
CAMEL-23063: Add camel-a2a component for Agent-to-Agent (A2A) protoco…#23711

Open
luigidemasi wants to merge 6 commits into apache:main from luigidemasi:CAMEL-23063


@luigidemasi


…l integration

Adds the camel-a2a component implementing the A2A (Agent-to-Agent) protocol for Apache Camel. The component provides both producer and consumer support, enabling Camel routes to participate in standardized agent-to-agent communication.

Features

  • Consumer — exposes a Camel route as an A2A server with automatic agent card serving at /.well-known/agent-card.json
  • Producer — sends A2A messages (MESSAGE_SEND, MESSAGE_STREAM, TASK_GET, TASK_CANCEL, etc.) to remote agents
  • Protocol bindings — REST and JSON-RPC 2.0
  • Streaming — Server-Sent Events (SSE) for real-time task updates
  • Authentication — API key, Bearer token, OAuth 2.0, OpenID Connect
  • Task management — in-memory task store with TTL, push notifications, subscriber management
  • Agent card — discovery, resolution (file < bean < URI params), and auto-serving
  • Type converters — Message/Task to String, plus Simple DSL functions (a2aText(), a2aData(), a2aFile())
  • Progress API — A2AProgress.emit() for status updates from any route

Demo

A multi-agent demo showcasing camel-a2a in action is available at:

https://github.com/luigidemasi/camel-a2a-morning-routine

@luigidemasi luigidemasi requested a review from davsclaus June 2, 2026 15:34
Comment thread components/camel-ai/camel-a2a/src/generated/resources/a2a.json Outdated
@github-actions

github-actions Bot commented Jun 2, 2026


🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

@davsclaus davsclaus left a comment


Thank you for this substantial contribution — the A2A component is well-structured, follows Camel conventions, and has impressive test coverage. I have one blocking security finding and a few additional items.

Positive observations

  • Good security defaults: followRedirects=false, agent card loader blocks redirects, WebhookUrlValidator has SSRF protection with private IP/IPv6 checks
  • Comprehensive test coverage across operations, protocols, streaming, auth, and push notifications
  • Proper MojoHelper registration, SimpleFunctionDispatcher integration, secret = true annotations on sensitive params
  • No new external dependencies beyond Jackson (already managed by parent BOM)

General (non-inline) findings

  • Missing upgrade guide entry — per project conventions, new user-visible features should be documented in docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
  • Dead code — the private method executeStreamProcessing in A2AConsumer (line ~1077) appears unused and should be removed
  • CI — one CI check ("build") is currently failing; the three matrix builds pass, so this may be infrastructure, but worth confirming

Note: This review evaluates the PR against Apache Camel's project rules and conventions. It does not replace specialized review tools (CodeRabbit, Sourcery) or static analysis (SonarCloud).

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

@orpiske orpiske left a comment


LGTM ... one minor thing about an unused method, but other than that looks fine.

Thanks @luigidemasi !

@luigidemasi luigidemasi force-pushed the CAMEL-23063 branch 2 times, most recently from 5654a96 to 22e7873 Compare June 3, 2026 13:36
luigidemasi and others added 5 commits June 3, 2026 23:45
The curly brace path parameters ({taskId}, {configId}, {id}, {param}) were being interpreted as AsciiDoc attribute references by Antora, causing 15 build warnings. Escaped with backslash prefix.
  - Fix header filter to strip all Camel* headers (security, CVE-2025-27636 vector)
  - Use Camel ExecutorServiceManager for PushNotificationDispatcher threads
  - Fix openIdConnect preference logic in auth scheme sorting
  - Move filterInboundHeaders before header reads in handleListTasks
  - Remove unused executeStreamProcessing method
  - Change component label from "ai,a2a" to "ai,agent"
  - Add upgrade guide entry for 4.21
…nd producer

  Following the CXF DataFormat convention, the dataFormat parameter now
  controls the exchange body format on both sides. PAYLOAD (default)
  extracts text, POJO delivers full Java model objects, RAW passes
  JSON strings. Renamed the old MESSAGE value to RAW and changed the
  default from POJO to PAYLOAD for backward compatibility.
…/RAW)

Adds producer-level tests verifying the full HTTP pipeline delivers the
correct body type for each mode, and consumer-level tests verifying the
processor receives the right body (String, Message, or JSON) based on
the configured dataFormat. Includes regenerated catalog and endpoint DSL
files for the dataFormat enum rename (MESSAGE → RAW, default → PAYLOAD).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@luigidemasi luigidemasi force-pushed the CAMEL-23063 branch 2 times, most recently from 4fdc0a3 to f6d1fcf Compare June 3, 2026 22:19
…access

Enables route code to read fields from the cached agent card via Simple
expressions (e.g., ${a2a:card.name}, ${a2a:card.skills}). Resolves the
card from the exchange's fromEndpoint (consumer) or by scanning context
endpoints (producer). Supports all AgentCard fields including formatted
skills text and JSON serialization.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@davsclaus davsclaus left a comment


All findings from my previous CHANGES_REQUESTED review have been addressed:

  1. Security (was blocking) — filterInboundHeaders now strips all camel* headers case-insensitively, matching the project's security model for consumer header filtering.
  2. Header read ordering — filterInboundHeaders is called before reading untrusted headers (pageSize, contextId); httpPath is extracted before the filter in other handlers.
  3. ExecutorService — PushNotificationDispatcher now receives the executor via injection from getCamelContext().getExecutorServiceManager().newScheduledThreadPool(), properly shut down in doStop().
  4. Upgrade guide — entry added.
  5. Category/labels — fixed.

This review does not replace specialized AI review tools (CodeRabbit, Sourcery) or static analysis (SonarCloud).

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
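
The header-filtering behaviour described in the review above, as an added example (not code from the PR or from Apache Camel): a case-insensitive camel* prefix filter next to a case-sensitive one shown only for contrast, with the filter applied before an untrusted header is read. The class, method and parameter names, the default and maximum page sizes, and the sample header names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class InboundHeaderFilterExample {

    // Contrast case: exact-case prefix match only (hypothetical, not taken from the PR).
    static Map<String, Object> filterCaseSensitive(Map<String, Object> in) {
        Map<String, Object> out = new LinkedHashMap<>(in);
        out.keySet().removeIf(k -> k.startsWith("Camel") || k.startsWith("camel"));
        return out;
    }

    // Behaviour the review describes: drop every camel* header regardless of case.
    static Map<String, Object> filterCaseInsensitive(Map<String, Object> in) {
        Map<String, Object> out = new LinkedHashMap<>(in);
        out.keySet().removeIf(k -> k.toLowerCase(Locale.ROOT).startsWith("camel"));
        return out;
    }

    // Filter first, then read the untrusted value, so nothing is read from the raw map.
    // defaultSize and maxSize are assumed bounds for this example.
    static int readPageSize(Map<String, Object> rawHeaders, int defaultSize, int maxSize) {
        Map<String, Object> headers = filterCaseInsensitive(rawHeaders);
        Object v = headers.get("pageSize");
        if (v == null) {
            return defaultSize;
        }
        try {
            int n = Integer.parseInt(v.toString().trim());
            return (n < 1 || n > maxSize) ? defaultSize : n;
        } catch (NumberFormatException e) {
            return defaultSize;
        }
    }

    public static void main(String[] args) {
        // Constructed sample request headers; the Camel-prefixed names are made up.
        Map<String, Object> raw = new LinkedHashMap<>();
        raw.put("pageSize", "25");
        raw.put("contextId", "ctx-1");
        raw.put("CamelExampleInternal", "a");
        raw.put("cAmElExampleInternal", "b");
        raw.put("CAMELEXAMPLEINTERNAL", "c");

        System.out.println("case-sensitive keeps:   " + filterCaseSensitive(raw).keySet());
        System.out.println("case-insensitive keeps: " + filterCaseInsensitive(raw).keySet());
        System.out.println("pageSize = " + readPageSize(raw, 50, 100));
    }
}
```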

@gnodet gnodet left a comment


This PR adds the camel-a2a component implementing the Agent-to-Agent protocol — a significant new feature. The diff exceeds 20,000 lines, which is beyond what can be reviewed automatically via the GitHub API diff endpoint.

The CI checks all pass (build on JDK 17, 21, and 25), and the PR description is comprehensive — covering consumer/producer support, protocol bindings, streaming, authentication, task management, and type converters.

This PR requires manual review given its size and the scope of the new component (REST + JSON-RPC 2.0 bindings, SSE streaming, OAuth/OIDC auth, in-memory task store). I'd recommend reviewers focus on:

  • Security: authentication implementation and header filtering
  • Protocol correctness: JSON-RPC 2.0 compliance
  • Resource management: task store TTL and cleanup

Fully automatic review from Claude Code

@davsclaus


LGTM @luigidemasi it's a massive work, so when you think it's ready then go ahead and merge - we need it in 4.21 so we have both MCP and A2A

@davsclaus


Are we getting in shape for this to be included next week?

@luigidemasi

luigidemasi commented Jun 15, 2026


Are we getting in shape for this to be included next week?

@davsclaus yes, it is almost ready and I think we are in good shape for next week. Before marking it ready, I want to finish and incorporate the OAuth authentication support for HTTP consumers from CAMEL-23685 (#23866) and CAMEL-23723 (#23926), so A2A lands with the right auth path for 4.21.
I will update the PR later today.
