@agentproto/secrets 0.1.0-alpha.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,486 @@
1
+ import { signTranscript, identityFingerprint, verifyTranscript } from '../chunk-2DL6W33G.mjs';
2
+ import { seal, unseal, SealError } from '../chunk-MVHOJPML.mjs';
3
+ import { generateKeyPairSync, diffieHellman, hkdfSync, createPublicKey, createHash, createPrivateKey, createHmac, timingSafeEqual } from 'crypto';
4
+
5
+ /**
6
+ * @agentproto/secrets v0.1.0-alpha
7
+ * AIP-19 SECRETS.md `defineSecrets` reference implementation.
8
+ */
9
+ var PAIR_VERSION = 1;
10
+ var HKDF_INFO = "agentproto/pair/v1";
11
+ var KEY_LEN = 32;
12
+ var PairingError = class extends Error {
13
+ code;
14
+ constructor(code, message) {
15
+ super(message);
16
+ this.name = "PairingError";
17
+ this.code = code;
18
+ }
19
+ };
20
+ function x25519PublicKey(b64Der, what) {
21
+ try {
22
+ return createPublicKey({
23
+ key: Buffer.from(b64Der, "base64"),
24
+ format: "der",
25
+ type: "spki"
26
+ });
27
+ } catch {
28
+ throw new PairingError("invalid_key", `invalid ${what} X25519 public key`);
29
+ }
30
+ }
31
+ function x25519PrivateKey(b64Der, what) {
32
+ try {
33
+ return createPrivateKey({
34
+ key: Buffer.from(b64Der, "base64"),
35
+ format: "der",
36
+ type: "pkcs8"
37
+ });
38
+ } catch {
39
+ throw new PairingError("invalid_key", `invalid ${what} X25519 private key`);
40
+ }
41
+ }
42
+ function transcriptHash(ePubB64, ct0, dePubB64) {
43
+ return createHash("sha256").update(Buffer.from(ePubB64, "base64")).update(Buffer.from(ct0, "utf8")).update(Buffer.from(dePubB64, "base64")).digest();
44
+ }
45
+ function deriveDirectionKeys(ecdhEphemeral, ecdhStatic, transcript) {
46
+ const ikm = Buffer.concat([ecdhEphemeral, ecdhStatic]);
47
+ const okm = Buffer.from(hkdfSync("sha256", ikm, transcript, HKDF_INFO, KEY_LEN * 2));
48
+ return {
49
+ kc2d: okm.subarray(0, KEY_LEN),
50
+ kd2c: okm.subarray(KEY_LEN, KEY_LEN * 2)
51
+ };
52
+ }
53
+ function startClientHandshake(params) {
54
+ const daemonStatic = x25519PublicKey(params.daemonX25519Pub, "daemon");
55
+ const ephemeral = generateKeyPairSync("x25519");
56
+ const ePubB64 = ephemeral.publicKey.export({ type: "spki", format: "der" }).toString("base64");
57
+ const payload = {
58
+ clientPub: ePubB64,
59
+ clientName: params.clientName,
60
+ offerToken: params.offerToken
61
+ };
62
+ const ct0 = seal(JSON.stringify(payload), params.daemonX25519Pub);
63
+ const hello = { v: PAIR_VERSION, ePub: ePubB64, ct0 };
64
+ const complete = (reply) => {
65
+ if (reply.v !== PAIR_VERSION) {
66
+ throw new PairingError("malformed_reply", `unsupported reply version ${reply.v}`);
67
+ }
68
+ const dePub = x25519PublicKey(reply.dePub, "daemon ephemeral");
69
+ const transcript = transcriptHash(ePubB64, ct0, reply.dePub);
70
+ if (!verifyTranscript(params.daemonEd25519Pub, transcript, reply.sig)) {
71
+ throw new PairingError(
72
+ "bad_signature",
73
+ "daemon transcript signature did not verify against the offered key"
74
+ );
75
+ }
76
+ const ecdhEphemeral = diffieHellman({ privateKey: ephemeral.privateKey, publicKey: dePub });
77
+ const ecdhStatic = diffieHellman({ privateKey: ephemeral.privateKey, publicKey: daemonStatic });
78
+ const { kc2d, kd2c } = deriveDirectionKeys(ecdhEphemeral, ecdhStatic, transcript);
79
+ return {
80
+ sendKey: kc2d,
81
+ recvKey: kd2c,
82
+ peerFingerprint: identityFingerprint(params.daemonX25519Pub),
83
+ transcriptHash: transcript,
84
+ clientName: params.clientName
85
+ };
86
+ };
87
+ return { hello, complete };
88
+ }
89
+ function respondToHandshake(hello, params) {
90
+ if (hello.v !== PAIR_VERSION) {
91
+ throw new PairingError("malformed_hello", `unsupported hello version ${hello.v}`);
92
+ }
93
+ const clientEphemeral = x25519PublicKey(hello.ePub, "client ephemeral");
94
+ let payloadJson;
95
+ try {
96
+ payloadJson = unseal(hello.ct0, params.identity.x25519.priv);
97
+ } catch (err) {
98
+ if (err instanceof SealError) {
99
+ throw new PairingError(
100
+ "unseal_failed",
101
+ "could not open sealed hello \u2014 wrong daemon key or tampered ct\u2080"
102
+ );
103
+ }
104
+ throw err;
105
+ }
106
+ const payload = parseHelloPayload(payloadJson);
107
+ if (payload.clientPub !== hello.ePub) {
108
+ throw new PairingError(
109
+ "ephemeral_mismatch",
110
+ "sealed clientPub does not match the hello ephemeral key"
111
+ );
112
+ }
113
+ if (!params.verifyOfferToken(payload.offerToken)) {
114
+ throw new PairingError("offer_rejected", "offer token was rejected (unknown, expired, or spent)");
115
+ }
116
+ const daemonEphemeral = generateKeyPairSync("x25519");
117
+ const dePubB64 = daemonEphemeral.publicKey.export({ type: "spki", format: "der" }).toString("base64");
118
+ const transcript = transcriptHash(hello.ePub, hello.ct0, dePubB64);
119
+ const sig = signTranscript(params.identity.ed25519.priv, transcript);
120
+ const daemonStaticPriv = x25519PrivateKey(params.identity.x25519.priv, "daemon static");
121
+ const ecdhEphemeral = diffieHellman({ privateKey: daemonEphemeral.privateKey, publicKey: clientEphemeral });
122
+ const ecdhStatic = diffieHellman({ privateKey: daemonStaticPriv, publicKey: clientEphemeral });
123
+ const { kc2d, kd2c } = deriveDirectionKeys(ecdhEphemeral, ecdhStatic, transcript);
124
+ return {
125
+ reply: { v: PAIR_VERSION, dePub: dePubB64, sig },
126
+ session: {
127
+ // Daemon sends on c2d's counterpart: it RECEIVES client→daemon (kc2d)
128
+ // and SENDS daemon→client (kd2c).
129
+ sendKey: kd2c,
130
+ recvKey: kc2d,
131
+ peerFingerprint: identityFingerprint(payload.clientPub),
132
+ transcriptHash: transcript,
133
+ clientName: payload.clientName
134
+ }
135
+ };
136
+ }
137
+ function isRecord(v) {
138
+ return typeof v === "object" && v !== null;
139
+ }
140
+ function parseHelloPayload(json) {
141
+ let parsed;
142
+ try {
143
+ parsed = JSON.parse(json);
144
+ } catch {
145
+ throw new PairingError("malformed_hello", "sealed hello payload was not valid JSON");
146
+ }
147
+ if (!isRecord(parsed) || typeof parsed["clientPub"] !== "string" || typeof parsed["clientName"] !== "string" || typeof parsed["offerToken"] !== "string") {
148
+ throw new PairingError("malformed_hello", "sealed hello payload is missing required fields");
149
+ }
150
+ return {
151
+ clientPub: parsed["clientPub"],
152
+ clientName: parsed["clientName"],
153
+ offerToken: parsed["offerToken"]
154
+ };
155
+ }
156
+ function encodePairingMessage(message) {
157
+ return Buffer.from(JSON.stringify(message), "utf8");
158
+ }
159
+ function decodePairingHello(bytes) {
160
+ const parsed = parseJson(bytes, "malformed_hello");
161
+ if (!isRecord(parsed) || parsed["v"] !== PAIR_VERSION || typeof parsed["ePub"] !== "string" || typeof parsed["ct0"] !== "string") {
162
+ throw new PairingError("malformed_hello", "hello message is malformed");
163
+ }
164
+ return { v: PAIR_VERSION, ePub: parsed["ePub"], ct0: parsed["ct0"] };
165
+ }
166
+ function decodePairingReply(bytes) {
167
+ const parsed = parseJson(bytes, "malformed_reply");
168
+ if (!isRecord(parsed) || parsed["v"] !== PAIR_VERSION || typeof parsed["dePub"] !== "string" || typeof parsed["sig"] !== "string") {
169
+ throw new PairingError("malformed_reply", "reply message is malformed");
170
+ }
171
+ return { v: PAIR_VERSION, dePub: parsed["dePub"], sig: parsed["sig"] };
172
+ }
173
+ function parseJson(bytes, code) {
174
+ try {
175
+ return JSON.parse(Buffer.from(bytes).toString("utf8"));
176
+ } catch {
177
+ throw new PairingError(code, "message was not valid JSON (truncated or corrupt)");
178
+ }
179
+ }
180
+
181
+ // src/pairing/offer-url.ts
182
+ var OFFER_URL_SCHEME = "agentproto:";
183
+ var OFFER_URL_HOST = "pair";
184
+ var OFFER_VERSION = 1;
185
+ function b64ToB64url(b64) {
186
+ return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
187
+ }
188
+ function b64urlToB64(b64url2) {
189
+ const replaced = b64url2.replace(/-/g, "+").replace(/_/g, "/");
190
+ const pad = replaced.length % 4;
191
+ return pad === 0 ? replaced : replaced + "=".repeat(4 - pad);
192
+ }
193
+ function isB64url(s) {
194
+ return s.length > 0 && /^[A-Za-z0-9_-]+$/.test(s);
195
+ }
196
+ function encodeOfferUrl(offer) {
197
+ const params = new URLSearchParams();
198
+ params.set("v", String(OFFER_VERSION));
199
+ params.set("rv", offer.rendezvousUrl);
200
+ params.set("id", offer.fingerprint);
201
+ params.set("pk", b64ToB64url(offer.daemonX25519Pub));
202
+ params.set("sk", b64ToB64url(offer.daemonEd25519Pub));
203
+ params.set("t", offer.token);
204
+ params.set("exp", String(offer.exp));
205
+ return `${OFFER_URL_SCHEME}//${OFFER_URL_HOST}?${params.toString()}`;
206
+ }
207
+ function parseOfferUrl(url, opts = {}) {
208
+ let parsed;
209
+ try {
210
+ parsed = new URL(url);
211
+ } catch {
212
+ throw new PairingError("malformed_offer", "offer is not a valid URL");
213
+ }
214
+ if (parsed.protocol !== OFFER_URL_SCHEME) {
215
+ throw new PairingError(
216
+ "malformed_offer",
217
+ `offer scheme must be "${OFFER_URL_SCHEME}//" (got "${parsed.protocol}//")`
218
+ );
219
+ }
220
+ const host = parsed.host || parsed.pathname.replace(/^\/+/, "");
221
+ if (host !== OFFER_URL_HOST) {
222
+ throw new PairingError("malformed_offer", `offer host must be "${OFFER_URL_HOST}"`);
223
+ }
224
+ const q = parsed.searchParams;
225
+ const v = q.get("v");
226
+ if (v !== String(OFFER_VERSION)) {
227
+ throw new PairingError("malformed_offer", `unsupported offer version "${v ?? "(absent)"}"`);
228
+ }
229
+ const rendezvousUrl = req(q, "rv");
230
+ let rvParsed;
231
+ try {
232
+ rvParsed = new URL(rendezvousUrl);
233
+ } catch {
234
+ throw new PairingError("malformed_offer", "offer `rv` is not a valid URL");
235
+ }
236
+ if (rvParsed.protocol !== "ws:" && rvParsed.protocol !== "wss:") {
237
+ throw new PairingError("malformed_offer", "offer `rv` must be a ws:// or wss:// URL");
238
+ }
239
+ const fingerprint = req(q, "id");
240
+ if (!/^[0-9a-f]{16}$/.test(fingerprint)) {
241
+ throw new PairingError("malformed_offer", "offer `id` is not a 16-hex fingerprint");
242
+ }
243
+ const pkUrl = req(q, "pk");
244
+ const skUrl = req(q, "sk");
245
+ if (!isB64url(pkUrl) || !isB64url(skUrl)) {
246
+ throw new PairingError("malformed_offer", "offer `pk`/`sk` must be base64url");
247
+ }
248
+ const daemonX25519Pub = b64urlToB64(pkUrl);
249
+ const daemonEd25519Pub = b64urlToB64(skUrl);
250
+ const token = req(q, "t");
251
+ if (!isB64url(token)) {
252
+ throw new PairingError("malformed_offer", "offer `t` (token) must be base64url");
253
+ }
254
+ const expRaw = req(q, "exp");
255
+ const exp = Number(expRaw);
256
+ if (!Number.isInteger(exp) || exp <= 0) {
257
+ throw new PairingError("malformed_offer", "offer `exp` is not a positive unix timestamp");
258
+ }
259
+ if (identityFingerprint(daemonX25519Pub) !== fingerprint) {
260
