agent-auth-broker 0.0.2

package/dist/index.js

@@ -0,0 +1,2064 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command as Command11 } from "commander";
+
+// src/commands/init.ts
+import fs2 from "fs";
+import { Command } from "commander";
+import { stringify as stringifyYaml2 } from "yaml";
+
+// src/utils.ts
+import fs from "fs";
+import path from "path";
+import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
+var DEFAULT_CONFIG_NAME = "broker.yaml";
+function resolveConfigPath(configOption) {
+  if (configOption) {
+    return path.resolve(configOption);
+  }
+  let dir = process.cwd();
+  while (true) {
+    const candidate = path.join(dir, DEFAULT_CONFIG_NAME);
+    if (fs.existsSync(candidate)) return candidate;
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return path.resolve(DEFAULT_CONFIG_NAME);
+}
+function readRawConfig(configPath) {
+  if (!fs.existsSync(configPath)) {
+    throw new Error(`\u914D\u7F6E\u6587\u4EF6\u4E0D\u5B58\u5728: ${configPath}`);
+  }
+  const raw = fs.readFileSync(configPath, "utf-8");
+  return parseYaml(raw);
+}
+function writeConfig(configPath, config) {
+  const yaml = stringifyYaml(config, { lineWidth: 120 });
+  fs.writeFileSync(configPath, yaml, "utf-8");
+}
+function log(message) {
+  console.log(message);
+}
+function logError(message) {
+  console.error(`\u274C ${message}`);
+}
+function logSuccess(message) {
+  console.log(`\u2705 ${message}`);
+}
+function logWarn(message) {
+  console.log(`\u26A0\uFE0F  ${message}`);
+}
+
+// src/commands/init.ts
+var initCommand = new Command("init").description("\u521D\u59CB\u5316 broker.yaml \u914D\u7F6E\u6587\u4EF6").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).option("--force", "\u8986\u76D6\u5DF2\u5B58\u5728\u7684\u914D\u7F6E\u6587\u4EF6", false).action((opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  if (fs2.existsSync(configPath) && !opts.force) {
+    logWarn(`\u914D\u7F6E\u6587\u4EF6\u5DF2\u5B58\u5728: ${configPath}`);
+    logWarn("\u4F7F\u7528 --force \u8986\u76D6");
+    return;
+  }
+  const template = {
+    version: "1",
+    agents: [
+      {
+        id: "my-agent",
+        name: "My AI Agent"
+      }
+    ],
+    credentials: [
+      {
+        id: "github-main",
+        connector: "github",
+        token: "${GITHUB_TOKEN}"
+      }
+    ],
+    policies: [
+      {
+        agent: "my-agent",
+        credential: "github-main",
+        actions: ["*"]
+      }
+    ],
+    audit: {
+      enabled: true,
+      output: "stdout"
+    }
+  };
+  const yaml = stringifyYaml2(template, { lineWidth: 120 });
+  fs2.writeFileSync(configPath, yaml, "utf-8");
+  logSuccess(`\u5DF2\u521B\u5EFA\u914D\u7F6E\u6587\u4EF6: ${configPath}`);
+  log_hint();
+});
+function log_hint() {
+  console.log(`
+\u4E0B\u4E00\u6B65\uFF1A
+  1. \u8BBE\u7F6E\u73AF\u5883\u53D8\u91CF: export GITHUB_TOKEN=your_token
+  2. \u9A8C\u8BC1\u914D\u7F6E: broker validate
+  3. \u8BCA\u65AD\u8FDE\u63A5: broker diagnose
+  4. \u542F\u52A8\u670D\u52A1: broker serve
+`);
+}
+
+// src/commands/validate.ts
+import { Command as Command2 } from "commander";
+
+// ../../packages/local-runtime/src/config-loader.ts
+import fs3 from "fs";
+import path2 from "path";
+import { parse as parseYaml2 } from "yaml";
+import { z } from "zod";
+var RateLimitSchema = z.object({
+  max_calls: z.number().int().positive(),
+  window_seconds: z.number().int().positive()
+}).optional();
+var ParamConstraintSchema = z.record(
+  z.string(),
+  z.object({ pattern: z.string().optional() })
+);
+var AgentSchema = z.object({
+  id: z.string().min(1),
+  name: z.string().min(1),
+  token_hash: z.string().optional(),
+  token_prefix: z.string().optional()
+});
+var CredentialSchema = z.object({
+  id: z.string().min(1),
+  connector: z.string().min(1),
+  token: z.string().optional(),
+  encrypted: z.string().optional()
+});
+var PolicySchema = z.object({
+  agent: z.string().min(1),
+  credential: z.string().min(1),
+  actions: z.array(z.string()).default(["*"]),
+  param_constraints: ParamConstraintSchema.optional(),
+  rate_limit: RateLimitSchema,
+  expires_at: z.string().datetime().optional()
+});
+var AuditSchema = z.object({
+  enabled: z.boolean().default(true),
+  output: z.enum(["stdout", "file"]).default("stdout"),
+  file: z.string().optional()
+}).default({ enabled: true, output: "stdout" });
+var BrokerConfigSchema = z.object({
+  version: z.string().default("1"),
+  encryption_key: z.string().optional(),
+  agents: z.array(AgentSchema).min(1),
+  credentials: z.array(CredentialSchema).min(1),
+  policies: z.array(PolicySchema).min(1),
+  audit: AuditSchema
+});
+function resolveEnvVars(value) {
+  return value.replace(/\$\{([^}]+)\}/g, (_, envName) => {
+    const envValue = process.env[envName];
+    if (envValue === void 0) {
+      throw new Error(`\u73AF\u5883\u53D8\u91CF ${envName} \u672A\u8BBE\u7F6E`);
+    }
+    return envValue;
+  });
+}
+function resolveEnvVarsInObject(obj) {
+  if (typeof obj === "string") {
+    return resolveEnvVars(obj);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => resolveEnvVarsInObject(item));
+  }
+  if (obj !== null && typeof obj === "object") {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      result[key] = resolveEnvVarsInObject(value);
+    }
+    return result;
+  }
+  return obj;
+}
+function loadConfig(configPath) {
+  const absolutePath = path2.resolve(configPath);
+  if (!fs3.existsSync(absolutePath)) {
+    throw new Error(`\u914D\u7F6E\u6587\u4EF6\u4E0D\u5B58\u5728: ${absolutePath}`);
+  }
+  const raw = fs3.readFileSync(absolutePath, "utf-8");
+  const parsed = parseYaml2(raw);
+  const resolved = resolveEnvVarsInObject(parsed);
+  const result = BrokerConfigSchema.parse(resolved);
+  for (const cred of result.credentials) {
+    if (!cred.token && !cred.encrypted) {
+      throw new Error(`\u51ED\u8BC1 "${cred.id}" \u5FC5\u987B\u8BBE\u7F6E token \u6216 encrypted \u5B57\u6BB5`);
+    }
+    if (cred.encrypted && !result.encryption_key) {
+      throw new Error(`\u51ED\u8BC1 "${cred.id}" \u4F7F\u7528\u52A0\u5BC6\u5B58\u50A8\uFF0C\u4F46\u672A\u8BBE\u7F6E encryption_key`);
+    }
+  }
+  const agentIds = new Set(result.agents.map((a) => a.id));
+  const credentialIds = new Set(result.credentials.map((c) => c.id));
+  for (const policy of result.policies) {
+    if (!agentIds.has(policy.agent)) {
+      throw new Error(`\u7B56\u7565\u5F15\u7528\u4E86\u4E0D\u5B58\u5728\u7684 agent: "${policy.agent}"`);
+    }
+    if (!credentialIds.has(policy.credential)) {
+      throw new Error(`\u7B56\u7565\u5F15\u7528\u4E86\u4E0D\u5B58\u5728\u7684 credential: "${policy.credential}"`);
+    }
+  }
+  return result;
+}
+function validateConfigFile(configPath) {
+  const errors = [];
+  try {
+    const absolutePath = path2.resolve(configPath);
+    if (!fs3.existsSync(absolutePath)) {
+      return { valid: false, errors: [`\u914D\u7F6E\u6587\u4EF6\u4E0D\u5B58\u5728: ${absolutePath}`] };
+    }
+    const raw = fs3.readFileSync(absolutePath, "utf-8");
+    const parsed = parseYaml2(raw);
+    const result = BrokerConfigSchema.safeParse(parsed);
+    if (!result.success) {
+      for (const issue of result.error.issues) {
+        errors.push(`${issue.path.join(".")}: ${issue.message}`);
+      }
+    }
+  } catch (err) {
+    errors.push(err instanceof Error ? err.message : String(err));
+  }
+  return { valid: errors.length === 0, errors };
+}
+
+// ../../packages/local-runtime/src/local-store.ts
+var LocalStore = class {
+  agents;
+  credentials;
+  policies;
+  audit;
+  encryptionKey;
+  constructor(config) {
+    this.agents = new Map(config.agents.map((a) => [a.id, a]));
+    this.credentials = new Map(config.credentials.map((c) => [c.id, c]));
+    this.policies = config.policies;
+    this.audit = config.audit;
+    this.encryptionKey = config.encryption_key;
+  }
+  getAgent(id) {
+    return this.agents.get(id);
+  }
+  listAgents() {
+    return Array.from(this.agents.values());
+  }
+  getCredential(id) {
+    return this.credentials.get(id);
+  }
+  listCredentials() {
+    return Array.from(this.credentials.values());
+  }
+  /**
+   * 查找 agent 对 connector 的策略
+   */
+  findPolicy(agentId, connectorId) {
+    return this.policies.find((p) => {
+      if (p.agent !== agentId) return false;
+      const cred = this.credentials.get(p.credential);
+      if (!cred || cred.connector !== connectorId) return false;
+      if (p.expires_at && new Date(p.expires_at) < /* @__PURE__ */ new Date()) return false;
+      return true;
+    });
+  }
+  /**
+   * 获取 agent 的所有活跃策略
+   */
+  getAgentPolicies(agentId) {
+    const result = [];
+    for (const policy of this.policies) {
+      if (policy.agent !== agentId) continue;
+      if (policy.expires_at && new Date(policy.expires_at) < /* @__PURE__ */ new Date()) continue;
+      const cred = this.credentials.get(policy.credential);
+      if (!cred) continue;
+      result.push({ ...policy, credentialConfig: cred });
+    }
+    return result;
+  }
+  /**
+   * 通过 token hash 查找对应的 agent
+   */
+  findAgentByTokenHash(hash) {
+    return this.listAgents().find((a) => a.token_hash === hash);
+  }
+  /**
+   * 重新加载配置
+   */
+  reload(config) {
+    this.agents = new Map(config.agents.map((a) => [a.id, a]));
+    this.credentials = new Map(config.credentials.map((c) => [c.id, c]));
+    this.policies = config.policies;
+    this.audit = config.audit;
+    this.encryptionKey = config.encryption_key;
+  }
+};
+
+// ../../packages/connectors/src/github/index.ts
+var GITHUB_API = "https://api.github.com";
