@nkmc/gateway 0.1.0

package/dist/index.js

@@ -0,0 +1,1434 @@
+import {
+  Context7Backend,
+  Context7Client,
+  VirtualFileBackend,
+  createRegistryResolver,
+  credentialRoutes,
+  extractDomainPath,
+  fetchAndCompile,
+  parsePricingAnnotation,
+  parseSkillMd,
+  queryDnsTxt,
+  skillToHttpConfig,
+  tunnelRoutes
+} from "./chunk-CZJ75YTV.js";
+import "./chunk-QGM4M3NI.js";
+
+// src/registry/memory-store.ts
+var MemoryRegistryStore = class {
+  // key = "domain@version"
+  records = /* @__PURE__ */ new Map();
+  key(domain, version) {
+    return `${domain}@${version}`;
+  }
+  async get(domain) {
+    for (const record of this.records.values()) {
+      if (record.domain === domain && record.isDefault) return record;
+    }
+    return null;
+  }
+  async getVersion(domain, version) {
+    return this.records.get(this.key(domain, version)) ?? null;
+  }
+  async listVersions(domain) {
+    const versions = [];
+    for (const record of this.records.values()) {
+      if (record.domain === domain) {
+        versions.push({
+          version: record.version,
+          status: record.status,
+          isDefault: record.isDefault,
+          createdAt: record.createdAt,
+          updatedAt: record.updatedAt
+        });
+      }
+    }
+    return versions.sort((a, b) => b.createdAt - a.createdAt);
+  }
+  async put(domain, record) {
+    this.records.set(this.key(domain, record.version), record);
+  }
+  async delete(domain) {
+    const keysToDelete = [];
+    for (const [key, record] of this.records.entries()) {
+      if (record.domain === domain) keysToDelete.push(key);
+    }
+    for (const key of keysToDelete) {
+      this.records.delete(key);
+    }
+  }
+  async list() {
+    const results = [];
+    for (const record of this.records.values()) {
+      if (record.isDefault) results.push(toSummary(record));
+    }
+    return results;
+  }
+  async search(query) {
+    const q = query.toLowerCase();
+    const results = [];
+    for (const record of this.records.values()) {
+      if (!record.isDefault) continue;
+      const nameMatch = record.name.toLowerCase().includes(q) || record.description.toLowerCase().includes(q);
+      const matched = record.endpoints.filter(
+        (e) => e.description.toLowerCase().includes(q) || e.method.toLowerCase().includes(q) || e.path.toLowerCase().includes(q)
+      );
+      if (nameMatch || matched.length > 0) {
+        results.push({
+          ...toSummary(record),
+          matchedEndpoints: matched.map((e) => ({
+            method: e.method,
+            path: e.path,
+            description: e.description
+          }))
+        });
+      }
+    }
+    return results;
+  }
+};
+function toSummary(record) {
+  return {
+    domain: record.domain,
+    name: record.name,
+    description: record.description,
+    isFirstParty: record.isFirstParty
+  };
+}
+
+// src/registry/d1-store.ts
+var CREATE_SERVICES = `
+CREATE TABLE IF NOT EXISTS services (
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  name TEXT NOT NULL,
+  description TEXT,
+  roles TEXT,
+  skill_md TEXT NOT NULL,
+  endpoints TEXT,
+  is_first_party INTEGER DEFAULT 0,
+  status TEXT DEFAULT 'active',
+  is_default INTEGER DEFAULT 1,
+  source TEXT,
+  sunset_date INTEGER,
+  auth_mode TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, version)
+)`;
+var CREATE_SERVICES_DEFAULT_INDEX = `
+CREATE INDEX IF NOT EXISTS idx_services_default ON services(domain, is_default)`;
+var CREATE_DOMAIN_CHALLENGES = `
+CREATE TABLE IF NOT EXISTS domain_challenges (
+  domain TEXT PRIMARY KEY,
+  challenge_code TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'pending',
+  created_at INTEGER NOT NULL,
+  verified_at INTEGER,
+  expires_at INTEGER NOT NULL
+)`;
+function rowToRecord(row) {
+  return {
+    domain: row.domain,
+    name: row.name,
+    description: row.description,
+    version: row.version,
+    roles: JSON.parse(row.roles),
+    skillMd: row.skill_md,
+    endpoints: JSON.parse(row.endpoints),
+    isFirstParty: row.is_first_party === 1,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+    status: row.status,
+    isDefault: row.is_default === 1,
+    ...row.source ? { source: JSON.parse(row.source) } : {},
+    ...row.sunset_date ? { sunsetDate: row.sunset_date } : {},
+    ...row.auth_mode ? { authMode: row.auth_mode } : {}
+  };
+}
+function toSummary2(row) {
+  return {
+    domain: row.domain,
+    name: row.name,
+    description: row.description,
+    isFirstParty: row.is_first_party === 1
+  };
+}
+var D1RegistryStore = class _D1RegistryStore {
+  constructor(db) {
+    this.db = db;
+  }
+  async initSchema() {
+    await this.db.exec(CREATE_SERVICES);
+    await this.db.exec(CREATE_SERVICES_DEFAULT_INDEX);
+    await this.db.exec(CREATE_DOMAIN_CHALLENGES);
+  }
+  async get(domain) {
+    const row = await this.db.prepare("SELECT * FROM services WHERE domain = ? AND is_default = 1").bind(domain).first();
+    return row ? rowToRecord(row) : null;
+  }
+  async getVersion(domain, version) {
+    const row = await this.db.prepare("SELECT * FROM services WHERE domain = ? AND version = ?").bind(domain, version).first();
+    return row ? rowToRecord(row) : null;
+  }
+  async listVersions(domain) {
+    const { results } = await this.db.prepare(
+      "SELECT version, status, is_default, created_at, updated_at FROM services WHERE domain = ? ORDER BY created_at DESC"
+    ).bind(domain).all();
+    return results.map((row) => ({
+      version: row.version,
+      status: row.status,
+      isDefault: row.is_default === 1,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at
+    }));
+  }
+  /** Max endpoints JSON size before stripping verbose fields (parameters, requestBody, responses). */
+  static ENDPOINTS_SIZE_LIMIT = 8e5;
+  // ~800 KB, well under D1's ~1 MB per-value limit
+  async put(domain, record) {
+    let endpointsJson = JSON.stringify(record.endpoints);
+    if (endpointsJson.length > _D1RegistryStore.ENDPOINTS_SIZE_LIMIT) {
