CAMEL-23063: Add camel-a2a component for Agent-to-Agent (A2A) protoco…#23711
luigidemasi wants to merge 1 commit into
| "description": "Camel A2A component for Agent-to-Agent protocol communication", | ||
| "deprecated": false, | ||
| "firstVersion": "4.21.0", | ||
| "label": "ai,a2a", |
What is the reason for the a2a label? Plan to have several agent to agents components?
What about ai and agent labels? Maybe we will have some components acting as agents or doing agent to something else communication?
| return "oauth2"; | ||
| } | ||
| if (configuration.getBearerToken() != null) { | ||
| return "http"; |
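Review bot: at `return "http";` the bare literal is ambiguous between a URL scheme and an authentication scheme type, and the same holds for `"oauth2"` above it. The branch is selected by `configuration.getBearerToken() != null`, so if the value denotes the HTTP authentication scheme type rather than the transport, a named constant or a one-line comment would say so at the point of use.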
Is it for both http and https?
| .artifacts(task.artifacts != null ? new ArrayList<>(task.artifacts) : null) | ||
| .history(task.history != null ? new ArrayList<>(task.history) : null) | ||
| .metadata(task.metadata != null ? new HashMap<>(task.metadata) : null); |
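Review bot: the copies at `new ArrayList<>(task.artifacts)`, `new ArrayList<>(task.history)` and `new HashMap<>(task.metadata)` are shallow, so the builder and the source task still share the same element and value objects. If those elements are mutable, either document that the copy is shallow or copy the elements as well.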
What about providing empty List or Map instead of null?
It avoids having to check for nullness.
davsclaus left a comment
Thank you for this substantial contribution — the A2A component is well-structured, follows Camel conventions, and has impressive test coverage. I have one blocking security finding and a few additional items.
Positive observations
- Good security defaults: `followRedirects=false`, agent card loader blocks redirects, `WebhookUrlValidator` has SSRF protection with private IP/IPv6 checks
- Comprehensive test coverage across operations, protocols, streaming, auth, and push notifications
- Proper `MojoHelper` registration, `SimpleFunctionDispatcher` integration, `secret = true` annotations on sensitive params
- No new external dependencies beyond Jackson (already managed by parent BOM)
General (non-inline) findings
- Missing upgrade guide entry — per project conventions, new user-visible features should be documented in `docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc`
- Dead code — the private method `executeStreamProcessing` in `A2AConsumer` (line ~1077) appears unused and should be removed
- CI — one CI check ("build") is currently failing; the three matrix builds pass, so this may be infrastructure, but worth confirming
Note: This review evaluates the PR against Apache Camel's project rules and conventions. It does not replace specialized review tools (CodeRabbit, Sourcery) or static analysis (SonarCloud).
This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
| String lower = entry.getKey().toLowerCase(Locale.ENGLISH); | ||
| return lower.startsWith("camela2a") || lower.startsWith("org.apache.camel."); | ||
| }); | ||
| } |
[Blocking — Security] This filter only strips CamelA2A* and org.apache.camel.* headers but does not strip all Camel* headers. Per the project's security model and the committer review checklist, consumers exposed to untrusted input must block Camel* / camel* / org.apache.camel.* case-insensitively.
The current filter leaves headers like CamelBeanMethodName, CamelExecCommandExecutable, etc. unfiltered — this is the exact attack vector from CVE-2025-27636 and five follow-on CVEs.
| } | |
| return lower.startsWith("camel") || lower.startsWith("org.apache.camel."); |
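The difference between the two filters discussed in this finding, as an added example that is not part of the PR or the review. The class name, the `filter` helper, the `org.apache.camel.Example` key and all header values are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

public class InboundHeaderFilterDemo {

    // Filter as shown in the hunk under review: drops only CamelA2A* and org.apache.camel.*
    static final Predicate<String> NARROW = key -> {
        String lower = key.toLowerCase(Locale.ENGLISH);
        return lower.startsWith("camela2a") || lower.startsWith("org.apache.camel.");
    };

    // Filter from the suggested change: drops every Camel* header, case-insensitively
    static final Predicate<String> BROAD = key -> {
        String lower = key.toLowerCase(Locale.ENGLISH);
        return lower.startsWith("camel") || lower.startsWith("org.apache.camel.");
    };

    // Returns a copy of the inbound headers with every blocked key removed
    static Map<String, Object> filter(Map<String, Object> inbound, Predicate<String> blocked) {
        Map<String, Object> kept = new LinkedHashMap<>(inbound);
        kept.keySet().removeIf(blocked);
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample of headers from an untrusted HTTP client; values are placeholders
        Map<String, Object> inbound = new LinkedHashMap<>();
        inbound.put("Content-Type", "application/json");
        inbound.put("CamelA2AListPageSize", "100");
        inbound.put("CamelBeanMethodName", "placeholder");
        inbound.put("camelexeccommandexecutable", "placeholder");
        inbound.put("org.apache.camel.Example", "placeholder");

        Set<String> narrow = filter(inbound, NARROW).keySet();
        Set<String> broad = filter(inbound, BROAD).keySet();
        System.out.println("narrow filter keeps: " + narrow);
        System.out.println("broad filter keeps:  " + broad);

        // Regression check: only the non-Camel header may survive the broad filter
        if (!broad.equals(Set.of("Content-Type"))) {
            throw new AssertionError("Camel* header survived: " + broad);
        }
    }
}
```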
| this.maxRetries = maxRetries; | ||
| this.initialBackoffMs = initialBackoffMs; | ||
| this.executor = Executors.newScheduledThreadPool(4, r -> { | ||
| Thread t = new Thread(r, "A2APushDispatcher"); |
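Review bot: the pool size `4` is hard-coded in the `Executors.newScheduledThreadPool(4, ...)` call and every thread is given the identical name "A2APushDispatcher", so workers cannot be told apart in a thread dump. Take the size from configuration (alongside `maxRetries` and `initialBackoffMs`) and append a counter to the thread name.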
[Medium] This creates a ScheduledExecutorService via Executors.newScheduledThreadPool() directly, bypassing Camel's ExecutorServiceManager. The threads won't be tracked by JMX/monitoring, won't participate in graceful shutdown, and won't respect Camel's thread pool profile.
The HttpClient executor in A2AEndpoint.doStart() correctly uses getCamelContext().getExecutorServiceManager() — this should follow the same pattern. Since PushNotificationDispatcher doesn't have access to CamelContext, consider passing in a ScheduledExecutorService created by the endpoint instead.
| String contextId = exchange.getMessage().getHeader(A2AConstants.LIST_CONTEXT_ID, String.class); | ||
|
|
||
| filterInboundHeaders(exchange); | ||
|
|
[Low] pageSize and contextId are read from exchange headers before filterInboundHeaders is called (lines 734-735). An untrusted HTTP client could inject CamelA2AListPageSize and CamelA2AListContextId headers. While the impact is low (pageSize is capped at 100, contextId is just a filter key), the filter should run before any header reads — consistent with all other handlers in this class.
…l integration
Adds the `camel-a2a` component implementing the A2A (Agent-to-Agent) protocol for Apache Camel. The component provides both producer and consumer support, enabling Camel routes to participate in standardized agent-to-agent communication.
Features
- `/.well-known/agent-card.json`
- `a2aText()`, `a2aData()`, `a2aFile()`)
- `A2AProgress.emit()` for status updates from any route
Demo
A multi-agent demo showcasing `camel-a2a` in action is available at: https://github.com/luigidemasi/camel-a2a-morning-routine