@vellumai/vellum-gateway 0.8.11 → 0.8.12-staging.2

package/Dockerfile

@@ -11,6 +11,7 @@ COPY --from=bun /usr/local/bin/bun /usr/local/bin/bun
 # Copy shared packages needed by gateway's repo-local dependencies
 COPY packages/assistant-client ./packages/assistant-client
 COPY packages/ces-client ./packages/ces-client
+COPY packages/gateway-client ./packages/gateway-client
 COPY packages/ipc-server-utils ./packages/ipc-server-utils
 COPY packages/service-contracts ./packages/service-contracts
 COPY packages/slack-text ./packages/slack-text
@@ -18,6 +19,7 @@ COPY packages/twilio-client ./packages/twilio-client
 
 # Install deps for shared packages whose source is loaded at runtime.
 RUN cd /app/packages/ces-client && bun install --frozen-lockfile
+RUN cd /app/packages/gateway-client && bun install --frozen-lockfile
 RUN cd /app/packages/service-contracts && bun install --frozen-lockfile
 
 # Install gateway dependencies first for cache reuse

package/bun.lock

@@ -7,6 +7,7 @@
       "dependencies": {
         "@vellumai/assistant-client": "file:../packages/assistant-client",
         "@vellumai/ces-client": "file:../packages/ces-client",
+        "@vellumai/gateway-client": "file:../packages/gateway-client",
         "@vellumai/ipc-server-utils": "file:../packages/ipc-server-utils",
         "@vellumai/service-contracts": "file:../packages/service-contracts",
         "@vellumai/slack-text": "file:../packages/slack-text",
@@ -210,6 +211,8 @@
 
     "@vellumai/ces-client": ["@vellumai/ces-client@file:../packages/ces-client", { "dependencies": { "@vellumai/service-contracts": "file:../service-contracts" }, "devDependencies": { "@types/bun": "1.2.4", "typescript": "5.7.3" } }],
 
+    "@vellumai/gateway-client": ["@vellumai/gateway-client@file:../packages/gateway-client", { "dependencies": { "@vellumai/service-contracts": "file:../service-contracts", "zod": "4.3.6" }, "devDependencies": { "@types/bun": "1.3.10", "typescript": "5.9.3" } }],
+
     "@vellumai/ipc-server-utils": ["@vellumai/ipc-server-utils@file:../packages/ipc-server-utils", { "devDependencies": { "@types/bun": "1.3.10", "typescript": "5.9.3" } }],
 
     "@vellumai/service-contracts": ["@vellumai/service-contracts@file:../packages/service-contracts", { "dependencies": { "zod": "4.3.6" }, "devDependencies": { "@types/bun": "1.2.4", "typescript": "5.7.3" } }],
@@ -504,6 +507,10 @@
 
     "@vellumai/ces-client/typescript": ["typescript@5.7.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw=="],
 
+    "@vellumai/gateway-client/@types/bun": ["@types/bun@1.3.10", "", { "dependencies": { "bun-types": "1.3.10" } }, "sha512-0+rlrUrOrTSskibryHbvQkDOWRJwJZqZlxrUs1u4oOoTln8+WIXBPmAuCF35SWB2z4Zl3E84Nl/D0P7803nigQ=="],
+
+    "@vellumai/gateway-client/@vellumai/service-contracts": ["@vellumai/service-contracts@file:../packages/service-contracts", {}],
+
     "@vellumai/ipc-server-utils/@types/bun": ["@types/bun@1.3.10", "", { "dependencies": { "bun-types": "1.3.10" } }, "sha512-0+rlrUrOrTSskibryHbvQkDOWRJwJZqZlxrUs1u4oOoTln8+WIXBPmAuCF35SWB2z4Zl3E84Nl/D0P7803nigQ=="],
 
     "@vellumai/service-contracts/@types/bun": ["@types/bun@1.2.4", "", { "dependencies": { "bun-types": "1.2.4" } }, "sha512-QtuV5OMR8/rdKJs213iwXDpfVvnskPXY/S0ZiFbsTjQZycuqPbMW8Gf/XhLfwE5njW8sxI2WjISURXPlHypMFA=="],
@@ -572,6 +579,8 @@
 
