@bookedsolid/rea 0.1.0

package/dist/gateway/middleware/injection.d.ts

@@ -0,0 +1,22 @@
+import type { Middleware } from './chain.js';
+/**
+ * Scan a string for known prompt injection phrases.
+ * Also decodes base64 tokens and checks the decoded content.
+ * Returns an array of matched phrase descriptions, empty if clean.
+ */
+export declare function scanForInjection(input: string): string[];
+export type InjectionAction = 'block' | 'warn';
+/**
+ * PostToolUse middleware: scans tool results for prompt injection patterns.
+ *
+ * Operates on tool output (ctx.result) returned from downstream MCP servers.
+ * On detection:
+ *   - Always logs to audit metadata and emits a warning to stderr.
+ *   - If action is 'block' (default), sets ctx.status to Denied and blocks the result.
+ *   - If action is 'warn', allows the result through with a warning only.
+ *
+ * SECURITY: Checking PostToolUse (after downstream execution, before the result
+ * reaches the LLM) is the correct place to catch injection in tool descriptions
+ * and resource content coming from potentially untrusted downstream servers.
+ */
+export declare function createInjectionMiddleware(action?: InjectionAction): Middleware;

package/dist/gateway/middleware/injection.js

@@ -0,0 +1,128 @@
+import { InvocationStatus } from '../../policy/types.js';
+/**
+ * Known prompt injection phrases (lowercase for case-insensitive matching).
+ * These patterns are commonly used to override system instructions in tool
+ * descriptions or resource content returned by downstream MCP servers.
+ */
+const INJECTION_PHRASES = [
+    'ignore previous instructions',
+    'disregard your',
+    'your new instructions are',
+    'system prompt override',
+    'forget all previous',
+    // 'you are now' is too broad — fires on "you are now connected", "you are now in /home/foo", etc.
+    // The role-reassignment vector is "you are now a [different persona]" — the trailing space+article
+    // is what distinguishes injection from ordinary status messages.
+    'you are now a ',
+    'you are now an ',
+];
+/**
+ * Decode a base64 string, returning the decoded text or null if decoding fails.
+ * Only decodes if the input looks like base64 (64-char alphabet, length divisible by 4 or padded).
+ */
+function tryDecodeBase64(input) {
+    // Quick heuristic: must be at least 20 chars and use only base64 chars
+    if (input.length < 20)
+        return null;
+    if (!/^[A-Za-z0-9+/]+=*$/.test(input))
+        return null;
+    try {
+        return Buffer.from(input, 'base64').toString('utf8');
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Scan a string for known prompt injection phrases.
+ * Also decodes base64 tokens and checks the decoded content.
+ * Returns an array of matched phrase descriptions, empty if clean.
+ */
+export function scanForInjection(input) {
+    if (!input || typeof input !== 'string')
+        return [];
+    const lower = input.toLowerCase();
+    const matches = [];
+    // Check literal phrases
+    for (const phrase of INJECTION_PHRASES) {
+        if (lower.includes(phrase)) {
+            matches.push(`literal: "${phrase}"`);
+        }
+    }
+    // Check base64-encoded variants — scan word-like tokens that look like base64
+    const base64Tokens = input.match(/[A-Za-z0-9+/]{20,}={0,2}/g) ?? [];
+    for (const token of base64Tokens) {
+        const decoded = tryDecodeBase64(token);
+        if (!decoded)
+            continue;
+        const decodedLower = decoded.toLowerCase();
+        for (const phrase of INJECTION_PHRASES) {
+            if (decodedLower.includes(phrase)) {
+                matches.push(`base64-encoded: "${phrase}"`);
+                break; // One report per token is enough
+            }
+        }
+    }
+    return matches;
+}
+/**
+ * Scan an unknown value recursively, collecting all injection matches.
+ * Walks strings, arrays, and plain objects.
+ */
+function scanValue(value, matches) {
+    if (typeof value === 'string') {
+        matches.push(...scanForInjection(value));
+        return;
+    }
+    if (Array.isArray(value)) {
+        for (const item of value) {
+            scanValue(item, matches);
+        }
+        return;
+    }
+    if (value !== null && typeof value === 'object') {
+        for (const v of Object.values(value)) {
+            scanValue(v, matches);
+        }
+    }
+}
+/**
+ * PostToolUse middleware: scans tool results for prompt injection patterns.
+ *
+ * Operates on tool output (ctx.result) returned from downstream MCP servers.
+ * On detection:
+ *   - Always logs to audit metadata and emits a warning to stderr.
+ *   - If action is 'block' (default), sets ctx.status to Denied and blocks the result.
+ *   - If action is 'warn', allows the result through with a warning only.
+ *
+ * SECURITY: Checking PostToolUse (after downstream execution, before the result
+ * reaches the LLM) is the correct place to catch injection in tool descriptions
+ * and resource content coming from potentially untrusted downstream servers.
+ */
+export function createInjectionMiddleware(action = 'block') {
+    return async (ctx, next) => {
+        await next();
+        // Only scan if we have a result to inspect
+        if (ctx.result == null)
+            return;
+        const matches = [];
+        scanValue(ctx.result, matches);
+        if (matches.length === 0)
+            return;
+        // Deduplicate matches
+        const unique = [...new Set(matches)];
+        // Always log to audit metadata
+        ctx.metadata.injection_matches = unique;
+        // Always emit warning to stderr
+        process.stderr.write(`[rea] INJECTION-GUARD: Prompt injection pattern detected in tool "${ctx.tool_name}" result\n`);
+        for (const match of unique) {
+            process.stderr.write(`  Pattern: ${match}\n`);
+        }
+        process.stderr.write(`  Action: ${action} — review the downstream server "${ctx.server_name}" for compromise.\n`);
+        if (action === 'block') {
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = `Prompt injection detected in tool result (${unique.length} pattern(s) matched). Result blocked.`;
+            ctx.result = undefined;
+        }
+    };
+}

