Docker fix

Dockerfile

@@ -1,34 +1,68 @@
-# syntax=docker/dockerfile:1
-FROM python:3.11-slim
+# syntax=docker/dockerfile:1.4
+
+# --- Stage 1: Builder ---------------------------------------------------------
+FROM python:3.11-slim AS builder
 
-# --- base env ---
 ENV PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
     PIP_NO_CACHE_DIR=1
 
-# --- system deps ---
-RUN apt-get update \
- && apt-get install -y --no-install-recommends ca-certificates curl \
- && rm -rf /var/lib/apt/lists/*
+WORKDIR /app
+
+# Install deps once and build wheels for a reproducible, cacheable layer
+COPY requirements.txt .
+RUN pip wheel --no-cache-dir --wheel-dir /app/wheels -r requirements.txt
+
+
+# --- Stage 2: Final Image -----------------------------------------------------
+FROM python:3.11-slim
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    # Platforms like HF Spaces set PORT at runtime; default to 7860 for local
+    PORT=7860
 
-# --- app dir ---
 WORKDIR /app
 
-# --- python deps (cache friendly layer) ---
-COPY requirements.txt ./
-RUN pip install --upgrade pip && pip install -r requirements.txt
+# Minimal runtime deps (TLS certs for HTTPS calls, etc.)
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+# Install prebuilt wheels
+COPY --from=builder /app/wheels /wheels
+COPY --from=builder /app/requirements.txt .
+RUN pip install --no-cache-dir /wheels/*
 
-# --- copy app ---
+# Copy app source
 COPY . .
 
-# Hugging Face sets $PORT at runtime; keep a sane default for local runs
-ENV PORT=7860
-EXPOSE 7860
+# Non-root for security
+RUN useradd --create-home --shell /bin/bash appuser \
+ && chown -R appuser:appuser /app
+USER appuser
 
-# Optional: run as non-root
-# RUN useradd -ms /bin/bash appuser && chown -R appuser:appuser /app
-# USER appuser
+# --- Ports commonly used with A2A agents -------------------------------------
+# NOTE: EXPOSE is documentation; publishing happens via `-p host:container`.
+# 443   → Recommended prod HTTPS port (JSON-RPC /rpc and websockets on TLS)
+# 80    → HTTP (typically only to redirect → 443 behind a reverse proxy)
+# 8080  → Very common app / agent port for /rpc during dev/staging
+# 8000  → Uvicorn/Gunicorn defaults (also used in many Python stacks)
+# 7860  → Popular in ML tooling & Hugging Face Spaces (default UI port here)
+# 5000  → Flask default (frequent in prototypes and simple agents)
+# 3000  → Node dev servers / proxy frontends around agents
+# 8443  → Alternate TLS port (used in some k8s/ingress setups)
+EXPOSE 443
+EXPOSE 80
+EXPOSE 8080
+EXPOSE 8000
+EXPOSE 7860
+EXPOSE 5000
+EXPOSE 3000
+EXPOSE 8443
 
-# --- start (shell form so $PORT expands) ---
-# --proxy-headers is helpful behind HF’s proxy
-CMD uvicorn app.main:app --host 0.0.0.0 --port $PORT --proxy-headers
+# --- Start command ------------------------------------------------------------
+# Use shell form so ${PORT} expands at runtime (important on HF Spaces).
+# --host 0.0.0.0 allows external connections
+# --proxy-headers plays nice behind reverse proxies
+CMD ["sh", "-c", "uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-7860} --proxy-headers"]

app/services/validator_service.py

@@ -3,12 +3,16 @@
 A2A Validator service.
 - Provides /validator (UI) + /validator/agent-card (HTTP) routes.
 - Defines all Socket.IO event handlers.
+- Automatic localhost rewriting: if an Agent Card's "url" is localhost/127.0.0.1,
+  we rewrite it to the origin that served the card (same scheme+host+port), then
+  probe connectivity. If that fails, we try host.docker.internal:<same-port>.
 """
 from __future__ import annotations
 
 import logging
-from typing import Any
-from urllib.parse import urlparse, urlunparse
+import socket
+from typing import Any, Mapping, Tuple
+from urllib.parse import urlparse, urlunparse, ParseResult
 from uuid import uuid4
 
