@nkmc/server 0.1.0

package/src/config.ts

@@ -0,0 +1,44 @@
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+
+export interface ServerConfig {
+  port: number;
+  host: string;
+  dataDir: string;
+  adminToken?: string;
+  encryptionKey?: string;
+  gatewayPrivateKey?: string;
+  gatewayPublicKey?: string;
+}
+
+const DEFAULT_DATA_DIR = join(homedir(), ".nkmc", "server");
+
+export function loadConfig(): ServerConfig {
+  const dataDir = process.env.NKMC_DATA_DIR ?? DEFAULT_DATA_DIR;
+
+  // Load config file if it exists
+  const configPath = join(dataDir, "config.json");
+  let fileConfig: Record<string, unknown> = {};
+  if (existsSync(configPath)) {
+    try {
+      fileConfig = JSON.parse(readFileSync(configPath, "utf-8"));
+    } catch {
+      // Ignore malformed config files
+    }
+  }
+
+  function get(envKey: string, fileKey: string): string | undefined {
+    return process.env[envKey] ?? (fileConfig[fileKey] as string | undefined);
+  }
+
+  return {
+    port: parseInt(process.env.NKMC_PORT ?? (fileConfig.port as string | undefined) ?? "9090", 10),
+    host: process.env.NKMC_HOST ?? (fileConfig.host as string | undefined) ?? "0.0.0.0",
+    dataDir,
+    adminToken: get("NKMC_ADMIN_TOKEN", "adminToken"),
+    encryptionKey: get("NKMC_ENCRYPTION_KEY", "encryptionKey"),
+    gatewayPrivateKey: get("NKMC_GATEWAY_PRIVATE_KEY", "gatewayPrivateKey"),
+    gatewayPublicKey: get("NKMC_GATEWAY_PUBLIC_KEY", "gatewayPublicKey"),
+  };
+}

package/src/exec.ts

@@ -0,0 +1,44 @@
+import { spawn } from "node:child_process";
+
+export interface ExecResult {
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+}
+
+export function createExec(opts?: {
+  timeout?: number;
+}): (
+  tool: string,
+  args: string[],
+  env: Record<string, string>,
+) => Promise<ExecResult> {
+  const timeout = opts?.timeout ?? 30_000;
+
+  return (tool, args, env) => {
+    return new Promise((resolve) => {
+      const child = spawn(tool, args, {
+        env: { ...process.env, ...env },
+        timeout,
+        stdio: ["ignore", "pipe", "pipe"],
+      });
+
+      let stdout = "";
+      let stderr = "";
+      child.stdout.on("data", (data: Buffer) => {
+        stdout += data;
+      });
+      child.stderr.on("data", (data: Buffer) => {
+        stderr += data;
+      });
+
+      child.on("close", (code) => {
+        resolve({ stdout, stderr, exitCode: code ?? 1 });
+      });
+
+      child.on("error", (err) => {
+        resolve({ stdout: "", stderr: err.message, exitCode: 1 });
+      });
+    });
+  };
+}

package/src/index.ts

@@ -0,0 +1,12 @@
+import { loadConfig } from "./config.js";
+import { startServer } from "./server.js";
+
+async function main() {
+  const config = loadConfig();
+  await startServer({ config });
+}
+
+main().catch((err) => {
+  console.error("[nkmc] Fatal error:", err);
+  process.exit(1);
+});

