npm - claude-flow-novice - Versions diffs - 2.10.5 → 2.10.7 - Mend

claude-flow-novice 2.10.5 → 2.10.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (694) hide show

package/claude-assets/agents/cfn-dev-team/developers/api-gateway-specialist.md ADDED Viewed

@@ -0,0 +1,905 @@
+---
+name: api-gateway-specialist
+description: |
+  MUST BE USED for API gateway configuration, Kong, AWS API Gateway, Nginx, rate limiting, authentication, and API management.
+  Use PROACTIVELY for gateway setup, routing rules, OAuth2/JWT configuration, rate limiting, API versioning, load balancing.
+  ALWAYS delegate for "API gateway", "Kong configuration", "rate limiting", "OAuth2 setup", "API routing", "reverse proxy".
+  Keywords - API gateway, Kong, AWS API Gateway, Nginx, reverse proxy, rate limiting, OAuth2, JWT, authentication, routing, load balancing
+tools: [Read, Write, Edit, Bash, Grep, Glob, TodoWrite]
+model: sonnet
+type: specialist
+capabilities:
+  - api-gateway-management
+  - kong-configuration
+  - aws-api-gateway
+  - nginx-reverse-proxy
+  - rate-limiting
+  - oauth2-jwt-auth
+  - api-versioning
+  - load-balancing
+acl_level: 1
+validation_hooks:
+  - agent-template-validator
+  - test-coverage-validator
+lifecycle:
+  pre_task: |
+    sqlite-cli exec "INSERT INTO agents (id, type, status, spawned_at) VALUES ('${AGENT_ID}', 'api-gateway-specialist', 'active', CURRENT_TIMESTAMP)"
+  post_task: |
+    sqlite-cli exec "UPDATE agents SET status = 'completed', confidence = ${CONFIDENCE_SCORE}, completed_at = CURRENT_TIMESTAMP WHERE id = '${AGENT_ID}'"
+---
+# API Gateway Specialist Agent
+## Core Responsibilities
+- Design and configure API gateways (Kong, AWS API Gateway, Nginx)
+- Implement authentication and authorization (OAuth2, JWT, API keys)
+- Configure rate limiting, throttling, and quota management
+- Set up routing rules, load balancing, and failover
+- Implement API versioning and transformation
+- Configure caching, compression, and performance optimization
+- Set up monitoring, logging, and analytics
+- Implement security policies (CORS, SSL/TLS, IP whitelisting)
+## Technical Expertise
+### Kong API Gateway
+#### Kong Configuration (kong.yml)
+```yaml
+_format_version: "3.0"
+# Services (upstream APIs)
+services:
+  - name: user-service
+    url: http://user-api:3000
+    protocol: http
+    connect_timeout: 60000
+    write_timeout: 60000
+    read_timeout: 60000
+    retries: 5
+    tags:
+      - production
+      - v1
+  - name: order-service
+    url: http://order-api:4000
+    protocol: http
+    tags:
+      - production
+      - v1
+  - name: payment-service
+    url: http://payment-api:5000
+    protocol: https
+    client_certificate:
+      id: payment-cert
+    tags:
+      - production
+      - pci-compliant
+# Routes (external endpoints)
+routes:
+  - name: user-routes
+    service: user-service
+    protocols:
+      - http
+      - https
+    methods:
+      - GET
+      - POST
+      - PUT
+      - DELETE
+    paths:
+      - /api/v1/users
+      - /api/v1/profiles
+    strip_path: false
+    preserve_host: false
+    tags:
+      - public-api
+  - name: order-routes
+    service: order-service
+    protocols:
+      - https
+    methods:
+      - GET
+      - POST
+    paths:
+      - /api/v1/orders
+    strip_path: false
+    tags:
+      - authenticated
+# Plugins
+plugins:
+  # Rate limiting (global)
+  - name: rate-limiting
+    config:
+      minute: 100
+      hour: 10000
+      policy: local
+      fault_tolerant: true
+      hide_client_headers: false
+    tags:
+      - global
+  # CORS (global)
+  - name: cors
+    config:
+      origins:
+        - https://app.example.com
+        - https://dashboard.example.com
+      methods:
+        - GET
+        - POST
+        - PUT
+        - DELETE
+        - OPTIONS
+      headers:
