Skip to content

feat(server): implement Resource Scoping for tasks and push notifications#709

Merged
sokoliva merged 58 commits intoa2aproject:1.0-devfrom
sokoliva:resource-scoping
Feb 27, 2026
Merged

feat(server): implement Resource Scoping for tasks and push notifications#709
sokoliva merged 58 commits intoa2aproject:1.0-devfrom
sokoliva:resource-scoping

Conversation

@sokoliva
Copy link
Member

@sokoliva sokoliva commented Feb 18, 2026
edited
Loading

Description

Introduces caller indentity isolation to ensure clients only access authorized resources, as mandated by the A2A spec.

  • Add ownerfield to TaskMixin and PushNotificationConfig database models.
  • Add last_updated field to TaskMixin for optimized sorting and indexing.
  • Update DatabaseTaskStore, InMemoryTaskStore and DatabasePushNotificationConfigStore to use OwnerResolver.
  • Add Resource Scoping related Unit tests.
  • Add Alembic configuration to enable users to update their own databases with non-optional owner column in tasks and push_notification_configs table and optional last_updated and index (owner, last_updated) in tasks .
  • Distribute alembic configuration, enable CLI commands such as uv run a2a-db for database updating.

Note

  • In src/a2a/server/tasks/database_task_store.py list method, Gemini suggested a refactor of pagination. I thoroughly reviewed it and comfirmed that the logic is the same and that readability of code improved so I decided to accept it.
  • It seems there was a functional bug in InMemoryPushNotificationConfigStore delete_info method. When config_id is None and only task_id was provided it would search for configs mapped to task_id with config.id=task_id, contrary to delete_info method of DatabasePushNotificationConfigStore where if config_id is None, all configurations for the task are deleted. Unfortunately, I did not find intended behavior defined in the spec, but behavior of DatabasePushNotificationConfigStore's delete_info seems more logical.

Breaking changes

  • added non-optional owner field to the Task Model. Use alembic configuration to update your database.

  • Ensure the tests and linter pass (Run bash scripts/format.sh from the repository root to format)

  • Appropriate docs were updated (if necessary)

Fixes #610 🦕

@sokoliva
feat(server): implement resource scoping for tasks and `push noti…
2d2d31e 
…fications`

Introduces caller indentity isolation to ensure clients only access authorized resources, as mandated by the A2A spec.

- Add 'owner' field to `TaskMixin` and `PushNotificationConfig` database models.
 - Add 'last_updated' field to `TaskMixin` for optimized sorting and indexing.
- Update `DatabaseTaskStore`, `InMemoryTaskStore` and `DatabasePushNotificationConfigStore` to use `OwnerResolver`.
- Add relevant Unit tests.
- Add Alembic configuration to enable users to update their own databases with non-optional `owner` field in `tasks` table.
@sokoliva sokoliva requested review from a team and a2a-bot as code owners February 18, 2026 16:19
@sokoliva sokoliva changed the base branch from main to 1.0-dev February 18, 2026 16:22
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Feb 18, 2026

Summary of Changes

Hello @sokoliva, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the server's data management capabilities by implementing robust resource scoping for tasks and push notification configurations, ensuring that users can only access their own data. It also introduces a flexible 'ListTasks' API, enabling efficient retrieval and management of tasks with advanced filtering and pagination. The integration of Alembic provides a structured approach to future database schema evolution.

