@aria-cli/server 1.0.19

package/README.md

@@ -0,0 +1,17 @@
+# @aria-cli/server
+
+
+
+Part of [ARIA](https://www.npmjs.com/package/@aria-cli/cli) — Adaptive Reasoning Intelligence Agent.
+
+## Install
+
+```bash
+npm i @aria-cli/server
+```
+
+See the main [`@aria-cli/cli`](https://www.npmjs.com/package/@aria-cli/cli) package for full documentation.
+
+## License
+
+MIT

package/dist/.aria-build-stamp.json

@@ -0,0 +1,4 @@
+{
+  "label": "@aria-cli/server",
+  "fingerprint": "f4bf2d5acc118f4de66fea6e47e03ab18e3b9ad4203319b5f4720480b930d558"
+}

package/dist/auth/api-key.d.ts

@@ -0,0 +1,106 @@
+/**
+ * API Key Authentication for ARIA Server
+ *
+ * Provides functions for generating, storing, and validating API keys.
+ * Keys are stored in ~/.aria/api-keys.json with hashed values.
+ */
+/**
+ * Represents a stored API key entry
+ */
+export interface ApiKeyEntry {
+    /** Unique identifier for the key */
+    id: string;
+    /** Human-readable name for the key */
+    name: string;
+    /** SHA-256 hash of the key (we never store the actual key) */
+    keyHash: string;
+    /** ISO timestamp of when the key was created */
+    createdAt: string;
+}
+/**
+ * Configuration structure for stored API keys
+ */
+export interface ApiKeyConfig {
+    keys: ApiKeyEntry[];
+}
+/**
+ * Result of generating a new API key
+ */
+export interface GenerateKeyResult {
+    /** The generated key (only returned once, not stored) */
+    key: string;
+    /** Unique identifier for the key */
+    id: string;
+    /** Human-readable name for the key */
+    name: string;
+    /** ISO timestamp of creation */
+    createdAt: string;
+}
+export interface GenerateApiKeyOptions {
+    /** Remove existing keys with the same name before generating a new one */
+    replaceExistingName?: boolean;
+    /** Prefix-scoped retention policy (for example: "peer:") */
+    prunePrefix?: string;
+    /** Maximum retained keys for the prunePrefix scope */
+    maxKeysForPrefix?: number;
+}
+/**
+ * Load API keys from ~/.aria/api-keys.json
+ * @returns The API key configuration, or empty config if file doesn't exist
+ */
+export declare function loadApiKeys(): ApiKeyConfig;
+/**
+ * Save API keys to ~/.aria/api-keys.json
+ * @param config - The API key configuration to save
+ */
+export declare function saveApiKeys(config: ApiKeyConfig): void;
+/**
+ * Generate a new API key with the given name
+ * @param name - Human-readable name for the key
+ * @returns The generated key details (key is only returned once)
+ */
+export declare function generateApiKey(name: string, options?: GenerateApiKeyOptions): Promise<GenerateKeyResult>;
+/**
+ * Validate an API key
+ * @param key - The API key to validate
+ * @returns true if the key is valid, false otherwise
+ */
+export declare function validateApiKey(key: string): Promise<boolean>;
+/**
+ * Extract the `api_key` query parameter from a request URL.
+ * Returns undefined when absent.
+ */
+export declare function extractApiKeyFromQuery(url: string | undefined): string | undefined;
+/**
+ * Record a failed auth attempt for an IP address.
+ * Returns `true` if the IP is now rate-limited (at or above threshold).
+ */
+export declare function recordFailedAuth(ip: string): boolean;
+/**
+ * Check whether an IP address is currently rate-limited.
+ */
+export declare function isRateLimited(ip: string): boolean;
+/**
+ * Reset all rate-limit state. Intended for testing only.
+ */
+export declare function resetRateLimits(): void;
+/**
+ * Start periodic eviction of expired rate limit entries.
+ * Safe to call multiple times; only one timer will be active.
+ */
+export declare function startRateLimitEviction(): void;
+/**
+ * Stop the periodic eviction timer. Call on server shutdown.
+ */
+export declare function stopRateLimitEviction(): void;
+/**
+ * List all API keys (without revealing the actual keys)
+ * @returns Array of key entries (id, name, createdAt)
+ */
+export declare function listApiKeys(): Omit<ApiKeyEntry, "keyHash">[];
+/**
+ * Delete an API key by ID
+ * @param id - The key ID to delete
+ * @returns true if the key was deleted, false if not found
+ */
+export declare function deleteApiKey(id: string): boolean;

package/dist/config.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Server-side configuration loader.
+ *
+ * Reads activeArion/preferredTier from ~/.aria/config.json and resolves MCP
+ * server configs from global + optional project aria.config.json (same merge
+ * precedence as CLI: project overrides global by server name).
+ *
+ * Fix for aria-mhq.1: server routes were passing config: {} to
+ * RunSession.create(), breaking tier derivation and ignoring
+ * user preferences.
+ */
+import type { RunSessionConfig } from "@aria-cli/aria";
+import type { MCPServerConfig } from "@aria-cli/aria";
+export declare function resolveServerAriaHome(explicitAriaHome?: string): string;
+/**
+ * Load RunSession config from ~/.aria/config.json.
+ * Caches after first load (server lifetime).
+ */
+export declare function loadServerConfig(): RunSessionConfig;
+/**
+ * Load MCP servers from global config plus optional project aria.config.json.
+ * Merge precedence: project > global by server name.
+ */
+export declare function loadServerMcpServers(projectDir?: string): MCPServerConfig[];
+/**
+ * Reset cached config (for testing).
+ */
+export declare function resetServerConfig(): void;

