From 5ba6e243b501b11e798d9d1f9bbc71ea1fb6a01b Mon Sep 17 00:00:00 2001
From: Coco Sheng
Date: Thu, 15 Jan 2026 13:59:34 -0500
Subject: [PATCH] Restricting to localhost (#16548)

Co-authored-by: Adam Weidman
---
 packages/a2a-server/src/http/app.test.ts | 43 ++++++++++++++++++++++--
 packages/a2a-server/src/http/app.ts | 4 +--
 2 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/packages/a2a-server/src/http/app.test.ts b/packages/a2a-server/src/http/app.test.ts
index f427bdfe63..4eb6b522b2 100644
--- a/packages/a2a-server/src/http/app.test.ts
+++ b/packages/a2a-server/src/http/app.test.ts
@@ -14,7 +14,7 @@ import type {
 TaskStatusUpdateEvent,
 SendStreamingMessageSuccessResponse,
 } from '@a2a-js/sdk';
-import type express from 'express';
+import express from 'express';
 import type { Server } from 'node:http';
 import request from 'supertest';
 import {
@@ -27,7 +27,7 @@ import {
 it,
 vi,
 } from 'vitest';
-import { createApp } from './app.js';
+import { createApp, main } from './app.js';
 import { commandRegistry } from '../commands/command-registry.js';
 import {
 assertUniqueFinalEventIsLast,
@@ -1176,4 +1176,43 @@ describe('E2E Tests', () => {
 });
 });
 });
+
+ describe('main', () => {
+ it('should listen on localhost only', async () => {
+ const listenSpy = vi
+ .spyOn(express.application, 'listen')
+ .mockImplementation((...args: unknown[]) => {
+ // Trigger the callback passed to listen
+ const callback = args.find(
+ (arg): arg is () => void => typeof arg === 'function',
+ );
+ if (callback) {
+ callback();
+ }
+
+ return {
+ address: () => ({ port: 1234 }),
+ on: vi.fn(),
+ once: vi.fn(),
+ emit: vi.fn(),
+ } as unknown as Server;
+ });
+
+ // Avoid process.exit if possible, or mock it if main might fail
+ const exitSpy = vi
+ .spyOn(process, 'exit')
+ .mockImplementation(() => undefined as never);
+
+ await main();
+
+ expect(listenSpy).toHaveBeenCalledWith(
+ expect.any(Number),
+ 'localhost',
+ expect.any(Function),
+ );
+
+ listenSpy.mockRestore();
+ exitSpy.mockRestore();
+ });
+ });
 });
diff --git a/packages/a2a-server/src/http/app.ts b/packages/a2a-server/src/http/app.ts
index 8d7be4f7a1..4b5763f00b 100644
--- a/packages/a2a-server/src/http/app.ts
+++ b/packages/a2a-server/src/http/app.ts
@@ -326,9 +326,9 @@ export async function createApp() {
 export async function main() {
 try {
 const expressApp = await createApp();
- const port = process.env['CODER_AGENT_PORT'] || 0;
+ const port = Number(process.env['CODER_AGENT_PORT'] || 0);
 
- const server = expressApp.listen(port, () => {
+ const server = expressApp.listen(port, 'localhost', () => {
 const address = server.address();
 let actualPort;
 if (process.env['CODER_AGENT_PORT']) {
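Review bot: The two `mockRestore()` calls at the end of the `'should listen on localhost only'` test run only when `main()` resolves and the `expect` passes, so a failing run leaves `express.application.listen` and `process.exit` stubbed for whatever executes next in this file. Moving them into a `finally` block around `await main()` and the assertion, or into an `afterEach` that calls `vi.restoreAllMocks()`, keeps the stubs from leaking. Because `process.exit` is replaced with a no-op, an error path in `main()` that would normally terminate the process (presumably its `catch` branch, which is outside this patch) is swallowed here; adding `expect(exitSpy).not.toHaveBeenCalled();` would turn that into a test failure. The comment above `exitSpy` could say this directly, for example `// Stub process.exit so a failure inside main() cannot terminate the test runner`.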
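Review bot: The bind address in `expressApp.listen(port, 'localhost', ...)` is a hostname, so the interface that actually gets bound depends on how the host resolves `localhost` (it can come back as `127.0.0.1` or `::1` depending on resolver order and the hosts file), and a client using the other address family will be refused. A literal loopback address makes the restriction independent of name resolution: `const server = expressApp.listen(port, '127.0.0.1', () => {`, with the `'localhost'` expectation in the new test updated to match. Loopback binding also does not stop a browser on the same machine from reaching the port, so it is worth confirming that `createApp()` validates the `Host`/`Origin` headers or requires a credential; that code is not visible in this hunk. Separately, `Number(process.env['CODER_AGENT_PORT'] || 0)` yields `NaN` for a non-numeric value, and an explicit range check with a clear error before `listen` would be easier to diagnose than whatever `listen` does with it. The body of `main()` continues past the end of the hunk.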