@okrlinkhub/agent-bridge 2.0.1 → 3.0.0

package/dist/component/schema.d.ts

@@ -2,10 +2,10 @@ declare const _default: import("convex/server").SchemaDefinition<{
     agents: import("convex/server").TableDefinition<import("convex/values").VObject<{
         appKey?: string | undefined;
         lastUsed?: number | undefined;
-        enabled: boolean;
         name: string;
-        rateLimit: number;
         apiKeyHash: string;
+        enabled: boolean;
+        rateLimit: number;
         createdAt: number;
     }, {
         name: import("convex/values").VString<string, "required">;
@@ -15,7 +15,7 @@ declare const _default: import("convex/server").SchemaDefinition<{
         rateLimit: import("convex/values").VFloat64<number, "required">;
         lastUsed: import("convex/values").VFloat64<number | undefined, "optional">;
         createdAt: import("convex/values").VFloat64<number, "required">;
-    }, "required", "appKey" | "enabled" | "name" | "rateLimit" | "apiKeyHash" | "lastUsed" | "createdAt">, {
+    }, "required", "name" | "appKey" | "apiKeyHash" | "enabled" | "rateLimit" | "lastUsed" | "createdAt">, {
         by_apiKeyHash: ["apiKeyHash", "_creationTime"];
         by_appKey: ["appKey", "_creationTime"];
         by_enabled: ["enabled", "_creationTime"];
@@ -56,8 +56,9 @@ declare const _default: import("convex/server").SchemaDefinition<{
         by_key: ["key", "_creationTime"];
     }, {}, {}>;
     agentLogs: import("convex/server").TableDefinition<import("convex/values").VObject<{
-        error?: string | undefined;
+        serviceId?: string | undefined;
         result?: any;
+        error?: string | undefined;
         agentId: import("convex/values").GenericId<"agents">;
         functionKey: string;
         args: any;
@@ -65,14 +66,16 @@ declare const _default: import("convex/server").SchemaDefinition<{
         timestamp: number;
     }, {
         agentId: import("convex/values").VId<import("convex/values").GenericId<"agents">, "required">;
+        serviceId: import("convex/values").VString<string | undefined, "optional">;
         functionKey: import("convex/values").VString<string, "required">;
         args: import("convex/values").VAny<any, "required", string>;
         result: import("convex/values").VAny<any, "optional", string>;
         error: import("convex/values").VString<string | undefined, "optional">;
         duration: import("convex/values").VFloat64<number, "required">;
         timestamp: import("convex/values").VFloat64<number, "required">;
-    }, "required", "agentId" | "functionKey" | "args" | "duration" | "error" | "result" | "timestamp" | `args.${string}` | `result.${string}`>, {
+    }, "required", "agentId" | "serviceId" | "functionKey" | "args" | "result" | "error" | "duration" | "timestamp" | `args.${string}` | `result.${string}`>, {
         by_agentId_and_timestamp: ["agentId", "timestamp", "_creationTime"];
+        by_serviceId_and_timestamp: ["serviceId", "timestamp", "_creationTime"];
         by_functionKey: ["functionKey", "_creationTime"];
         by_timestamp: ["timestamp", "_creationTime"];
     }, {}, {}>;

package/dist/component/schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/component/schema.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,wBAiDG"}
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/component/schema.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,wBAmDG"}

package/dist/component/schema.js

@@ -30,6 +30,7 @@ export default defineSchema({
     }).index("by_key", ["key"]),
     agentLogs: defineTable({
         agentId: v.id("agents"),
+        serviceId: v.optional(v.string()),
         functionKey: v.string(),
         args: v.any(),
         result: v.optional(v.any()),
@@ -38,6 +39,7 @@ export default defineSchema({
         timestamp: v.number(),
     })
         .index("by_agentId_and_timestamp", ["agentId", "timestamp"])
+        .index("by_serviceId_and_timestamp", ["serviceId", "timestamp"])
         .index("by_functionKey", ["functionKey"])
         .index("by_timestamp", ["timestamp"]),
 });

package/dist/component/schema.js.map

@@ -1 +1 @@
-{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/component/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC1D,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAElC,eAAe,YAAY,CAAC;IAC1B,MAAM,EAAE,WAAW,CAAC;QAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC9B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE;QACpB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;QACrB,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,eAAe,EAAE,CAAC,YAAY,CAAC,CAAC;SACtC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC;SAC9B,KAAK,CAAC,YAAY,EAAE,CAAC,SAAS,CAAC,CAAC;IAEnC,gBAAgB,EAAE,WAAW,CAAC;QAC5B,OAAO,EAAE,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC;QACvB,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;QAC3B,UAAU,EAAE,CAAC,CAAC,KAAK,CACjB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAClB,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EACjB,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAC1B;QACD,eAAe,EAAE,CAAC,CAAC,QAAQ,CACzB,CAAC,CAAC,MAAM,CAAC;YACP,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;YAC3B,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACpC,CAAC,CACH;QACD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC,SAAS,CAAC,CAAC;IAEnC,cAAc,EAAE,WAAW,CAAC;QAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;QACf,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE;QACpB,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACxC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC;IAE3B,SAAS,EAAE,WAAW,CAAC;QACrB,OAAO,EAAE,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC;QACvB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QACvB,IAAI,EAAE,CAAC,CAAC,GAAG,EAAE;QACb,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;QAC3B,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC7B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,0BAA0B,EAAE,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;SAC3D,KAAK,CAAC,gBAAgB,EAAE,CAAC,aAAa,CAAC,CAAC;SACxC,KAAK,CAAC,cAAc,EAAE,CAAC,WAAW,CAAC,CAAC;CACxC,CAAC,CAAC"}
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/component/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC1D,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAElC,eAAe,YAAY,CAAC;IAC1B,MAAM,EAAE,WAAW,CAAC;QAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC9B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE;QACpB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;QACrB,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,eAAe,EAAE,CAAC,YAAY,CAAC,CAAC;SACtC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC;SAC9B,KAAK,CAAC,YAAY,EAAE,CAAC,SAAS,CAAC,CAAC;IAEnC,gBAAgB,EAAE,WAAW,CAAC;QAC5B,OAAO,EAAE,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC;QACvB,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;QAC3B,UAAU,EAAE,CAAC,CAAC,KAAK,CACjB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAClB,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EACjB,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAC1B;QACD,eAAe,EAAE,CAAC,CAAC,QAAQ,CACzB,CAAC,CAAC,MAAM,CAAC;YACP,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;YAC3B,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACpC,CAAC,CACH;QACD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC,SAAS,CAAC,CAAC;IAEnC,cAAc,EAAE,WAAW,CAAC;QAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;QACf,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE;QACpB,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACxC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC;IAE3B,SAAS,EAAE,WAAW,CAAC;QACrB,OAAO,EAAE,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC;QACvB,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACjC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QACvB,IAAI,EAAE,CAAC,CAAC,GAAG,EAAE;QACb,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;QAC3B,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC7B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,0BAA0B,EAAE,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;SAC3D,KAAK,CAAC,4BAA4B,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;SAC/D,KAAK,CAAC,gBAAgB,EAAE,CAAC,aAAa,CAAC,CAAC;SACxC,KAAK,CAAC,cAAc,EAAE,CAAC,WAAW,CAAC,CAAC;CACxC,CAAC,CAAC"}

package/package.json

@@ -9,7 +9,7 @@
   "bugs": {
     "url": "https://github.com/okrlinkhub/agent-bridge/issues"
   },
-  "version": "2.0.1",
+  "version": "3.0.0",
   "license": "Apache-2.0",
   "keywords": [
     "convex",

package/src/cli/init.ts

@@ -60,9 +60,7 @@ export function registerAgentBridgeRoutes(
 ) {
   registerRoutes(http, components.agentBridge, config, {
     pathPrefix: "/agent",
-    serviceKey:
-      (globalThis as { process?: { env?: Record<string, string> } }).process?.env
-        ?.AGENT_BRIDGE_SERVICE_KEY,
+    serviceKeysEnvVar: "AGENT_BRIDGE_SERVICE_KEYS_JSON",
   });
 }
 `;
@@ -94,10 +92,10 @@ export default http;
 - components.agentBridge.permissions.setAgentPermissions
 - components.agentBridge.permissions.setFunctionOverrides
 
-4) For multi-app OpenClaw deployments, set one service secret in Railway:
-- AGENT_BRIDGE_SERVICE_KEY=<shared-secret>
-- OpenClaw sends X-Agent-Service-Key and X-Agent-App headers
-- Bridge resolves app -> agent internally (keep legacy X-Agent-API-Key for compatibility)
+4) Configure strict service auth map (required):
+- AGENT_BRIDGE_SERVICE_KEYS_JSON={"openclaw-prod":"<key>","openclaw-staging":"<key>"}
+- OpenClaw must send X-Agent-Service-Id, X-Agent-Service-Key and X-Agent-App
+- Legacy X-Agent-API-Key is not supported in strict mode
 `;
 
 async function main() {

package/src/client/index.test.ts

@@ -7,7 +7,10 @@ import {
 
 function setupExecuteHandler(
   config: AgentBridgeConfig,
-  options?: { serviceKey?: string },
+  options?: {
+    serviceKeys?: Record<string, string>;
+    serviceKeysEnvVar?: string;
+  },
 ) {
   const routes: Array<{
     path: string;
@@ -34,7 +37,8 @@ function setupExecuteHandler(
 
   registerRoutes(http as never, component as never, config, {
     pathPrefix: "/agent",
-    serviceKey: options?.serviceKey,
+    serviceKeys: options?.serviceKeys,
+    serviceKeysEnvVar: options?.serviceKeysEnvVar,
   });
   const executeRoute = routes.find(
     (route) => route.path === "/agent/execute" && route.method === "POST",
@@ -45,7 +49,9 @@ function setupExecuteHandler(
   return executeRoute.handler;
 }
 
-describe("registerRoutes auth modes", () => {
+describe("registerRoutes strict service auth", () => {
+  const originalEnv = process.env.AGENT_BRIDGE_SERVICE_KEYS_JSON;
+
   const config = defineAgentBridgeConfig({
     functions: {
       "demo.list": {
@@ -55,8 +61,10 @@ describe("registerRoutes auth modes", () => {
     },
   });
 
-  test("uses legacy api key flow when X-Agent-API-Key is present", async () => {
-    const executeHandler = setupExecuteHandler(config, { serviceKey: "svc_key" });
+  test("authorizes with strict headers and service id map", async () => {
+    const executeHandler = setupExecuteHandler(config, {
+      serviceKeys: { "railway-a": "svc_key_a" },
+    });
     const runMutation = vi
       .fn()
       .mockResolvedValueOnce({
@@ -72,7 +80,9 @@ describe("registerRoutes auth modes", () => {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
-          "X-Agent-API-Key": "legacy_key",
+          "X-Agent-Service-Id": "railway-a",
+          "X-Agent-Service-Key": "svc_key_a",
+          "X-Agent-App": "crm",
         },
         body: JSON.stringify({
           functionKey: "demo.list",
@@ -82,15 +92,26 @@ describe("registerRoutes auth modes", () => {
     );
 
     expect(response.status).toBe(200);
-    expect(runMutation).toHaveBeenNthCalledWith(1, "authorizeRequestRef", {
-      apiKey: "legacy_key",
+    expect(runMutation).toHaveBeenNthCalledWith(1, "authorizeByAppKeyRef", {
+      appKey: "crm",
       functionKey: "demo.list",
       estimatedCost: undefined,
     });
+    expect(runMutation).toHaveBeenNthCalledWith(2, "logAccessRef", {
+      agentId: "agent_1",
+      serviceId: "railway-a",
+      functionKey: "demo.list",
+      args: {},
+      result: { ok: true },
+      duration: expect.any(Number),
+      timestamp: expect.any(Number),
+    });
   });
 
-  test("returns 401 when service key is invalid", async () => {
-    const executeHandler = setupExecuteHandler(config, { serviceKey: "svc_key" });
+  test("returns 400 when service id header is missing", async () => {
+    const executeHandler = setupExecuteHandler(config, {
+      serviceKeys: { "railway-a": "svc_key_a" },
+    });
     const runMutation = vi.fn();
 
     const response = await executeHandler(
@@ -99,7 +120,7 @@ describe("registerRoutes auth modes", () => {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
-          "X-Agent-Service-Key": "wrong_key",
+          "X-Agent-Service-Key": "svc_key_a",
           "X-Agent-App": "crm",
         },
         body: JSON.stringify({
@@ -109,17 +130,15 @@ describe("registerRoutes auth modes", () => {
       }),
     );
 
-    expect(response.status).toBe(401);
+    expect(response.status).toBe(400);
     expect(runMutation).not.toHaveBeenCalled();
   });
 
-  test("returns app-level authorization error when app is missing", async () => {
-    const executeHandler = setupExecuteHandler(config, { serviceKey: "svc_key" });
-    const runMutation = vi.fn().mockResolvedValue({
-      authorized: false,
-      error: "App crm is not registered",
-      statusCode: 404,
+  test("returns 400 when service key header is missing", async () => {
+    const executeHandler = setupExecuteHandler(config, {
+      serviceKeys: { "railway-a": "svc_key_a" },
     });
+    const runMutation = vi.fn();
 
     const response = await executeHandler(
       { runMutation, runQuery: vi.fn(), runAction: vi.fn() },
@@ -127,7 +146,7 @@ describe("registerRoutes auth modes", () => {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
-          "X-Agent-Service-Key": "svc_key",
+          "X-Agent-Service-Id": "railway-a",
           "X-Agent-App": "crm",
         },
         body: JSON.stringify({
@@ -137,11 +156,140 @@ describe("registerRoutes auth modes", () => {
       }),
     );
 
-    expect(response.status).toBe(404);
-    expect(runMutation).toHaveBeenCalledWith("authorizeByAppKeyRef", {
-      appKey: "crm",
-      functionKey: "demo.list",
-      estimatedCost: undefined,
+    expect(response.status).toBe(400);
+    expect(runMutation).not.toHaveBeenCalled();
+  });
+
+  test("returns 400 when app header is missing", async () => {
+    const executeHandler = setupExecuteHandler(config, {
+      serviceKeys: { "railway-a": "svc_key_a" },
     });
+    const runMutation = vi.fn();
+
+    const response = await executeHandler(
+      { runMutation, runQuery: vi.fn(), runAction: vi.fn() },
+      new Request("https://example.com/agent/execute", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Agent-Service-Id": "railway-a",
+          "X-Agent-Service-Key": "svc_key_a",
+        },
+        body: JSON.stringify({
+          functionKey: "demo.list",
+          args: {},
+        }),
+      }),
+    );
+
+    expect(response.status).toBe(400);
+    expect(runMutation).not.toHaveBeenCalled();
+  });
+
+  test("returns 401 when service id is not configured", async () => {
+    const executeHandler = setupExecuteHandler(config, {
+      serviceKeys: { "railway-a": "svc_key_a" },
+    });
+    const runMutation = vi.fn();
+
+    const response = await executeHandler(
+      { runMutation, runQuery: vi.fn(), runAction: vi.fn() },
+      new Request("https://example.com/agent/execute", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Agent-Service-Id": "railway-b",
+          "X-Agent-Service-Key": "svc_key_b",
+          "X-Agent-App": "crm",
+        },
+        body: JSON.stringify({
+          functionKey: "demo.list",
+          args: {},
+        }),
+      }),
+    );
+
+    expect(response.status).toBe(401);
+    expect(runMutation).not.toHaveBeenCalled();
+  });
+
+  test("returns 401 when service key mismatches configured service id", async () => {
+    const executeHandler = setupExecuteHandler(config, {
+      serviceKeys: { "railway-a": "svc_key_a" },
+    });
+    const runMutation = vi.fn();
+
+    const response = await executeHandler(
+      { runMutation, runQuery: vi.fn(), runAction: vi.fn() },
+      new Request("https://example.com/agent/execute", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Agent-Service-Id": "railway-a",
+          "X-Agent-Service-Key": "wrong_key",
+          "X-Agent-App": "crm",
+        },
+        body: JSON.stringify({
+          functionKey: "demo.list",
+          args: {},
+        }),
+      }),
+    );
+
+    expect(response.status).toBe(401);
+    expect(runMutation).not.toHaveBeenCalled();
+  });
+
+  test("returns 500 when service key map is missing", async () => {
+    delete process.env.AGENT_BRIDGE_SERVICE_KEYS_JSON;
+    const executeHandler = setupExecuteHandler(config);
+    const runMutation = vi.fn();
+
+    const response = await executeHandler(
+      { runMutation, runQuery: vi.fn(), runAction: vi.fn() },
+      new Request("https://example.com/agent/execute", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Agent-Service-Id": "railway-a",
+          "X-Agent-Service-Key": "svc_key_a",
+          "X-Agent-App": "crm",
+        },
+        body: JSON.stringify({
+          functionKey: "demo.list",
+          args: {},
+        }),
+      }),
+    );
+
+    expect(response.status).toBe(500);
+    expect(runMutation).not.toHaveBeenCalled();
+  });
+
+  test("returns 500 when env service key map is invalid JSON", async () => {
+    process.env.AGENT_BRIDGE_SERVICE_KEYS_JSON = "not-json";
+    const executeHandler = setupExecuteHandler(config);
+    const runMutation = vi.fn();
+
+    const response = await executeHandler(
+      { runMutation, runQuery: vi.fn(), runAction: vi.fn() },
+      new Request("https://example.com/agent/execute", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Agent-Service-Id": "railway-a",
+          "X-Agent-Service-Key": "svc_key_a",
+          "X-Agent-App": "crm",
+        },
+        body: JSON.stringify({
+          functionKey: "demo.list",
+          args: {},
+        }),
+      }),
+    );
+
+    expect(response.status).toBe(500);
+    expect(runMutation).not.toHaveBeenCalled();
+    process.env.AGENT_BRIDGE_SERVICE_KEYS_JSON = originalEnv;
   });
 });

package/src/client/index.ts

@@ -136,8 +136,8 @@ type ExecuteRequestBody = {
 
 type RegisterRoutesOptions = {
   pathPrefix?: string;
-  serviceKey?: string;
-  serviceKeyEnvVar?: string;
+  serviceKeys?: Record<string, string>;
+  serviceKeysEnvVar?: string;
 };
 
 export function registerRoutes(
@@ -147,9 +147,10 @@ export function registerRoutes(
   options?: RegisterRoutesOptions,
 ) {
   const prefix = options?.pathPrefix ?? "/agent";
-  const expectedServiceKey =
-    options?.serviceKey ??
-    readRuntimeEnv(options?.serviceKeyEnvVar ?? "AGENT_BRIDGE_SERVICE_KEY");
+  const configuredServiceKeys = resolveConfiguredServiceKeys({
+    serviceKeys: options?.serviceKeys,
+    serviceKeysEnvVar: options?.serviceKeysEnvVar ?? "AGENT_BRIDGE_SERVICE_KEYS_JSON",
+  });
   const normalizedConfig = normalizeAgentBridgeConfig(bridgeConfig);
   const availableFunctionKeys = Object.keys(normalizedConfig.functions);
 
@@ -157,8 +158,6 @@ export function registerRoutes(
     path: `${prefix}/execute`,
     method: "POST",
     handler: httpActionGeneric(async (ctx, request) => {
-      const apiKey = request.headers.get("X-Agent-API-Key");
-
       let body: ExecuteRequestBody;
       try {
         body = await request.json();
@@ -185,22 +184,22 @@ export function registerRoutes(
         );
       }
 
-      const authResult = apiKey
-        ? await ctx.runMutation(component.gateway.authorizeRequest, {
-            apiKey,
-            functionKey,
-            estimatedCost: body.estimatedCost,
-          })
-        : await authorizeWithServiceHeaders({
-            request,
-            expectedServiceKey,
-            authorizeByAppKey: (appKey) =>
-              ctx.runMutation(component.gateway.authorizeByAppKey, {
-                appKey,
-                functionKey,
-                estimatedCost: body.estimatedCost,
-              }),
-          });
+      const headerValidation = validateStrictServiceHeaders({
+        request,
+        configuredServiceKeys,
+      });
+      if (!headerValidation.valid) {
+        return jsonResponse(
+          { success: false, error: headerValidation.error },
+          headerValidation.statusCode,
+        );
+      }
+
+      const authResult = await ctx.runMutation(component.gateway.authorizeByAppKey, {
+        appKey: headerValidation.appKey,
+        functionKey,
+        estimatedCost: body.estimatedCost,
+      });
 
       if (!authResult.authorized) {
         const response = jsonResponse(
@@ -239,6 +238,7 @@ export function registerRoutes(
 
         await ctx.runMutation(component.gateway.logAccess, {
           agentId: authResult.agentId as never,
+          serviceId: headerValidation.serviceId,
           functionKey,
           args,
           result,
@@ -255,6 +255,7 @@ export function registerRoutes(
 
         await ctx.runMutation(component.gateway.logAccess, {
           agentId: authResult.agentId as never,
+          serviceId: headerValidation.serviceId,
           functionKey,
           args: body.args ?? {},
           error: errorMessage,
@@ -346,54 +347,71 @@ function jsonResponse(data: unknown, status: number): Response {
   });
 }
 
-async function authorizeWithServiceHeaders(args: {
+function validateStrictServiceHeaders(args: {
   request: Request;
-  expectedServiceKey?: string;
-  authorizeByAppKey: (
-    appKey: string,
-  ) => Promise<
-    | { authorized: true; agentId: string }
-    | {
-        authorized: false;
-        error: string;
-        statusCode: number;
-        agentId?: string;
-        retryAfterSeconds?: number;
-      }
-  >;
-}) {
-  const providedServiceKey = args.request.headers.get("X-Agent-Service-Key");
-  const appKey = args.request.headers.get("X-Agent-App");
+  configuredServiceKeys:
+    | { ok: true; keysByServiceId: Record<string, string> }
+    | { ok: false; error: string };
+}):
+  | { valid: true; serviceId: string; appKey: string }
+  | { valid: false; error: string; statusCode: number } {
+  const serviceId = args.request.headers.get("X-Agent-Service-Id")?.trim();
+  const providedServiceKey = args.request.headers
+    .get("X-Agent-Service-Key")
+    ?.trim();
+  const appKey = args.request.headers.get("X-Agent-App")?.trim();
+
+  if (!serviceId) {
+    return {
+      valid: false,
+      error: "Missing required header: X-Agent-Service-Id",
+      statusCode: 400,
+    };
+  }
   if (!providedServiceKey) {
     return {
-      authorized: false as const,
-      error: "Missing authentication header: X-Agent-Service-Key",
-      statusCode: 401,
+      valid: false,
+      error: "Missing required header: X-Agent-Service-Key",
+      statusCode: 400,
     };
   }
   if (!appKey) {
     return {
-      authorized: false as const,
-      error: "Missing routing header: X-Agent-App",
+      valid: false,
+      error: "Missing required header: X-Agent-App",
       statusCode: 400,
     };
   }
-  if (!args.expectedServiceKey) {
+
+  if (!args.configuredServiceKeys.ok) {
     return {
-      authorized: false as const,
-      error:
-        "Bridge service key is not configured. Set AGENT_BRIDGE_SERVICE_KEY or pass registerRoutes({ serviceKey })",
+      valid: false,
+      error: args.configuredServiceKeys.error,
       statusCode: 500,
     };
   }
-  if (providedServiceKey !== args.expectedServiceKey) {
+
+  const expectedServiceKey = args.configuredServiceKeys.keysByServiceId[serviceId];
+  if (!expectedServiceKey) {
+    return {
+      valid: false,
+      error: `Unknown service id: ${serviceId}`,
+      statusCode: 401,
+    };
+  }
+  if (providedServiceKey !== expectedServiceKey) {
     return {
-      authorized: false as const,
+      valid: false,
       error: "Invalid service key",
       statusCode: 401,
     };
   }
-  return await args.authorizeByAppKey(appKey);
+
+  return {
+    valid: true,
+    serviceId,
+    appKey,
+  };
 }
 
 function readRuntimeEnv(name: string): string | undefined {
@@ -406,3 +424,73 @@ function readRuntimeEnv(name: string): string | undefined {
   const trimmed = value.trim();
   return trimmed.length > 0 ? trimmed : undefined;
 }
+
+function resolveConfiguredServiceKeys(args: {
+  serviceKeys?: Record<string, string>;
+  serviceKeysEnvVar: string;
+}):
+  | { ok: true; keysByServiceId: Record<string, string> }
+  | { ok: false; error: string } {
+  if (args.serviceKeys) {
+    return sanitizeServiceKeysMap(args.serviceKeys);
+  }
+
+  const json = readRuntimeEnv(args.serviceKeysEnvVar);
+  if (!json) {
+    return {
+      ok: false,
+      error: `Bridge service keys are not configured. Provide registerRoutes({ serviceKeys }) or set ${args.serviceKeysEnvVar}`,
+    };
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(json);
+  } catch {
+    return {
+      ok: false,
+      error: `Invalid JSON in ${args.serviceKeysEnvVar}`,
+    };
+  }
+
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    return {
+      ok: false,
+      error: `${args.serviceKeysEnvVar} must be a JSON object mapping serviceId to serviceKey`,
+    };
+  }
+
+  return sanitizeServiceKeysMap(parsed as Record<string, unknown>);
+}
+
+function sanitizeServiceKeysMap(
+  input: Record<string, unknown>,
+): { ok: true; keysByServiceId: Record<string, string> } | { ok: false; error: string } {
+  const keysByServiceId: Record<string, string> = {};
+  for (const [serviceIdRaw, serviceKeyRaw] of Object.entries(input)) {
+    if (typeof serviceKeyRaw !== "string") {
+      return {
+        ok: false,
+        error: `Invalid service key value for "${serviceIdRaw}"`,
+      };
+    }
+    const serviceId = serviceIdRaw.trim();
+    const serviceKey = serviceKeyRaw.trim();
+    if (!serviceId || !serviceKey) {
+      return {
+        ok: false,
+        error: "Service ids and service keys cannot be empty",
+      };
+    }
+    keysByServiceId[serviceId] = serviceKey;
+  }
+
+  if (Object.keys(keysByServiceId).length === 0) {
+    return {
+      ok: false,
+      error: "At least one service key must be configured",
+    };
+  }
+
+  return { ok: true, keysByServiceId };
+}