tripwire-server 0.1.1 → 0.3.0

data/lib/tripwire/server/gate_delivery.rb

@@ -0,0 +1,298 @@
+require "base64"
+require "digest"
+require "json"
+require "openssl"
+
+module Tripwire
+  module Server
+    module GateDelivery
+      GATE_DELIVERY_VERSION = 1
+      GATE_DELIVERY_ALGORITHM = "x25519-hkdf-sha256/aes-256-gcm"
+      GATE_AGENT_TOKEN_ENV_SUFFIX = "_GATE_AGENT_TOKEN"
+      BLOCKED_GATE_ENV_VAR_KEYS = %w[
+        BASH_ENV
+        BROWSER
+        CDPATH
+        DYLD_INSERT_LIBRARIES
+        DYLD_LIBRARY_PATH
+        EDITOR
+        ENV
+        GIT_ASKPASS
+        GIT_SSH_COMMAND
+        HOME
+        LD_LIBRARY_PATH
+        LD_PRELOAD
+        NODE_OPTIONS
+        NODE_PATH
+        PATH
+        PERL5OPT
+        PERLLIB
+        PROMPT_COMMAND
+        PYTHONHOME
+        PYTHONPATH
+        PYTHONSTARTUP
+        RUBYLIB
+        RUBYOPT
+        SHELLOPTS
+        SSH_ASKPASS
+        VISUAL
+        XDG_CONFIG_HOME
+      ].freeze
+      BLOCKED_GATE_ENV_VAR_PREFIXES = %w[NPM_CONFIG_ BUN_CONFIG_ GIT_CONFIG_].freeze
+      GATE_DELIVERY_HKDF_INFO = "tripwire-gate-delivery:v1".b.freeze
+      X25519_SPKI_PREFIX = ["302a300506032b656e032100"].pack("H*").freeze
+
+      module_function
+
+      def derive_gate_agent_token_env_key(service_id)
+        normalized = service_id.to_s.strip.gsub(/[^A-Za-z0-9]+/, "_").gsub(/^_+|_+$/, "").gsub(/_+/, "_").upcase
+        raise ArgumentError, "service_id is required to derive a Gate agent token env key" if normalized.empty?
+
+        "#{normalized}#{GATE_AGENT_TOKEN_ENV_SUFFIX}"
+      end
+
+      def is_gate_managed_env_var_key(key)
+        key == "TRIPWIRE_AGENT_TOKEN" || key.to_s.end_with?(GATE_AGENT_TOKEN_ENV_SUFFIX)
+      end
+
+      def is_blocked_gate_env_var_key(key)
+        normalized = key.to_s.strip.upcase
+        BLOCKED_GATE_ENV_VAR_KEYS.include?(normalized) || BLOCKED_GATE_ENV_VAR_PREFIXES.any? { |prefix| normalized.start_with?(prefix) }
+      end
+
+      def raw_x25519_public_key_from_key_object(public_key)
+        der = public_key.public_to_der
+        raise ArgumentError, "Unexpected X25519 public key encoding" unless der.bytesize == X25519_SPKI_PREFIX.bytesize + 32
+        raise ArgumentError, "Unexpected X25519 public key prefix" unless der.byteslice(0, X25519_SPKI_PREFIX.bytesize) == X25519_SPKI_PREFIX
+
+        der.byteslice(X25519_SPKI_PREFIX.bytesize, 32)
+      end
+
+      def key_id_for_raw_x25519_public_key(raw_public_key)
+        raise ArgumentError, "X25519 public key must be 32 bytes" unless raw_public_key.bytesize == 32
+
+        Base64.urlsafe_encode64(Digest::SHA256.digest(raw_public_key), padding: false)
+      end
+
+      def create_delivery_key_pair
+        CryptoSupport.ensure_supported_runtime!
+        private_key = OpenSSL::PKey.generate_key("X25519")
+        raw_public_key = raw_x25519_public_key_from_key_object(private_key.public_key)
+        {
+          delivery: {
+            version: GATE_DELIVERY_VERSION,
+            algorithm: GATE_DELIVERY_ALGORITHM,
+            key_id: key_id_for_raw_x25519_public_key(raw_public_key),
+            public_key: Base64.urlsafe_encode64(raw_public_key, padding: false)
+          },
+          private_key: private_key
+        }
+      end
+
+      def export_delivery_private_key_pkcs8(private_key)
