@apifuse/provider-sdk 2.1.0-beta.0 → 2.1.0-beta.10

package/dist/runtime/key-derivation.js

@@ -0,0 +1,73 @@
+import { createHash, hkdfSync } from "node:crypto";
+const SALT_PREFIX = "apifuse:v1:";
+const OUTPUT_LENGTH = 32;
+const cache = new Map();
+function cacheKey(keyVersion, providerId, purpose) {
+    return `${keyVersion}\u0000${providerId}\u0000${purpose}`;
+}
+function computeSalt(purpose) {
+    return createHash("sha256")
+        .update(SALT_PREFIX + purpose)
+        .digest();
+}
+function computeInfo(providerId) {
+    return Buffer.from(`provider=${providerId}`, "utf8");
+}
+/** @internal Trusted loaders only; not re-exported to provider-importable paths. */
+export function decodeMasterKey(encoded) {
+    if (typeof encoded !== "string" || encoded.length === 0) {
+        throw new ConfigurationError("master key is empty; set APIFUSE__KEYRING__MASTER_KEY_V{n} in the external secret manager");
+    }
+    const normalized = encoded.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = normalized.length % 4 === 0
+        ? normalized
+        : normalized + "=".repeat(4 - (normalized.length % 4));
+    // Pre-decode character set guard — Buffer.from silently accepts invalid base64.
+    if (!/^[A-Za-z0-9+/]*={0,2}$/.test(padded)) {
+        throw new ConfigurationError("master key is not valid base64");
+    }
+    const raw = Buffer.from(padded, "base64");
+    // Invalid base64 truncates silently; compare against the expected decode length.
+    const expectedMinLength = Math.floor((padded.length * 3) / 4) - 2;
+    if (raw.length < expectedMinLength) {
+        throw new ConfigurationError("master key is not valid base64");
+    }
+    if (raw.length < 32) {
+        throw new ConfigurationError(`master key must be ≥ 32 bytes after base64 decode (got ${raw.length})`);
+    }
+    return raw;
+}
+export class ConfigurationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "ConfigurationError";
+    }
+}
+/** @internal Trusted loaders only; not re-exported to provider-importable paths. */
+export function deriveSubkey(masterSecret, providerId, purpose, keyVersion) {
+    if (masterSecret.length < 32) {
+        throw new ConfigurationError(`master key must be ≥ 32 bytes (got ${masterSecret.length})`);
+    }
+    if (providerId.length === 0) {
+        throw new ConfigurationError("providerId is empty");
+    }
+    const key = cacheKey(keyVersion, providerId, purpose);
+    const cached = cache.get(key);
+    if (cached) {
+        return cached;
+    }
+    const salt = computeSalt(purpose);
+    const info = computeInfo(providerId);
+    const subkey = Buffer.from(hkdfSync("sha256", masterSecret, salt, info, OUTPUT_LENGTH));
+    cache.set(key, subkey);
+    return subkey;
+}
+/**
+ * Invalidate the subkey cache. Used by the master-key rotation worker after a
+ * writer version change, and by tests to assert determinism.
+ *
+ * @internal
+ */
+export function invalidateSubkeyCache() {
+    cache.clear();
+}

package/dist/runtime/keyring.d.ts

@@ -0,0 +1,25 @@
+export interface KeyRingOptions {
+    env: NodeJS.ProcessEnv;
+    envPrefix?: string;
+    acceptListVar?: string;
+    writerVersionVar?: string;
+}
+export interface KeyRingEntry {
+    version: number;
+    key: Buffer;
+}
+export interface KeyRing {
+    accept(version: number): KeyRingEntry;
+    activeWriter(): KeyRingEntry;
+    versions(): number[];
+    purgeVersion(version: number, isActiveInStore: (v: number) => Promise<boolean>): Promise<void>;
+}
+/**
+ * @internal Trusted loaders only; not re-exported to provider-importable paths.
+ *
+ * Loads master keys from the external-secret-manager-injected env (one entry per
+ * accepted version). Caller must keep the resulting {@link KeyRing} alive for the
+ * process lifetime; rotation requires a restart (or an explicit reload utility
+ * added later).
+ */
+export declare function loadKeyRing(options: KeyRingOptions): KeyRing;

