Coverage for mcpgateway / services / a2a_service.py: 98%

1# -*- coding: utf-8 -*- 

2# pylint: disable=invalid-name, import-outside-toplevel, unused-import, no-name-in-module 

3"""Location: ./mcpgateway/services/a2a_service.py 

4Copyright 2025 

5SPDX-License-Identifier: Apache-2.0 

6Authors: Mihai Criveti 

7 

8A2A Agent Service 

9 

10This module implements A2A (Agent-to-Agent) agent management for ContextForge. 

11It handles agent registration, listing, retrieval, updates, activation toggling, deletion, 

12and interactions with A2A-compatible agents. 

13""" 

14 

15# Standard 

16import binascii 

17from datetime import datetime, timezone 

18from typing import Any, AsyncGenerator, Dict, List, Optional, Union 

19 

20# Third-Party 

21from pydantic import ValidationError 

22from sqlalchemy import and_, delete, desc, or_, select, update 

23from sqlalchemy.exc import IntegrityError 

24from sqlalchemy.orm import Session 

25 

26# First-Party 

27from mcpgateway.cache.a2a_stats_cache import a2a_stats_cache 

28from mcpgateway.db import A2AAgent as DbA2AAgent 

29from mcpgateway.db import A2AAgentMetric, A2AAgentMetricsHourly, EmailTeam 

30from mcpgateway.db import EmailTeamMember as DbEmailTeamMember 

31from mcpgateway.db import fresh_db_session, get_for_update 

32from mcpgateway.db import Tool as DbTool 

33from mcpgateway.observability import create_span, set_span_attribute, set_span_error 

34from mcpgateway.schemas import A2AAgentAggregateMetrics, A2AAgentCreate, A2AAgentMetrics, A2AAgentRead, A2AAgentUpdate 

35from mcpgateway.services.base_service import BaseService 

36from mcpgateway.services.encryption_service import protect_oauth_config_for_storage 

37from mcpgateway.services.logging_service import LoggingService 

38from mcpgateway.services.metrics_cleanup_service import delete_metrics_in_batches, pause_rollup_during_purge 

39from mcpgateway.services.structured_logger import get_structured_logger 

40from mcpgateway.services.team_management_service import TeamManagementService 

41from mcpgateway.utils.correlation_id import get_correlation_id 

42from mcpgateway.utils.create_slug import slugify 

43from mcpgateway.utils.pagination import unified_paginate 

44from mcpgateway.utils.services_auth import decode_auth, encode_auth 

45from mcpgateway.utils.sqlalchemy_modifier import json_contains_tag_expr 

46from mcpgateway.utils.trace_redaction import is_input_capture_enabled, is_output_capture_enabled, serialize_trace_payload 

47 

48# Cache import (lazy to avoid circular dependencies) 

49_REGISTRY_CACHE = None 

50_TOOL_LOOKUP_CACHE = None 

51 

52 

53def _get_registry_cache(): 

54 """Get registry cache singleton lazily. 

55 

56 Returns: 

57 RegistryCache instance. 

58 """ 

59 global _REGISTRY_CACHE # pylint: disable=global-statement 

60 if _REGISTRY_CACHE is None: 

61 # First-Party 

62 from mcpgateway.cache.registry_cache import registry_cache # pylint: disable=import-outside-toplevel 

63 

64 _REGISTRY_CACHE = registry_cache 

65 return _REGISTRY_CACHE 

66 

67 

68def _get_tool_lookup_cache(): 

69 """Get tool lookup cache singleton lazily. 

70 

71 Returns: 

72 ToolLookupCache instance. 

73 """ 

74 global _TOOL_LOOKUP_CACHE # pylint: disable=global-statement 

75 if _TOOL_LOOKUP_CACHE is None: 

76 # First-Party 

77 from mcpgateway.cache.tool_lookup_cache import tool_lookup_cache # pylint: disable=import-outside-toplevel 

78 

79 _TOOL_LOOKUP_CACHE = tool_lookup_cache 

80 return _TOOL_LOOKUP_CACHE 

81 

82 

83# Initialize logging service first 

84logging_service = LoggingService() 

85logger = logging_service.get_logger(__name__) 

86 

87# Initialize structured logger for A2A lifecycle tracking 

88structured_logger = get_structured_logger("a2a_service") 

89 

90 

91class A2AAgentError(Exception): 

92 """Base class for A2A agent-related errors. 

93 

94 Examples: 

95 >>> try: 

96 ... raise A2AAgentError("Agent operation failed") 

97 ... except A2AAgentError as e: 

98 ... str(e) 

99 'Agent operation failed' 

100 >>> try: 

101 ... raise A2AAgentError("Connection error") 

102 ... except Exception as e: 

103 ... isinstance(e, A2AAgentError) 

104 True 

105 """ 

106 

107 

108class A2AAgentNotFoundError(A2AAgentError): 

109 """Raised when a requested A2A agent is not found. 

