@nkmc/gateway 0.1.0

package/dist/http.cjs

@@ -0,0 +1,1772 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/http.ts
+var http_exports = {};
+__export(http_exports, {
+  adminAuth: () => adminAuth,
+  agentAuth: () => agentAuth,
+  authRoutes: () => authRoutes,
+  createGateway: () => createGateway,
+  domainRoutes: () => domainRoutes,
+  fsRoutes: () => fsRoutes,
+  publishOrAdminAuth: () => publishOrAdminAuth,
+  registryRoutes: () => registryRoutes,
+  tunnelRoutes: () => tunnelRoutes
+});
+module.exports = __toCommonJS(http_exports);
+
+// src/http/app.ts
+var import_hono11 = require("hono");
+var import_agent_fs2 = require("@nkmc/agent-fs");
+
+// src/registry/resolver.ts
+var import_agent_fs = require("@nkmc/agent-fs");
+var import_core = require("@nkmc/core");
+
+// src/registry/skill-to-config.ts
+function skillToHttpConfig(record) {
+  let baseUrl = `https://${record.domain}`;
+  if (record.source?.basePath) {
+    baseUrl += record.source.basePath;
+  }
+  const resources = extractResources(record.skillMd);
+  const endpoints = extractHttpEndpoints(record.skillMd);
+  return {
+    baseUrl,
+    resources,
+    endpoints
+  };
+}
+function extractResources(skillMd) {
+  const resources = [];
+  const lines = skillMd.split("\n");
+  let inSchema = false;
+  let current = null;
+  for (const line of lines) {
+    if (line.startsWith("## Schema")) {
+      inSchema = true;
+      continue;
+    }
+    if (inSchema && line.startsWith("## ") && !line.startsWith("## Schema")) {
+      break;
+    }
+    if (!inSchema) continue;
+    const tableMatch = line.match(/^### (\w+)\s/);
+    if (tableMatch) {
+      if (current) resources.push(toHttpResource(current));
+      current = { name: tableMatch[1], fields: [] };
+      continue;
+    }
+    if (current && line.startsWith("|") && !line.startsWith("|--") && !line.startsWith("| field")) {
+      const cells = line.split("|").map((c) => c.trim()).filter(Boolean);
+      if (cells.length >= 3) {
+        current.fields.push({
+          name: cells[0],
+          type: cells[1],
+          description: cells[2]
+        });
+      }
+    }
+  }
+  if (current) resources.push(toHttpResource(current));
+  return resources;
+}
+function toHttpResource(parsed) {
+  return {
+    name: parsed.name,
+    apiPath: `/${parsed.name}`,
+    fields: parsed.fields
+  };
+}
+function extractHttpEndpoints(skillMd) {
+  const endpoints = [];
+  const lines = skillMd.split("\n");
+  let inApi = false;
+  let currentHeading = null;
+  for (const line of lines) {
+    if (line.startsWith("## API")) {
+      inApi = true;
+      continue;
+    }
+    if (inApi && line.startsWith("## ") && !line.startsWith("## API")) {
+      break;
+    }
+    if (!inApi) continue;
+    if (line.startsWith("### ")) {
+      currentHeading = line.slice(4).trim();
+      continue;
+    }
+    const match = line.match(/^`(GET|POST|PUT|PATCH|DELETE)\s+(\S+)`/);
+    if (match && currentHeading) {
+      const slug = currentHeading.toLowerCase().replace(/\s+/g, "-");
+      endpoints.push({
+        name: slug,
+        method: match[1],
+        apiPath: match[2],
+        description: currentHeading
+      });
+      currentHeading = null;
+    }
+  }
+  return endpoints;
+}
+function skillToRpcConfig(meta) {
+  const resources = meta.resources.map((r) => {
+    const methods = {};
+    const builder = getParamsBuilder(meta.convention);
+    for (const [fsOp, rpcMethod] of Object.entries(r.methods)) {
+      const key = fsOp;
+      methods[key] = {
+        method: rpcMethod,
+        params: builder(key)
+      };
+    }
+    const resource = {
+      name: r.name,
+      ...r.idField ? { idField: r.idField } : {},
+      methods
+    };
+    if (meta.convention === "evm") {
+      resource.transform = buildEvmTransforms(r.name);
+    }
+    return resource;
+  });
+  return { resources };
+}
+function getParamsBuilder(convention) {
+  switch (convention) {
+    case "crud":
+      return crudParamsBuilder;
+    case "evm":
+      return evmParamsBuilder;
+    case "raw":
+    default:
+      return rawParamsBuilder;
+  }
+}
+function rawParamsBuilder(_fsOp) {
+  return (ctx) => {
+    if (ctx.data !== void 0) return [ctx.data];
+    if (ctx.id !== void 0) return [ctx.id];
+    return [];
+  };
+}
+function crudParamsBuilder(fsOp) {
+  switch (fsOp) {
+    case "list":
+      return () => [];
+    case "read":
+      return (ctx) => [ctx.id];
+    case "write":
+      return (ctx) => [ctx.id, ctx.data];
+    case "create":
+      return (ctx) => [ctx.data];
+    case "remove":
+      return (ctx) => [ctx.id];
+    case "search":
+      return (ctx) => [ctx.pattern];
+    default:
+      return () => [];
+  }
+}
+function evmParamsBuilder(fsOp) {
+  switch (fsOp) {
+    case "list":
+      return () => [];
+    case "read":
+      return (ctx) => {
+        const id = ctx.id;
+        const hexId = /^\d+$/.test(id) ? "0x" + Number(id).toString(16) : id;
+        return [hexId, "latest"];
+      };
+    default:
+      return rawParamsBuilder(fsOp);
+  }
+}
+function buildEvmTransforms(resourceName) {
+  const transform = {};
+  if (resourceName === "blocks") {
+    transform.list = (data) => {
+      const hex = String(data);
+      const latest = parseInt(hex, 16);
+      if (isNaN(latest)) return [];
+      return Array.from({ length: 10 }, (_, i) => `${latest - i}.json`);
+    };
+  }
+  if (resourceName === "balances") {
+    transform.read = (data) => {
+      const hex = String(data);
+      return { wei: hex, raw: hex };
+    };
+  }
+  return Object.keys(transform).length > 0 ? transform : void 0;
+}
+
+// src/registry/virtual-files.ts
+var VIRTUAL_FILES = ["_pricing.json", "_versions.json", "skill.md"];
+var VirtualFileBackend = class {
+  inner;
+  domain;
+  store;
+  constructor(options) {
+    this.inner = options.inner;
+    this.domain = options.domain;
+    this.store = options.store;
+  }
+  async list(path) {
+    const entries = await this.inner.list(path);
+    if (path === "/" || path === "" || path === ".") {
+      return [...entries, ...VIRTUAL_FILES];
+    }
+    return entries;
+  }
+  async read(path) {
+    const cleaned = path.replace(/^\/+/, "").replace(/\/+$/, "");
+    if (cleaned === "_pricing.json") {
+      const record = await this.store.get(this.domain);
+      if (!record) return { endpoints: [] };
+      return {
+        domain: this.domain,
+        endpoints: record.endpoints.filter((ep) => ep.pricing).map((ep) => ({
+          method: ep.method,
+          path: ep.path,
+          description: ep.description,
+          pricing: ep.pricing
+        }))
+      };
+    }
+    if (cleaned === "_versions.json") {
+      const versions = await this.store.listVersions(this.domain);
+      return { domain: this.domain, versions };
+    }
+    if (cleaned === "skill.md") {
+      const record = await this.store.get(this.domain);
+      if (!record) return "# Not found\n";
+      return record.skillMd;
+    }
+    return this.inner.read(path);
+  }
+  async write(path, data) {
+    return this.inner.write(path, data);
+  }
+  async remove(path) {
+    return this.inner.remove(path);
+  }
+  async search(path, pattern) {
+    return this.inner.search(path, pattern);
+  }
+};
+
+// src/federation/peer-backend.ts
+var PeerBackend = class {
+  constructor(client, peer, agentId) {
+    this.client = client;
+    this.peer = peer;
+    this.agentId = agentId;
+  }
+  async list(path) {
+    const result = await this.execOnPeer(`ls ${path}`);
+    return result.data ?? [];
+  }
+  async read(path) {
