@bookedsolid/reagent 0.1.0 → 0.3.0

package/dist/gateway/middleware/chain.js

@@ -0,0 +1,37 @@
+import { InvocationStatus } from '../../types/index.js';
+/**
+ * Execute a middleware chain in onion (koa-style) order.
+ * Each middleware calls `next()` to pass control to the next one.
+ * The innermost middleware is the actual tool execution.
+ *
+ * SECURITY: Once status is set to Denied, it is locked for the remainder
+ * of the chain. No middleware can revert a denial.
+ */
+export function executeChain(middlewares, ctx) {
+    let index = -1;
+    let deniedOnce = false;
+    let savedError;
+    function dispatch(i) {
+        if (i <= index) {
+            return Promise.reject(new Error('next() called multiple times'));
+        }
+        index = i;
+        const mw = middlewares[i];
+        if (!mw) {
+            return Promise.resolve();
+        }
+        return Promise.resolve(mw(ctx, () => dispatch(i + 1))).then(() => {
+            // SECURITY: If any middleware ever set Denied, lock it permanently
+            if (ctx.status === InvocationStatus.Denied && !deniedOnce) {
+                deniedOnce = true;
+                savedError = ctx.error;
+            }
+            if (deniedOnce && ctx.status !== InvocationStatus.Denied) {
+                ctx.status = InvocationStatus.Denied;
+                ctx.error = savedError || 'Denial status was tampered with — re-locked';
+            }
+        });
+    }
+    return dispatch(0);
+}
+//# sourceMappingURL=chain.js.map

package/dist/gateway/middleware/chain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain.js","sourceRoot":"","sources":["../../../src/gateway/middleware/chain.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAmBxD;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,WAAyB,EAAE,GAAsB;IAC5E,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC;IACf,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,UAA8B,CAAC;IAEnC,SAAS,QAAQ,CAAC,CAAS;QACzB,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC;YACf,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAC;QACnE,CAAC;QACD,KAAK,GAAG,CAAC,CAAC;QAEV,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC1B,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;QAC3B,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;YAC/D,mEAAmE;YACnE,IAAI,GAAG,CAAC,MAAM,KAAK,gBAAgB,CAAC,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC1D,UAAU,GAAG,IAAI,CAAC;gBAClB,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC;YACzB,CAAC;YAED,IAAI,UAAU,IAAI,GAAG,CAAC,MAAM,KAAK,gBAAgB,CAAC,MAAM,EAAE,CAAC;gBACzD,GAAG,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;gBACrC,GAAG,CAAC,KAAK,GAAG,UAAU,IAAI,6CAA6C,CAAC;YAC1E,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;AACrB,CAAC"}

package/dist/gateway/middleware/kill-switch.d.ts

@@ -0,0 +1,10 @@
+import type { Middleware } from './chain.js';
+/**
+ * Checks for `.reagent/HALT` file. If present, denies the invocation.
+ *
+ * SECURITY: Validates HALT is a regular file (not directory/symlink to sensitive file).
+ * SECURITY: Caps read size to prevent oversized error strings.
+ * PERFORMANCE: All fs operations are async to avoid blocking the event loop.
+ */
+export declare function createKillSwitchMiddleware(baseDir: string): Middleware;
+//# sourceMappingURL=kill-switch.d.ts.map

package/dist/gateway/middleware/kill-switch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kill-switch.d.ts","sourceRoot":"","sources":["../../../src/gateway/middleware/kill-switch.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAI7C;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAiDtE"}