110 

111 Examples: 

112 >>> try: 

113 ... raise A2AAgentNotFoundError("Agent 'test-agent' not found") 

114 ... except A2AAgentNotFoundError as e: 

115 ... str(e) 

116 "Agent 'test-agent' not found" 

117 >>> try: 

118 ... raise A2AAgentNotFoundError("No such agent") 

119 ... except A2AAgentError as e: 

120 ... isinstance(e, A2AAgentError) # Should inherit from A2AAgentError 

121 True 

122 """ 

123 

124 

125class A2AAgentNameConflictError(A2AAgentError): 

126 """Raised when an A2A agent name conflicts with an existing one.""" 

127 

128 def __init__(self, name: str, is_active: bool = True, agent_id: Optional[str] = None, visibility: Optional[str] = "public"): 

129 """Initialize an A2AAgentNameConflictError exception. 

130 

131 Creates an exception that indicates an agent name conflict, with additional 

132 context about whether the conflicting agent is active and its ID if known. 

133 

134 Args: 

135 name: The agent name that caused the conflict. 

136 is_active: Whether the conflicting agent is currently active. 

137 agent_id: The ID of the conflicting agent, if known. 

138 visibility: The visibility level of the conflicting agent (private, team, public). 

139 

140 Examples: 

141 >>> error = A2AAgentNameConflictError("test-agent") 

142 >>> error.name 

143 'test-agent' 

144 >>> error.is_active 

145 True 

146 >>> error.agent_id is None 

147 True 

148 >>> "test-agent" in str(error) 

149 True 

150 >>> 

151 >>> # Test inactive agent conflict 

152 >>> error = A2AAgentNameConflictError("inactive-agent", is_active=False, agent_id="agent-123") 

153 >>> error.is_active 

154 False 

155 >>> error.agent_id 

156 'agent-123' 

157 >>> "inactive" in str(error) 

158 True 

159 >>> "agent-123" in str(error) 

160 True 

161 """ 

162 self.name = name 

163 self.is_active = is_active 

164 self.agent_id = agent_id 

165 message = f"{visibility.capitalize()} A2A Agent already exists with name: {name}" 

166 if not is_active: 

167 message += f" (currently inactive, ID: {agent_id})" 

168 super().__init__(message) 

169 

170 

171def _validate_a2a_team_assignment(db: Session, user_email: Optional[str], target_team_id: Optional[str]) -> None: 

172 """Validate team assignment for A2A agent updates. 

173 

174 Args: 

175 db: Database session used for membership checks. 

176 user_email: Requesting user email. When omitted, ownership checks are skipped. 

177 target_team_id: Team identifier to validate. 

178 

179 Raises: 

180 ValueError: If team does not exist or caller lacks ownership. 

181 """ 

182 if not target_team_id: 

183 raise ValueError("Cannot set visibility to 'team' without a team_id") 

184 

185 team = db.query(EmailTeam).filter(EmailTeam.id == target_team_id).first() 

186 if not team: 

187 raise ValueError(f"Team {target_team_id} not found") 

188 

189 if not user_email: 

190 return 

191 

192 membership = ( 

193 db.query(DbEmailTeamMember) 

194 .filter(DbEmailTeamMember.team_id == target_team_id, DbEmailTeamMember.user_email == user_email, DbEmailTeamMember.is_active, DbEmailTeamMember.role == "owner") 

195 .first() 

196 ) 

197 if not membership: 

198 raise ValueError("User membership in team not sufficient for this update.") 

199 

200 

201class A2AAgentService(BaseService): 

202 """Service for managing A2A agents in the gateway. 

203 

204 Provides methods to create, list, retrieve, update, set state, and delete agent records. 

205 Also supports interactions with A2A-compatible agents. 

206 """ 

207 

208 _visibility_model_cls = DbA2AAgent 

209 

210 def __init__(self) -> None: 

211 """Initialize a new A2AAgentService instance.""" 

212 self._initialized = False 

213 self._event_streams: List[AsyncGenerator[str, None]] = [] 

214 

215 async def initialize(self) -> None: 

216 """Initialize the A2A agent service.""" 

217 if not self._initialized: 

218 logger.info("Initializing A2A Agent Service") 

219 self._initialized = True 

220 

221 async def shutdown(self) -> None: 

222 """Shutdown the A2A agent service and cleanup resources.""" 

223 if self._initialized: 

224 logger.info("Shutting down A2A Agent Service") 

225 self._initialized = False 

226 

227 def _get_team_name(self, db: Session, team_id: Optional[str]) -> Optional[str]: 

228 """Retrieve the team name given a team ID. 

229 

230 Args: 

231 db (Session): Database session for querying teams. 

232 team_id (Optional[str]): The ID of the team. 

