Merge pull request 'Add Auth v2' (#12) from merge-conflicts-resolved into main

Reviewed-on: #12

Dockerfile

@@ -11,10 +11,12 @@ WORKDIR /app
 
 # Install dependencies first (cached layer as long as lockfile doesn't change)
 COPY pyproject.toml uv.lock ./
+RUN uv lock --upgrade
 RUN uv sync --locked --no-install-project --no-editable
 
 # Copy the rest of the project and install it
 COPY . .
+RUN uv lock
 RUN uv sync --locked --no-editable
 
 # --- Final stage: no uv, no build artifacts ---
@@ -23,6 +25,7 @@ FROM quay.ocp.banorte.com/golden/python-312:latest
 WORKDIR /app
 
 COPY --from=builder /app/.venv /app/.venv
+COPY --from=builder /app /app
 COPY config.yaml ./
 
 ENV PATH="/app/.venv/bin:$PATH"

config.yaml

@@ -2,7 +2,10 @@ google_cloud_project: bnt-orquestador-cognitivo-dev
 google_cloud_location: us-central1
 
 firestore_db: bnt-orquestador-cognitivo-firestore-bdo-dev
-mcp_remote_url: http://localhost:8001/sse
+
+mcp_remote_url: "https://ap01194-orq-cog-rag-connector-1007577023101.us-central1.run.app/sse"
+# audience sin la ruta, para emitir el ID Token:
+mcp_audience: "https://ap01194-orq-cog-rag-connector-1007577023101.us-central1.run.app"
 
 agent_name: VAia
 agent_model: gemini-2.5-flash

pyproject.toml

@@ -12,6 +12,7 @@ dependencies = [
     "google-adk>=1.14.1",
     "google-cloud-firestore>=2.23.0",
     "pydantic-settings[yaml]>=2.13.1",
+    "google-auth>=2.34.0",
 ]
 
 [build-system]

src/va_agent/agent.py

@@ -10,7 +10,33 @@ from google.cloud.firestore_v1.async_client import AsyncClient
 from va_agent.config import settings
 from va_agent.session import FirestoreSessionService
 
-connection_params = SseConnectionParams(url=settings.mcp_remote_url)
+
+
+# --- Autenticación Cloud Run → Cloud Run (ID Token) ---
+from google.oauth2 import id_token
+from google.auth.transport.requests import Request as GAuthRequest
+
+def _fetch_id_token(audience: str) -> str:
+    """Emite un ID Token para invocar un servicio Cloud Run protegido."""
+    return id_token.fetch_id_token(GAuthRequest(), audience)
+
+# Audience = URL del MCP remoto 
+_MCP_URL = settings.mcp_remote_url
+_MCP_AUDIENCE = getattr(settings, "mcp_audience", None) or _MCP_URL
+
+
+
+def _auth_headers_provider() -> dict[str, str]:
+    token = _fetch_id_token(_MCP_AUDIENCE)
+    return {"Authorization": f"Bearer {token}"}
+
+
+connection_params = SseConnectionParams(
+    url=_MCP_URL,
+    headers=_auth_headers_provider()
+)
+
+# connection_params = SseConnectionParams(url=settings.mcp_remote_url)
 toolset = McpToolset(connection_params=connection_params)
 
 agent = Agent(

src/va_agent/config.py

@@ -27,6 +27,9 @@ class AgentSettings(BaseSettings):
     firestore_db: str
 
     # MCP configuration
+    mcp_audience: str
+
+    # MCP configuration audience
     mcp_remote_url: str
 
     model_config = SettingsConfigDict(