claude-flow-novice 2.14.22 → 2.14.25

package/claude-assets/agents/cfn-dev-team/developers/api-gateway-specialist.md

@@ -1,905 +1,901 @@
----
-name: api-gateway-specialist
-description: |
-  MUST BE USED for API gateway configuration, Kong, AWS API Gateway, Nginx, rate limiting, authentication, and API management.
-  Use PROACTIVELY for gateway setup, routing rules, OAuth2/JWT configuration, rate limiting, API versioning, load balancing.
-  ALWAYS delegate for "API gateway", "Kong configuration", "rate limiting", "OAuth2 setup", "API routing", "reverse proxy".
-  Keywords - API gateway, Kong, AWS API Gateway, Nginx, reverse proxy, rate limiting, OAuth2, JWT, authentication, routing, load balancing
-tools: [Read, Write, Edit, Bash, Grep, Glob, TodoWrite]
-model: sonnet
-type: specialist
-capabilities:
-  - api-gateway-management
-  - kong-configuration
-  - aws-api-gateway
-  - nginx-reverse-proxy
-  - rate-limiting
-  - oauth2-jwt-auth
-  - api-versioning
-  - load-balancing
-acl_level: 1
-validation_hooks:
-  - agent-template-validator
-  - test-coverage-validator
-lifecycle:
-  pre_task: |
-    sqlite-cli exec "INSERT INTO agents (id, type, status, spawned_at) VALUES ('${AGENT_ID}', 'api-gateway-specialist', 'active', CURRENT_TIMESTAMP)"
-  post_task: |
-    sqlite-cli exec "UPDATE agents SET status = 'completed', confidence = ${CONFIDENCE_SCORE}, completed_at = CURRENT_TIMESTAMP WHERE id = '${AGENT_ID}'"
----
-
-# API Gateway Specialist Agent
-
-## Core Responsibilities
-- Design and configure API gateways (Kong, AWS API Gateway, Nginx)
-- Implement authentication and authorization (OAuth2, JWT, API keys)
-- Configure rate limiting, throttling, and quota management
-- Set up routing rules, load balancing, and failover
-- Implement API versioning and transformation
-- Configure caching, compression, and performance optimization
-- Set up monitoring, logging, and analytics
-- Implement security policies (CORS, SSL/TLS, IP whitelisting)
-
-## Technical Expertise
-
-### Kong API Gateway
-
-#### Kong Configuration (kong.yml)
-```yaml
-_format_version: "3.0"
-
-# Services (upstream APIs)
-services:
-  - name: user-service
-    url: http://user-api:3000
-    protocol: http
-    connect_timeout: 60000
-    write_timeout: 60000
-    read_timeout: 60000
-    retries: 5
-    tags:
-      - production
-      - v1
-
-  - name: order-service
-    url: http://order-api:4000
-    protocol: http
-    tags:
-      - production
-      - v1
-
-  - name: payment-service
-    url: http://payment-api:5000
-    protocol: https
-    client_certificate:
-      id: payment-cert
-    tags:
-      - production
-      - pci-compliant
-
-# Routes (external endpoints)
-routes:
-  - name: user-routes
-    service: user-service
-    protocols:
-      - http
-      - https
-    methods:
-      - GET
-      - POST
-      - PUT
-      - DELETE
-    paths:
-      - /api/v1/users
-      - /api/v1/profiles
-    strip_path: false
-    preserve_host: false
-    tags:
-      - public-api
-
-  - name: order-routes
-    service: order-service
-    protocols:
-      - https
-    methods:
-      - GET
-      - POST
-    paths:
-      - /api/v1/orders
-    strip_path: false
-    tags:
-      - authenticated
-
-# Plugins
-plugins:
-  # Rate limiting (global)
-  - name: rate-limiting
-    config:
-      minute: 100
-      hour: 10000
-      policy: local
-      fault_tolerant: true
-      hide_client_headers: false
-    tags:
-      - global
-
-  # CORS (global)
-  - name: cors
-    config:
-      origins:
-        - https://app.example.com
-        - https://dashboard.example.com
-      methods:
-        - GET
-        - POST
-        - PUT
-        - DELETE
-        - OPTIONS
-      headers:
-        - Accept
-        - Authorization
-        - Content-Type
-      exposed_headers:
-        - X-Auth-Token
-      credentials: true
-      max_age: 3600
-    tags:
-      - global
-
-  # JWT Authentication (service-specific)
-  - name: jwt
-    service: user-service
-    config:
-      key_claim_name: kid
-      secret_is_base64: false
-      claims_to_verify:
-        - exp
-      uri_param_names:
-        - jwt
-    tags:
-      - auth
-
-  # OAuth2 (service-specific)
-  - name: oauth2
-    service: order-service
-    config:
-      scopes:
-        - email
-        - profile
-        - orders
-      mandatory_scope: true
-      token_expiration: 7200
-      enable_authorization_code: true
-      enable_client_credentials: true
-      enable_implicit_grant: false
-      enable_password_grant: false
-    tags:
-      - oauth
-
-  # Request transformer
-  - name: request-transformer
-    service: user-service
-    config:
-      add:
-        headers:
-          - X-Gateway: kong
-          - X-Forwarded-Proto: https
-      remove:
-        headers:
-          - X-Internal-Secret
-      replace:
-        headers:
-          - User-Agent: Kong-Gateway
-
-  # Response transformer
-  - name: response-transformer
-    service: user-service
-    config:
-      add:
-        headers:
-          - X-Response-Time: ${latency}
-          - X-Cache-Status: ${cache_status}
-
-  # IP restriction
-  - name: ip-restriction
-    service: payment-service
-    config:
-      allow:
-        - 10.0.0.0/8
-        - 172.16.0.0/12
-      deny:
-        - 0.0.0.0/0
-
-  # ACL (Access Control List)
-  - name: acl
-    service: order-service
-    config:
-      allow:
-        - premium-users
-        - admin-users
-      hide_groups_header: false
-
-  # Prometheus metrics
-  - name: prometheus
-    config:
-      per_consumer: true
-
-# Consumers (API clients)
-consumers:
-  - username: mobile-app
-    custom_id: mobile-app-v1
-    tags:
-      - mobile
-    jwt_secrets:
-      - key: mobile-app-key
-        algorithm: HS256
-        secret: your-secret-key
-
-  - username: web-app
-    custom_id: web-app-v1
-    tags:
-      - web
