@nkmc/gateway 0.1.0

package/src/http/routes/__tests__/peers.test.ts

@@ -0,0 +1,290 @@
+import { describe, it, expect } from "vitest";
+import { Hono } from "hono";
+import { MemoryPeerStore } from "../../../federation/peer-store.js";
+import { adminAuth } from "../../middleware/admin-auth.js";
+import { peerRoutes } from "../peers.js";
+
+const ADMIN_TOKEN = "test-admin-token";
+
+function createTestApp(peerStore?: MemoryPeerStore) {
+  const store = peerStore ?? new MemoryPeerStore();
+  const app = new Hono();
+  app.use("/admin/federation/*", adminAuth(ADMIN_TOKEN));
+  app.route("/admin/federation", peerRoutes({ peerStore: store }));
+  return { app, peerStore: store };
+}
+
+function adminHeaders() {
+  return {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${ADMIN_TOKEN}`,
+  };
+}
+
+describe("peer admin routes", () => {
+  describe("PUT /admin/federation/peers/:id", () => {
+    it("creates a new peer", async () => {
+      const { app, peerStore } = createTestApp();
+
+      const res = await app.request("/admin/federation/peers/peer-1", {
+        method: "PUT",
+        headers: adminHeaders(),
+        body: JSON.stringify({
+          name: "Peer One",
+          url: "https://peer1.example.com",
+          sharedSecret: "secret-123",
+        }),
+      });
+
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body).toEqual({ ok: true, id: "peer-1" });
+
+      const stored = await peerStore.getPeer("peer-1");
+      expect(stored).not.toBeNull();
+      expect(stored!.name).toBe("Peer One");
+      expect(stored!.url).toBe("https://peer1.example.com");
+      expect(stored!.sharedSecret).toBe("secret-123");
+      expect(stored!.status).toBe("active");
+    });
+
+    it("updates an existing peer", async () => {
+      const peerStore = new MemoryPeerStore();
+      await peerStore.putPeer({
+        id: "peer-1",
+        name: "Old Name",
+        url: "https://old.example.com",
+        sharedSecret: "old-secret",
+        status: "active",
+        advertisedDomains: ["api.example.com"],
+        lastSeen: 1000,
+        createdAt: 500,
+      });
+
+      const { app } = createTestApp(peerStore);
+
+      const res = await app.request("/admin/federation/peers/peer-1", {
+        method: "PUT",
+        headers: adminHeaders(),
+        body: JSON.stringify({
+          name: "New Name",
+          url: "https://new.example.com",
+          sharedSecret: "new-secret",
+        }),
+      });
+
+      expect(res.status).toBe(200);
+
+      const stored = await peerStore.getPeer("peer-1");
+      expect(stored!.name).toBe("New Name");
+      expect(stored!.url).toBe("https://new.example.com");
+      // Preserves existing fields
+      expect(stored!.advertisedDomains).toEqual(["api.example.com"]);
+      expect(stored!.createdAt).toBe(500);
+    });
+
+    it("rejects when missing required fields", async () => {
+      const { app } = createTestApp();
+
+      const res = await app.request("/admin/federation/peers/peer-1", {
+        method: "PUT",
+        headers: adminHeaders(),
+        body: JSON.stringify({ name: "Missing url and secret" }),
+      });
+
+      expect(res.status).toBe(400);
+      const body = await res.json();
+      expect(body.error).toContain("Missing required fields");
+    });
+
+    it("rejects without admin auth", async () => {
+      const { app } = createTestApp();
+
+      const res = await app.request("/admin/federation/peers/peer-1", {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          name: "Peer",
+          url: "https://peer.example.com",
+          sharedSecret: "secret",
+        }),
+      });
+
+      expect(res.status).toBe(401);
+    });
+  });
+
+  describe("GET /admin/federation/peers", () => {
+    it("lists peers without sharedSecret", async () => {
+      const peerStore = new MemoryPeerStore();
+      await peerStore.putPeer({
+        id: "peer-1",
+        name: "Peer One",
+        url: "https://peer1.example.com",
+        sharedSecret: "secret-should-not-appear",
+        status: "active",
+        advertisedDomains: [],
+        lastSeen: 0,
+        createdAt: Date.now(),
+      });
+
+      const { app } = createTestApp(peerStore);
+
+      const res = await app.request("/admin/federation/peers", {
+        headers: adminHeaders(),
+      });
+
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.peers).toHaveLength(1);
