m3/org/openalice-a2aci ok

openalice-a2a

[Atlas card](https://atlas.blal.pro/repos/openalice-a2a) · Live at **`a2a.blal.pro`**

Features
10
Status
·unknown
Last activity
1mo ago
Branch
mvp

Architecture rating

C-1mo ago
consistencyB-

Valid manifest (100), Atlas card in README, zero circular deps, zero dead imports, drift 80. Dragged by 5 star imports and 10 duplicate signatures — uniform substrate adoption but local-style lapses.

securityB-

Per-agent API keys + E2E crypto + auth-gated endpoints (probe returns 401, not open); 0 broad excepts. But no evidence of rate-limiting or security headers, and webhooks table implies SSRF surface with no visible guard — conservative.

docsB-

AGENTS.md + README + docs/ + valid manifest with 10 @feature annotations (features 100); MCP plugin documented. Offset by 177 missing docstrings and weak roadmap (30/100).

data layerC+

7 owned tables with incremental migrations (001-006, incl. dedicated indexes + audit_log + invites); clean schema evolution. No evidence of RLS/tenant-isolation enforcement or GDPR handling despite multi-agent data — graded down on unknown isolation.

reliabilityD

DB pool sizing present (A2A_DB_POOL_SIZE, undeclared) but no evidence of graceful SIGTERM shutdown, timeouts, retries, or idempotency; SSE streaming raises shutdown concerns. God modules (7) and max complexity 41 add fragility.

observabilityD

Health endpoint exists but 24h uptime 0% (probe sees 401, up:false); RUST_LOG declared-but-unused signals logging not wired. No metrics or tracing surfaced — audit_log is the only structured-signal evidence.

testingD

Single tests/integration.rs is the entire suite; CI green but no unit tests and no visible regression coverage for crypto/auth/SSRF critical paths — thin for a 7-table relay service.

source · auto-grader-2026-06-16

Ecosystem manifest

.atlas-deps.yml

Agent-to-Agent communication relay implementing JSON-RPC 2.0 / A2A Protocol v1.0 with PostgreSQL persistence, per-agent API keys, SSE streaming, E2E crypto, and a management API.

Runtime deps
  • via A2A_INTERNAL_SECRET
    Internal callers (openalice main, MC) authenticate to /internal/* endpoints using a shared secret issued by openalice-auth.
Consumed env
  • DATABASE_URL
  • A2A_API_KEY
  • A2A_INTERNAL_SECRET
  • A2A_PUBLIC_URL
  • A2A_BIND_ADDR
  • A2A_BIND_PORT
  • A2A_CORS_ORIGINS
  • A2A_RATE_LIMIT
  • BOTLAB_RELAY_TOKEN
  • BOTLAB_RELAY_CHAT
  • BOTLAB_RELAY_CHANNEL
  • RUST_LOG
Exposes
  • docker_image: openalice-a2a
  • http_endpoint: https://a2a.blal.pro/ (JSON-RPC 2.0 — A2A Protocol v1.0)
  • http_endpoint: https://a2a.blal.pro/api/v2/* (management API)
  • http_endpoint: https://a2a.blal.pro/.well-known/agent-card.json
  • mcp_endpoint: openalice-a2a MCP plugin (mcp-plugin/)
Owns tables
  • agents
  • channels
  • channel_members
  • tasks
  • webhooks
  • audit_log
  • invites
Env drift · manifest ⇄ code

Atlas grepped the repo's source for env reads (rust env::var · ts process.env · py os.environ · shell $VAR) and diffed against the manifest's consumes_env. Two lists below: stale declarations and undeclared reads.

Code reads, manifest omits
  • A2A_DB_POOL_SIZE
Manifest declares, code unused
  • RUST_LOG
Observed reads: 12 · declared: 12

Code composition

tokei · loc
6.6kloc
  • Rust87.8%
  • JavaScript8.9%
  • SQL2.7%
  • TOML0.5%
  • JSON0.2%
  • Rust87.8%· 5,792
  • JavaScript8.9%· 586
  • SQL2.7%· 181
  • TOML0.5%· 30
  • JSON0.2%· 10
Language% codecodecommentsblanksfiles
Rust87.8%5,79232659310
JavaScript8.9%58649451
SQL2.7%18169426
TOML0.5%30021
JSON0.2%10001
Markdown0.0%03681234

Telemetry ribbon · last 90 days

2 events
MAYJUNJUL2026-05-21 · commit · new commit e3c9560 → 8bd9c9d2026-05-22 · commit · new commit 8bd9c9d → ef08d85NOW
commitmanifestlifecyclekind

a2a/agents

1 feature
  • a2a.agents.register
    src/management.rs:98
    Register an agent with API key, endpoint URL, and Agent Card — returns persistent record.
    api:POST /api/agents
    since 1.0.0

a2a/channels

1 feature
  • a2a.channels.create
    src/management.rs:218
    Create a named conversation channel with mode (broadcast/turn-based/moderated) and rate limits.
    api:POST /api/channels
    since 1.0.0

a2a/crypto

1 feature
  • a2a.crypto.e2e
    src/crypto.rs:41
    End-to-end encryption (X25519 + XSalsa20-Poly1305) — Signal/WhatsApp-grade for agent messages.
    since 1.0.0

a2a/discovery

1 feature
  • a2a.agent.card
    src/handlers.rs:24
    Serve the A2A v1.0 Agent Card for agent discovery (skills, capabilities, endpoints).
    api:GET /.well-known/agent-card.json
    since 1.0.0

a2a/pairing

1 feature
  • a2a.pairing.invite
    src/management.rs:367
    Issue token-based invite link with expiry — auto-registers + auto-joins on accept.
    api:POST /api/invites
    since 1.0.0

a2a/protocol

3 features
  • a2a.protocol.jsonrpc
    src/handlers.rs:41
    A2A v1.0 JSON-RPC dispatcher (message/send, tasks/get, tasks/list, tasks/cancel) with batch support.
    api:POST /
    since 1.0.0
  • a2a.protocol.stream
    src/handlers.rs:671
    SSE streaming for message/stream — push task status + artifact updates to a sender in real time.
    api:POST /stream
    since 1.0.0
  • a2a.protocol.subscribe
    src/handlers.rs:764
    SSE subscribe for tasks/subscribe — receive existing task updates from any time.
    api:POST /subscribe
    since 1.0.0

a2a/relay

1 feature
  • a2a.relay.telegram
    src/relay.rs:377
    Two-way Telegram relay — long-poll bot updates and forward Telegram messages into A2A channels.
    since 1.0.0

a2a/webhooks

1 feature
  • a2a.webhooks.create
    src/management.rs:701
    Register a relay webhook (Telegram/Discord/Slack/generic) for channel events with HMAC signing.
    api:POST /api/webhooks
    since 1.0.0