@nkmc/gateway 0.1.0

package/src/tunnel/types.ts

@@ -0,0 +1,28 @@
+export interface TunnelRecord {
+  id: string;
+  agentId: string;
+  tunnelId: string; // Cloudflare tunnel ID
+  publicUrl: string; // https://{id}.tunnel.example.com
+  status: "active" | "deleted";
+  createdAt: number;
+  /** Domains this gateway has credentials for (for discovery) */
+  advertisedDomains: string[];
+  /** Display name for the gateway */
+  gatewayName?: string;
+  /** Last heartbeat timestamp (ms since epoch) */
+  lastSeen: number;
+}
+
+export interface TunnelStore {
+  get(id: string): Promise<TunnelRecord | null>;
+  getByAgent(agentId: string): Promise<TunnelRecord | null>;
+  put(record: TunnelRecord): Promise<void>;
+  delete(id: string): Promise<void>;
+  list(): Promise<TunnelRecord[]>;
+}
+
+/** Interface for Cloudflare Tunnel API operations */
+export interface TunnelProvider {
+  create(name: string, hostname: string): Promise<{ tunnelId: string; tunnelToken: string }>;
+  delete(tunnelId: string): Promise<void>;
+}

package/test/credential/d1-vault.test.ts

@@ -0,0 +1,127 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { D1CredentialVault } from "../../src/credential/d1-vault.js";
+import { SqliteD1 } from "../../src/testing/sqlite-d1.js";
+
+describe("D1CredentialVault", () => {
+  let db: SqliteD1;
+  let vault: D1CredentialVault;
+  let key: CryptoKey;
+
+  beforeEach(async () => {
+    db = new SqliteD1();
+    key = await crypto.subtle.generateKey(
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["encrypt", "decrypt"],
+    );
+    vault = new D1CredentialVault(db, key);
+    await vault.initSchema();
+  });
+
+  afterEach(() => {
+    db.close();
+  });
+
+  it("should store and retrieve pool credential", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "tok_123" });
+    const cred = await vault.get("api.example.com");
+    expect(cred).not.toBeNull();
+    expect(cred!.auth).toEqual({ type: "bearer", token: "tok_123" });
+    expect(cred!.scope).toBe("pool");
+  });
+
+  it("should return null for unknown domain", async () => {
+    expect(await vault.get("unknown.com")).toBeNull();
+  });
+
+  it("should prefer BYOK over pool", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "pool_tok" });
+    await vault.putByok("api.example.com", "dev-1", { type: "bearer", token: "byok_tok" });
+    const cred = await vault.get("api.example.com", "dev-1");
+    expect(cred!.auth).toEqual({ type: "bearer", token: "byok_tok" });
+  });
+
+  it("should fall back to pool when no BYOK", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "pool_tok" });
+    const cred = await vault.get("api.example.com", "dev-2");
+    expect(cred!.auth).toEqual({ type: "bearer", token: "pool_tok" });
+  });
+
+  it("should delete pool credential", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "tok" });
+    await vault.delete("api.example.com");
+    expect(await vault.get("api.example.com")).toBeNull();
+  });
+
+  it("should delete BYOK credential", async () => {
+    await vault.putByok("api.example.com", "dev-1", { type: "bearer", token: "tok" });
+    await vault.delete("api.example.com", "dev-1");
+    expect(await vault.get("api.example.com", "dev-1")).toBeNull();
+  });
+
+  it("should list domains", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "t1" });
+    await vault.putPool("other.api.com", { type: "bearer", token: "t2" });
+    const domains = await vault.listDomains();
+    expect(domains).toContain("api.example.com");
+    expect(domains).toContain("other.api.com");
+  });
+
+  it("should call initSchema multiple times (idempotent)", async () => {
+    await vault.initSchema();
+    await vault.putPool("test.com", { type: "bearer", token: "x" });
+    expect(await vault.get("test.com")).not.toBeNull();
+  });
+
+  it("should decrypt legacy base64-encoded credentials", async () => {
+    // Simulate legacy data: plain base64(JSON) without AES-GCM encryption
+    const legacyAuth = { type: "bearer", token: "legacy_tok" };
+    const legacyEncoded = btoa(JSON.stringify(legacyAuth));
+    const now = Date.now();
+    await db
+      .prepare(
+        `INSERT INTO credentials (domain, scope, developer_id, auth_encrypted, created_at, updated_at)
+         VALUES (?, 'pool', '', ?, ?, ?)`,
+      )
+      .bind("legacy.example.com", legacyEncoded, now, now)
+      .run();
+
+    const cred = await vault.get("legacy.example.com");
+    expect(cred).not.toBeNull();
+    expect(cred!.auth).toEqual({ type: "bearer", token: "legacy_tok" });
+  });
+
+  it("should produce different ciphertext for same input (random IV)", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "tok" });
+    // Read raw encrypted value
+    const row1 = await db
+      .prepare("SELECT auth_encrypted FROM credentials WHERE domain = ?")
+      .bind("api.example.com")
+      .first<{ auth_encrypted: string }>();
+
+    // Re-encrypt with same data
+    await vault.putPool("api.example.com", { type: "bearer", token: "tok" });
+    const row2 = await db
+      .prepare("SELECT auth_encrypted FROM credentials WHERE domain = ?")
+      .bind("api.example.com")
+      .first<{ auth_encrypted: string }>();
+
+    // Random IV means ciphertext should differ
+    expect(row1!.auth_encrypted).not.toBe(row2!.auth_encrypted);
+  });
+
+  it("should not decrypt with a different key", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "secret" });
+
+    // Create vault with different key
+    const otherKey = await crypto.subtle.generateKey(
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["encrypt", "decrypt"],
+    );
+    const otherVault = new D1CredentialVault(db, otherKey);
+
+    // AES-GCM decrypt fails → fallback to base64 decode → JSON.parse fails → throws
+    await expect(otherVault.get("api.example.com")).rejects.toThrow();
+  });
+});

