ack PR comments

Author: waleedlatif1

apps/sim/app/api/a2a/agents/[agentId]/route.ts

@@ -103,6 +103,14 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
 
     const body = await request.json()
 
+    if (
+      body.skillTags !== undefined &&
+      (!Array.isArray(body.skillTags) ||
+        !body.skillTags.every((tag: unknown): tag is string => typeof tag === 'string'))
+    ) {
+      return NextResponse.json({ error: 'skillTags must be an array of strings' }, { status: 400 })
+    }
+
     let skills = body.skills ?? existingAgent.skills
     if (body.skillTags !== undefined) {
       const agentName = body.name ?? existingAgent.name

apps/sim/app/api/a2a/agents/route.ts

@@ -122,6 +122,14 @@ export async function POST(request: NextRequest) {
       )
     }
 
+    const workflowData = await loadWorkflowFromNormalizedTables(workflowId)
+    if (!workflowData || !hasValidStartBlockInState(workflowData)) {
+      return NextResponse.json(
+        { error: 'Workflow must have a Start block to be exposed as an A2A agent' },
+        { status: 400 }
+      )
+    }
+
     const [existing] = await db
       .select({ id: a2aAgent.id })
       .from(a2aAgent)
@@ -135,14 +143,6 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const workflowData = await loadWorkflowFromNormalizedTables(workflowId)
-    if (!workflowData || !hasValidStartBlockInState(workflowData)) {
-      return NextResponse.json(
-        { error: 'Workflow must have a Start block to be exposed as an A2A agent' },
-        { status: 400 }
-      )
-    }
-
     const skills = generateSkillsFromWorkflow(
       name || wf.name,
       description || wf.description,

apps/sim/app/api/a2a/serve/[agentId]/route.ts

@@ -224,9 +224,8 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
     }
 
     const { id, method, params: rpcParams } = body
-    const apiKey =
-      request.headers.get('X-API-Key') ||
-      request.headers.get('Authorization')?.replace('Bearer ', '')
+    // Only accept API keys from X-API-Key header to maintain proper auth boundaries
+    const apiKey = request.headers.get('X-API-Key')
 
     logger.info(`A2A request: ${method} for agent ${agentId}`)
 
@@ -294,6 +293,9 @@ async function handleMessageSend(
   const taskId = message.taskId || generateTaskId()
   const contextId = message.contextId || uuidv4()
 
+  // Distributed lock to prevent concurrent task processing
+  // Note: When Redis is unavailable, acquireLock returns true (degraded mode).
+  // In production, ensure Redis is available for proper distributed locking.
   const lockKey = `a2a:task:${taskId}:lock`
   const lockValue = uuidv4()
   const acquired = await acquireLock(lockKey, lockValue, 60)
@@ -427,9 +429,14 @@ async function handleMessageSend(
 
       return NextResponse.json(createResponse(id, task))
     } catch (error) {
-      logger.error(`Error executing workflow for task ${taskId}:`, error)
+      const isTimeout = error instanceof Error && error.name === 'TimeoutError'
+      logger.error(`Error executing workflow for task ${taskId}:`, { error, isTimeout })
 
-      const errorMessage = error instanceof Error ? error.message : 'Workflow execution failed'
+      const errorMessage = isTimeout
+        ? `Workflow execution timed out after ${A2A_DEFAULT_TIMEOUT}ms`
+        : error instanceof Error
+          ? error.message
+          : 'Workflow execution failed'
 
       await db
         .update(a2aTask)
@@ -479,9 +486,14 @@ async function handleMessageStream(
   const contextId = message.contextId || uuidv4()
   const taskId = message.taskId || generateTaskId()
 
+  // Distributed lock to prevent concurrent task processing
+  // Note: When Redis is unavailable, acquireLock returns true (degraded mode).
+  // Lock timeout: 5 minutes for streaming to handle long-running workflows.
+  // If a streaming request fails without releasing the lock, subsequent requests
+  // will be blocked until timeout. The lock is released in finally block below.
   const lockKey = `a2a:task:${taskId}:lock`
   const lockValue = uuidv4()
-  const acquired = await acquireLock(lockKey, lockValue, 300) // 5 minute timeout for streaming
+  const acquired = await acquireLock(lockKey, lockValue, 300)
 
   if (!acquired) {
     const encoder = new TextEncoder()
@@ -645,7 +657,11 @@ async function handleMessageStream(
             }
           }
 
