RubyGems - tep - Versions diffs - 0.11.0 - Mend

tep 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (193) hide show

checksums.yaml +7 -0
data/LICENSE +21 -0
data/Makefile +134 -0
data/README.md +247 -0
data/SINATRA_COMPAT.md +376 -0
data/bin/tep +2156 -0
data/examples/agentic_chat/README.md +103 -0
data/examples/agentic_chat/app.rb +310 -0
data/examples/api_gateway/README.md +49 -0
data/examples/api_gateway/app.rb +66 -0
data/examples/blog/app.rb +367 -0
data/examples/blog/views/index.erb +36 -0
data/examples/blog/views/login.erb +28 -0
data/examples/blog/views/new_post.erb +25 -0
data/examples/blog/views/show.erb +16 -0
data/examples/chat/app.rb +278 -0
data/examples/chat/assets/logo.svg +13 -0
data/examples/chat/assets/style.css +209 -0
data/examples/chat/views/index.erb +142 -0
data/examples/chatbot/README.md +111 -0
data/examples/chatbot/app.rb +1024 -0
data/examples/chatbot/assets/chat.js +249 -0
data/examples/chatbot/assets/compare.js +93 -0
data/examples/chatbot/assets/markdown.js +84 -0
data/examples/chatbot/assets/style.css +215 -0
data/examples/chatbot/schema.sql +25 -0
data/examples/chatbot/views/compare.erb +43 -0
data/examples/chatbot/views/index.erb +42 -0
data/examples/chatbot/views/login.erb +22 -0
data/examples/chatbot/views/setup.erb +23 -0
data/examples/counter/README.md +68 -0
data/examples/counter/app.rb +85 -0
data/examples/experiments/AGENTS.md +91 -0
data/examples/experiments/README.md +99 -0
data/examples/experiments/app.rb +225 -0
data/examples/geohash/Gemfile +11 -0
data/examples/geohash/Gemfile.lock +17 -0
data/examples/geohash/README.md +58 -0
data/examples/geohash/app.rb +33 -0
data/examples/hello.rb +120 -0
data/examples/llm_gateway/README.md +73 -0
data/examples/llm_gateway/app.rb +91 -0
data/examples/maidenhead/Gemfile +7 -0
data/examples/maidenhead/Gemfile.lock +17 -0
data/examples/maidenhead/README.md +47 -0
data/examples/maidenhead/app.rb +46 -0
data/examples/pg_hello.rb +76 -0
data/examples/qdrant/Gemfile +11 -0
data/examples/qdrant/Gemfile.lock +29 -0
data/examples/qdrant/README.md +54 -0
data/examples/sinatra_style.rb +32 -0
data/examples/websocket_echo.rb +37 -0
data/lib/tep/agent_delegation.rb +35 -0
data/lib/tep/app.rb +291 -0
data/lib/tep/assets.rb +52 -0
data/lib/tep/auth.rb +78 -0
data/lib/tep/auth_bearer_token.rb +126 -0
data/lib/tep/auth_oauth2.rb +189 -0
data/lib/tep/auth_oauth2_client.rb +29 -0
data/lib/tep/auth_oauth2_code.rb +40 -0
data/lib/tep/auth_session_cookie.rb +132 -0
data/lib/tep/broadcast.rb +265 -0
data/lib/tep/broadcast_subscription.rb +42 -0
data/lib/tep/cache.rb +49 -0
data/lib/tep/events.rb +257 -0
data/lib/tep/filter.rb +21 -0
data/lib/tep/handler.rb +35 -0
data/lib/tep/http.rb +599 -0
data/lib/tep/identity.rb +67 -0
data/lib/tep/job.rb +186 -0
data/lib/tep/json.rb +572 -0
data/lib/tep/jwt.rb +126 -0
data/lib/tep/live_view.rb +219 -0
data/lib/tep/llm.rb +505 -0
data/lib/tep/logger.rb +85 -0
data/lib/tep/mcp.rb +203 -0
data/lib/tep/multipart.rb +98 -0
data/lib/tep/net.rb +155 -0
data/lib/tep/openai_server.rb +725 -0
data/lib/tep/parallel.rb +168 -0
data/lib/tep/parser.rb +81 -0
data/lib/tep/password.rb +102 -0
data/lib/tep/pg.rb +1128 -0
data/lib/tep/presence.rb +589 -0
data/lib/tep/presence_entry.rb +52 -0
data/lib/tep/proxy.rb +801 -0
data/lib/tep/request.rb +194 -0
data/lib/tep/response.rb +134 -0
data/lib/tep/router.rb +137 -0
data/lib/tep/scheduler.rb +342 -0
data/lib/tep/security.rb +140 -0
data/lib/tep/server.rb +276 -0
data/lib/tep/server_scheduled.rb +375 -0
data/lib/tep/session.rb +98 -0
data/lib/tep/shell.rb +62 -0
data/lib/tep/sphttp.c +858 -0
data/lib/tep/sqlite.rb +215 -0
data/lib/tep/streamer.rb +31 -0
data/lib/tep/tep_pg.c +769 -0
data/lib/tep/tep_sqlite.c +320 -0
data/lib/tep/url.rb +161 -0
