@slashfi/agents-sdk 0.81.0 → 0.83.0

package/src/config-store.test.ts

@@ -488,175 +488,6 @@ describe("ADK ref.call() full auto-refresh flow", () => {
   });
 });
 
-// ─── ADK Config Store: registry proxy routing ───────────────────
-
-describe("ADK registry proxy routing", () => {
-  let proxyServer: AgentServer;
-  let proxyServerAdk: ReturnType<typeof createAdk>;
-  const PROXY_PORT = 19930;
-
-  beforeAll(async () => {
-    // Real server-side adk that the proxy agent operates on. When the
-    // local adk forwards ref ops, they land on this backing store via
-    // the real @config `ref` tool produced by createAdkTools — no mocks.
-    const proxyServerFs = createMemoryFs();
-    proxyServerAdk = createAdk(proxyServerFs);
-    await proxyServerAdk.writeConfig({
-      refs: [
-        {
-          ref: "@gmail",
-          scheme: "mcp",
-          url: "https://gmail.example.com/mcp",
-        },
-      ],
-    });
-
-    // Expose that adk via the same tool surface production uses.
-    const adkTools = createAdkTools({ resolveScope: () => proxyServerAdk });
-    const configAgent = defineAgent({
-      path: "@config",
-      entrypoint: "@config agent for proxy routing tests",
-      tools: adkTools,
-      visibility: "public",
-    });
-
-    const proxyRegistry = createAgentRegistry();
-    proxyRegistry.register(configAgent);
-    proxyServer = createAgentServer(proxyRegistry, {
-      port: PROXY_PORT,
-      // Advertise proxy mode in the MCP initialize response so the
-      // "registry.add auto-detects proxy" test can verify discovery.
-      registry: { version: "1.0", proxy: { mode: "required" } },
-    });
-    await proxyServer.start();
-  });
-
-  afterAll(async () => {
-    await proxyServer.stop();
-  });
-
-  /**
-   * Seed the local consumer config with a ref sourced from the proxy
-   * registry. We bypass ref.add's reachability check because we're
-   * specifically testing how proxying routes around local state.
-   */
-  async function seedLocalRefFromProxy(fs: FsStore, refName: string) {
-    const raw = (await fs.readFile("consumer-config.json")) ?? "{}";
-    const config = JSON.parse(raw);
-    config.refs = [
-      {
-        ref: refName,
-        scheme: "registry",
-        sourceRegistry: {
-          url: `http://localhost:${PROXY_PORT}`,
-          agentPath: refName,
-        },
-      },
-    ];
-    await fs.writeFile("consumer-config.json", JSON.stringify(config));
-  }
-
-  test("ref.authStatus forwards to the real @config on the proxy registry", async () => {
-    const fs = createMemoryFs();
-    const adk = createAdk(fs);
-
-    await adk.registry.add({
-      url: `http://localhost:${PROXY_PORT}`,
-      name: "cloud",
-      proxy: { mode: "required" },
-    });
-    await seedLocalRefFromProxy(fs, "@gmail");
-
-    // The proxy-side adk owns the @gmail ref (no security declared in
-    // its config above) so authStatus should report { complete: true }
-    // with security: null.
-    const status = await adk.ref.authStatus("@gmail");
-    expect(status).toBeDefined();
-    // The remote @config returned something — local adk never saw the ref,
-    // so this would throw "Ref not found" if proxying wasn't wired.
