@agent-trust/gateway 1.0.0

package/dist/gateway.d.ts

@@ -0,0 +1,59 @@
+import { Router } from 'express';
+import { BehaviorTracker } from './behavior-tracker';
+import { GatewayConfig } from './types';
+/**
+ * AgentGateway — the core class that website owners instantiate.
+ * Creates an Express router with discovery, authentication, action execution,
+ * and real-time behavioral tracking.
+ *
+ * Usage:
+ *   const gateway = new AgentGateway({ ... });
+ *   app.use('/agent-gateway', gateway.router());
+ */
+export declare class AgentGateway {
+    private stationClient;
+    private actionRegistry;
+    private behaviorTracker;
+    private config;
+    constructor(config: GatewayConfig);
+    /**
+     * Get the behavior tracker instance (for monitoring/dashboard).
+     */
+    getBehaviorTracker(): BehaviorTracker;
+    /**
+     * Create and return the Express router for this gateway.
+     * Mount it on any path: app.use('/agent-gateway', gateway.router())
+     */
+    router(): Router;
+    /**
+     * Destroy the gateway and clean up resources.
+     */
+    destroy(): void;
+}
+/**
+ * Factory function — creates an AgentGateway instance.
+ *
+ * Example:
+ *   const gateway = createGateway({
+ *     stationUrl: 'https://station.example.com',
+ *     gatewayId: 'my-site',
+ *     stationApiKey: 'ats_xxxxx',
+ *     actions: {
+ *       'search': {
+ *         description: 'Search products',
+ *         minScore: 30,
+ *         parameters: { query: { type: 'string', required: true } },
+ *         handler: async (params) => db.search(params.query)
+ *       }
+ *     },
+ *     behavior: {
+ *       maxActionsPerMinute: 20,  // Stricter rate limit
+ *       onSuspiciousActivity: (event) => {
+ *         console.warn('Suspicious agent:', event);
+ *       }
+ *     }
+ *   });
+ *   app.use('/agent-gateway', gateway.router());
+ */
+export declare function createGateway(config: GatewayConfig): AgentGateway;
+//# sourceMappingURL=gateway.d.ts.map

package/dist/gateway.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../src/gateway.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAErD,OAAO,EACL,aAAa,EAId,MAAM,SAAS,CAAC;AAEjB;;;;;;;;GAQG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,MAAM,CAAgB;gBAElB,MAAM,EAAE,aAAa;IAWjC;;OAEG;IACH,kBAAkB,IAAI,eAAe;IAIrC;;;OAGG;IACH,MAAM,IAAI,MAAM;IA6MhB;;OAEG;IACH,OAAO,IAAI,IAAI;CAGhB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,aAAa,GAAG,YAAY,CAEjE"}

