From 9c4d9f73a1f70700782617fa2d8e8ec91f1867e8 Mon Sep 17 00:00:00 2001 From: PAVEL PALMA Date: Wed, 25 Feb 2026 01:20:25 -0600 Subject: [PATCH 1/5] UPDATE endpoint RAG Connector --- config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config.yaml b/config.yaml index 266417a..f65bfd5 100644 --- a/config.yaml +++ b/config.yaml @@ -2,7 +2,7 @@ google_cloud_project: bnt-orquestador-cognitivo-dev google_cloud_location: us-central1 firestore_db: bnt-orquestador-cognitivo-firestore-bdo-dev -mcp_remote_url: https://ap01194-orq-cog-orchestrator-1007577023101.us-central1.run.app/sse +mcp_remote_url: https://ap01194-orq-cog-rag-connector-1007577023101.us-central1.run.app/sse agent_name: Vaia agent_model: gemini-2.5-flash From 1eae63394b3246db58274b68ba7d917ebc3ac894 Mon Sep 17 00:00:00 2001 From: PAVEL PALMA Date: Wed, 25 Feb 2026 02:01:04 -0600 Subject: [PATCH 2/5] =?UTF-8?q?UPDATE=20autenticaci=C3=B3n=20rag=20connect?= =?UTF-8?q?or?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- config.yaml | 5 ++++- pyproject.toml | 1 + src/va_agent/agent.py | 28 +++++++++++++++++++++++++++- src/va_agent/config.py | 3 +++ 4 files changed, 35 insertions(+), 2 deletions(-) diff --git a/config.yaml b/config.yaml index f65bfd5..845b5f5 100644 --- a/config.yaml +++ b/config.yaml @@ -2,7 +2,10 @@ google_cloud_project: bnt-orquestador-cognitivo-dev google_cloud_location: us-central1 firestore_db: bnt-orquestador-cognitivo-firestore-bdo-dev -mcp_remote_url: https://ap01194-orq-cog-rag-connector-1007577023101.us-central1.run.app/sse + +mcp_remote_url: "https://ap01194-orq-cog-rag-connector-1007577023101.us-central1.run.app/sse" +# audience sin la ruta, para emitir el ID Token: +mcp_audience: "https://ap01194-orq-cog-rag-connector-1007577023101.us-central1.run.app" agent_name: Vaia agent_model: gemini-2.5-flash diff --git a/pyproject.toml b/pyproject.toml index cf5937a..bdf1185 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -12,6 +12,7 @@ dependencies = [ "google-adk>=1.14.1", "google-cloud-firestore>=2.23.0", "pydantic-settings[yaml]>=2.13.1", + "google-auth>=2.34.0", ] [build-system] diff --git a/src/va_agent/agent.py b/src/va_agent/agent.py index 9f47586..79724c9 100644 --- a/src/va_agent/agent.py +++ b/src/va_agent/agent.py @@ -10,7 +10,33 @@ from google.cloud.firestore_v1.async_client import AsyncClient from va_agent.config import settings from va_agent.session import FirestoreSessionService -connection_params = SseConnectionParams(url=settings.mcp_remote_url) + + +# --- Autenticación Cloud Run → Cloud Run (ID Token) --- +from google.oauth2 import id_token +from google.auth.transport.requests import Request as GAuthRequest + +def _fetch_id_token(audience: str) -> str: + """Emite un ID Token para invocar un servicio Cloud Run protegido.""" + return id_token.fetch_id_token(GAuthRequest(), audience) + +# Audience = URL del MCP remoto +_MCP_URL = settings.mcp_remote_url +_MCP_AUDIENCE = getattr(settings, "mcp_audience", None) or _MCP_URL + + + +def _auth_headers_provider() -> dict[str, str]: + token = _fetch_id_token(_MCP_AUDIENCE) + return {"Authorization": f"Bearer {token}"} + + +connection_params = SseConnectionParams( + url=_MCP_URL, + headers=_auth_headers_provider() +) + +# connection_params = SseConnectionParams(url=settings.mcp_remote_url) toolset = McpToolset(connection_params=connection_params) agent = Agent( diff --git a/src/va_agent/config.py b/src/va_agent/config.py index cb7e0f6..1184a0b 100644 --- a/src/va_agent/config.py +++ b/src/va_agent/config.py @@ -27,6 +27,9 @@ class AgentSettings(BaseSettings): firestore_db: str # MCP configuration + mcp_audience: str + + # MCP configuration audience mcp_remote_url: str model_config = SettingsConfigDict( From 3d526b903f4187740e5c5f3e84bb734995f919fc Mon Sep 17 00:00:00 2001 From: PAVEL PALMA Date: Wed, 25 Feb 2026 02:14:40 -0600 Subject: [PATCH 3/5] Fix dockerfile --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) 
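Review bot: `headers=_auth_headers_provider()` in the new `SseConnectionParams(...)` call runs the function once, at import, so a single ID token is fetched and frozen into the connection parameters. Google-issued ID tokens are short-lived (about an hour), so a long-running instance would keep sending an expired bearer token and the MCP calls would presumably start failing with 401; importing the module also now depends on a network call to the token endpoint succeeding. The token should be minted per connection or per request instead: recent google-adk releases accept a header callback on the toolset, e.g. `toolset = McpToolset(connection_params=SseConnectionParams(url=_MCP_URL), header_provider=lambda _ctx: _auth_headers_provider())`, but confirm the argument exists in the version the lockfile resolves. The two `google.auth` imports belong with the imports at the top of the file, and the commented-out `# connection_params = ...` line can be deleted.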
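Review bot: `mcp_audience: str` is declared without a default, so settings loading fails for any environment whose config lacks the key, and the `getattr(settings, "mcp_audience", None) or _MCP_URL` fallback added to agent.py in this same patch can never take effect. Pick one behaviour: either keep the field required and drop the fallback, or declare `mcp_audience: str | None = None` and derive the audience from the URL origin rather than the full `/sse` URL. The two comments are also swapped: `# MCP configuration` now sits above `mcp_audience` and `# MCP configuration audience` above `mcp_remote_url`. Since the bearer token is sent to `mcp_remote_url`, a validator that checks both values share the same host would catch a misconfiguration before a token reaches the wrong service. The class body starts and continues outside the hunk.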
diff --git a/Dockerfile b/Dockerfile index c61af70..3d0a95f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,6 +11,7 @@ WORKDIR /app # Install dependencies first (cached layer as long as lockfile doesn't change) COPY pyproject.toml uv.lock ./ +RUN uv lock --upgrade RUN uv sync --locked --no-install-project --no-editable # Copy the rest of the project and install it @@ -23,6 +24,7 @@ FROM quay.ocp.banorte.com/golden/python-312:latest WORKDIR /app COPY --from=builder /app/.venv /app/.venv +COPY --from=builder /app /app COPY config.yaml ./ ENV PATH="/app/.venv/bin:$PATH" From 5c78887ba3d139b9aea70b93714edf961e168b5a Mon Sep 17 00:00:00 2001 From: PAVEL PALMA Date: Wed, 25 Feb 2026 02:18:25 -0600 Subject: [PATCH 4/5] fix --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3d0a95f..cf680ee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,7 @@ WORKDIR /app # Install dependencies first (cached layer as long as lockfile doesn't change) COPY pyproject.toml uv.lock ./ -RUN uv lock --upgrade +RUN uv lock RUN uv sync --locked --no-install-project --no-editable # Copy the rest of the project and install it From c7d9f25fa79ebc6c0f297135fd3d0bf226d12800 Mon Sep 17 00:00:00 2001 From: PAVEL PALMA Date: Wed, 25 Feb 2026 02:20:32 -0600 Subject: [PATCH 5/5] UPDATE --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index cf680ee..4129d06 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,11 +11,12 @@ WORKDIR /app # Install dependencies first (cached layer as long as lockfile doesn't change) COPY pyproject.toml uv.lock ./ -RUN uv lock +RUN uv lock --upgrade RUN uv sync --locked --no-install-project --no-editable # Copy the rest of the project and install it COPY . . +RUN uv lock RUN uv sync --locked --no-editable # --- Final stage: no uv, no build artifacts ---
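Review bot: `RUN uv lock --upgrade` re-resolves every dependency to the newest allowed version at image build time, so the committed `uv.lock` copied on the previous line is discarded and `uv sync --locked` on the next line only checks against the lockfile that was just generated. The image then contains versions nobody reviewed, and two builds of the same commit can differ. Drop the line and keep `RUN uv sync --locked --no-install-project --no-editable` as the only step; if the lockfile is stale after the `google-auth` addition, run `uv lock` locally and commit the result. The same applies to `RUN uv lock` in patch 4/5, and to both `RUN uv lock --upgrade` and the second `RUN uv lock` after `COPY . .` in patch 5/5.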
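Review bot: `COPY --from=builder /app /app` copies the whole builder working directory into the final image, which includes everything `COPY . .` brought in (sources, `uv.lock`, and any local files not excluded by a `.dockerignore`, which is not visible here), and contradicts the stage comment "no uv, no build artifacts". It also makes the preceding `COPY --from=builder /app/.venv /app/.venv` redundant. Because the builder installs the project with `--no-editable`, the package should already be inside `.venv`, so the line can probably be removed; if the runtime really needs the sources, copy only that directory, e.g. `COPY --from=builder /app/src /app/src`.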