 import bleach
@@ -63,6 +67,7 @@ if HAS_SOCKETIO:
     sio = socketio.AsyncServer(async_mode="asgi", cors_allowed_origins="*")
     socketio_app = socketio.ASGIApp(sio)
 else:
+
     class _SioShim:
         async def emit(self, *a, **k):  # no-op
             pass
@@ -70,6 +75,7 @@ else:
         def on(self, *a, **k):
             def _wrap(f):
                 return f
+
             return _wrap
 
         event = on
@@ -90,13 +96,122 @@ STANDARD_HEADERS = {
     "accept-encoding",
 }
 
+LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}
+
 # ==============================================================================
 # State Management
 # ==============================================================================
-clients: dict[str, tuple[httpx.AsyncClient, Any, Any]] = {}
+# sid -> (httpx_client, a2a_client, card, origin_used_for_card_fetch)
+clients: dict[str, tuple[httpx.AsyncClient, Any, Any, str]] = {}
+
+# ==============================================================================
+# URL helpers / rewriting
+# ==============================================================================
+def _parse(url: str) -> ParseResult:
+    return urlparse(url)
+
+
+def _build(pr: ParseResult) -> str:
+    return urlunparse(pr)
+
+
+def _origin_of(url: str) -> str:
+    """
+    Return scheme://netloc for a URL (no path/query/fragment).
+    """
+    pr = _parse(url)
+    return f"{pr.scheme}://{pr.netloc}" if pr.scheme and pr.netloc else ""
+
+
+def _looks_localhost(host: str | None) -> bool:
+    return (host or "").lower() in LOCAL_HOSTS
+
+
+def _docker_has_host_gateway() -> bool:
+    try:
+        socket.gethostbyname("host.docker.internal")
+        return True
+    except Exception:
+        return False
+
+
+def _rewrite_to_origin(card_url: ParseResult, card_origin: ParseResult) -> Tuple[ParseResult, str | None]:
+    """
+    If the card_url host is localhost/127.0.0.1 and we know the origin where the
+    Agent Card was fetched from, rewrite to that origin (same scheme+host[:port]),
+    preserving the /path?query.
+    """
+    if not _looks_localhost(card_url.hostname):
+        return card_url, None
+    if not (card_origin.scheme and card_origin.netloc):
+        return card_url, None
+
+    rewritten = ParseResult(
+        scheme=card_origin.scheme,
+        netloc=card_origin.netloc,
+        path=card_url.path or "",
+        params="",
+        query=card_url.query or "",
+        fragment="",
+    )
+    return rewritten, "rewritten to Agent Card origin"
+
+
+def _rewrite_to_gateway(card_url: ParseResult) -> Tuple[ParseResult, str | None]:
+    """
+    Fallback: rewrite localhost to host.docker.internal:<same-port> if resolvable.
+    """
+    if not _looks_localhost(card_url.hostname):
+        return card_url, None
+    if not _docker_has_host_gateway():
+        return card_url, None
+
+    port = f":{card_url.port}" if card_url.port else ""
+    rewritten = ParseResult(
+        scheme=card_url.scheme or "http",
+        netloc=f"host.docker.internal{port}",
+        path=card_url.path or "",
+        params="",
+        query=card_url.query or "",
+        fragment="",
+    )
+    return rewritten, "rewritten via host.docker.internal"
+
+
+async def _probe_reachable(client: httpx.AsyncClient, url: str) -> Tuple[bool, str]:
+    """
+    Cheap reachability probe.
+    - 2xx/3xx reachable
+    - 405 counts as reachable (JSON-RPC endpoints often reject GET)
+    """
+    try:
+        r = await client.get(url)
+        if r.status_code == 405:
+            return True, "reachable (405 on GET is OK for JSON-RPC)"
+        if 200 <= r.status_code < 400:
+            return True, f"reachable (HTTP {r.status_code})"
+        return False, f"HTTP {r.status_code}"
+    except httpx.ConnectError as e:
+        return False, f"connect error: {e!s}"
+    except httpx.RequestError as e:
+        return False, f"request error: {e!s}"
+    except Exception as e:
+        return False, f"unexpected error: {e!s}"
+
+
+def _card_copy_with_url(card: AgentCard, new_url: str) -> AgentCard:
+    try:
+        return card.model_copy(update={"url": new_url})  # type: ignore[attr-defined]
+    except Exception:
+        try:
+            card.url = new_url  # type: ignore[attr-defined]
+            return card
+        except Exception:
+            raise
+
 