+      const slim = record.endpoints.map(({ method, path, description, price, pricing }) => ({
+        method,
+        path,
+        description,
+        ...price ? { price } : {},
+        ...pricing ? { pricing } : {}
+      }));
+      endpointsJson = JSON.stringify(slim);
+    }
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO services
+         (domain, version, name, description, roles, skill_md, endpoints, is_first_party, status, is_default, source, sunset_date, auth_mode, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    ).bind(
+      domain,
+      record.version,
+      record.name,
+      record.description,
+      JSON.stringify(record.roles),
+      record.skillMd,
+      endpointsJson,
+      record.isFirstParty ? 1 : 0,
+      record.status,
+      record.isDefault ? 1 : 0,
+      record.source ? JSON.stringify(record.source) : null,
+      record.sunsetDate ?? null,
+      record.authMode ?? null,
+      record.createdAt,
+      record.updatedAt
+    ).run();
+  }
+  async delete(domain) {
+    await this.db.prepare("DELETE FROM services WHERE domain = ?").bind(domain).run();
+  }
+  async list() {
+    const { results } = await this.db.prepare("SELECT domain, name, description, is_first_party FROM services WHERE is_default = 1").all();
+    return results.map(toSummary2);
+  }
+  async search(query) {
+    const pattern = `%${query}%`;
+    const { results: rows } = await this.db.prepare(
+      `SELECT * FROM services
+         WHERE is_default = 1 AND (name LIKE ? OR description LIKE ? OR endpoints LIKE ?)`
+    ).bind(pattern, pattern, pattern).all();
+    const q = query.toLowerCase();
+    return rows.map((row) => {
+      const endpoints = JSON.parse(row.endpoints);
+      const matched = endpoints.filter(
+        (e) => e.description.toLowerCase().includes(q) || e.method.toLowerCase().includes(q) || e.path.toLowerCase().includes(q)
+      );
+      return {
+        ...toSummary2(row),
+        matchedEndpoints: matched.map((e) => ({
+          method: e.method,
+          path: e.path,
+          description: e.description
+        }))
+      };
+    });
+  }
+  async stats() {
+    const row = await this.db.prepare(
+      `SELECT COUNT(*) as service_count, COALESCE(SUM(json_array_length(endpoints)), 0) as endpoint_count
+         FROM services WHERE is_default = 1`
+    ).first();
+    return {
+      serviceCount: row?.service_count ?? 0,
+      endpointCount: row?.endpoint_count ?? 0
+    };
+  }
+};
+
+// src/metering/memory-store.ts
+var MemoryMeterStore = class {
+  records = [];
+  async record(entry) {
+    this.records.push(entry);
+  }
+  async query(filter) {
+    return this.records.filter((r) => this.matches(r, filter));
+  }
+  async sum(filter) {
+    const matched = this.records.filter((r) => this.matches(r, filter));
+    const total = matched.reduce((acc, r) => acc + r.cost, 0);
+    const currency = matched[0]?.currency ?? "USDC";
+    return { total, currency };
+  }
+  matches(record, filter) {
+    if (filter.domain && record.domain !== filter.domain) return false;
+    if (filter.agentId && record.agentId !== filter.agentId) return false;
+    if (filter.developerId && record.developerId !== filter.developerId) return false;
+    if (filter.from && record.timestamp < filter.from) return false;
+    if (filter.to && record.timestamp > filter.to) return false;
+    return true;
+  }
+};
+
+// src/metering/d1-store.ts
+var CREATE_METER_RECORDS = `
+CREATE TABLE IF NOT EXISTS meter_records (
+  id TEXT PRIMARY KEY,
+  timestamp INTEGER NOT NULL,
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  endpoint TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  developer_id TEXT,
+  cost REAL NOT NULL,
+  currency TEXT NOT NULL DEFAULT 'USDC'
+)`;
+var CREATE_METER_INDEX_DOMAIN = `
+CREATE INDEX IF NOT EXISTS idx_meter_domain ON meter_records(domain, timestamp)`;
+var CREATE_METER_INDEX_AGENT = `
+CREATE INDEX IF NOT EXISTS idx_meter_agent ON meter_records(agent_id, timestamp)`;
+var D1MeterStore = class {
+  constructor(db) {
+    this.db = db;
+  }
+  async initSchema() {
+    await this.db.exec(CREATE_METER_RECORDS);
+    await this.db.exec(CREATE_METER_INDEX_DOMAIN);
+    await this.db.exec(CREATE_METER_INDEX_AGENT);
+  }
+  async record(entry) {
+    await this.db.prepare(
+      `INSERT INTO meter_records (id, timestamp, domain, version, endpoint, agent_id, developer_id, cost, currency)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    ).bind(
+      entry.id,
+      entry.timestamp,
+      entry.domain,
+      entry.version,
+      entry.endpoint,
+      entry.agentId,
+      entry.developerId ?? null,
+      entry.cost,
+      entry.currency
+    ).run();
+  }
+  async query(filter) {
+    const { sql, bindings } = this.buildQuery("SELECT *", filter);
+    const { results } = await this.db.prepare(sql).bind(...bindings).all();
+    return results.map(rowToRecord2);
+  }
+  async sum(filter) {
+    const { sql, bindings } = this.buildQuery("SELECT COALESCE(SUM(cost), 0) as total, COALESCE(MIN(currency), 'USDC') as currency", filter);
+    const row = await this.db.prepare(sql).bind(...bindings).first();
+    return { total: row?.total ?? 0, currency: row?.currency ?? "USDC" };
+  }
+  buildQuery(select, filter) {
+    const conditions = [];
+    const bindings = [];
+    if (filter.domain) {
+      conditions.push("domain = ?");
+      bindings.push(filter.domain);
+    }
+    if (filter.agentId) {
+      conditions.push("agent_id = ?");
+      bindings.push(filter.agentId);
+    }
+    if (filter.developerId) {
+      conditions.push("developer_id = ?");
+      bindings.push(filter.developerId);
+    }
+    if (filter.from) {
+      conditions.push("timestamp >= ?");
+      bindings.push(filter.from);
+    }
+    if (filter.to) {
+      conditions.push("timestamp <= ?");
+      bindings.push(filter.to);
+    }
+    let sql = `${select} FROM meter_records`;