+        CryptoSupport.ensure_supported_runtime!
+        Base64.urlsafe_encode64(private_key.private_to_der, padding: false)
+      end
+
+      def import_delivery_private_key_pkcs8(value)
+        CryptoSupport.ensure_supported_runtime!
+        OpenSSL::PKey.read(b64url_decode(value, "delivery.private_key_pkcs8"))
+      end
+
+      def validate_gate_delivery_request(value)
+        candidate = symbolize(value)
+        raise ArgumentError, "delivery.version must be 1" unless candidate[:version] == GATE_DELIVERY_VERSION
+        raise ArgumentError, "delivery.algorithm must be #{GATE_DELIVERY_ALGORITHM}" unless candidate[:algorithm] == GATE_DELIVERY_ALGORITHM
+        raise ArgumentError, "delivery.public_key is required" if candidate[:public_key].to_s.empty?
+        raise ArgumentError, "delivery.key_id is required" if candidate[:key_id].to_s.empty?
+
+        raw_public_key = b64url_decode(candidate[:public_key], "delivery.public_key")
+        raise ArgumentError, "delivery.public_key must be a raw X25519 public key" unless raw_public_key.bytesize == 32
+        raise ArgumentError, "delivery.key_id does not match delivery.public_key" unless key_id_for_raw_x25519_public_key(raw_public_key) == candidate[:key_id]
+
+        {
+          version: GATE_DELIVERY_VERSION,
+          algorithm: GATE_DELIVERY_ALGORITHM,
+          key_id: candidate[:key_id],
+          public_key: candidate[:public_key]
+        }
+      end
+
+      def create_encrypted_delivery_response(input)
+        {
+          encrypted_delivery: encrypt_gate_delivery_payload(
+            input.fetch(:delivery),
+            {
+              version: GATE_DELIVERY_VERSION,
+              outputs: input.fetch(:outputs)
+            }
+          )
+        }
+      end
+
+      def create_gate_approved_webhook_response(input)
+        create_encrypted_delivery_response(input)
+      end
+
+      def validate_encrypted_gate_delivery_envelope(value)
+        candidate = symbolize(value)
+        raise ArgumentError, "encrypted_delivery.version must be 1" unless candidate[:version] == GATE_DELIVERY_VERSION
+        raise ArgumentError, "encrypted_delivery.algorithm must be #{GATE_DELIVERY_ALGORITHM}" unless candidate[:algorithm] == GATE_DELIVERY_ALGORITHM
+        %i[key_id ephemeral_public_key salt iv ciphertext tag].each do |field|
+          raise ArgumentError, "encrypted_delivery.#{field} is required" if candidate[field].to_s.empty?
+        end
+        raise ArgumentError, "encrypted_delivery.ephemeral_public_key must be 32 bytes" unless b64url_decode(candidate[:ephemeral_public_key], "encrypted_delivery.ephemeral_public_key").bytesize == 32
+        raise ArgumentError, "encrypted_delivery.salt must be 32 bytes" unless b64url_decode(candidate[:salt], "encrypted_delivery.salt").bytesize == 32
+        raise ArgumentError, "encrypted_delivery.iv must be 12 bytes" unless b64url_decode(candidate[:iv], "encrypted_delivery.iv").bytesize == 12
+        raise ArgumentError, "encrypted_delivery.tag must be 16 bytes" unless b64url_decode(candidate[:tag], "encrypted_delivery.tag").bytesize == 16
+
+        candidate
+      end
+
+      def encrypt_gate_delivery_payload(delivery, payload)
+        CryptoSupport.ensure_supported_runtime!
+        validated_delivery = validate_gate_delivery_request(delivery)