+async function githubRequest(method, path3, token, body) {
+  const res = await fetch(`${GITHUB_API}${path3}`, {
+    method,
+    headers: {
+      Authorization: `Bearer ${token}`,
+      Accept: "application/vnd.github.v3+json",
+      "Content-Type": "application/json",
+      "User-Agent": "agent-auth-broker/1.0"
+    },
+    body: body ? JSON.stringify(body) : void 0
+  });
+  const data = await res.json().catch(() => ({}));
+  return { status: res.status, data };
+}
+function ok(data, status) {
+  return { success: true, data, httpStatus: status };
+}
+function fail(message, code, status) {
+  return { success: false, error: { code, message }, httpStatus: status };
+}
+var githubConnector = {
+  info: {
+    id: "github",
+    name: "GitHub",
+    description: "GitHub \u4ED3\u5E93\u3001Issue\u3001PR \u64CD\u4F5C",
+    authType: "oauth2"
+  },
+  getActions() {
+    return [
+      { id: "list_repos", name: "\u5217\u51FA\u4ED3\u5E93", description: "\u5217\u51FA\u5DF2\u6388\u6743\u7528\u6237\u7684\u4ED3\u5E93", inputSchema: { type: "object", properties: { per_page: { type: "number" }, page: { type: "number" } } } },
+      { id: "get_repo", name: "\u83B7\u53D6\u4ED3\u5E93", description: "\u83B7\u53D6\u4ED3\u5E93\u4FE1\u606F", inputSchema: { type: "object", required: ["repo"], properties: { repo: { type: "string", description: "owner/repo" } } } },
+      { id: "list_issues", name: "\u5217\u51FA Issue", description: "\u5217\u51FA\u4ED3\u5E93\u7684 Issue", inputSchema: { type: "object", required: ["repo"], properties: { repo: { type: "string" }, state: { type: "string", enum: ["open", "closed", "all"] }, per_page: { type: "number" } } } },
+      { id: "get_issue", name: "\u83B7\u53D6 Issue", description: "\u83B7\u53D6\u5355\u4E2A Issue \u8BE6\u60C5", inputSchema: { type: "object", required: ["repo", "issue_number"], properties: { repo: { type: "string" }, issue_number: { type: "number" } } } },
+      { id: "create_issue", name: "\u521B\u5EFA Issue", description: "\u5728\u4ED3\u5E93\u4E2D\u521B\u5EFA Issue", inputSchema: { type: "object", required: ["repo", "title"], properties: { repo: { type: "string" }, title: { type: "string" }, body: { type: "string" }, labels: { type: "array", items: { type: "string" } } } } },
+      { id: "comment_issue", name: "\u8BC4\u8BBA Issue", description: "\u5728 Issue \u4E0A\u6DFB\u52A0\u8BC4\u8BBA", inputSchema: { type: "object", required: ["repo", "issue_number", "body"], properties: { repo: { type: "string" }, issue_number: { type: "number" }, body: { type: "string" } } } },
+      { id: "list_prs", name: "\u5217\u51FA PR", description: "\u5217\u51FA\u4ED3\u5E93\u7684 Pull Request", inputSchema: { type: "object", required: ["repo"], properties: { repo: { type: "string" }, state: { type: "string", enum: ["open", "closed", "all"] }, per_page: { type: "number" } } } },
+      { id: "create_pr", name: "\u521B\u5EFA PR", description: "\u521B\u5EFA Pull Request", inputSchema: { type: "object", required: ["repo", "title", "head", "base"], properties: { repo: { type: "string" }, title: { type: "string" }, head: { type: "string" }, base: { type: "string" }, body: { type: "string" }, draft: { type: "boolean" } } } },
+      { id: "get_file", name: "\u83B7\u53D6\u6587\u4EF6", description: "\u83B7\u53D6\u4ED3\u5E93\u4E2D\u7684\u6587\u4EF6\u5185\u5BB9", inputSchema: { type: "object", required: ["repo", "path"], properties: { repo: { type: "string" }, path: { type: "string" }, ref: { type: "string" } } } },
+      { id: "search_code", name: "\u641C\u7D22\u4EE3\u7801", description: "\u5728 GitHub \u4E0A\u641C\u7D22\u4EE3\u7801", inputSchema: { type: "object", required: ["q"], properties: { q: { type: "string" }, per_page: { type: "number" } } } }
+    ];
+  },
+  async execute(action, params, credential) {
+    const token = credential.accessToken;
+    switch (action) {
+      case "list_repos": {
+        const { per_page = 30, page = 1 } = params;
+        const r = await githubRequest("GET", `/user/repos?per_page=${per_page}&page=${page}&sort=updated`, token);
+        return r.status === 200 ? ok(r.data, r.status) : fail("Failed to list repos", "GITHUB_ERROR", r.status);
+      }
+      case "get_repo": {
+        const r = await githubRequest("GET", `/repos/${params.repo}`, token);
+        return r.status === 200 ? ok(r.data, r.status) : fail("Repo not found", "NOT_FOUND", r.status);
+      }
+      case "list_issues": {
+        const { repo, state = "open", per_page = 30 } = params;
+        const r = await githubRequest("GET", `/repos/${repo}/issues?state=${state}&per_page=${per_page}`, token);
+        return r.status === 200 ? ok(r.data, r.status) : fail("Failed to list issues", "GITHUB_ERROR", r.status);
+      }
+      case "get_issue": {
+        const r = await githubRequest("GET", `/repos/${params.repo}/issues/${params.issue_number}`, token);
+        return r.status === 200 ? ok(r.data, r.status) : fail("Issue not found", "NOT_FOUND", r.status);
+      }
+      case "create_issue": {
+        const { repo, ...body } = params;
+        const r = await githubRequest("POST", `/repos/${repo}/issues`, token, body);
+        return r.status === 201 ? ok(r.data, r.status) : fail("Failed to create issue", "GITHUB_ERROR", r.status);
+      }
+      case "comment_issue": {
+        const { repo, issue_number, body } = params;
+        const r = await githubRequest("POST", `/repos/${repo}/issues/${issue_number}/comments`, token, { body });
+        return r.status === 201 ? ok(r.data, r.status) : fail("Failed to add comment", "GITHUB_ERROR", r.status);
+      }
+      case "list_prs": {
+        const { repo, state = "open", per_page = 30 } = params;
+        const r = await githubRequest("GET", `/repos/${repo}/pulls?state=${state}&per_page=${per_page}`, token);
+        return r.status === 200 ? ok(r.data, r.status) : fail("Failed to list PRs", "GITHUB_ERROR", r.status);
+      }
+      case "create_pr": {
+        const { repo, ...body } = params;
+        const r = await githubRequest("POST", `/repos/${repo}/pulls`, token, body);
+        return r.status === 201 ? ok(r.data, r.status) : fail("Failed to create PR", "GITHUB_ERROR", r.status);
+      }
+      case "get_file": {
+        const { repo, path: path3, ref } = params;
+        const query = ref ? `?ref=${ref}` : "";
+        const r = await githubRequest("GET", `/repos/${repo}/contents/${path3}${query}`, token);
+        if (r.status === 200) {
+          const file = r.data;
+          if (file.content && file.encoding === "base64") {
+            file.content = Buffer.from(file.content.replace(/\n/g, ""), "base64").toString("utf8");
+          }
+          return ok(file, r.status);
+        }
+        return fail("File not found", "NOT_FOUND", r.status);
+      }
+      case "search_code": {
+        const { q, per_page = 10 } = params;
+        const r = await githubRequest("GET", `/search/code?q=${encodeURIComponent(q)}&per_page=${per_page}`, token);
+        return r.status === 200 ? ok(r.data, r.status) : fail("Search failed", "GITHUB_ERROR", r.status);
+      }
+      default:
+        return fail(`Unknown action: ${action}`, "UNKNOWN_ACTION");
+    }
+  }
+};
+
+// ../../packages/connectors/src/registry.ts
+var connectors = /* @__PURE__ */ new Map([
+  ["github", githubConnector]
+]);
+function getConnector(id) {
+  return connectors.get(id);
+}
+function listConnectors() {
+  return Array.from(connectors.values());
+}
+
+// ../../packages/connectors/src/scopes.ts
+var CONNECTOR_SCOPES = {
+  github: {
+    "github:read": [
+      "github:list_repos",
+      "github:get_repo",
+      "github:list_issues",
+      "github:get_issue",
+      "github:list_prs",
+      "github:get_file",
+      "github:search_code"
+    ],
+    "github:write": [
+      "github:create_issue",
+      "github:comment_issue",
+      "github:create_pr"
+    ]
+  }
+};
+function expandScopes(actions) {
+  if (actions.length === 1 && actions[0] === "*") return actions;
+  const expanded = /* @__PURE__ */ new Set();
+  for (const action of actions) {
+    let found = false;
+    for (const scopes of Object.values(CONNECTOR_SCOPES)) {
+      if (action in scopes) {
+        for (const a of scopes[action]) {
+          expanded.add(a);
+        }
+        found = true;
+        break;
+      }
+    }
+    if (!found) {
+      expanded.add(action);
+    }
+  }
+  return Array.from(expanded);
+}
+
+// ../../packages/local-runtime/src/rate-limiter.ts
+var RateLimiter = class {
+  /** key = `${agentId}:${credentialId}` */
+  windows = /* @__PURE__ */ new Map();
+  /**
+   * 检查是否允许请求
+   * @returns { allowed: true } 或 { allowed: false, retryAfterMs }
+   */
+  check(agentId, credentialId, config) {
+    const key = `${agentId}:${credentialId}`;
+    const now = Date.now();
+    const windowMs = config.window_seconds * 1e3;
+    const windowStart = now - windowMs;
+    let entry = this.windows.get(key);
+    if (!entry) {
+      entry = { timestamps: [] };
+      this.windows.set(key, entry);
+    }
+    entry.timestamps = entry.timestamps.filter((t) => t > windowStart);
+    if (entry.timestamps.length >= config.max_calls) {
+      const earliest = entry.timestamps[0];
+      const retryAfterMs = earliest + windowMs - now;
+      return { allowed: false, retryAfterMs: Math.max(retryAfterMs, 0) };
+    }
+    entry.timestamps.push(now);
+    return { allowed: true };
+  }
+  /**
+   * 清除所有计数器
+   */
+  reset() {
+    this.windows.clear();
+  }
+};
+