package/dist/gateway.js

@@ -0,0 +1,241 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgentGateway = void 0;
+exports.createGateway = createGateway;
+const express_1 = require("express");
+const station_client_1 = require("./station-client");
+const action_registry_1 = require("./action-registry");
+const behavior_tracker_1 = require("./behavior-tracker");
+const certificate_1 = require("./middleware/certificate");
+/**
+ * AgentGateway — the core class that website owners instantiate.
+ * Creates an Express router with discovery, authentication, action execution,
+ * and real-time behavioral tracking.
+ *
+ * Usage:
+ *   const gateway = new AgentGateway({ ... });
+ *   app.use('/agent-gateway', gateway.router());
+ */
+class AgentGateway {
+    constructor(config) {
+        this.config = config;
+        this.stationClient = new station_client_1.StationClient(config.stationUrl, config.stationApiKey, config.publicKeyRefreshInterval ?? 3600000 // 1 hour default
+        );
+        this.actionRegistry = new action_registry_1.ActionRegistry(config.actions);
+        this.behaviorTracker = new behavior_tracker_1.BehaviorTracker(config.behavior ?? {});
+    }
+    /**
+     * Get the behavior tracker instance (for monitoring/dashboard).
+     */
+    getBehaviorTracker() {
+        return this.behaviorTracker;
+    }
+    /**
+     * Create and return the Express router for this gateway.
+     * Mount it on any path: app.use('/agent-gateway', gateway.router())
+     */
+    router() {
+        const router = (0, express_1.Router)();
+        // ─── Discovery Endpoints ───
+        /**
+         * GET /.well-known/agent-gateway
+         * Machine-readable manifest of available actions.
+         * Agents call this to discover what this gateway offers.
+         */
+        router.get('/.well-known/agent-gateway', (_req, res) => {
+            const payload = {
+                gatewayId: this.config.gatewayId,
+                actions: this.actionRegistry.getDiscoveryPayload(),
+                certificateIssuer: 'agent-trust-station',
+                version: '1.0.0'
+            };
+            res.json(payload);
+        });
+        /**
+         * GET /actions
+         * Alternative discovery endpoint — list available actions.
+         */
+        router.get('/actions', (_req, res) => {
+            res.json({
+                gatewayId: this.config.gatewayId,
+                actions: this.actionRegistry.getDiscoveryPayload()
+            });
+        });
+        /**
+         * GET /behavior/sessions
+         * Monitoring endpoint — view active agent sessions and their behavioral scores.
+         * Useful for dashboards and real-time monitoring.
+         */
+        router.get('/behavior/sessions', (_req, res) => {
+            res.json({
+                success: true,
+                data: {
+                    activeSessions: this.behaviorTracker.getActiveSessions()
+                }
+            });
+        });
+        // ─── Protected Action Endpoints ───
+        // Certificate validation middleware
+        const validateCert = (0, certificate_1.createCertificateMiddleware)(this.stationClient);
+        /**
+         * POST /actions/:actionName
+         * Execute an action. Requires a valid agent certificate.
+         *
+         * Flow:
+         * 1. Validate certificate (JWT signature + expiry)
+         * 2. Check behavioral score (is agent blocked mid-session?)
+         * 3. Check reputation score vs. action minScore
+         * 4. Validate parameters
+         * 5. Execute handler
+         * 6. Record behavior + report to station
+         */
+        router.post('/actions/:actionName', validateCert, async (req, res) => {
+            const { actionName } = req.params;
+            const params = req.body.params || {};
+            const certificate = req.agentCertificate;
+            // ─── Behavioral Check: Is agent blocked mid-session? ───
+            if (this.behaviorTracker.isBlocked(certificate.sub)) {
+                const stats = this.behaviorTracker.getStats(certificate.sub);
+                res.status(403).json({
+                    success: false,
+                    error: 'Agent blocked due to suspicious behavior',
+                    behaviorScore: 0,
+                    flags: stats?.flagsTriggered || [],
+                    hint: 'Your behavioral score dropped too low. Wait for session to expire and improve behavior.'
+                });
+                // Report the block to station
+                this.stationClient.submitReport({
+                    agentId: certificate.sub,
+                    gatewayId: this.config.gatewayId,
+                    certificateJti: certificate.jti,
+                    actions: [{
+                            actionType: actionName,
+                            outcome: 'failure',
+                            metadata: { reason: 'behavioral_block', params },
+                            performedAt: new Date().toISOString()
+                        }]
+                }).catch(err => {
+                    console.error(`[@agent-trust/gateway] Failed to submit report:`, err.message);