 # ==============================================================================
-# Helpers
+# Debug helpers
 # ==============================================================================
 async def _emit_debug_log(sid: str, event_id: str, log_type: str, data: Any) -> None:
     await sio.emit("debug_log", {"type": log_type, "data": data, "id": event_id}, to=sid)
@@ -137,16 +252,15 @@ def get_card_resolver(client: httpx.AsyncClient, agent_card_url: str) -> Any:
         return A2ACardResolver(client, base_url, agent_card_path=card_path)
     return A2ACardResolver(client, base_url)
 
+
 # ==============================================================================
 # FastAPI Routes
 # ==============================================================================
 
-# FIX: Add a decorator to handle requests without a trailing slash
-@router.get("", response_class=HTMLResponse, include_in_schema=False) # Handles /validator
-@router.get("/", response_class=HTMLResponse)                         # Handles /validator/
+# Handle both /validator and /validator/
+@router.get("", response_class=HTMLResponse, include_in_schema=False)
+@router.get("/", response_class=HTMLResponse)
 async def validator_ui(request: Request) -> HTMLResponse:
-    """Serves the main validator UI page."""
-    # This logic already correctly tries to find validator.html or a fallback
     for name in ("validator.html", "validator.hml"):
         try:
             return templates.TemplateResponse(name, {"request": request})
@@ -162,13 +276,14 @@ async def get_agent_card(request: Request) -> JSONResponse:
 
     If A2A SDK is installed, use its resolver.
     Otherwise, be lenient: follow redirects and probe common well-known paths.
+    Automatically rewrite localhost URLs in the card to the card's own origin.
     """
     # Parse request body
     try:
         request_data = await request.json()
-        agent_url = (request_data.get("url") or "").strip()
+        user_url = (request_data.get("url") or "").strip()
         sid = request_data.get("sid")
-        if not agent_url or not sid:
+        if not user_url or not sid:
             return JSONResponse({"error": "Agent URL and SID are required."}, status_code=400)
     except Exception:
         return JSONResponse({"error": "Invalid request body."}, status_code=400)
@@ -190,17 +305,21 @@ async def get_agent_card(request: Request) -> JSONResponse:
     # Fetch the agent card
     try:
         async with httpx.AsyncClient(
-            timeout=30.0,
+            timeout=httpx.Timeout(30.0, connect=10.0),
             headers=custom_headers,
-            follow_redirects=True,  # <<< important for 3xx like 307 to /docs
+            follow_redirects=True,
+            trust_env=True,
         ) as client:
+            # We'll remember the ORIGIN we used to reach the card, for rewriting.
+            card_fetch_origin = _origin_of(user_url)
+
             if HAS_A2A:
-                # Preferred path: let the resolver figure out the right card location
-                card_resolver = get_card_resolver(client, agent_url)
-                card = await card_resolver.get_agent_card()
+                resolver = get_card_resolver(client, user_url)
+                card = await resolver.get_agent_card()  # type: ignore[assignment]
                 card_data = card.model_dump(exclude_none=True)
+                # Origin we used is the resolver's base (scheme+host[:port])
+                card_fetch_origin = _origin_of(user_url)
             else:
-                # Fallback: try what the user typed first; if non-JSON, probe common paths
                 tried: list[str] = []
 
                 async def _try(url: str) -> dict[str, Any]:
@@ -209,45 +328,73 @@ async def get_agent_card(request: Request) -> JSONResponse:
                     ctype = (r.headers.get("content-type") or "").lower()
                     if "application/json" in ctype or ctype.endswith("+json"):
                         return r.json()
-                    # If we got HTML or something else, raise to trigger probing
                     raise ValueError(f"Non-JSON response (content-type={ctype or 'unknown'}) at {url}")
 
+                # Try the user URL first; otherwise probe well-knowns at that origin
                 try:
-                    card_data = await _try(agent_url)
+                    card_data = await _try(user_url)
                 except Exception:
-                    # If the user pasted a base/root URL, probe common Agent Card paths on same host
-                    parsed = urlparse(agent_url)
-                    base = f"{parsed.scheme}://{parsed.netloc}"
+                    pr = _parse(user_url)
+                    base = f"{pr.scheme}://{pr.netloc}" if pr.scheme and pr.netloc else ""
                     candidates = [
-                        agent_url,  # original again (in case it became JSON after redirect)
+                        user_url,
                         f"{base}/.well-known/agent.json",
                         f"{base}/.well-known/ai-agent.json",
                         f"{base}/agent-card",
                         f"{base}/agent.json",
                     ]
-                    err: Exception | None = None
-                    card_data = None
+                    last_err: Exception | None = None
+                    card_data = None  # type: ignore[assignment]
                     for u in candidates:
-                        if u in tried:
+                        if u in tried or not u.startswith("http"):
                             continue
                         tried.append(u)
                         try:
                             card_data = await _try(u)
-                            agent_url = u  # record the working URL
+                            card_fetch_origin = _origin_of(u)
                             break
                         except Exception as e:
-                            err = e
-                    if card_data is None:
+                            last_err = e
+                    if card_data is None:  # type: ignore[truthy-bool]
                         raise RuntimeError(
-                            f"Could not find a JSON Agent Card at {agent_url} (last error: {err})"
+                            f"Could not find a JSON Agent Card at {user_url} (last error: {last_err})"
                         )
 
