@agent-vm/mcp-portal 0.0.59

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025-2026 Shravan Sunder
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,34 @@
+# @agent-vm/mcp-portal
+
+Agent-scoped MCP Portal server and Tool VM helpers.
+
+## What This Package Owns
+
+- The standalone `agent-vm-mcp-portal-server` HTTP MCP server.
+- The four model-facing portal tools: `mcp_portal_list`, `mcp_portal_search`, `mcp_portal_describe`, and `mcp_portal_call`.
+- JSON-Schema-derived Zod validation before upstream tool calls.
+- HMAC approval-token verification for portal calls that OpenClaw approved.
+- Tool VM helper exports for agents that need to reconstruct derived schemas.
+
+## Runtime Shape
+
+The server is launched in the OpenClaw gateway VM and listens on a loopback port,
+normally `127.0.0.1:18790`.
+
+Each agent receives a distinct MCP URL:
+
+```text
+http://127.0.0.1:18790/agents/<agentId>/mcp
+```
+
+The portal loads two files from `--config-dir`:
+
+- `mcp.config.jsonc`: upstream MCP provider catalog and credentials.
+- `mcp-portal.config.jsonc`: portal access header, agents, profiles, and policy.
+
+## Start Reading
+
+- `src/bin/portal-server.ts` for CLI boot and config loading.
+- `src/mcp-server/portal-http-server.ts` for Hono routing and MCP transport.
+- `src/mcp-server/portal-tools.ts` for portal tool behavior.
+- `src/auth/hmac-token.ts` for approval-token signing and verification.

package/dist/bin/agent-vm-mcp-portal.d.ts

@@ -0,0 +1,10 @@
+import { n as PortalToolRecord } from "../catalog-types--gUGFPpN.js";
+
+//#region src/bin/agent-vm-mcp-portal.d.ts
+interface PortalCatalogFile {
+  readonly tools: readonly PortalToolRecord[];
+}
+declare function runAgentVmMcpPortal(args: readonly string[]): Promise<number>;
+//#endregion
+export { PortalCatalogFile, runAgentVmMcpPortal };
+//# sourceMappingURL=agent-vm-mcp-portal.d.ts.map

package/dist/bin/agent-vm-mcp-portal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-vm-mcp-portal.d.ts","names":[],"sources":["../../src/bin/agent-vm-mcp-portal.ts"],"mappings":";;;UAgBiB,iBAAA;EAAA,SACP,KAAA,WAAgB,gBAAA;AAAA;AAAA,iBAyBJ,mBAAA,CAAoB,IAAA,sBAA0B,OAAA"}

package/dist/bin/agent-vm-mcp-portal.js

@@ -0,0 +1,56 @@
+#!/usr/bin/env node
+import { a as portalToolRecordSchema, t as generateTypescriptCatalogArtifact } from "../typescript-artifact-BqU8okQy.js";
+import { z } from "zod";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+//#region src/bin/agent-vm-mcp-portal.ts
+const catalogFileSchema = z.object({ tools: z.array(portalToolRecordSchema) }).strict();
+async function readCatalogFile(catalogPath) {
+	const rawCatalog = await readFile(catalogPath, "utf-8");
+	const parsedJson = JSON.parse(rawCatalog);
+	return catalogFileSchema.parse(parsedJson);
+}
+function parseOutputDirectory(args) {
+	const outputFlagIndex = args.indexOf("--out");
+	if (outputFlagIndex === -1) return null;
+	return args[outputFlagIndex + 1] ?? null;
+}
+function printUsage() {
+	process.stderr.write("Usage: agent-vm-mcp-portal validate <catalog.json>\n");
+	process.stderr.write("Usage: agent-vm-mcp-portal generate-helper <catalog.json> --out <directory>\n");
+}
+async function runAgentVmMcpPortal(args) {
+	const [command, catalogPath, ...restArgs] = args;
+	if (!command || !catalogPath) {
+		printUsage();
+		return 1;
+	}
+	try {
+		const catalog = await readCatalogFile(catalogPath);
+		switch (command) {
+			case "validate": return 0;
+			case "generate-helper": {
+				const outputDirectory = parseOutputDirectory(restArgs);
+				if (!outputDirectory) {
+					printUsage();
+					return 1;
+				}
+				await mkdir(outputDirectory, { recursive: true });
+				await writeFile(join(outputDirectory, "catalog.json"), JSON.stringify(catalog, null, "	"));
+				await writeFile(join(outputDirectory, "catalog.ts"), generateTypescriptCatalogArtifact(catalog));
+				return 0;
+			}
+			default:
+				printUsage();
+				return 1;
+		}
+	} catch (error) {
+		process.stderr.write(`${error instanceof Error ? error.message : String(error)}\n`);
+		return 1;
+	}
+}
+if (process.argv[1]?.endsWith("agent-vm-mcp-portal.js")) process.exitCode = await runAgentVmMcpPortal(process.argv.slice(2));
+//#endregion
+export { runAgentVmMcpPortal };
+
+//# sourceMappingURL=agent-vm-mcp-portal.js.map

package/dist/bin/agent-vm-mcp-portal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-vm-mcp-portal.js","names":[],"sources":["../../src/bin/agent-vm-mcp-portal.ts"],"sourcesContent":["#!/usr/bin/env node\n\nimport { mkdir, readFile, writeFile } from 'node:fs/promises';\nimport { join } from 'node:path';\n\nimport { z } from 'zod';\n\nimport { portalToolRecordSchema, type PortalToolRecord } from '../catalog-types.js';\nimport { generateTypescriptCatalogArtifact } from '../tool-vm/typescript-artifact.js';\n\nconst catalogFileSchema = z\n\t.object({\n\t\ttools: z.array(portalToolRecordSchema),\n\t})\n\t.strict();\n\nexport interface PortalCatalogFile {\n\treadonly tools: readonly PortalToolRecord[];\n}\n\nasync function readCatalogFile(catalogPath: string): Promise<PortalCatalogFile> {\n\tconst rawCatalog = await readFile(catalogPath, 'utf-8');\n\tconst parsedJson = JSON.parse(rawCatalog) as unknown;\n\treturn catalogFileSchema.parse(parsedJson);\n}\n\nfunction parseOutputDirectory(args: readonly string[]): string | null {\n\tconst outputFlagIndex = args.indexOf('--out');\n\tif (outputFlagIndex === -1) {\n\t\treturn null;\n\t}\n\n\treturn args[outputFlagIndex + 1] ?? null;\n}\n\nfunction printUsage(): void {\n\tprocess.stderr.write('Usage: agent-vm-mcp-portal validate <catalog.json>\\n');\n\tprocess.stderr.write(\n\t\t'Usage: agent-vm-mcp-portal generate-helper <catalog.json> --out <directory>\\n',\n\t);\n}\n\nexport async function runAgentVmMcpPortal(args: readonly string[]): Promise<number> {\n\tconst [command, catalogPath, ...restArgs] = args;\n\tif (!command || !catalogPath) {\n\t\tprintUsage();\n\t\treturn 1;\n\t}\n\n\ttry {\n\t\tconst catalog = await readCatalogFile(catalogPath);\n\t\tswitch (command) {\n\t\t\tcase 'validate':\n\t\t\t\treturn 0;\n\t\t\tcase 'generate-helper': {\n\t\t\t\tconst outputDirectory = parseOutputDirectory(restArgs);\n\t\t\t\tif (!outputDirectory) {\n\t\t\t\t\tprintUsage();\n\t\t\t\t\treturn 1;\n\t\t\t\t}\n\n\t\t\t\tawait mkdir(outputDirectory, { recursive: true });\n\t\t\t\tawait writeFile(join(outputDirectory, 'catalog.json'), JSON.stringify(catalog, null, '\\t'));\n\t\t\t\tawait writeFile(\n\t\t\t\t\tjoin(outputDirectory, 'catalog.ts'),\n\t\t\t\t\tgenerateTypescriptCatalogArtifact(catalog),\n\t\t\t\t);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tdefault:\n\t\t\t\tprintUsage();\n\t\t\t\treturn 1;\n\t\t}\n\t} catch (error) {\n\t\tprocess.stderr.write(`${error instanceof Error ? error.message : String(error)}\\n`);\n\t\treturn 1;\n\t}\n}\n\nif (process.argv[1]?.endsWith('agent-vm-mcp-portal.js')) {\n\tprocess.exitCode = await runAgentVmMcpPortal(process.argv.slice(2));\n}\n"],"mappings":";;;;;;AAUA,MAAM,oBAAoB,EACxB,OAAO,EACP,OAAO,EAAE,MAAM,uBAAuB,EACtC,CAAC,CACD,QAAQ;AAMV,eAAe,gBAAgB,aAAiD;CAC/E,MAAM,aAAa,MAAM,SAAS,aAAa,QAAQ;CACvD,MAAM,aAAa,KAAK,MAAM,WAAW;CACzC,OAAO,kBAAkB,MAAM,WAAW;;AAG3C,SAAS,qBAAqB,MAAwC;CACrE,MAAM,kBAAkB,KAAK,QAAQ,QAAQ;CAC7C,IAAI,oBAAoB,IACvB,OAAO;CAGR,OAAO,KAAK,kBAAkB,MAAM;;AAGrC,SAAS,aAAmB;CAC3B,QAAQ,OAAO,MAAM,uDAAuD;CAC5E,QAAQ,OAAO,MACd,gFACA;;AAGF,eAAsB,oBAAoB,MAA0C;CACnF,MAAM,CAAC,SAAS,aAAa,GAAG,YAAY;CAC5C,IAAI,CAAC,WAAW,CAAC,aAAa;EAC7B,YAAY;EACZ,OAAO;;CAGR,IAAI;EACH,MAAM,UAAU,MAAM,gBAAgB,YAAY;EAClD,QAAQ,SAAR;GACC,KAAK,YACJ,OAAO;GACR,KAAK,mBAAmB;IACvB,MAAM,kBAAkB,qBAAqB,SAAS;IACtD,IAAI,CAAC,iBAAiB;KACrB,YAAY;KACZ,OAAO;;IAGR,MAAM,MAAM,iBAAiB,EAAE,WAAW,MAAM,CAAC;IACjD,MAAM,UAAU,KAAK,iBAAiB,eAAe,EAAE,KAAK,UAAU,SAAS,MAAM,IAAK,CAAC;IAC3F,MAAM,UACL,KAAK,iBAAiB,aAAa,EACnC,kCAAkC,QAAQ,CAC1C;IACD,OAAO;;GAER;IACC,YAAY;IACZ,OAAO;;UAED,OAAO;EACf,QAAQ,OAAO,MAAM,GAAG,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,CAAC,IAAI;EACnF,OAAO;;;AAIT,IAAI,QAAQ,KAAK,IAAI,SAAS,yBAAyB,EACtD,QAAQ,WAAW,MAAM,oBAAoB,QAAQ,KAAK,MAAM,EAAE,CAAC"}