package/dist/gateway/middleware/kill-switch.js

@@ -0,0 +1,61 @@
+import fs from 'node:fs/promises';
+import { constants as fsConstants } from 'node:fs';
+import path from 'node:path';
+import { InvocationStatus } from '../../types/index.js';
+const MAX_HALT_READ_BYTES = 1024; // Cap HALT file reads to prevent oversized error strings
+/**
+ * Checks for `.reagent/HALT` file. If present, denies the invocation.
+ *
+ * SECURITY: Validates HALT is a regular file (not directory/symlink to sensitive file).
+ * SECURITY: Caps read size to prevent oversized error strings.
+ * PERFORMANCE: All fs operations are async to avoid blocking the event loop.
+ */
+export function createKillSwitchMiddleware(baseDir) {
+    return async (ctx, next) => {
+        const haltPath = path.join(baseDir, '.reagent', 'HALT');
+        try {
+            const stat = await fs.stat(haltPath);
+            // SECURITY: Only read regular files — reject directories, symlinks to sensitive files
+            if (!stat.isFile()) {
+                ctx.status = InvocationStatus.Denied;
+                ctx.error = 'Kill switch active: HALT exists (non-file)';
+                return;
+            }
+            // SECURITY: Use lstat to detect symlinks — resolve target path must be within .reagent/
+            const lstat = await fs.lstat(haltPath);
+            if (lstat.isSymbolicLink()) {
+                const target = await fs.realpath(haltPath);
+                const reagentDir = path.join(baseDir, '.reagent');
+                if (!target.startsWith(reagentDir)) {
+                    ctx.status = InvocationStatus.Denied;
+                    ctx.error = 'Kill switch active: HALT is a symlink outside .reagent/';
+                    return;
+                }
+            }
+            // Read with size cap using async file handle
+            const fh = await fs.open(haltPath, fsConstants.O_RDONLY);
+            try {
+                const buf = Buffer.alloc(MAX_HALT_READ_BYTES);
+                const { bytesRead } = await fh.read(buf, 0, MAX_HALT_READ_BYTES, 0);
+                const reason = buf.subarray(0, bytesRead).toString('utf8').trim();
+                ctx.status = InvocationStatus.Denied;
+                ctx.error = `Kill switch active: ${reason}`;
+            }
+            finally {
+                await fh.close();
+            }
+            return; // Do not call next — short-circuit
+        }
+        catch (err) {
+            // ENOENT = file doesn't exist = no kill switch = proceed
+            if (err.code === 'ENOENT') {
+                await next();
+                return;
+            }
+            // Other errors (permission denied, etc.) — fail-closed
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = `Kill switch check failed: ${err.message}`;
+        }
+    };
+}
+//# sourceMappingURL=kill-switch.js.map

package/dist/gateway/middleware/kill-switch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kill-switch.js","sourceRoot":"","sources":["../../../src/gateway/middleware/kill-switch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,EAAE,SAAS,IAAI,WAAW,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAGxD,MAAM,mBAAmB,GAAG,IAAI,CAAC,CAAC,yDAAyD;AAE3F;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAe;IACxD,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;QAExD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAErC,sFAAsF;YACtF,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;gBACnB,GAAG,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;gBACrC,GAAG,CAAC,KAAK,GAAG,4CAA4C,CAAC;gBACzD,OAAO;YACT,CAAC;YAED,wFAAwF;YACxF,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACvC,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;gBAC3B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;gBAClD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;oBACnC,GAAG,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;oBACrC,GAAG,CAAC,KAAK,GAAG,yDAAyD,CAAC;oBACtE,OAAO;gBACT,CAAC;YACH,CAAC;YAED,6CAA6C;YAC7C,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;YACzD,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;gBAC9C,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;gBACpE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;gBAClE,GAAG,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;gBACrC,GAAG,CAAC,KAAK,GAAG,uBAAuB,MAAM,EAAE,CAAC;YAC9C,CAAC;oBAAS,CAAC;gBACT,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;YACnB,CAAC;YACD,OAAO,CAAC,mCAAmC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,yDAAyD;YACzD,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,MAAM,IAAI,EAAE,CAAC;gBACb,OAAO;YACT,CAAC;YACD,uDAAuD;YACvD,GAAG,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;YACrC,GAAG,CAAC,KAAK,GAAG,6BAA8B,GAAa,CAAC,OAAO,EAAE,CAAC;QACpE,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/gateway/middleware/policy.d.ts

