aai-gateway 0.3.4 → 0.4.0

package/README.md

@@ -1,407 +1,301 @@
 # AAI Gateway
 
-## One MCP. All Apps. Zero Code Changes.
+## One MCP. Many Apps. Less Context.
 
-> A single MCP server that connects AI Agents to all Web and Desktop applications.
-> Apps conforming to the **[AAI Protocol](https://github.com/gybob/aai-protocol)** can be **seamlessly integrated** without developing any source code—just provide a descriptor.
+AAI Gateway turns many apps, agents, skills, and MCP servers into one MCP server.
 
-[![npm version](https://img.shields.io/npm/v/aai-gateway.svg)](https://www.npmjs.com/package/aai-gateway)
-[![License](https://img.shields.io/npm/l/aai-gateway.svg)](https://github.com/gybob/aai-gateway/blob/main/LICENSE)
+You connect your AI tool once. AAI Gateway handles discovery, import, routing, and exposure control behind that single entrypoint.
 
----
+Why this matters:
 
-## Why AAI Gateway?
+- One MCP connection instead of one MCP per app
+- Smaller context because tools are exposed at the app level first, not dumped all at once
+- A cleaner path to mix MCP servers, skills, ACP agents, and CLI-backed apps
 
-| Traditional Approach                        | AAI Gateway                                       |
-| ------------------------------------------- | ------------------------------------------------- |
-| One MCP Server per App                      | **One MCP for all applications**                  |
-| Requires modifying app code                 | **Zero-code integration, just a descriptor**      |
-| Loads all tools at once (context explosion) | **Progressive disclosure, load on-demand**        |
-| Platform-specific only                      | **Cross-platform: Web + macOS + Windows + Linux** |
+AAI Gateway is for one goal: make tool ecosystems feel smaller, sharper, and easier for agents to use.
 
----
+## How To Use
 
-## 🚀 Core Innovation: Progressive Disclosure
+### 1. Connect Your AI Tool To AAI Gateway
 
-Traditional MCP servers return all tools on `tools/list`, causing:
+You do not need to preinstall `aai-gateway`.
 
+Use the same style users already know from mainstream MCP setups: launch it through `npx`.
+
+### Claude Code
+
+Official docs: <https://code.claude.com/docs/en/mcp>
+
+```bash
+claude mcp add --transport stdio aai-gateway -- npx -y aai-gateway
 ```
-50 apps × 20 tools per app = 1000+ tool entries
-→ Context window explosion
-→ Agent performance degradation
-→ Reduced response accuracy
-```
 
-**AAI Gateway's Solution**:
+### Codex
+
+Official docs: <https://developers.openai.com/learn/docs-mcp>
 
+```bash
+codex mcp add aai-gateway -- npx -y aai-gateway
 ```
-tools/list returns only lightweight entries:
-├── web:discover         → Discover web apps and get their capabilities
-├── app:<desktop-app-id> → Discovered desktop apps (one entry per app)
-└── aai:exec             → Universal executor for all operations
 
-= 50 apps + 2 tools = 52 entries ✅
+### OpenCode
+
+Official docs: <https://opencode.ai/docs/config> and <https://opencode.ai/docs/mcp-servers/>
 