package/dist/bin/portal-server.d.ts

@@ -0,0 +1,54 @@
+import { McpPortalAgentConfig, SecretValue } from "@agent-vm/config-contracts";
+import { serve } from "@hono/node-server";
+
+//#region src/bin/portal-server.d.ts
+type PortalServeFunction = typeof serve;
+type PortalServerLogEvent = {
+  readonly agentId: string;
+  readonly conservativeCallCount: number;
+  readonly event: 'conservative_approval_fallback';
+  readonly level: 'warn';
+  readonly primaryReason: string;
+  readonly strictCallCount: number;
+  readonly toolRefs: readonly string[];
+} | {
+  readonly event: 'server_error';
+  readonly level: 'error';
+  readonly message: string;
+  readonly stack?: string;
+};
+interface PortalServerLogger {
+  readonly log: (event: PortalServerLogEvent) => void;
+}
+interface PortalServerCliArgs {
+  readonly agentOverrides: readonly string[];
+  readonly configDir: string;
+  readonly port?: number;
+}
+interface StartPortalServerProps {
+  readonly args: PortalServerCliArgs;
+  readonly env: Readonly<Record<string, string | undefined>>;
+  readonly logger?: PortalServerLogger;
+  readonly resolveSecret?: (secret: SecretValue) => Promise<string>;
+  readonly serveFn?: PortalServeFunction;
+}
+declare function parsePortalServerCliArgs(argv: readonly string[]): PortalServerCliArgs;
+declare function applyAgentOverrides(agents: Readonly<Record<string, McpPortalAgentConfig>>, overrides: readonly string[]): Readonly<Record<string, McpPortalAgentConfig>>;
+interface DeferredPort {
+  readonly promise: Promise<number>;
+  readonly reject: (error: Error) => void;
+  readonly resolve: (port: number) => void;
+}
+declare function handlePortalServerError(props: {
+  readonly error: Error;
+  readonly hasListened: boolean;
+  readonly listeningPort: DeferredPort;
+  readonly logger: PortalServerLogger;
+}): void;
+declare function startPortalServer(props: StartPortalServerProps): Promise<{
+  readonly close: () => Promise<void>;
+  readonly port: number;
+}>;
+//#endregion
+export { DeferredPort, PortalServerCliArgs, PortalServerLogEvent, PortalServerLogger, StartPortalServerProps, applyAgentOverrides, handlePortalServerError, parsePortalServerCliArgs, startPortalServer };
+//# sourceMappingURL=portal-server.d.ts.map

package/dist/bin/portal-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"portal-server.d.ts","names":[],"sources":["../../src/bin/portal-server.ts"],"mappings":";;;;KAmCK,mBAAA,UAA6B,KAAA;AAAA,KAEtB,oBAAA;EAAA,SAEA,OAAA;EAAA,SACA,qBAAA;EAAA,SACA,KAAA;EAAA,SACA,KAAA;EAAA,SACA,aAAA;EAAA,SACA,eAAA;EAAA,SACA,QAAA;AAAA;EAAA,SAGA,KAAA;EAAA,SACA,KAAA;EAAA,SACA,OAAA;EAAA,SACA,KAAA;AAAA;AAAA,UAGK,kBAAA;EAAA,SACP,GAAA,GAAM,KAAA,EAAO,oBAAA;AAAA;AAAA,UAGN,mBAAA;EAAA,SACP,cAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,sBAAA;EAAA,SACP,IAAA,EAAM,mBAAA;EAAA,SACN,GAAA,EAAK,QAAA,CAAS,MAAA;EAAA,SACd,MAAA,GAAS,kBAAA;EAAA,SACT,aAAA,IAAiB,MAAA,EAAQ,WAAA,KAAgB,OAAA;EAAA,SACzC,OAAA,GAAU,mBAAA;AAAA;AAAA,iBAoBJ,wBAAA,CAAyB,IAAA,sBAA0B,mBAAA;AAAA,iBAuBnD,mBAAA,CACf,MAAA,EAAQ,QAAA,CAAS,MAAA,SAAe,oBAAA,IAChC,SAAA,sBACE,QAAA,CAAS,MAAA,SAAe,oBAAA;AAAA,UAsBV,YAAA;EAAA,SACP,OAAA,EAAS,OAAA;EAAA,SACT,MAAA,GAAS,KAAA,EAAO,KAAA;EAAA,SAChB,OAAA,GAAU,IAAA;AAAA;AAAA,iBAmCJ,uBAAA,CAAwB,KAAA;EAAA,SAC9B,KAAA,EAAO,KAAA;EAAA,SACP,WAAA;EAAA,SACA,aAAA,EAAe,YAAA;EAAA,SACf,MAAA,EAAQ,kBAAA;AAAA;AAAA,iBAiHI,iBAAA,CACrB,KAAA,EAAO,sBAAA,GACL,OAAA;EAAA,SAAmB,KAAA,QAAa,OAAA;EAAA,SAAwB,IAAA;AAAA"}

