@slashfi/agents-sdk 0.75.0 → 0.76.0

package/src/adk.ts

@@ -54,12 +54,8 @@ function wantsHelp(): boolean {
 }
 
 const HELP_SECTIONS: Record<string, string> = {
-  proxy: `Proxy operations:
-  adk proxy add <url> --name <name> [--type mcp|registry] [--agent @config] [--default]
-  adk proxy remove <name>
-  adk proxy list`,
   registry: `Registry operations:
-  adk registry add <url> --name <name> [--auth-type bearer|api-key|none]
+  adk registry add <url> --name <name> [--auth-type bearer|api-key|none] [--proxy [--proxy-agent @config]]
   adk registry remove <name>
   adk registry list
   adk registry browse <name> [--query <q>]
@@ -98,19 +94,13 @@ adk — Agent Development Kit
 Usage:
   adk init [--target <agent>:<path>]  Setup + install skills for coding agents
   adk sync [--ref <name>]             Materialize tool docs for all refs in config
-  adk proxy <op> [options]           Manage remote adk proxies
   adk registry <op> [options]        Manage registry connections
   adk ref <op> [options]             Manage agent refs
   adk config-path                    Print config directory path
   adk error [id]                     View recent errors or a specific error
 
-Proxy operations:
-  adk proxy add <url> --name <name> [--type mcp|registry] [--agent @config] [--default]
-  adk proxy remove <name>
-  adk proxy list
-
 Registry operations:
-  adk registry add <url> --name <name> [--auth-type bearer|api-key|none]
+  adk registry add <url> --name <name> [--auth-type bearer|api-key|none] [--proxy [--proxy-agent @config]]
   adk registry remove <name>
   adk registry list
   adk registry browse <name> [--query <q>]
@@ -157,52 +147,6 @@ Examples:
 // Commands
 // ============================================
 
-async function runProxy() {
-  if (wantsHelp()) { console.log(HELP_SECTIONS.proxy); process.exit(0); }
-  const op = args[1];
-  const adk = getAdk();
-
-  switch (op) {
-    case "add": {
-      const url = args[2];
-      const name = getArg("--name");
-      if (!url || !name) { console.error("Usage: adk proxy add <url> --name <name> [--type mcp|registry] [--agent @config] [--default]"); process.exit(1); }
-      const type = (getArg("--type") ?? (url.startsWith("http") ? "mcp" : "registry")) as "mcp" | "registry";
-      const agent = getArg("--agent");
-      const isDefault = hasFlag("--default");
-      await adk.proxy.add({ name, url, type, ...(agent && { agent }), ...(isDefault && { default: true }) });
-      console.log(`Added proxy: ${name} → ${url}${isDefault ? " (default)" : ""}`);
-      break;
-    }
-    case "remove": {
-      const name = args[2];
-      if (!name) { console.error("Usage: adk proxy remove <name>"); process.exit(1); }
-      const removed = await adk.proxy.remove(name);
-      console.log(removed ? `Removed: ${name}` : `Not found: ${name}`);
-      break;
-    }
-    case "list": {
-      const proxies = await adk.proxy.list();
-      if (proxies.length === 0) {
-        console.log("No proxies configured.");
-        break;
-      }
-      console.log(`\n${proxies.length} proxy(s)\n`);
-      for (const p of proxies) {
-        const def = p.default ? " (default)" : "";
-        console.log(`  ${p.name}${def}`);
-        console.log(`    ${p.url} [${p.type}${p.agent ? ` → ${p.agent}` : ""}]`);
-        console.log();
-      }
-      break;
-    }
-    default:
-      console.error(`Unknown proxy operation: ${op}`);
-      console.error("Operations: add, remove, list");
-      process.exit(1);
-  }
-}
-
 // ============================================
 // Registry CLI
 // ============================================
@@ -224,8 +168,40 @@ async function runRegistry() {
       const auth = authType && authType !== "none"
         ? { type: authType as "bearer" | "api-key" }
         : undefined;
-      await adk.registry.add({ url, name: name ?? new URL(url).hostname, ...(auth && { auth }) });
-      console.log(`Added registry: ${name ?? url}`);
+      // Proxy modifier: when set, ref ops for agents sourced from this
+      // registry are forwarded to a server-side adk-tools agent instead of
+      // running locally. Use for cloud-hosted registries that own OAuth
+      // client creds / user tokens (e.g. Twin).
+      //
+      // If the registry advertises `capabilities.registry.proxy` in its
+      // MCP initialize response, `adk.registry.add` auto-populates this
+      // field during probe — these flags are only for explicit opt-in or
+      // override.
+      const wantProxy = hasFlag("--proxy") || hasFlag("--proxy-required");
+      const proxyOptional = hasFlag("--proxy-optional");
+      const proxyAgent = getArg("--proxy-agent") ?? undefined;
+      const proxy = wantProxy || proxyOptional
+        ? {
+            mode: (proxyOptional ? "optional" : "required") as "required" | "optional",
+            ...(proxyAgent && { agent: proxyAgent }),
+          }
+        : undefined;
+      const displayName = name ?? new URL(url).hostname;
+      await adk.registry.add({
+        url,
+        name: displayName,
+        ...(auth && { auth }),
+        ...(proxy && { proxy }),
+      });
+      // Discovery on the add path may have auto-populated proxy; read back.
+      const stored = (await adk.registry.list()).find(
+        (r) => r.name === displayName || r.url === url,
+      );
+      const effectiveProxy = stored?.proxy ?? proxy;
+      const source = !proxy && stored?.proxy ? " (auto-detected)" : "";
+      console.log(
+        `Added registry: ${displayName}${effectiveProxy ? ` (proxy: ${effectiveProxy.mode} → ${effectiveProxy.agent ?? "@config"}${source})` : ""}`,
+      );
       break;
     }
     case "remove": {
@@ -246,6 +222,7 @@ async function runRegistry() {
         console.log(`  ${r.name ?? r.url}`);
         console.log(`    ${r.url}`);
         if (r.auth) console.log(`    auth: ${r.auth.type}`);
+        if (r.proxy) console.log(`    proxy: ${r.proxy.mode} → ${r.proxy.agent ?? "@config"}`);
         console.log();
       }
       break;
@@ -555,9 +532,6 @@ switch (command) {
     }
     break;
   }
-  case "proxy":
-    await runProxy();
-    break;
   case "registry":
     await runRegistry();
     break;