+                });
+                return;
+            }
+            // Check if action exists
+            const action = this.actionRegistry.getAction(actionName);
+            if (!action) {
+                // Record the unknown action attempt
+                this.behaviorTracker.recordAction(certificate.sub, certificate.agentExternalId, actionName, params, false, false);
+                res.status(404).json({
+                    success: false,
+                    error: `Action "${actionName}" not found`,
+                    availableActions: this.actionRegistry.getActionNames()
+                });
+                return;
+            }
+            // Build agent context from certificate
+            const agentContext = {
+                agentId: certificate.sub,
+                externalId: certificate.agentExternalId,
+                developerId: certificate.developerId,
+                score: certificate.score,
+                identityVerified: certificate.identityVerified
+            };
+            // Check if score meets threshold BEFORE executing
+            const scoreMet = agentContext.score >= action.minScore;
+            // Execute the action (actionRegistry handles score check internally)
+            const result = await this.actionRegistry.execute(actionName, params, agentContext);
+            // ─── Record behavior and analyze ───
+            const behavior = this.behaviorTracker.recordAction(certificate.sub, certificate.agentExternalId, actionName, params, result.success, scoreMet);
+            // Attach behavioral data to response
+            req.behaviorScore = behavior.behaviorScore;
+            req.behaviorFlags = behavior.flags;
+            // Submit report to station asynchronously (fire-and-forget)
+            this.stationClient.submitReport({
+                agentId: certificate.sub,
+                gatewayId: this.config.gatewayId,
+                certificateJti: certificate.jti,
+                actions: [{
+                        actionType: actionName,
+                        outcome: result.success ? 'success' : 'failure',
+                        metadata: {
+                            params,
+                            behaviorScore: behavior.behaviorScore,
+                            behaviorFlags: behavior.flags,
+                            blocked: behavior.blocked
+                        },
+                        performedAt: new Date().toISOString()
+                    }]
+            }).catch(err => {
+                console.error(`[@agent-trust/gateway] Failed to submit report to station:`, err.message);
+            });
+            // Return result to the agent
+            const response = { ...result };
+            // Include behavioral info in response
+            if (behavior.flags.length > 0 || behavior.behaviorScore < 80) {
+                response.behavior = {
+                    score: behavior.behaviorScore,
+                    flags: behavior.flags,
+                    warning: behavior.behaviorScore < 50
+                        ? 'Your behavioral score is low. Continued suspicious activity will result in blocking.'
+                        : behavior.flags.length > 0
+                            ? 'Behavioral flags detected. Adjust your interaction pattern.'
+                            : undefined
+                };
+            }
+            // If agent was just blocked by this action
+            if (behavior.blocked) {
+                res.status(403).json({
+                    success: false,
+                    error: 'Agent blocked due to suspicious behavior detected during this session',
+                    behavior: {
+                        score: behavior.behaviorScore,
+                        flags: behavior.flags
+                    }
+                });
+                return;
+            }
+            if (result.success) {
+                res.json(response);
+            }
+            else {
+                res.status(403).json(response);
+            }
+        });
+        return router;
+    }
+    /**
+     * Destroy the gateway and clean up resources.
+     */
+    destroy() {
+        this.behaviorTracker.destroy();
+    }
+}
+exports.AgentGateway = AgentGateway;
+/**
+ * Factory function — creates an AgentGateway instance.
+ *
+ * Example:
+ *   const gateway = createGateway({
+ *     stationUrl: 'https://station.example.com',
+ *     gatewayId: 'my-site',
+ *     stationApiKey: 'ats_xxxxx',
+ *     actions: {
+ *       'search': {
+ *         description: 'Search products',
+ *         minScore: 30,
+ *         parameters: { query: { type: 'string', required: true } },
+ *         handler: async (params) => db.search(params.query)
+ *       }
+ *     },
+ *     behavior: {
+ *       maxActionsPerMinute: 20,  // Stricter rate limit
+ *       onSuspiciousActivity: (event) => {
+ *         console.warn('Suspicious agent:', event);
+ *       }
+ *     }
+ *   });
+ *   app.use('/agent-gateway', gateway.router());
+ */
+function createGateway(config) {
+    return new AgentGateway(config);
+}
+//# sourceMappingURL=gateway.js.map