         # Validate locally
         validation_errors = validators.validate_agent_card(card_data)  # type: ignore[arg-type]
+
+        # --- Automatic localhost rewrite of the card's own URL ---
+        rewrite_note = None
+        resolved_card_url = None
+        try:
+            card_origin_pr = _parse(card_fetch_origin) if card_fetch_origin else None
+            raw_card_url = (card_data.get("url") if isinstance(card_data, Mapping) else None) or ""
+            card_url_pr = _parse(raw_card_url)
+
+            if _looks_localhost(card_url_pr.hostname):
+                # 1) Prefer rewrite to the origin that served the Agent Card
+                if card_origin_pr and (card_origin_pr.scheme and card_origin_pr.netloc):
+                    new_pr, note = _rewrite_to_origin(card_url_pr, card_origin_pr)
+                    if note:
+                        resolved_card_url = _build(new_pr)
+                        card_data = {**card_data, "url": resolved_card_url}  # type: ignore[operator]
+                        rewrite_note = note
+                # 2) Fallback to host.docker.internal if available
+                if not resolved_card_url:
+                    new_pr, note = _rewrite_to_gateway(card_url_pr)
+                    if note:
+                        resolved_card_url = _build(new_pr)
+                        card_data = {**card_data, "url": resolved_card_url}  # type: ignore[operator]
+                        rewrite_note = note
+        except Exception as e:
+            # Do not fail the card response if rewriting fails
+            rewrite_note = f"rewrite failed: {e}"
+
         response = {
             "card": card_data,
             "validation_errors": validation_errors,
-            "resolved_url": agent_url,
+            "resolved_url": (card_data.get("url") if isinstance(card_data, Mapping) else None),  # type: ignore[union-attr]
+            "rewrite_note": rewrite_note,
         }
         status = 200
 
@@ -261,6 +408,7 @@ async def get_agent_card(request: Request) -> JSONResponse:
     await _emit_debug_log(sid, "http-agent-card", "response", {"status": status, "payload": response})
     return JSONResponse(content=response, status_code=status)
 
+
 # ==============================================================================
 # Socket.IO Event Handlers
 # ==============================================================================
@@ -273,7 +421,7 @@ async def handle_connect(sid: str, environ: dict[str, Any]) -> None:  # type: ig
 async def handle_disconnect(sid: str) -> None:  # type: ignore[misc]
     logger.info(f"Client disconnected: {sid}")
     if sid in clients:
-        httpx_client, _, _ = clients.pop(sid)
+        httpx_client, _, _, _ = clients.pop(sid)
         await httpx_client.aclose()
         logger.info(f"Cleaned up client for {sid}")
 
@@ -281,8 +429,8 @@ async def handle_disconnect(sid: str) -> None:  # type: ignore[misc]
 @sio.on("initialize_client")
 async def handle_initialize_client(sid: str, data: dict[str, Any]) -> None:  # type: ignore[misc]
     """
-    Prepare an A2A client for chat/streaming. If a2a is not installed, reply with a warning
-    so the UI still proceeds (card viewing still works via HTTP).
+    Prepare an A2A client for chat/streaming.
+    Automatically rewrites localhost card URLs to the card origin or host.docker.internal.
     """
     if not HAS_A2A:
         await sio.emit(
@@ -292,20 +440,79 @@ async def handle_initialize_client(sid: str, data: dict[str, Any]) -> None:  # t
         )
         return
 
-    agent_card_url = data.get("url")
-    custom_headers = data.get("customHeaders", {})
-    if not agent_card_url:
+    user_url = (data.get("url") or "").strip()
+    custom_headers = data.get("customHeaders", {}) or {}
+    if not user_url:
         await sio.emit("client_initialized", {"status": "error", "message": "Agent URL is required."}, to=sid)
         return
 
