feat(a2a): implement M12 A2A server (#98)

* feat(a2a): implement M12 A2A server with JSON-RPC routing, task management, and SSE streaming

Add axum-based HTTP server to zeph-a2a crate behind feature-gated
server module. Implements core A2A protocol server-side operations:
JSON-RPC 2.0 dispatch for message/send, tasks/get, tasks/cancel;
in-memory TaskManager with full lifecycle; SSE streaming with
JSON-RPC response envelope; bearer token auth with constant-time
comparison (subtle); per-IP rate limiting; 1 MiB body size limit.

Refactor Part from flat struct to tagged enum with kind discriminator
and rename TaskState::Pending to Submitted with explicit per-variant
serde renames for spec-compliant kebab-case wire format.

Resolves #83, #84, #85

* chore: bump version to 0.7.0, update README and Docker configs for A2A server

- Bump workspace version 0.6.0 -> 0.7.0
- Add A2A Server section to README with endpoints and env vars
- Add A2A environment variables to docker-compose.yml and docker-compose.dev.yml
- Expose A2A port 8080 in Docker Compose services
- Add zeph-a2a Cargo.toml to Dockerfile.dev dependency cache layer
- Update CHANGELOG with 0.7.0 release date

Author: bug-ops

CHANGELOG.md

@@ -6,6 +6,26 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+## [0.7.0] - 2026-02-08
+
+### Added
+- A2A Server: axum-based HTTP server with JSON-RPC 2.0 routing for `message/send`, `tasks/get`, `tasks/cancel` (Issue #83)
+- In-memory `TaskManager` with full task lifecycle: create, get, update status, add artifacts, append history, cancel (Issue #83)
+- SSE streaming endpoint (`/a2a/stream`) with JSON-RPC response envelope wrapping per A2A spec (Issue #84)
+- Bearer token authentication middleware with constant-time comparison via `subtle::ConstantTimeEq` (Issue #85)
+- Per-IP rate limiting middleware with configurable 60-second sliding window (Issue #85)
+- Request body size limit (1 MiB) via `tower-http::limit::RequestBodyLimitLayer` (Issue #85)
+- `A2aServerConfig` with env var overrides: `ZEPH_A2A_ENABLED`, `ZEPH_A2A_HOST`, `ZEPH_A2A_PORT`, `ZEPH_A2A_PUBLIC_URL`, `ZEPH_A2A_AUTH_TOKEN`, `ZEPH_A2A_RATE_LIMIT`
+- Agent card served at `/.well-known/agent-card.json` (public, no auth required)
+- Graceful shutdown integration via tokio watch channel
+- Server module gated behind `server` feature flag on `zeph-a2a` crate
+
+### Changed
+- `Part` type refactored from flat struct to tagged enum with `kind` discriminator (`text`, `file`, `data`) per A2A spec
+- `TaskState::Pending` renamed to `TaskState::Submitted` with explicit per-variant `#[serde(rename)]` for kebab-case wire format
+- Added `AuthRequired` and `Unknown` variants to `TaskState`
+- `TaskStatusUpdateEvent` and `TaskArtifactUpdateEvent` gained `kind` field (`status-update`, `artifact-update`)
+
 ## [0.6.0] - 2026-02-08
 
 ### Added

Cargo.lock

@@ -5,22 +5,26 @@ resolver = "3"
 [workspace.package]
 edition = "2024"
 rust-version = "1.88"
-version = "0.6.0"
+version = "0.7.0"
 authors = ["bug-ops"]
 license = "MIT"
 repository = "https://github.com/bug-ops/zeph"
 