+    const result = await this.execOnPeer(`cat ${path}`);
+    return result.data;
+  }
+  async write(path, data) {
+    const result = await this.execOnPeer(
+      `write ${path} ${JSON.stringify(data)}`
+    );
+    return result.data ?? { id: "" };
+  }
+  async remove(path) {
+    await this.execOnPeer(`rm ${path}`);
+  }
+  async search(path, pattern) {
+    const result = await this.execOnPeer(`grep ${pattern} ${path}`);
+    return result.data ?? [];
+  }
+  async execOnPeer(command) {
+    const result = await this.client.exec(this.peer, {
+      command,
+      agentId: this.agentId
+    });
+    if (!result.ok) {
+      if (result.paymentRequired) {
+        throw new Error(
+          `Payment required: ${result.paymentRequired.price} ${result.paymentRequired.currency}`
+        );
+      }
+      throw new Error(result.error ?? "Peer execution failed");
+    }
+    return result;
+  }
+};
+
+// src/registry/resolver.ts
+function createRegistryResolver(storeOrOptions) {
+  const options = "get" in storeOrOptions && "put" in storeOrOptions ? { store: storeOrOptions } : storeOrOptions;
+  const { store, vault, gatewayPrivateKey } = options;
+  const loaded = /* @__PURE__ */ new Set();
+  async function tryPeerFallback(domain, version, addMount, agent) {
+    if (!options.peerClient || !options.peerStore) return false;
+    const peers = await options.peerStore.listPeers();
+    for (const peer of peers) {
+      if (peer.advertisedDomains.length > 0 && !peer.advertisedDomains.includes(domain)) {
+        continue;
+      }
+      const result = await options.peerClient.query(peer, domain);
+      if (result.available) {
+        const peerBackend = new PeerBackend(options.peerClient, peer, agent?.id ?? "anonymous");
+        const mountPath = version ? `/${domain}@${version}` : `/${domain}`;
+        addMount({ path: mountPath, backend: peerBackend });
+        return true;
+      }
+    }
+    return false;
+  }
+  async function onMiss(path, addMount, agent) {
+    const { domain, version } = extractDomainPath(path);
+    if (!domain) return false;
+    const cacheKey = version ? `${domain}@${version}` : domain;
+    const record = version ? await store.getVersion(domain, version) : await store.get(domain);
+    if (!record) {
+      return tryPeerFallback(domain, version, addMount, agent);
+    }
+    const isNkmcJwt = record.authMode === "nkmc-jwt";
+    if (!isNkmcJwt && loaded.has(cacheKey)) return false;
+    if (record.status === "sunset") return false;
+    let auth;
+    if (isNkmcJwt && gatewayPrivateKey && agent) {
+      const token = await (0, import_core.signJwt)(gatewayPrivateKey, {
+        sub: agent.id,
+        roles: agent.roles,
+        svc: domain
+      }, { expiresIn: "5m" });
+      auth = { type: "bearer", token };
+    } else if (vault) {
+      const cred = await vault.get(domain, agent?.id);
+      if (cred) {
+        auth = cred.auth;
+      }
+    }
+    if (!auth && !isNkmcJwt) {
+      const peerMounted = await tryPeerFallback(domain, version, addMount, agent);
+      if (peerMounted) return true;
+    }
+    let backend;
+    if (record.source?.type === "jsonrpc" && record.source.rpc) {
+      const { resources } = skillToRpcConfig(record.source.rpc);
+      const headers = {};
+      if (auth) {
+        if (auth.type === "bearer") {
+          headers["Authorization"] = `${auth.prefix ?? "Bearer"} ${auth.token}`;
+        } else if (auth.type === "api-key") {
+          headers[auth.header] = auth.key;
+        }
+      }
+      const transport = new import_agent_fs.JsonRpcTransport({ url: record.source.rpc.rpcUrl, headers });
+      backend = new import_agent_fs.RpcBackend({ transport, resources });
+    } else {
+      const config = skillToHttpConfig(record);
+      config.auth = auth;
+      backend = new import_agent_fs.HttpBackend(config);
+    }
+    let finalBackend = backend;
+    if (options.wrapVirtualFiles !== false) {
+      finalBackend = new VirtualFileBackend({ inner: backend, domain, store: options.store });
+    }
+    const mountPath = version ? `/${domain}@${version}` : `/${domain}`;
+    addMount({ path: mountPath, backend: finalBackend });
+    if (!isNkmcJwt) {
+      loaded.add(cacheKey);
+    }
+    return true;
+  }
+  async function listDomains() {
+    const summaries = await store.list();
+    return summaries.map((s) => s.domain);
+  }
+  async function searchDomains(query) {
+    return store.search(query);
+  }
+  async function searchEndpoints(domain, query) {
+    const record = await store.get(domain);
+    if (!record) return [];
+    const q = query.toLowerCase();
+    return record.endpoints.filter(
+      (e) => e.description.toLowerCase().includes(q) || e.method.toLowerCase().includes(q) || e.path.toLowerCase().includes(q)
+    ).map((e) => ({ method: e.method, path: e.path, description: e.description }));
+  }
+  return { onMiss, listDomains, searchDomains, searchEndpoints };
+}
+function extractDomainPath(path) {
+  const segments = path.split("/").filter(Boolean);
+  if (segments.length === 0) return { domain: null, version: null };
+  const first = segments[0];
+  const atIndex = first.indexOf("@");
+  if (atIndex > 0) {
+    return {
+      domain: first.slice(0, atIndex),
+      version: first.slice(atIndex + 1)
+    };
+  }
+  return { domain: first, version: null };
+}
+
+// src/registry/context7.ts
+var Context7Client = class {
+  apiKey;
+  baseUrl;
+  fetchFn;
+  constructor(options) {
+    this.apiKey = options?.apiKey;
+    this.baseUrl = options?.baseUrl ?? "https://context7.com/api/v2";
+    this.fetchFn = options?.fetchFn ?? globalThis.fetch.bind(globalThis);
+  }
+  /** Search for a library by name. Returns matching library entries. */
+  async searchLibraries(libraryName, query) {
+    const params = new URLSearchParams({ libraryName });
+    if (query) params.set("query", query);
+    const resp = await this.fetchFn(`${this.baseUrl}/libs/search?${params}`, {
+      headers: this.headers()
+    });
+    if (!resp.ok) throw new Error(`Context7 search failed: ${resp.status}`);
+    return resp.json();
+  }
+  /** Query documentation for a specific library. Returns documentation text. */
+  async queryDocs(libraryId, query) {
+    const params = new URLSearchParams({ libraryId, query, type: "txt" });
+    const resp = await this.fetchFn(`${this.baseUrl}/context?${params}`, {
+      headers: this.headers()
+    });
+    if (!resp.ok) throw new Error(`Context7 query failed: ${resp.status}`);
+    return resp.text();
+  }
+  headers() {
+    const h = {};
+    if (this.apiKey) h["Authorization"] = `Bearer ${this.apiKey}`;
+    return h;
+  }
+};
+
+// src/registry/context7-backend.ts
+var Context7Backend = class {
+  client;
+  constructor(options) {
+    this.client = new Context7Client(options);
+  }
+  async list(path) {
+    const cleaned = path.replace(/^\/+/, "").replace(/\/+$/, "");
+    if (!cleaned) {
+      return [
+        'grep "<\u5173\u952E\u8BCD>" /context7/     \u2014 \u641C\u7D22\u5E93',
+        'grep "<\u95EE\u9898>" /context7/{id}   \u2014 \u67E5\u8BE2\u6587\u6863',
+        "cat /context7/{owner}/{repo}   \u2014 \u5E93\u6982\u89C8"
+      ];
+    }
+    return ['grep "<\u95EE\u9898>" /context7/' + cleaned + " \u2014 \u67E5\u8BE2\u6B64\u5E93\u6587\u6863"];
+  }
+  async read(path) {
+    const libraryId = parseLibraryId(path);
+    if (!libraryId) {
+      return { usage: 'grep "<\u5173\u952E\u8BCD>" /context7/ \u2014 \u641C\u7D22\u5E93' };
+    }
+    const name = libraryId.split("/").pop() ?? libraryId;