+// ../../packages/local-runtime/src/local-permission.ts
+var globalRateLimiter = new RateLimiter();
+function checkLocalPermission(input, store) {
+  const { agentId, connectorId, action } = input;
+  const fullAction = `${connectorId}:${action}`;
+  const agent = store.getAgent(agentId);
+  if (!agent) {
+    return { result: "DENIED_AGENT_INACTIVE", message: "Agent \u4E0D\u5B58\u5728" };
+  }
+  const policy = store.findPolicy(agentId, connectorId);
+  if (!policy) {
+    return { result: "DENIED_NO_POLICY", message: `\u672A\u627E\u5230 agent "${agentId}" \u5BF9 connector "${connectorId}" \u7684\u7B56\u7565` };
+  }
+  if (policy.expires_at && new Date(policy.expires_at) < /* @__PURE__ */ new Date()) {
+    return { result: "DENIED_NO_POLICY", message: `\u7B56\u7565\u5DF2\u8FC7\u671F\uFF08${policy.expires_at}\uFF09` };
+  }
+  const expandedActions = expandScopes(policy.actions);
+  const actionsAllowAll = expandedActions.length === 0 || expandedActions.length === 1 && expandedActions[0] === "*";
+  if (!actionsAllowAll && !expandedActions.includes(fullAction)) {
+    return {
+      result: "DENIED_ACTION_NOT_ALLOWED",
+      message: `\u64CD\u4F5C "${fullAction}" \u4E0D\u5728\u5141\u8BB8\u5217\u8868\u4E2D`
+    };
+  }
+  if (policy.param_constraints && input.params) {
+    for (const [key, constraint] of Object.entries(policy.param_constraints)) {
+      const paramValue = input.params[key];
+      if (constraint.pattern && typeof paramValue === "string") {
+        const regex = new RegExp(constraint.pattern);
+        if (!regex.test(paramValue)) {
+          return {
+            result: "DENIED_PARAM_CONSTRAINT",
+            message: `\u53C2\u6570 "${key}" \u7684\u503C "${paramValue}" \u4E0D\u5339\u914D\u6A21\u5F0F "${constraint.pattern}"`
+          };
+        }
+      }
+    }
+  }
+  if (policy.rate_limit) {
+    const rateCheck = globalRateLimiter.check(agentId, policy.credential, policy.rate_limit);
+    if (!rateCheck.allowed) {
+      const retrySeconds = Math.ceil(rateCheck.retryAfterMs / 1e3);
+      return {
+        result: "DENIED_ACTION_NOT_ALLOWED",
+        message: `\u901F\u7387\u9650\u5236\uFF1A\u8D85\u8FC7 ${policy.rate_limit.max_calls} \u6B21/${policy.rate_limit.window_seconds}\u79D2\uFF0C\u8BF7 ${retrySeconds} \u79D2\u540E\u91CD\u8BD5`
+      };
+    }
+  }
+  const credentialId = policy.credential;
+  return { result: "ALLOWED", credentialId };
+}
+
+// ../../packages/crypto/src/index.ts
+import crypto from "crypto";
+var ALGORITHM = "aes-256-gcm";
+var IV_LENGTH = 12;
+var TAG_LENGTH = 16;
+function getMasterKey() {
+  const key = process.env.BROKER_MASTER_KEY;
+  if (!key) throw new Error("BROKER_MASTER_KEY is not set");
+  const buf = Buffer.from(key, "hex");
+  if (buf.length !== 32) throw new Error("BROKER_MASTER_KEY must be 32 bytes (64 hex chars)");
+  return buf;
+}
+function decryptWithKey(encoded, key) {
+  const buf = Buffer.from(encoded, "base64");
+  const iv = buf.subarray(0, IV_LENGTH);
+  const tag = buf.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
+  const ciphertext = buf.subarray(IV_LENGTH + TAG_LENGTH);
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+}
+function decryptCredential(encrypted) {
+  const mek = getMasterKey();
+  const dek = decryptWithKey(encrypted.encryptionKeyId, mek);
+  const plaintext = decryptWithKey(encrypted.encryptedData, dek);
+  return JSON.parse(plaintext.toString("utf8"));
+}
+function generateAgentToken() {
+  const bytes = crypto.randomBytes(32);
+  const token = `agnt_${bytes.toString("base64url")}`;
+  const prefix = token.substring(0, 12);
+  return { token, prefix };
+}
+function hashToken(token) {
+  return crypto.createHash("sha256").update(token).digest("hex");
+}
+
+// ../../packages/local-runtime/src/local-vault.ts
+function loadLocalCredential(credentialId, store) {
+  const cred = store.getCredential(credentialId);
+  if (!cred) {
+    throw new Error(`\u51ED\u8BC1\u4E0D\u5B58\u5728: ${credentialId}`);
+  }
+  if (cred.token) {
+    return {
+      accessToken: cred.token,
+      tokenType: "bearer"
+    };
+  }
+  if (cred.encrypted) {
+    if (!store.encryptionKey) {
+      throw new Error(`\u51ED\u8BC1 "${credentialId}" \u4F7F\u7528\u52A0\u5BC6\u5B58\u50A8\uFF0C\u4F46\u914D\u7F6E\u4E2D\u672A\u8BBE\u7F6E encryption_key`);
+    }
+    const prevKey = process.env.BROKER_MASTER_KEY;
+    try {
+      process.env.BROKER_MASTER_KEY = store.encryptionKey;
+      const decrypted = decryptCredential({
+        encryptedData: cred.encrypted,
+        encryptionKeyId: ""
+        // 单层加密模式，encrypted 包含完整密文
+      });
+      return decrypted;
+    } finally {
+      if (prevKey !== void 0) {
+        process.env.BROKER_MASTER_KEY = prevKey;
+      } else {
+        delete process.env.BROKER_MASTER_KEY;
+      }
+    }
+  }
+  throw new Error(`\u51ED\u8BC1 "${credentialId}" \u672A\u914D\u7F6E token \u6216 encrypted`);
+}
+
+// ../../packages/local-runtime/src/local-audit.ts
+import fs4 from "fs";
+var SENSITIVE_KEYS = ["token", "secret", "password", "key", "credential"];
+function sanitizeParams(params) {
+  return Object.fromEntries(
+    Object.entries(params).map(([k, v]) => [
+      k,
+      SENSITIVE_KEYS.some((s) => k.toLowerCase().includes(s)) ? "[REDACTED]" : v
+    ])
+  );
+}
+var LocalAuditLogger = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  log(entry) {
+    if (!this.config.enabled) return;
+    const record = {
+      ...entry,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      params: sanitizeParams(entry.params)
+    };
+    const line = JSON.stringify(record);
+    if (this.config.output === "file" && this.config.file) {
+      fs4.appendFileSync(this.config.file, line + "\n", "utf-8");
+    } else {
+      console.error(`[broker-audit] ${line}`);
+    }
+  }
+};
+
+// ../../packages/local-runtime/src/local-broker.ts
+var LocalBroker = class {
+  store;
+  audit;
+  constructor(store) {
+    this.store = store;
+    this.audit = new LocalAuditLogger(store.audit);
+  }
+  /**
+   * 列出 agent 被授权的所有工具
+   */
+  listTools(agentId, connectorFilter) {
+    const policies = this.store.getAgentPolicies(agentId);
+    const tools = [];
+    for (const policy of policies) {
+      const connectorId = policy.credentialConfig.connector;
+      if (connectorFilter && connectorId !== connectorFilter) continue;
+      const conn = getConnector(connectorId);
+      if (!conn) continue;
+      const actions = conn.getActions();
+      const expandedActions = expandScopes(policy.actions);
+      const actionsAllowAll = expandedActions.length === 0 || expandedActions.length === 1 && expandedActions[0] === "*";
+      for (const action of actions) {
+        const fullAction = `${connectorId}:${action.id}`;
+        if (!actionsAllowAll && !expandedActions.includes(fullAction)) continue;
+        tools.push({
+          connector: connectorId,
+          connectorName: conn.info.name,
+          credentialName: policy.credentialConfig.id,
+          action: action.id,
+          actionName: action.name,
+          description: action.description
+        });
+      }
+    }
+    return tools;
+  }
+  /**
+   * 调用工具
+   */
+  async callTool(agentId, connectorId, action, params) {
+    const permCheck = checkLocalPermission(
+      { agentId, connectorId, action, params },
+      this.store
+    );
+    if (permCheck.result !== "ALLOWED" || !permCheck.credentialId) {
+      this.audit.log({
+        agentId,
+        connectorId,
+        action: `${connectorId}:${action}`,
+        params,
+        permissionResult: permCheck.result,
+        responseStatus: 403
+      });
+      return {
+        success: false,
+        error: permCheck.message,
+        permissionResult: permCheck.result
+      };
+    }
+    const connector = getConnector(connectorId);
+    if (!connector) {
+      return { success: false, error: `\u672A\u77E5\u7684 connector: ${connectorId}` };
+    }
+    try {
+      const credential = loadLocalCredential(permCheck.credentialId, this.store);
+      const result = await connector.execute(action, params, credential);
+      this.audit.log({
+        agentId,
+        connectorId,
+        action: `${connectorId}:${action}`,
+        params,
+        permissionResult: "ALLOWED",
+        responseStatus: result.httpStatus ?? (result.success ? 200 : 500),
+        errorMessage: result.success ? void 0 : result.error?.message
+      });
+      return {
+        success: result.success,
+        data: result.data,
+        error: result.error?.message
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Internal error";
+      this.audit.log({
+        agentId,
+        connectorId,
+        action: `${connectorId}:${action}`,
+        params,
+        permissionResult: "ALLOWED",
+        responseStatus: 500,
+        errorMessage: message
+      });
+      return { success: false, error: message };
+    }
+  }
+};
+
+// ../../packages/local-runtime/src/token-auth.ts
+function authenticateByToken(token, store) {
+  const hash = hashToken(token);
+  return store.findAgentByTokenHash(hash) ?? null;
+}
+
+// ../../packages/local-runtime/src/config-watcher.ts
+import fs5 from "fs";
+var ConfigWatcher = class {
+  constructor(configPath, store, opts) {
+    this.configPath = configPath;
+    this.store = store;
+    this.debounceMs = opts?.debounceMs ?? 300;
+  }
+  watcher = null;
+  debounceTimer = null;
+  debounceMs;
+  start() {
+    if (this.watcher) return;
+    this.watcher = fs5.watch(this.configPath, (_eventType) => {
+      if (this.debounceTimer) clearTimeout(this.debounceTimer);