package/src/config-store.test.ts

@@ -1,8 +1,9 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import {
+  createAdk,
+  createAdkTools,
   createAgentRegistry,
   createAgentServer,
-  createAdk,
   defineAgent,
   defineTool,
 } from "./index";
@@ -458,3 +459,170 @@ describe("ADK ref.call() full auto-refresh flow", () => {
     expect((result as any)?.result?.token).toBe("refreshed-token");
   });
 });
+
+// ─── ADK Config Store: registry proxy routing ───────────────────
+
+describe("ADK registry proxy routing", () => {
+  let proxyServer: AgentServer;
+  let proxyServerAdk: ReturnType<typeof createAdk>;
+  const PROXY_PORT = 19930;
+
+  beforeAll(async () => {
+    // Real server-side adk that the proxy agent operates on. When the
+    // local adk forwards ref ops, they land on this backing store via
+    // the real @config `ref` tool produced by createAdkTools — no mocks.
+    const proxyServerFs = createMemoryFs();
+    proxyServerAdk = createAdk(proxyServerFs);
+    await proxyServerAdk.writeConfig({
+      refs: [
+        {
+          ref: "@gmail",
+          scheme: "mcp",
+          url: "https://gmail.example.com/mcp",
+        },
+      ],
+    });
+
+    // Expose that adk via the same tool surface production uses.
+    const adkTools = createAdkTools({ resolveScope: () => proxyServerAdk });
+    const configAgent = defineAgent({
+      path: "@config",
+      entrypoint: "@config agent for proxy routing tests",
+      tools: adkTools,
+      visibility: "public",
+    });
+
+    const proxyRegistry = createAgentRegistry();
+    proxyRegistry.register(configAgent);
+    proxyServer = createAgentServer(proxyRegistry, {
+      port: PROXY_PORT,
+      // Advertise proxy mode in the MCP initialize response so the
+      // "registry.add auto-detects proxy" test can verify discovery.
+      registry: { version: "1.0", proxy: { mode: "required" } },
+    });
+    await proxyServer.start();
+  });
+
+  afterAll(async () => {
+    await proxyServer.stop();
+  });
+
+  /**
+   * Seed the local consumer config with a ref sourced from the proxy
+   * registry. We bypass ref.add's reachability check because we're
+   * specifically testing how proxying routes around local state.
+   */
+  async function seedLocalRefFromProxy(fs: FsStore, refName: string) {
+    const raw = (await fs.readFile("consumer-config.json")) ?? "{}";
+    const config = JSON.parse(raw);
+    config.refs = [
+      {
+        ref: refName,
+        scheme: "registry",
+        sourceRegistry: {
+          url: `http://localhost:${PROXY_PORT}`,
+          agentPath: refName,
+        },
+      },
+    ];
+    await fs.writeFile("consumer-config.json", JSON.stringify(config));
+  }
+
+  test("ref.authStatus forwards to the real @config on the proxy registry", async () => {
+    const fs = createMemoryFs();
+    const adk = createAdk(fs);
+
+    await adk.registry.add({
+      url: `http://localhost:${PROXY_PORT}`,
+      name: "cloud",
+      proxy: { mode: "required" },
+    });
+    await seedLocalRefFromProxy(fs, "@gmail");
+
+    // The proxy-side adk owns the @gmail ref (no security declared in
+    // its config above) so authStatus should report { complete: true }
+    // with security: null.
+    const status = await adk.ref.authStatus("@gmail");
+    expect(status).toBeDefined();