     "@vellumai/ces-client/@types/bun/bun-types": ["bun-types@1.2.4", "", { "dependencies": { "@types/node": "*", "@types/ws": "~8.5.10" } }, "sha512-nDPymR207ZZEoWD4AavvEaa/KZe/qlrbMSchqpQwovPZCKc7pwMoENjEtHgMKaAjJhy+x6vfqSBA1QU3bJgs0Q=="],
 
+    "@vellumai/gateway-client/@types/bun/bun-types": ["bun-types@1.3.10", "", { "dependencies": { "@types/node": "*" } }, "sha512-tcpfCCl6XWo6nCVnpcVrxQ+9AYN1iqMIzgrSKYMB/fjLtV2eyAVEg7AxQJuCq/26R6HpKWykQXuSOq/21RYcbg=="],
+
     "@vellumai/ipc-server-utils/@types/bun/bun-types": ["bun-types@1.3.10", "", { "dependencies": { "@types/node": "*" } }, "sha512-tcpfCCl6XWo6nCVnpcVrxQ+9AYN1iqMIzgrSKYMB/fjLtV2eyAVEg7AxQJuCq/26R6HpKWykQXuSOq/21RYcbg=="],
 
     "@vellumai/service-contracts/@types/bun/bun-types": ["bun-types@1.2.4", "", { "dependencies": { "@types/node": "*", "@types/ws": "~8.5.10" } }, "sha512-nDPymR207ZZEoWD4AavvEaa/KZe/qlrbMSchqpQwovPZCKc7pwMoENjEtHgMKaAjJhy+x6vfqSBA1QU3bJgs0Q=="],

package/knip.json

@@ -4,6 +4,7 @@
   "ignoreDependencies": [
     "@vellumai/assistant-client",
     "@vellumai/ces-client",
+    "@vellumai/gateway-client",
     "@vellumai/ipc-server-utils",
     "@vellumai/service-contracts",
     "@vellumai/slack-text",

package/node_modules/@vellumai/gateway-client/bun.lock

@@ -0,0 +1,40 @@
+{
+  "lockfileVersion": 1,
+  "configVersion": 1,
+  "workspaces": {
+    "": {
+      "name": "@vellumai/gateway-client",
+      "dependencies": {
+        "@vellumai/service-contracts": "file:../service-contracts",
+        "zod": "4.3.6",
+      },
+      "devDependencies": {
+        "@types/bun": "1.3.10",
+        "typescript": "5.9.3",
+      },
+    },
+  },
+  "packages": {
+    "@types/bun": ["@types/bun@1.3.10", "", { "dependencies": { "bun-types": "1.3.10" } }, "sha512-0+rlrUrOrTSskibryHbvQkDOWRJwJZqZlxrUs1u4oOoTln8+WIXBPmAuCF35SWB2z4Zl3E84Nl/D0P7803nigQ=="],
+
+    "@types/node": ["@types/node@25.6.0", "", { "dependencies": { "undici-types": "~7.19.0" } }, "sha512-+qIYRKdNYJwY3vRCZMdJbPLJAtGjQBudzZzdzwQYkEPQd+PJGixUL5QfvCLDaULoLv+RhT3LDkwEfKaAkgSmNQ=="],
+
+    "@types/ws": ["@types/ws@8.5.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-bd/YFLW+URhBzMXurx7lWByOu+xzU9+kb3RboOteXYDfW+tr+JZa99OyNmPINEGB/ahzKrEuc8rcv4gnpJmxTw=="],
+
+    "@vellumai/service-contracts": ["@vellumai/service-contracts@file:../service-contracts", { "dependencies": { "zod": "4.3.6" }, "devDependencies": { "@types/bun": "1.2.4", "typescript": "5.7.3" } }],
+
+    "bun-types": ["bun-types@1.3.10", "", { "dependencies": { "@types/node": "*" } }, "sha512-tcpfCCl6XWo6nCVnpcVrxQ+9AYN1iqMIzgrSKYMB/fjLtV2eyAVEg7AxQJuCq/26R6HpKWykQXuSOq/21RYcbg=="],
+
+    "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
+
+    "undici-types": ["undici-types@7.19.2", "", {}, "sha512-qYVnV5OEm2AW8cJMCpdV20CDyaN3g0AjDlOGf1OW4iaDEx8MwdtChUp4zu4H0VP3nDRF/8RKWH+IPp9uW0YGZg=="],
+
+    "zod": ["zod@4.3.6", "", {}, "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg=="],
+
+    "@vellumai/service-contracts/@types/bun": ["@types/bun@1.2.4", "", { "dependencies": { "bun-types": "1.2.4" } }, "sha512-QtuV5OMR8/rdKJs213iwXDpfVvnskPXY/S0ZiFbsTjQZycuqPbMW8Gf/XhLfwE5njW8sxI2WjISURXPlHypMFA=="],
+
+    "@vellumai/service-contracts/typescript": ["typescript@5.7.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw=="],
+
+    "@vellumai/service-contracts/@types/bun/bun-types": ["bun-types@1.2.4", "", { "dependencies": { "@types/node": "*", "@types/ws": "~8.5.10" } }, "sha512-nDPymR207ZZEoWD4AavvEaa/KZe/qlrbMSchqpQwovPZCKc7pwMoENjEtHgMKaAjJhy+x6vfqSBA1QU3bJgs0Q=="],
+  }
+}