+        payload = symbolize(payload)
+        raise ArgumentError, "Gate delivery payload version must be 1" unless payload[:version] == GATE_DELIVERY_VERSION
+
+        recipient_public_key = OpenSSL::PKey.read(X25519_SPKI_PREFIX + b64url_decode(validated_delivery[:public_key], "delivery.public_key"))
+        ephemeral_private_key = OpenSSL::PKey.generate_key("X25519")
+        shared_secret = ephemeral_private_key.derive(recipient_public_key)
+        salt = OpenSSL::Random.random_bytes(32)
+        iv = OpenSSL::Random.random_bytes(12)
+        key = OpenSSL::KDF.hkdf(shared_secret, salt: salt, info: GATE_DELIVERY_HKDF_INFO, length: 32, hash: "SHA256")
+
+        cipher = OpenSSL::Cipher.new("aes-256-gcm")
+        cipher.encrypt
+        cipher.key = key
+        cipher.iv = iv
+        ciphertext = cipher.update(JSON.generate(compact_payload(payload))) + cipher.final
+        tag = cipher.auth_tag
+
+        {
+          version: GATE_DELIVERY_VERSION,
+          algorithm: GATE_DELIVERY_ALGORITHM,
+          key_id: validated_delivery[:key_id],
+          ephemeral_public_key: Base64.urlsafe_encode64(raw_x25519_public_key_from_key_object(ephemeral_private_key.public_key), padding: false),
+          salt: Base64.urlsafe_encode64(salt, padding: false),
+          iv: Base64.urlsafe_encode64(iv, padding: false),
+          ciphertext: Base64.urlsafe_encode64(ciphertext, padding: false),
+          tag: Base64.urlsafe_encode64(tag, padding: false)
+        }
+      end
+
+      def decrypt_gate_delivery_envelope(private_key, envelope)
+        CryptoSupport.ensure_supported_runtime!
+        validated = validate_encrypted_gate_delivery_envelope(envelope)
+        shared_secret = private_key.derive(
+          OpenSSL::PKey.read(X25519_SPKI_PREFIX + b64url_decode(validated[:ephemeral_public_key], "encrypted_delivery.ephemeral_public_key"))
+        )
+        key = OpenSSL::KDF.hkdf(
+          shared_secret,
+          salt: b64url_decode(validated[:salt], "encrypted_delivery.salt"),
+          info: GATE_DELIVERY_HKDF_INFO,
+          length: 32,
+          hash: "SHA256"
+        )
+        cipher = OpenSSL::Cipher.new("aes-256-gcm")
+        cipher.decrypt
+        cipher.key = key
+        cipher.iv = b64url_decode(validated[:iv], "encrypted_delivery.iv")
+        cipher.auth_tag = b64url_decode(validated[:tag], "encrypted_delivery.tag")
+        cipher.auth_data = ""
+        plaintext = cipher.update(b64url_decode(validated[:ciphertext], "encrypted_delivery.ciphertext")) + cipher.final
+        payload = JSON.parse(plaintext)
+        raise ArgumentError, "encrypted_delivery payload must be an object" unless payload.is_a?(Hash)
+
+        symbolize(payload).tap do |candidate|
+          raise ArgumentError, "encrypted_delivery payload version must be 1" unless candidate[:version] == GATE_DELIVERY_VERSION
+          raise ArgumentError, "encrypted_delivery payload outputs must be an object" unless candidate[:outputs].is_a?(Hash)
+          candidate[:outputs].each do |key_name, item|
+            raise ArgumentError, "encrypted_delivery output #{key_name} must be a string" unless item.is_a?(String)
+          end
+        end
+      rescue JSON::ParserError
+        raise ArgumentError, "encrypted_delivery decrypted to invalid JSON"
+      end