+    // The remote @config returned something — local adk never saw the ref,
+    // so this would throw "Ref not found" if proxying wasn't wired.
+    expect((status as { name?: string }).name ?? "@gmail").toBe("@gmail");
+  });
+
+  test("ref.auth forwards and returns the remote auth start result", async () => {
+    const fs = createMemoryFs();
+    const adk = createAdk(fs);
+
+    await adk.registry.add({
+      url: `http://localhost:${PROXY_PORT}`,
+      name: "cloud",
+      proxy: { mode: "required" },
+    });
+    await seedLocalRefFromProxy(fs, "@gmail");
+
+    // @gmail on the proxy side has no security schema, so the real
+    // @config.ref tool returns { type: 'none', complete: true }. The
+    // assertion here is that we got *something* back from the remote,
+    // proving the call made a round trip instead of throwing locally.
+    const result = await adk.ref.auth("@gmail");
+    expect(result).toBeDefined();
+    expect((result as { type?: string }).type).toBeDefined();
+  });
+
+  test("registry.add auto-detects proxy from the server's handshake", async () => {
+    const fs = createMemoryFs();
+    const adk = createAdk(fs);
+
+    // Caller passes NO proxy config. The server advertises
+    // `capabilities.registry.proxy: { mode: 'required' }` in its MCP
+    // initialize response (see beforeAll), so registry.add should
+    // auto-populate the RegistryEntry at probe time.
+    await adk.registry.add({
+      url: `http://localhost:${PROXY_PORT}`,
+      name: "cloud-autodetect",
+    });
+
+    const list = await adk.registry.list();
+    const entry = list.find((r) => r.name === "cloud-autodetect");
+    expect(entry?.proxy?.mode).toBe("required");
+  });
+
+  test("explicit proxy on registry.add is not overwritten by auto-detection", async () => {
+    const fs = createMemoryFs();
+    const adk = createAdk(fs);
+
+    // Server advertises required; caller explicitly sets optional. The
+    // caller's choice wins — discovery only fills in blanks.
+    await adk.registry.add({
+      url: `http://localhost:${PROXY_PORT}`,
+      name: "cloud-explicit",
+      proxy: { mode: "optional", agent: "@custom" },
+    });
+
+    const entry = (await adk.registry.list()).find((r) => r.name === "cloud-explicit");
+    expect(entry?.proxy?.mode).toBe("optional");
+    expect(entry?.proxy?.agent).toBe("@custom");
+  });
+
+  test("optional proxy honors preferLocal and skips forwarding", async () => {
+    const fs = createMemoryFs();
+    const adk = createAdk(fs);
+
+    await adk.registry.add({
+      url: `http://localhost:${PROXY_PORT}`,
+      name: "cloud",
+      proxy: { mode: "optional" },
+    });
+    await seedLocalRefFromProxy(fs, "@gmail");
+
+    // With preferLocal:true we should fall through to the local path.
+    // The local adk has no usable config for @gmail, so this path
+    // throws or returns an empty status — either way, we prove we
+    // stayed local by catching and confirming no exception bubbled
+    // with "authorizeUrl" (which only the proxy path returns).
+    const result = await adk.ref
+      .auth("@gmail", { preferLocal: true })
+      .catch((err: Error) => ({ _error: err.message }));
+    expect((result as { authorizeUrl?: string }).authorizeUrl).toBeUndefined();
+  });
+});