+      expect(body.peers[0].id).toBe("peer-1");
+      expect(body.peers[0].name).toBe("Peer One");
+      expect(body.peers[0]).not.toHaveProperty("sharedSecret");
+    });
+  });
+
+  describe("DELETE /admin/federation/peers/:id", () => {
+    it("removes a peer", async () => {
+      const peerStore = new MemoryPeerStore();
+      await peerStore.putPeer({
+        id: "peer-1",
+        name: "Peer One",
+        url: "https://peer1.example.com",
+        sharedSecret: "secret",
+        status: "active",
+        advertisedDomains: [],
+        lastSeen: 0,
+        createdAt: Date.now(),
+      });
+
+      const { app } = createTestApp(peerStore);
+
+      const res = await app.request("/admin/federation/peers/peer-1", {
+        method: "DELETE",
+        headers: adminHeaders(),
+      });
+
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body).toEqual({ ok: true, id: "peer-1" });
+
+      const stored = await peerStore.getPeer("peer-1");
+      expect(stored).toBeNull();
+    });
+  });
+
+  describe("PUT /admin/federation/rules/:domain", () => {
+    it("creates a lending rule", async () => {
+      const { app, peerStore } = createTestApp();
+
+      const res = await app.request(
+        "/admin/federation/rules/api.example.com",
+        {
+          method: "PUT",
+          headers: adminHeaders(),
+          body: JSON.stringify({
+            allow: true,
+            peers: ["peer-1", "peer-2"],
+            pricing: { mode: "per-request", amount: 100 },
+            rateLimit: { requests: 60, window: "minute" },
+          }),
+        },
+      );
+
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body).toEqual({ ok: true, domain: "api.example.com" });
+
+      const rule = await peerStore.getRule("api.example.com");
+      expect(rule).not.toBeNull();
+      expect(rule!.allow).toBe(true);
+      expect(rule!.peers).toEqual(["peer-1", "peer-2"]);
+      expect(rule!.pricing).toEqual({ mode: "per-request", amount: 100 });
+      expect(rule!.rateLimit).toEqual({ requests: 60, window: "minute" });
+    });
+
+    it("rejects when missing allow field", async () => {
+      const { app } = createTestApp();
+
+      const res = await app.request(
+        "/admin/federation/rules/api.example.com",
+        {
+          method: "PUT",
+          headers: adminHeaders(),
+          body: JSON.stringify({ peers: "*" }),
+        },
+      );
+
+      expect(res.status).toBe(400);
+      const body = await res.json();
+      expect(body.error).toContain("allow");
+    });
+  });
+
+  describe("GET /admin/federation/rules", () => {
+    it("lists all lending rules", async () => {
+      const peerStore = new MemoryPeerStore();
+      await peerStore.putRule({
+        domain: "api.example.com",
+        allow: true,
+        peers: "*",
+        pricing: { mode: "free" },
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      });
+      await peerStore.putRule({
+        domain: "github.com",
+        allow: false,
+        peers: ["peer-1"],
+        pricing: { mode: "per-token", amount: 50 },
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      });
+
+      const { app } = createTestApp(peerStore);
+
+      const res = await app.request("/admin/federation/rules", {
+        headers: adminHeaders(),
+      });
+
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.rules).toHaveLength(2);
+      expect(body.rules.map((r: any) => r.domain).sort()).toEqual([
+        "api.example.com",
+        "github.com",
+      ]);
+    });
+  });
+
+  describe("DELETE /admin/federation/rules/:domain", () => {
+    it("removes a lending rule", async () => {
+      const peerStore = new MemoryPeerStore();
+      await peerStore.putRule({
+        domain: "api.example.com",
+        allow: true,
+        peers: "*",
+        pricing: { mode: "free" },
+        createdAt: Date.now(),
+        updatedAt: Date.now(),
+      });
+
+      const { app } = createTestApp(peerStore);
+
+      const res = await app.request(
+        "/admin/federation/rules/api.example.com",
+        {
+          method: "DELETE",
+          headers: adminHeaders(),
+        },
+      );
+
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body).toEqual({ ok: true, domain: "api.example.com" });
+
+      const rule = await peerStore.getRule("api.example.com");
+      expect(rule).toBeNull();
+    });
+  });
+});