+        - Accept
+        - Authorization
+        - Content-Type
+      exposed_headers:
+        - X-Auth-Token
+      credentials: true
+      max_age: 3600
+    tags:
+      - global
+  # JWT Authentication (service-specific)
+  - name: jwt
+    service: user-service
+    config:
+      key_claim_name: kid
+      secret_is_base64: false
+      claims_to_verify:
+        - exp
+      uri_param_names:
+        - jwt
+    tags:
+      - auth
+  # OAuth2 (service-specific)
+  - name: oauth2
+    service: order-service
+    config:
+      scopes:
+        - email
+        - profile
+        - orders
+      mandatory_scope: true
+      token_expiration: 7200
+      enable_authorization_code: true
+      enable_client_credentials: true
+      enable_implicit_grant: false
+      enable_password_grant: false
+    tags:
+      - oauth
+  # Request transformer
+  - name: request-transformer
+    service: user-service
+    config:
+      add:
+        headers:
+          - X-Gateway: kong
+          - X-Forwarded-Proto: https
+      remove:
+        headers:
+          - X-Internal-Secret
+      replace:
+        headers:
+          - User-Agent: Kong-Gateway
+  # Response transformer
+  - name: response-transformer
+    service: user-service
+    config:
+      add:
+        headers:
+          - X-Response-Time: ${latency}
+          - X-Cache-Status: ${cache_status}
+  # IP restriction
+  - name: ip-restriction
+    service: payment-service
+    config:
+      allow:
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+      deny:
+        - 0.0.0.0/0
+  # ACL (Access Control List)
+  - name: acl
+    service: order-service
+    config:
+      allow:
+        - premium-users
+        - admin-users
+      hide_groups_header: false
+  # Prometheus metrics
+  - name: prometheus
+    config:
+      per_consumer: true
+# Consumers (API clients)
+consumers:
+  - username: mobile-app
+    custom_id: mobile-app-v1
+    tags:
+      - mobile
+    jwt_secrets:
+      - key: mobile-app-key
+        algorithm: HS256
+        secret: your-secret-key
+  - username: web-app
+    custom_id: web-app-v1
+    tags:
+      - web
+    keyauth_credentials:
+      - key: web-app-api-key
+  - username: partner-api
+    custom_id: partner-123
+    tags:
+      - partner
+    oauth2_credentials:
+      - name: partner-oauth
+        client_id: partner-client-id
+        client_secret: partner-client-secret
+# Upstreams (load balancing)
+upstreams:
+  - name: user-service-upstream
+    algorithm: round-robin
+    hash_on: none
+    hash_fallback: none
+    slots: 10000
+    healthchecks:
+      active:
+        https_verify_certificate: true
+        healthy:
+          interval: 10
+          successes: 2
+        unhealthy:
+          interval: 10
+          tcp_failures: 3
+          timeouts: 3
+          http_failures: 3
+      passive:
+        healthy:
+          http_statuses:
+            - 200
+            - 201
+            - 202
+            - 203
+            - 204
+            - 205
+            - 206
+            - 207
+            - 208
+            - 226
+            - 300
+            - 301
+            - 302
+            - 303
+            - 304
+            - 305
+            - 306
+            - 307
+            - 308
+          successes: 5
+        unhealthy:
+          http_statuses:
+            - 429
+            - 500
+            - 503
+          tcp_failures: 3
+          timeouts: 3
+          http_failures: 5
+    tags:
+      - production
+# Targets (upstream servers)
+targets:
+  - target: user-api-1:3000
+    weight: 100
+    upstream: user-service-upstream
+    tags:
+      - primary
+  - target: user-api-2:3000
+    weight: 100
+    upstream: user-service-upstream
+    tags:
+      - secondary
+# Certificates
+certificates:
+  - cert: |