-Agent calls web:discover or app:<id> on-demand to get detailed operation guides
+Add this to `~/.config/opencode/opencode.json` or your project `opencode.json`:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "mcp": {
+    "aai-gateway": {
+      "type": "local",
+      "command": ["npx", "-y", "aai-gateway"],
+      "enabled": true
+    }
+  }
+}
 ```
 
-**Result**: **95% reduction** in context usage, faster and more accurate Agent responses.
+### What You Get After Connecting
 
----
+Once connected, your AI tool can use AAI Gateway tools such as:
 
-## How It Works
+- `remote:discover`
+- `aai:exec`
+- `mcp:import`
+- `skill:import`
+- `mcp:refresh`
+- `import:config`
 
-### Web App Workflow
+### 2. Import An MCP Server
 
-```
-1. User: "Search my Notion workspace"
-2. Agent recognizes "Notion" as a web application
-   → Calls web:discover to fetch Notion's capabilities
-3. tools/call("web:discover", {url: "notion.com"})
-   → Returns operation guide: listDatabases(), queryDatabase(id), search(query)
-4. tools/call("aai:exec", {app: "notion.com", tool: "search", args: {...}})
-   → Executes and returns result
-```
+The main workflow is: copy a mainstream MCP config snippet into your AI tool and ask it to import that server through AAI Gateway.
 
-### Desktop App Workflow
+The AI tool should:
 
-```
-1. AAI Gateway scans system for AAI-enabled desktop apps
-   → Found apps appear as app:<id> entries in tools/list
-2. User: "Show my work tasks"
-   → Agent finds matching app:guanchen.worklens
-3. tools/call("app:guanchen.worklens")
-   → Returns operation guide: listTasks(), getTaskDetail(id), createTask()
-4. tools/call("aai:exec", {app: "guanchen.worklens", tool: "listTasks", args: {}})
-   → Executes and returns result
-```
+1. read the MCP config you pasted
+2. ask you to choose an exposure mode
+3. call `mcp:import`
 
----
+AAI Gateway keeps the import parameters close to normal MCP config shapes:
 
-## 🔐 Security & Consent
+- stdio MCP: `command`, `args`, `env`, `cwd`
+- remote MCP: `url`, optional `transport`, optional `headers`
 
-AAI Gateway implements a **caller-aware consent mechanism** to protect user privacy and control:
+Before import, the AI tool should ask you to choose:
 
-### Per-Caller Authorization
+- `summary`: easier automatic triggering
+- `keywords`: leaves room for more tools, but usually needs more explicit keyword mentions
 
-- **Client Identification**: When an MCP client (Claude Desktop, Cursor, Windsurf, etc.) requests tool access, AAI Gateway identifies the caller from the MCP protocol metadata
-- **Isolated Consent**: Consent decisions are stored **per caller**, meaning authorization granted to Claude Desktop is NOT automatically granted to Cursor
-- **Clear Dialogs**: Consent dialogs clearly show which client is requesting access: "Claude Desktop wants to use: sendEmail"
-- **Re-authorization Required**: Different MCP clients must obtain their own authorization for the same tools
+Example: import a normal stdio MCP config
 
-### Consent Flow
+```json
+{
+  "command": "npx",
+  "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
+}
+```
 
+Example: import a normal remote Streamable HTTP MCP config
+
+```json
+{
+  "url": "https://example.com/mcp"
+}
 ```
-1. MCP client (e.g., Cursor) calls a tool for the first time
-2. AAI Gateway checks: Has Cursor been authorized for this tool?
-3. If not → Show consent dialog: "Cursor wants to use: sendEmail"
-4. User decision is stored with caller identity: consents["Cursor"]["com.example.mail"]["sendEmail"]
-5. Next call from Cursor → No dialog (already authorized)
-6. Claude Desktop calls same tool → Consent dialog shown (different caller)
+
+Example: import a normal remote SSE MCP config
+
+```json
+{
+  "url": "https://example.com/sse",
+  "transport": "sse"
+}
 ```
 
-This ensures that each MCP client has explicit user authorization, preventing cross-client authorization leakage.
+After import, AAI Gateway returns:
 
-> 💡 **Note**: Caller identity is informational and not a security boundary. The real security is enforced by the operating system (TCC on macOS, UAC on Windows, etc.).
----
+- the generated app id
+- the generated `keywords`
+- the generated `summary`
+- the guide tool name: `app:<id>`
 
-## 📱 Supported Apps
+Important:
 
-These apps have built-in descriptors and work out of the box:
+- Restart your AI tool before using the newly imported tool.
+- After restart, the imported app will appear as `app:<id>`.
+- Use `aai:exec` to actually run the imported app’s operations.
 
-| App               | Auth Type      | Tools | Description                                         |
-| ----------------- | -------------- | ----- | --------------------------------------------------- |
-| **Notion**        | API Key        | 11    | Notes, docs, knowledge base, project management     |
-| **Yuque (语雀)**  | API Key        | 7     | Alibaba Cloud knowledge management platform         |
-| **Feishu / Lark** | App Credential | 11    | Enterprise collaboration (docs, wiki, IM, calendar) |
-> 💡 Want to add your app? See [How to Integrate](#how-to-integrate) | [Upcoming Apps](#upcoming-apps)
+### 3. Import A Skill
 
-> ⚠️ **Note**: AAI Gateway is currently in active development. Bugs may exist. Contributions are welcome!
+Skills are imported through the AI tool as well.
 
----
+Ask the AI tool to call `skill:import`, then give it either:
 
-## Installation
+- a local skill path
+- a remote skill root URL that exposes `SKILL.md`
 
-Add AAI Gateway to your MCP client configuration:
+Examples:
 
 ```json
 {
-  "mcpServers": {
-    "aai-gateway": {
-      "command": "npx",
-      "args": ["aai-gateway"]
-    }
-  }
+  "path": "/absolute/path/to/skill"
 }
 ```
 
-<details>
-<summary>Claude Code</summary>
-
-```bash
-claude mcp add aai-gateway npx aai-gateway
+```json
+{
+  "url": "https://example.com/skill"
+}
 ```
 
-</details>
+Just like MCP import, skill import returns:
 
-<details>
-<summary>Claude Desktop</summary>
+- the generated app id
+- generated `keywords`
+- generated `summary`
+- the guide tool name: `app:<id>`
 
-Follow the [MCP installation guide](https://modelcontextprotocol.io/quickstart/user). Config: `~/Library/Application Support/Claude/claude_desktop_config.json`
+Then restart your AI tool before using the imported skill.
 
