a2claude 0.1.0__tar.gz

a2claude-0.1.0/PKG-INFO

@@ -0,0 +1,188 @@
+Metadata-Version: 2.4
+Name: a2claude
+Version: 0.1.0
+Summary: Run Claude Code as an A2A protocol agent server.
+Keywords: a2a,claude-code,agent,agent2agent
+Author: kanywst
+License-Expression: Apache-2.0
+Requires-Dist: a2a-sdk[http-server]>=1.1,<2
+Requires-Dist: claude-agent-sdk>=0.2.101
+Requires-Dist: uvicorn>=0.49
+Requires-Dist: httpx>=0.28
+Requires-Dist: typer>=0.26
+Requires-Python: >=3.13
+Project-URL: Repository, https://github.com/kanywst/a2claude
+Description-Content-Type: text/markdown
+
+<img src="assets/mascot.png" alt="a2claude" width="150" align="right">
+
+# a2claude
+
+Run Claude Code as an [A2A](https://a2aprotocol.ai/) agent server. Other agents
+call it over the protocol; it drives a real Claude Code session in your project
+and streams back the actual work — the tools it runs, the diffs it writes, what
+it costs, and the permissions it needs.
+
+[![CI](https://github.com/kanywst/a2claude/actions/workflows/ci.yml/badge.svg)](https://github.com/kanywst/a2claude/actions/workflows/ci.yml)
+[![License: Apache 2.0](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
+[![Python 3.13+](https://img.shields.io/badge/python-3.13+-blue.svg)](https://www.python.org/)
+[![Protocol: A2A 1.0](https://img.shields.io/badge/protocol-A2A%201.0-D97757.svg)](https://a2aprotocol.ai/)
+
+![a2claude streaming a task, then pausing on a permission prompt](assets/demo.gif)
+
+Most "wrap a coding agent in A2A" adapters flatten everything to text in, text
+out. a2claude keeps the parts that matter for the agent on the other end: which
+tools ran, what files changed, what it cost, and how to continue the same
+session on the next turn.
+
+## How it maps to A2A
+
+| Claude Code produces | A2A surface it lands on |
+| --- | --- |
+| Assistant text | A streamed artifact (`append` / `last_chunk`) |
+| A tool call (Bash, Edit) | A `working` status update for the action |
+| A file edit | A named artifact carrying the diff |
+| Run result | Cost, turns, and usage on the completion message |
+| Session id | Mapped to the A2A `contextId` so follow-ups resume |
+
+The mapping lives in one place (`executor.py`). Backends only emit
+normalized events; they never touch the protocol.
+
+## Requirements
+
+- Python 3.13+
+- [uv](https://docs.astral.sh/uv/)
+- Claude Code CLI on `PATH` (only for the `claude` backend)
+
+## Quick start
+
+Install:
+
+```bash
+uv sync
+```
+
+The `echo` backend needs no API key and no Claude install, so you can
+exercise the whole path offline first:
+
+```bash
+uv run a2claude serve --backend echo &
+# once the "Uvicorn running" line appears:
+uv run a2claude call "fix the failing test"
+```
+
+```text
+task 189b1c63-1a7b-4908-87c4-c8f3bba8f6b5
+context 0b2a901e-2b6f-4c56-bba2-d0da546936e9
+
+  · Echo
+fix the failing test
+[completed] $0.0 · 1 turns
+```
+
+Then point it at a real project:
+
+```bash
+uv run a2claude serve --backend claude --cwd /path/to/project
+uv run a2claude call "add a /health endpoint" --url http://localhost:9100/
+```
+
+Continue the same conversation by passing the `context` from a previous turn:
+
+```bash
+uv run a2claude call "now add a test for it" --context <context-id>
+```
+
+## Commands
+
+| Command | Description |
+| --- | --- |
+| `a2claude serve` | Start the A2A server |
+| `a2claude call TEXT` | Send a message and print the streamed events |
+| `a2claude card` | Fetch and print the agent card |
+
+The agent card is served at `/.well-known/agent-card.json` and advertises
+Claude Code's abilities as discrete skills (generation, refactor, debug,
+review, test, explain).
+
+## Backends
+
+A backend turns a prompt into a stream of normalized events. Two ship today:
+
+- `echo` — no dependencies; mirrors the input. For wiring checks and tests.
+- `claude` — drives Claude Code through the Claude Agent SDK.
+
+The split keeps the A2A layer independent of how Claude Code is invoked, so
+a raw-CLI backend can be added later without touching the server or the
+protocol mapping.
+
+## Authentication
+
+The `claude` backend uses whatever the Claude CLI is configured with. When
+the server answers on behalf of other agents, that has to be an Anthropic API
+key (or Bedrock / Vertex) — Anthropic does not permit subscription
+credentials for third-party serving. Set a per-run cost ceiling with
+`--max-budget-usd`.
+
+## Permissions
+
+A tool that needs approval pauses the task in the A2A `input-required` state
+instead of being skipped. The caller answers with a follow-up message on the
+same task:
+
+```bash
+uv run a2claude call "sudo reboot"
+# ... [input-required] Permission requested for Bash: $ sudo reboot
+#       reply: a2claude call "allow" --task <id> --context <id>
+uv run a2claude call "allow" --task <id> --context <id>
+```
+
+`allow` (or `yes`, `approve`, `ok`) approves; anything else denies. The Claude
+session stays alive across the pause, so it resumes exactly where it stopped.
+
+The server does not inherit your personal Claude settings, so it has no
+pre-approved tool allowlist — every tool that needs approval routes through the
+caller. Read-only actions Claude already treats as safe still run without a
+prompt.
+
+## Long-running tasks
+
+The agent card advertises push notifications. A caller can register a webhook
+for a task and receive status and artifact updates by HTTP POST instead of
+holding a stream open — useful when a run takes minutes. Streaming and polling
+(`tasks/get`) both work too.
+
+## Development
+
+```bash
+uv sync --dev
+uv run ruff check src tests
+uv run ruff format src tests
+uv run mypy
+uv run pytest
+```
+
+CI runs these on Python 3.13 and 3.14, plus a Markdown lint, on every push and
+pull request.
+
+## Releasing
+
+Pushing a `v*` tag builds the package, creates a GitHub release with the
+artifacts, and publishes to PyPI via trusted publishing:
+
+```bash
+git tag v0.1.0
+git push origin v0.1.0
+```
+
+## Status
+
+The mapping is complete end to end and verified against real Claude: text round
+trip, tool-progress updates, streaming artifacts, file diffs as artifacts, run
+metadata, session continuity, the permission → `input-required` round trip, and
+push notifications. The offline `echo` backend covers every path including
+permissions, so it can all be exercised without an API key.
+
+## License
+
+Apache 2.0 — see [LICENSE](LICENSE).