-    expect((status as { name?: string }).name ?? "@gmail").toBe("@gmail");
-  });
-
-  test("ref.auth forwards and returns the remote auth start result", async () => {
-    const fs = createMemoryFs();
-    const adk = createAdk(fs);
-
-    await adk.registry.add({
-      url: `http://localhost:${PROXY_PORT}`,
-      name: "cloud",
-      proxy: { mode: "required" },
-    });
-    await seedLocalRefFromProxy(fs, "@gmail");
-
-    // @gmail on the proxy side has no security schema, so the real
-    // @config.ref tool returns { type: 'none', complete: true }. The
-    // assertion here is that we got *something* back from the remote,
-    // proving the call made a round trip instead of throwing locally.
-    const result = await adk.ref.auth("@gmail");
-    expect(result).toBeDefined();
-    expect((result as { type?: string }).type).toBeDefined();
-  });
-
-  test("registry.add auto-detects proxy from the server's handshake", async () => {
-    const fs = createMemoryFs();
-    const adk = createAdk(fs);
-
-    // Caller passes NO proxy config. The server advertises
-    // `capabilities.registry.proxy: { mode: 'required' }` in its MCP
-    // initialize response (see beforeAll), so registry.add should
-    // auto-populate the RegistryEntry at probe time.
-    await adk.registry.add({
-      url: `http://localhost:${PROXY_PORT}`,
-      name: "cloud-autodetect",
-    });
-
-    const list = await adk.registry.list();
-    const entry = list.find((r) => r.name === "cloud-autodetect");
-    expect(entry?.proxy?.mode).toBe("required");
-  });
-
-  test("explicit proxy on registry.add is not overwritten by auto-detection", async () => {
-    const fs = createMemoryFs();
-    const adk = createAdk(fs);
-
-    // Server advertises required; caller explicitly sets optional. The
-    // caller's choice wins — discovery only fills in blanks.
-    await adk.registry.add({
-      url: `http://localhost:${PROXY_PORT}`,
-      name: "cloud-explicit",
-      proxy: { mode: "optional", agent: "@custom" },
-    });
-
-    const entry = (await adk.registry.list()).find(
-      (r) => r.name === "cloud-explicit",
-    );
-    expect(entry?.proxy?.mode).toBe("optional");
-    expect(entry?.proxy?.agent).toBe("@custom");
-  });
-
-  test("optional proxy honors preferLocal and skips forwarding", async () => {
-    const fs = createMemoryFs();
-    const adk = createAdk(fs);
-
-    await adk.registry.add({
-      url: `http://localhost:${PROXY_PORT}`,
-      name: "cloud",
-      proxy: { mode: "optional" },
-    });
-    await seedLocalRefFromProxy(fs, "@gmail");
-
-    // With preferLocal:true we should fall through to the local path.
-    // The local adk has no usable config for @gmail, so this path
-    // throws or returns an empty status — either way, we prove we
-    // stayed local by catching and confirming no exception bubbled
-    // with "authorizeUrl" (which only the proxy path returns).
-    const result = await adk.ref
-      .auth("@gmail", { preferLocal: true })
-      .catch((err: Error) => ({ _error: err.message }));
-    expect((result as { authorizeUrl?: string }).authorizeUrl).toBeUndefined();
-  });
-});
-
 // ─── Registry auth lifecycle ─────────────────────────────────────
 