-</details>
+### 4. Supported ACP Agents
 
-<details>
-<summary>Copilot / VS Code</summary>
+AAI Gateway can also control app-like agents through ACP.
 
-```bash
-code --add-mcp '{"name":"aai-gateway","command":"npx","args":["aai-gateway"]}'
-```
+Currently supported ACP agent types:
+
+- OpenCode
+- Claude Code
+- Codex
+
+## App Auto Discovery
+
+AAI Gateway discovers apps from four places:
 
-</details>
+- desktop descriptors
+- web descriptors
+- gateway-managed imports
+- built-in ACP agent descriptors
 
-<details>
-<summary>Cursor</summary>
+### The AAI Descriptor
 
-`Cursor Settings` → `MCP` → `Add new MCP Server`. Name: `aai-gateway`, Type: `command`, Command: `npx aai-gateway`
+The descriptor is a small `aai.json` file. It tells AAI Gateway:
 
-</details>
+- what the app is
+- how to connect to it
+- how to expose it at low context cost
 
-<details>
-<summary>OpenCode</summary>
+Minimal example:
 
 ```json
 {
-  "$schema": "https://opencode.ai/config.json",
-  "mcp": {
-    "aai-gateway": {
-      "type": "local",
-      "command": ["npx", "aai-gateway"],
-      "enabled": true
+  "schemaVersion": "2.0",
+  "version": "1.0.0",
+  "app": {
+    "name": {
+      "default": "Example App"
     }
+  },
+  "access": {
+    "protocol": "cli",
+    "config": {
+      "command": "example-app"
+    }
+  },
+  "exposure": {
+    "keywords": ["example", "utility"],
+    "summary": "Use this app when the user wants to work with Example App."
   }
 }
 ```
 
-</details>
+Supported `access.protocol` values today:
+
+- `mcp`
+- `skill`
+- `acp-agent`
+- `cli`
 
----
+### Where To Put `aai.json`
 
-## CLI Options
+#### Web Apps
+
+Publish it at:
+
+```text
+https://<your-host>/.well-known/aai.json
+```
 
-| Option      | Description                                     |
-| ----------- | ----------------------------------------------- |
-| `--dev`     | Development mode, scans Xcode build directories |
-| `--scan`    | Scan for AAI-enabled apps and exit              |
-| `--version` | Show version                                    |
-| `--help`    | Show help                                       |
+AAI Gateway fetches that path when the user calls `remote:discover`.
 
----
+#### macOS Apps
 
-## Appendix
+Recommended locations scanned by the gateway:
 
-### How to Integrate
+- `<YourApp>.app/Contents/Resources/aai.json`
+- `~/Library/Containers/<container>/Data/Library/Application Support/aai.json`
+- `~/Library/Containers/<container>/Data/Library/Application Support/aai-gateway/aai.json`
 
-There are two ways to integrate an app with AAI Gateway:
+#### Linux Apps
 
-#### Method 1: Provide a Descriptor File
+The gateway scans for `aai.json` under:
 
-Place an `aai.json` descriptor at the standard location:
+- `/usr/share`
+- `/usr/local/share`
+- `~/.local/share`
 
-| Platform    | Location                                     |
-| ----------- | -------------------------------------------- |
-| **Web**     | `https://<your-domain>/.well-known/aai.json` |
-| **macOS**   | `<App>.app/Contents/Resources/aai.json`      |
-| **Windows** | `<App>.exe directory/aai.json`               |
-| **Linux**   | `/usr/share/<app>/aai.json`                  |
+#### Windows Apps
 
-AAI Gateway will automatically discover and load the descriptor.
+The gateway scans for `aai.json` under:
 
-#### Method 2: Contribute to Built-in Registry
+- `C:\Program Files`
+- `C:\Program Files (x86)`
+- `%LOCALAPPDATA%`
 
-For web apps without a hosted descriptor, you can add a built-in descriptor to AAI Gateway:
+### Descriptor Guidelines
 
-1. Create `src/discovery/descriptors/<app>.ts` following existing patterns
-2. Register in `src/discovery/web-registry.ts`
-3. Submit a pull request
+Keep descriptors small and practical:
 
-This is useful for:
+- make `app.name.default` clear
+- keep `keywords` short and high-signal
+- make `summary` explain when the app should be used
+- put detailed capability data in the downstream protocol, not in the descriptor
 
-- Apps without official API documentation
-- Custom auth configurations
-- Cold-start scenarios
+If your app already speaks MCP, keep the descriptor minimal and let MCP provide tool detail lazily.
 
