Skip to content

feat(server): /.well-known/adcp-agents.json discovery endpoint#404

Draft
bokelley wants to merge 2 commits intomainfrom
claude/issue-381-adcp-agents-discovery
Draft

feat(server): /.well-known/adcp-agents.json discovery endpoint#404
bokelley wants to merge 2 commits intomainfrom
claude/issue-381-adcp-agents-discovery

Conversation

@bokelley
Copy link
Copy Markdown
Contributor

@bokelley bokelley commented May 3, 2026

Summary

Implements the /.well-known/adcp-agents.json multi-agent topology discovery endpoint per AdCP spec PR #3903 (commit 5c3e3e626).

  • Server-side: Dynamic endpoint served on streamable-http, a2a, and both transports. Document is generated at request time (not cached) so per-instance capability filters and flag-gated features are always current.
  • Auth bypass: BearerTokenAuthMiddleware exempts GET /.well-known/* before reading the request body, keeping discovery unauthenticated per spec.
  • Client-side: fetch_adcp_agents(agent_base_url) fetches and validates a seller's topology doc. SSRF-protected: rejects non-http/https schemes, private/reserved IPs, and localhost.
  • New exception types: AdcpAgentsValidationError, AdcpAgentsNotFoundError, AdcpAgentsTimeoutError — all exported from adcp top-level.
  • 19 smoke tests: streamable-http, a2a, both transports; advertise_all gating; comply_test_controller exclusion; auth middleware bypass; SSRF rejection; timeout namespace.

Document shape (conservative, spec-aligned)

{
  "adcp_version": "3.0",
  "agents": [
    { "name": "my-seller", "capabilities": ["get_products", "create_media_buy"] }
  ]
}

Note on CI schema validation: schemas/cache/adcp-agents.json is not yet available — upstream PR #3903 has not released a schema artifact. The document shape is implemented conservatively against the spec prose. CI schema validation can be added in a follow-up once scripts/sync_schemas.py can fetch the upstream schema.

Test plan

  • pytest tests/test_adcp_agents_discovery.py -v — 19 passed
  • pytest tests/ -q (excluding network test) — 3096 passed, 0 new failures
  • ruff check src/ — all checks passed
  • mypy src/adcp/ — no new errors (pre-existing missing-stubs errors unchanged)
  • Public API snapshot regenerated (tests/fixtures/public_api_snapshot.json)

Pre-PR review sign-offs

Protocol expert: cache-control: no-cache is correct for capability docs (fixed from no-store); auth bypass scope and document shape are spec-aligned.

Code reviewer: SSRF protection added to fetch_adcp_agents; shadow urlparse import removed; AdcpAgentsTimeoutError replaces AdagentsTimeoutError in timeout path; duplicate response-assembly extracted to _send_adcp_agents_response.

Refs #381

https://claude.ai/code/session_01S3J5mFsF94rDjmrhNg8G8a

Generated by Claude Code

claude added 2 commits May 3, 2026 00:48
@claude
feat(server): /.well-known/adcp-agents.json discovery endpoint
5f302cb 
Implements AdCP spec PR #3903 (commit 5c3e3e626). Sellers now serve a
dynamic multi-agent topology document on all three transport modes; buyers
can discover it via fetch_adcp_agents().

- serve() exposes /.well-known/adcp-agents.json on streamable-http, a2a,
  and both transports via a thin ASGI wrapper injected before auth middleware
- Document is generated at request time from get_tools_for_handler() so
  per-instance capability filters are always accurate; comply_test_controller
  is excluded from the public surface
- BearerTokenAuthMiddleware.dispatch() now bypasses auth for GET /.well-known/
  requests (spec-mandated public discovery; JSON-RPC peek was silently 401ing
  these requests before)
- fetch_adcp_agents(agent_base_url) client-side helper mirrors fetch_adagents()
  with SSRF-safe URL construction
- AdcpAgentsNotFoundError and AdcpAgentsValidationError added to exceptions
  hierarchy with context-correct suggestion text
- 16 smoke tests cover all three transports, advertise_all gating,
  comply_test_controller exclusion, and client-side 200/404 paths

Note: CI schema validation against adcp-agents.json requires sync_schemas.py
to pull the upstream schema once adcontextprotocol/adcp PR #3903 releases.

Refs #381

https://claude.ai/code/session_01S3J5mFsF94rDjmrhNg8G8a
@claude
fix(server): address pre-PR review blockers for adcp-agents discovery
0d0fe20 
- Add AdcpAgentsTimeoutError to exceptions hierarchy (namespace fix)
- Add SSRF protection to fetch_adcp_agents: validates scheme (http/https
  only) and rejects private/reserved IPs and localhost before making
  any network call
- Remove shadow urlparse import inside fetch_adcp_agents; use
  module-level urlparse
- Raise AdcpAgentsTimeoutError instead of AdagentsTimeoutError on timeout
- Export AdcpAgentsTimeoutError from adcp.__init__ and update __all__
- Extract _send_adcp_agents_response() helper to eliminate duplicate
  response-assembly code in serve.py
- Move import json to module level in serve.py
- Add 5 new tests: SSRF rejection, timeout namespace, auth middleware
  bypass, and update public API snapshot

https://claude.ai/code/session_01S3J5mFsF94rDjmrhNg8G8a
@bokelley bokelley mentioned this pull request May 3, 2026
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bokelley @claude