package/src/config-store.ts

@@ -20,7 +20,6 @@
 import type { FsStore } from "./agent-definitions/config.js";
 import type {
   ConsumerConfig,
-  ProxyEntry,
   RefEntry,
   RegistryEntry,
   ResolvedRef,
@@ -242,6 +241,12 @@ export interface AdkRefApi {
     stateContext?: Record<string, unknown>;
     /** Additional scopes to request (e.g., optional scopes declared by the agent) */
     scopes?: string[];
+    /**
+     * Opt out of proxy routing when the ref's source registry has
+     * `proxy: { mode: 'optional' }`. Ignored for `mode: 'required'`.
+     * Defaults to `false` — if a registry offers a proxy we use it.
+     */
+    preferLocal?: boolean;
   }): Promise<AuthStartResult>;
   /**
    * Run the full OAuth flow locally: start auth, spin up a callback
@@ -265,14 +270,7 @@ export interface AdkRefApi {
   refreshToken(name: string): Promise<{ accessToken: string } | null>;
 }
 
-export interface AdkProxyApi {
-  add(entry: ProxyEntry): Promise<void>;
-  remove(name: string): Promise<boolean>;
-  list(): Promise<ProxyEntry[]>;
-}
-
 export interface Adk {
-  proxy: AdkProxyApi;
   registry: AdkRegistryApi;
   ref: AdkRefApi;
   readConfig(): Promise<ConsumerConfig>;
@@ -724,6 +722,82 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     return fallback;
   }
 
+  // ==========================================
+  // Proxy Routing
+  // ==========================================
+
+  /**
+   * Find the configured RegistryEntry for a ref, consulting `sourceRegistry`
+   * first and falling back to the first registry in config. Returns `null` when
+   * the ref is sourced from a raw URL (no registry), in which case proxy routing
+   * does not apply.
+   */
+  async function findRegistryEntryForRef(entry: RefEntry): Promise<RegistryEntry | null> {
+    const sourceUrl = entry.sourceRegistry?.url;
+    if (!sourceUrl) return null;
+    const config = await readConfig();
+    const match = (config.registries ?? []).find((r) => {
+      if (typeof r === "string") return r === sourceUrl;
+      return r.url === sourceUrl;
+    });
+    if (!match || typeof match === "string") return null;
+    return match;
+  }
+
+  /**
+   * Returns the proxy settings for a ref when its source registry has
+   * `proxy` configured. `null` means "run locally".
+   *
+   * Callers pass `{ preferLocal: true }` to opt out of `mode: 'optional'`
+   * proxying when they already hold credentials locally. `mode: 'required'`
+   * cannot be bypassed — the registry owns auth server-side and there is
+   * nothing useful the local SDK can do.
+   */
+  async function resolveProxyForRef(
+    entry: RefEntry,
+    opts?: { preferLocal?: boolean },
+  ): Promise<{ reg: RegistryEntry; agent: string } | null> {
+    const reg = await findRegistryEntryForRef(entry);
+    if (!reg?.proxy) return null;
+    if (reg.proxy.mode === "optional" && opts?.preferLocal) return null;
+    return { reg, agent: reg.proxy.agent ?? "@config" };
+  }
+
+  /**
+   * Forward an `@config ref` operation to the proxy agent on a remote registry.
+   *
+   * The remote side speaks the standard adk-tools surface, so the call shape is
+   * identical to what the local `ref` API would do — the only difference is
+   * that tokens and secrets live server-side. `callRegistry` returns the
+   * standard CallAgentResponse envelope: `{ success: true, result }` on
+   * success or `{ success: false, error }` on failure. We unwrap once and
+   * throw on error so callers get a result that matches the local signature.
+   */
+  async function forwardRefOpToProxy<T>(
+    reg: RegistryEntry,
+    agent: string,
+    operation: string,
+    params: Record<string, unknown>,
+  ): Promise<T> {
+    const consumer = await buildConsumerForRef({ ref: "", sourceRegistry: { url: reg.url, agentPath: agent } } as RefEntry);
+    const resolved = consumer.registries().find((r) => r.url === reg.url);
+    if (!resolved) throw new Error(`Registry ${reg.url} not resolvable for proxy forwarding`);
+
+    const response = await consumer.callRegistry(resolved, {
+      action: "execute_tool",
+      path: agent,
+      tool: "ref",
+      params: { operation, ...params },
+    });
+
+    if (!response.success) {
+      const errResponse = response as { success: false; error?: string; code?: string };
+      const msg = errResponse.error ?? `Proxy ${agent}.ref(${operation}) failed`;
+      throw new Error(msg);
+    }
+    return (response as { success: true; result: unknown }).result as T;
+  }
+
   // ==========================================
   // Registry API
   // ==========================================
@@ -735,7 +809,37 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
       const registries = (config.registries ?? []).filter(
         (r) => registryDisplayName(r) !== alias,
       );
-      registries.push(entry);
+
+      // Probe the registry's MCP initialize response so we can auto-populate
+      // `proxy` when the server advertises it. Users who pass an explicit
+      // `proxy` on the entry always win — discovery only fills in blanks.
+      let final: RegistryEntry = entry;
+      if (!entry.proxy) {
+        try {
+          const probeConsumer = await createRegistryConsumer(
+            { registries: [entry], refs: [] },
+            { token: options.token, fetch: options.fetch },
+          );
+          const resolved = probeConsumer.registries()[0];
+          if (resolved) {
+            const discovered = await probeConsumer.discover(resolved.url);
+            if (discovered.proxy?.mode) {
+              final = {
+                ...entry,
+                proxy: {
+                  mode: discovered.proxy.mode,
+                  ...(discovered.proxy.agent && { agent: discovered.proxy.agent }),
+                },
+              };
+            }
+          }
+        } catch {
+          // Discovery is best-effort — offline, unreachable, or non-adk
+          // registries simply skip proxy auto-configuration.
+        }
+      }
+
+      registries.push(final);
       await writeConfig({ ...config, registries });
     },
 