233 

234 Returns: 

235 Optional[str]: The name of the team if found, otherwise None. 

236 """ 

237 if not team_id: 

238 return None 

239 

240 team = db.query(EmailTeam).filter(EmailTeam.id == team_id, EmailTeam.is_active.is_(True)).first() 

241 db.commit() # Release transaction to avoid idle-in-transaction 

242 return team.name if team else None 

243 

244 def _batch_get_team_names(self, db: Session, team_ids: List[str]) -> Dict[str, str]: 

245 """Batch retrieve team names for multiple team IDs. 

246 

247 This method fetches team names in a single query to avoid N+1 issues 

248 when converting multiple agents to schemas in list operations. 

249 

250 Args: 

251 db (Session): Database session for querying teams. 

252 team_ids (List[str]): List of team IDs to look up. 

253 

254 Returns: 

255 Dict[str, str]: Mapping of team_id -> team_name for active teams. 

256 """ 

257 if not team_ids: 

258 return {} 

259 

260 # Single query for all teams 

261 teams = db.query(EmailTeam.id, EmailTeam.name).filter(EmailTeam.id.in_(team_ids), EmailTeam.is_active.is_(True)).all() 

262 

263 return {team.id: team.name for team in teams} 

264 

265 def _check_agent_access( 

266 self, 

267 agent: DbA2AAgent, 

268 user_email: Optional[str], 

269 token_teams: Optional[List[str]], 

270 ) -> bool: 

271 """Check if user has access to agent based on visibility rules. 

272 

273 Access rules (matching tools/resources/prompts): 

274 - public visibility: Always allowed 

275 - token_teams is None AND user_email is None: Admin bypass (unrestricted access) 

276 - No user context (but not admin): Deny access to non-public agents 

277 - team visibility: Allowed if agent.team_id in token_teams 

278 - private visibility: Allowed if owner (requires user_email and non-empty token_teams) 

279 

280 Args: 

281 agent: The agent to check access for 

282 user_email: User's email for owner matching 

283 token_teams: Teams from JWT. None = admin bypass, [] = public-only (no owner access) 

284 

285 Returns: 

286 True if access allowed, False otherwise. 

287 """ 

288 # Public agents are accessible by everyone 

289 if agent.visibility == "public": 

290 return True 

291 

292 # Admin bypass: token_teams=None AND user_email=None means unrestricted admin 

293 # This happens when is_admin=True and no team scoping in token 

294 if token_teams is None and user_email is None: 

295 return True 

296 

297 # No user context (but not admin) = deny access to non-public agents 

298 if not user_email: 

299 return False 

300 

301 # Public-only tokens (empty teams array) can ONLY access public agents 

302 is_public_only_token = token_teams is not None and len(token_teams) == 0 

303 if is_public_only_token: 

304 return False # Already checked public above 

305 

306 # Owner can access their own private agents 

307 if agent.visibility == "private" and agent.owner_email and agent.owner_email == user_email: 

308 return True 

309 

310 # Team agents: check team membership 

311 # token_teams=None means admin bypass — allow all team agents 

312 # ([] already handled by public-only check above) 

313 if agent.visibility == "team": 

314 if token_teams is None: 

315 return True 

316 return agent.team_id in token_teams 

317 

318 return False 

319 

320 async def register_agent( 

321 self, 

322 db: Session, 

323 agent_data: A2AAgentCreate, 

324 created_by: Optional[str] = None, 

325 created_from_ip: Optional[str] = None, 

326 created_via: Optional[str] = None, 

327 created_user_agent: Optional[str] = None, 

328 import_batch_id: Optional[str] = None, 

329 federation_source: Optional[str] = None, 

330 team_id: Optional[str] = None, 

331 owner_email: Optional[str] = None, 

332 visibility: Optional[str] = "public", 

333 ) -> A2AAgentRead: 

334 """Register a new A2A agent. 

335 

336 Args: 

337 db (Session): Database session. 

338 agent_data (A2AAgentCreate): Data required to create an agent. 

339 created_by (Optional[str]): User who created the agent. 

340 created_from_ip (Optional[str]): IP address of the creator. 

341 created_via (Optional[str]): Method used for creation (e.g., API, import). 

342 created_user_agent (Optional[str]): User agent of the creation request. 

343 import_batch_id (Optional[str]): UUID of a bulk import batch. 

344 federation_source (Optional[str]): Source gateway for federated agents. 

345 team_id (Optional[str]): ID of the team to assign the agent to. 

346 owner_email (Optional[str]): Email of the agent owner. 

347 visibility (Optional[str]): Visibility level ('public', 'team', 'private'). 