package/dist/gateway/middleware/kill-switch.d.ts

@@ -0,0 +1,10 @@
+import type { Middleware } from './chain.js';
+/**
+ * Checks for `.rea/HALT` file. If present, denies the invocation.
+ *
+ * SECURITY: Validates HALT is a regular file (not directory/symlink to sensitive file).
+ * SECURITY: Symlinks must resolve to a target within `.rea/`.
+ * SECURITY: Caps read size to prevent oversized error strings.
+ * SECURITY: Fails closed on unexpected errors.
+ */
+export declare function createKillSwitchMiddleware(baseDir: string): Middleware;

package/dist/gateway/middleware/kill-switch.js

@@ -0,0 +1,58 @@
+import fs from 'node:fs/promises';
+import { constants as fsConstants } from 'node:fs';
+import path from 'node:path';
+import { InvocationStatus } from '../../policy/types.js';
+const MAX_HALT_READ_BYTES = 1024;
+const REA_DIR = '.rea';
+const HALT_FILE = 'HALT';
+/**
+ * Checks for `.rea/HALT` file. If present, denies the invocation.
+ *
+ * SECURITY: Validates HALT is a regular file (not directory/symlink to sensitive file).
+ * SECURITY: Symlinks must resolve to a target within `.rea/`.
+ * SECURITY: Caps read size to prevent oversized error strings.
+ * SECURITY: Fails closed on unexpected errors.
+ */
+export function createKillSwitchMiddleware(baseDir) {
+    return async (ctx, next) => {
+        const haltPath = path.join(baseDir, REA_DIR, HALT_FILE);
+        try {
+            const stat = await fs.stat(haltPath);
+            if (!stat.isFile()) {
+                ctx.status = InvocationStatus.Denied;
+                ctx.error = 'Kill switch active: HALT exists (non-file)';
+                return;
+            }
+            const lstat = await fs.lstat(haltPath);
+            if (lstat.isSymbolicLink()) {
+                const target = await fs.realpath(haltPath);
+                const reaDir = path.join(baseDir, REA_DIR);
+                if (!target.startsWith(reaDir)) {
+                    ctx.status = InvocationStatus.Denied;
+                    ctx.error = 'Kill switch active: HALT is a symlink outside .rea/';
+                    return;
+                }
+            }
+            const fh = await fs.open(haltPath, fsConstants.O_RDONLY);
+            try {
+                const buf = Buffer.alloc(MAX_HALT_READ_BYTES);
+                const { bytesRead } = await fh.read(buf, 0, MAX_HALT_READ_BYTES, 0);
+                const reason = buf.subarray(0, bytesRead).toString('utf8').trim();
+                ctx.status = InvocationStatus.Denied;
+                ctx.error = `Kill switch active: ${reason}`;
+            }
+            finally {
+                await fh.close();
+            }
+            return;
+        }
+        catch (err) {
+            if (err.code === 'ENOENT') {
+                await next();
+                return;
+            }
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = `Kill switch check failed: ${err.message}`;
+        }
+    };
+}

package/dist/gateway/middleware/policy.d.ts

@@ -0,0 +1,12 @@
+import type { Policy } from '../../policy/types.js';
+import type { GatewayConfig } from '../../config/types.js';
+import type { Middleware } from './chain.js';
+/**
+ * Checks autonomy level against tool tier, and checks blocked tools.
+ *
+ * SECURITY: Re-reads policy.yaml on every invocation so autonomy level changes
+ * take effect immediately without gateway restart.
+ * SECURITY: Re-derives tier from tool_name independently — never trusts ctx.tier.
+ * SECURITY: Undefined/unknown tier defaults to DENY (fail-closed).
