@nkmc/server 0.1.0

package/dist/config.js

@@ -0,0 +1,31 @@
+// src/config.ts
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var DEFAULT_DATA_DIR = join(homedir(), ".nkmc", "server");
+function loadConfig() {
+  const dataDir = process.env.NKMC_DATA_DIR ?? DEFAULT_DATA_DIR;
+  const configPath = join(dataDir, "config.json");
+  let fileConfig = {};
+  if (existsSync(configPath)) {
+    try {
+      fileConfig = JSON.parse(readFileSync(configPath, "utf-8"));
+    } catch {
+    }
+  }
+  function get(envKey, fileKey) {
+    return process.env[envKey] ?? fileConfig[fileKey];
+  }
+  return {
+    port: parseInt(process.env.NKMC_PORT ?? fileConfig.port ?? "9090", 10),
+    host: process.env.NKMC_HOST ?? fileConfig.host ?? "0.0.0.0",
+    dataDir,
+    adminToken: get("NKMC_ADMIN_TOKEN", "adminToken"),
+    encryptionKey: get("NKMC_ENCRYPTION_KEY", "encryptionKey"),
+    gatewayPrivateKey: get("NKMC_GATEWAY_PRIVATE_KEY", "gatewayPrivateKey"),
+    gatewayPublicKey: get("NKMC_GATEWAY_PUBLIC_KEY", "gatewayPublicKey")
+  };
+}
+export {
+  loadConfig
+};

package/dist/index.js

@@ -0,0 +1,338 @@
+#!/usr/bin/env node
+
+// src/config.ts
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var DEFAULT_DATA_DIR = join(homedir(), ".nkmc", "server");
+function loadConfig() {
+  const dataDir = process.env.NKMC_DATA_DIR ?? DEFAULT_DATA_DIR;
+  const configPath = join(dataDir, "config.json");
+  let fileConfig = {};
+  if (existsSync(configPath)) {
+    try {
+      fileConfig = JSON.parse(readFileSync(configPath, "utf-8"));
+    } catch {
+    }
+  }
+  function get(envKey, fileKey) {
+    return process.env[envKey] ?? fileConfig[fileKey];
+  }
+  return {
+    port: parseInt(process.env.NKMC_PORT ?? fileConfig.port ?? "9090", 10),
+    host: process.env.NKMC_HOST ?? fileConfig.host ?? "0.0.0.0",
+    dataDir,
+    adminToken: get("NKMC_ADMIN_TOKEN", "adminToken"),
+    encryptionKey: get("NKMC_ENCRYPTION_KEY", "encryptionKey"),
+    gatewayPrivateKey: get("NKMC_GATEWAY_PRIVATE_KEY", "gatewayPrivateKey"),
+    gatewayPublicKey: get("NKMC_GATEWAY_PUBLIC_KEY", "gatewayPublicKey")
+  };
+}
+
+// src/server.ts
+import { existsSync as existsSync2, mkdirSync, readFileSync as readFileSync2, writeFileSync, chmodSync } from "fs";
+import { join as join2 } from "path";
+import { randomUUID, randomBytes } from "crypto";
+import Database from "better-sqlite3";
+import { serve } from "@hono/node-server";
+import { generateKeyPair, exportJWK } from "jose";
+import { createSqliteD1, D1RegistryStore, D1CredentialVault, D1PeerStore } from "@nkmc/gateway";
+import { createGateway } from "@nkmc/gateway/http";
+import { createDefaultToolRegistry } from "@nkmc/gateway/proxy";
+import { nanoid } from "nanoid";
+
+// src/exec.ts
+import { spawn } from "child_process";
+function createExec(opts) {
+  const timeout = opts?.timeout ?? 3e4;
+  return (tool, args, env) => {
+    return new Promise((resolve) => {
+      const child = spawn(tool, args, {
+        env: { ...process.env, ...env },
+        timeout,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
+      let stdout = "";
+      let stderr = "";
+      child.stdout.on("data", (data) => {
+        stdout += data;
+      });
+      child.stderr.on("data", (data) => {
+        stderr += data;
+      });
+      child.on("close", (code) => {
+        resolve({ stdout, stderr, exitCode: code ?? 1 });
+      });
+      child.on("error", (err) => {
+        resolve({ stdout: "", stderr: err.message, exitCode: 1 });
+      });
+    });
+  };
+}
+
+// src/migrations.ts
+var migrations = [
+  {
+    name: "0001_init",
+    sql: `
+-- Services registry