package/node_modules/@vellumai/gateway-client/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "@vellumai/gateway-client",
+  "version": "0.0.1",
+  "private": true,
+  "license": "MIT",
+  "type": "module",
+  "exports": {
+    ".": "./src/index.ts",
+    "./gateway-ipc-contracts": "./src/gateway-ipc-contracts.ts",
+    "./http-delivery": "./src/http-delivery.ts",
+    "./ipc-client": "./src/ipc-client.ts"
+  },
+  "scripts": {
+    "typecheck": "bunx tsc --noEmit",
+    "test": "bun test src/"
+  },
+  "dependencies": {
+    "@vellumai/service-contracts": "file:../service-contracts",
+    "zod": "4.3.6"
+  },
+  "devDependencies": {
+    "@types/bun": "1.3.10",
+    "typescript": "5.9.3"
+  }
+}

package/node_modules/@vellumai/gateway-client/src/__tests__/gateway-client.test.ts

@@ -0,0 +1,343 @@
+/**
+ * Tests for @vellumai/gateway-client
+ *
+ * Covers:
+ * 1. Package independence — no imports from assistant/ or gateway/.
+ * 2. IPC NDJSON framing and timeout behavior.
+ * 3. HTTP delivery auth headers and error handling.
+ */
+
+import { createServer, type Server } from "node:net";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { randomUUID } from "node:crypto";
+import { unlinkSync } from "node:fs";
+
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+
+import { ipcCall, PersistentIpcClient } from "../ipc-client.js";
+import { ChannelDeliveryError, deliverChannelReply } from "../http-delivery.js";
+import type { Logger } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Independence guard — package must not pull in assistant or gateway modules.
+// ---------------------------------------------------------------------------
+
+describe("package independence", () => {
+  const sourceFiles = [
+    "../index.ts",
+    "../types.ts",
+    "../http-delivery.ts",
+    "../ipc-client.ts",
+    "../gateway-ipc-contracts.ts",
+  ];
+
+  for (const file of sourceFiles) {
+    test(`${file} does not import from assistant/ or gateway/`, () => {
+      const src = require("node:fs").readFileSync(
+        require("node:path").resolve(__dirname, file),
+        "utf-8",
+      );
+      expect(src).not.toMatch(/from\s+['"].*assistant\//);
+      expect(src).not.toMatch(/from\s+['"].*gateway\//);
+      expect(src).not.toMatch(/require\(['"].*assistant\//);
+      expect(src).not.toMatch(/require\(['"].*gateway\//);
+    });
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Test helpers
+// ---------------------------------------------------------------------------
+
+/** Create a no-op logger that collects messages for assertions. */
+function createTestLogger(): Logger & {
+  messages: Array<{ level: string; msg: string }>;
+} {
+  const messages: Array<{ level: string; msg: string }> = [];
+  return {
+    messages,
+    debug(_obj: Record<string, unknown>, msg: string) {
+      messages.push({ level: "debug", msg });
+    },
+    info(_obj: Record<string, unknown>, msg: string) {
+      messages.push({ level: "info", msg });
+    },
+    warn(_obj: Record<string, unknown>, msg: string) {
+      messages.push({ level: "warn", msg });
+    },
+    error(_obj: Record<string, unknown>, msg: string) {
+      messages.push({ level: "error", msg });
+    },
+  };
+}
+
+/** Create a temporary Unix socket path for tests. */
+function tmpSocketPath(): string {
+  return join(tmpdir(), `gw-client-test-${randomUUID()}.sock`);
+}
+
+// ---------------------------------------------------------------------------
+// IPC: NDJSON framing
+// ---------------------------------------------------------------------------
+
+describe("ipc-client", () => {
+  describe("ipcCall — one-shot", () => {
+    let server: Server;
+    let socketPath: string;
+
+    beforeEach(() => {
+      socketPath = tmpSocketPath();
+    });
+