a2claude-0.1.0/README.md

@@ -0,0 +1,172 @@
+<img src="assets/mascot.png" alt="a2claude" width="150" align="right">
+
+# a2claude
+
+Run Claude Code as an [A2A](https://a2aprotocol.ai/) agent server. Other agents
+call it over the protocol; it drives a real Claude Code session in your project
+and streams back the actual work — the tools it runs, the diffs it writes, what
+it costs, and the permissions it needs.
+
+[![CI](https://github.com/kanywst/a2claude/actions/workflows/ci.yml/badge.svg)](https://github.com/kanywst/a2claude/actions/workflows/ci.yml)
+[![License: Apache 2.0](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
+[![Python 3.13+](https://img.shields.io/badge/python-3.13+-blue.svg)](https://www.python.org/)
+[![Protocol: A2A 1.0](https://img.shields.io/badge/protocol-A2A%201.0-D97757.svg)](https://a2aprotocol.ai/)
+
+![a2claude streaming a task, then pausing on a permission prompt](assets/demo.gif)
+
+Most "wrap a coding agent in A2A" adapters flatten everything to text in, text
+out. a2claude keeps the parts that matter for the agent on the other end: which
+tools ran, what files changed, what it cost, and how to continue the same
+session on the next turn.
+
+## How it maps to A2A
+
+| Claude Code produces | A2A surface it lands on |
+| --- | --- |
+| Assistant text | A streamed artifact (`append` / `last_chunk`) |
+| A tool call (Bash, Edit) | A `working` status update for the action |
+| A file edit | A named artifact carrying the diff |
+| Run result | Cost, turns, and usage on the completion message |
+| Session id | Mapped to the A2A `contextId` so follow-ups resume |
+
+The mapping lives in one place (`executor.py`). Backends only emit
+normalized events; they never touch the protocol.
+
+## Requirements
+
+- Python 3.13+
+- [uv](https://docs.astral.sh/uv/)
+- Claude Code CLI on `PATH` (only for the `claude` backend)
+
+## Quick start
+
+Install:
+
+```bash
+uv sync
+```
+
+The `echo` backend needs no API key and no Claude install, so you can
+exercise the whole path offline first:
+
+```bash
+uv run a2claude serve --backend echo &
+# once the "Uvicorn running" line appears:
+uv run a2claude call "fix the failing test"
+```
+
+```text
+task 189b1c63-1a7b-4908-87c4-c8f3bba8f6b5
+context 0b2a901e-2b6f-4c56-bba2-d0da546936e9
+
+  · Echo
+fix the failing test
+[completed] $0.0 · 1 turns
+```
+
+Then point it at a real project:
+
+```bash
+uv run a2claude serve --backend claude --cwd /path/to/project
+uv run a2claude call "add a /health endpoint" --url http://localhost:9100/
+```
+
+Continue the same conversation by passing the `context` from a previous turn:
+
+```bash
+uv run a2claude call "now add a test for it" --context <context-id>
+```
+
+## Commands
+
+| Command | Description |
+| --- | --- |
+| `a2claude serve` | Start the A2A server |
+| `a2claude call TEXT` | Send a message and print the streamed events |
+| `a2claude card` | Fetch and print the agent card |
+
+The agent card is served at `/.well-known/agent-card.json` and advertises
+Claude Code's abilities as discrete skills (generation, refactor, debug,
+review, test, explain).
+
+## Backends
+
+A backend turns a prompt into a stream of normalized events. Two ship today:
+
+- `echo` — no dependencies; mirrors the input. For wiring checks and tests.
+- `claude` — drives Claude Code through the Claude Agent SDK.
+
+The split keeps the A2A layer independent of how Claude Code is invoked, so
+a raw-CLI backend can be added later without touching the server or the
