@nkmc/gateway 0.1.0

package/test/http/byok-e2e.test.ts

@@ -0,0 +1,240 @@
+import { describe, it, expect, beforeAll, beforeEach, afterEach } from "vitest";
+import { createGateway } from "../../src/http/app.js";
+import { D1RegistryStore } from "../../src/registry/d1-store.js";
+import { D1CredentialVault } from "../../src/credential/d1-vault.js";
+import { SqliteD1 } from "../../src/testing/sqlite-d1.js";
+import { generateGatewayKeyPair, createTestToken } from "@nkmc/core/testing";
+import type { GatewayKeyPair } from "@nkmc/core";
+
+const ADMIN_TOKEN = "byok-e2e-admin";
+
+const SKILL_MD = `---
+name: "Secured API"
+gateway: nkmc
+version: "1.0"
+roles: [agent]
+---
+
+# Secured API
+
+An API that requires authentication.
+
+## Schema
+
+### data (read: agent)
+
+Some data.
+
+| field | type | description |
+|-------|------|-------------|
+| id | string | ID |
+
+## API
+
+### List data
+
+\`GET /api/data\` — agent
+
+Returns data.
+`;
+
+describe("BYOK E2E", () => {
+  let keys: GatewayKeyPair;
+  let encryptionKey: CryptoKey;
+
+  beforeAll(async () => {
+    keys = await generateGatewayKeyPair();
+    encryptionKey = await crypto.subtle.generateKey(
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["encrypt", "decrypt"],
+    );
+  });
+
+  let db: SqliteD1;
+  let store: D1RegistryStore;
+  let vault: D1CredentialVault;
+
+  beforeEach(async () => {
+    db = new SqliteD1();
+    store = new D1RegistryStore(db);
+    await store.initSchema();
+    vault = new D1CredentialVault(db, encryptionKey);
+    await vault.initSchema();
+  });
+
+  afterEach(() => {
+    db.close();
+  });
+
+  function createApp() {
+    return createGateway({
+      store,
+      vault,
+      gatewayPrivateKey: keys.privateKey,
+      gatewayPublicKey: keys.publicKey,
+      adminToken: ADMIN_TOKEN,
+    });
+  }
+
+  it("agent uploads BYOK → resolver uses BYOK credential over pool", async () => {
+    const app = createApp();
+
+    // 1. Register a service
+    await app.request("/registry/services?domain=secured-api.com", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${ADMIN_TOKEN}`,
+        "Content-Type": "text/markdown",
+      },
+      body: SKILL_MD,
+    });
+
+    // 2. Set a pool credential (shared fallback)
+    await app.request("/credentials/secured-api.com", {
+      method: "PUT",
+      headers: {
+        Authorization: `Bearer ${ADMIN_TOKEN}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ auth: { type: "bearer", token: "pool-token-shared" } }),
+    });
+
+    // 3. Agent obtains JWT
+    const authRes = await app.request("/auth/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ sub: "agent-byok-1", svc: "gateway", roles: ["agent"] }),
+    });
+    const { token: agentJwt } = (await authRes.json()) as { token: string };
+
+    // 4. Agent uploads BYOK credential
+    const byokRes = await app.request("/byok/secured-api.com", {
+      method: "PUT",
+      headers: {
+        Authorization: `Bearer ${agentJwt}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ auth: { type: "bearer", token: "byok-agent-secret" } }),
+    });
+    expect(byokRes.status).toBe(200);
+
+    // 5. Verify BYOK takes priority: vault.get(domain, agentId) → BYOK
+    const cred = await vault.get("secured-api.com", "agent-byok-1");
+    expect(cred).not.toBeNull();
+    expect(cred!.scope).toBe("byok");
+    expect(cred!.auth).toEqual({ type: "bearer", token: "byok-agent-secret" });
+
+    // 6. Verify pool still available for other agents
+    const poolCred = await vault.get("secured-api.com");
+    expect(poolCred!.scope).toBe("pool");
+    expect(poolCred!.auth).toEqual({ type: "bearer", token: "pool-token-shared" });
+  });
+
+  it("agent lists only their own BYOK domains", async () => {
+    const app = createApp();
+
+    // Two agents
+    const auth1 = await app.request("/auth/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ sub: "agent-a", svc: "gateway", roles: ["agent"] }),
+    });
+    const jwt1 = ((await auth1.json()) as { token: string }).token;