+CREATE TABLE IF NOT EXISTS services (
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  name TEXT NOT NULL,
+  description TEXT,
+  roles TEXT,
+  skill_md TEXT NOT NULL,
+  endpoints TEXT,
+  is_first_party INTEGER DEFAULT 0,
+  status TEXT DEFAULT 'active',
+  is_default INTEGER DEFAULT 1,
+  source TEXT,
+  sunset_date INTEGER,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, version)
+);
+
+CREATE INDEX IF NOT EXISTS idx_services_default ON services(domain, is_default);
+
+-- Credentials vault
+CREATE TABLE IF NOT EXISTS credentials (
+  domain TEXT NOT NULL,
+  scope TEXT NOT NULL DEFAULT 'pool',
+  developer_id TEXT NOT NULL DEFAULT '',
+  auth_encrypted TEXT NOT NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, scope, developer_id)
+);
+
+-- Metering records
+CREATE TABLE IF NOT EXISTS meter_records (
+  id TEXT PRIMARY KEY,
+  timestamp INTEGER NOT NULL,
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  endpoint TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  developer_id TEXT,
+  cost REAL NOT NULL,
+  currency TEXT NOT NULL DEFAULT 'USDC'
+);
+
+CREATE INDEX IF NOT EXISTS idx_meter_domain ON meter_records(domain, timestamp);
+CREATE INDEX IF NOT EXISTS idx_meter_agent ON meter_records(agent_id, timestamp);
+
+-- Domain verification challenges
+CREATE TABLE IF NOT EXISTS domain_challenges (
+  domain TEXT PRIMARY KEY,
+  challenge_code TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'pending',
+  created_at INTEGER NOT NULL,
+  verified_at INTEGER,
+  expires_at INTEGER NOT NULL
+);
+
+-- Developer-Agent binding
+CREATE TABLE IF NOT EXISTS developer_agents (
+  user_id TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  label TEXT,
+  created_at INTEGER NOT NULL,
+  PRIMARY KEY (user_id, agent_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_da_agent ON developer_agents(agent_id);
+
+-- Claim tokens (for agent-first onboarding)
+CREATE TABLE IF NOT EXISTS claim_tokens (
+  token TEXT PRIMARY KEY,
+  agent_id TEXT NOT NULL,
+  expires_at INTEGER NOT NULL,
+  created_at INTEGER NOT NULL
+);
+`
+  },
+  {
+    name: "0002_auth_mode",
+    sql: `ALTER TABLE services ADD COLUMN auth_mode TEXT`
+  },
+  {
+    name: "0003_federation",
+    sql: `
+-- Federation: peer gateways and lending rules
+
+CREATE TABLE IF NOT EXISTS peers (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  url TEXT NOT NULL,
+  shared_secret TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'active',
+  advertised_domains TEXT NOT NULL DEFAULT '[]',
+  last_seen INTEGER NOT NULL,
+  created_at INTEGER NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS lending_rules (
+  domain TEXT PRIMARY KEY,
+  allow INTEGER NOT NULL DEFAULT 1,
+  peers TEXT NOT NULL DEFAULT '"*"',
+  pricing TEXT NOT NULL DEFAULT '{"mode":"free"}',
+  rate_limit TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+`
+  }
+];
+
+// src/server.ts
+async function startServer(options) {
+  const { config, silent } = options;
+  const log = silent ? () => {
+  } : console.log.bind(console);
+  mkdirSync(config.dataDir, { recursive: true });
+  const dbPath = join2(config.dataDir, "nkmc.db");
+  const sqlite = new Database(dbPath);
+  sqlite.pragma("journal_mode = WAL");
+  sqlite.pragma("foreign_keys = ON");
+  const db = createSqliteD1(sqlite);
+  sqlite.exec(`CREATE TABLE IF NOT EXISTS _nkmc_migrations (name TEXT PRIMARY KEY, applied_at INTEGER NOT NULL DEFAULT (unixepoch()))`);
+  for (const m of migrations) {
+    const applied = sqlite.prepare("SELECT 1 FROM _nkmc_migrations WHERE name = ?").get(m.name);
+    if (applied) continue;
+    try {
+      sqlite.exec(m.sql);