+protocol mapping.
+
+## Authentication
+
+The `claude` backend uses whatever the Claude CLI is configured with. When
+the server answers on behalf of other agents, that has to be an Anthropic API
+key (or Bedrock / Vertex) — Anthropic does not permit subscription
+credentials for third-party serving. Set a per-run cost ceiling with
+`--max-budget-usd`.
+
+## Permissions
+
+A tool that needs approval pauses the task in the A2A `input-required` state
+instead of being skipped. The caller answers with a follow-up message on the
+same task:
+
+```bash
+uv run a2claude call "sudo reboot"
+# ... [input-required] Permission requested for Bash: $ sudo reboot
+#       reply: a2claude call "allow" --task <id> --context <id>
+uv run a2claude call "allow" --task <id> --context <id>
+```
+
+`allow` (or `yes`, `approve`, `ok`) approves; anything else denies. The Claude
+session stays alive across the pause, so it resumes exactly where it stopped.
+
+The server does not inherit your personal Claude settings, so it has no
+pre-approved tool allowlist — every tool that needs approval routes through the
+caller. Read-only actions Claude already treats as safe still run without a
+prompt.
+
+## Long-running tasks
+
+The agent card advertises push notifications. A caller can register a webhook
+for a task and receive status and artifact updates by HTTP POST instead of
+holding a stream open — useful when a run takes minutes. Streaming and polling
+(`tasks/get`) both work too.
+
+## Development
+
+```bash
+uv sync --dev
+uv run ruff check src tests
+uv run ruff format src tests
+uv run mypy
+uv run pytest
+```
+
+CI runs these on Python 3.13 and 3.14, plus a Markdown lint, on every push and
+pull request.
+
+## Releasing
+
+Pushing a `v*` tag builds the package, creates a GitHub release with the
+artifacts, and publishes to PyPI via trusted publishing:
+
+```bash
+git tag v0.1.0
+git push origin v0.1.0
+```
+
+## Status
+
+The mapping is complete end to end and verified against real Claude: text round
+trip, tool-progress updates, streaming artifacts, file diffs as artifacts, run
+metadata, session continuity, the permission → `input-required` round trip, and
+push notifications. The offline `echo` backend covers every path including
+permissions, so it can all be exercised without an API key.
+
+## License
+
+Apache 2.0 — see [LICENSE](LICENSE).

a2claude-0.1.0/pyproject.toml

@@ -0,0 +1,51 @@
+[project]
+name = "a2claude"
+version = "0.1.0"
+description = "Run Claude Code as an A2A protocol agent server."
+readme = "README.md"
+requires-python = ">=3.13"
+license = "Apache-2.0"
+authors = [{ name = "kanywst" }]
+keywords = ["a2a", "claude-code", "agent", "agent2agent"]
+dependencies = [
+    "a2a-sdk[http-server]>=1.1,<2",
+    "claude-agent-sdk>=0.2.101",
+    "uvicorn>=0.49",
+    "httpx>=0.28",
+    "typer>=0.26",
+]
+
+[project.scripts]
+a2claude = "a2claude.cli:app"
+
+[project.urls]
+Repository = "https://github.com/kanywst/a2claude"
+
+[dependency-groups]
+dev = [
+    "ruff>=0.15",
+    "pytest>=9",
+    "pytest-asyncio>=1.4",
+    "mypy>=2.1",
+]
+
+[build-system]
+requires = ["uv_build>=0.11.21,<0.12.0"]
+build-backend = "uv_build"
+
+[tool.ruff]
+line-length = 88
+target-version = "py313"
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP", "B", "SIM"]
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+testpaths = ["tests"]
+
+[tool.mypy]
+files = ["src"]
+python_version = "3.13"
+ignore_missing_imports = true
+check_untyped_defs = true

