@nkmc/gateway 0.1.0

package/dist/http.js

@@ -0,0 +1,748 @@
+import {
+  Context7Backend,
+  createRegistryResolver,
+  credentialRoutes,
+  fetchAndCompile,
+  parseSkillMd,
+  queryDnsTxt,
+  tunnelRoutes
+} from "./chunk-CZJ75YTV.js";
+import {
+  proxyRoutes
+} from "./chunk-56RA53VS.js";
+import "./chunk-QGM4M3NI.js";
+
+// src/http/app.ts
+import { Hono as Hono8 } from "hono";
+import { AgentFs } from "@nkmc/agent-fs";
+
+// src/http/middleware/admin-auth.ts
+import { createMiddleware } from "hono/factory";
+function adminAuth(adminToken) {
+  return createMiddleware(async (c, next) => {
+    const auth = c.req.header("Authorization");
+    if (!auth || !auth.startsWith("Bearer ")) {
+      return c.json({ error: "Missing Authorization header" }, 401);
+    }
+    const token = auth.slice(7);
+    if (token !== adminToken) {
+      return c.json({ error: "Invalid admin token" }, 403);
+    }
+    await next();
+  });
+}
+
+// src/http/middleware/publish-auth.ts
+import { createMiddleware as createMiddleware2 } from "hono/factory";
+import { verifyPublishToken } from "@nkmc/core";
+function publishOrAdminAuth(adminToken, publicKey) {
+  return createMiddleware2(async (c, next) => {
+    const auth = c.req.header("Authorization");
+    if (!auth || !auth.startsWith("Bearer ")) {
+      return c.json({ error: "Missing Authorization header" }, 401);
+    }
+    const token = auth.slice(7);
+    if (token === adminToken) {
+      c.set("publishAuth", { type: "admin" });
+      return next();
+    }
+    try {
+      const payload = await verifyPublishToken(token, publicKey);
+      c.set("publishAuth", { type: "publish", domain: payload.sub });
+      return next();
+    } catch {
+      return c.json({ error: "Invalid token" }, 403);
+    }
+  });
+}
+
+// src/http/middleware/agent-auth.ts
+import { createMiddleware as createMiddleware3 } from "hono/factory";
+import { verifyJwt } from "@nkmc/core";
+function agentAuth(publicKey) {
+  return createMiddleware3(async (c, next) => {
+    const auth = c.req.header("Authorization");
+    if (!auth || !auth.startsWith("Bearer ")) {
+      return c.json({ error: "Missing Authorization header" }, 401);
+    }
+    const token = auth.slice(7);
+    try {
+      const payload = await verifyJwt(token, publicKey);
+      c.set("agent", { id: payload.sub, roles: payload.roles });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Invalid token";
+      if (message.includes("exp") || message.includes("expired")) {
+        return c.json({ error: "Token has expired" }, 401);
+      }
+      return c.json({ error: "Invalid token" }, 401);
+    }
+    await next();
+  });
+}
+
+// src/http/routes/auth.ts
+import { Hono } from "hono";
+import { signJwt } from "@nkmc/core";
+function authRoutes(options) {
+  const app = new Hono();
+  app.post("/token", async (c) => {
+    const body = await c.req.json();
+    if (!body.sub || !body.svc) {
+      return c.json({ error: "Missing required fields: sub, svc" }, 400);
+    }
+    const token = await signJwt(
+      options.privateKey,
+      {
+        sub: body.sub,
+        roles: body.roles ?? ["agent"],
+        svc: body.svc
+      },
+      body.expiresIn ? { expiresIn: body.expiresIn } : void 0
+    );
+    return c.json({ token });
+  });
+  return app;
+}
+
+// src/http/routes/registry.ts
+import { Hono as Hono2 } from "hono";
+var OPENAPI_PATHS = [
+  "/openapi.json",
+  "/openapi.yaml",
+  "/swagger.json",
+  "/swagger.yaml",
+  "/docs/openapi.json",
+  "/api-docs",
+  "/api/openapi.json",
+  "/.well-known/openapi.json",
+  "/.well-known/openapi.yaml"
+];
+function registryRoutes(options) {
+  const { store } = options;
+  const app = new Hono2();
+  app.post("/services", async (c) => {
+    const domain = c.req.query("domain");
+    if (!domain) {
+      return c.json({ error: "Missing ?domain= query parameter" }, 400);
+    }
+    const auth = c.get("publishAuth");
+    if (auth?.type === "publish" && auth.domain !== domain) {
+      return c.json(
+        { error: `Token is scoped to "${auth.domain}", cannot register "${domain}"` },
+        403
+      );
+    }
+    const contentType = c.req.header("Content-Type") ?? "";
+    let skillMd;
+    if (contentType.includes("text/markdown") || contentType.includes("text/plain")) {
+      skillMd = await c.req.text();
+    } else {