 describe("ADK registry auth lifecycle", () => {
@@ -1190,22 +1021,6 @@ describe("isRefAuthComplete + cached authFields", () => {
     expect(result).toBeNull();
   });
 
-  test("proxy mode short-circuits to true regardless of cache", async () => {
-    const { isRefAuthComplete } = await import("./config-store");
-    const result = isRefAuthComplete(
-      {
-        ref: "slash",
-        name: "slash",
-        scheme: "registry",
-        // proxy mode set by ref.add when registry inspection includes it.
-        // biome-ignore lint/suspicious/noExplicitAny: mode isn't on the public type
-        mode: "proxy",
-      } as any,
-      undefined,
-    );
-    expect(result).toBe(true);
-  });
-
   test("required field present → true", async () => {
     const { isRefAuthComplete } = await import("./config-store");
     const result = isRefAuthComplete(

package/src/config-store.ts

@@ -103,12 +103,6 @@ export interface RegistryCacheEntry {
    * entry's `config` — no network round-trip needed. Absent when the
    * scheme couldn't be fetched (e.g. registry was offline at add
    * time); fall back to whatever heuristic the caller chooses.
-   *
-   * Note on proxy refs: when the entry is in `proxy` mode the
-   * security scheme is exposed by the *proxy*, and the answer to
-   * "is this callable?" lives server-side — `authFields` is omitted
-   * locally and hosts should treat proxy refs as authoritative
-   * regardless of entry-side fields.
    */
   authFields?: Record<string, RegistryCacheAuthField>;
   /** ISO timestamp of the most recent registry round-trip that wrote this. */
@@ -151,8 +145,6 @@ export interface RefAuthCompleteOptions {
  * we evaluate satisfaction against the entry's current `config`.
  *
  * Behavior:
- *   - `mode: 'proxy'` refs → always true. Auth lives server-side; the
- *     proxy is the source of truth, no entry-side fields involved.
  *   - Cache miss (no `authFields` for this ref yet) → returns `null`,
  *     signaling "I don't know — caller should fall back to its own
  *     heuristic or call `auth-status` to populate the cache".
@@ -173,7 +165,6 @@ export function isRefAuthComplete(
   opts?: RefAuthCompleteOptions,
 ): boolean | null {
   if (typeof entry === "string") return false;
-  if ((entry as { mode?: unknown }).mode === "proxy") return true;
   const authFields = cacheEntry?.authFields;
   if (!authFields) return null;
   const config = entry.config ?? {};
@@ -432,12 +423,6 @@ export interface AdkRefApi {
       stateContext?: Record<string, unknown>;
       /** Additional scopes to request (e.g., optional scopes declared by the agent) */
       scopes?: string[];
-      /**
-       * Opt out of proxy routing when the ref's source registry has
-       * `proxy: { mode: 'optional' }`. Ignored for `mode: 'required'`.
-       * Defaults to `false` — if a registry offers a proxy we use it.
-       */
-      preferLocal?: boolean;
     },
   ): Promise<AuthStartResult>;
   /**
@@ -1188,96 +1173,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     return fallback;
   }
 
-  // ==========================================
-  // Proxy Routing
-  // ==========================================
-
-  /**
-   * Find the configured RegistryEntry for a ref, consulting `sourceRegistry`
-   * first and falling back to the first registry in config. Returns `null` when
-   * the ref is sourced from a raw URL (no registry), in which case proxy routing
-   * does not apply.
-   */
-  async function findRegistryEntryForRef(
-    entry: RefEntry,
-  ): Promise<RegistryEntry | null> {
-    const sourceUrl = entry.sourceRegistry?.url;
-    if (!sourceUrl) return null;
-    const config = await readConfig();
-    const match = (config.registries ?? []).find((r) => {
-      if (typeof r === "string") return r === sourceUrl;
-      return r.url === sourceUrl;
-    });
-    if (!match || typeof match === "string") return null;
-    return match;
-  }
-
-  /**
-   * Returns the proxy settings for a ref when its source registry has
-   * `proxy` configured. `null` means "run locally".
-   *
-   * Callers pass `{ preferLocal: true }` to opt out of `mode: 'optional'`
-   * proxying when they already hold credentials locally. `mode: 'required'`
-   * cannot be bypassed — the registry owns auth server-side and there is
-   * nothing useful the local SDK can do.
-   */
-  async function resolveProxyForRef(
-    entry: RefEntry,
-    opts?: { preferLocal?: boolean },
-  ): Promise<{ reg: RegistryEntry; agent: string } | null> {
-    const reg = await findRegistryEntryForRef(entry);
-    if (!reg?.proxy) return null;
-    if (reg.proxy.mode === "optional" && opts?.preferLocal) return null;
-    return { reg, agent: reg.proxy.agent ?? "@config" };
-  }
-
-  /**
-   * Forward an `@config ref` operation to the proxy agent on a remote registry.
-   *
-   * The remote side speaks the standard adk-tools surface, so the call shape is
-   * identical to what the local `ref` API would do — the only difference is
-   * that tokens and secrets live server-side. `callRegistry` returns the
-   * standard CallAgentResponse envelope: `{ success: true, result }` on
-   * success or `{ success: false, error }` on failure. We unwrap once and
-   * throw on error so callers get a result that matches the local signature.
-   */
-  async function forwardRefOpToProxy<T>(
-    reg: RegistryEntry,
-    agent: string,
-    operation: string,
-    params: Record<string, unknown>,
-  ): Promise<T> {
-    const consumer = await buildConsumerForRef({
-      ref: "",
-      name: "",
-      sourceRegistry: { url: reg.url, agentPath: agent },
-    });
-    const resolved = consumer.registries().find((r) => r.url === reg.url);
-    if (!resolved)
-      throw new Error(
-        `Registry ${reg.url} not resolvable for proxy forwarding`,
-      );
-
-    const response = await consumer.callRegistry(resolved, {
-      action: "execute_tool",
-      path: agent,
-      tool: "ref",
-      params: { operation, ...params },
-    });
-
-    if (!response.success) {
-      const errResponse = response as {
-        success: false;
-        error?: string;
-        code?: string;
-      };
-      const msg =
-        errResponse.error ?? `Proxy ${agent}.ref(${operation}) failed`;
-      throw new Error(msg);
-    }
-    return (response as { success: true; result: unknown }).result as T;
-  }
-
   // ==========================================
   // Registry API
   // ==========================================
@@ -1292,39 +1187,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     return `${SECRET_PREFIX}${await encryptSecret(value, options.encryptionKey)}`;
   }
 