+      this.debounceTimer = setTimeout(() => this.reload(), this.debounceMs);
+    });
+    this.watcher.on("error", (err) => {
+      console.error(`[config-watcher] \u76D1\u89C6\u6587\u4EF6\u51FA\u9519: ${err.message}`);
+    });
+  }
+  stop() {
+    if (this.debounceTimer) {
+      clearTimeout(this.debounceTimer);
+      this.debounceTimer = null;
+    }
+    if (this.watcher) {
+      this.watcher.close();
+      this.watcher = null;
+    }
+  }
+  reload() {
+    try {
+      const config = loadConfig(this.configPath);
+      this.store.reload(config);
+      console.error(`[config-watcher] \u914D\u7F6E\u5DF2\u91CD\u8F7D: ${this.configPath}`);
+    } catch (err) {
+      console.error(`[config-watcher] \u91CD\u8F7D\u5931\u8D25\uFF08\u4FDD\u7559\u65E7\u914D\u7F6E\uFF09: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+};
+
+// src/commands/validate.ts
+var validateCommand = new Command2("validate").description("\u9A8C\u8BC1 broker.yaml \u914D\u7F6E\u6587\u4EF6\u683C\u5F0F").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action((opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  console.log(`\u9A8C\u8BC1\u914D\u7F6E\u6587\u4EF6: ${configPath}`);
+  const { valid, errors } = validateConfigFile(configPath);
+  if (valid) {
+    logSuccess("\u914D\u7F6E\u6587\u4EF6\u683C\u5F0F\u6B63\u786E");
+  } else {
+    logError("\u914D\u7F6E\u6587\u4EF6\u5B58\u5728\u4EE5\u4E0B\u95EE\u9898:");
+    for (const err of errors) {
+      console.log(`  - ${err}`);
+    }
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/diagnose.ts
+import { Command as Command3 } from "commander";
+var diagnoseCommand = new Command3("diagnose").description("\u8BCA\u65AD\u914D\u7F6E\u548C\u51ED\u8BC1\u8FDE\u63A5\u72B6\u6001").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action(async (opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  log("1. \u52A0\u8F7D\u914D\u7F6E...");
+  let config;
+  try {
+    config = loadConfig(configPath);
+    logSuccess(`\u914D\u7F6E\u52A0\u8F7D\u6210\u529F (${config.agents.length} agents, ${config.credentials.length} credentials, ${config.policies.length} policies)`);
+  } catch (err) {
+    logError(`\u914D\u7F6E\u52A0\u8F7D\u5931\u8D25: ${err instanceof Error ? err.message : String(err)}`);
+    process.exitCode = 1;
+    return;
+  }
+  log("\n2. \u68C0\u67E5 Connector...");
+  const connectors2 = listConnectors();
+  const registeredIds = new Set(connectors2.map((c) => c.info.id));
+  for (const cred of config.credentials) {
+    if (registeredIds.has(cred.connector)) {
+      logSuccess(`Connector "${cred.connector}" \u5DF2\u6CE8\u518C`);
+    } else {
+      logError(`Connector "${cred.connector}" \u672A\u6CE8\u518C`);
+    }
+  }
+  log("\n3. \u6D4B\u8BD5\u51ED\u8BC1...");
+  const store = new LocalStore(config);
+  const broker = new LocalBroker(store);
+  for (const cred of config.credentials) {
+    const testAction = getTestAction(cred.connector);
+    if (!testAction) {
+      logWarn(`\u51ED\u8BC1 "${cred.id}" (${cred.connector}): \u65E0\u6D4B\u8BD5\u64CD\u4F5C`);
+      continue;
+    }
+    const policy = config.policies.find((p) => p.credential === cred.id);
+    if (!policy) {
+      logWarn(`\u51ED\u8BC1 "${cred.id}": \u65E0\u5173\u8054\u7B56\u7565\uFF0C\u8DF3\u8FC7\u6D4B\u8BD5`);
+      continue;
+    }
+    try {
+      const result = await broker.callTool(policy.agent, cred.connector, testAction, {});
+      if (result.success) {
+        logSuccess(`\u51ED\u8BC1 "${cred.id}" (${cred.connector}): \u8FDE\u63A5\u6B63\u5E38`);
+      } else {
+        logError(`\u51ED\u8BC1 "${cred.id}" (${cred.connector}): ${result.error}`);
+      }
+    } catch (err) {
+      logError(`\u51ED\u8BC1 "${cred.id}" (${cred.connector}): ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  log("\n\u8BCA\u65AD\u5B8C\u6210");
+});
+function getTestAction(connector) {
+  const testActions = {
+    github: "list_repos",
+    feishu: "get_user_info"
+  };
+  return testActions[connector];
+}
+
+// src/commands/serve.ts
+import { Command as Command4 } from "commander";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
+var serveCommand = new Command4("serve").description("\u542F\u52A8 MCP Server\uFF08stdio \u6A21\u5F0F\uFF09").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).option("-a, --agent <id>", "Agent ID\uFF08\u9ED8\u8BA4\u4F7F\u7528\u914D\u7F6E\u4E2D\u7684\u7B2C\u4E00\u4E2A agent\uFF09", void 0).action(async (opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  let config;
+  try {
+    config = loadConfig(configPath);
+  } catch (err) {
+    logError(`\u914D\u7F6E\u52A0\u8F7D\u5931\u8D25: ${err instanceof Error ? err.message : String(err)}`);
+    process.exitCode = 1;
+    return;
+  }
+  const store = new LocalStore(config);
+  const broker = new LocalBroker(store);
+  let agentId;
+  const envToken = process.env.BROKER_AGENT_TOKEN;
+  if (envToken) {
+    const matched = authenticateByToken(envToken, store);
+    if (!matched) {
+      logError("BROKER_AGENT_TOKEN \u8BA4\u8BC1\u5931\u8D25\uFF1Atoken \u4E0D\u5339\u914D\u4EFB\u4F55 agent");
+      process.exitCode = 1;
+      return;
+    }
+    agentId = matched.id;
+    console.error(`[broker-cli] Token \u8BA4\u8BC1\u6210\u529F: ${matched.name} (${agentId})`);
+  } else {
+    agentId = opts.agent ?? config.agents[0].id;
+  }
+  const agent = store.getAgent(agentId);
+  if (!agent) {
+    logError(`Agent "${agentId}" \u4E0D\u5B58\u5728`);
+    process.exitCode = 1;
+    return;
+  }
+  console.error(`[broker-cli] \u4F7F\u7528\u914D\u7F6E: ${configPath}`);
+  console.error(`[broker-cli] Agent: ${agent.name} (${agentId})`);
+  const server = new Server(
+    { name: "agent-auth-broker", version: "0.1.0" },
+    { capabilities: { tools: {} } }
+  );
+  server.setRequestHandler(ListToolsRequestSchema, async () => {
+    const tools = broker.listTools(agentId);
+    const mcpTools = [
+      {
+        name: "broker_call",
+        description: "\u901A\u8FC7 Auth Broker \u8C03\u7528\u7B2C\u4E09\u65B9\u670D\u52A1\uFF08GitHub\u3001\u98DE\u4E66\u7B49\uFF09\uFF0C\u51ED\u8BC1\u7531 Broker \u5B89\u5168\u7BA1\u7406",
+        inputSchema: {
+          type: "object",
+          required: ["connector", "action", "params"],
+          properties: {
+            connector: { type: "string", description: '\u76EE\u6807\u670D\u52A1\u540D\u79F0\uFF0C\u5982 "github"' },
+            action: { type: "string", description: '\u64CD\u4F5C\u540D\u79F0\uFF0C\u5982 "create_issue"' },
+            params: { type: "object", description: "\u64CD\u4F5C\u53C2\u6570" }
+          }
+        }
+      },
+      {
+        name: "broker_list_tools",
+        description: "\u5217\u51FA\u5F53\u524D Agent \u88AB\u6388\u6743\u7684\u6240\u6709\u5DE5\u5177",
+        inputSchema: {
+          type: "object",
+          properties: {
+            connector: { type: "string", description: "\u53EF\u9009\uFF0C\u8FC7\u6EE4\u7279\u5B9A connector \u7684\u5DE5\u5177" }
+          }
+        }
+      }
+    ];
+    const toolMap = /* @__PURE__ */ new Map();
+    for (const t of tools) {
+      const toolName = `${t.connector}_${t.action}`;
+      if (toolMap.has(toolName)) continue;
+      toolMap.set(toolName, {
+        name: toolName,
+        description: `[${t.connectorName}] ${t.description}\uFF08\u51ED\u8BC1\uFF1A${t.credentialName}\uFF09`,
+        inputSchema: {
+          type: "object",
+          description: `\u8C03\u7528 ${t.connectorName} \u7684 ${t.actionName} \u64CD\u4F5C`
+        }
+      });
+    }
+    return { tools: [...mcpTools, ...toolMap.values()] };
+  });
+  server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args = {} } = request.params;
+    const params = args;
+    try {
+      if (name === "broker_list_tools") {
+        const tools = broker.listTools(agentId, params.connector);
+        return {
+          content: [{ type: "text", text: JSON.stringify(tools, null, 2) }]
+        };
+      }
+      let connector;
+      let action;
+      let callParams;
+      if (name === "broker_call") {
+        connector = params.connector;
+        action = params.action;
+        callParams = params.params ?? {};
+      } else {
+        const allTools = broker.listTools(agentId);
+        const matched = allTools.find((t) => `${t.connector}_${t.action}` === name);
+        if (!matched) {
+          return {
+            content: [{ type: "text", text: `No permission for tool: ${name}` }],
+            isError: true
+          };
+        }
+        connector = matched.connector;
+        action = matched.action;
+        callParams = params;
+      }
+      const result = await broker.callTool(agentId, connector, action, callParams);
+      if (!result.success) {
+        const errorText = result.permissionResult ? `Permission denied (${result.permissionResult}): ${result.error}` : `Error: ${result.error}`;
+        return { content: [{ type: "text", text: errorText }], isError: true };
+      }
+      return {
+        content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }]
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return { content: [{ type: "text", text: `Internal error: ${message}` }], isError: true };
+    }
+  });
+  const watcher = new ConfigWatcher(configPath, store);
+  watcher.start();
+  console.error("[broker-cli] \u914D\u7F6E\u70ED\u91CD\u8F7D\u5DF2\u542F\u7528");
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error("[broker-cli] MCP Server started (stdio mode)");
+  process.on("SIGINT", () => {
+    watcher.stop();
