opencode-a2a-server 0.2.1__tar.gz → 0.2.2__tar.gz

{opencode_a2a_server-0.2.1 → opencode_a2a_server-0.2.2}/.secrets.baseline

@@ -126,16 +126,6 @@
       "path": "detect_secrets.filters.heuristic.is_templated_secret"
     }
   ],
-  "results": {
-    "scripts/init_system.sh": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "scripts/init_system.sh",
-        "hashed_secret": "96183ea4ff07d786ed3233777364ddbf14eb74cc",
-        "is_verified": false,
-        "line_number": 25
-      }
-    ]
-  },
-  "generated_at": "2026-03-17T13:35:29Z"
+  "results": {},
+  "generated_at": "2026-03-19T03:57:43Z"
 }

{opencode_a2a_server-0.2.1 → opencode_a2a_server-0.2.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: opencode-a2a-server
-Version: 0.2.1
+Version: 0.2.2
 Summary: A2A wrapper service for opencode
 Author: liujuanjuan1984@Intelligent-Internet
 License-Expression: Apache-2.0
@@ -38,12 +38,12 @@ Dynamic: license-file
 
 # opencode-a2a-server
 
-> Turn OpenCode into a stateful A2A service with a clear runtime boundary and production-friendly deployment workflow.
+> Turn OpenCode into a stateful A2A service with a clear runtime boundary.
 
 `opencode-a2a-server` exposes OpenCode through standard A2A interfaces and adds
-the operational pieces that raw agent runtimes usually do not provide by
-default: authentication, session continuity, streaming contracts, interrupt
-handling, deployment tooling, and explicit security guidance.
+the runtime pieces that raw agent runtimes usually do not provide by default:
+authentication, session continuity, streaming contracts, interrupt handling,
+and explicit security guidance.
 
 ## Why This Project Exists
 
@@ -52,7 +52,8 @@ need a stable service layer around it. This repository provides that layer by:
 
 - bridging A2A transport contracts to OpenCode session/message/event APIs
 - making session and interrupt behavior explicit and auditable
-- packaging release-first deployment scripts and operational guidance for long-running use
+- keeping the server/runtime contract explicit while leaving deployment
+  supervision to the operator
 
 ## What It Already Provides
 
@@ -64,7 +65,7 @@ need a stable service layer around it. This repository provides that layer by:
 - session continuation via `metadata.shared.session.id`
 - request-scoped model selection via `metadata.shared.model`
 - OpenCode session query/control extensions and provider/model discovery
-- released CLI install/upgrade flow and release-based systemd deployment
+- released CLI install/upgrade flow and a foreground runtime entrypoint
 
 ## Extension Capability Overview
 
@@ -96,7 +97,9 @@ Detailed consumption guidance:
 One `OpenCode + opencode-a2a-server` instance pair is treated as a
 single-tenant trust boundary.
 
-This repository's intended scaling model is parameterized self-deployment: consumers should launch their own isolated instance pairs through the provided deployment scripts instead of sharing one runtime across mutually untrusted tenants.
+This repository's intended scaling model is parameterized self-deployment:
+consumers should launch their own isolated instance pairs instead of sharing
+one runtime across mutually untrusted tenants.
 
 - OpenCode may manage multiple projects/directories, but one deployed instance
   is not a secure multi-tenant runtime.
@@ -115,7 +118,6 @@ flowchart TD
     Mapping --> Runtime["OpenCode HTTP runtime"]
 