data/lib/tep/version.rb +3 -0
data/lib/tep/websocket/connection.rb +171 -0
data/lib/tep/websocket/driver.rb +169 -0
data/lib/tep/websocket/frame.rb +238 -0
data/lib/tep/websocket/handshake.rb +159 -0
data/lib/tep/websocket.rb +68 -0
data/lib/tep.rb +981 -0
data/public/hello.txt +1 -0
data/public/style.css +4 -0
data/spinel-ext.json +33 -0
data/test/helper.rb +248 -0
data/test/real_world/01_simple.rb +5 -0
data/test/real_world/02_lifecycle.rb +20 -0
data/test/real_world/03_chat.rb +75 -0
data/test/real_world/04_health_api.rb +25 -0
data/test/real_world/05_todo_api.rb +57 -0
data/test/real_world/06_basic_auth.rb +25 -0
data/test/real_world/07_bbc_rest_api.rb +228 -0
data/test/real_world/07_sklise_things.rb +109 -0
data/test/real_world/08_jwd83_helloworld.rb +56 -0
data/test/run_all.rb +7 -0
data/test/run_parallel.rb +89 -0
data/test/spinel_scheduled_burst_segv_repro.rb +33 -0
data/test/test_api_gateway.rb +76 -0
data/test/test_auth.rb +223 -0
data/test/test_auth_oauth2.rb +208 -0
data/test/test_auth_session_cookie.rb +198 -0
data/test/test_broadcast.rb +197 -0
data/test/test_broadcast_pg.rb +135 -0
data/test/test_cache.rb +98 -0
data/test/test_cache_static.rb +48 -0
data/test/test_cookies.rb +52 -0
data/test/test_erb.rb +53 -0
data/test/test_erb_ivars.rb +58 -0
data/test/test_events.rb +114 -0
data/test/test_filters.rb +41 -0
data/test/test_geohash_example.rb +89 -0
data/test/test_http.rb +137 -0
data/test/test_http_pool.rb +122 -0
data/test/test_http_pool_send.rb +57 -0
data/test/test_identity.rb +165 -0
data/test/test_inbound_tls.rb +101 -0
data/test/test_inbound_tls_scheduled.rb +101 -0
data/test/test_job.rb +108 -0
data/test/test_json.rb +168 -0
data/test/test_jwt.rb +143 -0
data/test/test_live_view.rb +324 -0
data/test/test_llm.rb +250 -0
data/test/test_llm_gateway.rb +95 -0
data/test/test_logger.rb +101 -0
data/test/test_maidenhead_example.rb +86 -0
data/test/test_mcp.rb +264 -0
data/test/test_misc_v02.rb +54 -0
data/test/test_modular.rb +43 -0
data/test/test_multi_filters.rb +40 -0
data/test/test_mustache.rb +57 -0
data/test/test_openai_server.rb +598 -0
data/test/test_optional_segments.rb +45 -0
data/test/test_parallel.rb +102 -0
data/test/test_params.rb +99 -0
data/test/test_pass.rb +42 -0
data/test/test_password.rb +101 -0
data/test/test_pg.rb +673 -0
data/test/test_presence.rb +374 -0
data/test/test_presence_pg.rb +309 -0
data/test/test_proxy.rb +556 -0
data/test/test_proxy_dsl.rb +119 -0
data/test/test_proxy_streaming.rb +146 -0
data/test/test_real_world.rb +397 -0
data/test/test_regex_routes.rb +52 -0
data/test/test_request_methods.rb +102 -0
data/test/test_response.rb +123 -0
data/test/test_routing.rb +109 -0
data/test/test_scheduler.rb +153 -0
data/test/test_security.rb +72 -0
data/test/test_server_scheduled.rb +56 -0
data/test/test_sessions.rb +59 -0
data/test/test_shell.rb +54 -0
data/test/test_sqlite.rb +148 -0
data/test/test_sqlite_cached.rb +171 -0
data/test/test_static.rb +57 -0
data/test/test_streaming.rb +96 -0
data/test/test_unsupported.rb +32 -0
data/test/test_websocket.rb +152 -0
data/test/test_websocket_echo.rb +138 -0
data/test/views/greet.erb +5 -0
data/test/views/hello.erb +5 -0
data/test/views/list.erb +5 -0
data/test/views/m_ivars.mustache +3 -0
data/test/views/m_simple.mustache +4 -0
data/test/views/mixed.erb +3 -0
metadata +264 -0

data/examples/agentic_chat/README.md ADDED Viewed

@@ -0,0 +1,103 @@
+# agentic chat -- the four-battery demo
+A small chat room exercising every battery in tep's agentic
+story: identity, broadcast, presence, server-rendered HTML
+pushed over WebSocket.
+```
+┌───────────────────────────────────────────────────────────┐
+│  agentic chat                      you are user:uXsC2g    │