-#### Descriptor Format
+## Submit A Pull Request To Preload A Descriptor
 
-The descriptor follows the **[AAI Protocol specification](https://github.com/gybob/aai-protocol/blob/main/spec/aai-json.md)**. Key points:
+If you want AAI Gateway to ship with a descriptor by default, open a PR.
 
-- All field names use **camelCase** (e.g., `schemaVersion`, `baseUrl`)
-- Supports **internationalized names** with language fallback
-- Auth types: `oauth2`, `apiKey`, `appCredential`, `cookie`
-- Tools defined with JSON Schema parameters
+What to include:
 
-For the complete spec, see **[aai.json Descriptor Spec](https://github.com/gybob/aai-protocol/blob/main/spec/aai-json.md)**.
+- the descriptor itself
+- a safe discovery rule that proves the app is actually installed
+- the connection config
+- a short explanation of why the integration should be bundled
 
-#### Supported Auth Types
+Today, built-in ACP agent descriptors live in:
 
-| Type            | Use Case           | User Flow                  |
-| --------------- | ------------------ | -------------------------- |
-| `oauth2`        | User authorization | Browser OAuth 2.0 + PKCE   |
-| `apiKey`        | Static API tokens  | Dialog prompts for token   |
-| `appCredential` | Enterprise apps    | Dialog for App ID + Secret |
-| `cookie`        | No official API    | Manual cookie extraction   |
+- `src/discovery/descriptors/`
 
-#### Platform Support
+And they are registered in:
 
-| Platform    | Discovery              | IPC          | Consent   | Storage  |
-| ----------- | ---------------------- | ------------ | --------- | -------- |
-| **macOS**   | Supported              | Apple Events | osascript | Keychain |
-| **Linux**   | XDG paths              | DBus (gdbus)  | zenity/kdialog | libsecret |
-| **Windows** | Program Files          | COM (PowerShell) | PowerShell | CredMan  |
-| **Web**     | `.well-known/aai.json` | HTTP         | N/A       | Platform |
+- `src/discovery/agent-registry.ts`
 
-> **Note**: Linux and Windows implementations are functional but may require additional testing and refinement. Contributions are welcome!
+For a typical PR:
 
-#### Windows Requirements
+1. Add the descriptor file.
+2. Add or update discovery checks.
+3. Register it in the appropriate discovery source.
+4. Update the README if the new integration is user-facing.
 
-- **PowerShell 5.1+** (comes with Windows 10+)
-- **Execution Policy**: Must allow script execution
-  ```powershell
-  # Check current policy
-  Get-ExecutionPolicy
-  
-  # Set to allow local scripts (recommended)
-  Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
-  ```
-- **Credential Manager**: Built-in Windows feature, no additional setup needed
+If you are unsure whether an integration should be bundled, open an issue first.
 