+    const docs = await this.client.queryDocs(libraryId, `${name} overview getting started`);
+    return { libraryId, docs };
+  }
+  async write(_path, _data) {
+    throw new Error("context7 is read-only");
+  }
+  async remove(_path) {
+    throw new Error("context7 is read-only");
+  }
+  async search(path, pattern) {
+    const cleaned = path.replace(/^\/+/, "").replace(/\/+$/, "");
+    if (!cleaned) {
+      const results = await this.client.searchLibraries(pattern);
+      return results.map(formatSearchResult);
+    }
+    const libraryId = parseLibraryId(path);
+    if (!libraryId) return [];
+    const docs = await this.client.queryDocs(libraryId, pattern);
+    if (!docs) return [];
+    return [{ libraryId, query: pattern, docs }];
+  }
+};
+function parseLibraryId(path) {
+  const cleaned = path.replace(/^\/+/, "").replace(/\/+$/, "");
+  if (!cleaned) return null;
+  const parts = cleaned.split("/");
+  if (parts.length < 2) return null;
+  return "/" + parts.slice(0, 2).join("/");
+}
+function formatSearchResult(r) {
+  return {
+    id: r.id,
+    name: r.name,
+    description: r.description ?? "",
+    snippets: r.totalSnippets ?? 0
+  };
+}
+
+// src/http/middleware/admin-auth.ts
+var import_factory = require("hono/factory");
+function adminAuth(adminToken) {
+  return (0, import_factory.createMiddleware)(async (c, next) => {
+    const auth = c.req.header("Authorization");
+    if (!auth || !auth.startsWith("Bearer ")) {
+      return c.json({ error: "Missing Authorization header" }, 401);
+    }
+    const token = auth.slice(7);
+    if (token !== adminToken) {
+      return c.json({ error: "Invalid admin token" }, 403);
+    }
+    await next();
+  });
+}
+
+// src/http/middleware/publish-auth.ts
+var import_factory2 = require("hono/factory");
+var import_core2 = require("@nkmc/core");
+function publishOrAdminAuth(adminToken, publicKey) {
+  return (0, import_factory2.createMiddleware)(async (c, next) => {
+    const auth = c.req.header("Authorization");
+    if (!auth || !auth.startsWith("Bearer ")) {
+      return c.json({ error: "Missing Authorization header" }, 401);
+    }
+    const token = auth.slice(7);
+    if (token === adminToken) {
+      c.set("publishAuth", { type: "admin" });
+      return next();
+    }
+    try {
+      const payload = await (0, import_core2.verifyPublishToken)(token, publicKey);
+      c.set("publishAuth", { type: "publish", domain: payload.sub });
+      return next();
+    } catch {
+      return c.json({ error: "Invalid token" }, 403);
+    }
+  });
+}
+
+// src/http/middleware/agent-auth.ts
+var import_factory3 = require("hono/factory");
+var import_core3 = require("@nkmc/core");
+function agentAuth(publicKey) {
+  return (0, import_factory3.createMiddleware)(async (c, next) => {
+    const auth = c.req.header("Authorization");
+    if (!auth || !auth.startsWith("Bearer ")) {
+      return c.json({ error: "Missing Authorization header" }, 401);
+    }
+    const token = auth.slice(7);
+    try {
+      const payload = await (0, import_core3.verifyJwt)(token, publicKey);
+      c.set("agent", { id: payload.sub, roles: payload.roles });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Invalid token";
+      if (message.includes("exp") || message.includes("expired")) {
+        return c.json({ error: "Token has expired" }, 401);
+      }
+      return c.json({ error: "Invalid token" }, 401);
+    }
+    await next();
+  });
+}
+
+// src/http/routes/auth.ts
+var import_hono = require("hono");
+var import_core4 = require("@nkmc/core");
+function authRoutes(options) {
+  const app = new import_hono.Hono();
+  app.post("/token", async (c) => {
+    const body = await c.req.json();
+    if (!body.sub || !body.svc) {
+      return c.json({ error: "Missing required fields: sub, svc" }, 400);
+    }
+    const token = await (0, import_core4.signJwt)(
+      options.privateKey,
+      {
+        sub: body.sub,
+        roles: body.roles ?? ["agent"],
+        svc: body.svc
+      },
+      body.expiresIn ? { expiresIn: body.expiresIn } : void 0
+    );
+    return c.json({ token });
+  });
+  return app;
+}
+
+// src/http/routes/registry.ts
+var import_hono2 = require("hono");
+
+// src/registry/skill-parser.ts
+var import_yaml = require("yaml");
+function parseSkillMd(domain, raw, options) {
+  const { frontmatter, body } = extractFrontmatter(raw);
+  const parsed = (0, import_yaml.parse)(frontmatter) ?? {};
+  const description = extractDescription(body);
+  const endpoints = extractEndpoints(body);
+  const now = Date.now();
+  return {
+    domain,
+    name: parsed.name ?? domain,
+    description,
+    version: parsed.version ?? "0.0",
+    roles: parsed.roles ?? ["agent"],
+    skillMd: raw,
+    endpoints,
+    isFirstParty: options?.isFirstParty ?? false,
+    createdAt: now,
+    updatedAt: now,
+    status: "active",
+    isDefault: true
+  };
+}
+function parsePricingAnnotation(text) {
+  const match = text.match(
+    /(\d+(?:\.\d+)?)\s+(\w+)\s*\/\s*(call|byte|minute|次)/i
+  );
+  if (!match) return void 0;
+  return {
+    cost: parseFloat(match[1]),
+    currency: match[2].toUpperCase(),
+    per: match[3] === "\u6B21" ? "call" : match[3].toLowerCase()
+  };
+}
+function extractFrontmatter(raw) {
+  const match = raw.match(/^---\n([\s\S]*?)\n---\n([\s\S]*)$/);
+  if (!match) return { frontmatter: "", body: raw };
+  return { frontmatter: match[1], body: match[2] };
+}
+function extractDescription(body) {
+  const lines = body.split("\n");
+  let foundTitle = false;
+  const descLines = [];
+  for (const line of lines) {
+    if (!foundTitle) {
+      if (line.startsWith("# ")) foundTitle = true;
+      continue;
+    }
+    if (line.startsWith("## ")) break;
+    const trimmed = line.trim();
+    if (trimmed === "" && descLines.length > 0) break;
+    if (trimmed !== "") descLines.push(trimmed);
+  }
+  return descLines.join(" ");
+}
+function extractEndpoints(body) {
+  const endpoints = [];
+  const lines = body.split("\n");
+  let inApiSection = false;
+  let currentHeading = null;
+  for (const line of lines) {
+    if (line.startsWith("## API")) {
+      inApiSection = true;
+      continue;
+    }
+    if (inApiSection && line.startsWith("## ") && !line.startsWith("## API")) {
+      break;
+    }
+    if (!inApiSection) continue;
+    if (line.startsWith("### ")) {
+      currentHeading = line.slice(4).trim();
+      continue;
+    }
+    const endpointMatch = line.match(/^`(GET|POST|PUT|PATCH|DELETE)\s+(\S+)`/);
+    if (endpointMatch && currentHeading) {
+      const afterBacktick = line.slice(line.indexOf("`", 1) + 1).trim();
+      const pricing = afterBacktick.startsWith("\u2014") ? parsePricingAnnotation(afterBacktick.slice(1).trim()) : void 0;
+      endpoints.push({
+        method: endpointMatch[1],
+        path: endpointMatch[2],
+        description: currentHeading,
+        ...pricing ? { pricing } : {}
+      });
+      currentHeading = null;
+    }
+  }
+  return endpoints;
+}
+
+// src/registry/openapi-compiler.ts
+var import_yaml2 = __toESM(require("yaml"), 1);
+function extractBasePath(spec) {
+  const servers = spec.servers;
+  if (!Array.isArray(servers) || servers.length === 0) return "";
+  const serverUrl = servers[0]?.url;
+  if (!serverUrl || typeof serverUrl !== "string") return "";
+  try {
+    if (serverUrl.startsWith("/")) {
+      return serverUrl.replace(/\/+$/, "");
+    }
+    const parsed = new URL(serverUrl);
+    const pathname = parsed.pathname.replace(/\/+$/, "");
+    return pathname || "";
+  } catch {
+    return "";