+ throw new PairingError(
261
+ "malformed_offer",
262
+ "offer `id` does not match fingerprint(pk) \u2014 tampered or corrupt offer"
263
+ );
264
+ }
265
+ if (opts.now !== void 0 && exp * 1e3 <= opts.now) {
266
+ throw new PairingError("offer_expired", "offer has expired");
267
+ }
268
+ return {
269
+ v: OFFER_VERSION,
270
+ rendezvousUrl,
271
+ fingerprint,
272
+ daemonX25519Pub,
273
+ daemonEd25519Pub,
274
+ token,
275
+ exp
276
+ };
277
+ }
278
+ function req(q, key) {
279
+ const v = q.get(key);
280
+ if (v === null || v === "") {
281
+ throw new PairingError("malformed_offer", `offer is missing required param "${key}"`);
282
+ }
283
+ return v;
284
+ }
285
+
286
+ // src/pairing/rendezvous.ts
287
+ var HOSTED_RENDEZVOUS_URL = "wss://rdv.agentproto.sh/v1";
288
+ var PAIR_ROOT_INFO = "agentproto/pair-root";
289
+ var RV_ROUTE_INFO_PREFIX = "agentproto/rv-route";
290
+ var RV_ROUTE_SALT = "agentproto/rv-route-salt";
291
+ var ROUTE_TOKEN_LEN = 16;
292
+ var PAIR_ROOT_LEN = 32;
293
+ var MS_PER_DAY = 864e5;
294
+ function toBuf(u8) {
295
+ return Buffer.isBuffer(u8) ? u8 : Buffer.from(u8);
296
+ }
297
+ function b64url(bytes) {
298
+ return bytes.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
299
+ }
300
+ function derivePairRoot(session) {
301
+ const k1 = toBuf(session.sendKey);
302
+ const k2 = toBuf(session.recvKey);
303
+ const [lo, hi] = Buffer.compare(k1, k2) <= 0 ? [k1, k2] : [k2, k1];
304
+ const ikm = Buffer.concat([lo, hi]);
305
+ const okm = hkdfSync("sha256", ikm, toBuf(session.transcriptHash), PAIR_ROOT_INFO, PAIR_ROOT_LEN);
306
+ return Buffer.from(okm).toString("base64");
307
+ }
308
+ function currentEpoch(now = Date.now()) {
309
+ return Math.floor(now / MS_PER_DAY);
310
+ }
311
+ function deriveEpochRoutingToken(pairRoot, epoch) {
312
+ const ikm = Buffer.from(pairRoot, "base64");
313
+ const epochBytes = Buffer.alloc(8);
314
+ epochBytes.writeBigUInt64BE(BigInt(epoch));
315
+ const info = Buffer.concat([Buffer.from(RV_ROUTE_INFO_PREFIX, "utf8"), epochBytes]);
316
+ const okm = hkdfSync("sha256", ikm, Buffer.from(RV_ROUTE_SALT, "utf8"), info, ROUTE_TOKEN_LEN);
317
+ return b64url(Buffer.from(okm));
318
+ }
319
+ function epochRoutingTokens(pairRoot, now = Date.now()) {
320
+ const epoch = currentEpoch(now);
321
+ return [
322
+ { epoch, token: deriveEpochRoutingToken(pairRoot, epoch) },
323
+ { epoch: epoch - 1, token: deriveEpochRoutingToken(pairRoot, epoch - 1) }
324
+ ];
325
+ }
326
+ var TUNNEL_E2E_VERSION = 1;
327
+ var SESSION_INFO = "agentproto/tunnel-e2e/v1";
328
+ var AUTH_INFO = "agentproto/tunnel-e2e/auth/v1";
329
+ var OFFER_MAC_LABEL = "offer/v1";
330
+ var ACCEPT_MAC_LABEL = "accept/v1";
331
+ var KEY_LEN2 = 32;
332
+ var AUTH_KEY_LEN = 32;
333
+ var TunnelHandshakeError = class extends Error {
334
+ code;
335
+ constructor(code, message) {
336
+ super(message);
337
+ this.name = "TunnelHandshakeError";
338
+ this.code = code;
339
+ }
340
+ };
341
+ function tokenSalt(token) {
342
+ return createHash("sha256").update(Buffer.from(token, "utf8")).digest();
343
+ }
344
+ function deriveAuthKey(token) {
345
+ return Buffer.from(
346
+ hkdfSync("sha256", Buffer.from(token, "utf8"), tokenSalt(token), AUTH_INFO, AUTH_KEY_LEN)
347
+ );
348
+ }
349
+ function computeMac(authKey, label, ...parts) {
350
+ const h = createHmac("sha256", authKey);
351
+ h.update(Buffer.from(label, "utf8"));
352
+ for (const p of parts) h.update(p);
353
+ return h.digest();
354
+ }
355
+ function macMatches(expected, receivedB64) {
356
+ let received;
357
+ try {
358
+ received = Buffer.from(receivedB64, "base64");
359
+ } catch {
360
+ return false;
361
+ }
362
+ if (received.length !== expected.length) return false;
363
+ return timingSafeEqual(received, expected);
364
+ }
365
+ function x25519PublicKey2(b64Der) {
366
+ try {
367
+ return createPublicKey({ key: Buffer.from(b64Der, "base64"), format: "der", type: "spki" });
368
+ } catch {
369
+ throw new TunnelHandshakeError("invalid_key", "peer ephemeral X25519 public key is invalid");
370
+ }
371
+ }
372
+ function transcriptHash2(ePubDRaw, ePubHRaw) {
373
+ return createHash("sha256").update(Buffer.from(SESSION_INFO, "utf8")).update(ePubDRaw).update(ePubHRaw).digest();
374
+ }
375
+ function deriveDirectionKeys2(ecdh, salt) {
376
+ const okm = Buffer.from(hkdfSync("sha256", ecdh, salt, SESSION_INFO, KEY_LEN2 * 2));
377
+ return { kd2h: okm.subarray(0, KEY_LEN2), kh2d: okm.subarray(KEY_LEN2, KEY_LEN2 * 2) };
378
+ }
379
+ function generateEphemeral() {
380
+ const kp = generateKeyPairSync("x25519");
381
+ const pubRaw = kp.publicKey.export({ type: "spki", format: "der" });
382
+ return { priv: kp.privateKey, pubB64: pubRaw.toString("base64"), pubRaw };
383
+ }
384
+ function startTunnelHandshake(token) {
385
+ const authKey = deriveAuthKey(token);
386
+ const salt = tokenSalt(token);
387
+ const eph = generateEphemeral();
388
+ const offer = {
389
+ v: TUNNEL_E2E_VERSION,
390
+ ePub: eph.pubB64,
391
+ mac: computeMac(authKey, OFFER_MAC_LABEL, eph.pubRaw).toString("base64")
392
+ };
393
+ const complete = (accept) => {
394
+ if (accept.v !== TUNNEL_E2E_VERSION) {
395
+ throw new TunnelHandshakeError(
396
+ "unsupported_version",
397
+ `unsupported accept version ${String(accept.v)}`
398
+ );
399
+ }
400
+ const hostPub = x25519PublicKey2(accept.ePub);
401
+ const hostPubRaw = Buffer.from(accept.ePub, "base64");
402
+ const expected = computeMac(authKey, ACCEPT_MAC_LABEL, eph.pubRaw, hostPubRaw);
403
+ if (!macMatches(expected, accept.mac)) {
404
+ throw new TunnelHandshakeError(
405
+ "bad_auth",
406
+ "host accept did not authenticate under the shared tunnel token"
407
+ );
408
+ }
409
+ const ecdh = diffieHellman({ privateKey: eph.priv, publicKey: hostPub });
410
+ const { kd2h, kh2d } = deriveDirectionKeys2(ecdh, salt);
411
+ return {
412
+ // Daemon SENDS daemon→host (kd2h) and RECEIVES host→daemon (kh2d).
413
+ sendKey: kd2h,
414
+ recvKey: kh2d,
415
+ transcriptHash: transcriptHash2(eph.pubRaw, hostPubRaw)
416
+ };
417
+ };
418
+ return { offer, complete };
419
+ }
420
+ function respondToTunnelHandshake(offer, token) {
421
+ if (offer.v !== TUNNEL_E2E_VERSION) {
422
+ throw new TunnelHandshakeError(
423
+ "unsupported_version",
424
+ `unsupported offer version ${String(offer.v)}`
425
+ );
426
+ }
427
+ const authKey = deriveAuthKey(token);
428
+ const salt = tokenSalt(token);
429
+ const daemonPub = x25519PublicKey2(offer.ePub);
430
+ const daemonPubRaw = Buffer.from(offer.ePub, "base64");
431
+ const expected = computeMac(authKey, OFFER_MAC_LABEL, daemonPubRaw);
432
+ if (!macMatches(expected, offer.mac)) {
433
+ throw new TunnelHandshakeError(
434
+ "bad_auth",
435
+ "daemon offer did not authenticate under the shared tunnel token"
436
+ );
437
+ }
438
+ const eph = generateEphemeral();
439
+ const accept = {
440
+ v: TUNNEL_E2E_VERSION,
441
+ ePub: eph.pubB64,
442
+ mac: computeMac(authKey, ACCEPT_MAC_LABEL, daemonPubRaw, eph.pubRaw).toString("base64")
443
+ };
444
+ const ecdh = diffieHellman({ privateKey: eph.priv, publicKey: daemonPub });
445
+ const { kd2h, kh2d } = deriveDirectionKeys2(ecdh, salt);
446
+ return {
447
+ accept,
448
+ session: {
449
+ // Host SENDS host→daemon (kh2d) and RECEIVES daemon→host (kd2h).
450
+ sendKey: kh2d,
451
+ recvKey: kd2h,
452
+ transcriptHash: transcriptHash2(daemonPubRaw, eph.pubRaw)
453
+ }
454
+ };
455
+ }
456
+ function isRecord2(v) {
457
+ return typeof v === "object" && v !== null;
458
+ }
459
+ function encodeTunnelMessage(message) {
460
+ return Buffer.from(JSON.stringify(message), "utf8");
461
+ }
462
+ function parseJson2(bytes, code) {
463
+ try {
464
+ return JSON.parse(Buffer.from(bytes).toString("utf8"));
465
+ } catch {
466
+ throw new TunnelHandshakeError(code, "message was not valid JSON (truncated or corrupt)");
467
+ }
468
+ }
469
+ function decodeTunnelOffer(bytes) {
470
+ const parsed = parseJson2(bytes, "malformed_offer");
471
+ if (!isRecord2(parsed) || parsed["v"] !== TUNNEL_E2E_VERSION || typeof parsed["ePub"] !== "string" || typeof parsed["mac"] !== "string") {
472
+ throw new TunnelHandshakeError("malformed_offer", "offer message is malformed");
473
+ }
474
+ return { v: TUNNEL_E2E_VERSION, ePub: parsed["ePub"], mac: parsed["mac"] };
475
+ }
476
+ function decodeTunnelAccept(bytes) {
477
+ const parsed = parseJson2(bytes, "malformed_accept");
478
+ if (!isRecord2(parsed) || parsed["v"] !== TUNNEL_E2E_VERSION || typeof parsed["ePub"] !== "string" || typeof parsed["mac"] !== "string") {
479
+ throw new TunnelHandshakeError("malformed_accept", "accept message is malformed");
480
+ }
481
+ return { v: TUNNEL_E2E_VERSION, ePub: parsed["ePub"], mac: parsed["mac"] };
482
+ }
483
+
484
+ export { HOSTED_RENDEZVOUS_URL, OFFER_URL_HOST, OFFER_URL_SCHEME, OFFER_VERSION, PAIR_VERSION, PairingError, TUNNEL_E2E_VERSION, TunnelHandshakeError, currentEpoch, decodePairingHello, decodePairingReply, decodeTunnelAccept, decodeTunnelOffer, deriveEpochRoutingToken, derivePairRoot, encodeOfferUrl, encodePairingMessage, encodeTunnelMessage, epochRoutingTokens, parseOfferUrl, respondToHandshake, respondToTunnelHandshake, startClientHandshake, startTunnelHandshake };
485
+ //# sourceMappingURL=index.mjs.map
486
+ //# sourceMappingURL=index.mjs.