@nkmc/gateway 0.1.0

package/dist/proxy-ClPcDgsO.d.cts

@@ -0,0 +1,283 @@
+import { HttpAuth } from '@nkmc/agent-fs';
+import * as hono_types from 'hono/types';
+import { Hono } from 'hono';
+import { JWK } from 'jose';
+import { D as D1Database } from './types-C6JC9oTm.cjs';
+
+type ServiceStatus = "active" | "deprecated" | "sunset";
+interface EndpointPricing {
+    cost: number;
+    currency: string;
+    per: "call" | "byte" | "minute";
+}
+interface EndpointAnnotations {
+    rateLimit?: number;
+    cacheTtl?: number;
+    tags?: string[];
+}
+interface EndpointParam {
+    name: string;
+    in: "path" | "query" | "header";
+    required: boolean;
+    type: string;
+    description?: string;
+}
+interface SchemaProperty {
+    name: string;
+    type: string;
+    required: boolean;
+    description?: string;
+}
+interface EndpointRecord {
+    method: string;
+    path: string;
+    description: string;
+    price?: string;
+    pricing?: EndpointPricing;
+    annotations?: EndpointAnnotations;
+    parameters?: EndpointParam[];
+    requestBody?: {
+        contentType: string;
+        required: boolean;
+        properties: SchemaProperty[];
+    };
+    responses?: {
+        status: number;
+        description: string;
+        properties?: SchemaProperty[];
+    }[];
+}
+/** @deprecated Use EndpointRecord instead */
+type EndpointSummary = EndpointRecord;
+interface RpcSourceMeta {
+    rpcUrl: string;
+    convention: "crud" | "evm" | "raw";
+    resources: Array<{
+        name: string;
+        idField?: string;
+        methods: Record<string, string>;
+    }>;
+}
+interface SourceConfig {
+    type: "skillmd" | "openapi" | "wellknown" | "jsonrpc";
+    url?: string;
+    basePath?: string;
+    refreshInterval?: number;
+    lastRefresh?: number;
+    rpc?: RpcSourceMeta;
+}
+interface ServiceRecord {
+    domain: string;
+    name: string;
+    description: string;
+    version: string;
+    roles: string[];
+    skillMd: string;
+    endpoints: EndpointRecord[];
+    isFirstParty: boolean;
+    createdAt: number;
+    updatedAt: number;
+    status: ServiceStatus;
+    isDefault: boolean;
+    sunsetDate?: number;
+    source?: SourceConfig;
+    authMode?: "nkmc-jwt";
+}
+interface ServiceSummary {
+    domain: string;
+    name: string;
+    description: string;
+    isFirstParty: boolean;
+}
+interface SearchResult {
+    domain: string;
+    name: string;
+    description: string;
+    isFirstParty: boolean;
+    matchedEndpoints: Pick<EndpointRecord, "method" | "path" | "description">[];
+}
+interface VersionSummary {
+    version: string;
+    status: ServiceStatus;
+    isDefault: boolean;
+    createdAt: number;
+    updatedAt: number;
+}
+interface RegistryStats {
+    serviceCount: number;
+    endpointCount: number;
+}
+interface RegistryStore {
+    get(domain: string): Promise<ServiceRecord | null>;
+    getVersion(domain: string, version: string): Promise<ServiceRecord | null>;
+    listVersions(domain: string): Promise<VersionSummary[]>;
+    put(domain: string, record: ServiceRecord): Promise<void>;
+    delete(domain: string): Promise<void>;
+    list(): Promise<ServiceSummary[]>;
+    search(query: string): Promise<SearchResult[]>;
+    stats?(): Promise<RegistryStats>;
+}
+
+interface StoredCredential {
+    domain: string;
+    auth: HttpAuth;
+    scope: "pool" | "byok";
+    developerId?: string;
+}
+interface CredentialVault {
+    get(domain: string, developerId?: string): Promise<StoredCredential | null>;
+    putPool(domain: string, auth: HttpAuth): Promise<void>;
+    putByok(domain: string, developerId: string, auth: HttpAuth): Promise<void>;
+    delete(domain: string, developerId?: string): Promise<void>;
+    listDomains(): Promise<string[]>;
+}
+
+/** Field names that can be extracted from an HttpAuth credential. */
+type AuthField = "token" | "key" | "username" | "password";
+/**
+ * Defines how a CLI tool maps to a credential domain and which
+ * environment variables should be injected at runtime.