+      sqlite.prepare("INSERT OR IGNORE INTO _nkmc_migrations (name) VALUES (?)").run(m.name);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("duplicate column")) {
+        sqlite.prepare("INSERT OR IGNORE INTO _nkmc_migrations (name) VALUES (?)").run(m.name);
+      } else {
+        throw err;
+      }
+    }
+  }
+  log("[nkmc] Migrations applied");
+  let privateKey;
+  let publicKey;
+  const keysPath = join2(config.dataDir, "keys.json");
+  if (config.gatewayPrivateKey && config.gatewayPublicKey) {
+    privateKey = JSON.parse(config.gatewayPrivateKey);
+    publicKey = JSON.parse(config.gatewayPublicKey);
+    log("[nkmc] Loaded gateway keys from config/env");
+  } else if (existsSync2(keysPath)) {
+    const keys = JSON.parse(readFileSync2(keysPath, "utf-8"));
+    privateKey = keys.privateKey;
+    publicKey = keys.publicKey;
+    log("[nkmc] Loaded gateway keys from", keysPath);
+  } else {
+    const pair = await generateKeyPair("EdDSA", { crv: "Ed25519", extractable: true });
+    privateKey = { ...await exportJWK(pair.privateKey), kty: "OKP", crv: "Ed25519" };
+    publicKey = { ...await exportJWK(pair.publicKey), kty: "OKP", crv: "Ed25519" };
+    const kid = nanoid(12);
+    privateKey.kid = kid;
+    publicKey.kid = kid;
+    writeFileSync(keysPath, JSON.stringify({ privateKey, publicKey }, null, 2), "utf-8");
+    chmodSync(keysPath, 384);
+    log("[nkmc] Generated new gateway key pair ->", keysPath);
+  }
+  try {
+    chmodSync(keysPath, 384);
+  } catch {
+  }
+  const encKeyPath = join2(config.dataDir, "encryption.key");
+  let rawKeyB64;
+  if (config.encryptionKey) {
+    rawKeyB64 = config.encryptionKey;
+    log("[nkmc] Using encryption key from config/env");
+  } else if (existsSync2(encKeyPath)) {
+    rawKeyB64 = readFileSync2(encKeyPath, "utf-8").trim();
+    log("[nkmc] Loaded encryption key from", encKeyPath);
+  } else {
+    const buf = randomBytes(32);
+    rawKeyB64 = buf.toString("base64");
+    writeFileSync(encKeyPath, rawKeyB64, "utf-8");
+    chmodSync(encKeyPath, 384);
+    log("[nkmc] Generated new encryption key ->", encKeyPath);
+  }
+  try {
+    chmodSync(encKeyPath, 384);
+  } catch {
+  }
+  const rawKey = Uint8Array.from(atob(rawKeyB64), (c) => c.charCodeAt(0));
+  const encryptionKey = await crypto.subtle.importKey("raw", rawKey, "AES-GCM", false, [
+    "encrypt",
+    "decrypt"
+  ]);
+  const adminTokenPath = join2(config.dataDir, "admin-token");
+  let adminToken = config.adminToken;
+  if (!adminToken) {
+    if (existsSync2(adminTokenPath)) {
+      adminToken = readFileSync2(adminTokenPath, "utf-8").trim();
+      log("[nkmc] Loaded admin token from", adminTokenPath);
+    } else {
+      adminToken = randomUUID();
+      writeFileSync(adminTokenPath, adminToken, "utf-8");
+      chmodSync(adminTokenPath, 384);
+      log("[nkmc] Generated admin token ->", adminTokenPath);
+    }
+  }
+  try {
+    chmodSync(adminTokenPath, 384);
+  } catch {
+  }
+  const store = new D1RegistryStore(db);
+  const vault = new D1CredentialVault(db, encryptionKey);
+  const peerStore = new D1PeerStore(db);
+  const toolRegistry = createDefaultToolRegistry();
+  const exec = createExec();
+  const gateway = createGateway({
+    store,
+    vault,
+    db,
+    gatewayPrivateKey: privateKey,
+    gatewayPublicKey: publicKey,
+    adminToken,
+    peerStore,
+    proxy: { toolRegistry, exec }
+  });
+  return new Promise((resolve) => {
+    const server = serve(
+      {
+        fetch: gateway.fetch,
+        port: config.port,
+        hostname: config.host
+      },
+      (info) => {
+        log();
+        log("  \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510");
