refactor: implement strict Content-Type validation for JSON-RPC and REST requests, and update event loop termination logic for interrupted states, update ci pipelines for itk

[JakubWorek]

Description

This pull request introduces several important improvements to request handling, event streaming, and content type validation in the server codebase. The main focus is on correctly handling interrupted (non-terminal) task states, enforcing strict content type requirements for JSON-RPC and REST endpoints, and improving the robustness of server-sent event (SSE) streaming error handling. These changes enhance protocol compliance (especially with the A2A specification), prevent subtle bugs, and improve client-facing error reporting.

Task execution and event bus management:

• Introduced INTERRUPTED_STATE_LIST to distinguish non-terminal task states (such as INPUT_REQUIRED and AUTH_REQUIRED) that pause execution but keep the task and event bus alive for follow-up actions. The event bus is now only closed for truly terminal states, allowing clients to resubscribe or continue tasks as specified in the A2A protocol (§3.4.3).
• Added a trackLatestTaskState utility to reliably track the most recent task state on the event bus, ensuring correct bus lifecycle management even when consumer processing lags behind event publishing.

Content type enforcement for API endpoints:

• Added middleware to strictly enforce application/json for JSON-RPC endpoints and either application/json or application/a2a+json for REST endpoints. Requests with unsupported content types now return a ContentTypeNotSupportedError mapped to HTTP 400, improving protocol compliance and error clarity.

Streaming and error handling improvements:

• Improved SSE streaming in JSON-RPC: the first event is now "peeked" before sending SSE headers, ensuring that errors occurring before the stream starts are returned as proper JSON-RPC error responses (with the correct HTTP status and format), rather than as misleading SSE error events.
• Updated tests to assert that pre-stream errors result in JSON-RPC error responses instead of SSE error streams, aligning with the improved error handling logic.

Workflow trigger refinement:

• Updated GitHub workflow triggers to match all branches under epic/** rather than just epic, ensuring workflows run for all relevant feature branches.

Part of changes from #517

[github-actions]

🧪 Code Coverage

⬇️ Download Full Report

	Base	PR	Delta
src/server/events/execution_event_queue.ts	94.33%	94.44%	🟢 +0.11%
src/server/express/json_rpc_handler.ts	95.61%	89.61%	🔴 -6.00%
src/server/express/rest_handler.ts	88.42%	87.41%	🔴 -1.01%
src/server/request_handler/default_request_handler.ts	82.07%	82.69%	🟢 +0.62%
src/server/utils.ts	85.96%	86.88%	🟢 +0.92%
Total	90.54%	90.46%	🔴 -0.08%

Generated by coverage-comment.yml

[gemini-code-assist]

Code Review

This pull request introduces support for interrupted task states (INPUT_REQUIRED and AUTH_REQUIRED) by keeping the execution event bus alive when these states are encountered, allowing clients to resubscribe or send follow-up messages. It also adds content-type validation guards for both JSON-RPC and REST handlers to reject unsupported content types with a ContentTypeNotSupportedError (HTTP 400). Additionally, the JSON-RPC handler is updated to peek at the first event of a stream before flushing SSE headers, ensuring early failures are returned as standard JSON-RPC error responses. Tests have been updated to reflect these changes. I have no feedback to provide as there are no review comments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.