+    if (conditions.length > 0) {
+      sql += ` WHERE ${conditions.join(" AND ")}`;
+    }
+    sql += " ORDER BY timestamp DESC";
+    return { sql, bindings };
+  }
+};
+function rowToRecord2(row) {
+  return {
+    id: row.id,
+    timestamp: row.timestamp,
+    domain: row.domain,
+    version: row.version,
+    endpoint: row.endpoint,
+    agentId: row.agent_id,
+    ...row.developer_id ? { developerId: row.developer_id } : {},
+    cost: row.cost,
+    currency: row.currency
+  };
+}
+
+// src/metering/pricing-guard.ts
+function lookupPricing(record, method, path) {
+  for (const ep of record.endpoints) {
+    if (ep.method.toUpperCase() !== method.toUpperCase()) continue;
+    if (matchPath(ep.path, path)) {
+      return ep.pricing ?? null;
+    }
+  }
+  return null;
+}
+function checkAccess(record) {
+  if (record.status === "sunset") {
+    return { allowed: false, reason: "Service has been sunset" };
+  }
+  if (record.sunsetDate && record.sunsetDate < Date.now()) {
+    return { allowed: false, reason: "Service sunset date has passed" };
+  }
+  return { allowed: true };
+}
+async function meter(store, opts) {
+  const entry = {
+    id: `m_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+    timestamp: Date.now(),
+    domain: opts.domain,
+    version: opts.version,
+    endpoint: opts.endpoint,
+    agentId: opts.agentId,
+    developerId: opts.developerId,
+    cost: opts.pricing.cost,
+    currency: opts.pricing.currency
+  };
+  await store.record(entry);
+  return entry;
+}
+function matchPath(pattern, actual) {
+  const patternParts = pattern.split("/").filter(Boolean);
+  const actualParts = actual.split("/").filter(Boolean);
+  if (patternParts.length !== actualParts.length) return false;
+  for (let i = 0; i < patternParts.length; i++) {
+    if (patternParts[i].startsWith(":")) continue;
+    if (patternParts[i] !== actualParts[i]) return false;
+  }
+  return true;
+}
+
+// src/credential/memory-vault.ts
+var MemoryCredentialVault = class {
+  // key = "pool:domain" or "byok:domain:developerId"
+  credentials = /* @__PURE__ */ new Map();
+  poolKey(domain) {
+    return `pool:${domain}`;
+  }
+  byokKey(domain, developerId) {
+    return `byok:${domain}:${developerId}`;
+  }
+  async get(domain, developerId) {
+    if (developerId) {
+      const byok = this.credentials.get(this.byokKey(domain, developerId));
+      if (byok) return byok;
+    }
+    return this.credentials.get(this.poolKey(domain)) ?? null;
+  }
+  async putPool(domain, auth) {
+    this.credentials.set(this.poolKey(domain), { domain, auth, scope: "pool" });
+  }
+  async putByok(domain, developerId, auth) {
+    this.credentials.set(this.byokKey(domain, developerId), {
+      domain,
+      auth,
+      scope: "byok",
+      developerId
+    });
+  }
+  async delete(domain, developerId) {
+    if (developerId) {
+      this.credentials.delete(this.byokKey(domain, developerId));
+    } else {
+      this.credentials.delete(this.poolKey(domain));
+    }
+  }
+  async listDomains() {
+    const domains = /* @__PURE__ */ new Set();
+    for (const cred of this.credentials.values()) {
+      domains.add(cred.domain);
+    }
+    return Array.from(domains);
+  }
+};
+
+// src/credential/d1-vault.ts
+var CREATE_CREDENTIALS = `
+CREATE TABLE IF NOT EXISTS credentials (
+  domain TEXT NOT NULL,
+  scope TEXT NOT NULL DEFAULT 'pool',
+  developer_id TEXT NOT NULL DEFAULT '',
+  auth_encrypted TEXT NOT NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, scope, developer_id)
+)`;
+async function encrypt(auth, key) {
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const plaintext = new TextEncoder().encode(JSON.stringify(auth));
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    plaintext
+  );
+  const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+  combined.set(iv);
+  combined.set(new Uint8Array(ciphertext), iv.length);
+  return btoa(String.fromCharCode(...combined));
+}
+async function decrypt(encoded, key) {
+  const bytes = Uint8Array.from(atob(encoded), (c) => c.charCodeAt(0));
+  const iv = bytes.slice(0, 12);
+  const ciphertext = bytes.slice(12);
+  try {
+    const plaintext = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      ciphertext
+    );
+    return JSON.parse(new TextDecoder().decode(plaintext));
+  } catch {
+    return JSON.parse(atob(encoded));
+  }
+}
+var D1CredentialVault = class {
+  constructor(db, encryptionKey) {
+    this.db = db;
+    this.encryptionKey = encryptionKey;
+  }
+  async initSchema() {
+    await this.db.exec(CREATE_CREDENTIALS);
+  }
+  async get(domain, developerId) {
+    if (developerId) {
+      const byok = await this.db.prepare("SELECT * FROM credentials WHERE domain = ? AND scope = 'byok' AND developer_id = ?").bind(domain, developerId).first();
+      if (byok) return await this.rowToCredential(byok);
+    }
+    const pool = await this.db.prepare("SELECT * FROM credentials WHERE domain = ? AND scope = 'pool' AND developer_id = ''").bind(domain).first();
+    return pool ? await this.rowToCredential(pool) : null;
+  }
+  async putPool(domain, auth) {
+    const now = Date.now();
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO credentials (domain, scope, developer_id, auth_encrypted, created_at, updated_at)
+         VALUES (?, 'pool', '', ?, ?, ?)`
+    ).bind(domain, await encrypt(auth, this.encryptionKey), now, now).run();
+  }
+  async putByok(domain, developerId, auth) {
+    const now = Date.now();
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO credentials (domain, scope, developer_id, auth_encrypted, created_at, updated_at)
+         VALUES (?, 'byok', ?, ?, ?, ?)`
+    ).bind(domain, developerId, await encrypt(auth, this.encryptionKey), now, now).run();
+  }
+  async delete(domain, developerId) {
+    if (developerId) {
+      await this.db.prepare("DELETE FROM credentials WHERE domain = ? AND scope = 'byok' AND developer_id = ?").bind(domain, developerId).run();
+    } else {