+    process.exit(0);
+  });
+  process.on("SIGTERM", () => {
+    watcher.stop();
+    process.exit(0);
+  });
+});
+
+// src/commands/credential.ts
+import { Command as Command5 } from "commander";
+var credentialCommand = new Command5("credential").description("\u51ED\u8BC1\u7BA1\u7406");
+credentialCommand.command("add").description("\u6DFB\u52A0\u51ED\u8BC1").argument("<connector>", "\u670D\u52A1\u7C7B\u578B (\u5982 github)").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).option("--id <id>", "\u51ED\u8BC1 ID\uFF08\u9ED8\u8BA4\u4E3A connector \u540D\u79F0\uFF09", void 0).option("--env <name>", "\u73AF\u5883\u53D8\u91CF\u540D\u79F0\uFF08\u4F7F\u7528 ${ENV_VAR} \u5F15\u7528\uFF09", void 0).option("--token <token>", "\u76F4\u63A5\u6307\u5B9A token \u503C", void 0).action((connector, opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const credentialId = opts.id ?? `${connector}-main`;
+  const connectors2 = listConnectors();
+  const supported = connectors2.find((c) => c.info.id === connector);
+  if (!supported) {
+    logError(`\u4E0D\u652F\u6301\u7684 connector: "${connector}"`);
+    log(`\u652F\u6301\u7684 connector: ${connectors2.map((c) => c.info.id).join(", ")}`);
+    process.exitCode = 1;
+    return;
+  }
+  let tokenValue;
+  if (opts.env) {
+    tokenValue = `\${${opts.env}}`;
+  } else if (opts.token) {
+    tokenValue = opts.token;
+    logWarn("\u76F4\u63A5\u6307\u5B9A token \u503C\u4E0D\u5B89\u5168\uFF0C\u5EFA\u8BAE\u4F7F\u7528 --env \u5F15\u7528\u73AF\u5883\u53D8\u91CF");
+  } else {
+    logError("\u8BF7\u6307\u5B9A --env <ENV_VAR> \u6216 --token <value>");
+    process.exitCode = 1;
+    return;
+  }
+  const config = readRawConfig(configPath);
+  const credentials = config.credentials ?? [];
+  const existing = credentials.find((c) => c.id === credentialId);
+  if (existing) {
+    logWarn(`\u51ED\u8BC1 "${credentialId}" \u5DF2\u5B58\u5728\uFF0C\u5C06\u88AB\u66F4\u65B0`);
+    existing.token = tokenValue;
+    delete existing.encrypted;
+  } else {
+    credentials.push({
+      id: credentialId,
+      connector,
+      token: tokenValue
+    });
+  }
+  config.credentials = credentials;
+  writeConfig(configPath, config);
+  logSuccess(`\u5DF2\u6DFB\u52A0\u51ED\u8BC1 "${credentialId}" (${connector})`);
+});
+credentialCommand.command("list").description("\u5217\u51FA\u6240\u6709\u51ED\u8BC1").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action((opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const credentials = config.credentials ?? [];
+  if (credentials.length === 0) {
+    log("\u6682\u65E0\u51ED\u8BC1");
+    return;
+  }
+  log(`\u51ED\u8BC1\u5217\u8868 (${credentials.length}):`);
+  for (const cred of credentials) {
+    const source = cred.token?.startsWith("${") ? `env: ${cred.token}` : cred.encrypted ? "encrypted" : "plaintext";
+    log(`  - ${cred.id} (${cred.connector}) [${source}]`);
+  }
+});
+credentialCommand.command("remove").description("\u79FB\u9664\u51ED\u8BC1").argument("<id>", "\u51ED\u8BC1 ID").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action((id, opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const credentials = config.credentials ?? [];
+  const index = credentials.findIndex((c) => c.id === id);
+  if (index === -1) {
+    logError(`\u51ED\u8BC1 "${id}" \u4E0D\u5B58\u5728`);
+    process.exitCode = 1;
+    return;
+  }
+  credentials.splice(index, 1);
+  config.credentials = credentials;
+  writeConfig(configPath, config);
+  logSuccess(`\u5DF2\u79FB\u9664\u51ED\u8BC1 "${id}"`);
+});
+
+// src/commands/agent.ts
+import { Command as Command6 } from "commander";
+var agentCommand = new Command6("agent").description("Agent \u7BA1\u7406");
+agentCommand.command("create").description("\u521B\u5EFA Agent").argument("<id>", "Agent ID").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).option("-n, --name <name>", "Agent \u540D\u79F0", void 0).action((id, opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const agents = config.agents ?? [];
+  if (agents.find((a) => a.id === id)) {
+    logError(`Agent "${id}" \u5DF2\u5B58\u5728`);
+    process.exitCode = 1;
+    return;
+  }
+  agents.push({
+    id,
+    name: opts.name ?? id
+  });
+  config.agents = agents;
+  writeConfig(configPath, config);
+  logSuccess(`\u5DF2\u521B\u5EFA Agent "${id}"`);
+});
+agentCommand.command("list").description("\u5217\u51FA\u6240\u6709 Agent").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action((opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const agents = config.agents ?? [];
+  if (agents.length === 0) {
+    log("\u6682\u65E0 Agent");
+    return;
+  }
+  log(`Agent \u5217\u8868 (${agents.length}):`);
+  for (const agent of agents) {
+    log(`  - ${agent.id} (${agent.name})`);
+  }
+});
+agentCommand.command("remove").description("\u79FB\u9664 Agent").argument("<id>", "Agent ID").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action((id, opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const agents = config.agents ?? [];
+  const index = agents.findIndex((a) => a.id === id);
+  if (index === -1) {
+    logError(`Agent "${id}" \u4E0D\u5B58\u5728`);
+    process.exitCode = 1;
+    return;
+  }
+  agents.splice(index, 1);
+  config.agents = agents;
+  writeConfig(configPath, config);
+  logSuccess(`\u5DF2\u79FB\u9664 Agent "${id}"`);
+});
+
+// src/commands/policy.ts
+import { Command as Command7 } from "commander";
+var policyCommand = new Command7("policy").description("\u7B56\u7565\u7BA1\u7406");
+policyCommand.command("set").description("\u8BBE\u7F6E\u6216\u66F4\u65B0\u7B56\u7565").argument("<agent>", "Agent ID").argument("<credential>", "\u51ED\u8BC1 ID").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).option("--actions <actions>", '\u5141\u8BB8\u7684\u64CD\u4F5C\u5217\u8868\uFF0C\u9017\u53F7\u5206\u9694\uFF08"*" \u8868\u793A\u5168\u90E8\u5141\u8BB8\uFF09', "*").action((agentId, credentialId, opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const policies = config.policies ?? [];
+  const actions = opts.actions === "*" ? ["*"] : opts.actions.split(",").map((a) => a.trim());
+  const existing = policies.find((p) => p.agent === agentId && p.credential === credentialId);
+  if (existing) {
+    existing.actions = actions;
+    logSuccess(`\u5DF2\u66F4\u65B0\u7B56\u7565: ${agentId} -> ${credentialId}`);
+  } else {
+    policies.push({
+      agent: agentId,
+      credential: credentialId,
+      actions
+    });
+    logSuccess(`\u5DF2\u521B\u5EFA\u7B56\u7565: ${agentId} -> ${credentialId}`);
+  }
+  config.policies = policies;
+  writeConfig(configPath, config);
+});
+policyCommand.command("list").description("\u5217\u51FA\u6240\u6709\u7B56\u7565").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action((opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const policies = config.policies ?? [];
+  if (policies.length === 0) {
+    log("\u6682\u65E0\u7B56\u7565");
+    return;
+  }
+  log(`\u7B56\u7565\u5217\u8868 (${policies.length}):`);
+  for (const policy of policies) {
+    const actionsStr = policy.actions.includes("*") ? "\u6240\u6709\u64CD\u4F5C" : policy.actions.join(", ");
+    log(`  - ${policy.agent} -> ${policy.credential}: [${actionsStr}]`);
+  }
+});
+policyCommand.command("remove").description("\u79FB\u9664\u7B56\u7565").argument("<agent>", "Agent ID").argument("<credential>", "\u51ED\u8BC1 ID").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action((agentId, credentialId, opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const policies = config.policies ?? [];
+  const index = policies.findIndex((p) => p.agent === agentId && p.credential === credentialId);
+  if (index === -1) {
+    logError(`\u7B56\u7565 "${agentId} -> ${credentialId}" \u4E0D\u5B58\u5728`);
+    process.exitCode = 1;
+    return;
+  }
+  policies.splice(index, 1);
+  config.policies = policies;
+  writeConfig(configPath, config);
+  logSuccess(`\u5DF2\u79FB\u9664\u7B56\u7565: ${agentId} -> ${credentialId}`);
+});
+
+// src/commands/ui.ts
+import { Command as Command8 } from "commander";
+
+// src/ui/server.ts
+import http from "http";
+
+// src/ui/html.ts
+function getHtml() {
+  return `<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Agent Auth Broker \u2014 File Mode UI</title>
+  <style>
+    #broker-ui {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      max-width: 960px;
+      margin: 0 auto;
+      padding: 24px;
+      color: #1a1a1a;
+      background: #fafafa;
+      min-height: 100vh;
+    }
+    #broker-ui * { box-sizing: border-box; }
+    #broker-ui h1 { font-size: 1.5rem; margin: 0 0 24px; }
+    #broker-ui .tabs {
+      display: flex;
+      border-bottom: 2px solid #e5e7eb;
+      margin-bottom: 24px;
+      gap: 4px;
+    }
+    #broker-ui .tab {
+      padding: 8px 20px;
+      cursor: pointer;
+      border: none;
+      background: none;
+      font-size: 0.95rem;
+      color: #6b7280;
+      border-bottom: 2px solid transparent;
+      margin-bottom: -2px;
+      transition: color 0.15s, border-color 0.15s;
+    }
+    #broker-ui .tab:hover { color: #374151; }
+    #broker-ui .tab.active {
+      color: #2563eb;
+      border-bottom-color: #2563eb;
+      font-weight: 600;
+    }
+    #broker-ui .panel { display: none; }
+    #broker-ui .panel.active { display: block; }
+    #broker-ui table {
+      width: 100%;
+      border-collapse: collapse;
+      margin-bottom: 20px;
+      background: #fff;
+      border-radius: 8px;
+      overflow: hidden;
+      box-shadow: 0 1px 3px rgba(0,0,0,0.08);