     Api --> Auth["Bearer auth + request logging controls"]
-    Api --> Deploy["release-based deployment tooling"]
     Runtime --> Workspace["Shared workspace / environment boundary"]
 ```
 
@@ -141,13 +143,14 @@ hard multi-tenant isolation layer.
   isolation boundary inside one deployed instance.
 - LLM provider keys are consumed by the OpenCode process. Prompt injection or
   indirect exfiltration attempts may still expose sensitive values.
-- systemd deploy defaults use operator-provisioned root-only secret files
-  unless `ENABLE_SECRET_PERSISTENCE=true` is explicitly enabled.
+- Deployment supervision is intentionally BYO. If you wrap this runtime with
+  `systemd`, Docker, Kubernetes, or another supervisor, you own the service
+  user, secret storage, restart policy, and hardening choices.
 
 Read before deployment:
 
 - [SECURITY.md](SECURITY.md)
-- [scripts/deploy_release_readme.md](scripts/deploy_release_readme.md)
+- [docs/guide.md](docs/guide.md)
 
 ## User Paths
 
@@ -184,12 +187,36 @@ opencode serve
 
 A2A_BEARER_TOKEN=prod-token \
 A2A_PUBLIC_URL=http://127.0.0.1:8000 \
-OPENCODE_DIRECTORY=/abs/path/to/workspace \
-opencode-a2a-server
+OPENCODE_WORKSPACE_ROOT=/abs/path/to/workspace \
+opencode-a2a-server serve
 ```
 
+`OPENCODE_WORKSPACE_ROOT` is the default workspace root that this runtime
+exposes to OpenCode.
+
 Default address: `http://127.0.0.1:8000`
 
+Common runtime variables:
+
+| Variable | Required | Default | Purpose |
+| --- | --- | --- | --- |
+| `A2A_BEARER_TOKEN` | Yes | None | Bearer token required for authenticated runtime requests. |
+| `OPENCODE_BASE_URL` | No | `http://127.0.0.1:4096` | Upstream OpenCode HTTP endpoint. |
+| `OPENCODE_WORKSPACE_ROOT` | No | None | Default workspace root exposed to OpenCode. |
+| `OPENCODE_PROVIDER_ID` | No | None | Default provider for the upstream runtime. |
+| `OPENCODE_MODEL_ID` | No | None | Default model for the upstream runtime. Set together with `OPENCODE_PROVIDER_ID`. |
+| `A2A_HOST` | No | `127.0.0.1` | Bind host for the A2A server. |
+| `A2A_PORT` | No | `8000` | Bind port for the A2A server. |
+| `A2A_PUBLIC_URL` | No | `http://127.0.0.1:8000` | Public base URL advertised by the Agent Card. |
+| `A2A_LOG_LEVEL` | No | `WARNING` | Server log level. |
+| `A2A_LOG_PAYLOADS` | No | `false` | Enable request/response payload logging. |
+| `A2A_LOG_BODY_LIMIT` | No | `0` | Payload preview size used when payload logging is enabled. |
+| `A2A_MAX_REQUEST_BODY_BYTES` | No | `1048576` | Maximum accepted request size. |
+| `A2A_ALLOW_DIRECTORY_OVERRIDE` | No | `true` | Allow request-level `metadata.opencode.directory` overrides. |
+| `A2A_ENABLE_SESSION_SHELL` | No | `false` | Enable high-risk `opencode.sessions.shell`. |
+| `OPENCODE_TIMEOUT` | No | `120` | Upstream OpenCode request timeout in seconds. |
+| `OPENCODE_TIMEOUT_STREAM` | No | None | Upstream OpenCode stream timeout override in seconds. |
+
 If you omit `OPENCODE_PROVIDER_ID` / `OPENCODE_MODEL_ID`, `opencode serve`
 uses your local OpenCode defaults (for example `~/.config/opencode/opencode.json`).
 
@@ -201,36 +228,63 @@ official docs and CLI:
 - Local checks: `opencode auth list`, `opencode models`, `opencode models <provider>`
 
 This path is for users who already manage their own shell, workspace, and
-process lifecycle. No host bootstrap script is required.
+process lifecycle.
+
+Use any supervisor you prefer for long-running operation:
 
-### Path 2: Formal systemd Deploy From a Released Version
+- `systemd`
+- Docker / container runtimes
+- Kubernetes
+- `supervisord`, `pm2`, or similar process managers
 