+      await this.db.prepare("DELETE FROM credentials WHERE domain = ? AND scope = 'pool' AND developer_id = ''").bind(domain).run();
+    }
+  }
+  async listDomains() {
+    const { results } = await this.db.prepare("SELECT DISTINCT domain FROM credentials").all();
+    return results.map((r) => r.domain);
+  }
+  async rowToCredential(row) {
+    return {
+      domain: row.domain,
+      auth: await decrypt(row.auth_encrypted, this.encryptionKey),
+      scope: row.scope,
+      ...row.developer_id ? { developerId: row.developer_id } : {}
+    };
+  }
+};
+
+// src/onboard/pipeline.ts
+import { AgentFs } from "@nkmc/agent-fs";
+
+// src/registry/rpc-compiler.ts
+function compileRpcDef(domain, rpcDef, options) {
+  const convention = rpcDef.convention ?? "raw";
+  const endpoints = rpcDef.methods.map((m) => ({
+    method: "RPC",
+    path: m.rpcMethod,
+    description: m.description
+  }));
+  const resourceMap = /* @__PURE__ */ new Map();
+  for (const m of rpcDef.methods) {
+    const resName = m.resource ?? inferResource(m.rpcMethod);
+    if (!resourceMap.has(resName)) {
+      resourceMap.set(resName, { name: resName, methods: {} });
+    }
+    const entry = resourceMap.get(resName);
+    if (m.fsOp) {
+      entry.methods[m.fsOp] = m.rpcMethod;
+    }
+  }
+  const rpcMeta = {
+    rpcUrl: rpcDef.url,
+    convention,
+    resources: Array.from(resourceMap.values())
+  };
+  const skillMd = generateSkillMd(domain, rpcDef, endpoints);
+  const now = Date.now();
+  const record = {
+    domain,
+    name: domain,
+    description: `JSON-RPC service at ${domain}`,
+    version: options?.version ?? "1.0",
+    roles: ["agent"],
+    skillMd,
+    endpoints,
+    isFirstParty: options?.isFirstParty ?? false,
+    createdAt: now,
+    updatedAt: now,
+    status: "active",
+    isDefault: true,
+    source: {
+      type: "jsonrpc",
+      url: rpcDef.url,
+      rpc: rpcMeta
+    }
+  };
+  return { record, skillMd };
+}
+function inferResource(rpcMethod) {
+  const underscoreIdx = rpcMethod.indexOf("_");
+  if (underscoreIdx < 0) return rpcMethod;
+  const action = rpcMethod.slice(underscoreIdx + 1);
+  const verbPrefixes = ["get", "send", "subscribe", "unsubscribe", "new", "call"];
+  let noun = action;
+  for (const prefix of verbPrefixes) {
+    if (action.startsWith(prefix) && action.length > prefix.length) {
+      noun = action.slice(prefix.length);
+      break;
+    }
+  }
+  const camelMatch = noun.match(/^([A-Z][a-z]+)/);
+  if (camelMatch) {
+    noun = camelMatch[1];
+  }
+  const lower = noun.toLowerCase();
+  return lower.endsWith("s") ? lower : lower + "s";
+}
+function generateSkillMd(domain, rpcDef, endpoints) {
+  const lines = [
+    "---",
+    `name: "${domain}"`,
+    `version: "1.0"`,
+    `roles: [agent]`,
+    "---",
+    "",
+    `# ${domain}`,
+    "",
+    `JSON-RPC service at ${rpcDef.url}`,
+    "",
+    `Convention: ${rpcDef.convention ?? "raw"}`,
+    "",
+    "## RPC Methods",
+    "",
+    "| method | description |",
+    "|--------|-------------|"
+  ];
+  for (const ep of endpoints) {
+    lines.push(`| ${ep.path} | ${ep.description} |`);
+  }
+  return lines.join("\n");
+}
+
+// src/onboard/pipeline.ts
+var OnboardPipeline = class {
+  store;
+  vault;
+  smokeTest;
+  concurrency;
+  fetchFn;
+  onProgress;
+  constructor(options) {
+    this.store = options.store;
+    this.vault = options.vault;
+    this.smokeTest = options.smokeTest !== false;
+    this.concurrency = options.concurrency ?? 5;
+    this.fetchFn = options.fetchFn ?? globalThis.fetch.bind(globalThis);
+    this.onProgress = options.onProgress;
+  }
+  /** Onboard a single service */
+  async onboardOne(entry) {
+    const start = Date.now();
+    const base = {
+      domain: entry.domain,
+      source: "none",
+      endpoints: 0,
+      resources: 0,
+      hasCredentials: false
+    };
+    if (entry.disabled) {
+      return { ...base, status: "skipped", durationMs: Date.now() - start };
+    }
+    try {
+      if (entry.specUrl) {
+        const result = await fetchAndCompile(entry.specUrl, { domain: entry.domain }, this.fetchFn);
+        await this.store.put(entry.domain, result.record);
+        base.source = "openapi";
+        base.endpoints = result.record.endpoints.length;
+        base.resources = result.resources.length;
+      } else if (entry.skillMdUrl) {
+        const resp = await this.fetchFn(entry.skillMdUrl);
+        if (!resp.ok) throw new Error(`Failed to fetch skill.md: ${resp.status}`);
+        const md = await resp.text();
+        const record = parseSkillMd(entry.domain, md);
+        await this.store.put(entry.domain, record);
+        base.source = "wellknown";
+        base.endpoints = record.endpoints.length;
+      } else if (entry.skillMd) {
+        const record = parseSkillMd(entry.domain, entry.skillMd);
+        await this.store.put(entry.domain, record);
+        base.source = "skillmd";
+        base.endpoints = record.endpoints.length;
+      } else if (entry.rpcDef) {
+        const { record } = compileRpcDef(entry.domain, entry.rpcDef);
+        await this.store.put(entry.domain, record);
+        base.source = "jsonrpc";
+        base.endpoints = record.endpoints.length;
+        base.resources = record.source?.rpc?.resources.length ?? 0;
+      } else {
+        return { ...base, status: "skipped", error: "No spec, skillMdUrl, or skillMd provided", durationMs: Date.now() - start };
+      }
+      if (entry.auth && this.vault) {
+        const auth = resolveAuth(entry.auth);
+        await this.vault.putPool(entry.domain, auth);
+        base.hasCredentials = true;
+      }
+      if (this.smokeTest) {
+        base.smokeTest = await this.runSmokeTest(entry.domain, base.hasCredentials);
+      }
+      return { ...base, status: "ok", durationMs: Date.now() - start };
+    } catch (err) {
+      return {
+        ...base,
+        status: "failed",