@@ -778,6 +882,7 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         if (updates.name) existing.name = updates.name;
         if (updates.auth) existing.auth = updates.auth;
         if (updates.headers) existing.headers = { ...existing.headers, ...updates.headers };
+        if (updates.proxy !== undefined) existing.proxy = updates.proxy;
         return existing;
       });
       if (!found) return false;
@@ -1103,6 +1208,13 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
       const entry = findRef(config.refs ?? [], name);
       if (!entry) throw new Error(`Ref "${name}" not found`);
 
+      // Registry-proxied refs: ask the remote @config for state (secrets live
+      // server-side so local inspection would always return "missing").
+      const proxy = await resolveProxyForRef(entry);
+      if (proxy) {
+        return forwardRefOpToProxy<RefAuthStatus>(proxy.reg, proxy.agent, "auth-status", { name });
+      }
+
       let security: SecuritySchemeSummary | null = null;
       try {
         const consumer = await buildConsumerForRef(entry);
@@ -1229,11 +1341,30 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
       stateContext?: Record<string, unknown>;
       /** Additional scopes to request (e.g., optional scopes declared by the agent) */
       scopes?: string[];
+      /**
+       * Opt out of proxy routing when the ref's source registry has
+       * `proxy: { mode: 'optional' }`. Ignored for `mode: 'required'`.
+       */
+      preferLocal?: boolean;
     }): Promise<AuthStartResult> {
       const config = await readConfig();
       const entry = findRef(config.refs ?? [], name);
       if (!entry) throw new Error(`Ref "${name}" not found`);
 
+      // Registry-proxied auth: forward the start-of-flow to the remote @config
+      // agent. The registry owns the client_id/secret and returns an authorize
+      // URL pointing at the registry's OAuth callback domain, so the user
+      // completes the flow against the registry instead of localhost.
+      const proxy = await resolveProxyForRef(entry, { preferLocal: opts?.preferLocal });
+      if (proxy) {
+        const params: Record<string, unknown> = { name };
+        if (opts?.apiKey !== undefined) params.apiKey = opts.apiKey;
+        if (opts?.credentials) params.credentials = opts.credentials;
+        if (opts?.scopes) params.scopes = opts.scopes;
+        if (opts?.stateContext) params.stateContext = opts.stateContext;
+        return forwardRefOpToProxy<AuthStartResult>(proxy.reg, proxy.agent, "auth", params);
+      }
+
       const status = await ref.authStatus(name);
       const security = status.security;
       const resolve = options.resolveCredentials;
@@ -1488,16 +1619,34 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
       onAuthorizeUrl?: (url: string) => void;
       timeoutMs?: number;
     }): Promise<{ complete: boolean }> {
+      // `ref.auth` is already proxy-aware — for proxied refs it returns
+      // the authorizeUrl that the registry minted against its own
+      // callback domain. Everything below is identical for local and
+      // proxied refs except the last step (polling for the callback),
+      // which only makes sense when we own the redirect URI.
       const result = await ref.auth(name);
-
       if (result.complete) return { complete: true };
 