package/dist/runtime/keyring.js

@@ -0,0 +1,93 @@
+import { ConfigurationError, decodeMasterKey } from "./key-derivation";
+const DEFAULT_KEY_PREFIX = "APIFUSE__KEYRING__MASTER_KEY_V";
+const DEFAULT_ACCEPT_LIST_VAR = "APIFUSE__KEYRING__MASTER_KEY_ACCEPT_LIST";
+const DEFAULT_WRITER_VERSION_VAR = "APIFUSE__KEYRING__MASTER_KEY_WRITER_VERSION";
+function parseAcceptList(raw) {
+    if (!raw || raw.trim().length === 0) {
+        throw new ConfigurationError(`accept-list env var is empty; expected comma-separated master key versions`);
+    }
+    const parts = raw
+        .split(",")
+        .map((s) => s.trim())
+        .filter((s) => s.length > 0);
+    const versions = [];
+    for (const part of parts) {
+        const v = Number.parseInt(part, 10);
+        if (!Number.isInteger(v) || v <= 0 || String(v) !== part) {
+            throw new ConfigurationError(`accept-list contains invalid version "${part}"; expected positive integers`);
+        }
+        versions.push(v);
+    }
+    if (versions.length === 0) {
+        throw new ConfigurationError("accept-list is empty after parsing");
+    }
+    return versions;
+}
+function parseWriterVersion(raw, acceptList) {
+    if (!raw || raw.trim().length === 0) {
+        throw new ConfigurationError("writer-version env var is empty");
+    }
+    const trimmed = raw.trim();
+    const v = Number.parseInt(trimmed, 10);
+    if (!Number.isInteger(v) || v <= 0 || String(v) !== trimmed) {
+        throw new ConfigurationError(`writer-version "${trimmed}" is not a positive integer`);
+    }
+    if (!acceptList.includes(v)) {
+        throw new ConfigurationError(`writer-version ${v} is not in the accept-list [${acceptList.join(", ")}]`);
+    }
+    return v;
+}
+/**
+ * @internal Trusted loaders only; not re-exported to provider-importable paths.
+ *
+ * Loads master keys from the external-secret-manager-injected env (one entry per
+ * accepted version). Caller must keep the resulting {@link KeyRing} alive for the
+ * process lifetime; rotation requires a restart (or an explicit reload utility
+ * added later).
+ */
+export function loadKeyRing(options) {
+    const env = options.env;
+    const prefix = options.envPrefix ?? DEFAULT_KEY_PREFIX;
+    const acceptListVar = options.acceptListVar ?? DEFAULT_ACCEPT_LIST_VAR;
+    const writerVersionVar = options.writerVersionVar ?? DEFAULT_WRITER_VERSION_VAR;
+    const acceptList = parseAcceptList(env[acceptListVar]);
+    const writerVersion = parseWriterVersion(env[writerVersionVar], acceptList);
+    const entries = new Map();
+    for (const version of acceptList) {
+        const raw = env[`${prefix}${version}`];
+        if (raw === undefined) {
+            throw new ConfigurationError(`${prefix}${version} is missing (listed in accept-list)`);
+        }
+        const key = decodeMasterKey(raw);
+        entries.set(version, { version, key });
+    }
+    return {
+        accept(version) {
+            const entry = entries.get(version);
+            if (!entry) {
+                throw new ConfigurationError(`version ${version} is not accepted; accept-list is [${acceptList.join(", ")}]`);
+            }
+            return entry;
+        },
+        activeWriter() {
+            const entry = entries.get(writerVersion);
+            if (!entry) {
+                throw new ConfigurationError(`writer version ${writerVersion} is missing from accept-list entries`);
+            }
+            return entry;
+        },
+        versions() {
+            return [...acceptList];
+        },
+        async purgeVersion(version, isActiveInStore) {
+            if (!entries.has(version)) {
+                return;
+            }
+            const active = await isActiveInStore(version);
+            if (active) {
+                throw new ConfigurationError(`cannot purge master-key version ${version}: active connection rows still reference it`);
+            }
+            entries.delete(version);
+        },
+    };
+}

package/dist/runtime/namespace.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @internal Trusted loaders only; not re-exported to provider-importable paths.
+ *
+ * Returns `provider:{HMAC16(contextNamespaceSubkey, providerId)}:{sessionId}`
+ * per the `context-namespace` HKDF purpose. Knowing `providerId` alone is
+ * insufficient to reconstruct the namespace — the HMAC requires the derived
+ * subkey, which is never exposed outside trusted code.
+ */
+export declare function deriveContextNamespace(masterSecret: Buffer, providerId: string, sessionId: string, keyVersion: number): string;

