feat: Add intelligent auto-router and enhanced integrations

- Add intelligent-router.sh hook for automatic agent routing
- Add AUTO-TRIGGER-SUMMARY.md documentation
- Add FINAL-INTEGRATION-SUMMARY.md documentation
- Complete Prometheus integration (6 commands + 4 tools)
- Complete Dexto integration (12 commands + 5 tools)
- Enhanced Ralph with access to all agents
- Fix /clawd command (removed disable-model-invocation)
- Update hooks.json to v5 with intelligent routing
- 291 total skills now available
- All 21 commands with automatic routing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

dexto/packages/server/SECURITY.md

@@ -0,0 +1,225 @@
+# Dexto Server Security
+
+## 🔒 Authentication Overview
+
+The Dexto server implements **API key authentication** to protect against unauthorized access.
+
+## Configuration
+
+### Environment Variables
+
+```bash
+# Required for production security
+DEXTO_SERVER_API_KEY=your-secret-api-key-here
+
+# Optional: Enable production mode (requires API key)
+NODE_ENV=production
+
+# Optional: Explicitly require auth even in development
+DEXTO_SERVER_REQUIRE_AUTH=true
+```
+
+### Security Modes
+
+| Mode | Environment | Auth Required | Notes |
+|------|-------------|---------------|-------|
+| **Development (default)** | No env vars | ❌ No | Default mode - safe for local dev |
+| **Production** | `NODE_ENV=production` + `DEXTO_SERVER_API_KEY` | ✅ Yes | Requires API key authentication |
+| **Explicit Auth** | `DEXTO_SERVER_REQUIRE_AUTH=true` + `DEXTO_SERVER_API_KEY` | ✅ Yes | Force auth in any environment |
+
+## Usage
+
+### Client Authentication
+
+**HTTP Requests:**
+```bash
+curl -H "Authorization: Bearer your-api-key" \
+     http://localhost:3000/api/llm/current
+```
+
+**JavaScript Fetch:**
+```javascript
+fetch('http://localhost:3000/api/message', {
+  method: 'POST',
+  headers: {
+    'Authorization': 'Bearer your-api-key',
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify({ message: 'Hello' })
+});
+```
+
+### Public Routes (No Auth Required)
+
+These routes are always accessible:
+- `GET /health` - Health check
+- `GET /.well-known/agent-card.json` - A2A agent discovery
+- `GET /openapi.json` - API documentation
+
+## Security Best Practices
+
+### ✅ DO:
+
+1. **Set DEXTO_SERVER_API_KEY in production**
+   ```bash
+   export DEXTO_SERVER_API_KEY=$(openssl rand -base64 32)
+   ```
+
+2. **Use HTTPS in production**
+   - Deploy behind reverse proxy (nginx, Caddy, Cloudflare)
+   - Never send API keys over unencrypted HTTP
+
+3. **Rotate API keys regularly**
+   ```bash
+   # Generate new key
+   NEW_KEY=$(openssl rand -base64 32)
+   # Update environment variable
+   export DEXTO_SERVER_API_KEY=$NEW_KEY
+   # Restart server
+   ```
+
+4. **Use environment-specific keys**
+   - Different keys for dev/staging/production
+   - Never commit keys to version control
+
+5. **Monitor unauthorized access attempts**
+   - Check logs for "Unauthorized API access attempt" warnings
+   - Set up alerts for repeated failures
+
+### ❌ DON'T:
+
+1. **Don't use weak or guessable API keys**
+   - ❌ `DEXTO_SERVER_API_KEY=password123`
+   - ❌ `DEXTO_SERVER_API_KEY=dexto`
+   - ✅ `DEXTO_SERVER_API_KEY=$(openssl rand -base64 32)`
+
+2. **Don't expose API keys in client-side code**
+   ```javascript
+   // ❌ NEVER DO THIS
+   const apiKey = 'sk-abc123...';
+   fetch('/api/message', { headers: { 'Authorization': `Bearer ${apiKey}` }});
+   ```
+
+3. **Don't set DEXTO_SERVER_REQUIRE_AUTH=false in production**
+   - Only use for testing on isolated networks
+
+4. **Don't share API keys across environments**
+   - Each environment should have its own key
+
+## Development Workflow
+
+### Local Development (No Auth)
+
+```bash
+# Start server in development mode
+NODE_ENV=development npm start
+
+# Access from browser without auth
+curl http://localhost:3000/api/llm/current
+```
+
+### Production Deployment
+
+```bash
+# Generate secure API key
+export DEXTO_SERVER_API_KEY=$(openssl rand -base64 32)
+
+# Start server in production mode
+NODE_ENV=production npm start
+
+# All requests now require authentication
+curl -H "Authorization: Bearer $DEXTO_SERVER_API_KEY" \
+     https://api.example.com/api/llm/current
+```
+
+## Threat Model
+
+### Protected Against:
+
+- ✅ Unauthorized API access
+- ✅ Unauthorized message sending
+- ✅ Unauthorized configuration changes
+- ✅ Unauthorized session/memory access
+- ✅ Brute force attacks (when combined with rate limiting)
+
+### Not Protected Against (Additional Measures Needed):
+
+- ⚠️ DDoS attacks → Add rate limiting middleware
+- ⚠️ API key leakage → Use secrets management (Vault, AWS Secrets Manager)
+- ⚠️ Man-in-the-middle → Use HTTPS/TLS
+- ⚠️ Insider threats → Implement audit logging
+
+## Additional Security Layers (Recommended)
+
+### 1. Rate Limiting
+
+```typescript
+import { rateLimiter } from 'hono-rate-limiter';
+
+app.use('*', rateLimiter({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 requests per windowMs
+}));
+```
+
+### 2. IP Whitelisting
+
+```bash
+# Add to your reverse proxy (nginx example)
+location /api {
+  allow 10.0.0.0/8;
+  deny all;
+  proxy_pass http://localhost:3000;
+}
+```
+
+### 3. Network Isolation
+
+- Deploy API server on private network
+- Use VPN or private networking for access
+- Firewall rules to restrict incoming connections
+
+## Logging and Monitoring
+
+The server logs authentication events:
+
+```log
+# Successful auth (debug level)
+Authorization successful for /api/llm/current
+
+# Failed auth (warning level)
+⚠️ Unauthorized API access attempt
+  path: /api/message
+  hasKey: false
+  origin: https://malicious.com
+  userAgent: curl/7.81.0
+```
+
+Set up monitoring for:
+- Repeated 401 responses
+- Unusual access patterns
+- Requests from unexpected IPs/origins
+
+## FAQ
+
+**Q: Can I use the API without authentication in development?**
+A: Yes, set `NODE_ENV=development` and access from localhost.
+
+**Q: How do I generate a secure API key?**
+A: Use `openssl rand -base64 32` or a password manager.
+
+**Q: Can I use multiple API keys?**
+A: Currently no. For multi-tenant scenarios, implement token-based auth with JWT.
+
+**Q: What if my API key is compromised?**
+A: Generate a new key immediately and update all clients.
+
+**Q: Does SSE need authentication too?**
+A: Yes, pass `Authorization: Bearer <key>` header when connecting to the event stream.
+
+**Q: Can I disable auth for specific routes?**
+A: Public routes (/health, /.well-known/agent-card.json) are always accessible. To add more, modify `PUBLIC_ROUTES` in `middleware/auth.ts`.
+
+## Contact
+
+For security concerns or to report vulnerabilities, contact: security@dexto.dev