+      const body = await c.req.json().catch(() => null);
+      if (!body?.skillMd) {
+        return c.json({ error: "Body must be skill.md text or JSON with skillMd field" }, 400);
+      }
+      skillMd = body.skillMd;
+      if (Array.isArray(body.endpoints) && body.endpoints.length > 0) {
+        if (!skillMd.trim()) {
+          return c.json({ error: "Empty skill.md content" }, 400);
+        }
+        const isFirstParty2 = c.req.query("first_party") === "true";
+        const authMode2 = c.req.query("auth_mode");
+        const record2 = parseSkillMd(domain, skillMd, { isFirstParty: isFirstParty2 });
+        record2.endpoints = body.endpoints;
+        if (body.source) {
+          record2.source = body.source;
+        }
+        if (authMode2 === "nkmc-jwt") {
+          record2.authMode = "nkmc-jwt";
+        }
+        await store.put(domain, record2);
+        return c.json({ ok: true, domain, name: record2.name }, 201);
+      }
+    }
+    if (!skillMd.trim()) {
+      return c.json({ error: "Empty skill.md content" }, 400);
+    }
+    const isFirstParty = c.req.query("first_party") === "true";
+    const authMode = c.req.query("auth_mode");
+    const record = parseSkillMd(domain, skillMd, { isFirstParty });
+    if (authMode === "nkmc-jwt") {
+      record.authMode = "nkmc-jwt";
+    }
+    await store.put(domain, record);
+    return c.json({ ok: true, domain, name: record.name }, 201);
+  });
+  app.post("/services/discover", async (c) => {
+    const body = await c.req.json().catch(() => null);
+    if (!body?.url) {
+      return c.json({ error: "Missing 'url' field (base URL of the service)" }, 400);
+    }
+    const baseUrl = body.url.replace(/\/+$/, "");
+    let domain;
+    try {
+      domain = body.domain ?? new URL(baseUrl).hostname;
+    } catch {
+      return c.json({ error: "Invalid URL" }, 400);
+    }
+    const auth = c.get("publishAuth");
+    if (auth?.type === "publish" && auth.domain !== domain) {
+      return c.json(
+        { error: `Token is scoped to "${auth.domain}", cannot register "${domain}"` },
+        403
+      );
+    }
+    if (body.specUrl) {
+      try {
+        const result = await fetchAndCompile(body.specUrl, { domain });
+        await store.put(domain, result.record);
+        return c.json({
+          ok: true,
+          domain,
+          name: result.record.name,
+          endpoints: result.record.endpoints.length,
+          source: body.specUrl
+        }, 201);
+      } catch (err) {
+        return c.json({ error: `Failed to compile spec: ${err instanceof Error ? err.message : err}` }, 400);
+      }
+    }
+    for (const path of OPENAPI_PATHS) {
+      const specUrl = `${baseUrl}${path}`;
+      try {
+        const resp = await fetch(specUrl, { method: "GET", headers: { Accept: "application/json, application/yaml" } });
+        if (!resp.ok) continue;
+        const text = await resp.text();
+        if (!text.trim() || text.length < 20) continue;
+        try {
+          const result = await fetchAndCompile(specUrl, { domain });
+          await store.put(domain, result.record);
+          return c.json({
+            ok: true,
+            domain,
+            name: result.record.name,
+            endpoints: result.record.endpoints.length,
+            source: specUrl
+          }, 201);
+        } catch {
+          continue;
+        }
+      } catch {
+        continue;
+      }
+    }
+    return c.json({
+      error: "Could not find OpenAPI spec",
+      probed: OPENAPI_PATHS.map((p) => `${baseUrl}${p}`),
+      hint: "Use --spec-url to provide the spec location directly"
+    }, 404);
+  });
+  app.get("/services", async (c) => {
+    const query = c.req.query("q");
+    if (query) {
+      const results = await store.search(query);
+      return c.json(results);
+    }
+    const list = await store.list();
+    return c.json(list);
+  });
+  app.get("/services/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const record = await store.get(domain);
+    if (!record) {
+      return c.json({ error: "Service not found" }, 404);
+    }
+    return c.json(record);
+  });
+  app.get("/services/:domain/versions", async (c) => {
+    const domain = c.req.param("domain");
+    const versions = await store.listVersions(domain);
+    return c.json({ domain, versions });
+  });
