npm - @lobu/gateway - Versions diffs - 3.0.5 → 3.0.7 - Mend

@lobu/gateway 3.0.5 → 3.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/package.json +2 -2
package/src/__tests__/agent-config-routes.test.ts +254 -0
package/src/__tests__/agent-history-routes.test.ts +72 -0
package/src/__tests__/agent-routes.test.ts +68 -0
package/src/__tests__/agent-schedules-routes.test.ts +59 -0
package/src/__tests__/agent-settings-store.test.ts +323 -0
package/src/__tests__/chat-instance-manager-slack.test.ts +204 -0
package/src/__tests__/chat-response-bridge.test.ts +131 -0
package/src/__tests__/config-memory-plugins.test.ts +92 -0
package/src/__tests__/config-request-store.test.ts +127 -0
package/src/__tests__/connection-routes.test.ts +144 -0
package/src/__tests__/core-services-store-selection.test.ts +92 -0
package/src/__tests__/docker-deployment.test.ts +1211 -0
package/src/__tests__/embedded-deployment.test.ts +342 -0
package/src/__tests__/grant-store.test.ts +148 -0
package/src/__tests__/http-proxy.test.ts +281 -0
package/src/__tests__/instruction-service.test.ts +37 -0
package/src/__tests__/link-buttons.test.ts +112 -0
package/src/__tests__/lobu.test.ts +32 -0
package/src/__tests__/mcp-config-service.test.ts +347 -0
package/src/__tests__/mcp-proxy.test.ts +696 -0
package/src/__tests__/message-handler-bridge.test.ts +17 -0
package/src/__tests__/model-selection.test.ts +172 -0
package/src/__tests__/oauth-templates.test.ts +39 -0
package/src/__tests__/platform-adapter-slack-send.test.ts +114 -0
package/src/__tests__/platform-helpers-model-resolution.test.ts +253 -0
package/src/__tests__/provider-inheritance.test.ts +212 -0
package/src/__tests__/routes/cli-auth.test.ts +337 -0
package/src/__tests__/routes/interactions.test.ts +121 -0
package/src/__tests__/secret-proxy.test.ts +85 -0
package/src/__tests__/session-manager.test.ts +572 -0
package/src/__tests__/setup.ts +133 -0
package/src/__tests__/skill-and-mcp-registry.test.ts +203 -0
package/src/__tests__/slack-routes.test.ts +161 -0
package/src/__tests__/system-config-resolver.test.ts +75 -0
package/src/__tests__/system-message-limiter.test.ts +89 -0
package/src/__tests__/system-skills-service.test.ts +362 -0
package/src/__tests__/transcription-service.test.ts +222 -0
package/src/__tests__/utils/rate-limiter.test.ts +102 -0
package/src/__tests__/worker-connection-manager.test.ts +497 -0
package/src/__tests__/worker-job-router.test.ts +722 -0
package/src/api/index.ts +1 -0
package/src/api/platform.ts +292 -0
package/src/api/response-renderer.ts +157 -0
package/src/auth/agent-metadata-store.ts +168 -0
package/src/auth/api-auth-middleware.ts +69 -0
package/src/auth/api-key-provider-module.ts +213 -0
package/src/auth/base-provider-module.ts +201 -0
package/src/auth/chatgpt/chatgpt-oauth-module.ts +185 -0
package/src/auth/chatgpt/device-code-client.ts +218 -0
package/src/auth/chatgpt/index.ts +1 -0
package/src/auth/claude/oauth-module.ts +280 -0
package/src/auth/cli/token-service.ts +249 -0
package/src/auth/external/client.ts +560 -0
package/src/auth/external/device-code-client.ts +225 -0
package/src/auth/mcp/config-service.ts +392 -0
package/src/auth/mcp/proxy.ts +1088 -0
package/src/auth/mcp/string-substitution.ts +17 -0
package/src/auth/mcp/tool-cache.ts +90 -0
package/src/auth/oauth/base-client.ts +267 -0
package/src/auth/oauth/client.ts +153 -0
package/src/auth/oauth/credentials.ts +7 -0
package/src/auth/oauth/providers.ts +69 -0
package/src/auth/oauth/state-store.ts +150 -0
package/src/auth/oauth-templates.ts +179 -0
package/src/auth/provider-catalog.ts +220 -0
package/src/auth/provider-model-options.ts +41 -0
package/src/auth/settings/agent-settings-store.ts +565 -0