package/dist/daemon-launcher.d.ts

@@ -0,0 +1,23 @@
+import { type DaemonSafetyPolicy } from "@aria-cli/aria";
+export interface DaemonLauncherCliOptions {
+    arion?: string;
+    port?: string;
+    intervalMs?: string;
+    allowedToolCategories?: string;
+    allowedShellCommands?: string;
+    maxWriteOpsPerMinute?: string;
+    maxGitPushesPerHour?: string;
+}
+interface ParsedDaemonLauncherOptions {
+    arion?: string;
+    port: number;
+    intervalMs: number;
+    allowedToolCategories?: string[];
+    allowedShellCommands?: string[];
+    maxWriteOpsPerMinute?: number;
+    maxGitPushesPerHour?: number;
+}
+export declare function buildDaemonSafetyPolicy(options: ParsedDaemonLauncherOptions): DaemonSafetyPolicy;
+export declare function runServerDaemonLauncherFromCli(options?: DaemonLauncherCliOptions): Promise<void>;
+export declare function runServerDaemonLauncher(options: ParsedDaemonLauncherOptions): Promise<void>;
+export {};

package/dist/daemon-launcher.js

@@ -0,0 +1,3 @@
+import{y as F}from"./index-mnt9k223.js";import{G as I,H as D}from"./index-pe0pkp0v.js";import"./index-rr0sea4c.js";import"./index-9n50yafd.js";import"./index-5tav2m70.js";import"./index-6extw9n6.js";import"./index-raeajnr7.js";import"./index-ghh3ag4c.js";import"./index-9xs3gn0p.js";import*as L from"node:os";import*as X from"node:path";import{pathToFileURL as f}from"node:url";import{acquireLock as g,releaseLock as _}from"@aria-cli/aria";import{log as V}from"@aria-cli/types";import{MemoriaPool as h}from"@aria-cli/aria/server-memory";import{createRuntimeDefaultRouter as d}from"@aria-cli/aria/server-models";import{createRuntimeAuthContext as c}from"@aria-cli/auth";import{appendFileSync as b,statSync as H,renameSync as N,mkdirSync as k,unlinkSync as y}from"node:fs";import{dirname as A}from"node:path";var S=/\x1b\[[0-9;]*m/g;function R(z){if(typeof z==="string")return z.replace(S,"");if(z instanceof Error)return z.stack??z.message;try{return JSON.stringify(z)}catch{return String(z)}}function C(z){return z.map(R).join(" ")}var P=52428800,w=3,x=100;function T(z,G){let J=G?.maxBytes??P,Q=G?.maxFiles??w,W=0;k(A(z),{recursive:!0});function $(){if(++W%x!==0)return;try{if(H(z).size<J)return;try{y(`${z}.${Q}`)}catch{}for(let K=Q-1;K>=1;K--)try{N(`${z}.${K}`,`${z}.${K+1}`)}catch{}N(z,`${z}.1`)}catch{}}return{write(q,K){let M=JSON.stringify({ts:new Date().toISOString(),level:q,msg:C(K)});try{b(z,M+`
+`),$()}catch{}}}}function m(){let z=process.env.ARIA_HARNESS_OWNER_PID;if(!z)return()=>{};let G=Number.parseInt(z,10);if(!Number.isFinite(G)||G<=0)throw Error(`ARIA_HARNESS_OWNER_PID must be a positive integer, got: ${z}`);let J=!1,Q=setInterval(()=>{if(J)return;try{process.kill(G,0)}catch($){let q=$&&typeof $==="object"&&"code"in $?$.code:void 0;if(q&&q!=="ESRCH")return;J=!0,clearInterval(Q),process.kill(process.pid,"SIGTERM")}},1000);Q.unref?.();let W=()=>{if(J)return;J=!0,clearInterval(Q)};return process.once("exit",W),W}function B(z,G,J){if(z===void 0||z.trim()==="")return J;let Q=Number.parseInt(z,10);if(!Number.isFinite(Q)||Q<=0)throw Error(`${G} must be a positive integer`);return Q}function v(z,G){if(z===void 0||z.trim()==="")return G;let J=Number.parseInt(z,10);if(!Number.isFinite(J)||J<0)throw Error("port must be a non-negative integer (0 = OS-assigned)");return J}function E(z){if(!z)return;let G=z.split(",").map((J)=>J.trim()).filter((J)=>J.length>0);return G.length>0?G:void 0}function u(z){return{arion:z.arion,port:v(z.port,0),intervalMs:B(z.intervalMs,"intervalMs",60000),allowedToolCategories:E(z.allowedToolCategories),allowedShellCommands:E(z.allowedShellCommands),maxWriteOpsPerMinute:z.maxWriteOpsPerMinute!==void 0?B(z.maxWriteOpsPerMinute,"maxWriteOpsPerMinute",30):void 0,maxGitPushesPerHour:z.maxGitPushesPerHour!