+    httpx_client = httpx.AsyncClient(
+        timeout=httpx.Timeout(60.0, connect=15.0),
+        headers=custom_headers,
+        follow_redirects=True,
+        trust_env=True,
+    )
+
     try:
-        httpx_client = httpx.AsyncClient(timeout=600.0, headers=custom_headers)
-        card_resolver = get_card_resolver(httpx_client, agent_card_url)
-        card = await card_resolver.get_agent_card()
+        # Resolve card (this base will be our "origin" candidate)
+        resolver = get_card_resolver(httpx_client, user_url)
+        card: AgentCard = await resolver.get_agent_card()  # type: ignore[assignment]
+        card_fetch_origin = _origin_of(user_url)
+        origin_pr = _parse(card_fetch_origin) if card_fetch_origin else None
+
+        # Rewrite card.url if it's localhost to the card origin first
+        try:
+            card_url_pr = _parse(getattr(card, "url", "") or "")
+            if _looks_localhost(card_url_pr.hostname):
+                if origin_pr and (origin_pr.scheme and origin_pr.netloc):
+                    new_pr, note = _rewrite_to_origin(card_url_pr, origin_pr)
+                    if note:
+                        new_url = _build(new_pr)
+                        card = _card_copy_with_url(card, new_url)
+                        await _emit_debug_log(
+                            sid,
+                            "client-init-rewrite",
+                            "info",
+                            {"original": card_url_pr.geturl(), "rewritten": new_url, "note": note},
+                        )
+                # Fallback to host.docker.internal if still localhost
+                card_url_pr2 = _parse(getattr(card, "url", "") or "")
+                if _looks_localhost(card_url_pr2.hostname):
+                    new_pr, note = _rewrite_to_gateway(card_url_pr2)
+                    if note:
+                        new_url = _build(new_pr)
+                        card = _card_copy_with_url(card, new_url)
+                        await _emit_debug_log(
+                            sid,
+                            "client-init-gateway",
+                            "info",
+                            {"original": card_url_pr2.geturl(), "rewritten": new_url, "note": note},
+                        )
+        except Exception as e:
+            await _emit_debug_log(sid, "client-init-rewrite", "warn", {"error": str(e)})
+
+        # Connectivity probe before enabling chat
+        ok, detail = await _probe_reachable(httpx_client, getattr(card, "url", ""))
+        if not ok:
+            await sio.emit(
+                "client_initialized",
+                {
+                    "status": "error",
+                    "message": f"Agent endpoint unreachable: {detail}. "
+                               f"Ensure your Agent Card URL points to a network-reachable host.",
+                },
+                to=sid,
+            )
+            await httpx_client.aclose()
+            return
+
+        # Create A2A client and store
         a2a_client = A2AClient(httpx_client, agent_card=card)
-        clients[sid] = (httpx_client, a2a_client, card)
+        clients[sid] = (httpx_client, a2a_client, card, card_fetch_origin)
         await sio.emit("client_initialized", {"status": "success"}, to=sid)
+
     except Exception as e:
+        await httpx_client.aclose()
         await sio.emit("client_initialized", {"status": "error", "message": str(e)}, to=sid)
 
 
@@ -324,7 +531,7 @@ async def handle_send_message(sid: str, json_data: dict[str, Any]) -> None:  # t
         await sio.emit("agent_response", {"error": "Client not initialized.", "id": message_id}, to=sid)
         return
 
-    _, a2a_client, card = clients[sid]
+    httpx_client, a2a_client, card, _origin = clients[sid]
 
     message = Message(
         role=Role.user,
@@ -337,7 +544,7 @@ async def handle_send_message(sid: str, json_data: dict[str, Any]) -> None:  # t
         message=message,
         configuration=MessageSendConfiguration(accepted_output_modes=["text/plain", "video/mp4"]),
     )
-    supports_streaming = hasattr(card.capabilities, "streaming") and card.capabilities.streaming is True
+    supports_streaming = hasattr(card.capabilities, "streaming") and getattr(card.capabilities, "streaming") is True
 
     try:
         if supports_streaming:
@@ -358,4 +565,5 @@ async def handle_send_message(sid: str, json_data: dict[str, Any]) -> None:  # t
     except Exception as e:
         await sio.emit("agent_response", {"error": f"Failed to send message: {e}", "id": message_id}, to=sid)
 
-__all__ = ["router", "socketio_app", "HAS_SOCKETIO"]
+
+__all__ = ["router", "socketio_app", "HAS_SOCKETIO"]