+├──────────────────────────────────────┬────────────────────┤
+│  user:42  hi                         │  HUMANS (2)        │
+│  user:99  hello                      │  • user:42         │
+│  agent:summarizer-bot/user:42        │  • user:99         │
+│           i'm here -- watching for   │                    │
+│           things to summarize.       │  AGENTS (1)        │
+│                                      │  • user:42         │
+│  [ type message      ]        [send] │      via summari…  │
+│                                      │      busy:         │
+│  [+ summarizer]                      │      summarizing   │
+└──────────────────────────────────────┴────────────────────┘
+```
+## Run
+```sh
+bin/tep build examples/agentic_chat/app.rb -o /tmp/agentic_chat
+/tmp/agentic_chat -p 4567
+# open http://127.0.0.1:4567/ in two browsers
+```
+Every chat message + agent spawn arrives in the other tab in
+<100ms via a WebSocket push. No polling, no full-page reload --
+the server re-renders the `#messages` + `#presence` regions on
+every change and broadcasts both to all subscribed sockets.
+Click **+ summarizer** to invite a synthetic agent into the
+room -- it appears in the presence sidebar with `kind=agent_for`,
+shares the inviter's `principal_id`, and posts an arrival
+message.
+## What's wired
+| Battery | What it does here |
+|---|---|
+| `Tep::Auth` (`Tep::AuthSessionCookie`) | Every visitor's first request auto-creates an `identity` cookie. Subsequent requests land with `req.identity` populated; `req.identity.subject` is rendered in the header + drives presence rows. |
+| `Tep::AuthOAuth2`-style delegation | The `+ summarizer` route constructs a `Tep::AgentDelegation` + `Tep::Identity` with `kind=:agent_for, origin=:oauth_grant` -- same shape an external bot would receive over the real OAuth flow. |
+| `Tep::Broadcast` | Every `POST /chat/send` and `POST /agent/add` calls `publish_room`, which builds the updated `#messages` + `#presence` HTML once and publishes a single TEXT frame to every WS subscriber via `Tep::Broadcast.publish`. |
+| `Tep::Presence` | Humans tracked on every `GET /chat` (one row per principal_id). Agents tracked on `+ summarizer` with `status_state=:busy, status_note="summarizing the room"`. Sidebar renders both groups with the agentic kind + status. |
+| `Tep::LiveView` | `CHAT.render` + `render_presence` are the live-view content targets. The WS push delivers the new HTML; client-side JS does `outerHTML = ...` on both regions in place. The same render functions run for the initial page load and for every push -- no special template-vs-push divergence. |
+## Wire shape
+```
+client                          server
+   |  GET  /chat                   |
+   |<------------------------------|  full page (HTML + JS)
+   |                               |
+   |  GET  /chat/ws (Upgrade)      |
+   |------------------------------>|  websocket "/chat/ws" do |ws|
+   |<------------------------------|    on_open -> subscribe_ws
+   |     101 Switching             |
+   |                               |
+   |  POST /chat/send {body:"hi"}  |
+   |------------------------------>|  CHAT.add + publish_room
+   |<------------------------------|  204 No Content
+   |                               |
+   |<------------------------------|  WS TEXT frame:
+   |   "<<TEP>><div id='messages'> |   "<<TEP>>{messages}
+   |     ...<<TEP>><aside id='     |    <<TEP>>{presence}"
+   |     presence'>..."            |
+   |                               |
+   |   JS: e.data.split('<<TEP>>') |
+   |       -> swap each outerHTML  |
+```
+`<<TEP>>` is a sentinel separator (ASCII, unlikely to appear in
+user text). The server packs both regions into one frame so
+subscribers see them update atomically.
