UPDATE autenticación rag connector

src/va_agent/agent.py

@@ -10,7 +10,33 @@ from google.cloud.firestore_v1.async_client import AsyncClient
 from va_agent.config import settings
 from va_agent.session import FirestoreSessionService
 
-connection_params = SseConnectionParams(url=settings.mcp_remote_url)
+
+
+# --- Autenticación Cloud Run → Cloud Run (ID Token) ---
+from google.oauth2 import id_token
+from google.auth.transport.requests import Request as GAuthRequest
+
+def _fetch_id_token(audience: str) -> str:
+    """Emite un ID Token para invocar un servicio Cloud Run protegido."""
+    return id_token.fetch_id_token(GAuthRequest(), audience)
+
+# Audience = URL del MCP remoto 
+_MCP_URL = settings.mcp_remote_url
+_MCP_AUDIENCE = getattr(settings, "mcp_audience", None) or _MCP_URL
+
+
+
+def _auth_headers_provider() -> dict[str, str]:
+    token = _fetch_id_token(_MCP_AUDIENCE)
+    return {"Authorization": f"Bearer {token}"}
+
+
+connection_params = SseConnectionParams(
+    url=_MCP_URL,
+    headers=_auth_headers_provider()
+)
+
+# connection_params = SseConnectionParams(url=settings.mcp_remote_url)
 toolset = McpToolset(connection_params=connection_params)
 
 agent = Agent(

src/va_agent/config.py

@@ -27,6 +27,9 @@ class AgentSettings(BaseSettings):
     firestore_db: str
 
     # MCP configuration
+    mcp_audience: str
+
+    # MCP configuration audience
     mcp_remote_url: str
 
     model_config = SettingsConfigDict(