-For long-running systemd deployments, use the release-based scripts:
+The project no longer ships built-in host bootstrap or process-manager
+wrappers. The official product surface is the runtime entrypoint itself.
+
+Minimal `systemd` example:
+
+1. Create an env file such as `/etc/opencode-a2a/alpha.env`:
 
 ```bash
-./scripts/init_release_system.sh
-./scripts/deploy_release.sh project=alpha a2a_port=8010 a2a_host=127.0.0.1
+A2A_BEARER_TOKEN=replace-me
+A2A_HOST=127.0.0.1
+A2A_PORT=8000
+A2A_PUBLIC_URL=https://a2a.example.com
+OPENCODE_BASE_URL=http://127.0.0.1:4096
+OPENCODE_WORKSPACE_ROOT=/srv/my-workspace
 ```
 
-This path is for users who want:
+2. Create a unit file such as `/etc/systemd/system/opencode-a2a-server.service`:
+
+```ini
+[Unit]
+Description=OpenCode A2A Server
+After=network-online.target
+Wants=network-online.target
 
-- isolated Linux users and per-project directories
-- systemd-managed restart behavior
-- root-only secret files
-- published package versions as the deployment boundary
+[Service]
+Type=simple
+WorkingDirectory=/srv/my-workspace
+EnvironmentFile=/etc/opencode-a2a/alpha.env
+ExecStart=/home/dev/.local/bin/opencode-a2a-server serve
+Restart=on-failure
+RestartSec=2
 
-Primary operator docs:
+[Install]
+WantedBy=multi-user.target
+```
+
+Replace `ExecStart` with the absolute path returned by `command -v opencode-a2a-server`.
 
-- [scripts/init_release_system.sh](scripts/init_release_system.sh)
-- [scripts/deploy_release.sh](scripts/deploy_release.sh)
-- [scripts/deploy_release_readme.md](scripts/deploy_release_readme.md)
-- [docs/release_deploy_smoke_test.md](docs/release_deploy_smoke_test.md)
+Migration notes:
+
+- `OPENCODE_DIRECTORY` has been removed. Use `OPENCODE_WORKSPACE_ROOT`.
+- Built-in `init-release-system`, `deploy-release`, and `uninstall-instance` have been removed.
+- Secret storage, service users, restart policy, and supervisor configuration are now operator-managed.
 
 ## Contributor Paths
 
 Use the repository checkout directly only for development, local debugging, or
-validation against unreleased changes. Source-based deploy/bootstrap docs are
-kept for contributors and internal debugging, not as the recommended user path.
+validation against unreleased changes.
 
 Quick source run:
 
