a2a-lite 0.2.0__tar.gz → 0.2.2__tar.gz

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: a2a-lite
-Version: 0.2.0
+Version: 0.2.2
 Summary: Simplified wrapper for Google's A2A Protocol SDK
 Author: A2A Lite Contributors
 License-Expression: Apache-2.0
@@ -27,6 +27,8 @@ Provides-Extra: dev
 Requires-Dist: httpx>=0.25; extra == 'dev'
 Requires-Dist: pytest-asyncio>=0.21; extra == 'dev'
 Requires-Dist: pytest>=7.0; extra == 'dev'
+Provides-Extra: oauth
+Requires-Dist: pyjwt[crypto]>=2.0; extra == 'oauth'
 Description-Content-Type: text/markdown
 
 # A2A Lite - Python

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "a2a-lite"
-version = "0.2.0"
+version = "0.2.2"
 description = "Simplified wrapper for Google's A2A Protocol SDK"
 readme = "README.md"
 license = "Apache-2.0"
@@ -32,6 +32,9 @@ dependencies = [
 ]
 
 [project.optional-dependencies]
+oauth = [
+    "pyjwt[crypto]>=2.0",
+]
 dev = [
     "pytest>=7.0",
     "pytest-asyncio>=0.21",

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/__init__.py

@@ -102,7 +102,7 @@ from .auth import (
     require_auth,
 )
 
-__version__ = "0.2.0"
+__version__ = "0.2.2"
 
 __all__ = [
     # Core

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/agent.py

@@ -170,11 +170,14 @@ class Agent:
             import typing
             from .tasks import TaskContext as _TaskContext
             from .human_loop import InteractionContext as _InteractionContext
+            from .auth import AuthResult as _AuthResult
 
             needs_task_context = False
             needs_interaction = False
+            needs_auth = False
             task_context_param: str | None = None
             interaction_param: str | None = None
+            auth_param: str | None = None
 
             try:
                 resolved_hints = typing.get_type_hints(func)
@@ -190,6 +193,14 @@ class Agent:
                 elif _is_or_subclass(hint, _InteractionContext):
                     needs_interaction = True
                     interaction_param = param_name
+                elif _is_or_subclass(hint, _AuthResult):
+                    needs_auth = True
+                    auth_param = param_name
+
+            # Also detect require_auth decorator
+            if getattr(func, '__requires_auth__', False) and not needs_auth:
+                needs_auth = True
+                auth_param = auth_param or "auth"
 
             # Extract schemas
             input_schema, output_schema = extract_function_schemas(func)
@@ -205,8 +216,10 @@ class Agent:
                 is_streaming=is_streaming,
                 needs_task_context=needs_task_context,
                 needs_interaction=needs_interaction,
+                needs_auth=needs_auth,
                 task_context_param=task_context_param,
                 interaction_param=interaction_param,
+                auth_param=auth_param,
             )
 
             self._skills[skill_name] = skill_def
@@ -332,6 +345,10 @@ class Agent:
             task_store=self._task_store,
         )
 
+        # The SDK's InMemoryTaskStore handles protocol-level task lifecycle
+        # (task creation, state transitions per the A2A spec). This is separate
+        # from self._task_store which provides application-level tracking
+        # (progress updates, custom status) exposed via TaskContext to skills.
         request_handler = DefaultRequestHandler(
             agent_executor=executor,
             task_store=InMemoryTaskStore(),
@@ -379,11 +396,14 @@ class Agent:
         ))
 
         # Run startup hooks
-        for hook in self._on_startup:
-            if asyncio.iscoroutinefunction(hook):
-                asyncio.get_event_loop().run_until_complete(hook())
-            else:
-                hook()
+        async def _run_startup():
+            for hook in self._on_startup:
+                if asyncio.iscoroutinefunction(hook):
+                    await hook()
+                else:
+                    hook()
+        if self._on_startup:
+            asyncio.run(_run_startup())
 