+## Code size
+| File | LOC |
+|---|---|
+| `app.rb` | ~270 (incl. CSS + JS inline) |
+| `README.md` | this file |
+No CSS framework, no JS bundler, no DB.
+## What this demo does NOT show
+- **Cross-worker presence/broadcast.** Single worker. Both
+  `Tep::Broadcast.enable_pg_backend` and
+  `Tep::Presence.enable_pg_mirror` would make this multi-
+  worker; left out for demo simplicity.
+- **Real bot in a separate process.** The "+ summarizer"
+  button adds a synthetic presence row + posts one message
+  in the same process. A real bot would open its own WS with
+  the JWT minted by `Tep::AuthOAuth2.exchange_code` and chat
+  alongside the humans -- the framework surface is identical.
+- **Per-subscriber rendering.** Every WS subscriber gets the
+  same HTML payload. Personalized views (e.g. mention
+  highlights for the current user) would need either per-fd
+  render filters or a client-side template that consumes a
+  structured payload instead of HTML.

data/examples/agentic_chat/app.rb ADDED Viewed

@@ -0,0 +1,310 @@
+# Agentic chat -- the four-battery demo, now WS-driven.
+#
+# Exercises all four batteries in tep's agentic story:
+#   * Tep::Auth (session-cookie identity)
+#   * Tep::Broadcast (in-process pub-sub over WS)
+#   * Tep::Presence (who's here, agent-aware, with structured status)
+#   * Tep::LiveView (server-rendered HTML pushed over WS on change)
+#
+# Run:
+#   bin/tep build examples/agentic_chat/app.rb -o /tmp/agentic_chat
+#   /tmp/agentic_chat -p 4567
+# Open http://127.0.0.1:4567/ in two browsers; each message + agent
+# spawn lands in <100ms via WS push, no polling, no reloads.
+require 'sinatra'
+set :scheduler, :scheduled
+Tep.session_secret = "demo-only-do-not-use-in-prod-XXXXXXXXXX"
+Tep::Auth.install!
+CHAT_TOPIC = "agentic_chat:room"
+# Sentinel for the WS payload's two-region split. ASCII-only,
+# unlikely to appear in any user-typed message.