+ */
+export declare function createPolicyMiddleware(initialPolicy: Policy, gatewayConfig?: GatewayConfig, baseDir?: string): Middleware;

package/dist/gateway/middleware/policy.js

@@ -0,0 +1,70 @@
+import { AutonomyLevel, InvocationStatus, Tier } from '../../policy/types.js';
+import { classifyTool, isToolBlocked } from '../../config/tier-map.js';
+import { loadPolicyAsync } from '../../policy/loader.js';
+/**
+ * Autonomy level tier permissions:
+ * - L0: Read only
+ * - L1: Read + Write (no destructive)
+ * - L2: Read + Write (no destructive)
+ * - L3: All tiers allowed
+ */
+const TIER_ALLOWED = {
+    [AutonomyLevel.L0]: new Set([Tier.Read]),
+    [AutonomyLevel.L1]: new Set([Tier.Read, Tier.Write]),
+    [AutonomyLevel.L2]: new Set([Tier.Read, Tier.Write]),
+    [AutonomyLevel.L3]: new Set([Tier.Read, Tier.Write, Tier.Destructive]),
+};
+/**
+ * Checks autonomy level against tool tier, and checks blocked tools.
+ *
+ * SECURITY: Re-reads policy.yaml on every invocation so autonomy level changes
+ * take effect immediately without gateway restart.
+ * SECURITY: Re-derives tier from tool_name independently — never trusts ctx.tier.
+ * SECURITY: Undefined/unknown tier defaults to DENY (fail-closed).
+ */
+export function createPolicyMiddleware(initialPolicy, gatewayConfig, baseDir) {
+    // SECURITY: Cache last successfully parsed policy for fallback.
+    // This prevents falling back to a potentially more permissive initial policy
+    // if the file is corrupted after a stricter policy was loaded.
+    let lastGoodPolicy = initialPolicy;
+    return async (ctx, next) => {
+        // SECURITY: Re-read policy on each invocation for live autonomy changes.
+        // Falls back to last successfully parsed policy on read failure.
+        let policy = lastGoodPolicy;
+        if (baseDir) {
+            try {
+                policy = await loadPolicyAsync(baseDir);
+                lastGoodPolicy = policy; // Cache successful parse
+            }
+            catch {
+                // Fail-safe: use last successfully parsed policy if re-read fails
+            }
+        }
+        // Check if tool is explicitly blocked
+        if (isToolBlocked(ctx.tool_name, ctx.server_name, gatewayConfig)) {
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = `Tool "${ctx.tool_name}" is explicitly blocked in gateway config`;
+            return;
+        }
+        // SECURITY: Re-derive tier from tool_name — do NOT trust ctx.tier from prior middleware.
+        // This prevents a rogue middleware from downgrading a destructive tool to read-tier.
+        const tier = classifyTool(ctx.tool_name, ctx.server_name, gatewayConfig);
+        ctx.tier = tier; // Overwrite with authoritative classification
+        // Validate autonomy level is known
+        const allowed = TIER_ALLOWED[policy.autonomy_level];
+        if (!allowed) {
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = `Unknown autonomy level: ${policy.autonomy_level}. Denying by default.`;
+            return;
+        }
+        // Check autonomy level vs tier (fail-closed: deny if tier unknown)
+        if (!allowed.has(tier)) {
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = `Autonomy level ${policy.autonomy_level} does not allow ${tier}-tier tools. Tool: ${ctx.tool_name}`;
+            return;
+        }
+        // Store current autonomy level in metadata for audit middleware
+        ctx.metadata.autonomy_level = policy.autonomy_level;
+        await next();
+    };
+}

