npm - latchkey - Versions diffs - 2.6.1 → 2.7.1 - Mend

latchkey 2.6.1 → 2.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (193) hide show

package/README.md +50 -1
package/dist/scripts/recordBrowserSession.js +3 -3
package/dist/scripts/recordBrowserSession.js.map +1 -1
package/dist/src/{apiCredentials.d.ts → apiCredentials/base.d.ts} +6 -6
package/dist/src/apiCredentials/base.d.ts.map +1 -0
package/dist/src/{apiCredentials.js → apiCredentials/base.js} +5 -5
package/dist/src/apiCredentials/base.js.map +1 -0
package/dist/src/{apiCredentialsSerialization.d.ts → apiCredentials/serialization.d.ts} +5 -5
package/dist/src/apiCredentials/serialization.d.ts.map +1 -0
package/dist/src/{apiCredentialsSerialization.js → apiCredentials/serialization.js} +9 -9
package/dist/src/apiCredentials/serialization.js.map +1 -0
package/dist/src/{apiCredentialStore.d.ts → apiCredentials/store.d.ts} +3 -3
package/dist/src/apiCredentials/store.d.ts.map +1 -0
package/dist/src/{apiCredentialStore.js → apiCredentials/store.js} +2 -2
package/dist/src/apiCredentials/store.js.map +1 -0
package/dist/src/apiCredentials/utils.d.ts +13 -0
package/dist/src/apiCredentials/utils.d.ts.map +1 -0
package/dist/src/apiCredentials/utils.js +27 -0
package/dist/src/apiCredentials/utils.js.map +1 -0
package/dist/src/browserConfig.d.ts +5 -1
package/dist/src/browserConfig.d.ts.map +1 -1
package/dist/src/browserConfig.js +17 -3
package/dist/src/browserConfig.js.map +1 -1
package/dist/src/cli.js +42 -39
package/dist/src/cli.js.map +1 -1
package/dist/src/cliCommands.d.ts +5 -2
package/dist/src/cliCommands.d.ts.map +1 -1
package/dist/src/cliCommands.js +270 -190
package/dist/src/cliCommands.js.map +1 -1
package/dist/src/config.d.ts +32 -2
package/dist/src/config.d.ts.map +1 -1
package/dist/src/config.js +107 -20
package/dist/src/config.js.map +1 -1
package/dist/src/configDataStore.d.ts +44 -0
package/dist/src/configDataStore.d.ts.map +1 -1
package/dist/src/configDataStore.js +27 -0
package/dist/src/configDataStore.js.map +1 -1
package/dist/src/curl.d.ts +41 -8
package/dist/src/curl.d.ts.map +1 -1
package/dist/src/curl.js +80 -75
package/dist/src/curl.js.map +1 -1
package/dist/src/curlInjection.d.ts +46 -0
package/dist/src/curlInjection.d.ts.map +1 -0
package/dist/src/curlInjection.js +99 -0
package/dist/src/curlInjection.js.map +1 -0
package/dist/src/errorMessages.d.ts +14 -0
package/dist/src/errorMessages.d.ts.map +1 -0
package/dist/src/errorMessages.js +22 -0
package/dist/src/errorMessages.js.map +1 -0
package/dist/src/gateway/client.d.ts +32 -0
package/dist/src/gateway/client.d.ts.map +1 -0
package/dist/src/gateway/client.js +89 -0
package/dist/src/gateway/client.js.map +1 -0
package/dist/src/gateway/gatewayEndpoint.d.ts +43 -0
package/dist/src/gateway/gatewayEndpoint.d.ts.map +1 -0
package/dist/src/gateway/gatewayEndpoint.js +297 -0
package/dist/src/gateway/gatewayEndpoint.js.map +1 -0
package/dist/src/gateway/latchkeyEndpoint.d.ts +105 -0
package/dist/src/gateway/latchkeyEndpoint.d.ts.map +1 -0
package/dist/src/gateway/latchkeyEndpoint.js +144 -0
package/dist/src/gateway/latchkeyEndpoint.js.map +1 -0
package/dist/src/gateway/server.d.ts +20 -0
package/dist/src/gateway/server.d.ts.map +1 -0
package/dist/src/gateway/server.js +90 -0
package/dist/src/gateway/server.js.map +1 -0
package/dist/src/index.d.ts +4 -4
package/dist/src/index.d.ts.map +1 -1
package/dist/src/index.js +5 -5
package/dist/src/index.js.map +1 -1
package/dist/src/permissions.d.ts.map +1 -1
package/dist/src/permissions.js +4 -2
package/dist/src/permissions.js.map +1 -1
package/dist/src/playwrightDownload.d.ts +1 -1
package/dist/src/playwrightDownload.d.ts.map +1 -1
package/dist/src/playwrightDownload.js +5 -4
package/dist/src/playwrightDownload.js.map +1 -1
package/dist/src/playwrightLoader.d.ts +17 -0
package/dist/src/playwrightLoader.d.ts.map +1 -0
package/dist/src/playwrightLoader.js +47 -0
package/dist/src/playwrightLoader.js.map +1 -0
package/dist/src/playwrightUtils.d.ts.map +1 -1
package/dist/src/playwrightUtils.js +2 -1
package/dist/src/playwrightUtils.js.map +1 -1
package/dist/src/{registry.d.ts → serviceRegistry.d.ts} +4 -4
package/dist/src/serviceRegistry.d.ts.map +1 -0
package/dist/src/{registry.js → serviceRegistry.js} +4 -4
package/dist/src/serviceRegistry.js.map +1 -0
package/dist/src/services/aws.d.ts +2 -2
package/dist/src/services/aws.d.ts.map +1 -1
package/dist/src/services/aws.js +17 -10
package/dist/src/services/aws.js.map +1 -1
package/dist/src/services/core/base.d.ts +2 -2
package/dist/src/services/core/base.d.ts.map +1 -1
package/dist/src/services/core/base.js +3 -3
package/dist/src/services/core/base.js.map +1 -1
package/dist/src/services/core/registered.d.ts +2 -2
package/dist/src/services/core/registered.d.ts.map +1 -1
package/dist/src/services/core/registered.js +2 -2
package/dist/src/services/core/registered.js.map +1 -1
package/dist/src/services/discord.d.ts +1 -1
package/dist/src/services/discord.d.ts.map +1 -1
package/dist/src/services/discord.js +1 -1
package/dist/src/services/discord.js.map +1 -1
package/dist/src/services/dropbox.d.ts +1 -1