+        log("  \u2502  nakamichi gateway (standalone)           \u2502");
+        log("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
+        log();
+        log(`  Port:     ${info.port}`);
+        log(`  Host:     ${config.host}`);
+        log(`  Data dir: ${config.dataDir}`);
+        log(`  Database: ${dbPath}`);
+        log();
+        resolve({
+          port: info.port,
+          close: () => {
+            server.close();
+            sqlite.close();
+          }
+        });
+      }
+    );
+  });
+}
+
+// src/index.ts
+async function main() {
+  const config = loadConfig();
+  await startServer({ config });
+}
+main().catch((err) => {
+  console.error("[nkmc] Fatal error:", err);
+  process.exit(1);
+});

package/dist/server.js

@@ -0,0 +1,300 @@
+// src/server.ts
+import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync } from "fs";
+import { join } from "path";
+import { randomUUID, randomBytes } from "crypto";
+import Database from "better-sqlite3";
+import { serve } from "@hono/node-server";
+import { generateKeyPair, exportJWK } from "jose";
+import { createSqliteD1, D1RegistryStore, D1CredentialVault, D1PeerStore } from "@nkmc/gateway";
+import { createGateway } from "@nkmc/gateway/http";
+import { createDefaultToolRegistry } from "@nkmc/gateway/proxy";
+import { nanoid } from "nanoid";
+
+// src/exec.ts
+import { spawn } from "child_process";
+function createExec(opts) {
+  const timeout = opts?.timeout ?? 3e4;
+  return (tool, args, env) => {
+    return new Promise((resolve) => {
+      const child = spawn(tool, args, {
+        env: { ...process.env, ...env },
+        timeout,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
+      let stdout = "";
+      let stderr = "";
+      child.stdout.on("data", (data) => {
+        stdout += data;
+      });
+      child.stderr.on("data", (data) => {
+        stderr += data;
+      });
+      child.on("close", (code) => {
+        resolve({ stdout, stderr, exitCode: code ?? 1 });
+      });
+      child.on("error", (err) => {
+        resolve({ stdout: "", stderr: err.message, exitCode: 1 });
+      });
+    });
+  };
+}
+
+// src/migrations.ts
+var migrations = [
+  {
+    name: "0001_init",
+    sql: `
+-- Services registry
+CREATE TABLE IF NOT EXISTS services (
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  name TEXT NOT NULL,
+  description TEXT,
+  roles TEXT,
+  skill_md TEXT NOT NULL,
+  endpoints TEXT,
+  is_first_party INTEGER DEFAULT 0,
+  status TEXT DEFAULT 'active',
+  is_default INTEGER DEFAULT 1,
+  source TEXT,
+  sunset_date INTEGER,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, version)
+);
+
+CREATE INDEX IF NOT EXISTS idx_services_default ON services(domain, is_default);
+
+-- Credentials vault
+CREATE TABLE IF NOT EXISTS credentials (
+  domain TEXT NOT NULL,
+  scope TEXT NOT NULL DEFAULT 'pool',
+  developer_id TEXT NOT NULL DEFAULT '',
+  auth_encrypted TEXT NOT NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, scope, developer_id)
+);
+
+-- Metering records
+CREATE TABLE IF NOT EXISTS meter_records (
+  id TEXT PRIMARY KEY,
+  timestamp INTEGER NOT NULL,
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  endpoint TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  developer_id TEXT,
+  cost REAL NOT NULL,
+  currency TEXT NOT NULL DEFAULT 'USDC'
+);
+
+CREATE INDEX IF NOT EXISTS idx_meter_domain ON meter_records(domain, timestamp);
+CREATE INDEX IF NOT EXISTS idx_meter_agent ON meter_records(agent_id, timestamp);
+
+-- Domain verification challenges
+CREATE TABLE IF NOT EXISTS domain_challenges (
+  domain TEXT PRIMARY KEY,