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/pairing/handshake.ts","../../src/pairing/offer-url.ts","../../src/pairing/rendezvous.ts","../../src/pairing/derive.ts","../../src/pairing/tunnel-handshake.ts"],"names":["b64url","hkdfSync","KEY_LEN","createHash","x25519PublicKey","createPublicKey","transcriptHash","deriveDirectionKeys","generateKeyPairSync","diffieHellman","isRecord","parseJson"],"mappings":";;;;;;;;AA2DO,IAAM,YAAA,GAAe;AAI5B,IAAM,SAAA,GAAY,oBAAA;AAGlB,IAAM,OAAA,GAAU,EAAA;AAkBT,IAAM,YAAA,GAAN,cAA2B,KAAA,CAAM;AAAA,EAC7B,IAAA;AAAA,EACT,WAAA,CAAY,MAAwB,OAAA,EAAiB;AACnD,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AA4DA,SAAS,eAAA,CAAgB,QAAgB,IAAA,EAAyB;AAChE,EAAA,IAAI;AACF,IAAA,OAAO,eAAA,CAAgB;AAAA,MACrB,GAAA,EAAK,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA;AAAA,MACjC,MAAA,EAAQ,KAAA;AAAA,MACR,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,YAAA,CAAa,aAAA,EAAe,CAAA,QAAA,EAAW,IAAI,CAAA,kBAAA,CAAoB,CAAA;AAAA,EAC3E;AACF;AAEA,SAAS,gBAAA,CAAiB,QAAgB,IAAA,EAAyB;AACjE,EAAA,IAAI;AACF,IAAA,OAAO,gBAAA,CAAiB;AAAA,MACtB,GAAA,EAAK,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA;AAAA,MACjC,MAAA,EAAQ,KAAA;AAAA,MACR,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,YAAA,CAAa,aAAA,EAAe,CAAA,QAAA,EAAW,IAAI,CAAA,mBAAA,CAAqB,CAAA;AAAA,EAC5E;AACF;AAOA,SAAS,cAAA,CAAe,OAAA,EAAiB,GAAA,EAAa,QAAA,EAA0B;AAC9E,EAAA,OAAO,UAAA,CAAW,QAAQ,CAAA,CACvB,MAAA,CAAO,MAAA,CAAO,KAAK,OAAA,EAAS,QAAQ,CAAC,CAAA,CACrC,MAAA,CAAO,MAAA,CAAO,KAAK,GAAA,EAAK,MAAM,CAAC,CAAA,CAC/B,MAAA,CAAO,MAAA,CAAO,KAAK,QAAA,EAAU,QAAQ,CAAC,CAAA,CACtC,MAAA,EAAO;AACZ;AAKA,SAAS,mBAAA,CACP,aAAA,EACA,UAAA,EACA,UAAA,EACgC;AAChC,EAAA,MAAM,MAAM,MAAA,CAAO,MAAA,CAAO,CAAC,aAAA,EAAe,UAAU,CAAC,CAAA;AACrD,EAAA,MAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS,QAAA,EAAU,KAAK,UAAA,EAAY,SAAA,EAAW,OAAA,GAAU,CAAC,CAAC,CAAA;AACnF,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,GAAA,CAAI,QAAA,CAAS,CAAA,EAAG,OAAO,CAAA;AAAA,IAC7B,IAAA,EAAM,GAAA,CAAI,QAAA,CAAS,OAAA,EAAS,UAAU,CAAC;AAAA,GACzC;AACF;AAiCO,SAAS,qBACd,MAAA,EACwB;AAExB,EAAA,MAAM,YAAA,GAAe,eAAA,CAAgB,MAAA,CAAO,eAAA,EAAiB,QAAQ,CAAA;AAErE,EAAA,MAAM,SAAA,GAAY,oBAAoB,QAAQ,CAAA;AAC9C,EAAA,MAAM,OAAA,GAAU,SAAA,CAAU,SAAA,CACvB,MAAA,CAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAA,EAAQ,KAAA,EAAO,CAAA,CACtC,QAAA,CAAS,QAAQ,CAAA;AAEpB,EAAA,MAAM,OAAA,GAAwB;AAAA,IAC5B,SAAA,EAAW,OAAA;AAAA,IACX,YAAY,MAAA,CAAO,UAAA;AAAA,IACnB,YAAY,MAAA,CAAO;AAAA,GACrB;AACA,EAAA,MAAM,MAAM,IAAA,CAAK,IAAA,CAAK,UAAU,OAAO,CAAA,EAAG,OAAO,eAAe,CAAA;AAChE,EAAA,MAAM,QAAsB,EAAE,CAAA,EAAG,YAAA,EAAc,IAAA,EAAM,SAAS,GAAA,EAAI;AAElE,EAAA,MAAM,QAAA,GAAW,CAAC,KAAA,KAAwC;AACxD,IAAA,IAAI,KAAA,CAAM,MAAM,YAAA,EAAc;AAC5B,MAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,CAAA,0BAAA,EAA6B,KAAA,CAAM,CAAC,CAAA,CAAE,CAAA;AAAA,IAClF;AACA,IAAA,MAAM,KAAA,GAAQ,eAAA,CAAgB,KAAA,CAAM,KAAA,EAAO,kBAAkB,CAAA;AAC7D,IAAA,MAAM,UAAA,GAAa,cAAA,CAAe,OAAA,EAAS,GAAA,EAAK,MAAM,KAAK,CAAA;AAE3D,IAAA,IAAI,CAAC,gBAAA,CAAiB,MAAA,CAAO,kBAAkB,UAAA,EAAY,KAAA,CAAM,GAAG,CAAA,EAAG;AACrE,MAAA,MAAM,IAAI,YAAA;AAAA,QACR,eAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,aAAA,GAAgB,cAAc,EAAE,UAAA,EAAY,UAAU,UAAA,EAAY,SAAA,EAAW,OAAO,CAAA;AAC1F,IAAA,MAAM,UAAA,GAAa,cAAc,EAAE,UAAA,EAAY,UAAU,UAAA,EAAY,SAAA,EAAW,cAAc,CAAA;AAC9F,IAAA,MAAM,EAAE,IAAA,EAAM,IAAA,KAAS,mBAAA,CAAoB,aAAA,EAAe,YAAY,UAAU,CAAA;AAEhF,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,IAAA;AAAA,MACT,OAAA,EAAS,IAAA;AAAA,MACT,eAAA,EAAiB,mBAAA,CAAoB,MAAA,CAAO,eAAe,CAAA;AAAA,MAC3D,cAAA,EAAgB,UAAA;AAAA,MAChB,YAAY,MAAA,CAAO;AAAA,KACrB;AAAA,EACF,CAAA;AAEA,EAAA,OAAO,EAAE,OAAO,QAAA,EAAS;AAC3B;AA8BO,SAAS,kBAAA,CACd,OACA,MAAA,EACuB;AACvB,EAAA,IAAI,KAAA,CAAM,MAAM,YAAA,EAAc;AAC5B,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,CAAA,0BAAA,EAA6B,KAAA,CAAM,CAAC,CAAA,CAAE,CAAA;AAAA,EAClF;AACA,EAAA,MAAM,eAAA,GAAkB,eAAA,CAAgB,KAAA,CAAM,IAAA,EAAM,kBAAkB,CAAA;AAEtE,EAAA,IAAI,WAAA;AACJ,EAAA,IAAI;AACF,IAAA,WAAA,GAAc,OAAO,KAAA,CAAM,GAAA,EAAK,MAAA,CAAO,QAAA,CAAS,OAAO,IAAI,CAAA;AAAA,EAC7D,SAAS,GAAA,EAAK;AACZ,IAAA,IAAI,eAAe,SAAA,EAAW;AAC5B,MAAA,MAAM,IAAI,YAAA;AAAA,QACR,eAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF;AACA,IAAA,MAAM,GAAA;AAAA,EACR;AAEA,EAAA,MAAM,OAAA,GAAU,kBAAkB,WAAW,CAAA;AAK7C,EAAA,IAAI,OAAA,CAAQ,SAAA,KAAc,KAAA,CAAM,IAAA,EAAM;AACpC,IAAA,MAAM,IAAI,YAAA;AAAA,MACR,oBAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,gBAAA,CAAiB,OAAA,CAAQ,UAAU,CAAA,EAAG;AAChD,IAAA,MAAM,IAAI,YAAA,CAAa,gBAAA,EAAkB,uDAAuD,CAAA;AAAA,EAClG;AAEA,EAAA,MAAM,eAAA,GAAkB,oBAAoB,QAAQ,CAAA;AACpD,EAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,SAAA,CAC9B,MAAA,CAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAA,EAAQ,KAAA,EAAO,CAAA,CACtC,QAAA,CAAS,QAAQ,CAAA;AAEpB,EAAA,MAAM,aAAa,cAAA,CAAe,KAAA,CAAM,IAAA,EAAM,KAAA,CAAM,KAAK,QAAQ,CAAA;AACjE,EAAA,MAAM,MAAM,cAAA,CAAe,MAAA,CAAO,QAAA,CAAS,OAAA,CAAQ,MAAM,UAAU,CAAA;AAEnE,EAAA,MAAM,mBAAmB,gBAAA,CAAiB,MAAA,CAAO,QAAA,CAAS,MAAA,CAAO,MAAM,eAAe,CAAA;AACtF,EAAA,MAAM,aAAA,GAAgB,cAAc,EAAE,UAAA,EAAY,gBAAgB,UAAA,EAAY,SAAA,EAAW,iBAAiB,CAAA;AAC1G,EAAA,MAAM,aAAa,aAAA,CAAc,EAAE,YAAY,gBAAA,EAAkB,SAAA,EAAW,iBAAiB,CAAA;AAC7F,EAAA,MAAM,EAAE,IAAA,EAAM,IAAA,KAAS,mBAAA,CAAoB,aAAA,EAAe,YAAY,UAAU,CAAA;AAEhF,EAAA,OAAO;AAAA,IACL,OAAO,EAAE,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,UAAU,GAAA,EAAI;AAAA,IAC/C,OAAA,EAAS;AAAA;AAAA;AAAA,MAGP,OAAA,EAAS,IAAA;AAAA,MACT,OAAA,EAAS,IAAA;AAAA,MACT,eAAA,EAAiB,mBAAA,CAAoB,OAAA,CAAQ,SAAS,CAAA;AAAA,MACtD,cAAA,EAAgB,UAAA;AAAA,MAChB,YAAY,OAAA,CAAQ;AAAA;AACtB,GACF;AACF;AAIA,SAAS,SAAS,CAAA,EAA0C;AAC1D,EAAA,OAAO,OAAO,CAAA,KAAM,QAAA,IAAY,CAAA,KAAM,IAAA;AACxC;AAEA,SAAS,kBAAkB,IAAA,EAA4B;AACrD,EAAA,IAAI,MAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAA,GAAS,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,EAC1B,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,yCAAyC,CAAA;AAAA,EACrF;AACA,EAAA,IACE,CAAC,QAAA,CAAS,MAAM,KAChB,OAAO,MAAA,CAAO,WAAW,CAAA,KAAM,QAAA,IAC/B,OAAO,MAAA,CAAO,YAAY,CAAA,KAAM,QAAA,IAChC,OAAO,MAAA,CAAO,YAAY,MAAM,QAAA,EAChC;AACA,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,iDAAiD,CAAA;AAAA,EAC7F;AACA,EAAA,OAAO;AAAA,IACL,SAAA,EAAW,OAAO,WAAW,CAAA;AAAA,IAC7B,UAAA,EAAY,OAAO,YAAY,CAAA;AAAA,IAC/B,UAAA,EAAY,OAAO,YAAY;AAAA,GACjC;AACF;AAGO,SAAS,qBAAqB,OAAA,EAAkD;AACrF,EAAA,OAAO,OAAO,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,OAAO,GAAG,MAAM,CAAA;AACpD;AAIO,SAAS,mBAAmB,KAAA,EAAiC;AAClE,EAAA,MAAM,MAAA,GAAS,SAAA,CAAU,KAAA,EAAO,iBAAiB,CAAA;AACjD,EAAA,IACE,CAAC,QAAA,CAAS,MAAM,CAAA,IAChB,MAAA,CAAO,GAAG,CAAA,KAAM,YAAA,IAChB,OAAO,MAAA,CAAO,MAAM,CAAA,KAAM,QAAA,IAC1B,OAAO,MAAA,CAAO,KAAK,MAAM,QAAA,EACzB;AACA,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,4BAA4B,CAAA;AAAA,EACxE;AACA,EAAA,OAAO,EAAE,CAAA,EAAG,YAAA,EAAc,IAAA,EAAM,MAAA,CAAO,MAAM,CAAA,EAAG,GAAA,EAAK,MAAA,CAAO,KAAK,CAAA,EAAE;AACrE;AAIO,SAAS,mBAAmB,KAAA,EAAiC;AAClE,EAAA,MAAM,MAAA,GAAS,SAAA,CAAU,KAAA,EAAO,iBAAiB,CAAA;AACjD,EAAA,IACE,CAAC,QAAA,CAAS,MAAM,CAAA,IAChB,MAAA,CAAO,GAAG,CAAA,KAAM,YAAA,IAChB,OAAO,MAAA,CAAO,OAAO,CAAA,KAAM,QAAA,IAC3B,OAAO,MAAA,CAAO,KAAK,MAAM,QAAA,EACzB;AACA,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,4BAA4B,CAAA;AAAA,EACxE;AACA,EAAA,OAAO,EAAE,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,MAAA,CAAO,OAAO,CAAA,EAAG,GAAA,EAAK,MAAA,CAAO,KAAK,CAAA,EAAE;AACvE;AAEA,SAAS,SAAA,CAAU,OAAmB,IAAA,EAAiC;AACrE,EAAA,IAAI;AACF,IAAA,OAAO,IAAA,CAAK,MAAM,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,QAAA,CAAS,MAAM,CAAC,CAAA;AAAA,EACvD,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,YAAA,CAAa,IAAA,EAAM,mDAAmD,CAAA;AAAA,EAClF;AACF;;;AC3ZO,IAAM,gBAAA,GAAmB;AACzB,IAAM,cAAA,GAAiB;AAEvB,IAAM,aAAA,GAAgB;AA0B7B,SAAS,YAAY,GAAA,EAAqB;AACxC,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACtE;AAEA,SAAS,YAAYA,OAAAA,EAAwB;AAC3C,EAAA,MAAM,QAAA,GAAWA,QAAO,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAC5D,EAAA,MAAM,GAAA,GAAM,SAAS,MAAA,GAAS,CAAA;AAC9B,EAAA,OAAO,QAAQ,CAAA,GAAI,QAAA,GAAW,WAAW,GAAA,CAAI,MAAA,CAAO,IAAI,GAAG,CAAA;AAC7D;AAGA,SAAS,SAAS,CAAA,EAAoB;AACpC,EAAA,OAAO,CAAA,CAAE,MAAA,GAAS,CAAA,IAAK,kBAAA,CAAmB,KAAK,CAAC,CAAA;AAClD;AASO,SAAS,eAAe,KAAA,EAA6B;AAC1D,EAAA,MAAM,MAAA,GAAS,IAAI,eAAA,EAAgB;AACnC,EAAA,MAAA,CAAO,GAAA,CAAI,GAAA,EAAK,MAAA,CAAO,aAAa,CAAC,CAAA;AACrC,EAAA,MAAA,CAAO,GAAA,CAAI,IAAA,EAAM,KAAA,CAAM,aAAa,CAAA;AACpC,EAAA,MAAA,CAAO,GAAA,CAAI,IAAA,EAAM,KAAA,CAAM,WAAW,CAAA;AAClC,EAAA,MAAA,CAAO,GAAA,CAAI,IAAA,EAAM,WAAA,CAAY,KAAA,CAAM,eAAe,CAAC,CAAA;AACnD,EAAA,MAAA,CAAO,GAAA,CAAI,IAAA,EAAM,WAAA,CAAY,KAAA,CAAM,gBAAgB,CAAC,CAAA;AACpD,EAAA,MAAA,CAAO,GAAA,CAAI,GAAA,EAAK,KAAA,CAAM,KAAK,CAAA;AAC3B,EAAA,MAAA,CAAO,GAAA,CAAI,KAAA,EAAO,MAAA,CAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACnC,EAAA,OAAO,GAAG,gBAAgB,CAAA,EAAA,EAAK,cAAc,CAAA,CAAA,EAAI,MAAA,CAAO,UAAU,CAAA,CAAA;AACpE;AAwBO,SAAS,aAAA,CAAc,GAAA,EAAa,IAAA,GAA0B,EAAC,EAAiB;AACrF,EAAA,IAAI,MAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAA,GAAS,IAAI,IAAI,GAAG,CAAA;AAAA,EACtB,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,0BAA0B,CAAA;AAAA,EACtE;AACA,EAAA,IAAI,MAAA,CAAO,aAAa,gBAAA,EAAkB;AACxC,IAAA,MAAM,IAAI,YAAA;AAAA,MACR,iBAAA;AAAA,MACA,CAAA,sBAAA,EAAyB,gBAAgB,CAAA,UAAA,EAAa,MAAA,CAAO,QAAQ,CAAA,IAAA;AAAA,KACvE;AAAA,EACF;AAIA,EAAA,MAAM,OAAO,MAAA,CAAO,IAAA,IAAQ,OAAO,QAAA,CAAS,OAAA,CAAQ,QAAQ,EAAE,CAAA;AAC9D,EAAA,IAAI,SAAS,cAAA,EAAgB;AAC3B,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,CAAA,oBAAA,EAAuB,cAAc,CAAA,CAAA,CAAG,CAAA;AAAA,EACpF;AAEA,EAAA,MAAM,IAAI,MAAA,CAAO,YAAA;AACjB,EAAA,MAAM,CAAA,GAAI,CAAA,CAAE,GAAA,CAAI,GAAG,CAAA;AACnB,EAAA,IAAI,CAAA,KAAM,MAAA,CAAO,aAAa,CAAA,EAAG;AAC/B,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,CAAA,2BAAA,EAA8B,CAAA,IAAK,UAAU,CAAA,CAAA,CAAG,CAAA;AAAA,EAC5F;AAEA,EAAA,MAAM,aAAA,GAAgB,GAAA,CAAI,CAAA,EAAG,IAAI,CAAA;AAGjC,EAAA,IAAI,QAAA;AACJ,EAAA,IAAI;AACF,IAAA,QAAA,GAAW,IAAI,IAAI,aAAa,CAAA;AAAA,EAClC,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,+BAA+B,CAAA;AAAA,EAC3E;AACA,EAAA,IAAI,QAAA,CAAS,QAAA,KAAa,KAAA,IAAS,QAAA,CAAS,aAAa,MAAA,EAAQ;AAC/D,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,0CAA0C,CAAA;AAAA,EACtF;AAEA,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,CAAA,EAAG,IAAI,CAAA;AAC/B,EAAA,IAAI,CAAC,gBAAA,CAAiB,IAAA,CAAK,WAAW,CAAA,EAAG;AACvC,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,wCAAwC,CAAA;AAAA,EACpF;AAEA,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,CAAA,EAAG,IAAI,CAAA;AACzB,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,CAAA,EAAG,IAAI,CAAA;AACzB,EAAA,IAAI,CAAC,QAAA,CAAS,KAAK,KAAK,CAAC,QAAA,CAAS,KAAK,CAAA,EAAG;AACxC,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,mCAAmC,CAAA;AAAA,EAC/E;AACA,EAAA,MAAM,eAAA,GAAkB,YAAY,KAAK,CAAA;AACzC,EAAA,MAAM,gBAAA,GAAmB,YAAY,KAAK,CAAA;AAE1C,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,CAAA,EAAG,GAAG,CAAA;AACxB,EAAA,IAAI,CAAC,QAAA,CAAS,KAAK,CAAA,EAAG;AACpB,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,qCAAqC,CAAA;AAAA,EACjF;AAEA,EAAA,MAAM,MAAA,GAAS,GAAA,CAAI,CAAA,EAAG,KAAK,CAAA;AAC3B,EAAA,MAAM,GAAA,GAAM,OAAO,MAAM,CAAA;AACzB,EAAA,IAAI,CAAC,MAAA,CAAO,SAAA,CAAU,GAAG,CAAA,IAAK,OAAO,CAAA,EAAG;AACtC,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,8CAA8C,CAAA;AAAA,EAC1F;AAMA,EAAA,IAAI,mBAAA,CAAoB,eAAe,CAAA,KAAM,WAAA,EAAa;AACxD,IAAA,MAAM,IAAI,YAAA;AAAA,MACR,iBAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,KAAK,GAAA,KAAQ,MAAA,IAAa,GAAA,GAAM,GAAA,IAAQ,KAAK,GAAA,EAAK;AACpD,IAAA,MAAM,IAAI,YAAA,CAAa,eAAA,EAAiB,mBAAmB,CAAA;AAAA,EAC7D;AAEA,EAAA,OAAO;AAAA,IACL,CAAA,EAAG,aAAA;AAAA,IACH,aAAA;AAAA,IACA,WAAA;AAAA,IACA,eAAA;AAAA,IACA,gBAAA;AAAA,IACA,KAAA;AAAA,IACA;AAAA,GACF;AACF;AAEA,SAAS,GAAA,CAAI,GAAoB,GAAA,EAAqB;AACpD,EAAA,MAAM,CAAA,GAAI,CAAA,CAAE,GAAA,CAAI,GAAG,CAAA;AACnB,EAAA,IAAI,CAAA,KAAM,IAAA,IAAQ,CAAA,KAAM,EAAA,EAAI;AAC1B,IAAA,MAAM,IAAI,YAAA,CAAa,iBAAA,EAAmB,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAA,CAAG,CAAA;AAAA,EACtF;AACA,EAAA,OAAO,CAAA;AACT;;;ACzLO,IAAM,qBAAA,GAAwB;ACCrC,IAAM,cAAA,GAAiB,sBAAA;AACvB,IAAM,oBAAA,GAAuB,qBAAA;AAG7B,IAAM,aAAA,GAAgB,0BAAA;AAItB,IAAM,eAAA,GAAkB,EAAA;AAExB,IAAM,aAAA,GAAgB,EAAA;AAEtB,IAAM,UAAA,GAAa,KAAA;AAEnB,SAAS,MAAM,EAAA,EAAwB;AACrC,EAAA,OAAO,OAAO,QAAA,CAAS,EAAE,IAAI,EAAA,GAAK,MAAA,CAAO,KAAK,EAAE,CAAA;AAClD;AAEA,SAAS,OAAO,KAAA,EAAuB;AACrC,EAAA,OAAO,KAAA,CAAM,QAAA,CAAS,QAAQ,CAAA,CAAE,QAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC3F;AAOO,SAAS,eAAe,OAAA,EAAiC;AAC9D,EAAA,MAAM,EAAA,GAAK,KAAA,CAAM,OAAA,CAAQ,OAAO,CAAA;AAChC,EAAA,MAAM,EAAA,GAAK,KAAA,CAAM,OAAA,CAAQ,OAAO,CAAA;AAGhC,EAAA,MAAM,CAAC,EAAA,EAAI,EAAE,CAAA,GAAI,MAAA,CAAO,QAAQ,EAAA,EAAI,EAAE,CAAA,IAAK,CAAA,GAAI,CAAC,EAAA,EAAI,EAAE,CAAA,GAAI,CAAC,IAAI,EAAE,CAAA;AACjE,EAAA,MAAM,MAAM,MAAA,CAAO,MAAA,CAAO,CAAC,EAAA,EAAI,EAAE,CAAC,CAAA;AAClC,EAAA,MAAM,GAAA,GAAMC,SAAS,QAAA,EAAU,GAAA,EAAK,MAAM,OAAA,CAAQ,cAAc,CAAA,EAAG,cAAA,EAAgB,aAAa,CAAA;AAChG,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,SAAS,QAAQ,CAAA;AAC3C;AAIO,SAAS,YAAA,CAAa,GAAA,GAAc,IAAA,CAAK,GAAA,EAAI,EAAW;AAC7D,EAAA,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,GAAM,UAAU,CAAA;AACpC;AAQO,SAAS,uBAAA,CAAwB,UAAkB,KAAA,EAAuB;AAC/E,EAAA,MAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAK,QAAA,EAAU,QAAQ,CAAA;AAG1C,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,KAAA,CAAM,CAAC,CAAA;AACjC,EAAA,UAAA,CAAW,gBAAA,CAAiB,MAAA,CAAO,KAAK,CAAC,CAAA;AACzC,EAAA,MAAM,IAAA,GAAO,MAAA,CAAO,MAAA,CAAO,CAAC,MAAA,CAAO,KAAK,oBAAA,EAAsB,MAAM,CAAA,EAAG,UAAU,CAAC,CAAA;AAClF,EAAA,MAAM,GAAA,GAAMA,QAAAA,CAAS,QAAA,EAAU,GAAA,EAAK,MAAA,CAAO,KAAK,aAAA,EAAe,MAAM,CAAA,EAAG,IAAA,EAAM,eAAe,CAAA;AAC7F,EAAA,OAAO,MAAA,CAAO,MAAA,CAAO,IAAA,CAAK,GAAG,CAAC,CAAA;AAChC;AASO,SAAS,kBAAA,CACd,QAAA,EACA,GAAA,GAAc,IAAA,CAAK,KAAI,EACa;AACpC,EAAA,MAAM,KAAA,GAAQ,aAAa,GAAG,CAAA;AAC9B,EAAA,OAAO;AAAA,IACL,EAAE,KAAA,EAAO,KAAA,EAAO,uBAAA,CAAwB,QAAA,EAAU,KAAK,CAAA,EAAE;AAAA,IACzD,EAAE,OAAO,KAAA,GAAQ,CAAA,EAAG,OAAO,uBAAA,CAAwB,QAAA,EAAU,KAAA,GAAQ,CAAC,CAAA;AAAE,GAC1E;AACF;AClDO,IAAM,kBAAA,GAAqB;AAIlC,IAAM,YAAA,GAAe,0BAAA;AAErB,IAAM,SAAA,GAAY,+BAAA;AAGlB,IAAM,eAAA,GAAkB,UAAA;AACxB,IAAM,gBAAA,GAAmB,WAAA;AAGzB,IAAMC,QAAAA,GAAU,EAAA;AAEhB,IAAM,YAAA,GAAe,EAAA;AAad,IAAM,oBAAA,GAAN,cAAmC,KAAA,CAAM;AAAA,EACrC,IAAA;AAAA,EACT,WAAA,CAAY,MAAgC,OAAA,EAAiB;AAC3D,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,sBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AAuCA,SAAS,UAAU,KAAA,EAAuB;AACxC,EAAA,OAAOC,UAAAA,CAAW,QAAQ,CAAA,CAAE,MAAA,CAAO,MAAA,CAAO,KAAK,KAAA,EAAO,MAAM,CAAC,CAAA,CAAE,MAAA,EAAO;AACxE;AAIA,SAAS,cAAc,KAAA,EAAuB;AAC5C,EAAA,OAAO,MAAA,CAAO,IAAA;AAAA,IACZF,QAAAA,CAAS,QAAA,EAAU,MAAA,CAAO,IAAA,CAAK,KAAA,EAAO,MAAM,CAAA,EAAG,SAAA,CAAU,KAAK,CAAA,EAAG,SAAA,EAAW,YAAY;AAAA,GAC1F;AACF;AAKA,SAAS,UAAA,CAAW,OAAA,EAAiB,KAAA,EAAA,GAAkB,KAAA,EAAyB;AAC9E,EAAA,MAAM,CAAA,GAAI,UAAA,CAAW,QAAA,EAAU,OAAO,CAAA;AACtC,EAAA,CAAA,CAAE,MAAA,CAAO,MAAA,CAAO,IAAA,CAAK,KAAA,EAAO,MAAM,CAAC,CAAA;AACnC,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,CAAA,CAAE,MAAA,CAAO,CAAC,CAAA;AACjC,EAAA,OAAO,EAAE,MAAA,EAAO;AAClB;AAIA,SAAS,UAAA,CAAW,UAAkB,WAAA,EAA8B;AAClE,EAAA,IAAI,QAAA;AACJ,EAAA,IAAI;AACF,IAAA,QAAA,GAAW,MAAA,CAAO,IAAA,CAAK,WAAA,EAAa,QAAQ,CAAA;AAAA,EAC9C,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACA,EAAA,IAAI,QAAA,CAAS,MAAA,KAAW,QAAA,CAAS,MAAA,EAAQ,OAAO,KAAA;AAChD,EAAA,OAAO,eAAA,CAAgB,UAAU,QAAQ,CAAA;AAC3C;AAEA,SAASG,iBAAgB,MAAA,EAA2B;AAClD,EAAA,IAAI;AACF,IAAA,OAAOC,eAAAA,CAAgB,EAAE,GAAA,EAAK,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA,EAAG,MAAA,EAAQ,KAAA,EAAO,IAAA,EAAM,MAAA,EAAQ,CAAA;AAAA,EAC5F,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,oBAAA,CAAqB,aAAA,EAAe,6CAA6C,CAAA;AAAA,EAC7F;AACF;AAGA,SAASC,eAAAA,CAAe,UAAkB,QAAA,EAA0B;AAClE,EAAA,OAAOH,WAAW,QAAQ,CAAA,CACvB,MAAA,CAAO,MAAA,CAAO,KAAK,YAAA,EAAc,MAAM,CAAC,CAAA,CACxC,OAAO,QAAQ,CAAA,CACf,MAAA,CAAO,QAAQ,EACf,MAAA,EAAO;AACZ;AAIA,SAASI,oBAAAA,CACP,MACA,IAAA,EACgC;AAChC,EAAA,MAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAKN,QAAAA,CAAS,QAAA,EAAU,MAAM,IAAA,EAAM,YAAA,EAAcC,QAAAA,GAAU,CAAC,CAAC,CAAA;AACjF,EAAA,OAAO,EAAE,IAAA,EAAM,GAAA,CAAI,QAAA,CAAS,CAAA,EAAGA,QAAO,CAAA,EAAG,IAAA,EAAM,GAAA,CAAI,QAAA,CAASA,QAAAA,EAASA,QAAAA,GAAU,CAAC,CAAA,EAAE;AACpF;AAKA,SAAS,iBAAA,GAAyE;AAChF,EAAA,MAAM,EAAA,GAAKM,oBAAoB,QAAQ,CAAA;AACvC,EAAA,MAAM,MAAA,GAAS,GAAG,SAAA,CAAU,MAAA,CAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAA,EAAQ,KAAA,EAAO,CAAA;AAClE,EAAA,OAAO,EAAE,MAAM,EAAA,CAAG,UAAA,EAAY,QAAQ,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,EAAG,MAAA,EAAO;AAC1E;AAqBO,SAAS,qBAAqB,KAAA,EAAuC;AAC1E,EAAA,MAAM,OAAA,GAAU,cAAc,KAAK,CAAA;AACnC,EAAA,MAAM,IAAA,GAAO,UAAU,KAAK,CAAA;AAC5B,EAAA,MAAM,MAAM,iBAAA,EAAkB;AAE9B,EAAA,MAAM,KAAA,GAAqB;AAAA,IACzB,CAAA,EAAG,kBAAA;AAAA,IACH,MAAM,GAAA,CAAI,MAAA;AAAA,IACV,GAAA,EAAK,WAAW,OAAA,EAAS,eAAA,EAAiB,IAAI,MAAM,CAAA,CAAE,SAAS,QAAQ;AAAA,GACzE;AAEA,EAAA,MAAM,QAAA,GAAW,CAAC,MAAA,KAA2C;AAC3D,IAAA,IAAI,MAAA,CAAO,MAAM,kBAAA,EAAoB;AACnC,MAAA,MAAM,IAAI,oBAAA;AAAA,QACR,qBAAA;AAAA,QACA,CAAA,2BAAA,EAA8B,MAAA,CAAO,MAAA,CAAO,CAAC,CAAC,CAAA;AAAA,OAChD;AAAA,IACF;AACA,IAAA,MAAM,OAAA,GAAUJ,gBAAAA,CAAgB,MAAA,CAAO,IAAI,CAAA;AAC3C,IAAA,MAAM,UAAA,GAAa,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,MAAM,QAAQ,CAAA;AAEpD,IAAA,MAAM,WAAW,UAAA,CAAW,OAAA,EAAS,gBAAA,EAAkB,GAAA,CAAI,QAAQ,UAAU,CAAA;AAC7E,IAAA,IAAI,CAAC,UAAA,CAAW,QAAA,EAAU,MAAA,CAAO,GAAG,CAAA,EAAG;AACrC,MAAA,MAAM,IAAI,oBAAA;AAAA,QACR,UAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAOK,cAAc,EAAE,UAAA,EAAY,IAAI,IAAA,EAAM,SAAA,EAAW,SAAS,CAAA;AACvE,IAAA,MAAM,EAAE,IAAA,EAAM,IAAA,EAAK,GAAIF,oBAAAA,CAAoB,MAAM,IAAI,CAAA;AACrD,IAAA,OAAO;AAAA;AAAA,MAEL,OAAA,EAAS,IAAA;AAAA,MACT,OAAA,EAAS,IAAA;AAAA,MACT,cAAA,EAAgBD,eAAAA,CAAe,GAAA,CAAI,MAAA,EAAQ,UAAU;AAAA,KACvD;AAAA,EACF,CAAA;AAEA,EAAA,OAAO,EAAE,OAAO,QAAA,EAAS;AAC3B;AAiBO,SAAS,wBAAA,CACd,OACA,KAAA,EACuB;AACvB,EAAA,IAAI,KAAA,CAAM,MAAM,kBAAA,EAAoB;AAClC,IAAA,MAAM,IAAI,oBAAA;AAAA,MACR,qBAAA;AAAA,MACA,CAAA,0BAAA,EAA6B,MAAA,CAAO,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,KAC9C;AAAA,EACF;AACA,EAAA,MAAM,OAAA,GAAU,cAAc,KAAK,CAAA;AACnC,EAAA,MAAM,IAAA,GAAO,UAAU,KAAK,CAAA;AAE5B,EAAA,MAAM,SAAA,GAAYF,gBAAAA,CAAgB,KAAA,CAAM,IAAI,CAAA;AAC5C,EAAA,MAAM,YAAA,GAAe,MAAA,CAAO,IAAA,CAAK,KAAA,CAAM,MAAM,QAAQ,CAAA;AAErD,EAAA,MAAM,QAAA,GAAW,UAAA,CAAW,OAAA,EAAS,eAAA,EAAiB,YAAY,CAAA;AAClE,EAAA,IAAI,CAAC,UAAA,CAAW,QAAA,EAAU,KAAA,CAAM,GAAG,CAAA,EAAG;AACpC,IAAA,MAAM,IAAI,oBAAA;AAAA,MACR,UAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,MAAM,iBAAA,EAAkB;AAC9B,EAAA,MAAM,MAAA,GAAuB;AAAA,IAC3B,CAAA,EAAG,kBAAA;AAAA,IACH,MAAM,GAAA,CAAI,MAAA;AAAA,IACV,GAAA,EAAK,WAAW,OAAA,EAAS,gBAAA,EAAkB,cAAc,GAAA,CAAI,MAAM,CAAA,CAAE,QAAA,CAAS,QAAQ;AAAA,GACxF;AAEA,EAAA,MAAM,IAAA,GAAOK,cAAc,EAAE,UAAA,EAAY,IAAI,IAAA,EAAM,SAAA,EAAW,WAAW,CAAA;AACzE,EAAA,MAAM,EAAE,IAAA,EAAM,IAAA,EAAK,GAAIF,oBAAAA,CAAoB,MAAM,IAAI,CAAA;AACrD,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,OAAA,EAAS;AAAA;AAAA,MAEP,OAAA,EAAS,IAAA;AAAA,MACT,OAAA,EAAS,IAAA;AAAA,MACT,cAAA,EAAgBD,eAAAA,CAAe,YAAA,EAAc,GAAA,CAAI,MAAM;AAAA;AACzD,GACF;AACF;AAIA,SAASI,UAAS,CAAA,EAA0C;AAC1D,EAAA,OAAO,OAAO,CAAA,KAAM,QAAA,IAAY,CAAA,KAAM,IAAA;AACxC;AAGO,SAAS,oBAAoB,OAAA,EAAiD;AACnF,EAAA,OAAO,OAAO,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,OAAO,GAAG,MAAM,CAAA;AACpD;AAEA,SAASC,UAAAA,CAAU,OAAmB,IAAA,EAAyC;AAC7E,EAAA,IAAI;AACF,IAAA,OAAO,IAAA,CAAK,MAAM,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,QAAA,CAAS,MAAM,CAAC,CAAA;AAAA,EACvD,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,oBAAA,CAAqB,IAAA,EAAM,mDAAmD,CAAA;AAAA,EAC1F;AACF;AAIO,SAAS,kBAAkB,KAAA,EAAgC;AAChE,EAAA,MAAM,MAAA,GAASA,UAAAA,CAAU,KAAA,EAAO,iBAAiB,CAAA;AACjD,EAAA,IACE,CAACD,SAAAA,CAAS,MAAM,CAAA,IAChB,MAAA,CAAO,GAAG,CAAA,KAAM,kBAAA,IAChB,OAAO,MAAA,CAAO,MAAM,CAAA,KAAM,QAAA,IAC1B,OAAO,MAAA,CAAO,KAAK,MAAM,QAAA,EACzB;AACA,IAAA,MAAM,IAAI,oBAAA,CAAqB,iBAAA,EAAmB,4BAA4B,CAAA;AAAA,EAChF;AACA,EAAA,OAAO,EAAE,CAAA,EAAG,kBAAA,EAAoB,IAAA,EAAM,MAAA,CAAO,MAAM,CAAA,EAAG,GAAA,EAAK,MAAA,CAAO,KAAK,CAAA,EAAE;AAC3E;AAIO,SAAS,mBAAmB,KAAA,EAAiC;AAClE,EAAA,MAAM,MAAA,GAASC,UAAAA,CAAU,KAAA,EAAO,kBAAkB,CAAA;AAClD,EAAA,IACE,CAACD,SAAAA,CAAS,MAAM,CAAA,IAChB,MAAA,CAAO,GAAG,CAAA,KAAM,kBAAA,IAChB,OAAO,MAAA,CAAO,MAAM,CAAA,KAAM,QAAA,IAC1B,OAAO,MAAA,CAAO,KAAK,MAAM,QAAA,EACzB;AACA,IAAA,MAAM,IAAI,oBAAA,CAAqB,kBAAA,EAAoB,6BAA6B,CAAA;AAAA,EAClF;AACA,EAAA,OAAO,EAAE,CAAA,EAAG,kBAAA,EAAoB,IAAA,EAAM,MAAA,CAAO,MAAM,CAAA,EAAG,GAAA,EAAK,MAAA,CAAO,KAAK,CAAA,EAAE;AAC3E","file":"index.mjs","sourcesContent":["/**\n * @agentproto/secrets/pairing — the `pair/v1` session handshake\n * (design: DESIGN §4).\n *\n * A Noise-flavoured, two-message handshake that lets a client and a daemon —\n * connected only through an untrusted rendezvous that byte-splices their\n * sockets — derive per-direction AEAD keys such that the rendezvous can neither\n * read nor forge the session:\n *\n * ```\n * client → daemon: e_pub // ephemeral X25519\n * ct₀ = Seal(to = daemon_x25519,\n * {clientPub: e_pub, clientName, offerToken})\n * daemon → client: d_e_pub, sig = Ed25519(daemon_ed25519,\n * transcript = sha256(e_pub ‖ ct₀ ‖ d_e_pub))\n * both: K = HKDF-SHA256(ECDH(e, d_e) ‖ ECDH(e, daemon_x25519),\n * salt = transcript, info = \"agentproto/pair/v1\")\n * → K_c2d ‖ K_d2c (two AES-256-GCM keys)\n * ```\n *\n * Why this shape:\n * - The client learned the daemon's static public keys out-of-band (the offer\n * URL / QR). Verifying `sig` against the offer's Ed25519 key proves the peer\n * is the daemon the human scanned, not a rendezvous impersonating it — MITM\n * protection without a CA.\n * - The daemon proves the client is authorised by opening `ct₀` (only the\n * daemon's X25519 private key can) and checking the one-time `offerToken`.\n * - `sig` covers the whole transcript and the transcript salts the key\n * schedule, so any tampering with `e_pub`, `ct₀`, or `d_e_pub` in flight\n * makes either the signature or the derived keys disagree — the session\n * fails closed, never continuing with attacker-chosen material.\n *\n * This module is deliberately **transport-agnostic**: it produces and consumes\n * plain messages (`encode*`/`decode*` give byte arrays). The code that pumps\n * those bytes over a `FrameSink` lives in `@agentproto/acp/tunnel`, which stays\n * free of any dependency on this package — it receives only the derived keys.\n * All crypto stays here so the acp layer never touches key material beyond the\n * two symmetric session keys.\n */\n\nimport {\n createPublicKey,\n createPrivateKey,\n createHash,\n diffieHellman,\n hkdfSync,\n generateKeyPairSync,\n type KeyObject,\n} from \"node:crypto\"\nimport { seal, unseal, SealError } from \"../seal/index.js\"\nimport {\n identityFingerprint,\n signTranscript,\n verifyTranscript,\n type DaemonIdentity,\n} from \"../identity/index.js\"\n\n/** Wire version of the handshake. Bumped if the message shape or key schedule\n * changes; both sides refuse a version they don't recognise. */\nexport const PAIR_VERSION = 1 as const\n\n/** HKDF `info` — domain-separates this key schedule from every other HKDF use\n * in the codebase (seal boxes, future rendezvous-token derivation). */\nconst HKDF_INFO = \"agentproto/pair/v1\"\n\n/** Length of each direction key: AES-256 → 32 bytes, two of them → 64. */\nconst KEY_LEN = 32\n\n/** Stable, machine-readable failure codes. Every rejection maps to one of\n * these so callers (and tests) branch on a code, not a message string. */\nexport type PairingErrorCode =\n | \"malformed_hello\"\n | \"malformed_reply\"\n | \"invalid_key\"\n | \"unseal_failed\"\n | \"ephemeral_mismatch\"\n | \"offer_rejected\"\n | \"bad_signature\"\n // P2: offer-URL codec (offer-url.ts) rejection vectors.