348 

349 Returns: 

350 A2AAgentRead: The created agent object. 

351 

352 Raises: 

353 A2AAgentNameConflictError: If another agent with the same name already exists. 

354 IntegrityError: If a database constraint or integrity violation occurs. 

355 ValueError: If invalid configuration or data is provided. 

356 A2AAgentError: For any other unexpected errors during registration. 

357 

358 Examples: 

359 # TODO 

360 """ 

361 with create_span( 

362 "a2a.register", 

363 { 

364 "a2a.agent.name": agent_data.name, 

365 "a2a.agent.type": agent_data.agent_type, 

366 "created_by": created_by, 

367 "team_id": team_id, 

368 "visibility": visibility, 

369 }, 

370 ) as span: 

371 try: 

372 agent_data.slug = slugify(agent_data.name) 

373 # Check for existing server with the same slug within the same team or public scope 

374 if visibility.lower() == "public": 

375 logger.info(f"visibility.lower(): {visibility.lower()}") 

376 logger.info(f"agent_data.name: {agent_data.name}") 

377 logger.info(f"agent_data.slug: {agent_data.slug}") 

378 # Check for existing public a2a agent with the same slug 

379 existing_agent = get_for_update(db, DbA2AAgent, where=and_(DbA2AAgent.slug == agent_data.slug, DbA2AAgent.visibility == "public")) 

380 if existing_agent: 

381 raise A2AAgentNameConflictError(name=agent_data.slug, is_active=existing_agent.enabled, agent_id=existing_agent.id, visibility=existing_agent.visibility) 

382 elif visibility.lower() == "team" and team_id: 

383 # Check for existing team a2a agent with the same slug 

384 existing_agent = get_for_update(db, DbA2AAgent, where=and_(DbA2AAgent.slug == agent_data.slug, DbA2AAgent.visibility == "team", DbA2AAgent.team_id == team_id)) 

385 if existing_agent: 

386 raise A2AAgentNameConflictError(name=agent_data.slug, is_active=existing_agent.enabled, agent_id=existing_agent.id, visibility=existing_agent.visibility) 

387 

388 auth_type = getattr(agent_data, "auth_type", None) 

389 # Support multiple custom headers 

390 auth_value = getattr(agent_data, "auth_value", {}) 

391 

392 # authentication_headers: Optional[Dict[str, str]] = None 

393 

394 if hasattr(agent_data, "auth_headers") and agent_data.auth_headers: 

395 # Convert list of {key, value} to dict 

396 header_dict = {h["key"]: h["value"] for h in agent_data.auth_headers if h.get("key")} 

397 # Keep encoded form for persistence, but pass raw headers for initialization 

398 auth_value = encode_auth(header_dict) # Encode the dict for consistency 

399 # authentication_headers = {str(k): str(v) for k, v in header_dict.items()} 

400 # elif isinstance(auth_value, str) and auth_value: 

401 # # Decode persisted auth for initialization 

402 # decoded = decode_auth(auth_value) 

403 # authentication_headers = {str(k): str(v) for k, v in decoded.items()} 

404 else: 

405 # authentication_headers = None 

406 pass 

407 # auth_value = {} 

408 

409 oauth_config = await protect_oauth_config_for_storage(getattr(agent_data, "oauth_config", None)) 

410 

411 # Handle query_param auth - encrypt and prepare for storage 

412 auth_query_params_encrypted: Optional[Dict[str, str]] = None 

413 if auth_type == "query_param": 

414 # Standard 

415 from urllib.parse import urlparse # pylint: disable=import-outside-toplevel 

416 

417 # First-Party 

418 from mcpgateway.config import settings # pylint: disable=import-outside-toplevel 

419 

420 # Service-layer enforcement: Check feature flag 

421 if not settings.insecure_allow_queryparam_auth: 

422 raise ValueError("Query parameter authentication is disabled. Set INSECURE_ALLOW_QUERYPARAM_AUTH=true to enable.") 

423 

424 # Service-layer enforcement: Check host allowlist 

425 if settings.insecure_queryparam_auth_allowed_hosts: 

426 parsed = urlparse(str(agent_data.endpoint_url)) 

427 hostname = (parsed.hostname or "").lower() 

428 allowed_hosts = [h.lower() for h in settings.insecure_queryparam_auth_allowed_hosts] 

429 if hostname not in allowed_hosts: 

430 allowed = ", ".join(settings.insecure_queryparam_auth_allowed_hosts) 

431 raise ValueError(f"Host '{hostname}' is not in the allowed hosts for query param auth. " f"Allowed: {allowed}") 

432 

433 # Extract and encrypt query param auth 

434 param_key = getattr(agent_data, "auth_query_param_key", None) 

435 param_value = getattr(agent_data, "auth_query_param_value", None) 

436 if param_key and param_value: 

437 # Handle SecretStr 

438 if hasattr(param_value, "get_secret_value"): 

439 raw_value = param_value.get_secret_value() 

440 else: 

441 raw_value = str(param_value) 

442 # Encrypt for storage 

443 encrypted_value = encode_auth({param_key: raw_value}) 