package/dist/bin/portal-server.js

@@ -0,0 +1,277 @@
+#!/usr/bin/env node
+import { f as createPortalAgentRuntimeRecords, g as createPortalHttpApp, h as resolveAgentHmacKeys, j as parseHmacKeysFromEnv, l as createPortalSessionManager, m as createPortalHttpAgentResolver, p as createPortalApprovalVerifier, t as createUpstreamMcpClientRuntime } from "../upstream-mcp-client-runtime-DiBCBsDj.js";
+import { loadMcpConfig, loadMcpPortalConfig, mcpConfigToResolvedProviders, resolveMcpPortalProfile } from "@agent-vm/config-contracts";
+import { join } from "node:path";
+import { parseArgs, promisify } from "node:util";
+import { serve } from "@hono/node-server";
+import { execFile } from "node:child_process";
+//#region src/bin/secret-value-resolver.ts
+const execFileAsync = promisify(execFile);
+async function resolveSecretValue(secret, props) {
+	if (secret.source === "environment") {
+		const value = props.env[secret.name];
+		if (value === void 0 || value.length === 0) throw new Error(`Missing environment secret ${secret.name}.`);
+		return value;
+	}
+	return await (props.readOnePasswordSecret ?? readOnePasswordCliSecret)(secret.ref);
+}
+async function readOnePasswordCliSecret(ref) {
+	const { stdout } = await execFileAsync("op", ["read", ref], { encoding: "utf8" });
+	return stdout.trimEnd();
+}
+//#endregion
+//#region src/bin/portal-server.ts
+function parsePort(value) {
+	if (value === void 0) return;
+	const port = Number(value);
+	if (!Number.isInteger(port) || port < 0 || port > 65535) throw new Error(`Invalid --port value "${value}".`);
+	return port;
+}
+function parsePortalServerCliArgs(argv) {
+	const parsed = parseArgs({
+		args: [...argv],
+		options: {
+			agent: {
+				multiple: true,
+				type: "string"
+			},
+			"config-dir": { type: "string" },
+			port: {
+				short: "p",
+				type: "string"
+			}
+		},
+		strict: true
+	});
+	const configDir = parsed.values["config-dir"];
+	if (typeof configDir !== "string" || configDir.length === 0) throw new Error("--config-dir <path> is required.");
+	const rawAgentOverrides = parsed.values.agent;
+	const args = {
+		agentOverrides: Array.isArray(rawAgentOverrides) ? rawAgentOverrides : [],
+		configDir
+	};
+	const port = parsePort(parsed.values.port);
+	return port === void 0 ? args : {
+		...args,
+		port
+	};
+}
+function applyAgentOverrides(agents, overrides) {
+	const nextAgents = { ...agents };
+	for (const override of overrides) {
+		const [agentId, profileName, extra] = override.split("=");
+		if (agentId === void 0 || profileName === void 0 || extra !== void 0 || agentId.length === 0 || profileName.length === 0) throw new Error(`Invalid --agent override "${override}". Expected <agentId>=<profile>.`);
+		const existingAgent = nextAgents[agentId];
+		if (existingAgent === void 0) throw new Error(`Cannot override unknown MCP Portal agent "${agentId}".`);
+		nextAgents[agentId] = {
+			...existingAgent,
+			profile: profileName
+		};
+	}
+	return nextAgents;
+}
+function createDeferredPort() {
+	let rejectPort;
+	let resolvePort;
+	return {
+		promise: new Promise((resolve, reject) => {
+			rejectPort = reject;
+			resolvePort = resolve;
+		}),
+		reject: (error) => {
+			if (rejectPort === void 0) throw new Error("MCP Portal port rejector was not initialized.");
+			rejectPort(error);
+		},
+		resolve: (port) => {
+			if (resolvePort === void 0) throw new Error("MCP Portal port resolver was not initialized.");
+			resolvePort(port);
+		}
+	};
+}
+function defaultPortalServerLogger() {
+	return { log: (event) => {
+		process.stderr.write(`${JSON.stringify(event)}\n`);
+	} };
+}
+function handlePortalServerError(props) {
+	props.logger.log({
+		event: "server_error",
+		level: "error",
+		message: props.error.message,
+		...props.error.stack === void 0 ? {} : { stack: props.error.stack }
+	});
+	if (!props.hasListened) props.listeningPort.reject(props.error);
+}
+function closeNodeServer(server) {
+	return new Promise((resolve, reject) => {
+		server.close((error) => {
+			if (error) reject(error);
+			else resolve();
+		});
+	});
+}
+async function resolveProviderSecretRecord(secrets, resolveSecret) {
+	const resolvedEntries = await Promise.all(Object.entries(secrets).map(async ([name, secret]) => [name, await resolveSecret(secret)]));
+	return Object.fromEntries(resolvedEntries);
+}
+async function resolveUpstreamServer(provider, resolveSecret) {
+	if (provider.transport === "stdio") return {
+		args: provider.args,
+		command: provider.command,
+		...provider.cwd === void 0 ? {} : { cwd: provider.cwd },
+		env: await resolveProviderSecretRecord(provider.env, resolveSecret),
+		namespace: provider.namespace,
+		transport: "stdio"
+	};
+	return {
+		headers: await resolveProviderSecretRecord(provider.headers, resolveSecret),
+		namespace: provider.namespace,
+		transport: provider.transport,
+		url: provider.url
+	};
+}
+async function resolveUpstreamServers(mcpConfig, resolveSecret) {
+	return await Promise.all(mcpConfigToResolvedProviders(mcpConfig).map(async (provider) => resolveUpstreamServer(provider, resolveSecret)));
+}
+function selectorsFromNamespaceTools(namespaceTools) {
+	return Object.entries(namespaceTools).flatMap(([namespace, toolNames]) => toolNames.map((toolName) => ({
+		namespace,
+		toolName
+	})));
+}
+function buildProfilePolicyMaps(portalConfig) {
+	const enabledNamespacesByAgent = {};
+	const enabledToolsByAgent = {};
+	const hiddenToolsByAgent = {};
+	const profileTtls = [];
+	for (const [agentId, agent] of Object.entries(portalConfig.agents)) {
+		const profile = resolveMcpPortalProfile(portalConfig, agent.profile);
+		enabledNamespacesByAgent[agentId] = profile.enabledNamespaces;
+		enabledToolsByAgent[agentId] = selectorsFromNamespaceTools(profile.enabledToolsByNamespace);
+		hiddenToolsByAgent[agentId] = selectorsFromNamespaceTools(profile.hiddenToolsByNamespace);
+		profileTtls.push(profile.cache.catalogTtlMs);
+	}
+	return {
+		cacheTtlMs: profileTtls.length === 0 ? 6e4 : Math.min(...profileTtls),
+		enabledNamespacesByAgent,
+		enabledToolsByAgent,
+		hiddenToolsByAgent
+	};
+}
+function withAgentOverrides(portalConfig, agentOverrides) {
+	return {
+		...portalConfig,
+		agents: applyAgentOverrides(portalConfig.agents, agentOverrides)
+	};
+}
+async function startPortalServer(props) {
+	const logger = props.logger ?? defaultPortalServerLogger();
+	const serveFn = props.serveFn ?? serve;
+	const resolveSecret = props.resolveSecret ?? ((secret) => resolveSecretValue(secret, { env: props.env }));
+	const mcpConfig = await loadMcpConfig(join(props.args.configDir, "mcp.config.jsonc"));
+	const portalConfig = withAgentOverrides(await loadMcpPortalConfig(join(props.args.configDir, "mcp-portal.config.jsonc")), props.args.agentOverrides);
+	const serverAccessSecret = await resolveSecret(portalConfig.server.accessHeader.secret);
+	const agentRecords = createPortalAgentRuntimeRecords({
+		hmacKeys: await resolveAgentHmacKeys({
+			agents: portalConfig.agents,
+			envKeys: parseHmacKeysFromEnv(props.env),
+			resolveSecret
+		}),
+		portalConfig
+	});
+	const upstreamServers = await resolveUpstreamServers(mcpConfig, resolveSecret);
+	const upstreamRuntime = createUpstreamMcpClientRuntime({ servers: upstreamServers });
+	const profilePolicyMaps = buildProfilePolicyMaps(portalConfig);
+	const sessionManager = createPortalSessionManager({
+		accessPolicy: {
+			defaultPolicy: "deny-all",
+			enabledNamespacesByAgent: profilePolicyMaps.enabledNamespacesByAgent,
+			enabledToolsByAgent: profilePolicyMaps.enabledToolsByAgent,
+			hiddenToolsByAgent: profilePolicyMaps.hiddenToolsByAgent
+		},
+		catalogTtlMs: profilePolicyMaps.cacheTtlMs,
+		runtime: upstreamRuntime,
+		upstreamNamespaces: upstreamServers.map((server) => server.namespace)
+	});
+	const verifyApproval = createPortalApprovalVerifier({
+		onConservativeApprovalFallback: (event) => {
+			logger.log({
+				agentId: event.agentId,
+				conservativeCallCount: event.conservativeCallCount,
+				event: "conservative_approval_fallback",
+				level: "warn",
+				primaryReason: event.primaryReason,
+				strictCallCount: event.strictCallCount,
+				toolRefs: event.toolRefs
+			});
+		},
+		records: agentRecords
+	});
+	const app = createPortalHttpApp({
+		onSessionClosed: async (identity) => {
+			await sessionManager.invalidateSession(identity);
+		},
+		registeredAgentIds: Object.keys(portalConfig.agents),
+		resolveAgentIdentity: createPortalHttpAgentResolver(agentRecords),
+		serverAccess: {
+			expectedValue: serverAccessSecret,
+			headerName: portalConfig.server.accessHeader.name
+		},
+		toolRuntime: {
+			approval: (calls, identity, approvalToken) => verifyApproval(calls, identity.agentId, approvalToken),
+			callUpstreamTool: upstreamRuntime.callTool,
+			getSession: sessionManager.getSession
+		}
+	});
+	const listeningPort = createDeferredPort();
+	let hasListened = false;
+	const server = serveFn({
+		fetch: app.fetch,
+		hostname: portalConfig.server.host,
+		port: props.args.port ?? portalConfig.server.port
+	}, (info) => {
+		hasListened = true;
+		process.stdout.write(`listening port=${String(info.port)}\n`);
+		listeningPort.resolve(info.port);
+	});
+	server.on("error", (error) => {
+		handlePortalServerError({
+			error,
+			hasListened,
+			listeningPort,
+			logger
+		});
+	});
+	return {
+		close: async () => {
+			await app.closePortalSessions();
+			await Promise.all(Object.keys(portalConfig.agents).map((agentId) => sessionManager.invalidateAgentScope(agentId)));
+			await closeNodeServer(server);
+		},
+		port: await listeningPort.promise
+	};
+}
+async function main() {
+	const startedServer = await startPortalServer({
+		args: parsePortalServerCliArgs(process.argv.slice(2)),
+		env: process.env
+	});
+	const shutdown = async () => {
+		await startedServer.close();
+		process.exit(0);
+	};
+	process.on("SIGINT", () => {
+		shutdown();
+	});
+	process.on("SIGTERM", () => {
+		shutdown();
+	});
+}
+if (import.meta.url === `file://${process.argv[1]}`) main().catch((error) => {
+	process.stderr.write(`${error instanceof Error ? error.message : String(error)}\n`);
+	process.exit(1);
+});
+//#endregion
+export { applyAgentOverrides, handlePortalServerError, parsePortalServerCliArgs, startPortalServer };
+
+//# sourceMappingURL=portal-server.js.map