\n | \"malformed_offer\"\n | \"offer_expired\"\n\n/** Raised for every handshake failure. Never carries key material or\n * plaintext; the `code` is the contract, the message is for humans. */\nexport class PairingError extends Error {\n readonly code: PairingErrorCode\n constructor(code: PairingErrorCode, message: string) {\n super(message)\n this.name = \"PairingError\"\n this.code = code\n }\n}\n\n/** Client → daemon. `ePub` is the client ephemeral X25519 public key (base64\n * SPKI DER); `ct0` is the sealed hello payload (a `seal()` envelope string). */\nexport interface PairingHello {\n v: typeof PAIR_VERSION\n ePub: string\n ct0: string\n}\n\n/** Daemon → client. `dePub` is the daemon ephemeral X25519 public key (base64\n * SPKI DER); `sig` is the Ed25519 transcript signature (base64). */\nexport interface PairingReply {\n v: typeof PAIR_VERSION\n dePub: string\n sig: string\n}\n\n/** The sealed hello payload, opened only by the daemon. */\ninterface HelloPayload {\n /** Echo of the client ephemeral public key — bound inside the seal so a\n * rendezvous can't swap `ePub` without breaking the seal. */\n clientPub: string\n /** Human-facing client label the daemon shows on `pair accept`. */\n clientName: string\n /** One-time offer token from the offer URL — the daemon's proof the client\n * holds a fresh, unspent offer. */\n offerToken: string\n}\n\n/**\n * The result of a completed handshake, on either side. `sendKey`/`recvKey` are\n * already role-adjusted (a client's `sendKey` is a daemon's `recvKey`), so the\n * consumer — `wrapE2E` — never has to know which side it is.\n */\nexport interface PairingSession {\n /** AES-256-GCM key for frames THIS side sends. 32 bytes. */\n sendKey: Uint8Array\n /** AES-256-GCM key for frames THIS side receives. 32 bytes. */\n recvKey: Uint8Array\n /** Fingerprint of the peer's static identity (the daemon's X25519 key on the\n * client side; in P1, the client's ephemeral key on the daemon side, since\n * clients have no persisted identity until P2's pairings store). */\n peerFingerprint: string\n /** `sha256(e_pub ‖ ct₀ ‖ d_e_pub)` — the exact transcript both sides bound\n * to. A later phase channel-binds reconnect tokens to this. */\n transcriptHash: Uint8Array\n /**\n * The human-facing client label carried in the sealed hello. On the daemon\n * side this is the name the peer chose (surfaced in `pairings.json` and on\n * `pair accept`); on the client side it echoes the name this side supplied.\n * Optional so pre-P2 callers constructing a session literal are unaffected —\n * P2 (pairing-registry) reads it to name a persisted pairing without opening\n * the seal a second time. Populated by both handshake entry points below.\n */\n clientName?: string\n}\n\n// ─── key helpers ────────────────────────────────────────────────\n\nfunction x25519PublicKey(b64Der: string, what: string): KeyObject {\n try {\n return createPublicKey({\n key: Buffer.from(b64Der, \"base64\"),\n format: \"der\",\n type: \"spki\",\n })\n } catch {\n throw new PairingError(\"invalid_key\", `invalid ${what} X25519 public key`)\n }\n}\n\nfunction x25519PrivateKey(b64Der: string, what: string): KeyObject {\n try {\n return createPrivateKey({\n key: Buffer.from(b64Der, \"base64\"),\n format: \"der\",\n type: \"pkcs8\",\n })\n } catch {\n throw new PairingError(\"invalid_key\", `invalid ${what} X25519 private key`)\n }\n}\n\n/**\n * Compute the transcript hash from the raw wire bytes of each message part.\n * Using the wire bytes (not a re-export of the parsed key) guarantees both\n * sides hash identical bytes regardless of any DER canonicalisation.\n */\nfunction transcriptHash(ePubB64: string, ct0: string, dePubB64: string): Buffer {\n return createHash(\"sha256\")\n .update(Buffer.from(ePubB64, \"base64\"))\n .update(Buffer.from(ct0, \"utf8\"))\n .update(Buffer.from(dePubB64, \"base64\"))\n .digest()\n}\n\n/** Derive the two direction keys from the two ECDH outputs, salted by the\n * transcript. Concatenation order (ECDH(e,d_e) then ECDH(e,static)) and the\n * key split (c2d then d2c) are identical on both sides. */\nfunction deriveDirectionKeys(\n ecdhEphemeral: Buffer,\n ecdhStatic: Buffer,\n transcript: Buffer\n): { kc2d: Buffer; kd2c: Buffer } {\n const ikm = Buffer.concat([ecdhEphemeral, ecdhStatic])\n const okm = Buffer.from(hkdfSync(\"sha256\", ikm, transcript, HKDF_INFO, KEY_LEN * 2))\n return {\n kc2d: okm.subarray(0, KEY_LEN),\n kd2c: okm.subarray(KEY_LEN, KEY_LEN * 2),\n }\n}\n\n// ─── client side ────────────────────────────────────────────────\n\n/** Everything the client learned from the offer URL, plus its chosen name. */\nexport interface ClientHandshakeParams {\n /** Daemon static X25519 public key (base64 SPKI DER) — the seal recipient\n * and one ECDH input. From the offer's `pk`. */\n daemonX25519Pub: string\n /** Daemon static Ed25519 public key (base64 SPKI DER) — verifies `sig`.\n * From the offer's `sk`. */\n daemonEd25519Pub: string\n /** One-time offer token. From the offer's `t`. */\n offerToken: string\n /** Human-facing client label the daemon displays on accept. */\n clientName: string\n}\n\n/** A started client handshake: send `hello`, then feed the daemon's reply to\n * `complete` to derive the session. */\nexport interface StartedClientHandshake {\n hello: PairingHello\n /** Verify the daemon reply and derive the session. Throws `PairingError` on\n * a bad signature, malformed reply, or invalid key — never returns partial\n * state. */\n complete(reply: PairingReply): PairingSession\n}\n\n/**\n * Begin a client handshake. Generates the client ephemeral keypair, seals the\n * hello payload to the daemon's static key, and returns the `hello` to send\n * plus a `complete` to run once the daemon replies.\n */\nexport function startClientHandshake(\n params: ClientHandshakeParams\n): StartedClientHandshake {\n // Validate the daemon keys up front so a bad offer fails before we transmit.\n const daemonStatic = x25519PublicKey(params.daemonX25519Pub, \"daemon\")\n\n const ephemeral = generateKeyPairSync(\"x25519\")\n const ePubB64 = ephemeral.publicKey\n .export({ type: \"spki\", format: \"der\" })\n .toString(\"base64\")\n\n const payload: HelloPayload = {\n clientPub: ePubB64,\n clientName: params.clientName,\n offerToken: params.offerToken,\n }\n const ct0 = seal(JSON.stringify(payload), params.daemonX25519Pub)\n const hello: PairingHello = { v: PAIR_VERSION, ePub: ePubB64, ct0 }\n\n const complete = (reply: PairingReply): PairingSession => {\n if (reply.v !== PAIR_VERSION) {\n throw new PairingError(\"malformed_reply\", `unsupported reply version ${reply.v}`)\n }\n const dePub = x25519PublicKey(reply.dePub, \"daemon ephemeral\")\n const transcript = transcriptHash(ePubB64, ct0, reply.dePub)\n\n if (!verifyTranscript(params.daemonEd25519Pub, transcript, reply.sig)) {\n throw new PairingError(\n \"bad_signature\",\n \"daemon transcript signature did not verify against the offered key\"\n )\n }\n\n const ecdhEphemeral = diffieHellman({ privateKey: ephemeral.privateKey, publicKey: dePub })\n const ecdhStatic = diffieHellman({ privateKey: ephemeral.privateKey, publicKey: daemonStatic })\n const { kc2d, kd2c } = deriveDirectionKeys(ecdhEphemeral, ecdhStatic, transcript)\n\n return {\n sendKey: kc2d,\n recvKey: kd2c,\n peerFingerprint: identityFingerprint(params.daemonX25519Pub),\n transcriptHash: transcript,\n clientName: params.clientName,\n }\n }\n\n return { hello, complete }\n}\n\n// ─── daemon side ────────────────────────────────────────────────\n\n/** What the daemon brings to the handshake: its identity, and a predicate that\n * validates (and, in P2, spends) the one-time offer token. */\nexport interface DaemonHandshakeParams {\n identity: DaemonIdentity\n /**\n * Validate the presented offer token. Returning false rejects the handshake\n * with `offer_rejected`. The daemon owns single-use + expiry policy here so\n * this module never needs to know about the offer store — a stale or already\n * spent token simply returns false.\n */\n verifyOfferToken: (token: string) => boolean\n}\n\n/** A completed daemon handshake: send `reply`, keep `session`. */\nexport interface DaemonHandshakeResult {\n reply: PairingReply\n session: PairingSession\n}\n\n/**\n * Respond to a client hello. Opens the sealed payload with the daemon's X25519\n * private key, checks the offer token and the ephemeral-key binding, signs the\n * transcript, and derives the session. Throws `PairingError` on any failure —\n * a tampered `ct₀`, a swapped `ePub`, a rejected token — before producing any\n * reply, so a rejected client learns nothing and gets no session.\n */\nexport function respondToHandshake(\n hello: PairingHello,\n params: DaemonHandshakeParams\n): DaemonHandshakeResult {\n if (hello.v !== PAIR_VERSION) {\n throw new PairingError(\"malformed_hello\", `unsupported hello version ${hello.v}`)\n }\n const clientEphemeral = x25519PublicKey(hello.ePub, \"client ephemeral\")\n\n let payloadJson: string\n try {\n payloadJson = unseal(hello.ct0, params.identity.x25519.priv)\n } catch (err) {\n if (err instanceof SealError) {\n throw new PairingError(\n \"unseal_failed\",\n \"could not open sealed hello — wrong daemon key or tampered ct₀\"\n )\n }\n throw err\n }\n\n const payload = parseHelloPayload(payloadJson)\n\n // The sealed payload echoes the client ephemeral key; it must match the\n // cleartext ePub, or a rendezvous swapped ePub while relaying the intact\n // (opaque) seal. Binds the ephemeral to the sealed offer proof.\n if (payload.clientPub !== hello.ePub) {\n throw new PairingError(\n \"ephemeral_mismatch\",\n \"sealed clientPub does not match the hello ephemeral key\"\n )\n }\n\n if (!params.verifyOfferToken(payload.offerToken)) {\n throw new PairingError(\"offer_rejected\", \"offer token was rejected (unknown, expired, or spent)\")\n }\n\n const daemonEphemeral = generateKeyPairSync(\"x25519\")\n const dePubB64 = daemonEphemeral.publicKey\n .export({ type: \"spki\", format: \"der\" })\n .toString(\"base64\")\n\n const transcript = transcriptHash(hello.ePub, hello.ct0, dePubB64)\n const sig = signTranscript(params.identity.ed25519.priv, transcript)\n\n const daemonStaticPriv = x25519PrivateKey(params.identity.x25519.priv, \"daemon static\")\n const ecdhEphemeral = diffieHellman({ privateKey: daemonEphemeral.privateKey, publicKey: clientEphemeral })\n const ecdhStatic = diffieHellman({ privateKey: daemonStaticPriv, publicKey: clientEphemeral })\n const { kc2d, kd2c } = deriveDirectionKeys(ecdhEphemeral, ecdhStatic, transcript)\n\n return {\n reply: { v: PAIR_VERSION, dePub: dePubB64, sig },\n session: {\n // Daemon sends on c2d's counterpart: it RECEIVES client→daemon (kc2d)\n // and SENDS daemon→client (kd2c).