@nkmc/gateway 0.1.0

package/dist/index.cjs

@@ -0,0 +1,2436 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  CloudflareTunnelProvider: () => CloudflareTunnelProvider,
+  Context7Backend: () => Context7Backend,
+  Context7Client: () => Context7Client,
+  D1CredentialVault: () => D1CredentialVault,
+  D1MeterStore: () => D1MeterStore,
+  D1PeerStore: () => D1PeerStore,
+  D1RegistryStore: () => D1RegistryStore,
+  MemoryCredentialVault: () => MemoryCredentialVault,
+  MemoryMeterStore: () => MemoryMeterStore,
+  MemoryRegistryStore: () => MemoryRegistryStore,
+  MemoryTunnelStore: () => MemoryTunnelStore,
+  OnboardPipeline: () => OnboardPipeline,
+  VERSION: () => VERSION,
+  VirtualFileBackend: () => VirtualFileBackend,
+  checkAccess: () => checkAccess,
+  createRegistryResolver: () => createRegistryResolver,
+  createSqliteD1: () => createSqliteD1,
+  credentialRoutes: () => credentialRoutes,
+  discoverFromApisGuru: () => discoverFromApisGuru,
+  extractDomainPath: () => extractDomainPath,
+  lookupPricing: () => lookupPricing,
+  meter: () => meter,
+  parsePricingAnnotation: () => parsePricingAnnotation,
+  parseSkillMd: () => parseSkillMd,
+  queryDnsTxt: () => queryDnsTxt,
+  skillToHttpConfig: () => skillToHttpConfig,
+  tunnelRoutes: () => tunnelRoutes
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/registry/memory-store.ts
+var MemoryRegistryStore = class {
+  // key = "domain@version"
+  records = /* @__PURE__ */ new Map();
+  key(domain, version) {
+    return `${domain}@${version}`;
+  }
+  async get(domain) {
+    for (const record of this.records.values()) {
+      if (record.domain === domain && record.isDefault) return record;
+    }
+    return null;
+  }
+  async getVersion(domain, version) {
+    return this.records.get(this.key(domain, version)) ?? null;
+  }
+  async listVersions(domain) {
+    const versions = [];
+    for (const record of this.records.values()) {
+      if (record.domain === domain) {
+        versions.push({
+          version: record.version,
+          status: record.status,
+          isDefault: record.isDefault,
+          createdAt: record.createdAt,
+          updatedAt: record.updatedAt
+        });
+      }
+    }
+    return versions.sort((a, b) => b.createdAt - a.createdAt);
+  }
+  async put(domain, record) {
+    this.records.set(this.key(domain, record.version), record);
+  }
+  async delete(domain) {
+    const keysToDelete = [];
+    for (const [key, record] of this.records.entries()) {
+      if (record.domain === domain) keysToDelete.push(key);
+    }
+    for (const key of keysToDelete) {
+      this.records.delete(key);
+    }
+  }
+  async list() {
+    const results = [];
+    for (const record of this.records.values()) {
+      if (record.isDefault) results.push(toSummary(record));
+    }
+    return results;
+  }
+  async search(query) {
+    const q = query.toLowerCase();
+    const results = [];
+    for (const record of this.records.values()) {
+      if (!record.isDefault) continue;
+      const nameMatch = record.name.toLowerCase().includes(q) || record.description.toLowerCase().includes(q);
+      const matched = record.endpoints.filter(
+        (e) => e.description.toLowerCase().includes(q) || e.method.toLowerCase().includes(q) || e.path.toLowerCase().includes(q)
+      );
+      if (nameMatch || matched.length > 0) {
+        results.push({
+          ...toSummary(record),
+          matchedEndpoints: matched.map((e) => ({
+            method: e.method,
+            path: e.path,
+            description: e.description
+          }))
+        });
+      }
+    }
+    return results;
+  }
+};
+function toSummary(record) {
+  return {
+    domain: record.domain,
+    name: record.name,
+    description: record.description,
+    isFirstParty: record.isFirstParty
+  };
+}
+
+// src/registry/d1-store.ts
+var CREATE_SERVICES = `
+CREATE TABLE IF NOT EXISTS services (
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  name TEXT NOT NULL,
+  description TEXT,
+  roles TEXT,
+  skill_md TEXT NOT NULL,
+  endpoints TEXT,
+  is_first_party INTEGER DEFAULT 0,
+  status TEXT DEFAULT 'active',
+  is_default INTEGER DEFAULT 1,
+  source TEXT,
+  sunset_date INTEGER,
+  auth_mode TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, version)
+)`;
+var CREATE_SERVICES_DEFAULT_INDEX = `
+CREATE INDEX IF NOT EXISTS idx_services_default ON services(domain, is_default)`;
+var CREATE_DOMAIN_CHALLENGES = `
+CREATE TABLE IF NOT EXISTS domain_challenges (
+  domain TEXT PRIMARY KEY,
+  challenge_code TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'pending',
+  created_at INTEGER NOT NULL,
+  verified_at INTEGER,
+  expires_at INTEGER NOT NULL
+)`;
+function rowToRecord(row) {
+  return {
+    domain: row.domain,
+    name: row.name,
+    description: row.description,
+    version: row.version,
+    roles: JSON.parse(row.roles),
+    skillMd: row.skill_md,
+    endpoints: JSON.parse(row.endpoints),
+    isFirstParty: row.is_first_party === 1,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+    status: row.status,
+    isDefault: row.is_default === 1,
+    ...row.source ? { source: JSON.parse(row.source) } : {},
+    ...row.sunset_date ? { sunsetDate: row.sunset_date } : {},
+    ...row.auth_mode ? { authMode: row.auth_mode } : {}
+  };
+}
+function toSummary2(row) {
+  return {
+    domain: row.domain,
+    name: row.name,
+    description: row.description,
+    isFirstParty: row.is_first_party === 1
+  };
+}
+var D1RegistryStore = class _D1RegistryStore {
+  constructor(db) {
+    this.db = db;
+  }
+  async initSchema() {
+    await this.db.exec(CREATE_SERVICES);
+    await this.db.exec(CREATE_SERVICES_DEFAULT_INDEX);
+    await this.db.exec(CREATE_DOMAIN_CHALLENGES);
+  }
+  async get(domain) {
+    const row = await this.db.prepare("SELECT * FROM services WHERE domain = ? AND is_default = 1").bind(domain).first();
+    return row ? rowToRecord(row) : null;
+  }
+  async getVersion(domain, version) {
+    const row = await this.db.prepare("SELECT * FROM services WHERE domain = ? AND version = ?").bind(domain, version).first();
+    return row ? rowToRecord(row) : null;
+  }
+  async listVersions(domain) {
+    const { results } = await this.db.prepare(
+      "SELECT version, status, is_default, created_at, updated_at FROM services WHERE domain = ? ORDER BY created_at DESC"
+    ).bind(domain).all();
+    return results.map((row) => ({
+      version: row.version,
+      status: row.status,
+      isDefault: row.is_default === 1,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at
+    }));
+  }
+  /** Max endpoints JSON size before stripping verbose fields (parameters, requestBody, responses). */
+  static ENDPOINTS_SIZE_LIMIT = 8e5;
+  // ~800 KB, well under D1's ~1 MB per-value limit
+  async put(domain, record) {
+    let endpointsJson = JSON.stringify(record.endpoints);
+    if (endpointsJson.length > _D1RegistryStore.ENDPOINTS_SIZE_LIMIT) {
+      const slim = record.endpoints.map(({ method, path, description, price, pricing }) => ({
+        method,
+        path,
+        description,
+        ...price ? { price } : {},
+        ...pricing ? { pricing } : {}
+      }));
+      endpointsJson = JSON.stringify(slim);
+    }
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO services
+         (domain, version, name, description, roles, skill_md, endpoints, is_first_party, status, is_default, source, sunset_date, auth_mode, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    ).bind(
+      domain,
+      record.version,
+      record.name,
+      record.description,
+      JSON.stringify(record.roles),
+      record.skillMd,
+      endpointsJson,
+      record.isFirstParty ? 1 : 0,
+      record.status,
+      record.isDefault ? 1 : 0,
+      record.source ? JSON.stringify(record.source) : null,
+      record.sunsetDate ?? null,
+      record.authMode ?? null,
+      record.createdAt,
+      record.updatedAt
+    ).run();
+  }
+  async delete(domain) {
+    await this.db.prepare("DELETE FROM services WHERE domain = ?").bind(domain).run();
+  }
+  async list() {
+    const { results } = await this.db.prepare("SELECT domain, name, description, is_first_party FROM services WHERE is_default = 1").all();
+    return results.map(toSummary2);
+  }
+  async search(query) {
+    const pattern = `%${query}%`;
+    const { results: rows } = await this.db.prepare(
+      `SELECT * FROM services
+         WHERE is_default = 1 AND (name LIKE ? OR description LIKE ? OR endpoints LIKE ?)`
+    ).bind(pattern, pattern, pattern).all();
+    const q = query.toLowerCase();
+    return rows.map((row) => {
+      const endpoints = JSON.parse(row.endpoints);
+      const matched = endpoints.filter(
+        (e) => e.description.toLowerCase().includes(q) || e.method.toLowerCase().includes(q) || e.path.toLowerCase().includes(q)
+      );
+      return {
+        ...toSummary2(row),
+        matchedEndpoints: matched.map((e) => ({
+          method: e.method,
+          path: e.path,
+          description: e.description
+        }))
+      };
+    });
+  }
+  async stats() {
+    const row = await this.db.prepare(
+      `SELECT COUNT(*) as service_count, COALESCE(SUM(json_array_length(endpoints)), 0) as endpoint_count
+         FROM services WHERE is_default = 1`
+    ).first();
+    return {
+      serviceCount: row?.service_count ?? 0,
+      endpointCount: row?.endpoint_count ?? 0
+    };
+  }
+};
+
+// src/registry/skill-parser.ts
+var import_yaml = require("yaml");
+function parseSkillMd(domain, raw, options) {
+  const { frontmatter, body } = extractFrontmatter(raw);
+  const parsed = (0, import_yaml.parse)(frontmatter) ?? {};
+  const description = extractDescription(body);
+  const endpoints = extractEndpoints(body);
+  const now = Date.now();
+  return {
+    domain,
+    name: parsed.name ?? domain,
+    description,
+    version: parsed.version ?? "0.0",
+    roles: parsed.roles ?? ["agent"],
+    skillMd: raw,