package/dist/gateway.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.js","sourceRoot":"","sources":["../src/gateway.ts"],"names":[],"mappings":";;;AA+RA,sCAEC;AAjSD,qCAAiC;AACjC,qDAAiD;AACjD,uDAAmD;AACnD,yDAAqD;AACrD,0DAAuE;AAQvE;;;;;;;;GAQG;AACH,MAAa,YAAY;IAMvB,YAAY,MAAqB;QAC/B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,aAAa,GAAG,IAAI,8BAAa,CACpC,MAAM,CAAC,UAAU,EACjB,MAAM,CAAC,aAAa,EACpB,MAAM,CAAC,wBAAwB,IAAI,OAAO,CAAC,iBAAiB;SAC7D,CAAC;QACF,IAAI,CAAC,cAAc,GAAG,IAAI,gCAAc,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACzD,IAAI,CAAC,eAAe,GAAG,IAAI,kCAAe,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACH,MAAM;QACJ,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;QAExB,8BAA8B;QAE9B;;;;WAIG;QACH,MAAM,CAAC,GAAG,CAAC,4BAA4B,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YACrD,MAAM,OAAO,GAAqB;gBAChC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;gBAChC,OAAO,EAAE,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE;gBAClD,iBAAiB,EAAE,qBAAqB;gBACxC,OAAO,EAAE,OAAO;aACjB,CAAC;YACF,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpB,CAAC,CAAC,CAAC;QAEH;;;WAGG;QACH,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YACnC,GAAG,CAAC,IAAI,CAAC;gBACP,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;gBAChC,OAAO,EAAE,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE;aACnD,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH;;;;WAIG;QACH,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAC7C,GAAG,CAAC,IAAI,CAAC;gBACP,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE;oBACJ,cAAc,EAAE,IAAI,CAAC,eAAe,CAAC,iBAAiB,EAAE;iBACzD;aACF,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,qCAAqC;QAErC,oCAAoC;QACpC,MAAM,YAAY,GAAG,IAAA,yCAA2B,EAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAErE;;;;;;;;;;;WAWG;QACH,MAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,YAAY,EAAE,KAAK,EAAE,GAAmB,EAAE,GAAG,EAAE,EAAE;YACnF,MAAM,EAAE,UAAU,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;YAClC,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;YACrC,MAAM,WAAW,GAAG,GAAG,CAAC,gBAAiB,CAAC;YAE1C,0DAA0D;YAC1D,IAAI,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACpD,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,0CAA0C;oBACjD,aAAa,EAAE,CAAC;oBAChB,KAAK,EAAE,KAAK,EAAE,cAAc,IAAI,EAAE;oBAClC,IAAI,EAAE,yFAAyF;iBAChG,CAAC,CAAC;gBAEH,8BAA8B;gBAC9B,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC;oBAC9B,OAAO,EAAE,WAAW,CAAC,GAAG;oBACxB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;oBAChC,cAAc,EAAE,WAAW,CAAC,GAAG;oBAC/B,OAAO,EAAE,CAAC;4BACR,UAAU,EAAE,UAAU;4BACtB,OAAO,EAAE,SAAS;4BAClB,QAAQ,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,MAAM,EAAE;4BAChD,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;yBACtC,CAAC;iBACH,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;oBACb,OAAO,CAAC,KAAK,CAAC,iDAAiD,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;gBAChF,CAAC,CAAC,CAAC;gBAEH,OAAO;YACT,CAAC;YAED,yBAAyB;YACzB,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;YACzD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,oCAAoC;gBACpC,IAAI,CAAC,eAAe,CAAC,YAAY,CAC/B,WAAW,CAAC,GAAG,EACf,WAAW,CAAC,eAAe,EAC3B,UAAU,EACV,MAAM,EACN,KAAK,EACL,KAAK,CACN,CAAC;gBAEF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,WAAW,UAAU,aAAa;oBACzC,gBAAgB,EAAE,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE;iBACvD,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,uCAAuC;YACvC,MAAM,YAAY,GAAiB;gBACjC,OAAO,EAAE,WAAW,CAAC,GAAG;gBACxB,UAAU,EAAE,WAAW,CAAC,eAAe;gBACvC,WAAW,EAAE,WAAW,CAAC,WAAW;gBACpC,KAAK,EAAE,WAAW,CAAC,KAAK;gBACxB,gBAAgB,EAAE,WAAW,CAAC,gBAAgB;aAC/C,CAAC;YAEF,kDAAkD;YAClD,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,IAAI,MAAM,CAAC,QAAQ,CAAC;YAEvD,qEAAqE;YACrE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;YAEnF,sCAAsC;YACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,YAAY,CAChD,WAAW,CAAC,GAAG,EACf,WAAW,CAAC,eAAe,EAC3B,UAAU,EACV,MAAM,EACN,MAAM,CAAC,OAAO,EACd,QAAQ,CACT,CAAC;YAEF,qCAAqC;YACrC,GAAG,CAAC,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC;YAC3C,GAAG,CAAC,aAAa,GAAG,QAAQ,CAAC,KAAK