@@ -243,8 +297,8 @@ OPENCODE_MODEL_ID=gemini-3.1-pro-preview \
 opencode serve
 
 A2A_BEARER_TOKEN=dev-token \
-OPENCODE_DIRECTORY=/abs/path/to/workspace \
-uv run opencode-a2a-server
+OPENCODE_WORKSPACE_ROOT=/abs/path/to/workspace \
+uv run opencode-a2a-server serve
 ```
 
 Baseline validation:
@@ -256,34 +310,17 @@ uv run pytest
 
 ## Documentation Map
 
-### User / Operator Docs
+### User Docs
 
 - [docs/guide.md](docs/guide.md)
   Product behavior, API contracts, and detailed streaming/session/interrupt
   consumption guidance.
+- [SECURITY.md](SECURITY.md)
+  Threat model, deployment caveats, and vulnerability disclosure guidance.
 - [CONTRIBUTING.md](CONTRIBUTING.md)
   Contributor workflow, validation baseline, and documentation expectations.
-- [docs/agent_deploy_sop.md](docs/agent_deploy_sop.md)
-  Operator-facing SOP for release-based deployment, verification, and uninstall.
-- [docs/release_deploy_smoke_test.md](docs/release_deploy_smoke_test.md)
-  Real-host smoke test checklist for release-based systemd deployment.
-- [scripts/deploy_release_readme.md](scripts/deploy_release_readme.md)
-  Release-based systemd deployment guide for published package versions.
-- [scripts/init_release_system_readme.md](scripts/init_release_system_readme.md)
-  Release-based host bootstrap guide that avoids source checkout.
-- [scripts/uninstall_readme.md](scripts/uninstall_readme.md)
-  Preview-first uninstall flow for deployed instances.
 - [scripts/README.md](scripts/README.md)
-  Full script index, including contributor/internal paths.
-
-### Contributor / Internal Docs
-
-- [scripts/deploy_readme.md](scripts/deploy_readme.md)
-  Source-based systemd deployment for development/debugging only.
-- [scripts/init_system_readme.md](scripts/init_system_readme.md)
-  Source-based host bootstrap for contributor/internal workflows.
-- [SECURITY.md](SECURITY.md)
-  threat model, deployment caveats, and vulnerability disclosure guidance.
+  Contributor helper script index.
 
 ## License
 

{opencode_a2a_server-0.2.1 → opencode_a2a_server-0.2.2}/README.md

@@ -1,11 +1,11 @@
 # opencode-a2a-server
 
-> Turn OpenCode into a stateful A2A service with a clear runtime boundary and production-friendly deployment workflow.
+> Turn OpenCode into a stateful A2A service with a clear runtime boundary.
 
 `opencode-a2a-server` exposes OpenCode through standard A2A interfaces and adds
-the operational pieces that raw agent runtimes usually do not provide by
-default: authentication, session continuity, streaming contracts, interrupt
-handling, deployment tooling, and explicit security guidance.
+the runtime pieces that raw agent runtimes usually do not provide by default:
+authentication, session continuity, streaming contracts, interrupt handling,
+and explicit security guidance.
 
 ## Why This Project Exists
 
@@ -14,7 +14,8 @@ need a stable service layer around it. This repository provides that layer by:
 
 - bridging A2A transport contracts to OpenCode session/message/event APIs
 - making session and interrupt behavior explicit and auditable
-- packaging release-first deployment scripts and operational guidance for long-running use
+- keeping the server/runtime contract explicit while leaving deployment
+  supervision to the operator
 
 ## What It Already Provides
 
@@ -26,7 +27,7 @@ need a stable service layer around it. This repository provides that layer by:
 - session continuation via `metadata.shared.session.id`
 - request-scoped model selection via `metadata.shared.model`
 - OpenCode session query/control extensions and provider/model discovery
-- released CLI install/upgrade flow and release-based systemd deployment
+- released CLI install/upgrade flow and a foreground runtime entrypoint
 
 ## Extension Capability Overview
 
@@ -58,7 +59,9 @@ Detailed consumption guidance:
 One `OpenCode + opencode-a2a-server` instance pair is treated as a
 single-tenant trust boundary.
 
-This repository's intended scaling model is parameterized self-deployment: consumers should launch their own isolated instance pairs through the provided deployment scripts instead of sharing one runtime across mutually untrusted tenants.
+This repository's intended scaling model is parameterized self-deployment:
+consumers should launch their own isolated instance pairs instead of sharing
+one runtime across mutually untrusted tenants.
 
 - OpenCode may manage multiple projects/directories, but one deployed instance
   is not a secure multi-tenant runtime.
@@ -77,7 +80,6 @@ flowchart TD
     Mapping --> Runtime["OpenCode HTTP runtime"]
 
     Api --> Auth["Bearer auth + request logging controls"]
-    Api --> Deploy["release-based deployment tooling"]
     Runtime --> Workspace["Shared workspace / environment boundary"]
 ```
 
@@ -103,13 +105,14 @@ hard multi-tenant isolation layer.
   isolation boundary inside one deployed instance.
 - LLM provider keys are consumed by the OpenCode process. Prompt injection or
   indirect exfiltration attempts may still expose sensitive values.
-- systemd deploy defaults use operator-provisioned root-only secret files
-  unless `ENABLE_SECRET_PERSISTENCE=true` is explicitly enabled.
+- Deployment supervision is intentionally BYO. If you wrap this runtime with
+  `systemd`, Docker, Kubernetes, or another supervisor, you own the service
+  user, secret storage, restart policy, and hardening choices.
 