+    endpoints,
+    isFirstParty: options?.isFirstParty ?? false,
+    createdAt: now,
+    updatedAt: now,
+    status: "active",
+    isDefault: true
+  };
+}
+function parsePricingAnnotation(text) {
+  const match = text.match(
+    /(\d+(?:\.\d+)?)\s+(\w+)\s*\/\s*(call|byte|minute|次)/i
+  );
+  if (!match) return void 0;
+  return {
+    cost: parseFloat(match[1]),
+    currency: match[2].toUpperCase(),
+    per: match[3] === "\u6B21" ? "call" : match[3].toLowerCase()
+  };
+}
+function extractFrontmatter(raw) {
+  const match = raw.match(/^---\n([\s\S]*?)\n---\n([\s\S]*)$/);
+  if (!match) return { frontmatter: "", body: raw };
+  return { frontmatter: match[1], body: match[2] };
+}
+function extractDescription(body) {
+  const lines = body.split("\n");
+  let foundTitle = false;
+  const descLines = [];
+  for (const line of lines) {
+    if (!foundTitle) {
+      if (line.startsWith("# ")) foundTitle = true;
+      continue;
+    }
+    if (line.startsWith("## ")) break;
+    const trimmed = line.trim();
+    if (trimmed === "" && descLines.length > 0) break;
+    if (trimmed !== "") descLines.push(trimmed);
+  }
+  return descLines.join(" ");
+}
+function extractEndpoints(body) {
+  const endpoints = [];
+  const lines = body.split("\n");
+  let inApiSection = false;
+  let currentHeading = null;
+  for (const line of lines) {
+    if (line.startsWith("## API")) {
+      inApiSection = true;
+      continue;
+    }
+    if (inApiSection && line.startsWith("## ") && !line.startsWith("## API")) {
+      break;
+    }
+    if (!inApiSection) continue;
+    if (line.startsWith("### ")) {
+      currentHeading = line.slice(4).trim();
+      continue;
+    }
+    const endpointMatch = line.match(/^`(GET|POST|PUT|PATCH|DELETE)\s+(\S+)`/);
+    if (endpointMatch && currentHeading) {
+      const afterBacktick = line.slice(line.indexOf("`", 1) + 1).trim();
+      const pricing = afterBacktick.startsWith("\u2014") ? parsePricingAnnotation(afterBacktick.slice(1).trim()) : void 0;
+      endpoints.push({
+        method: endpointMatch[1],
+        path: endpointMatch[2],
+        description: currentHeading,
+        ...pricing ? { pricing } : {}
+      });
+      currentHeading = null;
+    }
+  }
+  return endpoints;
+}
+
+// src/registry/skill-to-config.ts
+function skillToHttpConfig(record) {
+  let baseUrl = `https://${record.domain}`;
+  if (record.source?.basePath) {
+    baseUrl += record.source.basePath;
+  }
+  const resources = extractResources(record.skillMd);
+  const endpoints = extractHttpEndpoints(record.skillMd);
+  return {
+    baseUrl,
+    resources,
+    endpoints
+  };
+}
+function extractResources(skillMd) {
+  const resources = [];
+  const lines = skillMd.split("\n");
+  let inSchema = false;
+  let current = null;
+  for (const line of lines) {
+    if (line.startsWith("## Schema")) {
+      inSchema = true;
+      continue;
+    }
+    if (inSchema && line.startsWith("## ") && !line.startsWith("## Schema")) {
+      break;
+    }
+    if (!inSchema) continue;
+    const tableMatch = line.match(/^### (\w+)\s/);
+    if (tableMatch) {
+      if (current) resources.push(toHttpResource(current));
+      current = { name: tableMatch[1], fields: [] };
+      continue;
+    }
+    if (current && line.startsWith("|") && !line.startsWith("|--") && !line.startsWith("| field")) {
+      const cells = line.split("|").map((c) => c.trim()).filter(Boolean);
+      if (cells.length >= 3) {
+        current.fields.push({
+          name: cells[0],
+          type: cells[1],
+          description: cells[2]
+        });
+      }
+    }
+  }
+  if (current) resources.push(toHttpResource(current));
+  return resources;
+}
+function toHttpResource(parsed) {
+  return {
+    name: parsed.name,
+    apiPath: `/${parsed.name}`,
+    fields: parsed.fields
+  };
+}
+function extractHttpEndpoints(skillMd) {
+  const endpoints = [];
+  const lines = skillMd.split("\n");
+  let inApi = false;
+  let currentHeading = null;
+  for (const line of lines) {
+    if (line.startsWith("## API")) {
+      inApi = true;
+      continue;
+    }
+    if (inApi && line.startsWith("## ") && !line.startsWith("## API")) {
+      break;
+    }
+    if (!inApi) continue;
+    if (line.startsWith("### ")) {
+      currentHeading = line.slice(4).trim();
+      continue;
+    }
+    const match = line.match(/^`(GET|POST|PUT|PATCH|DELETE)\s+(\S+)`/);
+    if (match && currentHeading) {
+      const slug = currentHeading.toLowerCase().replace(/\s+/g, "-");
+      endpoints.push({
+        name: slug,
+        method: match[1],
+        apiPath: match[2],
+        description: currentHeading
+      });
+      currentHeading = null;
+    }
+  }
+  return endpoints;
+}
+function skillToRpcConfig(meta) {
+  const resources = meta.resources.map((r) => {
+    const methods = {};
+    const builder = getParamsBuilder(meta.convention);
+    for (const [fsOp, rpcMethod] of Object.entries(r.methods)) {
+      const key = fsOp;
+      methods[key] = {
+        method: rpcMethod,
+        params: builder(key)
+      };
+    }
+    const resource = {
+      name: r.name,
+      ...r.idField ? { idField: r.idField } : {},
+      methods
+    };
+    if (meta.convention === "evm") {
+      resource.transform = buildEvmTransforms(r.name);
+    }
+    return resource;
+  });
+  return { resources };
+}
+function getParamsBuilder(convention) {
+  switch (convention) {
+    case "crud":
+      return crudParamsBuilder;
+    case "evm":
+      return evmParamsBuilder;
+    case "raw":
+    default:
+      return rawParamsBuilder;
+  }
+}
+function rawParamsBuilder(_fsOp) {
+  return (ctx) => {
+    if (ctx.data !== void 0) return [ctx.data];
+    if (ctx.id !== void 0) return [ctx.id];
+    return [];
+  };
+}
+function crudParamsBuilder(fsOp) {
+  switch (fsOp) {
+    case "list":
+      return () => [];
+    case "read":
+      return (ctx) => [ctx.id];
+    case "write":
+      return (ctx) => [ctx.id, ctx.data];
+    case "create":
+      return (ctx) => [ctx.data];
+    case "remove":
+      return (ctx) => [ctx.id];
+    case "search":
+      return (ctx) => [ctx.pattern];
+    default:
+      return () => [];
+  }
+}
+function evmParamsBuilder(fsOp) {
+  switch (fsOp) {
+    case "list":
+      return () => [];
+    case "read":
+      return (ctx) => {
+        const id = ctx.id;
+        const hexId = /^\d+$/.test(id) ? "0x" + Number(id).toString(16) : id;
+        return [hexId, "latest"];
+      };
+    default:
+      return rawParamsBuilder(fsOp);
+  }
+}
+function buildEvmTransforms(resourceName) {
+  const transform = {};
+  if (resourceName === "blocks") {
+    transform.list = (data) => {
+      const hex = String(data);
+      const latest = parseInt(hex, 16);
+      if (isNaN(latest)) return [];
+      return Array.from({ length: 10 }, (_, i) => `${latest - i}.json`);
+    };
+  }
+  if (resourceName === "balances") {
+    transform.read = (data) => {
+      const hex = String(data);
+      return { wei: hex, raw: hex };
+    };
+  }
+  return Object.keys(transform).length > 0 ? transform : void 0;
+}
+
+// src/registry/resolver.ts
+var import_agent_fs = require("@nkmc/agent-fs");
+var import_core = require("@nkmc/core");
+
+// src/registry/virtual-files.ts
+var VIRTUAL_FILES = ["_pricing.json", "_versions.json", "skill.md"];
+var VirtualFileBackend = class {
+  inner;
+  domain;
+  store;
+  constructor(options) {
+    this.inner = options.inner;
+    this.domain = options.domain;
+    this.store = options.store;
+  }
+  async list(path) {
+    const entries = await this.inner.list(path);
+    if (path === "/" || path === "" || path === ".") {
+      return [...entries, ...VIRTUAL_FILES];
+    }
+    return entries;
+  }
+  async read(path) {
+    const cleaned = path.replace(/^\/+/, "").replace(/\/+$/, "");
+    if (cleaned === "_pricing.json") {
+      const record = await this.store.get(this.domain);
+      if (!record) return { endpoints: [] };
+      return {
+        domain: this.domain,
+        endpoints: record.endpoints.filter((ep) => ep.pricing).map((ep) => ({
+          method: ep.method,
+          path: ep.path,
+          description: ep.description,
+          pricing: ep.pricing
+        }))
+      };
+    }
+    if (cleaned === "_versions.json") {
+      const versions = await this.store.listVersions(this.domain);
+      return { domain: this.domain, versions };
+    }
+    if (cleaned === "skill.md") {
+      const record = await this.store.get(this.domain);
+      if (!record) return "# Not found\n";
+      return record.skillMd;
+    }
+    return this.inner.read(path);
+  }
+  async write(path, data) {
+    return this.inner.write(path, data);
+  }
+  async remove(path) {
+    return this.inner.remove(path);
+  }
+  async search(path, pattern) {
+    return this.inner.search(path, pattern);
+  }
+};
+
+// src/federation/peer-backend.ts
+var PeerBackend = class {
+  constructor(client, peer, agentId) {
+    this.client = client;
+    this.peer = peer;
+    this.agentId = agentId;
+  }
+  async list(path) {
+    const result = await this.execOnPeer(`ls ${path}`);
+    return result.data ?? [];
+  }
+  async read(path) {
+    const result = await this.execOnPeer(`cat ${path}`);
+    return result.data;
+  }
+  async write(path, data) {
+    const result = await this.execOnPeer(
+      `write ${path} ${JSON.stringify(data)}`
+    );
+    return result.data ?? { id: "" };
+  }
+  async remove(path) {
+    await this.execOnPeer(`rm ${path}`);
+  }
+  async search(path, pattern) {
+    const result = await this.execOnPeer(`grep ${pattern} ${path}`);
+    return result.data ?? [];
+  }
+  async execOnPeer(command) {
+    const result = await this.client.exec(this.peer, {
+      command,
+      agentId: this.agentId
+    });
+    if (!result.ok) {
+      if (result.paymentRequired) {
+        throw new Error(
+          `Payment required: ${result.paymentRequired.price} ${result.paymentRequired.currency}`
