feat(a2a): agent-card public URL injection (X-Forwarded-Host aware)

[bokelley]

Problem

adcp.server.a2a_server._build_agent_card hardcodes http://localhost:{port}/ at server-init time. There's no hook for injecting a public URL.

In production the bound socket is internal — the public URL comes from the load balancer's X-Forwarded-Host (or the request Host). Without intervention, the static localhost URL leaks into /.well-known/agent-card.json, and SDK clients that read the card to discover the JSON-RPC endpoint try to reach http://localhost:8080/ from outside the container, failing every A2A request with fetch failed.

Workaround

We run a 190-LOC ASGI middleware (AgentCardPublicUrlMiddleware) that intercepts the /.well-known/agent-card.json response, parses the JSON body, rewrites the URL fields based on X-Forwarded-Host/Host/X-Forwarded-Proto, and sends the modified payload. Rewrites both top-level url and every supportedInterfaces[].url. Only rewrites loopback URLs so explicit configurations pass through.

This is brittle — buffer the response, parse JSON, mutate, re-encode, recompute Content-Length, forward. One bug in the buffering and discovery silently breaks.

Proposed SDK shape

Either:

A) serve(public_url=...) kwarg — explicit override, simplest. Adopters set it once at boot; framework uses it instead of the bound-socket URL when building the card.

B) Honour X-Forwarded-Host natively — when an inbound request to /.well-known/agent-card.json carries X-Forwarded-Host (or X-Forwarded-Proto), the framework derives the public URL from those headers and uses them in the response. Matches HTTP-server convention; no new public API needed beyond a trust_forwarded_headers=True opt-in.

C) Both — public_url= for static config, X-Forwarded-Host for dynamic deployments behind a reverse proxy.

Files

• Our workaround: core/middleware/agent_card_public_url.py
• Local tracker: Fix CI test failures and SSE connection issues prebid/salesagent#103

Related

• A2A: /.well-known/agent.json (0.3 alias) returns 404 — route not registered, breaking SDK auto-detection #612 (also open, just filed) — /.well-known/agent.json 0.3 alias 404. Solving that doesn't help with the public-URL leak; both need fixing.

[bokelley]

Triage

Classification: Feature request
Bucket(s): handlers
Status: drafting-pr
Milestone: (omitted — no target version specified)

What the experts said:

• dx-expert: Ship option A (public_url= static kwarg) now; option B (trust_forwarded_headers) has a trust-boundary design gap and thread-safety issues with shared pb.AgentCard mutation — deferred to follow-up. public_url naming is correct (distinct from existing base_url for MCP discovery manifest). PUBLIC_URL env-var fallback is the right zero-config pattern for PaaS.
• code-reviewer: Non-breaking, clean threading through the stack. Added trailing-slash normalisation so callers can pass "https://x.com" or "https://x.com/" interchangeably. Required a serve() docstring entry (was missing despite being in create_a2a_server's docs). All blockers resolved in the review→fix iteration.

My take: The localhost hardcoding is a genuine production blocker for any containerised deployment. Option A (static public_url=) solves 95%+ of cases with zero ambiguity; option B's per-request X-Forwarded-Host derivation can follow once the trust-boundary design is settled.

Draft PR: #621 — adds public_url to _build_agent_card, create_a2a_server, serve, and ServeConfig; PUBLIC_URL env-var fallback; 7 new tests (including trailing-slash and default-localhost coverage).

---

Triaged by Claude Code. Session: https://claude.ai/code/session_01NXgGie4ARyxg3hWBYo5tG6

---

Generated by Claude Code