package/dist/src/services/dropbox.d.ts.map +1 -1
package/dist/src/services/dropbox.js +1 -1
package/dist/src/services/dropbox.js.map +1 -1
package/dist/src/services/github.d.ts +2 -2
package/dist/src/services/github.d.ts.map +1 -1
package/dist/src/services/github.js +2 -2
package/dist/src/services/github.js.map +1 -1
package/dist/src/services/google/base.d.ts +2 -2
package/dist/src/services/google/base.d.ts.map +1 -1
package/dist/src/services/google/base.js +3 -3
package/dist/src/services/google/base.js.map +1 -1
package/dist/src/services/google/directions.d.ts +1 -1
package/dist/src/services/google/directions.d.ts.map +1 -1
package/dist/src/services/linear.d.ts +1 -1
package/dist/src/services/linear.d.ts.map +1 -1
package/dist/src/services/linear.js +1 -1
package/dist/src/services/linear.js.map +1 -1
package/dist/src/services/notion.d.ts +1 -1
package/dist/src/services/notion.d.ts.map +1 -1
package/dist/src/services/notion.js +1 -1
package/dist/src/services/notion.js.map +1 -1
package/dist/src/services/sentry.d.ts +2 -2
package/dist/src/services/sentry.d.ts.map +1 -1
package/dist/src/services/sentry.js +6 -3
package/dist/src/services/sentry.js.map +1 -1
package/dist/src/services/slack.d.ts +3 -3
package/dist/src/services/slack.d.ts.map +1 -1
package/dist/src/services/slack.js +5 -5
package/dist/src/services/slack.js.map +1 -1
package/dist/src/services/telegram.d.ts +2 -2
package/dist/src/services/telegram.d.ts.map +1 -1
package/dist/src/services/telegram.js +2 -2
package/dist/src/services/telegram.js.map +1 -1
package/dist/src/sharedOperations.d.ts +44 -0
package/dist/src/sharedOperations.d.ts.map +1 -0
package/dist/src/sharedOperations.js +131 -0
package/dist/src/sharedOperations.js.map +1 -0
package/dist/src/version.d.ts +2 -0
package/dist/src/version.d.ts.map +1 -0
package/dist/src/version.js +4 -0
package/dist/src/version.js.map +1 -0
package/dist/tests/apiCredentialStore.test.js +2 -2
package/dist/tests/apiCredentialStore.test.js.map +1 -1
package/dist/tests/apiCredentials.test.js +37 -36
package/dist/tests/apiCredentials.test.js.map +1 -1
package/dist/tests/cli.test.js +240 -55
package/dist/tests/cli.test.js.map +1 -1
package/dist/tests/config.test.d.ts +2 -0
package/dist/tests/config.test.d.ts.map +1 -0
package/dist/tests/config.test.js +150 -0
package/dist/tests/config.test.js.map +1 -0
package/dist/tests/gateway.test.d.ts +2 -0
package/dist/tests/gateway.test.d.ts.map +1 -0
package/dist/tests/gateway.test.js +566 -0
package/dist/tests/gateway.test.js.map +1 -0
package/dist/tests/gatewayClient.test.d.ts +2 -0
package/dist/tests/gatewayClient.test.d.ts.map +1 -0
package/dist/tests/gatewayClient.test.js +85 -0
package/dist/tests/gatewayClient.test.js.map +1 -0
package/dist/tests/latchkeyEndpoint.test.d.ts +2 -0
package/dist/tests/latchkeyEndpoint.test.d.ts.map +1 -0
package/dist/tests/latchkeyEndpoint.test.js +385 -0
package/dist/tests/latchkeyEndpoint.test.js.map +1 -0
package/dist/tests/permissions.test.js +15 -0
package/dist/tests/permissions.test.js.map +1 -1
package/dist/tests/playwrightDownload.test.js +2 -2
package/dist/tests/playwrightDownload.test.js.map +1 -1
package/dist/tests/serviceRegistry.test.d.ts +2 -0
package/dist/tests/serviceRegistry.test.d.ts.map +1 -0
package/dist/tests/{registry.test.js → serviceRegistry.test.js} +17 -17
package/dist/tests/serviceRegistry.test.js.map +1 -0
package/dist/tests/servicesAgainstRecordings.test.js +3 -3
package/dist/tests/servicesAgainstRecordings.test.js.map +1 -1
package/dist/tests/sharedOperations.test.d.ts +2 -0
package/dist/tests/sharedOperations.test.d.ts.map +1 -0
package/dist/tests/sharedOperations.test.js +264 -0
package/dist/tests/sharedOperations.test.js.map +1 -0
package/package.json +10 -3
package/dist/src/apiCredentialStore.d.ts.map +0 -1
package/dist/src/apiCredentialStore.js.map +0 -1
package/dist/src/apiCredentials.d.ts.map +0 -1
package/dist/src/apiCredentials.js.map +0 -1
package/dist/src/apiCredentialsSerialization.d.ts.map +0 -1
package/dist/src/apiCredentialsSerialization.js.map +0 -1
package/dist/src/registry.d.ts.map +0 -1
package/dist/src/registry.js.map +0 -1
package/dist/tests/registry.test.d.ts +0 -2
package/dist/tests/registry.test.d.ts.map +0 -1
package/dist/tests/registry.test.js.map +0 -1

package/dist/tests/cli.test.js CHANGED Viewed

@@ -5,12 +5,12 @@ import { tmpdir } from 'node:os';
 import { execSync } from 'node:child_process';
 import { Command } from 'commander';
 import { registerCommands } from '../src/cliCommands.js';
-import { extractUrlFromCurlArguments } from '../src/curl.js';
+import { CurlParseError, extractUrlFromCurlArguments } from '../src/curl.js';
 import { hasGraphicalEnvironment } from '../src/playwrightUtils.js';
 import { EncryptedStorage } from '../src/encryptedStorage.js';
 import { Config } from '../src/config.js';
-import { Registry } from '../src/registry.js';
-import { ApiCredentialStatus } from '../src/apiCredentials.js';
+import { ServiceRegistry } from '../src/serviceRegistry.js';
+import { ApiCredentialStatus } from '../src/apiCredentials/base.js';
 import { SlackApiCredentials } from '../src/services/slack.js';