package/test/credential/injection.test.ts

@@ -0,0 +1,67 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { MemoryRegistryStore } from "../../src/registry/memory-store.js";
+import { MemoryCredentialVault } from "../../src/credential/memory-vault.js";
+import { parseSkillMd } from "../../src/registry/skill-parser.js";
+import { createRegistryResolver } from "../../src/registry/resolver.js";
+
+const SKILL_MD = `---
+name: "Test API"
+gateway: nkmc
+version: "1.0"
+roles: [agent]
+---
+
+# Test API
+
+A test service.
+
+## API
+
+### Get data
+
+\`GET /api/data\` — public
+`;
+
+describe("Credential Injection", () => {
+  let store: MemoryRegistryStore;
+  let vault: MemoryCredentialVault;
+
+  beforeEach(async () => {
+    store = new MemoryRegistryStore();
+    vault = new MemoryCredentialVault();
+    const record = parseSkillMd("test-api.com", SKILL_MD);
+    await store.put("test-api.com", record);
+  });
+
+  it("should create resolver with vault", async () => {
+    const { onMiss, listDomains } = createRegistryResolver({ store, vault });
+    expect(typeof onMiss).toBe("function");
+    const domains = await listDomains();
+    expect(domains).toContain("test-api.com");
+  });
+
+  it("should mount backend when credentials exist", async () => {
+    await vault.putPool("test-api.com", { type: "bearer", token: "secret_token" });
+    const { onMiss } = createRegistryResolver({ store, vault });
+
+    let mountedBackend: any = null;
+    await onMiss("/test-api.com/data", (mount) => {
+      mountedBackend = mount.backend;
+    });
+
+    expect(mountedBackend).not.toBeNull();
+    // The backend is created — we can verify it was created with auth by checking
+    // that it exists (the auth is internal to HttpBackend, so we verify integration)
+  });
+
+  it("should mount backend even without credentials", async () => {
+    const { onMiss } = createRegistryResolver({ store, vault });
+
+    let mountPath = "";
+    await onMiss("/test-api.com/data", (mount) => {
+      mountPath = mount.path;
+    });
+
+    expect(mountPath).toBe("/test-api.com");
+  });
+});