444 auth_query_params_encrypted = {param_key: encrypted_value} 

445 # Query param auth doesn't use auth_value 

446 auth_value = None 

447 

448 # Create new agent 

449 new_agent = DbA2AAgent( 

450 name=agent_data.name, 

451 description=agent_data.description, 

452 endpoint_url=agent_data.endpoint_url, 

453 agent_type=agent_data.agent_type, 

454 protocol_version=agent_data.protocol_version, 

455 capabilities=agent_data.capabilities, 

456 config=agent_data.config, 

457 auth_type=auth_type, 

458 auth_value=auth_value, # This should be encrypted in practice 

459 auth_query_params=auth_query_params_encrypted, # Encrypted query param auth 

460 oauth_config=oauth_config, 

461 tags=agent_data.tags, 

462 passthrough_headers=getattr(agent_data, "passthrough_headers", None), 

463 # Team scoping fields - use schema values if provided, otherwise fallback to parameters 

464 team_id=getattr(agent_data, "team_id", None) or team_id, 

465 owner_email=getattr(agent_data, "owner_email", None) or owner_email or created_by, 

466 # Endpoint visibility parameter takes precedence over schema default 

467 visibility=visibility if visibility is not None else getattr(agent_data, "visibility", "public"), 

468 created_by=created_by, 

469 created_from_ip=created_from_ip, 

470 created_via=created_via, 

471 created_user_agent=created_user_agent, 

472 import_batch_id=import_batch_id, 

473 federation_source=federation_source, 

474 ) 

475 

476 db.add(new_agent) 

477 # Commit agent FIRST to ensure it persists even if tool creation fails 

478 # This is critical because ToolService.register_tool calls db.rollback() 

479 # on error, which would undo a pending (flushed but uncommitted) agent 

480 db.commit() 

481 db.refresh(new_agent) 

482 

483 # Invalidate caches since agent count changed 

484 # Wrapped in try/except to ensure cache failures don't fail the request 

485 # when the agent is already successfully committed 

486 try: 

487 a2a_stats_cache.invalidate() 

488 cache = _get_registry_cache() 

489 await cache.invalidate_agents() 

490 # Also invalidate tags cache since agent tags may have changed 

491 # First-Party 

492 from mcpgateway.cache.admin_stats_cache import admin_stats_cache # pylint: disable=import-outside-toplevel 

493 

494 await admin_stats_cache.invalidate_tags() 

495 # First-Party 

496 from mcpgateway.cache.metrics_cache import metrics_cache # pylint: disable=import-outside-toplevel 

497 

498 metrics_cache.invalidate("a2a") 

499 except Exception as cache_error: 

500 logger.warning(f"Cache invalidation failed after agent commit: {cache_error}") 

501 

502 # Automatically create a tool for the A2A agent if not already present 

503 # Tool creation is wrapped in try/except to ensure agent registration succeeds 

504 # even if tool creation fails (e.g., due to visibility or permission issues) 

505 tool_db = None 

506 try: 

507 # First-Party 

508 from mcpgateway.services.tool_service import tool_service 

509 

510 tool_db = await tool_service.create_tool_from_a2a_agent( 

511 db=db, 

512 agent=new_agent, 

513 created_by=created_by, 

514 created_from_ip=created_from_ip, 

515 created_via=created_via, 

516 created_user_agent=created_user_agent, 

517 ) 

518 

519 # Associate the tool with the agent using the relationship 

520 # This sets both the tool_id foreign key and the tool relationship 

521 new_agent.tool = tool_db 

522 db.commit() 

523 db.refresh(new_agent) 

524 logger.info(f"Registered new A2A agent: {new_agent.name} (ID: {new_agent.id}) with tool ID: {tool_db.id}") 

525 except Exception as tool_error: 

526 # Log the error but don't fail agent registration 

527 # Agent was already committed above, so it persists even if tool creation fails 

528 logger.warning(f"Failed to create tool for A2A agent {new_agent.name}: {tool_error}") 

529 structured_logger.warning( 

530 f"A2A agent '{new_agent.name}' created without tool association", 

531 user_id=created_by, 

532 resource_type="a2a_agent", 

533 resource_id=str(new_agent.id), 

534 custom_fields={"error": str(tool_error), "agent_name": new_agent.name}, 

535 ) 

536 # Refresh the agent to ensure it's in a clean state after any rollback 

537 db.refresh(new_agent) 

538 logger.info(f"Registered new A2A agent: {new_agent.name} (ID: {new_agent.id}) without tool") 

539 

540 # Log A2A agent registration for lifecycle tracking 

541 structured_logger.info( 

542 f"A2A agent '{new_agent.name}' registered successfully", 

543 user_id=created_by, 

544 user_email=owner_email, 

545 team_id=team_id, 

546 resource_type="a2a_agent", 

547 resource_id=str(new_agent.id), 

548 resource_action="create", 

549 custom_fields={ 

550 "agent_name": new_agent.name, 

551 "agent_type": new_agent.agent_type, 

552 "protocol_version": new_agent.protocol_version, 

553 "visibility": visibility, 

554 "endpoint_url": new_agent.endpoint_url, 

555 }, 

556 ) 