+
+      def validate_gate_approved_webhook_payload(value)
+        candidate = symbolize(value)
+        raise ArgumentError, "event must be gate.session.approved" unless candidate[:event] == "gate.session.approved"
+        raise ArgumentError, "service_id is required" if candidate[:service_id].to_s.empty?
+        raise ArgumentError, "gate_session_id is required" if candidate[:gate_session_id].to_s.empty?
+        raise ArgumentError, "gate_account_id is required" if candidate[:gate_account_id].to_s.empty?
+        raise ArgumentError, "account_name is required" if candidate[:account_name].to_s.empty?
+        raise ArgumentError, "metadata must be an object or null" unless candidate[:metadata].nil? || candidate[:metadata].is_a?(Hash)
+        raise ArgumentError, "tripwire must be an object" unless candidate[:tripwire].is_a?(Hash)
+        verdict = candidate[:tripwire][:verdict]
+        raise ArgumentError, "tripwire.verdict is invalid" unless %w[bot human inconclusive].include?(verdict)
+        score = candidate[:tripwire][:score]
+        raise ArgumentError, "tripwire.score must be a number or null" unless score.nil? || score.is_a?(Numeric)
+
+        {
+          event: "gate.session.approved",
+          service_id: candidate[:service_id],
+          gate_session_id: candidate[:gate_session_id],
+          gate_account_id: candidate[:gate_account_id],
+          account_name: candidate[:account_name],
+          metadata: candidate[:metadata]&.dup,
+          tripwire: {
+            verdict: verdict,
+            score: score
+          },
+          delivery: validate_gate_delivery_request(candidate[:delivery])
+        }
+      end
+
+      def verify_gate_webhook_signature(secret:, timestamp:, raw_body:, signature:, max_age_seconds: 300, now_seconds: nil)
+        parsed_timestamp = Integer(timestamp)
+        current = now_seconds || Time.now.to_i
+        return false if (current - parsed_timestamp).abs > max_age_seconds
+
+        expected = OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{raw_body}")
+        secure_compare(expected, signature)
+      rescue ArgumentError
+        false
+      end
+
+      def symbolize(value)
+        case value
+        when Array
+          value.map { |item| symbolize(item) }
+        when Hash
+          value.each_with_object({}) do |(key, item), memo|
+            memo[key.to_sym] = symbolize(item)
+          end
+        else
+          value
+        end
+      end
+      private_class_method :symbolize
+
+      def compact_payload(payload)
+        {
+          version: payload[:version],
+          outputs: payload[:outputs],
+          **(payload[:ack_token] ? { ack_token: payload[:ack_token] } : {})
+        }
+      end
+      private_class_method :compact_payload
+
+      def b64url_decode(value, label)
+        Base64.urlsafe_decode64(value.to_s)
+      rescue ArgumentError => error
+        raise ArgumentError, "Invalid #{label}: #{error.message}"
+      end
+      private_class_method :b64url_decode
+
+      def secure_compare(left, right)
+        return false unless left.bytesize == right.bytesize
+
+        result = 0
+        left.bytes.zip(right.bytes) { |a, b| result |= a ^ b }
+        result.zero?
+      end
+      private_class_method :secure_compare
+    end
+  end
+end