package/dist/runtime/namespace.js

@@ -0,0 +1,19 @@
+import { createHmac } from "node:crypto";
+import { deriveSubkey } from "./key-derivation";
+const HMAC_HEX_LENGTH = 16;
+/**
+ * @internal Trusted loaders only; not re-exported to provider-importable paths.
+ *
+ * Returns `provider:{HMAC16(contextNamespaceSubkey, providerId)}:{sessionId}`
+ * per the `context-namespace` HKDF purpose. Knowing `providerId` alone is
+ * insufficient to reconstruct the namespace — the HMAC requires the derived
+ * subkey, which is never exposed outside trusted code.
+ */
+export function deriveContextNamespace(masterSecret, providerId, sessionId, keyVersion) {
+    if (sessionId.length === 0) {
+        throw new Error("sessionId is empty");
+    }
+    const subkey = deriveSubkey(masterSecret, providerId, "context-namespace", keyVersion);
+    const hmac = createHmac("sha256", subkey).update(providerId).digest("hex");
+    return `provider:${hmac.slice(0, HMAC_HEX_LENGTH)}:${sessionId}`;
+}

package/dist/runtime/otlp.d.ts

@@ -0,0 +1,39 @@
+import type { TraceSpan } from "../types";
+export interface OTLPExportOptions {
+    endpoint: string;
+    headers?: Record<string, string>;
+    timeout?: number;
+}
+export declare function spansToOTLP(spans: TraceSpan[], resourceAttributes?: Record<string, string>): {
+    resourceSpans: Array<{
+        resource: {
+            attributes: Array<{
+                key: string;
+                value: Record<string, string>;
+            }>;
+        };
+        scopeSpans: Array<{
+            scope: {
+                name: string;
+                version: string;
+            };
+            spans: Array<{
+                attributes: Array<{
+                    key: string;
+                    value: Record<string, string | number | boolean>;
+                }>;
+                endTimeUnixNano: string;
+                kind: number;
+                name: string;
+                parentSpanId?: string;
+                spanId: string;
+                startTimeUnixNano: string;
+                status: {
+                    code: number;
+                };
+                traceId: string;
+            }>;
+        }>;
+    }>;
+};
+export declare function exportSpansOTLP(spans: TraceSpan[], options: OTLPExportOptions, resourceAttributes?: Record<string, string>): Promise<void>;

package/dist/runtime/otlp.js

@@ -0,0 +1,103 @@
+let nextTraceId = 1n;
+let replayableTraceId = null;
+function createBatchSignature(spans, resourceAttributes) {
+    return JSON.stringify({
+        resourceAttributes: resourceAttributes ?? null,
+        spans,
+    });
+}
+function createTraceId(signature) {
+    if (replayableTraceId?.signature === signature) {
+        const traceId = replayableTraceId.traceId;
+        replayableTraceId = null;
+        return traceId;
+    }
+    const traceId = nextTraceId.toString(16).padStart(32, "0");
+    nextTraceId += 1n;
+    replayableTraceId = { signature, traceId };
+    return traceId;
+}
+function normalizeHexId(value, length) {
+    if (!value) {
+        return undefined;
+    }
+    const normalized = value.replace(/[^a-fA-F0-9]/g, "").toLowerCase();
+    return normalized.padStart(length, "0").slice(-length);
+}
+function toAttributeValue(value) {
+    if (typeof value === "string") {
+        return { stringValue: value };
+    }
+    if (typeof value === "number") {
+        return { doubleValue: value };
+    }
+    if (typeof value === "boolean") {
+        return { boolValue: value };
+    }
+    return { stringValue: String(value) };
+}
+export function spansToOTLP(spans, resourceAttributes) {
+    const traceId = createTraceId(createBatchSignature(spans, resourceAttributes));
+    return {
+        resourceSpans: [
+            {
+                resource: {
+                    attributes: Object.entries(resourceAttributes ?? {}).map(([key, value]) => ({
+                        key,
+                        value: { stringValue: value },
+                    })),
+                },
+                scopeSpans: [
+                    {
+                        scope: {
+                            name: "apifuse-provider-sdk",
+                            version: "0.1.0",
+                        },
+                        spans: spans.map((span) => ({
+                            traceId,
+                            spanId: normalizeHexId(span.id, 16) ?? "0000000000000001",
+                            parentSpanId: normalizeHexId(span.parentId, 16),
+                            name: span.name,
+                            kind: 2,
+                            startTimeUnixNano: String(span.startedAt * 1_000_000),
+                            endTimeUnixNano: String(span.endedAt * 1_000_000),
+                            status: { code: span.status === "ok" ? 1 : 2 },
+                            attributes: Object.entries(span.attributes ?? {}).map(([key, value]) => ({
+                                key,
+                                value: toAttributeValue(value),
+                            })),
+                        })),
+                    },
+                ],
+            },
+        ],
+    };
+}
+export async function exportSpansOTLP(spans, options, resourceAttributes) {
+    if (spans.length === 0) {
+        return;
+    }
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), options.timeout ?? 5_000);
+    try {
+        const response = await fetch(options.endpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                ...options.headers,
+            },
+            body: JSON.stringify(spansToOTLP(spans, resourceAttributes)),
+            signal: controller.signal,
+        });
+        if (!response.ok) {
+            throw new Error(`HTTP ${response.status}`);
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.warn("[apifuse] OTLP export failed:", message);
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}