package/src/http/routes/__tests__/proxy.test.ts

@@ -0,0 +1,159 @@
+import { describe, it, expect, vi } from "vitest";
+import { Hono } from "hono";
+import { MemoryCredentialVault } from "../../../credential/memory-vault.js";
+import {
+  ToolRegistry,
+  createDefaultToolRegistry,
+} from "../../../proxy/tool-registry.js";
+import { proxyRoutes, type ExecResult } from "../proxy.js";
+
+/**
+ * Helper: create a test app with agent middleware stubbed out
+ * so we can test the proxy routes in isolation.
+ */
+function createTestApp(options?: {
+  vault?: MemoryCredentialVault;
+  toolRegistry?: ToolRegistry;
+  exec?: (tool: string, args: string[], env: Record<string, string>) => Promise<ExecResult>;
+}) {
+  const vault = options?.vault ?? new MemoryCredentialVault();
+  const toolRegistry = options?.toolRegistry ?? createDefaultToolRegistry();
+  const exec = options?.exec ?? vi.fn(async () => ({ stdout: "", stderr: "", exitCode: 0 }));
+
+  type Env = {
+    Variables: {
+      agent: { id: string; roles: string[] };
+    };
+  };
+
+  const app = new Hono<Env>();
+
+  // Stub agent auth — always set a fixed agent identity
+  app.use("*", async (c, next) => {
+    c.set("agent", { id: "agent-1", roles: ["read"] });
+    await next();
+  });
+
+  app.route("/", proxyRoutes({ vault, toolRegistry, exec }));
+
+  return { app, vault, toolRegistry, exec };
+}
+
+describe("proxy routes", () => {
+  describe("POST /exec", () => {
+    it("executes a tool with valid credential and returns stdout", async () => {
+      const vault = new MemoryCredentialVault();
+      await vault.putPool("github.com", { type: "bearer", token: "ghp_test123" });
+
+      const exec = vi.fn(async (_tool: string, _args: string[], _env: Record<string, string>) => ({
+        stdout: "Hello from gh\n",
+        stderr: "",
+        exitCode: 0,
+      }));
+
+      const { app } = createTestApp({ vault, exec });
+
+      const res = await app.request("/exec", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ tool: "gh", args: ["auth", "status"] }),
+      });
+
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body).toEqual({
+        stdout: "Hello from gh\n",
+        stderr: "",
+        exitCode: 0,
+      });
+
+      // Verify exec was called with correct env injection
+      expect(exec).toHaveBeenCalledWith(
+        "gh",
+        ["auth", "status"],
+        { GH_TOKEN: "ghp_test123" },
+      );
+    });
+
+    it("returns 404 for an unknown tool", async () => {
+      const { app } = createTestApp();
+
+      const res = await app.request("/exec", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ tool: "nonexistent", args: [] }),
+      });
+
+      expect(res.status).toBe(404);
+      const body = await res.json();
+      expect(body.error).toContain("Unknown tool");
+    });
+
+    it("returns 401 when no credential is available", async () => {
+      // Vault is empty — no credential for github.com
+      const vault = new MemoryCredentialVault();
+      const { app } = createTestApp({ vault });
+
+      const res = await app.request("/exec", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ tool: "gh", args: ["pr", "list"] }),
+      });
+
+      expect(res.status).toBe(401);
+      const body = await res.json();
+      expect(body.error).toContain("No credential");
+    });
+
+    it("returns 400 when tool field is missing", async () => {
+      const { app } = createTestApp();
+
+      const res = await app.request("/exec", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ args: ["foo"] }),
+      });
+
+      expect(res.status).toBe(400);
+      const body = await res.json();
+      expect(body.error).toContain("Missing 'tool' field");
+    });
+
+    it("defaults args to empty array when not provided", async () => {
+      const vault = new MemoryCredentialVault();
+      await vault.putPool("github.com", { type: "bearer", token: "ghp_x" });
+
+      const exec = vi.fn(async () => ({ stdout: "", stderr: "", exitCode: 0 }));
+      const { app } = createTestApp({ vault, exec });
+
+      const res = await app.request("/exec", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ tool: "gh" }),
+      });
+
+      expect(res.status).toBe(200);
+      expect(exec).toHaveBeenCalledWith("gh", [], { GH_TOKEN: "ghp_x" });
+    });
+  });
+
+  describe("GET /tools", () => {
+    it("returns the list of available tools", async () => {
+      const { app } = createTestApp();
+
+      const res = await app.request("/tools", { method: "GET" });
+
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.tools).toBeInstanceOf(Array);
+      expect(body.tools.length).toBe(5);
+
+      const names = body.tools.map((t: { name: string }) => t.name).sort();
+      expect(names).toEqual(["anthropic", "aws", "gh", "openai", "stripe"]);
+
+      // Each tool should expose name and credentialDomain only
+      const gh = body.tools.find((t: { name: string }) => t.name === "gh");
+      expect(gh).toEqual({ name: "gh", credentialDomain: "github.com" });
+    });
+  });
+});