,CAAC;YAEnC,4DAA4D;YAC5D,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC;gBAC9B,OAAO,EAAE,WAAW,CAAC,GAAG;gBACxB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;gBAChC,cAAc,EAAE,WAAW,CAAC,GAAG;gBAC/B,OAAO,EAAE,CAAC;wBACR,UAAU,EAAE,UAAU;wBACtB,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;wBAC/C,QAAQ,EAAE;4BACR,MAAM;4BACN,aAAa,EAAE,QAAQ,CAAC,aAAa;4BACrC,aAAa,EAAE,QAAQ,CAAC,KAAK;4BAC7B,OAAO,EAAE,QAAQ,CAAC,OAAO;yBAC1B;wBACD,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACtC,CAAC;aACH,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBACb,OAAO,CAAC,KAAK,CAAC,4DAA4D,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAC3F,CAAC,CAAC,CAAC;YAEH,6BAA6B;YAC7B,MAAM,QAAQ,GAA4B,EAAE,GAAG,MAAM,EAAE,CAAC;YAExD,sCAAsC;YACtC,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,aAAa,GAAG,EAAE,EAAE,CAAC;gBAC7D,QAAQ,CAAC,QAAQ,GAAG;oBAClB,KAAK,EAAE,QAAQ,CAAC,aAAa;oBAC7B,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,OAAO,EAAE,QAAQ,CAAC,aAAa,GAAG,EAAE;wBAClC,CAAC,CAAC,sFAAsF;wBACxF,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;4BACzB,CAAC,CAAC,6DAA6D;4BAC/D,CAAC,CAAC,SAAS;iBAChB,CAAC;YACJ,CAAC;YAED,2CAA2C;YAC3C,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,uEAAuE;oBAC9E,QAAQ,EAAE;wBACR,KAAK,EAAE,QAAQ,CAAC,aAAa;wBAC7B,KAAK,EAAE,QAAQ,CAAC,KAAK;qBACtB;iBACF,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrB,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACjC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;IACjC,CAAC;CACF;AA/OD,oCA+OC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,SAAgB,aAAa,CAAC,MAAqB;IACjD,OAAO,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { AgentGateway, createGateway } from './gateway';
+export { StationClient } from './station-client';
+export { ActionRegistry } from './action-registry';
+export { BehaviorTracker } from './behavior-tracker';
+export type { GatewayConfig, ActionDefinition, ParameterDefinition, ActionHandler, AgentContext, ActionResult, PublicActionInfo, DiscoveryPayload, GatewayRequest, BehaviorConfig, BehaviorEvent, BehaviorFlag, SessionStats, AgentSession } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAErD,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EAEd,cAAc,EACd,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACb,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -0,0 +1,19 @@
+"use strict";
+// @agent-trust/gateway — AI Agent Gateway middleware for Express
+//
+// Install on any Express app to let trusted AI agents interact with your site.
+// Agents present cryptographically signed certificates from the Agent Trust Station.
+// The gateway verifies the certificate, checks the agent's reputation score,
+// monitors real-time behavior, and executes the requested action if trusted.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BehaviorTracker = exports.ActionRegistry = exports.StationClient = exports.createGateway = exports.AgentGateway = void 0;
+var gateway_1 = require("./gateway");
+Object.defineProperty(exports, "AgentGateway", { enumerable: true, get: function () { return gateway_1.AgentGateway; } });
+Object.defineProperty(exports, "createGateway", { enumerable: true, get: function () { return gateway_1.createGateway; } });
+var station_client_1 = require("./station-client");
+Object.defineProperty(exports, "StationClient", { enumerable: true, get: function () { return station_client_1.StationClient; } });
+var action_registry_1 = require("./action-registry");
+Object.defineProperty(exports, "ActionRegistry", { enumerable: true, get: function () { return action_registry_1.ActionRegistry; } });
+var behavior_tracker_1 = require("./behavior-tracker");
+Object.defineProperty(exports, "BehaviorTracker", { enumerable: true, get: function () { return behavior_tracker_1.BehaviorTracker; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA,iEAAiE;AACjE,EAAE;AACF,+EAA+E;AAC/E,qFAAqF;AACrF,6EAA6E;AAC7E,6EAA6E;;;AAE7E,qCAAwD;AAA/C,uGAAA,YAAY,OAAA;AAAE,wGAAA,aAAa,OAAA;AACpC,mDAAiD;AAAxC,+GAAA,aAAa,OAAA;AACtB,qDAAmD;AAA1C,iHAAA,cAAc,OAAA;AACvB,uDAAqD;AAA5C,mHAAA,eAAe,OAAA"}