@@ -0,0 +1,10 @@
+import type { Policy, GatewayConfig } from '../../types/index.js';
+import type { Middleware } from './chain.js';
+/**
+ * Checks autonomy level against tool tier, and checks blocked tools.
+ *
+ * SECURITY: Re-derives tier from tool_name independently — never trusts ctx.tier.
+ * SECURITY: Undefined/unknown tier defaults to DENY (fail-closed).
+ */
+export declare function createPolicyMiddleware(policy: Policy, gatewayConfig?: GatewayConfig): Middleware;
+//# sourceMappingURL=policy.d.ts.map

package/dist/gateway/middleware/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/gateway/middleware/policy.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAgB7C;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,aAAa,GAAG,UAAU,CAkChG"}

package/dist/gateway/middleware/policy.js

@@ -0,0 +1,52 @@
+import { AutonomyLevel, InvocationStatus, Tier } from '../../types/index.js';
+import { classifyTool, isToolBlocked } from '../../config/tier-map.js';
+/**
+ * Autonomy level tier permissions:
+ * - L0: Read only
+ * - L1: Read + Write (no destructive)
+ * - L2: Read + Write (no destructive)
+ * - L3: All tiers allowed
+ */
+const TIER_ALLOWED = {
+    [AutonomyLevel.L0]: new Set([Tier.Read]),
+    [AutonomyLevel.L1]: new Set([Tier.Read, Tier.Write]),
+    [AutonomyLevel.L2]: new Set([Tier.Read, Tier.Write]),
+    [AutonomyLevel.L3]: new Set([Tier.Read, Tier.Write, Tier.Destructive]),
+};
+/**
+ * Checks autonomy level against tool tier, and checks blocked tools.
+ *
+ * SECURITY: Re-derives tier from tool_name independently — never trusts ctx.tier.
+ * SECURITY: Undefined/unknown tier defaults to DENY (fail-closed).
+ */
+export function createPolicyMiddleware(policy, gatewayConfig) {
+    return async (ctx, next) => {
+        // Check if tool is explicitly blocked
+        if (isToolBlocked(ctx.tool_name, ctx.server_name, gatewayConfig)) {
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = `Tool "${ctx.tool_name}" is explicitly blocked in gateway config`;
+            return;
+        }
+        // SECURITY: Re-derive tier from tool_name — do NOT trust ctx.tier from prior middleware.
+        // This prevents a rogue middleware from downgrading a destructive tool to read-tier.
+        const tier = classifyTool(ctx.tool_name, ctx.server_name, gatewayConfig);
+        ctx.tier = tier; // Overwrite with authoritative classification
+        // Validate autonomy level is known
+        const allowed = TIER_ALLOWED[policy.autonomy_level];
+        if (!allowed) {
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = `Unknown autonomy level: ${policy.autonomy_level}. Denying by default.`;
+            return;
+        }
+        // Check autonomy level vs tier (fail-closed: deny if tier unknown)
+        if (!allowed.has(tier)) {
+            ctx.status = InvocationStatus.Denied;
+            ctx.error = `Autonomy level ${policy.autonomy_level} does not allow ${tier}-tier tools. Tool: ${ctx.tool_name}`;
+            return;
+        }
+        await next();
+        // SECURITY: Re-assert denial status cannot be undone by downstream middleware.
+        // Once denied, status is locked.
+    };
+}
+//# sourceMappingURL=policy.js.map