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  /** Onboard many services with controlled concurrency */
+  async onboardMany(entries) {
+    const start = Date.now();
+    const results = [];
+    let index = 0;
+    for (let i = 0; i < entries.length; i += this.concurrency) {
+      const batch = entries.slice(i, i + this.concurrency);
+      const batchResults = await Promise.all(
+        batch.map(async (entry) => {
+          const result = await this.onboardOne(entry);
+          const idx = index++;
+          this.onProgress?.(result, idx, entries.length);
+          return result;
+        })
+      );
+      results.push(...batchResults);
+    }
+    return {
+      total: results.length,
+      ok: results.filter((r) => r.status === "ok").length,
+      failed: results.filter((r) => r.status === "failed").length,
+      skipped: results.filter((r) => r.status === "skipped").length,
+      results,
+      durationMs: Date.now() - start
+    };
+  }
+  async runSmokeTest(domain, hasCredentials) {
+    const resolverOpts = this.vault ? { store: this.store, vault: this.vault, wrapVirtualFiles: false } : { store: this.store, wrapVirtualFiles: false };
+    const { onMiss, listDomains } = createRegistryResolver(resolverOpts);
+    const fs = new AgentFs({ mounts: [], onMiss, listDomains });
+    const test = { ls: false, cat: false };
+    const lsResult = await fs.execute(`ls /${domain}/`);
+    test.ls = lsResult.ok === true;
+    if (test.ls && lsResult.ok) {
+      const entries = lsResult.data;
+      const resource = entries.find((e) => e.endsWith("/") && !e.startsWith("_"));
+      if (resource) {
+        const catResult = await fs.execute(`ls /${domain}/${resource}`);
+        test.cat = catResult.ok === true;
+        test.catEndpoint = `ls /${domain}/${resource}`;
+      } else if (entries.includes("_api/")) {
+        const apiResult = await fs.execute(`ls /${domain}/_api/`);
+        test.cat = apiResult.ok === true;
+        test.catEndpoint = `ls /${domain}/_api/`;
+      }
+    }
+    return test;
+  }
+};
+function resolveAuth(auth) {
+  const resolve = (val) => {
+    if (!val) return void 0;
+    const match = val.match(/^\$\{(\w+)\}$/);
+    if (match) {
+      const envVal = process.env[match[1]];
+      if (!envVal) throw new Error(`Environment variable ${match[1]} is not set`);
+      return envVal;
+    }
+    return val;
+  };
+  if (auth.type === "bearer") {
+    const token = resolve(auth.token);
+    if (!token) throw new Error("Bearer auth requires token");
+    return { type: "bearer", token, ...auth.prefix ? { prefix: auth.prefix } : {} };
+  }
+  if (auth.type === "api-key") {
+    const header = resolve(auth.header);
+    const key = resolve(auth.key);
+    if (!header || !key) throw new Error("API key auth requires header and key");
+    return { type: "api-key", header, key };
+  }
+  if (auth.type === "basic") {
+    const username = resolve(auth.username);
+    const password = resolve(auth.password);
+    if (!username || !password) throw new Error("Basic auth requires username and password");
+    return { type: "basic", username, password };
+  }
+  if (auth.type === "oauth2") {
+    const tokenUrl = resolve(auth.tokenUrl);
+    const clientId = resolve(auth.clientId);
+    const clientSecret = resolve(auth.clientSecret);
+    if (!tokenUrl || !clientId || !clientSecret) throw new Error("OAuth2 auth requires tokenUrl, clientId, and clientSecret");
+    return { type: "oauth2", tokenUrl, clientId, clientSecret, ...auth.scope ? { scope: auth.scope } : {} };
+  }
+  throw new Error(`Unknown auth type: ${auth.type}`);
+}
+
+// src/onboard/apis-guru.ts
+var APIS_GURU_LIST = "https://api.apis.guru/v2/list.json";
+async function discoverFromApisGuru(options) {
+  const fetchFn = options?.fetchFn ?? globalThis.fetch.bind(globalThis);
+  const limit = options?.limit ?? 100;
+  const filter = options?.filter?.toLowerCase();
+  const resp = await fetchFn(APIS_GURU_LIST);
+  if (!resp.ok) throw new Error(`apis.guru fetch failed: ${resp.status}`);
+  const catalog = await resp.json();
+  const entries = [];
+  for (const [key, api] of Object.entries(catalog)) {
+    if (entries.length >= limit) break;
+    const version = api.versions[api.preferred];
+    if (!version?.swaggerUrl) continue;
+    const title = version.info?.title ?? key;
+    const desc = version.info?.description ?? "";
+    if (filter) {
+      const text = `${key} ${title} ${desc}`.toLowerCase();
+      if (!text.includes(filter)) continue;
+    }
+    const domain = key.split(":")[0];
+    entries.push({
+      domain,
+      specUrl: version.swaggerUrl,
+      tags: ["apis-guru", "public"]
+    });
+  }
+  return entries;
+}
+
+// src/onboard/manifest.ts
+var FREE_APIS = [
+  {
+    domain: "petstore3.swagger.io",
+    specUrl: "https://petstore3.swagger.io/api/v3/openapi.json",
+    tags: ["demo", "free"]
+  },
+  {
+    domain: "api.weather.gov",
+    specUrl: "https://api.weather.gov/openapi.json",
+    tags: ["weather", "government", "free"]
+  },
+  {
+    domain: "en.wikipedia.org",
+    specUrl: "https://en.wikipedia.org/api/rest_v1/?spec",
+    tags: ["knowledge", "encyclopedia", "free"]
+  }
+];
+var FREEMIUM_APIS = [
+  {
+    domain: "api.github.com",
+    specUrl: "https://raw.githubusercontent.com/github/rest-api-description/main/descriptions/api.github.com/api.github.com.2022-11-28.json",
+    auth: { type: "bearer", token: "${GITHUB_TOKEN}" },
+    tags: ["developer-tools", "vcs", "freemium"]
+  },
+  {
+    domain: "huggingface.co",
+    specUrl: "https://huggingface.co/.well-known/openapi.json",
+    auth: { type: "bearer", token: "${HF_TOKEN}" },
+    tags: ["ai", "ml", "models", "freemium"]
+  }
+];
+var DEVELOPER_TOOL_APIS = [
+  {
+    domain: "gitlab.com",
+    specUrl: "https://gitlab.com/gitlab-org/gitlab/-/raw/master/doc/api/openapi/openapi.yaml",
+    auth: { type: "bearer", token: "${GITLAB_TOKEN}" },
+    tags: ["developer-tools", "vcs"]
+  },
+  {
+    domain: "api.vercel.com",