-  /**
-   * Re-probe a registry with the current stored credentials to see whether it
-   * advertises `capabilities.registry.proxy` in its MCP `initialize` response,
-   * and persist the proxy config when it does. Safe to call after a successful
-   * `auth()` / `authLocal()` — on the add path we skip the proxy probe when
-   * auth is required, so this is the second chance to back-fill it.
-   *
-   * Respects explicit user config: if `proxy` is already set, we leave it
-   * alone. Any discovery failure is swallowed — proxy is an optimization,
-   * not a correctness requirement.
-   */
-  async function discoverProxyAfterAuth(nameOrUrl: string): Promise<void> {
-    const config = await readConfig();
-    const target = findRegistry(config.registries ?? [], nameOrUrl);
-    if (!target || typeof target === "string") return;
-    if (target.proxy) return;
-
-    try {
-      const consumer = await buildConsumer(nameOrUrl);
-      const discovered = await consumer.discover(target.url);
-      if (!discovered.proxy?.mode) return;
-      await updateRegistryEntry(nameOrUrl, (existing) => {
-        if (existing.proxy) return;
-        existing.proxy = {
-          mode: discovered.proxy!.mode,
-          ...(discovered.proxy!.agent && { agent: discovered.proxy!.agent }),
-        };
-      });
-    } catch {
-      // Proxy probe is best-effort — auth itself already succeeded.
-    }
-  }
-
   /**
    * Atomic read-modify-write on a registry entry by name or URL. Used by
    * `authLocal` to persist both `auth` and `oauth` together, which `auth()`
@@ -1476,14 +1338,10 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         (r) => registryDisplayName(r) !== alias,
       );
 
-      // Probe the registry before saving. Two things fall out of the probe:
-      //   1. Auth challenge — 401 + WWW-Authenticate points at RFC 9728
-      //      resource metadata; we persist it on `authRequirement` so
-      //      subsequent ops can refuse early with a friendly message.
-      //   2. Proxy capability — the MCP `initialize` response may advertise
-      //      `capabilities.registry.proxy`, which auto-populates `proxy`.
-      // Users who set `proxy` or `auth` explicitly on the entry always win:
-      // discovery only fills in blanks.
+      // Probe the registry before saving. If it returns 401 with a
+      // WWW-Authenticate / RFC 9728 resource metadata pointer, persist
+      // that on `authRequirement` so subsequent ops can refuse early
+      // with a friendly message.
       let final: RegistryEntry = entry;
       let authRequirement: RegistryAuthRequirement | undefined;
 
@@ -1502,33 +1360,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         }
       }
 
