added passthrough headers - a2a agent (add/edit)

Signed-off-by: Satya <[email protected]>

Author: TS0713

alembic/README

@@ -0,0 +1 @@
+Generic single-database configuration.

alembic/env.py

@@ -0,0 +1,78 @@
+from logging.config import fileConfig
+
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+
+from alembic import context
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+# from myapp import mymodel
+# target_metadata = mymodel.Base.metadata
+target_metadata = None
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section, {}),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection, target_metadata=target_metadata
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

alembic/script.py.mako

@@ -0,0 +1,28 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, Sequence[str], None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    ${downgrades if downgrades else "pass"}

mcpgateway/admin.py

@@ -9444,8 +9444,15 @@ async def admin_add_a2a_agent(
                 LOGGER.info(f"✅ Assembled OAuth config from UI form fields: grant_type={oauth_grant_type}, issuer={oauth_issuer}")
                 LOGGER.info(f"DEBUG: Complete oauth_config = {oauth_config}")
 
-        # TODO
-        # Handle passthrough_headers
+        passthrough_headers = str(form.get("passthrough_headers"))
+        if passthrough_headers and passthrough_headers.strip():
+            try:
+                passthrough_headers = json.loads(passthrough_headers)
+            except (json.JSONDecodeError, ValueError):
+                # Fallback to comma-separated parsing
+                passthrough_headers = [h.strip() for h in passthrough_headers.split(",") if h.strip()]
+        else:
+            passthrough_headers = None
 
         # Auto-detect OAuth: if oauth_config is present and auth_type not explicitly set, use "oauth"
         auth_type_from_form = str(form.get("auth_type", ""))
@@ -9474,6 +9481,7 @@ async def admin_add_a2a_agent(
             visibility=form.get("visibility", "private"),
             team_id=team_id,
             owner_email=user_email,
+            passthrough_headers=passthrough_headers,
         )
 
         LOGGER.info(f"Creating A2A agent: {agent_data.name} at {agent_data.endpoint_url}")
@@ -9551,6 +9559,7 @@ async def admin_edit_a2a_agent(
       - team_id (optional)
       - capabilities (JSON, optional)
       - config (JSON, optional)
+      - passthrough_headers: Optional[List[str]]
 
     Args:
         agent_id (str): The ID of the agent being edited.
@@ -9678,17 +9687,16 @@ async def admin_edit_a2a_agent(
             except (json.JSONDecodeError, ValueError):
                 auth_headers = []
 
-        """
         # Passthrough headers
-        passthrough_headers = None
-        if form.get("passthrough_headers"):
-            raw = str(form.get("passthrough_headers"))
+        passthrough_headers = str(form.get("passthrough_headers"))
+        if passthrough_headers and passthrough_headers.strip():
             try:
-                passthrough_headers = json.loads(raw)
-            except (ValueError, json.JSONDecodeError):
-                passthrough_headers = [h.strip() for h in raw.split(",") if h.strip()]
-
-        """
+                passthrough_headers = json.loads(passthrough_headers)
+            except (json.JSONDecodeError, ValueError):
+                # Fallback to comma-separated parsing
+                passthrough_headers = [h.strip() for h in passthrough_headers.split(",") if h.strip()]
+        else:
+            passthrough_headers = None
 
         # Parse OAuth configuration - support both JSON string and individual form fields
         oauth_config_json = str(form.get("oauth_config"))
@@ -9778,6 +9786,7 @@ async def admin_edit_a2a_agent(
             auth_header_value=str(form.get("auth_header_value", "")),
             auth_value=str(form.get("auth_value", "")),
             auth_headers=auth_headers if auth_headers else None,
+            passthrough_headers=passthrough_headers,
             oauth_config=oauth_config,
             visibility=visibility,
             team_id=team_id,

mcpgateway/db.py

@@ -2571,6 +2571,9 @@ class A2AAgent(Base):
     # OAuth configuration
     oauth_config: Mapped[Optional[Dict[str, Any]]] = mapped_column(JSON, nullable=True, comment="OAuth 2.0 configuration including grant_type, client_id, encrypted client_secret, URLs, and scopes")
 