\n sendKey: kd2c,\n recvKey: kc2d,\n peerFingerprint: identityFingerprint(payload.clientPub),\n transcriptHash: transcript,\n clientName: payload.clientName,\n },\n }\n}\n\n// ─── message (de)serialization ──────────────────────────────────\n\nfunction isRecord(v: unknown): v is Record<string, unknown> {\n return typeof v === \"object\" && v !== null\n}\n\nfunction parseHelloPayload(json: string): HelloPayload {\n let parsed: unknown\n try {\n parsed = JSON.parse(json)\n } catch {\n throw new PairingError(\"malformed_hello\", \"sealed hello payload was not valid JSON\")\n }\n if (\n !isRecord(parsed) ||\n typeof parsed[\"clientPub\"] !== \"string\" ||\n typeof parsed[\"clientName\"] !== \"string\" ||\n typeof parsed[\"offerToken\"] !== \"string\"\n ) {\n throw new PairingError(\"malformed_hello\", \"sealed hello payload is missing required fields\")\n }\n return {\n clientPub: parsed[\"clientPub\"],\n clientName: parsed[\"clientName\"],\n offerToken: parsed[\"offerToken\"],\n }\n}\n\n/** Serialize a handshake message to bytes for transport. */\nexport function encodePairingMessage(message: PairingHello | PairingReply): Uint8Array {\n return Buffer.from(JSON.stringify(message), \"utf8\")\n}\n\n/** Parse + validate a client hello from raw bytes. Truncated or malformed\n * input throws `PairingError(\"malformed_hello\")` — never a partial object. */\nexport function decodePairingHello(bytes: Uint8Array): PairingHello {\n const parsed = parseJson(bytes, \"malformed_hello\")\n if (\n !isRecord(parsed) ||\n parsed[\"v\"] !== PAIR_VERSION ||\n typeof parsed[\"ePub\"] !== \"string\" ||\n typeof parsed[\"ct0\"] !== \"string\"\n ) {\n throw new PairingError(\"malformed_hello\", \"hello message is malformed\")\n }\n return { v: PAIR_VERSION, ePub: parsed[\"ePub\"], ct0: parsed[\"ct0\"] }\n}\n\n/** Parse + validate a daemon reply from raw bytes. Truncated or malformed\n * input throws `PairingError(\"malformed_reply\")`. */\nexport function decodePairingReply(bytes: Uint8Array): PairingReply {\n const parsed = parseJson(bytes, \"malformed_reply\")\n if (\n !isRecord(parsed) ||\n parsed[\"v\"] !== PAIR_VERSION ||\n typeof parsed[\"dePub\"] !== \"string\" ||\n typeof parsed[\"sig\"] !== \"string\"\n ) {\n throw new PairingError(\"malformed_reply\", \"reply message is malformed\")\n }\n return { v: PAIR_VERSION, dePub: parsed[\"dePub\"], sig: parsed[\"sig\"] }\n}\n\nfunction parseJson(bytes: Uint8Array, code: PairingErrorCode): unknown {\n try {\n return JSON.parse(Buffer.from(bytes).toString(\"utf8\"))\n } catch {\n throw new PairingError(code, \"message was not valid JSON (truncated or corrupt)\")\n }\n}\n","/**\n * The pairing offer URL codec (design: DESIGN §2).\n *\n * `agentproto pair offer` prints a single URL (also renderable as a QR):\n *\n * ```\n * agentproto://pair?v=1\n * &rv=<rendezvous ws/wss url> // where both sides meet\n * &id=<fingerprint> // daemon identity fingerprint (16 hex)\n * &pk=<b64url x25519 SPKI DER> // daemon static encryption key\n * &sk=<b64url ed25519 SPKI DER> // daemon signing key\n * &t=<one-time offer token> // rendezvous routing + first-contact proof\n * &exp=<unix seconds> // offer expiry\n * ```\n *\n * The URL **is** the bootstrap secret. It carries the daemon's public keys, so\n * a client that scans it can pin the daemon and detect a man-in-the-middle\n * rendezvous (verifying the handshake signature against `sk`); and it carries a\n * one-time, short-TTL token so a stranger who never saw the URL can't pair.\n *\n * This module is a **pure codec** — it validates structure and echoes bytes; it\n * performs no I/O and no network calls, so it is safe to run on either side\n * (the daemon builds it, the client parses it). It lives in `@agentproto/secrets`\n * beside the handshake so both sides share one authority on the format.\n *\n * Key material travels **base64url** in the URL (no `+`/`/`/`=` to percent-\n * escape). The handshake, however, speaks standard base64 SPKI DER, so\n * `parseOfferUrl` returns `daemonX25519Pub`/`daemonEd25519Pub` already converted\n * back to standard base64 — feed them straight into `startClientHandshake`.\n */\n\nimport { identityFingerprint } from \"../identity/index.js\"\nimport { PairingError } from \"./handshake.js\"\n\n/** URL scheme + host for offer URLs. */\nexport const OFFER_URL_SCHEME = \"agentproto:\" as const\nexport const OFFER_URL_HOST = \"pair\" as const\n/** Offer-format version. Bumped if the param set changes. */\nexport const OFFER_VERSION = 1 as const\n\n/**\n * A parsed, structurally-valid pairing offer. `daemonX25519Pub` /\n * `daemonEd25519Pub` are standard-base64 SPKI DER (handshake-ready). `token` is\n * the opaque one-time offer token verbatim (the daemon checks it against its\n * offer store). `exp` is unix **seconds**.\n */\nexport interface PairingOffer {\n v: typeof OFFER_VERSION\n /** Rendezvous endpoint both sides dial (ws:// or wss://). */\n rendezvousUrl: string\n /** Daemon identity fingerprint (16 hex) — must equal fingerprint(pk). */\n fingerprint: string\n /** Daemon static X25519 public key, standard base64 SPKI DER. */\n daemonX25519Pub: string\n /** Daemon static Ed25519 public key, standard base64 SPKI DER. */\n daemonEd25519Pub: string\n /** One-time offer token (routing + first-contact proof). */\n token: string\n /** Offer expiry, unix seconds. */\n exp: number\n}\n\n// ─── base64 ⇄ base64url ──────────────────────────────────────────\n\nfunction b64ToB64url(b64: string): string {\n return b64.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\")\n}\n\nfunction b64urlToB64(b64url: string): string {\n const replaced = b64url.replace(/-/g, \"+\").replace(/_/g, \"/\")\n const pad = replaced.length % 4\n return pad === 0 ? replaced : replaced + \"=\".repeat(4 - pad)\n}\n\n/** True when `s` is a non-empty base64url string (the alphabet only). */\nfunction isB64url(s: string): boolean {\n return s.length > 0 && /^[A-Za-z0-9_-]+$/.test(s)\n}\n\n// ─── encode ──────────────────────────────────────────────────────\n\n/**\n * Build the offer URL from an offer. The public keys come in as standard\n * base64 (the shape the identity file + handshake use) and are emitted as\n * base64url. `token` is emitted verbatim (callers mint it as base64url).\n */\nexport function encodeOfferUrl(offer: PairingOffer): string {\n const params = new URLSearchParams()\n params.set(\"v\", String(OFFER_VERSION))\n params.set(\"rv\", offer.rendezvousUrl)\n params.set(\"id\", offer.fingerprint)\n params.set(\"pk\", b64ToB64url(offer.daemonX25519Pub))\n params.set(\"sk\", b64ToB64url(offer.daemonEd25519Pub))\n params.set(\"t\", offer.token)\n params.set(\"exp\", String(offer.exp))\n return `${OFFER_URL_SCHEME}//${OFFER_URL_HOST}?${params.toString()}`\n}\n\n// ─── parse ───────────────────────────────────────────────────────\n\nexport interface ParseOfferOptions {\n /**\n * When set, the parser rejects an offer whose `exp` is at or before this\n * instant (unix **milliseconds**) with `PairingError(\"offer_expired\")`. Omit\n * to parse structure only and let the caller decide when to check expiry\n * (the daemon's offer store is the authoritative single-use + expiry gate).\n */\n now?: number\n}\n\n/**\n * Parse + strictly validate an offer URL. Throws `PairingError` — never returns\n * a partial object — on any structural problem:\n *\n * - `malformed_offer`: wrong scheme/host, unknown version, missing/blank\n * params, non-base64url keys/token, non-integer `exp`, or a `fingerprint`\n * that does not match `fingerprint(pk)` (tamper detection: a rendezvous or\n * link-mangler that swaps the daemon key can't keep `id` consistent).\n * - `offer_expired`: only when `opts.now` is supplied and `exp` has passed.\n */\nexport function parseOfferUrl(url: string, opts: ParseOfferOptions = {}): PairingOffer {\n let parsed: URL\n try {\n parsed = new URL(url)\n } catch {\n throw new PairingError(\"malformed_offer\", \"offer is not a valid URL\")\n }\n if (parsed.protocol !== OFFER_URL_SCHEME) {\n throw new PairingError(\n \"malformed_offer\",\n `offer scheme must be \"${OFFER_URL_SCHEME}//\" (got \"${parsed.protocol}//\")`,\n )\n }\n // `agentproto://pair?…` parses with host=\"pair\"; tolerate `agentproto:pair?…`\n // (host=\"\" pathname=\"pair\") too, since some QR scanners/relayers normalise the\n // authority away.\n const host = parsed.host || parsed.pathname.replace(/^\\/+/, \"\")\n if (host !== OFFER_URL_HOST) {\n throw new PairingError(\"malformed_offer\", `offer host must be \"${OFFER_URL_HOST}\"`)\n }\n\n const q = parsed.searchParams\n const v = q.get(\"v\")\n if (v !== String(OFFER_VERSION)) {\n throw new PairingError(\"malformed_offer\", `unsupported offer version \"${v ?? \"(absent)\"}\"`)\n }\n\n const rendezvousUrl = req(q, \"rv\")\n // The rendezvous must be a ws/wss URL; reject anything else early so a\n // tampered offer can't point the client at an arbitrary scheme.\n let rvParsed: URL\n try {\n rvParsed = new URL(rendezvousUrl)\n } catch {\n throw new PairingError(\"malformed_offer\", \"offer `rv` is not a valid URL\")\n }\n if (rvParsed.protocol !== \"ws:\" && rvParsed.protocol !== \"wss:\") {\n throw new PairingError(\"malformed_offer\", \"offer `rv` must be a ws:// or wss:// URL\")\n }\n\n const fingerprint = req(q, \"id\")\n if (!/^[0-9a-f]{16}$/.test(fingerprint)) {\n throw new PairingError(\"malformed_offer\", \"offer `id` is not a 16-hex fingerprint\")\n }\n\n const pkUrl = req(q, \"pk\")\n const skUrl = req(q, \"sk\")\n if (!isB64url(pkUrl) || !isB64url(skUrl)) {\n throw new PairingError(\"malformed_offer\", \"offer `pk`/`sk` must be base64url\")\n }\n const daemonX25519Pub = b64urlToB64(pkUrl)\n const daemonEd25519Pub = b64urlToB64(skUrl)\n\n const token = req(q, \"t\")\n if (!isB64url(token)) {\n throw new PairingError(\"malformed_offer\", \"offer `t` (token) must be base64url\")\n }\n\n const expRaw = req(q, \"exp\")\n const exp = Number(expRaw)\n if (!Number.isInteger(exp) || exp <= 0) {\n throw new PairingError(\"malformed_offer\", \"offer `exp` is not a positive unix timestamp\")\n }\n\n // Integrity: `id` must be the fingerprint OF the offered X25519 key. This is\n // what turns the URL into a self-authenticating bootstrap secret — a party\n // that swaps `pk` for their own key can't also produce a matching `id` without\n // it being obviously a different fingerprint the human never saw.\n if (identityFingerprint(daemonX25519Pub) !== fingerprint) {\n throw new PairingError(\n \"malformed_offer\",\n \"offer `id` does not match fingerprint(pk) — tampered or corrupt offer\",\n )\n }\n\n if (opts.now !== undefined && exp * 1000 <= opts.now) {\n throw new PairingError(\"offer_expired\", \"offer has expired\")\n }\n\n return {\n v: OFFER_VERSION,\n rendezvousUrl,\n fingerprint,\n daemonX25519Pub,\n daemonEd25519Pub,\n token,\n exp,\n }\n}\n\nfunction req(q: URLSearchParams, key: string): string {\n const v = q.get(key)\n if (v === null || v === \"\") {\n throw new PairingError(\"malformed_offer\", `offer is missing required param \"${key}\"`)\n }\n return v\n}\n","/**\n * The hosted rendezvous broker — the meeting point `pair offer` defaults to\n * when neither `--rendezvous` nor `pairing.rendezvous` is configured.