-      if (!entry.proxy && !authRequirement) {
-        try {
-          const probeConsumer = await createRegistryConsumer(
-            { registries: [entry], refs: [] },
-            { token: options.token, fetch: options.fetch },
-          );
-          const resolved = probeConsumer.registries()[0];
-          if (resolved) {
-            const discovered = await probeConsumer.discover(resolved.url);
-            if (discovered.proxy?.mode) {
-              final = {
-                ...final,
-                proxy: {
-                  mode: discovered.proxy.mode,
-                  ...(discovered.proxy.agent && {
-                    agent: discovered.proxy.agent,
-                  }),
-                },
-              };
-            }
-          }
-        } catch {
-          // Discovery is best-effort — offline, unreachable, or non-adk
-          // registries simply skip proxy auto-configuration.
-        }
-      }
-
       registries.push(final);
       await writeConfig({ ...config, registries });
       return authRequirement ? { authRequirement } : {};
@@ -1579,7 +1410,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         if (updates.auth) existing.auth = updates.auth;
         if (updates.headers)
           existing.headers = { ...existing.headers, ...updates.headers };
-        if (updates.proxy !== undefined) existing.proxy = updates.proxy;
         return existing;
       });
       if (!found) return false;
@@ -1696,7 +1526,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         }
         delete existing.authRequirement;
       });
-      if (updated) await discoverProxyAfterAuth(nameOrUrl);
       return updated;
     },
 
@@ -1877,7 +1706,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
                 };
                 delete existing.authRequirement;
               });
-              await discoverProxyAfterAuth(displayName);
               resOut.writeHead(200, { "Content-Type": "text/html" });
               resOut.end(renderAuthSuccess(displayName));
               server.close();
@@ -2324,18 +2152,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
       const entry = findRef(config.refs ?? [], name);
       if (!entry) throw new Error(`Ref "${name}" not found`);
 
-      // Registry-proxied refs: ask the remote @config for state (secrets live
-      // server-side so local inspection would always return "missing").
-      const proxy = await resolveProxyForRef(entry);
-      if (proxy) {
-        return forwardRefOpToProxy<RefAuthStatus>(
-          proxy.reg,
-          proxy.agent,
-          "auth-status",
-          { name },
-        );
-      }
-
       let security: SecuritySchemeSummary | null = null;
       try {
         const consumer = await buildConsumerForRef(entry);
@@ -2492,38 +2308,12 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         stateContext?: Record<string, unknown>;
         /** Additional scopes to request (e.g., optional scopes declared by the agent) */
         scopes?: string[];
-        /**
-         * Opt out of proxy routing when the ref's source registry has
-         * `proxy: { mode: 'optional' }`. Ignored for `mode: 'required'`.
-         */
-        preferLocal?: boolean;
       },
     ): Promise<AuthStartResult> {
       const config = await readConfig();
       const entry = findRef(config.refs ?? [], name);
       if (!entry) throw new Error(`Ref "${name}" not found`);
 
-      // Registry-proxied auth: forward the start-of-flow to the remote @config
-      // agent. The registry owns the client_id/secret and returns an authorize
-      // URL pointing at the registry's OAuth callback domain, so the user
-      // completes the flow against the registry instead of localhost.
-      const proxy = await resolveProxyForRef(entry, {
-        preferLocal: opts?.preferLocal,
-      });
-      if (proxy) {
-        const params: Record<string, unknown> = { name };
-        if (opts?.apiKey !== undefined) params.apiKey = opts.apiKey;
-        if (opts?.credentials) params.credentials = opts.credentials;
-        if (opts?.scopes) params.scopes = opts.scopes;
-        if (opts?.stateContext) params.stateContext = opts.stateContext;
-        return forwardRefOpToProxy<AuthStartResult>(
-          proxy.reg,
-          proxy.agent,
-          "auth",
-          params,
-        );
-      }
-
       const status = await ref.authStatus(name);
       const security = status.security;
       const tryResolve = makeTryResolve({ name, entry, security });
@@ -2852,38 +2642,19 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         timeoutMs?: number;
       },
     ): Promise<{ complete: boolean }> {
-      // `ref.auth` is already proxy-aware — for proxied refs it returns
-      // the authorizeUrl that the registry minted against its own
-      // callback domain. Everything below is identical for local and
-      // proxied refs except the last step (polling for the callback),
-      // which only makes sense when we own the redirect URI.
       const result = await ref.auth(name);
       if (result.complete) return { complete: true };
 
-      const config = await readConfig();
-      const entry = findRef(config.refs ?? [], name);
-      const proxy = entry ? await resolveProxyForRef(entry) : null;
-
       const port = options.oauthCallbackPort ?? 8919;
       const timeout = opts?.timeoutMs ?? 300_000;
       const { createServer } = await import("node:http");
 