data/lib/tripwire/server/sealed_token.rb

@@ -12,6 +12,7 @@ module Tripwire
       module_function
 
       def verify_tripwire_token(sealed_token, secret_key = nil)
+        CryptoSupport.ensure_supported_runtime!
         resolved_secret = secret_key || ENV["TRIPWIRE_SECRET_KEY"]
         raise ConfigurationError, "Missing Tripwire secret key. Pass secret_key explicitly or set TRIPWIRE_SECRET_KEY." if resolved_secret.nil? || resolved_secret.empty?
 
@@ -30,6 +31,7 @@ module Tripwire
         cipher.key = derive_key(resolved_secret)
         cipher.iv = nonce
         cipher.auth_tag = tag
+        cipher.auth_data = ""
 
         compressed = cipher.update(ciphertext) + cipher.final
         payload = JSON.parse(Zlib::Inflate.inflate(compressed))

data/lib/tripwire/server/version.rb

@@ -1,5 +1,5 @@
 module Tripwire
   module Server
-    VERSION = "0.1.1".freeze
+    VERSION = "0.3.0".freeze
   end
 end

data/lib/tripwire/server.rb

@@ -1,7 +1,9 @@
 require_relative "server/version"
 require_relative "server/errors"
+require_relative "server/crypto_support"
 require_relative "server/types"
 require_relative "server/sealed_token"
+require_relative "server/gate_delivery"
 require_relative "server/client"
 
 module Tripwire
@@ -15,5 +17,15 @@ module Tripwire
     def safe_verify_tripwire_token(sealed_token, secret_key = nil)
       SealedToken.safe_verify_tripwire_token(sealed_token, secret_key)
     end
+
+    def method_missing(name, *args, **kwargs, &block)
+      return GateDelivery.public_send(name, *args, **kwargs, &block) if GateDelivery.respond_to?(name)
+
+      super
+    end
+
+    def respond_to_missing?(name, include_private = false)
+      GateDelivery.respond_to?(name) || super
+    end
   end
 end

data/spec/README.md

@@ -4,18 +4,24 @@ This directory is the authoritative cross-language contract for Tripwire server
 
 It defines:
 
-- the supported public server API surface
+- the supported server API surface
 - the shared sealed token verification behavior
-- golden fixtures for success, error, and pagination flows
+- the shared Gate delivery/webhook helper behavior
+- golden fixtures for success, error, pagination, and helper flows
 
 ## Scope
 
-Server SDKs include only customer-facing public APIs:
+Server SDKs include only customer-facing APIs:
 
 - `/v1/sessions`
 - `/v1/fingerprints`
 - `/v1/teams`
 - `/v1/teams/:teamId/api-keys`
+- `/v1/gate/registry`
+- `/v1/gate/services`
+- `/v1/gate/sessions`
+- `/v1/gate/login-sessions`
+- `/v1/gate/agent-tokens/*`
 
 Server SDKs do **not** include:
 
@@ -47,9 +53,24 @@ Every server SDK should expose these top-level capabilities:
   - list
   - revoke
   - rotate
+- Gate
+  - registry list/get
+  - services list/get/create/update/disable
+  - sessions create/poll/acknowledge
+  - login sessions create/consume
+  - agent tokens verify/revoke
 - sealed token helpers
   - strict verify
   - safe verify
+- Gate delivery/webhook helpers
+  - generate delivery keypair
+  - import/export delivery private key
+  - validate delivery request
+  - encrypt/decrypt delivery envelopes
+  - validate approved webhook payload
+  - verify webhook signature
+  - derive agent-token env keys
+  - check blocked/managed Gate env vars
 
 ## Shared Defaults
 
@@ -57,7 +78,7 @@ Every SDK should default to:
 
 - `base_url = https://api.tripwirejs.com`
 - `secret_key = env(TRIPWIRE_SECRET_KEY)`
-- secret-key-only auth via `Authorization: Bearer <secret>`
+- support for public, bearer-token, and secret-key auth as required by the Gate surface
 - request timeout support
 - no automatic retries
 
@@ -74,7 +95,7 @@ The underlying API responses remain cursor-based. SDKs may expose helper iterato
 
 ## Error Model
 
-SDKs should parse public API failures into structured errors with, at minimum:
+SDKs should parse API failures into structured errors with, at minimum:
 
 - `status`
 - `code`
@@ -99,6 +120,16 @@ Use both:
 
 to validate correctness and failure behavior.
 