+    afterEach(() => {
+      server?.close();
+      try {
+        unlinkSync(socketPath);
+      } catch {
+        // Already cleaned up
+      }
+    });
+
+    test("sends NDJSON request and parses NDJSON response", async () => {
+      server = createServer((conn) => {
+        let buf = "";
+        conn.on("data", (chunk) => {
+          buf += chunk.toString();
+          const idx = buf.indexOf("\n");
+          if (idx !== -1) {
+            const line = buf.slice(0, idx);
+            const req = JSON.parse(line);
+            const resp = JSON.stringify({
+              id: req.id,
+              result: { flags: { browser: true } },
+            });
+            conn.write(resp + "\n");
+          }
+        });
+      });
+
+      await new Promise<void>((resolve) => {
+        server.listen(socketPath, () => resolve());
+      });
+
+      const result = await ipcCall(socketPath, "get_feature_flags");
+      expect(result).toEqual({ flags: { browser: true } });
+    });
+
+    test("returns undefined when server sends error response", async () => {
+      const log = createTestLogger();
+      server = createServer((conn) => {
+        let buf = "";
+        conn.on("data", (chunk) => {
+          buf += chunk.toString();
+          const idx = buf.indexOf("\n");
+          if (idx !== -1) {
+            const req = JSON.parse(buf.slice(0, idx));
+            conn.write(
+              JSON.stringify({ id: req.id, error: "method not found" }) + "\n",
+            );
+          }
+        });
+      });
+
+      await new Promise<void>((resolve) => {
+        server.listen(socketPath, () => resolve());
+      });
+
+      const result = await ipcCall(
+        socketPath,
+        "unknown_method",
+        undefined,
+        log,
+      );
+      expect(result).toBeUndefined();
+      expect(
+        log.messages.some((m) => m.msg === "IPC call returned error"),
+      ).toBe(true);
+    });
+
+    test("returns undefined when socket does not exist", async () => {
+      const log = createTestLogger();
+      const result = await ipcCall(
+        "/tmp/nonexistent-socket.sock",
+        "test_method",
+        undefined,
+        log,
+      );
+      expect(result).toBeUndefined();
+    });
+
+    test("forwards params in the request", async () => {
+      let receivedParams: Record<string, unknown> | undefined;
+      server = createServer((conn) => {
+        let buf = "";
+        conn.on("data", (chunk) => {
+          buf += chunk.toString();
+          const idx = buf.indexOf("\n");
+          if (idx !== -1) {
+            const req = JSON.parse(buf.slice(0, idx));
+            receivedParams = req.params;
+            conn.write(JSON.stringify({ id: req.id, result: "ok" }) + "\n");
+          }
+        });
+      });
+
+      await new Promise<void>((resolve) => {
+        server.listen(socketPath, () => resolve());
+      });
+
+      await ipcCall(socketPath, "test", { key: "value" });
+      expect(receivedParams).toEqual({ key: "value" });
+    });
+
+    test("handles fragmented NDJSON across multiple data chunks", async () => {
+      server = createServer((conn) => {
+        let buf = "";
+        conn.on("data", (chunk) => {
+          buf += chunk.toString();
+          const idx = buf.indexOf("\n");
+          if (idx !== -1) {
+            const req = JSON.parse(buf.slice(0, idx));
+            const resp = JSON.stringify({ id: req.id, result: 42 });
+            // Send the response in two separate chunks
+            const mid = Math.floor(resp.length / 2);
+            conn.write(resp.slice(0, mid));
+            setTimeout(() => {
+              conn.write(resp.slice(mid) + "\n");
+            }, 10);
+          }
+        });
+      });
+
+      await new Promise<void>((resolve) => {