+    # Header passthrough configuration
+    passthrough_headers: Mapped[Optional[List[str]]] = mapped_column(JSON, nullable=True)  # Store list of strings as JSON array
+
     # Status and metadata
     enabled: Mapped[bool] = mapped_column(Boolean, default=True)
     reachable: Mapped[bool] = mapped_column(Boolean, default=True)

mcpgateway/schemas.py

@@ -3942,6 +3942,7 @@ class A2AAgentCreate(BaseModel):
     protocol_version: str = Field(default="1.0", description="A2A protocol version supported")
     capabilities: Dict[str, Any] = Field(default_factory=dict, description="Agent capabilities and features")
     config: Dict[str, Any] = Field(default_factory=dict, description="Agent-specific configuration parameters")
+    passthrough_headers: Optional[List[str]] = Field(default=None, description="List of headers allowed to be passed through from client to target")
     # Authorizations
     auth_type: Optional[str] = Field(None, description="Type of authentication: basic, bearer, headers, oauth, or none")
     # Fields for various types of authentication
@@ -4222,6 +4223,7 @@ class A2AAgentUpdate(BaseModelWithConfigDict):
     protocol_version: Optional[str] = Field(None, description="A2A protocol version supported")
     capabilities: Optional[Dict[str, Any]] = Field(None, description="Agent capabilities and features")
     config: Optional[Dict[str, Any]] = Field(None, description="Agent-specific configuration parameters")
+    passthrough_headers: Optional[List[str]] = Field(default=None, description="List of headers allowed to be passed through from client to target")
     auth_type: Optional[str] = Field(None, description="Type of authentication")
     auth_username: Optional[str] = Field(None, description="username for basic authentication")
     auth_password: Optional[str] = Field(None, description="password for basic authentication")
@@ -4529,7 +4531,7 @@ class A2AAgentRead(BaseModelWithConfigDict):
     last_interaction: Optional[datetime]
     tags: List[str] = Field(default_factory=list, description="Tags for categorizing the agent")
     metrics: A2AAgentMetrics
-
+    passthrough_headers: Optional[List[str]] = Field(default=None, description="List of headers allowed to be passed through from client to target")
     # Authorizations
     auth_type: Optional[str] = Field(None, description="auth_type: basic, bearer, headers, oauth, or None")
     auth_value: Optional[str] = Field(None, description="auth value: username/password or token or custom headers")

mcpgateway/services/a2a_service.py

@@ -250,6 +250,7 @@ async def register_agent(
                 auth_value=auth_value,  # This should be encrypted in practice
                 oauth_config=oauth_config,
                 tags=agent_data.tags,
+                passthrough_headers=getattr(agent_data, "passthrough_headers", None),
                 # Team scoping fields - use schema values if provided, otherwise fallback to parameters
                 team_id=getattr(agent_data, "team_id", None) or team_id,
                 owner_email=getattr(agent_data, "owner_email", None) or owner_email or created_by,
@@ -618,7 +619,25 @@ async def update_agent(
                         raise A2AAgentNameConflictError(name=new_slug, is_active=existing_agent.enabled, agent_id=existing_agent.id, visibility=existing_agent.visibility)
             # Update fields
             update_data = agent_data.model_dump(exclude_unset=True)
+
             for field, value in update_data.items():
+                if field == "passthrough_headers":
+                    if value is not None:
+                        if isinstance(value, list):
+                            # Clean list: remove empty or whitespace-only entries
+                            cleaned = [h.strip() for h in value if isinstance(h, str) and h.strip()]
+                            agent.passthrough_headers = cleaned or None
+                        elif isinstance(value, str):
+                            # Parse comma-separated string and clean
+                            parsed: List[str] = [h.strip() for h in value.split(",") if h.strip()]
+                            agent.passthrough_headers = parsed or None
+                        else:
+                            raise A2AAgentError("Invalid passthrough_headers format: must be list[str] or comma-separated string")
+                    else:
+                        # Explicitly set to None if value is None
+                        agent.passthrough_headers = None
+                    continue
+
                 if hasattr(agent, field):
                     setattr(agent, field, value)
 

mcpgateway/static/admin.js

@@ -3049,6 +3049,22 @@ async function editA2AAgent(agentId) {
 
         // Set form action to the new POST endpoint
 
+        // Handle passthrough headers
+        const passthroughHeadersField = safeGetElement(
+            "edit-a2a-agent-passthrough-headers",
+        );
+        if (passthroughHeadersField) {
+            if (
+                agent.passthroughHeaders &&
+                Array.isArray(agent.passthroughHeaders)
+            ) {
+                passthroughHeadersField.value =
+                    agent.passthroughHeaders.join(", ");
+            } else {
+                passthroughHeadersField.value = "";
+            }
+        }
+
         openModal("a2a-edit-modal");
         console.log("✓ A2A Agent edit modal loaded successfully");
     } catch (err) {
@@ -8490,7 +8506,6 @@ async function handleA2AFormSubmit(e) {
     try {
         // Basic validation
         const name = formData.get("name");
-
         const nameValidation = validateInputName(name, "A2A Agent");
         if (!nameValidation.valid) {
             throw new Error(nameValidation.error);
@@ -8506,6 +8521,32 @@ async function handleA2AFormSubmit(e) {
 
