@nkmc/gateway 0.1.0

package/src/http/routes/domains.ts

@@ -0,0 +1,174 @@
+import { Hono } from "hono";
+import { nanoid } from "nanoid";
+import type { JWK } from "jose";
+import { signPublishToken } from "@nkmc/core";
+import type { D1Database } from "../../d1/types.js";
+import { queryDnsTxt } from "../lib/dns.js";
+
+export interface DomainRouteOptions {
+  db: D1Database;
+  gatewayPrivateKey: JWK;
+}
+
+interface ChallengeRow {
+  domain: string;
+  challenge_code: string;
+  status: string;
+  created_at: number;
+  verified_at: number | null;
+  expires_at: number;
+}
+
+const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;
+const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;
+
+function isValidDomain(domain: string): boolean {
+  return /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)+$/.test(domain);
+}
+
+export function domainRoutes(options: DomainRouteOptions) {
+  const { db, gatewayPrivateKey } = options;
+  const app = new Hono();
+
+  // Request a DNS challenge for domain ownership
+  app.post("/challenge", async (c) => {
+    const body = await c.req.json<{ domain: string }>().catch(() => null);
+    const domain = body?.domain;
+
+    if (!domain || !isValidDomain(domain)) {
+      return c.json({ error: "Invalid or missing domain" }, 400);
+    }
+
+    const now = Date.now();
+
+    // Already verified and not expired → no new challenge needed
+    const verified = await db
+      .prepare(
+        "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'verified' AND expires_at > ?",
+      )
+      .bind(domain, now)
+      .first<ChallengeRow>();
+
+    if (verified) {
+      return c.json(
+        {
+          error: "Domain already verified. Use `nkmc claim <domain> --verify` to renew your token.",
+          expiresAt: verified.expires_at,
+        },
+        409,
+      );
+    }
+
+    // Check for existing unexpired pending challenge
+    const existing = await db
+      .prepare(
+        "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'pending' AND expires_at > ?",
+      )
+      .bind(domain, now)
+      .first<ChallengeRow>();
+
+    if (existing) {
+      return c.json({
+        domain,
+        txtRecord: `_nkmc.${domain}`,
+        txtValue: `nkmc-verify=${existing.challenge_code}`,
+        expiresAt: existing.expires_at,
+      });
+    }
+
+    // Generate new challenge (also covers expired verified domains)
+    const challengeCode = nanoid(32);
+    const expiresAt = now + SEVEN_DAYS_MS;
+
+    await db
+      .prepare(
+        `INSERT OR REPLACE INTO domain_challenges (domain, challenge_code, status, created_at, expires_at)
+         VALUES (?, ?, 'pending', ?, ?)`,
+      )
+      .bind(domain, challengeCode, now, expiresAt)
+      .run();
+
+    return c.json({
+      domain,
+      txtRecord: `_nkmc.${domain}`,
+      txtValue: `nkmc-verify=${challengeCode}`,
+      expiresAt,
+    });
+  });
+
+  // Verify DNS record and issue publish token
+  app.post("/verify", async (c) => {
+    const body = await c.req.json<{ domain: string }>().catch(() => null);
+    const domain = body?.domain;
+
+    if (!domain || !isValidDomain(domain)) {
+      return c.json({ error: "Invalid or missing domain" }, 400);
+    }
+
+    const now = Date.now();
+
+    // 1. Already verified and not expired → issue new token without DNS check
+    const verified = await db
+      .prepare(
+        "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'verified' AND expires_at > ?",
+      )
+      .bind(domain, now)
+      .first<ChallengeRow>();
+
+    if (verified) {
+      const publishToken = await signPublishToken(gatewayPrivateKey, domain);
+      return c.json({ ok: true, domain, publishToken });
+    }
+
+    // 2. Pending challenge → verify DNS
+    const challenge = await db
+      .prepare(
+        "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'pending' AND expires_at > ?",
+      )
+      .bind(domain, now)
+      .first<ChallengeRow>();
+
+    if (!challenge) {
+      return c.json(
+        { error: "No pending challenge found. Run `nkmc claim <domain>` first." },
+        404,
+      );
+    }
+
+    // Query DNS TXT records
+    const expectedValue = `nkmc-verify=${challenge.challenge_code}`;
+    let txtRecords: string[];
+    try {
+      txtRecords = await queryDnsTxt(`_nkmc.${domain}`);
+    } catch {
+      return c.json(
+        { error: "Failed to query DNS. Please try again later." },
+        502,
+      );
+    }
+
+    if (!txtRecords.includes(expectedValue)) {
+      return c.json(
+        {
+          error: `DNS TXT record not found. Expected TXT record on _nkmc.${domain} with value "${expectedValue}". DNS propagation can take up to 5 minutes.`,
+        },
+        422,
+      );
+    }
+
+    // Mark as verified (ownership valid for 1 year)
+    await db
+      .prepare(
+        "UPDATE domain_challenges SET status = 'verified', verified_at = ?, expires_at = ? WHERE domain = ?",
+      )
+      .bind(now, now + ONE_YEAR_MS, domain)
+      .run();
+
+    // Sign publish token (24h expiry, scoped to domain)
+    const publishToken = await signPublishToken(gatewayPrivateKey, domain);
+
+    return c.json({ ok: true, domain, publishToken });
+  });
+
+  return app;
+}