 Read before deployment:
 
 - [SECURITY.md](SECURITY.md)
-- [scripts/deploy_release_readme.md](scripts/deploy_release_readme.md)
+- [docs/guide.md](docs/guide.md)
 
 ## User Paths
 
@@ -146,12 +149,36 @@ opencode serve
 
 A2A_BEARER_TOKEN=prod-token \
 A2A_PUBLIC_URL=http://127.0.0.1:8000 \
-OPENCODE_DIRECTORY=/abs/path/to/workspace \
-opencode-a2a-server
+OPENCODE_WORKSPACE_ROOT=/abs/path/to/workspace \
+opencode-a2a-server serve
 ```
 
+`OPENCODE_WORKSPACE_ROOT` is the default workspace root that this runtime
+exposes to OpenCode.
+
 Default address: `http://127.0.0.1:8000`
 
+Common runtime variables:
+
+| Variable | Required | Default | Purpose |
+| --- | --- | --- | --- |
+| `A2A_BEARER_TOKEN` | Yes | None | Bearer token required for authenticated runtime requests. |
+| `OPENCODE_BASE_URL` | No | `http://127.0.0.1:4096` | Upstream OpenCode HTTP endpoint. |
+| `OPENCODE_WORKSPACE_ROOT` | No | None | Default workspace root exposed to OpenCode. |
+| `OPENCODE_PROVIDER_ID` | No | None | Default provider for the upstream runtime. |
+| `OPENCODE_MODEL_ID` | No | None | Default model for the upstream runtime. Set together with `OPENCODE_PROVIDER_ID`. |
+| `A2A_HOST` | No | `127.0.0.1` | Bind host for the A2A server. |
+| `A2A_PORT` | No | `8000` | Bind port for the A2A server. |
+| `A2A_PUBLIC_URL` | No | `http://127.0.0.1:8000` | Public base URL advertised by the Agent Card. |
+| `A2A_LOG_LEVEL` | No | `WARNING` | Server log level. |
+| `A2A_LOG_PAYLOADS` | No | `false` | Enable request/response payload logging. |
+| `A2A_LOG_BODY_LIMIT` | No | `0` | Payload preview size used when payload logging is enabled. |
+| `A2A_MAX_REQUEST_BODY_BYTES` | No | `1048576` | Maximum accepted request size. |
+| `A2A_ALLOW_DIRECTORY_OVERRIDE` | No | `true` | Allow request-level `metadata.opencode.directory` overrides. |
+| `A2A_ENABLE_SESSION_SHELL` | No | `false` | Enable high-risk `opencode.sessions.shell`. |
+| `OPENCODE_TIMEOUT` | No | `120` | Upstream OpenCode request timeout in seconds. |
+| `OPENCODE_TIMEOUT_STREAM` | No | None | Upstream OpenCode stream timeout override in seconds. |
+
 If you omit `OPENCODE_PROVIDER_ID` / `OPENCODE_MODEL_ID`, `opencode serve`
 uses your local OpenCode defaults (for example `~/.config/opencode/opencode.json`).
 
@@ -163,36 +190,63 @@ official docs and CLI:
 - Local checks: `opencode auth list`, `opencode models`, `opencode models <provider>`
 
 This path is for users who already manage their own shell, workspace, and
-process lifecycle. No host bootstrap script is required.
+process lifecycle.
+
+Use any supervisor you prefer for long-running operation:
 
-### Path 2: Formal systemd Deploy From a Released Version
+- `systemd`
+- Docker / container runtimes
+- Kubernetes
+- `supervisord`, `pm2`, or similar process managers
 
-For long-running systemd deployments, use the release-based scripts:
+The project no longer ships built-in host bootstrap or process-manager
+wrappers. The official product surface is the runtime entrypoint itself.
+
+Minimal `systemd` example:
+
+1. Create an env file such as `/etc/opencode-a2a/alpha.env`:
 