package/test/credential/memory-vault.test.ts

@@ -0,0 +1,63 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { MemoryCredentialVault } from "../../src/credential/memory-vault.js";
+
+describe("MemoryCredentialVault", () => {
+  let vault: MemoryCredentialVault;
+
+  beforeEach(() => {
+    vault = new MemoryCredentialVault();
+  });
+
+  it("should store and retrieve pool credential", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "tok_123" });
+    const cred = await vault.get("api.example.com");
+    expect(cred).not.toBeNull();
+    expect(cred!.auth).toEqual({ type: "bearer", token: "tok_123" });
+    expect(cred!.scope).toBe("pool");
+  });
+
+  it("should return null for unknown domain", async () => {
+    const cred = await vault.get("unknown.com");
+    expect(cred).toBeNull();
+  });
+
+  it("should prefer BYOK over pool", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "pool_tok" });
+    await vault.putByok("api.example.com", "dev-1", { type: "bearer", token: "byok_tok" });
+    const cred = await vault.get("api.example.com", "dev-1");
+    expect(cred!.auth).toEqual({ type: "bearer", token: "byok_tok" });
+    expect(cred!.scope).toBe("byok");
+  });
+
+  it("should fall back to pool when no BYOK for developer", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "pool_tok" });
+    const cred = await vault.get("api.example.com", "dev-2");
+    expect(cred!.auth).toEqual({ type: "bearer", token: "pool_tok" });
+  });
+
+  it("should delete pool credential", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "tok" });
+    await vault.delete("api.example.com");
+    expect(await vault.get("api.example.com")).toBeNull();
+  });
+
+  it("should delete BYOK credential", async () => {
+    await vault.putByok("api.example.com", "dev-1", { type: "bearer", token: "tok" });
+    await vault.delete("api.example.com", "dev-1");
+    expect(await vault.get("api.example.com", "dev-1")).toBeNull();
+  });
+
+  it("should list domains", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "t1" });
+    await vault.putPool("other.api.com", { type: "bearer", token: "t2" });
+    const domains = await vault.listDomains();
+    expect(domains).toContain("api.example.com");
+    expect(domains).toContain("other.api.com");
+  });
+
+  it("should support api-key auth type", async () => {
+    await vault.putPool("cf.com", { type: "api-key", header: "X-Auth-Key", key: "abc" });
+    const cred = await vault.get("cf.com");
+    expect(cred!.auth).toEqual({ type: "api-key", header: "X-Auth-Key", key: "abc" });
+  });
+});