package/dist/bin/portal-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"portal-server.js","names":[],"sources":["../../src/bin/secret-value-resolver.ts","../../src/bin/portal-server.ts"],"sourcesContent":["import { execFile } from 'node:child_process';\nimport { promisify } from 'node:util';\n\nimport type { SecretValue } from '@agent-vm/config-contracts';\n\nconst execFileAsync = promisify(execFile);\n\nexport interface ResolveSecretValueProps {\n\treadonly env: Readonly<Record<string, string | undefined>>;\n\treadonly readOnePasswordSecret?: (ref: string) => Promise<string>;\n}\n\nexport async function resolveSecretValue(\n\tsecret: SecretValue,\n\tprops: ResolveSecretValueProps,\n): Promise<string> {\n\tif (secret.source === 'environment') {\n\t\tconst value = props.env[secret.name];\n\t\tif (value === undefined || value.length === 0) {\n\t\t\tthrow new Error(`Missing environment secret ${secret.name}.`);\n\t\t}\n\t\treturn value;\n\t}\n\n\tconst readOnePasswordSecret = props.readOnePasswordSecret ?? readOnePasswordCliSecret;\n\treturn await readOnePasswordSecret(secret.ref);\n}\n\nasync function readOnePasswordCliSecret(ref: string): Promise<string> {\n\tconst { stdout } = await execFileAsync('op', ['read', ref], { encoding: 'utf8' });\n\treturn stdout.trimEnd();\n}\n","#!/usr/bin/env node\nimport { join } from 'node:path';\nimport { parseArgs } from 'node:util';\n\nimport {\n\tloadMcpConfig,\n\tloadMcpPortalConfig,\n\tmcpConfigToResolvedProviders,\n\tresolveMcpPortalProfile,\n\ttype McpConfig,\n\ttype McpPortalAgentConfig,\n\ttype McpPortalConfig,\n\ttype ResolvedMcpProvider,\n\ttype ResolvedMcpPortalProfile,\n\ttype SecretValue,\n} from '@agent-vm/config-contracts';\nimport { serve } from '@hono/node-server';\n\nimport { parseHmacKeysFromEnv } from '../auth/hmac-env.js';\nimport { createPortalHttpApp } from '../mcp-server/portal-http-server.js';\nimport {\n\tcreatePortalAgentRuntimeRecords,\n\tcreatePortalApprovalVerifier,\n\tcreatePortalHttpAgentResolver,\n\tresolveAgentHmacKeys,\n} from '../mcp-server/resolve-agent-identity.js';\nimport type { PortalToolSelector } from '../portal-access-policy.js';\nimport { createPortalSessionManager } from '../portal-session.js';\nimport {\n\tcreateUpstreamMcpClientRuntime,\n\ttype NormalizedUpstreamMcpServer,\n} from '../upstream-mcp-client-runtime.js';\nimport { resolveSecretValue } from './secret-value-resolver.js';\n\ntype PortalNodeServer = ReturnType<typeof serve>;\ntype PortalServeFunction = typeof serve;\n\nexport type PortalServerLogEvent =\n\t| {\n\t\t\treadonly agentId: string;\n\t\t\treadonly conservativeCallCount: number;\n\t\t\treadonly event: 'conservative_approval_fallback';\n\t\t\treadonly level: 'warn';\n\t\t\treadonly primaryReason: string;\n\t\t\treadonly strictCallCount: number;\n\t\t\treadonly toolRefs: readonly string[];\n\t  }\n\t| {\n\t\t\treadonly event: 'server_error';\n\t\t\treadonly level: 'error';\n\t\t\treadonly message: string;\n\t\t\treadonly stack?: string;\n\t  };\n\nexport interface PortalServerLogger {\n\treadonly log: (event: PortalServerLogEvent) => void;\n}\n\nexport interface PortalServerCliArgs {\n\treadonly agentOverrides: readonly string[];\n\treadonly configDir: string;\n\treadonly port?: number;\n}\n\nexport interface StartPortalServerProps {\n\treadonly args: PortalServerCliArgs;\n\treadonly env: Readonly<Record<string, string | undefined>>;\n\treadonly logger?: PortalServerLogger;\n\treadonly resolveSecret?: (secret: SecretValue) => Promise<string>;\n\treadonly serveFn?: PortalServeFunction;\n}\n\ninterface ProfilePolicyMaps {\n\treadonly enabledNamespacesByAgent: Readonly<Record<string, readonly string[]>>;\n\treadonly enabledToolsByAgent: Readonly<Record<string, readonly PortalToolSelector[]>>;\n\treadonly hiddenToolsByAgent: Readonly<Record<string, readonly PortalToolSelector[]>>;\n}\n\nfunction parsePort(value: string | undefined): number | undefined {\n\tif (value === undefined) {\n\t\treturn undefined;\n\t}\n\tconst port = Number(value);\n\tif (!Number.isInteger(port) || port < 0 || port > 65_535) {\n\t\tthrow new Error(`Invalid --port value \"${value}\".`);\n\t}\n\treturn port;\n}\n\nexport function parsePortalServerCliArgs(argv: readonly string[]): PortalServerCliArgs {\n\tconst parsed = parseArgs({\n\t\targs: [...argv],\n\t\toptions: {\n\t\t\tagent: { multiple: true, type: 'string' },\n\t\t\t'config-dir': { type: 'string' },\n\t\t\tport: { short: 'p', type: 'string' },\n\t\t},\n\t\tstrict: true,\n\t});\n\tconst configDir = parsed.values['config-dir'];\n\tif (typeof configDir !== 'string' || configDir.length === 0) {\n\t\tthrow new Error('--config-dir <path> is required.');\n\t}\n\tconst rawAgentOverrides = parsed.values.agent;\n\tconst args = {\n\t\tagentOverrides: Array.isArray(rawAgentOverrides) ? rawAgentOverrides : [],\n\t\tconfigDir,\n\t};\n\tconst port = parsePort(parsed.values.port);\n\treturn port === undefined ? args : { ...args, port };\n}\n\nexport function applyAgentOverrides(\n\tagents: Readonly<Record<string, McpPortalAgentConfig>>,\n\toverrides: readonly string[],\n): Readonly<Record<string, McpPortalAgentConfig>> {\n\tconst nextAgents: Record<string, McpPortalAgentConfig> = { ...agents };\n\tfor (const override of overrides) {\n\t\tconst [agentId, profileName, extra] = override.split('=');\n\t\tif (\n\t\t\tagentId === undefined ||\n\t\t\tprofileName === undefined ||\n\t\t\textra !