+        );
+      }
+      throw new Error(result.error ?? "Peer execution failed");
+    }
+    return result;
+  }
+};
+
+// src/registry/resolver.ts
+function createRegistryResolver(storeOrOptions) {
+  const options = "get" in storeOrOptions && "put" in storeOrOptions ? { store: storeOrOptions } : storeOrOptions;
+  const { store, vault, gatewayPrivateKey } = options;
+  const loaded = /* @__PURE__ */ new Set();
+  async function tryPeerFallback(domain, version, addMount, agent) {
+    if (!options.peerClient || !options.peerStore) return false;
+    const peers = await options.peerStore.listPeers();
+    for (const peer of peers) {
+      if (peer.advertisedDomains.length > 0 && !peer.advertisedDomains.includes(domain)) {
+        continue;
+      }
+      const result = await options.peerClient.query(peer, domain);
+      if (result.available) {
+        const peerBackend = new PeerBackend(options.peerClient, peer, agent?.id ?? "anonymous");
+        const mountPath = version ? `/${domain}@${version}` : `/${domain}`;
+        addMount({ path: mountPath, backend: peerBackend });
+        return true;
+      }
+    }
+    return false;
+  }
+  async function onMiss(path, addMount, agent) {
+    const { domain, version } = extractDomainPath(path);
+    if (!domain) return false;
+    const cacheKey = version ? `${domain}@${version}` : domain;
+    const record = version ? await store.getVersion(domain, version) : await store.get(domain);
+    if (!record) {
+      return tryPeerFallback(domain, version, addMount, agent);
+    }
+    const isNkmcJwt = record.authMode === "nkmc-jwt";
+    if (!isNkmcJwt && loaded.has(cacheKey)) return false;
+    if (record.status === "sunset") return false;
+    let auth;
+    if (isNkmcJwt && gatewayPrivateKey && agent) {
+      const token = await (0, import_core.signJwt)(gatewayPrivateKey, {
+        sub: agent.id,
+        roles: agent.roles,
+        svc: domain
+      }, { expiresIn: "5m" });
+      auth = { type: "bearer", token };
+    } else if (vault) {
+      const cred = await vault.get(domain, agent?.id);
+      if (cred) {
+        auth = cred.auth;
+      }
+    }
+    if (!auth && !isNkmcJwt) {
+      const peerMounted = await tryPeerFallback(domain, version, addMount, agent);
+      if (peerMounted) return true;
+    }
+    let backend;
+    if (record.source?.type === "jsonrpc" && record.source.rpc) {
+      const { resources } = skillToRpcConfig(record.source.rpc);
+      const headers = {};
+      if (auth) {
+        if (auth.type === "bearer") {
+          headers["Authorization"] = `${auth.prefix ?? "Bearer"} ${auth.token}`;
+        } else if (auth.type === "api-key") {
+          headers[auth.header] = auth.key;
+        }
+      }
+      const transport = new import_agent_fs.JsonRpcTransport({ url: record.source.rpc.rpcUrl, headers });
+      backend = new import_agent_fs.RpcBackend({ transport, resources });
+    } else {
+      const config = skillToHttpConfig(record);
+      config.auth = auth;
+      backend = new import_agent_fs.HttpBackend(config);
+    }
+    let finalBackend = backend;
+    if (options.wrapVirtualFiles !== false) {
+      finalBackend = new VirtualFileBackend({ inner: backend, domain, store: options.store });
+    }
+    const mountPath = version ? `/${domain}@${version}` : `/${domain}`;
+    addMount({ path: mountPath, backend: finalBackend });
+    if (!isNkmcJwt) {
+      loaded.add(cacheKey);
+    }
+    return true;
+  }
+  async function listDomains() {
+    const summaries = await store.list();
+    return summaries.map((s) => s.domain);
+  }
+  async function searchDomains(query) {
+    return store.search(query);
+  }
+  async function searchEndpoints(domain, query) {
+    const record = await store.get(domain);
+    if (!record) return [];
+    const q = query.toLowerCase();
+    return record.endpoints.filter(
+      (e) => e.description.toLowerCase().includes(q) || e.method.toLowerCase().includes(q) || e.path.toLowerCase().includes(q)
+    ).map((e) => ({ method: e.method, path: e.path, description: e.description }));
+  }
+  return { onMiss, listDomains, searchDomains, searchEndpoints };
+}
+function extractDomainPath(path) {
+  const segments = path.split("/").filter(Boolean);
+  if (segments.length === 0) return { domain: null, version: null };
+  const first = segments[0];
+  const atIndex = first.indexOf("@");
+  if (atIndex > 0) {
+    return {
+      domain: first.slice(0, atIndex),
+      version: first.slice(atIndex + 1)
+    };
+  }
+  return { domain: first, version: null };
+}
+
+// src/metering/memory-store.ts
+var MemoryMeterStore = class {
+  records = [];
+  async record(entry) {
+    this.records.push(entry);
+  }
+  async query(filter) {
+    return this.records.filter((r) => this.matches(r, filter));
+  }
+  async sum(filter) {
+    const matched = this.records.filter((r) => this.matches(r, filter));
+    const total = matched.reduce((acc, r) => acc + r.cost, 0);
+    const currency = matched[0]?.currency ?? "USDC";
+    return { total, currency };
+  }
+  matches(record, filter) {
+    if (filter.domain && record.domain !== filter.domain) return false;
+    if (filter.agentId && record.agentId !== filter.agentId) return false;
+    if (filter.developerId && record.developerId !== filter.developerId) return false;
+    if (filter.from && record.timestamp < filter.from) return false;
+    if (filter.to && record.timestamp > filter.to) return false;
+    return true;
+  }
+};
+
+// src/metering/d1-store.ts
+var CREATE_METER_RECORDS = `
+CREATE TABLE IF NOT EXISTS meter_records (
+  id TEXT PRIMARY KEY,
+  timestamp INTEGER NOT NULL,
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  endpoint TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  developer_id TEXT,
+  cost REAL NOT NULL,
+  currency TEXT NOT NULL DEFAULT 'USDC'
+)`;
+var CREATE_METER_INDEX_DOMAIN = `
+CREATE INDEX IF NOT EXISTS idx_meter_domain ON meter_records(domain, timestamp)`;
+var CREATE_METER_INDEX_AGENT = `
+CREATE INDEX IF NOT EXISTS idx_meter_agent ON meter_records(agent_id, timestamp)`;
+var D1MeterStore = class {
+  constructor(db) {
+    this.db = db;
+  }
+  async initSchema() {
+    await this.db.exec(CREATE_METER_RECORDS);
+    await this.db.exec(CREATE_METER_INDEX_DOMAIN);
+    await this.db.exec(CREATE_METER_INDEX_AGENT);
+  }
+  async record(entry) {
+    await this.db.prepare(
+      `INSERT INTO meter_records (id, timestamp, domain, version, endpoint, agent_id, developer_id, cost, currency)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    ).bind(
+      entry.id,
+      entry.timestamp,
+      entry.domain,
+      entry.version,
+      entry.endpoint,
+      entry.agentId,
+      entry.developerId ?? null,
+      entry.cost,
+      entry.currency
+    ).run();
+  }
+  async query(filter) {
+    const { sql, bindings } = this.buildQuery("SELECT *", filter);
+    const { results } = await this.db.prepare(sql).bind(...bindings).all();
+    return results.map(rowToRecord2);
+  }
+  async sum(filter) {
+    const { sql, bindings } = this.buildQuery("SELECT COALESCE(SUM(cost), 0) as total, COALESCE(MIN(currency), 'USDC') as currency", filter);
+    const row = await this.db.prepare(sql).bind(...bindings).first();
+    return { total: row?.total ?? 0, currency: row?.currency ?? "USDC" };
+  }
+  buildQuery(select, filter) {
+    const conditions = [];
+    const bindings = [];
+    if (filter.domain) {
+      conditions.push("domain = ?");
+      bindings.push(filter.domain);
+    }
+    if (filter.agentId) {
+      conditions.push("agent_id = ?");
+      bindings.push(filter.agentId);
+    }
+    if (filter.developerId) {
+      conditions.push("developer_id = ?");
+      bindings.push(filter.developerId);
+    }
+    if (filter.from) {
+      conditions.push("timestamp >= ?");
+      bindings.push(filter.from);
+    }
+    if (filter.to) {
+      conditions.push("timestamp <= ?");
+      bindings.push(filter.to);
+    }
+    let sql = `${select} FROM meter_records`;
+    if (conditions.length > 0) {
+      sql += ` WHERE ${conditions.join(" AND ")}`;
+    }
+    sql += " ORDER BY timestamp DESC";
+    return { sql, bindings };
+  }
+};
+function rowToRecord2(row) {
+  return {
+    id: row.id,
+    timestamp: row.timestamp,
+    domain: row.domain,
+    version: row.version,
+    endpoint: row.endpoint,
+    agentId: row.agent_id,
+    ...row.developer_id ? { developerId: row.developer_id } : {},
+    cost: row.cost,
+    currency: row.currency
+  };
+}
+
+// src/metering/pricing-guard.ts
+function lookupPricing(record, method, path) {
+  for (const ep of record.endpoints) {
+    if (ep.method.toUpperCase() !== method.toUpperCase()) continue;
+    if (matchPath(ep.path, path)) {
+      return ep.pricing ?? null;
+    }
+  }
+  return null;
+}
+function checkAccess(record) {
+  if (record.status === "sunset") {
+    return { allowed: false, reason: "Service has been sunset" };
+  }
+  if (record.sunsetDate && record.sunsetDate < Date.now()) {
+    return { allowed: false, reason: "Service sunset date has passed" };
+  }
+  return { allowed: true };
+}
+async function meter(store, opts) {
+  const entry = {
+    id: `m_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+    timestamp: Date.now(),
+    domain: opts.domain,
+    version: opts.version,
+    endpoint: opts.endpoint,
+    agentId: opts.agentId,
+    developerId: opts.developerId,
+    cost: opts.pricing.cost,
+    currency: opts.pricing.currency
+  };
+  await store.record(entry);
+  return entry;
+}
+function matchPath(pattern, actual) {
+  const patternParts = pattern.split("/").filter(Boolean);
+  const actualParts = actual.split("/").filter(Boolean);
+  if (patternParts.length !== actualParts.length) return false;
+  for (let i = 0; i < patternParts.length; i++) {
+    if (patternParts[i].startsWith(":")) continue;
+    if (patternParts[i] !== actualParts[i]) return false;
+  }
+  return true;
+}
+
