ASPL/examples/migrate_from_a2a.py at main · TilelliLab/ASPL · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
"""Migration guide: A2A Agent Cards -> ASPL passports + capabilities.

This example shows how to take A2A Agent Cards and register them
in ASPL, gaining cryptographic identity, trust scoring, and
environment verification — while keeping the A2A communication bridge.
"""

from aspl.adapters.a2a import A2AAdapter

adapter = A2AAdapter()

# --- Step 1: Your A2A Agent Card ---

# This is the JSON that lives at /.well-known/agent.json
agent_card = {
    "name": "invoice-processor",
    "description": "Process invoices: extract data, validate, and route for approval",
    "url": "https://agents.acme.com/invoice-processor",
    "version": "2.1",
    "skills": [
        {
            "id": "extract-invoice-data",
            "name": "Invoice Data Extraction",
            "description": "Extract structured data from invoice PDFs and images",
            "tags": ["invoice", "ocr", "data-extraction", "pdf"],
            "examples": [
                "Extract line items from this invoice",
                "Parse the total and tax from this PDF",
            ],
        },
        {
            "id": "validate-invoice",
            "name": "Invoice Validation",
            "description": "Validate invoice data against purchase orders and contracts",
            "tags": ["invoice", "validation", "compliance"],
            "examples": ["Check if this invoice matches PO-12345"],
        },
        {
            "id": "route-approval",
            "name": "Approval Routing",
            "description": "Route invoice for approval based on amount and department rules",
            "tags": ["invoice", "approval", "workflow"],
            "examples": ["Route this $5000 invoice to the right approver"],
        },
    ],
    "capabilities": {
        "streaming": True,
        "pushNotifications": True,
        "stateTransitionHistory": True,
    },
    "authentication": {
        "schemes": ["bearer"],
    },
    "provider": {
        "organization": "Acme Corp",
    },
}

# --- Step 2: Convert to ASPL ---

passport, capabilities = adapter.convert_agent_card(agent_card)

print(f"A2A Agent: {agent_card['name']}")
print(f"ASPL Passport:")
print(f"  Name: {passport.name}")
print(f"  Trust: {passport.trust_score} (starts low — A2A cards are unsigned)")
print(f"  Source: {passport.source_ref}")
print(f"  Environment: {passport.environment}")
print(f"  Capabilities: {len(capabilities)}")
print()

for cap in capabilities:
    print(f"  Skill: {cap.content['a2a_skill']['name']}")
    print(f"    ASPL Intent: {cap.intent}")
    print(f"    Safety: {cap.safety_level}")
    print(f"    Bridge: {cap.content['adapter']['agent_url']}")
    print()

# --- Step 3: Register with ASPL server ---

print("To register with a running ASPL server:")
print("""
    import requests

    # Ingest the entire Agent Card in one call:
    response = requests.post(
        "http://localhost:5010/v1/ingest/a2a",
        headers={"X-API-Key": api_key},
        json=agent_card,
    )

    # Result includes:
    # - ASPL passport with trust score
    # - Each skill converted to ASPL capability
    # - A2A bridge adapter for calling via original protocol
""")

# --- The security gap A2A leaves open ---

print("""
What A2A Agent Cards lack (and ASPL adds):

1. CRYPTOGRAPHIC IDENTITY
   A2A: Unsigned JSON at /.well-known/agent.json
        Anyone who controls the URL can impersonate the agent.
   ASPL: Ed25519 signed passport. Cryptographic proof of identity.
         Spoofing requires the private key.

2. TRUST SCORING
   A2A: No trust mechanism. Their own docs say identity verification
        is "left to external mechanisms."
   ASPL: Bayesian trust scoring with anti-gaming (burst detection,
         collusion detection, rating-weight-by-rater-trust).

3. ENVIRONMENT VERIFICATION
   A2A: No environment declaration or verification.
        You don't know if the agent's skill will work in your setup.
   ASPL: Agents declare their environment. ASPL can probe
        to verify compatibility before delivery.

4. CONTENT SECURITY
   A2A: No scanning of agent responses or capabilities.
   ASPL: Content scanned for prompt injection, data exfiltration,
         resource abuse — at publish time, before any agent sees it.

5. EMERGENCY REVOCATION
   A2A: No revocation mechanism. Bad agents stay discoverable.
   ASPL: Real-time revocation broadcast. Compromised capabilities
         are killed instantly across the network.

What you keep:
- A2A communication protocol still works (via bridge)
- Agent Card stays at /.well-known/agent.json
- Other A2A agents can still find and call you
- ASPL adds trust on top, doesn't replace the communication layer
""")