+    }
+    #broker-ui th, #broker-ui td {
+      text-align: left;
+      padding: 10px 14px;
+      border-bottom: 1px solid #f0f0f0;
+      font-size: 0.9rem;
+    }
+    #broker-ui th {
+      background: #f9fafb;
+      font-weight: 600;
+      color: #374151;
+    }
+    #broker-ui .form-card {
+      background: #fff;
+      padding: 20px;
+      border-radius: 8px;
+      box-shadow: 0 1px 3px rgba(0,0,0,0.08);
+      margin-bottom: 20px;
+    }
+    #broker-ui .form-card h3 {
+      margin: 0 0 16px;
+      font-size: 1rem;
+      color: #374151;
+    }
+    #broker-ui .form-row {
+      display: flex;
+      gap: 12px;
+      margin-bottom: 12px;
+      align-items: flex-end;
+    }
+    #broker-ui .form-group {
+      display: flex;
+      flex-direction: column;
+      gap: 4px;
+      flex: 1;
+    }
+    #broker-ui label {
+      font-size: 0.82rem;
+      color: #6b7280;
+      font-weight: 500;
+    }
+    #broker-ui input, #broker-ui select {
+      padding: 7px 10px;
+      border: 1px solid #d1d5db;
+      border-radius: 6px;
+      font-size: 0.9rem;
+    }
+    #broker-ui input:focus, #broker-ui select:focus {
+      outline: none;
+      border-color: #2563eb;
+      box-shadow: 0 0 0 2px rgba(37,99,235,0.1);
+    }
+    #broker-ui button {
+      cursor: pointer;
+      font-size: 0.9rem;
+    }
+    #broker-ui .btn {
+      padding: 7px 16px;
+      border: none;
+      border-radius: 6px;
+      font-weight: 500;
+    }
+    #broker-ui .btn-primary {
+      background: #2563eb;
+      color: #fff;
+    }
+    #broker-ui .btn-primary:hover { background: #1d4ed8; }
+    #broker-ui .btn-danger {
+      background: #ef4444;
+      color: #fff;
+      padding: 4px 10px;
+      font-size: 0.82rem;
+    }
+    #broker-ui .btn-danger:hover { background: #dc2626; }
+    #broker-ui .btn-secondary {
+      background: #f3f4f6;
+      color: #374151;
+      border: 1px solid #d1d5db;
+    }
+    #broker-ui .btn-secondary:hover { background: #e5e7eb; }
+    #broker-ui .yaml-preview {
+      background: #1e293b;
+      color: #e2e8f0;
+      padding: 16px;
+      border-radius: 8px;
+      font-family: 'Menlo', 'Consolas', monospace;
+      font-size: 0.85rem;
+      line-height: 1.6;
+      white-space: pre-wrap;
+      overflow-x: auto;
+      max-height: 600px;
+      overflow-y: auto;
+    }
+    #broker-ui .toast {
+      position: fixed;
+      bottom: 24px;
+      right: 24px;
+      padding: 10px 20px;
+      border-radius: 8px;
+      color: #fff;
+      font-size: 0.9rem;
+      opacity: 0;
+      transition: opacity 0.3s;
+      z-index: 1000;
+    }
+    #broker-ui .toast.show { opacity: 1; }
+    #broker-ui .toast.success { background: #059669; }
+    #broker-ui .toast.error { background: #dc2626; }
+    #broker-ui .empty {
+      text-align: center;
+      color: #9ca3af;
+      padding: 32px;
+      font-size: 0.9rem;
+    }
+    #broker-ui .header {
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+      margin-bottom: 24px;
+    }
+    #broker-ui .header .status {
+      font-size: 0.82rem;
+      color: #6b7280;
+    }
+    #broker-ui .badge {
+      display: inline-block;
+      padding: 2px 8px;
+      border-radius: 9999px;
+      font-size: 0.75rem;
+      font-weight: 500;
+    }
+    #broker-ui .badge-blue { background: #dbeafe; color: #1d4ed8; }
+    #broker-ui .badge-green { background: #dcfce7; color: #15803d; }
+  </style>
+</head>
+<body>
+<div id="broker-ui">
+  <div class="header">
+    <h1>Agent Auth Broker</h1>
+    <span class="status" id="config-path"></span>
+  </div>
+  <div class="tabs">
+    <button class="tab active" data-tab="agents">Agents</button>
+    <button class="tab" data-tab="credentials">Credentials</button>
+    <button class="tab" data-tab="policies">Policies</button>
+    <button class="tab" data-tab="yaml">YAML</button>
+  </div>
+
+  <!-- Agents Panel -->
+  <div class="panel active" id="panel-agents">
+    <div class="form-card">
+      <h3>Add Agent</h3>
+      <div class="form-row">
+        <div class="form-group">
+          <label>ID</label>
+          <input id="agent-id" placeholder="my-agent">
+        </div>
+        <div class="form-group">
+          <label>Name</label>
+          <input id="agent-name" placeholder="My AI Agent">
+        </div>
+        <button class="btn btn-primary" onclick="addAgent()">Add</button>
+      </div>
+    </div>
+    <table id="agents-table">
+      <thead><tr><th>ID</th><th>Name</th><th></th></tr></thead>
+      <tbody></tbody>
+    </table>
+  </div>
+
+  <!-- Credentials Panel -->
+  <div class="panel" id="panel-credentials">
+    <div class="form-card">
+      <h3>Add Credential</h3>
+      <div class="form-row">
+        <div class="form-group">
+          <label>ID</label>
+          <input id="cred-id" placeholder="github-main">
+        </div>
+        <div class="form-group">
+          <label>Connector</label>
+          <select id="cred-connector"></select>
+        </div>
+        <div class="form-group">
+          <label>Token (env var reference)</label>
+          <input id="cred-token" placeholder="\${GITHUB_TOKEN}">
+        </div>
+        <button class="btn btn-primary" onclick="addCredential()">Add</button>
+      </div>
+    </div>
+    <table id="credentials-table">
+      <thead><tr><th>ID</th><th>Connector</th><th>Token</th><th></th></tr></thead>
+      <tbody></tbody>
+    </table>
+  </div>
+
+  <!-- Policies Panel -->
+  <div class="panel" id="panel-policies">
+    <div class="form-card">
+      <h3>Add Policy</h3>
+      <div class="form-row">
+        <div class="form-group">
+          <label>Agent</label>
+          <select id="policy-agent"></select>
+        </div>
+        <div class="form-group">
+          <label>Credential</label>
+          <select id="policy-credential"></select>
+        </div>
+        <div class="form-group">
+          <label>Actions (comma-separated, * for all)</label>
+          <input id="policy-actions" placeholder="*" value="*">
+        </div>
+        <button class="btn btn-primary" onclick="addPolicy()">Add</button>
+      </div>
+    </div>
+    <table id="policies-table">
+      <thead><tr><th>Agent</th><th>Credential</th><th>Actions</th><th></th></tr></thead>
+      <tbody></tbody>
+    </table>
+  </div>
+
+  <!-- YAML Preview Panel -->
+  <div class="panel" id="panel-yaml">
+    <div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:12px;">
+      <h3 style="margin:0;font-size:1rem;color:#374151;">broker.yaml</h3>
+      <button class="btn btn-secondary" onclick="refreshYaml()">Refresh</button>
+    </div>
+    <pre class="yaml-preview" id="yaml-content"></pre>
+  </div>
+
+  <div class="toast" id="toast"></div>
+</div>
+
+<script>
+const API = '';
+
+// Tab switching
+document.querySelectorAll('#broker-ui .tab').forEach(tab => {
+  tab.addEventListener('click', () => {
+    document.querySelectorAll('#broker-ui .tab').forEach(t => t.classList.remove('active'));
+    document.querySelectorAll('#broker-ui .panel').forEach(p => p.classList.remove('active'));
+    tab.classList.add('active');
+    document.getElementById('panel-' + tab.dataset.tab).classList.add('active');
+    if (tab.dataset.tab === 'yaml') refreshYaml();
+    if (tab.dataset.tab === 'policies') refreshSelects();
+  });
+});
+
+function toast(msg, type) {
+  const el = document.getElementById('toast');
+  el.textContent = msg;
+  el.className = 'toast show ' + type;
+  setTimeout(() => el.classList.remove('show'), 2500);
+}
+
+async function api(method, path, body) {
+  const opts = { method, headers: { 'Content-Type': 'application/json' } };
+  if (body) opts.body = JSON.stringify(body);
+  const res = await fetch(API + path, opts);
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || res.statusText);
+  }
+  return res.json();
+}
+
+// ===== Agents =====
+async function loadAgents() {
+  try {
+    const data = await api('GET', '/api/agents');
+    const tbody = document.querySelector('#agents-table tbody');
+    if (!data.length) {
+      tbody.innerHTML = '<tr><td colspan="3" class="empty">No agents configured</td></tr>';
+      return;
+    }
+    tbody.innerHTML = data.map(a =>
+      '<tr><td>' + esc(a.id) + '</td><td>' + esc(a.name) + '</td>' +
+      '<td><button class="btn btn-danger" onclick="deleteAgent(\\'' + esc(a.id) + '\\')">Delete</button></td></tr>'
+    ).join('');
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+async function addAgent() {
+  const id = document.getElementById('agent-id').value.trim();
+  const name = document.getElementById('agent-name').value.trim();
+  if (!id || !name) return toast('ID and Name are required', 'error');
+  try {
+    await api('POST', '/api/agents', { id, name });
+    document.getElementById('agent-id').value = '';
+    document.getElementById('agent-name').value = '';
+    toast('Agent added', 'success');
+    loadAgents();
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+async function deleteAgent(id) {
+  try {
+    await api('DELETE', '/api/agents/' + id);
+    toast('Agent deleted', 'success');
+    loadAgents();
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+// ===== Credentials =====
+async function loadCredentials() {
+  try {
+    const data = await api('GET', '/api/credentials');
+    const tbody = document.querySelector('#credentials-table tbody');
+    if (!data.length) {
+      tbody.innerHTML = '<tr><td colspan="4" class="empty">No credentials configured</td></tr>';
+      return;
+    }
+    tbody.innerHTML = data.map(c =>