package/dist/gateway/middleware/rate-limit.d.ts

@@ -0,0 +1,12 @@
+import type { RateLimiter } from '../rate-limiter.js';
+import type { Middleware } from './chain.js';
+/**
+ * PreToolUse + PostToolUse middleware: enforces per-server concurrency and rate limits.
+ *
+ * On entry: tries to acquire a slot. If over limit, denies the call immediately
+ * without ever reaching the downstream server.
+ *
+ * On exit (finally): releases the concurrency slot so the next queued call can proceed.
+ * The slot is released even if the downstream call errors — we track capacity, not success.
+ */
+export declare function createRateLimitMiddleware(limiter: RateLimiter): Middleware;

package/dist/gateway/middleware/rate-limit.js

@@ -0,0 +1,31 @@
+import { InvocationStatus } from '../../policy/types.js';
+/**
+ * PreToolUse + PostToolUse middleware: enforces per-server concurrency and rate limits.
+ *
+ * On entry: tries to acquire a slot. If over limit, denies the call immediately
+ * without ever reaching the downstream server.
+ *
+ * On exit (finally): releases the concurrency slot so the next queued call can proceed.
+ * The slot is released even if the downstream call errors — we track capacity, not success.
+ */
+export function createRateLimitMiddleware(limiter) {
+    return async (ctx, next) => {
+        const err = limiter.tryAcquire(ctx.server_name);
+        if (err !== null) {
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = err.message;
+            ctx.metadata.rate_limit_exceeded = {
+                type: err.type,
+                current: err.current,
+                limit: err.limit,
+            };
+            return; // Do not call next() — gate is closed
+        }
+        try {
+            await next();
+        }
+        finally {
+            limiter.release(ctx.server_name);
+        }
+    };
+}

package/dist/gateway/middleware/redact.d.ts

@@ -0,0 +1,16 @@
+import type { Middleware } from './chain.js';
+/**
+ * Redact secrets from a string, returning the redacted string and list of redacted field names.
+ */
+export declare function redactSecrets(input: string): {
+    output: string;
+    redacted: string[];
+};
+/**
+ * Post-execution middleware: scans tool output for secret patterns and redacts them.
+ *
+ * SECURITY: For non-string results, redaction operates on individual string values
+ * within the object structure rather than JSON.stringify→replace→JSON.parse, which
+ * could corrupt the result if a replacement changes JSON structure.
+ */
+export declare const redactMiddleware: Middleware;