package/src/auth/settings/auth-profiles-manager.ts +216 -0
package/src/auth/settings/index.ts +12 -0
package/src/auth/settings/model-preference-store.ts +52 -0
package/src/auth/settings/model-selection.ts +135 -0
package/src/auth/settings/resolved-settings-view.ts +298 -0
package/src/auth/settings/template-utils.ts +44 -0
package/src/auth/settings/token-service.ts +88 -0
package/src/auth/system-env-store.ts +98 -0
package/src/auth/user-agents-store.ts +68 -0
package/src/channels/binding-service.ts +214 -0
package/src/channels/index.ts +4 -0
package/src/cli/gateway.ts +1304 -0
package/src/cli/index.ts +74 -0
package/src/commands/built-in-commands.ts +80 -0
package/src/commands/command-dispatcher.ts +94 -0
package/src/commands/command-reply-adapters.ts +27 -0
package/src/config/file-loader.ts +618 -0
package/src/config/index.ts +588 -0
package/src/config/network-allowlist.ts +71 -0
package/src/connections/chat-instance-manager.ts +1284 -0
package/src/connections/chat-response-bridge.ts +618 -0
package/src/connections/index.ts +7 -0
package/src/connections/interaction-bridge.ts +831 -0
package/src/connections/message-handler-bridge.ts +415 -0
package/src/connections/platform-auth-methods.ts +15 -0
package/src/connections/types.ts +84 -0
package/src/gateway/connection-manager.ts +291 -0
package/src/gateway/index.ts +700 -0
package/src/gateway/job-router.ts +201 -0
package/src/gateway-main.ts +200 -0
package/src/index.ts +41 -0
package/src/infrastructure/queue/index.ts +12 -0
package/src/infrastructure/queue/queue-producer.ts +148 -0
package/src/infrastructure/queue/redis-queue.ts +361 -0
package/src/infrastructure/queue/types.ts +133 -0
package/src/infrastructure/redis/system-message-limiter.ts +94 -0
package/src/interactions/config-request-store.ts +198 -0
package/src/interactions.ts +363 -0
package/src/lobu.ts +311 -0
package/src/metrics/prometheus.ts +159 -0
package/src/modules/module-system.ts +179 -0
package/src/orchestration/base-deployment-manager.ts +900 -0
package/src/orchestration/deployment-utils.ts +98 -0
package/src/orchestration/impl/docker-deployment.ts +620 -0
package/src/orchestration/impl/embedded-deployment.ts +268 -0
package/src/orchestration/impl/index.ts +8 -0
package/src/orchestration/impl/k8s/deployment.ts +1061 -0
package/src/orchestration/impl/k8s/helpers.ts +610 -0
package/src/orchestration/impl/k8s/index.ts +1 -0
package/src/orchestration/index.ts +333 -0
package/src/orchestration/message-consumer.ts +584 -0
package/src/orchestration/scheduled-wakeup.ts +704 -0
package/src/permissions/approval-policy.ts +36 -0
package/src/permissions/grant-store.ts +219 -0
package/src/platform/file-handler.ts +66 -0
package/src/platform/link-buttons.ts +57 -0
package/src/platform/renderer-utils.ts +44 -0
package/src/platform/response-renderer.ts +84 -0
package/src/platform/unified-thread-consumer.ts +187 -0
package/src/platform.ts +318 -0
package/src/proxy/http-proxy.ts +752 -0
package/src/proxy/proxy-manager.ts +81 -0
package/src/proxy/secret-proxy.ts +402 -0
package/src/proxy/token-refresh-job.ts +143 -0
package/src/routes/internal/audio.ts +141 -0
package/src/routes/internal/device-auth.ts +566 -0
package/src/routes/internal/files.ts +226 -0
package/src/routes/internal/history.ts +69 -0
package/src/routes/internal/images.ts +127 -0
package/src/routes/internal/interactions.ts +84 -0
package/src/routes/internal/middleware.ts +23 -0
package/src/routes/internal/schedule.ts +226 -0
package/src/routes/internal/types.ts +22 -0
package/src/routes/openapi-auto.ts +239 -0
package/src/routes/public/agent-access.ts +23 -0
package/src/routes/public/agent-config.ts +675 -0
package/src/routes/public/agent-history.ts +422 -0
package/src/routes/public/agent-schedules.ts +296 -0