+TEP_SEP = "<<TEP>>"
+# ---- shared chat state ----
+class ChatRoom
+  def initialize
+    @msg_subjects = [""]
+    @msg_subjects.delete_at(0)
+    @msg_bodies = [""]
+    @msg_bodies.delete_at(0)
+    @msg_kinds = [""]
+    @msg_kinds.delete_at(0)
+  end
+  def add(subject, body, kind)
+    @msg_subjects.push(subject)
+    @msg_bodies.push(body)
+    @msg_kinds.push(kind)
+    while @msg_subjects.length > 50
+      @msg_subjects.delete_at(0)
+      @msg_bodies.delete_at(0)
+      @msg_kinds.delete_at(0)
+    end
+    0
+  end
+  def render
+    out = "<div id='messages'>"
+    if @msg_subjects.length == 0
+      out = out + "<div class='msg empty'>" +
+        "<em>no messages yet. say hi using the form below.</em></div>"
+    end
+    i = 0
+    while i < @msg_subjects.length
+      out = out + "<div class='msg " + @msg_kinds[i] + "'>" +
+        "<span class='who'>" + Tep.h(@msg_subjects[i]) + "</span>" +
+        "<span class='body'>" + Tep.h(@msg_bodies[i]) + "</span>" +
+        "</div>"
+      i += 1
+    end
+    out + "</div>"
+  end
+end
+CHAT = ChatRoom.new
+# ---- synthetic agent state ----
+AGENT_FD_COUNTER = [-9000]
+def next_agent_fd
+  AGENT_FD_COUNTER[0] = AGENT_FD_COUNTER[0] - 1
+  AGENT_FD_COUNTER[0]
+end
+def spawn_agent(principal_id)
+  fd = next_agent_fd
+  agent_req = Tep::Request.new
+  delegation = Tep::AgentDelegation.new(
+    "summarizer-bot", Time.now.to_i,
+    Time.now.to_i + 3600, :oauth_grant)
+  agent_req.identity = Tep::Identity.new(
+    principal_id, delegation, [:read, :post_summary])
+  Tep::Presence.track(agent_req, CHAT_TOPIC, fd)
+  Tep::Presence.set_status(
+    CHAT_TOPIC, fd, :busy, "summarizing the room",
+    Time.now.to_i + 60)
+  CHAT.add(
+    "agent:summarizer-bot/" + principal_id,
+    "i'm here -- watching for things to summarize.", "agent")
+  fd
+end
+# ---- presence sidebar ----
+def render_presence
+  entries = Tep::Presence.list(CHAT_TOPIC)
+  humans = ""
+  agents = ""
+  hcount = 0
+  acount = 0
+  i = 0
+  while i < entries.length
+    e = entries[i]
+    row = "<div class='pres-row " + e.kind.to_s + " " +
+      e.status_state.to_s + "'>" +
+      "<span class='dot'></span>" +
+      "<span class='who'>" + Tep.h(e.principal_id) + "</span>"
+    if e.kind == :agent_for
+      row = row + "<span class='agent-of'>via " +
+        Tep.h(e.agent_id) + "</span>"
+    end
+    if e.status_state != :available
+      row = row + "<div class='note'>" + e.status_state.to_s +
+        ": " + Tep.h(e.status_note) + "</div>"
+    end
+    row = row + "</div>"
+    if e.kind == :human
+      humans = humans + row
+      hcount += 1
+    else
+      agents = agents + row
+      acount += 1
+    end
+    i += 1
+  end
+  "<aside id='presence'>" +
+    "<h3>humans (" + hcount.to_s + ")</h3>" +
+    "<div class='group humans'>" + humans + "</div>" +
+    "<h3>agents (" + acount.to_s + ")</h3>" +
+    "<div class='group agents'>" + agents + "</div>" +
+  "</aside>"
+end
+# Broadcast both regions in one frame. Subscribers' JS splits on
+# TEP_SEP and swaps each outerHTML in place -- no full reload.
+def publish_room
+  payload = TEP_SEP + CHAT.render + TEP_SEP + render_presence
+  Tep::Broadcast.publish(CHAT_TOPIC, payload)
+  0
+end
+# ---- routes ----
+before do
+  if req.session.get("identity_sub").length == 0
+    pid = Crypto.sp_crypto_random_b64url(4)
+    ident = Tep::Identity.new(pid, nil, [:read, :write])
+    Tep::AuthSessionCookie.set(req, ident, 0)
+    req.identity = ident
+  end
+end
+get '/' do
+  res.set_status(302)
+  res.headers["Location"] = "/chat"
+  ""
+end
+get '/chat' do
+  res.headers["Content-Type"] = "text/html; charset=utf-8"
+  # Presence tracking happens at WS upgrade (see the websocket
+  # block below) -- gives a true "currently connected" view with
+  # auto-cleanup on close instead of synthesizing a per-principal
+  # fd at page-render time.
