switch to header only

prassanna-ravishankar · prassanna-ravishankar · commit 8c7ac9624709 · 2025-10-06T21:03:02.000+01:00
diff --git a/src/agentex/lib/sdk/fastacp/base/base_acp_server.py b/src/agentex/lib/sdk/fastacp/base/base_acp_server.py
@@ -152,12 +152,14 @@ async def _handle_jsonrpc(self, request: Request):
                     ),
                 )
 
-            # Extract application headers, excluding sensitive/transport headers per FASTACP_* rules
+            # Extract application headers using allowlist approach (only x-* headers)
+            # Matches gateway's security filtering rules
             # Forward filtered headers via params.request.headers to agent handlers
             custom_headers = {
                 key: value
                 for key, value in request.headers.items()
-                if key.lower() not in FASTACP_HEADER_SKIP_EXACT
+                if key.lower().startswith("x-")
+                and key.lower() not in FASTACP_HEADER_SKIP_EXACT
                 and not any(key.lower().startswith(p) for p in FASTACP_HEADER_SKIP_PREFIXES)
             }
             
@@ -166,6 +168,7 @@ async def _handle_jsonrpc(self, request: Request):
             params_data = dict(rpc_request.params) if rpc_request.params else {}
             
             # Add custom headers to the request structure if any headers were provided
+            # Gateway sends filtered headers via HTTP, SDK extracts and populates params.request
             if custom_headers:
                 params_data["request"] = {"headers": custom_headers}
             params = params_model.model_validate(params_data)
diff --git a/src/agentex/lib/sdk/fastacp/base/constants.py b/src/agentex/lib/sdk/fastacp/base/constants.py
@@ -1,24 +1,37 @@
 from __future__ import annotations
 
 # Header filtering rules for FastACP server
+# These rules match the gateway's security filtering
 
-# Prefixes to skip (case-insensitive beginswith checks)
-FASTACP_HEADER_SKIP_PREFIXES: tuple[str, ...] = (
-    "content-",
+# Hop-by-hop headers that should not be forwarded
+HOP_BY_HOP_HEADERS: set[str] = {
+    "connection",
+    "keep-alive",
+    "proxy-authenticate",
+    "proxy-authorization",
+    "te",
+    "trailer",
+    "transfer-encoding",
+    "upgrade",
+    "content-length",
+    "content-encoding",
     "host",
-    "user-agent",
-    "x-forwarded-",
-    "sec-",
-)
+}
 
-# Exact header names to skip (case-insensitive matching done by lowercasing keys)
-FASTACP_HEADER_SKIP_EXACT: set[str] = {
-    "x-agent-api-key",
-    "connection",
-    "accept-encoding",
+# Sensitive headers that should never be forwarded
+BLOCKED_HEADERS: set[str] = {
+    "authorization",
     "cookie",
-    "content-length",
-    "transfer-encoding",
+    "x-agent-api-key",
+    "x-request-id",
 }
 
+# Legacy constants for backward compatibility
+FASTACP_HEADER_SKIP_EXACT: set[str] = HOP_BY_HOP_HEADERS | BLOCKED_HEADERS
+
+FASTACP_HEADER_SKIP_PREFIXES: tuple[str, ...] = (
+    "x-forwarded-",  # proxy headers
+    "sec-",  # security headers added by browsers
+)
+
 