+ */
+interface ToolDefinition {
+    /** CLI tool name, e.g. "gh", "stripe" */
+    name: string;
+    /** Domain used to look up credentials in the vault */
+    credentialDomain: string;
+    /** Maps env var name → field to extract from HttpAuth */
+    envMapping: Record<string, AuthField>;
+}
+/**
+ * Registry of CLI tools that can be proxied through the gateway.
+ * Each tool declares the credential domain it needs and how to
+ * translate stored credentials into environment variables.
+ */
+declare class ToolRegistry {
+    private tools;
+    /** Register a tool definition. Overwrites any existing entry with the same name. */
+    register(tool: ToolDefinition): void;
+    /** Look up a tool by name. Returns null if not found. */
+    get(name: string): ToolDefinition | null;
+    /** Return all registered tool definitions. */
+    list(): ToolDefinition[];
+    /**
+     * Build a record of environment variables for the given tool by
+     * extracting the requested fields from the HttpAuth credential.
+     *
+     * If the auth type does not contain the requested field (e.g.
+     * requesting "token" from a basic-auth credential), that env var
+     * is silently omitted.
+     */
+    buildEnv(tool: ToolDefinition, auth: HttpAuth): Record<string, string>;
+}
+/** Create a ToolRegistry pre-populated with common CLI tools. */
+declare function createDefaultToolRegistry(): ToolRegistry;
+
+interface ExecResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+interface ProxyRouteOptions {
+    vault: CredentialVault;
+    toolRegistry: ToolRegistry;
+    exec: (tool: string, args: string[], env: Record<string, string>) => Promise<ExecResult>;
+}
+declare function proxyRoutes(options: ProxyRouteOptions): Hono<Env, hono_types.BlankSchema, "/">;
+
+interface PeerGateway {
+    id: string;
+    name: string;
+    url: string;
+    sharedSecret: string;
+    status: "active" | "inactive";
+    advertisedDomains: string[];
+    lastSeen: number;
+    createdAt: number;
+}
+interface LendingRule {
+    domain: string;
+    allow: boolean;
+    peers: string[] | "*";
+    pricing: {
+        mode: "free" | "per-request" | "per-token";
+        amount?: number;
+    };
+    rateLimit?: {
+        requests: number;
+        window: "minute" | "hour" | "day";
+    };
+    createdAt: number;
+    updatedAt: number;
+}
+interface PeerStore {
+    getPeer(id: string): Promise<PeerGateway | null>;
+    putPeer(peer: PeerGateway): Promise<void>;
+    deletePeer(id: string): Promise<void>;
+    listPeers(): Promise<PeerGateway[]>;
+    updateLastSeen(id: string, timestamp: number): Promise<void>;
+    getRule(domain: string): Promise<LendingRule | null>;
+    putRule(rule: LendingRule): Promise<void>;
+    deleteRule(domain: string): Promise<void>;
+    listRules(): Promise<LendingRule[]>;
+}
+
+interface TunnelRecord {
+    id: string;
+    agentId: string;
+    tunnelId: string;
+    publicUrl: string;
+    status: "active" | "deleted";
+    createdAt: number;
+    /** Domains this gateway has credentials for (for discovery) */
+    advertisedDomains: string[];
+    /** Display name for the gateway */
+    gatewayName?: string;
+    /** Last heartbeat timestamp (ms since epoch) */
+    lastSeen: number;
+}
+interface TunnelStore {
+    get(id: string): Promise<TunnelRecord | null>;
+    getByAgent(agentId: string): Promise<TunnelRecord | null>;
+    put(record: TunnelRecord): Promise<void>;
+    delete(id: string): Promise<void>;