-          const messageContent = finalContent || accumulatedContent || 'Task completed'
+          // Use finalContent if available and non-empty, otherwise fall back to accumulated content
+          const messageContent =
+            (finalContent !== undefined && finalContent.length > 0
+              ? finalContent
+              : accumulatedContent) || 'Task completed'
           const agentMessage = createAgentMessage(messageContent)
           agentMessage.taskId = taskId
           if (contextId) agentMessage.contextId = contextId
@@ -718,7 +734,14 @@ async function handleMessageStream(
           })
         }
       } catch (error) {
-        logger.error(`Streaming error for task ${taskId}:`, error)
+        const isTimeout = error instanceof Error && error.name === 'TimeoutError'
+        logger.error(`Streaming error for task ${taskId}:`, { error, isTimeout })
+
+        const errorMessage = isTimeout
+          ? `Workflow execution timed out after ${A2A_DEFAULT_TIMEOUT}ms`
+          : error instanceof Error
+            ? error.message
+            : 'Streaming failed'
 
         await db
           .update(a2aTask)
@@ -735,7 +758,7 @@ async function handleMessageStream(
 
         sendEvent('error', {
           code: A2A_ERROR_CODES.INTERNAL_ERROR,
-          message: error instanceof Error ? error.message : 'Streaming failed',
+          message: errorMessage,
         })
       } finally {
         await releaseLock(lockKey, lockValue)
@@ -862,7 +885,7 @@ async function handleTaskCancel(id: string | number, params: TaskIdParams): Prom
  * Handle tasks/resubscribe - Reconnect to SSE stream for an ongoing task
  */
 async function handleTaskResubscribe(
-  _request: NextRequest,
+  request: NextRequest,
   id: string | number,
   params: TaskIdParams
 ): Promise<NextResponse> {
@@ -896,10 +919,20 @@ async function handleTaskResubscribe(
   let isCancelled = false
   let pollTimeoutId: ReturnType<typeof setTimeout> | null = null
 
+  // Listen for client disconnection via request signal
+  const abortSignal = request.signal
+  abortSignal.addEventListener('abort', () => {
+    isCancelled = true
+    if (pollTimeoutId) {
+      clearTimeout(pollTimeoutId)
+      pollTimeoutId = null
+    }
+  })
+
   const stream = new ReadableStream({
     async start(controller) {
       const sendEvent = (event: string, data: unknown): boolean => {
-        if (isCancelled) return false
+        if (isCancelled || abortSignal.aborted) return false
         try {
           controller.enqueue(encoder.encode(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`))
           return true
@@ -935,7 +968,7 @@ async function handleTaskResubscribe(
 
       let polls = 0
       const poll = async () => {
-        if (isCancelled) {
+        if (isCancelled || abortSignal.aborted) {
           cleanup()
           return
         }

apps/sim/app/api/a2a/serve/[agentId]/utils.ts

@@ -140,12 +140,22 @@ export function extractAgentContent(executeResult: {
   output?: { content?: string; [key: string]: unknown }
   error?: string
 }): string {
-  return (
-    executeResult.output?.content ||
-    (typeof executeResult.output === 'object'
-      ? JSON.stringify(executeResult.output)
-      : String(executeResult.output || executeResult.error || 'Task completed'))
-  )
+  // Prefer explicit content field
+  if (executeResult.output?.content) {
+    return executeResult.output.content
+  }
+
+  // If output is an object with meaningful data, stringify it
+  if (typeof executeResult.output === 'object' && executeResult.output !== null) {
+    const keys = Object.keys(executeResult.output)
+    // Skip empty objects or objects with only undefined values
+    if (keys.length > 0 && keys.some((k) => executeResult.output![k] !== undefined)) {
+      return JSON.stringify(executeResult.output)
+    }
+  }
+
+  // Fallback to error message or default
+  return executeResult.error || 'Task completed'
 }
 