package/dist/gateway/middleware/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/gateway/middleware/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC7E,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAIvE;;;;;;GAMG;AACH,MAAM,YAAY,GAAqC;IACrD,CAAC,aAAa,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC,aAAa,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC,aAAa,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC,aAAa,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;CACvE,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAc,EAAE,aAA6B;IAClF,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,sCAAsC;QACtC,IAAI,aAAa,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE,aAAa,CAAC,EAAE,CAAC;YACjE,GAAG,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;YACrC,GAAG,CAAC,KAAK,GAAG,SAAS,GAAG,CAAC,SAAS,2CAA2C,CAAC;YAC9E,OAAO;QACT,CAAC;QAED,yFAAyF;QACzF,qFAAqF;QACrF,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;QACzE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,8CAA8C;QAE/D,mCAAmC;QACnC,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QACpD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;YACrC,GAAG,CAAC,KAAK,GAAG,2BAA2B,MAAM,CAAC,cAAc,uBAAuB,CAAC;YACpF,OAAO;QACT,CAAC;QAED,mEAAmE;QACnE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,GAAG,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;YACrC,GAAG,CAAC,KAAK,GAAG,kBAAkB,MAAM,CAAC,cAAc,mBAAmB,IAAI,sBAAsB,GAAG,CAAC,SAAS,EAAE,CAAC;YAChH,OAAO;QACT,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;QAEb,+EAA+E;QAC/E,iCAAiC;IACnC,CAAC,CAAC;AACJ,CAAC"}

package/dist/gateway/middleware/redact.d.ts

@@ -0,0 +1,17 @@
+import type { Middleware } from './chain.js';
+/**
+ * Redact secrets from a string, returning the redacted string and list of redacted field names.
+ */
+export declare function redactSecrets(input: string): {
+    output: string;
+    redacted: string[];
+};
+/**
+ * Post-execution middleware: scans tool output for secret patterns and redacts them.
+ *
+ * SECURITY: For non-string results, redaction operates on individual string values
+ * within the object structure rather than JSON.stringify→replace→JSON.parse, which
+ * could corrupt the result if a replacement changes JSON structure.
+ */
+export declare const redactMiddleware: Middleware;
+//# sourceMappingURL=redact.d.ts.map

package/dist/gateway/middleware/redact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../../../src/gateway/middleware/redact.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAkC7C;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;CAAE,CAenF;AAED;;;;;;GAMG;AACH,eAAO,MAAM,gBAAgB,EAAE,UAoB9B,CAAC"}

