
+	    const allowed = ['name', 'owner', 'is_mine', 'notes', 'tags', 'linked_token_id', 'server_name', 'fields', 'public_key'];
 	    for (const key of allowed) {
 	      if (updates[key] !== undefined) {
 	        if (key === 'fields') {
@@ -764,6 +766,7 @@ class TokenStore {
       tags: ['inbound'],
       fields: {},
       linked_token_id: tokenId || null,
+      public_key: null,  // A2A-52: populated via TOFU on first verified call
       status: 'unknown',
       last_seen: null,
       added_at: new Date().toISOString(),

package/src/routes/a2a.js

@@ -11,6 +11,7 @@
 const { TokenStore } = require('../lib/tokens');
 const crypto = require('crypto');
 const { createLogger, createTraceId } = require('../lib/logger');
+const { verifySignature, isTimestampValid, fingerprint } = require('../lib/crypto');
 
 // Lazy-load conversation store (optional dependency)
 let ConversationStore = null;
@@ -187,19 +188,75 @@ function createRoutes(options = {}) {
     } catch (_) {}
   }
 
+  // A2A-52: shared signature verification helper for /invoke and /end
+  function verifySigHeaders(req, validation, endpoint, reqLogger, withTracePayload) {
+    const sigHeader = req.headers['x-a2a-signature'];
+    const pubKeyHeader = req.headers['x-a2a-public-key'];
+    const tsHeader = req.headers['x-a2a-timestamp'];
+    const result = { identityVerified: false, publicKeyFingerprint: null, error: null };
+
+    if (!sigHeader || !pubKeyHeader || !tsHeader) return result;
+
+    if (!isTimestampValid(tsHeader)) {
+      result.error = { status: 403, body: { success: false, error: 'timestamp_expired', message: 'Request timestamp outside allowed window' } };
+      reqLogger.warn('Signature timestamp outside window', { tokenId: validation.id, error_code: 'SIGNATURE_TIMESTAMP_EXPIRED', status_code: 403 });
+      return result;
+    }
+
+    try {
+      crypto.createPublicKey({ key: Buffer.from(pubKeyHeader, 'base64'), format: 'der', type: 'spki' });
+    } catch (_) {
+      result.error = { status: 400, body: { success: false, error: 'malformed_public_key', message: 'X-A2A-Public-Key is not a valid Ed25519 public key' } };
+      reqLogger.warn('Malformed public key', { tokenId: validation.id, error_code: 'MALFORMED_PUBLIC_KEY', status_code: 400 });
+      return result;
+    }
+
+    const existingContact = tokenStore.getContact(validation.id) ||
+      (tokenStore.listContacts().find(c => c.linked_token_id === validation.id));
+    if (existingContact && existingContact.public_key && existingContact.public_key !== pubKeyHeader) {
+      result.error = { status: 403, body: { success: false, error: 'public_key_mismatch', message: 'Public key does not match previously pinned key' } };
+      reqLogger.warn('Public key mismatch (TOFU violation)', { tokenId: validation.id, error_code: 'PUBLIC_KEY_MISMATCH', status_code: 403 });
+      return result;
+    }
+
+    const rawBody = JSON.stringify(req.body);
+    try {
+      const valid = verifySignature({ signature: sigHeader, publicKey: pubKeyHeader, timestamp: tsHeader, method: 'POST', endpoint, body: rawBody });
+      if (valid) {
+        result.identityVerified = true;
+        result.publicKeyFingerprint = fingerprint(pubKeyHeader);
+        if (existingContact && !existingContact.public_key) {
+          tokenStore.updateContact(existingContact.name || existingContact.id, { public_key: pubKeyHeader });
+        }
+      } else {
+        result.error = { status: 403, body: { success: false, error: 'invalid_signature', message: 'Ed25519 signature verification failed' } };
+        reqLogger.warn('Signature verification failed', { tokenId: validation.id, error_code: 'SIGNATURE_INVALID', status_code: 403 });
+      }
+    } catch (sigErr) {
+      result.error = { status: 403, body: { success: false, error: 'invalid_signature', message: 'Signature verification failed' } };
+      reqLogger.warn('Signature verification error', { tokenId: validation.id, error_code: 'SIGNATURE_VERIFY_ERROR', status_code: 403, error: sigErr });
+    }
+    return result;
+  }
+
   /**
    * GET /status
    * Check if A2A is enabled
    */
   router.get('/status', (req, res) => {
     const activeCalls = monitor ? monitor.getActiveCount() : 0;
-    res.json({
+    const response = {
       a2a: true,
       version: require('../../package.json').version,
       capabilities: ['invoke', 'multi-turn'],
       rate_limits: limits,
       active_calls: activeCalls
-    });
+    };
+    // A2A-52: include agent public key so contacts can fetch it
+    if (options.publicKey) {
+      response.public_key = options.publicKey;
+    }
+    res.json(response);
   });
 