557 

558 if span: 

559 set_span_attribute(span, "success", True) 

560 set_span_attribute(span, "a2a.agent.id", str(new_agent.id)) 

561 return self.convert_agent_to_read(new_agent, db=db) 

562 

563 except A2AAgentNameConflictError as ie: 

564 set_span_error(span, ie) 

565 db.rollback() 

566 raise ie 

567 except IntegrityError as ie: 

568 set_span_error(span, ie) 

569 db.rollback() 

570 logger.error(f"IntegrityErrors in group: {ie}") 

571 raise ie 

572 except ValueError as ve: 

573 set_span_error(span, ve) 

574 raise ve 

575 except Exception as e: 

576 set_span_error(span, e) 

577 db.rollback() 

578 raise A2AAgentError(f"Failed to register A2A agent: {str(e)}") 

579 

580 async def list_agents( 

581 self, 

582 db: Session, 

583 cursor: Optional[str] = None, 

584 include_inactive: bool = False, 

585 tags: Optional[List[str]] = None, 

586 limit: Optional[int] = None, 

587 page: Optional[int] = None, 

588 per_page: Optional[int] = None, 

589 user_email: Optional[str] = None, 

590 token_teams: Optional[List[str]] = None, 

591 team_id: Optional[str] = None, 

592 visibility: Optional[str] = None, 

593 ) -> Union[tuple[List[A2AAgentRead], Optional[str]], Dict[str, Any]]: 

594 """List A2A agents with cursor pagination and optional team filtering. 

595 

596 Args: 

597 db: Database session. 

598 cursor: Pagination cursor for keyset pagination. 

599 include_inactive: Whether to include inactive agents. 

600 tags: List of tags to filter by. 

601 limit: Maximum number of agents to return. None for default, 0 for unlimited. 

602 page: Page number for page-based pagination (1-indexed). Mutually exclusive with cursor. 

603 per_page: Items per page for page-based pagination. Defaults to pagination_default_page_size. 

604 user_email: Email of user for owner matching in visibility checks. 

605 token_teams: Teams from JWT token. None = admin (no filtering), 

606 [] = public-only, [...] = team-scoped access. 

607 team_id: Optional team ID to filter by specific team. 

608 visibility: Optional visibility filter (private, team, public). 

609 

610 Returns: 

611 If page is provided: Dict with {"data": [...], "pagination": {...}, "links": {...}} 

612 If cursor is provided or neither: tuple of (list of A2AAgentRead objects, next_cursor). 

613 

614 Examples: 

615 >>> from mcpgateway.services.a2a_service import A2AAgentService 

616 >>> from unittest.mock import MagicMock 

617 >>> from mcpgateway.schemas import A2AAgentRead 

618 >>> import asyncio 

619 

620 >>> service = A2AAgentService() 

621 >>> db = MagicMock() 

622 

623 >>> # Mock a single agent object returned by the DB 

624 >>> agent_obj = MagicMock() 

625 >>> db.execute.return_value.scalars.return_value.all.return_value = [agent_obj] 

626 

627 >>> # Mock the A2AAgentRead schema to return a masked string 

628 >>> mocked_agent_read = MagicMock() 

629 >>> mocked_agent_read.masked.return_value = 'agent_read' 

630 >>> A2AAgentRead.model_validate = MagicMock(return_value=mocked_agent_read) 

631 

632 >>> # Run the service method 

633 >>> agents, cursor = asyncio.run(service.list_agents(db)) 

634 >>> agents == ['agent_read'] and cursor is None 

635 True 

636 

637 >>> # Test include_inactive parameter (same mock works) 

638 >>> agents_with_inactive, cursor = asyncio.run(service.list_agents(db, include_inactive=True)) 

639 >>> agents_with_inactive == ['agent_read'] and cursor is None 

640 True 

641 

642 >>> # Test empty result 

643 >>> db.execute.return_value.scalars.return_value.all.return_value = [] 

644 >>> empty_agents, cursor = asyncio.run(service.list_agents(db)) 

645 >>> empty_agents == [] and cursor is None 

646 True 

647 

648 """ 

649 # ══════════════════════════════════════════════════════════════════════ 

650 # CACHE READ: Skip cache when ANY access filtering is applied 

651 # This prevents leaking admin-level results to filtered requests 

652 # Cache only when: user_email is None AND token_teams is None AND page is None 

653 # ══════════════════════════════════════════════════════════════════════ 

654 cache = _get_registry_cache() 

655 if cursor is None and user_email is None and token_teams is None and page is None: 

656 filters_hash = cache.hash_filters(include_inactive=include_inactive, tags=sorted(tags) if tags else None, visibility=visibility) 