+
+    const auth2 = await app.request("/auth/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ sub: "agent-b", svc: "gateway", roles: ["agent"] }),
+    });
+    const jwt2 = ((await auth2.json()) as { token: string }).token;
+
+    // Agent A uploads 2 BYOK keys
+    for (const domain of ["api.openai.com", "api.github.com"]) {
+      await app.request(`/byok/${domain}`, {
+        method: "PUT",
+        headers: {
+          Authorization: `Bearer ${jwt1}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({ auth: { type: "bearer", token: `key-a-${domain}` } }),
+      });
+    }
+
+    // Agent B uploads 1 BYOK key
+    await app.request("/byok/api.stripe.com", {
+      method: "PUT",
+      headers: {
+        Authorization: `Bearer ${jwt2}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ auth: { type: "bearer", token: "key-b-stripe" } }),
+    });
+
+    // Agent A lists → sees only their 2 domains
+    const listA = await app.request("/byok", {
+      headers: { Authorization: `Bearer ${jwt1}` },
+    });
+    const bodyA = (await listA.json()) as { domains: string[] };
+    expect(bodyA.domains.sort()).toEqual(["api.github.com", "api.openai.com"]);
+
+    // Agent B lists → sees only their 1 domain
+    const listB = await app.request("/byok", {
+      headers: { Authorization: `Bearer ${jwt2}` },
+    });
+    const bodyB = (await listB.json()) as { domains: string[] };
+    expect(bodyB.domains).toEqual(["api.stripe.com"]);
+  });
+
+  it("agent deletes BYOK → falls back to pool", async () => {
+    const app = createApp();
+
+    // Pool credential
+    await vault.putPool("api.example.com", { type: "bearer", token: "pool-tok" });
+
+    // Agent JWT
+    const authRes = await app.request("/auth/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ sub: "agent-del", svc: "gateway", roles: ["agent"] }),
+    });
+    const jwt = ((await authRes.json()) as { token: string }).token;
+
+    // Upload BYOK
+    await app.request("/byok/api.example.com", {
+      method: "PUT",
+      headers: {
+        Authorization: `Bearer ${jwt}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ auth: { type: "bearer", token: "byok-tok" } }),
+    });
+
+    // BYOK takes priority
+    let cred = await vault.get("api.example.com", "agent-del");
+    expect(cred!.auth).toEqual({ type: "bearer", token: "byok-tok" });
+
+    // Delete BYOK
+    const delRes = await app.request("/byok/api.example.com", {
+      method: "DELETE",
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+    expect(delRes.status).toBe(200);
+
+    // Falls back to pool
+    cred = await vault.get("api.example.com", "agent-del");
+    expect(cred!.scope).toBe("pool");
+    expect(cred!.auth).toEqual({ type: "bearer", token: "pool-tok" });
+  });
+
+  it("BYOK requires agent auth — rejects unauthenticated requests", async () => {
+    const app = createApp();
+
+    const res = await app.request("/byok/api.example.com", {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ auth: { type: "bearer", token: "x" } }),
+    });
+    expect(res.status).toBe(401);
+  });
+});

package/test/http/byok.test.ts

@@ -0,0 +1,115 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { Hono } from "hono";
+import { byokRoutes } from "../../src/http/routes/byok.js";
+import { MemoryCredentialVault } from "../../src/credential/memory-vault.js";
+
+type Env = {
+  Variables: {
+    agent: { id: string; roles: string[] };
+  };
+};
+
+describe("BYOK Routes", () => {
+  let vault: MemoryCredentialVault;
+  let app: Hono<Env>;
+  const agentId = "agent-test-1";
+
+  beforeEach(() => {
+    vault = new MemoryCredentialVault();
+    app = new Hono<Env>();
+    // Simulate agentAuth middleware — inject agent context
+    app.use("/*", async (c, next) => {
+      c.set("agent", { id: agentId, roles: ["agent"] });
+      await next();
+    });
+    app.route("/byok", byokRoutes({ vault }));
+  });
+
+  it("should upload BYOK credential via PUT", async () => {