package/src/http/routes/federation.ts

@@ -0,0 +1,170 @@
+import { Hono } from "hono";
+import type { AgentFs } from "@nkmc/agent-fs";
+import type { PeerStore } from "../../federation/types.js";
+import type { CredentialVault } from "../../credential/types.js";
+import type { Env } from "../app.js";
+
+export interface FederationRouteOptions {
+  peerStore: PeerStore;
+  vault: CredentialVault;
+  agentFs: AgentFs;
+}
+
+/**
+ * Verify that the request comes from a known peer.
+ * Returns the peer ID or null if auth fails.
+ */
+async function authenticatePeer(
+  peerStore: PeerStore,
+  peerId: string | undefined,
+  authHeader: string | undefined,
+): ReturnType<typeof peerStore.getPeer> {
+  if (!peerId || !authHeader) return null;
+
+  const peer = await peerStore.getPeer(peerId);
+  if (!peer || peer.status !== "active") return null;
+
+  const token = authHeader.replace(/^Bearer\s+/i, "");
+  if (token !== peer.sharedSecret) return null;
+
+  return peer;
+}
+
+/**
+ * Extract the domain from a command string.
+ * e.g. "ls /api.example.com/data" => "api.example.com"
+ *      "cat /github.com/repos"   => "github.com"
+ */
+function extractDomainFromCommand(command: string): string | null {
+  const parts = command.trim().split(/\s+/);
+  if (parts.length < 2) return null;
+  const path = parts[1];
+  if (!path.startsWith("/")) return null;
+  const segments = path.slice(1).split("/");
+  return segments[0] || null;
+}
+
+export function federationRoutes(options: FederationRouteOptions) {
+  const { peerStore, vault, agentFs } = options;
+  const app = new Hono<Env>();
+
+  // POST /federation/query — Check if we have credentials for a domain
+  app.post("/query", async (c) => {
+    const peerId = c.req.header("X-Peer-Id");
+    const authHeader = c.req.header("Authorization");
+
+    const peer = await authenticatePeer(peerStore, peerId, authHeader);
+    if (!peer) {
+      return c.json({ error: "Unauthorized peer" }, 403);
+    }
+
+    const body = await c.req.json<{ domain: string }>();
+    if (!body.domain) {
+      return c.json({ error: "Missing 'domain' field" }, 400);
+    }
+
+    // Update last seen
+    await peerStore.updateLastSeen(peer.id, Date.now());
+
+    // Check if we have a credential for this domain
+    const credential = await vault.get(body.domain);
+    if (!credential) {
+      return c.json({ available: false });
+    }
+
+    // Check lending rule
+    const rule = await peerStore.getRule(body.domain);
+    if (!rule || !rule.allow) {
+      return c.json({ available: false });
+    }
+
+    // Check if this peer is in the allowed list
+    if (rule.peers !== "*" && !rule.peers.includes(peer.id)) {
+      return c.json({ available: false });
+    }
+
+    return c.json({
+      available: true,
+      pricing: rule.pricing,
+    });
+  });
+
+  // POST /federation/exec — Execute a command on behalf of a peer
+  app.post("/exec", async (c) => {
+    const peerId = c.req.header("X-Peer-Id");
+    const authHeader = c.req.header("Authorization");
+
+    const peer = await authenticatePeer(peerStore, peerId, authHeader);
+    if (!peer) {
+      return c.json({ error: "Unauthorized peer" }, 403);
+    }
+
+    const body = await c.req.json<{ command: string; agentId: string }>();
+    if (!body.command) {
+      return c.json({ error: "Missing 'command' field" }, 400);
+    }
+
+    // Update last seen
+    await peerStore.updateLastSeen(peer.id, Date.now());
+
+    // Extract domain from command and check lending rule
+    const domain = extractDomainFromCommand(body.command);
+    if (domain) {
+      const rule = await peerStore.getRule(domain);
+
+      if (!rule || !rule.allow) {
+        return c.json({ error: "Domain not available for lending" }, 403);
+      }
+
+      if (rule.peers !== "*" && !rule.peers.includes(peer.id)) {
+        return c.json({ error: "Peer not in allowed list" }, 403);
+      }
+
+      // Check if payment is required
+      if (rule.pricing.mode !== "free") {
+        const paymentHeader = c.req.header("X-402-Payment");
+        if (!paymentHeader) {
+          return c.json({ error: "Payment required" }, 402);
+        }
+      }
+    }
+
+    // Execute with synthetic agent context: peer:{peerId}:{agentId}
+    const syntheticAgentId = `peer:${peer.id}:${body.agentId}`;
+    const result = await agentFs.execute(body.command, ["agent"], {
+      id: syntheticAgentId,
+      roles: ["agent"],
+    });
+
+    if (!result.ok) {
+      return c.json({ ok: false, error: result.error.message }, 500);
+    }
+
+    return c.json({ ok: true, data: result.data });
+  });
+
+  // POST /federation/announce — Peer announces available domains
+  app.post("/announce", async (c) => {
+    const peerId = c.req.header("X-Peer-Id");
+    const authHeader = c.req.header("Authorization");
+
+    const peer = await authenticatePeer(peerStore, peerId, authHeader);
+    if (!peer) {
+      return c.json({ error: "Unauthorized peer" }, 403);
+    }
+
+    const body = await c.req.json<{ domains: string[] }>();
+    if (!Array.isArray(body.domains)) {
+      return c.json({ error: "Missing 'domains' field" }, 400);
+    }
+
+    // Update peer's advertised domains and last seen
+    peer.advertisedDomains = body.domains;
+    await peerStore.putPeer(peer);
+    await peerStore.updateLastSeen(peer.id, Date.now());
+
+    return c.json({ ok: true });
+  });
+
+  return app;
+}