+    list(): Promise<TunnelRecord[]>;
+}
+/** Interface for Cloudflare Tunnel API operations */
+interface TunnelProvider {
+    create(name: string, hostname: string): Promise<{
+        tunnelId: string;
+        tunnelToken: string;
+    }>;
+    delete(tunnelId: string): Promise<void>;
+}
+
+type Env = {
+    Variables: {
+        agent: {
+            id: string;
+            roles: string[];
+        };
+    };
+};
+interface GatewayOptions {
+    store: RegistryStore;
+    gatewayPrivateKey: JWK;
+    gatewayPublicKey: JWK;
+    adminToken: string;
+    db?: D1Database;
+    vault?: CredentialVault;
+    context7ApiKey?: string;
+    peerStore?: PeerStore;
+    proxy?: {
+        toolRegistry: ToolRegistry;
+        exec: (tool: string, args: string[], env: Record<string, string>) => Promise<ExecResult>;
+    };
+    tunnel?: {
+        store: TunnelStore;
+        provider: TunnelProvider;
+        domain: string;
+    };
+}
+declare function createGateway(options: GatewayOptions): Hono<Env>;
+
+export { type AuthField as A, type CredentialVault as C, type Env as E, type GatewayOptions as G, type LendingRule as L, type PeerGateway as P, type RegistryStore as R, type ServiceRecord as S, type TunnelStore as T, type VersionSummary as V, type TunnelProvider as a, type ServiceSummary as b, createGateway as c, type SearchResult as d, type RegistryStats as e, type EndpointPricing as f, type EndpointRecord as g, type StoredCredential as h, type PeerStore as i, type TunnelRecord as j, type EndpointAnnotations as k, type EndpointSummary as l, type ServiceStatus as m, type SourceConfig as n, type ExecResult as o, type ProxyRouteOptions as p, type ToolDefinition as q, ToolRegistry as r, createDefaultToolRegistry as s, proxyRoutes as t };

package/dist/proxy-qpda1ANS.d.ts

@@ -0,0 +1,283 @@
+import { HttpAuth } from '@nkmc/agent-fs';
+import * as hono_types from 'hono/types';
+import { Hono } from 'hono';
+import { JWK } from 'jose';
+import { D as D1Database } from './types-C6JC9oTm.js';
+
+type ServiceStatus = "active" | "deprecated" | "sunset";
+interface EndpointPricing {
+    cost: number;
+    currency: string;
+    per: "call" | "byte" | "minute";
+}
+interface EndpointAnnotations {
+    rateLimit?: number;
+    cacheTtl?: number;
+    tags?: string[];
+}
+interface EndpointParam {
+    name: string;
+    in: "path" | "query" | "header";
+    required: boolean;
+    type: string;
+    description?: string;
+}
+interface SchemaProperty {
+    name: string;
+    type: string;
+    required: boolean;
+    description?: string;
+}
+interface EndpointRecord {
+    method: string;
+    path: string;
+    description: string;
+    price?: string;
+    pricing?: EndpointPricing;
+    annotations?: EndpointAnnotations;
+    parameters?: EndpointParam[];
+    requestBody?: {
+        contentType: string;
+        required: boolean;
+        properties: SchemaProperty[];
+    };
+    responses?: {
+        status: number;
+        description: string;
+        properties?: SchemaProperty[];
+    }[];
+}
+/** @deprecated Use EndpointRecord instead */
+type EndpointSummary = EndpointRecord;
+interface RpcSourceMeta {
+    rpcUrl: string;
+    convention: "crud" | "evm" | "raw";
+    resources: Array<{
+        name: string;
+        idField?: string;
+        methods: Record<string, string>;
+    }>;
+}
+interface SourceConfig {
+    type: "skillmd" | "openapi" | "wellknown" | "jsonrpc";
+    url?: string;
+    basePath?: string;
