✦ A2UI Protocol Implementation

Native UI forms
for AI agents

Stop wasting rounds of chat to collect structured input. One JSON in, one native window, one JSON out — no server, no browser, no loop.

Download View on GitHub
🤖
Agent
📄
JSON spec
via stdin
🪟
Native window
(egui)
📤
JSON result
via stdout

See It In Action

Light and dark themes — with the built-in multilingual AI-generated UI security warning.

a2native light mode — New Project Setup form
Light mode — dropdown, checkboxes, text field, slider
a2native dark mode — Configure Deployment form
Dark mode — radio group, number input, dropdown

The Problem with Chat Loops

Agents asking humans questions one at a time is painfully inefficient.

❌ Chat loop (status quo)

Agent asks a question → user types → agent asks next question → user types…

10 fields = 10 round-trips. Breaks context windows. Loses state on reconnect.

✅ a2native

Agent generates one JSON form spec → user fills everything at once → agent gets all answers in one structured response.

10 fields = 1 round-trip. Works offline. No server required.

Features

Everything an agent needs to gather structured human input.

🎛️

17 Component Types

Text fields, dropdowns, sliders, file pickers, radio groups, checkboxes, markdown, images, cards and more.

🔄

Session Mode

UUID-keyed long-lifecycle windows. The same window updates across multiple agent turns — no flicker, no re-spawn.

🎨

Theming

Dark mode and custom accent colours via theme in the JSON spec.

⏱️

Timeout

Auto-close windows after N seconds with timeout. Result status becomes "timeout".

🪶

Zero Runtime Deps

Single static binary. No Node, no Python, no browser engine. Ships as one executable file.

🔒

Safety Banner

Every window permanently shows an amber AI-generated warning. Cannot be suppressed by the form spec.

Session Mode

Inspired by agent-browser's client-daemon pattern: the window lives, the agent turns are short.

# Turn 1 — opens the window (daemon spawns in background)
echo '{"title":"Wizard 1/3","components":[...]}' | a2n --session abc123
# → {"status":"submitted","values":{...}}

# Turn 2 — same window, new form (no new window spawned)
echo '{"title":"Wizard 2/3","components":[...]}' | a2n --session abc123

# Turn 3 — final step
echo '{"title":"Wizard 3/3","components":[...]}' | a2n --session abc123

# Close the window
a2n --close abc123
Turn 1
daemon spawns Window opens. First form shown.
User
Fills form, clicks Submit → JSON → stdout
Window
Shows "⏳ Waiting for the agent to send the next step…"
Turn 2
IPC update Window form replaced. No flicker.
--close
Daemon exits cleanly. Port file removed.

A2UI Protocol

A minimal JSON contract between agents and native UI renderers.

// Input
{
  "title":     "Deploy to production",
  "timeout":   60,
  "theme":     { "dark_mode": true, "accent_color": "#6C63FF" },
  "components": [
    { "id": "env", "type": "dropdown", "label": "Environment",
      "options": [
        { "value": "prod",  "label": "Production" },
        { "value": "stag", "label": "Staging" }
      ]},
    { "id": "ok", "type": "button", "label": "Deploy", "action": "submit" }
  ]
}

// Output
{ "status": "submitted", "values": { "env": "prod" } }
ComponentOutput typeNotes
text-fieldstringSingle-line text
textareastringMulti-line text, 4 rows default
number-inputnumberDrag value with optional min/max/step
dropdownstringComboBox, value from options list
checkboxbooleanSingle toggle
checkbox-groupstring[]Multiple selection
radio-groupstringExclusive selection
slidernumberRange slider, default 0–100
date-pickerstringYYYY-MM-DD text field
time-pickerstringHH:MM text field
file-uploadstringNative file dialog; paths joined by ;
buttonsubmit / cancel / custom actions
cardBordered group, nests any components
text / markdown / image / dividerDisplay only

⚠ Security Considerations

a2native is called by AI agents automatically. Understand the risks.

The banner above appears at the top of every a2native window. It cannot be hidden by the form spec.

Prompt Injection

A compromised agent could mimic a trusted UI (fake password dialog, fake bank login).

Credential Harvesting

Malicious agents can ask for passwords or API keys and exfiltrate them.

Social Engineering

Markdown components allow arbitrary text. Attackers can craft convincing deceptive messages.

Session Hijacking

Guessable session UUIDs can be exploited by other processes on the same machine.

Mitigations: Only run a2native from agents you trust. Use random UUIDs (v4) for sessions. Set short timeout values. Never enter passwords or private keys into a2native forms.

Get Started

Build from source or download a pre-built binary.

# Build from source
git clone https://github.com/a2native/a2native.git
cd a2native
cargo build --release

# One-shot usage
echo '{"components":[{"id":"n","type":"text-field","label":"Name"}]}' | ./target/release/a2n

# Multi-turn session
echo '{"title":"Step 1","components":[...]}' | a2n --session "$(uuidgen)"