+  challenge_code TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'pending',
+  created_at INTEGER NOT NULL,
+  verified_at INTEGER,
+  expires_at INTEGER NOT NULL
+);
+
+-- Developer-Agent binding
+CREATE TABLE IF NOT EXISTS developer_agents (
+  user_id TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  label TEXT,
+  created_at INTEGER NOT NULL,
+  PRIMARY KEY (user_id, agent_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_da_agent ON developer_agents(agent_id);
+
+-- Claim tokens (for agent-first onboarding)
+CREATE TABLE IF NOT EXISTS claim_tokens (
+  token TEXT PRIMARY KEY,
+  agent_id TEXT NOT NULL,
+  expires_at INTEGER NOT NULL,
+  created_at INTEGER NOT NULL
+);
+`
+  },
+  {
+    name: "0002_auth_mode",
+    sql: `ALTER TABLE services ADD COLUMN auth_mode TEXT`
+  },
+  {
+    name: "0003_federation",
+    sql: `
+-- Federation: peer gateways and lending rules
+
+CREATE TABLE IF NOT EXISTS peers (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  url TEXT NOT NULL,
+  shared_secret TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'active',
+  advertised_domains TEXT NOT NULL DEFAULT '[]',
+  last_seen INTEGER NOT NULL,
+  created_at INTEGER NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS lending_rules (
+  domain TEXT PRIMARY KEY,
+  allow INTEGER NOT NULL DEFAULT 1,
+  peers TEXT NOT NULL DEFAULT '"*"',
+  pricing TEXT NOT NULL DEFAULT '{"mode":"free"}',
+  rate_limit TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+`
+  }
+];
+
+// src/server.ts
+async function startServer(options) {
+  const { config, silent } = options;
+  const log = silent ? () => {
+  } : console.log.bind(console);
+  mkdirSync(config.dataDir, { recursive: true });
+  const dbPath = join(config.dataDir, "nkmc.db");
+  const sqlite = new Database(dbPath);
+  sqlite.pragma("journal_mode = WAL");
+  sqlite.pragma("foreign_keys = ON");
+  const db = createSqliteD1(sqlite);
+  sqlite.exec(`CREATE TABLE IF NOT EXISTS _nkmc_migrations (name TEXT PRIMARY KEY, applied_at INTEGER NOT NULL DEFAULT (unixepoch()))`);
+  for (const m of migrations) {
+    const applied = sqlite.prepare("SELECT 1 FROM _nkmc_migrations WHERE name = ?").get(m.name);
+    if (applied) continue;
+    try {
+      sqlite.exec(m.sql);
+      sqlite.prepare("INSERT OR IGNORE INTO _nkmc_migrations (name) VALUES (?)").run(m.name);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("duplicate column")) {
+        sqlite.prepare("INSERT OR IGNORE INTO _nkmc_migrations (name) VALUES (?)").run(m.name);
+      } else {
+        throw err;
+      }
+    }
+  }
+  log("[nkmc] Migrations applied");
+  let privateKey;
+  let publicKey;
+  const keysPath = join(config.dataDir, "keys.json");
+  if (config.gatewayPrivateKey && config.gatewayPublicKey) {
+    privateKey = JSON.parse(config.gatewayPrivateKey);
+    publicKey = JSON.parse(config.gatewayPublicKey);
+    log("[nkmc] Loaded gateway keys from config/env");
+  } else if (existsSync(keysPath)) {
+    const keys = JSON.parse(readFileSync(keysPath, "utf-8"));
+    privateKey = keys.privateKey;
+    publicKey = keys.publicKey;
+    log("[nkmc] Loaded gateway keys from", keysPath);
+  } else {
+    const pair = await generateKeyPair("EdDSA", { crv: "Ed25519", extractable: true });
+    privateKey = { ...await exportJWK(pair.privateKey), kty: "OKP", crv: "Ed25519" };
+    publicKey = { ...await exportJWK(pair.publicKey), kty: "OKP", crv: "Ed25519" };
+    const kid = nanoid(12);
+    privateKey.kid = kid;
+    publicKey.kid = kid;
+    writeFileSync(keysPath, JSON.stringify({ privateKey, publicKey }, null, 2), "utf-8");
+    chmodSync(keysPath, 384);