+    const res = await app.request("/byok/api.openai.com", {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ auth: { type: "bearer", token: "sk-test-123" } }),
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as any;
+    expect(body.ok).toBe(true);
+
+    // Verify credential is stored as BYOK for this agent
+    const cred = await vault.get("api.openai.com", agentId);
+    expect(cred).not.toBeNull();
+    expect(cred!.scope).toBe("byok");
+    expect(cred!.developerId).toBe(agentId);
+    expect(cred!.auth).toEqual({ type: "bearer", token: "sk-test-123" });
+  });
+
+  it("should list only this agent's BYOK domains", async () => {
+    // Agent's BYOK
+    await vault.putByok("api.openai.com", agentId, {
+      type: "bearer",
+      token: "sk-1",
+    });
+    // Another agent's BYOK
+    await vault.putByok("api.github.com", "agent-other", {
+      type: "bearer",
+      token: "ghp-1",
+    });
+    // Pool credential (should not appear)
+    await vault.putPool("api.stripe.com", {
+      type: "bearer",
+      token: "sk_pool",
+    });
+
+    const res = await app.request("/byok");
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as any;
+    expect(body.domains).toContain("api.openai.com");
+    expect(body.domains).not.toContain("api.github.com");
+    expect(body.domains).not.toContain("api.stripe.com");
+  });
+
+  it("should delete agent's BYOK credential", async () => {
+    await vault.putByok("api.openai.com", agentId, {
+      type: "bearer",
+      token: "sk-1",
+    });
+
+    const res = await app.request("/byok/api.openai.com", {
+      method: "DELETE",
+    });
+    expect(res.status).toBe(200);
+
+    // BYOK should be gone
+    const cred = await vault.get("api.openai.com", agentId);
+    // Should fall back to pool (which doesn't exist), so null
+    expect(cred).toBeNull();
+  });
+
+  it("should reject missing auth.type", async () => {
+    const res = await app.request("/byok/api.openai.com", {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ auth: {} }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("BYOK should take priority over pool in vault.get()", async () => {
+    await vault.putPool("api.openai.com", {
+      type: "bearer",
+      token: "pool-token",
+    });
+    await vault.putByok("api.openai.com", agentId, {
+      type: "bearer",
+      token: "byok-token",
+    });
+
+    // With developerId → BYOK
+    const byok = await vault.get("api.openai.com", agentId);
+    expect(byok!.auth).toEqual({ type: "bearer", token: "byok-token" });
+
+    // Without developerId → pool
+    const pool = await vault.get("api.openai.com");
+    expect(pool!.auth).toEqual({ type: "bearer", token: "pool-token" });
+  });
+});

package/test/http/credentials.test.ts

@@ -0,0 +1,57 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { Hono } from "hono";
+import { credentialRoutes } from "../../src/http/routes/credentials.js";
+import { MemoryCredentialVault } from "../../src/credential/memory-vault.js";
+
+describe("Credential Routes", () => {
+  let vault: MemoryCredentialVault;
+  let app: Hono;
+
+  beforeEach(() => {
+    vault = new MemoryCredentialVault();
+    app = new Hono();
+    app.route("/credentials", credentialRoutes({ vault }));
+  });
+
+  it("should set pool credential via PUT", async () => {
+    const res = await app.request("/credentials/api.example.com", {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ auth: { type: "bearer", token: "tok_123" } }),
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body.ok).toBe(true);
+
+    const cred = await vault.get("api.example.com");
+    expect(cred!.auth).toEqual({ type: "bearer", token: "tok_123" });
+  });
+
+  it("should list domains with credentials", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "tok" });
+    await vault.putPool("other.com", { type: "bearer", token: "tok2" });
+
+    const res = await app.request("/credentials");
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body.domains).toContain("api.example.com");
+    expect(body.domains).toContain("other.com");