 export function buildTaskResponse(params: {

apps/sim/app/api/tools/a2a/cancel-task/route.ts

@@ -1,8 +1,8 @@
 import type { Task } from '@a2a-js/sdk'
-import { ClientFactory } from '@a2a-js/sdk/client'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -41,8 +41,7 @@ export async function POST(request: NextRequest) {
       taskId: validatedData.taskId,
     })
 
-    const factory = new ClientFactory()
-    const client = await factory.createFromUrl(validatedData.agentUrl)
+    const client = await createA2AClient(validatedData.agentUrl, validatedData.apiKey)
 
     const task = (await client.cancelTask({ id: validatedData.taskId })) as Task
 

apps/sim/app/api/tools/a2a/delete-push-notification/route.ts

@@ -1,7 +1,7 @@
-import { ClientFactory } from '@a2a-js/sdk/client'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -51,8 +51,7 @@ export async function POST(request: NextRequest) {
       pushNotificationConfigId: validatedData.pushNotificationConfigId,
     })
 
-    const factory = new ClientFactory()
-    const client = await factory.createFromUrl(validatedData.agentUrl)
+    const client = await createA2AClient(validatedData.agentUrl, validatedData.apiKey)
 
     await client.deleteTaskPushNotificationConfig({
       id: validatedData.taskId,

apps/sim/app/api/tools/a2a/get-agent-card/route.ts

@@ -1,7 +1,7 @@
-import { ClientFactory } from '@a2a-js/sdk/client'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -45,8 +45,7 @@ export async function POST(request: NextRequest) {
       agentUrl: validatedData.agentUrl,
     })
 
-    const factory = new ClientFactory()
-    const client = await factory.createFromUrl(validatedData.agentUrl)
+    const client = await createA2AClient(validatedData.agentUrl, validatedData.apiKey)
 
     const agentCard = await client.getAgentCard()
 

apps/sim/app/api/tools/a2a/get-push-notification/route.ts

@@ -1,7 +1,7 @@
-import { ClientFactory } from '@a2a-js/sdk/client'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -49,8 +49,7 @@ export async function POST(request: NextRequest) {
       taskId: validatedData.taskId,
     })
 
-    const factory = new ClientFactory()
-    const client = await factory.createFromUrl(validatedData.agentUrl)
+    const client = await createA2AClient(validatedData.agentUrl, validatedData.apiKey)
 
     const result = await client.getTaskPushNotificationConfig({
       id: validatedData.taskId,

apps/sim/app/api/tools/a2a/get-task/route.ts

@@ -1,8 +1,8 @@
 import type { Task } from '@a2a-js/sdk'
-import { ClientFactory } from '@a2a-js/sdk/client'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -47,8 +47,7 @@ export async function POST(request: NextRequest) {
       historyLength: validatedData.historyLength,
     })
 
-    const factory = new ClientFactory()
-    const client = await factory.createFromUrl(validatedData.agentUrl)
+    const client = await createA2AClient(validatedData.agentUrl, validatedData.apiKey)
 
     const task = (await client.getTask({
       id: validatedData.taskId,

apps/sim/app/api/tools/a2a/resubscribe/route.ts

@@ -6,11 +6,10 @@ import type {
   TaskState,
   TaskStatusUpdateEvent,
 } from '@a2a-js/sdk'
-import { ClientFactory } from '@a2a-js/sdk/client'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { extractTextContent, isTerminalState } from '@/lib/a2a/utils'
+import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -44,8 +43,7 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
     const validatedData = A2AResubscribeSchema.parse(body)
 
-    const factory = new ClientFactory()
-    const client = await factory.createFromUrl(validatedData.agentUrl)
+    const client = await createA2AClient(validatedData.agentUrl, validatedData.apiKey)
 
     const stream = client.resubscribeTask({ id: validatedData.taskId })