-#### Linux Requirements
+## Disclaimer
 
-- **DBus**: Usually pre-installed on modern Linux distributions
-- **Dialog Tools**: Install one of the following:
-  ```bash
-  # Ubuntu/Debian
-  sudo apt install zenity  # or kdialog
-  
-  # Fedora
-  sudo dnf install zenity  # or kdialog
-  
-  # Arch Linux
-  sudo pacman -S zenity  # or kdialog
-  ```
-- **libsecret**: For secure credential storage
-  ```bash
-  # Ubuntu/Debian
-  sudo apt install libsecret-tools
-  
-  # Fedora
-  sudo dnf install libsecret
-  ```
-
----
-
-### Upcoming Apps
-
-The following apps are planned for future integration, organized by priority:
-
-#### 🚀 Priority P0 - High Activity + Simple Integration
-
-| App | Auth Type | API Base | Description |
-|-----|-----------|----------|-------------|
-| **GitHub** | OAuth2 / API Key | `api.github.com` | Code hosting, repositories, issues, PRs |
-| **Linear** | API Key | `api.linear.app` | Modern project management |
-| **Stripe** | API Key | `api.stripe.com` | Payment processing |
-| **Slack** | OAuth2 / Bot Token | `slack.com/api` | Team messaging and channels |
-| **Jira** | OAuth2 / API Token | `api.atlassian.com` | Issue and project tracking |
-| **Gitee** | API Key | `gitee.com/api/v5` | Code hosting (China) |
-
-#### 🔥 Priority P1 - High Activity
-
-| App | Auth Type | API Base | Description |
-|-----|-----------|----------|-------------|
-| **Google Drive** | OAuth2 | `www.googleapis.com/drive` | Cloud storage and files |
-| **Google Calendar** | OAuth2 | `www.googleapis.com/calendar` | Calendar and scheduling |
-| **Airtable** | API Key / OAuth2 | `api.airtable.com` | Database and spreadsheets |
-| **Trello** | API Key + Token | `api.trello.com/1` | Kanban boards |
-| **Asana** | API Key / OAuth2 | `app.asana.com/api/1.0` | Project management |
-| **Discord** | Bot Token / OAuth2 | `discord.com/api/v10` | Community messaging |
-| **GitLab** | API Key / OAuth2 | `gitlab.com/api/v4` | DevOps platform |
-| **DingTalk (钉钉)** | App Credential | `api.dingtalk.com/v1.0` | Enterprise messaging (China) |
-| **WeCom (企业微信)** | App Credential | `qyapi.weixin.qq.com/cgi-bin` | Enterprise WeChat (China) |
-
-#### 📈 Priority P2 - Medium Activity
-
-**Project Management & Collaboration:**
-
-| App | Auth Type | Description |
-|-----|-----------|-------------|
-| Monday.com | API Key | Work management platform |
-| ClickUp | API Key | Productivity platform |
-| Basecamp | OAuth2 | Project collaboration |
-| Bitbucket | API Key / OAuth2 | Git repository hosting |
-
-**Communication & Email:**
-
-| App | Auth Type | Description |
-|-----|-----------|-------------|
-| Gmail | OAuth2 | Email by Google |
-| Microsoft Outlook | OAuth2 | Email by Microsoft |
-| SendGrid | API Key | Email delivery service |
-| Mailgun | API Key | Email API service |
-| Twilio | API Key | SMS and voice API |
-| Tencent Meeting | OAuth2 / App Credential | Video conferencing (China) |
-
-**Data & Storage:**
-
-| App | Auth Type | Description |
-|-----|-----------|-------------|
-| Supabase | API Key | Backend-as-a-Service |
-| PlanetScale | API Key | Serverless MySQL |
-| Neon | API Key | Serverless PostgreSQL |
-| Aliyun Drive | OAuth2 | Cloud storage (China) |
-| Baidu Netdisk | OAuth2 | Cloud storage (China) |
-
-**Payments & Commerce:**
-
-| App | Auth Type | Description |
-|-----|-----------|-------------|
-| PayPal | OAuth2 | Payment platform |
-| Square | API Key | Payment processing |
-| Shopify | API Key | E-commerce platform |
-| WeChat Pay | App Credential | Payment platform (China) |
-
-#### 🔍 Priority P3 - Search & AI
-
-| App | Auth Type | API Base | Description |
-|-----|-----------|----------|-------------|
-| Brave Search | API Key | `api.search.brave.com/res/v1` | Privacy-focused search |
-| Perplexity | API Key | `api.perplexity.ai` | AI search engine |
-| Exa | API Key | `api.exa.ai` | AI-powered search |
-| Tavily | API Key | `api.tavily.com` | Search API for AI |
-
-#### ❌ Not Suitable for AAI Gateway
-
-The following MCP server types are **NOT suitable** for AAI Gateway as they require local implementation:
-
-| Type | Examples | Reason |
-|------|----------|--------|
-| Local Filesystem | Filesystem, Memory | Requires local file access |
-| Version Control | Git | Requires local git commands |
-| Browser Automation | Playwright, Puppeteer | Requires browser instance |
-| Code Execution | E2B, Riza | Requires sandbox environment |
-| Database Drivers | PostgreSQL, MySQL, SQLite | Requires database drivers |
-| System Commands | Shell, Terminal | Requires local command execution |
-
----
-
-Want to see your app prioritized? [Open an issue](https://github.com/gybob/aai-gateway/issues).
-## Links
+AAI Gateway is still under active development.
 
-- **[AAI Protocol Spec](https://github.com/gybob/aai-protocol)** - Protocol specification
-- [Report Issues](https://github.com/gybob/aai-gateway/issues) - Bug reports and feature requests
+You should expect rough edges, missing pieces, and bugs.
 
----
-
-## License
-
-Apache-2.0
+Contributions are welcome.