package/dist/gateway/middleware/redact.js

@@ -0,0 +1,109 @@
+/**
+ * Patterns that match common secret formats.
+ * Each pattern has a name (for audit logging) and a regex.
+ *
+ * SECURITY: Patterns use case-insensitive flag where applicable.
+ * SECURITY: Input is sanitized (null bytes stripped) before matching.
+ */
+const SECRET_PATTERNS = [
+    { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/gi },
+    {
+        name: 'AWS Secret Key',
+        pattern: /(?:aws_secret_access_key|secret_key)\s*[:=]\s*[A-Za-z0-9/+=]{40}/gi,
+    },
+    { name: 'GitHub Token', pattern: /gh[pousr]_[A-Za-z0-9_]{36,}/g },
+    {
+        name: 'Generic API Key',
+        pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*["']?[A-Za-z0-9\-_.]{20,}["']?/gi,
+    },
+    { name: 'Bearer Token', pattern: /bearer\s+[A-Za-z0-9\-_.~+/]+=*/gi },
+    { name: 'Private Key', pattern: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+)?PRIVATE\s+KEY-----/gi },
+    { name: 'Discord Token', pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}/g },
+    // Base64-encoded AWS access key (AKIA... in base64 starts with QUTJQ)
+    { name: 'Base64 AWS Key', pattern: /QUtJQ[A-Za-z0-9+/]{17,}={0,2}/g },
+];
+/**
+ * Strip null bytes and other control characters that could break regex matching.
+ */
+function sanitizeInput(input) {
+    return input.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, '');
+}
+/**
+ * Redact secrets from a string, returning the redacted string and list of redacted field names.
+ */
+export function redactSecrets(input) {
+    let output = sanitizeInput(input);
+    const redacted = [];
+    for (const { name, pattern } of SECRET_PATTERNS) {
+        // Reset lastIndex for global regexes
+        pattern.lastIndex = 0;
+        if (pattern.test(output)) {
+            pattern.lastIndex = 0;
+            output = output.replace(pattern, '[REDACTED]');
+            redacted.push(name);
+        }
+    }
+    return { output, redacted };
+}
+/**
+ * Post-execution middleware: scans tool output for secret patterns and redacts them.
+ *
+ * SECURITY: For non-string results, redaction operates on individual string values
+ * within the object structure rather than JSON.stringify→replace→JSON.parse, which
+ * could corrupt the result if a replacement changes JSON structure.
+ */
+export const redactMiddleware = async (ctx, next) => {
+    await next();
+    if (ctx.result == null)
+        return;
+    if (typeof ctx.result === 'string') {
+        const { output, redacted } = redactSecrets(ctx.result);
+        if (redacted.length > 0) {
+            ctx.result = output;
+            ctx.redacted_fields = redacted;
+        }
+        return;
+    }
+    // For objects, deeply redact all string values in-place
+    const allRedacted = [];
+    redactDeep(ctx.result, allRedacted);
+    if (allRedacted.length > 0) {
+        ctx.redacted_fields = [...new Set(allRedacted)];
+    }
+};
+/**
+ * Recursively walk an object/array and redact string values in-place.
+ */
+function redactDeep(obj, redacted) {
+    if (obj == null || typeof obj !== 'object')
+        return;
+    if (Array.isArray(obj)) {
+        for (let i = 0; i < obj.length; i++) {
+            if (typeof obj[i] === 'string') {
+                const { output, redacted: r } = redactSecrets(obj[i]);
+                if (r.length > 0) {
+                    obj[i] = output;
+                    redacted.push(...r);
+                }
+            }
+            else {
+                redactDeep(obj[i], redacted);
+            }
+        }
+        return;
+    }
+    const record = obj;
+    for (const key of Object.keys(record)) {
+        if (typeof record[key] === 'string') {
+            const { output, redacted: r } = redactSecrets(record[key]);
+            if (r.length > 0) {
+                record[key] = output;
+                redacted.push(...r);
+            }
+        }
+        else {
+            redactDeep(record[key], redacted);
+        }
+    }
+}
+//# sourceMappingURL=redact.js.map

package/dist/gateway/middleware/redact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.js","sourceRoot":"","sources":["../../../src/gateway/middleware/redact.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,MAAM,eAAe,GAA6C;IAChE,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,oBAAoB,EAAE;IACzD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,oEAAoE;KAC9E;IACD,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,8BAA8B,EAAE;IACjE;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,kEAAkE;KAC5E;IACD,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,kCAAkC,EAAE;IACrE,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,2DAA2D,EAAE;IAC7F,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,4CAA4C,EAAE;IAChF,sEAAsE;IACtE,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,gCAAgC,EAAE;CACtE,CAAC;AAEF;;GAEG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,KAAK,CAAC,OAAO,CAAC,+BAA+B,EAAE,EAAE,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,MAAM,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,eAAe,EAAE,CAAC;QAChD,qCAAqC;QACrC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;YAC/C,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC9B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAe,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAC9D,MAAM,IAAI,EAAE,CAAC;IAEb,IAAI,GAAG,CAAC,MAAM,IAAI,IAAI;QAAE,OAAO;IAE/B,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;YACpB,GAAG,CAAC,eAAe,GAAG,QAAQ,CAAC;QACjC,CAAC;QACD,OAAO;IACT,CAAC;IAED,wDAAwD;IACxD,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACpC,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,GAAG,CAAC,eAAe,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;IAClD,CAAC;AACH,CAAC,CAAC;AAEF;;GAEG;AACH,SAAS,UAAU,CAAC,GAAY,EAAE,QAAkB;IAClD,IAAI,GAAG,IAAI,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO;IAEnD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACpC,IAAI,OAAO,GAAG,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAC/B,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtD,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACjB,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC;oBAChB,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,GAA8B,CAAC;IAC9C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,IAAI,OAAO,MAAM,CAAC,GAAG,CAAC,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,CAAW,CAAC,CAAC;YACrE,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC;gBACrB,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/gateway/middleware/session.d.ts

