@attested-intelligence/aga-mcp-server 2.0.1 → 2.2.0

Files changed (241)
  1. package/README.md +197 -124
  2. package/SECURITY.md +59 -0
  3. package/dist/adapters/openclaw.d.ts +43 -0
  4. package/dist/adapters/openclaw.d.ts.map +1 -0
  5. package/dist/adapters/openclaw.js +86 -0
  6. package/dist/adapters/openclaw.js.map +1 -0
  7. package/dist/core/bundle.d.ts +9 -2
  8. package/dist/core/bundle.d.ts.map +1 -1
  9. package/dist/core/bundle.js +16 -2
  10. package/dist/core/bundle.js.map +1 -1
  11. package/dist/core/identity.d.ts +19 -10
  12. package/dist/core/identity.d.ts.map +1 -1
  13. package/dist/core/identity.js +45 -11
  14. package/dist/core/identity.js.map +1 -1
  15. package/dist/core/portal.d.ts +10 -1
  16. package/dist/core/portal.d.ts.map +1 -1
  17. package/dist/core/portal.js +16 -12
  18. package/dist/core/portal.js.map +1 -1
  19. package/dist/core/types.d.ts +29 -2
  20. package/dist/core/types.d.ts.map +1 -1
  21. package/dist/crypto/index.d.ts +5 -6
  22. package/dist/crypto/index.d.ts.map +1 -1
  23. package/dist/crypto/index.js +5 -6
  24. package/dist/crypto/index.js.map +1 -1
  25. package/dist/crypto/sign.d.ts +2 -0
  26. package/dist/crypto/sign.d.ts.map +1 -1
  27. package/dist/crypto/sign.js +6 -0
  28. package/dist/crypto/sign.js.map +1 -1
  29. package/dist/index.js +1 -1
  30. package/dist/index.js.map +1 -1
  31. package/dist/middleware/governance.d.ts +7 -1
  32. package/dist/middleware/governance.d.ts.map +1 -1
  33. package/dist/middleware/governance.js +18 -11
  34. package/dist/middleware/governance.js.map +1 -1
  35. package/dist/proxy/evaluator.d.ts +14 -0
  36. package/dist/proxy/evaluator.d.ts.map +1 -0
  37. package/dist/proxy/evaluator.js +141 -0
  38. package/dist/proxy/evaluator.js.map +1 -0
  39. package/dist/proxy/index.d.ts +22 -0
  40. package/dist/proxy/index.d.ts.map +1 -0
  41. package/dist/proxy/index.js +230 -0
  42. package/dist/proxy/index.js.map +1 -0
  43. package/dist/proxy/profiles.d.ts +16 -0
  44. package/dist/proxy/profiles.d.ts.map +1 -0
  45. package/dist/proxy/profiles.js +43 -0
  46. package/dist/proxy/profiles.js.map +1 -0
  47. package/dist/proxy/server.d.ts +106 -0
  48. package/dist/proxy/server.d.ts.map +1 -0
  49. package/dist/proxy/server.js +389 -0
  50. package/dist/proxy/server.js.map +1 -0
  51. package/dist/proxy/stdio-bridge.d.ts +42 -0
  52. package/dist/proxy/stdio-bridge.d.ts.map +1 -0
  53. package/dist/proxy/stdio-bridge.js +142 -0
  54. package/dist/proxy/stdio-bridge.js.map +1 -0
  55. package/dist/proxy/types.d.ts +36 -0
  56. package/dist/proxy/types.d.ts.map +1 -0
  57. package/dist/proxy/types.js +11 -0
  58. package/dist/proxy/types.js.map +1 -0
  59. package/dist/proxy/verify.d.ts +29 -0
  60. package/dist/proxy/verify.d.ts.map +1 -0
  61. package/dist/proxy/verify.js +183 -0
  62. package/dist/proxy/verify.js.map +1 -0
  63. package/dist/server.d.ts +7 -3
  64. package/dist/server.d.ts.map +1 -1
  65. package/dist/server.js +342 -214
  66. package/dist/server.js.map +1 -1
  67. package/dist/storage/sqlite.js +6 -6
  68. package/independent-verifier/README.md +31 -0
  69. package/independent-verifier/package.json +18 -0
  70. package/independent-verifier/verify.ts +211 -0
  71. package/package.json +97 -71
  72. package/src/adapters/openclaw.ts +125 -0
  73. package/src/core/artifact.ts +45 -0
  74. package/src/core/attestation.ts +33 -0
  75. package/src/core/behavioral.ts +132 -0
  76. package/src/core/bundle.ts +45 -0
  77. package/src/core/chain.ts +72 -0
  78. package/src/core/checkpoint.ts +22 -0
  79. package/src/core/delegation.ts +146 -0
  80. package/src/core/disclosure.ts +32 -0
  81. package/src/core/identity.ts +62 -0
  82. package/src/core/index.ts +14 -0
  83. package/src/core/portal.ts +117 -0
  84. package/src/core/quarantine.ts +16 -0
  85. package/src/core/receipt.ts +33 -0
  86. package/src/core/subject.ts +11 -0
  87. package/src/core/types.ts +285 -0
  88. package/src/crypto/hash.ts +33 -0
  89. package/src/crypto/index.ts +5 -0
  90. package/src/crypto/merkle.ts +43 -0
  91. package/src/crypto/salt.ts +18 -0
  92. package/src/crypto/sign.ts +42 -0
  93. package/src/crypto/types.ts +19 -0
  94. package/src/index.ts +12 -0
  95. package/src/middleware/governance.ts +95 -0
  96. package/src/middleware/index.ts +1 -0
  97. package/src/proxy/evaluator.ts +176 -0
  98. package/src/proxy/index.ts +259 -0
  99. package/src/proxy/profiles.ts +48 -0
  100. package/src/proxy/server.ts +499 -0
  101. package/src/proxy/stdio-bridge.ts +171 -0
  102. package/src/proxy/types.ts +40 -0
  103. package/src/proxy/verify.ts +202 -0
  104. package/src/server.ts +435 -0
  105. package/src/storage/index.ts +3 -0
  106. package/src/storage/interface.ts +21 -0
  107. package/src/storage/memory.ts +27 -0
  108. package/src/storage/sqlite.ts +45 -0
  109. package/src/tools/README.md +13 -0
  110. package/src/utils/canonical.ts +14 -0
  111. package/src/utils/constants.ts +3 -0
  112. package/src/utils/timestamp.ts +12 -0
  113. package/src/utils/uuid.ts +2 -0
  114. package/dist/context.d.ts +0 -39
  115. package/dist/context.d.ts.map +0 -1
  116. package/dist/context.js +0 -113
  117. package/dist/context.js.map +0 -1
  118. package/dist/core/measurement.d.ts +0 -16
  119. package/dist/core/measurement.d.ts.map +0 -1
  120. package/dist/core/measurement.js +0 -18
  121. package/dist/core/measurement.js.map +0 -1
  122. package/dist/crypto/canonicalize.d.ts +0 -7
  123. package/dist/crypto/canonicalize.d.ts.map +0 -1
  124. package/dist/crypto/canonicalize.js +0 -21
  125. package/dist/crypto/canonicalize.js.map +0 -1
  126. package/dist/crypto/keys.d.ts +0 -10
  127. package/dist/crypto/keys.d.ts.map +0 -1
  128. package/dist/crypto/keys.js +0 -19
  129. package/dist/crypto/keys.js.map +0 -1
  130. package/dist/prompts/drift-analysis.d.ts +0 -13
  131. package/dist/prompts/drift-analysis.d.ts.map +0 -1
  132. package/dist/prompts/drift-analysis.js +0 -43
  133. package/dist/prompts/drift-analysis.js.map +0 -1
  134. package/dist/prompts/governance-report.d.ts +0 -7
  135. package/dist/prompts/governance-report.d.ts.map +0 -1
  136. package/dist/prompts/governance-report.js +0 -26
  137. package/dist/prompts/governance-report.js.map +0 -1
  138. package/dist/prompts/nccoe-demo.d.ts +0 -14
  139. package/dist/prompts/nccoe-demo.d.ts.map +0 -1
  140. package/dist/prompts/nccoe-demo.js +0 -47
  141. package/dist/prompts/nccoe-demo.js.map +0 -1
  142. package/dist/resources/cosai-mapping.d.ts +0 -24
  143. package/dist/resources/cosai-mapping.d.ts.map +0 -1
  144. package/dist/resources/cosai-mapping.js +0 -127
  145. package/dist/resources/cosai-mapping.js.map +0 -1
  146. package/dist/resources/crypto-primitives.d.ts +0 -3
  147. package/dist/resources/crypto-primitives.d.ts.map +0 -1
  148. package/dist/resources/crypto-primitives.js +0 -52
  149. package/dist/resources/crypto-primitives.js.map +0 -1
  150. package/dist/resources/sample-bundle.d.ts +0 -6
  151. package/dist/resources/sample-bundle.d.ts.map +0 -1
  152. package/dist/resources/sample-bundle.js +0 -58
  153. package/dist/resources/sample-bundle.js.map +0 -1
  154. package/dist/resources/specification.d.ts +0 -3
  155. package/dist/resources/specification.d.ts.map +0 -1
  156. package/dist/resources/specification.js +0 -161
  157. package/dist/resources/specification.js.map +0 -1
  158. package/dist/tools/create-artifact.d.ts +0 -25
  159. package/dist/tools/create-artifact.d.ts.map +0 -1
  160. package/dist/tools/create-artifact.js +0 -85
  161. package/dist/tools/create-artifact.js.map +0 -1
  162. package/dist/tools/delegate-subagent.d.ts +0 -18
  163. package/dist/tools/delegate-subagent.d.ts.map +0 -1
  164. package/dist/tools/delegate-subagent.js +0 -50
  165. package/dist/tools/delegate-subagent.js.map +0 -1
  166. package/dist/tools/disclose-claim.d.ts +0 -14
  167. package/dist/tools/disclose-claim.d.ts.map +0 -1
  168. package/dist/tools/disclose-claim.js +0 -23
  169. package/dist/tools/disclose-claim.js.map +0 -1
  170. package/dist/tools/export-bundle.d.ts +0 -8
  171. package/dist/tools/export-bundle.d.ts.map +0 -1
  172. package/dist/tools/export-bundle.js +0 -25
  173. package/dist/tools/export-bundle.js.map +0 -1
  174. package/dist/tools/full-lifecycle.d.ts +0 -16
  175. package/dist/tools/full-lifecycle.d.ts.map +0 -1
  176. package/dist/tools/full-lifecycle.js +0 -121
  177. package/dist/tools/full-lifecycle.js.map +0 -1
  178. package/dist/tools/generate-receipt.d.ts +0 -16
  179. package/dist/tools/generate-receipt.d.ts.map +0 -1
  180. package/dist/tools/generate-receipt.js +0 -31
  181. package/dist/tools/generate-receipt.js.map +0 -1
  182. package/dist/tools/get-chain.d.ts +0 -14
  183. package/dist/tools/get-chain.d.ts.map +0 -1
  184. package/dist/tools/get-chain.js +0 -45
  185. package/dist/tools/get-chain.js.map +0 -1
  186. package/dist/tools/get-portal-state.d.ts +0 -8
  187. package/dist/tools/get-portal-state.d.ts.map +0 -1
  188. package/dist/tools/get-portal-state.js +0 -15
  189. package/dist/tools/get-portal-state.js.map +0 -1
  190. package/dist/tools/init-chain.d.ts +0 -10
  191. package/dist/tools/init-chain.d.ts.map +0 -1
  192. package/dist/tools/init-chain.js +0 -13
  193. package/dist/tools/init-chain.js.map +0 -1
  194. package/dist/tools/measure-behavior.d.ts +0 -12
  195. package/dist/tools/measure-behavior.d.ts.map +0 -1
  196. package/dist/tools/measure-behavior.js +0 -29
  197. package/dist/tools/measure-behavior.js.map +0 -1
  198. package/dist/tools/measure-subject.d.ts +0 -15
  199. package/dist/tools/measure-subject.d.ts.map +0 -1
  200. package/dist/tools/measure-subject.js +0 -106
  201. package/dist/tools/measure-subject.js.map +0 -1
  202. package/dist/tools/quarantine-status.d.ts +0 -8
  203. package/dist/tools/quarantine-status.d.ts.map +0 -1
  204. package/dist/tools/quarantine-status.js +0 -16
  205. package/dist/tools/quarantine-status.js.map +0 -1
  206. package/dist/tools/revoke-artifact.d.ts +0 -13
  207. package/dist/tools/revoke-artifact.d.ts.map +0 -1
  208. package/dist/tools/revoke-artifact.js +0 -24
  209. package/dist/tools/revoke-artifact.js.map +0 -1
  210. package/dist/tools/rotate-keys.d.ts +0 -13
  211. package/dist/tools/rotate-keys.d.ts.map +0 -1
  212. package/dist/tools/rotate-keys.js +0 -39
  213. package/dist/tools/rotate-keys.js.map +0 -1
  214. package/dist/tools/server-info.d.ts +0 -8
  215. package/dist/tools/server-info.d.ts.map +0 -1
  216. package/dist/tools/server-info.js +0 -23
  217. package/dist/tools/server-info.js.map +0 -1
  218. package/dist/tools/set-verification-tier.d.ts +0 -11
  219. package/dist/tools/set-verification-tier.d.ts.map +0 -1
  220. package/dist/tools/set-verification-tier.js +0 -31
  221. package/dist/tools/set-verification-tier.js.map +0 -1
  222. package/dist/tools/start-monitoring.d.ts +0 -12
  223. package/dist/tools/start-monitoring.d.ts.map +0 -1
  224. package/dist/tools/start-monitoring.js +0 -17
  225. package/dist/tools/start-monitoring.js.map +0 -1
  226. package/dist/tools/trigger-measurement.d.ts +0 -15
  227. package/dist/tools/trigger-measurement.d.ts.map +0 -1
  228. package/dist/tools/trigger-measurement.js +0 -86
  229. package/dist/tools/trigger-measurement.js.map +0 -1
  230. package/dist/tools/verify-artifact.d.ts +0 -13
  231. package/dist/tools/verify-artifact.d.ts.map +0 -1
  232. package/dist/tools/verify-artifact.js +0 -6
  233. package/dist/tools/verify-artifact.js.map +0 -1
  234. package/dist/tools/verify-bundle.d.ts +0 -13
  235. package/dist/tools/verify-bundle.d.ts.map +0 -1
  236. package/dist/tools/verify-bundle.js +0 -6
  237. package/dist/tools/verify-bundle.js.map +0 -1
  238. package/dist/types.d.ts +0 -261
  239. package/dist/types.d.ts.map +0 -1
  240. package/dist/types.js +0 -8
  241. package/dist/types.js.map +0 -1
@@ -0,0 +1,389 @@
1
+ /**
2
+ * AGA Governance Proxy Server
3
+ * TCP proxy that intercepts MCP JSON-RPC 2.0 tool calls,
4
+ * evaluates them against a sealed policy, and produces
5
+ * Ed25519-signed governance receipts.
6
+ *
7
+ * Receipt format: Ed25519-SHA256-JCS (canonical across TS gateway,
8
+ * Python SDK, Go CLI, and browser verifier).
9
+ *
10
+ * Architecture: Client → Proxy (:18800) → Downstream MCP Server
11
+ * The proxy holds ALL signing keys. The client holds NONE.
12
+ *
13
+ * Patent: USPTO App. No. 19/433,835
14
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
15
+ * SPDX-License-Identifier: MIT
16
+ */
17
+ import * as net from 'node:net';
18
+ import { EventEmitter } from 'node:events';
19
+ import { generateKeyPair, pkToHex, signStr } from '../crypto/sign.js';
20
+ import { bytesToHex, hexToBytes as utilHexToBytes } from '@noble/hashes/utils';
21
+ import { sha256 } from '@noble/hashes/sha256';
22
+ import { sha256Str } from '../crypto/hash.js';
23
+ import { canonicalize } from '../utils/canonical.js';
24
+ import { evaluate, resetRateLimits } from './evaluator.js';
25
+ import { StdioBridge } from './stdio-bridge.js';
26
+ import { PERMISSIVE } from './profiles.js';
27
+ import { utcNow } from '../utils/timestamp.js';
28
+ import { uuid } from '../utils/uuid.js';
29
+ export class GovernanceProxy extends EventEmitter {
30
+ server = null;
31
+ bridge = null;
32
+ // Crypto key - never leaves this process
33
+ signingKP;
34
+ // State
35
+ policy;
36
+ port;
37
+ started = false;
38
+ upstreamOptions;
39
+ upstreamUrl;
40
+ gatewayId;
41
+ // Receipt chain
42
+ receipts = [];
43
+ lastReceiptHash = '';
44
+ policyHash = '';
45
+ // Stats
46
+ stats = { permitted: 0, denied: 0, total: 0, started_at: '' };
47
+ constructor(options = {}) {
48
+ super();
49
+ this.port = options.port ?? 18800;
50
+ this.policy = options.policy ?? PERMISSIVE;
51
+ this.upstreamOptions = options.upstream ?? null;
52
+ this.upstreamUrl = options.upstreamUrl ?? null;
53
+ this.gatewayId = options.gatewayId ?? 'aga-proxy';
54
+ this.signingKP = generateKeyPair();
55
+ }
56
+ // ── Start / Stop ───────────────────────────────────────────
57
+ async start() {
58
+ if (this.started)
59
+ throw new Error('Proxy already running');
60
+ this.policyHash = sha256Str(canonicalize(this.policy));
61
+ // Start downstream bridge if configured
62
+ if (this.upstreamOptions) {
63
+ this.bridge = new StdioBridge(this.upstreamOptions);
64
+ await this.bridge.start();
65
+ this.bridge.on('error', (err) => this.emit('error', err));
66
+ this.bridge.on('exit', (code) => {
67
+ process.stderr.write(`[aga-proxy] Downstream exited with code ${code}\n`);
68
+ });
69
+ }
70
+ // Start TCP server
71
+ this.server = net.createServer((socket) => this.handleConnection(socket));
72
+ await new Promise((resolve, reject) => {
73
+ this.server.listen(this.port, () => resolve());
74
+ this.server.on('error', reject);
75
+ });
76
+ this.started = true;
77
+ this.stats.started_at = new Date().toISOString();
78
+ resetRateLimits();
79
+ this.emit('started', { port: this.port });
80
+ }
81
+ async stop() {
82
+ if (!this.started)
83
+ return;
84
+ if (this.bridge) {
85
+ await this.bridge.stop();
86
+ this.bridge = null;
87
+ }
88
+ if (this.server) {
89
+ await new Promise((resolve) => {
90
+ this.server.close(() => resolve());
91
+ });
92
+ this.server = null;
93
+ }
94
+ this.started = false;
95
+ this.emit('stopped');
96
+ }
97
+ // ── Connection handler ─────────────────────────────────────
98
+ handleConnection(socket) {
99
+ let buffer = '';
100
+ socket.on('data', (chunk) => {
101
+ buffer += chunk.toString();
102
+ const lines = buffer.split('\n');
103
+ buffer = lines.pop() || '';
104
+ for (const line of lines) {
105
+ const trimmed = line.trim();
106
+ if (!trimmed)
107
+ continue;
108
+ this.handleMessage(trimmed, socket).catch((err) => {
109
+ process.stderr.write(`[aga-proxy] Error handling message: ${err}\n`);
110
+ });
111
+ }
112
+ });
113
+ socket.on('error', () => { });
114
+ }
115
+ async handleMessage(raw, socket) {
116
+ let parsed;
117
+ try {
118
+ parsed = JSON.parse(raw);
119
+ }
120
+ catch {
121
+ this.respond(socket, { jsonrpc: '2.0', error: { code: -32700, message: 'Parse error' }, id: null });
122
+ return;
123
+ }
124
+ if (parsed.jsonrpc !== '2.0') {
125
+ this.respond(socket, { jsonrpc: '2.0', error: { code: -32600, message: 'Invalid Request: missing jsonrpc 2.0' }, id: null });
126
+ return;
127
+ }
128
+ const requestId = parsed.id ?? null;
129
+ const method = parsed.method;
130
+ // Non-tools/call methods: forward transparently
131
+ if (method !== 'tools/call') {
132
+ if (this.bridge) {
133
+ try {
134
+ const response = await this.bridge.send(parsed);
135
+ this.respond(socket, response);
136
+ }
137
+ catch (err) {
138
+ this.respond(socket, {
139
+ jsonrpc: '2.0',
140
+ error: { code: -32603, message: `Downstream error: ${err}` },
141
+ id: requestId,
142
+ });
143
+ }
144
+ }
145
+ else if (this.upstreamUrl) {
146
+ await this.forwardHttp(raw, socket, requestId);
147
+ }
148
+ else {
149
+ this.respond(socket, {
150
+ jsonrpc: '2.0',
151
+ error: { code: -32603, message: 'No upstream configured' },
152
+ id: requestId,
153
+ });
154
+ }
155
+ return;
156
+ }
157
+ // tools/call - governance intercept
158
+ await this.interceptToolCall(parsed, socket, requestId);
159
+ }
160
+ // ── Tool call interception ─────────────────────────────────
161
+ async interceptToolCall(parsed, socket, requestId) {
162
+ const params = parsed.params;
163
+ const toolName = params?.name;
164
+ const toolArgs = params?.arguments;
165
+ this.stats.total++;
166
+ // Fail-closed: no tool name
167
+ if (!toolName) {
168
+ const receipt = this.generateReceipt('UNKNOWN', 'DENIED', 'tool name extraction failed, fail-closed', requestId, undefined);
169
+ this.stats.denied++;
170
+ this.respond(socket, {
171
+ jsonrpc: '2.0',
172
+ error: {
173
+ code: -32600,
174
+ message: 'Missing tool name',
175
+ data: { receipt_id: receipt.receipt_id, decision: 'DENIED' },
176
+ },
177
+ id: requestId,
178
+ });
179
+ return;
180
+ }
181
+ // Evaluate against policy
182
+ const decision = evaluate(this.policy, toolName, toolArgs);
183
+ const receipt = this.generateReceipt(toolName, decision.allowed ? 'PERMITTED' : 'DENIED', decision.reason, requestId, toolArgs);
184
+ if (!decision.allowed) {
185
+ this.stats.denied++;
186
+ this.respond(socket, {
187
+ jsonrpc: '2.0',
188
+ error: {
189
+ code: -32600,
190
+ message: `Tool denied: ${decision.reason}`,
191
+ data: { receipt_id: receipt.receipt_id, decision: 'DENIED', reason: decision.reason },
192
+ },
193
+ id: requestId,
194
+ });
195
+ return;
196
+ }
197
+ // Permitted - forward to downstream
198
+ this.stats.permitted++;
199
+ if (this.bridge) {
200
+ try {
201
+ const response = await this.bridge.send(parsed);
202
+ this.respond(socket, response);
203
+ }
204
+ catch (err) {
205
+ this.respond(socket, {
206
+ jsonrpc: '2.0',
207
+ error: { code: -32603, message: `Downstream error: ${err}` },
208
+ id: requestId,
209
+ });
210
+ }
211
+ }
212
+ else if (this.upstreamUrl) {
213
+ await this.forwardHttp(JSON.stringify(parsed), socket, requestId);
214
+ }
215
+ else {
216
+ // No upstream - return success with receipt info
217
+ this.respond(socket, {
218
+ jsonrpc: '2.0',
219
+ result: {
220
+ content: [{ type: 'text', text: JSON.stringify({ permitted: true, receipt_id: receipt.receipt_id, tool: toolName }) }],
221
+ },
222
+ id: requestId,
223
+ });
224
+ }
225
+ }
226
+ // ── Receipt generation (Ed25519-SHA256-JCS canonical format) ─
227
+ generateReceipt(toolName, decision, reason, requestId, toolArgs) {
228
+ const pubKeyHex = pkToHex(this.signingKP.publicKey);
229
+ // Arguments hash tri-state per spec Section 3.5
230
+ let argumentsHash;
231
+ if (toolArgs === undefined) {
232
+ argumentsHash = '';
233
+ }
234
+ else {
235
+ argumentsHash = sha256Str(canonicalize(toolArgs));
236
+ }
237
+ const unsigned = {
238
+ receipt_id: uuid(),
239
+ receipt_version: '1.0',
240
+ algorithm: 'Ed25519-SHA256-JCS',
241
+ timestamp: utcNow(),
242
+ request_id: requestId,
243
+ method: 'tools/call',
244
+ tool_name: toolName,
245
+ decision,
246
+ reason,
247
+ policy_reference: this.policyHash,
248
+ arguments_hash: argumentsHash,
249
+ previous_receipt_hash: this.lastReceiptHash,
250
+ gateway_id: this.gatewayId,
251
+ public_key: pubKeyHex,
252
+ };
253
+ const sig = signStr(canonicalize(unsigned), this.signingKP.secretKey);
254
+ const receipt = { ...unsigned, signature: bytesToHex(sig) };
255
+ this.receipts.push(receipt);
256
+ this.lastReceiptHash = sha256Str(canonicalize(receipt));
257
+ return receipt;
258
+ }
259
+ // ── Merkle tree (binary, odd-node promotion, binary concat) ─
260
+ merkleNodeHash(leftHex, rightHex) {
261
+ const left = utilHexToBytes(leftHex);
262
+ const right = utilHexToBytes(rightHex);
263
+ const combined = new Uint8Array(left.length + right.length);
264
+ combined.set(left, 0);
265
+ combined.set(right, left.length);
266
+ return bytesToHex(sha256(combined));
267
+ }
268
+ computeMerkleRoot(leaves) {
269
+ if (leaves.length === 0)
270
+ return '';
271
+ if (leaves.length === 1)
272
+ return leaves[0];
273
+ let level = [...leaves];
274
+ while (level.length > 1) {
275
+ const next = [];
276
+ for (let i = 0; i < level.length; i += 2) {
277
+ if (i + 1 < level.length) {
278
+ next.push(this.merkleNodeHash(level[i], level[i + 1]));
279
+ }
280
+ else {
281
+ next.push(level[i]);
282
+ }
283
+ }
284
+ level = next;
285
+ }
286
+ return level[0];
287
+ }
288
+ computeMerkleProof(leaves, leafIndex) {
289
+ const siblings = [];
290
+ const directions = [];
291
+ let level = [...leaves];
292
+ let idx = leafIndex;
293
+ while (level.length > 1) {
294
+ const next = [];
295
+ for (let i = 0; i < level.length; i += 2) {
296
+ if (i + 1 < level.length) {
297
+ next.push(this.merkleNodeHash(level[i], level[i + 1]));
298
+ }
299
+ else {
300
+ next.push(level[i]);
301
+ }
302
+ }
303
+ if (idx % 2 === 0) {
304
+ if (idx + 1 < level.length) {
305
+ siblings.push(level[idx + 1]);
306
+ directions.push('right');
307
+ }
308
+ }
309
+ else {
310
+ siblings.push(level[idx - 1]);
311
+ directions.push('left');
312
+ }
313
+ idx = Math.floor(idx / 2);
314
+ level = next;
315
+ }
316
+ return {
317
+ leaf_hash: leaves[leafIndex],
318
+ leaf_index: leafIndex,
319
+ siblings,
320
+ directions,
321
+ merkle_root: level[0],
322
+ };
323
+ }
324
+ // ── HTTP forwarding ────────────────────────────────────────
325
+ async forwardHttp(body, socket, requestId) {
326
+ try {
327
+ const resp = await fetch(this.upstreamUrl, {
328
+ method: 'POST',
329
+ headers: { 'Content-Type': 'application/json' },
330
+ body,
331
+ });
332
+ const data = await resp.json();
333
+ this.respond(socket, data);
334
+ }
335
+ catch (err) {
336
+ this.respond(socket, {
337
+ jsonrpc: '2.0',
338
+ error: { code: -32603, message: `HTTP upstream error: ${err}` },
339
+ id: requestId,
340
+ });
341
+ }
342
+ }
343
+ // ── Response helper ────────────────────────────────────────
344
+ respond(socket, msg) {
345
+ if (!socket.destroyed) {
346
+ socket.write(JSON.stringify(msg) + '\n');
347
+ }
348
+ }
349
+ // ── Public API ─────────────────────────────────────────────
350
+ async switchPolicy(newPolicy) {
351
+ this.policy = newPolicy;
352
+ this.policyHash = sha256Str(canonicalize(newPolicy));
353
+ resetRateLimits();
354
+ this.emit('policy_switched');
355
+ }
356
+ exportBundle() {
357
+ if (this.receipts.length === 0)
358
+ throw new Error('No receipts');
359
+ const leafHashes = this.receipts.map(r => sha256Str(canonicalize(r)));
360
+ const root = this.computeMerkleRoot(leafHashes);
361
+ const proofs = leafHashes.map((_, i) => this.computeMerkleProof(leafHashes, i));
362
+ return {
363
+ schema_version: '1.0',
364
+ bundle_id: uuid(),
365
+ algorithm: 'Ed25519-SHA256-JCS',
366
+ generated_at: utcNow(),
367
+ gateway_id: this.gatewayId,
368
+ public_key: pkToHex(this.signingKP.publicKey),
369
+ policy_reference: this.policyHash,
370
+ receipts: this.receipts,
371
+ merkle_root: root,
372
+ merkle_proofs: proofs,
373
+ offline_capable: true,
374
+ };
375
+ }
376
+ getStatus() {
377
+ return {
378
+ running: this.started,
379
+ port: this.port,
380
+ policy_mode: this.policy.mode,
381
+ receipt_count: this.receipts.length,
382
+ ...this.stats,
383
+ public_key: pkToHex(this.signingKP.publicKey),
384
+ };
385
+ }
386
+ getPublicKey() { return pkToHex(this.signingKP.publicKey); }
387
+ getReceipts() { return this.receipts; }
388
+ }
389
+ //# sourceMappingURL=server.js.map
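Review bot: `start()` calls `this.server.listen(this.port, () => resolve())` with no host argument, so Node binds the listener on the unspecified address (all interfaces), while `handleConnection` accepts any peer without authentication and the constructor defaults the policy to `PERMISSIVE`. Because this process holds the signing key and forwards permitted `tools/call` requests to the downstream server, every host that can reach the port can invoke tools and have those calls recorded under the gateway's signature. I would default to loopback and make wider exposure an explicit choice, e.g. `this.host = options.host ?? '127.0.0.1';` in the constructor (a new option, not present in this version) and `this.server.listen(this.port, this.host, () => resolve());` here. Separately, `buffer += chunk.toString()` in `handleConnection` grows without limit when a peer never sends a newline; a maximum line length that destroys the socket when exceeded would bound memory per connection.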
@@ -0,0 +1 @@
1
+ {"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/proxy/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,UAAU,IAAI,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC/E,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAwDxC,MAAM,OAAO,eAAgB,SAAQ,YAAY;IACvC,MAAM,GAAsB,IAAI,CAAC;IACjC,MAAM,GAAuB,IAAI,CAAC;IAE1C,yCAAyC;IACjC,SAAS,CAAU;IAE3B,QAAQ;IACA,MAAM,CAAa;IACnB,IAAI,CAAS;IACb,OAAO,GAAG,KAAK,CAAC;IAChB,eAAe,CAA4B;IAC3C,WAAW,CAAgB;IAC3B,SAAS,CAAS;IAE1B,gBAAgB;IACR,QAAQ,GAAwB,EAAE,CAAC;IACnC,eAAe,GAAW,EAAE,CAAC;IAC7B,UAAU,GAAW,EAAE,CAAC;IAEhC,QAAQ;IACA,KAAK,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAEtE,YAAY,UAA8B,EAAE;QAC1C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;QAC3C,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;QAC/C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,WAAW,CAAC;QAClD,IAAI,CAAC,SAAS,GAAG,eAAe,EAAE,CAAC;IACrC,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAE3D,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAEvD,wCAAwC;QACxC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpD,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,
MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,IAAI,IAAI,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;QACL,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1E,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,IAAI,CAAC,MAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAChD,IAAI,CAAC,MAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACjD,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;gBAClC,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACtC,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACvB,CAAC;IAED,8DAA8D;IAEtD,gBAAgB,CAAC,MAAkB;QACzC,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1B,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAE3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,OAAO;oBAAE,SAAS;gBACvB,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,GAAG,IAAI,CAAC,CAAC;gBACvE,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAA6B,CAAC,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,MAAkB;QACzD,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC
;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YACpG,OAAO;QACT,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,sCAAsC,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7H,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAI,MAAM,CAAC,EAA6B,IAAI,IAAI,CAAC;QAChE,MAAM,MAAM,GAAG,MAAM,CAAC,MAA4B,CAAC;QAEnD,gDAAgD;QAChD,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBACjC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;wBACnB,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;wBAC5D,EAAE,EAAE,SAAS;qBACd,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,EAAE;oBAC1D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;YACD,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1D,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,iBAAiB,CAC7B,MAA+B,EAC/B,MAAkB,EAClB,SAAiC;QAEjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAA6C,CAAC;QACpE,MAAM,QAAQ,GAAG,MAAM,EAAE,IAA0B,CAAC;QACpD,MAAM,QAAQ,GAAG,MAAM,EAAE,SAAgD,CAAC;QAE1E,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QAEnB,4BAA4B;QAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,EAAE,0CAA0C,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;YAC5H,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,mBAAmB;oBAC5B,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;iBAC7D;g
BACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAClC,QAAQ,EACR,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,EACzC,QAAQ,CAAC,MAAM,EACf,SAAS,EACT,QAAQ,CACT,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,gBAAgB,QAAQ,CAAC,MAAM,EAAE;oBAC1C,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE;iBACtF;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAEvB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;oBAC5D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,iDAAiD;YACjD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE;oBACN,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;iBACvH;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gEAAgE;IAExD,eAAe,CACrB,QAAgB,EAChB,QAAgC,EAChC,MAAc,EACd,SAAiC,EACjC,QAA6C;QAE7C,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAEpD,gDAAgD;QAChD,IAAI,aAAqB,CAAC;QAC1B,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,aAAa,GAAG,EAAE,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,aAAa,GAAG,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG;YACf,UAAU,EAAE,IAAI,EAAE;YAClB,eAAe,EAA
E,KAAK;YACtB,SAAS,EAAE,oBAAoB;YAC/B,SAAS,EAAE,MAAM,EAAE;YACnB,UAAU,EAAE,SAAS;YACrB,MAAM,EAAE,YAAY;YACpB,SAAS,EAAE,QAAQ;YACnB,QAAQ;YACR,MAAM;YACN,gBAAgB,EAAE,IAAI,CAAC,UAAU;YACjC,cAAc,EAAE,aAAa;YAC7B,qBAAqB,EAAE,IAAI,CAAC,eAAe;YAC3C,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,UAAU,EAAE,SAAS;SACtB,CAAC;QAEF,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACtE,MAAM,OAAO,GAAsB,EAAE,GAAG,QAAQ,EAAE,SAAS,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAE/E,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG,SAAS,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC;QAExD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,+DAA+D;IAEvD,cAAc,CAAC,OAAe,EAAE,QAAgB;QACtD,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QAC5D,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QACtB,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACjC,OAAO,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtC,CAAC;IAEO,iBAAiB,CAAC,MAAgB;QACxC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;QAC1C,IAAI,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;YACD,KAAK,GAAG,IAAI,CAAC;QACf,CAAC;QACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAEO,kBAAkB,CAAC,MAAgB,EAAE,SAAiB;QAC5D,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAyB,EAAE,CAAC;QAC5C,IAAI,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;QACxB,IAAI,GAAG,GAAG,SAAS,CAAC;QAEpB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CA
AC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;YACD,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClB,IAAI,GAAG,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;oBAC9B,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;gBAC9B,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC1B,CAAC;YACD,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YAC1B,KAAK,GAAG,IAAI,CAAC;QACf,CAAC;QAED,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC;YAC5B,UAAU,EAAE,SAAS;YACrB,QAAQ;YACR,UAAU;YACV,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;SACtB,CAAC;IACJ,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,WAAW,CAAC,IAAY,EAAE,MAAkB,EAAE,SAAiC;QAC3F,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,WAAY,EAAE;gBAC1C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI;aACL,CAAC,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAA+B,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,GAAG,EAAE,EAAE;gBAC/D,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,8DAA8D;IAEtD,OAAO,CAAC,MAAkB,EAAE,GAA4B;QAC9D,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,YAAY,CAAC,SAAqB;QACtC,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;QACrD,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC/B,CAAC;IAED,YAAY;QACV,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;QAE
/D,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC;QAEhF,OAAO;YACL,cAAc,EAAE,KAAK;YACrB,SAAS,EAAE,IAAI,EAAE;YACjB,SAAS,EAAE,oBAAoB;YAC/B,YAAY,EAAE,MAAM,EAAE;YACtB,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;YAC7C,gBAAgB,EAAE,IAAI,CAAC,UAAU;YACjC,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI;YACjB,aAAa,EAAE,MAAM;YACrB,eAAe,EAAE,IAAI;SACtB,CAAC;IACJ,CAAC;IAED,SAAS;QACP,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC7B,aAAa,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;YACnC,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;SAC9C,CAAC;IACJ,CAAC;IAED,YAAY,KAAa,OAAO,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACpE,WAAW,KAA0B,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;CAC7D"}
@@ -0,0 +1,42 @@
1
+ /**
2
+ * AGA Governance Proxy - Stdio Bridge
3
+ * Spawns a downstream MCP server as a child process and manages
4
+ * JSON-RPC message framing over stdin/stdout.
5
+ *
6
+ * Patent: USPTO App. No. 19/433,835
7
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
8
+ * SPDX-License-Identifier: MIT
9
+ */
10
+ import { EventEmitter } from 'node:events';
11
+ export interface StdioBridgeOptions {
12
+ command: string;
13
+ args?: string[];
14
+ env?: Record<string, string>;
15
+ cwd?: string;
16
+ }
17
+ /**
18
+ * Bridges JSON-RPC messages to/from a child process via stdio.
19
+ * Handles newline-delimited JSON framing.
20
+ */
21
+ export declare class StdioBridge extends EventEmitter {
22
+ private options;
23
+ private child;
24
+ private buffer;
25
+ private pendingRequests;
26
+ constructor(options: StdioBridgeOptions);
27
+ start(): Promise<void>;
28
+ private processBuffer;
29
+ private handleMessage;
30
+ /**
31
+ * Send a JSON-RPC request to the downstream server and wait for a response.
32
+ */
33
+ send(message: Record<string, unknown>, timeoutMs?: number): Promise<Record<string, unknown>>;
34
+ /**
35
+ * Send a raw message without waiting for a response.
36
+ */
37
+ sendRaw(message: Record<string, unknown>): void;
38
+ stop(): Promise<void>;
39
+ get running(): boolean;
40
+ private rejectAllPending;
41
+ }
42
+ //# sourceMappingURL=stdio-bridge.d.ts.map
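Review bot: The doc comment on `send()` (declaration lines 30-33) leaves out the parts of the contract a caller needs, all of which follow from the implementation in stdio-bridge.js. I would extend it in the TypeScript source to something like `Resolves with the downstream response whose id matches message.id; rejects on timeout (default 30000 ms), downstream exit, or stop().` and `A message without an id is written and resolved immediately with a synthetic { jsonrpc: '2.0', result: null, id: null }.` `StdioBridgeOptions` also deserves a comment on `env` and `command`, since the implementation merges `env` over the proxy's own `process.env` and runs `command` through a shell on Windows. An integrator deciding what to put in those fields cannot see either behaviour from this declaration.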
@@ -0,0 +1 @@
1
+ {"version":3,"file":"stdio-bridge.d.ts","sourceRoot":"","sources":["../../src/proxy/stdio-bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,qBAAa,WAAY,SAAQ,YAAY;IAS/B,OAAO,CAAC,OAAO;IAR3B,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,MAAM,CAAM;IACpB,OAAO,CAAC,eAAe,CAIlB;gBAEe,OAAO,EAAE,kBAAkB;IAIzC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IA+B5B,OAAO,CAAC,aAAa;IAkBrB,OAAO,CAAC,aAAa;IAiBrB;;OAEG;IACG,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAwBlG;;OAEG;IACH,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAOzC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAmB3B,IAAI,OAAO,IAAI,OAAO,CAErB;IAED,OAAO,CAAC,gBAAgB;CAOzB"}
@@ -0,0 +1,142 @@
1
+ /**
2
+ * AGA Governance Proxy - Stdio Bridge
3
+ * Spawns a downstream MCP server as a child process and manages
4
+ * JSON-RPC message framing over stdin/stdout.
5
+ *
6
+ * Patent: USPTO App. No. 19/433,835
7
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
8
+ * SPDX-License-Identifier: MIT
9
+ */
10
+ import { spawn } from 'node:child_process';
11
+ import { EventEmitter } from 'node:events';
12
+ /**
13
+ * Bridges JSON-RPC messages to/from a child process via stdio.
14
+ * Handles newline-delimited JSON framing.
15
+ */
16
+ export class StdioBridge extends EventEmitter {
17
+ options;
18
+ child = null;
19
+ buffer = '';
20
+ pendingRequests = new Map();
21
+ constructor(options) {
22
+ super();
23
+ this.options = options;
24
+ }
25
+ async start() {
26
+ const { command, args = [], env, cwd } = this.options;
27
+ this.child = spawn(command, args, {
28
+ stdio: ['pipe', 'pipe', 'pipe'],
29
+ env: { ...process.env, ...env },
30
+ cwd,
31
+ shell: process.platform === 'win32',
32
+ });
33
+ this.child.stdout.on('data', (chunk) => {
34
+ this.buffer += chunk.toString();
35
+ this.processBuffer();
36
+ });
37
+ this.child.stderr.on('data', (chunk) => {
38
+ // Log downstream stderr but don't treat as JSON-RPC
39
+ process.stderr.write(`[downstream] ${chunk.toString()}`);
40
+ });
41
+ this.child.on('exit', (code, signal) => {
42
+ this.emit('exit', code, signal);
43
+ this.rejectAllPending(new Error(`Downstream process exited: code=${code} signal=${signal}`));
44
+ });
45
+ this.child.on('error', (err) => {
46
+ this.emit('error', err);
47
+ this.rejectAllPending(err);
48
+ });
49
+ }
50
+ processBuffer() {
51
+ const lines = this.buffer.split('\n');
52
+ // Keep the last (possibly incomplete) line in the buffer
53
+ this.buffer = lines.pop() || '';
54
+ for (const line of lines) {
55
+ const trimmed = line.trim();
56
+ if (!trimmed)
57
+ continue;
58
+ try {
59
+ const msg = JSON.parse(trimmed);
60
+ this.handleMessage(msg);
61
+ }
62
+ catch {
63
+ // Not valid JSON - skip
64
+ }
65
+ }
66
+ }
67
+ handleMessage(msg) {
68
+ // If it has an id and either result or error, it's a response
69
+ if ('id' in msg && ('result' in msg || 'error' in msg)) {
70
+ const id = msg.id;
71
+ const pending = this.pendingRequests.get(id);
72
+ if (pending) {
73
+ clearTimeout(pending.timer);
74
+ this.pendingRequests.delete(id);
75
+ pending.resolve(msg);
76
+ }
77
+ return;
78
+ }
79
+ // Notifications from downstream (no id, or has method) - emit for proxy to handle
80
+ this.emit('notification', msg);
81
+ }
82
+ /**
83
+ * Send a JSON-RPC request to the downstream server and wait for a response.
84
+ */
85
+ async send(message, timeoutMs = 30_000) {
86
+ if (!this.child?.stdin?.writable) {
87
+ throw new Error('Downstream process not running');
88
+ }
89
+ const id = message.id;
90
+ // Notifications (no id) - fire and forget
91
+ if (id === undefined || id === null) {
92
+ this.child.stdin.write(JSON.stringify(message) + '\n');
93
+ return { jsonrpc: '2.0', result: null, id: null };
94
+ }
95
+ return new Promise((resolve, reject) => {
96
+ const timer = setTimeout(() => {
97
+ this.pendingRequests.delete(id);
98
+ reject(new Error(`Timeout waiting for response to request ${id}`));
99
+ }, timeoutMs);
100
+ this.pendingRequests.set(id, { resolve, reject, timer });
101
+ this.child.stdin.write(JSON.stringify(message) + '\n');
102
+ });
103
+ }
104
+ /**
105
+ * Send a raw message without waiting for a response.
106
+ */
107
+ sendRaw(message) {
108
+ if (!this.child?.stdin?.writable) {
109
+ throw new Error('Downstream process not running');
110
+ }
111
+ this.child.stdin.write(JSON.stringify(message) + '\n');
112
+ }
113
+ async stop() {
114
+ this.rejectAllPending(new Error('Bridge stopped'));
115
+ if (this.child) {
116
+ this.child.kill('SIGTERM');
117
+ // Give it a moment, then force kill
118
+ await new Promise(resolve => {
119
+ const timer = setTimeout(() => {
120
+ this.child?.kill('SIGKILL');
121
+ resolve();
122
+ }, 3000);
123
+ this.child.on('exit', () => {
124
+ clearTimeout(timer);
125
+ resolve();
126
+ });
127
+ });
128
+ this.child = null;
129
+ }
130
+ }
131
+ get running() {
132
+ return this.child !== null && this.child.exitCode === null;
133
+ }
134
+ rejectAllPending(err) {
135
+ for (const [id, pending] of this.pendingRequests) {
136
+ clearTimeout(pending.timer);
137
+ pending.reject(err);
138
+ }
139
+ this.pendingRequests.clear();
140
+ }
141
+ }
142
+ //# sourceMappingURL=stdio-bridge.js.map
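Review bot: `shell: process.platform === 'win32'` in the `spawn()` options of `start()` (line 31) runs `command` and `args` through cmd.exe on Windows, where Node joins the arguments into one command line without quoting. A metacharacter such as `&` or `|` in a configured argument is then interpreted by the shell instead of reaching the downstream server as data. I would default to `shell: false,` and make the shell path an explicit opt-in option for the `.cmd`/`.bat` launcher case, with the arguments validated before they are joined. The same options object spreads the proxy's whole environment into the child with `env: { ...process.env, ...env },` (line 29). If the proxy process holds credentials or key material in environment variables, which this file does not show, building the child environment from a short allowlist of variable names plus `env` keeps them away from the governed server.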
@@ -0,0 +1 @@
1
+ {"version":3,"file":"stdio-bridge.js","sourceRoot":"","sources":["../../src/proxy/stdio-bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAS3C;;;GAGG;AACH,MAAM,OAAO,WAAY,SAAQ,YAAY;IASvB;IARZ,KAAK,GAAwB,IAAI,CAAC;IAClC,MAAM,GAAG,EAAE,CAAC;IACZ,eAAe,GAAG,IAAI,GAAG,EAI7B,CAAC;IAEL,YAAoB,OAA2B;QAC7C,KAAK,EAAE,CAAC;QADU,YAAO,GAAP,OAAO,CAAoB;IAE/C,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEtD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE;YAChC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE;YAC/B,GAAG;YACH,KAAK,EAAE,OAAO,CAAC,QAAQ,KAAK,OAAO;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC9C,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAChC,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC9C,oDAAoD;YACpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YAChC,IAAI,CAAC,gBAAgB,CAAC,IAAI,KAAK,CAAC,mCAAmC,IAAI,WAAW,MAAM,EAAE,CAAC,CAAC,CAAC;QAC/F,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACxB,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,aAAa;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACtC,yDAAyD;QACzD,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;QAEhC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO;gBAAE,SAAS;YAEvB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;gBAC3D,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,wBAA
wB;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,GAA4B;QAChD,8DAA8D;QAC9D,IAAI,IAAI,IAAI,GAAG,IAAI,CAAC,QAAQ,IAAI,GAAG,IAAI,OAAO,IAAI,GAAG,CAAC,EAAE,CAAC;YACvD,MAAM,EAAE,GAAG,GAAG,CAAC,EAAqB,CAAC;YACrC,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC7C,IAAI,OAAO,EAAE,CAAC;gBACZ,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;gBAC5B,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBAChC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC;YACD,OAAO;QACT,CAAC;QAED,kFAAkF;QAClF,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,OAAgC,EAAE,SAAS,GAAG,MAAM;QAC7D,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,EAAE,GAAG,OAAO,CAAC,EAAiC,CAAC;QAErD,0CAA0C;QAC1C,IAAI,EAAE,KAAK,SAAS,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YACpC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;YACvD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACpD,CAAC;QAED,OAAO,IAAI,OAAO,CAA0B,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC9D,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBAChC,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,EAAE,EAAE,CAAC,CAAC,CAAC;YACrE,CAAC,EAAE,SAAS,CAAC,CAAC;YAEd,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YACzD,IAAI,CAAC,KAAM,CAAC,KAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,OAAgC;QACtC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,gBAAgB,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC;QACnD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC3B,oCAAoC;YACpC,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE;gBAChC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;oBAC5B,IAAI,CAAC,
KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;oBAC5B,OAAO,EAAE,CAAC;gBACZ,CAAC,EAAE,IAAI,CAAC,CAAC;gBACT,IAAI,CAAC,KAAM,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;oBAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;oBACpB,OAAO,EAAE,CAAC;gBACZ,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,KAAK,KAAK,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,KAAK,IAAI,CAAC;IAC7D,CAAC;IAEO,gBAAgB,CAAC,GAAU;QACjC,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACjD,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5B,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;QACD,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;IAC/B,CAAC;CACF"}
@@ -0,0 +1,36 @@
1
+ /**
2
+ * AGA Governance Proxy - Types
3
+ * Adapted from aga-mcp-gateway/src/governance/types.ts
4
+ *
5
+ * Patent: USPTO App. No. 19/433,835
6
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
7
+ * SPDX-License-Identifier: MIT
8
+ */
9
+ export interface ToolConstraint {
10
+ name: string;
11
+ allowed: boolean;
12
+ max_calls_per_minute?: number;
13
+ path_prefix?: string;
14
+ path_keys?: string[];
15
+ denied_patterns?: string[];
16
+ }
17
+ export interface ToolPolicy {
18
+ mode: 'allowlist' | 'denylist' | 'audit_only';
19
+ constraints: Record<string, ToolConstraint>;
20
+ }
21
+ export interface ToolCallDecision {
22
+ allowed: boolean;
23
+ reason: string;
24
+ tool_name: string;
25
+ policy_mode: string;
26
+ }
27
+ export interface ProxyConfig {
28
+ port: number;
29
+ upstream: string;
30
+ upstreamType: 'stdio' | 'http';
31
+ policy: ToolPolicy;
32
+ dataDir: string;
33
+ }
34
+ export declare const DEFAULT_PROXY_PORT = 18800;
35
+ export declare const DEFAULT_DATA_DIR = ".aga-proxy";
36
+ //# sourceMappingURL=types.d.ts.map
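Review bot: `ToolCallDecision.policy_mode` is declared as `string` (line 25) while `ToolPolicy.mode` on line 18 is the closed union `'allowlist' | 'denylist' | 'audit_only'`. Typing it as `policy_mode: ToolPolicy['mode'];` lets the compiler catch a misspelled or unhandled mode in code that branches on a decision. The `ToolConstraint` fields also carry no comments, and their matching rules are what a policy author relies on. This declaration does not say whether `denied_patterns` are regular expressions, globs or substrings, or whether `path_prefix` is compared against a normalised path. A one-line comment per field in the source, for example `/** Patterns tested against argument values; syntax: <regex | glob | substring, per the evaluator> */`, would make the policy file reviewable without reading the evaluator.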
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/proxy/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;IAC9C,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAC7C;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,OAAO,GAAG,MAAM,CAAC;IAC/B,MAAM,EAAE,UAAU,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,eAAO,MAAM,kBAAkB,QAAQ,CAAC;AACxC,eAAO,MAAM,gBAAgB,eAAe,CAAC"}
@@ -0,0 +1,11 @@
1
+ /**
2
+ * AGA Governance Proxy - Types
3
+ * Adapted from aga-mcp-gateway/src/governance/types.ts
4
+ *
5
+ * Patent: USPTO App. No. 19/433,835
6
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
7
+ * SPDX-License-Identifier: MIT
8
+ */
9
+ export const DEFAULT_PROXY_PORT = 18800;
10
+ export const DEFAULT_DATA_DIR = '.aga-proxy';
11
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/proxy/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA+BH,MAAM,CAAC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACxC,MAAM,CAAC,MAAM,gBAAgB,GAAG,YAAY,CAAC"}