==void 0?B(z.maxGitPushesPerHour,"maxGitPushesPerHour",5):void 0}}function p(){let z=process.env.ARIA_HOME?.trim();if(z)return z;return X.join(process.env.HOME||L.homedir(),".aria")}function l(z){if(z.aborted)return Promise.resolve();return new Promise((G)=>{z.addEventListener("abort",()=>G(),{once:!0})})}function s(){let z=process.env.AWS_REGION??process.env.AWS_DEFAULT_REGION,G=process.env.AWS_PROFILE;if(!z&&!G)return;return{...z?{awsRegion:z}:{},...G?{awsProfile:G}:{}}}async function n(z,G){let J=c({ariaHome:z,bedrock:s()}),[Q,W,$]=await Promise.all([d({ariaHome:z,authResolver:J.authResolver,anthropic:J.legacyApiKeys.anthropic,openai:J.legacyApiKeys.openai,google:J.legacyApiKeys.google,...J.bedrock?{bedrock:J.bedrock}:{}}),Promise.resolve(I()),Promise.resolve(D(G))]),q=new h(z,Q);return{router:Q,authResolver:J.authResolver,memoriaFactory:q.toFactory(),runSessionConfig:W,mcpServers:$,close:async()=>{await q.closeAll()}}}function r(z){let G={};if(z.allowedToolCategories)G.allowedToolCategories=z.allowedToolCategories;if(z.allowedShellCommands)G.allowedShellCommands=z.allowedShellCommands;if(z.maxWriteOpsPerMinute!==void 0)G.maxWriteOpsPerMinute=z.maxWriteOpsPerMinute;if(z.maxGitPushesPerHour!==void 0)G.maxGitPushesPerHour=z.maxGitPushesPerHour;return G}async function i(z={}){await a(u(z))}async function a(z){m();let G=p(),J=T(X.join(G,"logs","daemon.jsonl"));V.addSink(J),V.removeConsoleSink();let Q=X.join(G,"daemon-launcher.lock");try{await g(Q)}catch{V.info("[daemon] another daemon is already running for this ARIA_HOME; exiting");return}let W=new AbortController,$=()=>W.abort(),q=()=>{V.warn("[daemon] received SIGHUP (ignored)")};process.on("SIGINT",$),process.on("SIGHUP",q);let K=()=>_(Q);process.on("beforeExit",K);let M=I(),O=z.arion?.trim()||M.activeArion?.trim()||"ARIA",U=F(),Z=null,Y=null;try{if(Z=await U.attach({ariaHome:G,arionName:O,clientKind:"daemon-launcher",signal:W.signal,port:z.port}),Z.ownership==="started")Y=await n(G,process.cwd()),await U.startRuntimeAutonomousLoop(Z.nodeId,{memoriaFactory:Y.memoriaFactory,router:Y.router,authResolver:Y.authResolver,runSessionConfig:{...Y.runSessionConfig,activeArion:O},mcpServers:Y.mcpServers,daemonSafetyPolicy:r(z),autonomousIntervalMs:z.intervalMs});let j=await Z.control.getRuntimeStatus();V.info(`[daemon] runtime node ${Z.nodeId}`),V.info(`[daemon] runtime ${j.runtimeId} listening on port ${j.port}`),V.info(`[daemon] running arion "${O}" (interval ${z.intervalMs}ms)`);try{await l(W.signal)}finally{if(Z.release(),Z.ownership==="started")await U.shutdownRuntime(Z.nodeId);await Y?.close().catch(()=>{}),V.info("[daemon] stopped")}}catch(j){if(Z){if(Z.release(),Z.ownership==="started")await U.shutdownRuntime(Z.nodeId).catch(()=>{})}throw await Y?.close().catch(()=>{}),j}finally{_(Q),process.removeListener("beforeExit",K),process.removeListener("SIGINT",$),process.removeListener("SIGHUP",q)}}function t(z){let G={};for(let J=0;J<z.length;J+=1){let Q=z[J],W=z[J+1];switch(Q){case"--arion":G.arion=W,J+=1;break;case"--port":G.port=W,J+=1;break;case"--interval-ms":G.intervalMs=W,J+=1;break;case"--allowed-tool-categories":G.allowedToolCategories=W,J+=1;break;case"--allowed-shell-commands":G.allowedShellCommands=W,J+=1;break;case"--max-write-ops-per-minute":G.maxWriteOpsPerMinute=W,J+=1;break;case"--max-git-pushes-per-hour":G.maxGitPushesPerHour=W,J+=1;break;case"--help":case"-h":console.log(["Usage: node packages/server/dist/daemon-launcher.js [options]","","Options:","  --arion <name>","  --port <port>","  --interval-ms <ms>","  --allowed-tool-categories <list>","  --allowed-shell-commands <list>","  --max-write-ops-per-minute <count>","  --max-git-pushes-per-hour <count>"].join(`
+`)),process.exit(0);default:if(Q.startsWith("-"))throw Error(`Unknown daemon launcher option: ${Q}`);throw Error(`Unexpected positional argument: ${Q}`)}}return G}async function o(z){try{await i(t(z))}catch(G){V.error(`[daemon] ${G instanceof Error?G.message:String(G)}`),process.exit(1)}}if(process.argv[1]&&f(X.resolve(process.argv[1])).href===import.meta.url)o(process.argv.slice(2));export{i as runServerDaemonLauncherFromCli,a as runServerDaemonLauncher,r as buildDaemonSafetyPolicy};