== undefined ||\n\t\t\tagentId.length === 0 ||\n\t\t\tprofileName.length === 0\n\t\t) {\n\t\t\tthrow new Error(`Invalid --agent override \"${override}\". Expected <agentId>=<profile>.`);\n\t\t}\n\t\tconst existingAgent = nextAgents[agentId];\n\t\tif (existingAgent === undefined) {\n\t\t\tthrow new Error(`Cannot override unknown MCP Portal agent \"${agentId}\".`);\n\t\t}\n\t\tnextAgents[agentId] = { ...existingAgent, profile: profileName };\n\t}\n\treturn nextAgents;\n}\n\nexport interface DeferredPort {\n\treadonly promise: Promise<number>;\n\treadonly reject: (error: Error) => void;\n\treadonly resolve: (port: number) => void;\n}\n\nfunction createDeferredPort(): DeferredPort {\n\tlet rejectPort: ((error: Error) => void) | undefined;\n\tlet resolvePort: ((port: number) => void) | undefined;\n\tconst promise = new Promise<number>((resolve, reject) => {\n\t\trejectPort = reject;\n\t\tresolvePort = resolve;\n\t});\n\treturn {\n\t\tpromise,\n\t\treject: (error) => {\n\t\t\tif (rejectPort === undefined) {\n\t\t\t\tthrow new Error('MCP Portal port rejector was not initialized.');\n\t\t\t}\n\t\t\trejectPort(error);\n\t\t},\n\t\tresolve: (port) => {\n\t\t\tif (resolvePort === undefined) {\n\t\t\t\tthrow new Error('MCP Portal port resolver was not initialized.');\n\t\t\t}\n\t\t\tresolvePort(port);\n\t\t},\n\t};\n}\n\nfunction defaultPortalServerLogger(): PortalServerLogger {\n\treturn {\n\t\tlog: (event) => {\n\t\t\tprocess.stderr.write(`${JSON.stringify(event)}\\n`);\n\t\t},\n\t};\n}\n\nexport function handlePortalServerError(props: {\n\treadonly error: Error;\n\treadonly hasListened: boolean;\n\treadonly listeningPort: DeferredPort;\n\treadonly logger: PortalServerLogger;\n}): void {\n\tprops.logger.log({\n\t\tevent: 'server_error',\n\t\tlevel: 'error',\n\t\tmessage: props.error.message,\n\t\t...(props.error.stack === undefined ? {} : { stack: props.error.stack }),\n\t});\n\tif (!props.hasListened) {\n\t\tprops.listeningPort.reject(props.error);\n\t}\n}\n\nfunction closeNodeServer(server: PortalNodeServer): Promise<void> {\n\treturn new Promise<void>((resolve, reject) => {\n\t\tserver.close((error) => {\n\t\t\tif (error) {\n\t\t\t\treject(error);\n\t\t\t} else {\n\t\t\t\tresolve();\n\t\t\t}\n\t\t});\n\t});\n}\n\nasync function resolveProviderSecretRecord(\n\tsecrets: Readonly<Record<string, SecretValue>>,\n\tresolveSecret: (secret: SecretValue) => Promise<string>,\n): Promise<Readonly<Record<string, string>>> {\n\tconst resolvedEntries = await Promise.all(\n\t\tObject.entries(secrets).map(\n\t\t\tasync ([name, secret]) => [name, await resolveSecret(secret)] as const,\n\t\t),\n\t);\n\treturn Object.fromEntries(resolvedEntries);\n}\n\nasync function resolveUpstreamServer(\n\tprovider: ResolvedMcpProvider,\n\tresolveSecret: (secret: SecretValue) => Promise<string>,\n): Promise<NormalizedUpstreamMcpServer> {\n\tif (provider.transport === 'stdio') {\n\t\treturn {\n\t\t\targs: provider.args,\n\t\t\tcommand: provider.command,\n\t\t\t...(provider.cwd === undefined ? {} : { cwd: provider.cwd }),\n\t\t\tenv: await resolveProviderSecretRecord(provider.env, resolveSecret),\n\t\t\tnamespace: provider.namespace,\n\t\t\ttransport: 'stdio',\n\t\t};\n\t}\n\n\treturn {\n\t\theaders: await resolveProviderSecretRecord(provider.headers, resolveSecret),\n\t\tnamespace: provider.namespace,\n\t\ttransport: provider.transport,\n\t\turl: provider.url,\n\t};\n}\n\nasync function resolveUpstreamServers(\n\tmcpConfig: McpConfig,\n\tresolveSecret: (secret: SecretValue) => Promise<string>,\n): Promise<readonly NormalizedUpstreamMcpServer[]> {\n\treturn await Promise.all(\n\t\tmcpConfigToResolvedProviders(mcpConfig).map(async (provider) =>\n\t\t\tresolveUpstreamServer(provider, resolveSecret),\n\t\t),\n\t);\n}\n\nfunction selectorsFromNamespaceTools(\n\tnamespaceTools: Readonly<Record<string, readonly string[]>>,\n): readonly PortalToolSelector[] {\n\treturn Object.entries(namespaceTools).flatMap(([namespace, toolNames]) =>\n\t\ttoolNames.map((toolName) => ({ namespace, toolName })),\n\t);\n}\n\nfunction buildProfilePolicyMaps(\n\tportalConfig: McpPortalConfig,\n): ProfilePolicyMaps & { readonly cacheTtlMs: number } {\n\tconst enabledNamespacesByAgent: Record<string, readonly string[]> = {};\n\tconst enabledToolsByAgent: Record<string, readonly PortalToolSelector[]> = {};\n\tconst hiddenToolsByAgent: Record<string, readonly PortalToolSelector[]> = {};\n\tconst profileTtls: number[] = [];\n\n\tfor (const [agentId, agent] of Object.entries(portalConfig.agents)) {\n\t\tconst profile: ResolvedMcpPortalProfile = resolveMcpPortalProfile(portalConfig, agent.profile);\n\t\tenabledNamespacesByAgent[agentId] = profile.enabledNamespaces;\n\t\tenabledToolsByAgent[agentId] = selectorsFromNamespaceTools(profile.enabledToolsByNamespace);\n\t\thiddenToolsByAgent[agentId] = selectorsFromNamespaceTools(profile.hiddenToolsByNamespace);\n\t\tprofileTtls.push(profile.cache.catalogTtlMs);\n\t}\n\n\treturn {\n\t\tcacheTtlMs: profileTtls.length === 0 ? 