+// src/credential/memory-vault.ts
+var MemoryCredentialVault = class {
+  // key = "pool:domain" or "byok:domain:developerId"
+  credentials = /* @__PURE__ */ new Map();
+  poolKey(domain) {
+    return `pool:${domain}`;
+  }
+  byokKey(domain, developerId) {
+    return `byok:${domain}:${developerId}`;
+  }
+  async get(domain, developerId) {
+    if (developerId) {
+      const byok = this.credentials.get(this.byokKey(domain, developerId));
+      if (byok) return byok;
+    }
+    return this.credentials.get(this.poolKey(domain)) ?? null;
+  }
+  async putPool(domain, auth) {
+    this.credentials.set(this.poolKey(domain), { domain, auth, scope: "pool" });
+  }
+  async putByok(domain, developerId, auth) {
+    this.credentials.set(this.byokKey(domain, developerId), {
+      domain,
+      auth,
+      scope: "byok",
+      developerId
+    });
+  }
+  async delete(domain, developerId) {
+    if (developerId) {
+      this.credentials.delete(this.byokKey(domain, developerId));
+    } else {
+      this.credentials.delete(this.poolKey(domain));
+    }
+  }
+  async listDomains() {
+    const domains = /* @__PURE__ */ new Set();
+    for (const cred of this.credentials.values()) {
+      domains.add(cred.domain);
+    }
+    return Array.from(domains);
+  }
+};
+
+// src/credential/d1-vault.ts
+var CREATE_CREDENTIALS = `
+CREATE TABLE IF NOT EXISTS credentials (
+  domain TEXT NOT NULL,
+  scope TEXT NOT NULL DEFAULT 'pool',
+  developer_id TEXT NOT NULL DEFAULT '',
+  auth_encrypted TEXT NOT NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, scope, developer_id)
+)`;
+async function encrypt(auth, key) {
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const plaintext = new TextEncoder().encode(JSON.stringify(auth));
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    plaintext
+  );
+  const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+  combined.set(iv);
+  combined.set(new Uint8Array(ciphertext), iv.length);
+  return btoa(String.fromCharCode(...combined));
+}
+async function decrypt(encoded, key) {
+  const bytes = Uint8Array.from(atob(encoded), (c) => c.charCodeAt(0));
+  const iv = bytes.slice(0, 12);
+  const ciphertext = bytes.slice(12);
+  try {
+    const plaintext = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      ciphertext
+    );
+    return JSON.parse(new TextDecoder().decode(plaintext));
+  } catch {
+    return JSON.parse(atob(encoded));
+  }
+}
+var D1CredentialVault = class {
+  constructor(db, encryptionKey) {
+    this.db = db;
+    this.encryptionKey = encryptionKey;
+  }
+  async initSchema() {
+    await this.db.exec(CREATE_CREDENTIALS);
+  }
+  async get(domain, developerId) {
+    if (developerId) {
+      const byok = await this.db.prepare("SELECT * FROM credentials WHERE domain = ? AND scope = 'byok' AND developer_id = ?").bind(domain, developerId).first();
+      if (byok) return await this.rowToCredential(byok);
+    }
+    const pool = await this.db.prepare("SELECT * FROM credentials WHERE domain = ? AND scope = 'pool' AND developer_id = ''").bind(domain).first();
+    return pool ? await this.rowToCredential(pool) : null;
+  }
+  async putPool(domain, auth) {
+    const now = Date.now();
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO credentials (domain, scope, developer_id, auth_encrypted, created_at, updated_at)
+         VALUES (?, 'pool', '', ?, ?, ?)`
+    ).bind(domain, await encrypt(auth, this.encryptionKey), now, now).run();
+  }
+  async putByok(domain, developerId, auth) {
+    const now = Date.now();
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO credentials (domain, scope, developer_id, auth_encrypted, created_at, updated_at)
+         VALUES (?, 'byok', ?, ?, ?, ?)`
+    ).bind(domain, developerId, await encrypt(auth, this.encryptionKey), now, now).run();
+  }
+  async delete(domain, developerId) {
+    if (developerId) {
+      await this.db.prepare("DELETE FROM credentials WHERE domain = ? AND scope = 'byok' AND developer_id = ?").bind(domain, developerId).run();
+    } else {
+      await this.db.prepare("DELETE FROM credentials WHERE domain = ? AND scope = 'pool' AND developer_id = ''").bind(domain).run();
+    }
+  }
+  async listDomains() {
+    const { results } = await this.db.prepare("SELECT DISTINCT domain FROM credentials").all();
+    return results.map((r) => r.domain);
+  }
+  async rowToCredential(row) {
+    return {
+      domain: row.domain,
+      auth: await decrypt(row.auth_encrypted, this.encryptionKey),
+      scope: row.scope,
+      ...row.developer_id ? { developerId: row.developer_id } : {}
+    };
+  }
+};
+
+// src/http/routes/credentials.ts
+var import_hono = require("hono");
+function credentialRoutes(options) {
+  const { vault } = options;
+  const app = new import_hono.Hono();
+  app.put("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    const body = await c.req.json();
+    if (!body.auth?.type) {
+      return c.json({ error: "Missing auth.type" }, 400);
+    }
+    await vault.putPool(domain, body.auth);
+    return c.json({ ok: true, domain });
+  });
+  app.get("/", async (c) => {
+    const domains = await vault.listDomains();
+    return c.json({ domains });
+  });
+  app.delete("/:domain", async (c) => {
+    const domain = c.req.param("domain");
+    await vault.delete(domain);
+    return c.json({ ok: true, domain });
+  });
+  return app;
+}
+
+// src/http/lib/dns.ts
+async function queryDnsTxt(domain) {
+  const url = new URL("https://cloudflare-dns.com/dns-query");
+  url.searchParams.set("name", domain);
+  url.searchParams.set("type", "TXT");
+  const res = await fetch(url.toString(), {
+    headers: { Accept: "application/dns-json" }
+  });
+  if (!res.ok) {
+    throw new Error(`DNS query failed: ${res.status}`);
+  }
+  const data = await res.json();
+  return (data.Answer ?? []).filter((a) => a.type === 16).map((a) => a.data.replace(/^"|"$/g, ""));
+}
+
+// src/registry/context7.ts
+var Context7Client = class {
+  apiKey;
+  baseUrl;
+  fetchFn;
+  constructor(options) {
+    this.apiKey = options?.apiKey;
+    this.baseUrl = options?.baseUrl ?? "https://context7.com/api/v2";
+    this.fetchFn = options?.fetchFn ?? globalThis.fetch.bind(globalThis);
+  }
+  /** Search for a library by name. Returns matching library entries. */
+  async searchLibraries(libraryName, query) {
+    const params = new URLSearchParams({ libraryName });
+    if (query) params.set("query", query);
+    const resp = await this.fetchFn(`${this.baseUrl}/libs/search?${params}`, {
+      headers: this.headers()
+    });
+    if (!resp.ok) throw new Error(`Context7 search failed: ${resp.status}`);
+    return resp.json();
+  }
+  /** Query documentation for a specific library. Returns documentation text. */
+  async queryDocs(libraryId, query) {
+    const params = new URLSearchParams({ libraryId, query, type: "txt" });
+    const resp = await this.fetchFn(`${this.baseUrl}/context?${params}`, {
+      headers: this.headers()
+    });
+    if (!resp.ok) throw new Error(`Context7 query failed: ${resp.status}`);
+    return resp.text();
+  }
+  headers() {
+    const h = {};
+    if (this.apiKey) h["Authorization"] = `Bearer ${this.apiKey}`;
+    return h;
+  }
+};
+
+// src/registry/context7-backend.ts
+var Context7Backend = class {
+  client;
+  constructor(options) {
+    this.client = new Context7Client(options);
+  }
+  async list(path) {
+    const cleaned = path.replace(/^\/+/, "").replace(/\/+$/, "");
+    if (!cleaned) {
+      return [
+        'grep "<\u5173\u952E\u8BCD>" /context7/     \u2014 \u641C\u7D22\u5E93',
+        'grep "<\u95EE\u9898>" /context7/{id}   \u2014 \u67E5\u8BE2\u6587\u6863',
+        "cat /context7/{owner}/{repo}   \u2014 \u5E93\u6982\u89C8"
+      ];
+    }
+    return ['grep "<\u95EE\u9898>" /context7/' + cleaned + " \u2014 \u67E5\u8BE2\u6B64\u5E93\u6587\u6863"];
+  }
+  async read(path) {
+    const libraryId = parseLibraryId(path);
+    if (!libraryId) {
+      return { usage: 'grep "<\u5173\u952E\u8BCD>" /context7/ \u2014 \u641C\u7D22\u5E93' };
+    }
+    const name = libraryId.split("/").pop() ?? libraryId;
+    const docs = await this.client.queryDocs(libraryId, `${name} overview getting started`);
+    return { libraryId, docs };
+  }
+  async write(_path, _data) {
+    throw new Error("context7 is read-only");
+  }
+  async remove(_path) {
+    throw new Error("context7 is read-only");
+  }
+  async search(path, pattern) {
+    const cleaned = path.replace(/^\/+/, "").replace(/\/+$/, "");
+    if (!cleaned) {
+      const results = await this.client.searchLibraries(pattern);
+      return results.map(formatSearchResult);
+    }
+    const libraryId = parseLibraryId(path);
+    if (!libraryId) return [];
+    const docs = await this.client.queryDocs(libraryId, pattern);
+    if (!docs) return [];
+    return [{ libraryId, query: pattern, docs }];
+  }
+};
+function parseLibraryId(path) {
+  const cleaned = path.replace(/^\/+/, "").replace(/\/+$/, "");
+  if (!cleaned) return null;
+  const parts = cleaned.split("/");
+  if (parts.length < 2) return null;
+  return "/" + parts.slice(0, 2).join("/");
+}
+function formatSearchResult(r) {
+  return {
+    id: r.id,
+    name: r.name,
+    description: r.description ?? "",
+    snippets: r.totalSnippets ?? 0
+  };
+}
+
+// src/onboard/pipeline.ts
+var import_agent_fs2 = require("@nkmc/agent-fs");
+
+// src/registry/openapi-compiler.ts
+var import_yaml2 = __toESM(require("yaml"), 1);
+function extractBasePath(spec) {
+  const servers = spec.servers;
+  if (!Array.isArray(servers) || servers.length === 0) return "";
+  const serverUrl = servers[0]?.url;
+  if (!serverUrl || typeof serverUrl !== "string") return "";
+  try {
+    if (serverUrl.startsWith("/")) {
+      return serverUrl.replace(/\/+$/, "");
+    }
+    const parsed = new URL(serverUrl);
+    const pathname = parsed.pathname.replace(/\/+$/, "");
+    return pathname || "";
+  } catch {
+    return "";
+  }
+}
+function resolveRef(spec, ref) {