package/dist/middleware/certificate.d.ts

@@ -0,0 +1,10 @@
+import { Response, NextFunction } from 'express';
+import { StationClient } from '../station-client';
+import { GatewayRequest } from '../types';
+/**
+ * Create Express middleware that validates agent certificates.
+ * Verifies the JWT signature locally using the station's cached public key.
+ * Attaches the decoded certificate payload to req.agentCertificate.
+ */
+export declare function createCertificateMiddleware(stationClient: StationClient): (req: GatewayRequest, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=certificate.d.ts.map

package/dist/middleware/certificate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/middleware/certificate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEjD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAsB,cAAc,EAAE,MAAM,UAAU,CAAC;AAsB9D;;;;GAIG;AACH,wBAAgB,2BAA2B,CAAC,aAAa,EAAE,aAAa,IACxD,KAAK,cAAc,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBAyDrE"}

package/dist/middleware/certificate.js

@@ -0,0 +1,83 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCertificateMiddleware = createCertificateMiddleware;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+/**
+ * Extract the JWT token from the request.
+ * Supports Authorization: Bearer header and X-Agent-Certificate header.
+ */
+function extractToken(req) {
+    // Check Authorization header
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith('Bearer ')) {
+        return authHeader.slice(7);
+    }
+    // Check custom header
+    const certHeader = req.headers['x-agent-certificate'];
+    if (certHeader) {
+        return certHeader;
+    }
+    return null;
+}
+/**
+ * Create Express middleware that validates agent certificates.
+ * Verifies the JWT signature locally using the station's cached public key.
+ * Attaches the decoded certificate payload to req.agentCertificate.
+ */
+function createCertificateMiddleware(stationClient) {
+    return async (req, res, next) => {
+        const token = extractToken(req);
+        if (!token) {
+            res.status(401).json({
+                success: false,
+                error: 'Agent certificate required — pass JWT in Authorization: Bearer header'
+            });
+            return;
+        }
+        try {
+            // Fetch the station's public key (cached)
+            const publicKey = await stationClient.getPublicKey();
+            // Verify the JWT locally
+            const payload = jsonwebtoken_1.default.verify(token, publicKey, {
+                algorithms: ['RS256'],
+                issuer: 'agent-trust-station'
+            });
+            // Check agent status
+            if (payload.status === 'banned' || payload.status === 'suspended') {
+                res.status(403).json({
+                    success: false,
+                    error: `Agent is ${payload.status}`
+                });
+                return;
+            }
+            // Attach to request
+            req.agentCertificate = payload;
+            req.agentToken = token;
+            next();
+        }
+        catch (error) {
+            if (error instanceof jsonwebtoken_1.default.TokenExpiredError) {
+                res.status(401).json({
+                    success: false,
+                    error: 'Certificate expired — request a new one from the station'
+                });
+                return;
+            }
+            if (error instanceof jsonwebtoken_1.default.JsonWebTokenError) {
+                res.status(401).json({
+                    success: false,
+                    error: 'Invalid certificate — signature verification failed'
+                });
+                return;
+            }
+            res.status(500).json({
+                success: false,
+                error: 'Certificate validation failed'
+            });
+        }
+    };
+}
+//# sourceMappingURL=certificate.js.map