package/src/http/routes/auth.ts

@@ -0,0 +1,39 @@
+import { Hono } from "hono";
+import { signJwt } from "@nkmc/core";
+import type { JWK } from "jose";
+import type { Env } from "../app.js";
+
+export interface AuthRouteOptions {
+  privateKey: JWK;
+}
+
+export function authRoutes(options: AuthRouteOptions) {
+  const app = new Hono<Env>();
+
+  app.post("/token", async (c) => {
+    const body = await c.req.json<{
+      sub: string;
+      roles?: string[];
+      svc: string;
+      expiresIn?: string;
+    }>();
+
+    if (!body.sub || !body.svc) {
+      return c.json({ error: "Missing required fields: sub, svc" }, 400);
+    }
+
+    const token = await signJwt(
+      options.privateKey,
+      {
+        sub: body.sub,
+        roles: body.roles ?? ["agent"],
+        svc: body.svc,
+      },
+      body.expiresIn ? { expiresIn: body.expiresIn } : undefined,
+    );
+
+    return c.json({ token });
+  });
+
+  return app;
+}

package/src/http/routes/byok.ts

@@ -0,0 +1,62 @@
+import { Hono } from "hono";
+import type { CredentialVault } from "../../credential/types.js";
+import type { Env } from "../app.js";
+
+export interface ByokRouteOptions {
+  vault: CredentialVault;
+}
+
+export function byokRoutes(options: ByokRouteOptions) {
+  const { vault } = options;
+  const app = new Hono<Env>();
+
+  // PUT /credentials/byok/:domain — upload BYOK credential (agent JWT required)
+  app.put("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const agent = c.get("agent");
+    const body = await c.req.json<{
+      auth: {
+        type: string;
+        token?: string;
+        header?: string;
+        key?: string;
+        username?: string;
+        password?: string;
+      };
+    }>();
+
+    if (!body.auth?.type) {
+      return c.json({ error: "Missing auth.type" }, 400);
+    }
+
+    await vault.putByok(domain, agent.id, body.auth as any);
+    return c.json({ ok: true, domain });
+  });
+
+  // GET /credentials/byok — list agent's BYOK domains
+  app.get("/", async (c) => {
+    const agent = c.get("agent");
+    const allDomains = await vault.listDomains();
+
+    // Filter to only domains where this agent has BYOK credentials
+    const byokDomains: string[] = [];
+    for (const domain of allDomains) {
+      const cred = await vault.get(domain, agent.id);
+      if (cred && cred.scope === "byok" && cred.developerId === agent.id) {
+        byokDomains.push(domain);
+      }
+    }
+
+    return c.json({ domains: byokDomains });
+  });
+
+  // DELETE /credentials/byok/:domain — delete agent's BYOK credential
+  app.delete("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const agent = c.get("agent");
+    await vault.delete(domain, agent.id);
+    return c.json({ ok: true, domain });
+  });
+
+  return app;
+}

package/src/http/routes/credentials.ts

@@ -0,0 +1,40 @@
+import { Hono } from "hono";
+import type { CredentialVault } from "../../credential/types.js";
+import type { Env } from "../app.js";
+
+export interface CredentialRouteOptions {
+  vault: CredentialVault;
+}
+
+export function credentialRoutes(options: CredentialRouteOptions) {
+  const { vault } = options;
+  const app = new Hono<Env>();
+
+  // PUT /credentials/:domain — set pool credential
+  app.put("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const body = await c.req.json<{ auth: { type: string; token?: string; header?: string; key?: string; username?: string; password?: string } }>();
+
+    if (!body.auth?.type) {
+      return c.json({ error: "Missing auth.type" }, 400);
+    }
+
+    await vault.putPool(domain, body.auth as any);
+    return c.json({ ok: true, domain });
+  });
+
+  // GET /credentials — list domains with credentials
+  app.get("/", async (c) => {
+    const domains = await vault.listDomains();
+    return c.json({ domains });
+  });
+
+  // DELETE /credentials/:domain — delete pool credential
+  app.delete("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    await vault.delete(domain);
+    return c.json({ ok: true, domain });
+  });
+
+  return app;
+}