@@ -0,0 +1,11 @@
+import type { Middleware } from './chain.js';
+/**
+ * Creates a session middleware instance with its own session ID.
+ * Each gateway instance gets its own session — no module-level singletons.
+ */
+export declare function createSessionMiddleware(): Middleware;
+/**
+ * Utility to get the session ID from a session middleware instance.
+ */
+export declare function getSessionId(middleware: Middleware): string;
+//# sourceMappingURL=session.d.ts.map

package/dist/gateway/middleware/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../src/gateway/middleware/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,UAAU,CAYpD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,UAAU,EAAE,UAAU,GAAG,MAAM,CAE3D"}

package/dist/gateway/middleware/session.js

@@ -0,0 +1,19 @@
+/**
+ * Creates a session middleware instance with its own session ID.
+ * Each gateway instance gets its own session — no module-level singletons.
+ */
+export function createSessionMiddleware() {
+    const sessionId = crypto.randomUUID();
+    const middleware = Object.assign(async (ctx, next) => {
+        ctx.session_id = sessionId;
+        await next();
+    }, { sessionId });
+    return middleware;
+}
+/**
+ * Utility to get the session ID from a session middleware instance.
+ */
+export function getSessionId(middleware) {
+    return middleware.sessionId;
+}
+//# sourceMappingURL=session.js.map

package/dist/gateway/middleware/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../../src/gateway/middleware/session.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEtC,MAAM,UAAU,GAAuC,MAAM,CAAC,MAAM,CAClE,KAAK,EAAE,GAA8B,EAAE,IAA+B,EAAE,EAAE;QACxE,GAAG,CAAC,UAAU,GAAG,SAAS,CAAC;QAC3B,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,EACD,EAAE,SAAS,EAAE,CACd,CAAC;IAEF,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,UAAsB;IACjD,OAAQ,UAAiD,CAAC,SAAS,CAAC;AACtE,CAAC"}

package/dist/gateway/middleware/tier.d.ts

@@ -0,0 +1,7 @@
+import type { GatewayConfig } from '../../types/index.js';
+import type { Middleware } from './chain.js';
+/**
+ * Classifies the tool's tier and attaches it to the context.
+ */
+export declare function createTierMiddleware(gatewayConfig?: GatewayConfig): Middleware;
+//# sourceMappingURL=tier.d.ts.map

package/dist/gateway/middleware/tier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tier.d.ts","sourceRoot":"","sources":["../../../src/gateway/middleware/tier.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,aAAa,CAAC,EAAE,aAAa,GAAG,UAAU,CAK9E"}

package/dist/gateway/middleware/tier.js

@@ -0,0 +1,11 @@
+import { classifyTool } from '../../config/tier-map.js';
+/**
+ * Classifies the tool's tier and attaches it to the context.
+ */
+export function createTierMiddleware(gatewayConfig) {
+    return async (ctx, next) => {
+        ctx.tier = classifyTool(ctx.tool_name, ctx.server_name, gatewayConfig);
+        await next();
+    };
+}
+//# sourceMappingURL=tier.js.map

package/dist/gateway/middleware/tier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tier.js","sourceRoot":"","sources":["../../../src/gateway/middleware/tier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAIxD;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,aAA6B;IAChE,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,GAAG,CAAC,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;QACvE,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC"}