package/dist/gateway/middleware/redact.js

@@ -0,0 +1,128 @@
+/**
+ * Patterns that match common secret formats.
+ * Each pattern has a name (for audit logging) and a regex.
+ *
+ * SECURITY: Patterns use case-insensitive flag where applicable.
+ * SECURITY: Input is sanitized (null bytes stripped) before matching.
+ */
+const SECRET_PATTERNS = [
+    { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/gi },
+    {
+        name: 'AWS Secret Key',
+        pattern: /(?:aws_secret_access_key|secret_key)\s*[:=]\s*[A-Za-z0-9/+=]{40}/gi,
+    },
+    { name: 'GitHub Token', pattern: /gh[pousr]_[A-Za-z0-9_]{36,}/g },
+    {
+        name: 'Generic API Key',
+        pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*["']?[A-Za-z0-9\-_.]{20,}["']?/gi,
+    },
+    { name: 'Bearer Token', pattern: /bearer\s+[A-Za-z0-9\-_.~+/]+=*/gi },
+    { name: 'Private Key', pattern: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+)?PRIVATE\s+KEY-----/gi },
+    { name: 'Discord Token', pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}/g },
+    // Base64-encoded AWS access key (AKIA... in base64 starts with QUTJQ)
+    { name: 'Base64 AWS Key', pattern: /QUtJQ[A-Za-z0-9+/]{17,}={0,2}/g },
+    // Anthropic API keys (sk-ant-api03-... and similar)
+    { name: 'Anthropic API Key', pattern: /sk-ant-[a-zA-Z0-9\-_]{32,}/g },
+    // OpenAI API keys — project keys (sk-proj-...) and legacy (sk-...)
+    { name: 'OpenAI Project Key', pattern: /sk-proj-[a-zA-Z0-9\-_]{32,}/g },
+    { name: 'OpenAI API Key', pattern: /sk-[a-zA-Z0-9]{32,}/g },
+    // Hugging Face access tokens
+    { name: 'Hugging Face Token', pattern: /hf_[a-zA-Z0-9]{32,}/g },
+];
+/**
+ * Strip null bytes and other control characters that could break regex matching.
+ */
+function sanitizeInput(input) {
+    return input.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, '');
+}
+/**
+ * Redact secrets from a string, returning the redacted string and list of redacted field names.
+ */
+export function redactSecrets(input) {
+    let output = sanitizeInput(input);
+    const redacted = [];
+    for (const { name, pattern } of SECRET_PATTERNS) {
+        // Reset lastIndex for global regexes
+        pattern.lastIndex = 0;
+        if (pattern.test(output)) {
+            pattern.lastIndex = 0;
+            output = output.replace(pattern, '[REDACTED]');
+            redacted.push(name);
+        }
+    }
+    return { output, redacted };
+}
+/**
+ * Post-execution middleware: scans tool output for secret patterns and redacts them.
+ *
+ * SECURITY: For non-string results, redaction operates on individual string values
+ * within the object structure rather than JSON.stringify→replace→JSON.parse, which
+ * could corrupt the result if a replacement changes JSON structure.
+ */
+export const redactMiddleware = async (ctx, next) => {
+    // SECURITY: Pre-execution — scan arguments for secrets before they reach the downstream tool.
+    if (ctx.arguments) {
+        const argRedacted = [];
+        redactDeep(ctx.arguments, argRedacted);
+        if (argRedacted.length > 0) {
+            ctx.redacted_fields = [...new Set(argRedacted)];
+        }
+    }
+    await next();
+    if (ctx.result == null)
+        return;
+    if (typeof ctx.result === 'string') {
+        const { output, redacted } = redactSecrets(ctx.result);
+        if (redacted.length > 0) {
+            ctx.result = output;
+            ctx.redacted_fields = [...new Set([...(ctx.redacted_fields ?? []), ...redacted])];
+        }
+        return;
+    }
+    // For objects, deeply redact all string values in-place
+    const allRedacted = [];
+    redactDeep(ctx.result, allRedacted);
+    if (allRedacted.length > 0) {
+        ctx.redacted_fields = [...new Set([...(ctx.redacted_fields ?? []), ...allRedacted])];
+    }
+};
+/**
+ * Recursively walk an object/array and redact string values in-place.
+ * Uses a WeakSet to guard against circular references.
+ */
+function redactDeep(obj, redacted, seen = new WeakSet()) {
+    if (obj == null || typeof obj !== 'object')
+        return;
+    // Guard against circular references
+    if (seen.has(obj))
+        return;
+    seen.add(obj);
+    if (Array.isArray(obj)) {
+        for (let i = 0; i < obj.length; i++) {
+            if (typeof obj[i] === 'string') {
+                const { output, redacted: r } = redactSecrets(obj[i]);
+                if (r.length > 0) {
+                    obj[i] = output;
+                    redacted.push(...r);
+                }
+            }
+            else {
+                redactDeep(obj[i], redacted, seen);
+            }
+        }
+        return;
+    }
+    const record = obj;
+    for (const key of Object.keys(record)) {
+        if (typeof record[key] === 'string') {
+            const { output, redacted: r } = redactSecrets(record[key]);
+            if (r.length > 0) {
+                record[key] = output;
+                redacted.push(...r);
+            }
+        }
+        else {
+            redactDeep(record[key], redacted, seen);
+        }
+    }
+}