60_000 : Math.min(...profileTtls),\n\t\tenabledNamespacesByAgent,\n\t\tenabledToolsByAgent,\n\t\thiddenToolsByAgent,\n\t};\n}\n\nfunction withAgentOverrides(\n\tportalConfig: McpPortalConfig,\n\tagentOverrides: readonly string[],\n): McpPortalConfig {\n\treturn {\n\t\t...portalConfig,\n\t\tagents: applyAgentOverrides(portalConfig.agents, agentOverrides),\n\t};\n}\n\nexport async function startPortalServer(\n\tprops: StartPortalServerProps,\n): Promise<{ readonly close: () => Promise<void>; readonly port: number }> {\n\tconst logger = props.logger ?? defaultPortalServerLogger();\n\tconst serveFn = props.serveFn ?? serve;\n\tconst resolveSecret =\n\t\tprops.resolveSecret ??\n\t\t((secret: SecretValue) => resolveSecretValue(secret, { env: props.env }));\n\tconst mcpConfig = await loadMcpConfig(join(props.args.configDir, 'mcp.config.jsonc'));\n\tconst portalConfig = withAgentOverrides(\n\t\tawait loadMcpPortalConfig(join(props.args.configDir, 'mcp-portal.config.jsonc')),\n\t\tprops.args.agentOverrides,\n\t);\n\tconst serverAccessSecret = await resolveSecret(portalConfig.server.accessHeader.secret);\n\tconst hmacKeys = await resolveAgentHmacKeys({\n\t\tagents: portalConfig.agents,\n\t\tenvKeys: parseHmacKeysFromEnv(props.env),\n\t\tresolveSecret,\n\t});\n\tconst agentRecords = createPortalAgentRuntimeRecords({ hmacKeys, portalConfig });\n\tconst upstreamServers = await resolveUpstreamServers(mcpConfig, resolveSecret);\n\tconst upstreamRuntime = createUpstreamMcpClientRuntime({ servers: upstreamServers });\n\tconst profilePolicyMaps = buildProfilePolicyMaps(portalConfig);\n\tconst sessionManager = createPortalSessionManager({\n\t\taccessPolicy: {\n\t\t\tdefaultPolicy: 'deny-all',\n\t\t\tenabledNamespacesByAgent: profilePolicyMaps.enabledNamespacesByAgent,\n\t\t\tenabledToolsByAgent: profilePolicyMaps.enabledToolsByAgent,\n\t\t\thiddenToolsByAgent: profilePolicyMaps.hiddenToolsByAgent,\n\t\t},\n\t\tcatalogTtlMs: profilePolicyMaps.cacheTtlMs,\n\t\truntime: upstreamRuntime,\n\t\tupstreamNamespaces: upstreamServers.map((server) => server.namespace),\n\t});\n\tconst verifyApproval = createPortalApprovalVerifier({\n\t\tonConservativeApprovalFallback: (event) => {\n\t\t\tlogger.log({\n\t\t\t\tagentId: event.agentId,\n\t\t\t\tconservativeCallCount: event.conservativeCallCount,\n\t\t\t\tevent: 'conservative_approval_fallback',\n\t\t\t\tlevel: 'warn',\n\t\t\t\tprimaryReason: event.primaryReason,\n\t\t\t\tstrictCallCount: event.strictCallCount,\n\t\t\t\ttoolRefs: event.toolRefs,\n\t\t\t});\n\t\t},\n\t\trecords: agentRecords,\n\t});\n\tconst app = createPortalHttpApp({\n\t\tonSessionClosed: async (identity) => {\n\t\t\tawait sessionManager.invalidateSession(identity);\n\t\t},\n\t\tregisteredAgentIds: Object.keys(portalConfig.agents),\n\t\tresolveAgentIdentity: createPortalHttpAgentResolver(agentRecords),\n\t\tserverAccess: {\n\t\t\texpectedValue: serverAccessSecret,\n\t\t\theaderName: portalConfig.server.accessHeader.name,\n\t\t},\n\t\ttoolRuntime: {\n\t\t\tapproval: (calls, identity, approvalToken) =>\n\t\t\t\tverifyApproval(calls, identity.agentId, approvalToken),\n\t\t\tcallUpstreamTool: upstreamRuntime.callTool,\n\t\t\tgetSession: sessionManager.getSession,\n\t\t},\n\t});\n\tconst listeningPort = createDeferredPort();\n\tlet hasListened = false;\n\tconst server = serveFn(\n\t\t{\n\t\t\tfetch: app.fetch,\n\t\t\thostname: portalConfig.server.host,\n\t\t\tport: props.args.port ?? portalConfig.server.port,\n\t\t},\n\t\t(info) => {\n\t\t\thasListened = true;\n\t\t\tprocess.stdout.write(`listening port=${String(info.port)}\\n`);\n\t\t\tlisteningPort.resolve(info.port);\n\t\t},\n\t);\n\tserver.on('error', (error: Error) => {\n\t\thandlePortalServerError({ error, hasListened, listeningPort, logger });\n\t});\n\tconst port = await listeningPort.promise;\n\n\treturn {\n\t\tclose: async () => {\n\t\t\tawait app.closePortalSessions();\n\t\t\tawait Promise.all(\n\t\t\t\tObject.keys(portalConfig.agents).map((agentId) =>\n\t\t\t\t\tsessionManager.invalidateAgentScope(agentId),\n\t\t\t\t),\n\t\t\t);\n\t\t\tawait closeNodeServer(server);\n\t\t},\n\t\tport,\n\t};\n}\n\nasync function main(): Promise<void> {\n\tconst startedServer = await startPortalServer({\n\t\targs: parsePortalServerCliArgs(process.argv.slice(2)),\n\t\tenv: process.env,\n\t});\n\tconst shutdown = async (): Promise<void> => {\n\t\tawait startedServer.close();\n\t\tprocess.exit(0);\n\t};\n\tprocess.on('SIGINT', () => {\n\t\tvoid shutdown();\n\t});\n\tprocess.on('SIGTERM', () => {\n\t\tvoid shutdown();\n\t});\n}\n\nif (import.meta.url === `file://${process.argv[1]}`) {\n\tvoid main().catch((error: unknown) => {\n\t\tprocess.stderr.write(`${error instanceof Error ? error.message : String(error)}\\n`);\n\t\tprocess.exit(1);\n\t});\n}\n"],"mappings":";;;;;;;;AAKA,MAAM,gBAAgB,UAAU,SAAS;AAOzC,eAAsB,mBACrB,QACA,OACkB;CAClB,IAAI,OAAO,WAAW,eAAe;EACpC,MAAM,QAAQ,MAAM,IAAI,OAAO;EAC/B,IAAI,UAAU,KAAA,KAAa,MAAM,WAAW,GAC3C,MAAM,IAAI,MAAM,8BAA8B,OAAO,KAAK,GAAG;EAE9D,OAAO;;CAIR,OAAO,OADuB,MAAM,yBAAyB,0BAC1B,OAAO,IAAI;;AAG/C,eAAe,yBAAyB,KAA8B;CACrE,MAAM,EAAE,WAAW,MAAM,cAAc,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,UAAU,QAAQ,CAAC;CACjF,OAAO,OAAO,SAAS;;;;ACgDxB,SAAS,UAAU,OAA+C;CACjE,IAAI,UAAU,KAAA,GACb;CAED,MAAM,OAAO,OAAO,MAAM;CAC1B,IAAI,CAAC,OAAO,UAAU,KAAK,IAAI,OAAO,KAAK,OAAO,OACjD,MAAM,IAAI,MAAM,yBAAyB,MAAM,IAAI;CAEpD,OAAO;;AAGR,SAAgB,yBAAyB,MAA8C;CACtF,MAAM,SAAS,UAAU;EACxB,MAAM,CAAC,GAAG,KAAK;EACf,SAAS;GACR,OAAO;IAAE,UAAU;IAAM,MAAM;IAAU;GACzC,cAAc,EAAE,MAAM,UAAU;GAChC,MAAM;IAAE,OAAO;IAAK,MAAM;IAAU;GACpC;EACD,QAAQ;EACR,CAAC;CACF,MAAM,YAAY,OAAO,OAAO;CAChC,IAAI,OAAO,cAAc,YAAY,UAAU,WAAW,GACzD,MAAM,IAAI,MAAM,mCAAmC;CAEpD,MAAM,oBAAoB,OAAO,OAAO;CACxC,MAAM,OAAO;EACZ,gBAAgB,MAAM,QAAQ,kBAAkB,GAAG,oBAAoB,EAAE;EACzE;EACA;CACD,MAAM,OAAO,UAAU,OAAO,OAAO,KAAK;CAC1C,OAAO,SAAS,KAAA,IAAY,OAAO;EAAE,GAAG;EAAM;EAAM;;AAGrD,SAAgB,oBACf,QACA,WACiD;CACjD,MAAM,aAAmD,EAAE,GAAG,QAAQ;CACtE,KAAK,MAAM,YAAY,WAAW;EACjC,MAAM,CAAC,SAAS,aAAa,SAAS,SAAS,MAAM,IAAI;EACzD,IACC,YAAY,KAAA,KACZ,gBAAgB,KAAA,KAChB,UAAU,KAAA,KACV,QAAQ,WAAW,KACnB,YAAY,WAAW,GAEvB,MAAM,IAAI,MAAM,6BAA6B,SAAS,kCAAkC;EAEzF,MAAM,gBAAgB,WAAW;EACjC,IAAI,kBAAkB,KAAA,GACrB,MAAM,IAAI,MAAM,6CAA6C,QAAQ,IAAI;EAE1E,WAAW,WAAW;GAAE,GAAG;GAAe,SAAS;GAAa;;CAEjE,OAAO;;AASR,SAAS,qBAAmC;CAC3C,IAAI;CACJ,IAAI;CAKJ,OAAO;EACN,SAAA,IALmB,SAAiB,SAAS,WAAW;GACxD,aAAa;GACb,cAAc;IAGP;EACP,SAAS,UAAU;GAClB,IAAI,eAAe,KAAA,GAClB,MAAM,IAAI,MAAM,gDAAgD;GAEjE,WAAW,MAAM;;EAElB,UAAU,SAAS;GAClB,IAAI,gBAAgB,KAAA,GACnB,MAAM,IAAI,MAAM,gDAAgD;GAEjE,YAAY,KAAK;;EAElB;;AAGF,SAAS,4BAAgD;CACxD,OAAO,EACN,MAAM,UAAU;EACf,QAAQ,OAAO,MAAM,GAAG,KAAK,UAAU,MAAM,CAAC,IAAI;IAEnD;;AAGF,SAAgB,wBAAwB,OAK/B;CACR,MAAM,OAAO,IAAI;EAChB,OAAO;EACP,OAAO;EACP,SAAS,MAAM,MAAM;EACrB,GAAI,MAAM,MAAM,UAAU,KAAA,IAAY,EAAE,GAAG,EAAE,OAAO,MAAM,MAAM,OAAO;EACvE,CAAC;CACF,IAAI,CAAC,MAAM,aACV,MAAM,cAAc,OAAO,MAAM,MAAM;;AAIzC,SAAS,gBAAgB,QAAyC;CACjE,OAAO,IAAI,SAAe,SAAS,WAAW;EAC7C,OAAO,OAAO,UAAU;GACvB,IAAI,OACH,OAAO,MAAM;QAEb,SAAS;IAET;GACD;;AAGH,eAAe,4BACd,SACA,eAC4C;CAC5C,MAAM,kBAAkB,MAAM,QAAQ,IACrC,OAAO,QAAQ,QAAQ,CAAC,IACvB,OAAO,CAAC,MAAM,YAAY,CAAC,MAAM,MAAM,cAAc,OAAO,CAAC,CAC7D,CACD;CACD,OAAO,OAAO,YAAY,gBAAgB;;AAG3C,eAAe,sBACd,UACA,eACuC;CACvC,IAAI,SAAS,cAAc,SAC1B,OAAO;EACN,MAAM,SAAS;EACf,SAAS,SAAS;EAClB,GAAI,SAAS,QAAQ,KAAA,IAAY,EAAE,GAAG,EAAE,KAAK,SAAS,KAAK;EAC3D,KAAK,MAAM,4BAA4B,SAAS,KAAK,cAAc;EACnE,WAAW,SAAS;EACpB,WAAW;EACX;CAGF,OAAO;EACN,SAAS,MAAM,4BAA4B,SAAS,SAAS,cAAc;EAC3E,WAAW,SAAS;EACpB,WAAW,SAAS;EACpB,KAAK,SAAS;EACd;;AAGF,eAAe,uBACd,WACA,eACkD;CAClD,OAAO,MAAM,QAAQ,IACpB,6BAA6B,UAAU,CAAC,IAAI,OAAO,aAClD,sBAAsB,UAAU,cAAc,CAC9C,CACD;;AAGF,SAAS,4BACR,gBACgC;CAChC,OAAO,OAAO,QAAQ,eAAe,CAAC,SAAS,CAAC,WAAW,eAC1D,UAAU,KAAK,cAAc;EAAE;EAAW;EAAU,EAAE,CACtD;;AAGF,SAAS,uBACR,cACsD;CACtD,MAAM,2BAA8D,EAAE;CACtE,MAAM,sBAAqE,EAAE;CAC7E,MAAM,qBAAoE,EAAE;CAC5E,MAAM,cAAwB,EAAE;CAEhC,KAAK,MAAM,CAAC,SAAS,UAAU,OAAO,QAAQ,aAAa,OAAO,EAAE;EACnE,MAAM,UAAoC,wBAAwB,cAAc,MAAM,QAAQ;EAC9F,yBAAyB,WAAW,QAAQ;EAC5C,oBAAoB,WAAW,4BAA4B,QAAQ,wBAAwB;EAC3F,mBAAmB,WAAW,4BAA4B,QAAQ,uBAAuB;EACzF,YAAY,KAAK,QAAQ,MAAM,aAAa;;CAG7C,OAAO;EACN,YAAY,YAAY,WAAW,IAAI,MAAS,KAAK,IAAI,GAAG,YAAY;EACxE;EACA;EACA;EACA;;AAGF,SAAS,mBACR,cACA,gBACkB;CAClB,OAAO;EACN,GAAG;EACH,QAAQ,oBAAoB,aAAa,QAAQ,eAAe;EAChE;;AAGF,eAAsB,kBACrB,OAC0E;CAC1E,MAAM,SAAS,MAAM,UAAU,2BAA2B;CAC1D,MAAM,UAAU,MAAM,WAAW;CACjC,MAAM,gBACL,MAAM,mBACJ,WAAwB,mBAAmB,QAAQ,EAAE,KAAK,MAAM,KAAK,CAAC;CACzE,MAAM,YAAY,MAAM,cAAc,KAAK,MAAM,KAAK,WAAW,mBAAmB,CAAC;CACrF,MAAM,eAAe,mBACpB,MAAM,oBAAoB,KAAK,MAAM,KAAK,WAAW,0BAA0B,CAAC,EAChF,MAAM,KAAK,eACX;CACD,MAAM,qBAAqB,MAAM,cAAc,aAAa,OAAO,aAAa,OAAO;CAMvF,MAAM,eAAe,gCAAgC;EAAE,UAAA,MALhC,qBAAqB;GAC3C,QAAQ,aAAa;GACrB,SAAS,qBAAqB,MAAM,IAAI;GACxC;GACA,CAAC;EAC+D;EAAc,CAAC;CAChF,MAAM,kBAAkB,MAAM,uBAAuB,WAAW,cAAc;CAC9E,MAAM,kBAAkB,+BAA+B,EAAE,SAAS,iBAAiB,CAAC;CACpF,MAAM,oBAAoB,uBAAuB,aAAa;CAC9D,MAAM,iBAAiB,2BAA2B;EACjD,cAAc;GACb,eAAe;GACf,0BAA0B,kBAAkB;GAC5C,qBAAqB,kBAAkB;GACvC,oBAAoB,kBAAkB;GACtC;EACD,cAAc,kBAAkB;EAChC,SAAS;EACT,oBAAoB,gBAAgB,KAAK,WAAW,OAAO,UAAU;EACrE,CAAC;CACF,MAAM,iBAAiB,6BAA6B;EACnD,iCAAiC,UAAU;GAC1C,OAAO,IAAI;IACV,SAAS,MAAM;IACf,uBAAuB,MAAM;IAC7B,OAAO;IACP,OAAO;IACP,eAAe,MAAM;IACrB,iBAAiB,MAAM;IACvB,UAAU,MAAM;IAChB,CAAC;;EAEH,SAAS;EACT,CAAC;CACF,MAAM,MAAM,oBAAoB;EAC/B,iBAAiB,OAAO,aAAa;GACpC,MAAM,eAAe,kBAAkB,SAAS;;EAEjD,oBAAoB,OAAO,KAAK,aAAa,OAAO;EACpD,sBAAsB,8BAA8B,aAAa;EACjE,cAAc;GACb,eAAe;GACf,YAAY,aAAa,OAAO,aAAa;GAC7C;EACD,aAAa;GACZ,WAAW,OAAO,UAAU,kBAC3B,eAAe,OAAO,SAAS,SAAS,cAAc;GACvD,kBAAkB,gBAAgB;GAClC,YAAY,eAAe;GAC3B;EACD,CAAC;CACF,MAAM,gBAAgB,oBAAoB;CAC1C,IAAI,cAAc;CAClB,MAAM,SAAS,QACd;EACC,OAAO,IAAI;EACX,UAAU,aAAa,OAAO;EAC9B,MAAM,MAAM,KAAK,QAAQ,aAAa,OAAO;EAC7C,GACA,SAAS;EACT,cAAc;EACd,QAAQ,OAAO,MAAM,kBAAkB,OAAO,KAAK,KAAK,CAAC,IAAI;EAC7D,cAAc,QAAQ,KAAK,KAAK;GAEjC;CACD,OAAO,GAAG,UAAU,UAAiB;EACpC,wBAAwB;GAAE;GAAO;GAAa;GAAe;GAAQ,CAAC;GACrE;CAGF,OAAO;EACN,OAAO,YAAY;GAClB,MAAM,IAAI,qBAAqB;GAC/B,MAAM,QAAQ,IACb,OAAO,KAAK,aAAa,OAAO,CAAC,KAAK,YACrC,eAAe,qBAAqB,QAAQ,CAC5C,CACD;GACD,MAAM,gBAAgB,OAAO;;EAE9B,MAAA,MAZkB,cAAc;EAahC;;AAGF,eAAe,OAAsB;CACpC,MAAM,gBAAgB,MAAM,kBAAkB;EAC7C,MAAM,yBAAyB,QAAQ,KAAK,MAAM,EAAE,CAAC;EACrD,KAAK,QAAQ;EACb,CAAC;CACF,MAAM,WAAW,YAA2B;EAC3C,MAAM,cAAc,OAAO;EAC3B,QAAQ,KAAK,EAAE;;CAEhB,QAAQ,GAAG,gBAAgB;EAC1B,UAAe;GACd;CACF,QAAQ,GAAG,iBAAiB;EAC3B,UAAe;GACd;;AAGH,IAAI,OAAO,KAAK,QAAQ,UAAU,QAAQ,KAAK,MAC9C,MAAW,CAAC,OAAO,UAAmB;CACrC,QAAQ,OAAO,MAAM,GAAG,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,CAAC,IAAI;CACnF,QAAQ,KAAK,EAAE;EACd"}