Highlights

  • Resource Scoping Implementation: Introduced an 'owner' field to 'TaskMixin' and 'PushNotificationConfig' database models, along with an 'OwnerResolver' to enforce caller identity isolation for tasks and push notification configurations.
  • Task Listing API: Added a new 'ListTasks' API endpoint across gRPC, JSON-RPC, and REST transports, supporting filtering, pagination, and sorting by 'last_updated' timestamp.
  • Database Migration Setup: Integrated Alembic for managing database schema migrations, including an initial migration to add the 'owner' column to the 'tasks' table.
  • Performance Enhancements: Added a 'last_updated' field to 'TaskMixin' and an index on '(owner, last_updated)' to optimize task retrieval and sorting.
Changelog
  • alembic.ini
    • Configured Alembic for database migrations.
  • alembic/README
    • Documented Alembic migration commands and troubleshooting.
  • alembic/env.py
    • Configured Alembic environment for asynchronous SQLAlchemy operations.
  • alembic/script.py.mako
    • Provided a Mako template for generating new Alembic migration scripts.
  • alembic/versions/6419d2d130f6_add_owner_to_task.py
    • Added an initial migration script to introduce a non-nullable 'owner' column to the 'tasks' table with a default value.
  • pyproject.toml
    • Added Alembic tool configuration.
  • src/a2a/client/base_client.py
    • Updated imports and added an abstract 'list_tasks' method to the base client.
  • src/a2a/client/client.py
    • Updated imports and added an abstract 'list_tasks' method to the client interface.
  • src/a2a/client/transports/base.py
    • Updated imports and added an abstract 'list_tasks' method to the base transport.
  • src/a2a/client/transports/grpc.py
    • Implemented the 'list_tasks' method for the gRPC transport, including proto conversions and default page size.
  • src/a2a/client/transports/jsonrpc.py
    • Implemented the 'list_tasks' method for the JSON-RPC transport, handling request/response models and error cases.
  • src/a2a/client/transports/rest.py
    • Implemented the 'list_tasks' method for the REST transport, including query parameter conversion and handling.
  • src/a2a/grpc/a2a_pb2.py
    • Generated new protobuf definitions to include 'ListTasksRequest' and 'ListTasksResponse' messages and the 'ListTasks' service method.
  • src/a2a/grpc/a2a_pb2.pyi
    • Updated the protobuf type hints to include 'ListTasksRequest' and 'ListTasksResponse'.
  • src/a2a/grpc/a2a_pb2_grpc.py
    • Generated new gRPC service code to include the 'ListTasks' method.
  • src/a2a/server/apps/jsonrpc/jsonrpc_app.py
    • Updated to recognize and process 'ListTasksRequest' for JSON-RPC.
  • src/a2a/server/models.py
    • Added 'datetime' import, 'Index' import, 'owner' and 'last_updated' fields to 'TaskMixin', and 'owner' field to 'PushNotificationConfigMixin'.
    • Defined a table argument for a combined index on 'owner' and 'last_updated'.
  • src/a2a/server/owner_resolver.py
    • Added a new module defining 'OwnerResolver' type and a default 'resolve_user_scope' function.
  • src/a2a/server/request_handlers/default_request_handler.py
    • Implemented the 'on_list_tasks' method, handling filtering, pagination, artifact exclusion, and history length application.
  • src/a2a/server/request_handlers/grpc_handler.py
    • Implemented the gRPC handler for the new 'ListTasks' method.
  • src/a2a/server/request_handlers/jsonrpc_handler.py
    • Implemented the JSON-RPC handler for the new 'tasks/list' method.
  • src/a2a/server/request_handlers/request_handler.py
    • Added an abstract 'on_list_tasks' method to the base request handler interface.
  • src/a2a/server/request_handlers/response_helpers.py
    • Updated type definitions to support 'ListTasksResult' in JSON-RPC responses.
  • src/a2a/server/request_handlers/rest_handler.py
    • Implemented the REST handler for 'list_tasks' and adjusted 'list_push_notifications' to be unimplemented.
  • src/a2a/server/tasks/database_push_notification_config_store.py
    • Modified methods ('init', '_to_orm', 'set_info', 'get_info', 'delete_info') to incorporate owner-based scoping for push notification configurations.
  • src/a2a/server/tasks/database_task_store.py
    • Modified methods ('init', '_to_orm', 'save', 'get', 'delete') to incorporate owner-based scoping and 'last_updated' field.
    • Implemented the 'list' method with filtering, sorting, and pagination.
  • src/a2a/server/tasks/inmemory_task_store.py
    • Modified methods ('init', 'save', 'get', 'delete') to incorporate owner-based scoping.
    • Implemented the 'list' method with filtering, sorting, and pagination.
  • src/a2a/server/tasks/push_notification_config_store.py
    • Updated abstract methods to include 'ServerCallContext' for owner resolution.
  • src/a2a/server/tasks/task_store.py
    • Introduced 'TasksPage' model and an abstract 'list' method for task pagination.
  • src/a2a/types.py
    • Added new Pydantic models for 'ListTasksParams', 'ListTasksRequest', 'ListTasksResult', and 'ListTasksSuccessResponse', and updated relevant type unions.
  • src/a2a/utils/constants.py
    • Added 'DEFAULT_LIST_TASKS_PAGE_SIZE' constant.
  • src/a2a/utils/proto_utils.py
    • Added utility functions for converting between 'ListTasksParams'/'ListTasksResult' and their protobuf equivalents.
  • src/a2a/utils/task.py
    • Added utility functions 'encode_page_token' and 'decode_page_token' for base64 encoding/decoding of pagination tokens.
  • tests/client/test_client_factory.py
    • Updated client transport extension assertions.
  • tests/client/transports/test_grpc_client.py
    • Added test cases for the new 'list_tasks' gRPC client method.
  • tests/client/transports/test_jsonrpc_client.py
    • Added test cases for the new 'list_tasks' JSON-RPC client method.
  • tests/extensions/test_common.py
    • Added 'pytest' import.
  • tests/integration/test_client_server_integration.py
    • Added integration tests for 'list_tasks' across HTTP (JSON-RPC, REST) and gRPC transports.
  • tests/server/request_handlers/test_default_request_handler.py
    • Added unit tests for the 'on_list_tasks' method, covering success, artifact exclusion, and history length.
    • Updated 'on_message_send' calls to pass context to 'task_store.get'.
  • tests/server/request_handlers/test_grpc_handler.py
    • Added unit tests for the 'ListTasks' gRPC handler.
  • tests/server/request_handlers/test_jsonrpc_handler.py
    • Added unit tests for the 'list_tasks' JSON-RPC handler.
  • tests/server/tasks/test_database_push_notification_config_store.py
    • Added 'TestUser' class and tests for owner-based resource scoping in the database push notification config store.
  • tests/server/tasks/test_database_task_store.py
    • Added 'TestUser' class and extensive tests for 'list_tasks' with various filters, pagination, and owner-based scoping in the database task store.
  • tests/server/tasks/test_inmemory_task_store.py
    • Added 'TestUser' class and extensive tests for 'list_tasks' with various filters, pagination, and owner-based scoping in the in-memory task store.
  • tests/server/test_owner_resolver.py
    • Added a new test file with unit tests for the 'resolve_user_scope' function.
  • tests/utils/test_proto_utils.py
    • Added unit tests for the new 'list_tasks_request' and 'list_tasks_result' proto utility conversions.
  • tests/utils/test_task.py
    • Added unit tests for the new 'encode_page_token' and 'decode_page_token' utility functions.
Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/linter.yaml
    • .github/workflows/unit-tests.yml
  • Ignored by pattern: CHANGELOG.md (1)
    • CHANGELOG.md
Activity
  • The author, sokoliva, initiated this pull request to implement caller identity isolation for tasks and push notifications, addressing issue [Feat]: Resource Scoping #610.
  • The PR also aims to optimize task retrieval by adding a 'last_updated' field and indexing.
  • A checklist is included in the PR description, indicating the author's intention to ensure tests and linter pass, and that appropriate documentation is updated.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 18, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces resource scoping by adding an owner field to tasks and push notification configurations, which is a great step towards multi-tenancy and security. The implementation across the database and in-memory stores is consistent. I've also noticed the addition of Alembic for database migrations, which is excellent for managing schema changes. My feedback focuses on improving the Alembic configuration, strengthening the data model for timestamps, and making the owner resolution logic more robust.

