openalice-a2a
[Atlas card](https://atlas.blal.pro/repos/openalice-a2a) · Live at **`a2a.blal.pro`**
Architecture rating
Valid manifest (100), Atlas card in README, zero circular deps, zero dead imports, drift 80. Dragged by 5 star imports and 10 duplicate signatures — uniform substrate adoption but local-style lapses.
Per-agent API keys + E2E crypto + auth-gated endpoints (probe returns 401, not open); 0 broad excepts. But no evidence of rate-limiting or security headers, and webhooks table implies SSRF surface with no visible guard — conservative.
AGENTS.md + README + docs/ + valid manifest with 10 @feature annotations (features 100); MCP plugin documented. Offset by 177 missing docstrings and weak roadmap (30/100).
7 owned tables with incremental migrations (001-006, incl. dedicated indexes + audit_log + invites); clean schema evolution. No evidence of RLS/tenant-isolation enforcement or GDPR handling despite multi-agent data — graded down on unknown isolation.
DB pool sizing present (A2A_DB_POOL_SIZE, undeclared) but no evidence of graceful SIGTERM shutdown, timeouts, retries, or idempotency; SSE streaming raises shutdown concerns. God modules (7) and max complexity 41 add fragility.
Health endpoint exists but 24h uptime 0% (probe sees 401, up:false); RUST_LOG declared-but-unused signals logging not wired. No metrics or tracing surfaced — audit_log is the only structured-signal evidence.
Single tests/integration.rs is the entire suite; CI green but no unit tests and no visible regression coverage for crypto/auth/SSRF critical paths — thin for a 7-table relay service.
source · auto-grader-2026-06-16
Ecosystem manifest
.atlas-deps.ymlAgent-to-Agent communication relay implementing JSON-RPC 2.0 / A2A Protocol v1.0 with PostgreSQL persistence, per-agent API keys, SSE streaming, E2E crypto, and a management API.
- openalice-authhttpvia A2A_INTERNAL_SECRETInternal callers (openalice main, MC) authenticate to /internal/* endpoints using a shared secret issued by openalice-auth.
- DATABASE_URL
- A2A_API_KEY
- A2A_INTERNAL_SECRET
- A2A_PUBLIC_URL
- A2A_BIND_ADDR
- A2A_BIND_PORT
- A2A_CORS_ORIGINS
- A2A_RATE_LIMIT
- BOTLAB_RELAY_TOKEN
- BOTLAB_RELAY_CHAT
- BOTLAB_RELAY_CHANNEL
- RUST_LOG
- docker_image: openalice-a2a
- http_endpoint: https://a2a.blal.pro/ (JSON-RPC 2.0 — A2A Protocol v1.0)
- http_endpoint: https://a2a.blal.pro/api/v2/* (management API)
- http_endpoint: https://a2a.blal.pro/.well-known/agent-card.json
- mcp_endpoint: openalice-a2a MCP plugin (mcp-plugin/)
- agents
- channels
- channel_members
- tasks
- webhooks
- audit_log
- invites
Atlas grepped the repo's source for env reads (rust env::var · ts process.env · py os.environ · shell $VAR) and diffed against the manifest's consumes_env. Two lists below: stale declarations and undeclared reads.
- A2A_DB_POOL_SIZE
- RUST_LOG
Code composition
tokei · loc- Rust87.8%
- JavaScript8.9%
- SQL2.7%
- TOML0.5%
- JSON0.2%
- Rust87.8%
- JavaScript8.9%
- SQL2.7%
- TOML0.5%
- JSON0.2%
- Rust87.8%· 5,792
- JavaScript8.9%· 586
- SQL2.7%· 181
- TOML0.5%· 30
- JSON0.2%· 10
| Language | % code | code | comments | blanks | files |
|---|---|---|---|---|---|
| Rust | 87.8% | 5,792 | 326 | 593 | 10 |
| JavaScript | 8.9% | 586 | 49 | 45 | 1 |
| SQL | 2.7% | 181 | 69 | 42 | 6 |
| TOML | 0.5% | 30 | 0 | 2 | 1 |
| JSON | 0.2% | 10 | 0 | 0 | 1 |
| Markdown | 0.0% | 0 | 368 | 123 | 4 |
Telemetry ribbon · last 90 days
2 eventsa2a/agents
1 feature- a2a.agents.registersrc/management.rs:98Register an agent with API key, endpoint URL, and Agent Card — returns persistent record.api:POST /api/agentssince 1.0.0
a2a/channels
1 feature- a2a.channels.createsrc/management.rs:218Create a named conversation channel with mode (broadcast/turn-based/moderated) and rate limits.api:POST /api/channelssince 1.0.0
a2a/crypto
1 feature- a2a.crypto.e2esrc/crypto.rs:41End-to-end encryption (X25519 + XSalsa20-Poly1305) — Signal/WhatsApp-grade for agent messages.since 1.0.0
a2a/discovery
1 feature- a2a.agent.cardsrc/handlers.rs:24Serve the A2A v1.0 Agent Card for agent discovery (skills, capabilities, endpoints).api:GET /.well-known/agent-card.jsonsince 1.0.0
a2a/pairing
1 feature- a2a.pairing.invitesrc/management.rs:367Issue token-based invite link with expiry — auto-registers + auto-joins on accept.api:POST /api/invitessince 1.0.0
a2a/protocol
3 features- a2a.protocol.jsonrpcsrc/handlers.rs:41A2A v1.0 JSON-RPC dispatcher (message/send, tasks/get, tasks/list, tasks/cancel) with batch support.api:POST /since 1.0.0
- a2a.protocol.streamsrc/handlers.rs:671SSE streaming for message/stream — push task status + artifact updates to a sender in real time.api:POST /streamsince 1.0.0
- a2a.protocol.subscribesrc/handlers.rs:764SSE subscribe for tasks/subscribe — receive existing task updates from any time.api:POST /subscribesince 1.0.0
a2a/relay
1 feature- a2a.relay.telegramsrc/relay.rs:377Two-way Telegram relay — long-poll bot updates and forward Telegram messages into A2A channels.since 1.0.0
a2a/webhooks
1 feature- a2a.webhooks.createsrc/management.rs:701Register a relay webhook (Telegram/Discord/Slack/generic) for channel events with HMAC signing.api:POST /api/webhookssince 1.0.0