+  user_subject = req.identity.subject
+  "<!doctype html><html><head>" +
+    "<meta charset='utf-8'>" +
+    "<title>agentic chat (tep)</title>" +
+    "<link rel='stylesheet' href='/agentic_chat/style.css'>" +
+    "</head><body>" +
+    "<header>" +
+      "<span class='title'>agentic chat</span>" +
+      "<span class='user'>you are <code>" +
+        Tep.h(user_subject) + "</code></span>" +
+    "</header>" +
+    "<main>" +
+      "<section id='room'>" +
+        CHAT.render +
+        "<form id='compose' onsubmit='return tepSend(event)' method='POST' action='/chat/send'>" +
+          "<input name='body' placeholder='message...' autocomplete='off' autofocus>" +
+          "<button type='submit'>send</button>" +
+        "</form>" +
+        "<form id='agent-form' onsubmit='return tepSend(event)' method='POST' action='/agent/add'>" +
+          "<button type='submit'>+ summarizer</button>" +
+        "</form>" +
+      "</section>" +
+      render_presence +
+    "</main>" +
+    "<script>" + agentic_chat_js + "</script>" +
+    "</body></html>"
+end
+post '/chat/send' do
+  body = req.params["body"]
+  if body.length > 0
+    CHAT.add(req.identity.subject, body, "human")
+    publish_room
+  end
+  res.set_status(204)
+  ""
+end
+post '/agent/add' do
+  pid = req.identity.principal_id + ""
+  spawn_agent(pid)
+  publish_room
+  res.set_status(204)
+  ""
+end
+get '/agentic_chat/style.css' do
+  res.headers["Content-Type"] = "text/css"
+  agentic_chat_css
+end
+websocket "/chat/ws" do |ws|
+  on_open do |evt|
+    # req is the upgrade-time request, so req.identity is the
+    # session-cookie identity of whoever opened the socket.
+    Tep::Broadcast.subscribe_ws(CHAT_TOPIC, ws.fd)
+    Tep::Presence.track(req, CHAT_TOPIC, ws.fd)
+    publish_room
+  end
+  # No explicit on_close needed -- Tep::WebSocket::Connection auto-
+  # drops every Broadcast subscription AND Presence row keyed on
+  # the closed fd. Apps that want to do additional work on close
+  # (logging, custom cleanup) still register on_close blocks
+  # normally.
+end
+# ---- inline assets ----
+def agentic_chat_js
+  "var __tepSep = '" + TEP_SEP + "';" +
+  "var __tepWs = new WebSocket((location.protocol==='https:'?'wss://':'ws://')+location.host+'/chat/ws');" +
+  "__tepWs.onmessage = function(e){" +
+    "var parts = e.data.split(__tepSep);" +
+    "if (parts[1]) {" +
+      "var m = document.getElementById('messages');" +
+      "if (m) m.outerHTML = parts[1];" +
+    "}" +
+    "if (parts[2]) {" +
+      "var p = document.getElementById('presence');" +
+      "if (p) p.outerHTML = parts[2];" +
+    "}" +
+  "};" +
+  "function tepSend(ev){" +
+    "ev.preventDefault();" +
+    "var f = ev.target;" +
+    "fetch(f.action, {method:f.method, body:new FormData(f)});" +
+    "var inp = f.querySelector('input[name=body]');" +
+    "if (inp) inp.value='';" +
+    "return false;" +
+  "}"
+end
+def agentic_chat_css
+  "*{box-sizing:border-box}" +
+  "body{margin:0;font:14px/1.4 system-ui,-apple-system,Segoe UI,Roboto,sans-serif;" +
+    "background:#f6f7f9;color:#1a1a1a}" +
+  "header{display:flex;justify-content:space-between;align-items:center;" +
+    "padding:.6rem 1rem;background:#1a1a1a;color:#f6f7f9}" +
+  "header .title{font-weight:600}" +
+  "header .user code{background:#2a2a2a;padding:.15em .4em;border-radius:3px;" +
+    "font-size:.85em;color:#cde}" +