 ```bash
-./scripts/init_release_system.sh
-./scripts/deploy_release.sh project=alpha a2a_port=8010 a2a_host=127.0.0.1
+A2A_BEARER_TOKEN=replace-me
+A2A_HOST=127.0.0.1
+A2A_PORT=8000
+A2A_PUBLIC_URL=https://a2a.example.com
+OPENCODE_BASE_URL=http://127.0.0.1:4096
+OPENCODE_WORKSPACE_ROOT=/srv/my-workspace
 ```
 
-This path is for users who want:
+2. Create a unit file such as `/etc/systemd/system/opencode-a2a-server.service`:
+
+```ini
+[Unit]
+Description=OpenCode A2A Server
+After=network-online.target
+Wants=network-online.target
 
-- isolated Linux users and per-project directories
-- systemd-managed restart behavior
-- root-only secret files
-- published package versions as the deployment boundary
+[Service]
+Type=simple
+WorkingDirectory=/srv/my-workspace
+EnvironmentFile=/etc/opencode-a2a/alpha.env
+ExecStart=/home/dev/.local/bin/opencode-a2a-server serve
+Restart=on-failure
+RestartSec=2
 
-Primary operator docs:
+[Install]
+WantedBy=multi-user.target
+```
+
+Replace `ExecStart` with the absolute path returned by `command -v opencode-a2a-server`.
 
-- [scripts/init_release_system.sh](scripts/init_release_system.sh)
-- [scripts/deploy_release.sh](scripts/deploy_release.sh)
-- [scripts/deploy_release_readme.md](scripts/deploy_release_readme.md)
-- [docs/release_deploy_smoke_test.md](docs/release_deploy_smoke_test.md)
+Migration notes:
+
+- `OPENCODE_DIRECTORY` has been removed. Use `OPENCODE_WORKSPACE_ROOT`.
+- Built-in `init-release-system`, `deploy-release`, and `uninstall-instance` have been removed.
+- Secret storage, service users, restart policy, and supervisor configuration are now operator-managed.
 
 ## Contributor Paths
 
 Use the repository checkout directly only for development, local debugging, or
-validation against unreleased changes. Source-based deploy/bootstrap docs are
-kept for contributors and internal debugging, not as the recommended user path.
+validation against unreleased changes.
 
 Quick source run:
 
@@ -205,8 +259,8 @@ OPENCODE_MODEL_ID=gemini-3.1-pro-preview \
 opencode serve
 
 A2A_BEARER_TOKEN=dev-token \
-OPENCODE_DIRECTORY=/abs/path/to/workspace \
-uv run opencode-a2a-server
+OPENCODE_WORKSPACE_ROOT=/abs/path/to/workspace \
+uv run opencode-a2a-server serve
 ```
 
 Baseline validation:
@@ -218,34 +272,17 @@ uv run pytest
 
 ## Documentation Map
 
-### User / Operator Docs
+### User Docs
 
 - [docs/guide.md](docs/guide.md)
   Product behavior, API contracts, and detailed streaming/session/interrupt
   consumption guidance.
+- [SECURITY.md](SECURITY.md)
+  Threat model, deployment caveats, and vulnerability disclosure guidance.
 - [CONTRIBUTING.md](CONTRIBUTING.md)
   Contributor workflow, validation baseline, and documentation expectations.
-- [docs/agent_deploy_sop.md](docs/agent_deploy_sop.md)
-  Operator-facing SOP for release-based deployment, verification, and uninstall.
-- [docs/release_deploy_smoke_test.md](docs/release_deploy_smoke_test.md)
-  Real-host smoke test checklist for release-based systemd deployment.
-- [scripts/deploy_release_readme.md](scripts/deploy_release_readme.md)
-  Release-based systemd deployment guide for published package versions.
-- [scripts/init_release_system_readme.md](scripts/init_release_system_readme.md)
-  Release-based host bootstrap guide that avoids source checkout.
-- [scripts/uninstall_readme.md](scripts/uninstall_readme.md)
-  Preview-first uninstall flow for deployed instances.
 - [scripts/README.md](scripts/README.md)
-  Full script index, including contributor/internal paths.
-
-### Contributor / Internal Docs
-
-- [scripts/deploy_readme.md](scripts/deploy_readme.md)
-  Source-based systemd deployment for development/debugging only.
-- [scripts/init_system_readme.md](scripts/init_system_readme.md)
-  Source-based host bootstrap for contributor/internal workflows.
-- [SECURITY.md](SECURITY.md)
-  threat model, deployment caveats, and vulnerability disclosure guidance.
+  Contributor helper script index.
 