package/src/http/routes/fs.ts

@@ -0,0 +1,89 @@
+import { Hono } from "hono";
+import type { AgentFs, FsOp } from "@nkmc/agent-fs";
+import type { Env } from "../app.js";
+
+export interface FsRouteOptions {
+  agentFs: AgentFs;
+}
+
+function errorToStatus(code: string): number {
+  switch (code) {
+    case "PARSE_ERROR":
+    case "INVALID_PATH":
+      return 400;
+    case "PERMISSION_DENIED":
+      return 403;
+    case "NOT_FOUND":
+    case "NO_MOUNT":
+      return 404;
+    default:
+      return 500;
+  }
+}
+
+export function fsRoutes(options: FsRouteOptions) {
+  const { agentFs } = options;
+  const app = new Hono<Env>();
+
+  // POST /execute — raw command execution
+  app.post("/execute", async (c) => {
+    const body = await c.req.json<{ command: string; roles?: string[] }>();
+    if (!body.command || typeof body.command !== "string") {
+      return c.json({ error: "Missing 'command' field" }, 400);
+    }
+
+    const agent = c.get("agent");
+    const roles = body.roles ?? agent?.roles;
+    const result = await agentFs.execute(body.command, roles, agent);
+    const status = result.ok ? 200 : errorToStatus(result.error.code);
+
+    return c.json(result, status as 200);
+  });
+
+  // /fs/* — REST-style access
+  app.all("/fs/*", async (c) => {
+    const fullPath = c.req.path;
+    const virtualPath = fullPath.slice(fullPath.indexOf("/fs") + 3) || "/";
+    const query = c.req.query("q");
+    const agent = c.get("agent");
+    const roles = agent?.roles;
+
+    let op: FsOp;
+    let data: unknown | undefined;
+    let pattern: string | undefined;
+
+    switch (c.req.method) {
+      case "GET":
+        if (query) {
+          op = "grep";
+          pattern = query;
+        } else if (virtualPath.endsWith("/")) {
+          op = "ls";
+        } else {
+          op = "cat";
+        }
+        break;
+      case "POST":
+      case "PUT":
+        op = "write";
+        data = await c.req.json();
+        break;
+      case "DELETE":
+        op = "rm";
+        break;
+      default:
+        return c.json({ error: "Method not allowed" }, 405);
+    }
+
+    const result = await agentFs.executeCommand(
+      { op, path: virtualPath, data, pattern },
+      roles,
+      agent,
+    );
+    const status = result.ok ? 200 : errorToStatus(result.error.code);
+
+    return c.json(result, status as 200);
+  });
+
+  return app;
+}