+## Gate Delivery Helper Coverage
+
+Use the shared fixtures in `fixtures/gate-delivery/` to validate:
+
+- delivery request validation and key-id derivation
+- envelope encrypt/decrypt roundtrips
+- approved webhook payload validation
+- webhook signature verification
+- Gate env-var policy helpers
+
 ## Sync Model
 
 This repo is the source of truth for the shared server SDK contract.
@@ -123,7 +154,7 @@ When changing any server SDK:
   - `limit`
   - `has_more`
   - `next_cursor`
-- preserve structured public API errors
+- preserve structured API errors
 - keep sealed token golden-vector coverage
 - keep one live smoke suite per SDK
 - only update the vendored SDK `spec/` copies or the monorepo submodule pointer after the relevant CI is green

data/spec/fixtures/api/fingerprints/detail.json

@@ -0,0 +1,70 @@
+{
+  "data": {
+    "object": "visitor_fingerprint",
+    "id": "vid_456789abcdefghjkmnpqrstvwx",
+    "lifecycle": {
+      "first_seen_at": "2026-03-24T19:58:00.000Z",
+      "last_seen_at": "2026-03-24T20:00:05.000Z",
+      "seen_count": 3,
+      "expires_at": "2026-06-22T20:00:05.000Z"
+    },
+    "latest_request": {
+      "user_agent": "Mozilla/5.0",
+      "ip_address": "203.0.113.9"
+    },
+    "storage": {
+      "cookies": true,
+      "local_storage": true,
+      "indexed_db": true,
+      "service_worker": false,
+      "window_name": false
+    },
+    "anchors": {
+      "webgl_hash": null,
+      "parameters_hash": null,
+      "audio_hash": null
+    },
+    "components": {
+      "vector": [
+        1,
+        0,
+        1
+      ]
+    },
+    "activity": {
+      "sessions": [
+        {
+          "session_id": "sid_0123456789abcdefghjkmnpqrs",
+          "decision": {
+            "event_id": "evt_23456789abcdefghjkmnpqrstv",
+            "verdict": "human",
+            "risk_score": 9,
+            "phase": "behavioral",
+            "is_provisional": false,
+            "manipulation": {
+              "score": 0,
+              "verdict": "none"
+            },
+            "evaluation_duration_ms": 142,
+            "evaluated_at": "2026-03-24T20:00:05.000Z"
+          },
+          "request": {
+            "url": "https://example.com/signup",
+            "user_agent": "Mozilla/5.0",
+            "ip_address": "203.0.113.9",
+            "screen_size": "1440x900",
+            "is_touch_capable": false
+          },
+          "score_breakdown": {
+            "categories": {
+              "behavioral": 9
+            }
+          }
+        }
+      ]
+    }
+  },
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}

data/spec/fixtures/api/fingerprints/list.json

@@ -0,0 +1,37 @@
+{
+  "data": [
+    {
+      "object": "visitor_fingerprint",
+      "id": "vid_456789abcdefghjkmnpqrstvwx",
+      "lifecycle": {
+        "first_seen_at": "2026-03-24T19:58:00.000Z",
+        "last_seen_at": "2026-03-24T20:00:05.000Z",
+        "seen_count": 3,
+        "expires_at": "2026-06-22T20:00:05.000Z"
+      },
+      "latest_request": {
+        "user_agent": "Mozilla/5.0",
+        "ip_address": "203.0.113.9"
+      },
+      "storage": {
+        "cookies": true,
+        "local_storage": true,
+        "indexed_db": true,
+        "service_worker": false,
+        "window_name": false
+      },
+      "anchors": {
+        "webgl_hash": null,
+        "parameters_hash": null,
+        "audio_hash": null
+      }
+    }
+  ],
+  "pagination": {
+    "limit": 50,
+    "has_more": false
+  },
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}