 ## License
 

{opencode_a2a_server-0.2.1 → opencode_a2a_server-0.2.2}/SECURITY.md

@@ -4,7 +4,7 @@
 
 This repository is an adapter layer that exposes OpenCode through A2A
 HTTP+JSON and JSON-RPC interfaces. It adds authentication, task/session
-contracts, streaming, interrupt handling, and deployment tooling, but it does
+contracts, streaming, interrupt handling, and runtime guidance, but it does
 not fully isolate upstream model credentials from OpenCode runtime behavior.
 
 ## Security Boundary
@@ -20,9 +20,9 @@ not fully isolate upstream model credentials from OpenCode runtime behavior.
   indirect exfiltration attempts may still expose sensitive values.
 - Payload logging is opt-in. When `A2A_LOG_PAYLOADS=true`, operators should
   treat logs as potentially sensitive operational data.
-- In systemd deployment mode, secret persistence is opt-in. The deploy scripts
-  should not write `GH_TOKEN`, `A2A_BEARER_TOKEN`, or provider keys to disk
-  unless `ENABLE_SECRET_PERSISTENCE=true` is explicitly set.
+- This project does not ship host bootstrap or process-manager wrappers as an
+  official product capability. Operators remain responsible for file
+  permissions, secret storage, service users, and supervisor-specific hardening.
 
 ## Threat Model
 

{opencode_a2a_server-0.2.1 → opencode_a2a_server-0.2.2}/docs/guide.md

@@ -19,16 +19,28 @@ and JSON-RPC extension details (README stays at overview level).
 This section keeps only the protocol-relevant variables.
 For the full runtime variable catalog and defaults, see
 [`../src/opencode_a2a_server/config.py`](../src/opencode_a2a_server/config.py).
-For deploy-time inputs and systemd-oriented parameters, see
-[`../scripts/deploy_readme.md`](../scripts/deploy_readme.md).
+Deployment supervision is intentionally out of scope for this project; use your
+own process manager, container runtime, or host orchestration.
 
 Key variables to understand protocol behavior:
 
 - `A2A_BEARER_TOKEN`: required for all authenticated runtime requests.
+- `OPENCODE_BASE_URL`: upstream OpenCode HTTP endpoint. Default:
+  `http://127.0.0.1:4096`.
+- `OPENCODE_WORKSPACE_ROOT`: service-level default workspace root exposed to
+  OpenCode when clients do not request a narrower directory override.
+- `OPENCODE_PROVIDER_ID` / `OPENCODE_MODEL_ID`: default upstream model
+  selection. Set them together when you want the service to pin a specific
+  provider/model instead of using OpenCode's local defaults.
 - `A2A_ALLOW_DIRECTORY_OVERRIDE`: controls whether clients may pass
   `metadata.opencode.directory`.
 - `A2A_ENABLE_SESSION_SHELL`: gates high-risk JSON-RPC method
   `opencode.sessions.shell`.
+- `A2A_HOST` / `A2A_PORT`: runtime bind address. Defaults:
+  `127.0.0.1:8000`.
+- `A2A_PUBLIC_URL`: public base URL advertised by the Agent Card. Default:
+  `http://127.0.0.1:8000`.
+- `A2A_LOG_LEVEL`: runtime log level. Default: `WARNING`.
 - `A2A_LOG_PAYLOADS` / `A2A_LOG_BODY_LIMIT`: payload logging behavior and
   truncation. When `A2A_LOG_LEVEL=DEBUG`, upstream OpenCode stream events are
   also logged with preview truncation controlled by `A2A_LOG_BODY_LIMIT`.
@@ -38,8 +50,22 @@ Key variables to understand protocol behavior:
   behavior for `(identity, contextId) -> session_id`.
 - `A2A_CANCEL_ABORT_TIMEOUT_SECONDS`: best-effort timeout for upstream
   `session.abort` in cancel flow.
+- `OPENCODE_TIMEOUT` / `OPENCODE_TIMEOUT_STREAM`: upstream request timeout and
+  optional stream timeout override.
 - Runtime authentication is bearer-token only via `A2A_BEARER_TOKEN`.
 