package/src/routes/public/agent.ts +1086 -0
package/src/routes/public/agents.ts +373 -0
package/src/routes/public/channels.ts +191 -0
package/src/routes/public/cli-auth.ts +883 -0
package/src/routes/public/connections.ts +574 -0
package/src/routes/public/landing.ts +16 -0
package/src/routes/public/oauth.ts +147 -0
package/src/routes/public/settings-auth.ts +104 -0
package/src/routes/public/slack.ts +173 -0
package/src/routes/shared/agent-ownership.ts +101 -0
package/src/routes/shared/token-verifier.ts +34 -0
package/src/services/core-services.ts +1053 -0
package/src/services/image-generation-service.ts +257 -0
package/src/services/instruction-service.ts +318 -0
package/src/services/mcp-registry.ts +94 -0
package/src/services/platform-helpers.ts +287 -0
package/src/services/session-manager.ts +262 -0
package/src/services/settings-resolver.ts +74 -0
package/src/services/system-config-resolver.ts +90 -0
package/src/services/system-skills-service.ts +229 -0
package/src/services/transcription-service.ts +684 -0
package/src/session.ts +110 -0
package/src/spaces/index.ts +1 -0
package/src/spaces/space-resolver.ts +17 -0
package/src/stores/in-memory-agent-store.ts +403 -0
package/src/stores/redis-agent-store.ts +279 -0
package/src/utils/public-url.ts +44 -0
package/src/utils/rate-limiter.ts +94 -0
package/tsconfig.json +33 -0

package/src/auth/external/device-code-client.ts ADDED Viewed

@@ -0,0 +1,225 @@
+import { BaseOAuth2Client } from "../oauth/base-client";
+import type { OAuthCredentials } from "../oauth/credentials";
+export const DEVICE_CODE_GRANT_TYPE =
+  "urn:ietf:params:oauth:grant-type:device_code";
+export interface DeviceCodeClientConfig {
+  clientId: string;
+  clientSecret?: string;
+  tokenUrl: string;
+  deviceAuthorizationUrl: string;
+  scope: string;
+  tokenEndpointAuthMethod?:
+    | "none"
+    | "client_secret_post"
+    | "client_secret_basic";
+}
+export interface DeviceAuthorizationStartResult {
+  deviceAuthId: string;
+  userCode: string;
+  verificationUri: string;
+  verificationUriComplete?: string;
+  interval: number;
+  expiresIn: number;
+}
+export type DeviceAuthorizationPollResult =
+  | {
+      status: "pending";
+      interval?: number;
+    }
+  | {
+      status: "complete";
+      credentials: OAuthCredentials;
+    }
+  | {
+      status: "error";
+      error: string;
+      errorCode?: string;
+    };
+interface DeviceAuthorizationResponse {
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  verification_uri_complete?: string;
+  expires_in: number;
+  interval?: number;
+}
+interface DeviceTokenSuccessResponse {
+  access_token: string;
+  refresh_token?: string;
+  token_type?: string;
+  expires_in?: number;
+  scope?: string;
+}
+interface DeviceTokenErrorResponse {
+  error: string;
+  error_description?: string;
+}
+export class GenericDeviceCodeClient extends BaseOAuth2Client {
+  constructor(private readonly config: DeviceCodeClientConfig) {
+    super("external-device-code-client");
+  }
+  async requestDeviceCode(): Promise<DeviceAuthorizationStartResult> {
+    const { headers, body } = this.buildAuthenticatedFormBody({
+      client_id: this.config.clientId,
+      scope: this.config.scope,
+    });
+    const response = await fetch(this.config.deviceAuthorizationUrl, {
+      method: "POST",
+      headers,
+      body: body.toString(),
+    });
+    const data = await this.parseJsonResponse<
+      DeviceAuthorizationResponse | DeviceTokenErrorResponse
+    >(response);
+    if (!response.ok || "error" in data) {
+      throw new Error(
+        this.formatOAuthError("Device authorization failed", data)
+      );
+    }
+    return {