+  if (!ref.startsWith("#/")) return void 0;
+  const parts = ref.slice(2).split("/");
+  let current = spec;
+  for (const part of parts) {
+    if (current == null || typeof current !== "object") return void 0;
+    current = current[part];
+  }
+  return current;
+}
+function resolveSchema(spec, schema) {
+  if (!schema) return void 0;
+  if (schema.$ref) return resolveRef(spec, schema.$ref);
+  return schema;
+}
+function extractProperties(spec, schema) {
+  const resolved = resolveSchema(spec, schema);
+  if (!resolved || resolved.type !== "object" || !resolved.properties) return [];
+  const requiredSet = new Set(resolved.required ?? []);
+  const props = [];
+  for (const [name, prop] of Object.entries(resolved.properties)) {
+    const p = resolveSchema(spec, prop) ?? prop;
+    props.push({
+      name,
+      type: p.type ?? (p.enum ? "enum" : "unknown"),
+      required: requiredSet.has(name),
+      ...p.description ? { description: p.description } : {}
+    });
+  }
+  return props;
+}
+function extractParams(spec, operation) {
+  const params = operation.parameters;
+  if (!Array.isArray(params) || params.length === 0) return void 0;
+  const result = [];
+  for (const raw of params) {
+    const p = resolveSchema(spec, raw) ?? raw;
+    if (!p.name || !p.in) continue;
+    if (!["path", "query", "header"].includes(p.in)) continue;
+    const schema = resolveSchema(spec, p.schema) ?? p.schema;
+    result.push({
+      name: p.name,
+      in: p.in,
+      required: !!p.required,
+      type: schema?.type ?? "string",
+      ...p.description ? { description: p.description } : {}
+    });
+  }
+  return result.length > 0 ? result : void 0;
+}
+function extractRequestBody(spec, operation) {
+  const body = resolveSchema(spec, operation.requestBody);
+  if (!body?.content) return void 0;
+  const jsonContent = body.content["application/json"];
+  if (!jsonContent?.schema) return void 0;
+  const properties = extractProperties(spec, jsonContent.schema);
+  if (properties.length === 0) return void 0;
+  return {
+    contentType: "application/json",
+    required: !!body.required,
+    properties
+  };
+}
+function extractResponses(spec, operation) {
+  const responses = operation.responses;
+  if (!responses || typeof responses !== "object") return void 0;
+  const result = [];
+  for (const [code, raw] of Object.entries(responses)) {
+    const status = parseInt(code, 10);
+    if (isNaN(status) || status < 200 || status >= 300) continue;
+    const resp = resolveSchema(spec, raw) ?? raw;
+    const jsonContent = resp?.content?.["application/json"];
+    const properties = jsonContent?.schema ? extractProperties(spec, jsonContent.schema) : void 0;
+    result.push({
+      status,
+      description: resp?.description ?? "",
+      ...properties && properties.length > 0 ? { properties } : {}
+    });
+  }
+  return result.length > 0 ? result : void 0;
+}
+function compileOpenApiSpec(spec, options) {
+  const info = spec.info ?? {};
+  const name = info.title ?? options.domain;
+  const description = info.description ?? "";
+  const version = options.version ?? info.version ?? "1.0";
+  const basePath = extractBasePath(spec);
+  const endpoints = [];
+  const resources = [];
+  const resourcePaths = /* @__PURE__ */ new Map();
+  const paths = spec.paths ?? {};
+  for (const [path, methods] of Object.entries(paths)) {
+    if (typeof methods !== "object" || methods === null) continue;
+    for (const [method, op] of Object.entries(methods)) {
+      if (!["get", "post", "put", "patch", "delete"].includes(method)) continue;
+      const operation = op;
+      const parameters = extractParams(spec, operation);
+      const requestBody = extractRequestBody(spec, operation);
+      const responses = extractResponses(spec, operation);
+      endpoints.push({
+        method: method.toUpperCase(),
+        path,
+        description: operation.summary ?? operation.operationId ?? `${method.toUpperCase()} ${path}`,
+        ...parameters ? { parameters } : {},
+        ...requestBody ? { requestBody } : {},
+        ...responses ? { responses } : {}
+      });
+    }
+    const segments = path.split("/").filter(Boolean);
+    if (segments.length >= 1) {
+      const resourceName = segments[0];
+      if (!resourcePaths.has(resourceName) && !resourceName.startsWith("{")) {
+        resourcePaths.set(resourceName, {
+          name: resourceName,
+          apiPath: `/${resourceName}`
+        });
+      }
+    }
+  }
+  for (const r of resourcePaths.values()) {
+    resources.push(r);
+  }
+  const skillMd = generateSkillMd(name, version, description, endpoints, resources);
+  const now = Date.now();
+  const record = {
+    domain: options.domain,
+    name,
+    description,
+    version,
+    roles: ["agent"],
+    skillMd,
+    endpoints,
+    isFirstParty: options.isFirstParty ?? false,
+    createdAt: now,
+    updatedAt: now,
+    status: "active",
+    isDefault: true,
+    source: { type: "openapi", ...basePath ? { basePath } : {} }
+  };
+  return { record, resources, skillMd };
+}
+async function fetchAndCompile(specUrl, options, fetchFn = globalThis.fetch.bind(globalThis)) {
+  const resp = await fetchFn(specUrl);
+  if (!resp.ok) throw new Error(`Failed to fetch spec: ${resp.status} ${resp.statusText}`);
+  const text = await resp.text();
+  const spec = parseSpec(specUrl, resp.headers.get("content-type") ?? "", text);
+  const result = compileOpenApiSpec(spec, options);
+  const basePath = result.record.source?.basePath;
+  result.record.source = { type: "openapi", url: specUrl, ...basePath ? { basePath } : {} };
+  return result;
+}
+function parseSpec(url, contentType, text) {
+  const isJson = contentType.includes("json") || url.endsWith(".json") || text.trimStart().startsWith("{");
+  if (isJson) return JSON.parse(text);
+  return import_yaml2.default.parse(text);
+}
+function propsTable(props) {
+  let t = "| name | type | required |\n|------|------|----------|\n";
+  for (const p of props) {
+    t += `| ${p.name} | ${p.type} | ${p.required ? "*" : ""} |
+`;
+  }
+  return t;
+}
+function generateSkillMd(name, version, description, endpoints, resources) {
+  let md = `---
+name: "${name}"
+gateway: nkmc
+version: "${version}"
+roles: [agent]
+---
+
+`;
+  md += `# ${name}
+
+${description}
+
+`;
+  if (resources.length > 0) {
+    md += `## Schema
+
+`;
+    for (const r of resources) {
+      md += `### ${r.name} (public)
+
+`;
+    }
+  }
+  if (endpoints.length > 0) {
+    md += `## API
+
+`;
+    for (const ep of endpoints) {
+      md += `### ${ep.description}
+
+`;
+      md += `\`${ep.method} ${ep.path}\`
+
+`;
+      if (ep.parameters && ep.parameters.length > 0) {
+        md += "**Parameters:**\n\n";
+        md += "| name | in | type | required |\n|------|-----|------|----------|\n";
+        for (const p of ep.parameters) {
+          md += `| ${p.name} | ${p.in} | ${p.type} | ${p.required ? "*" : ""} |
+`;
+        }
+        md += "\n";
+      }
+      if (ep.requestBody) {
+        const req = ep.requestBody;
+        md += `**Body** (${req.contentType}${req.required ? ", required" : ""}):
+
+`;
+        md += propsTable(req.properties);
+        md += "\n";
+      }
+      if (ep.responses && ep.responses.length > 0) {
+        for (const r of ep.responses) {
+          md += `**Response ${r.status}**${r.description ? `: ${r.description}` : ""}
+
+`;
+          if (r.properties && r.properties.length > 0) {
+            md += propsTable(r.properties);
+            md += "\n";
+          }
+        }
+      }
+    }
+  }
+  return md;
+}
+
+// src/registry/rpc-compiler.ts
+function compileRpcDef(domain, rpcDef, options) {
+  const convention = rpcDef.convention ?? "raw";
+  const endpoints = rpcDef.methods.map((m) => ({
+    method: "RPC",
+    path: m.rpcMethod,
+    description: m.description
+  }));
+  const resourceMap = /* @__PURE__ */ new Map();
+  for (const m of rpcDef.methods) {
+    const resName = m.resource ?? inferResource(m.rpcMethod);
+    if (!resourceMap.has(resName)) {
+      resourceMap.set(resName, { name: resName, methods: {} });
+    }
+    const entry = resourceMap.get(resName);
+    if (m.fsOp) {
+      entry.methods[m.fsOp] = m.rpcMethod;
+    }
+  }
+  const rpcMeta = {
+    rpcUrl: rpcDef.url,
+    convention,
+    resources: Array.from(resourceMap.values())
+  };
+  const skillMd = generateSkillMd2(domain, rpcDef, endpoints);
+  const now = Date.now();
+  const record = {
+    domain,
+    name: domain,
+    description: `JSON-RPC service at ${domain}`,
+    version: options?.version ?? "1.0",
+    roles: ["agent"],
+    skillMd,
+    endpoints,
+    isFirstParty: options?.isFirstParty ?? false,
+    createdAt: now,
+    updatedAt: now,
+    status: "active",
+    isDefault: true,
+    source: {
+      type: "jsonrpc",
+      url: rpcDef.url,
+      rpc: rpcMeta
+    }
+  };
+  return { record, skillMd };
+}
+function inferResource(rpcMethod) {
+  const underscoreIdx = rpcMethod.indexOf("_");
+  if (underscoreIdx < 0) return rpcMethod;
+  const action = rpcMethod.slice(underscoreIdx + 1);
+  const verbPrefixes = ["get", "send", "subscribe", "unsubscribe", "new", "call"];
+  let noun = action;
+  for (const prefix of verbPrefixes) {
+    if (action.startsWith(prefix) && action.length > prefix.length) {
+      noun = action.slice(prefix.length);
+      break;
+    }
+  }
+  const camelMatch = noun.match(/^([A-Z][a-z]+)/);
+  if (camelMatch) {
+    noun = camelMatch[1];
+  }
+  const lower = noun.toLowerCase();
+  return lower.endsWith("s") ? lower : lower + "s";
+}
+function generateSkillMd2(domain, rpcDef, endpoints) {
+  const lines = [
+    "---",
+    `name: "${domain}"`,
+    `version: "1.0"`,
+    `roles: [agent]`,
+    "---",
+    "",
+    `# ${domain}`,
+    "",
+    `JSON-RPC service at ${rpcDef.url}`,
+    "",
+    `Convention: ${rpcDef.convention ?? "raw"}`,
+    "",
+    "## RPC Methods",
+    "",