package/dist/middleware/certificate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"certificate.js","sourceRoot":"","sources":["../../src/middleware/certificate.ts"],"names":[],"mappings":";;;;;AA8BA,kEA0DC;AAvFD,gEAA+B;AAI/B;;;GAGG;AACH,SAAS,YAAY,CAAC,GAAmB;IACvC,6BAA6B;IAC7B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7C,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,sBAAsB;IACtB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,qBAAqB,CAAuB,CAAC;IAC5E,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,SAAgB,2BAA2B,CAAC,aAA4B;IACtE,OAAO,KAAK,EAAE,GAAmB,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACtE,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAEhC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,uEAAuE;aAC/E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,0CAA0C;YAC1C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE,CAAC;YAErD,yBAAyB;YACzB,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE;gBAC3C,UAAU,EAAE,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,qBAAqB;aAC9B,CAAuB,CAAC;YAEzB,qBAAqB;YACrB,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;gBAClE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,YAAY,OAAO,CAAC,MAAM,EAAE;iBACpC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,oBAAoB;YACpB,GAAG,CAAC,gBAAgB,GAAG,OAAO,CAAC;YAC/B,GAAG,CAAC,UAAU,GAAG,KAAK,CAAC;YACvB,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,sBAAG,CAAC,iBAAiB,EAAE,CAAC;gBAC3C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,0DAA0D;iBAClE,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,IAAI,KAAK,YAAY,sBAAG,CAAC,iBAAiB,EAAE,CAAC;gBAC3C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,qDAAqD;iBAC7D,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,+BAA+B;aACvC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/station-client.d.ts

@@ -0,0 +1,29 @@
+import { GatewayReportPayload } from './types';
+/**
+ * HTTP client for communicating with the Agent Trust Station.
+ * Handles public key caching and report submission.
+ */
+export declare class StationClient {
+    private stationUrl;
+    private apiKey;
+    private cachedPublicKey;
+    private publicKeyFetchedAt;
+    private refreshInterval;
+    constructor(stationUrl: string, apiKey: string, refreshInterval: number);
+    /**
+     * Fetch the station's public key (PEM format).
+     * Caches the key and only refreshes after the refresh interval expires.
+     */
+    getPublicKey(): Promise<string>;
+    /**
+     * Submit a behavior report to the station.
+     * Called after an agent performs actions through the gateway.
+     */
+    submitReport(report: GatewayReportPayload): Promise<void>;
+    /**
+     * Verify a certificate remotely via the station (fallback).
+     * Prefer local verification using the public key for speed.
+     */
+    verifyRemote(token: string): Promise<Record<string, unknown> | null>;
+}
+//# sourceMappingURL=station-client.d.ts.map

package/dist/station-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"station-client.d.ts","sourceRoot":"","sources":["../src/station-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAE/C;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,eAAe,CAAuB;IAC9C,OAAO,CAAC,kBAAkB,CAAa;IACvC,OAAO,CAAC,eAAe,CAAS;gBAEpB,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM;IAOvE;;;OAGG;IACG,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IA6BrC;;;OAGG;IACG,YAAY,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAgB/D;;;OAGG;IACG,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAY3E"}