+    refreshInterval?: number;
+    lastRefresh?: number;
+    rpc?: RpcSourceMeta;
+}
+interface ServiceRecord {
+    domain: string;
+    name: string;
+    description: string;
+    version: string;
+    roles: string[];
+    skillMd: string;
+    endpoints: EndpointRecord[];
+    isFirstParty: boolean;
+    createdAt: number;
+    updatedAt: number;
+    status: ServiceStatus;
+    isDefault: boolean;
+    sunsetDate?: number;
+    source?: SourceConfig;
+    authMode?: "nkmc-jwt";
+}
+interface ServiceSummary {
+    domain: string;
+    name: string;
+    description: string;
+    isFirstParty: boolean;
+}
+interface SearchResult {
+    domain: string;
+    name: string;
+    description: string;
+    isFirstParty: boolean;
+    matchedEndpoints: Pick<EndpointRecord, "method" | "path" | "description">[];
+}
+interface VersionSummary {
+    version: string;
+    status: ServiceStatus;
+    isDefault: boolean;
+    createdAt: number;
+    updatedAt: number;
+}
+interface RegistryStats {
+    serviceCount: number;
+    endpointCount: number;
+}
+interface RegistryStore {
+    get(domain: string): Promise<ServiceRecord | null>;
+    getVersion(domain: string, version: string): Promise<ServiceRecord | null>;
+    listVersions(domain: string): Promise<VersionSummary[]>;
+    put(domain: string, record: ServiceRecord): Promise<void>;
+    delete(domain: string): Promise<void>;
+    list(): Promise<ServiceSummary[]>;
+    search(query: string): Promise<SearchResult[]>;
+    stats?(): Promise<RegistryStats>;
+}
+
+interface StoredCredential {
+    domain: string;
+    auth: HttpAuth;
+    scope: "pool" | "byok";
+    developerId?: string;
+}
+interface CredentialVault {
+    get(domain: string, developerId?: string): Promise<StoredCredential | null>;
+    putPool(domain: string, auth: HttpAuth): Promise<void>;
+    putByok(domain: string, developerId: string, auth: HttpAuth): Promise<void>;
+    delete(domain: string, developerId?: string): Promise<void>;
+    listDomains(): Promise<string[]>;
+}
+
+/** Field names that can be extracted from an HttpAuth credential. */
+type AuthField = "token" | "key" | "username" | "password";
+/**
+ * Defines how a CLI tool maps to a credential domain and which
+ * environment variables should be injected at runtime.
+ */
+interface ToolDefinition {
+    /** CLI tool name, e.g. "gh", "stripe" */
+    name: string;
+    /** Domain used to look up credentials in the vault */
+    credentialDomain: string;
+    /** Maps env var name → field to extract from HttpAuth */
+    envMapping: Record<string, AuthField>;
+}
+/**
+ * Registry of CLI tools that can be proxied through the gateway.
+ * Each tool declares the credential domain it needs and how to
+ * translate stored credentials into environment variables.
+ */
+declare class ToolRegistry {
+    private tools;
+    /** Register a tool definition. Overwrites any existing entry with the same name. */
+    register(tool: ToolDefinition): void;
+    /** Look up a tool by name. Returns null if not found. */
+    get(name: string): ToolDefinition | null;
+    /** Return all registered tool definitions. */
+    list(): ToolDefinition[];
+    /**
+     * Build a record of environment variables for the given tool by
+     * extracting the requested fields from the HttpAuth credential.
+     *
+     * If the auth type does not contain the requested field (e.g.
+     * requesting "token" from a basic-auth credential), that env var
+     * is silently omitted.