 [workspace.dependencies]
 anyhow = "1.0"
+axum = "0.8"
 criterion = "0.8"
+futures = "0.3"
 eventsource-stream = "0.2"
+http-body-util = "0.1"
 futures-core = "0.3"
 notify = "8"
 notify-debouncer-mini = "0.7"
 ollama-rs = { version = "0.3", default-features = false, features = ["rustls", "stream"] }
 pulldown-cmark = "0.13"
 qdrant-client = { version = "1.16", default-features = false }
 reqwest = { version = "0.13", default-features = false }
+subtle = "2.6"
 serde = "1.0"
 serde_json = "1.0"
 serial_test = "3.3"
@@ -32,16 +36,18 @@ thiserror = "2.0"
 tokio = "1"
 tokio-stream = "0.1"
 toml = "0.9"
+tower = "0.5"
+tower-http = "0.6"
 tracing = "0.1"
 tracing-subscriber = "0.3"
 uuid = "1.20"
-zeph-a2a = { path = "crates/zeph-a2a", version = "0.6.0" }
-zeph-channels = { path = "crates/zeph-channels", version = "0.6.0" }
-zeph-core = { path = "crates/zeph-core", version = "0.6.0" }
-zeph-llm = { path = "crates/zeph-llm", version = "0.6.0" }
-zeph-memory = { path = "crates/zeph-memory", version = "0.6.0" }
-zeph-skills = { path = "crates/zeph-skills", version = "0.6.0" }
-zeph-tools = { path = "crates/zeph-tools", version = "0.6.0" }
+zeph-a2a = { path = "crates/zeph-a2a", version = "0.7.0" }
+zeph-channels = { path = "crates/zeph-channels", version = "0.7.0" }
+zeph-core = { path = "crates/zeph-core", version = "0.7.0" }
+zeph-llm = { path = "crates/zeph-llm", version = "0.7.0" }
+zeph-memory = { path = "crates/zeph-memory", version = "0.7.0" }
+zeph-skills = { path = "crates/zeph-skills", version = "0.7.0" }
+zeph-tools = { path = "crates/zeph-tools", version = "0.7.0" }
 
 [workspace.lints.clippy]
 all = "warn"
@@ -57,7 +63,7 @@ repository.workspace = true
 
 [features]
 default = ["a2a"]
-a2a = ["dep:zeph-a2a"]
+a2a = ["dep:zeph-a2a", "zeph-a2a?/server"]
 
 [dependencies]
 anyhow.workspace = true

Cargo.toml

@@ -14,6 +14,7 @@ COPY crates/zeph-skills/Cargo.toml crates/zeph-skills/Cargo.toml
 COPY crates/zeph-memory/Cargo.toml crates/zeph-memory/Cargo.toml
 COPY crates/zeph-channels/Cargo.toml crates/zeph-channels/Cargo.toml
 COPY crates/zeph-tools/Cargo.toml crates/zeph-tools/Cargo.toml
+COPY crates/zeph-a2a/Cargo.toml crates/zeph-a2a/Cargo.toml
 RUN mkdir -p src && echo 'fn main() {}' > src/main.rs && \
     for d in crates/*/; do mkdir -p "$d/src" && echo '' > "$d/src/lib.rs"; done && \
     cargo build --release 2>/dev/null || true

Dockerfile.dev

@@ -45,7 +45,7 @@ docker pull ghcr.io/bug-ops/zeph:latest
 Or use a specific version:
 
 ```bash
-docker pull ghcr.io/bug-ops/zeph:v0.6.0
+docker pull ghcr.io/bug-ops/zeph:v0.7.0
 ```
 