+  "main{display:grid;grid-template-columns:1fr 260px;height:calc(100vh - 44px)}" +
+  "#room{display:flex;flex-direction:column;background:#fff}" +
+  "#messages{flex:1;overflow-y:auto;padding:1rem;display:flex;" +
+    "flex-direction:column;gap:.4rem}" +
+  ".msg{display:flex;gap:.6rem;padding:.3rem .5rem;border-radius:4px}" +
+  ".msg.empty{justify-content:center;color:#888}" +
+  ".msg .who{color:#666;font-size:.85em;min-width:11rem;text-align:right;" +
+    "flex-shrink:0;font-family:ui-monospace,monospace}" +
+  ".msg .body{flex:1}" +
+  ".msg.agent{background:#fef8eb}" +
+  ".msg.agent .who{color:#a07412}" +
+  "#compose{display:flex;gap:.5rem;padding:.7rem;border-top:1px solid #e8e9eb;" +
+    "background:#fafbfc}" +
+  "#compose input{flex:1;padding:.5rem .7rem;border:1px solid #d0d3d8;" +
+    "border-radius:4px;font:inherit;background:#fff}" +
+  "#compose input:focus{outline:none;border-color:#3b82f6}" +
+  "#compose button{padding:.5rem .9rem;border:1px solid #d0d3d8;background:#1a1a1a;" +
+    "color:#fff;border-color:#1a1a1a;border-radius:4px;font:inherit;cursor:pointer}" +
+  "#compose button:hover{background:#000}" +
+  "#agent-form{padding:.5rem .7rem;background:#fafbfc;border-top:1px solid #e8e9eb}" +
+  "#agent-form button{padding:.4rem .8rem;border:1px solid #d0d3d8;background:#fff;" +
+    "border-radius:4px;font:inherit;cursor:pointer}" +
+  "#agent-form button:hover{background:#f0f1f3}" +
+  "#presence{background:#fafbfc;border-left:1px solid #e8e9eb;padding:1rem;" +
+    "overflow-y:auto}" +
+  "#presence h3{margin:0 0 .5rem;font-size:.7em;text-transform:uppercase;" +
+    "letter-spacing:.08em;color:#888;font-weight:600}" +
+  "#presence .group{margin-bottom:1.5rem;display:flex;flex-direction:column;gap:.4rem}" +
+  ".pres-row{display:flex;align-items:center;gap:.5rem;font-size:.9em;flex-wrap:wrap}" +
+  ".pres-row .dot{width:.6rem;height:.6rem;border-radius:50%;background:#22c55e;" +
+    "flex-shrink:0}" +
+  ".pres-row.busy .dot{background:#eab308}" +
+  ".pres-row.blocked .dot{background:#ef4444}" +
+  ".pres-row .who{font-family:ui-monospace,monospace;font-size:.85em;color:#1a1a1a}" +
+  ".pres-row.agent_for .who{color:#a07412}" +
+  ".pres-row .agent-of{font-size:.75em;color:#888;font-family:ui-monospace,monospace}" +
+  ".pres-row .note{width:100%;padding-left:1.1rem;font-size:.8em;color:#888;" +
+    "font-style:italic}"
+end

data/examples/api_gateway/README.md ADDED Viewed

@@ -0,0 +1,49 @@
+# api_gateway — a capability-gated API gateway on `Tep::Proxy`
+The non-streaming sibling of [`examples/llm_gateway`](../llm_gateway).
+Fronts an upstream HTTP API on the buffered (6.1) proxy path and adds
+the three jobs of a gateway in ~30 lines:
+1. **Authorization** — `before` short-circuits with `403` unless
+   `req.identity.may?(:call_upstream)`. The upstream is never hit for
+   a denied request.
+2. **Credential swap** — for an authorized request, strip the
+   client's key and attach the server-side one (`ureq.set_header`).
+3. **Observability** — `after` logs the call and stamps
+   `X-Proxy-Status` / `X-Proxy-Upstream` on the response — **including
+   for rejected requests** (`after` runs on the short-circuit path
+   too, so the audit log sees denials).
+Uses the **block-form proxy DSL** (`api.before do … end`), which
+`bin/tep` lowers to a `Tep::Proxy` subclass.
