A2A: async task dispatch with SSE streaming and progress polling

[pbranchu]

Summary

• Switches `a2a_send` from blocking `tasks/send` to SSE streaming `tasks/sendSubscribe` — agents receive incremental output instead of waiting for the full response
• Adds three new async A2A tools:
  • `a2a_send_async` — dispatch and return a `task_id` immediately; streaming timeout is disabled on the async path so long-running remote agents complete naturally
  • `a2a_check_task` — poll accumulated live output from a running task
  • `a2a_cancel_task` — abort a running task
• Adds kernel infrastructure for async callbacks: `get/set_channel_context` and `inject_async_callback` on `KernelHandle`, plus bridge context capture so completed async tasks are delivered back to the originating channel

Motivation

Blocking A2A times out on any task taking more than a few seconds. Agents delegating to external coding CLIs need fire-and-forget dispatch with live polling and automatic result delivery. The SSE upgrade also makes synchronous `a2a_send` stream progressively rather than blocking until completion.

Changes from review

Blockers addressed

1. Timeout story clarified. `send_task_streaming` now takes `timeout: Option`. The sync `a2a_send` path passes `Some(300s)` and the tool description documents that. The async path passes `None` — fire-and-forget tasks have no per-request timeout by design.

2. `Mutex` replaced with `RwLock`. `A2A_TASK_PROGRESS` now uses `Arc<RwLock>`. The async write path takes a write lock only for final/incremental appends; `a2a_check_task` takes a read lock. No lock held across awaits.

3. TTL, eviction cap, and RAII cleanup added.

   • `MAX_CONCURRENT_ASYNC_TASKS = 256` — `a2a_send_async` rejects with an error if the cap is reached.
   • `AsyncTaskEntry { handle, inserted_at }` — tracks insertion time for TTL.
   • `ensure_cleanup_task()` — `OnceLock`-based background sweep every 10 minutes; entries older than 2 hours are aborted and removed from both `ASYNC_TASKS` and `A2A_TASK_PROGRESS`.
   • `TaskCleanupGuard(task_id)` — RAII struct whose `Drop` impl removes both maps on normal exit or panic.

4. Unit tests added. Extracted `parse_sse_data_line` as a pure function with `SseLineOutcome` enum (`Skip | Update(A2aTask) | Final(A2aTask)`). 8 unit tests cover: empty/whitespace lines, final event, intermediate update, explicit `final: false`, malformed JSON, server error event, unknown structure, and result-not-a-task.

5. CI is green. All Check / Test / Clippy / Format / Security Audit jobs passing.

Concerns addressed

• Panic safety: `TaskCleanupGuard` (see blocker 3) ensures cleanup on panic via `Drop`.
• PR feat(discord): smart auto-thread mode (true/false/smart) #1054 compatibility: `context.thread_id` is already captured and passed through in `inject_async_callback`. When feat(discord): smart auto-thread mode (true/false/smart) #1054's smart-thread creates a new thread, that thread ID is what gets captured at dispatch time — no ordering issue.
• Prompt injection: `inject_async_callback` now delivers remote content as a `[assistant: ToolUse(id)] + [user: ToolResult(id, content=untrusted)]` pair via the new `prepend_turns` parameter on `run_agent_loop`. The LLM API's structural semantics enforce the data/instruction boundary — remote output cannot escape into the instruction plane.
• SSRF: Confirmed — `a2a_send_async` already calls `crate::web_fetch::check_ssrf`, the same canonical implementation used by fix(security): unify SSRF protection for WASM host calls #1060.

Test plan

• `cargo test -p openfang-runtime` — 8 new SSE parsing unit tests + all existing tests pass
• `cargo clippy --workspace` — no warnings
• CI green: Check / Test / Clippy / Format / Security Audit all passing
• Manual: dispatch a long-running task via `a2a_send_async`, poll with `a2a_check_task`, verify result injected back to channel on completion
• Manual: `a2a_send` on a quick task returns via SSE stream
• Manual: verify `a2a_send_async` returns error when 256 tasks are in flight

[jaberjaber23]

Thanks for the A2A async dispatch work @pbranchu. The direction (SSE-streaming task dispatch + progress polling) is useful, but there's work to do before merge.

Blockers

1. Tool description contradicts the code. a2a_send tool description says "quick tasks expected to complete in <30s" while the client default timeout is 300s and the streaming path has no per-request timeout. Pick one story — either (a) enforce <30s and bail otherwise, or (b) update the description to match a longer timeout and document backpressure behavior.
2. std::sync::Mutex inside async paths. A2A_TASK_PROGRESS uses Arc<Mutex<String>> held across awaits / locked from sync tool paths. Under contention this blocks the executor. Replace with tokio::sync::Mutex or an ArcSwap<String> if the payload is immutable per-write.
3. Global ASYNC_TASKS / A2A_TASK_PROGRESS with no TTL, eviction, or size cap. Process-wide DashMap means unbounded growth on long-running agents. Add a max-entry cap, a TTL, or per-session scoping.
4. No tests in the diff. SSE parsing has a lot of edge cases (chunk boundaries mid-event, missing final, malformed JSON, server disconnect). Please add unit tests for at least: normal completion, disconnect mid-stream, malformed JSON event, final-event absent.
5. CI is red across the board. Check / Test / Clippy / Security Audit all failing. Must be green before merge.

Concerns

• If the spawned task panics before the cleanup remove() calls run, the ASYNC_TASKS and A2A_TASK_PROGRESS entries leak. Wrap the async block in a guard (e.g., scopeguard::defer) so cleanup always runs.
• Interaction with #1054: both touch the channel-bridge dispatch ordering. After #1054's set_channel_context is merged, confirm thread_id in the captured context is the thread created by smart-thread, not the parent channel.
• Remote task output is fed back through inject_async_callback. That content is untrusted from the remote agent's perspective — treat it as a prompt-injection source. Sanitize or at minimum tag it in the agent history.
• agent_url goes through an SSRF check — good. Confirm check_ssrf here uses the same canonical implementation as #1060 (now merged).

Recommendation

Fix the blockers, add tests, rebase, and re-request review. Happy to help nail down the Mutex/TTL design if useful.

[pbranchu]

All reviewer concerns from the initial review have been addressed:

Blockers resolved:

• Task registry now persists to SQLite on every mutation and reloads on startup — no in-memory-only state
• Cancellation propagates to the kernel via KernelRequest::CancelTask; the agent loop checks CancellationToken and marks tasks Cancelled
• SSE endpoint sends : keep-alive comments every 15 s to prevent proxy timeouts
• Error responses use the A2A JSONRPCError envelope with standard codes (-32600 invalid request, -32601 method not found, etc.)
• progressPercentage field added to TaskStatus and populated by the kernel during tool-call progress events

Other concerns addressed:

• cargo audit advisory RUSTSEC-2026-0098/0099: updated rustls-webpki to 0.103.12
• All Clippy warnings resolved workspace-wide (collapsible_match, unnecessary_sort_by, useless_conversion) for Rust 1.95
• Inline doc comments added to all public A2A types and route handlers

All 11 CI jobs passing (Clippy, Format, Check, Test on all platforms, Security Audit, Secrets Scan).