Add A2A bearer token auth and reorganize documentation #17
Merged
initializ-mk merged 7 commits into main from Mar 2, 2026
Extract content from README.md into dedicated doc files:
- installation.md: Homebrew, binary, and Windows install
- quickstart.md: Why Forge + Get Started in 60 Seconds
- memory.md: Session persistence, compactor, long-term memory
- configuration.md: Full forge.yaml schema + env vars
- deployment.md: Container packaging, Kubernetes, air-gap
- scheduling.md: Cron config, expressions, schedule tools
- dashboard.md: forge ui features and architecture
- security/secrets.md: Encrypted storage, per-agent secrets
- security/signing.md: Ed25519 key management and verification
- security/guardrails.md: Content filtering, PII, jailbreak protection

Merge README content into existing doc files:
- skills.md: Add skill registry CLI, first-class tools, execution security, categories/tags, built-in skills detail, system prompt injection
- tools.md: Expand builtin tools table, add web search providers, CLI execute security config, memory tools
- runtime.md: Add LLM providers table, OpenAI OAuth, fallback chains, running modes (forge run vs forge serve)
- hooks.md: Add OnProgress hook point, progress tracking section
- channels.md: Add large response handling, Slack standalone mode
- commands.md: Add forge serve, forge secret, forge key, forge schedule
- architecture.md: Add at-a-glance ASCII diagram, update module tree to include forge-skills/ and forge-ui/
…nces Refactor overview.md to replace full Guardrails, Secrets, and Build Integrity sections with 2-sentence summaries linking to dedicated sub-files (guardrails.md, secrets.md, signing.md). Add new sub-files to Related Documentation table.
Add prev/next navigation footer to all 22 doc files in reading order: quickstart -> installation -> architecture -> skills -> tools -> runtime -> memory -> channels -> security/overview -> security/egress -> security/secrets -> security/signing -> security/guardrails -> scheduling -> hooks -> commands -> configuration -> dashboard -> deployment -> plugins -> command-integration -> contributing
Slim README from 1,349 lines to 115 lines. All detailed content now lives in docs/. README now contains: title, why Forge, quick start, how it works diagram, key features table, full documentation link table, compressed philosophy, and contributing/license sections.
Create .claude/commands/sync-docs.md with a prompt that reads git diff, maps changed Go files to affected documentation, and updates them. Includes file-to-doc mapping table and doc style rules.
Add automatic bearer token authentication for the A2A HTTP server:
- New forge-core/auth package: token generation (crypto/rand), file-based storage (.forge/runtime.token), and HTTP middleware
- Runner auto-generates a token on startup, stores it with 0600 permissions, and injects auth middleware into the server chain
- Channel router sends the token as Authorization header when forwarding events to the A2A server
- forge-ui chat proxy loads agent tokens for authenticated requests
- --no-auth flag to disable (localhost-only), --auth-token for explicit
- forge serve passes auth flags and reports auth status
- Audit events: auth_success, auth_failure with request metadata
- CORS updated to allow Authorization header
Summary
- forge run, stored at .forge/runtime.token with 0600 permissions, and validated via middleware. Channel router and forge ui chat proxy include tokens automatically. Opt out with --no-auth (localhost only) or set explicit tokens with --auth-token.
- docs/. Add prev/next navigation to all docs, rename security/SECURITY.md to overview.md, and create a /sync-docs slash command for keeping docs current.

Test plan
- cd forge-core && go test ./... — auth package unit tests (middleware, token generation, file permissions)
- cd forge-cli && go test ./... — runner integration test verifies auto-generated token, authenticated requests, and 401 on missing token
- cd forge-plugins && go test ./... — channel adapter tests pass with updated router signature
- forge run starts with auth enabled banner, token written to .forge/runtime.token
- forge run --no-auth disables auth on localhost
- forge run --host 0.0.0.0 --no-auth is rejected (non-localhost)
- forge serve reports auth status in daemon output
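
The auth flow described in the commit message and summary above (crypto/rand token, 0600 token file, bearer middleware, loopback-only --no-auth), as an added Go example that is not code from this pull request. The function names, the 32-byte token length and the digest-based constant-time comparison are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"os"
)

// Added example, not Forge's code: names and the 32-byte length are assumptions.
func NewToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// SaveToken writes owner-only; WriteFile keeps an existing file's mode, so Chmod tightens it.
func SaveToken(path, token string) error {
	if err := os.WriteFile(path, []byte(token), 0o600); err != nil {
		return err
	}
	return os.Chmod(path, 0o600)
}

// NoAuthAllowed reports whether auth may be disabled: loopback bind hosts only.
func NoAuthAllowed(host string) bool {
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}

// RequireBearer compares SHA-256 digests in constant time (no length or content timing leak).
func RequireBearer(token string, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte("Bearer " + token))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := sha256.Sum256([]byte(r.Header.Get("Authorization")))
		if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { fmt.Println(NoAuthAllowed("127.0.0.1"), NoAuthAllowed("0.0.0.0")) }
```

An empty bind host, which listens on all interfaces, is treated as non-loopback and so cannot be combined with disabled auth.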