package/dist/gateway/middleware/result-size-cap.d.ts

@@ -0,0 +1,13 @@
+import type { GatewayConfig } from '../../config/types.js';
+import type { Middleware } from './chain.js';
+/**
+ * PostToolUse middleware: truncates tool results that exceed a configurable size cap.
+ *
+ * Operates on the serialized form of the result — if the downstream tool returns
+ * a large object or binary-encoded string, we measure and truncate the serialized
+ * representation. A human-readable notice is appended so the agent knows the
+ * result was cut.
+ *
+ * Default cap: 512 KB. Override via `gateway.max_result_size_kb` in gateway.yaml.
+ */
+export declare function createResultSizeCapMiddleware(gatewayConfig?: GatewayConfig): Middleware;

package/dist/gateway/middleware/result-size-cap.js

@@ -0,0 +1,48 @@
+const DEFAULT_CAP_KB = 512;
+/**
+ * Serialize any result to a string for size measurement.
+ * If it's already a string, use it directly; otherwise JSON.stringify.
+ */
+function resultToString(value) {
+    if (typeof value === 'string')
+        return value;
+    try {
+        return JSON.stringify(value);
+    }
+    catch {
+        return String(value);
+    }
+}
+/**
+ * PostToolUse middleware: truncates tool results that exceed a configurable size cap.
+ *
+ * Operates on the serialized form of the result — if the downstream tool returns
+ * a large object or binary-encoded string, we measure and truncate the serialized
+ * representation. A human-readable notice is appended so the agent knows the
+ * result was cut.
+ *
+ * Default cap: 512 KB. Override via `gateway.max_result_size_kb` in gateway.yaml.
+ */
+export function createResultSizeCapMiddleware(gatewayConfig) {
+    const capKb = gatewayConfig?.gateway?.max_result_size_kb ?? DEFAULT_CAP_KB;
+    const capBytes = capKb * 1024;
+    return async (ctx, next) => {
+        await next();
+        if (ctx.result == null)
+            return;
+        const serialized = resultToString(ctx.result);
+        const byteLength = Buffer.byteLength(serialized, 'utf8');
+        if (byteLength <= capBytes)
+            return;
+        const removedBytes = byteLength - capBytes;
+        const removedKb = Math.ceil(removedBytes / 1024);
+        const notice = `\n[TRUNCATED: result exceeded ${capKb}KB limit. ${removedKb}KB removed.]`;
+        // Truncate to cap, then append notice. We truncate the serialized string and
+        // store it back — the agent sees the notice and knows context was lost.
+        const noticeBytes = Buffer.byteLength(notice, 'utf8');
+        const keepBytes = capBytes - noticeBytes;
+        const truncated = Buffer.from(serialized, 'utf8').subarray(0, keepBytes).toString('utf8') + notice;
+        ctx.result = truncated;
+        console.error(`[rea] result-size-cap: truncated tool "${ctx.tool_name}" result from ${Math.ceil(byteLength / 1024)}KB to ${capKb}KB`);
+    };
+}