+  }
+}
+function resolveRef(spec, ref) {
+  if (!ref.startsWith("#/")) return void 0;
+  const parts = ref.slice(2).split("/");
+  let current = spec;
+  for (const part of parts) {
+    if (current == null || typeof current !== "object") return void 0;
+    current = current[part];
+  }
+  return current;
+}
+function resolveSchema(spec, schema) {
+  if (!schema) return void 0;
+  if (schema.$ref) return resolveRef(spec, schema.$ref);
+  return schema;
+}
+function extractProperties(spec, schema) {
+  const resolved = resolveSchema(spec, schema);
+  if (!resolved || resolved.type !== "object" || !resolved.properties) return [];
+  const requiredSet = new Set(resolved.required ?? []);
+  const props = [];
+  for (const [name, prop] of Object.entries(resolved.properties)) {
+    const p = resolveSchema(spec, prop) ?? prop;
+    props.push({
+      name,
+      type: p.type ?? (p.enum ? "enum" : "unknown"),
+      required: requiredSet.has(name),
+      ...p.description ? { description: p.description } : {}
+    });
+  }
+  return props;
+}
+function extractParams(spec, operation) {
+  const params = operation.parameters;
+  if (!Array.isArray(params) || params.length === 0) return void 0;
+  const result = [];
+  for (const raw of params) {
+    const p = resolveSchema(spec, raw) ?? raw;
+    if (!p.name || !p.in) continue;
+    if (!["path", "query", "header"].includes(p.in)) continue;
+    const schema = resolveSchema(spec, p.schema) ?? p.schema;
+    result.push({
+      name: p.name,
+      in: p.in,
+      required: !!p.required,
+      type: schema?.type ?? "string",
+      ...p.description ? { description: p.description } : {}
+    });
+  }
+  return result.length > 0 ? result : void 0;
+}
+function extractRequestBody(spec, operation) {
+  const body = resolveSchema(spec, operation.requestBody);
+  if (!body?.content) return void 0;
+  const jsonContent = body.content["application/json"];
+  if (!jsonContent?.schema) return void 0;
+  const properties = extractProperties(spec, jsonContent.schema);
+  if (properties.length === 0) return void 0;
+  return {
+    contentType: "application/json",
+    required: !!body.required,
+    properties
+  };
+}
+function extractResponses(spec, operation) {
+  const responses = operation.responses;
+  if (!responses || typeof responses !== "object") return void 0;
+  const result = [];
+  for (const [code, raw] of Object.entries(responses)) {
+    const status = parseInt(code, 10);
+    if (isNaN(status) || status < 200 || status >= 300) continue;
+    const resp = resolveSchema(spec, raw) ?? raw;
+    const jsonContent = resp?.content?.["application/json"];
+    const properties = jsonContent?.schema ? extractProperties(spec, jsonContent.schema) : void 0;
+    result.push({
+      status,
+      description: resp?.description ?? "",
+      ...properties && properties.length > 0 ? { properties } : {}
+    });
+  }
+  return result.length > 0 ? result : void 0;
+}
+function compileOpenApiSpec(spec, options) {
+  const info = spec.info ?? {};
+  const name = info.title ?? options.domain;
+  const description = info.description ?? "";
+  const version = options.version ?? info.version ?? "1.0";
+  const basePath = extractBasePath(spec);
+  const endpoints = [];
+  const resources = [];
+  const resourcePaths = /* @__PURE__ */ new Map();
+  const paths = spec.paths ?? {};
+  for (const [path, methods] of Object.entries(paths)) {
+    if (typeof methods !== "object" || methods === null) continue;
+    for (const [method, op] of Object.entries(methods)) {
+      if (!["get", "post", "put", "patch", "delete"].includes(method)) continue;
+      const operation = op;
+      const parameters = extractParams(spec, operation);
+      const requestBody = extractRequestBody(spec, operation);
+      const responses = extractResponses(spec, operation);
+      endpoints.push({
+        method: method.toUpperCase(),
+        path,
+        description: operation.summary ?? operation.operationId ?? `${method.toUpperCase()} ${path}`,
+        ...parameters ? { parameters } : {},
+        ...requestBody ? { requestBody } : {},
+        ...responses ? { responses } : {}
+      });
+    }
+    const segments = path.split("/").filter(Boolean);
+    if (segments.length >= 1) {
+      const resourceName = segments[0];
+      if (!resourcePaths.has(resourceName) && !resourceName.startsWith("{")) {
+        resourcePaths.set(resourceName, {
+          name: resourceName,
+          apiPath: `/${resourceName}`
+        });
+      }
+    }
+  }
+  for (const r of resourcePaths.values()) {
+    resources.push(r);
+  }
+  const skillMd = generateSkillMd(name, version, description, endpoints, resources);
+  const now = Date.now();
+  const record = {
+    domain: options.domain,
+    name,
+    description,
+    version,
+    roles: ["agent"],
+    skillMd,
+    endpoints,
+    isFirstParty: options.isFirstParty ?? false,
+    createdAt: now,
+    updatedAt: now,
+    status: "active",
+    isDefault: true,
+    source: { type: "openapi", ...basePath ? { basePath } : {} }
+  };
+  return { record, resources, skillMd };
+}
+async function fetchAndCompile(specUrl, options, fetchFn = globalThis.fetch.bind(globalThis)) {
+  const resp = await fetchFn(specUrl);
+  if (!resp.ok) throw new Error(`Failed to fetch spec: ${resp.status} ${resp.statusText}`);
+  const text = await resp.text();
+  const spec = parseSpec(specUrl, resp.headers.get("content-type") ?? "", text);
+  const result = compileOpenApiSpec(spec, options);
+  const basePath = result.record.source?.basePath;
+  result.record.source = { type: "openapi", url: specUrl, ...basePath ? { basePath } : {} };
+  return result;
+}
+function parseSpec(url, contentType, text) {
+  const isJson = contentType.includes("json") || url.endsWith(".json") || text.trimStart().startsWith("{");
+  if (isJson) return JSON.parse(text);
+  return import_yaml2.default.parse(text);
+}
+function propsTable(props) {
+  let t = "| name | type | required |\n|------|------|----------|\n";
+  for (const p of props) {
+    t += `| ${p.name} | ${p.type} | ${p.required ? "*" : ""} |
+`;
+  }
+  return t;
+}
+function generateSkillMd(name, version, description, endpoints, resources) {
+  let md = `---
+name: "${name}"
+gateway: nkmc
+version: "${version}"
+roles: [agent]
+---
+
+`;
+  md += `# ${name}
+
+${description}
+
+`;
+  if (resources.length > 0) {
+    md += `## Schema
+
+`;
+    for (const r of resources) {
+      md += `### ${r.name} (public)
+
+`;
+    }
+  }
+  if (endpoints.length > 0) {
+    md += `## API
+
+`;
+    for (const ep of endpoints) {
+      md += `### ${ep.description}
+
+`;
+      md += `\`${ep.method} ${ep.path}\`
+
+`;
+      if (ep.parameters && ep.parameters.length > 0) {
+        md += "**Parameters:**\n\n";
+        md += "| name | in | type | required |\n|------|-----|------|----------|\n";
+        for (const p of ep.parameters) {
+          md += `| ${p.name} | ${p.in} | ${p.type} | ${p.required ? "*" : ""} |
+`;
+        }
+        md += "\n";
+      }
+      if (ep.requestBody) {
+        const req = ep.requestBody;
+        md += `**Body** (${req.contentType}${req.required ? ", required" : ""}):
+
+`;
+        md += propsTable(req.properties);
+        md += "\n";
+      }
+      if (ep.responses && ep.responses.length > 0) {
+        for (const r of ep.responses) {
+          md += `**Response ${r.status}**${r.description ? `: ${r.description}` : ""}
+
+`;
+          if (r.properties && r.properties.length > 0) {
+            md += propsTable(r.properties);
