From 4cf014da34244d480b4d16f5548798c1f7642a68 Mon Sep 17 00:00:00 2001 From: Jeff Mesnil Date: Thu, 15 Jan 2026 10:25:46 +0100 Subject: [PATCH 1/3] feat: TCK SUT requires authentication Use a simple properties file with 1 user credential. This requires the TCK to be configured to use HTTP basic authentication in its .env): ``` A2A_AUTH_TYPE=basic A2A_AUTH_USERNAME=alice A2A_AUTH_PASSWORD=a2a-p4ssw0rd ```` Signed-off-by: Jeff Mesnil --- tck/pom.xml | 5 +++++ .../io/a2a/tck/server/AgentCardProducer.java | 17 +++++++++++++++++ tck/src/main/resources/application.properties | 6 ++++++ 3 files changed, 28 insertions(+) diff --git a/tck/pom.xml b/tck/pom.xml index 9b41e49e3..f01085d3f 100644 --- a/tck/pom.xml +++ b/tck/pom.xml @@ -42,6 +42,11 @@ jakarta.ws.rs jakarta.ws.rs-api + + io.quarkus + quarkus-elytron-security-properties-file + provided + diff --git a/tck/src/main/java/io/a2a/tck/server/AgentCardProducer.java b/tck/src/main/java/io/a2a/tck/server/AgentCardProducer.java index d5b5d6ffd..25976586d 100644 --- a/tck/src/main/java/io/a2a/tck/server/AgentCardProducer.java +++ b/tck/src/main/java/io/a2a/tck/server/AgentCardProducer.java @@ -4,15 +4,19 @@ import java.util.Collections; import java.util.List; +import java.util.Map; import jakarta.enterprise.context.ApplicationScoped; import jakarta.enterprise.inject.Produces; +import io.a2a.server.ExtendedAgentCard; import io.a2a.server.PublicAgentCard; import io.a2a.spec.AgentCapabilities; import io.a2a.spec.AgentCard; import io.a2a.spec.AgentInterface; import io.a2a.spec.AgentSkill; +import io.a2a.spec.HTTPAuthSecurityScheme; +import io.a2a.spec.OpenIdConnectSecurityScheme; import io.a2a.spec.TransportProtocol; @ApplicationScoped 
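Review bot: `import io.a2a.spec.OpenIdConnectSecurityScheme;` is added in the import hunk of AgentCardProducer.java, but no line added to that file in this patch uses it. The new builder calls and the new producer method reference only `Map`, `ExtendedAgentCard` and `HTTPAuthSecurityScheme`. I would drop the import until an OpenID Connect scheme is actually declared on the card, so the imports do not suggest a second authentication scheme that the SUT does not offer.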
@@ -41,6 +45,11 @@ public AgentCard agentCard() { .pushNotifications(true) .stateTransitionHistory(true) .build()) + .securitySchemes(Map.of("acme", HTTPAuthSecurityScheme.builder() + .scheme("basic") + .build())) + .security(List.of(Map.of("acme", Collections.emptyList()))) + .supportsExtendedAgentCard(true) .defaultInputModes(Collections.singletonList("text")) .defaultOutputModes(Collections.singletonList("text")) .skills(Collections.singletonList(AgentSkill.builder() @@ -58,5 +67,13 @@ private static String getEnvOrDefault(String envVar, String defaultValue) { String value = System.getenv(envVar); return value == null || value.isBlank() ? defaultValue : value; } + + @Produces + @ExtendedAgentCard + public AgentCard extendedAgentCard() { + return AgentCard.builder(agentCard()) + //TODO what can we put in the extended agent card + .build(); + } } diff --git a/tck/src/main/resources/application.properties b/tck/src/main/resources/application.properties index c68793be4..f59316249 100644 --- a/tck/src/main/resources/application.properties +++ b/tck/src/main/resources/application.properties @@ -18,3 +18,9 @@ quarkus.log.file.enable=true quarkus.log.file.path=target/tck-test.log quarkus.log.file.level=DEBUG quarkus.log.console.level=INFO + +# Enable basic authentication +quarkus.http.auth.basic=true +quarkus.security.users.embedded.enabled=true +quarkus.security.users.embedded.plain-text=true +quarkus.security.users.embedded.users.alice=a2a-p4ssw0rd \ No newline at end of file From 6e4b7adb51523aad28998269a2fd2d4835617dae Mon Sep 17 00:00:00 2001 From: Jeff Mesnil Date: Thu, 15 Jan 2026 16:48:26 +0100 Subject: [PATCH 2/3] chore: Run TCK with user authentication Signed-off-by: Jeff Mesnil --- .github/workflows/run-tck-1.0-wip.yml | 25 ++++++++++++------- tck/src/main/resources/application.properties | 3 +-- 2 files changed, 17 insertions(+), 11 deletions(-) 
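Review bot: The scheme name `"acme"` is written twice in the `agentCard()` hunk, once as the key in `securitySchemes(...)` and once in `security(...)`, and the card is only coherent while the two literals match. A requirement that names an undeclared scheme would presumably leave clients unable to tell how to authenticate. I would hoist it into one constant, for example `private static final String BASIC_SCHEME_NAME = "acme";`, and use it in both calls, with a short comment that it is an arbitrary label for the HTTP basic scheme. The body of `agentCard()` starts and ends outside the hunk.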
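Review bot: `extendedAgentCard()` returns an unmodified copy of the public card, so an authenticated caller receives exactly what an anonymous one can already read, while `agentCard()` now advertises `supportsExtendedAgentCard(true)`. A test of the extended-card endpoint therefore cannot tell whether the authenticated path was really taken. Until the TODO is resolved, I would give the method a Javadoc that says so, e.g. `/** Card served to authenticated callers; currently identical to the public card. */`. It would also help to make one field differ so the two cards are distinguishable. The method also has no documentation of why it calls `agentCard()` directly instead of injecting the `@PublicAgentCard` bean; a one-line comment would settle that.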
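Review bot: Nothing in the properties added to application.properties requires a caller to authenticate. `quarkus.http.auth.basic=true` turns the mechanism on and the embedded realm supplies the user, but unless the endpoints carry `@Authenticated` or `@RolesAllowed` (not visible in this patch), requests without credentials would still be served as anonymous. If that enforcement is not done in code elsewhere, add an HTTP permission such as `quarkus.http.auth.permission.protected.paths=/*` with `quarkus.http.auth.permission.protected.policy=authenticated`, taking care to leave the public agent card path open. A comment above the block stating which paths are expected to be protected would make the intent checkable.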
diff --git a/.github/workflows/run-tck-1.0-wip.yml b/.github/workflows/run-tck-1.0-wip.yml index b29c78c2c..c8fec4146 100644 --- a/.github/workflows/run-tck-1.0-wip.yml +++ b/.github/workflows/run-tck-1.0-wip.yml @@ -5,15 +5,15 @@ on: push: branches: - main - #pull_request: - # branches: - # - main + pull_request: + branches: + - main workflow_dispatch: env: # TODO this is currently running the TCK off the main branch which included changes needed for 0.4.0 # Tag/branch of the TCK - TCK_VERSION: spec_1.0 + TCK_VERSION: extended_security_tests # Tell the TCK runner to report failure if the quality tests fail A2A_TCK_FAIL_ON_QUALITY: 1 # Tell the TCK runner to report failure if the features tests fail @@ -42,7 +42,7 @@ jobs: - name: Checkout a2a-tck uses: actions/checkout@v4 with: - repository: a2aproject/a2a-tck + repository: jmesnil/a2a-tck path: tck/a2a-tck ref: ${{ env.TCK_VERSION }} - name: Set up JDK ${{ matrix.java-version }} @@ -64,8 +64,12 @@ jobs: working-directory: tck/a2a-tck - name: Build with Maven, skipping tests run: mvn -B install -DskipTests + - name: Generate random password + run: | + A2A_PASSWORD=$(openssl rand -base64 16) + echo "A2A_PASSWORD=$A2A_PASSWORD" >> $GITHUB_ENV - name: Start SUT - run: SUT_GRPC_URL=${{ env.SUT_JSONRPC_URL }} SUT_REST_URL=${{ env.SUT_JSONRPC_URL }} mvn -B quarkus:dev & #SUT_JSONRPC_URL already set + run: SUT_GRPC_URL=${{ env.SUT_JSONRPC_URL }} SUT_REST_URL=${{ env.SUT_JSONRPC_URL }} mvn -B quarkus:dev -Dquarkus.security.users.embedded.users.alice=${A2A_PASSWORD} & working-directory: tck - name: Wait for SUT to start run: | 
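Review bot: The checkout step now takes the TCK from `repository: jmesnil/a2a-tck`, and the first hunk of this workflow sets `TCK_VERSION: extended_security_tests`, so each push and pull-request run executes code from a personal fork at a movable branch head. `./run_tck.py` from that checkout is run later in the job, which means whoever can push to that branch controls what runs in this repository's CI. Before this leaves WIP, either return to `repository: a2aproject/a2a-tck` once the branch exists upstream, or pin `ref:` to a full commit SHA. The `# Tag/branch of the TCK` comment could also record why a fork is used.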
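Review bot: The password generated in the "Generate random password" step is written to `$GITHUB_ENV` without being masked, so the runner will show it in the `env:` group that heads every later step's log. Add `echo "::add-mask::$A2A_PASSWORD"` before the line that appends to `"$GITHUB_ENV"`. The value is then used unquoted in `-Dquarkus.security.users.embedded.users.alice=${A2A_PASSWORD}` and again in `A2A_AUTH_PASSWORD=$A2A_PASSWORD` in the Run TCK hunk. Base64 output contains no whitespace, so this works today, but writing `"${A2A_PASSWORD}"` in both places keeps the commands correct if the generator changes. The credential only protects a throwaway SUT on the runner, so this is log hygiene rather than an exposure of a long-lived secret.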
@@ -101,12 +105,15 @@ jobs: sleep "$RETRY_INTERVAL" done - - name: Run TCK (JSONRPC) + - name: Run TCK id: run-tck - timeout-minutes: 5 + timeout-minutes: 10 run: | set -o pipefail - ./run_tck.py --sut-url ${{ env.SUT_JSONRPC_URL }} --category all --transports jsonrpc --compliance-report report.json 2>&1 | tee tck-output.log + A2A_AUTH_TYPE=basic \ + A2A_AUTH_USERNAME=alice \ + A2A_AUTH_PASSWORD=$A2A_PASSWORD \ + ./run_tck.py --sut-url ${{ env.SUT_JSONRPC_URL }} --category all --transports jsonrpc,grpc,rest --compliance-report report.json 2>&1 | tee tck-output.log working-directory: tck/a2a-tck - name: Capture Diagnostics on Failure if: failure() diff --git a/tck/src/main/resources/application.properties b/tck/src/main/resources/application.properties index f59316249..73e405822 100644 --- a/tck/src/main/resources/application.properties +++ b/tck/src/main/resources/application.properties @@ -22,5 +22,4 @@ quarkus.log.console.level=INFO # Enable basic authentication quarkus.http.auth.basic=true quarkus.security.users.embedded.enabled=true -quarkus.security.users.embedded.plain-text=true -quarkus.security.users.embedded.users.alice=a2a-p4ssw0rd \ No newline at end of file +quarkus.security.users.embedded.plain-text=true \ No newline at end of file From 4b3d01cf8ad4b556411abbdd7b025c586a8ef739 Mon Sep 17 00:00:00 2001 From: Jeff Mesnil Date: Fri, 16 Jan 2026 09:44:52 +0100 Subject: [PATCH 3/3] WIP Signed-off-by: Jeff Mesnil --- .github/workflows/run-tck-1.0-wip.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/run-tck-1.0-wip.yml b/.github/workflows/run-tck-1.0-wip.yml index c8fec4146..cf03e8739 100644 --- a/.github/workflows/run-tck-1.0-wip.yml +++ b/.github/workflows/run-tck-1.0-wip.yml @@ -110,6 +110,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail + export PYTHONUNBUFFERED=1 A2A_AUTH_TYPE=basic \ A2A_AUTH_USERNAME=alice \ A2A_AUTH_PASSWORD=$A2A_PASSWORD \
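Review bot: After the application.properties hunk of patch 2 the file enables the embedded realm with `plain-text=true` but defines no user, and nothing in the file says where `alice` now comes from. I would add a comment under `# Enable basic authentication`, for example `# The test user is supplied at startup with -Dquarkus.security.users.embedded.users.alice=<password>; see run-tck-1.0-wip.yml`. As far as this file shows, a local `mvn quarkus:dev` without that option starts with basic auth on and no account. The `.env` example in the first patch's commit message, which uses a fixed password, also no longer matches. The file still ends without a trailing newline.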