+    "| method | description |",
+    "|--------|-------------|"
+  ];
+  for (const ep of endpoints) {
+    lines.push(`| ${ep.path} | ${ep.description} |`);
+  }
+  return lines.join("\n");
+}
+
+// src/onboard/pipeline.ts
+var OnboardPipeline = class {
+  store;
+  vault;
+  smokeTest;
+  concurrency;
+  fetchFn;
+  onProgress;
+  constructor(options) {
+    this.store = options.store;
+    this.vault = options.vault;
+    this.smokeTest = options.smokeTest !== false;
+    this.concurrency = options.concurrency ?? 5;
+    this.fetchFn = options.fetchFn ?? globalThis.fetch.bind(globalThis);
+    this.onProgress = options.onProgress;
+  }
+  /** Onboard a single service */
+  async onboardOne(entry) {
+    const start = Date.now();
+    const base = {
+      domain: entry.domain,
+      source: "none",
+      endpoints: 0,
+      resources: 0,
+      hasCredentials: false
+    };
+    if (entry.disabled) {
+      return { ...base, status: "skipped", durationMs: Date.now() - start };
+    }
+    try {
+      if (entry.specUrl) {
+        const result = await fetchAndCompile(entry.specUrl, { domain: entry.domain }, this.fetchFn);
+        await this.store.put(entry.domain, result.record);
+        base.source = "openapi";
+        base.endpoints = result.record.endpoints.length;
+        base.resources = result.resources.length;
+      } else if (entry.skillMdUrl) {
+        const resp = await this.fetchFn(entry.skillMdUrl);
+        if (!resp.ok) throw new Error(`Failed to fetch skill.md: ${resp.status}`);
+        const md = await resp.text();
+        const record = parseSkillMd(entry.domain, md);
+        await this.store.put(entry.domain, record);
+        base.source = "wellknown";
+        base.endpoints = record.endpoints.length;
+      } else if (entry.skillMd) {
+        const record = parseSkillMd(entry.domain, entry.skillMd);
+        await this.store.put(entry.domain, record);
+        base.source = "skillmd";
+        base.endpoints = record.endpoints.length;
+      } else if (entry.rpcDef) {
+        const { record } = compileRpcDef(entry.domain, entry.rpcDef);
+        await this.store.put(entry.domain, record);
+        base.source = "jsonrpc";
+        base.endpoints = record.endpoints.length;
+        base.resources = record.source?.rpc?.resources.length ?? 0;
+      } else {
+        return { ...base, status: "skipped", error: "No spec, skillMdUrl, or skillMd provided", durationMs: Date.now() - start };
+      }
+      if (entry.auth && this.vault) {
+        const auth = resolveAuth(entry.auth);
+        await this.vault.putPool(entry.domain, auth);
+        base.hasCredentials = true;
+      }
+      if (this.smokeTest) {
+        base.smokeTest = await this.runSmokeTest(entry.domain, base.hasCredentials);
+      }
+      return { ...base, status: "ok", durationMs: Date.now() - start };
+    } catch (err) {
+      return {
+        ...base,
+        status: "failed",
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  /** Onboard many services with controlled concurrency */
+  async onboardMany(entries) {
+    const start = Date.now();
+    const results = [];
+    let index = 0;
+    for (let i = 0; i < entries.length; i += this.concurrency) {
+      const batch = entries.slice(i, i + this.concurrency);
+      const batchResults = await Promise.all(
+        batch.map(async (entry) => {
+          const result = await this.onboardOne(entry);
+          const idx = index++;
+          this.onProgress?.(result, idx, entries.length);
+          return result;
+        })
+      );
+      results.push(...batchResults);
+    }
+    return {
+      total: results.length,
+      ok: results.filter((r) => r.status === "ok").length,
+      failed: results.filter((r) => r.status === "failed").length,
+      skipped: results.filter((r) => r.status === "skipped").length,
+      results,
+      durationMs: Date.now() - start
+    };
+  }
+  async runSmokeTest(domain, hasCredentials) {
+    const resolverOpts = this.vault ? { store: this.store, vault: this.vault, wrapVirtualFiles: false } : { store: this.store, wrapVirtualFiles: false };
+    const { onMiss, listDomains } = createRegistryResolver(resolverOpts);
+    const fs = new import_agent_fs2.AgentFs({ mounts: [], onMiss, listDomains });
+    const test = { ls: false, cat: false };
+    const lsResult = await fs.execute(`ls /${domain}/`);
+    test.ls = lsResult.ok === true;
+    if (test.ls && lsResult.ok) {
+      const entries = lsResult.data;
+      const resource = entries.find((e) => e.endsWith("/") && !e.startsWith("_"));
+      if (resource) {
+        const catResult = await fs.execute(`ls /${domain}/${resource}`);
+        test.cat = catResult.ok === true;
+        test.catEndpoint = `ls /${domain}/${resource}`;
+      } else if (entries.includes("_api/")) {
+        const apiResult = await fs.execute(`ls /${domain}/_api/`);
+        test.cat = apiResult.ok === true;
+        test.catEndpoint = `ls /${domain}/_api/`;
+      }
+    }
+    return test;
+  }
+};
+function resolveAuth(auth) {
+  const resolve = (val) => {
+    if (!val) return void 0;
+    const match = val.match(/^\$\{(\w+)\}$/);
+    if (match) {
+      const envVal = process.env[match[1]];
+      if (!envVal) throw new Error(`Environment variable ${match[1]} is not set`);
+      return envVal;
+    }
+    return val;
+  };
+  if (auth.type === "bearer") {
+    const token = resolve(auth.token);
+    if (!token) throw new Error("Bearer auth requires token");
+    return { type: "bearer", token, ...auth.prefix ? { prefix: auth.prefix } : {} };
+  }
+  if (auth.type === "api-key") {
+    const header = resolve(auth.header);
+    const key = resolve(auth.key);
+    if (!header || !key) throw new Error("API key auth requires header and key");
+    return { type: "api-key", header, key };
+  }
+  if (auth.type === "basic") {
+    const username = resolve(auth.username);
+    const password = resolve(auth.password);
+    if (!username || !password) throw new Error("Basic auth requires username and password");
+    return { type: "basic", username, password };
+  }
+  if (auth.type === "oauth2") {
+    const tokenUrl = resolve(auth.tokenUrl);
+    const clientId = resolve(auth.clientId);
+    const clientSecret = resolve(auth.clientSecret);
+    if (!tokenUrl || !clientId || !clientSecret) throw new Error("OAuth2 auth requires tokenUrl, clientId, and clientSecret");
+    return { type: "oauth2", tokenUrl, clientId, clientSecret, ...auth.scope ? { scope: auth.scope } : {} };
+  }
+  throw new Error(`Unknown auth type: ${auth.type}`);
+}
+
+// src/onboard/apis-guru.ts
+var APIS_GURU_LIST = "https://api.apis.guru/v2/list.json";
+async function discoverFromApisGuru(options) {
+  const fetchFn = options?.fetchFn ?? globalThis.fetch.bind(globalThis);
+  const limit = options?.limit ?? 100;
+  const filter = options?.filter?.toLowerCase();
+  const resp = await fetchFn(APIS_GURU_LIST);
+  if (!resp.ok) throw new Error(`apis.guru fetch failed: ${resp.status}`);
+  const catalog = await resp.json();
+  const entries = [];
+  for (const [key, api] of Object.entries(catalog)) {
+    if (entries.length >= limit) break;
+    const version = api.versions[api.preferred];
+    if (!version?.swaggerUrl) continue;
+    const title = version.info?.title ?? key;
+    const desc = version.info?.description ?? "";
+    if (filter) {
+      const text = `${key} ${title} ${desc}`.toLowerCase();
+      if (!text.includes(filter)) continue;
+    }
+    const domain = key.split(":")[0];
+    entries.push({
+      domain,
+      specUrl: version.swaggerUrl,
+      tags: ["apis-guru", "public"]
+    });
+  }
+  return entries;
+}
+
+// src/onboard/manifest.ts
+var FREE_APIS = [
+  {
+    domain: "petstore3.swagger.io",
+    specUrl: "https://petstore3.swagger.io/api/v3/openapi.json",
+    tags: ["demo", "free"]
+  },
+  {
+    domain: "api.weather.gov",
+    specUrl: "https://api.weather.gov/openapi.json",
+    tags: ["weather", "government", "free"]
+  },
+  {
+    domain: "en.wikipedia.org",
+    specUrl: "https://en.wikipedia.org/api/rest_v1/?spec",
+    tags: ["knowledge", "encyclopedia", "free"]
+  }
+];
+var FREEMIUM_APIS = [
+  {
+    domain: "api.github.com",
+    specUrl: "https://raw.githubusercontent.com/github/rest-api-description/main/descriptions/api.github.com/api.github.com.2022-11-28.json",
+    auth: { type: "bearer", token: "${GITHUB_TOKEN}" },
+    tags: ["developer-tools", "vcs", "freemium"]
+  },
+  {
+    domain: "huggingface.co",
+    specUrl: "https://huggingface.co/.well-known/openapi.json",
+    auth: { type: "bearer", token: "${HF_TOKEN}" },
+    tags: ["ai", "ml", "models", "freemium"]
+  }
+];
+var DEVELOPER_TOOL_APIS = [
+  {
+    domain: "gitlab.com",
+    specUrl: "https://gitlab.com/gitlab-org/gitlab/-/raw/master/doc/api/openapi/openapi.yaml",
+    auth: { type: "bearer", token: "${GITLAB_TOKEN}" },
+    tags: ["developer-tools", "vcs"]
+  },
+  {
+    domain: "api.vercel.com",
+    specUrl: "https://openapi.vercel.sh",
+    auth: { type: "bearer", token: "${VERCEL_TOKEN}" },
+    tags: ["developer-tools", "hosting"]
+  },
+  {
+    domain: "sentry.io",
+    specUrl: "https://raw.githubusercontent.com/getsentry/sentry-api-schema/main/openapi-derefed.json",
+    auth: { type: "bearer", token: "${SENTRY_AUTH_TOKEN}" },
+    tags: ["developer-tools", "monitoring"]
+  },
+  {
+    domain: "api.pagerduty.com",
+    specUrl: "https://raw.githubusercontent.com/PagerDuty/api-schema/main/reference/REST/openapiv3.json",
+    auth: { type: "bearer", token: "${PAGERDUTY_TOKEN}" },
+    tags: ["developer-tools", "incident-management"]
+  }
+];
+var AI_APIS = [
+  {
+    domain: "api.mistral.ai",
+    specUrl: "https://raw.githubusercontent.com/mistralai/platform-docs-public/main/openapi.yaml",
+    auth: { type: "bearer", token: "${MISTRAL_API_KEY}" },
+    tags: ["ai", "llm"],
+    disabled: true
+    // upstream YAML spec has unescaped quotes in example data
+  },