 **Security:** Images are scanned with [Trivy](https://trivy.dev/) in CI/CD and use Oracle Linux 9 Slim base with **0 HIGH/CRITICAL CVEs**. Multi-platform: linux/amd64, linux/arm64.
@@ -128,6 +128,14 @@ enabled = true
 [tools.shell]
 timeout = 30
 blocked_commands = []  # Additional patterns beyond defaults
+
+[a2a]
+enabled = false
+host = "0.0.0.0"
+port = 8080
+# public_url = "https://agent.example.com"
+# auth_token = "secret"
+rate_limit = 60
 ```
 
 </details>
@@ -152,6 +160,12 @@ blocked_commands = []  # Additional patterns beyond defaults
 | `ZEPH_MEMORY_CONTEXT_BUDGET_TOKENS` | Context budget for proportional token allocation (default: 0 = unlimited) |
 | `ZEPH_SKILLS_MAX_ACTIVE` | Max skills per query via embedding match (default: 5) |
 | `ZEPH_TOOLS_TIMEOUT` | Shell command timeout in seconds (default: 30) |
+| `ZEPH_A2A_ENABLED` | Enable A2A server (default: false) |
+| `ZEPH_A2A_HOST` | A2A server bind address (default: `0.0.0.0`) |
+| `ZEPH_A2A_PORT` | A2A server port (default: `8080`) |
+| `ZEPH_A2A_PUBLIC_URL` | Public URL for agent card discovery |
+| `ZEPH_A2A_AUTH_TOKEN` | Bearer token for A2A server authentication |
+| `ZEPH_A2A_RATE_LIMIT` | Max requests per IP per minute (default: 60) |
 
 </details>
 
@@ -261,7 +275,7 @@ context_budget_tokens = 8000  # Set to LLM context window size (0 = unlimited)
 
 ## Docker
 
-**Note:** Docker Compose automatically pulls the latest image from GitHub Container Registry. To use a specific version, set `ZEPH_IMAGE=ghcr.io/bug-ops/zeph:v0.6.0`.
+**Note:** Docker Compose automatically pulls the latest image from GitHub Container Registry. To use a specific version, set `ZEPH_IMAGE=ghcr.io/bug-ops/zeph:v0.7.0`.
 
 <details>
 <summary><b>🐳 Docker Deployment Options</b> (click to expand)</summary>
@@ -304,7 +318,7 @@ docker compose --profile gpu -f docker-compose.yml -f docker-compose.gpu.yml up
 
 ```bash
 # Use a specific release version
-ZEPH_IMAGE=ghcr.io/bug-ops/zeph:v0.6.0 docker compose up
+ZEPH_IMAGE=ghcr.io/bug-ops/zeph:v0.7.0 docker compose up
 
 # Always pull latest
 docker compose pull && docker compose up
@@ -408,11 +422,27 @@ Found a vulnerability? See [SECURITY.md](SECURITY.md) for responsible disclosure
 
 **Security contact:** Submit via GitHub Security Advisories (confidential)
 
+## A2A Server (Optional)
+
+Zeph includes an embedded [A2A protocol](https://github.com/a2aproject/A2A) server for agent-to-agent communication. When enabled, other agents can discover and interact with Zeph via the standard A2A JSON-RPC 2.0 API.
+
+```bash
+ZEPH_A2A_ENABLED=true ZEPH_A2A_AUTH_TOKEN=secret ./target/release/zeph
+```
+
+The server exposes:
+- `/.well-known/agent-card.json` — agent discovery (public, no auth)
+- `/a2a` — JSON-RPC endpoint (`message/send`, `tasks/get`, `tasks/cancel`)
+- `/a2a/stream` — SSE streaming endpoint
+
+> [!TIP]
+> Set `ZEPH_A2A_AUTH_TOKEN` to secure the server with bearer token authentication. The agent card endpoint remains public per A2A spec.
+
 ## Feature Flags
 
 | Feature | Default | Description |
 |---------|---------|-------------|
-| `a2a` | Enabled | [A2A protocol](https://github.com/a2aproject/A2A) client for agent-to-agent communication |
+| `a2a` | Enabled | [A2A protocol](https://github.com/a2aproject/A2A) client and server for agent-to-agent communication |
 
 Disable optional features for a smaller binary:
 
@@ -433,7 +463,7 @@ zeph (binary)
 ├── zeph-memory     SQLite + Qdrant, SemanticMemory orchestrator, summarization
 ├── zeph-channels   Telegram adapter (teloxide) with streaming
 ├── zeph-tools      ToolExecutor trait, ShellExecutor with bash parser
-└── zeph-a2a        A2A protocol client, agent discovery, JSON-RPC 2.0 (optional)
+└── zeph-a2a        A2A protocol client + server, agent discovery, JSON-RPC 2.0 (optional)
 ```
 
 </details>

README.md

@@ -42,6 +42,18 @@ enabled = false
 # Maximum number of semantically relevant messages to recall
 recall_limit = 5
 
+[a2a]
+# Enable A2A server for agent-to-agent communication
+enabled = false
+# Bind address
+host = "0.0.0.0"
+# HTTP port
+port = 8080
+# Public URL advertised in AgentCard (auto-generated if empty)
+public_url = ""
+# Rate limit: max requests per minute per IP (0 = unlimited)
+rate_limit = 60
+
 [tools]
 # Enable tool execution (bash commands)
 enabled = true