+     */
+    buildEnv(tool: ToolDefinition, auth: HttpAuth): Record<string, string>;
+}
+/** Create a ToolRegistry pre-populated with common CLI tools. */
+declare function createDefaultToolRegistry(): ToolRegistry;
+
+interface ExecResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+interface ProxyRouteOptions {
+    vault: CredentialVault;
+    toolRegistry: ToolRegistry;
+    exec: (tool: string, args: string[], env: Record<string, string>) => Promise<ExecResult>;
+}
+declare function proxyRoutes(options: ProxyRouteOptions): Hono<Env, hono_types.BlankSchema, "/">;
+
+interface PeerGateway {
+    id: string;
+    name: string;
+    url: string;
+    sharedSecret: string;
+    status: "active" | "inactive";
+    advertisedDomains: string[];
+    lastSeen: number;
+    createdAt: number;
+}
+interface LendingRule {
+    domain: string;
+    allow: boolean;
+    peers: string[] | "*";
+    pricing: {
+        mode: "free" | "per-request" | "per-token";
+        amount?: number;
+    };
+    rateLimit?: {
+        requests: number;
+        window: "minute" | "hour" | "day";
+    };
+    createdAt: number;
+    updatedAt: number;
+}
+interface PeerStore {
+    getPeer(id: string): Promise<PeerGateway | null>;
+    putPeer(peer: PeerGateway): Promise<void>;
+    deletePeer(id: string): Promise<void>;
+    listPeers(): Promise<PeerGateway[]>;
+    updateLastSeen(id: string, timestamp: number): Promise<void>;
+    getRule(domain: string): Promise<LendingRule | null>;
+    putRule(rule: LendingRule): Promise<void>;
+    deleteRule(domain: string): Promise<void>;
+    listRules(): Promise<LendingRule[]>;
+}
+
+interface TunnelRecord {
+    id: string;
+    agentId: string;
+    tunnelId: string;
+    publicUrl: string;
+    status: "active" | "deleted";
+    createdAt: number;
+    /** Domains this gateway has credentials for (for discovery) */
+    advertisedDomains: string[];
+    /** Display name for the gateway */
+    gatewayName?: string;
+    /** Last heartbeat timestamp (ms since epoch) */
+    lastSeen: number;
+}
+interface TunnelStore {
+    get(id: string): Promise<TunnelRecord | null>;
+    getByAgent(agentId: string): Promise<TunnelRecord | null>;
+    put(record: TunnelRecord): Promise<void>;
+    delete(id: string): Promise<void>;
+    list(): Promise<TunnelRecord[]>;
+}
+/** Interface for Cloudflare Tunnel API operations */
+interface TunnelProvider {
+    create(name: string, hostname: string): Promise<{
+        tunnelId: string;
+        tunnelToken: string;
+    }>;
+    delete(tunnelId: string): Promise<void>;
+}
+
+type Env = {
+    Variables: {
+        agent: {
+            id: string;
+            roles: string[];
+        };
+    };
+};
+interface GatewayOptions {
+    store: RegistryStore;
+    gatewayPrivateKey: JWK;
+    gatewayPublicKey: JWK;
+    adminToken: string;
+    db?: D1Database;
+    vault?: CredentialVault;
+    context7ApiKey?: string;
+    peerStore?: PeerStore;
+    proxy?: {
+        toolRegistry: ToolRegistry;
+        exec: (tool: string, args: string[], env: Record<string, string>) => Promise<ExecResult>;
+    };
+    tunnel?: {
+        store: TunnelStore;
+        provider: TunnelProvider;
+        domain: string;
+    };
+}
+declare function createGateway(options: GatewayOptions): Hono<Env>;
+
+export { type AuthField as A, type CredentialVault as C, type Env as E, type GatewayOptions as G, type LendingRule as L, type PeerGateway as P, type RegistryStore as R, type ServiceRecord as S, type TunnelStore as T, type VersionSummary as V, type TunnelProvider as a, type ServiceSummary as b, createGateway as c, type SearchResult as d, type RegistryStats as e, type EndpointPricing as f, type EndpointRecord as g, type StoredCredential as h, type PeerStore as i, type TunnelRecord as j, type EndpointAnnotations as k, type EndpointSummary as l, type ServiceStatus as m, type SourceConfig as n, type ExecResult as o, type ProxyRouteOptions as p, type ToolDefinition as q, ToolRegistry as r, createDefaultToolRegistry as s, proxyRoutes as t };

package/dist/proxy.cjs

@@ -0,0 +1,148 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/proxy.ts
+var proxy_exports = {};
+__export(proxy_exports, {
+  ToolRegistry: () => ToolRegistry,
+  createDefaultToolRegistry: () => createDefaultToolRegistry,
+  proxyRoutes: () => proxyRoutes
+});
+module.exports = __toCommonJS(proxy_exports);
+
+// src/proxy/tool-registry.ts
+var ToolRegistry = class {
+  tools = /* @__PURE__ */ new Map();
+  /** Register a tool definition. Overwrites any existing entry with the same name. */
+  register(tool) {
+    this.tools.set(tool.name, tool);
+  }
+  /** Look up a tool by name. Returns null if not found. */
+  get(name) {
+    return this.tools.get(name) ?? null;
+  }
+  /** Return all registered tool definitions. */
+  list() {
+    return [...this.tools.values()];
+  }
+  /**
+   * Build a record of environment variables for the given tool by
+   * extracting the requested fields from the HttpAuth credential.