package/test/http/app.test.ts

@@ -0,0 +1,300 @@
+import { describe, it, expect, beforeAll, beforeEach } from "vitest";
+import { createGateway } from "../../src/http/app.js";
+import { MemoryRegistryStore } from "../../src/registry/memory-store.js";
+import { generateGatewayKeyPair, createTestToken } from "@nkmc/core/testing";
+import type { GatewayKeyPair } from "@nkmc/core";
+
+const SKILL_MD = `---
+name: "Acme Store"
+gateway: nkmc
+version: "1.0"
+roles: [agent]
+---
+
+# Acme Store
+
+E-commerce service for products.
+
+## Schema
+
+### products (read: public / write: agent)
+
+Product catalog
+
+| field | type | description |
+|-------|------|-------------|
+| id | string | Product ID |
+| name | string | Product name |
+| price | number | Price in USD |
+
+## API
+
+### List products
+
+\`GET /api/products\` — public
+
+Returns all products.
+
+### Create product
+
+\`POST /api/products\` — 0.01 USDC / call, agent
+
+Creates a new product.
+`;
+
+const ADMIN_TOKEN = "test-admin-secret";
+
+describe("Gateway HTTP", () => {
+  let keys: GatewayKeyPair;
+
+  beforeAll(async () => {
+    keys = await generateGatewayKeyPair();
+  });
+
+  function createApp() {
+    const store = new MemoryRegistryStore();
+    const app = createGateway({
+      store,
+      gatewayPrivateKey: keys.privateKey,
+      gatewayPublicKey: keys.publicKey,
+      adminToken: ADMIN_TOKEN,
+    });
+    return { app, store };
+  }
+
+  describe("Admin Auth", () => {
+    it("should reject requests without auth", async () => {
+      const { app } = createApp();
+      const res = await app.request("/registry/services");
+      expect(res.status).toBe(401);
+    });
+
+    it("should reject requests with wrong token", async () => {
+      const { app } = createApp();
+      const res = await app.request("/registry/services", {
+        headers: { Authorization: "Bearer wrong-token" },
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("should accept requests with correct admin token", async () => {
+      const { app } = createApp();
+      const res = await app.request("/registry/services", {
+        headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+      });
+      expect(res.status).toBe(200);
+    });
+  });
+
+  describe("Registry Routes", () => {
+    it("should register a service via skill.md", async () => {
+      const { app } = createApp();
+      const res = await app.request(
+        "/registry/services?domain=acme-store.com",
+        {
+          method: "POST",
+          headers: {
+            Authorization: `Bearer ${ADMIN_TOKEN}`,
+            "Content-Type": "text/markdown",
+          },
+          body: SKILL_MD,
+        },
+      );
+      expect(res.status).toBe(201);
+      const body = await res.json();
+      expect(body.ok).toBe(true);
+      expect(body.domain).toBe("acme-store.com");
+      expect(body.name).toBe("Acme Store");
+    });
+
+    it("should register a service via JSON body", async () => {
+      const { app } = createApp();
+      const res = await app.request(
+        "/registry/services?domain=acme-store.com",
+        {
+          method: "POST",
+          headers: {
+            Authorization: `Bearer ${ADMIN_TOKEN}`,
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({ skillMd: SKILL_MD }),
+        },
+      );
+      expect(res.status).toBe(201);
+    });
+
+    it("should list registered services", async () => {
+      const { app } = createApp();
+      // Register first
+      await app.request("/registry/services?domain=acme-store.com", {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${ADMIN_TOKEN}`,
+          "Content-Type": "text/markdown",
+        },
+        body: SKILL_MD,
+      });
+
+      const res = await app.request("/registry/services", {
+        headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+      });
+      expect(res.status).toBe(200);
+      const list = await res.json();
+      expect(list).toHaveLength(1);
+      expect(list[0].domain).toBe("acme-store.com");
+    });
+
+    it("should get service details", async () => {
+      const { app } = createApp();
+      await app.request("/registry/services?domain=acme-store.com", {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${ADMIN_TOKEN}`,
+          "Content-Type": "text/markdown",
+        },
+        body: SKILL_MD,
+      });
+
+      const res = await app.request("/registry/services/acme-store.com", {
+        headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+      });
+      expect(res.status).toBe(200);
+      const detail = await res.json();
+      expect(detail.domain).toBe("acme-store.com");
+      expect(detail.skillMd).toBeTruthy();
+    });
+
+    it("should return 404 for unknown service", async () => {
+      const { app } = createApp();
+      const res = await app.request("/registry/services/unknown.com", {
+        headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+      });
+      expect(res.status).toBe(404);
+    });
+
+    it("should delete a service", async () => {
+      const { app } = createApp();
+      await app.request("/registry/services?domain=acme-store.com", {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${ADMIN_TOKEN}`,
+          "Content-Type": "text/markdown",
+        },
+        body: SKILL_MD,
+      });
+
+      const res = await app.request("/registry/services/acme-store.com", {
+        method: "DELETE",
+        headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+      });
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.ok).toBe(true);
+
+      // Verify deleted
+      const getRes = await app.request("/registry/services/acme-store.com", {
+        headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+      });
+      expect(getRes.status).toBe(404);
+    });
+
+    it("should search services", async () => {
+      const { app } = createApp();
+      await app.request("/registry/services?domain=acme-store.com", {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${ADMIN_TOKEN}`,
+          "Content-Type": "text/markdown",
+        },
+        body: SKILL_MD,
+      });
+
+      const res = await app.request("/registry/services?q=products", {
+        headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+      });
+      expect(res.status).toBe(200);
+      const results = await res.json();
+      expect(results.length).toBeGreaterThan(0);
+    });
+
+    it("should reject missing domain parameter", async () => {
+      const { app } = createApp();
+      const res = await app.request("/registry/services", {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${ADMIN_TOKEN}`,
+          "Content-Type": "text/markdown",
+        },
+        body: SKILL_MD,
+      });
+      expect(res.status).toBe(400);
+    });
+  });
+
+  describe("Auth Token Route", () => {
+    it("should issue a JWT token", async () => {
+      const { app } = createApp();
+      const res = await app.request("/auth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          sub: "agent-1",
+          svc: "acme-store.com",
+          roles: ["agent"],
+        }),
+      });
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.token).toBeTruthy();
+      expect(typeof body.token).toBe("string");
+    });
+
+    it("should reject missing fields", async () => {
+      const { app } = createApp();
+      const res = await app.request("/auth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ sub: "agent-1" }),
+      });
+      expect(res.status).toBe(400);
+    });
+  });
+
+  describe("Agent Auth", () => {
+    it("should reject /execute without JWT", async () => {
+      const { app } = createApp();
+      const res = await app.request("/execute", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ command: "ls /" }),
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("should reject /fs/ without JWT", async () => {
+      const { app } = createApp();
+      const res = await app.request("/fs/");
+      expect(res.status).toBe(401);
+    });
+
+    it("should accept /execute with valid JWT", async () => {
+      const { app } = createApp();
+      const token = await createTestToken(keys.privateKey, {
+        sub: "agent-1",
+        roles: ["agent"],
+        svc: "gateway",
+      });
+
+      const res = await app.request("/execute", {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({ command: "ls /" }),
+      });
+      // Should succeed (200) even if empty - the request was authenticated
+      expect(res.status).toBe(200);
+    });
+  });
+});