package/src/migrations/0001_init.sql

@@ -0,0 +1,76 @@
+-- Services registry
+CREATE TABLE IF NOT EXISTS services (
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  name TEXT NOT NULL,
+  description TEXT,
+  roles TEXT,
+  skill_md TEXT NOT NULL,
+  endpoints TEXT,
+  is_first_party INTEGER DEFAULT 0,
+  status TEXT DEFAULT 'active',
+  is_default INTEGER DEFAULT 1,
+  source TEXT,
+  sunset_date INTEGER,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, version)
+);
+
+CREATE INDEX IF NOT EXISTS idx_services_default ON services(domain, is_default);
+
+-- Credentials vault
+CREATE TABLE IF NOT EXISTS credentials (
+  domain TEXT NOT NULL,
+  scope TEXT NOT NULL DEFAULT 'pool',
+  developer_id TEXT NOT NULL DEFAULT '',
+  auth_encrypted TEXT NOT NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, scope, developer_id)
+);
+
+-- Metering records
+CREATE TABLE IF NOT EXISTS meter_records (
+  id TEXT PRIMARY KEY,
+  timestamp INTEGER NOT NULL,
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  endpoint TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  developer_id TEXT,
+  cost REAL NOT NULL,
+  currency TEXT NOT NULL DEFAULT 'USDC'
+);
+
+CREATE INDEX IF NOT EXISTS idx_meter_domain ON meter_records(domain, timestamp);
+CREATE INDEX IF NOT EXISTS idx_meter_agent ON meter_records(agent_id, timestamp);
+
+-- Domain verification challenges
+CREATE TABLE IF NOT EXISTS domain_challenges (
+  domain TEXT PRIMARY KEY,
+  challenge_code TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'pending',
+  created_at INTEGER NOT NULL,
+  verified_at INTEGER,
+  expires_at INTEGER NOT NULL
+);
+
+-- Developer-Agent binding
+CREATE TABLE IF NOT EXISTS developer_agents (
+  user_id TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  label TEXT,
+  created_at INTEGER NOT NULL,
+  PRIMARY KEY (user_id, agent_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_da_agent ON developer_agents(agent_id);
+
+-- Claim tokens (for agent-first onboarding)
+CREATE TABLE IF NOT EXISTS claim_tokens (
+  token TEXT PRIMARY KEY,
+  agent_id TEXT NOT NULL,
+  expires_at INTEGER NOT NULL,
+  created_at INTEGER NOT NULL
+);

package/src/migrations/0002_auth_mode.sql

@@ -0,0 +1,2 @@
+-- Add auth_mode column for nkmc-jwt proxy authentication
+ALTER TABLE services ADD COLUMN auth_mode TEXT;

package/src/migrations.ts

@@ -0,0 +1,120 @@
+/**
+ * Embedded migration SQL statements.
+ * These are copied from migrations/ (repo root) and kept in sync manually.
+ * Each migration is idempotent (uses IF NOT EXISTS patterns).
+ */
+
+export const migrations: { name: string; sql: string }[] = [
+  {
+    name: "0001_init",
+    sql: `
+-- Services registry
+CREATE TABLE IF NOT EXISTS services (
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  name TEXT NOT NULL,
+  description TEXT,
+  roles TEXT,
+  skill_md TEXT NOT NULL,
+  endpoints TEXT,
+  is_first_party INTEGER DEFAULT 0,
+  status TEXT DEFAULT 'active',
+  is_default INTEGER DEFAULT 1,
+  source TEXT,
+  sunset_date INTEGER,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, version)
+);
+
+CREATE INDEX IF NOT EXISTS idx_services_default ON services(domain, is_default);
+
+-- Credentials vault
+CREATE TABLE IF NOT EXISTS credentials (
+  domain TEXT NOT NULL,
+  scope TEXT NOT NULL DEFAULT 'pool',
+  developer_id TEXT NOT NULL DEFAULT '',
+  auth_encrypted TEXT NOT NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  PRIMARY KEY (domain, scope, developer_id)
+);
+
+-- Metering records
+CREATE TABLE IF NOT EXISTS meter_records (
+  id TEXT PRIMARY KEY,
+  timestamp INTEGER NOT NULL,
+  domain TEXT NOT NULL,
+  version TEXT NOT NULL,
+  endpoint TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  developer_id TEXT,
+  cost REAL NOT NULL,
+  currency TEXT NOT NULL DEFAULT 'USDC'
+);
+
+CREATE INDEX IF NOT EXISTS idx_meter_domain ON meter_records(domain, timestamp);
+CREATE INDEX IF NOT EXISTS idx_meter_agent ON meter_records(agent_id, timestamp);
+
+-- Domain verification challenges
+CREATE TABLE IF NOT EXISTS domain_challenges (
+  domain TEXT PRIMARY KEY,
+  challenge_code TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'pending',
+  created_at INTEGER NOT NULL,
+  verified_at INTEGER,
+  expires_at INTEGER NOT NULL
+);
+
+-- Developer-Agent binding
+CREATE TABLE IF NOT EXISTS developer_agents (
+  user_id TEXT NOT NULL,
+  agent_id TEXT NOT NULL,
+  label TEXT,
+  created_at INTEGER NOT NULL,
+  PRIMARY KEY (user_id, agent_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_da_agent ON developer_agents(agent_id);
+
+-- Claim tokens (for agent-first onboarding)
+CREATE TABLE IF NOT EXISTS claim_tokens (
+  token TEXT PRIMARY KEY,
+  agent_id TEXT NOT NULL,
+  expires_at INTEGER NOT NULL,
+  created_at INTEGER NOT NULL
+);
+`,
+  },
+  {
+    name: "0002_auth_mode",
+    sql: `ALTER TABLE services ADD COLUMN auth_mode TEXT`,
+  },
+  {
+    name: "0003_federation",
+    sql: `
+-- Federation: peer gateways and lending rules
+
+CREATE TABLE IF NOT EXISTS peers (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  url TEXT NOT NULL,
+  shared_secret TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'active',
+  advertised_domains TEXT NOT NULL DEFAULT '[]',
+  last_seen INTEGER NOT NULL,
+  created_at INTEGER NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS lending_rules (
+  domain TEXT PRIMARY KEY,
+  allow INTEGER NOT NULL DEFAULT 1,
+  peers TEXT NOT NULL DEFAULT '"*"',
+  pricing TEXT NOT NULL DEFAULT '{"mode":"free"}',
+  rate_limit TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+`,
+  },
+];