+  app.get("/services/:domain/versions/:version", async (c) => {
+    const domain = c.req.param("domain");
+    const version = c.req.param("version");
+    const record = await store.getVersion(domain, version);
+    if (!record) {
+      return c.json({ error: "Version not found" }, 404);
+    }
+    return c.json(record);
+  });
+  app.delete("/services/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const existing = await store.get(domain);
+    if (!existing) {
+      return c.json({ error: "Service not found" }, 404);
+    }
+    await store.delete(domain);
+    return c.json({ ok: true, domain });
+  });
+  return app;
+}
+
+// src/http/routes/domains.ts
+import { Hono as Hono3 } from "hono";
+import { nanoid } from "nanoid";
+import { signPublishToken } from "@nkmc/core";
+var SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1e3;
+var ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1e3;
+function isValidDomain(domain) {
+  return /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)+$/.test(domain);
+}
+function domainRoutes(options) {
+  const { db, gatewayPrivateKey } = options;
+  const app = new Hono3();
+  app.post("/challenge", async (c) => {
+    const body = await c.req.json().catch(() => null);
+    const domain = body?.domain;
+    if (!domain || !isValidDomain(domain)) {
+      return c.json({ error: "Invalid or missing domain" }, 400);
+    }
+    const now = Date.now();
+    const verified = await db.prepare(
+      "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'verified' AND expires_at > ?"
+    ).bind(domain, now).first();
+    if (verified) {
+      return c.json(
+        {
+          error: "Domain already verified. Use `nkmc claim <domain> --verify` to renew your token.",
+          expiresAt: verified.expires_at
+        },
+        409
+      );
+    }
+    const existing = await db.prepare(
+      "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'pending' AND expires_at > ?"
+    ).bind(domain, now).first();
+    if (existing) {
+      return c.json({
+        domain,
+        txtRecord: `_nkmc.${domain}`,
+        txtValue: `nkmc-verify=${existing.challenge_code}`,
+        expiresAt: existing.expires_at
+      });
+    }
+    const challengeCode = nanoid(32);
+    const expiresAt = now + SEVEN_DAYS_MS;
+    await db.prepare(
+      `INSERT OR REPLACE INTO domain_challenges (domain, challenge_code, status, created_at, expires_at)
+         VALUES (?, ?, 'pending', ?, ?)`
+    ).bind(domain, challengeCode, now, expiresAt).run();
+    return c.json({
+      domain,
+      txtRecord: `_nkmc.${domain}`,
+      txtValue: `nkmc-verify=${challengeCode}`,
+      expiresAt
+    });
+  });
+  app.post("/verify", async (c) => {
+    const body = await c.req.json().catch(() => null);
+    const domain = body?.domain;
+    if (!domain || !isValidDomain(domain)) {
+      return c.json({ error: "Invalid or missing domain" }, 400);
+    }
+    const now = Date.now();
+    const verified = await db.prepare(
+      "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'verified' AND expires_at > ?"
+    ).bind(domain, now).first();
+    if (verified) {
+      const publishToken2 = await signPublishToken(gatewayPrivateKey, domain);
+      return c.json({ ok: true, domain, publishToken: publishToken2 });
+    }
+    const challenge = await db.prepare(
+      "SELECT * FROM domain_challenges WHERE domain = ? AND status = 'pending' AND expires_at > ?"
+    ).bind(domain, now).first();
+    if (!challenge) {
+      return c.json(
+        { error: "No pending challenge found. Run `nkmc claim <domain>` first." },
+        404
+      );
+    }
+    const expectedValue = `nkmc-verify=${challenge.challenge_code}`;
+    let txtRecords;
+    try {
+      txtRecords = await queryDnsTxt(`_nkmc.${domain}`);
+    } catch {
+      return c.json(
+        { error: "Failed to query DNS. Please try again later." },
+        502
+      );
+    }
+    if (!txtRecords.includes(expectedValue)) {
+      return c.json(
+        {
+          error: `DNS TXT record not found. Expected TXT record on _nkmc.${domain} with value "${expectedValue}". DNS propagation can take up to 5 minutes.`
+        },
+        422
+      );
+    }
+    await db.prepare(
+      "UPDATE domain_challenges SET status = 'verified', verified_at = ?, expires_at = ? WHERE domain = ?"