data/spec/fixtures/api/gate/agent-token-verify.json

@@ -0,0 +1,12 @@
+{
+  "data": {
+    "valid": true,
+    "gate_account_id": "gacct_0123456789abcdefghjkmnpqrs",
+    "status": "active",
+    "created_at": "2026-04-01T12:00:00.000Z",
+    "expires_at": "2026-06-30T12:00:00.000Z"
+  },
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}

data/spec/fixtures/api/gate/login-session-consume.json

@@ -0,0 +1,10 @@
+{
+  "data": {
+    "object": "gate_dashboard_login",
+    "gate_account_id": "gacct_0123456789abcdefghjkmnpqrs",
+    "account_name": "my-project"
+  },
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}

data/spec/fixtures/api/gate/login-session-create.json

@@ -0,0 +1,12 @@
+{
+  "data": {
+    "object": "gate_login_session",
+    "id": "gate_1123456789abcdefghjkmnpqrs",
+    "status": "pending",
+    "consent_url": "https://tripwirejs.com/gate?session=gate_1123456789abcdefghjkmnpqrs",
+    "expires_at": "2026-04-04T20:20:00.000Z"
+  },
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}

data/spec/fixtures/api/gate/registry-detail.json

@@ -0,0 +1,45 @@
+{
+  "data": {
+    "id": "tripwire",
+    "status": "active",
+    "discoverable": true,
+    "name": "Tripwire",
+    "description": "Detect AI agents and malicious users",
+    "website": "https://tripwirejs.com",
+    "dashboard_login_url": "https://dashboard.tripwirejs.com/auth/gate",
+    "env_vars": [
+      {
+        "name": "Publishable key",
+        "key": "TRIPWIRE_PUBLISHABLE_KEY",
+        "secret": false
+      },
+      {
+        "name": "Secret key",
+        "key": "TRIPWIRE_SECRET_KEY",
+        "secret": true
+      }
+    ],
+    "docs_url": "https://tripwirejs.com/docs",
+    "sdks": [
+      {
+        "label": "Node",
+        "install": "npm install @abxy/tripwire-server",
+        "url": "https://www.npmjs.com/package/@abxy/tripwire-server"
+      }
+    ],
+    "branding": {
+      "logo_url": "https://tripwirejs.com/logo.png",
+      "primary_color": "#117BE7",
+      "secondary_color": "#0B5CAD",
+      "ascii_art": "TRIPWIRE",
+      "verified": true
+    },
+    "consent": {
+      "terms_url": "https://tripwirejs.com/terms",
+      "privacy_url": "https://tripwirejs.com/privacy"
+    }
+  },
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}

data/spec/fixtures/api/gate/registry-list.json

@@ -0,0 +1,47 @@
+{
+  "data": [
+    {
+      "id": "tripwire",
+      "status": "active",
+      "discoverable": true,
+      "name": "Tripwire",
+      "description": "Detect AI agents and malicious users",
+      "website": "https://tripwirejs.com",
+      "dashboard_login_url": "https://dashboard.tripwirejs.com/auth/gate",
+      "env_vars": [
+        {
+          "name": "Publishable key",
+          "key": "TRIPWIRE_PUBLISHABLE_KEY",
+          "secret": false
+        },
+        {
+          "name": "Secret key",
+          "key": "TRIPWIRE_SECRET_KEY",
+          "secret": true
+        }
+      ],
+      "docs_url": "https://tripwirejs.com/docs",
+      "sdks": [
+        {
+          "label": "Node",
+          "install": "npm install @abxy/tripwire-server",
+          "url": "https://www.npmjs.com/package/@abxy/tripwire-server"
+        }
+      ],
+      "branding": {
+        "logo_url": "https://tripwirejs.com/logo.png",
+        "primary_color": "#117BE7",
+        "secondary_color": "#0B5CAD",
+        "ascii_art": "TRIPWIRE",
+        "verified": true
+      },
+      "consent": {
+        "terms_url": "https://tripwirejs.com/terms",
+        "privacy_url": "https://tripwirejs.com/privacy"
+      }
+    }
+  ],
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}