package/src/server.ts

@@ -0,0 +1,183 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync } from "node:fs";
+import { join } from "node:path";
+import { randomUUID, randomBytes } from "node:crypto";
+import Database from "better-sqlite3";
+import { serve } from "@hono/node-server";
+import { generateKeyPair, exportJWK } from "jose";
+import { createSqliteD1, D1RegistryStore, D1CredentialVault, D1PeerStore } from "@nkmc/gateway";
+import { createGateway } from "@nkmc/gateway/http";
+import { createDefaultToolRegistry } from "@nkmc/gateway/proxy";
+import { nanoid } from "nanoid";
+import { createExec } from "./exec.js";
+import { migrations } from "./migrations.js";
+import type { ServerConfig } from "./config.js";
+
+export interface StartServerOptions {
+  config: ServerConfig;
+  /** If true, suppress banner output */
+  silent?: boolean;
+}
+
+export interface ServerHandle {
+  /** The port the server is listening on */
+  port: number;
+  /** Close the server and database */
+  close: () => void;
+}
+
+export async function startServer(options: StartServerOptions): Promise<ServerHandle> {
+  const { config, silent } = options;
+  const log = silent ? () => {} : console.log.bind(console);
+
+  // Ensure data directory exists
+  mkdirSync(config.dataDir, { recursive: true });
+
+  // ── SQLite ────────────────────────────────────────────────
+  const dbPath = join(config.dataDir, "nkmc.db");
+  const sqlite = new Database(dbPath);
+  sqlite.pragma("journal_mode = WAL");
+  sqlite.pragma("foreign_keys = ON");
+
+  const db = createSqliteD1(sqlite);
+
+  // ── Migrations ────────────────────────────────────────────
+  sqlite.exec(`CREATE TABLE IF NOT EXISTS _nkmc_migrations (name TEXT PRIMARY KEY, applied_at INTEGER NOT NULL DEFAULT (unixepoch()))`);
+
+  for (const m of migrations) {
+    const applied = sqlite.prepare("SELECT 1 FROM _nkmc_migrations WHERE name = ?").get(m.name);
+    if (applied) continue;
+    try {
+      sqlite.exec(m.sql);
+      sqlite.prepare("INSERT OR IGNORE INTO _nkmc_migrations (name) VALUES (?)").run(m.name);
+    } catch (err: unknown) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("duplicate column")) {
+        sqlite.prepare("INSERT OR IGNORE INTO _nkmc_migrations (name) VALUES (?)").run(m.name);
+      } else {
+        throw err;
+      }
+    }
+  }
+
+  log("[nkmc] Migrations applied");
+
+  // ── Gateway Key Pair (EdDSA / Ed25519) ───────────────────
+  let privateKey: Record<string, unknown>;
+  let publicKey: Record<string, unknown>;
+  const keysPath = join(config.dataDir, "keys.json");
+
+  if (config.gatewayPrivateKey && config.gatewayPublicKey) {
+    privateKey = JSON.parse(config.gatewayPrivateKey);
+    publicKey = JSON.parse(config.gatewayPublicKey);
+    log("[nkmc] Loaded gateway keys from config/env");
+  } else if (existsSync(keysPath)) {
+    const keys = JSON.parse(readFileSync(keysPath, "utf-8"));
+    privateKey = keys.privateKey;
+    publicKey = keys.publicKey;
+    log("[nkmc] Loaded gateway keys from", keysPath);
+  } else {
+    const pair = await generateKeyPair("EdDSA", { crv: "Ed25519", extractable: true });
+    privateKey = { ...(await exportJWK(pair.privateKey)), kty: "OKP", crv: "Ed25519" };
+    publicKey = { ...(await exportJWK(pair.publicKey)), kty: "OKP", crv: "Ed25519" };
+    const kid = nanoid(12);
+    privateKey.kid = kid;