a2claude-0.1.0/src/a2claude/__init__.py

@@ -0,0 +1,9 @@
+"""Run Claude Code as an A2A protocol agent server."""
+
+from __future__ import annotations
+
+from .card import build_card
+from .executor import ClaudeCodeExecutor
+from .server import build_app
+
+__all__ = ["build_app", "build_card", "ClaudeCodeExecutor"]

a2claude-0.1.0/src/a2claude/backends/__init__.py

@@ -0,0 +1,47 @@
+"""Backends drive Claude Code and emit normalized events."""
+
+from __future__ import annotations
+
+from .base import (
+    Backend,
+    BackendEvent,
+    FileChange,
+    PermissionDecision,
+    PermissionRequest,
+    Result,
+    RunRequest,
+    TextDelta,
+    ToolUse,
+)
+from .echo import EchoBackend
+from .session import BackendSession
+
+__all__ = [
+    "Backend",
+    "BackendEvent",
+    "BackendSession",
+    "FileChange",
+    "PermissionDecision",
+    "PermissionRequest",
+    "Result",
+    "RunRequest",
+    "TextDelta",
+    "ToolUse",
+    "EchoBackend",
+    "make_backend",
+]
+
+
+def make_backend(name: str, **kwargs) -> Backend:
+    """Construct a backend by name.
+
+    ``claude`` is imported lazily so the echo backend works without the Claude
+    Agent SDK's runtime dependencies present.
+    """
+    if name == "echo":
+        return EchoBackend()
+    if name == "claude":
+        from .claude import ClaudeBackend
+
+        return ClaudeBackend(**kwargs)
+    raise ValueError(f"unknown backend: {name!r} (expected 'echo' or 'claude')")

a2claude-0.1.0/src/a2claude/backends/base.py

@@ -0,0 +1,96 @@
+"""Backend abstraction.
+
+A backend drives Claude Code and yields a normalized stream of events. The
+A2A layer never imports the Claude Agent SDK directly — it only consumes these
+events. That keeps the protocol mapping in one place and lets us swap the
+underlying driver (Agent SDK today, raw CLI later) without touching the server.
+
+Backends implement ``drive(session, request)``: they push events onto the
+session and, when a tool needs approval, call ``session.request_permission(...)``
+which parks until the A2A caller responds. This is what lets a permission prompt
+become an A2A ``input-required`` round trip rather than being silently skipped.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import TYPE_CHECKING, Any, Protocol, runtime_checkable
+
+if TYPE_CHECKING:
+    from .session import BackendSession
+
+
+@dataclass(slots=True)
+class TextDelta:
+    """A chunk of assistant-authored text."""
+
+    text: str
+
+
+@dataclass(slots=True)
+class ToolUse:
+    """The agent decided to run a tool (Bash, Edit, Read, ...)."""
+
+    name: str
+    tool_input: dict[str, Any]
+    tool_use_id: str
+
+
+@dataclass(slots=True)
+class FileChange:
+    """A file was written or edited during the run."""
+
+    path: str
+    diff: str
+
+
+@dataclass(slots=True)
+class PermissionRequest:
+    """A tool needs the caller's approval before it can run."""
+
+    request_id: str
+    tool_name: str
+    tool_input: dict[str, Any]
+    description: str = ""
+
+
+@dataclass(slots=True)
+class PermissionDecision:
+    """The caller's answer to a PermissionRequest."""
+
+    request_id: str
+    allow: bool
+    message: str = ""
+
+
+@dataclass(slots=True)
+class Result:
+    """Terminal event carrying run metadata."""
+
+    session_id: str | None = None
+    cost_usd: float | None = None
+    num_turns: int | None = None
+    usage: dict[str, Any] | None = None
+
+
+BackendEvent = TextDelta | ToolUse | FileChange | PermissionRequest | Result
+
+
+@dataclass(slots=True)
+class RunRequest:
+    """One turn of work handed to a backend."""
+
+    prompt: str
+    context_id: str | None = None
+    resume: str | None = None
+
+
+@runtime_checkable
+class Backend(Protocol):
+    """Anything that can drive Claude Code and emit normalized events."""
+
+    name: str
+
+    async def drive(self, session: BackendSession, request: RunRequest) -> None:
+        """Run one turn, emitting events onto ``session`` until it returns."""
+        ...