package/dist/index-5tav2m70.js

@@ -0,0 +1,3 @@
+import{xa as g,ya as d}from"./index-ghh3ag4c.js";import*as a from"node:fs";import*as s from"node:path";import{NodeMetadataSchema as h}from"@aria-cli/tools/network-runtime";var N=1,v=new Map,M=new Map;function R(e){return new Promise((t)=>setTimeout(t,e))}function I(e){if(!Number.isFinite(e)||e<=0)return!1;try{return process.kill(e,0),!0}catch{return!1}}function c(e){let t=s.resolve(e);try{return a.realpathSync.native(t)}catch{return t}}function l(e){return g(e)}function S(e){return`${l(e)}.lock`}function w(e){return[s.join(e,"network","config.json"),s.join(e,"network","state.db"),s.join(e,"signing-key.json"),s.join(e,"peers.db")].some((r)=>a.existsSync(r))}async function x(e){a.mkdirSync(s.dirname(e),{recursive:!0});let t=Date.now();while(!0)try{let r=await a.promises.open(e,"wx",384);return await r.writeFile(`${process.pid}
+`,"utf8"),await r.close(),async()=>{try{if((await a.promises.readFile(e,"utf8")).trim()===String(process.pid))await a.promises.rm(e,{force:!0})}catch{}}}catch(r){if(r.code!=="EEXIST")throw r;let o=null;try{o=Number.parseInt((await a.promises.readFile(e,"utf8")).trim(),10)}catch{o=null}if(!o||!I(o)){await a.promises.rm(e,{force:!0});continue}if(Date.now()-t>5000)throw Error(`[node-metadata] Timed out waiting for lock ${e}`);await R(25)}}function u(e,t,r){if(r.schemaVersion!==N)throw Error(`[node-metadata] Unsupported schema version ${r.schemaVersion} at ${t}`);return{ariaHome:e,metadataPath:t,...r}}function m(e,t,r){if(!r)return null;return u(e,t,h.parse(r))}async function p(e,t){let r=l(e),n=await x(S(e));try{let o=new d({ariaHome:e});try{return t(o,r)}catch(i){throw Error(`[node-metadata] Failed to resolve node metadata at ${r}: ${i instanceof Error?i.message:String(i)}`)}finally{o.close()}}finally{await n()}}async function y(e,t,r){let n=e.get(t);if(n)return n;let o=r();e.set(t,o);try{return await o}finally{if(e.get(t)===o)e.delete(t)}}async function b(e){let t=c(e.ariaHome);return y(v,t,async()=>p(t,(r,n)=>{let o=m(t,n,r.readNodeMetadata());if(o)return o;let i={...r.resolveOrCreateNode(),migratedFromLegacy:w(t)};return r.writeNodeMetadata(i),u(t,n,i)}))}async function $(e){let t=c(e.ariaHome),r=`${t}\x00${e.nodeId}`;return y(M,r,async()=>p(t,(n,o)=>{let i=m(t,o,n.readNodeMetadata());if(i){if(i.nodeId!==e.nodeId)throw Error(`[node-metadata] Configured nodeId ${e.nodeId} does not match durable node metadata ${i.nodeId} at ${o}`);return i}let f={nodeId:e.nodeId,createdAt:new Date().toISOString(),schemaVersion:N,migratedFromLegacy:w(t)};return n.writeNodeMetadata(f),u(t,o,f)}))}function A(e){let t=c(e.ariaHome),r=l(t),n=new d({ariaHome:t});try{return m(t,r,n.readNodeMetadata())}finally{n.close()}}
+export{N as ea,c as fa,l as ga,b as ha,$ as ia,A as ja};