+      deviceAuthId: data.device_code,
+      userCode: data.user_code,
+      verificationUri: data.verification_uri,
+      verificationUriComplete: data.verification_uri_complete,
+      interval: Math.max(data.interval ?? 5, 1),
+      expiresIn: data.expires_in,
+    };
+  }
+  async pollForToken(
+    deviceAuthId: string,
+    intervalSeconds?: number
+  ): Promise<DeviceAuthorizationPollResult> {
+    const { headers, body } = this.buildAuthenticatedFormBody({
+      grant_type: DEVICE_CODE_GRANT_TYPE,
+      device_code: deviceAuthId,
+      client_id: this.config.clientId,
+    });
+    const response = await fetch(this.config.tokenUrl, {
+      method: "POST",
+      headers,
+      body: body.toString(),
+    });
+    const data = await this.parseJsonResponse<
+      DeviceTokenSuccessResponse | DeviceTokenErrorResponse
+    >(response);
+    if (!response.ok || "error" in data) {
+      if ("error" in data) {
+        if (data.error === "authorization_pending") {
+          return { status: "pending", interval: intervalSeconds };
+        }
+        if (data.error === "slow_down") {
+          return {
+            status: "pending",
+            interval: Math.max((intervalSeconds ?? 5) + 5, 1),
+          };
+        }
+        if (data.error === "expired_token" || data.error === "access_denied") {
+          return {
+            status: "error",
+            error: data.error_description || data.error,
+            errorCode: data.error,
+          };
+        }
+      }
+      throw new Error(
+        this.formatOAuthError("Device token polling failed", data)
+      );
+    }
+    const credentials = this.buildCredentials(data);
+    return {
+      status: "complete",
+      credentials,
+    };
+  }
+  private buildCredentials(
+    tokenData: DeviceTokenSuccessResponse
+  ): OAuthCredentials {
+    return {
+      accessToken: tokenData.access_token,
+      refreshToken: tokenData.refresh_token,
+      tokenType: tokenData.token_type || "Bearer",
+      expiresAt:
+        this.calculateExpiresAt(tokenData.expires_in) ?? Date.now() + 3_600_000,
+      scopes: this.parseScopes(tokenData.scope),
+    };
+  }
+  private buildAuthenticatedFormBody(params: Record<string, string>): {
+    headers: Record<string, string>;
+    body: URLSearchParams;
+  } {
+    const body = new URLSearchParams(params);
+    const headers: Record<string, string> = {
+      Accept: "application/json",
+      "Content-Type": "application/x-www-form-urlencoded",
+    };
+    const authMethod = this.config.tokenEndpointAuthMethod || "none";
+    if (authMethod === "client_secret_basic") {
+      headers.Authorization = `Basic ${Buffer.from(
+        `${this.config.clientId}:${this.config.clientSecret || ""}`
+      ).toString("base64")}`;
+    } else if (
+      authMethod === "client_secret_post" &&
+      this.config.clientSecret
+    ) {
+      body.set("client_secret", this.config.clientSecret);
+    }
+    return { headers, body };
+  }
+  private async parseJsonResponse<T>(response: Response): Promise<T> {
+    const contentType = response.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+      return (await response.json()) as T;
+    }
+    const text = await response.text();
+    try {
+      return JSON.parse(text) as T;
+    } catch {
+      return { error: text || response.statusText } as T;
+    }
+  }
+  private formatOAuthError(prefix: string, data: unknown): string {
+    if (data && typeof data === "object" && "error" in data) {
+      const record = data as {
+        error?: unknown;
+        error_description?: unknown;
+      };
+      const error =
+        typeof record.error === "string" ? record.error : "unknown_error";