+        server.listen(socketPath, () => resolve());
+      });
+
+      const result = await ipcCall(socketPath, "fragmented");
+      expect(result).toBe(42);
+    });
+  });
+
+  describe("PersistentIpcClient", () => {
+    let server: Server;
+    let socketPath: string;
+
+    beforeEach(() => {
+      socketPath = tmpSocketPath();
+    });
+
+    afterEach(() => {
+      server?.close();
+      try {
+        unlinkSync(socketPath);
+      } catch {
+        // Already cleaned up
+      }
+    });
+
+    test("multiplexes concurrent calls over a single connection", async () => {
+      server = createServer((conn) => {
+        let buf = "";
+        conn.on("data", (chunk) => {
+          buf += chunk.toString();
+          let idx: number;
+          while ((idx = buf.indexOf("\n")) !== -1) {
+            const line = buf.slice(0, idx);
+            buf = buf.slice(idx + 1);
+            const req = JSON.parse(line);
+            // Echo the method as the result
+            conn.write(
+              JSON.stringify({ id: req.id, result: req.method }) + "\n",
+            );
+          }
+        });
+      });
+
+      await new Promise<void>((resolve) => {
+        server.listen(socketPath, () => resolve());
+      });
+
+      const client = new PersistentIpcClient(socketPath);
+      try {
+        const [r1, r2, r3] = await Promise.all([
+          client.call("method_a"),
+          client.call("method_b"),
+          client.call("method_c"),
+        ]);
+        expect(r1).toBe("method_a");
+        expect(r2).toBe("method_b");
+        expect(r3).toBe("method_c");
+      } finally {
+        client.destroy();
+      }
+    });
+
+    test("rejects pending calls on destroy", async () => {
+      server = createServer(() => {
+        // Server accepts but never responds
+      });
+
+      await new Promise<void>((resolve) => {
+        server.listen(socketPath, () => resolve());
+      });
+
+      const client = new PersistentIpcClient(socketPath, 30_000);
+      const callPromise = client.call("hanging_method");
+      // Give the connection time to establish
+      await new Promise((r) => setTimeout(r, 50));
+      client.destroy();
+
+      await expect(callPromise).rejects.toThrow(
+        "PersistentIpcClient destroyed",
+      );
+    });
+
+    test("rejects on server error response", async () => {
+      server = createServer((conn) => {
+        let buf = "";
+        conn.on("data", (chunk) => {
+          buf += chunk.toString();
+          const idx = buf.indexOf("\n");
+          if (idx !== -1) {
+            const req = JSON.parse(buf.slice(0, idx));
+            conn.write(
+              JSON.stringify({ id: req.id, error: "something broke" }) + "\n",
+            );
+          }
+        });
+      });
+
+      await new Promise<void>((resolve) => {
+        server.listen(socketPath, () => resolve());
+      });
+
+      const client = new PersistentIpcClient(socketPath);
+      try {
+        await expect(client.call("broken")).rejects.toThrow("something broke");
+      } finally {
+        client.destroy();
+      }
+    });
+
+    test("times out when server does not respond", async () => {
+      server = createServer(() => {
+        // Accepts connections but never responds
+      });
+
+      await new Promise<void>((resolve) => {
+        server.listen(socketPath, () => resolve());
+      });
+
+      const client = new PersistentIpcClient(socketPath, 100);
+      try {
+        await expect(client.call("slow_method")).rejects.toThrow("timed out");
+      } finally {
+        client.destroy();
+      }
+    });
+  });
+});
+
+// ---------------------------------------------------------------------------
+// HTTP delivery: auth headers and error handling