         const isInactiveCheckedBool = isInactiveChecked("a2a-agents");
         formData.append("is_inactive_checked", isInactiveCheckedBool);
+        // Process passthrough headers - convert comma-separated string to array
+        const passthroughHeadersString = formData.get("passthrough_headers");
+        if (passthroughHeadersString && passthroughHeadersString.trim()) {
+            // Split by comma and clean up each header name
+            const passthroughHeaders = passthroughHeadersString
+                .split(",")
+                .map((header) => header.trim())
+                .filter((header) => header.length > 0);
+
+            // Validate each header name
+            for (const headerName of passthroughHeaders) {
+                if (!HEADER_NAME_REGEX.test(headerName)) {
+                    showErrorMessage(
+                        `Invalid passthrough header name: "${headerName}". Only letters, numbers, and hyphens are allowed.`,
+                    );
+                    return;
+                }
+            }
+
+            // Remove the original string and add as JSON array
+            formData.delete("passthrough_headers");
+            formData.append(
+                "passthrough_headers",
+                JSON.stringify(passthroughHeaders),
+            );
+        }
 
         // Handle auth_headers JSON field
         const authHeadersJson = formData.get("auth_headers");
@@ -8847,7 +8888,6 @@ async function handleEditA2AAgentFormSubmit(e) {
             throw new Error(urlValidation.error);
         }
 
-        /*
         // Handle passthrough headers
         const passthroughHeadersString =
             formData.get("passthrough_headers") || "";
@@ -8870,7 +8910,6 @@ async function handleEditA2AAgentFormSubmit(e) {
             "passthrough_headers",
             JSON.stringify(passthroughHeaders),
         );
-        */
 
         // Handle OAuth configuration
         // NOTE: OAuth config assembly is now handled by the backend (mcpgateway/admin.py)

mcpgateway/templates/admin.html

@@ -5374,7 +5374,7 @@ <h2 class="text-2xl font-bold dark:text-gray-200">
         </div>
 
                 <!-- A2A Agents List -->
-        <div class="bg-white shadow rounded-lg p-6 mb-6 dark:bg-gray-800">
+        <div class="bg-white shadow rounded-lg p-4 mb-4 dark:bg-gray-800">
           <div class="p-0">
             <h3
               class="text-lg font-medium text-gray-900 dark:text-gray-200 mb-4"
@@ -6060,6 +6060,27 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-200 mb-4">
                 </div>
               </div>
 
+              <div class="sm:col-span-2 max-w-5xl">
+                <label
+                  for="passthrough_headers"
+                  class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                >
+                  Passthrough Headers
+                </label>
+                <input
+                  type="text"
+                  name="passthrough_headers"
+                  placeholder="Authorization, X-Tenant-Id, X-Trace-Id"
+                  class="mt-1 block w-full rounded-md border border-gray-300 dark:border-gray-700 shadow-sm
+                        focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:placeholder-gray-300 dark:text-gray-300"
+                />
+                <small class="block mt-1 text-sm text-gray-500 dark:text-gray-400">
+                  List of headers to pass through from client requests (comma-separated, e.g.,
+                  "Authorization, X-Tenant-Id, X-Trace-Id").
+                </small>
+              </div>
+
+
               <!-- Error Display -->
               <span
                 id="a2aFormError"
@@ -8699,6 +8720,27 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
                           </label>
                         </div>
                       </div>
+                      
+                      <div>
+                        <label
+                          class="block text-sm font-medium text-gray-700 dark:text-gray-400"
+                          >Passthrough Headers</label
+                        >
+                        <small
+                          class="text-gray-500 dark:text-gray-400 block mb-2"
+                        >
+                          List of headers to pass through from client requests
+                          (comma-separated, e.g., "Authorization, X-Tenant-Id,
+                          X-Trace-Id"). Leave empty to use global defaults.
+                        </small>
+                        <input
+                          type="text"
+                          name="passthrough_headers"
+                          id="edit-a2a-agent-passthrough-headers"
+                          placeholder="Authorization, X-Tenant-Id, X-Trace-Id"
+                          class="mt-1 block w-full rounded-md border border-gray-300 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:placeholder-gray-300 dark:text-gray-300"
+                        />
+                      </div>
 
                       <!-- Hidden Config Fields -->
                       <input type="hidden" name="capabilities" id="a2a-agent-capabilities-edit" value="{}" />