package/dist/runtime/perf.d.ts

@@ -0,0 +1,12 @@
+import type { Span } from "./trace";
+export type PerfStats = {
+    p50: number;
+    p95: number;
+    p99: number;
+    avg: number;
+    min: number;
+    max: number;
+};
+export declare function computePercentile(sortedValues: number[], p: number): number;
+export declare function computeStats(durations: number[]): PerfStats;
+export declare function groupSpansByName(allSpans: Span[][]): Map<string, number[]>;

package/dist/runtime/perf.js

@@ -0,0 +1,52 @@
+export function computePercentile(sortedValues, p) {
+    if (sortedValues.length === 0) {
+        return 0;
+    }
+    if (sortedValues.length === 1) {
+        return sortedValues[0] ?? 0;
+    }
+    const percentile = Math.min(100, Math.max(0, p));
+    const position = (percentile / 100) * (sortedValues.length - 1);
+    const lowerIndex = Math.floor(position);
+    const upperIndex = Math.ceil(position);
+    const lower = sortedValues[lowerIndex] ?? 0;
+    const upper = sortedValues[upperIndex] ?? lower;
+    if (lowerIndex === upperIndex) {
+        return lower;
+    }
+    const weight = position - lowerIndex;
+    return lower + (upper - lower) * weight;
+}
+export function computeStats(durations) {
+    if (durations.length === 0) {
+        return {
+            p50: 0,
+            p95: 0,
+            p99: 0,
+            avg: 0,
+            min: 0,
+            max: 0,
+        };
+    }
+    const sorted = [...durations].sort((a, b) => a - b);
+    const total = sorted.reduce((sum, value) => sum + value, 0);
+    return {
+        p50: computePercentile(sorted, 50),
+        p95: computePercentile(sorted, 95),
+        p99: computePercentile(sorted, 99),
+        avg: total / sorted.length,
+        min: sorted[0] ?? 0,
+        max: sorted[sorted.length - 1] ?? 0,
+    };
+}
+export function groupSpansByName(allSpans) {
+    const grouped = new Map();
+    for (const spans of allSpans) {
+        for (const span of spans) {
+            const durations = grouped.get(span.name) ?? [];
+            durations.push(span.duration_ms);
+            grouped.set(span.name, durations);
+        }
+    }
+    return grouped;
+}

package/dist/runtime/prevalidate.d.ts

@@ -0,0 +1,12 @@
+export interface PrevalidateResult {
+    valid: boolean;
+    errors?: Array<{
+        path: string;
+        message: string;
+    }>;
+}
+type JsonSchema = Record<string, unknown>;
+export declare function prevalidate(schema: JsonSchema, data: unknown, options?: {
+    timeoutMs?: number;
+}): PrevalidateResult;
+export {};