 import { NoCurlCredentialsNotSupportedError, Service } from '../src/services/core/base.js';
 import { RegisteredService } from '../src/services/core/registered.js';
@@ -18,7 +18,7 @@ import { GITLAB } from '../src/services/gitlab.js';
 import { GITHUB } from '../src/services/github.js';
 import { TELEGRAM } from '../src/services/telegram.js';
 import { deleteRegisteredService, loadRegisteredServices, saveRegisteredService, } from '../src/configDataStore.js';
-import { loadRegisteredServicesIntoRegistry } from '../src/registry.js';
+import { loadRegisteredServicesIntoServiceRegistry } from '../src/serviceRegistry.js';
 // Use a fixed test key for deterministic test behavior (32 bytes = 256 bits, base64 encoded)
 const TEST_ENCRYPTION_KEY = 'dGVzdGtleXRlc3RrZXl0ZXN0a2V5dGVzdGtleXRlc3Q=';
 async function writeSecureFile(path, content) {
@@ -98,13 +98,13 @@ describe('extractUrlFromCurlArguments', () => {
         const arguments_ = ['--header', 'Authorization: Bearer token', 'https://api.example.com'];
         expect(extractUrlFromCurlArguments(arguments_)).toBe('https://api.example.com');
     });
-    it('should return null when no URL is present', () => {
+    it('should throw CurlParseError when no URL is present', () => {
         const arguments_ = ['-X', 'POST', '-H', 'Content-Type: application/json'];
-        expect(extractUrlFromCurlArguments(arguments_)).toBeNull();
+        expect(() => extractUrlFromCurlArguments(arguments_)).toThrow(CurlParseError);
     });
-    it('should return null for empty arguments', () => {
+    it('should throw CurlParseError for empty arguments', () => {
         const arguments_ = [];
-        expect(extractUrlFromCurlArguments(arguments_)).toBeNull();
+        expect(() => extractUrlFromCurlArguments(arguments_)).toThrow(CurlParseError);
     });
     it('should handle verbose flag', () => {
         let arguments_ = ['-v', 'https://api.example.com'];
@@ -118,6 +118,16 @@ describe('extractUrlFromCurlArguments', () => {
         const arguments_ = ['-k', '--compressed', '-s', '-i', 'https://api.example.com'];
         expect(extractUrlFromCurlArguments(arguments_)).toBe('https://api.example.com');
     });
+    it('should return the raw arg for schemeless URLs (curl defaults to http://)', () => {
+        expect(extractUrlFromCurlArguments(['www.seznam.cz'])).toBe('www.seznam.cz');
+        expect(extractUrlFromCurlArguments(['-X', 'POST', 'api.example.com/path'])).toBe('api.example.com/path');
+    });
+    it('should return null for non-http(s) schemes', () => {
+        expect(extractUrlFromCurlArguments(['ftp://example.com/'])).toBeNull();
+    });
+    it('should propagate CurlParseError for malformed arguments', () => {
+        expect(() => extractUrlFromCurlArguments(['-H', 'no-colon-here'])).toThrow(CurlParseError);
+    });
 });
 describe('hasGraphicalEnvironment', () => {
     const originalPlatform = process.platform;
@@ -258,6 +268,10 @@ describe('CLI commands with dependency injection', () => {
             browserDisabled: overrides.browserDisabled ?? false,
             countingDisabled: overrides.countingDisabled ?? false,
             permissionsDoNotUseBuiltinSchemas: overrides.permissionsDoNotUseBuiltinSchemas ?? false,
+            passthroughUnknown: overrides.passthroughUnknown ?? false,
+            gatewayUrl: overrides.gatewayUrl ?? null,
+            gatewayListenHost: overrides.gatewayListenHost ?? 'localhost',
+            gatewayListenPort: overrides.gatewayListenPort ?? 1989,
             checkSensitiveFilePermissions: () => undefined,
             checkSystemPrerequisites: () => undefined,
         };
@@ -270,7 +284,7 @@ describe('CLI commands with dependency injection', () => {
             loginUrl: 'https://slack.com/signin',
             info: 'Test info for Slack service.',
             credentialCheckCurlArguments: ['https://slack.com/api/auth.test'],
-            checkApiCredentials: vi.fn().mockReturnValue(ApiCredentialStatus.Valid),
+            checkApiCredentials: vi.fn().mockResolvedValue(ApiCredentialStatus.Valid),
             setCredentialsExample(serviceName) {
                 return `latchkey auth set ${serviceName} -H "Authorization: Bearer xoxb-your-token"`;
             },
@@ -281,7 +295,7 @@ describe('CLI commands with dependency injection', () => {
                 login: vi.fn().mockResolvedValue(new SlackApiCredentials('xoxc-test-token', 'test-cookie')),
             }),
         };
-        const mockRegistry = new Registry([mockSlackService]);
+        const mockRegistry = new ServiceRegistry([mockSlackService]);
         return {
             registry: mockRegistry,
             config: createMockConfig(),
@@ -289,6 +303,7 @@ describe('CLI commands with dependency injection', () => {
                 capturedArgs.push(...args);
                 return { returncode: 0, stdout: '', stderr: '' };
             },
+            runCurlAsync: () => Promise.resolve({ returncode: 0, stdout: Buffer.from(''), stderr: '' }),
             checkPermission: () => Promise.resolve(true),