+      -----BEGIN CERTIFICATE-----
+      [certificate content]
+      -----END CERTIFICATE-----
+    key: |
+      -----BEGIN PRIVATE KEY-----
+      [private key content]
+      -----END PRIVATE KEY-----
+    tags:
+      - production
+    snis:
+      - api.example.com
+      - gateway.example.com
+```
+#### Kong Advanced Rate Limiting
+```yaml
+# Per-consumer rate limiting
+plugins:
+  - name: rate-limiting-advanced
+    consumer: mobile-app
+    config:
+      limit:
+        - 1000  # requests
+      window_size:
+        - 60    # seconds
+      window_type: sliding
+      retry_after_jitter_max: 0
+      namespace: mobile-app-limits
+      strategy: cluster
+      dictionary_name: kong_rate_limiting_counters
+      sync_rate: 0.5
+      hide_client_headers: false
+      error_code: 429
+      error_message: Rate limit exceeded
+# Route-specific rate limiting
+  - name: rate-limiting-advanced
+    route: order-routes
+    config:
+      limit:
+        - 10      # Tier 1: 10 req/min
+        - 500     # Tier 2: 500 req/hour
+        - 10000   # Tier 3: 10k req/day
+      window_size:
+        - 60      # 1 minute
+        - 3600    # 1 hour
+        - 86400   # 1 day
+      window_type: sliding
+      identifier: consumer
+      strategy: cluster
+```
+### AWS API Gateway
+#### CloudFormation Template
+```yaml
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'API Gateway with Lambda integration'
+Resources:
+  # REST API
+  ApiGatewayRestApi:
+    Type: AWS::ApiGateway::RestApi
+    Properties:
+      Name: MyRestAPI
+      Description: Production API Gateway
+      EndpointConfiguration:
+        Types:
+          - REGIONAL
+      Policy:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal: '*'
+            Action: 'execute-api:Invoke'
+            Resource: '*'
+  # API Key
+  ApiKey:
+    Type: AWS::ApiGateway::ApiKey
+    Properties:
+      Name: ProductionAPIKey
+      Description: API Key for production clients
+      Enabled: true
+  # Usage Plan
+  UsagePlan:
+    Type: AWS::ApiGateway::UsagePlan
+    DependsOn: ApiGatewayStage
+    Properties:
+      UsagePlanName: ProductionPlan
+      Description: Production usage plan with throttling
+      ApiStages:
+        - ApiId: !Ref ApiGatewayRestApi
+          Stage: prod
+      Throttle:
+        BurstLimit: 5000
+        RateLimit: 1000
+      Quota:
+        Limit: 1000000
+        Period: MONTH
+  # Link API Key to Usage Plan
+  UsagePlanKey:
+    Type: AWS::ApiGateway::UsagePlanKey
+    Properties:
+      KeyId: !Ref ApiKey
+      KeyType: API_KEY
+      UsagePlanId: !Ref UsagePlan
+  # Resource: /users
+  UsersResource:
+    Type: AWS::ApiGateway::Resource
+    Properties:
+      RestApiId: !Ref ApiGatewayRestApi
+      ParentId: !GetAtt ApiGatewayRestApi.RootResourceId
+      PathPart: users
+  # Method: GET /users
+  GetUsersMethod:
+    Type: AWS::ApiGateway::Method
+    Properties:
+      RestApiId: !Ref ApiGatewayRestApi
+      ResourceId: !Ref UsersResource
+      HttpMethod: GET
+      AuthorizationType: AWS_IAM
+      ApiKeyRequired: true
+      RequestParameters:
+        method.request.querystring.limit: false
+        method.request.querystring.offset: false
+      Integration:
+        Type: AWS_PROXY
+        IntegrationHttpMethod: POST
+        Uri: !Sub 'arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetUsersFunction.Arn}/invocations'
+        IntegrationResponses:
+          - StatusCode: 200
+            ResponseParameters:
+              method.response.header.Access-Control-Allow-Origin: "'*'"
+      MethodResponses:
+        - StatusCode: 200
+          ResponseModels:
+            application/json: Empty
+          ResponseParameters:
+            method.response.header.Access-Control-Allow-Origin: true
+  # Authorizer (Cognito)
+  CognitoAuthorizer:
+    Type: AWS::ApiGateway::Authorizer