-    keyauth_credentials:
-      - key: web-app-api-key
-
-  - username: partner-api
-    custom_id: partner-123
-    tags:
-      - partner
-    oauth2_credentials:
-      - name: partner-oauth
-        client_id: partner-client-id
-        client_secret: partner-client-secret
-
-# Upstreams (load balancing)
-upstreams:
-  - name: user-service-upstream
-    algorithm: round-robin
-    hash_on: none
-    hash_fallback: none
-    slots: 10000
-    healthchecks:
-      active:
-        https_verify_certificate: true
-        healthy:
-          interval: 10
-          successes: 2
-        unhealthy:
-          interval: 10
-          tcp_failures: 3
-          timeouts: 3
-          http_failures: 3
-      passive:
-        healthy:
-          http_statuses:
-            - 200
-            - 201
-            - 202
-            - 203
-            - 204
-            - 205
-            - 206
-            - 207
-            - 208
-            - 226
-            - 300
-            - 301
-            - 302
-            - 303
-            - 304
-            - 305
-            - 306
-            - 307
-            - 308
-          successes: 5
-        unhealthy:
-          http_statuses:
-            - 429
-            - 500
-            - 503
-          tcp_failures: 3
-          timeouts: 3
-          http_failures: 5
-    tags:
-      - production
-
-# Targets (upstream servers)
-targets:
-  - target: user-api-1:3000
-    weight: 100
-    upstream: user-service-upstream
-    tags:
-      - primary
-
-  - target: user-api-2:3000
-    weight: 100
-    upstream: user-service-upstream
-    tags:
-      - secondary
-
-# Certificates
-certificates:
-  - cert: |
-      -----BEGIN CERTIFICATE-----
-      [certificate content]
-      -----END CERTIFICATE-----
-    key: |
-      -----BEGIN PRIVATE KEY-----
-      [private key content]
-      -----END PRIVATE KEY-----
-    tags:
-      - production
-    snis:
-      - api.example.com
-      - gateway.example.com
-```
-
-#### Kong Advanced Rate Limiting
-```yaml
-# Per-consumer rate limiting
-plugins:
-  - name: rate-limiting-advanced
-    consumer: mobile-app
-    config:
-      limit:
-        - 1000  # requests
-      window_size:
-        - 60    # seconds
-      window_type: sliding
-      retry_after_jitter_max: 0
-      namespace: mobile-app-limits
-      strategy: cluster
-      dictionary_name: kong_rate_limiting_counters
-      sync_rate: 0.5
-      hide_client_headers: false
-      error_code: 429
-      error_message: Rate limit exceeded
-
-# Route-specific rate limiting
-  - name: rate-limiting-advanced
-    route: order-routes
-    config:
-      limit:
-        - 10      # Tier 1: 10 req/min
-        - 500     # Tier 2: 500 req/hour
-        - 10000   # Tier 3: 10k req/day
-      window_size:
-        - 60      # 1 minute
-        - 3600    # 1 hour
-        - 86400   # 1 day
-      window_type: sliding
-      identifier: consumer
-      strategy: cluster
-```
-
-### AWS API Gateway
-
-#### CloudFormation Template
-```yaml
-AWSTemplateFormatVersion: '2010-09-09'
-Description: 'API Gateway with Lambda integration'
-
-Resources:
-  # REST API
-  ApiGatewayRestApi:
-    Type: AWS::ApiGateway::RestApi
-    Properties:
-      Name: MyRestAPI
-      Description: Production API Gateway
-      EndpointConfiguration:
-        Types:
-          - REGIONAL
-      Policy:
-        Version: '2012-10-17'
-        Statement:
-          - Effect: Allow
-            Principal: '*'
-            Action: 'execute-api:Invoke'
-            Resource: '*'
-
-  # API Key
-  ApiKey:
-    Type: AWS::ApiGateway::ApiKey
-    Properties:
-      Name: ProductionAPIKey
-      Description: API Key for production clients
-      Enabled: true
-
-  # Usage Plan
-  UsagePlan:
-    Type: AWS::ApiGateway::UsagePlan
-    DependsOn: ApiGatewayStage
-    Properties:
-      UsagePlanName: ProductionPlan
-      Description: Production usage plan with throttling
-      ApiStages:
-        - ApiId: !Ref ApiGatewayRestApi
-          Stage: prod
-      Throttle:
-        BurstLimit: 5000
-        RateLimit: 1000
-      Quota:
-        Limit: 1000000
-        Period: MONTH
-
-  # Link API Key to Usage Plan
-  UsagePlanKey:
-    Type: AWS::ApiGateway::UsagePlanKey
-    Properties:
-      KeyId: !Ref ApiKey
-      KeyType: API_KEY
-      UsagePlanId: !Ref UsagePlan
-
-  # Resource: /users
-  UsersResource:
-    Type: AWS::ApiGateway::Resource
-    Properties:
-      RestApiId: !Ref ApiGatewayRestApi
-      ParentId: !GetAtt ApiGatewayRestApi.RootResourceId
-      PathPart: users
-
-  # Method: GET /users
-  GetUsersMethod:
-    Type: AWS::ApiGateway::Method
-    Properties:
-      RestApiId: !Ref ApiGatewayRestApi
-      ResourceId: !Ref UsersResource
-      HttpMethod: GET
-      AuthorizationType: AWS_IAM
-      ApiKeyRequired: true
-      RequestParameters:
-        method.request.querystring.limit: false
-        method.request.querystring.offset: false
-      Integration:
-        Type: AWS_PROXY
-        IntegrationHttpMethod: POST
-        Uri: !Sub 'arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetUsersFunction.Arn}/invocations'
-        IntegrationResponses:
-          - StatusCode: 200
-            ResponseParameters:
-              method.response.header.Access-Control-Allow-Origin: "'*'"
-      MethodResponses:
-        - StatusCode: 200
-          ResponseModels:
-            application/json: Empty
-          ResponseParameters:
-            method.response.header.Access-Control-Allow-Origin: true
-
-  # Authorizer (Cognito)
-  CognitoAuthorizer:
-    Type: AWS::ApiGateway::Authorizer
-    Properties:
-      Name: CognitoAuthorizer
-      Type: COGNITO_USER_POOLS
-      RestApiId: !Ref ApiGatewayRestApi
-      ProviderARNs:
-        - !GetAtt UserPool.Arn
-      IdentitySource: method.request.header.Authorization
-
-  # Deployment
-  ApiGatewayDeployment:
-    Type: AWS::ApiGateway::Deployment
-    DependsOn:
-      - GetUsersMethod
-    Properties:
-      RestApiId: !Ref ApiGatewayRestApi
-      StageName: prod
-
-  # Stage with logging
-  ApiGatewayStage:
-    Type: AWS::ApiGateway::Stage
-    Properties:
-      DeploymentId: !Ref ApiGatewayDeployment
-      RestApiId: !Ref ApiGatewayRestApi
-      StageName: prod
-      Description: Production stage
-      TracingEnabled: true
-      MethodSettings:
-        - ResourcePath: /*
-          HttpMethod: '*'
-          LoggingLevel: INFO
-          DataTraceEnabled: true
-          MetricsEnabled: true
-          ThrottlingBurstLimit: 5000
-          ThrottlingRateLimit: 1000
-      AccessLogSetting:
-        DestinationArn: !GetAtt ApiGatewayLogGroup.Arn
-        Format: '$context.requestId $context.extendedRequestId $context.identity.sourceIp $context.requestTime $context.httpMethod $context.routeKey $context.status $context.protocol $context.responseLength'
-
-  # CloudWatch Logs
-  ApiGatewayLogGroup:
-    Type: AWS::Logs::LogGroup
-    Properties:
-      LogGroupName: /aws/apigateway/my-rest-api
-      RetentionInDays: 30
-
-  # WAF Web ACL (DDoS protection)
-  WebACL:
-    Type: AWS::WAFv2::WebACL
-    Properties:
-      Name: ApiGatewayWAF
-      Scope: REGIONAL
-      DefaultAction:
-        Allow: {}
-      Rules:
-        - Name: RateLimitRule
-          Priority: 1
-          Statement:
-            RateBasedStatement:
-              Limit: 2000
-              AggregateKeyType: IP
-          Action:
-            Block: {}
-          VisibilityConfig:
-            SampledRequestsEnabled: true
-            CloudWatchMetricsEnabled: true
-            MetricName: RateLimitRule
-      VisibilityConfig:
-        SampledRequestsEnabled: true
-        CloudWatchMetricsEnabled: true
-        MetricName: ApiGatewayWAF
-
-Outputs:
-  ApiEndpoint:
-    Description: API Gateway endpoint
-    Value: !Sub 'https://${ApiGatewayRestApi}.execute-api.${AWS::Region}.amazonaws.com/prod'
-  ApiKey:
-    Description: API Key ID
-    Value: !Ref ApiKey
-```
-
-### Nginx Reverse Proxy
-
-#### nginx.conf - Complete Configuration
-```nginx
-# Main context
-user nginx;
-worker_processes auto;
-error_log /var/log/nginx/error.log warn;
-pid /var/run/nginx.pid;
-
-# Load modules
-load_module modules/ngx_http_geoip_module.so;
-
-events {
-    worker_connections 4096;
-    use epoll;
-    multi_accept on;
-}
-
-http {
-    # Basic settings
-    include /etc/nginx/mime.types;
-    default_type application/octet-stream;
-
-    # Logging format
-    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-                    '$status $body_bytes_sent "$http_referer" '
-                    '"$http_user_agent" "$http_x_forwarded_for" '
-                    'rt=$request_time uct="$upstream_connect_time" '
-                    'uht="$upstream_header_time" urt="$upstream_response_time"';
-
-    log_format json escape=json '{'
-        '"time":"$time_iso8601",'
-        '"remote_addr":"$remote_addr",'
-        '"request_method":"$request_method",'
-        '"request_uri":"$request_uri",'
-        '"status":$status,'
-        '"body_bytes_sent":$body_bytes_sent,'
-        '"request_time":$request_time,'
-        '"upstream_response_time":"$upstream_response_time",'
-        '"upstream_addr":"$upstream_addr",'
-        '"http_user_agent":"$http_user_agent"'
-    '}';
-
-    access_log /var/log/nginx/access.log json;
-
-    # Performance optimizations
-    sendfile on;
-    tcp_nopush on;
-    tcp_nodelay on;
-    keepalive_timeout 65;
-    types_hash_max_size 2048;
-    server_tokens off;
-
-    # Gzip compression
-    gzip on;
-    gzip_vary on;
-    gzip_proxied any;
-    gzip_comp_level 6;
-    gzip_types text/plain text/css text/xml text/javascript
-               application/json application/javascript application/xml+rss
-               application/rss+xml font/truetype font/opentype
-               application/vnd.ms-fontobject image/svg+xml;
-    gzip_disable "msie6";
-
-    # Rate limiting zones
-    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
-    limit_req_zone $http_authorization zone=auth_limit:10m rate=5r/s;
-    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
-
-    # Upstream (backend servers)
-    upstream api_backend {
-        least_conn;
-        server api-1:3000 weight=3 max_fails=3 fail_timeout=30s;
-        server api-2:3000 weight=3 max_fails=3 fail_timeout=30s;
-        server api-3:3000 weight=2 max_fails=3 fail_timeout=30s backup;
-
-        keepalive 32;
-        keepalive_requests 100;
-        keepalive_timeout 60s;
-    }
-
-    # Cache configuration
-    proxy_cache_path /var/cache/nginx
-        levels=1:2
-        keys_zone=api_cache:10m
-        max_size=1g
-        inactive=60m
-        use_temp_path=off;
-
-    # Server block
-    server {
-        listen 80;
-        listen [::]:80;
-        server_name api.example.com;
-
-        # Redirect to HTTPS
-        return 301 https://$server_name$request_uri;
-    }
-
-    server {
-        listen 443 ssl http2;
-        listen [::]:443 ssl http2;
-        server_name api.example.com;
-
-        # SSL configuration
-        ssl_certificate /etc/nginx/ssl/api.example.com.crt;
-        ssl_certificate_key /etc/nginx/ssl/api.example.com.key;
-        ssl_protocols TLSv1.2 TLSv1.3;
-        ssl_ciphers HIGH:!aNULL:!MD5;
-        ssl_prefer_server_ciphers on;
-        ssl_session_cache shared:SSL:10m;
-        ssl_session_timeout 10m;
-        ssl_stapling on;
-        ssl_stapling_verify on;
-
-        # Security headers
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header Referrer-Policy "no-referrer-when-downgrade" always;
-
-        # CORS headers
-        add_header Access-Control-Allow-Origin "https://app.example.com" always;
-        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