\n *\n * ## Why it lives here\n *\n * It sits in `@agentproto/secrets/pairing`, beside `offer-url.ts` — the codec\n * that bakes this endpoint into every offer's `rv=` param. The daemon runtime\n * already depends on `@agentproto/secrets`, so it reaches this constant without\n * `@agentproto/runtime` gaining a dependency on `@agentproto/rendezvous`. That\n * matters: the broker package is a deliberately lean, standalone container (its\n * only dep is `ws`), and nothing on the daemon/CLI side should have to pull it\n * in just to learn the default endpoint's URL.\n *\n * ## What the broker sees\n *\n * The hosted broker only ever relays **ciphertext** — it learns the routing\n * token, the peers' IPs, ciphertext sizes, and timing; never plaintext, and it\n * cannot inject or alter frames (the pairing handshake is transcript-bound and\n * every frame is AEAD-sealed). See `docs/cli/concepts/pairing.md` for the full\n * threat model.\n *\n * ## Pointing elsewhere / self-hosting\n *\n * The broker is self-hostable (`agentproto rendezvous serve`). To route through\n * your own instead of the hosted default, set `pairing.rendezvous` in\n * `config.json` (or pass `--rendezvous` for a single offer). To disable the\n * default entirely — so a daemon never reaches the hosted broker unless an\n * endpoint is named explicitly — set `pairing.rendezvous: \"\"` (an explicit\n * opt-out; `pair offer` then requires `--rendezvous`).\n */\nexport const HOSTED_RENDEZVOUS_URL = \"wss://rdv.agentproto.sh/v1\" as const\n","/**\n * Pairing-derived key material (design: DESIGN §3/§4).\n *\n * Two derivations, both HKDF-SHA256 over secret session material so the\n * untrusted rendezvous — which sees the handshake transcript in the clear —\n * can never reproduce them:\n *\n * - **pair root** `K_pair = HKDF(session, \"pair-root\")`: the long-term shared\n * secret persisted by both sides (daemon `pairings.json`, client\n * `credentials.json`). Everything a reconnect needs derives from it.\n * - **epoch routing token** `t' = HKDF(K_pair, \"rv-route\" ‖ epoch)`: the\n * rendezvous routing token for a reconnect, rotated per UTC day so the\n * broker can't link a pairing's sessions across days. Both sides derive the\n * same token for the same epoch without any further communication.\n *\n * ## Why the pair root is derived order-independently\n *\n * A `PairingSession` exposes `sendKey`/`recvKey`, which are **role-swapped**\n * between the two peers (the client's `sendKey` is the daemon's `recvKey`). To\n * get an identical root on both sides without threading a \"which side am I\"\n * flag, we sort the two keys byte-wise before mixing them: the *set* {sendKey,\n * recvKey} is identical on both sides, so the sorted concatenation — and thus\n * the HKDF output — is identical. Both keys are secret ECDH-derived material the\n * rendezvous never sees, so the root (and every epoch token) stays secret.\n *\n * This uses the shipped P1 `PairingSession` verbatim (no change to the key\n * schedule) — it only reads the two direction keys and the transcript hash.\n */\n\nimport { hkdfSync } from \"node:crypto\"\nimport type { PairingSession } from \"./handshake.js\"\n\nconst PAIR_ROOT_INFO = \"agentproto/pair-root\"\nconst RV_ROUTE_INFO_PREFIX = \"agentproto/rv-route\"\n/** Fixed salt for the epoch-token HKDF — the pair root is the (secret) IKM,\n * the epoch rides in `info`, so the salt is a constant domain tag. */\nconst RV_ROUTE_SALT = \"agentproto/rv-route-salt\"\n\n/** Length of a derived epoch routing token, in bytes (→ 22 base64url chars,\n * same width as a 16-byte offer token). */\nconst ROUTE_TOKEN_LEN = 16\n/** Length of the pair root, in bytes. */\nconst PAIR_ROOT_LEN = 32\n\nconst MS_PER_DAY = 86_400_000\n\nfunction toBuf(u8: Uint8Array): Buffer {\n return Buffer.isBuffer(u8) ? u8 : Buffer.from(u8)\n}\n\nfunction b64url(bytes: Buffer): string {\n return bytes.toString(\"base64\").replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\")\n}\n\n/**\n * Derive the long-term pair root from a completed handshake session. Returns\n * standard base64 (persisted in `pairings.json` / `credentials.json`). Both\n * peers, despite role-swapped direction keys, produce the identical root.\n */\nexport function derivePairRoot(session: PairingSession): string {\n const k1 = toBuf(session.sendKey)\n const k2 = toBuf(session.recvKey)\n // Order-independent: sort the two keys so client and daemon mix them the same\n // way regardless of which is \"send\" for them.\n const [lo, hi] = Buffer.compare(k1, k2) <= 0 ? [k1, k2] : [k2, k1]\n const ikm = Buffer.concat([lo, hi])\n const okm = hkdfSync(\"sha256\", ikm, toBuf(session.transcriptHash), PAIR_ROOT_INFO, PAIR_ROOT_LEN)\n return Buffer.from(okm).toString(\"base64\")\n}\n\n/** The current pairing epoch — the UTC day number. Injectable `now` (ms) for\n * tests; defaults to the wall clock. */\nexport function currentEpoch(now: number = Date.now()): number {\n return Math.floor(now / MS_PER_DAY)\n}\n\n/**\n * Derive the rendezvous routing token for a pairing at a given epoch:\n * `t' = HKDF(pairRoot, \"rv-route\" ‖ epoch)`. Returned as base64url so it drops\n * straight into a `?t=` upgrade param. Deterministic — both sides derive the\n * same token for the same `(pairRoot, epoch)`.\n */\nexport function deriveEpochRoutingToken(pairRoot: string, epoch: number): string {\n const ikm = Buffer.from(pairRoot, \"base64\")\n // 8-byte big-endian epoch appended to the info prefix, so a bit-flip in the\n // epoch can never collide two epochs' tokens.\n const epochBytes = Buffer.alloc(8)\n epochBytes.writeBigUInt64BE(BigInt(epoch))\n const info = Buffer.concat([Buffer.from(RV_ROUTE_INFO_PREFIX, \"utf8\"), epochBytes])\n const okm = hkdfSync(\"sha256\", ikm, Buffer.from(RV_ROUTE_SALT, \"utf8\"), info, ROUTE_TOKEN_LEN)\n return b64url(Buffer.from(okm))\n}\n\n/**\n * The set of epoch routing tokens a peer should accept/dial to bridge clock\n * skew around a day boundary: the current epoch and the previous one (design:\n * PLAN \"accept current and previous epoch\"). The daemon parks on both so a\n * client whose clock sits on either side of midnight still finds it; the client\n * likewise tries both when reconnecting.\n */\nexport function epochRoutingTokens(\n pairRoot: string,\n now: number = Date.now(),\n): { epoch: number; token: string }[] {\n const epoch = currentEpoch(now)\n return [\n { epoch, token: deriveEpochRoutingToken(pairRoot, epoch) },\n { epoch: epoch - 1, token: deriveEpochRoutingToken(pairRoot, epoch - 1) },\n ]\n}\n","/**\n * @agentproto/secrets/pairing — the `tunnel-e2e/v1` handshake.\n *\n * The reverse tunnel (`agentproto serve --connect <host>`) is a DIFFERENT trust\n * relationship from the client↔daemon pairing in ./handshake.ts:\n *\n * - There is no offer URL, no QR, no PKI. The daemon and the host already\n * share one pre-provisioned secret — the `apt_` **tunnel token** the daemon\n * presents as its WS bearer. Both ends hold it before the socket opens.\n * - So instead of authenticating with a static-key seal + Ed25519 signature,\n * both ends authenticate by proving knowledge of that shared token, and get\n * forward secrecy from a fresh ephemeral X25519 exchange.\n *\n * ```\n * daemon → host: offer = { ePub_d, mac_d = HMAC(K_auth, \"offer/v1\" ‖ ePub_d) }\n * host → daemon: accept = { ePub_h, mac_h = HMAC(K_auth, \"accept/v1\" ‖ ePub_d ‖ ePub_h) }\n * both: K_auth = HKDF(ikm = utf8(token),\n * salt = sha256(token), info = \"…/auth/v1\") // token-only MAC key\n * K = HKDF(ikm = ECDH(e_d, e_h),\n * salt = sha256(token), info = \"…/v1\") // → K_d2h ‖ K_h2d\n * ```\n *\n * Why this shape:\n * - **Mutual authentication at handshake time.** `mac_d` binds the daemon\n * ephemeral to the token; the host verifies it and refuses (`bad_auth`) if\n * the token differs — no partial session, no plaintext, before the daemon's\n * first byte. `mac_h` binds BOTH ephemerals to the token; the daemon\n * verifies it symmetrically. A man-in-the-middle without the token cannot\n * forge either MAC for its own ephemeral, and cannot reuse a recorded one\n * (it lacks the matching private key to finish the ECDH). So the confirm is\n * a **transcript/confirm step that fails a token mismatch AT handshake time,\n * not mid-stream** — exactly what a wrong `tunnel.token` on one side needs.\n * - **Forward secrecy.** The session keys mix ONLY the ephemeral ECDH output;\n * the long-term token merely salts them. A later token compromise can't\n * decrypt a recorded past session.\n * - **Salt-binds the token.** Because `sha256(token)` salts the session-key\n * HKDF too, even if the MACs were somehow bypassed the derived AEAD keys\n * still disagree under a mismatched token → the channel fails closed.\n *\n * Like ./handshake.ts, this module is deliberately **transport-agnostic**: it\n * produces and consumes plain byte messages (`encode*`/`decode*`). The code that\n * pumps those bytes over a `FrameSink` and wraps the channel lives in\n * `@agentproto/acp/tunnel`, which never depends on this package — it receives\n * only the two derived symmetric keys. Everything crypto stays here.\n */\n\nimport {\n createHash,\n createHmac,\n diffieHellman,\n hkdfSync,\n generateKeyPairSync,\n createPublicKey,\n timingSafeEqual,\n type KeyObject,\n} from \"node:crypto\"\n\n/** Wire version. Bumped if the message shape or key schedule changes; both\n * sides refuse a version they don't recognise. */\nexport const TUNNEL_E2E_VERSION = 1 as const\n\n/** HKDF `info` for the two direction session keys — domain-separates this key\n * schedule from every other HKDF use in the codebase. */\nconst SESSION_INFO = \"agentproto/tunnel-e2e/v1\"\n/** HKDF `info` for the token-only MAC key used to authenticate the handshake. */\nconst AUTH_INFO = \"agentproto/tunnel-e2e/auth/v1\"\n/** Label prefixes bound into each MAC so an offer MAC can never be replayed as\n * an accept MAC (and vice versa). */\nconst OFFER_MAC_LABEL = \"offer/v1\"\nconst ACCEPT_MAC_LABEL = \"accept/v1\"\n\n/** Length of each AES-256 direction key (bytes); two of them → 64. */\nconst KEY_LEN = 32\n/** Length of the token-only MAC key (bytes). */\nconst AUTH_KEY_LEN = 32\n\n/** Stable, machine-readable failure codes. Every rejection maps to one of these\n * so callers (and tests) branch on a code, not a message string. */\nexport type TunnelHandshakeErrorCode =\n | \"malformed_offer\"\n | \"malformed_accept\"\n | \"invalid_key\"\n | \"bad_auth\" // an HMAC did not verify — the two ends hold different tunnel tokens (or a MITM)\n | \"unsupported_version\"\n\n/** Raised for every tunnel-handshake failure. Never carries key material or the\n * token; the `code` is the contract, the message is for humans. */\nexport class TunnelHandshakeError extends Error {\n readonly code: TunnelHandshakeErrorCode\n constructor(code: TunnelHandshakeErrorCode, message: string) {\n super(message)\n this.name = \"TunnelHandshakeError\"\n this.code = code\n }\n}\n\n/** Daemon → host. `ePub` is the daemon ephemeral X25519 public key (base64 SPKI\n * DER); `mac` authenticates it under the shared tunnel token. */\nexport interface TunnelOffer {\n v: typeof TUNNEL_E2E_VERSION\n ePub: string\n mac: string\n}\n\n/** Host → daemon. `ePub` is the host ephemeral X25519 public key (base64 SPKI\n * DER); `mac` authenticates both ephemerals under the shared tunnel token. */\nexport interface TunnelAccept {\n v: typeof TUNNEL_E2E_VERSION\n ePub: string\n mac: string\n}\n\n/**\n * A completed tunnel handshake, on either side. `sendKey`/`recvKey` are already\n * role-adjusted (the daemon's `sendKey` is the host's `recvKey`), so the\n * consumer — `wrapE2E` — never has to know which side it is.