+      const config = await readConfig();
+      const entry = findRef(config.refs ?? [], name);
+      const proxy = entry ? await resolveProxyForRef(entry) : null;
+
       const port = options.oauthCallbackPort ?? 8919;
       const timeout = opts?.timeoutMs ?? 300_000;
       const { createServer } = await import("node:http");
 
-      // API key / HTTP auth — serve a local credential form
+      // API key / HTTP auth — local credential form.
+      //
+      // We refuse to serve the form for a proxied ref: the registry
+      // owns the credential store, so the user needs to submit via
+      // whatever UI the registry exposes. Supporting this through the
+      // proxy would need a remote form endpoint — out of scope here.
       if (result.fields && result.fields.length > 0 && result.type !== "oauth2") {
+        if (proxy) {
+          throw new Error(
+            `Ref "${name}" is sourced from a proxied registry; submit credentials through ${proxy.agent} instead of a local form.`,
+          );
+        }
         return new Promise<{ complete: boolean }>((resolve, reject) => {
           const server = createServer(async (req, res) => {
             const reqUrl = new URL(req.url ?? "/", `http://localhost:${port}`);
@@ -1564,15 +1713,21 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         });
       }
 
-      // OAuth2 — open authorize URL and wait for callback
+      // OAuth2 — hand the authorize URL to the caller.
       if (result.type !== "oauth2" || !result.authorizeUrl) {
         throw new Error(`authLocal cannot handle auth type: ${result.type}`);
       }
-
       if (opts?.onAuthorizeUrl) {
         opts.onAuthorizeUrl(result.authorizeUrl);
       }
 
+      // Proxied refs: the registry owns the callback endpoint, so there's
+      // nothing to poll here. Callers poll `ref.authStatus` on their own
+      // schedule once the user finishes the remote consent screen.
+      if (proxy) return { complete: false };
+
+      // Local refs: spin up the callback server on oauthCallbackPort and
+      // block until the OAuth provider redirects back.
       return new Promise<{ complete: boolean }>((resolve, reject) => {
         const server = createServer(async (req, res) => {
           const reqUrl = new URL(req.url ?? "/", `http://localhost:${port}`);
@@ -1614,6 +1769,20 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     },
 
     async refreshToken(name: string): Promise<{ accessToken: string } | null> {
+      // Registry-proxied refs: the remote @config holds the refresh_token.
+      const entryForProxy = await ref.get(name);
+      if (entryForProxy) {
+        const proxy = await resolveProxyForRef(entryForProxy);
+        if (proxy) {
+          return forwardRefOpToProxy<{ accessToken: string } | null>(
+            proxy.reg,
+            proxy.agent,
+            "refresh-token",
+            { name },
+          );
+        }
+      }
+
       // Read stored refresh_token
       const refreshToken = await readRefSecret(name, "refresh_token");
       if (!refreshToken) return null;
@@ -1697,33 +1866,5 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     return { refName: pending.refName, complete: true, stateContext };
   }
 
-  // ==========================================
-  // Proxy API
-  // ==========================================
-
-  const proxy: AdkProxyApi = {
-    async add(entry: ProxyEntry): Promise<void> {
-      const config = await readConfig();
-      const proxies = (config.proxies ?? []).filter((p) => p.name !== entry.name);
-      proxies.push(entry);
-      await writeConfig({ ...config, proxies });
-    },
-
-    async remove(name: string): Promise<boolean> {
-      const config = await readConfig();
-      if (!config.proxies?.length) return false;
-      const before = config.proxies.length;
-      const proxies = config.proxies.filter((p) => p.name !== name);
-      if (proxies.length === before) return false;
-      await writeConfig({ ...config, proxies });
-      return true;
-    },
-
-    async list(): Promise<ProxyEntry[]> {
-      const config = await readConfig();
-      return config.proxies ?? [];
-    },
-  };
-
-  return { proxy, registry, ref, readConfig, writeConfig, handleCallback };
+  return { registry, ref, readConfig, writeConfig, handleCallback };
 }