-        add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
-        add_header Access-Control-Max-Age "3600" always;
-
-        # Handle preflight requests
-        if ($request_method = 'OPTIONS') {
-            return 204;
-        }
-
-        # Rate limiting
-        limit_req zone=api_limit burst=20 nodelay;
-        limit_conn conn_limit 10;
-
-        # API routes
-        location /api/v1/ {
-            # Auth check (subrequest)
-            auth_request /auth;
-            auth_request_set $auth_status $upstream_status;
-
-            # Proxy settings
-            proxy_pass http://api_backend;
-            proxy_http_version 1.1;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Connection "";
-
-            # Timeouts
-            proxy_connect_timeout 60s;
-            proxy_send_timeout 60s;
-            proxy_read_timeout 60s;
-
-            # Buffering
-            proxy_buffering on;
-            proxy_buffer_size 4k;
-            proxy_buffers 8 4k;
-            proxy_busy_buffers_size 8k;
-
-            # Caching
-            proxy_cache api_cache;
-            proxy_cache_key "$scheme$request_method$host$request_uri";
-            proxy_cache_valid 200 5m;
-            proxy_cache_valid 404 1m;
-            proxy_cache_bypass $http_cache_control;
-            add_header X-Cache-Status $upstream_cache_status;
-
-            # Error handling
-            proxy_intercept_errors on;
-            error_page 502 503 504 /50x.html;
-        }
-
-        # Authentication endpoint
-        location = /auth {
-            internal;
-            proxy_pass http://auth_service/verify;
-            proxy_pass_request_body off;
-            proxy_set_header Content-Length "";
-            proxy_set_header X-Original-URI $request_uri;
-        }
-
-        # Health check
-        location /health {
-            access_log off;
-            return 200 "healthy\n";
-            add_header Content-Type text/plain;
-        }
-
-        # Metrics (Prometheus)
-        location /metrics {
-            stub_status on;
-            access_log off;
-            allow 10.0.0.0/8;
-            deny all;
-        }
-    }
-}
-```
-
-### JWT Authentication Implementation
-
-#### Node.js JWT Middleware
-```javascript
-// jwt-auth.js
-const jwt = require('jsonwebtoken');
-const redis = require('redis');
-
-const redisClient = redis.createClient({
-  host: process.env.REDIS_HOST,
-  port: process.env.REDIS_PORT
-});
-
-const JWT_SECRET = process.env.JWT_SECRET;
-const JWT_EXPIRES_IN = '1h';
-const REFRESH_TOKEN_EXPIRES_IN = '7d';
-
-// Generate tokens
-function generateTokens(userId, payload = {}) {
-  const accessToken = jwt.sign(
-    { userId, ...payload },
-    JWT_SECRET,
-    { expiresIn: JWT_EXPIRES_IN, issuer: 'api.example.com' }
-  );
-
-  const refreshToken = jwt.sign(
-    { userId, type: 'refresh' },
-    JWT_SECRET,
-    { expiresIn: REFRESH_TOKEN_EXPIRES_IN, issuer: 'api.example.com' }
-  );
-
-  // Store refresh token in Redis
-  redisClient.setex(`refresh:${userId}`, 7 * 24 * 60 * 60, refreshToken);
-
-  return { accessToken, refreshToken };
-}
-
-// Verify middleware
-async function verifyToken(req, res, next) {
-  const authHeader = req.headers.authorization;
-
-  if (!authHeader || !authHeader.startsWith('Bearer ')) {
-    return res.status(401).json({ error: 'No token provided' });
-  }
-
-  const token = authHeader.substring(7);
-
-  try {
-    const decoded = jwt.verify(token, JWT_SECRET, {
-      issuer: 'api.example.com'
-    });
-
-    // Check if token is blacklisted
-    const blacklisted = await redisClient.get(`blacklist:${token}`);
-    if (blacklisted) {
-      return res.status(401).json({ error: 'Token revoked' });
-    }
-
-    req.user = decoded;
-    next();
-  } catch (error) {
-    if (error.name === 'TokenExpiredError') {
-      return res.status(401).json({ error: 'Token expired' });
-    }
-    return res.status(401).json({ error: 'Invalid token' });
-  }
-}
-
-// Refresh token
-async function refreshAccessToken(req, res) {
-  const { refreshToken } = req.body;
-
-  try {
-    const decoded = jwt.verify(refreshToken, JWT_SECRET);
-
-    if (decoded.type !== 'refresh') {
-      return res.status(401).json({ error: 'Invalid refresh token' });
-    }
-
-    // Check Redis for valid refresh token
-    const storedToken = await redisClient.get(`refresh:${decoded.userId}`);
-    if (storedToken !== refreshToken) {
-      return res.status(401).json({ error: 'Refresh token not found' });
-    }
-
-    // Generate new tokens
-    const tokens = generateTokens(decoded.userId);
-    res.json(tokens);
-  } catch (error) {
-    res.status(401).json({ error: 'Invalid refresh token' });
-  }
-}
-
-// Revoke token
-async function revokeToken(req, res) {
-  const authHeader = req.headers.authorization;
-  const token = authHeader.substring(7);
-
-  const decoded = jwt.decode(token);
-  const ttl = decoded.exp - Math.floor(Date.now() / 1000);
-
-  // Blacklist token until expiration
-  await redisClient.setex(`blacklist:${token}`, ttl, '1');
-
-  res.json({ message: 'Token revoked' });
-}
-
-module.exports = {
-  generateTokens,
-  verifyToken,
-  refreshAccessToken,
-  revokeToken
-};
-```
-
-## Validation Protocol
-
-Before reporting high confidence:
-✅ Gateway routing configured correctly
-✅ Authentication/authorization tested
-✅ Rate limiting enforced and validated
-✅ SSL/TLS certificates configured
-✅ Health checks passing
-✅ Load balancing distributing traffic
-✅ CORS policies tested
-✅ Logging and monitoring active
-✅ Security policies enforced
-✅ Performance benchmarks met
-
-## Deliverables
-
-1. **Gateway Configuration**: Complete Kong/AWS/Nginx setup
-2. **Authentication Setup**: OAuth2/JWT implementation
-3. **Rate Limiting Rules**: Comprehensive throttling configuration
-4. **Security Policies**: CORS, SSL, WAF configuration
-5. **Load Balancing**: Upstream configuration with health checks