@sokoliva sokoliva requested a review from ishymko February 19, 2026 10:48
sokoliva and others added 7 commits February 19, 2026 10:55
ishymko
ishymko reviewed Feb 20, 2026
View reviewed changes
ishymko
ishymko reviewed Feb 26, 2026
View reviewed changes
@sokoliva sokoliva requested a review from ishymko February 27, 2026 11:05
ishymko
ishymko reviewed Feb 27, 2026
View reviewed changes
ishymko
ishymko reviewed Feb 27, 2026
View reviewed changes
ishymko
ishymko reviewed Feb 27, 2026
View reviewed changes
@sokoliva sokoliva merged commit f0d4669 into a2aproject:1.0-dev Feb 27, 2026
6 checks passed
@sokoliva sokoliva deleted the resource-scoping branch February 27, 2026 16:56
@ishymko ishymko mentioned this pull request Mar 2, 2026
Closed
1 task
This was referenced Mar 12, 2026
Closed
Closed
Merged
ishymko added a commit that referenced this pull request Mar 17, 2026
@a2a-bot @ishymko
chore(1.0-dev): release 1.0.0-alpha.0 (#828)
fce163c 
🤖 I have created a release *beep* *boop*
---


### ⚠ BREAKING CHANGES

* **spec**: upgrade SDK to A2A 1.0 spec and use proto-based types
([#572](#572),
[#665](#665),
[#804](#804),
[#765](#765))
* **client:** introduce ServiceParameters for extensions and include it
in ClientCallContext
([#784](#784))
* **client:** rename "callback" -> "push_notification_config"
([#749](#749))
* **client:** transport agnostic interceptors
([#796](#796))
([a910cbc](a910cbc))
* add `protocol_version` column to Task and PushNotificationConfig
models and create a migration
([#789](#789))
([2e2d431](2e2d431))
* **server:** implement `Resource Scoping` for tasks and push
notifications
([#709](#709))
([f0d4669](f0d4669))