             confirm: () => Promise.resolve(true),
             exit: (code) => {
@@ -301,6 +316,7 @@ describe('CLI commands with dependency injection', () => {
             errorLog: (message) => {
                 errorLogs.push(message);
             },
+            version: '0.0.0-test',
             ...overrides,
         };
     }
@@ -400,7 +416,7 @@ describe('CLI commands with dependency injection', () => {
                 loginUrl: 'https://nologin.example.com',
                 info: 'A service without browser login support.',
                 credentialCheckCurlArguments: [],
-                checkApiCredentials: vi.fn().mockReturnValue(ApiCredentialStatus.Missing),
+                checkApiCredentials: vi.fn().mockResolvedValue(ApiCredentialStatus.Missing),
                 setCredentialsExample(serviceName) {
                     return `latchkey auth set ${serviceName} -H "Authorization: Bearer <token>"`;
                 },
@@ -409,7 +425,7 @@ describe('CLI commands with dependency injection', () => {
                 },
             };
             const deps = createMockDependencies({
-                registry: new Registry([noLoginService]),
+                registry: new ServiceRegistry([noLoginService]),
             });
             await runCommand(['services', 'list', '--viable'], deps);
             expect(logs).toHaveLength(1);
@@ -564,7 +580,7 @@ describe('CLI commands with dependency injection', () => {
                 loginUrl: 'https://nologin.example.com',
                 info: 'A service without browser login support.',
                 credentialCheckCurlArguments: [],
-                checkApiCredentials: vi.fn().mockReturnValue(ApiCredentialStatus.Missing),
+                checkApiCredentials: vi.fn().mockResolvedValue(ApiCredentialStatus.Missing),
                 setCredentialsExample(serviceName) {
                     return `latchkey auth set ${serviceName} -H "Authorization: Bearer <token>"`;
                 },
@@ -573,7 +589,7 @@ describe('CLI commands with dependency injection', () => {
                 },
             };
             const deps = createMockDependencies({
-                registry: new Registry([noLoginService]),
+                registry: new ServiceRegistry([noLoginService]),
             });
             await runCommand(['services', 'info', 'nologin'], deps);
             const info = JSON.parse(logs[0] ?? '');
@@ -744,7 +760,7 @@ describe('CLI commands with dependency injection', () => {
             const storePath = join(tempDir, 'credentials.json');
             await writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
-                registry: new Registry([TELEGRAM]),
+                registry: new ServiceRegistry([TELEGRAM]),
             });
             await runCommand(['auth', 'set-nocurl', 'telegram', '123456:ABC-DEF'], deps);
             expect(logs).toContain('Credentials stored.');
@@ -766,14 +782,14 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should return error when telegram token is missing', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([TELEGRAM]),
+                registry: new ServiceRegistry([TELEGRAM]),
             });
             await runCommand(['auth', 'set-nocurl', 'telegram'], deps);
             expect(exitCode).toBe(1);
         });
         it('should return error when telegram token format is invalid', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([TELEGRAM]),
+                registry: new ServiceRegistry([TELEGRAM]),
             });
             await runCommand(['auth', 'set-nocurl', 'telegram', 'not-a-valid-token'], deps);
             expect(exitCode).toBe(1);
@@ -849,6 +865,38 @@ describe('CLI commands with dependency injection', () => {
             await runCommand(['curl', 'https://unknown-api.example.com'], deps);
             expect(exitCode).toBe(1);
         });
+        it('should pass through unknown service when passthroughUnknown is enabled', async () => {
+            const deps = createMockDependencies({
+                config: createMockConfig({ passthroughUnknown: true }),
+            });
+            await runCommand(['curl', 'https://unknown-api.example.com/test'], deps);
+            expect(exitCode).toBe(0);
+            expect(capturedArgs).toEqual(['https://unknown-api.example.com/test']);
+            expect(errorLogs).toHaveLength(0);
+        });
+        it('should pass through missing credentials when passthroughUnknown is enabled', async () => {
+            const storePath = join(tempDir, 'credentials.json');
+            await writeSecureFile(storePath, '{}');
+            const deps = createMockDependencies({
+                config: createMockConfig({ passthroughUnknown: true }),
+            });
+            await runCommand(['curl', 'https://slack.com/api/test'], deps);
+            expect(exitCode).toBe(0);
+            expect(capturedArgs).toEqual(['https://slack.com/api/test']);
+            expect(errorLogs).toHaveLength(0);
+        });
+        it('should still inject credentials for known services when passthroughUnknown is enabled', async () => {