+    ).bind(now, now + ONE_YEAR_MS, domain).run();
+    const publishToken = await signPublishToken(gatewayPrivateKey, domain);
+    return c.json({ ok: true, domain, publishToken });
+  });
+  return app;
+}
+
+// src/http/routes/byok.ts
+import { Hono as Hono4 } from "hono";
+function byokRoutes(options) {
+  const { vault } = options;
+  const app = new Hono4();
+  app.put("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const agent = c.get("agent");
+    const body = await c.req.json();
+    if (!body.auth?.type) {
+      return c.json({ error: "Missing auth.type" }, 400);
+    }
+    await vault.putByok(domain, agent.id, body.auth);
+    return c.json({ ok: true, domain });
+  });
+  app.get("/", async (c) => {
+    const agent = c.get("agent");
+    const allDomains = await vault.listDomains();
+    const byokDomains = [];
+    for (const domain of allDomains) {
+      const cred = await vault.get(domain, agent.id);
+      if (cred && cred.scope === "byok" && cred.developerId === agent.id) {
+        byokDomains.push(domain);
+      }
+    }
+    return c.json({ domains: byokDomains });
+  });
+  app.delete("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const agent = c.get("agent");
+    await vault.delete(domain, agent.id);
+    return c.json({ ok: true, domain });
+  });
+  return app;
+}
+
+// src/http/routes/fs.ts
+import { Hono as Hono5 } from "hono";
+function errorToStatus(code) {
+  switch (code) {
+    case "PARSE_ERROR":
+    case "INVALID_PATH":
+      return 400;
+    case "PERMISSION_DENIED":
+      return 403;
+    case "NOT_FOUND":
+    case "NO_MOUNT":
+      return 404;
+    default:
+      return 500;
+  }
+}
+function fsRoutes(options) {
+  const { agentFs } = options;
+  const app = new Hono5();
+  app.post("/execute", async (c) => {
+    const body = await c.req.json();
+    if (!body.command || typeof body.command !== "string") {
+      return c.json({ error: "Missing 'command' field" }, 400);
+    }
+    const agent = c.get("agent");
+    const roles = body.roles ?? agent?.roles;
+    const result = await agentFs.execute(body.command, roles, agent);
+    const status = result.ok ? 200 : errorToStatus(result.error.code);
+    return c.json(result, status);
+  });
+  app.all("/fs/*", async (c) => {
+    const fullPath = c.req.path;
+    const virtualPath = fullPath.slice(fullPath.indexOf("/fs") + 3) || "/";
+    const query = c.req.query("q");
+    const agent = c.get("agent");
+    const roles = agent?.roles;
+    let op;
+    let data;
+    let pattern;
+    switch (c.req.method) {
+      case "GET":
+        if (query) {
+          op = "grep";
+          pattern = query;
+        } else if (virtualPath.endsWith("/")) {
+          op = "ls";
+        } else {
+          op = "cat";
+        }
+        break;
+      case "POST":
+      case "PUT":
+        op = "write";
+        data = await c.req.json();
+        break;
+      case "DELETE":
+        op = "rm";
+        break;
+      default:
+        return c.json({ error: "Method not allowed" }, 405);
+    }
+    const result = await agentFs.executeCommand(
+      { op, path: virtualPath, data, pattern },
+      roles,
+      agent
+    );
+    const status = result.ok ? 200 : errorToStatus(result.error.code);
+    return c.json(result, status);
+  });
+  return app;
+}
+
+// src/http/routes/peers.ts
+import { Hono as Hono6 } from "hono";
+function peerRoutes(options) {
+  const { peerStore } = options;
+  const app = new Hono6();
+  app.get("/peers", async (c) => {
+    const peers = await peerStore.listPeers();
+    const safe = peers.map(({ sharedSecret: _, ...rest }) => rest);
+    return c.json({ peers: safe });
+  });
+  app.put("/peers/:id", async (c) => {
+    const id = c.req.param("id");
+    const body = await c.req.json();
+    if (!body.name || !body.url || !body.sharedSecret) {
+      return c.json({ error: "Missing required fields: name, url, sharedSecret" }, 400);
+    }
+    const existing = await peerStore.getPeer(id);