+      const description =
+        typeof record.error_description === "string"
+          ? record.error_description
+          : undefined;
+      return description
+        ? `${prefix}: ${error} - ${description}`
+        : `${prefix}: ${error}`;
+    }
+    return prefix;
+  }
+}

package/src/auth/mcp/config-service.ts ADDED Viewed

@@ -0,0 +1,392 @@
+import { createLogger, verifyWorkerToken } from "@lobu/core";
+import type { SystemConfigResolver } from "../../services/system-config-resolver";
+import type { AgentSettingsStore } from "../settings/agent-settings-store";
+const logger = createLogger("mcp-config-service");
+interface McpInput {
+  type: "promptString";
+  id: string;
+  description: string;
+}
+interface HttpMcpServerConfig {
+  id: string;
+  upstreamUrl: string;
+  oauth?: unknown;
+  inputs?: McpInput[];
+  headers?: Record<string, string>;
+  loginUrl?: string;
+  resource?: string;
+}
+interface WorkerMcpConfig {
+  mcpServers: Record<string, any>;
+}
+interface McpStatus {
+  id: string;
+  name: string;
+  requiresAuth: boolean;
+  requiresInput: boolean;
+}
+interface LoadedConfig {
+  rawServers: Record<string, any>;
+  httpServers: Map<string, HttpMcpServerConfig>;
+}
+interface McpConfigServiceOptions {
+  agentSettingsStore?: AgentSettingsStore;
+  configResolver?: SystemConfigResolver;
+}
+export class McpConfigService {
+  private cache?: LoadedConfig;
+  private agentSettingsStore?: AgentSettingsStore;
+  private configResolver?: SystemConfigResolver;
+  constructor(options: McpConfigServiceOptions = {}) {
+    this.agentSettingsStore = options.agentSettingsStore;
+    this.configResolver = options.configResolver;
+    logger.debug(`McpConfigService initialized`);
+  }
+  /**
+   * Register additional global MCP servers (e.g. from system skills).
+   */
+  registerGlobalServers(servers: Record<string, any>): void {
+    if (!this.cache) {
+      this.cache = {
+        rawServers: {},
+        httpServers: new Map(),
+      };
+    }
+    const normalized = normalizeConfig({ mcpServers: servers });
+    for (const [id, raw] of Object.entries(normalized.rawServers)) {
+      if (this.cache.rawServers[id]) continue;
+      this.cache.rawServers[id] = raw;
+    }
+    for (const [id, http] of normalized.httpServers) {
+      if (this.cache.httpServers.has(id)) continue;
+      this.cache.httpServers.set(id, http);
+    }
+    logger.info(
+      `Registered ${Object.keys(servers).length} global MCP(s) from system skills: ${Object.keys(servers).join(", ")}`
+    );
+  }
+  /**
+   * Return MCP config tailored for a worker request.
+   */
+  async getWorkerConfig(options: {
+    baseUrl: string;
+    workerToken: string;
+    deploymentName?: string;
+  }): Promise<WorkerMcpConfig> {
+    const { baseUrl, workerToken } = options;
+    const config = await this.loadConfig();
+    const workerConfig: WorkerMcpConfig = { mcpServers: {} };
+    const tokenData = verifyWorkerToken(workerToken);
+    if (!tokenData) {
+      logger.warn("Failed to verify worker token");
+      return workerConfig;
+    }
+    const { userId, agentId } = tokenData;
+    const effectiveAgentId = agentId || userId;
+    logger.info(`Building MCP config for user ${userId}`);
+    // Process global MCPs
+    for (const [id, serverConfig] of Object.entries(config.rawServers)) {
+      const cloned = cloneConfig(serverConfig);
+      const httpServer = config.httpServers.get(id);
+      if (httpServer) {
+        logger.info(`Configuring global MCP ${id}: baseUrl=${baseUrl}`);
+        cloned.url = baseUrl;
+        cloned.type = "sse";
+        cloned.headers = mergeHeaders(cloned.headers, workerToken, id);
+        logger.info(