+    log("[nkmc] Generated new gateway key pair ->", keysPath);
+  }
+  try {
+    chmodSync(keysPath, 384);
+  } catch {
+  }
+  const encKeyPath = join(config.dataDir, "encryption.key");
+  let rawKeyB64;
+  if (config.encryptionKey) {
+    rawKeyB64 = config.encryptionKey;
+    log("[nkmc] Using encryption key from config/env");
+  } else if (existsSync(encKeyPath)) {
+    rawKeyB64 = readFileSync(encKeyPath, "utf-8").trim();
+    log("[nkmc] Loaded encryption key from", encKeyPath);
+  } else {
+    const buf = randomBytes(32);
+    rawKeyB64 = buf.toString("base64");
+    writeFileSync(encKeyPath, rawKeyB64, "utf-8");
+    chmodSync(encKeyPath, 384);
+    log("[nkmc] Generated new encryption key ->", encKeyPath);
+  }
+  try {
+    chmodSync(encKeyPath, 384);
+  } catch {
+  }
+  const rawKey = Uint8Array.from(atob(rawKeyB64), (c) => c.charCodeAt(0));
+  const encryptionKey = await crypto.subtle.importKey("raw", rawKey, "AES-GCM", false, [
+    "encrypt",
+    "decrypt"
+  ]);
+  const adminTokenPath = join(config.dataDir, "admin-token");
+  let adminToken = config.adminToken;
+  if (!adminToken) {
+    if (existsSync(adminTokenPath)) {
+      adminToken = readFileSync(adminTokenPath, "utf-8").trim();
+      log("[nkmc] Loaded admin token from", adminTokenPath);
+    } else {
+      adminToken = randomUUID();
+      writeFileSync(adminTokenPath, adminToken, "utf-8");
+      chmodSync(adminTokenPath, 384);
+      log("[nkmc] Generated admin token ->", adminTokenPath);
+    }
+  }
+  try {
+    chmodSync(adminTokenPath, 384);
+  } catch {
+  }
+  const store = new D1RegistryStore(db);
+  const vault = new D1CredentialVault(db, encryptionKey);
+  const peerStore = new D1PeerStore(db);
+  const toolRegistry = createDefaultToolRegistry();
+  const exec = createExec();
+  const gateway = createGateway({
+    store,
+    vault,
+    db,
+    gatewayPrivateKey: privateKey,
+    gatewayPublicKey: publicKey,
+    adminToken,
+    peerStore,
+    proxy: { toolRegistry, exec }
+  });
+  return new Promise((resolve) => {
+    const server = serve(
+      {
+        fetch: gateway.fetch,
+        port: config.port,
+        hostname: config.host
+      },
+      (info) => {
+        log();
+        log("  \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510");
+        log("  \u2502  nakamichi gateway (standalone)           \u2502");
+        log("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
+        log();
+        log(`  Port:     ${info.port}`);
+        log(`  Host:     ${config.host}`);
+        log(`  Data dir: ${config.dataDir}`);
+        log(`  Database: ${dbPath}`);
+        log();
+        resolve({
+          port: info.port,
+          close: () => {
+            server.close();
+            sqlite.close();
+          }
+        });
+      }
+    );
+  });
+}
+export {
+  startServer
+};

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "@nkmc/server",
+  "version": "0.1.0",
+  "type": "module",
+  "bin": {
+    "nkmc-server": "./dist/index.js"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js"
+    },
+    "./config": {
+      "types": "./dist/config.d.ts",
+      "import": "./dist/config.js"
+    }
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "start": "node dist/index.js"
+  },
+  "dependencies": {
+    "@nkmc/gateway": "workspace:*",
+    "@nkmc/agent-fs": "workspace:*",
+    "@nkmc/core": "^0.1.1",
+    "@hono/node-server": "^1.14.1",
+    "better-sqlite3": "^12.6.2",
+    "hono": "^4.11.9",
+    "jose": "^6.1.3",
+    "nanoid": "^5.1.5"
+  },
+  "devDependencies": {
+    "@types/better-sqlite3": "^7.6.13",
+    "tsup": "^8.4.0",
+    "typescript": "^5.8.2"
+  }
+}