657 cached = await cache.get("agents", filters_hash) 

658 if cached is not None: 

659 # Reconstruct A2AAgentRead objects from cached dicts 

660 cached_agents = [A2AAgentRead.model_validate(a).masked() for a in cached["agents"]] 

661 return (cached_agents, cached.get("next_cursor")) 

662 

663 # Build base query with ordering 

664 query = select(DbA2AAgent).order_by(desc(DbA2AAgent.created_at), desc(DbA2AAgent.id)) 

665 

666 # Apply active/inactive filter 

667 if not include_inactive: 

668 query = query.where(DbA2AAgent.enabled) 

669 

670 query = await self._apply_access_control(query, db, user_email, token_teams, team_id) 

671 

672 if visibility: 

673 query = query.where(DbA2AAgent.visibility == visibility) 

674 

675 # Add tag filtering if tags are provided (supports both List[str] and List[Dict] formats) 

676 if tags: 

677 query = query.where(json_contains_tag_expr(db, DbA2AAgent.tags, tags, match_any=True)) 

678 

679 # Use unified pagination helper - handles both page and cursor pagination 

680 pag_result = await unified_paginate( 

681 db=db, 

682 query=query, 

683 page=page, 

684 per_page=per_page, 

685 cursor=cursor, 

686 limit=limit, 

687 base_url="/admin/a2a", # Used for page-based links 

688 query_params={"include_inactive": include_inactive} if include_inactive else {}, 

689 ) 

690 

691 next_cursor = None 

692 # Extract servers based on pagination type 

693 if page is not None: 

694 # Page-based: pag_result is a dict 

695 a2a_agents_db = pag_result["data"] 

696 else: 

697 # Cursor-based: pag_result is a tuple 

698 a2a_agents_db, next_cursor = pag_result 

699 

700 # Fetch team names for the agents (common for both pagination types) 

701 team_ids_set = {s.team_id for s in a2a_agents_db if s.team_id} 

702 team_map = {} 

703 if team_ids_set: 

704 teams = db.execute(select(EmailTeam.id, EmailTeam.name).where(EmailTeam.id.in_(team_ids_set), EmailTeam.is_active.is_(True))).all() 

705 team_map = {team.id: team.name for team in teams} 

706 

707 db.commit() # Release transaction to avoid idle-in-transaction 

708 

709 # Convert to A2AAgentRead (common for both pagination types) 

710 result = [] 

711 for s in a2a_agents_db: 

712 try: 

713 s.team = team_map.get(s.team_id) if s.team_id else None 

714 result.append(self.convert_agent_to_read(s, include_metrics=False, db=db, team_map=team_map)) 

715 except (ValidationError, ValueError, KeyError, TypeError, binascii.Error) as e: 

716 logger.exception(f"Failed to convert A2A agent {getattr(s, 'id', 'unknown')} ({getattr(s, 'name', 'unknown')}): {e}") 

717 # Continue with remaining agents instead of failing completely 

718 

719 # Return appropriate format based on pagination type 

720 if page is not None: 

721 # Page-based format 

722 return { 

723 "data": result, 

724 "pagination": pag_result["pagination"], 

725 "links": pag_result["links"], 

726 } 

727 

728 # Cursor-based format 

729 

730 # ══════════════════════════════════════════════════════════════════════ 

731 # CACHE WRITE: Only cache admin-level results (matches read guard) 

732 # MUST check token_teams is None to prevent caching scoped responses 

733 # ══════════════════════════════════════════════════════════════════════ 

734 if cursor is None and user_email is None and token_teams is None: 

735 try: 

736 cache_data = {"agents": [s.model_dump(mode="json") for s in result], "next_cursor": next_cursor} 

737 await cache.set("agents", cache_data, filters_hash) 

738 except AttributeError: 

739 pass # Skip caching if result objects don't support model_dump (e.g., in doctests) 

740 

741 return (result, next_cursor) 

742 

743 async def list_agents_for_user( 

744 self, db: Session, user_info: Dict[str, Any], team_id: Optional[str] = None, visibility: Optional[str] = None, include_inactive: bool = False, skip: int = 0, limit: int = 100 

745 ) -> List[A2AAgentRead]: 

746 """ 

747 DEPRECATED: Use list_agents() with user_email parameter instead. 

748 

749 This method is maintained for backward compatibility but is no longer used. 

750 New code should call list_agents() with user_email, team_id, and visibility parameters. 

751 

752 List A2A agents user has access to with team filtering. 

753 

754 Args: 

755 db: Database session 

756 user_info: Object representing identity of the user who is requesting agents 

757 team_id: Optional team ID to filter by specific team 

758 visibility: Optional visibility filter (private, team, public) 

759 include_inactive: Whether to include inactive agents 

760 skip: Number of agents to skip for pagination 

761 limit: Maximum number of agents to return 

762 

763 Returns: 

764 List[A2AAgentRead]: A2A agents the user has access to 

765 """ 