+            const storePath = join(tempDir, 'credentials.json');
+            await writeSecureFile(storePath, JSON.stringify({
+                slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
+            }));
+            const deps = createMockDependencies({
+                config: createMockConfig({ passthroughUnknown: true }),
+            });
+            await runCommand(['curl', 'https://slack.com/api/test'], deps);
+            expect(exitCode).toBe(0);
+            expect(capturedArgs).toContain('Authorization: Bearer stored-token');
+        });
         it('should read credentials from store and not call login', async () => {
             const storePath = join(tempDir, 'credentials.json');
             await writeSecureFile(storePath, JSON.stringify({
@@ -872,7 +920,7 @@ describe('CLI commands with dependency injection', () => {
                 getSession: vi.fn().mockReturnValue({ login: mockLogin }),
             };
             const deps = createMockDependencies({
-                registry: new Registry([mockSlackService]),
+                registry: new ServiceRegistry([mockSlackService]),
             });
             await runCommand(['curl', 'https://slack.com/api/test'], deps);
             expect(mockLogin).not.toHaveBeenCalled();
@@ -891,7 +939,7 @@ describe('CLI commands with dependency injection', () => {
                 telegram: { objectType: 'telegramBot', token: '123456:ABC-DEF' },
             }));
             const deps = createMockDependencies({
-                registry: new Registry([TELEGRAM]),
+                registry: new ServiceRegistry([TELEGRAM]),
             });
             await runCommand(['curl', 'https://api.telegram.org/getMe'], deps);
             expect(capturedArgs).toEqual(['https://api.telegram.org/bot123456:ABC-DEF/getMe']);
@@ -909,7 +957,7 @@ describe('CLI commands with dependency injection', () => {
                 loginUrl: 'https://nologin.example.com',
                 info: 'A service without browser login support.',
                 credentialCheckCurlArguments: [],
-                checkApiCredentials: vi.fn().mockReturnValue(ApiCredentialStatus.Valid),
+                checkApiCredentials: vi.fn().mockResolvedValue(ApiCredentialStatus.Valid),
                 setCredentialsExample(serviceName) {
                     return `latchkey auth set ${serviceName} -H "Authorization: Bearer <token>"`;
                 },
@@ -919,7 +967,7 @@ describe('CLI commands with dependency injection', () => {
                 // No getSession - service doesn't support browser login
             };
             const deps = createMockDependencies({
-                registry: new Registry([noLoginService]),
+                registry: new ServiceRegistry([noLoginService]),
             });
             await runCommand(['curl', 'https://nologin.example.com/api/test'], deps);
             expect(exitCode).toBe(0);
@@ -986,7 +1034,7 @@ describe('CLI commands with dependency injection', () => {
                 // No getSession - service doesn't support browser login
             };
             const deps = createMockDependencies({
-                registry: new Registry([noLoginService]),
+                registry: new ServiceRegistry([noLoginService]),
             });
             await runCommand(['auth', 'browser', 'nologin'], deps);
             expect(exitCode).toBe(1);
@@ -1043,7 +1091,7 @@ describe('CLI commands with dependency injection', () => {
                 // No getSession - service doesn't support browser login
             };
             const deps = createMockDependencies({
-                registry: new Registry([nocurlService]),
+                registry: new ServiceRegistry([nocurlService]),
             });
             await runCommand(['auth', 'browser', 'nocurl-only'], deps);
             expect(exitCode).toBe(1);
@@ -1052,7 +1100,7 @@ describe('CLI commands with dependency injection', () => {
     describe('services register command', () => {
         it('should register a new service', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand([
                 'services',
@@ -1072,7 +1120,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should persist registration to config.json', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand([
                 'services',
@@ -1092,7 +1140,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should reject unknown service family', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand([
                 'services',
@@ -1108,7 +1156,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should reject duplicate service name', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand([
                 'services',
@@ -1124,7 +1172,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should canonicalize service name to lowercase', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand([
                 'services',
@@ -1141,7 +1189,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should convert spaces to hyphens in service name', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand(['services', 'register', 'my api', '--base-api-url', 'https://api.example.com/'], deps);