package/dist/runtime/prevalidate.js

@@ -0,0 +1,173 @@
+import Ajv from "ajv";
+import { RE2 } from "re2-wasm";
+const DEFAULT_TIMEOUT_MS = 500;
+function now() {
+    return Date.now();
+}
+function cloneWithoutPatterns(value) {
+    if (Array.isArray(value)) {
+        return value.map((entry) => cloneWithoutPatterns(entry));
+    }
+    if (!value || typeof value !== "object") {
+        return value;
+    }
+    const cloned = {};
+    for (const [key, entry] of Object.entries(value)) {
+        if (key === "pattern") {
+            continue;
+        }
+        cloned[key] = cloneWithoutPatterns(entry);
+    }
+    return cloned;
+}
+function buildAjv() {
+    return new Ajv({ allErrors: true, strict: true, strictSchema: true });
+}
+function createTimeoutGuard(timeoutMs) {
+    const startedAt = now();
+    return () => {
+        if (now() - startedAt > timeoutMs) {
+            throw new Error("prevalidation_timeout");
+        }
+    };
+}
+function formatInstancePath(path) {
+    return path.length > 0 ? path : "$";
+}
+function appendPath(basePath, segment) {
+    if (segment.startsWith("[")) {
+        return `${basePath}${segment}`;
+    }
+    return basePath === "$" ? `${basePath}.${segment}` : `${basePath}.${segment}`;
+}
+function isRecord(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function collectPatternErrors(schema, data, path, guard, errors) {
+    guard();
+    if (!isRecord(schema)) {
+        return;
+    }
+    if (typeof schema.pattern === "string" && typeof data === "string") {
+        try {
+            const regex = new RE2(schema.pattern, "u");
+            if (!regex.test(data)) {
+                errors.push({
+                    path,
+                    message: `must match pattern ${schema.pattern}`,
+                });
+            }
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Invalid RE2 pattern";
+            errors.push({ path, message });
+        }
+    }
+    if (schema.$ref !== undefined) {
+        return;
+    }
+    if (Array.isArray(schema.allOf)) {
+        for (const entry of schema.allOf) {
+            collectPatternErrors(entry, data, path, guard, errors);
+        }
+    }
+    if (Array.isArray(schema.anyOf)) {
+        for (const entry of schema.anyOf) {
+            collectPatternErrors(entry, data, path, guard, errors);
+        }
+    }
+    if (Array.isArray(schema.oneOf)) {
+        for (const entry of schema.oneOf) {
+            collectPatternErrors(entry, data, path, guard, errors);
+        }
+    }
+    if (isRecord(schema.not)) {
+        collectPatternErrors(schema.not, data, path, guard, errors);
+    }
+    if (isRecord(schema.if)) {
+        collectPatternErrors(schema.if, data, path, guard, errors);
+    }
+    if (isRecord(schema.then)) {
+        collectPatternErrors(schema.then, data, path, guard, errors);
+    }
+    if (isRecord(schema.else)) {
+        collectPatternErrors(schema.else, data, path, guard, errors);
+    }
+    if (Array.isArray(data) && schema.items !== undefined) {
+        for (const [index, item] of data.entries()) {
+            collectPatternErrors(schema.items, item, appendPath(path, `[${index}]`), guard, errors);
+        }
+    }
+    if (!isRecord(data)) {
+        return;
+    }
+    if (isRecord(schema.properties)) {
+        for (const [key, childSchema] of Object.entries(schema.properties)) {
+            if (key in data) {
+                collectPatternErrors(childSchema, data[key], appendPath(path, key), guard, errors);
+            }
+        }
+    }
+    if (isRecord(schema.patternProperties)) {
+        for (const [pattern, childSchema] of Object.entries(schema.patternProperties)) {
+            const keyPattern = new RE2(pattern, "u");
+            for (const [key, value] of Object.entries(data)) {
+                guard();
+                if (keyPattern.test(key)) {
+                    collectPatternErrors(childSchema, value, appendPath(path, key), guard, errors);
+                }
+            }
+        }
+    }
+    if (schema.additionalProperties && isRecord(schema.additionalProperties)) {
+        const declaredKeys = isRecord(schema.properties)
+            ? new Set(Object.keys(schema.properties))
+            : new Set();
+        for (const [key, value] of Object.entries(data)) {
+            if (!declaredKeys.has(key)) {
+                collectPatternErrors(schema.additionalProperties, value, appendPath(path, key), guard, errors);
+            }
+        }
+    }
+}
+export function prevalidate(schema, data, options = {}) {
+    const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const guard = createTimeoutGuard(timeoutMs);
+    try {
+        guard();
+        const ajv = buildAjv();
+        const strippedSchema = cloneWithoutPatterns(schema);
+        if (!strippedSchema || typeof strippedSchema !== "object") {
+            return {
+                valid: false,
+                errors: [{ path: "$", message: "Invalid schema" }],
+            };
+        }
+        const validate = ajv.compile(strippedSchema);
+        const schemaValid = validate(data);
+        const errors = validate.errors?.map((error) => ({
+            path: formatInstancePath(error.instancePath),
+            message: error.message ?? "Invalid value",
+        })) ?? [];
+        collectPatternErrors(schema, data, "$", guard, errors);
+        if (!schemaValid || errors.length > 0) {
+            return { valid: false, errors };
+        }
+        return { valid: true };
+    }
+    catch (error) {
+        if (error instanceof Error && error.message === "prevalidation_timeout") {
+            return {
+                valid: false,
+                errors: [
+                    {
+                        path: "$",
+                        message: `Prevalidation timed out after ${timeoutMs}ms`,
+                    },
+                ],
+            };
+        }
+        const message = error instanceof Error ? error.message : "Prevalidation failed";
+        return { valid: false, errors: [{ path: "$", message }] };
+    }
+}