package/dist/station-client.js

@@ -0,0 +1,72 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StationClient = void 0;
+/**
+ * HTTP client for communicating with the Agent Trust Station.
+ * Handles public key caching and report submission.
+ */
+class StationClient {
+    constructor(stationUrl, apiKey, refreshInterval) {
+        this.cachedPublicKey = null;
+        this.publicKeyFetchedAt = 0;
+        // Strip trailing slash
+        this.stationUrl = stationUrl.replace(/\/+$/, '');
+        this.apiKey = apiKey;
+        this.refreshInterval = refreshInterval;
+    }
+    /**
+     * Fetch the station's public key (PEM format).
+     * Caches the key and only refreshes after the refresh interval expires.
+     */
+    async getPublicKey() {
+        const now = Date.now();
+        // Return cached key if still fresh
+        if (this.cachedPublicKey && (now - this.publicKeyFetchedAt) < this.refreshInterval) {
+            return this.cachedPublicKey;
+        }
+        // Fetch from station
+        const response = await fetch(`${this.stationUrl}/.well-known/station-keys`);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch station public key: ${response.status} ${response.statusText}`);
+        }
+        const data = await response.json();
+        if (!data.pem) {
+            throw new Error('Station response missing PEM public key');
+        }
+        this.cachedPublicKey = data.pem;
+        this.publicKeyFetchedAt = now;
+        return this.cachedPublicKey;
+    }
+    /**
+     * Submit a behavior report to the station.
+     * Called after an agent performs actions through the gateway.
+     */
+    async submitReport(report) {
+        const response = await fetch(`${this.stationUrl}/reports`, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${this.apiKey}`,
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify(report)
+        });
+        if (!response.ok) {
+            const errorBody = await response.text().catch(() => 'Unknown error');
+            throw new Error(`Failed to submit report to station: ${response.status} — ${errorBody}`);
+        }
+    }
+    /**
+     * Verify a certificate remotely via the station (fallback).
+     * Prefer local verification using the public key for speed.
+     */
+    async verifyRemote(token) {
+        const response = await fetch(`${this.stationUrl}/certificates/verify?token=${encodeURIComponent(token)}`);
+        if (!response.ok) {
+            return null;
+        }
+        const data = await response.json();
+        return data.data?.valid ? data.data.payload ?? null : null;
+    }
+}
+exports.StationClient = StationClient;
+//# sourceMappingURL=station-client.js.map

package/dist/station-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"station-client.js","sourceRoot":"","sources":["../src/station-client.ts"],"names":[],"mappings":";;;AAEA;;;GAGG;AACH,MAAa,aAAa;IAOxB,YAAY,UAAkB,EAAE,MAAc,EAAE,eAAuB;QAJ/D,oBAAe,GAAkB,IAAI,CAAC;QACtC,uBAAkB,GAAW,CAAC,CAAC;QAIrC,uBAAuB;QACvB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACzC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY;QAChB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,mCAAmC;QACnC,IAAI,IAAI,CAAC,eAAe,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;YACnF,OAAO,IAAI,CAAC,eAAe,CAAC;QAC9B,CAAC;QAED,qBAAqB;QACrB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,UAAU,2BAA2B,CAAC,CAAC;QAE5E,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,uCAAuC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAChF,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAsB,CAAC;QAEvD,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QAChC,IAAI,CAAC,kBAAkB,GAAG,GAAG,CAAC;QAE9B,OAAO,IAAI,CAAC,eAAgB,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,MAA4B;QAC7C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,UAAU,UAAU,EAAE;YACzD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE;gBACxC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;SAC7B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;YACrE,MAAM,IAAI,KAAK,CAAC,uCAAuC,QAAQ,CAAC,MAAM,MAAM,SAAS,EAAE,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,IAAI,CAAC,UAAU,8BAA8B,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAC5E,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAuE,CAAC;QACxG,OAAO,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7D,CAAC;CACF;AAnFD,sCAmFC"}