package/dist/index-6extw9n6.js

@@ -0,0 +1,2 @@
+import{ta as $1}from"./index-raeajnr7.js";import{wa as C0,ya as l}from"./index-ghh3ag4c.js";import v from"node:crypto";import*as W1 from"node:os";import*as J1 from"node:path";import*as B1 from"node:http";import*as R1 from"node:https";import{log as a0}from"@aria-cli/types";import{createHash as D1}from"node:crypto";import{log as G1}from"@aria-cli/types";import{NodeIdSchema as I0,PeerTransportIdSchema as J0,PrincipalFingerprintSchema as V1,SigningPublicKeySchema as v0}from"@aria-cli/tools/network-runtime";function w0($){let J=Q0($.signingPublicKey);if(!J)return{error:"signing_key_fingerprint_mismatch"};if(J!==$.principalFingerprint)return{error:"signing_key_fingerprint_mismatch"};return{nodeId:$.nodeId,principalFingerprint:$.principalFingerprint,signingPublicKey:$.signingPublicKey}}function U0($,J){return{...$,transportPublicKey:J0.parse($.transportPublicKey),...J?{signingPublicKey:J}:{}}}function Q0($){try{return V1.parse(D1("sha256").update(Buffer.from($,"base64")).digest("hex"))}catch{return}}function m0($,J){let Z=J?.getRecord?.($.nodeId)?.signingPublicKey??J?.get?.($.nodeId);if(!Z)return;return Q0(Z)===$.principalFingerprint?Z:void 0}function q0($){return $.trim().replace(/^\[|\]$/g,"").toLowerCase()}class y0{ariaHome;ownerGeneration;peerSigningKeyStore;onBindingChanged;localBindingProjection;constructor($){this.ariaHome=$.ariaHome,this.ownerGeneration=$.ownerGeneration,this.peerSigningKeyStore=$.peerSigningKeyStore,this.localBindingProjection=$.localBindingProjection}openStore(){return new l({ariaHome:this.ariaHome,...typeof this.ownerGeneration==="number"?{ownerGeneration:this.ownerGeneration}:{}})}resolveWriteOwnerGeneration(){if(typeof this.ownerGeneration==="number"&&Number.isInteger(this.ownerGeneration))return this.ownerGeneration;let $=this.openStore();try{let J=$.readNodeMetadata()?.nodeId;if(!J)return 1;return Math.max($.readRuntimeOwnerRecord(J)?.ownerGeneration??0,$.readRuntimeBootstrapRecord(J)?.ownerGeneration??0,1)}finally{$.close()}}openWritableStore(){return new l({ariaHome:this.ariaHome,ownerGeneration:this.resolveWriteOwnerGeneration()})}resolveLocalNodeIdentity(){let $=this.openStore();try{return $.resolveOrCreateNode()}finally{$.close()}}resolveLocalVerifiedPrincipal(){let $=this.openStore();try{let J=$.resolveOrCreateNode(),Z=$.readRuntimeBootstrapRecord(J.nodeId);if(!Z?.signingPublicKey)return;let U=Q0(Z.signingPublicKey);if(!U)return;return{nodeId:J.nodeId,principalFingerprint:U,transportPublicKey:J0.parse(Z.transportPublicKey),signingPublicKey:Z.signingPublicKey,isLocalAuthority:!0,...Z.displayNameSnapshot?{displayNameSnapshot:Z.displayNameSnapshot}:{}}}finally{$.close()}}hasRemoteBindings(){let $=this.openStore();try{return $.listPeerBindings().length>0}finally{$.close()}}resolveRemoteBinding($){let J=this.openStore();try{let Z=J.readPeerBinding($);if(!Z)return;let U=m0(Z,this.peerSigningKeyStore);return U0(Z,U)}finally{J.close()}}resolveContinuityBase($){let J=this.resolveRemoteBinding($);if(J)return{nodeId:J.nodeId,principalFingerprint:J.principalFingerprint,continuityRevision:J.continuityRevision,...J.displayNameSnapshot?{displayNameSnapshot:J.displayNameSnapshot}:{},binding:J};let Z=this.openStore();try{let U=Z.readPeerRevocation($);if(!U)return;return{nodeId:U.nodeId,principalFingerprint:U.fingerprint,continuityRevision:0,revocationGeneration:U.revocationGeneration,...U.displayNameSnapshot?{displayNameSnapshot:U.displayNameSnapshot}:{},revokedPeer:U}}finally{Z.close()}}resolveBindingByControlEndpoint($){let J=q0($.host),Z=this.listRemoteBindings().filter((L)=>typeof L.controlEndpointHost==="string"&&typeof L.controlEndpointPort==="number"&&q0(L.controlEndpointHost)===J&&L.controlEndpointPort===$.port);if(new Set(Z.map((L)=>L.nodeId)).size>1)return"ambiguous";return Z[0]}listRemoteBindings(){let $=this.openStore();try{return $.listPeerBindings().map((J)=>{let Z=m0(J,this.peerSigningKeyStore);return{...J,transportPublicKey:J0.parse(J.transportPublicKey),...Z?{signingPublicKey:Z}:{}}})}finally{$.close()}}listAuthoritativeBindings(){let $=this.resolveLocalBinding(),J=this.listRemoteBindings();if(!$)return J;return[$,...J.filter((Z)=>Z.nodeId!