package/dist/runtime/provider.d.ts

@@ -0,0 +1,2 @@
+import type { ProviderDefinition } from "../types";
+export declare function getProviderBaseUrl(provider: ProviderDefinition): string | undefined;

package/dist/runtime/provider.js

@@ -0,0 +1,11 @@
+export function getProviderBaseUrl(provider) {
+    const operations = Object.values(provider.operations);
+    for (const operation of operations) {
+        const baseUrl = operation.upstream
+            ?.baseUrl;
+        if (typeof baseUrl === "string" && baseUrl.length > 0) {
+            return baseUrl;
+        }
+    }
+    return undefined;
+}

package/dist/runtime/proxy-errors.d.ts

@@ -0,0 +1,21 @@
+import { TransportError } from "../errors";
+export declare const PROXY_AUTH_IP_DENIED_CODE = "PROXY_AUTH_IP_DENIED";
+export declare const PROXY_AUTH_IP_DENIED_MESSAGE = "Proxy source IP is not authorized. Add the runtime egress IP to the proxy provider allowlist.";
+export declare const PROXY_EDGE_AUTH_REJECTED_CODE = "PROXY_EDGE_AUTH_REJECTED";
+export declare const PROXY_EDGE_AUTH_REJECTED_MESSAGE = "Proxy provider rejected a candidate endpoint during authentication. The SDK will retry or refresh the proxy pool when safe.";
+export declare const PROXY_POOL_STALE_CODE = "PROXY_POOL_STALE";
+export declare const PROXY_EDGE_TLS_REJECTED_CODE = "PROXY_EDGE_TLS_REJECTED";
+export declare const PROXY_POOL_EXHAUSTED_CODE = "PROXY_POOL_EXHAUSTED";
+export declare const PROXY_POOL_EXHAUSTED_MESSAGE = "Proxy provider pool was exhausted. The SDK refreshed the proxy allocation, but all candidate endpoints failed.";
+export declare function isProxyAuthIpDeniedMessage(message: string): boolean;
+export declare function createProxyAuthIpDeniedError(cause?: Error): TransportError;
+export declare function isProxyEdgeAuthRejectedMessage(message: string): boolean;
+export declare function createProxyEdgeAuthRejectedError(cause?: Error): TransportError;
+export declare function isProxyPoolStaleStatus(status: number): boolean;
+export declare function isProxyEdgeTlsRejectedResponse(status: number, evidence: string): boolean;
+export declare function isProxyPoolStaleMessage(message: string): boolean;
+export declare function isProxyPoolRefreshableError(error: unknown): boolean;
+export declare const isProxyPoolStaleError: typeof isProxyPoolRefreshableError;
+export declare function createProxyPoolStaleError(status: number, cause?: Error): TransportError;
+export declare function createProxyEdgeTlsRejectedError(status: number, cause?: Error): TransportError;
+export declare function createProxyPoolExhaustedError(cause?: Error): TransportError;