package/dist/gateway/server.d.ts

@@ -0,0 +1,14 @@
+export interface ServeOptions {
+    baseDir: string;
+}
+/**
+ * Starts the MCP gateway server.
+ *
+ * 1. Loads policy and gateway config
+ * 2. Connects to all downstream MCP servers
+ * 3. Discovers their tools
+ * 4. Re-registers tools on the gateway with middleware-wrapped handlers
+ * 5. Listens on stdio for incoming MCP requests
+ */
+export declare function startGateway(options: ServeOptions): Promise<void>;
+//# sourceMappingURL=server.d.ts.map

package/dist/gateway/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/gateway/server.ts"],"names":[],"mappings":"AAeA,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0EvE"}

package/dist/gateway/server.js

@@ -0,0 +1,79 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { loadPolicy } from '../config/policy-loader.js';
+import { loadGatewayConfig } from '../config/gateway-config.js';
+import { getPkgVersion } from '../cli/utils.js';
+import { ClientManager } from './client-manager.js';
+import { ToolProxy } from './tool-proxy.js';
+import { createSessionMiddleware } from './middleware/session.js';
+import { createKillSwitchMiddleware } from './middleware/kill-switch.js';
+import { createTierMiddleware } from './middleware/tier.js';
+import { createPolicyMiddleware } from './middleware/policy.js';
+import { redactMiddleware } from './middleware/redact.js';
+import { createAuditMiddleware } from './middleware/audit.js';
+/**
+ * Starts the MCP gateway server.
+ *
+ * 1. Loads policy and gateway config
+ * 2. Connects to all downstream MCP servers
+ * 3. Discovers their tools
+ * 4. Re-registers tools on the gateway with middleware-wrapped handlers
+ * 5. Listens on stdio for incoming MCP requests
+ */
+export async function startGateway(options) {
+    const { baseDir } = options;
+    // Load configuration
+    console.error('[reagent] Loading configuration...');
+    const policy = loadPolicy(baseDir);
+    const gatewayConfig = loadGatewayConfig(baseDir);
+    console.error(`[reagent] Policy: autonomy=${policy.autonomy_level}, profile=${policy.profile}`);
+    console.error(`[reagent] Gateway: ${Object.keys(gatewayConfig.servers).length} downstream server(s)`);
+    // Build middleware chain
+    // SECURITY: Audit is outermost so it records ALL invocations, including kill-switch denials.
+    // Order (onion): audit → session → kill-switch → tier → policy → redact → [execute]
+    const middlewares = [
+        createAuditMiddleware(baseDir),
+        createSessionMiddleware(),
+        createKillSwitchMiddleware(baseDir),
+        createTierMiddleware(gatewayConfig),
+        createPolicyMiddleware(policy, gatewayConfig),
+        redactMiddleware,
+    ];
+    // Create gateway MCP server
+    const gateway = new McpServer({ name: 'reagent', version: getPkgVersion() }, { capabilities: { tools: {} } });
+    // Connect to downstream servers
+    const clientManager = new ClientManager();
+    await clientManager.connectAll(gatewayConfig);
+    // Discover and register tools
+    const toolProxy = new ToolProxy();
+    const toolCount = await toolProxy.discoverAndRegister(gateway, clientManager, middlewares);
+    console.error(`[reagent] Gateway ready: ${toolCount} tools registered`);
+    // Listen on stdio
+    const transport = new StdioServerTransport();
+    await gateway.connect(transport);
+    console.error('[reagent] Listening on stdio...');
+    // Graceful shutdown — guard against double-invocation
+    let shuttingDown = false;
+    const shutdown = async () => {
+        if (shuttingDown)
+            return;
+        shuttingDown = true;
+        console.error('[reagent] Shutting down...');
+        try {
+            await clientManager.disconnectAll();
+        }
+        catch (err) {
+            console.error('[reagent] Error during client disconnect:', err instanceof Error ? err.message : err);
+        }
+        try {
+            await gateway.close();
+        }
+        catch (err) {
+            console.error('[reagent] Error during gateway close:', err instanceof Error ? err.message : err);
+        }
+        process.exit(0);
+    };
+    process.on('SIGINT', shutdown);
+    process.on('SIGTERM', shutdown);
+}
+//# sourceMappingURL=server.js.map