package/dist/catalog-types--gUGFPpN.d.ts

@@ -0,0 +1,44 @@
+import { z } from "zod";
+
+//#region src/json-schema.d.ts
+type JsonPrimitive = boolean | null | number | string;
+type JsonArray = JsonValue[];
+type JsonObject = {
+  [key: string]: JsonValue;
+};
+type JsonValue = JsonArray | JsonObject | JsonPrimitive;
+declare const jsonValueSchema: z.ZodType<JsonValue>;
+declare const jsonObjectSchema: z.ZodType<JsonObject>;
+declare function isJsonObject(value: unknown): value is JsonObject;
+declare function assertJsonObject(value: unknown, label: string): JsonObject;
+//#endregion
+//#region src/catalog-types.d.ts
+declare const portalToolAnnotationsSchema: z.ZodOptional<z.ZodObject<{
+  destructiveHint: z.ZodOptional<z.ZodBoolean>;
+  idempotentHint: z.ZodOptional<z.ZodBoolean>;
+  openWorldHint: z.ZodOptional<z.ZodBoolean>;
+  readOnlyHint: z.ZodOptional<z.ZodBoolean>;
+  title: z.ZodOptional<z.ZodString>;
+}, z.core.$catchall<z.ZodUnion<[z.ZodUnion<[z.ZodUnion<[z.ZodUnion<[z.ZodType<JsonObject, unknown, z.core.$ZodTypeInternals<JsonObject, unknown>>, z.ZodString]>, z.ZodNumber]>, z.ZodBoolean]>, z.ZodNull]>>>>;
+declare const safeToolMetadataSchema: z.ZodOptional<z.ZodType<JsonObject, unknown, z.core.$ZodTypeInternals<JsonObject, unknown>>>;
+declare const portalToolRecordSchema: z.ZodObject<{
+  annotations: z.ZodOptional<z.ZodObject<{
+    destructiveHint: z.ZodOptional<z.ZodBoolean>;
+    idempotentHint: z.ZodOptional<z.ZodBoolean>;
+    openWorldHint: z.ZodOptional<z.ZodBoolean>;
+    readOnlyHint: z.ZodOptional<z.ZodBoolean>;
+    title: z.ZodOptional<z.ZodString>;
+  }, z.core.$catchall<z.ZodUnion<[z.ZodUnion<[z.ZodUnion<[z.ZodUnion<[z.ZodType<JsonObject, unknown, z.core.$ZodTypeInternals<JsonObject, unknown>>, z.ZodString]>, z.ZodNumber]>, z.ZodBoolean]>, z.ZodNull]>>>>;
+  description: z.ZodOptional<z.ZodString>;
+  inputSchema: z.ZodType<JsonObject, unknown, z.core.$ZodTypeInternals<JsonObject, unknown>>;
+  metadata: z.ZodOptional<z.ZodType<JsonObject, unknown, z.core.$ZodTypeInternals<JsonObject, unknown>>>;
+  namespace: z.ZodString;
+  outputSchema: z.ZodOptional<z.ZodType<JsonObject, unknown, z.core.$ZodTypeInternals<JsonObject, unknown>>>;
+  title: z.ZodOptional<z.ZodString>;
+  toolName: z.ZodString;
+}, z.core.$strict>;
+type PortalToolRecord = z.infer<typeof portalToolRecordSchema>;
+type PortalToolAnnotations = z.infer<typeof portalToolAnnotationsSchema>;
+//#endregion
+export { safeToolMetadataSchema as a, JsonPrimitive as c, isJsonObject as d, jsonObjectSchema as f, portalToolRecordSchema as i, JsonValue as l, PortalToolRecord as n, JsonArray as o, jsonValueSchema as p, portalToolAnnotationsSchema as r, JsonObject as s, PortalToolAnnotations as t, assertJsonObject as u };
+//# sourceMappingURL=catalog-types--gUGFPpN.d.ts.map

package/dist/catalog-types--gUGFPpN.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog-types--gUGFPpN.d.ts","names":[],"sources":["../src/json-schema.ts","../src/catalog-types.ts"],"mappings":";;;KAEY,aAAA;AAAA,KACA,SAAA,GAAY,SAAA;AAAA,KACZ,UAAA;EAAA,CAAgB,GAAA,WAAc,SAAA;AAAA;AAAA,KAC9B,SAAA,GAAY,SAAA,GAAY,UAAA,GAAa,aAAA;AAAA,cAEpC,eAAA,EAAiB,CAAA,CAAE,OAAA,CAAQ,SAAA;AAAA,cAW3B,gBAAA,EAAkB,CAAA,CAAE,OAAA,CAAQ,UAAA;AAAA,iBAEzB,YAAA,CAAa,KAAA,YAAiB,KAAA,IAAS,UAAA;AAAA,iBAIvC,gBAAA,CAAiB,KAAA,WAAgB,KAAA,WAAgB,UAAA;;;cCmBpD,2BAAA,EAA2B,CAAA,CAAA,WAAA,CAAA,CAAA,CAAA,SAAA;;;;;;;cAW3B,sBAAA,EAAsB,CAAA,CAAA,WAAA,CAAA,CAAA,CAAA,OAAA,CAAA,UAAA,WAAA,CAAA,CAAA,IAAA,CAAA,iBAAA,CAAA,UAAA;AAAA,cAgBtB,sBAAA,EAAsB,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;KAavB,gBAAA,GAAmB,CAAA,CAAE,KAAA,QAAa,sBAAA;AAAA,KAClC,qBAAA,GAAwB,CAAA,CAAE,KAAA,QAAa,2BAAA"}

package/dist/index-BcI9c8sg.d.ts

@@ -0,0 +1,42 @@
+import { n as PortalToolRecord, s as JsonObject } from "./catalog-types--gUGFPpN.js";
+
+//#region src/tool-vm/typescript-artifact.d.ts
+interface CatalogArtifactInput {
+  readonly tools: readonly PortalToolRecord[];
+}
+declare function generateTypescriptCatalogArtifact(input: CatalogArtifactInput): string;
+//#endregion
+//#region src/zod-schema-loader.d.ts
+interface InputValidationIssue {
+  readonly code: string;
+  readonly message: string;
+  readonly path: readonly (number | string)[];
+}
+interface InputValidationError {
+  readonly kind: 'input_validation';
+  readonly issues: readonly InputValidationIssue[];
+}
+interface SchemaValidationUnavailableError {
+  readonly feature: string;
+  readonly kind: 'schema_validation_unavailable';
+  readonly message: string;
+  readonly path: readonly (number | string)[];
+}
+type PortalValidationResult = {
+  readonly ok: true;
+  readonly value: unknown;
+} | {
+  readonly error: InputValidationError;
+  readonly ok: false;
+};
+type BuiltZodValidator = {
+  readonly ok: true;
+  readonly validate: (value: unknown) => PortalValidationResult;
+} | {
+  readonly error: SchemaValidationUnavailableError;
+  readonly ok: false;
+};
+declare function buildZodValidatorFromJsonSchema(jsonSchema: JsonObject): BuiltZodValidator;
+//#endregion
+export { SchemaValidationUnavailableError as a, generateTypescriptCatalogArtifact as c, PortalValidationResult as i, InputValidationError as n, buildZodValidatorFromJsonSchema as o, InputValidationIssue as r, CatalogArtifactInput as s, BuiltZodValidator as t };
+//# sourceMappingURL=index-BcI9c8sg.d.ts.map

package/dist/index-BcI9c8sg.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index-BcI9c8sg.d.ts","names":[],"sources":["../src/tool-vm/typescript-artifact.ts","../src/zod-schema-loader.ts"],"mappings":";;;UAKiB,oBAAA;EAAA,SACP,KAAA,WAAgB,gBAAA;AAAA;AAAA,iBAwBV,iCAAA,CAAkC,KAAA,EAAO,oBAAA;;;UC1BxC,oBAAA;EAAA,SACP,IAAA;EAAA,SACA,OAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,oBAAA;EAAA,SACP,IAAA;EAAA,SACA,MAAA,WAAiB,oBAAA;AAAA;AAAA,UAGV,gCAAA;EAAA,SACP,OAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA;EAAA,SACA,IAAA;AAAA;AAAA,KAGE,sBAAA;EAAA,SACE,EAAA;EAAA,SAAmB,KAAA;AAAA;EAAA,SACnB,KAAA,EAAO,oBAAA;EAAA,SAA+B,EAAA;AAAA;AAAA,KAExC,iBAAA;EAAA,SAEA,EAAA;EAAA,SACA,QAAA,GAAW,KAAA,cAAmB,sBAAA;AAAA;EAAA,SAG9B,KAAA,EAAO,gCAAA;EAAA,SACP,EAAA;AAAA;AAAA,iBA4EI,+BAAA,CAAgC,UAAA,EAAY,UAAA,GAAa,iBAAA"}