+  {
+    domain: "api.openai.com",
+    specUrl: "https://raw.githubusercontent.com/openai/openai-openapi/manual_spec/openapi.yaml",
+    auth: { type: "bearer", token: "${OPENAI_API_KEY}" },
+    tags: ["ai", "llm"]
+  },
+  {
+    domain: "openrouter.ai",
+    specUrl: "https://openrouter.ai/openapi.json",
+    auth: { type: "bearer", token: "${OPENROUTER_API_KEY}" },
+    tags: ["ai", "llm", "gateway"]
+  }
+];
+var CLOUD_APIS = [
+  {
+    domain: "api.cloudflare.com",
+    specUrl: "https://raw.githubusercontent.com/cloudflare/api-schemas/main/openapi.yaml",
+    auth: { type: "bearer", token: "${CLOUDFLARE_API_TOKEN}" },
+    tags: ["cloud", "cdn", "dns"]
+  },
+  {
+    domain: "api.digitalocean.com",
+    specUrl: "https://raw.githubusercontent.com/digitalocean/openapi/main/specification/DigitalOcean-public.v2.yaml",
+    auth: { type: "bearer", token: "${DIGITALOCEAN_TOKEN}" },
+    tags: ["cloud", "infrastructure"]
+  },
+  {
+    domain: "fly.io",
+    specUrl: "https://docs.machines.dev/spec/openapi3.json",
+    auth: { type: "bearer", token: "${FLY_API_TOKEN}" },
+    tags: ["cloud", "deployment"]
+  },
+  {
+    domain: "api.render.com",
+    specUrl: "https://api-docs.render.com/v1.0/openapi/render-public-api-1.json",
+    auth: { type: "bearer", token: "${RENDER_API_KEY}" },
+    tags: ["cloud", "deployment"]
+  }
+];
+var PRODUCTIVITY_APIS = [
+  {
+    domain: "api.notion.com",
+    specUrl: "https://raw.githubusercontent.com/makenotion/notion-mcp-server/main/scripts/notion-openapi.json",
+    auth: { type: "bearer", token: "${NOTION_API_KEY}" },
+    tags: ["productivity", "database"]
+  },
+  {
+    domain: "app.asana.com",
+    specUrl: "https://raw.githubusercontent.com/Asana/openapi/master/defs/asana_oas.yaml",
+    auth: { type: "bearer", token: "${ASANA_ACCESS_TOKEN}" },
+    tags: ["productivity", "project-management"]
+  },
+  {
+    domain: "jira.atlassian.com",
+    specUrl: "https://developer.atlassian.com/cloud/jira/platform/swagger-v3.v3.json",
+    auth: { type: "bearer", token: "${ATLASSIAN_API_TOKEN}" },
+    tags: ["productivity", "project-management"]
+  },
+  {
+    domain: "api.spotify.com",
+    specUrl: "https://raw.githubusercontent.com/sonallux/spotify-web-api/main/fixed-spotify-open-api.yml",
+    auth: { type: "bearer", token: "${SPOTIFY_ACCESS_TOKEN}" },
+    tags: ["media", "music"]
+  },
+  {
+    domain: "api.getpostman.com",
+    specUrl: "https://api.apis.guru/v2/specs/getpostman.com/1.20.0/openapi.json",
+    auth: { type: "api-key", header: "X-Api-Key", key: "${POSTMAN_API_KEY}" },
+    tags: ["developer-tools", "api-testing"]
+  }
+];
+var DEVOPS_APIS = [
+  {
+    domain: "circleci.com",
+    specUrl: "https://circleci.com/api/v2/openapi.json",
+    auth: { type: "bearer", token: "${CIRCLECI_TOKEN}" },
+    tags: ["devops", "ci-cd"]
+  },
+  {
+    domain: "api.datadoghq.com",
+    specUrl: "https://raw.githubusercontent.com/DataDog/datadog-api-client-python/master/.generator/schemas/v2/openapi.yaml",
+    auth: { type: "api-key", header: "DD-API-KEY", key: "${DATADOG_API_KEY}" },
+    tags: ["devops", "monitoring"]
+  }
+];
+var DATABASE_APIS = [
+  {
+    domain: "api.supabase.com",
+    specUrl: "https://raw.githubusercontent.com/supabase/supabase/master/apps/docs/spec/api_v1_openapi.json",
+    auth: { type: "bearer", token: "${SUPABASE_ACCESS_TOKEN}" },
+    tags: ["database", "baas"]
+  },
+  {
+    domain: "api.turso.tech",
+    specUrl: "https://raw.githubusercontent.com/tursodatabase/turso-docs/main/api-reference/openapi.json",
+    auth: { type: "bearer", token: "${TURSO_API_TOKEN}" },
+    tags: ["database", "edge"]
+  },
+  {
+    domain: "console.neon.tech",
+    specUrl: "https://raw.githubusercontent.com/neondatabase/neon-api-python/main/v2.json",
+    auth: { type: "bearer", token: "${NEON_API_KEY}" },
+    tags: ["database", "serverless-postgres"]
+  }
+];
+var COMMERCE_APIS = [
+  {
+    domain: "api.stripe.com",
+    specUrl: "https://raw.githubusercontent.com/stripe/openapi/master/openapi/spec3.json",
+    auth: { type: "bearer", token: "${STRIPE_SECRET_KEY}" },
+    tags: ["commerce", "payments"]
+  }
+];
+var COMMUNICATION_APIS = [
+  {
+    domain: "slack.com",
+    specUrl: "https://raw.githubusercontent.com/slackapi/slack-api-specs/master/web-api/slack_web_openapi_v2.json",
+    auth: { type: "bearer", token: "${SLACK_BOT_TOKEN}" },
+    tags: ["communication", "messaging"]
+  },
+  {
+    domain: "discord.com",
+    specUrl: "https://raw.githubusercontent.com/discord/discord-api-spec/main/specs/openapi.json",
+    auth: { type: "bearer", token: "${DISCORD_BOT_TOKEN}", prefix: "Bot" },
+    tags: ["communication", "messaging"]
+  },
+  {
+    domain: "api.twilio.com",
+    specUrl: "https://raw.githubusercontent.com/twilio/twilio-oai/main/spec/json/twilio_api_v2010.json",
+    auth: { type: "basic", token: "${TWILIO_ACCOUNT_SID}:${TWILIO_AUTH_TOKEN}" },
+    tags: ["communication", "sms", "voice"]
+  },
+  {
+    domain: "api.resend.com",
+    specUrl: "https://raw.githubusercontent.com/resendlabs/resend-openapi/main/resend.yaml",
+    auth: { type: "bearer", token: "${RESEND_API_KEY}" },
+    tags: ["communication", "email"]
+  }
+];
+var EVM_METHODS = [
+  { rpcMethod: "eth_blockNumber", description: "Returns the latest block number", resource: "blocks", fsOp: "list" },
+  { rpcMethod: "eth_getBlockByNumber", description: "Returns block by number", resource: "blocks", fsOp: "read" },
+  { rpcMethod: "eth_getBalance", description: "Returns account balance in wei", resource: "balances", fsOp: "read" },
+  { rpcMethod: "eth_getTransactionByHash", description: "Returns transaction by hash", resource: "transactions", fsOp: "read" },
+  { rpcMethod: "eth_getTransactionReceipt", description: "Returns transaction receipt", resource: "receipts", fsOp: "read" },
+  { rpcMethod: "eth_call", description: "Executes a call without creating a transaction", resource: "calls", fsOp: "read" },
+  { rpcMethod: "eth_estimateGas", description: "Estimates gas needed for a transaction", resource: "gas", fsOp: "read" },
+  { rpcMethod: "eth_gasPrice", description: "Returns current gas price in wei" },
+  { rpcMethod: "eth_chainId", description: "Returns the chain ID" },
+  { rpcMethod: "eth_getCode", description: "Returns contract bytecode at address", resource: "code", fsOp: "read" },
+  { rpcMethod: "eth_getLogs", description: "Returns logs matching a filter", resource: "logs", fsOp: "list" },
+  { rpcMethod: "eth_getTransactionCount", description: "Returns the number of transactions sent from an address", resource: "nonces", fsOp: "read" },
+  { rpcMethod: "net_version", description: "Returns the network ID" }
+];
+var RPC_APIS = [
+  // ── Free / Public RPC Providers ──────────────────────────────────
+  {
+    domain: "rpc.ankr.com",
+    rpcDef: { url: "https://rpc.ankr.com/eth", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum", "free"]
+  },
+  {
+    domain: "cloudflare-eth.com",
+    rpcDef: { url: "https://cloudflare-eth.com", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum", "free"]
+  },
+  {
+    domain: "ethereum-rpc.publicnode.com",
+    rpcDef: { url: "https://ethereum-rpc.publicnode.com", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum", "free"]
+  },
+  // ── Auth-Required RPC Providers ──────────────────────────────────
+  {
+    domain: "eth-mainnet.g.alchemy.com",
+    rpcDef: { url: "https://eth-mainnet.g.alchemy.com/v2/${ALCHEMY_API_KEY}", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum"]
+  },
+  {
+    domain: "mainnet.infura.io",
+    rpcDef: { url: "https://mainnet.infura.io/v3/${INFURA_API_KEY}", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "ethereum"]
+  },
+  // ── L2 / Alt Chains (Free) ───────────────────────────────────────
+  {
+    domain: "arb1.arbitrum.io",
+    rpcDef: { url: "https://arb1.arbitrum.io/rpc", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "arbitrum", "l2", "free"]
+  },
+  {
+    domain: "mainnet.optimism.io",
+    rpcDef: { url: "https://mainnet.optimism.io", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "optimism", "l2", "free"]
+  },
+  {
+    domain: "mainnet.base.org",
+    rpcDef: { url: "https://mainnet.base.org", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "base", "l2", "free"]
+  },
+  {
+    domain: "polygon-rpc.com",
+    rpcDef: { url: "https://polygon-rpc.com", convention: "evm", methods: EVM_METHODS },
+    tags: ["blockchain", "polygon", "free"]
+  }
+];
+var ALL_APIS = [
+  ...FREE_APIS,
+  ...FREEMIUM_APIS,
+  ...DEVELOPER_TOOL_APIS,
+  ...AI_APIS,
+  ...CLOUD_APIS,
+  ...PRODUCTIVITY_APIS,
+  ...DEVOPS_APIS,
+  ...DATABASE_APIS,
+  ...COMMERCE_APIS,
+  ...COMMUNICATION_APIS,
+  ...RPC_APIS
+];
+
+// src/d1/sqlite-adapter.ts
+var BoundStatement = class {
+  constructor(db, sql) {
+    this.db = db;
+    this.sql = sql;
+  }
+  params = [];
+  bind(...values) {
+    this.params = values;
+    return this;
+  }
+  async first() {
+    const stmt = this.db.prepare(this.sql);
+    const row = stmt.get(...this.params);
+    return row ?? null;
+  }
+  async all() {
+    const stmt = this.db.prepare(this.sql);
+    const rows = stmt.all(...this.params);
+    return { results: rows, success: true };
+  }
+  async run() {
+    const stmt = this.db.prepare(this.sql);
+    const info = stmt.run(...this.params);
+    return {
+      success: true,
+      changes: info.changes,
+      lastRowId: Number(info.lastInsertRowid)
+    };
+  }
+};
+function createSqliteD1(db) {
+  return {
+    prepare(sql) {
+      return new BoundStatement(db, sql);
+    },
+    async exec(sql) {
+      db.exec(sql);
+    }
+  };
+}
+
+// src/federation/d1-peer-store.ts
+function rowToPeer(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    url: row.url,
+    sharedSecret: row.shared_secret,
+    status: row.status,
+    advertisedDomains: JSON.parse(row.advertised_domains),
+    lastSeen: row.last_seen,
+    createdAt: row.created_at