+    const now = Date.now();
+    const peer = {
+      id,
+      name: body.name,
+      url: body.url,
+      sharedSecret: body.sharedSecret,
+      status: "active",
+      advertisedDomains: existing?.advertisedDomains ?? [],
+      lastSeen: existing?.lastSeen ?? 0,
+      createdAt: existing?.createdAt ?? now
+    };
+    await peerStore.putPeer(peer);
+    return c.json({ ok: true, id });
+  });
+  app.delete("/peers/:id", async (c) => {
+    const id = c.req.param("id");
+    await peerStore.deletePeer(id);
+    return c.json({ ok: true, id });
+  });
+  app.get("/rules", async (c) => {
+    const rules = await peerStore.listRules();
+    return c.json({ rules });
+  });
+  app.put("/rules/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const body = await c.req.json();
+    if (body.allow === void 0) {
+      return c.json({ error: "Missing required field: allow" }, 400);
+    }
+    const existing = await peerStore.getRule(domain);
+    const now = Date.now();
+    const rule = {
+      domain,
+      allow: body.allow,
+      peers: body.peers ?? existing?.peers ?? "*",
+      pricing: body.pricing ?? existing?.pricing ?? { mode: "free" },
+      rateLimit: body.rateLimit,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    };
+    await peerStore.putRule(rule);
+    return c.json({ ok: true, domain });
+  });
+  app.delete("/rules/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    await peerStore.deleteRule(domain);
+    return c.json({ ok: true, domain });
+  });
+  return app;
+}
+
+// src/http/routes/federation.ts
+import { Hono as Hono7 } from "hono";
+async function authenticatePeer(peerStore, peerId, authHeader) {
+  if (!peerId || !authHeader) return null;
+  const peer = await peerStore.getPeer(peerId);
+  if (!peer || peer.status !== "active") return null;
+  const token = authHeader.replace(/^Bearer\s+/i, "");
+  if (token !== peer.sharedSecret) return null;
+  return peer;
+}
+function extractDomainFromCommand(command) {
+  const parts = command.trim().split(/\s+/);
+  if (parts.length < 2) return null;
+  const path = parts[1];
+  if (!path.startsWith("/")) return null;
+  const segments = path.slice(1).split("/");
+  return segments[0] || null;
+}
+function federationRoutes(options) {
+  const { peerStore, vault, agentFs } = options;
+  const app = new Hono7();
+  app.post("/query", async (c) => {
+    const peerId = c.req.header("X-Peer-Id");
+    const authHeader = c.req.header("Authorization");
+    const peer = await authenticatePeer(peerStore, peerId, authHeader);
+    if (!peer) {
+      return c.json({ error: "Unauthorized peer" }, 403);
+    }
+    const body = await c.req.json();
+    if (!body.domain) {
+      return c.json({ error: "Missing 'domain' field" }, 400);
+    }
+    await peerStore.updateLastSeen(peer.id, Date.now());
+    const credential = await vault.get(body.domain);
+    if (!credential) {
+      return c.json({ available: false });
+    }
+    const rule = await peerStore.getRule(body.domain);
+    if (!rule || !rule.allow) {
+      return c.json({ available: false });
+    }
+    if (rule.peers !== "*" && !rule.peers.includes(peer.id)) {
+      return c.json({ available: false });
+    }
+    return c.json({
+      available: true,
+      pricing: rule.pricing
+    });
+  });
+  app.post("/exec", async (c) => {
+    const peerId = c.req.header("X-Peer-Id");
+    const authHeader = c.req.header("Authorization");
+    const peer = await authenticatePeer(peerStore, peerId, authHeader);
+    if (!peer) {
+      return c.json({ error: "Unauthorized peer" }, 403);
+    }
+    const body = await c.req.json();
+    if (!body.command) {
+      return c.json({ error: "Missing 'command' field" }, 400);
+    }
+    await peerStore.updateLastSeen(peer.id, Date.now());
+    const domain = extractDomainFromCommand(body.command);
+    if (domain) {
+      const rule = await peerStore.getRule(domain);
+      if (!rule || !rule.allow) {
+        return c.json({ error: "Domain not available for lending" }, 403);