+## Run
+```sh
+UPSTREAM=https://api.example.com \
+UPSTREAM_KEY=secret \
+GATEWAY_KEY=let-me-in \
+  bin/tep build examples/api_gateway/app.rb -o /tmp/ag && /tmp/ag -p 4567
+curl -i localhost:4567/v1/data                          # 403, missing capability
+curl -i localhost:4567/v1/data -H 'x-api-key: let-me-in'  # forwarded with upstream key
+```
+Both responses carry `X-Proxy-Status` / `X-Proxy-Upstream`.
+## Notes
+- The `before do … end` filter granting `:call_upstream` on the
+  gateway key is a **stand-in** for the Auth battery — a real app
+  installs `Tep::Auth` (bearer JWT / session / OAuth2), which
+  populates `req.identity` the same way, so the `may?` gate is
+  unchanged.
+- One `Tep::Proxy` instance serves many routes; mount whatever paths
+  you proxy.
+- Non-streaming (buffered) — for SSE/streaming upstreams + per-request
+  telemetry, see `examples/llm_gateway`.
+## See also
+- [`docs/PROXY-BATTERY.md`](../../docs/PROXY-BATTERY.md) — the battery.
+- [`examples/llm_gateway`](../llm_gateway) — the streaming half of 6.3.

data/examples/api_gateway/app.rb ADDED Viewed

@@ -0,0 +1,66 @@
+# examples/api_gateway -- a capability-gated API gateway on Tep::Proxy.
+#
+# The non-streaming sibling of examples/llm_gateway. Fronts an upstream
+# HTTP API and adds the three things a gateway exists for, on the
+# buffered (6.1) proxy path:
+#
+#   1. Authorization  -- gate on req.identity.may?(:call_upstream);
+#                        reject (403) before the upstream is ever hit.
+#   2. Credential swap -- strip the client's key, attach the server's.
+#   3. Observability   -- log + stamp X-Proxy-* headers on the way out,
+#                         including for rejected requests (audit).
+#
+# Run:
+#   UPSTREAM=https://api.example.com UPSTREAM_KEY=secret \
+#   GATEWAY_KEY=let-me-in \
+#     bin/tep build examples/api_gateway/app.rb -o /tmp/ag && /tmp/ag -p 4567
+#
+#   curl -i localhost:4567/v1/data                       # 403 (no key)
+#   curl -i localhost:4567/v1/data -H 'x-api-key: let-me-in'   # forwarded
+require 'sinatra'
+UPSTREAM     = ENV["UPSTREAM"]     || "http://127.0.0.1:8080"
+UPSTREAM_KEY = ENV["UPSTREAM_KEY"] || ""
+GATEWAY_KEY  = ENV["GATEWAY_KEY"]  || "let-me-in"
+LOGGER       = Tep::Logger.new   # stderr; .to_file(path) to redirect
+# Stand-in for the Auth battery: grant :call_upstream to callers
+# presenting the gateway key. A real app installs Tep::Auth (bearer
+# JWT / session / OAuth2), which populates req.identity the same way.
+before do
+  if req.req_headers["x-api-key"] == GATEWAY_KEY
+    req.identity = Tep::Identity.new("client:demo", nil, [:call_upstream])
+  end
+end
+api = Tep::Proxy.new(UPSTREAM)
+# Capability gate + credential swap. Returning true short-circuits --
+# the upstream is never called; res (set here) goes straight back.
+api.before do |req, res, ureq|
+  if !req.identity.may?(:call_upstream)
+    res.set_status(403)
+    res.set_body("{\"error\":\"missing capability: call_upstream\"}")
+    true
+  else
+    if UPSTREAM_KEY.length > 0
+      ureq.set_header("Authorization", "Bearer " + UPSTREAM_KEY)
+    end
+    false
+  end
+end
+# Observability. Runs on the forwarded path AND the short-circuit path
+# (ures.status is 0 when before_forward rejected) -- so the audit log
+# sees denied requests too.
+api.after do |req, ures, res|
+  res.headers["X-Proxy-Status"]   = ures.status.to_s
+  res.headers["X-Proxy-Upstream"] = UPSTREAM
+  LOGGER.info("[api_gateway] " + req.verb + " " + req.raw_path +
+              " -> " + ures.status.to_s)
+  0
+end
+# Mount whatever paths you proxy (one instance serves many).
+Tep.get  "/v1/data",   api
+Tep.post "/v1/submit", api