+    publicKey.kid = kid;
+    writeFileSync(keysPath, JSON.stringify({ privateKey, publicKey }, null, 2), "utf-8");
+    chmodSync(keysPath, 0o600);
+    log("[nkmc] Generated new gateway key pair ->", keysPath);
+  }
+  try { chmodSync(keysPath, 0o600); } catch {}
+
+  // ── Encryption Key (AES-GCM) ─────────────────────────────
+  const encKeyPath = join(config.dataDir, "encryption.key");
+  let rawKeyB64: string;
+
+  if (config.encryptionKey) {
+    rawKeyB64 = config.encryptionKey;
+    log("[nkmc] Using encryption key from config/env");
+  } else if (existsSync(encKeyPath)) {
+    rawKeyB64 = readFileSync(encKeyPath, "utf-8").trim();
+    log("[nkmc] Loaded encryption key from", encKeyPath);
+  } else {
+    const buf = randomBytes(32);
+    rawKeyB64 = buf.toString("base64");
+    writeFileSync(encKeyPath, rawKeyB64, "utf-8");
+    chmodSync(encKeyPath, 0o600);
+    log("[nkmc] Generated new encryption key ->", encKeyPath);
+  }
+  // Ensure encryption key file is always owner-only
+  try { chmodSync(encKeyPath, 0o600); } catch {}
+
+  const rawKey = Uint8Array.from(atob(rawKeyB64), (c) => c.charCodeAt(0));
+  const encryptionKey = await crypto.subtle.importKey("raw", rawKey, "AES-GCM", false, [
+    "encrypt",
+    "decrypt",
+  ]);
+
+  // ── Admin Token ───────────────────────────────────────────
+  const adminTokenPath = join(config.dataDir, "admin-token");
+  let adminToken = config.adminToken;
+  if (!adminToken) {
+    if (existsSync(adminTokenPath)) {
+      adminToken = readFileSync(adminTokenPath, "utf-8").trim();
+      log("[nkmc] Loaded admin token from", adminTokenPath);
+    } else {
+      adminToken = randomUUID();
+      writeFileSync(adminTokenPath, adminToken, "utf-8");
+      chmodSync(adminTokenPath, 0o600);
+      log("[nkmc] Generated admin token ->", adminTokenPath);
+    }
+  }
+  try { chmodSync(adminTokenPath, 0o600); } catch {}
+
+  // ── Stores ────────────────────────────────────────────────
+  const store = new D1RegistryStore(db);
+  const vault = new D1CredentialVault(db, encryptionKey);
+  const peerStore = new D1PeerStore(db);
+
+  // ── Create Gateway ────────────────────────────────────────
+  const toolRegistry = createDefaultToolRegistry();
+  const exec = createExec();
+
+  const gateway = createGateway({
+    store,
+    vault,
+    db,
+    gatewayPrivateKey: privateKey,
+    gatewayPublicKey: publicKey,
+    adminToken,
+    peerStore,
+    proxy: { toolRegistry, exec },
+  });
+
+  // ── Start Server ──────────────────────────────────────────
+  return new Promise<ServerHandle>((resolve) => {
+    const server = serve(
+      {
+        fetch: gateway.fetch,
+        port: config.port,
+        hostname: config.host,
+      },
+      (info) => {
+        log();
+        log("  ┌──────────────────────────────────────────┐");
+        log("  │  nakamichi gateway (standalone)           │");
+        log("  └──────────────────────────────────────────┘");
+        log();
+        log(`  Port:     ${info.port}`);
+        log(`  Host:     ${config.host}`);
+        log(`  Data dir: ${config.dataDir}`);
+        log(`  Database: ${dbPath}`);
+        log();
+
+        resolve({
+          port: info.port,
+          close: () => {
+            server.close();
+            sqlite.close();
+          },
+        });
+      },
+    );
+  });
+}

package/test/config.test.ts

@@ -0,0 +1,123 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { randomUUID } from "node:crypto";
+import { loadConfig } from "../src/config.js";
+
+/**
+ * Save and restore env vars touched by loadConfig() so tests are isolated.
+ */
+const ENV_KEYS = [
+  "NKMC_PORT",
+  "NKMC_HOST",
+  "NKMC_DATA_DIR",
+  "NKMC_ADMIN_TOKEN",
+  "NKMC_ENCRYPTION_KEY",
+  "NKMC_GATEWAY_PRIVATE_KEY",
+  "NKMC_GATEWAY_PUBLIC_KEY",
+] as const;
+
+describe("loadConfig()", () => {
+  const saved = new Map<string, string | undefined>();
+
+  beforeEach(() => {
+    for (const key of ENV_KEYS) {
+      saved.set(key, process.env[key]);
+      delete process.env[key];
+    }
+  });
+
+  afterEach(() => {
+    for (const key of ENV_KEYS) {
+      const v = saved.get(key);
+      if (v === undefined) {
+        delete process.env[key];
+      } else {
+        process.env[key] = v;
+      }
+    }
+  });
+
+  it("returns sensible defaults when no env vars or config file are present", () => {
+    const cfg = loadConfig();
+    expect(cfg.port).toBe(9090);
+    expect(cfg.host).toBe("0.0.0.0");
+    expect(cfg.dataDir).toMatch(/\.nkmc[/\\]server$/);
+    expect(cfg.adminToken).toBeUndefined();
+  });
+
+  it("NKMC_PORT overrides default port", () => {
+    process.env.NKMC_PORT = "4321";
+    const cfg = loadConfig();
+    expect(cfg.port).toBe(4321);
+  });
+
+  it("NKMC_DATA_DIR overrides default data directory", () => {
+    const tmp = join(tmpdir(), `nkmc-test-${randomUUID()}`);
+    mkdirSync(tmp, { recursive: true });
+    try {
+      process.env.NKMC_DATA_DIR = tmp;
+      const cfg = loadConfig();
+      expect(cfg.dataDir).toBe(tmp);
+    } finally {
+      rmSync(tmp, { recursive: true, force: true });
+    }
+  });
+
+  it("NKMC_ADMIN_TOKEN env var is picked up", () => {
+    process.env.NKMC_ADMIN_TOKEN = "super-secret";
+    const cfg = loadConfig();
+    expect(cfg.adminToken).toBe("super-secret");
+  });
+
+  it("reads values from config.json when env vars are absent", () => {
+    const tmp = join(tmpdir(), `nkmc-test-${randomUUID()}`);
+    mkdirSync(tmp, { recursive: true });
+    try {
+      writeFileSync(
+        join(tmp, "config.json"),
+        JSON.stringify({ port: "7777", adminToken: "from-file" }),
+      );
+      process.env.NKMC_DATA_DIR = tmp;
+      const cfg = loadConfig();
+      expect(cfg.port).toBe(7777);
+      expect(cfg.adminToken).toBe("from-file");
+    } finally {
+      rmSync(tmp, { recursive: true, force: true });
+    }
+  });
+
+  it("env vars take precedence over config.json values", () => {
+    const tmp = join(tmpdir(), `nkmc-test-${randomUUID()}`);
+    mkdirSync(tmp, { recursive: true });
+    try {
+      writeFileSync(
+        join(tmp, "config.json"),
+        JSON.stringify({ port: "7777", adminToken: "from-file" }),
+      );
+      process.env.NKMC_DATA_DIR = tmp;
+      process.env.NKMC_PORT = "8888";
+      process.env.NKMC_ADMIN_TOKEN = "from-env";
+      const cfg = loadConfig();
+      expect(cfg.port).toBe(8888);
+      expect(cfg.adminToken).toBe("from-env");
+    } finally {
+      rmSync(tmp, { recursive: true, force: true });
+    }
+  });
+
+  it("ignores a malformed config.json", () => {
+    const tmp = join(tmpdir(), `nkmc-test-${randomUUID()}`);
+    mkdirSync(tmp, { recursive: true });
+    try {
+      writeFileSync(join(tmp, "config.json"), "NOT VALID JSON {{{");
+      process.env.NKMC_DATA_DIR = tmp;
+      const cfg = loadConfig();
+      // Should fall back to defaults without throwing
+      expect(cfg.port).toBe(9090);
+    } finally {
+      rmSync(tmp, { recursive: true, force: true });
+    }
+  });
+});