==$.nodeId)]}resolveLocalBinding(){let $=this.localBindingProjection?.();if(!$)return;let J=this.resolveLocalNodeIdentity();if($.nodeId!==J.nodeId)return;let Z=Q0($.signingPublicKey);if(!Z)return;return{nodeId:J.nodeId,principalFingerprint:Z,transportPublicKey:$.transportPublicKey,continuityRevision:0,displayNameSnapshot:$.displayNameSnapshot,updatedAt:J.createdAt,signingPublicKey:$.signingPublicKey,isLocalBinding:!0}}resolveBindingByPrincipalFingerprint($){let J=this.listAuthoritativeBindings().filter((L)=>L.principalFingerprint===$);if(new Set(J.map((L)=>L.nodeId)).size>1)return"ambiguous";let U=J[0];if(!U?.signingPublicKey)return;return U}resolveVerifiedPrincipalByFingerprint($){let J=[],Z=this.resolveLocalVerifiedPrincipal();if(Z?.principalFingerprint===$)J.push(Z);let U=this.resolveBindingByPrincipalFingerprint($);if(U==="ambiguous")return"ambiguous";if(U)J.push(U);if(new Set(J.map((H)=>H.nodeId)).size>1)return"ambiguous";return J[0]}resolveNodeIdFromVerifiedPrincipal($){let J=Q0($.signingPublicKey);if(!J)return;let Z=this.resolveLocalBinding();if(Z&&Z.principalFingerprint===J){if(!$.claimedNodeId||$.claimedNodeId===Z.nodeId)return{nodeId:Z.nodeId,principalFingerprint:J,...Z.displayNameSnapshot?{displayNameSnapshot:Z.displayNameSnapshot}:{}};return}if($.claimedNodeId){let L=this.resolveLocalVerifiedPrincipal();if(L&&L.nodeId===$.claimedNodeId&&L.principalFingerprint===J)return{nodeId:L.nodeId,principalFingerprint:J,...L.displayNameSnapshot?{displayNameSnapshot:L.displayNameSnapshot}:{}};let H=this.resolveRemoteBinding($.claimedNodeId);if(!H||H.principalFingerprint!==J)return;return{nodeId:H.nodeId,principalFingerprint:J,...H.displayNameSnapshot?{displayNameSnapshot:H.displayNameSnapshot}:{}}}let U=this.resolveVerifiedPrincipalByFingerprint(J);if(!U||U==="ambiguous")return;return{nodeId:U.nodeId,principalFingerprint:J,...U.displayNameSnapshot?{displayNameSnapshot:U.displayNameSnapshot}:{}}}commitFirstTrustBind($,J){let Z=this.openWritableStore();try{let U={nodeId:$.nodeId,principalFingerprint:$.principalFingerprint,transportPublicKey:J.transportPublicKey,continuityRevision:J.continuityRevision,endpointHost:J.endpointHost,endpointPort:J.endpointPort,endpointRevision:J.endpointRevision??0,displayNameSnapshot:J.displayNameSnapshot,controlEndpointHost:J.controlEndpointHost,controlEndpointPort:J.controlEndpointPort,controlTlsCaFingerprint:J.controlTlsCaFingerprint},L=Z.commitPairContinuity(U);if(J.projectSigningKey!==!1)this.peerSigningKeyStore?.set?.({nodeId:L.nodeId,displayName:L.displayNameSnapshot??L.nodeId,signingPublicKey:$.signingPublicKey});return this.resolveRemoteBinding(L.nodeId)??U0(L)}finally{Z.close()}}applyVerifiedContinuityMutation($){let J=this.openWritableStore();try{let Z=typeof $.expectedRevocationGeneration==="number"?J.commitPairContinuityClearingRevocation({...$,expectedRevocationGeneration:$.expectedRevocationGeneration}):J.commitPairContinuity($);if($.signingPublicKey&&$.projectSigningKey!==!1)this.peerSigningKeyStore?.set?.({nodeId:Z.nodeId,displayName:Z.displayNameSnapshot??Z.nodeId,signingPublicKey:$.signingPublicKey});return this.resolveRemoteBinding(Z.nodeId)??U0(Z)}finally{J.close()}}commitVerifiedContinuityBind($,J,Z){let U=this.openStore();try{let L=J.statement,H=U.readPeerBinding($),C=L.newTransportPublicKey?J0.parse(L.newTransportPublicKey):void 0,B=Z?.transportPublicKey??C??H?.transportPublicKey;if(!B)throw Error("Verified continuity bind requires canonical transport evidence");let M0=H!==null&&H.transportPublicKey!==B,a=this.applyVerifiedContinuityMutation({nodeId:$,principalFingerprint:L.newPrincipalFingerprint,transportPublicKey:B,continuityRevision:L.bindingGeneration,endpointHost:Z?.endpointHost,endpointPort:Z?.endpointPort,endpointRevision:Z?.endpointRevision??H?.endpointRevision??0,displayNameSnapshot:Z?.displayNameSnapshot,controlEndpointHost:Z?.controlEndpointHost,controlEndpointPort:Z?.controlEndpointPort,controlTlsCaFingerprint:Z?.controlTlsCaFingerprint,signingPublicKey:v0.parse(J.newPublicKey),projectSigningKey:Z?.projectSigningKey,...typeof L.revocationGeneration==="number"?