766 

767 # Handle case where user_info is a string (email) instead of dict (<0.7.0) 

768 if isinstance(user_info, str): 

769 user_email = str(user_info) 

770 else: 

771 user_email = user_info.get("email", "") 

772 

773 # Build query following existing patterns from list_prompts() 

774 team_service = TeamManagementService(db) 

775 user_teams = await team_service.get_user_teams(user_email) 

776 team_ids = [team.id for team in user_teams] 

777 

778 # Build query following existing patterns from list_agents() 

779 query = select(DbA2AAgent) 

780 

781 # Apply active/inactive filter 

782 if not include_inactive: 

783 query = query.where(DbA2AAgent.enabled.is_(True)) 

784 

785 if team_id: 

786 if team_id not in team_ids: 

787 return [] # No access to team 

788 

789 access_conditions = [] 

790 # Filter by specific team 

791 access_conditions.append(and_(DbA2AAgent.team_id == team_id, DbA2AAgent.visibility.in_(["team", "public"]))) 

792 

793 access_conditions.append(and_(DbA2AAgent.team_id == team_id, DbA2AAgent.owner_email == user_email)) 

794 

795 query = query.where(or_(*access_conditions)) 

796 else: 

797 # Get user's accessible teams 

798 # Build access conditions following existing patterns 

799 access_conditions = [] 

800 # 1. User's personal resources (owner_email matches) 

801 access_conditions.append(DbA2AAgent.owner_email == user_email) 

802 # 2. Team A2A Agents where user is member 

803 if team_ids: 

804 access_conditions.append(and_(DbA2AAgent.team_id.in_(team_ids), DbA2AAgent.visibility.in_(["team", "public"]))) 

805 # 3. Public resources (if visibility allows) 

806 access_conditions.append(DbA2AAgent.visibility == "public") 

807 

808 query = query.where(or_(*access_conditions)) 

809 

810 # Apply visibility filter if specified 

811 if visibility: 

812 query = query.where(DbA2AAgent.visibility == visibility) 

813 

814 # Apply pagination following existing patterns 

815 query = query.order_by(desc(DbA2AAgent.created_at)) 

816 query = query.offset(skip).limit(limit) 

817 

818 agents = db.execute(query).scalars().all() 

819 

820 # Batch fetch team names to avoid N+1 queries 

821 team_ids = list({a.team_id for a in agents if a.team_id}) 

822 team_map = self._batch_get_team_names(db, team_ids) 

823 

824 db.commit() # Release transaction to avoid idle-in-transaction 

825 

826 # Skip metrics to avoid N+1 queries in list operations 

827 result = [] 

828 for agent in agents: 

829 try: 

830 result.append(self.convert_agent_to_read(agent, include_metrics=False, db=db, team_map=team_map)) 

831 except (ValidationError, ValueError, KeyError, TypeError, binascii.Error) as e: 

832 logger.exception(f"Failed to convert A2A agent {getattr(agent, 'id', 'unknown')} ({getattr(agent, 'name', 'unknown')}): {e}") 

833 # Continue with remaining agents instead of failing completely 

834 

835 return result 

836 

837 async def get_agent( 

838 self, 

839 db: Session, 

840 agent_id: str, 

841 include_inactive: bool = True, 

842 user_email: Optional[str] = None, 

843 token_teams: Optional[List[str]] = None, 

844 ) -> A2AAgentRead: 

845 """Retrieve an A2A agent by ID. 

846 

847 Args: 

848 db: Database session. 

849 agent_id: Agent ID. 

850 include_inactive: Whether to include inactive a2a agents. 

851 user_email: User's email for owner matching in visibility checks. 

852 token_teams: Teams from JWT token. None = admin (no filtering), 

853 [] = public-only, [...] = team-scoped access. 

854 

855 Returns: 

856 Agent data. 

857 

858 Raises: 

859 A2AAgentNotFoundError: If the agent is not found or user lacks access. 

860 

861 Examples: 

862 >>> from unittest.mock import MagicMock 

863 >>> from datetime import datetime 

864 >>> import asyncio 

865 >>> from mcpgateway.schemas import A2AAgentRead 

866 >>> from mcpgateway.services.a2a_service import A2AAgentService, A2AAgentNotFoundError 

867 

868 >>> service = A2AAgentService() 

869 >>> db = MagicMock() 

870 

871 >>> # Create a mock agent 

872 >>> agent_mock = MagicMock() 

873 >>> agent_mock.enabled = True 

874 >>> agent_mock.id = "agent_id" 

875 >>> agent_mock.name = "Test Agent" 

876 >>> agent_mock.slug = "test-agent" 

877 >>> agent_mock.description = "A2A test agent" 

878 >>> agent_mock.endpoint_url = "https://example.com"