   /**
@@ -291,6 +348,14 @@ function createRoutes(options = {}) {
       }));
     }
 
+    // A2A-52: Ed25519 signature verification (after token auth, before message handling)
+    const sigCheck = verifySigHeaders(req, validation, '/api/a2a/invoke', reqLogger, withTracePayload);
+    if (sigCheck.error) {
+      return res.status(sigCheck.error.status).json(withTracePayload(sigCheck.error.body));
+    }
+    const identityVerified = sigCheck.identityVerified;
+    const publicKeyFingerprint = sigCheck.publicKeyFingerprint;
+
     // Extract and validate request
     const { message, conversation_id, caller, context, timeout_seconds = 60 } = req.body;
 
@@ -353,7 +418,10 @@ function createRoutes(options = {}) {
       caller: sanitizedCaller,
       conversation_id: conversation_id || `conv_${Date.now()}_${crypto.randomBytes(6).toString('hex')}`,
       trace_id: traceId,
-      request_id: requestId
+      request_id: requestId,
+      // A2A-52: cryptographic identity verification status
+      identity_verified: identityVerified,
+      public_key_fingerprint: publicKeyFingerprint
     };
 
     // Ensure inbound caller exists as a contact (best-effort).
@@ -568,10 +636,16 @@ function createRoutes(options = {}) {
       return res.status(401).json(withTracePayload({ 
         success: false, 
         error: 'unauthorized', 
-        message: 'Invalid or expired token' 
+        message: 'Invalid or expired token'
       }));
     }
 
+    // A2A-52: Ed25519 signature verification for /end (same as /invoke)
+    const endSigCheck = verifySigHeaders(req, validation, '/api/a2a/end', reqLogger, withTracePayload);
+    if (endSigCheck.error) {
+      return res.status(endSigCheck.error.status).json(withTracePayload(endSigCheck.error.body));
+    }
+
     const { conversation_id } = req.body;
     if (!conversation_id) {
       reqLogger.warn('End request missing conversation_id', {

package/src/routes/dashboard.js

@@ -1331,7 +1331,7 @@ function createDashboardApiRouter(options = {}) {
       success: true,
       onboarding_complete: context.config.isOnboarded(),
       defaults: cfg.defaults || {},
-      agent: cfg.agent || {},
+      agent: (() => { const { private_key, ...pub } = cfg.agent || {}; return pub; })(),
       tiers,
       manifest: {
         never_disclose: manifest.never_disclose || [],

package/src/server.js

@@ -901,9 +901,12 @@ app.use('/dashboard', createDashboardUiRouter({
 }));
 app.use('/callbook', createCallbookRouter());
 
+// A2A-52: pass agent's public key so /status can advertise it
+const _a2aKeypair = config.getKeypair();
 app.use('/api/a2a', createRoutes({
   tokenStore,
   eventStore,
+  publicKey: _a2aKeypair ? _a2aKeypair.publicKey : null,
   logger: logger.child({ component: 'a2a.routes' }),
   onCallMonitor: (monitor) => {
     activeCallMonitor = monitor;