+  });
+
+  it("should delete credential", async () => {
+    await vault.putPool("api.example.com", { type: "bearer", token: "tok" });
+    const res = await app.request("/credentials/api.example.com", { method: "DELETE" });
+    expect(res.status).toBe(200);
+
+    expect(await vault.get("api.example.com")).toBeNull();
+  });
+
+  it("should reject missing auth.type", async () => {
+    const res = await app.request("/credentials/api.example.com", {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ auth: {} }),
+    });
+    expect(res.status).toBe(400);
+  });
+});

package/test/http/e2e.test.ts

@@ -0,0 +1,260 @@
+import { describe, it, expect, beforeAll, beforeEach, afterEach } from "vitest";
+import { createGateway } from "../../src/http/app.js";
+import { D1RegistryStore } from "../../src/registry/d1-store.js";
+import { SqliteD1 } from "../../src/testing/sqlite-d1.js";
+import { generateGatewayKeyPair, createTestToken } from "@nkmc/core/testing";
+import type { GatewayKeyPair } from "@nkmc/core";
+
+const SKILL_MD = `---
+name: "Acme Store"
+gateway: nkmc
+version: "1.0"
+roles: [agent]
+---
+
+# Acme Store
+
+E-commerce service for products and orders.
+
+## Schema
+
+### products (read: public / write: agent)
+
+Product catalog
+
+| field | type | description |
+|-------|------|-------------|
+| id | string | Product ID |
+| name | string | Product name |
+| price | number | Price in USD |
+
+## API
+
+### List products
+
+\`GET /api/products\` — public
+
+Returns all products.
+
+### Create order
+
+\`POST /api/orders\` — 0.05 USDC / call, agent
+
+Creates a new order.
+`;
+
+const ADMIN_TOKEN = "e2e-admin-secret";
+
+describe("Gateway E2E", () => {
+  let keys: GatewayKeyPair;
+
+  beforeAll(async () => {
+    keys = await generateGatewayKeyPair();
+  });
+
+  let db: SqliteD1;
+  let store: D1RegistryStore;
+
+  beforeEach(async () => {
+    db = new SqliteD1();
+    store = new D1RegistryStore(db);
+    await store.initSchema();
+  });
+
+  afterEach(() => {
+    db.close();
+  });
+
+  function createApp() {
+    return createGateway({
+      store,
+      gatewayPrivateKey: keys.privateKey,
+      gatewayPublicKey: keys.publicKey,
+      adminToken: ADMIN_TOKEN,
+    });
+  }
+
+  it("full flow: register → list → auth → execute → fs", async () => {
+    const app = createApp();
+
+    // 1. Admin: Register service via skill.md
+    const registerRes = await app.request(
+      "/registry/services?domain=acme-store.com",
+      {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${ADMIN_TOKEN}`,
+          "Content-Type": "text/markdown",
+        },
+        body: SKILL_MD,
+      },
+    );
+    expect(registerRes.status).toBe(201);
+    const registerBody = await registerRes.json();
+    expect(registerBody).toEqual({
+      ok: true,
+      domain: "acme-store.com",
+      name: "Acme Store",
+    });
+
+    // 2. Admin: List services and verify
+    const listRes = await app.request("/registry/services", {
+      headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+    });
+    expect(listRes.status).toBe(200);
+    const list = (await listRes.json()) as Array<{ domain: string }>;
+    expect(list).toHaveLength(1);
+    expect(list[0].domain).toBe("acme-store.com");
+
+    // 3. Admin: Get service details
+    const detailRes = await app.request(
+      "/registry/services/acme-store.com",
+      {
+        headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+      },
+    );
+    expect(detailRes.status).toBe(200);
+    const detail = (await detailRes.json()) as {
+      domain: string;
+      name: string;
+      endpoints: Array<{ method: string; path: string }>;
+    };
+    expect(detail.name).toBe("Acme Store");
+    expect(detail.endpoints.length).toBeGreaterThan(0);
+
+    // 4. Auth: Obtain agent JWT
+    const authRes = await app.request("/auth/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        sub: "agent-42",
+        svc: "acme-store.com",
+        roles: ["agent"],
+      }),
+    });