+      }
+      if (rule.peers !== "*" && !rule.peers.includes(peer.id)) {
+        return c.json({ error: "Peer not in allowed list" }, 403);
+      }
+      if (rule.pricing.mode !== "free") {
+        const paymentHeader = c.req.header("X-402-Payment");
+        if (!paymentHeader) {
+          return c.json({ error: "Payment required" }, 402);
+        }
+      }
+    }
+    const syntheticAgentId = `peer:${peer.id}:${body.agentId}`;
+    const result = await agentFs.execute(body.command, ["agent"], {
+      id: syntheticAgentId,
+      roles: ["agent"]
+    });
+    if (!result.ok) {
+      return c.json({ ok: false, error: result.error.message }, 500);
+    }
+    return c.json({ ok: true, data: result.data });
+  });
+  app.post("/announce", async (c) => {
+    const peerId = c.req.header("X-Peer-Id");
+    const authHeader = c.req.header("Authorization");
+    const peer = await authenticatePeer(peerStore, peerId, authHeader);
+    if (!peer) {
+      return c.json({ error: "Unauthorized peer" }, 403);
+    }
+    const body = await c.req.json();
+    if (!Array.isArray(body.domains)) {
+      return c.json({ error: "Missing 'domains' field" }, 400);
+    }
+    peer.advertisedDomains = body.domains;
+    await peerStore.putPeer(peer);
+    await peerStore.updateLastSeen(peer.id, Date.now());
+    return c.json({ ok: true });
+  });
+  return app;
+}
+
+// src/http/app.ts
+function createGateway(options) {
+  const { store, gatewayPrivateKey, gatewayPublicKey, adminToken } = options;
+  const app = new Hono8();
+  const { onMiss, listDomains, searchDomains, searchEndpoints } = createRegistryResolver(
+    options.vault ? { store, vault: options.vault, gatewayPrivateKey } : { store, gatewayPrivateKey }
+  );
+  const mounts = [];
+  if (options.context7ApiKey) {
+    mounts.push({ path: "/context7", backend: new Context7Backend({ apiKey: options.context7ApiKey }) });
+  }
+  const agentFs = new AgentFs({
+    mounts,
+    onMiss,
+    listDomains,
+    searchDomains,
+    searchEndpoints
+  });
+  app.get("/.well-known/jwks.json", (c) => {
+    return c.json({ keys: [gatewayPublicKey] });
+  });
+  app.route("/auth", authRoutes({ privateKey: gatewayPrivateKey }));
+  if (options.db) {
+    app.route("/domains", domainRoutes({ db: options.db, gatewayPrivateKey }));
+  }
+  app.use("/registry/*", publishOrAdminAuth(adminToken, gatewayPublicKey));
+  app.route("/registry", registryRoutes({ store }));
+  if (options.vault) {
+    app.use("/credentials/*", adminAuth(adminToken));
+    app.route("/credentials", credentialRoutes({ vault: options.vault }));
+    app.use("/byok/*", agentAuth(gatewayPublicKey));
+    app.route("/byok", byokRoutes({ vault: options.vault }));
+  }
+  app.use("/execute", agentAuth(gatewayPublicKey));
+  app.use("/fs/*", agentAuth(gatewayPublicKey));
+  app.route("/", fsRoutes({ agentFs }));
+  if (options.proxy && options.vault) {
+    app.use("/proxy/*", agentAuth(gatewayPublicKey));
+    app.route(
+      "/proxy",
+      proxyRoutes({
+        vault: options.vault,
+        toolRegistry: options.proxy.toolRegistry,
+        exec: options.proxy.exec
+      })
+    );
+  }
+  if (options.peerStore && options.vault) {
+    app.use("/admin/federation/*", adminAuth(adminToken));
+    app.route("/admin/federation", peerRoutes({ peerStore: options.peerStore }));
+    app.route("/federation", federationRoutes({
+      peerStore: options.peerStore,
+      vault: options.vault,
+      agentFs
+    }));
+  }
+  if (options.tunnel) {
+    app.use("/tunnels/*", agentAuth(gatewayPublicKey));
+    app.route(
+      "/tunnels",
+      tunnelRoutes({
+        tunnelStore: options.tunnel.store,
+        tunnelProvider: options.tunnel.provider,
+        tunnelDomain: options.tunnel.domain
+      })
+    );
+  }
+  return app;
+}
+export {
+  adminAuth,
+  agentAuth,
+  authRoutes,
+  createGateway,
+  domainRoutes,
+  fsRoutes,
+  publishOrAdminAuth,
+  registryRoutes,
+  tunnelRoutes
+};