+    specUrl: "https://openapi.vercel.sh",
+    auth: { type: "bearer", token: "${VERCEL_TOKEN}" },
+    tags: ["developer-tools", "hosting"]
+  },
+  {
+    domain: "sentry.io",
+    specUrl: "https://raw.githubusercontent.com/getsentry/sentry-api-schema/main/openapi-derefed.json",
+    auth: { type: "bearer", token: "${SENTRY_AUTH_TOKEN}" },
+    tags: ["developer-tools", "monitoring"]
+  },
+  {
+    domain: "api.pagerduty.com",
+    specUrl: "https://raw.githubusercontent.com/PagerDuty/api-schema/main/reference/REST/openapiv3.json",
+    auth: { type: "bearer", token: "${PAGERDUTY_TOKEN}" },
+    tags: ["developer-tools", "incident-management"]
+  }
+];
+var AI_APIS = [
+  {
+    domain: "api.mistral.ai",
+    specUrl: "https://raw.githubusercontent.com/mistralai/platform-docs-public/main/openapi.yaml",
+    auth: { type: "bearer", token: "${MISTRAL_API_KEY}" },
+    tags: ["ai", "llm"],
+    disabled: true
+    // upstream YAML spec has unescaped quotes in example data
+  },
+  {
+    domain: "api.openai.com",
+    specUrl: "https://raw.githubusercontent.com/openai/openai-openapi/manual_spec/openapi.yaml",
+    auth: { type: "bearer", token: "${OPENAI_API_KEY}" },
+    tags: ["ai", "llm"]
+  },
+  {
+    domain: "openrouter.ai",
+    specUrl: "https://openrouter.ai/openapi.json",
+    auth: { type: "bearer", token: "${OPENROUTER_API_KEY}" },
+    tags: ["ai", "llm", "gateway"]
+  }
+];
+var CLOUD_APIS = [
+  {
+    domain: "api.cloudflare.com",
+    specUrl: "https://raw.githubusercontent.com/cloudflare/api-schemas/main/openapi.yaml",
+    auth: { type: "bearer", token: "${CLOUDFLARE_API_TOKEN}" },
+    tags: ["cloud", "cdn", "dns"]
+  },
+  {
+    domain: "api.digitalocean.com",
+    specUrl: "https://raw.githubusercontent.com/digitalocean/openapi/main/specification/DigitalOcean-public.v2.yaml",
+    auth: { type: "bearer", token: "${DIGITALOCEAN_TOKEN}" },
+    tags: ["cloud", "infrastructure"]
+  },
+  {
+    domain: "fly.io",
+    specUrl: "https://docs.machines.dev/spec/openapi3.json",
+    auth: { type: "bearer", token: "${FLY_API_TOKEN}" },
+    tags: ["cloud", "deployment"]
+  },
+  {
+    domain: "api.render.com",
+    specUrl: "https://api-docs.render.com/v1.0/openapi/render-public-api-1.json",
+    auth: { type: "bearer", token: "${RENDER_API_KEY}" },
+    tags: ["cloud", "deployment"]
+  }
+];
+var PRODUCTIVITY_APIS = [
+  {
+    domain: "api.notion.com",
+    specUrl: "https://raw.githubusercontent.com/makenotion/notion-mcp-server/main/scripts/notion-openapi.json",
+    auth: { type: "bearer", token: "${NOTION_API_KEY}" },
+    tags: ["productivity", "database"]
+  },
+  {
+    domain: "app.asana.com",
+    specUrl: "https://raw.githubusercontent.com/Asana/openapi/master/defs/asana_oas.yaml",
+    auth: { type: "bearer", token: "${ASANA_ACCESS_TOKEN}" },
+    tags: ["productivity", "project-management"]
+  },
+  {
+    domain: "jira.atlassian.com",
+    specUrl: "https://developer.atlassian.com/cloud/jira/platform/swagger-v3.v3.json",
+    auth: { type: "bearer", token: "${ATLASSIAN_API_TOKEN}" },
+    tags: ["productivity", "project-management"]
+  },
+  {
+    domain: "api.spotify.com",
+    specUrl: "https://raw.githubusercontent.com/sonallux/spotify-web-api/main/fixed-spotify-open-api.yml",
+    auth: { type: "bearer", token: "${SPOTIFY_ACCESS_TOKEN}" },
+    tags: ["media", "music"]
+  },
+  {
+    domain: "api.getpostman.com",
+    specUrl: "https://api.apis.guru/v2/specs/getpostman.com/1.20.0/openapi.json",
+    auth: { type: "api-key", header: "X-Api-Key", key: "${POSTMAN_API_KEY}" },
+    tags: ["developer-tools", "api-testing"]
+  }
+];
+var DEVOPS_APIS = [
+  {
+    domain: "circleci.com",
+    specUrl: "https://circleci.com/api/v2/openapi.json",
+    auth: { type: "bearer", token: "${CIRCLECI_TOKEN}" },
+    tags: ["devops", "ci-cd"]
+  },
+  {
+    domain: "api.datadoghq.com",
+    specUrl: "https://raw.githubusercontent.com/DataDog/datadog-api-client-python/master/.generator/schemas/v2/openapi.yaml",
+    auth: { type: "api-key", header: "DD-API-KEY", key: "${DATADOG_API_KEY}" },
+    tags: ["devops", "monitoring"]
+  }
+];
+var DATABASE_APIS = [
+  {
+    domain: "api.supabase.com",
+    specUrl: "https://raw.githubusercontent.com/supabase/supabase/master/apps/docs/spec/api_v1_openapi.json",
+    auth: { type: "bearer", token: "${SUPABASE_ACCESS_TOKEN}" },
+    tags: ["database", "baas"]
+  },
+  {
+    domain: "api.turso.tech",
+    specUrl: "https://raw.githubusercontent.com/tursodatabase/turso-docs/main/api-reference/openapi.json",
+    auth: { type: "bearer", token: "${TURSO_API_TOKEN}" },
+    tags: ["database", "edge"]
+  },
+  {
+    domain: "console.neon.tech",
+    specUrl: "https://raw.githubusercontent.com/neondatabase/neon-api-python/main/v2.json",
+    auth: { type: "bearer", token: "${NEON_API_KEY}" },
+    tags: ["database", "serverless-postgres"]
+  }
+];
+var COMMERCE_APIS = [
+  {
+    domain: "api.stripe.com",
+    specUrl: "https://raw.githubusercontent.com/stripe/openapi/master/openapi/spec3.json",
+    auth: { type: "bearer", token: "${STRIPE_SECRET_KEY}" },
+    tags: ["commerce", "payments"]
+  }
+];
+var COMMUNICATION_APIS = [
+  {
+    domain: "slack.com",
+    specUrl: "https://raw.githubusercontent.com/slackapi/slack-api-specs/master/web-api/slack_web_openapi_v2.json",
+    auth: { type: "bearer", token: "${SLACK_BOT_TOKEN}" },
+    tags: ["communication", "messaging"]
+  },
+  {
+    domain: "discord.com",
+    specUrl: "https://raw.githubusercontent.com/discord/discord-api-spec/main/specs/openapi.json",
+    auth: { type: "bearer", token: "${DISCORD_BOT_TOKEN}", prefix: "Bot" },
+    tags: ["communication", "messaging"]
+  },
+  {
+    domain: "api.twilio.com",
+    specUrl: "https://raw.githubusercontent.com/twilio/twilio-oai/main/spec/json/twilio_api_v2010.json",
+    auth: { type: "basic", token: "${TWILIO_ACCOUNT_SID}:${TWILIO_AUTH_TOKEN}" },
+    tags: ["communication", "sms", "voice"]
+  },
+  {