+    expect(authRes.status).toBe(200);
+    const { token } = (await authRes.json()) as { token: string };
+    expect(token).toBeTruthy();
+
+    // 5. Agent: Execute ls / (shows registered domains)
+    const execRes = await app.request("/execute", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ command: "ls /" }),
+    });
+    expect(execRes.status).toBe(200);
+    const execBody = (await execRes.json()) as {
+      ok: boolean;
+      data: string[];
+    };
+    expect(execBody.ok).toBe(true);
+    // ls returns domain names with trailing slash
+    expect(execBody.data).toContain("acme-store.com/");
+
+    // 6. Agent: GET /fs/ (list root via REST)
+    const fsRootRes = await app.request("/fs/", {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    expect(fsRootRes.status).toBe(200);
+    const fsRootBody = (await fsRootRes.json()) as {
+      ok: boolean;
+      data: string[];
+    };
+    expect(fsRootBody.ok).toBe(true);
+    expect(fsRootBody.data).toContain("acme-store.com/");
+  });
+
+  it("should persist services across requests via D1", async () => {
+    const app = createApp();
+
+    // Register two services
+    for (const domain of ["svc-a.com", "svc-b.com"]) {
+      const md = `---\nname: ${domain}\ngateway: nkmc\nversion: "1.0"\nroles: [agent]\n---\n# ${domain}\nService ${domain}.`;
+      await app.request(`/registry/services?domain=${domain}`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${ADMIN_TOKEN}`,
+          "Content-Type": "text/markdown",
+        },
+        body: md,
+      });
+    }
+
+    // Verify both exist
+    const listRes = await app.request("/registry/services", {
+      headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+    });
+    const list = (await listRes.json()) as Array<{ domain: string }>;
+    expect(list).toHaveLength(2);
+    expect(list.map((s) => s.domain).sort()).toEqual(["svc-a.com", "svc-b.com"]);
+
+    // Delete one
+    await app.request("/registry/services/svc-a.com", {
+      method: "DELETE",
+      headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+    });
+
+    // Verify only one remains
+    const listRes2 = await app.request("/registry/services", {
+      headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+    });
+    const list2 = (await listRes2.json()) as Array<{ domain: string }>;
+    expect(list2).toHaveLength(1);
+    expect(list2[0].domain).toBe("svc-b.com");
+  });
+
+  it("should search services via registry", async () => {
+    const app = createApp();
+
+    // Register with specific description
+    await app.request(
+      "/registry/services?domain=weather.io",
+      {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${ADMIN_TOKEN}`,
+          "Content-Type": "text/markdown",
+        },
+        body: `---\nname: Weather API\ngateway: nkmc\nversion: "1.0"\nroles: [agent]\n---\n# Weather API\nWeather forecasts and climate data.`,
+      },
+    );
+
+    await app.request(
+      "/registry/services?domain=shop.io",
+      {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${ADMIN_TOKEN}`,
+          "Content-Type": "text/markdown",
+        },
+        body: `---\nname: Shop API\ngateway: nkmc\nversion: "1.0"\nroles: [agent]\n---\n# Shop API\nOnline shopping platform.`,
+      },
+    );
+
+    // Search for weather
+    const searchRes = await app.request("/registry/services?q=weather", {
+      headers: { Authorization: `Bearer ${ADMIN_TOKEN}` },
+    });
+    expect(searchRes.status).toBe(200);
+    const results = (await searchRes.json()) as Array<{ domain: string }>;
+    expect(results).toHaveLength(1);
+    expect(results[0].domain).toBe("weather.io");
+  });
+
+  it("should reject agent requests with invalid JWT", async () => {
+    const app = createApp();
+
+    const res = await app.request("/execute", {
+      method: "POST",
+      headers: {
+        Authorization: "Bearer invalid-token",
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ command: "ls /" }),
+    });
+    expect(res.status).toBe(401);
+  });
+});