+            md += "\n";
+          }
+        }
+      }
+    }
+  }
+  return md;
+}
+
+// src/http/routes/registry.ts
+var OPENAPI_PATHS = [
+  "/openapi.json",
+  "/openapi.yaml",
+  "/swagger.json",
+  "/swagger.yaml",
+  "/docs/openapi.json",
+  "/api-docs",
+  "/api/openapi.json",
+  "/.well-known/openapi.json",
+  "/.well-known/openapi.yaml"
+];
+function registryRoutes(options) {
+  const { store } = options;
+  const app = new import_hono2.Hono();
+  app.post("/services", async (c) => {
+    const domain = c.req.query("domain");
+    if (!domain) {
+      return c.json({ error: "Missing ?domain= query parameter" }, 400);
+    }
+    const auth = c.get("publishAuth");
+    if (auth?.type === "publish" && auth.domain !== domain) {
+      return c.json(
+        { error: `Token is scoped to "${auth.domain}", cannot register "${domain}"` },
+        403
+      );
+    }
+    const contentType = c.req.header("Content-Type") ?? "";
+    let skillMd;
+    if (contentType.includes("text/markdown") || contentType.includes("text/plain")) {
+      skillMd = await c.req.text();
+    } else {
+      const body = await c.req.json().catch(() => null);
+      if (!body?.skillMd) {
+        return c.json({ error: "Body must be skill.md text or JSON with skillMd field" }, 400);
+      }
+      skillMd = body.skillMd;
+      if (Array.isArray(body.endpoints) && body.endpoints.length > 0) {
+        if (!skillMd.trim()) {
+          return c.json({ error: "Empty skill.md content" }, 400);
+        }
+        const isFirstParty2 = c.req.query("first_party") === "true";
+        const authMode2 = c.req.query("auth_mode");
+        const record2 = parseSkillMd(domain, skillMd, { isFirstParty: isFirstParty2 });
+        record2.endpoints = body.endpoints;
+        if (body.source) {
+          record2.source = body.source;
+        }
+        if (authMode2 === "nkmc-jwt") {
+          record2.authMode = "nkmc-jwt";
+        }
+        await store.put(domain, record2);
+        return c.json({ ok: true, domain, name: record2.name }, 201);
+      }
+    }
+    if (!skillMd.trim()) {
+      return c.json({ error: "Empty skill.md content" }, 400);
+    }
+    const isFirstParty = c.req.query("first_party") === "true";
+    const authMode = c.req.query("auth_mode");
+    const record = parseSkillMd(domain, skillMd, { isFirstParty });
+    if (authMode === "nkmc-jwt") {
+      record.authMode = "nkmc-jwt";
+    }
+    await store.put(domain, record);
+    return c.json({ ok: true, domain, name: record.name }, 201);
+  });
+  app.post("/services/discover", async (c) => {
+    const body = await c.req.json().catch(() => null);
+    if (!body?.url) {
+      return c.json({ error: "Missing 'url' field (base URL of the service)" }, 400);
+    }
+    const baseUrl = body.url.replace(/\/+$/, "");
+    let domain;
+    try {
+      domain = body.domain ?? new URL(baseUrl).hostname;
+    } catch {
+      return c.json({ error: "Invalid URL" }, 400);
+    }
+    const auth = c.get("publishAuth");
+    if (auth?.type === "publish" && auth.domain !== domain) {
+      return c.json(
+        { error: `Token is scoped to "${auth.domain}", cannot register "${domain}"` },
+        403
+      );
+    }
+    if (body.specUrl) {
+      try {
+        const result = await fetchAndCompile(body.specUrl, { domain });
+        await store.put(domain, result.record);
+        return c.json({
+          ok: true,
+          domain,
+          name: result.record.name,
+          endpoints: result.record.endpoints.length,
+          source: body.specUrl
+        }, 201);
+      } catch (err) {
+        return c.json({ error: `Failed to compile spec: ${err instanceof Error ? err.message : err}` }, 400);
+      }
+    }
+    for (const path of OPENAPI_PATHS) {
+      const specUrl = `${baseUrl}${path}`;
+      try {
+        const resp = await fetch(specUrl, { method: "GET", headers: { Accept: "application/json, application/yaml" } });
+        if (!resp.ok) continue;
+        const text = await resp.text();
+        if (!text.trim() || text.length < 20) continue;
+        try {
+          const result = await fetchAndCompile(specUrl, { domain });
+          await store.put(domain, result.record);
+          return c.json({
+            ok: true,
+            domain,
+            name: result.record.name,
+            endpoints: result.record.endpoints.length,
+            source: specUrl
+          }, 201);
+        } catch {
+          continue;
+        }
+      } catch {
+        continue;
+      }
+    }
+    return c.json({
+      error: "Could not find OpenAPI spec",
+      probed: OPENAPI_PATHS.map((p) => `${baseUrl}${p}`),
+      hint: "Use --spec-url to provide the spec location directly"
+    }, 404);
+  });
+  app.get("/services", async (c) => {
+    const query = c.req.query("q");
+    if (query) {
+      const results = await store.search(query);
+      return c.json(results);
+    }
+    const list = await store.list();
+    return c.json(list);
+  });
+  app.get("/services/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const record = await store.get(domain);
+    if (!record) {
+      return c.json({ error: "Service not found" }, 404);
+    }
+    return c.json(record);
+  });
+  app.get("/services/:domain/versions", async (c) => {
+    const domain = c.req.param("domain");
+    const versions = await store.listVersions(domain);
+    return c.json({ domain, versions });
+  });
+  app.get("/services/:domain/versions/:version", async (c) => {
+    const domain = c.req.param("domain");
+    const version = c.req.param("version");
+    const record = await store.getVersion(domain, version);
+    if (!record) {
+      return c.json({ error: "Version not found" }, 404);
+    }
+    return c.json(record);
+  });
+  app.delete("/services/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const existing = await store.get(domain);
+    if (!existing) {
+      return c.json({ error: "Service not found" }, 404);
+    }
+    await store.delete(domain);
+    return c.json({ ok: true, domain });
+  });
+  return app;
+}
+
+// src/http/routes/domains.ts
+var import_hono3 = require("hono");
+var import_nanoid = require("nanoid");
+var import_core5 = require("@nkmc/core");
+
+// src/http/lib/dns.ts
+async function queryDnsTxt(domain) {
+  const url = new URL("https://cloudflare-dns.com/dns-query");
+  url.searchParams.set("name", domain);
+  url.searchParams.set("type", "TXT");
+  const res = await fetch(url.toString(), {
+    headers: { Accept: "application/dns-json" }
+  });
+  if (!res.ok) {
+    throw new Error(`DNS query failed: ${res.status}`);
+  }
+  const data = await res.json();
+  return (data.Answer ?? []).filter((a) => a.type === 16).map((a) => a.data.replace(/^"|"$/g, ""));
+}
+
+// src/http/routes/domains.ts
+var SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1e3;
+var ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1e3;
+function isValidDomain(domain) {
+  return /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)+$/.test(domain);
+}
+function domainRoutes(options) {
+  const { db, gatewayPrivateKey } = options;
+  const app = new import_hono3.Hono();
+  app.post("/challenge", async (c) => {
+    const body = await c.req.json().catch(() => null);
+    const domain = body?.domain;
+    if (!domain || !isValidDomain(domain)) {
+      return c.json({ error: "Invalid or missing domain" }, 400);
+    }
+    const now = Date.now();
+    const verified = await db.prepare(
+      "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'verified' AND expires_at > ?"