+  };
+}
+function rowToRule(row) {
+  return {
+    domain: row.domain,
+    allow: row.allow === 1,
+    peers: JSON.parse(row.peers),
+    pricing: JSON.parse(row.pricing),
+    ...row.rate_limit ? { rateLimit: JSON.parse(row.rate_limit) } : {},
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+var D1PeerStore = class {
+  constructor(db) {
+    this.db = db;
+  }
+  async initSchema() {
+    await this.db.exec(`
+CREATE TABLE IF NOT EXISTS peers (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  url TEXT NOT NULL,
+  shared_secret TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'active',
+  advertised_domains TEXT NOT NULL DEFAULT '[]',
+  last_seen INTEGER NOT NULL,
+  created_at INTEGER NOT NULL
+)`);
+    await this.db.exec(`
+CREATE TABLE IF NOT EXISTS lending_rules (
+  domain TEXT PRIMARY KEY,
+  allow INTEGER NOT NULL DEFAULT 1,
+  peers TEXT NOT NULL DEFAULT '"*"',
+  pricing TEXT NOT NULL DEFAULT '{"mode":"free"}',
+  rate_limit TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+)`);
+  }
+  async getPeer(id) {
+    const row = await this.db.prepare("SELECT * FROM peers WHERE id = ?").bind(id).first();
+    return row ? rowToPeer(row) : null;
+  }
+  async putPeer(peer) {
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO peers (id, name, url, shared_secret, status, advertised_domains, last_seen, created_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    ).bind(
+      peer.id,
+      peer.name,
+      peer.url,
+      peer.sharedSecret,
+      peer.status,
+      JSON.stringify(peer.advertisedDomains),
+      peer.lastSeen,
+      peer.createdAt
+    ).run();
+  }
+  async deletePeer(id) {
+    await this.db.prepare("DELETE FROM peers WHERE id = ?").bind(id).run();
+  }
+  async listPeers() {
+    const { results } = await this.db.prepare("SELECT * FROM peers WHERE status = 'active'").all();
+    return results.map(rowToPeer);
+  }
+  async updateLastSeen(id, timestamp) {
+    await this.db.prepare("UPDATE peers SET last_seen = ? WHERE id = ?").bind(timestamp, id).run();
+  }
+  async getRule(domain) {
+    const row = await this.db.prepare("SELECT * FROM lending_rules WHERE domain = ?").bind(domain).first();
+    return row ? rowToRule(row) : null;
+  }
+  async putRule(rule) {
+    await this.db.prepare(
+      `INSERT OR REPLACE INTO lending_rules (domain, allow, peers, pricing, rate_limit, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?)`
+    ).bind(
+      rule.domain,
+      rule.allow ? 1 : 0,
+      JSON.stringify(rule.peers),
+      JSON.stringify(rule.pricing),
+      rule.rateLimit ? JSON.stringify(rule.rateLimit) : null,
+      rule.createdAt,
+      rule.updatedAt
+    ).run();
+  }
+  async deleteRule(domain) {
+    await this.db.prepare("DELETE FROM lending_rules WHERE domain = ?").bind(domain).run();
+  }
+  async listRules() {
+    const { results } = await this.db.prepare("SELECT * FROM lending_rules").all();
+    return results.map(rowToRule);
+  }
+};
+
+// src/tunnel/memory-store.ts
+var MemoryTunnelStore = class {
+  records = /* @__PURE__ */ new Map();
+  async get(id) {
+    return this.records.get(id) ?? null;
+  }
+  async getByAgent(agentId) {
+    for (const record of this.records.values()) {
+      if (record.agentId === agentId && record.status === "active") {
+        return record;
+      }
+    }
+    return null;
+  }
+  async put(record) {
+    this.records.set(record.id, record);
+  }
+  async delete(id) {
+    this.records.delete(id);
+  }
+  async list() {
+    return Array.from(this.records.values());
+  }
+};
+
+// src/tunnel/cloudflare-provider.ts
+var CF_API = "https://api.cloudflare.com/client/v4";
+var CloudflareTunnelProvider = class {
+  constructor(accountId, apiToken, tunnelDomain, zoneId) {
+    this.accountId = accountId;
+    this.apiToken = apiToken;
+    this.tunnelDomain = tunnelDomain;
+    this.zoneId = zoneId;
+  }
+  async create(name, hostname) {
+    const secretBytes = new Uint8Array(32);
+    crypto.getRandomValues(secretBytes);
+    const tunnelSecret = btoa(String.fromCharCode(...secretBytes));
+    const tunnelRes = await this.cfFetch(
+      `/accounts/${this.accountId}/cfd_tunnel`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          name,
+          tunnel_secret: tunnelSecret
+        })
+      }
+    );
+    const tunnelId = tunnelRes.id;
+    try {
+      await this.cfFetch(`/zones/${this.zoneId}/dns_records`, {
+        method: "POST",
+        body: JSON.stringify({
+          type: "CNAME",
+          name: hostname,
+          content: `${tunnelId}.cfargotunnel.com`,
+          proxied: true
+        })
+      });
+      await this.cfFetch(
+        `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}/configurations`,
+        {
+          method: "PUT",
+          body: JSON.stringify({
+            config: {
+              ingress: [
+                { hostname, service: "http://localhost:9090" },
+                { service: "http_status:404" }
+              ]
+            }
+          })
+        }
+      );
+      const tokenRes = await this.cfFetch(
+        `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}/token`
+      );
+      return { tunnelId, tunnelToken: tokenRes };
+    } catch (err) {
+      await this.cfFetch(
+        `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}?cascade=true`,
+        { method: "DELETE" }
+      ).catch(() => {
+      });
+      throw err;
+    }
+  }
+  async delete(tunnelId) {
+    const dnsRecords = await this.cfFetch(
+      `/zones/${this.zoneId}/dns_records?type=CNAME&content=${tunnelId}.cfargotunnel.com`
+    );
+    for (const record of dnsRecords) {
+      await this.cfFetch(`/zones/${this.zoneId}/dns_records/${record.id}`, {
+        method: "DELETE"
+      });
+    }
+    await this.cfFetch(
+      `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}?cascade=true`,
+      { method: "DELETE" }
+    );
+  }
+  async cfFetch(path, init) {
+    const res = await fetch(`${CF_API}${path}`, {
+      ...init,
+      headers: {
+        Authorization: `Bearer ${this.apiToken}`,
+        "Content-Type": "application/json",
+        ...init?.headers
+      }
+    });
+    const data = await res.json();
+    if (!data.success) {
+      const msg = data.errors.map((e) => e.message).join(", ");
+      throw new Error(`Cloudflare API error: ${msg}`);
+    }
+    return data.result;
+  }
+};
+
+// src/http/routes/tunnels.ts
+var import_hono2 = require("hono");
+var import_nanoid = require("nanoid");
+function tunnelRoutes(options) {
+  const { tunnelStore, tunnelProvider, tunnelDomain } = options;
+  const app = new import_hono2.Hono();
+  app.post("/create", async (c) => {
+    const agent = c.get("agent");
+    const body = await c.req.json().catch(() => ({}));
+    const existing = await tunnelStore.getByAgent(agent.id);
+    if (existing && existing.status === "active") {
+      return c.json({
+        tunnelId: existing.id,
+        publicUrl: existing.publicUrl,
+        message: "Tunnel already exists"
+      });
+    }
+    const id = (0, import_nanoid.nanoid)(12);
+    const hostname = `${id}.${tunnelDomain}`;
+    const publicUrl = `https://${hostname}`;
+    const { tunnelId, tunnelToken } = await tunnelProvider.create(
+      `nkmc-${agent.id}-${id}`,
+      hostname
+    );
+    const now = Date.now();
+    await tunnelStore.put({
+      id,
+      agentId: agent.id,
+      tunnelId,
+      publicUrl,
+      status: "active",
+      createdAt: now,
+      advertisedDomains: body.advertisedDomains ?? [],
+      gatewayName: body.gatewayName,
+      lastSeen: now
+    });
+    return c.json({ tunnelId: id, tunnelToken, publicUrl }, 201);
+  });
+  app.delete("/:id", async (c) => {
+    const id = c.req.param("id");
+    const agent = c.get("agent");
+    const record = await tunnelStore.get(id);
+    if (!record) return c.json({ error: "Tunnel not found" }, 404);
+    if (record.agentId !== agent.id)
+      return c.json({ error: "Not your tunnel" }, 403);
+    await tunnelProvider.delete(record.tunnelId);
+    await tunnelStore.delete(id);
+    return c.json({ ok: true });
+  });
+  app.get("/", async (c) => {
+    const agent = c.get("agent");
+    const all = await tunnelStore.list();
+    const mine = all.filter((t) => t.agentId === agent.id);
+    return c.json({ tunnels: mine });
+  });
+  app.get("/discover", async (c) => {
+    const domain = c.req.query("domain");
+    const all = await tunnelStore.list();
+    let results = all.filter((t) => t.status === "active");
+    if (domain) {
+      results = results.filter((t) => t.advertisedDomains.includes(domain));
+    }
+    return c.json({
+      gateways: results.map((t) => ({
+        id: t.id,
+        name: t.gatewayName ?? `gateway-${t.id}`,
+        publicUrl: t.publicUrl,
+        advertisedDomains: t.advertisedDomains
+      }))
+    });
+  });
+  app.post("/heartbeat", async (c) => {
+    const agent = c.get("agent");
+    const body = await c.req.json();
+    const record = await tunnelStore.getByAgent(agent.id);
+    if (!record) return c.json({ error: "No active tunnel" }, 404);
+    record.advertisedDomains = body.advertisedDomains ?? record.advertisedDomains;
+    record.lastSeen = Date.now();
+    await tunnelStore.put(record);
+    return c.json({ ok: true });
+  });
+  return app;
+}
+
+// src/index.ts
+var VERSION = "0.1.0";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  CloudflareTunnelProvider,
+  Context7Backend,
+  Context7Client,
+  D1CredentialVault,
+  D1MeterStore,
+  D1PeerStore,
+  D1RegistryStore,
+  MemoryCredentialVault,
+  MemoryMeterStore,
+  MemoryRegistryStore,
+  MemoryTunnelStore,
+  OnboardPipeline,
+  VERSION,
+  VirtualFileBackend,
+  checkAccess,
+  createRegistryResolver,
+  createSqliteD1,
+  credentialRoutes,
+  discoverFromApisGuru,
+  extractDomainPath,
+  lookupPricing,
+  meter,
+  parsePricingAnnotation,
+  parseSkillMd,
+  queryDnsTxt,
+  skillToHttpConfig,
+  tunnelRoutes
+});