             expect(exitCode).toBeNull();
@@ -1150,7 +1198,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should reject service name with invalid characters', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand(['services', 'register', 'my@service!', '--base-api-url', 'https://api.example.com/'], deps);
             expect(exitCode).toBe(1);
@@ -1160,7 +1208,7 @@ describe('CLI commands with dependency injection', () => {
             const storePath = join(tempDir, 'credentials.json');
             await writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand([
                 'services',
@@ -1179,7 +1227,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should persist and restore loginUrl', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITHUB]),
+                registry: new ServiceRegistry([GITHUB]),
             });
             await runCommand([
                 'services',
@@ -1197,7 +1245,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should reject --login-url without --service-family', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([]),
+                registry: new ServiceRegistry([]),
             });
             await runCommand([
                 'services',
@@ -1213,7 +1261,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should reject --login-url when service family does not support browser login', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand([
                 'services',
@@ -1231,7 +1279,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should require --login-url when service family supports browser login', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITHUB]),
+                registry: new ServiceRegistry([GITHUB]),
             });
             await runCommand([
                 'services',
@@ -1247,7 +1295,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should make registered service usable with auth set', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             // Register the service
             await runCommand([
@@ -1270,7 +1318,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should register a service without --service-family', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
             expect(exitCode).toBeNull();
@@ -1282,7 +1330,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should persist registration without service family to config.json', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
             const configPath = deps.config.configPath;
@@ -1295,7 +1343,7 @@ describe('CLI commands with dependency injection', () => {
             const storePath = join(tempDir, 'credentials.json');
             await writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
             logs = [];
@@ -1306,7 +1354,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should make service without family usable with auth set and curl', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             // Register the service without family
             await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
@@ -1328,7 +1376,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should reject browser login for service without family', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
             logs = [];
@@ -1340,7 +1388,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should reject set-nocurl for service without family', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
             logs = [];
@@ -1352,7 +1400,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should make registered service usable with curl', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             // Register the service
             await runCommand([
@@ -1384,7 +1432,7 @@ describe('CLI commands with dependency injection', () => {
     describe('services deregister command', () => {
         it('should deregister a registered service', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             // Register a service first
             await runCommand([
@@ -1404,7 +1452,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should remove service from config.json', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             await runCommand([
                 'services',
@@ -1435,7 +1483,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should reject deregistering when credentials still exist', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             // Register a service
             await runCommand([
@@ -1468,7 +1516,7 @@ describe('CLI commands with dependency injection', () => {
         });
         it('should allow deregistering after credentials are cleared', async () => {
             const deps = createMockDependencies({
-                registry: new Registry([GITLAB]),
+                registry: new ServiceRegistry([GITLAB]),
             });
             // Register
             await runCommand([
@@ -1501,6 +1549,143 @@ describe('CLI commands with dependency injection', () => {