package/dist/gateway/middleware/session.d.ts

@@ -0,0 +1,10 @@
+import type { Middleware } from './chain.js';
+/**
+ * Creates a session middleware instance with its own session ID.
+ * Each gateway instance gets its own session — no module-level singletons.
+ */
+export declare function createSessionMiddleware(): Middleware;
+/**
+ * Utility to get the session ID from a session middleware instance.
+ */
+export declare function getSessionId(middleware: Middleware): string;

package/dist/gateway/middleware/session.js

@@ -0,0 +1,18 @@
+/**
+ * Creates a session middleware instance with its own session ID.
+ * Each gateway instance gets its own session — no module-level singletons.
+ */
+export function createSessionMiddleware() {
+    const sessionId = crypto.randomUUID();
+    const middleware = Object.assign(async (ctx, next) => {
+        ctx.session_id = sessionId;
+        await next();
+    }, { sessionId });
+    return middleware;
+}
+/**
+ * Utility to get the session ID from a session middleware instance.
+ */
+export function getSessionId(middleware) {
+    return middleware.sessionId;
+}

package/dist/gateway/middleware/tier.d.ts

@@ -0,0 +1,6 @@
+import type { GatewayConfig } from '../../config/types.js';
+import type { Middleware } from './chain.js';
+/**
+ * Classifies the tool's tier and attaches it to the context.
+ */
+export declare function createTierMiddleware(gatewayConfig?: GatewayConfig): Middleware;

package/dist/gateway/middleware/tier.js

@@ -0,0 +1,10 @@
+import { classifyTool } from '../../config/tier-map.js';
+/**
+ * Classifies the tool's tier and attaches it to the context.
+ */
+export function createTierMiddleware(gatewayConfig) {
+    return async (ctx, next) => {
+        ctx.tier = classifyTool(ctx.tool_name, ctx.server_name, gatewayConfig);
+        await next();
+    };
+}

package/dist/gateway/rate-limiter.d.ts

@@ -0,0 +1,36 @@
+import type { GatewayConfig } from '../config/types.js';
+export interface LimitExceededError {
+    type: 'concurrency' | 'rate';
+    serverName: string;
+    current: number;
+    limit: number;
+    message: string;
+}
+interface ServerState {
+    activeCalls: number;
+    callTimestamps: number[];
+    maxConcurrent: number;
+    callsPerMinute: number;
+}
+/**
+ * In-memory per-server rate limiter and concurrency cap.
+ *
+ * Concurrency: tracks active in-flight calls. If at the limit, new calls
+ * are rejected immediately with a structured error.
+ *
+ * Rate: sliding window — calls in the last 60 seconds must not exceed the
+ * configured calls_per_minute. 0 means unlimited for either dimension.
+ */
+export declare class RateLimiter {
+    private state;
+    constructor(gatewayConfig?: GatewayConfig);
+    /**
+     * Try to acquire a slot for a call to `serverName`.
+     * Returns null on success, or a LimitExceededError if rejected.
+     */
+    tryAcquire(serverName: string): LimitExceededError | null;
+    /** Release a previously acquired concurrency slot. No-op for unknown servers. */
+    release(serverName: string): void;
+    getState(serverName: string): ServerState | undefined;
+}
+export {};