+    ).bind(domain, now).first();
+    if (verified) {
+      return c.json(
+        {
+          error: "Domain already verified. Use `nkmc claim <domain> --verify` to renew your token.",
+          expiresAt: verified.expires_at
+        },
+        409
+      );
+    }
+    const existing = await db.prepare(
+      "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'pending' AND expires_at > ?"
+    ).bind(domain, now).first();
+    if (existing) {
+      return c.json({
+        domain,
+        txtRecord: `_nkmc.${domain}`,
+        txtValue: `nkmc-verify=${existing.challenge_code}`,
+        expiresAt: existing.expires_at
+      });
+    }
+    const challengeCode = (0, import_nanoid.nanoid)(32);
+    const expiresAt = now + SEVEN_DAYS_MS;
+    await db.prepare(
+      `INSERT OR REPLACE INTO domain_challenges (domain, challenge_code, status, created_at, expires_at)
+         VALUES (?, ?, 'pending', ?, ?)`
+    ).bind(domain, challengeCode, now, expiresAt).run();
+    return c.json({
+      domain,
+      txtRecord: `_nkmc.${domain}`,
+      txtValue: `nkmc-verify=${challengeCode}`,
+      expiresAt
+    });
+  });
+  app.post("/verify", async (c) => {
+    const body = await c.req.json().catch(() => null);
+    const domain = body?.domain;
+    if (!domain || !isValidDomain(domain)) {
+      return c.json({ error: "Invalid or missing domain" }, 400);
+    }
+    const now = Date.now();
+    const verified = await db.prepare(
+      "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'verified' AND expires_at > ?"
+    ).bind(domain, now).first();
+    if (verified) {
+      const publishToken2 = await (0, import_core5.signPublishToken)(gatewayPrivateKey, domain);
+      return c.json({ ok: true, domain, publishToken: publishToken2 });
+    }
+    const challenge = await db.prepare(
+      "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'pending' AND expires_at > ?"
+    ).bind(domain, now).first();
+    if (!challenge) {
+      return c.json(
+        { error: "No pending challenge found. Run `nkmc claim <domain>` first." },
+        404
+      );
+    }
+    const expectedValue = `nkmc-verify=${challenge.challenge_code}`;
+    let txtRecords;
+    try {
+      txtRecords = await queryDnsTxt(`_nkmc.${domain}`);
+    } catch {
+      return c.json(
+        { error: "Failed to query DNS. Please try again later." },
+        502
+      );
+    }
+    if (!txtRecords.includes(expectedValue)) {
+      return c.json(
+        {
+          error: `DNS TXT record not found. Expected TXT record on _nkmc.${domain} with value "${expectedValue}". DNS propagation can take up to 5 minutes.`
+        },
+        422
+      );
+    }
+    await db.prepare(
+      "UPDATE domain_challenges SET status = 'verified', verified_at = ?, expires_at = ? WHERE domain = ?"
+    ).bind(now, now + ONE_YEAR_MS, domain).run();
+    const publishToken = await (0, import_core5.signPublishToken)(gatewayPrivateKey, domain);
+    return c.json({ ok: true, domain, publishToken });
+  });
+  return app;
+}
+
+// src/http/routes/credentials.ts
+var import_hono4 = require("hono");
+function credentialRoutes(options) {
+  const { vault } = options;
+  const app = new import_hono4.Hono();
+  app.put("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const body = await c.req.json();
+    if (!body.auth?.type) {
+      return c.json({ error: "Missing auth.type" }, 400);
+    }
+    await vault.putPool(domain, body.auth);
+    return c.json({ ok: true, domain });
+  });
+  app.get("/", async (c) => {
+    const domains = await vault.listDomains();
+    return c.json({ domains });
+  });
+  app.delete("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    await vault.delete(domain);
+    return c.json({ ok: true, domain });
+  });
+  return app;
+}
+
+// src/http/routes/byok.ts
+var import_hono5 = require("hono");
+function byokRoutes(options) {
+  const { vault } = options;
+  const app = new import_hono5.Hono();
+  app.put("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const agent = c.get("agent");
+    const body = await c.req.json();
+    if (!body.auth?.type) {
+      return c.json({ error: "Missing auth.type" }, 400);
+    }
+    await vault.putByok(domain, agent.id, body.auth);
+    return c.json({ ok: true, domain });
+  });
+  app.get("/", async (c) => {
+    const agent = c.get("agent");
+    const allDomains = await vault.listDomains();
+    const byokDomains = [];
+    for (const domain of allDomains) {
+      const cred = await vault.get(domain, agent.id);
+      if (cred && cred.scope === "byok" && cred.developerId === agent.id) {
+        byokDomains.push(domain);
+      }
+    }
+    return c.json({ domains: byokDomains });
+  });
+  app.delete("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const agent = c.get("agent");
+    await vault.delete(domain, agent.id);
+    return c.json({ ok: true, domain });
+  });
+  return app;
+}
+
+// src/http/routes/fs.ts
+var import_hono6 = require("hono");
+function errorToStatus(code) {
+  switch (code) {
+    case "PARSE_ERROR":
+    case "INVALID_PATH":
+      return 400;
+    case "PERMISSION_DENIED":
+      return 403;
+    case "NOT_FOUND":
+    case "NO_MOUNT":
+      return 404;
+    default:
+      return 500;
+  }
+}
+function fsRoutes(options) {
+  const { agentFs } = options;
+  const app = new import_hono6.Hono();
+  app.post("/execute", async (c) => {
+    const body = await c.req.json();
+    if (!body.command || typeof body.command !== "string") {
+      return c.json({ error: "Missing 'command' field" }, 400);
+    }
+    const agent = c.get("agent");
+    const roles = body.roles ?? agent?.roles;
+    const result = await agentFs.execute(body.command, roles, agent);
+    const status = result.ok ? 200 : errorToStatus(result.error.code);
+    return c.json(result, status);
+  });
+  app.all("/fs/*", async (c) => {
+    const fullPath = c.req.path;
+    const virtualPath = fullPath.slice(fullPath.indexOf("/fs") + 3) || "/";
+    const query = c.req.query("q");
+    const agent = c.get("agent");
+    const roles = agent?.roles;
+    let op;
+    let data;
+    let pattern;
+    switch (c.req.method) {
+      case "GET":
+        if (query) {
+          op = "grep";
+          pattern = query;
+        } else if (virtualPath.endsWith("/")) {
+          op = "ls";
+        } else {
+          op = "cat";
+        }
+        break;
+      case "POST":
+      case "PUT":
+        op = "write";
+        data = await c.req.json();
+        break;
+      case "DELETE":
+        op = "rm";
+        break;
+      default:
+        return c.json({ error: "Method not allowed" }, 405);
+    }
+    const result = await agentFs.executeCommand(
+      { op, path: virtualPath, data, pattern },
+      roles,
+      agent
+    );
+    const status = result.ok ? 200 : errorToStatus(result.error.code);
+    return c.json(result, status);
+  });
+  return app;
+}
+
+// src/http/routes/proxy.ts
+var import_hono7 = require("hono");
+function proxyRoutes(options) {
+  const { vault, toolRegistry, exec } = options;
+  const app = new import_hono7.Hono();
+  app.post("/exec", async (c) => {
+    const body = await c.req.json();
+    if (!body.tool || typeof body.tool !== "string") {
+      return c.json({ error: "Missing 'tool' field" }, 400);
+    }
+    const toolDef = toolRegistry.get(body.tool);
+    if (!toolDef) {
+      return c.json({ error: `Unknown tool: ${body.tool}` }, 404);
+    }
+    const agent = c.get("agent");
+    const credential = await vault.get(toolDef.credentialDomain, agent.id);
+    if (!credential) {
+      return c.json({ error: `No credential for domain: ${toolDef.credentialDomain}` }, 401);
+    }
+    const env = toolRegistry.buildEnv(toolDef, credential.auth);
+    const args = body.args ?? [];
+    const result = await exec(body.tool, args, env);
+    return c.json(result);
+  });
+  app.get("/tools", (c) => {
+    const tools = toolRegistry.list().map((t) => ({
+      name: t.name,
+      credentialDomain: t.credentialDomain
+    }));
+    return c.json({ tools });
+  });
+  return app;
+}
+
+// src/http/routes/peers.ts
+var import_hono8 = require("hono");
+function peerRoutes(options) {
+  const { peerStore } = options;
+  const app = new import_hono8.Hono();
+  app.get("/peers", async (c) => {
+    const peers = await peerStore.listPeers();
+    const safe = peers.map(({ sharedSecret: _, ...rest }) => rest);
+    return c.json({ peers: safe });
+  });
+  app.put("/peers/:id", async (c) => {
+    const id = c.req.param("id");
+    const body = await c.req.json();
+    if (!body.name || !body.url || !body.sharedSecret) {
+      return c.json({ error: "Missing required fields: name, url, sharedSecret" }, 400);
+    }
+    const existing = await peerStore.getPeer(id);
+    const now = Date.now();
+    const peer = {
+      id,
+      name: body.name,
+      url: body.url,
+      sharedSecret: body.sharedSecret,
+      status: "active",
+      advertisedDomains: existing?.advertisedDomains ?? [],
+      lastSeen: existing?.lastSeen ?? 0,
+      createdAt: existing?.createdAt ?? now
+    };
+    await peerStore.putPeer(peer);
+    return c.json({ ok: true, id });
+  });
+  app.delete("/peers/:id", async (c) => {
+    const id = c.req.param("id");
+    await peerStore.deletePeer(id);
+    return c.json({ ok: true, id });
+  });
+  app.get("/rules", async (c) => {
+    const rules = await peerStore.listRules();
+    return c.json({ rules });
+  });
+  app.put("/rules/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const body = await c.req.json();
+    if (body.allow === void 0) {
+      return c.json({ error: "Missing required field: allow" }, 400);
+    }
+    const existing = await peerStore.getRule(domain);
+    const now = Date.now();
+    const rule = {
+      domain,
+      allow: body.allow,
+      peers: body.peers ?? existing?.peers ?? "*",
+      pricing: body.pricing ?? existing?.pricing ?? { mode: "free" },
+      rateLimit: body.rateLimit,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    };
+    await peerStore.putRule(rule);
+    return c.json({ ok: true, domain });
+  });
+  app.delete("/rules/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    await peerStore.deleteRule(domain);
+    return c.json({ ok: true, domain });
+  });
+  return app;
+}
+
+// src/http/routes/federation.ts
+var import_hono9 = require("hono");
+async function authenticatePeer(peerStore, peerId, authHeader) {
+  if (!peerId || !authHeader) return null;
+  const peer = await peerStore.getPeer(peerId);
+  if (!peer || peer.status !== "active") return null;
+  const token = authHeader.replace(/^Bearer\s+/i, "");
+  if (token !== peer.sharedSecret) return null;
+  return peer;
+}
+function extractDomainFromCommand(command) {
+  const parts = command.trim().split(/\s+/);
+  if (parts.length < 2) return null;
+  const path = parts[1];
+  if (!path.startsWith("/")) return null;
+  const segments = path.slice(1).split("/");
+  return segments[0] || null;
+}
+function federationRoutes(options) {
+  const { peerStore, vault, agentFs } = options;
+  const app = new import_hono9.Hono();
+  app.post("/query", async (c) => {
+    const peerId = c.req.header("X-Peer-Id");
+    const authHeader = c.req.header("Authorization");
+    const peer = await authenticatePeer(peerStore, peerId, authHeader);
+    if (!peer) {
+      return c.json({ error: "Unauthorized peer" }, 403);
+    }
+    const body = await c.req.json();
+    if (!body.domain) {
+      return c.json({ error: "Missing 'domain' field" }, 400);
+    }
+    await peerStore.updateLastSeen(peer.id, Date.now());
+    const credential = await vault.get(body.domain);
+    if (!credential) {
+      return c.json({ available: false });
+    }
+    const rule = await peerStore.getRule(body.domain);
+    if (!rule || !rule.allow) {
+      return c.json({ available: false });
+    }
+    if (rule.peers !== "*" && !rule.peers.includes(peer.id)) {
+      return c.json({ available: false });
+    }
+    return c.json({
+      available: true,
+      pricing: rule.pricing
+    });
+  });
+  app.post("/exec", async (c) => {
+    const peerId = c.req.header("X-Peer-Id");
+    const authHeader = c.req.header("Authorization");
+    const peer = await authenticatePeer(peerStore, peerId, authHeader);
+    if (!peer) {
+      return c.json({ error: "Unauthorized peer" }, 403);
+    }
+    const body = await c.req.json();
+    if (!body.command) {
+      return c.json({ error: "Missing 'command' field" }, 400);
+    }
+    await peerStore.updateLastSeen(peer.id, Date.now());
+    const domain = extractDomainFromCommand(body.command);
+    if (domain) {
+      const rule = await peerStore.getRule(domain);
+      if (!rule || !rule.allow) {
+        return c.json({ error: "Domain not available for lending" }, 403);
+      }
+      if (rule.peers !== "*" && !rule.peers.includes(peer.id)) {
+        return c.json({ error: "Peer not in allowed list" }, 403);
+      }
+      if (rule.pricing.mode !== "free") {
+        const paymentHeader = c.req.header("X-402-Payment");
+        if (!paymentHeader) {
+          return c.json({ error: "Payment required" }, 402);
+        }
+      }