### Features

* add GetExtendedAgentCardRequest as input parameter to
GetExtendedAgentCard method
([#767](#767))
([13a092f](13a092f))
* add validation for the JSON-RPC version
([#808](#808))
([6eb7e41](6eb7e41))
* **client:** expose close() and async context manager support on
abstract Client
([#719](#719))
([e25ba7b](e25ba7b))
* **compat:** AgentCard backward compatibility helpers and tests
([#760](#760))
([81f3494](81f3494))
* **compat:** GRPC client compatible with 0.3 server
([#779](#779))
([0ebca93](0ebca93))
* **compat:** GRPC server compatible with 0.3 client
([#772](#772))
([80d827a](80d827a))
* **compat:** legacy v0.3 protocol models, conversion logic and
utilities ([#754](#754))
([26835ad](26835ad))
* **compat:** REST and JSONRPC clients compatible with 0.3 servers
([#798](#798))
([08794f7](08794f7))
* **compat:** REST and JSONRPC servers compatible with 0.3 clients
([#795](#795))
([9856054](9856054))
* **compat:** set a2a-version header to 1.0.0
([#764](#764))
([4cb68aa](4cb68aa))
* **compat:** unify v0.3 REST url prefix and expand cross-version tests
([#820](#820))
([0925f0a](0925f0a))
* database forward compatibility: make `owner` field optional
([#812](#812))
([cc29d1f](cc29d1f))
* handle tenant in Client
([#758](#758))
([5b354e4](5b354e4))
* implement missing push notifications related methods
([#711](#711))
([041f0f5](041f0f5))
* implement rich gRPC error details per A2A v1.0 spec
([#790](#790))
([245eca3](245eca3))
* **rest:** add tenant support to rest
([#773](#773))
([4771b5a](4771b5a))
* send task as a first subscribe event
([#716](#716))
([e71ac62](e71ac62))
* **server, grpc:** Implement tenant context propagation for gRPC
requests. ([#781](#781))
([164f919](164f919))
* **server, json-rpc:** Implement tenant context propagation for
JSON-RPC requests.
([#778](#778))
([72a330d](72a330d))
* **server:** add v0.3 legacy compatibility for database models
([#783](#783))
([08c491e](08c491e))
* **spec:** add `tasks/list` method with filtering and pagination to the
specification
([#511](#511))
([d5818e5](d5818e5))
* use StreamResponse as push notifications payload
([#724](#724))
([a149a09](a149a09))
* **rest:** update REST error handling to use `google.rpc.Status`
([#838](#838))
([ea7d3ad](ea7d3ad))


### Bug Fixes

* add history length and page size validations
([#726](#726))
([e67934b](e67934b))
* allign error codes with the latest spec
([#826](#826))
([709b1ff](709b1ff))
* **client:** align send_message signature with BaseClient
([#740](#740))
([57cb529](57cb529))
* get_agent_card trailing slash when agent_card_path=""
([#799](#799))
([#800](#800))
([a55c97e](a55c97e))
* handle parsing error in REST
([#806](#806))
([bbd09f2](bbd09f2))
* Improve error handling for Timeout exceptions on REST and JSON-RPC
clients ([#690](#690))
([2acd838](2acd838))
* Improve streaming errors handling
([#576](#576))
([7ea7475](7ea7475))
* properly handle unset and zero history length
([#717](#717))
([72a1007](72a1007))
* return entire history when history_length=0
([#537](#537))
([acdc0de](acdc0de))
* return mandatory fields from list_tasks
([#710](#710))
([6132053](6132053))
* taskslist error on invalid page token and response serialization
([#814](#814))
([a102d31](a102d31))
* use correct REST path for Get Extended Agent Card operation
([#769](#769))
([ced3f99](ced3f99))
* Use POST method for REST endpoint /tasks/{id}:subscribe
([#843](#843))
([a0827d0](a0827d0))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: Ivan Shymko <ishymko@google.com>
@a2a-bot a2a-bot mentioned this pull request Mar 17, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ishymko ishymko ishymko approved these changes

@a2a-bot a2a-bot Awaiting requested review from a2a-bot

+2 more reviewers

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

@scutuatua-crypto scutuatua-crypto scutuatua-crypto approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feat]: Resource Scoping

3 participants

@sokoliva @ishymko @scutuatua-crypto