       // API key / HTTP auth — local credential form.
-      //
-      // We refuse to serve the form for a proxied ref: the registry
-      // owns the credential store, so the user needs to submit via
-      // whatever UI the registry exposes. Supporting this through the
-      // proxy would need a remote form endpoint — out of scope here.
       if (
         result.fields &&
         result.fields.length > 0 &&
         result.type !== "oauth2"
       ) {
-        if (proxy) {
-          throw new Error(
-            `Ref "${name}" is sourced from a proxied registry; submit credentials through ${proxy.agent} instead of a local form.`,
-          );
-        }
         return new Promise<{ complete: boolean }>((resolve, reject) => {
           const server = createServer(async (req, res) => {
             const reqUrl = new URL(req.url ?? "/", `http://localhost:${port}`);
@@ -2962,13 +2733,8 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
         opts.onAuthorizeUrl(result.authorizeUrl);
       }
 
-      // Proxied refs: the registry owns the callback endpoint, so there's
-      // nothing to poll here. Callers poll `ref.authStatus` on their own
-      // schedule once the user finishes the remote consent screen.
-      if (proxy) return { complete: false };
-
-      // Local refs: spin up the callback server on oauthCallbackPort and
-      // block until the OAuth provider redirects back.
+      // Spin up the callback server on oauthCallbackPort and block
+      // until the OAuth provider redirects back.
       return new Promise<{ complete: boolean }>((resolve, reject) => {
         const server = createServer(async (req, res) => {
           const reqUrl = new URL(req.url ?? "/", `http://localhost:${port}`);
@@ -3013,20 +2779,6 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
     },
 
     async refreshToken(name: string): Promise<{ accessToken: string } | null> {
-      // Registry-proxied refs: the remote @config holds the refresh_token.
-      const entryForProxy = await ref.get(name);
-      if (entryForProxy) {
-        const proxy = await resolveProxyForRef(entryForProxy);
-        if (proxy) {
-          return forwardRefOpToProxy<{ accessToken: string } | null>(
-            proxy.reg,
-            proxy.agent,
-            "refresh-token",
-            { name },
-          );
-        }
-      }
-
       // Read stored refresh_token
       const refreshToken = await readRefSecret(name, "refresh_token");
       if (!refreshToken) return null;

package/src/define-config.ts

@@ -34,30 +34,6 @@ export type RegistryAuth =
   | { type: "api-key"; key?: string; header?: string }
   | { type: "jwt"; issuer?: string };
 
-/**
- * Proxy configuration for a registry.
- *
- * When set, ref operations (`auth`, `auth-status`, `call`, `inspect`,
- * `resources`, `read`, `refresh-token`) for refs sourced from this
- * registry are forwarded to a server-side agent that implements the
- * adk-tools surface. Use this for cloud-hosted registries that own
- * OAuth client credentials and/or user tokens on behalf of consumers
- * (e.g. `api.twin.slash.com/mcp`).
- *
- * - `mode: 'required'` — all ref ops MUST route through the proxy agent.
- *   Local handshake (`ref.authLocal`) is refused for refs from this
- *   registry because the local environment has no way to build an
- *   authorize URL without the server's client credentials.
- * - `mode: 'optional'` — proxy is the default; callers may opt out via
- *   `{ preferLocal: true }` on a per-op basis when they already hold
- *   local credentials.
- */
-export interface RegistryProxy {
-  mode: "required" | "optional";
-  /** Agent path to forward to. Defaults to `@config`. */
-  agent?: string;
-}
-
 /**
  * OAuth state captured after `adk registry auth` completes a dynamic-client
  * registration + authorization-code flow against a registry. Stored alongside
@@ -121,13 +97,6 @@ export interface RegistryEntry {
   /** Connection status — set by validation/test, used to filter active entries */
   status?: "active" | "inactive" | "error";
 
-  /**
-   * If set, ref ops for refs sourced from this registry are forwarded
-   * to a server-side adk-tools agent (default `@config`) instead of
-   * running locally. See {@link RegistryProxy}.
-   */
-  proxy?: RegistryProxy;
-
   /**
    * Populated by `adk registry add` when the probe returned 401. Cleared
    * by `adk registry auth`. Registry ops refuse to run while this is set