             expect(logs).toContain("Service 'my-gitlab' deregistered.");
         });
     });
+    describe('gateway mode (LATCHKEY_GATEWAY)', () => {
+        const GATEWAY_URL = 'http://localhost:9000';
+        const originalFetch = globalThis.fetch;
+        afterEach(() => {
+            globalThis.fetch = originalFetch;
+        });
+        function makeFetchMock(response) {
+            const fetchMock = vi.fn().mockResolvedValue(response);
+            globalThis.fetch = fetchMock;
+            return fetchMock;
+        }
+        it('forwards `services list` to the gateway /latchkey endpoint', async () => {
+            const fetchMock = makeFetchMock(new Response(JSON.stringify({ result: ['slack', 'github'] }), { status: 200 }));
+            const deps = createMockDependencies({
+                config: createMockConfig({ gatewayUrl: GATEWAY_URL }),
+            });
+            await runCommand(['services', 'list', '--builtin'], deps);
+            expect(fetchMock).toHaveBeenCalledTimes(1);
+            const [url, init] = fetchMock.mock.calls[0];
+            expect(url).toBe(`${GATEWAY_URL}/latchkey`);
+            expect(init.method).toBe('POST');
+            expect(JSON.parse(init.body)).toEqual({
+                command: 'services list',
+                params: { builtin: true },
+            });
+            expect(logs).toHaveLength(1);
+            expect(JSON.parse(logs[0] ?? '')).toEqual(['slack', 'github']);
+        });
+        it('forwards `services info` to the gateway /latchkey endpoint', async () => {
+            const fetchMock = makeFetchMock(new Response(JSON.stringify({ result: { type: 'built-in' } }), { status: 200 }));
+            const deps = createMockDependencies({
+                config: createMockConfig({ gatewayUrl: GATEWAY_URL }),
+            });
+            await runCommand(['services', 'info', 'slack'], deps);
+            expect(fetchMock).toHaveBeenCalledTimes(1);
+            const [, init] = fetchMock.mock.calls[0];
+            expect(JSON.parse(init.body)).toEqual({
+                command: 'services info',
+                params: { serviceName: 'slack' },
+            });
+        });
+        it('forwards `auth list` to the gateway /latchkey endpoint', async () => {
+            const fetchMock = makeFetchMock(new Response(JSON.stringify({ result: { slack: { credentialType: 'slack' } } }), {
+                status: 200,
+            }));
+            const deps = createMockDependencies({
+                config: createMockConfig({ gatewayUrl: GATEWAY_URL }),
+            });
+            await runCommand(['auth', 'list'], deps);
+            const [, init] = fetchMock.mock.calls[0];
+            expect(JSON.parse(init.body)).toEqual({ command: 'auth list' });
+            expect(JSON.parse(logs[0] ?? '')).toEqual({
+                slack: { credentialType: 'slack' },
+            });
+        });
+        it('forwards `auth browser` to the gateway /latchkey endpoint', async () => {
+            const fetchMock = makeFetchMock(new Response(JSON.stringify({ result: null }), { status: 200 }));
+            const deps = createMockDependencies({
+                config: createMockConfig({ gatewayUrl: GATEWAY_URL }),
+            });
+            await runCommand(['auth', 'browser', 'slack'], deps);
+            const [, init] = fetchMock.mock.calls[0];
+            expect(JSON.parse(init.body)).toEqual({
+                command: 'auth browser',
+                params: { serviceName: 'slack' },
+            });
+            expect(logs).toContain('Done');
+        });
+        it('forwards `auth browser-prepare` and reports `Already prepared.` when the gateway says so', async () => {
+            makeFetchMock(new Response(JSON.stringify({ result: { alreadyPrepared: true } }), { status: 200 }));
+            const deps = createMockDependencies({
+                config: createMockConfig({ gatewayUrl: GATEWAY_URL }),
+            });
+            await runCommand(['auth', 'browser-prepare', 'slack'], deps);
+            expect(logs).toContain('Already prepared.');
+        });
+        it.each([
+            ['services list', ['services', 'list']],
+            ['services info', ['services', 'info', 'foo']],
+            ['auth list', ['auth', 'list']],
+            ['auth browser', ['auth', 'browser', 'slack']],
+            ['auth browser-prepare', ['auth', 'browser-prepare', 'slack']],
+        ])('reports gateway errors on stderr (not stdout) for `%s`', async (_name, argv) => {
+            makeFetchMock(new Response(JSON.stringify({ error: 'Unknown service: foo.' }), { status: 400 }));
+            const deps = createMockDependencies({
+                config: createMockConfig({ gatewayUrl: GATEWAY_URL }),
+            });
+            await runCommand(argv, deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs.some((message) => message.includes('Unknown service: foo.'))).toBe(true);
+            // The error message must never be printed to stdout — that would
+            // interleave into JSON output consumed by callers.