+    domain: "api.resend.com",
+    specUrl: "https://raw.githubusercontent.com/resendlabs/resend-openapi/main/resend.yaml",
+    auth: { type: "bearer", token: "${RESEND_API_KEY}" },
+    tags: ["communication", "email"]
+  }
+];
+var EVM_METHODS = [
+  { rpcMethod: "eth_blockNumber", description: "Returns the latest block number", resource: "blocks", fsOp: "list" },
+  { rpcMethod: "eth_getBlockByNumber", description: "Returns block by number", resource: "blocks", fsOp: "read" },
+  { rpcMethod: "eth_getBalance", description: "Returns account balance in wei", resource: "balances", fsOp: "read" },
+  { rpcMethod: "eth_getTransactionByHash", description: "Returns transaction by hash", resource: "transactions", fsOp: "read" },
+  { rpcMethod: "eth_getTransactionReceipt", description: "Returns transaction receipt", resource: "receipts", fsOp: "read" },
+  { rpcMethod: "eth_call", description: "Executes a call without creating a transaction", resource: "calls", fsOp: "read" },
+  { rpcMethod: "eth_estimateGas", description: "Estimates gas needed for a transaction", resource: "gas", fsOp: "read" },
+  { rpcMethod: "eth_gasPrice", description: "Returns current gas price in wei" },
+  { rpcMethod: "eth_chainId", description: "Returns the chain ID" },
+  { rpcMethod: "eth_getCode", description: "Returns contract bytecode at address", resource: "code", fsOp: "read" },
+  { rpcMethod: "eth_getLogs", description: "Returns logs matching a filter", resource: "logs", fsOp: "list" },
+  { rpcMethod: "eth_getTransactionCount", description: "Returns the number of transactions sent from an address", resource: "nonces", fsOp: "read" },
+  { rpcMethod: "net_version", description: "Returns the network ID" }
+];
+var RPC_APIS = [
+  // ── Free / Public RPC Providers ──────────────────────────────────
+  {
+    domain: "rpc.ankr.com",
+    rpcDef: { url: "https://rpc.ankr.com/eth", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum", "free"]
+  },
+  {
+    domain: "cloudflare-eth.com",
+    rpcDef: { url: "https://cloudflare-eth.com", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum", "free"]
+  },
+  {
+    domain: "ethereum-rpc.publicnode.com",
+    rpcDef: { url: "https://ethereum-rpc.publicnode.com", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum", "free"]
+  },
+  // ── Auth-Required RPC Providers ──────────────────────────────────
+  {
+    domain: "eth-mainnet.g.alchemy.com",
+    rpcDef: { url: "https://eth-mainnet.g.alchemy.com/v2/${ALCHEMY_API_KEY}", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum"]
+  },
+  {
+    domain: "mainnet.infura.io",
+    rpcDef: { url: "https://mainnet.infura.io/v3/${INFURA_API_KEY}", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum"]
+  },
+  // ── L2 / Alt Chains (Free) ───────────────────────────────────────
+  {
+    domain: "arb1.arbitrum.io",
+    rpcDef: { url: "https://arb1.arbitrum.io/rpc", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "arbitrum", "l2", "free"]
+  },
+  {
+    domain: "mainnet.optimism.io",
+    rpcDef: { url: "https://mainnet.optimism.io", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "optimism", "l2", "free"]
+  },
+  {
+    domain: "mainnet.base.org",
+    rpcDef: { url: "https://mainnet.base.org", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "base", "l2", "free"]
+  },
+  {
+    domain: "polygon-rpc.com",
+    rpcDef: { url: "https://polygon-rpc.com", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "polygon", "free"]
+  }
+];
+var ALL_APIS = [
+  ...FREE_APIS,
+  ...FREEMIUM_APIS,
+  ...DEVELOPER_TOOL_APIS,
+  ...AI_APIS,
+  ...CLOUD_APIS,
+  ...PRODUCTIVITY_APIS,
+  ...DEVOPS_APIS,
+  ...DATABASE_APIS,
+  ...COMMERCE_APIS,
+  ...COMMUNICATION_APIS,
+  ...RPC_APIS
+];
+
+// src/d1/sqlite-adapter.ts
+var BoundStatement = class {
+  constructor(db, sql) {
+    this.db = db;
+    this.sql = sql;
+  }
+  params = [];
+  bind(...values) {
+    this.params = values;
+    return this;
+  }
+  async first() {
+    const stmt = this.db.prepare(this.sql);
+    const row = stmt.get(...this.params);
+    return row ?? null;
+  }
+  async all() {
+    const stmt = this.db.prepare(this.sql);
+    const rows = stmt.all(...this.params);
+    return { results: rows, success: true };
+  }
+  async run() {
+    const stmt = this.db.prepare(this.sql);
+    const info = stmt.run(...this.params);
+    return {
+      success: true,
+      changes: info.changes,
+      lastRowId: Number(info.lastInsertRowid)
+    };
+  }
+};
+function createSqliteD1(db) {
+  return {
+    prepare(sql) {
+      return new BoundStatement(db, sql);
+    },
+    async exec(sql) {
+      db.exec(sql);
+    }
+  };
+}
+
+// src/federation/d1-peer-store.ts
+function rowToPeer(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    url: row.url,
+    sharedSecret: row.shared_secret,
+    status: row.status,
+    advertisedDomains: JSON.parse(row.advertised_domains),
+    lastSeen: row.last_seen,
+    createdAt: row.created_at
+  };
+}
+function rowToRule(row) {
+  return {
+    domain: row.domain,
+    allow: row.allow === 1,
+    peers: JSON.parse(row.peers),
+    pricing: JSON.parse(row.pricing),
+    ...row.rate_limit ? { rateLimit: JSON.parse(row.rate_limit) } : {},
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+var D1PeerStore = class {
+  constructor(db) {
+    this.db = db;
+  }
+  async initSchema() {
+    await this.db.exec(`
+CREATE TABLE IF NOT EXISTS peers (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  url TEXT NOT NULL,
+  shared_secret TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'active',
+  advertised_domains TEXT NOT NULL DEFAULT '[]',
+  last_seen INTEGER NOT NULL,
+  created_at INTEGER NOT NULL
+)`);
+    await this.db.exec(`
+CREATE TABLE IF NOT EXISTS lending_rules (
+  domain TEXT PRIMARY KEY,
+  allow INTEGER NOT NULL DEFAULT 1,
+  peers TEXT NOT NULL DEFAULT '"*"',
+  pricing TEXT NOT NULL DEFAULT '{"mode":"free"}',
+  rate_limit TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+)`);