package/node_modules/@vellumai/gateway-client/src/__tests__/package-boundary.test.ts

@@ -0,0 +1,140 @@
+/**
+ * Package boundary tests for @vellumai/gateway-client.
+ *
+ * Ensures the package:
+ * 1. Does NOT import from assistant, gateway, or credential-executor service
+ *    runtime modules.
+ * 2. Does NOT import from runtime shared packages (@vellumai/credential-storage,
+ *    @vellumai/egress-proxy).
+ * 3. Remains a lightweight client package with no runtime service dependencies.
+ *
+ * @vellumai/gateway-client is a typed HTTP client for assistant-to-gateway
+ * calls (trust API, feature flags, log export, deliver). It may depend on
+ * @vellumai/service-contracts for shared type definitions, but must not pull
+ * in runtime service internals.
+ */
+
+import { describe, expect, test } from "bun:test";
+import { readFileSync, readdirSync, statSync } from "node:fs";
+import { join, resolve } from "node:path";
+
+const PACKAGE_ROOT = resolve(import.meta.dirname, "../..");
+const SRC_DIR = join(PACKAGE_ROOT, "src");
+
+/**
+ * Recursively collect all .ts source files, excluding test and declaration files.
+ */
+function collectSourceFiles(dir: string): string[] {
+  const files: string[] = [];
+  for (const entry of readdirSync(dir)) {
+    const full = join(dir, entry);
+    const stat = statSync(full);
+    if (stat.isDirectory()) {
+      if (entry === "node_modules" || entry === "__tests__") continue;
+      files.push(...collectSourceFiles(full));
+    } else if (
+      entry.endsWith(".ts") &&
+      !entry.endsWith(".test.ts") &&
+      !entry.endsWith(".d.ts")
+    ) {
+      files.push(full);
+    }
+  }
+  return files;
+}
+
+/**
+ * Patterns that must NOT appear in any import/require statement within
+ * source files.
+ */
+const FORBIDDEN_IMPORT_PATTERNS = [
+  // Assistant runtime internals
+  /from\s+["'](?:\.\.\/)+assistant\/src/,
+  /require\s*\(\s*["'](?:\.\.\/)+assistant\/src/,
+  /from\s+["']@vellumai\/assistant(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/assistant(?:\/|["'])/,
+
+  // Gateway runtime internals (not the gateway-client package itself)
+  /from\s+["'](?:\.\.\/)+gateway\/src/,
+  /require\s*\(\s*["'](?:\.\.\/)+gateway\/src/,
+  /from\s+["']@vellumai\/(?:vellum-)?gateway(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/(?:vellum-)?gateway(?:\/|["'])/,
+
+  // Credential executor runtime internals
+  /from\s+["'](?:\.\.\/)+credential-executor\/src/,
+  /require\s*\(\s*["'](?:\.\.\/)+credential-executor\/src/,
+  /from\s+["']@vellumai\/credential-executor(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/credential-executor(?:\/|["'])/,
+
+  // Runtime shared packages
+  /from\s+["']@vellumai\/credential-storage(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/credential-storage(?:\/|["'])/,
+  /from\s+["']@vellumai\/egress-proxy(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/egress-proxy(?:\/|["'])/,
+];
+
+describe("package boundary", () => {
+  const sourceFiles = collectSourceFiles(SRC_DIR);
+
+  test("has source files to validate", () => {
+    expect(sourceFiles.length).toBeGreaterThan(0);
+  });
+
+  test("does not import from service runtime modules or runtime shared packages", () => {
+    const violations: string[] = [];
+
+    for (const file of sourceFiles) {
+      const content = readFileSync(file, "utf-8");
+      const lines = content.split("\n");
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const pattern of FORBIDDEN_IMPORT_PATTERNS) {
+          if (pattern.test(line)) {
+            const relative = file.replace(PACKAGE_ROOT + "/", "");
+            violations.push(`${relative}:${i + 1}: ${line.trim()}`);
+          }
+        }
+      }
+    }
+
+    if (violations.length > 0) {
+      throw new Error(
+        `Found ${violations.length} forbidden import(s) in gateway-client package:\n` +
+          violations.map((v) => `  - ${v}`).join("\n") +
+          "\n\n" +
+          "@vellumai/gateway-client must not import from service runtime modules\n" +
+          "or runtime shared packages (credential-storage, egress-proxy).",
+      );
+    }
+  });
+
+  test("package.json declares it as private", () => {
+    const pkg = JSON.parse(
+      readFileSync(join(PACKAGE_ROOT, "package.json"), "utf-8"),
+    );
+    expect(pkg.private).toBe(true);
+  });
+
+  test("package.json does not depend on service runtime or runtime shared packages", () => {
+    const pkg = JSON.parse(
+      readFileSync(join(PACKAGE_ROOT, "package.json"), "utf-8"),
+    );
+    const allDeps = {
+      ...pkg.dependencies,
+      ...pkg.devDependencies,
+      ...pkg.peerDependencies,
+    };
+
+    const forbidden = Object.keys(allDeps).filter((dep) =>
+      [
+        "@vellumai/assistant",
+        "@vellumai/vellum-gateway",
+        "@vellumai/credential-storage",
+        "@vellumai/egress-proxy",
+      ].includes(dep),
+    );
+
+    expect(forbidden).toEqual([]);
+  });
+});