{expectedRevocationGeneration:L.revocationGeneration}:{}});if(this.onBindingChanged&&M0)this.onBindingChanged({nodeId:a.nodeId,transportKeyChanged:!0,newTransportPublicKey:a.transportPublicKey,previousTransportPublicKey:H?.transportPublicKey,newPrincipalFingerprint:a.principalFingerprint,previousPrincipalFingerprint:H?.principalFingerprint,continuityRevision:a.continuityRevision});return a}finally{U.close()}}recordRevocationConflict($){let J=this.openWritableStore();try{return J.commitRevocationConflict($)}finally{J.close()}}recordVerifiedRevocation($){let J=this.openWritableStore();try{return J.commitPeerRevocation($)}finally{J.close()}}commitPeerEndpointProjection($){let J=this.openWritableStore();try{let Z=J.commitPeerEndpointProjection($);if(Z.kind==="not_found")return Z;let U=this.resolveRemoteBinding(Z.binding.nodeId)??U0(Z.binding);return{kind:Z.kind,binding:U}}finally{J.close()}}}function E1($){if(typeof $.ariaNodeId==="string"){let Z=I0.safeParse($.ariaNodeId.trim());if(Z.success)return Z.data}let J=$.ariaNetworkManager?.getConfig?.()?.nodeId;if(typeof J==="string"){let Z=I0.safeParse(J.trim());if(Z.success)return Z.data}return}function T1($,J){if(!J)return;let Z=new l({ariaHome:$});try{let U=typeof Z.readRuntimeOwnerRecord==="function"?Z.readRuntimeOwnerRecord(J)?.ownerGeneration??0:0,L=typeof Z.readRuntimeBootstrapRecord==="function"?Z.readRuntimeBootstrapRecord(J)?.ownerGeneration??0:0,H=Math.max(U,L,0);return H>0?H:void 0}finally{Z.close()}}function Z0($,J){let Z=$.ariaBasePath?.trim();if(!Z)return;let U=J?.ownerGeneration??T1(Z,E1($)),L=new y0({ariaHome:Z,ownerGeneration:U,peerSigningKeyStore:$.ariaPeerSigningKeyStore,localBindingProjection:()=>{let H=$.ariaNetworkManager?.getConfig?.();if(!H?.nodeId||!H.signingPublicKey||!H.publicKey)return;return{nodeId:H.nodeId,displayNameSnapshot:$.ariaNetworkManager?.getLocalDisplayNameSnapshot?.(),signingPublicKey:v0.parse(H.signingPublicKey),transportPublicKey:J0.parse(H.publicKey)}}});return L.onBindingChanged=(H)=>{if(H.transportKeyChanged)G1.debug(`[principal-binding-authority] Transport key changed for ${H.nodeId}`),$.ariaNetworkManager?.refreshPeerEndpoint?.(H.nodeId)},L}import{computeSigningKeyFingerprint as k1}from"@aria-cli/aria";import{RuntimeBootstrapRecordSchema as f1,SigningPublicKeySchema as w1}from"@aria-cli/tools";var j1=new Set(["control_ready","network_ready","mesh_ready"]);function x1($,J){let Z=f1.parse($);if(!j1.has(Z.phase))throw Error(`${J} unavailable during ${Z.phase}`);return j0(Z,J),Z}async function Y0($,J){let Z=$.ariaRuntimeBootstrapControl;if(!Z?.getRuntimeBootstrap)throw Error(`${J} unavailable`);return x1(await Z.getRuntimeBootstrap(),J)}function j0($,J="Runtime bootstrap"){let Z=w1.parse($.signingPublicKey),U=k1(Z);if(!U)throw Error(`${J} missing durable principal TLS identity`);if($.tls.principalIdentity!==U)throw Error(`${J} missing durable principal TLS identity`);return U}import*as c0 from"node:os";import{isPrivateLanIP as x0}from"@aria-cli/aria";var i="127.0.0.1";function O0($){let J=$?.trim();if(!J)return;let Z=J.replace(/^\[(.*)\]$/,"$1").split("%")[0]??J;if(Z==="localhost"||Z==="::1"||Z==="::ffff:127.0.0.1"||Z.startsWith("127."))return i;if(Z==="0.0.0.0"||Z==="::")return;return Z}function F1(){let $=c0.networkInterfaces(),J=[];for(let U of Object.values($))for(let L of U??[]){let H=O0(L.address);if(!H||L.internal||!x0(H)||H===i)continue;J.push({host:H,family:L.family})}return J.find((U)=>U.family==="IPv4")?.host??J[0]?.host}function L0($){let J=O0($.ingressHost);if(J&&x0(J))return J;let Z=O0($.peerHost);if(Z===i)return i;if(Z&&x0(Z))return F1()??i;let U=O0($.externalHost);if(U)return U;return i}import{createInviteTokenV4 as N1,generateEphemeralKeypair as K1,deriveSharedKey as P1,encryptToken as S1,signEphemeralKey as b1,deserializeInviteToken as I1,serializeInviteToken as m1,validateInviteTokenV4 as q1,validateDirectPairPayload as p0,computeSigningKeyFingerprint as e,certFingerprint as v1,isPrivateLanIP as d0,validateEnvelope as y1,computeContextHash as c1}from"@aria-cli/aria";import{AcceptInviteRequestSchema as g1,assertSupportedNetworkRuntimeProtocolVersion as o0,DirectPairRequestJsonSchema as u1,NodeIdSchema as b,PeerTransportIdSchema as l1,PairRelayRouteBodySchema as s1,RelayPendingQueryJsonSchema as a1,PrincipalFingerprintSchema as A0,SigningPublicKeySchema as s,TlsCaFingerprintSchema as p1,RelayPendingRequestSchema as d1,PairRequestRouteBodySchema as o1,SignedContinuityBindSchema as t1}from"@aria-cli/tools";import{createHash as h1}from"node:crypto";import g0 from"node:crypto";import{PrincipalFingerprintSchema as C1}from"@aria-cli/tools";import{verifyContinuitySignature as u0}from"@aria-cli/aria/server-network";function l0($){try{return C1.parse(h1("sha256").update(Buffer.from($,"base64")).digest("hex"))}catch{return}}function s0($,J){let Z=l0($.previousPublicKey);if(!Z||Z!