\n */\nexport interface TunnelE2ESession {\n /** AES-256-GCM key for frames THIS side sends. 32 bytes. */\n sendKey: Uint8Array\n /** AES-256-GCM key for frames THIS side receives. 32 bytes. */\n recvKey: Uint8Array\n /** `sha256(SESSION_INFO ‖ ePub_d ‖ ePub_h)` — the exact transcript both sides\n * bound to. Exposed for parity with `PairingSession`; not required to use. */\n transcriptHash: Uint8Array\n}\n\n// ─── key + mac helpers ──────────────────────────────────────────\n\n/** Salt shared by both HKDF steps: the SHA-256 of the pre-shared tunnel token.\n * Binding it here is what authenticates the two ends — a peer without the\n * token derives a different salt, so both the MAC key and the session keys\n * disagree and the channel fails closed. */\nfunction tokenSalt(token: string): Buffer {\n return createHash(\"sha256\").update(Buffer.from(token, \"utf8\")).digest()\n}\n\n/** The token-only MAC key. Derived solely from the token (no ephemeral), so\n * each side can compute it independently before/without the peer's ephemeral. */\nfunction deriveAuthKey(token: string): Buffer {\n return Buffer.from(\n hkdfSync(\"sha256\", Buffer.from(token, \"utf8\"), tokenSalt(token), AUTH_INFO, AUTH_KEY_LEN),\n )\n}\n\n/** HMAC-SHA256 over `label ‖ <raw parts>` under the token-only auth key. The\n * parts are the raw DER bytes of the ephemeral public keys, so both sides MAC\n * identical bytes regardless of any base64 re-encoding. */\nfunction computeMac(authKey: Buffer, label: string, ...parts: Buffer[]): Buffer {\n const h = createHmac(\"sha256\", authKey)\n h.update(Buffer.from(label, \"utf8\"))\n for (const p of parts) h.update(p)\n return h.digest()\n}\n\n/** Constant-time compare of a received MAC (base64) against the expected MAC.\n * Length-guards first so `timingSafeEqual` never throws on a truncated MAC. */\nfunction macMatches(expected: Buffer, receivedB64: string): boolean {\n let received: Buffer\n try {\n received = Buffer.from(receivedB64, \"base64\")\n } catch {\n return false\n }\n if (received.length !== expected.length) return false\n return timingSafeEqual(received, expected)\n}\n\nfunction x25519PublicKey(b64Der: string): KeyObject {\n try {\n return createPublicKey({ key: Buffer.from(b64Der, \"base64\"), format: \"der\", type: \"spki\" })\n } catch {\n throw new TunnelHandshakeError(\"invalid_key\", \"peer ephemeral X25519 public key is invalid\")\n }\n}\n\n/** The transcript hash: `sha256(SESSION_INFO ‖ ePub_d_raw ‖ ePub_h_raw)`. */\nfunction transcriptHash(ePubDRaw: Buffer, ePubHRaw: Buffer): Buffer {\n return createHash(\"sha256\")\n .update(Buffer.from(SESSION_INFO, \"utf8\"))\n .update(ePubDRaw)\n .update(ePubHRaw)\n .digest()\n}\n\n/** Derive the two direction keys from the ephemeral ECDH output, salted by the\n * token. The key split (d2h then h2d) is identical on both sides. */\nfunction deriveDirectionKeys(\n ecdh: Buffer,\n salt: Buffer,\n): { kd2h: Buffer; kh2d: Buffer } {\n const okm = Buffer.from(hkdfSync(\"sha256\", ecdh, salt, SESSION_INFO, KEY_LEN * 2))\n return { kd2h: okm.subarray(0, KEY_LEN), kh2d: okm.subarray(KEY_LEN, KEY_LEN * 2) }\n}\n\n/** Generate an ephemeral X25519 keypair and return the private KeyObject plus\n * its public half as base64 SPKI DER (the wire form) and raw DER bytes (the\n * MAC/transcript form). */\nfunction generateEphemeral(): { priv: KeyObject; pubB64: string; pubRaw: Buffer } {\n const kp = generateKeyPairSync(\"x25519\")\n const pubRaw = kp.publicKey.export({ type: \"spki\", format: \"der\" })\n return { priv: kp.privateKey, pubB64: pubRaw.toString(\"base64\"), pubRaw }\n}\n\n// ─── daemon (initiator) side ────────────────────────────────────\n\n/** A started daemon handshake: send `offer`, then feed the host's `accept` to\n * `complete` to derive the session. */\nexport interface StartedTunnelHandshake {\n offer: TunnelOffer\n /**\n * Verify the host accept and derive the session. Throws `TunnelHandshakeError`\n * on a bad MAC (`bad_auth` — the host holds a different token), a malformed\n * accept, or an invalid key — never returns partial state.\n */\n complete(accept: TunnelAccept): TunnelE2ESession\n}\n\n/**\n * Begin the daemon (initiator) side. Generates the daemon ephemeral keypair,\n * MACs it under the token, and returns the `offer` to send plus a `complete` to\n * run once the host replies with its `accept`.\n */\nexport function startTunnelHandshake(token: string): StartedTunnelHandshake {\n const authKey = deriveAuthKey(token)\n const salt = tokenSalt(token)\n const eph = generateEphemeral()\n\n const offer: TunnelOffer = {\n v: TUNNEL_E2E_VERSION,\n ePub: eph.pubB64,\n mac: computeMac(authKey, OFFER_MAC_LABEL, eph.pubRaw).toString(\"base64\"),\n }\n\n const complete = (accept: TunnelAccept): TunnelE2ESession => {\n if (accept.v !== TUNNEL_E2E_VERSION) {\n throw new TunnelHandshakeError(\n \"unsupported_version\",\n `unsupported accept version ${String(accept.v)}`,\n )\n }\n const hostPub = x25519PublicKey(accept.ePub)\n const hostPubRaw = Buffer.from(accept.ePub, \"base64\")\n\n const expected = computeMac(authKey, ACCEPT_MAC_LABEL, eph.pubRaw, hostPubRaw)\n if (!macMatches(expected, accept.mac)) {\n throw new TunnelHandshakeError(\n \"bad_auth\",\n \"host accept did not authenticate under the shared tunnel token\",\n )\n }\n\n const ecdh = diffieHellman({ privateKey: eph.priv, publicKey: hostPub })\n const { kd2h, kh2d } = deriveDirectionKeys(ecdh, salt)\n return {\n // Daemon SENDS daemon→host (kd2h) and RECEIVES host→daemon (kh2d).\n sendKey: kd2h,\n recvKey: kh2d,\n transcriptHash: transcriptHash(eph.pubRaw, hostPubRaw),\n }\n }\n\n return { offer, complete }\n}\n\n// ─── host (responder) side ──────────────────────────────────────\n\n/** A completed host handshake: send `accept`, keep `session`. */\nexport interface TunnelHandshakeResult {\n accept: TunnelAccept\n session: TunnelE2ESession\n}\n\n/**\n * Respond to a daemon offer (host side). Verifies the offer MAC under the shared\n * token, generates the host ephemeral, MACs both ephemerals, and derives the\n * session. Throws `TunnelHandshakeError` on a bad MAC (`bad_auth`), malformed\n * offer, or invalid key BEFORE producing any accept — so a mismatched token\n * yields no session and no reply, failing closed at handshake time.\n */\nexport function respondToTunnelHandshake(\n offer: TunnelOffer,\n token: string,\n): TunnelHandshakeResult {\n if (offer.v !== TUNNEL_E2E_VERSION) {\n throw new TunnelHandshakeError(\n \"unsupported_version\",\n `unsupported offer version ${String(offer.v)}`,\n )\n }\n const authKey = deriveAuthKey(token)\n const salt = tokenSalt(token)\n\n const daemonPub = x25519PublicKey(offer.ePub)\n const daemonPubRaw = Buffer.from(offer.ePub, \"base64\")\n\n const expected = computeMac(authKey, OFFER_MAC_LABEL, daemonPubRaw)\n if (!macMatches(expected, offer.mac)) {\n throw new TunnelHandshakeError(\n \"bad_auth\",\n \"daemon offer did not authenticate under the shared tunnel token\",\n )\n }\n\n const eph = generateEphemeral()\n const accept: TunnelAccept = {\n v: TUNNEL_E2E_VERSION,\n ePub: eph.pubB64,\n mac: computeMac(authKey, ACCEPT_MAC_LABEL, daemonPubRaw, eph.pubRaw).toString(\"base64\"),\n }\n\n const ecdh = diffieHellman({ privateKey: eph.priv, publicKey: daemonPub })\n const { kd2h, kh2d } = deriveDirectionKeys(ecdh, salt)\n return {\n accept,\n session: {\n // Host SENDS host→daemon (kh2d) and RECEIVES daemon→host (kd2h).\n sendKey: kh2d,\n recvKey: kd2h,\n transcriptHash: transcriptHash(daemonPubRaw, eph.pubRaw),\n },\n }\n}\n\n// ─── message (de)serialization ──────────────────────────────────\n\nfunction isRecord(v: unknown): v is Record<string, unknown> {\n return typeof v === \"object\" && v !== null\n}\n\n/** Serialize a handshake message to bytes for transport. */\nexport function encodeTunnelMessage(message: TunnelOffer | TunnelAccept): Uint8Array {\n return Buffer.from(JSON.stringify(message), \"utf8\")\n}\n\nfunction parseJson(bytes: Uint8Array, code: TunnelHandshakeErrorCode): unknown {\n try {\n return JSON.parse(Buffer.from(bytes).toString(\"utf8\"))\n } catch {\n throw new TunnelHandshakeError(code, \"message was not valid JSON (truncated or corrupt)\")\n }\n}\n\n/** Parse + validate a daemon offer from raw bytes. Truncated or malformed input\n * throws `TunnelHandshakeError(\"malformed_offer\")` — never a partial object. */\nexport function decodeTunnelOffer(bytes: Uint8Array): TunnelOffer {\n const parsed = parseJson(bytes, \"malformed_offer\")\n if (\n !isRecord(parsed) ||\n parsed[\"v\"] !== TUNNEL_E2E_VERSION ||\n typeof parsed[\"ePub\"] !== \"string\" ||\n typeof parsed[\"mac\"] !== \"string\"\n ) {\n throw new TunnelHandshakeError(\"malformed_offer\", \"offer message is malformed\")\n }\n return { v: TUNNEL_E2E_VERSION, ePub: parsed[\"ePub\"], mac: parsed[\"mac\"] }\n}\n\n/** Parse + validate a host accept from raw bytes. Truncated or malformed input\n * throws `TunnelHandshakeError(\"malformed_accept\")`. */\nexport function decodeTunnelAccept(bytes: Uint8Array): TunnelAccept {\n const parsed = parseJson(bytes, \"malformed_accept\")\n if (\n !isRecord(parsed) ||\n parsed[\"v\"] !== TUNNEL_E2E_VERSION ||\n typeof parsed[\"ePub\"] !== \"string\" ||\n typeof parsed[\"mac\"] !== \"string\"\n ) {\n throw new TunnelHandshakeError(\"malformed_accept\", \"accept message is malformed\")\n }\n return { v: TUNNEL_E2E_VERSION, ePub: parsed[\"ePub\"], mac: parsed[\"mac\"] }\n}\n"]}
@@ -1,4 +1,4 @@
1
- import { S as SecretExposure } from './types-C2dZDHn7.js';
1
+ import { S as SecretExposure } from './types-DS9Qe9Cv.js';
2
2
 
3
3
  /**
4
4
  * AIP-19 SecretsDefinition + SecretsHandle.