Skip to main content
This page documents the canonical JSON envelope formats used for cross-process communication, state synchronization, and the Agent-to-UI (A2UI) protocol. It covers the schema definitions, the patch-based update mechanism, and the security model governing UI rendering.

1. Workspace Patch Protocol

The Workspace Patch protocol is used by the daemon to perform atomic, validated filesystem operations. It is designed to be “fail-closed,” ensuring that no mutations occur if safety checks (traversal, size limits, or UTF-8 validity) fail.

Implementation Details

The core logic resides in palyra-common and provides a WorkspacePatchRequest structure that encapsulates the patch content and redaction policies crates/palyra-common/src/workspace_patch.rs#67-71. Key enforcement mechanisms include:

Patch Data Flow

The following diagram illustrates how a WorkspacePatchRequest is transformed into a PatchPlan and eventually a WorkspacePatchOutcome. Workspace Patch Execution Flow Sources: crates/palyra-common/src/workspace_patch.rs#207-212, crates/palyra-common/src/workspace_patch.rs#184-193

2. A2UI (Agent-to-UI) Protocol

The A2UI protocol enables agents to dynamically construct and update rich UI components in the web console without requiring a full page reload or complex custom code. It uses a JSON-based document model updated via RFC 6902-inspired patches.

A2UI Document Structure

An A2uiDocument consists of a surface identifier and an array of A2uiComponent objects apps/web/src/a2ui/renderer.tsx#13-21. Supported components include:

Patch Operations

Updates are sent as PatchDocument objects containing an array of operations (add, replace, remove) apps/web/src/a2ui/patch.ts#127-138. The applyPatchDocument function handles the state transition apps/web/src/a2ui/patch.ts#47-52.
OperationDescriptionImplementation
addInserts a value at a path or appends to an array (-)applyAddOperation
replaceOverwrites an existing value at a pathapplyReplaceOperation
removeDeletes a key or array elementapplyRemoveOperation
Sources: apps/web/src/a2ui/patch.ts#180-189, apps/web/src/a2ui/renderer.tsx#67-97

3. Security Model & Renderer Constraints

The A2UI renderer implements a strict security model to prevent cross-site scripting (XSS) and prototype pollution from untrusted agent output.

Prototype Pollution Protection

The applyPatchDocument logic enforces a FORBIDDEN_POINTER_TOKENS set, which includes __proto__, prototype, and constructor apps/web/src/a2ui/patch.ts#16-16. Any patch attempting to traverse these tokens is immediately rejected with an A2uiError apps/web/src/a2ui/tests/patch.security.test.tsx#9-30.

Resource Budgets

To prevent Denial of Service (DoS) attacks via massive patches, the system enforces a PatchProcessingBudget apps/web/src/a2ui/patch.ts#10-11: A2UI Security & Rendering Pipeline Sources: apps/web/src/a2ui/patch.ts#18-45, apps/web/src/a2ui/renderer.tsx#33-59, apps/web/src/a2ui/tests/patch.security.test.tsx#8-31

4. UI Component Mapping

The following table maps A2UI component types to their internal React implementations and CSS classes used for styling.
Component TypeReact ComponentCSS ClassData Attributes
textComponentBody.a2ui-textdata-tone
markdownSanitizedMarkdown.a2ui-rendererN/A
formA2uiForm.a2ui-formdata-component-id
tableA2uiTable.a2ui-table-wrapdata-component-type
Sources: apps/web/src/a2ui/renderer.tsx#66-97, apps/web/src/styles.css#140-152