+   *
+   * If the auth type does not contain the requested field (e.g.
+   * requesting "token" from a basic-auth credential), that env var
+   * is silently omitted.
+   */
+  buildEnv(tool, auth) {
+    const env = {};
+    for (const [envVar, field] of Object.entries(tool.envMapping)) {
+      const value = extractField(auth, field);
+      if (value !== void 0) {
+        env[envVar] = value;
+      }
+    }
+    return env;
+  }
+};
+function extractField(auth, field) {
+  switch (field) {
+    case "token":
+      return auth.type === "bearer" ? auth.token : void 0;
+    case "key":
+      return auth.type === "api-key" ? auth.key : void 0;
+    case "username":
+      return auth.type === "basic" ? auth.username : void 0;
+    case "password":
+      return auth.type === "basic" ? auth.password : void 0;
+    default:
+      return void 0;
+  }
+}
+function createDefaultToolRegistry() {
+  const registry = new ToolRegistry();
+  registry.register({
+    name: "gh",
+    credentialDomain: "github.com",
+    envMapping: { GH_TOKEN: "token" }
+  });
+  registry.register({
+    name: "stripe",
+    credentialDomain: "api.stripe.com",
+    envMapping: { STRIPE_API_KEY: "key" }
+  });
+  registry.register({
+    name: "openai",
+    credentialDomain: "api.openai.com",
+    envMapping: { OPENAI_API_KEY: "key" }
+  });
+  registry.register({
+    name: "anthropic",
+    credentialDomain: "api.anthropic.com",
+    envMapping: { ANTHROPIC_API_KEY: "key" }
+  });
+  registry.register({
+    name: "aws",
+    credentialDomain: "aws.amazon.com",
+    envMapping: {
+      AWS_ACCESS_KEY_ID: "username",
+      AWS_SECRET_ACCESS_KEY: "password"
+    }
+  });
+  return registry;
+}
+
+// src/http/routes/proxy.ts
+var import_hono = require("hono");
+function proxyRoutes(options) {
+  const { vault, toolRegistry, exec } = options;
+  const app = new import_hono.Hono();
+  app.post("/exec", async (c) => {
+    const body = await c.req.json();
+    if (!body.tool || typeof body.tool !== "string") {
+      return c.json({ error: "Missing 'tool' field" }, 400);
+    }
+    const toolDef = toolRegistry.get(body.tool);
+    if (!toolDef) {
+      return c.json({ error: `Unknown tool: ${body.tool}` }, 404);
+    }
+    const agent = c.get("agent");
+    const credential = await vault.get(toolDef.credentialDomain, agent.id);
+    if (!credential) {
+      return c.json({ error: `No credential for domain: ${toolDef.credentialDomain}` }, 401);
+    }
+    const env = toolRegistry.buildEnv(toolDef, credential.auth);
+    const args = body.args ?? [];
+    const result = await exec(body.tool, args, env);
+    return c.json(result);
+  });
+  app.get("/tools", (c) => {
+    const tools = toolRegistry.list().map((t) => ({
+      name: t.name,
+      credentialDomain: t.credentialDomain
+    }));
+    return c.json({ tools });
+  });
+  return app;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ToolRegistry,
+  createDefaultToolRegistry,
+  proxyRoutes
+});