a2claude-0.1.0/src/a2claude/backends/claude.py

@@ -0,0 +1,125 @@
+"""Claude backend.
+
+Drives Claude Code through the Claude Agent SDK's bidirectional client and
+normalizes its typed message stream into backend events. Tool calls, file edits,
+run cost, and the session id — everything the "text in, text out" wrappers
+discard — are preserved for the A2A layer to map onto the protocol.
+
+Permission prompts are routed through ``can_use_tool`` into the session's
+``request_permission``, so the caller approves or denies a tool over A2A instead
+of the server skipping it.
+
+Authentication follows whatever the Claude CLI is configured with. For a server
+that answers on behalf of other agents that means an Anthropic API key (or
+Bedrock/Vertex); subscription credentials are not permitted for third-party
+serving.
+"""
+
+from __future__ import annotations
+
+import os
+from collections.abc import Iterator
+
+from claude_agent_sdk import (
+    AssistantMessage,
+    ClaudeAgentOptions,
+    ClaudeSDKClient,
+    PermissionMode,
+    PermissionResultAllow,
+    PermissionResultDeny,
+    ResultMessage,
+    SettingSource,
+    TextBlock,
+    ToolUseBlock,
+)
+
+from .base import BackendEvent, Result, RunRequest, TextDelta, ToolUse
+from .diff import file_changes
+from .session import BackendSession
+
+
+def events_from_message(message: object) -> Iterator[BackendEvent]:
+    """Map one Claude Agent SDK message to normalized backend events.
+
+    Pure and side-effect free so the translation can be unit tested without a
+    live Claude session.
+    """
+    if isinstance(message, AssistantMessage):
+        for block in message.content:
+            if isinstance(block, TextBlock):
+                if block.text:
+                    yield TextDelta(text=block.text)
+            elif isinstance(block, ToolUseBlock):
+                tool_input = dict(block.input or {})
+                yield ToolUse(block.name, tool_input, block.id)
+                yield from file_changes(block.name, tool_input)
+    elif isinstance(message, ResultMessage):
+        yield Result(
+            session_id=message.session_id,
+            cost_usd=message.total_cost_usd,
+            num_turns=message.num_turns,
+            usage=message.usage,
+        )
+
+
+class ClaudeBackend:
+    name = "claude"
+
+    def __init__(
+        self,
+        *,
+        cwd: str | None = None,
+        allowed_tools: list[str] | None = None,
+        permission_mode: PermissionMode | None = None,
+        model: str | None = None,
+        max_budget_usd: float | None = None,
+        setting_sources: list[SettingSource] | None = None,
+    ) -> None:
+        self.cwd = os.path.abspath(cwd or os.getcwd())
+        self.allowed_tools = allowed_tools
+        self.permission_mode = permission_mode
+        self.model = model
+        self.max_budget_usd = max_budget_usd
+        # A server should not inherit a developer's personal tool allowlist:
+        # default to loading no settings so every tool routes through the A2A
+        # permission round trip. Pass e.g. ["project"] to opt back in.
+        self.setting_sources: list[SettingSource] = (
+            [] if setting_sources is None else setting_sources
+        )
+
+    def _options(self, request: RunRequest, can_use_tool) -> ClaudeAgentOptions:
+        options = ClaudeAgentOptions(
+            cwd=self.cwd,
+            can_use_tool=can_use_tool,
+            setting_sources=self.setting_sources,
+        )
+        if request.resume:
+            options.resume = request.resume
+        if self.allowed_tools:
+            options.allowed_tools = self.allowed_tools
+        if self.permission_mode:
+            options.permission_mode = self.permission_mode
+        if self.model:
+            options.model = self.model
+        if self.max_budget_usd is not None:
+            options.max_budget_usd = self.max_budget_usd
+        return options
+
+    async def drive(self, session: BackendSession, request: RunRequest) -> None:
+        async def can_use_tool(tool_name, tool_input, context):
+            description = getattr(context, "display_name", "") or tool_name
+            decision = await session.request_permission(
+                tool_name, dict(tool_input or {}), description
+            )
+            if decision.allow:
+                return PermissionResultAllow()
+            return PermissionResultDeny(
+                message=decision.message or "Denied by A2A caller"
+            )
+
+        options = self._options(request, can_use_tool)
+        async with ClaudeSDKClient(options=options) as client:
+            await client.query(request.prompt)
+            async for message in client.receive_response():
+                for event in events_from_message(message):
+                    await session.emit(event)