package/src/http/routes/peers.ts

@@ -0,0 +1,103 @@
+import { Hono } from "hono";
+import type { Env } from "../app.js";
+import type { PeerStore, PeerGateway, LendingRule } from "../../federation/types.js";
+
+export interface PeerRouteOptions {
+  peerStore: PeerStore;
+}
+
+export function peerRoutes(options: PeerRouteOptions) {
+  const { peerStore } = options;
+  const app = new Hono<Env>();
+
+  // GET /peers — list all peers (don't expose sharedSecret)
+  app.get("/peers", async (c) => {
+    const peers = await peerStore.listPeers();
+    const safe = peers.map(({ sharedSecret: _, ...rest }) => rest);
+    return c.json({ peers: safe });
+  });
+
+  // PUT /peers/:id — create or update peer
+  app.put("/peers/:id", async (c) => {
+    const id = c.req.param("id");
+    const body = await c.req.json<{
+      name?: string;
+      url?: string;
+      sharedSecret?: string;
+    }>();
+
+    if (!body.name || !body.url || !body.sharedSecret) {
+      return c.json({ error: "Missing required fields: name, url, sharedSecret" }, 400);
+    }
+
+    const existing = await peerStore.getPeer(id);
+    const now = Date.now();
+
+    const peer: PeerGateway = {
+      id,
+      name: body.name,
+      url: body.url,
+      sharedSecret: body.sharedSecret,
+      status: "active",
+      advertisedDomains: existing?.advertisedDomains ?? [],
+      lastSeen: existing?.lastSeen ?? 0,
+      createdAt: existing?.createdAt ?? now,
+    };
+
+    await peerStore.putPeer(peer);
+    return c.json({ ok: true, id });
+  });
+
+  // DELETE /peers/:id — remove peer
+  app.delete("/peers/:id", async (c) => {
+    const id = c.req.param("id");
+    await peerStore.deletePeer(id);
+    return c.json({ ok: true, id });
+  });
+
+  // GET /rules — list all lending rules
+  app.get("/rules", async (c) => {
+    const rules = await peerStore.listRules();
+    return c.json({ rules });
+  });
+
+  // PUT /rules/:domain — create or update lending rule
+  app.put("/rules/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const body = await c.req.json<{
+      allow?: boolean;
+      peers?: string[] | "*";
+      pricing?: { mode: string; amount?: number };
+      rateLimit?: { requests: number; window: string };
+    }>();
+
+    if (body.allow === undefined) {
+      return c.json({ error: "Missing required field: allow" }, 400);
+    }
+
+    const existing = await peerStore.getRule(domain);
+    const now = Date.now();
+
+    const rule: LendingRule = {
+      domain,
+      allow: body.allow,
+      peers: body.peers ?? existing?.peers ?? "*",
+      pricing: (body.pricing as LendingRule["pricing"]) ?? existing?.pricing ?? { mode: "free" },
+      rateLimit: body.rateLimit as LendingRule["rateLimit"],
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now,
+    };
+
+    await peerStore.putRule(rule);
+    return c.json({ ok: true, domain });
+  });
+
+  // DELETE /rules/:domain — remove lending rule
+  app.delete("/rules/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    await peerStore.deleteRule(domain);
+    return c.json({ ok: true, domain });
+  });
+
+  return app;
+}

package/src/http/routes/proxy.ts

@@ -0,0 +1,57 @@
+import { Hono } from "hono";
+import type { Env } from "../app.js";
+import type { CredentialVault } from "../../credential/types.js";
+import type { ToolRegistry } from "../../proxy/tool-registry.js";
+
+export interface ExecResult {
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+}
+
+export interface ProxyRouteOptions {
+  vault: CredentialVault;
+  toolRegistry: ToolRegistry;
+  exec: (tool: string, args: string[], env: Record<string, string>) => Promise<ExecResult>;
+}
+
+export function proxyRoutes(options: ProxyRouteOptions) {
+  const { vault, toolRegistry, exec } = options;
+  const app = new Hono<Env>();
+
+  // POST /exec — Execute a CLI tool with injected credentials
+  app.post("/exec", async (c) => {
+    const body = await c.req.json<{ tool: string; args?: string[] }>();
+    if (!body.tool || typeof body.tool !== "string") {
+      return c.json({ error: "Missing 'tool' field" }, 400);
+    }
+
+    const toolDef = toolRegistry.get(body.tool);
+    if (!toolDef) {
+      return c.json({ error: `Unknown tool: ${body.tool}` }, 404);
+    }
+
+    const agent = c.get("agent");
+    const credential = await vault.get(toolDef.credentialDomain, agent.id);
+    if (!credential) {
+      return c.json({ error: `No credential for domain: ${toolDef.credentialDomain}` }, 401);
+    }
+
+    const env = toolRegistry.buildEnv(toolDef, credential.auth);
+    const args = body.args ?? [];
+    const result = await exec(body.tool, args, env);
+
+    return c.json(result);
+  });
+
+  // GET /tools — List available tools
+  app.get("/tools", (c) => {
+    const tools = toolRegistry.list().map((t) => ({
+      name: t.name,
+      credentialDomain: t.credentialDomain,
+    }));
+    return c.json({ tools });
+  });
+
+  return app;
+}