+          `Including global MCP ${id} with URL=${cloned.url} and X-Mcp-Id header`
+        );
+      }
+      workerConfig.mcpServers[id] = cloned;
+    }
+    // Merge per-agent MCPs from live agent settings
+    const agentSettingsMcpServers =
+      (await this.getAgentMcpServers(effectiveAgentId)) || {};
+    for (const [id, serverConfig] of Object.entries(agentSettingsMcpServers)) {
+      if (workerConfig.mcpServers[id]) {
+        logger.warn(
+          `Per-agent MCP ${id} skipped - global MCP with same ID exists`
+        );
+        continue;
+      }
+      const cloned = cloneConfig(serverConfig);
+      if (cloned.enabled === false) {
+        logger.debug(`Skipping disabled per-agent MCP ${id}`);
+        continue;
+      }
+      if (cloned.url) {
+        logger.info(`Configuring per-agent HTTP MCP ${id}: baseUrl=${baseUrl}`);
+        cloned.originalUrl = cloned.url;
+        cloned.url = baseUrl;
+        cloned.type = "sse";
+        cloned.headers = mergeHeaders(cloned.headers, workerToken, id);
+        cloned.perAgent = true;
+        logger.info(`Including per-agent HTTP MCP ${id}`);
+      } else if (cloned.command) {
+        logger.info(`Including per-agent stdio MCP ${id}: ${cloned.command}`);
+      }
+      workerConfig.mcpServers[id] = cloned;
+    }
+    if (Object.keys(agentSettingsMcpServers).length > 0) {
+      logger.info(
+        `Merged ${Object.keys(agentSettingsMcpServers).length} per-agent MCPs from settings for agent ${effectiveAgentId}`
+      );
+    }
+    logger.info(
+      `Returning worker config with ${Object.keys(workerConfig.mcpServers).length} MCPs for user ${userId}:`,
+      {
+        mcpIds: Object.keys(workerConfig.mcpServers),
+        configs: Object.entries(workerConfig.mcpServers).map(([id, cfg]) => ({
+          id,
+          type: cfg.type,
+          hasUrl: !!cfg.url,
+          hasCommand: !!cfg.command,
+          perAgent: cfg.perAgent || false,
+        })),
+      }
+    );
+    return workerConfig;
+  }
+  /**
+   * Get status of all MCPs for a specific agent
+   */
+  async getMcpStatus(agentId: string): Promise<McpStatus[]> {
+    const httpServers = await this.getAllHttpServers(agentId);
+    const statuses: McpStatus[] = [];
+    for (const [id, httpServer] of httpServers) {
+      const hasOAuth = !!httpServer.oauth;
+      const hasLoginUrl = !!httpServer.loginUrl;
+      const requiresAuth = hasOAuth || hasLoginUrl;
+      const requiresInput = !!(
+        httpServer.inputs && httpServer.inputs.length > 0
+      );
+      statuses.push({
+        id,
+        name: id,
+        requiresAuth,
+        requiresInput,
+      });
+    }
+    return statuses;
+  }
+  /**
+   * Get HTTP proxy metadata for a specific MCP server.
+   */
+  async getHttpServer(
+    id: string,
+    agentId?: string
+  ): Promise<HttpMcpServerConfig | undefined> {
+    const httpServers = await this.getAllHttpServers(agentId);
+    return httpServers.get(id);
+  }
+  /**
+   * Get all HTTP proxy metadata for all MCP servers.
+   */
+  async getAllHttpServers(
+    agentId?: string
+  ): Promise<Map<string, HttpMcpServerConfig>> {
+    const config = await this.loadConfig();
+    const merged = new Map(config.httpServers);
+    if (agentId) {
+      const agentMcpServers = await this.getAgentMcpServers(agentId);
+      for (const [id, serverConfig] of Object.entries(agentMcpServers)) {
+        if (merged.has(id)) continue;
+        const httpServer = toHttpServerConfig(id, serverConfig);
+        if (httpServer) {
+          merged.set(id, httpServer);
+        }
+      }
+    }
+    return merged;
+  }
+  /**
+   * Return global MCP server configs in settings-compatible format.