+            expect(logs.join('\n')).not.toContain('Unknown service: foo.');
+            expect(logs).toEqual([]);
+        });
+        it('rewrites the curl target URL to the gateway /gateway endpoint', async () => {
+            const fetchMock = vi.fn();
+            globalThis.fetch = fetchMock;
+            const deps = createMockDependencies({
+                config: createMockConfig({ gatewayUrl: GATEWAY_URL }),
+            });
+            await runCommand(['curl', '-X', 'GET', 'https://slack.com/api/auth.test'], deps);
+            expect(fetchMock).not.toHaveBeenCalled();
+            expect(capturedArgs).toEqual([
+                '-X',
+                'GET',
+                `${GATEWAY_URL}/gateway/https://slack.com/api/auth.test`,
+            ]);
+        });
+        it('errors when `latchkey curl` has no URL to rewrite', async () => {
+            const deps = createMockDependencies({
+                config: createMockConfig({ gatewayUrl: GATEWAY_URL }),
+            });
+            await runCommand(['curl', '-X', 'GET'], deps);
+            expect(exitCode).toBe(1);
+            expect(capturedArgs).toEqual([]);
+        });
+        it.each([
+            [
+                'services register',
+                ['services', 'register', 'my-gitlab', '--base-api-url', 'https://gitlab.example.com'],
+            ],
+            ['services deregister', ['services', 'deregister', 'my-gitlab']],
+            ['auth clear', ['auth', 'clear', 'slack']],
+            ['auth set', ['auth', 'set', 'slack', '-H', 'Authorization: Bearer xoxb-test']],
+            ['auth set-nocurl', ['auth', 'set-nocurl', 'slack', 'x']],
+            ['gateway', ['gateway']],
+            ['ensure-browser', ['ensure-browser']],
+        ])('refuses to run `%s` in gateway mode', async (_name, argv) => {
+            const deps = createMockDependencies({
+                config: createMockConfig({ gatewayUrl: GATEWAY_URL }),
+            });
+            await runCommand(argv, deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs.some((message) => message.includes('LATCHKEY_GATEWAY'))).toBe(true);
+        });
+    });
 });
 describe('registeredServiceStore', () => {
     let tempDir;
@@ -1545,8 +1730,8 @@ describe('registeredServiceStore', () => {
             baseApiUrl: 'https://gitlab.mycompany.com/api/',
             serviceFamily: 'gitlab',
         });
-        const registry = new Registry([GITLAB]);
-        loadRegisteredServicesIntoRegistry(configPath, registry);
+        const registry = new ServiceRegistry([GITLAB]);
+        loadRegisteredServicesIntoServiceRegistry(configPath, registry);
         const service = registry.getByName('my-gitlab');
         expect(service).not.toBeNull();
         expect(service.baseApiUrls).toEqual(['https://gitlab.mycompany.com/api/']);
@@ -1558,8 +1743,8 @@ describe('registeredServiceStore', () => {
             serviceFamily: 'gitlab',
             loginUrl: 'https://gitlab.mycompany.com/users/sign_in',
         });
-        const registry = new Registry([GITLAB]);
-        loadRegisteredServicesIntoRegistry(configPath, registry);
+        const registry = new ServiceRegistry([GITLAB]);
+        loadRegisteredServicesIntoServiceRegistry(configPath, registry);
         const service = registry.getByName('my-gitlab');
         expect(service).not.toBeNull();
         expect(service.loginUrl).toBe('https://gitlab.mycompany.com/users/sign_in');
@@ -1569,8 +1754,8 @@ describe('registeredServiceStore', () => {
         saveRegisteredService(configPath, 'my-api', {
             baseApiUrl: 'https://api.example.com/',
         });
-        const registry = new Registry([GITLAB]);
-        loadRegisteredServicesIntoRegistry(configPath, registry);
+        const registry = new ServiceRegistry([GITLAB]);
+        loadRegisteredServicesIntoServiceRegistry(configPath, registry);
         const service = registry.getByName('my-api');
         expect(service).not.toBeNull();
         expect(service.baseApiUrls).toEqual(['https://api.example.com/']);
@@ -1583,8 +1768,8 @@ describe('registeredServiceStore', () => {
             baseApiUrl: 'https://unknown.example.com/api/',
             serviceFamily: 'nonexistent',
         });
-        const registry = new Registry([GITLAB]);
-        loadRegisteredServicesIntoRegistry(configPath, registry);
+        const registry = new ServiceRegistry([GITLAB]);
+        loadRegisteredServicesIntoServiceRegistry(configPath, registry);
         expect(registry.getByName('my-unknown')).toBeNull();
     });
     it('should delete a registered service from config', () => {