+Minimal runtime example:
+
+```bash
+A2A_BEARER_TOKEN=dev-token \
+A2A_HOST=127.0.0.1 \
+A2A_PORT=8000 \
+A2A_PUBLIC_URL=http://127.0.0.1:8000 \
+OPENCODE_BASE_URL=http://127.0.0.1:4096 \
+OPENCODE_WORKSPACE_ROOT=/abs/path/to/workspace \
+opencode-a2a-server serve
+```
+
 ## Service Behavior
 
 - The service forwards A2A `message:send` to OpenCode session/message calls.
@@ -106,7 +132,9 @@ Key variables to understand protocol behavior:
   - Failure events include concrete error details with `failed` state.
 - Directory validation and normalization:
   - Clients can pass `metadata.opencode.directory`, but it must stay inside
-    `${OPENCODE_DIRECTORY}` (or service runtime root if not configured).
+    `${OPENCODE_WORKSPACE_ROOT}` (or service runtime root if not configured).
+  - `OPENCODE_WORKSPACE_ROOT` is the service-level default workspace root used
+    when clients do not request a narrower directory override.
   - All paths are normalized with `realpath` to prevent `..` or symlink
     boundary bypass.
   - If `A2A_ALLOW_DIRECTORY_OVERRIDE=false`, only the default directory is

{opencode_a2a_server-0.2.1 → opencode_a2a_server-0.2.2}/pyproject.toml

@@ -45,7 +45,7 @@ dev = [
 ]
 
 [project.scripts]
-opencode-a2a-server = "opencode_a2a_server.app:main"
+opencode-a2a-server = "opencode_a2a_server.cli:main"
 
 [project.urls]
 Homepage = "https://github.com/Intelligent-Internet/opencode-a2a-server"

opencode_a2a_server-0.2.2/scripts/README.md

@@ -0,0 +1,22 @@
+# scripts
+
+Executable scripts live in this directory. This file is the entry index for the
+remaining repository-maintenance helpers.
+
+## Product Contract vs Script Docs
+
+- Product/API behavior (transport, protocol contracts, extension semantics):
+  - [`../docs/guide.md`](../docs/guide.md)
+- Security boundary and disclosure guidance:
+  - [`../SECURITY.md`](../SECURITY.md)
+
+## Other Scripts
+
+- [`doctor.sh`](./doctor.sh): local development regression entrypoint (`sync`/`pip check` + lint + tests)
+- [`dependency_health.sh`](./dependency_health.sh): dependency review entrypoint (`sync`/`pip check` + outdated + audit)
+- [`lint.sh`](./lint.sh): lint helper
+- [`smoke_test_built_cli.sh`](./smoke_test_built_cli.sh): wheel-install smoke test for the released CLI runtime
+
+## Notes
+
+- `doctor.sh` and `dependency_health.sh` intentionally remain separate entrypoints and share common prerequisites through [`health_common.sh`](./health_common.sh).

{opencode_a2a_server-0.2.1 → opencode_a2a_server-0.2.2}/src/opencode_a2a_server/app.py

@@ -276,8 +276,8 @@ def _build_deployment_context(settings: Settings) -> dict[str, str | bool]:
     }
     if settings.a2a_project:
         context["project"] = settings.a2a_project
-    if settings.opencode_directory:
-        context["workspace_root"] = settings.opencode_directory
+    if settings.opencode_workspace_root:
+        context["workspace_root"] = settings.opencode_workspace_root
     if settings.opencode_provider_id:
         context["provider_id"] = settings.opencode_provider_id
     if settings.opencode_model_id: