feat(#249): Custom REST API endpoints backend foundation

README.md

@@ -85,3 +85,4 @@ Configure your agent with the base URL and API key. Agents can use REST or MCP.
 ## License
 
 ISC
+

package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgate",
-  "version": "0.12.2",
+  "version": "0.16.0",
   "type": "module",
   "description": "API gateway for AI agents with human-in-the-loop write approval",
   "main": "src/index.js",
@@ -12,7 +12,8 @@
   },
   "files": [
     "src/",
-    "public/"
+    "public/",
+    "views/"
   ],
   "repository": {
     "type": "git",
@@ -61,8 +62,10 @@
     "ejs": "^3.1.10"
   },
   "devDependencies": {
+    "@eslint/js": "^9.0.0",
     "eslint": "^9.0.0",
     "jest": "^29.7.0",
     "supertest": "^7.0.0"
   }
 }
+

src/index.js

@@ -31,6 +31,7 @@ import { setupHumanChannelProxy, setAdminTokenValidator } from './routes/channel
 import { setupAgentChannelProxy } from './routes/channel-agent.js';
 import { validateAdminChatToken } from './routes/ui/keys.js';
 import llmRoutes from './routes/llm.js';
+import customProxyRoutes from './routes/custom-proxy.js';
 import { createMCPPostHandler, createMCPGetHandler, createMCPDeleteHandler } from './routes/mcp.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -100,6 +101,9 @@ app.use('/api/agents/memento', apiKeyAuth, (req, res, next) => {
 // LLM proxy - require auth, no read-only enforcement (POST for completions)
 app.use('/api/llm', apiKeyAuth, llmRoutes);
 
+// Custom service proxy - require auth
+app.use('/api/custom', apiKeyAuth, customProxyRoutes);
+
 // MCP server - Streamable HTTP transport (requires auth)
 // POST handles initialization + messages, GET opens optional SSE stream, DELETE terminates session
 app.post('/mcp', apiKeyAuth, createMCPPostHandler());

src/lib/credentials.js

@@ -0,0 +1,62 @@
+// Credential encryption utilities for custom service accounts (#283)
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32;
+const IV_LENGTH = 16;
+const TAG_LENGTH = 16;
+const SALT = 'agentgate-credentials-v1'; // Static salt; key uniqueness comes from the secret
+
+let _cachedKey = null;
+
+function getEncryptionKey() {
+  if (_cachedKey) return _cachedKey;
+  const secret = process.env.CREDENTIALS_SECRET || process.env.AGENTGATE_SECRET;
+  if (!secret) {
+    throw new Error('CREDENTIALS_SECRET or AGENTGATE_SECRET environment variable must be set to use credential encryption');
+  }
+  _cachedKey = scryptSync(secret, SALT, KEY_LENGTH);
+  return _cachedKey;
+}
+
+/**
+ * Encrypt a plaintext string. Returns a hex-encoded string: iv + tag + ciphertext.
+ */
+export function encrypt(plaintext) {
+  const key = getEncryptionKey();
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  // Pack as: iv (16) + tag (16) + ciphertext
+  return Buffer.concat([iv, tag, encrypted]).toString('hex');
+}
+
+/**
+ * Decrypt a hex-encoded string produced by encrypt().
+ * Returns the original plaintext.
+ */
+export function decrypt(hexString) {
+  const key = getEncryptionKey();
+  const data = Buffer.from(hexString, 'hex');
+  const iv = data.subarray(0, IV_LENGTH);
+  const tag = data.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
+  const ciphertext = data.subarray(IV_LENGTH + TAG_LENGTH);
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(ciphertext) + decipher.final('utf8');
+}
+
+/**
+ * Encrypt a credentials object (JSON-serializes then encrypts).
+ */
+export function encryptCredentials(credentials) {
+  return encrypt(JSON.stringify(credentials));
+}
+
+/**
+ * Decrypt a credentials string back to an object.
+ */
+export function decryptCredentials(encryptedHex) {
+  return JSON.parse(decrypt(encryptedHex));
+}