vinkius-labs/mcp-fusion

Deep audit of the A2A protocol bridge identified and remediated 8 bugs across 6 source files, with 35 regression tests added to prevent reintroduction.

Fixed

• SSE parser multi-line data loss — \parseSseStream()\ overwrote \eventData\ on each \data:\ line instead of concatenating with \n\ per the SSE specification. Any proxy (CloudFront, nginx) splitting JSON across multiple \data:\ lines caused silent data corruption. Now concatenates correctly.
• Streaming path missing tool existence check — \StreamableHttpTransport._createMessageStream()\ called \executeStream()\ without verifying the tool exists. Added optional \hasToolName?()\ to \StreamingExecutorLike\ interface and a guard before streaming execution.
• Streaming path skipped \message.kind\ validation — The sync \message/send\ handler rejects messages without \kind: 'message'\ discriminator, but \message/stream\ accepted them silently. Added the same validation to the streaming path.
• Non-text artifact content silently dropped — \A2AHandler\ mapped all MCP tool result content to \TextPart\ with \ ext: c.text ?? ''. Now preserves non-text content as \DataPart\ with \contentType\ metadata.
• Skill resolution logic duplicated across files — Extracted to a shared \message-utils.ts\ module (single source of truth).
• Protocol version mismatch — \A2A_PROTOCOL_VERSION\ updated from '0.3.0'\ to '1.0.0'\ to match the A2A v1.0+ type schema.
• Pagination cursor NaN guard — \TaskManager.listTasks()\ now handles non-numeric cursor strings safely.
• UUID fallback low entropy — Extended to 14 random characters across two \Math.random()\ calls.

Test Suite

• 35 new regression tests covering all 8 fixes
• 245 total tests across 8 test files in @vurb/a2a\
• 6805 total monorepo tests passing (330 suites)