+      '<tr><td>' + esc(c.id) + '</td><td><span class="badge badge-blue">' + esc(c.connector) + '</span></td>' +
+      '<td>' + esc(c.token || '(encrypted)') + '</td>' +
+      '<td><button class="btn btn-danger" onclick="deleteCredential(\\'' + esc(c.id) + '\\')">Delete</button></td></tr>'
+    ).join('');
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+async function addCredential() {
+  const id = document.getElementById('cred-id').value.trim();
+  const connector = document.getElementById('cred-connector').value;
+  const token = document.getElementById('cred-token').value.trim();
+  if (!id || !connector || !token) return toast('All fields are required', 'error');
+  try {
+    await api('POST', '/api/credentials', { id, connector, token });
+    document.getElementById('cred-id').value = '';
+    document.getElementById('cred-token').value = '';
+    toast('Credential added', 'success');
+    loadCredentials();
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+async function deleteCredential(id) {
+  try {
+    await api('DELETE', '/api/credentials/' + id);
+    toast('Credential deleted', 'success');
+    loadCredentials();
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+// ===== Policies =====
+async function loadPolicies() {
+  try {
+    const data = await api('GET', '/api/policies');
+    const tbody = document.querySelector('#policies-table tbody');
+    if (!data.length) {
+      tbody.innerHTML = '<tr><td colspan="4" class="empty">No policies configured</td></tr>';
+      return;
+    }
+    tbody.innerHTML = data.map(p => {
+      const acts = Array.isArray(p.actions) ? p.actions.join(', ') : String(p.actions);
+      return '<tr><td>' + esc(p.agent) + '</td><td>' + esc(p.credential) + '</td>' +
+        '<td><span class="badge badge-green">' + esc(acts) + '</span></td>' +
+        '<td><button class="btn btn-danger" onclick="deletePolicy(\\'' + esc(p.agent) + '\\',\\'' + esc(p.credential) + '\\')">Delete</button></td></tr>';
+    }).join('');
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+async function addPolicy() {
+  const agent = document.getElementById('policy-agent').value;
+  const credential = document.getElementById('policy-credential').value;
+  const actionsStr = document.getElementById('policy-actions').value.trim();
+  if (!agent || !credential || !actionsStr) return toast('All fields are required', 'error');
+  const actions = actionsStr === '*' ? ['*'] : actionsStr.split(',').map(s => s.trim()).filter(Boolean);
+  try {
+    await api('POST', '/api/policies', { agent, credential, actions });
+    toast('Policy added', 'success');
+    loadPolicies();
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+async function deletePolicy(agent, credential) {
+  try {
+    await api('DELETE', '/api/policies', { agent, credential });
+    toast('Policy deleted', 'success');
+    loadPolicies();
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+// ===== YAML =====
+async function refreshYaml() {
+  try {
+    const data = await api('GET', '/api/config');
+    document.getElementById('yaml-content').textContent = data.yaml;
+  } catch (e) { toast(e.message, 'error'); }
+}
+
+// ===== Helpers =====
+function esc(s) { const d = document.createElement('div'); d.textContent = s; return d.innerHTML; }
+
+async function refreshSelects() {
+  try {
+    const agents = await api('GET', '/api/agents');
+    const creds = await api('GET', '/api/credentials');
+    const pAgent = document.getElementById('policy-agent');
+    const pCred = document.getElementById('policy-credential');
+    pAgent.innerHTML = agents.map(a => '<option value="' + esc(a.id) + '">' + esc(a.id) + '</option>').join('');
+    pCred.innerHTML = creds.map(c => '<option value="' + esc(c.id) + '">' + esc(c.id) + '</option>').join('');
+  } catch (e) {}
+}
+
+async function loadConnectors() {
+  try {
+    const data = await api('GET', '/api/connectors');
+    const sel = document.getElementById('cred-connector');
+    sel.innerHTML = data.map(c => '<option value="' + esc(c.id) + '">' + esc(c.name) + '</option>').join('');
+  } catch (e) {}
+}
+
+// Initial load
+loadAgents();
+loadCredentials();
+loadPolicies();
+loadConnectors();
+
+// Show config path
+api('GET', '/api/config').then(d => {
+  document.getElementById('config-path').textContent = d.path || '';
+}).catch(() => {});
+</script>
+</body>
+</html>`;
+}
+
+// src/ui/handlers.ts
+import { stringify as stringifyYaml3 } from "yaml";
+function createHandlers(configPath) {
+  function getConfig() {
+    return readRawConfig(configPath);
+  }
+  function saveConfig(config) {
+    writeConfig(configPath, config);
+  }
+  return {
+    // GET /api/config — 返回脱敏的 YAML 和路径
+    getConfigInfo() {
+      const config = getConfig();
+      const sanitized = JSON.parse(JSON.stringify(config));
+      const creds = sanitized.credentials ?? [];
+      for (const c of creds) {
+        if (c.token && !c.token.startsWith("${")) {
+          c.token = "***";
+        }
+      }
+      const yaml = stringifyYaml3(sanitized, { lineWidth: 120 });
+      return { yaml, path: configPath };
+    },
+    // GET /api/agents
+    listAgents() {
+      const config = getConfig();
+      return config.agents ?? [];
+    },
+    // POST /api/agents
+    addAgent(body) {
+      const config = getConfig();
+      const agents = config.agents ?? [];
+      if (agents.find((a) => a.id === body.id)) {
+        throw new Error(`Agent "${body.id}" already exists`);
+      }
+      agents.push({ id: body.id, name: body.name });
+      config.agents = agents;
+      saveConfig(config);
+      return { ok: true };
+    },
+    // DELETE /api/agents/:id
+    deleteAgent(id) {
+      const config = getConfig();
+      const agents = config.agents ?? [];
+      const index = agents.findIndex((a) => a.id === id);
+      if (index === -1) throw new Error(`Agent "${id}" not found`);
+      agents.splice(index, 1);
+      config.agents = agents;
+      const policies = config.policies ?? [];
+      config.policies = policies.filter((p) => p.agent !== id);
+      saveConfig(config);
+      return { ok: true };
+    },
+    // GET /api/credentials
+    listCredentials() {
+      const config = getConfig();
+      const creds = config.credentials ?? [];
+      return creds.map((c) => ({
+        id: c.id,
+        connector: c.connector,
+        token: c.token ? c.token.startsWith("${") ? c.token : "***" : void 0
+      }));
+    },
+    // POST /api/credentials
+    addCredential(body) {
+      const config = getConfig();
+      const creds = config.credentials ?? [];
+      if (creds.find((c) => c.id === body.id)) {
+        throw new Error(`Credential "${body.id}" already exists`);
+      }
+      creds.push({ id: body.id, connector: body.connector, token: body.token });
+      config.credentials = creds;
+      saveConfig(config);
+      return { ok: true };
+    },
+    // DELETE /api/credentials/:id
+    deleteCredential(id) {
+      const config = getConfig();
+      const creds = config.credentials ?? [];
+      const index = creds.findIndex((c) => c.id === id);
+      if (index === -1) throw new Error(`Credential "${id}" not found`);
+      creds.splice(index, 1);
+      config.credentials = creds;
+      const policies = config.policies ?? [];
+      config.policies = policies.filter((p) => p.credential !== id);
+      saveConfig(config);
+      return { ok: true };
+    },
+    // GET /api/policies
+    listPolicies() {
+      const config = getConfig();
+      return config.policies ?? [];
+    },
+    // POST /api/policies
+    addPolicy(body) {
+      const config = getConfig();
+      const policies = config.policies ?? [];
+      const existing = policies.find((p) => p.agent === body.agent && p.credential === body.credential);
+      if (existing) {
+        existing.actions = body.actions;
+      } else {
+        policies.push({ agent: body.agent, credential: body.credential, actions: body.actions });
+      }
+      config.policies = policies;
+      saveConfig(config);
+      return { ok: true };
+    },
+    // DELETE /api/policies
+    deletePolicy(body) {
+      const config = getConfig();
+      const policies = config.policies ?? [];
+      const index = policies.findIndex((p) => p.agent === body.agent && p.credential === body.credential);
+      if (index === -1) throw new Error("Policy not found");
+      policies.splice(index, 1);
+      config.policies = policies;
+      saveConfig(config);
+      return { ok: true };
+    },
+    // GET /api/connectors
+    listConnectorsInfo() {
+      return listConnectors().map((c) => ({ id: c.info.id, name: c.info.name }));
+    },
+    // POST /api/validate
+    validateConfig() {
+      try {
+        return validateConfigFile(configPath);
+      } catch (e) {
+        return { valid: false, errors: [e.message] };
+      }
+    }
+  };
+}
+
+// src/ui/server.ts
+function startServer(configPath, port) {
+  const handlers = createHandlers(configPath);
+  const server = http.createServer(async (req, res) => {
+    const url = new URL(req.url ?? "/", `http://localhost:${port}`);
+    const method = req.method ?? "GET";
+    const pathname = url.pathname;
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+    if (method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    try {
+      if (method === "GET" && pathname === "/") {
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(getHtml());
+        return;
+      }
+      if (pathname.startsWith("/api/")) {