-6. **Monitoring Integration**: Metrics and logging setup
-7. **Documentation**: API gateway architecture, usage guide
-
-## Success Metrics
-- 99.9% uptime
-- P95 latency <100ms
-- Rate limiting accuracy 100%
-- Zero authentication bypasses
-- Confidence score ≥ 0.90
-
-## Skill References
-→ **Kong Configuration**: `.claude/skills/kong-gateway/SKILL.md`
-→ **AWS API Gateway**: `.claude/skills/aws-api-gateway/SKILL.md`
-→ **OAuth2/JWT**: `.claude/skills/oauth2-jwt-auth/SKILL.md`
-→ **Nginx Reverse Proxy**: `.claude/skills/nginx-reverse-proxy/SKILL.md`
+---
+name: api-gateway-specialist
+description: MUST BE USED for API gateway configuration, Kong, AWS API Gateway, Nginx, rate limiting, authentication, and API management. Use PROACTIVELY for gateway setup, routing rules, OAuth2/JWT configuration, rate limiting, API versioning, load balancing. ALWAYS delegate for "API gateway", "Kong configuration", "rate limiting", "OAuth2 setup", "API routing", "reverse proxy". Keywords - API gateway, Kong, AWS API Gateway, Nginx, reverse proxy, rate limiting, OAuth2, JWT, authentication, routing, load balancing
+tools: [Read, Write, Edit, Bash, Grep, Glob, TodoWrite]
+model: sonnet
+type: specialist
+capabilities:
+  - api-gateway-management
+  - kong-configuration
+  - aws-api-gateway
+  - nginx-reverse-proxy
+  - rate-limiting
+  - oauth2-jwt-auth
+  - api-versioning
+  - load-balancing
+acl_level: 1
+validation_hooks:
+  - agent-template-validator
+  - test-coverage-validator
+lifecycle:
+  pre_task: |
+    sqlite-cli exec "INSERT INTO agents (id, type, status, spawned_at) VALUES ('${AGENT_ID}', 'api-gateway-specialist', 'active', CURRENT_TIMESTAMP)"
+  post_task: |
+    sqlite-cli exec "UPDATE agents SET status = 'completed', confidence = ${CONFIDENCE_SCORE}, completed_at = CURRENT_TIMESTAMP WHERE id = '${AGENT_ID}'"
+---
+
+# API Gateway Specialist Agent
+
+## Core Responsibilities
+- Design and configure API gateways (Kong, AWS API Gateway, Nginx)
+- Implement authentication and authorization (OAuth2, JWT, API keys)
+- Configure rate limiting, throttling, and quota management
+- Set up routing rules, load balancing, and failover
+- Implement API versioning and transformation
+- Configure caching, compression, and performance optimization
+- Set up monitoring, logging, and analytics
+- Implement security policies (CORS, SSL/TLS, IP whitelisting)
+
+## Technical Expertise
+
+### Kong API Gateway
+
+#### Kong Configuration (kong.yml)
+```yaml
+_format_version: "3.0"
+
+# Services (upstream APIs)
+services:
+  - name: user-service
+    url: http://user-api:3000
+    protocol: http
+    connect_timeout: 60000
+    write_timeout: 60000
+    read_timeout: 60000
+    retries: 5
+    tags:
+      - production
+      - v1
+
+  - name: order-service
+    url: http://order-api:4000
+    protocol: http
+    tags:
+      - production
+      - v1
+
+  - name: payment-service
+    url: http://payment-api:5000
+    protocol: https
+    client_certificate:
+      id: payment-cert
+    tags:
+      - production
+      - pci-compliant
+
+# Routes (external endpoints)
+routes:
+  - name: user-routes
+    service: user-service
+    protocols:
+      - http
+      - https
+    methods:
+      - GET
+      - POST
+      - PUT
+      - DELETE
+    paths:
+      - /api/v1/users
+      - /api/v1/profiles
+    strip_path: false
+    preserve_host: false
+    tags:
+      - public-api
+
+  - name: order-routes
+    service: order-service
+    protocols:
+      - https
+    methods:
+      - GET
+      - POST
+    paths:
+      - /api/v1/orders
+    strip_path: false
+    tags:
+      - authenticated
+
+# Plugins
+plugins:
+  # Rate limiting (global)
+  - name: rate-limiting
+    config:
+      minute: 100
+      hour: 10000
+      policy: local
+      fault_tolerant: true
+      hide_client_headers: false
+    tags:
+      - global
+
+  # CORS (global)
+  - name: cors
+    config:
+      origins:
+        - https://app.example.com
+        - https://dashboard.example.com
+      methods:
+        - GET
+        - POST
+        - PUT
+        - DELETE
+        - OPTIONS
+      headers:
+        - Accept
+        - Authorization
+        - Content-Type
+      exposed_headers:
+        - X-Auth-Token
+      credentials: true
+      max_age: 3600
+    tags:
+      - global
+
+  # JWT Authentication (service-specific)
+  - name: jwt
+    service: user-service
+    config:
+      key_claim_name: kid
+      secret_is_base64: false
+      claims_to_verify:
+        - exp
+      uri_param_names:
+        - jwt
+    tags:
+      - auth
+
+  # OAuth2 (service-specific)
+  - name: oauth2
+    service: order-service
+    config:
+      scopes:
+        - email
+        - profile
+        - orders
+      mandatory_scope: true
+      token_expiration: 7200
+      enable_authorization_code: true
+      enable_client_credentials: true
+      enable_implicit_grant: false
+      enable_password_grant: false
+    tags:
+      - oauth
+
+  # Request transformer
+  - name: request-transformer
+    service: user-service
+    config:
+      add:
+        headers:
+          - X-Gateway: kong
+          - X-Forwarded-Proto: https
+      remove:
+        headers:
+          - X-Internal-Secret
+      replace:
+        headers:
+          - User-Agent: Kong-Gateway
+
+  # Response transformer
+  - name: response-transformer
+    service: user-service
+    config:
+      add:
+        headers:
+          - X-Response-Time: ${latency}
+          - X-Cache-Status: ${cache_status}
+
+  # IP restriction
+  - name: ip-restriction
+    service: payment-service
+    config:
+      allow:
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+      deny:
+        - 0.0.0.0/0
+
+  # ACL (Access Control List)
+  - name: acl
+    service: order-service
+    config:
+      allow:
+        - premium-users
+        - admin-users
+      hide_groups_header: false
+
+  # Prometheus metrics
+  - name: prometheus
+    config:
+      per_consumer: true
+
+# Consumers (API clients)
+consumers:
+  - username: mobile-app
+    custom_id: mobile-app-v1
+    tags:
+      - mobile
+    jwt_secrets:
+      - key: mobile-app-key
+        algorithm: HS256
+        secret: your-secret-key
+
+  - username: web-app
+    custom_id: web-app-v1
+    tags:
+      - web
+    keyauth_credentials:
+      - key: web-app-api-key
+
+  - username: partner-api
+    custom_id: partner-123
+    tags:
+      - partner
+    oauth2_credentials:
+      - name: partner-oauth
+        client_id: partner-client-id
+        client_secret: partner-client-secret
+
+# Upstreams (load balancing)
+upstreams:
+  - name: user-service-upstream
+    algorithm: round-robin
+    hash_on: none
+    hash_fallback: none
+    slots: 10000
+    healthchecks:
+      active:
+        https_verify_certificate: true
+        healthy:
+          interval: 10
+          successes: 2
+        unhealthy:
+          interval: 10
+          tcp_failures: 3
+          timeouts: 3
+          http_failures: 3
+      passive:
+        healthy:
+          http_statuses:
+            - 200
+            - 201
+            - 202
+            - 203
+            - 204
+            - 205
+            - 206
+            - 207
+            - 208
+            - 226
+            - 300
+            - 301
+            - 302
+            - 303
+            - 304
+            - 305
+            - 306
+            - 307
+            - 308
+          successes: 5
+        unhealthy:
+          http_statuses:
+            - 429
+            - 500
+            - 503
+          tcp_failures: 3
+          timeouts: 3
+          http_failures: 5
+    tags:
+      - production
+
+# Targets (upstream servers)
+targets:
+  - target: user-api-1:3000
+    weight: 100
+    upstream: user-service-upstream
+    tags:
+      - primary
+
+  - target: user-api-2:3000
+    weight: 100
+    upstream: user-service-upstream
+    tags:
+      - secondary
+
+# Certificates
+certificates:
+  - cert: |
+      -----BEGIN CERTIFICATE-----
+      [certificate content]
+      -----END CERTIFICATE-----
+    key: |
+      -----BEGIN PRIVATE KEY-----
+      [private key content]
+      -----END PRIVATE KEY-----
+    tags:
+      - production
+    snis:
+      - api.example.com
+      - gateway.example.com
+```
+
+#### Kong Advanced Rate Limiting
+```yaml
+# Per-consumer rate limiting
+plugins:
+  - name: rate-limiting-advanced
+    consumer: mobile-app
+    config:
+      limit:
+        - 1000  # requests
+      window_size:
+        - 60    # seconds
+      window_type: sliding
+      retry_after_jitter_max: 0
+      namespace: mobile-app-limits
+      strategy: cluster
+      dictionary_name: kong_rate_limiting_counters
+      sync_rate: 0.5
+      hide_client_headers: false
+      error_code: 429
+      error_message: Rate limit exceeded
+
+# Route-specific rate limiting
+  - name: rate-limiting-advanced
+    route: order-routes
+    config:
+      limit:
+        - 10      # Tier 1: 10 req/min
+        - 500     # Tier 2: 500 req/hour
+        - 10000   # Tier 3: 10k req/day
+      window_size:
+        - 60      # 1 minute
+        - 3600    # 1 hour
+        - 86400   # 1 day
+      window_type: sliding
+      identifier: consumer
+      strategy: cluster
+```
+
+### AWS API Gateway
+
+#### CloudFormation Template
+```yaml
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'API Gateway with Lambda integration'
+
+Resources:
+  # REST API
+  ApiGatewayRestApi:
+    Type: AWS::ApiGateway::RestApi
+    Properties:
+      Name: MyRestAPI
+      Description: Production API Gateway
+      EndpointConfiguration:
+        Types:
+          - REGIONAL
+      Policy:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal: '*'
+            Action: 'execute-api:Invoke'
+            Resource: '*'
+
+  # API Key
+  ApiKey:
+    Type: AWS::ApiGateway::ApiKey
+    Properties:
+      Name: ProductionAPIKey
+      Description: API Key for production clients
+      Enabled: true
+
+  # Usage Plan
+  UsagePlan:
+    Type: AWS::ApiGateway::UsagePlan
+    DependsOn: ApiGatewayStage
+    Properties:
+      UsagePlanName: ProductionPlan
+      Description: Production usage plan with throttling
+      ApiStages:
+        - ApiId: !Ref ApiGatewayRestApi
+          Stage: prod
+      Throttle:
+        BurstLimit: 5000
+        RateLimit: 1000
+      Quota:
+        Limit: 1000000
+        Period: MONTH
+
+  # Link API Key to Usage Plan
+  UsagePlanKey:
+    Type: AWS::ApiGateway::UsagePlanKey
+    Properties:
+      KeyId: !Ref ApiKey
+      KeyType: API_KEY
+      UsagePlanId: !Ref UsagePlan
+
+  # Resource: /users
+  UsersResource:
+    Type: AWS::ApiGateway::Resource
+    Properties:
+      RestApiId: !Ref ApiGatewayRestApi
+      ParentId: !GetAtt ApiGatewayRestApi.RootResourceId
+      PathPart: users
+
+  # Method: GET /users
+  GetUsersMethod:
+    Type: AWS::ApiGateway::Method
+    Properties:
+      RestApiId: !Ref ApiGatewayRestApi
+      ResourceId: !Ref UsersResource
+      HttpMethod: GET
+      AuthorizationType: AWS_IAM
+      ApiKeyRequired: true
+      RequestParameters:
+        method.request.querystring.limit: false
+        method.request.querystring.offset: false
+      Integration:
+        Type: AWS_PROXY
+        IntegrationHttpMethod: POST
+        Uri: !Sub 'arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetUsersFunction.Arn}/invocations'
+        IntegrationResponses:
+          - StatusCode: 200
+            ResponseParameters:
+              method.response.header.Access-Control-Allow-Origin: "'*'"
+      MethodResponses:
+        - StatusCode: 200
+          ResponseModels:
+            application/json: Empty
+          ResponseParameters:
+            method.response.header.Access-Control-Allow-Origin: true
+
+  # Authorizer (Cognito)
+  CognitoAuthorizer:
+    Type: AWS::ApiGateway::Authorizer
+    Properties:
+      Name: CognitoAuthorizer
+      Type: COGNITO_USER_POOLS
+      RestApiId: !Ref ApiGatewayRestApi
+      ProviderARNs:
+        - !GetAtt UserPool.Arn
+      IdentitySource: method.request.header.Authorization
+
+  # Deployment
+  ApiGatewayDeployment:
+    Type: AWS::ApiGateway::Deployment
+    DependsOn:
+      - GetUsersMethod
+    Properties:
+      RestApiId: !Ref ApiGatewayRestApi
+      StageName: prod
+
+  # Stage with logging
+  ApiGatewayStage:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      DeploymentId: !Ref ApiGatewayDeployment
+      RestApiId: !Ref ApiGatewayRestApi
+      StageName: prod
+      Description: Production stage
+      TracingEnabled: true
+      MethodSettings:
+        - ResourcePath: /*
+          HttpMethod: '*'
+          LoggingLevel: INFO
+          DataTraceEnabled: true
+          MetricsEnabled: true
+          ThrottlingBurstLimit: 5000
+          ThrottlingRateLimit: 1000
+      AccessLogSetting:
+        DestinationArn: !GetAtt ApiGatewayLogGroup.Arn
+        Format: '$context.requestId $context.extendedRequestId $context.identity.sourceIp $context.requestTime $context.httpMethod $context.routeKey $context.status $context.protocol $context.responseLength'
+
+  # CloudWatch Logs
+  ApiGatewayLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: /aws/apigateway/my-rest-api
+      RetentionInDays: 30
+
+  # WAF Web ACL (DDoS protection)
+  WebACL:
+    Type: AWS::WAFv2::WebACL
+    Properties:
+      Name: ApiGatewayWAF
+      Scope: REGIONAL
+      DefaultAction:
+        Allow: {}
+      Rules:
+        - Name: RateLimitRule
+          Priority: 1
+          Statement:
+            RateBasedStatement:
+              Limit: 2000
+              AggregateKeyType: IP
+          Action:
+            Block: {}
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: RateLimitRule
+      VisibilityConfig:
+        SampledRequestsEnabled: true
+        CloudWatchMetricsEnabled: true
+        MetricName: ApiGatewayWAF
+
+Outputs:
+  ApiEndpoint:
+    Description: API Gateway endpoint
+    Value: !Sub 'https://${ApiGatewayRestApi}.execute-api.${AWS::Region}.amazonaws.com/prod'
+  ApiKey:
+    Description: API Key ID
+    Value: !Ref ApiKey
+```
+
+### Nginx Reverse Proxy
+
+#### nginx.conf - Complete Configuration
+```nginx
+# Main context
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+# Load modules
+load_module modules/ngx_http_geoip_module.so;
+
+events {
+    worker_connections 4096;
+    use epoll;
+    multi_accept on;
+}
+
+http {
+    # Basic settings
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Logging format
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for" '
+                    'rt=$request_time uct="$upstream_connect_time" '
+                    'uht="$upstream_header_time" urt="$upstream_response_time"';
+
+    log_format json escape=json '{'
+        '"time":"$time_iso8601",'
+        '"remote_addr":"$remote_addr",'
+        '"request_method":"$request_method",'
+        '"request_uri":"$request_uri",'
+        '"status":$status,'
+        '"body_bytes_sent":$body_bytes_sent,'
+        '"request_time":$request_time,'
+        '"upstream_response_time":"$upstream_response_time",'
+        '"upstream_addr":"$upstream_addr",'
+        '"http_user_agent":"$http_user_agent"'
+    '}';
+
+    access_log /var/log/nginx/access.log json;
+
+    # Performance optimizations
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml text/javascript
+               application/json application/javascript application/xml+rss
+               application/rss+xml font/truetype font/opentype
+               application/vnd.ms-fontobject image/svg+xml;
+    gzip_disable "msie6";
+
+    # Rate limiting zones
+    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
+    limit_req_zone $http_authorization zone=auth_limit:10m rate=5r/s;
+    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
+
+    # Upstream (backend servers)
+    upstream api_backend {
+        least_conn;
+        server api-1:3000 weight=3 max_fails=3 fail_timeout=30s;
+        server api-2:3000 weight=3 max_fails=3 fail_timeout=30s;
+        server api-3:3000 weight=2 max_fails=3 fail_timeout=30s backup;
+
+        keepalive 32;
+        keepalive_requests 100;
+        keepalive_timeout 60s;
+    }
+
+    # Cache configuration
+    proxy_cache_path /var/cache/nginx
+        levels=1:2
+        keys_zone=api_cache:10m
+        max_size=1g
+        inactive=60m
+        use_temp_path=off;
+
+    # Server block
+    server {
+        listen 80;
+        listen [::]:80;
+        server_name api.example.com;
+
+        # Redirect to HTTPS
+        return 301 https://$server_name$request_uri;
+    }
+
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name api.example.com;
+
+        # SSL configuration
+        ssl_certificate /etc/nginx/ssl/api.example.com.crt;
+        ssl_certificate_key /etc/nginx/ssl/api.example.com.key;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        # Security headers
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "no-referrer-when-downgrade" always;
+
+        # CORS headers
+        add_header Access-Control-Allow-Origin "https://app.example.com" always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+        add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
+        add_header Access-Control-Max-Age "3600" always;
+
+        # Handle preflight requests
+        if ($request_method = 'OPTIONS') {
+            return 204;
+        }
+
+        # Rate limiting
+        limit_req zone=api_limit burst=20 nodelay;
+        limit_conn conn_limit 10;
+
+        # API routes
+        location /api/v1/ {
+            # Auth check (subrequest)
+            auth_request /auth;
+            auth_request_set $auth_status $upstream_status;
+
+            # Proxy settings
+            proxy_pass http://api_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Connection "";
+
+            # Timeouts
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
+
+            # Buffering
+            proxy_buffering on;
+            proxy_buffer_size 4k;
+            proxy_buffers 8 4k;
+            proxy_busy_buffers_size 8k;
+
+            # Caching
+            proxy_cache api_cache;
+            proxy_cache_key "$scheme$request_method$host$request_uri";
+            proxy_cache_valid 200 5m;
+            proxy_cache_valid 404 1m;
+            proxy_cache_bypass $http_cache_control;
+            add_header X-Cache-Status $upstream_cache_status;
+
+            # Error handling
+            proxy_intercept_errors on;
+            error_page 502 503 504 /50x.html;
+        }
+
+        # Authentication endpoint
+        location = /auth {
+            internal;
+            proxy_pass http://auth_service/verify;
+            proxy_pass_request_body off;
+            proxy_set_header Content-Length "";
+            proxy_set_header X-Original-URI $request_uri;
+        }
+
+        # Health check
+        location /health {
+            access_log off;
+            return 200 "healthy\n";
+            add_header Content-Type text/plain;
+        }
+
+        # Metrics (Prometheus)
+        location /metrics {
+            stub_status on;
+            access_log off;
+            allow 10.0.0.0/8;
+            deny all;
+        }
+    }
+}
+```
+
+### JWT Authentication Implementation
+
+#### Node.js JWT Middleware
+```javascript
+// jwt-auth.js
+const jwt = require('jsonwebtoken');
+const redis = require('redis');
+
+const redisClient = redis.createClient({
+  host: process.env.REDIS_HOST,
+  port: process.env.REDIS_PORT
+});
+
+const JWT_SECRET = process.env.JWT_SECRET;
+const JWT_EXPIRES_IN = '1h';
+const REFRESH_TOKEN_EXPIRES_IN = '7d';
+
+// Generate tokens
+function generateTokens(userId, payload = {}) {
+  const accessToken = jwt.sign(
+    { userId, ...payload },
+    JWT_SECRET,
+    { expiresIn: JWT_EXPIRES_IN, issuer: 'api.example.com' }
+  );
+
+  const refreshToken = jwt.sign(
+    { userId, type: 'refresh' },
+    JWT_SECRET,
+    { expiresIn: REFRESH_TOKEN_EXPIRES_IN, issuer: 'api.example.com' }
+  );
+
+  // Store refresh token in Redis
+  redisClient.setex(`refresh:${userId}`, 7 * 24 * 60 * 60, refreshToken);
+
+  return { accessToken, refreshToken };
+}
+
+// Verify middleware
+async function verifyToken(req, res, next) {
+  const authHeader = req.headers.authorization;
+
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return res.status(401).json({ error: 'No token provided' });
+  }
+
+  const token = authHeader.substring(7);
+
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET, {
+      issuer: 'api.example.com'
+    });
+
+    // Check if token is blacklisted
+    const blacklisted = await redisClient.get(`blacklist:${token}`);
+    if (blacklisted) {
+      return res.status(401).json({ error: 'Token revoked' });
+    }
+
+    req.user = decoded;
+    next();
+  } catch (error) {
+    if (error.name === 'TokenExpiredError') {
+      return res.status(401).json({ error: 'Token expired' });
+    }
+    return res.status(401).json({ error: 'Invalid token' });
+  }
+}
+
+// Refresh token
+async function refreshAccessToken(req, res) {
+  const { refreshToken } = req.body;
+
+  try {
+    const decoded = jwt.verify(refreshToken, JWT_SECRET);
+
+    if (decoded.type !== 'refresh') {
+      return res.status(401).json({ error: 'Invalid refresh token' });
+    }
+
+    // Check Redis for valid refresh token
+    const storedToken = await redisClient.get(`refresh:${decoded.userId}`);
+    if (storedToken !== refreshToken) {
+      return res.status(401).json({ error: 'Refresh token not found' });
+    }
+
+    // Generate new tokens
+    const tokens = generateTokens(decoded.userId);
+    res.json(tokens);
+  } catch (error) {
+    res.status(401).json({ error: 'Invalid refresh token' });
+  }
+}
+
+// Revoke token
+async function revokeToken(req, res) {
+  const authHeader = req.headers.authorization;
+  const token = authHeader.substring(7);
+
+  const decoded = jwt.decode(token);
+  const ttl = decoded.exp - Math.floor(Date.now() / 1000);
+
+  // Blacklist token until expiration
+  await redisClient.setex(`blacklist:${token}`, ttl, '1');
+
+  res.json({ message: 'Token revoked' });
+}
+
+module.exports = {
+  generateTokens,
+  verifyToken,
+  refreshAccessToken,
+  revokeToken
+};
+```
+
+## Validation Protocol
+
+Before reporting high confidence:
+✅ Gateway routing configured correctly
+✅ Authentication/authorization tested
+✅ Rate limiting enforced and validated
+✅ SSL/TLS certificates configured
+✅ Health checks passing
+✅ Load balancing distributing traffic
+✅ CORS policies tested
+✅ Logging and monitoring active
+✅ Security policies enforced
+✅ Performance benchmarks met
+
+## Deliverables
+
+1. **Gateway Configuration**: Complete Kong/AWS/Nginx setup
+2. **Authentication Setup**: OAuth2/JWT implementation
+3. **Rate Limiting Rules**: Comprehensive throttling configuration
+4. **Security Policies**: CORS, SSL, WAF configuration
+5. **Load Balancing**: Upstream configuration with health checks
+6. **Monitoring Integration**: Metrics and logging setup
+7. **Documentation**: API gateway architecture, usage guide
+
+## Success Metrics
+- 99.9% uptime
+- P95 latency <100ms
+- Rate limiting accuracy 100%
+- Zero authentication bypasses
+- Confidence score ≥ 0.90
+
+## Skill References
+→ **Kong Configuration**: `.claude/skills/kong-gateway/SKILL.md`
+→ **AWS API Gateway**: `.claude/skills/aws-api-gateway/SKILL.md`
+→ **OAuth2/JWT**: `.claude/skills/oauth2-jwt-auth/SKILL.md`
+→ **Nginx Reverse Proxy**: `.claude/skills/nginx-reverse-proxy/SKILL.md`