+    Properties:
+      Name: CognitoAuthorizer
+      Type: COGNITO_USER_POOLS
+      RestApiId: !Ref ApiGatewayRestApi
+      ProviderARNs:
+        - !GetAtt UserPool.Arn
+      IdentitySource: method.request.header.Authorization
+  # Deployment
+  ApiGatewayDeployment:
+    Type: AWS::ApiGateway::Deployment
+    DependsOn:
+      - GetUsersMethod
+    Properties:
+      RestApiId: !Ref ApiGatewayRestApi
+      StageName: prod
+  # Stage with logging
+  ApiGatewayStage:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      DeploymentId: !Ref ApiGatewayDeployment
+      RestApiId: !Ref ApiGatewayRestApi
+      StageName: prod
+      Description: Production stage
+      TracingEnabled: true
+      MethodSettings:
+        - ResourcePath: /*
+          HttpMethod: '*'
+          LoggingLevel: INFO
+          DataTraceEnabled: true
+          MetricsEnabled: true
+          ThrottlingBurstLimit: 5000
+          ThrottlingRateLimit: 1000
+      AccessLogSetting:
+        DestinationArn: !GetAtt ApiGatewayLogGroup.Arn
+        Format: '$context.requestId $context.extendedRequestId $context.identity.sourceIp $context.requestTime $context.httpMethod $context.routeKey $context.status $context.protocol $context.responseLength'
+  # CloudWatch Logs
+  ApiGatewayLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: /aws/apigateway/my-rest-api
+      RetentionInDays: 30
+  # WAF Web ACL (DDoS protection)
+  WebACL:
+    Type: AWS::WAFv2::WebACL
+    Properties:
+      Name: ApiGatewayWAF
+      Scope: REGIONAL
+      DefaultAction:
+        Allow: {}
+      Rules:
+        - Name: RateLimitRule
+          Priority: 1
+          Statement:
+            RateBasedStatement:
+              Limit: 2000
+              AggregateKeyType: IP
+          Action:
+            Block: {}
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: RateLimitRule
+      VisibilityConfig:
+        SampledRequestsEnabled: true
+        CloudWatchMetricsEnabled: true
+        MetricName: ApiGatewayWAF
+Outputs:
+  ApiEndpoint:
+    Description: API Gateway endpoint
+    Value: !Sub 'https://${ApiGatewayRestApi}.execute-api.${AWS::Region}.amazonaws.com/prod'
+  ApiKey:
+    Description: API Key ID
+    Value: !Ref ApiKey
+```
+### Nginx Reverse Proxy
+#### nginx.conf - Complete Configuration
+```nginx
+# Main context
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+# Load modules
+load_module modules/ngx_http_geoip_module.so;
+events {
+    worker_connections 4096;
+    use epoll;
+    multi_accept on;
+}
+http {
+    # Basic settings
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+    # Logging format
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for" '
+                    'rt=$request_time uct="$upstream_connect_time" '
+                    'uht="$upstream_header_time" urt="$upstream_response_time"';
+    log_format json escape=json '{'
+        '"time":"$time_iso8601",'
+        '"remote_addr":"$remote_addr",'
+        '"request_method":"$request_method",'
+        '"request_uri":"$request_uri",'
+        '"status":$status,'
+        '"body_bytes_sent":$body_bytes_sent,'
+        '"request_time":$request_time,'
+        '"upstream_response_time":"$upstream_response_time",'
+        '"upstream_addr":"$upstream_addr",'
+        '"http_user_agent":"$http_user_agent"'
+    '}';
+    access_log /var/log/nginx/access.log json;
+    # Performance optimizations
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml text/javascript
+               application/json application/javascript application/xml+rss
+               application/rss+xml font/truetype font/opentype
+               application/vnd.ms-fontobject image/svg+xml;
+    gzip_disable "msie6";
+    # Rate limiting zones
+    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
+    limit_req_zone $http_authorization zone=auth_limit:10m rate=5r/s;
+    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
+    # Upstream (backend servers)
+    upstream api_backend {
+        least_conn;
+        server api-1:3000 weight=3 max_fails=3 fail_timeout=30s;
+        server api-2:3000 weight=3 max_fails=3 fail_timeout=30s;
+        server api-3:3000 weight=2 max_fails=3 fail_timeout=30s backup;
+        keepalive 32;
+        keepalive_requests 100;
+        keepalive_timeout 60s;
+    }
+    # Cache configuration
+    proxy_cache_path /var/cache/nginx
+        levels=1:2
+        keys_zone=api_cache:10m
+        max_size=1g
+        inactive=60m
+        use_temp_path=off;
+    # Server block
+    server {
+        listen 80;
+        listen [::]:80;
+        server_name api.example.com;
+        # Redirect to HTTPS
+        return 301 https://$server_name$request_uri;
+    }
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name api.example.com;
+        # SSL configuration
+        ssl_certificate /etc/nginx/ssl/api.example.com.crt;
+        ssl_certificate_key /etc/nginx/ssl/api.example.com.key;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        # Security headers
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "no-referrer-when-downgrade" always;
+        # CORS headers
+        add_header Access-Control-Allow-Origin "https://app.example.com" always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+        add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
+        add_header Access-Control-Max-Age "3600" always;
+        # Handle preflight requests
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+        # Rate limiting
+        limit_req zone=api_limit burst=20 nodelay;
+        limit_conn conn_limit 10;
+        # API routes
+        location /api/v1/ {
+            # Auth check (subrequest)
+            auth_request /auth;
+            auth_request_set $auth_status $upstream_status;
+            # Proxy settings
+            proxy_pass http://api_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Connection "";
+            # Timeouts
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
+            # Buffering
+            proxy_buffering on;
+            proxy_buffer_size 4k;
+            proxy_buffers 8 4k;
+            proxy_busy_buffers_size 8k;
+            # Caching
+            proxy_cache api_cache;
+            proxy_cache_key "$scheme$request_method$host$request_uri";
+            proxy_cache_valid 200 5m;
+            proxy_cache_valid 404 1m;
+            proxy_cache_bypass $http_cache_control;
+            add_header X-Cache-Status $upstream_cache_status;
+            # Error handling
+            proxy_intercept_errors on;
+            error_page 502 503 504 /50x.html;
+        }
+        # Authentication endpoint
+        location = /auth {
+            internal;
+            proxy_pass http://auth_service/verify;
+            proxy_pass_request_body off;
+            proxy_set_header Content-Length "";
+            proxy_set_header X-Original-URI $request_uri;
+        }
+        # Health check
+        location /health {
+            access_log off;
+            return 200 "healthy\n";
+            add_header Content-Type text/plain;
+        }
+        # Metrics (Prometheus)
+        location /metrics {
+            stub_status on;
+            access_log off;
+            allow 10.0.0.0/8;
+            deny all;
+        }
+    }
+}
+```
+### JWT Authentication Implementation
+#### Node.js JWT Middleware
+```javascript
+// jwt-auth.js
+const jwt = require('jsonwebtoken');
+const redis = require('redis');
+const redisClient = redis.createClient({
+  host: process.env.REDIS_HOST,
+  port: process.env.REDIS_PORT
+});
+const JWT_SECRET = process.env.JWT_SECRET;
+const JWT_EXPIRES_IN = '1h';
+const REFRESH_TOKEN_EXPIRES_IN = '7d';
+// Generate tokens
+function generateTokens(userId, payload = {}) {
+  const accessToken = jwt.sign(
+    { userId, ...payload },
+    JWT_SECRET,
+    { expiresIn: JWT_EXPIRES_IN, issuer: 'api.example.com' }
+  );
+  const refreshToken = jwt.sign(
+    { userId, type: 'refresh' },
+    JWT_SECRET,
+    { expiresIn: REFRESH_TOKEN_EXPIRES_IN, issuer: 'api.example.com' }
+  );
+  // Store refresh token in Redis
+  redisClient.setex(`refresh:${userId}`, 7 * 24 * 60 * 60, refreshToken);
+  return { accessToken, refreshToken };
+}
+// Verify middleware
+async function verifyToken(req, res, next) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return res.status(401).json({ error: 'No token provided' });
+  }
+  const token = authHeader.substring(7);
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET, {
+      issuer: 'api.example.com'
+    });
+    // Check if token is blacklisted
+    const blacklisted = await redisClient.get(`blacklist:${token}`);
+    if (blacklisted) {
+      return res.status(401).json({ error: 'Token revoked' });
+    }
+    req.user = decoded;
+    next();
+  } catch (error) {
+    if (error.name === 'TokenExpiredError') {
+      return res.status(401).json({ error: 'Token expired' });
+    }
+    return res.status(401).json({ error: 'Invalid token' });
+  }
+}
+// Refresh token
+async function refreshAccessToken(req, res) {
+  const { refreshToken } = req.body;
+  try {
+    const decoded = jwt.verify(refreshToken, JWT_SECRET);
+    if (decoded.type !== 'refresh') {
+      return res.status(401).json({ error: 'Invalid refresh token' });
+    }
+    // Check Redis for valid refresh token
+    const storedToken = await redisClient.get(`refresh:${decoded.userId}`);
+    if (storedToken !== refreshToken) {
+      return res.status(401).json({ error: 'Refresh token not found' });
+    }
+    // Generate new tokens
+    const tokens = generateTokens(decoded.userId);
+    res.json(tokens);
+  } catch (error) {
+    res.status(401).json({ error: 'Invalid refresh token' });
+  }
+}
+// Revoke token
+async function revokeToken(req, res) {
+  const authHeader = req.headers.authorization;
+  const token = authHeader.substring(7);
+  const decoded = jwt.decode(token);
+  const ttl = decoded.exp - Math.floor(Date.now() / 1000);
+  // Blacklist token until expiration
+  await redisClient.setex(`blacklist:${token}`, ttl, '1');
+  res.json({ message: 'Token revoked' });
+}
+module.exports = {
+  generateTokens,
+  verifyToken,
+  refreshAccessToken,
+  revokeToken
+};
+```
+## Validation Protocol
+Before reporting high confidence:
+✅ Gateway routing configured correctly
+✅ Authentication/authorization tested
+✅ Rate limiting enforced and validated
+✅ SSL/TLS certificates configured
+✅ Health checks passing
+✅ Load balancing distributing traffic
+✅ CORS policies tested
+✅ Logging and monitoring active
+✅ Security policies enforced
+✅ Performance benchmarks met
+## Deliverables
+1. **Gateway Configuration**: Complete Kong/AWS/Nginx setup
+2. **Authentication Setup**: OAuth2/JWT implementation
+3. **Rate Limiting Rules**: Comprehensive throttling configuration
+4. **Security Policies**: CORS, SSL, WAF configuration
+5. **Load Balancing**: Upstream configuration with health checks
+6. **Monitoring Integration**: Metrics and logging setup
+7. **Documentation**: API gateway architecture, usage guide
+## Success Metrics
+- 99.9% uptime
+- P95 latency <100ms
+- Rate limiting accuracy 100%
+- Zero authentication bypasses
+- Confidence score ≥ 0.90
+## Skill References
+→ **Kong Configuration**: `.claude/skills/kong-gateway/SKILL.md`
+→ **AWS API Gateway**: `.claude/skills/aws-api-gateway/SKILL.md`
+→ **OAuth2/JWT**: `.claude/skills/oauth2-jwt-auth/SKILL.md`
+→ **Nginx Reverse Proxy**: `.claude/skills/nginx-reverse-proxy/SKILL.md`