+   */
+  async getGlobalMcpServers(): Promise<
+    Record<string, { url?: string; type?: "sse" | "stdio" }>
+  > {
+    const config = await this.loadConfig();
+    const result: Record<string, { url?: string; type?: "sse" | "stdio" }> = {};
+    for (const [id, raw] of Object.entries(config.rawServers)) {
+      const type = raw.type === "stdio" ? ("stdio" as const) : ("sse" as const);
+      result[id] = { url: raw.url, type };
+    }
+    return result;
+  }
+  private async getAgentMcpServers(
+    agentId: string
+  ): Promise<Record<string, any>> {
+    if (!this.agentSettingsStore) {
+      return {};
+    }
+    try {
+      const settings = await this.agentSettingsStore.getSettings(agentId);
+      return settings?.mcpServers || {};
+    } catch (error) {
+      logger.warn(`Failed to load per-agent MCP settings for ${agentId}`, {
+        error,
+      });
+      return {};
+    }
+  }
+  private async loadConfig(): Promise<LoadedConfig> {
+    if (!this.cache) {
+      let globalMcpServers: Record<string, any> = {};
+      if (this.configResolver) {
+        globalMcpServers = await this.configResolver.getGlobalMcpServers();
+      }
+      const normalized = normalizeConfig({ mcpServers: globalMcpServers });
+      this.cache = normalized;
+    }
+    return this.cache;
+  }
+}
+function normalizeConfig(config: { mcpServers: Record<string, any> }) {
+  const rawServers: Record<string, any> = {};
+  const httpServers = new Map<string, HttpMcpServerConfig>();
+  for (const [id, serverConfig] of Object.entries(config.mcpServers)) {
+    if (!serverConfig || typeof serverConfig !== "object") {
+      continue;
+    }
+    const cloned = cloneConfig(serverConfig);
+    rawServers[id] = cloned;
+    if (typeof cloned.url === "string" && isHttpUrl(cloned.url)) {
+      httpServers.set(id, {
+        id,
+        upstreamUrl: cloned.url,
+        oauth:
+          cloned.oauth && typeof cloned.oauth === "object"
+            ? cloned.oauth
+            : undefined,
+        inputs: Array.isArray(cloned.inputs)
+          ? cloned.inputs.filter(
+              (input: any) =>
+                input &&
+                typeof input === "object" &&
+                input.type === "promptString"
+            )
+          : undefined,
+        headers:
+          cloned.headers && typeof cloned.headers === "object"
+            ? cloned.headers
+            : undefined,
+        loginUrl:
+          typeof cloned.loginUrl === "string" ? cloned.loginUrl : undefined,
+        resource:
+          typeof cloned.resource === "string" ? cloned.resource : undefined,
+      });
+    }
+  }
+  return { rawServers, httpServers };
+}
+function toHttpServerConfig(
+  id: string,
+  serverConfig: any
+): HttpMcpServerConfig | null {
+  if (!serverConfig || typeof serverConfig !== "object") {
+    return null;
+  }
+  if (serverConfig.enabled === false) {
+    return null;
+  }
+  const cloned = cloneConfig(serverConfig);
+  if (typeof cloned.url !== "string" || !isHttpUrl(cloned.url)) {
+    return null;
+  }
+  return {
+    id,
+    upstreamUrl: cloned.url,
+    oauth:
+      cloned.oauth && typeof cloned.oauth === "object"
+        ? cloned.oauth
+        : undefined,
+    inputs: Array.isArray(cloned.inputs)
+      ? cloned.inputs.filter(
+          (input: any) =>
+            input && typeof input === "object" && input.type === "promptString"
+        )
+      : undefined,
+    headers:
+      cloned.headers && typeof cloned.headers === "object"
+        ? cloned.headers
+        : undefined,
+    loginUrl: typeof cloned.loginUrl === "string" ? cloned.loginUrl : undefined,
+  };
+}
+function cloneConfig(config: any) {
+  return JSON.parse(JSON.stringify(config));
+}
+function isHttpUrl(candidate: string): boolean {
+  return candidate.startsWith("http://") || candidate.startsWith("https://");
+}
+function mergeHeaders(
+  existingHeaders: unknown,
+  workerToken: string,
+  mcpId: string
+): Record<string, string> {
+  const normalized: Record<string, string> = {};
+  if (existingHeaders && typeof existingHeaders === "object") {
+    for (const [key, value] of Object.entries(existingHeaders as any)) {
+      if (typeof value === "string") {
+        normalized[key] = value;
+      } else if (value != null) {
+        normalized[key] = String(value);
+      }
+    }
+  }
+  normalized.Authorization = `Bearer ${workerToken}`;
+  normalized["X-Mcp-Id"] = mcpId;
+  return normalized;
+}