+    }
+    const syntheticAgentId = `peer:${peer.id}:${body.agentId}`;
+    const result = await agentFs.execute(body.command, ["agent"], {
+      id: syntheticAgentId,
+      roles: ["agent"]
+    });
+    if (!result.ok) {
+      return c.json({ ok: false, error: result.error.message }, 500);
+    }
+    return c.json({ ok: true, data: result.data });
+  });
+  app.post("/announce", async (c) => {
+    const peerId = c.req.header("X-Peer-Id");
+    const authHeader = c.req.header("Authorization");
+    const peer = await authenticatePeer(peerStore, peerId, authHeader);
+    if (!peer) {
+      return c.json({ error: "Unauthorized peer" }, 403);
+    }
+    const body = await c.req.json();
+    if (!Array.isArray(body.domains)) {
+      return c.json({ error: "Missing 'domains' field" }, 400);
+    }
+    peer.advertisedDomains = body.domains;
+    await peerStore.putPeer(peer);
+    await peerStore.updateLastSeen(peer.id, Date.now());
+    return c.json({ ok: true });
+  });
+  return app;
+}
+
+// src/http/routes/tunnels.ts
+var import_hono10 = require("hono");
+var import_nanoid2 = require("nanoid");
+function tunnelRoutes(options) {
+  const { tunnelStore, tunnelProvider, tunnelDomain } = options;
+  const app = new import_hono10.Hono();
+  app.post("/create", async (c) => {
+    const agent = c.get("agent");
+    const body = await c.req.json().catch(() => ({}));
+    const existing = await tunnelStore.getByAgent(agent.id);
+    if (existing && existing.status === "active") {
+      return c.json({
+        tunnelId: existing.id,
+        publicUrl: existing.publicUrl,
+        message: "Tunnel already exists"
+      });
+    }
+    const id = (0, import_nanoid2.nanoid)(12);
+    const hostname = `${id}.${tunnelDomain}`;
+    const publicUrl = `https://${hostname}`;
+    const { tunnelId, tunnelToken } = await tunnelProvider.create(
+      `nkmc-${agent.id}-${id}`,
+      hostname
+    );
+    const now = Date.now();
+    await tunnelStore.put({
+      id,
+      agentId: agent.id,
+      tunnelId,
+      publicUrl,
+      status: "active",
+      createdAt: now,
+      advertisedDomains: body.advertisedDomains ?? [],
+      gatewayName: body.gatewayName,
+      lastSeen: now
+    });
+    return c.json({ tunnelId: id, tunnelToken, publicUrl }, 201);
+  });
+  app.delete("/:id", async (c) => {
+    const id = c.req.param("id");
+    const agent = c.get("agent");
+    const record = await tunnelStore.get(id);
+    if (!record) return c.json({ error: "Tunnel not found" }, 404);
+    if (record.agentId !== agent.id)
+      return c.json({ error: "Not your tunnel" }, 403);
+    await tunnelProvider.delete(record.tunnelId);
+    await tunnelStore.delete(id);
+    return c.json({ ok: true });
+  });
+  app.get("/", async (c) => {
+    const agent = c.get("agent");
+    const all = await tunnelStore.list();
+    const mine = all.filter((t) => t.agentId === agent.id);
+    return c.json({ tunnels: mine });
+  });
+  app.get("/discover", async (c) => {
+    const domain = c.req.query("domain");
+    const all = await tunnelStore.list();
+    let results = all.filter((t) => t.status === "active");
+    if (domain) {
+      results = results.filter((t) => t.advertisedDomains.includes(domain));
+    }
+    return c.json({
+      gateways: results.map((t) => ({
+        id: t.id,
+        name: t.gatewayName ?? `gateway-${t.id}`,
+        publicUrl: t.publicUrl,
+        advertisedDomains: t.advertisedDomains
+      }))
+    });
+  });
+  app.post("/heartbeat", async (c) => {
+    const agent = c.get("agent");
+    const body = await c.req.json();
+    const record = await tunnelStore.getByAgent(agent.id);
+    if (!record) return c.json({ error: "No active tunnel" }, 404);
+    record.advertisedDomains = body.advertisedDomains ?? record.advertisedDomains;
+    record.lastSeen = Date.now();
+    await tunnelStore.put(record);
+    return c.json({ ok: true });
+  });
+  return app;
+}
+
+// src/http/app.ts
+function createGateway(options) {
+  const { store, gatewayPrivateKey, gatewayPublicKey, adminToken } = options;
+  const app = new import_hono11.Hono();
+  const { onMiss, listDomains, searchDomains, searchEndpoints } = createRegistryResolver(
+    options.vault ? { store, vault: options.vault, gatewayPrivateKey } : { store, gatewayPrivateKey }
+  );
+  const mounts = [];
+  if (options.context7ApiKey) {
+    mounts.push({ path: "/context7", backend: new Context7Backend({ apiKey: options.context7ApiKey }) });
+  }
+  const agentFs = new import_agent_fs2.AgentFs({
+    mounts,
+    onMiss,
+    listDomains,
+    searchDomains,
+    searchEndpoints
+  });
+  app.get("/.well-known/jwks.json", (c) => {
+    return c.json({ keys: [gatewayPublicKey] });
+  });
+  app.route("/auth", authRoutes({ privateKey: gatewayPrivateKey }));
+  if (options.db) {
+    app.route("/domains", domainRoutes({ db: options.db, gatewayPrivateKey }));
+  }
+  app.use("/registry/*", publishOrAdminAuth(adminToken, gatewayPublicKey));
+  app.route("/registry", registryRoutes({ store }));
+  if (options.vault) {
+    app.use("/credentials/*", adminAuth(adminToken));
+    app.route("/credentials", credentialRoutes({ vault: options.vault }));
+    app.use("/byok/*", agentAuth(gatewayPublicKey));
+    app.route("/byok", byokRoutes({ vault: options.vault }));
+  }
+  app.use("/execute", agentAuth(gatewayPublicKey));
+  app.use("/fs/*", agentAuth(gatewayPublicKey));
+  app.route("/", fsRoutes({ agentFs }));
+  if (options.proxy && options.vault) {
+    app.use("/proxy/*", agentAuth(gatewayPublicKey));
+    app.route(
+      "/proxy",
+      proxyRoutes({
+        vault: options.vault,
+        toolRegistry: options.proxy.toolRegistry,
+        exec: options.proxy.exec
+      })
+    );
+  }
+  if (options.peerStore && options.vault) {
+    app.use("/admin/federation/*", adminAuth(adminToken));
+    app.route("/admin/federation", peerRoutes({ peerStore: options.peerStore }));
+    app.route("/federation", federationRoutes({
+      peerStore: options.peerStore,
+      vault: options.vault,
+      agentFs
+    }));
+  }
+  if (options.tunnel) {
+    app.use("/tunnels/*", agentAuth(gatewayPublicKey));
+    app.route(
+      "/tunnels",
+      tunnelRoutes({
+        tunnelStore: options.tunnel.store,
+        tunnelProvider: options.tunnel.provider,
+        tunnelDomain: options.tunnel.domain
+      })
+    );
+  }
+  return app;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  adminAuth,
+  agentAuth,
+  authRoutes,
+  createGateway,
+  domainRoutes,
+  fsRoutes,
+  publishOrAdminAuth,
+  registryRoutes,
+  tunnelRoutes
+});