+        const body = method !== "GET" ? await readBody(req) : void 0;
+        let result;
+        if (method === "GET" && pathname === "/api/config") {
+          result = handlers.getConfigInfo();
+        } else if (method === "GET" && pathname === "/api/agents") {
+          result = handlers.listAgents();
+        } else if (method === "POST" && pathname === "/api/agents") {
+          result = handlers.addAgent(body);
+        } else if (method === "DELETE" && pathname.startsWith("/api/agents/")) {
+          const id = pathname.slice("/api/agents/".length);
+          result = handlers.deleteAgent(decodeURIComponent(id));
+        } else if (method === "GET" && pathname === "/api/credentials") {
+          result = handlers.listCredentials();
+        } else if (method === "POST" && pathname === "/api/credentials") {
+          result = handlers.addCredential(body);
+        } else if (method === "DELETE" && pathname.startsWith("/api/credentials/")) {
+          const id = pathname.slice("/api/credentials/".length);
+          result = handlers.deleteCredential(decodeURIComponent(id));
+        } else if (method === "GET" && pathname === "/api/policies") {
+          result = handlers.listPolicies();
+        } else if (method === "POST" && pathname === "/api/policies") {
+          result = handlers.addPolicy(body);
+        } else if (method === "DELETE" && pathname === "/api/policies") {
+          result = handlers.deletePolicy(body);
+        } else if (method === "GET" && pathname === "/api/connectors") {
+          result = handlers.listConnectorsInfo();
+        } else if (method === "POST" && pathname === "/api/validate") {
+          result = handlers.validateConfig();
+        } else {
+          res.writeHead(404);
+          res.end(JSON.stringify({ error: "Not found" }));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "application/json; charset=utf-8" });
+        res.end(JSON.stringify(result));
+        return;
+      }
+      res.writeHead(404);
+      res.end("Not found");
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Internal server error";
+      res.writeHead(400, { "Content-Type": "application/json; charset=utf-8" });
+      res.end(JSON.stringify({ error: message }));
+    }
+  });
+  server.listen(port, () => {
+    console.log(`Broker UI running at http://localhost:${port}`);
+    console.log(`Config: ${configPath}`);
+    console.log("Press Ctrl+C to stop");
+  });
+  return server;
+}
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => {
+      const raw = Buffer.concat(chunks).toString("utf-8");
+      try {
+        resolve(raw ? JSON.parse(raw) : {});
+      } catch {
+        reject(new Error("Invalid JSON body"));
+      }
+    });
+    req.on("error", reject);
+  });
+}
+
+// src/commands/ui.ts
+var uiCommand = new Command8("ui").description("\u542F\u52A8 File Mode Web UI\uFF0C\u53EF\u89C6\u5316\u7BA1\u7406 broker.yaml").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).option("-p, --port <port>", "\u670D\u52A1\u7AEF\u53E3", "3200").action((opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const port = parseInt(opts.port, 10);
+  if (isNaN(port) || port < 1 || port > 65535) {
+    console.error("Invalid port number");
+    process.exitCode = 1;
+    return;
+  }
+  startServer(configPath, port);
+});
+
+// src/commands/token.ts
+import { Command as Command9 } from "commander";
+var tokenCommand = new Command9("token").description("Agent Token \u7BA1\u7406");
+tokenCommand.command("generate").description("\u4E3A Agent \u751F\u6210\u8BA4\u8BC1 Token").argument("<agent>", "Agent ID").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).option("-f, --force", "\u8986\u76D6\u5DF2\u6709 token", false).action((agentId, opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const agents = config.agents ?? [];
+  const agent = agents.find((a) => a.id === agentId);
+  if (!agent) {
+    logError(`Agent "${agentId}" \u4E0D\u5B58\u5728`);
+    process.exitCode = 1;
+    return;
+  }
+  if (agent.token_hash && !opts.force) {
+    logError(`Agent "${agentId}" \u5DF2\u6709 token\uFF08prefix: ${agent.token_prefix}\uFF09\uFF0C\u4F7F\u7528 --force \u8986\u76D6`);
+    process.exitCode = 1;
+    return;
+  }
+  const { token, prefix } = generateAgentToken();
+  agent.token_hash = hashToken(token);
+  agent.token_prefix = prefix;
+  config.agents = agents;
+  writeConfig(configPath, config);
+  logSuccess(`Token \u5DF2\u751F\u6210`);
+  log("");
+  log(`  Token:  ${token}`);
+  log(`  Prefix: ${prefix}`);
+  log("");
+  log("  \u8BF7\u59A5\u5584\u4FDD\u5B58\u6B64 token\uFF0C\u5B83\u4E0D\u4F1A\u518D\u6B21\u663E\u793A\u3002");
+  log("  \u5728 MCP \u914D\u7F6E\u4E2D\u8BBE\u7F6E\u73AF\u5883\u53D8\u91CF\uFF1A");
+  log(`    BROKER_AGENT_TOKEN="${token}"`);
+});
+tokenCommand.command("revoke").description("\u64A4\u9500 Agent \u7684 Token").argument("<agent>", "Agent ID").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action((agentId, opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const agents = config.agents ?? [];
+  const agent = agents.find((a) => a.id === agentId);
+  if (!agent) {
+    logError(`Agent "${agentId}" \u4E0D\u5B58\u5728`);
+    process.exitCode = 1;
+    return;
+  }
+  if (!agent.token_hash) {
+    logError(`Agent "${agentId}" \u6CA1\u6709 token`);
+    process.exitCode = 1;
+    return;
+  }
+  delete agent.token_hash;
+  delete agent.token_prefix;
+  config.agents = agents;
+  writeConfig(configPath, config);
+  logSuccess(`\u5DF2\u64A4\u9500 Agent "${agentId}" \u7684 token`);
+});
+tokenCommand.command("list").description("\u5217\u51FA\u6240\u6709 Agent \u7684 Token \u72B6\u6001").option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).action((opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  const config = readRawConfig(configPath);
+  const agents = config.agents ?? [];
+  if (agents.length === 0) {
+    log("\u6682\u65E0 Agent");
+    return;
+  }
+  log(`Agent Token \u72B6\u6001 (${agents.length}):`);
+  for (const agent of agents) {
+    if (agent.token_hash) {
+      log(`  - ${agent.id} (${agent.name}): token set (prefix: ${agent.token_prefix})`);
+    } else {
+      log(`  - ${agent.id} (${agent.name}): no token`);
+    }
+  }
+});
+
+// src/commands/test.ts
+import { Command as Command10 } from "commander";
+var testCommand = new Command10("test").description("\u6D4B\u8BD5\u8C03\u7528 connector \u64CD\u4F5C").argument("<connector>", 'Connector \u540D\u79F0\uFF0C\u5982 "github"').argument("<action>", '\u64CD\u4F5C\u540D\u79F0\uFF0C\u5982 "list_repos"').option("-c, --config <path>", "\u914D\u7F6E\u6587\u4EF6\u8DEF\u5F84", void 0).option("-a, --agent <id>", "Agent ID", void 0).option("-p, --params <json>", "\u64CD\u4F5C\u53C2\u6570\uFF08JSON \u683C\u5F0F\uFF09", "{}").option("--dry-run", "\u4EC5\u6267\u884C\u6743\u9650\u68C0\u67E5\uFF0C\u4E0D\u5B9E\u9645\u8C03\u7528 API", false).action(async (connector, action, opts) => {
+  const configPath = resolveConfigPath(opts.config);
+  let config;
+  try {
+    config = loadConfig(configPath);
+  } catch (err) {
+    logError(`\u914D\u7F6E\u52A0\u8F7D\u5931\u8D25: ${err instanceof Error ? err.message : String(err)}`);
+    process.exitCode = 1;
+    return;
+  }
+  const store = new LocalStore(config);
+  let agentId;
+  const envToken = process.env.BROKER_AGENT_TOKEN;
+  if (envToken) {
+    const matched = authenticateByToken(envToken, store);
+    if (!matched) {
+      logError("BROKER_AGENT_TOKEN \u8BA4\u8BC1\u5931\u8D25");
+      process.exitCode = 1;
+      return;
+    }
+    agentId = matched.id;
+  } else {
+    agentId = opts.agent ?? config.agents[0].id;
+  }
+  let params;
+  try {
+    params = JSON.parse(opts.params);
+  } catch {
+    logError("\u53C2\u6570\u683C\u5F0F\u9519\u8BEF\uFF0C\u8BF7\u63D0\u4F9B\u6709\u6548\u7684 JSON");
+    process.exitCode = 1;
+    return;
+  }
+  log(`Agent:     ${agentId}`);
+  log(`Connector: ${connector}`);
+  log(`Action:    ${action}`);
+  log(`Params:    ${JSON.stringify(params)}`);
+  log("");
+  const permResult = checkLocalPermission(
+    { agentId, connectorId: connector, action, params },
+    store
+  );
+  if (permResult.result !== "ALLOWED") {
+    logError(`\u6743\u9650\u68C0\u67E5\u5931\u8D25: ${permResult.result}`);
+    log(`  ${permResult.message ?? ""}`);
+    process.exitCode = 1;
+    return;
+  }
+  logSuccess("\u6743\u9650\u68C0\u67E5\u901A\u8FC7");
+  if (opts.dryRun) {
+    log("(dry-run \u6A21\u5F0F\uFF0C\u8DF3\u8FC7\u5B9E\u9645\u8C03\u7528)");
+    return;
+  }
+  log("");
+  log("\u6267\u884C\u4E2D...");
+  const broker = new LocalBroker(store);
+  const result = await broker.callTool(agentId, connector, action, params);
+  if (result.success) {
+    logSuccess("\u8C03\u7528\u6210\u529F");
+    log(JSON.stringify(result.data, null, 2));
+  } else {
+    logError(`\u8C03\u7528\u5931\u8D25: ${result.error}`);
+    process.exitCode = 1;
+  }
+});
+
+// src/index.ts
+var program = new Command11();
+program.name("broker").description("Agent Auth Broker CLI \u2014 AI Agent \u51ED\u8BC1\u7BA1\u7406\u4E0E\u6388\u6743\u4EE3\u7406").version("0.0.1");
+program.addCommand(initCommand);
+program.addCommand(validateCommand);
+program.addCommand(diagnoseCommand);
+program.addCommand(serveCommand);
+program.addCommand(credentialCommand);
+program.addCommand(agentCommand);
+program.addCommand(policyCommand);
+program.addCommand(uiCommand);
+program.addCommand(tokenCommand);
+program.addCommand(testCommand);
+program.parse();
+//# sourceMappingURL=index.js.map