package/dist/gateway/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/gateway/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AACzE,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAO9D;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAqB;IACtD,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;IAE5B,qBAAqB;IACrB,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,aAAa,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAEjD,OAAO,CAAC,KAAK,CAAC,8BAA8B,MAAM,CAAC,cAAc,aAAa,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IAChG,OAAO,CAAC,KAAK,CACX,sBAAsB,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,MAAM,uBAAuB,CACvF,CAAC;IAEF,yBAAyB;IACzB,6FAA6F;IAC7F,oFAAoF;IACpF,MAAM,WAAW,GAAiB;QAChC,qBAAqB,CAAC,OAAO,CAAC;QAC9B,uBAAuB,EAAE;QACzB,0BAA0B,CAAC,OAAO,CAAC;QACnC,oBAAoB,CAAC,aAAa,CAAC;QACnC,sBAAsB,CAAC,MAAM,EAAE,aAAa,CAAC;QAC7C,gBAAgB;KACjB,CAAC;IAEF,4BAA4B;IAC5B,MAAM,OAAO,GAAG,IAAI,SAAS,CAC3B,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,aAAa,EAAE,EAAE,EAC7C,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAC;IAEF,gCAAgC;IAChC,MAAM,aAAa,GAAG,IAAI,aAAa,EAAE,CAAC;IAC1C,MAAM,aAAa,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAE9C,8BAA8B;IAC9B,MAAM,SAAS,GAAG,IAAI,SAAS,EAAE,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,mBAAmB,CAAC,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;IAE3F,OAAO,CAAC,KAAK,CAAC,4BAA4B,SAAS,mBAAmB,CAAC,CAAC;IAExE,kBAAkB;IAClB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEjC,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IAEjD,sDAAsD;IACtD,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;QAC1B,IAAI,YAAY;YAAE,OAAO;QACzB,YAAY,GAAG,IAAI,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,aAAa,EAAE,CAAC;QACtC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CACX,2CAA2C,EAC3C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAC;QACJ,CAAC;QACD,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CACX,uCAAuC,EACvC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC"}

package/dist/gateway/tool-proxy.d.ts

@@ -0,0 +1,21 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ClientManager, ManagedClient } from './client-manager.js';
+import type { Middleware } from './middleware/chain.js';
+interface DiscoveredTool {
+    name: string;
+    description: string;
+    inputSchema: Record<string, unknown>;
+    serverName: string;
+    client: ManagedClient;
+}
+/**
+ * Discovers tools from all downstream clients and registers them on the gateway McpServer.
+ * Tool names are namespaced as `servername__toolname` to avoid collisions.
+ */
+export declare class ToolProxy {
+    private tools;
+    discoverAndRegister(gateway: McpServer, clientManager: ClientManager, middlewares: Middleware[]): Promise<number>;
+    getTools(): DiscoveredTool[];
+}
+export {};
+//# sourceMappingURL=tool-proxy.d.ts.map

package/dist/gateway/tool-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-proxy.d.ts","sourceRoot":"","sources":["../../src/gateway/tool-proxy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACxE,OAAO,KAAK,EAAE,UAAU,EAAqB,MAAM,uBAAuB,CAAC;AAI3E,UAAU,cAAc;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,aAAa,CAAC;CACvB;AA0BD;;;GAGG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,KAAK,CAAwB;IAE/B,mBAAmB,CACvB,OAAO,EAAE,SAAS,EAClB,aAAa,EAAE,aAAa,EAC5B,WAAW,EAAE,UAAU,EAAE,GACxB,OAAO,CAAC,MAAM,CAAC;IAoHlB,QAAQ,IAAI,cAAc,EAAE;CAG7B"}