+  }
+  async getPeer(id) {
+    const row = await this.db.prepare("SELECT * FROM peers WHERE id = ?").bind(id).first();
+    return row ? rowToPeer(row) : null;
+  }
+  async putPeer(peer) {
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO peers (id, name, url, shared_secret, status, advertised_domains, last_seen, created_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    ).bind(
+      peer.id,
+      peer.name,
+      peer.url,
+      peer.sharedSecret,
+      peer.status,
+      JSON.stringify(peer.advertisedDomains),
+      peer.lastSeen,
+      peer.createdAt
+    ).run();
+  }
+  async deletePeer(id) {
+    await this.db.prepare("DELETE FROM peers WHERE id = ?").bind(id).run();
+  }
+  async listPeers() {
+    const { results } = await this.db.prepare("SELECT * FROM peers WHERE status = 'active'").all();
+    return results.map(rowToPeer);
+  }
+  async updateLastSeen(id, timestamp) {
+    await this.db.prepare("UPDATE peers SET last_seen = ? WHERE id = ?").bind(timestamp, id).run();
+  }
+  async getRule(domain) {
+    const row = await this.db.prepare("SELECT * FROM lending_rules WHERE domain = ?").bind(domain).first();
+    return row ? rowToRule(row) : null;
+  }
+  async putRule(rule) {
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO lending_rules (domain, allow, peers, pricing, rate_limit, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?)`
+    ).bind(
+      rule.domain,
+      rule.allow ? 1 : 0,
+      JSON.stringify(rule.peers),
+      JSON.stringify(rule.pricing),
+      rule.rateLimit ? JSON.stringify(rule.rateLimit) : null,
+      rule.createdAt,
+      rule.updatedAt
+    ).run();
+  }
+  async deleteRule(domain) {
+    await this.db.prepare("DELETE FROM lending_rules WHERE domain = ?").bind(domain).run();
+  }
+  async listRules() {
+    const { results } = await this.db.prepare("SELECT * FROM lending_rules").all();
+    return results.map(rowToRule);
+  }
+};
+
+// src/tunnel/memory-store.ts
+var MemoryTunnelStore = class {
+  records = /* @__PURE__ */ new Map();
+  async get(id) {
+    return this.records.get(id) ?? null;
+  }
+  async getByAgent(agentId) {
+    for (const record of this.records.values()) {
+      if (record.agentId === agentId && record.status === "active") {
+        return record;
+      }
+    }
+    return null;
+  }
+  async put(record) {
+    this.records.set(record.id, record);
+  }
+  async delete(id) {
+    this.records.delete(id);
+  }
+  async list() {
+    return Array.from(this.records.values());
+  }
+};
+
+// src/tunnel/cloudflare-provider.ts
+var CF_API = "https://api.cloudflare.com/client/v4";
+var CloudflareTunnelProvider = class {
+  constructor(accountId, apiToken, tunnelDomain, zoneId) {
+    this.accountId = accountId;
+    this.apiToken = apiToken;
+    this.tunnelDomain = tunnelDomain;
+    this.zoneId = zoneId;
+  }
+  async create(name, hostname) {
+    const secretBytes = new Uint8Array(32);
+    crypto.getRandomValues(secretBytes);
+    const tunnelSecret = btoa(String.fromCharCode(...secretBytes));
+    const tunnelRes = await this.cfFetch(
+      `/accounts/${this.accountId}/cfd_tunnel`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          name,
+          tunnel_secret: tunnelSecret
+        })
+      }
+    );
+    const tunnelId = tunnelRes.id;
+    try {
+      await this.cfFetch(`/zones/${this.zoneId}/dns_records`, {
+        method: "POST",
+        body: JSON.stringify({
+          type: "CNAME",
+          name: hostname,
+          content: `${tunnelId}.cfargotunnel.com`,
+          proxied: true
+        })
+      });
+      await this.cfFetch(
+        `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}/configurations`,
+        {
+          method: "PUT",
+          body: JSON.stringify({
+            config: {
+              ingress: [
+                { hostname, service: "http://localhost:9090" },
+                { service: "http_status:404" }
+              ]
+            }
+          })
+        }
+      );
+      const tokenRes = await this.cfFetch(
+        `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}/token`
+      );
+      return { tunnelId, tunnelToken: tokenRes };
+    } catch (err) {
+      await this.cfFetch(
+        `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}?cascade=true`,
+        { method: "DELETE" }
+      ).catch(() => {
+      });
+      throw err;
+    }
+  }
+  async delete(tunnelId) {
+    const dnsRecords = await this.cfFetch(
+      `/zones/${this.zoneId}/dns_records?type=CNAME&content=${tunnelId}.cfargotunnel.com`
+    );
+    for (const record of dnsRecords) {
+      await this.cfFetch(`/zones/${this.zoneId}/dns_records/${record.id}`, {
+        method: "DELETE"
+      });
+    }
+    await this.cfFetch(
+      `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}?cascade=true`,
+      { method: "DELETE" }
+    );
+  }
+  async cfFetch(path, init) {
+    const res = await fetch(`${CF_API}${path}`, {
+      ...init,
+      headers: {
+        Authorization: `Bearer ${this.apiToken}`,
+        "Content-Type": "application/json",
+        ...init?.headers
+      }
+    });
+    const data = await res.json();
+    if (!data.success) {
+      const msg = data.errors.map((e) => e.message).join(", ");
+      throw new Error(`Cloudflare API error: ${msg}`);
+    }
+    return data.result;
+  }
+};
+
+// src/index.ts
+var VERSION = "0.1.0";
+export {
+  CloudflareTunnelProvider,
+  Context7Backend,
+  Context7Client,
+  D1CredentialVault,
+  D1MeterStore,
+  D1PeerStore,
+  D1RegistryStore,
+  MemoryCredentialVault,
+  MemoryMeterStore,
+  MemoryRegistryStore,
+  MemoryTunnelStore,
+  OnboardPipeline,
+  VERSION,
+  VirtualFileBackend,
+  checkAccess,
+  createRegistryResolver,
+  createSqliteD1,
+  credentialRoutes,
+  discoverFromApisGuru,
+  extractDomainPath,
+  lookupPricing,
+  meter,
+  parsePricingAnnotation,
+  parseSkillMd,
+  queryDnsTxt,
+  skillToHttpConfig,
+  tunnelRoutes
+};