[0.7] A2A provenance chain (signed act claim) #138

@Raulgooo

Release

0.7 — A2A Auth Layer

Objective

Full act chain embedded in A2A tokens.

Problem

  • No verifiable provenance
  • Recipients cannot audit delegation chain

Fix

  1. Embed full act chain in A2A tokens
  2. Cryptographically signed
  3. Verifiable by recipient without server call
  4. Include timestamps

Files

  • internal/auth/jwt/
  • internal/oauth/a2a_exchange.go

Acceptance Criteria

  • Full act chain in token
  • Signed and verifiable
  • Recipient can verify offline
  • Timestamps included
  • Chain length limit (max hops)
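
One way a recipient could check such a token offline, as an added example that is not the project's code. It assumes the chain travels as a nested RFC 8693 `act` claim with a per-hop `iat`, inside a compact EdDSA JWS, with a hop limit of 3; `Claims`, `Sign`, `VerifyChain`, `maxHops` and `hdr` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

const maxHops, hdr = 3, `{"alg":"EdDSA"}` // assumed hop limit; the only JWS header accepted
var b64 = base64.RawURLEncoding
// Claims is the token body and also each nested RFC 8693 "act" hop (per-hop "iat" is assumed).
type Claims struct {
	Sub string  `json:"sub"`
	Iat int64   `json:"iat"`
	Exp int64   `json:"exp,omitempty"`
	Act *Claims `json:"act,omitempty"`
}
// Sign builds a compact EdDSA JWS so the constructed sample needs no JWT library.
func Sign(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(hdr)) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}
// VerifyChain needs only the issuer's public key; it returns the actors, most recent first.
func VerifyChain(pub ed25519.PublicKey, tok string, now int64) (chain []string, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || p[0] != b64.EncodeToString([]byte(hdr)) {
		return nil, fmt.Errorf("malformed token or unexpected alg")
	}
	sig, _ := b64.DecodeString(p[2])
	body, _ := b64.DecodeString(p[1])
	var c Claims // parsed only after the signature check passes (short-circuit below)
	if !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) || json.Unmarshal(body, &c) != nil || now >= c.Exp {
		return nil, fmt.Errorf("bad signature or expired claims")
	}
	for a, last := c.Act, now; a != nil; a, last = a.Act, a.Iat {
		if len(chain) == maxHops || a.Iat > last { // each earlier hop must not postdate the later one
			return nil, fmt.Errorf("chain too long or timestamps out of order")
		}
		chain = append(chain, a.Sub)
	}
	return chain, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key for the constructed sample
	fmt.Println(VerifyChain(pub, Sign(priv, Claims{Sub: "user", Exp: 9, Act: &Claims{Sub: "agent-b", Iat: 5}}), 7))
}
```

The header is compared against one pinned value so a token cannot select its own algorithm, and the hop limit bounds how far the verifier walks the nested claim.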

Labels

  • P1: Urgent: - major component broken - High importance vulnerability - Same day
  • track-authority: Track label for Agentic Era