         # Enable discovery if requested
         if enable_discovery:
@@ -430,11 +450,14 @@ class Agent:
             )
         finally:
             # Run shutdown hooks
-            for hook in self._on_shutdown:
-                if asyncio.iscoroutinefunction(hook):
-                    asyncio.get_event_loop().run_until_complete(hook())
-                else:
-                    hook()
+            async def _run_shutdown():
+                for hook in self._on_shutdown:
+                    if asyncio.iscoroutinefunction(hook):
+                        await hook()
+                    else:
+                        hook()
+            if self._on_shutdown:
+                asyncio.run(_run_shutdown())
 
             # Unregister discovery
             if self._discovery:
@@ -485,6 +508,7 @@ class Agent:
             task_store=self._task_store,
         )
 
+        # SDK task store for protocol-level lifecycle (separate from app-level self._task_store)
         request_handler = DefaultRequestHandler(
             agent_executor=executor,
             task_store=InMemoryTaskStore(),

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/auth.py

@@ -60,6 +60,17 @@ class AuthRequest:
     method: str = "POST"
     path: str = "/"
 
+    def get_header(self, name: str) -> Optional[str]:
+        """Get a header value (case-insensitive)."""
+        # Try exact match first, then case-insensitive
+        if name in self.headers:
+            return self.headers[name]
+        lower = name.lower()
+        for k, v in self.headers.items():
+            if k.lower() == lower:
+                return v
+        return None
+
 
 @dataclass
 class AuthResult:
@@ -128,8 +139,8 @@ class APIKeyAuth(AuthProvider):
         return hashlib.sha256(key.encode()).hexdigest()
 
     async def authenticate(self, request: AuthRequest) -> AuthResult:
-        # Check header
-        key = request.headers.get(self.header)
+        # Check header (case-insensitive)
+        key = request.get_header(self.header)
 
         # Check query param
         if not key and self.query_param:
@@ -179,7 +190,7 @@ class BearerAuth(AuthProvider):
         self.header = header
 
     async def authenticate(self, request: AuthRequest) -> AuthResult:
-        auth_header = request.headers.get(self.header, "")
+        auth_header = request.get_header(self.header) or ""
 
         if not auth_header.startswith("Bearer "):
             return AuthResult.failure("Bearer token required")
@@ -211,7 +222,7 @@ class OAuth2Auth(AuthProvider):
             audience="my-agent",
         )
 
-    Requires: pip install pyjwt[crypto]
+    Requires: pip install a2a-lite[oauth]
     """
 
     def __init__(
@@ -228,7 +239,7 @@ class OAuth2Auth(AuthProvider):
         self._jwks_client = None
 
     async def authenticate(self, request: AuthRequest) -> AuthResult:
-        auth_header = request.headers.get("Authorization", "")
+        auth_header = request.get_header("Authorization") or ""
 
         if not auth_header.startswith("Bearer "):
             return AuthResult.failure("Bearer token required")
@@ -266,7 +277,7 @@ class OAuth2Auth(AuthProvider):
 
         except ImportError:
             return AuthResult.failure(
-                "OAuth2 requires pyjwt: pip install pyjwt[crypto]"
+                "OAuth2 requires pyjwt: pip install a2a-lite[oauth]"
             )
         except Exception as e:
             return AuthResult.failure(f"Token validation failed: {str(e)}")

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/cli.py

@@ -75,7 +75,7 @@ version = "0.1.0"
 description = "A2A Agent: {name}"
 requires-python = ">=3.10"
 dependencies = [
-    "a2a-lite>=0.2.0",
+    "a2a-lite>=0.2.2",
 ]
 '''
     (project_path / "pyproject.toml").write_text(pyproject)

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/decorators.py

@@ -18,8 +18,10 @@ class SkillDefinition:
     is_streaming: bool = False
     needs_task_context: bool = False
     needs_interaction: bool = False
+    needs_auth: bool = False
     task_context_param: Optional[str] = None
     interaction_param: Optional[str] = None
+    auth_param: Optional[str] = None
 
     def to_dict(self) -> Dict[str, Any]:
         """Convert to dictionary for serialization."""

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/executor.py

@@ -59,6 +59,23 @@ class LiteAgentExecutor(AgentExecutor):
         from a2a.utils import new_agent_text_message
 
         try:
+            # Authenticate the request (always run to produce auth_result for injection)
+            auth_result = None
+            if self.auth_provider:
+                from .auth import AuthRequest, NoAuth
+                headers = {}
+                if context.call_context and context.call_context.state:
+                    headers = context.call_context.state.get('headers', {})
+                auth_request = AuthRequest(headers=headers)
+                auth_result = await self.auth_provider.authenticate(auth_request)
+                # Reject unauthenticated requests (unless NoAuth)
+                if not isinstance(self.auth_provider, NoAuth) and not auth_result.authenticated:
+                    error_msg = json.dumps({
+                        "error": auth_result.error or "Authentication failed",
+                    })
+                    await event_queue.enqueue_event(new_agent_text_message(error_msg))
+                    return
+
             # Extract message and parts
             message, parts = self._extract_message_and_parts(context)
 
@@ -72,9 +89,10 @@ class LiteAgentExecutor(AgentExecutor):
                 message=message,
             )
 
-            # Store parts in metadata for skill access
+            # Store parts and auth result in metadata for skill access
             ctx.metadata["parts"] = parts
             ctx.metadata["event_queue"] = event_queue
+            ctx.metadata["auth_result"] = auth_result
 
             # Define final handler
             async def final_handler(ctx: MiddlewareContext) -> Any:
@@ -120,7 +138,14 @@ class LiteAgentExecutor(AgentExecutor):
         if skill_name is None:
             if not self.skills:
                 return {"error": "No skills registered"}
-            skill_name = list(self.skills.keys())[0]
+            # Only auto-select if there's exactly one skill
+            if len(self.skills) == 1:
+                skill_name = list(self.skills.keys())[0]
+            else:
+                return {
+                    "error": "No skill specified. Use {\"skill\": \"name\", \"params\": {...}} format.",
+                    "available_skills": list(self.skills.keys()),
+                }
 
         if skill_name not in self.skills:
             return {
@@ -150,6 +175,10 @@ class LiteAgentExecutor(AgentExecutor):
             param_name = skill_def.interaction_param or "ctx"
             params[param_name] = interaction_ctx
 
+        if skill_def.needs_auth:
+            param_name = skill_def.auth_param or "auth"
+            params[param_name] = metadata.get("auth_result")
+
         # Call the handler
         handler = skill_def.handler
 
@@ -167,11 +196,19 @@ class LiteAgentExecutor(AgentExecutor):
         metadata: Dict[str, Any],
     ) -> Dict[str, Any]:
         """Convert parameters to Pydantic models and file parts if needed."""
+        import typing
         handler = skill_def.handler
-        hints = getattr(handler, '__annotations__', {})
+        try:
+            hints = typing.get_type_hints(handler)
+        except Exception:
+            hints = getattr(handler, '__annotations__', {})
+
+        from .parts import FilePart, DataPart
 
         converted = {}
         for param_name, value in params.items():
+            if param_name == 'return':
+                continue
             param_type = hints.get(param_name)
 
             if param_type is None:
@@ -181,13 +218,12 @@ class LiteAgentExecutor(AgentExecutor):
             # Skip special context types
             from .tasks import TaskContext as _TaskContext
             from .human_loop import InteractionContext as _InteractionContext
-            if _is_or_subclass(param_type, _TaskContext) or _is_or_subclass(param_type, _InteractionContext):
+            from .auth import AuthResult as _AuthResult
+            if _is_or_subclass(param_type, _TaskContext) or _is_or_subclass(param_type, _InteractionContext) or _is_or_subclass(param_type, _AuthResult):
                 continue
 
             # Convert FilePart
-            type_name = str(param_type)
-            if "FilePart" in type_name:
-                from .parts import FilePart
+            if _is_or_subclass(param_type, FilePart):
                 if isinstance(value, dict):
                     # Handle both A2A format and simple dict format
                     if "file" in value:
@@ -208,8 +244,7 @@ class LiteAgentExecutor(AgentExecutor):
                 continue
 
             # Convert DataPart
-            if "DataPart" in type_name:
-                from .parts import DataPart
+            if _is_or_subclass(param_type, DataPart):
                 if isinstance(value, dict):
                     # Handle both A2A format and simple dict format
                     if "type" in value and value.get("type") == "data":
@@ -317,7 +352,7 @@ class LiteAgentExecutor(AgentExecutor):
         if asyncio.iscoroutinefunction(handler):
             return await handler(*args, **kwargs)
         else:
-            loop = asyncio.get_event_loop()
+            loop = asyncio.get_running_loop()
             return await loop.run_in_executor(
                 None,
                 lambda: handler(*args, **kwargs)

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/middleware.py

@@ -159,7 +159,12 @@ def retry_middleware(max_retries: int = 3, delay: float = 1.0):
 
 def rate_limit_middleware(requests_per_minute: int = 60):
     """
-    Create a simple rate limiting middleware.
+    Create a simple in-process rate limiting middleware.
+
+    Note: This rate limiter is per-process. Under multi-worker uvicorn
+    (e.g., ``--workers 4``), each worker tracks limits independently.
+    For shared rate limiting across workers, use an external store
+    (Redis, etc.) and a custom middleware.
 
     Example:
         agent.add_middleware(rate_limit_middleware(requests_per_minute=100))

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/tasks.py

@@ -30,7 +30,7 @@ from __future__ import annotations
 import asyncio
 import logging
 from dataclasses import dataclass, field
-from datetime import datetime
+from datetime import datetime, timezone
 from enum import Enum
 from typing import Any, Callable, Dict, List, Optional
 from uuid import uuid4
@@ -55,7 +55,7 @@ class TaskStatus:
     state: TaskState
     message: Optional[str] = None
     progress: Optional[float] = None  # 0.0 to 1.0
-    timestamp: datetime = field(default_factory=datetime.utcnow)
+    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
 
     def to_dict(self) -> Dict[str, Any]:
         return {
@@ -77,8 +77,8 @@ class Task:
     error: Optional[str] = None
     artifacts: List[Any] = field(default_factory=list)
     history: List[TaskStatus] = field(default_factory=list)
-    created_at: datetime = field(default_factory=datetime.utcnow)
-    updated_at: datetime = field(default_factory=datetime.utcnow)
+    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
+    updated_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
 
     def update_status(
         self,
@@ -89,7 +89,7 @@ class Task:
         """Update task status."""
         self.history.append(self.status)
         self.status = TaskStatus(state=state, message=message, progress=progress)
-        self.updated_at = datetime.utcnow()
+        self.updated_at = datetime.now(timezone.utc)
 
 
 class TaskContext:

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/testing.py

@@ -214,7 +214,16 @@ class AgentTestClient:
                 result = await gen
                 results.append(result)
 
-        asyncio.get_event_loop().run_until_complete(run_handler())
+        # Handle both sync and async calling contexts
+        try:
+            asyncio.get_running_loop()
+            # Already in an async context — run in a separate thread
+            import concurrent.futures
+            with concurrent.futures.ThreadPoolExecutor(1) as pool:
+                pool.submit(asyncio.run, run_handler()).result()
+        except RuntimeError:
+            # No running loop — safe to use asyncio.run()
+            asyncio.run(run_handler())
         return results
 
 

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/utils.py

@@ -1,6 +1,7 @@
 """
 Helper functions for A2A Lite.
 """
+import typing
 from typing import Any, Dict, Type, get_origin, get_args, Union
 import inspect
 
@@ -103,7 +104,10 @@ def extract_function_schemas(func) -> tuple[Dict[str, Any], Dict[str, Any]]:
         Tuple of (input_schema, output_schema)
     """
     sig = inspect.signature(func)
-    hints = getattr(func, '__annotations__', {})
+    try:
+        hints = typing.get_type_hints(func)
+    except Exception:
+        hints = getattr(func, '__annotations__', {})
 
     # Build input schema from parameters
     properties = {}

{a2a_lite-0.2.0 → a2a_lite-0.2.2}/src/a2a_lite/webhooks.py

@@ -9,7 +9,7 @@ Simplifies sending notifications when tasks complete:
 """
 from __future__ import annotations
 
-from dataclasses import dataclass
+from dataclasses import dataclass, field
 from typing import Any, Callable, Dict, List, Optional
 import asyncio
 import json
@@ -19,15 +19,11 @@ import json
 class WebhookConfig:
     """Configuration for a webhook endpoint."""
     url: str
-    headers: Dict[str, str] = None
+    headers: Dict[str, str] = field(default_factory=dict)
     retry_count: int = 3
     retry_delay: float = 1.0
     timeout: float = 30.0
 
-    def __post_init__(self):
-        if self.headers is None:
-            self.headers = {}
-
 
 class WebhookClient:
     """

a2a_lite-0.2.2/tests/test_auth.py

@@ -0,0 +1,378 @@
+"""
+Tests for authentication providers.
+"""
+import pytest
+from a2a_lite.auth import (
+    AuthRequest,
+    AuthResult,
+    NoAuth,
+    APIKeyAuth,
+    BearerAuth,
+    CompositeAuth,
+    require_auth,
+)
+
+
+class TestAuthResult:
+    def test_success(self):
+        result = AuthResult.success(user_id="user-123", scopes={"read", "write"})
+
+        assert result.authenticated is True
+        assert result.user_id == "user-123"
+        assert "read" in result.scopes
+
+    def test_failure(self):
+        result = AuthResult.failure("Invalid token")
+
+        assert result.authenticated is False
+        assert result.error == "Invalid token"
+
+
+class TestNoAuth:
+    @pytest.mark.asyncio
+    async def test_always_succeeds(self):
+        auth = NoAuth()
+        request = AuthRequest(headers={})
+
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is True
+        assert result.user_id == "anonymous"
+
+    def test_empty_scheme(self):
+        auth = NoAuth()
+        assert auth.get_scheme() == {}
+
+
+class TestAPIKeyAuth:
+    @pytest.mark.asyncio
+    async def test_valid_key_in_header(self):
+        auth = APIKeyAuth(keys=["secret-key", "another-key"])
+        request = AuthRequest(headers={"X-API-Key": "secret-key"})
+
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is True
+        assert result.user_id is not None
+
+    @pytest.mark.asyncio
+    async def test_invalid_key(self):
+        auth = APIKeyAuth(keys=["secret-key"])
+        request = AuthRequest(headers={"X-API-Key": "wrong-key"})
+
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is False
+        assert "Invalid" in result.error
+
+    @pytest.mark.asyncio
+    async def test_missing_key(self):
+        auth = APIKeyAuth(keys=["secret-key"])
+        request = AuthRequest(headers={})
+
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is False
+        assert "required" in result.error.lower()
+
+    @pytest.mark.asyncio
+    async def test_custom_header(self):
+        auth = APIKeyAuth(keys=["key123"], header="Authorization")
+        request = AuthRequest(headers={"Authorization": "key123"})
+
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is True
+
+    @pytest.mark.asyncio
+    async def test_query_param(self):
+        auth = APIKeyAuth(keys=["key123"], query_param="api_key")
+        request = AuthRequest(headers={}, query_params={"api_key": "key123"})
+
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is True
+
+    def test_scheme(self):
+        auth = APIKeyAuth(keys=["key"], header="X-API-Key")
+        scheme = auth.get_scheme()
+
+        assert scheme["type"] == "apiKey"
+        assert scheme["in"] == "header"
+        assert scheme["name"] == "X-API-Key"
+
+
+class TestBearerAuth:
+    @pytest.mark.asyncio
+    async def test_valid_token(self):
+        def validator(token):
+            if token == "valid-token":
+                return "user-123"
+            return None
+
+        auth = BearerAuth(validator=validator)
+        request = AuthRequest(headers={"Authorization": "Bearer valid-token"})
+
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is True
+        assert result.user_id == "user-123"
+
+    @pytest.mark.asyncio
+    async def test_invalid_token(self):
+        def validator(token):
+            return None
+
+        auth = BearerAuth(validator=validator)
+        request = AuthRequest(headers={"Authorization": "Bearer invalid"})
+
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is False
+
+    @pytest.mark.asyncio
+    async def test_missing_bearer_prefix(self):
+        auth = BearerAuth(validator=lambda t: "user")
+        request = AuthRequest(headers={"Authorization": "token-without-bearer"})
+
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is False
+
+    def test_scheme(self):
+        auth = BearerAuth(validator=lambda t: None)
+        scheme = auth.get_scheme()
+
+        assert scheme["type"] == "http"
+        assert scheme["scheme"] == "bearer"
+
+
+class TestCompositeAuth:
+    @pytest.mark.asyncio
+    async def test_first_match_wins(self):
+        auth = CompositeAuth([
+            APIKeyAuth(keys=["api-key"]),
+            BearerAuth(validator=lambda t: "bearer-user" if t == "token" else None),
+        ])
+
+        # API key should work
+        request1 = AuthRequest(headers={"X-API-Key": "api-key"})
+        result1 = await auth.authenticate(request1)
+        assert result1.authenticated is True
+
+        # Bearer should also work
+        request2 = AuthRequest(headers={"Authorization": "Bearer token"})
+        result2 = await auth.authenticate(request2)
+        assert result2.authenticated is True
+
+    @pytest.mark.asyncio
+    async def test_all_fail(self):
+        auth = CompositeAuth([
+            APIKeyAuth(keys=["key1"]),
+            APIKeyAuth(keys=["key2"]),
+        ])
+
+        request = AuthRequest(headers={"X-API-Key": "wrong"})
+        result = await auth.authenticate(request)
+
+        assert result.authenticated is False
+
+
+class TestAuthIntegration:
+    """Test that auth is actually enforced in the HTTP request pipeline."""
+
+    def _make_agent_with_auth(self):
+        from a2a_lite import Agent
+        agent = Agent(
+            name="SecureAgent",
+            description="Auth integration test",
+            auth=APIKeyAuth(keys=["valid-key"]),
+        )
+
+        @agent.skill("secret")
+        async def secret(data: str) -> str:
+            return f"secret: {data}"
+
+        return agent
+
+    def test_unauthenticated_request_rejected(self):
+        """Requests without a valid API key should be rejected."""
+        from starlette.testclient import TestClient
+        import json
+        from uuid import uuid4
+
+        agent = self._make_agent_with_auth()
+        app = agent.get_app()
+        client = TestClient(app)
+
+        request_body = {
+            "jsonrpc": "2.0",
+            "method": "message/send",
+            "id": uuid4().hex,
+            "params": {
+                "message": {
+                    "role": "user",
+                    "parts": [{"type": "text", "text": json.dumps({"skill": "secret", "params": {"data": "hello"}})}],
+                    "messageId": uuid4().hex,
+                }
+            }
+        }
+
+        response = client.post("/", json=request_body)
+        data = response.json()
+
+        # The response should contain an auth error, not the skill result
+        result_text = data.get("result", {}).get("parts", [{}])[0].get("text", "")
+        assert "error" in result_text.lower() or "auth" in result_text.lower() or "key" in result_text.lower()
+        assert "secret: hello" not in result_text
+
+    def test_authenticated_request_succeeds(self):
+        """Requests with a valid API key should succeed."""
+        from starlette.testclient import TestClient
+        import json
+        from uuid import uuid4
+
+        agent = self._make_agent_with_auth()
+        app = agent.get_app()
+        client = TestClient(app)
+
+        request_body = {
+            "jsonrpc": "2.0",
+            "method": "message/send",
+            "id": uuid4().hex,
+            "params": {
+                "message": {
+                    "role": "user",
+                    "parts": [{"type": "text", "text": json.dumps({"skill": "secret", "params": {"data": "hello"}})}],
+                    "messageId": uuid4().hex,
+                }
+            }
+        }
+
+        response = client.post(
+            "/",
+            json=request_body,
+            headers={"X-API-Key": "valid-key"},
+        )
+        data = response.json()
+
+        result_text = data.get("result", {}).get("parts", [{}])[0].get("text", "")
+        assert "secret: hello" in result_text
+
+    def test_wrong_key_rejected(self):
+        """Requests with an invalid API key should be rejected."""
+        from starlette.testclient import TestClient
+        import json
+        from uuid import uuid4
+
+        agent = self._make_agent_with_auth()
+        app = agent.get_app()
+        client = TestClient(app)
+
+        request_body = {
+            "jsonrpc": "2.0",
+            "method": "message/send",
+            "id": uuid4().hex,
+            "params": {
+                "message": {
+                    "role": "user",
+                    "parts": [{"type": "text", "text": json.dumps({"skill": "secret", "params": {"data": "hello"}})}],
+                    "messageId": uuid4().hex,
+                }
+            }
+        }
+
+        response = client.post(
+            "/",
+            json=request_body,
+            headers={"X-API-Key": "wrong-key"},
+        )
+        data = response.json()
+
+        result_text = data.get("result", {}).get("parts", [{}])[0].get("text", "")
+        assert "secret: hello" not in result_text
+
+
+class TestRequireAuth:
+    """Test that require_auth decorator receives AuthResult from executor."""
+
+    def test_require_auth_receives_auth_result(self):
+        """Skills decorated with require_auth should receive the AuthResult."""
+        from a2a_lite import Agent
+        from a2a_lite.testing import AgentTestClient
+        from starlette.testclient import TestClient
+        import json
+        from uuid import uuid4
+
+        agent = Agent(
+            name="AuthTest",
+            description="require_auth test",
+            auth=APIKeyAuth(keys=["my-key"]),
+        )
+
+        @agent.skill("admin")
+        @require_auth(scopes=["admin"])
+        async def admin_action(data: str, auth: AuthResult) -> str:
+            return f"admin:{auth.user_id}:{data}"
+
+        app = agent.get_app()
+        client = TestClient(app)
+
+        # Without auth — should be rejected at the gate
+        request_body = {
+            "jsonrpc": "2.0",
+            "method": "message/send",
+            "id": uuid4().hex,
+            "params": {
+                "message": {
+                    "role": "user",
+                    "parts": [{"type": "text", "text": json.dumps({"skill": "admin", "params": {"data": "hello"}})}],
+                    "messageId": uuid4().hex,
+                }
+            }
+        }
+        response = client.post("/", json=request_body)
+        result_text = response.json().get("result", {}).get("parts", [{}])[0].get("text", "")
+        assert "admin:" not in result_text
+
+        # With valid auth — require_auth checks scopes (no admin scope, so should fail)
+        response = client.post("/", json=request_body, headers={"X-API-Key": "my-key"})
+        result_text = response.json().get("result", {}).get("parts", [{}])[0].get("text", "")
+        assert "Insufficient permissions" in result_text or "error" in result_text.lower()
+
+    def test_auth_param_injected_without_decorator(self):
+        """Skills with auth: AuthResult parameter should receive it directly."""
+        from a2a_lite import Agent
+        from starlette.testclient import TestClient
+        import json
+        from uuid import uuid4
+
+        agent = Agent(
+            name="AuthTest2",
+            description="auth param test",
+            auth=APIKeyAuth(keys=["my-key"]),
+        )
+
+        @agent.skill("whoami")
+        async def whoami(auth: AuthResult) -> str:
+            return f"user:{auth.user_id}"
+
+        app = agent.get_app()
+        client = TestClient(app)
+
+        request_body = {
+            "jsonrpc": "2.0",
+            "method": "message/send",
+            "id": uuid4().hex,
+            "params": {
+                "message": {
+                    "role": "user",
+                    "parts": [{"type": "text", "text": json.dumps({"skill": "whoami", "params": {}})}],
+                    "messageId": uuid4().hex,
+                }
+            }
+        }
+
+        response = client.post("/", json=request_body, headers={"X-API-Key": "my-key"})
+        result_text = response.json().get("result", {}).get("parts", [{}])[0].get("text", "")
+        assert result_text.startswith("user:")

a2a_lite-0.2.0/tests/test_auth.py

@@ -1,177 +0,0 @@
-"""
-Tests for authentication providers.
-"""
-import pytest
-from a2a_lite.auth import (
-    AuthRequest,
-    AuthResult,
-    NoAuth,
-    APIKeyAuth,
-    BearerAuth,
-    CompositeAuth,
-)
-
-
-class TestAuthResult:
-    def test_success(self):
-        result = AuthResult.success(user_id="user-123", scopes={"read", "write"})
-
-        assert result.authenticated is True
-        assert result.user_id == "user-123"
-        assert "read" in result.scopes
-
-    def test_failure(self):
-        result = AuthResult.failure("Invalid token")
-
-        assert result.authenticated is False
-        assert result.error == "Invalid token"
-
-
-class TestNoAuth:
-    @pytest.mark.asyncio
-    async def test_always_succeeds(self):
-        auth = NoAuth()
-        request = AuthRequest(headers={})
-
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is True
-        assert result.user_id == "anonymous"
-
-    def test_empty_scheme(self):
-        auth = NoAuth()
-        assert auth.get_scheme() == {}
-
-
-class TestAPIKeyAuth:
-    @pytest.mark.asyncio
-    async def test_valid_key_in_header(self):
-        auth = APIKeyAuth(keys=["secret-key", "another-key"])
-        request = AuthRequest(headers={"X-API-Key": "secret-key"})
-
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is True
-        assert result.user_id is not None
-
-    @pytest.mark.asyncio
-    async def test_invalid_key(self):
-        auth = APIKeyAuth(keys=["secret-key"])
-        request = AuthRequest(headers={"X-API-Key": "wrong-key"})
-
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is False
-        assert "Invalid" in result.error
-
-    @pytest.mark.asyncio
-    async def test_missing_key(self):
-        auth = APIKeyAuth(keys=["secret-key"])
-        request = AuthRequest(headers={})
-
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is False
-        assert "required" in result.error.lower()
-
-    @pytest.mark.asyncio
-    async def test_custom_header(self):
-        auth = APIKeyAuth(keys=["key123"], header="Authorization")
-        request = AuthRequest(headers={"Authorization": "key123"})
-
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is True
-
-    @pytest.mark.asyncio
-    async def test_query_param(self):
-        auth = APIKeyAuth(keys=["key123"], query_param="api_key")
-        request = AuthRequest(headers={}, query_params={"api_key": "key123"})
-
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is True
-
-    def test_scheme(self):
-        auth = APIKeyAuth(keys=["key"], header="X-API-Key")
-        scheme = auth.get_scheme()
-
-        assert scheme["type"] == "apiKey"
-        assert scheme["in"] == "header"
-        assert scheme["name"] == "X-API-Key"
-
-
-class TestBearerAuth:
-    @pytest.mark.asyncio
-    async def test_valid_token(self):
-        def validator(token):
-            if token == "valid-token":
-                return "user-123"
-            return None
-
-        auth = BearerAuth(validator=validator)
-        request = AuthRequest(headers={"Authorization": "Bearer valid-token"})
-
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is True
-        assert result.user_id == "user-123"
-
-    @pytest.mark.asyncio
-    async def test_invalid_token(self):
-        def validator(token):
-            return None
-
-        auth = BearerAuth(validator=validator)
-        request = AuthRequest(headers={"Authorization": "Bearer invalid"})
-
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is False
-
-    @pytest.mark.asyncio
-    async def test_missing_bearer_prefix(self):
-        auth = BearerAuth(validator=lambda t: "user")
-        request = AuthRequest(headers={"Authorization": "token-without-bearer"})
-
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is False
-
-    def test_scheme(self):
-        auth = BearerAuth(validator=lambda t: None)
-        scheme = auth.get_scheme()
-
-        assert scheme["type"] == "http"
-        assert scheme["scheme"] == "bearer"
-
-
-class TestCompositeAuth:
-    @pytest.mark.asyncio
-    async def test_first_match_wins(self):
-        auth = CompositeAuth([
-            APIKeyAuth(keys=["api-key"]),
-            BearerAuth(validator=lambda t: "bearer-user" if t == "token" else None),
-        ])
-
-        # API key should work
-        request1 = AuthRequest(headers={"X-API-Key": "api-key"})
-        result1 = await auth.authenticate(request1)
-        assert result1.authenticated is True
-
-        # Bearer should also work
-        request2 = AuthRequest(headers={"Authorization": "Bearer token"})
-        result2 = await auth.authenticate(request2)
-        assert result2.authenticated is True
-
-    @pytest.mark.asyncio
-    async def test_all_fail(self):
-        auth = CompositeAuth([
-            APIKeyAuth(keys=["key1"]),
-            APIKeyAuth(keys=["key2"]),
-        ])
-
-        request = AuthRequest(headers={"X-API-Key": "wrong"})
-        result = await auth.authenticate(request)
-
-        assert result.authenticated is False