==$.statement.previousPrincipalFingerprint)return{kind:"fingerprint_key_mismatch",field:"previous"};let U=l0($.newPublicKey);if(!U||U!==$.statement.newPrincipalFingerprint)return{kind:"fingerprint_key_mismatch",field:"new"};if($.statement.previousPrincipalFingerprint!==J.principalFingerprint)return{kind:"previous_fingerprint_mismatch",expected:J.principalFingerprint,actual:$.statement.previousPrincipalFingerprint};if($.statement.bindingGeneration<=J.continuityRevision)return{kind:"generation_not_monotonic",current:J.continuityRevision,proposed:$.statement.bindingGeneration};if(J.revocationGeneration!==void 0){if($.statement.revocationGeneration!==J.revocationGeneration)return{kind:"revocation_generation_mismatch",expected:J.revocationGeneration,actual:$.statement.revocationGeneration}}let L=g0.createPublicKey({key:Buffer.from($.previousPublicKey,"base64"),format:"der",type:"spki"});if(!u0($.statement,$.delegationSignature,L))return{kind:"delegation_signature_invalid"};let H=g0.createPublicKey({key:Buffer.from($.newPublicKey,"base64"),format:"der",type:"spki"});if(!u0($.statement,$.acceptanceSignature,H))return{kind:"acceptance_signature_invalid"};return $}function _0($){return{id:$.id,nodeId:b.parse($.nodeId),displayNameSnapshot:$.displayNameSnapshot,principalFingerprint:A0.parse($.principalFingerprint)}}function o($,J,Z){J2({nodeStore:$,nodeId:J,previousBinding:Z.binding})}function F0($,J){if(!($ instanceof Error))return null;if($.message.includes("direct transport endpoint conflict"))return{statusCode:409,message:"Direct transport endpoint already owned by another peer principal"};if($.message.includes("Peer binding continuity revision conflict")||$.message.includes("continuity revision conflict"))return{statusCode:409,message:J};return null}var H0=300000,t0=300000,r1=3,n1=30,i1=60000,r0=1e4,e1=50;async function n0($,J){let{targetNodeId:Z,signingPublicKey:U}=J;try{let C=await Y0($,"Pair relay target bootstrap unavailable");if(C.nodeId.trim()===Z)return C.signingPublicKey===U?{status:"found"}:{status:"mismatch"}}catch{}let L=Z0($);if(!L)return{status:"missing"};if(!L.resolveContinuityBase(Z))return{status:"missing"};return L.resolveNodeIdFromVerifiedPrincipal({claimedNodeId:Z,signingPublicKey:U})?{status:"found"}:{status:"mismatch"}}function $2($,J,Z){let U=K1(),L;if(Z)try{L=b1(U.publicKey,Buffer.from(Z,"base64"))}catch{}let H=P1(U.privateKey,$),C=S1(J,H);return{encryptedToken:C.ciphertext,ephemeralPublicKey:U.publicKey,ephemeralKeySignature:L,nonce:C.nonce,tag:C.tag}}var i0=1000;function _($,J){let Z=Error(J);return Z.statusCode=$,Z}function X0($,J=500){return typeof $==="object"&&$!==null&&"statusCode"in $&&typeof $.statusCode==="number"?$.statusCode??J:J}function h0($,J){let Z=$.safeParse(J);if(Z.success)return Z.data;let U=Z.error.issues[0],L=U?.path.join("."),H=U?L&&L.length>0?`${L}: ${U.message}`:U.message:"Invalid request";throw _(400,H)}function e0($){return{nodeId:$.nodeId,principalFingerprint:$.principalFingerprint,transportPublicKey:$.transportPublicKey,continuityRevision:$.continuityRevision,displayNameSnapshot:$.displayNameSnapshot,controlEndpointHost:$.controlEndpoint.host,controlEndpointPort:$.controlEndpoint.port,controlTlsCaFingerprint:$.controlEndpoint.tlsCaFingerprint}}function W2($){let J=$.peerInfo.controlEndpoint;if(J&&typeof J==="object"&&typeof J.host==="string"&&typeof J.port==="number"&&typeof J.tlsCaFingerprint==="string"&&typeof J.tlsServerIdentity==="string"&&typeof J.protocolVersion==="number")return J;throw _(500,"Accepted invite did not return the remote control endpoint tlsServerIdentity for durable peer binding")}function J2($){if($.previousBinding)$.nodeStore.commitPairContinuity($.previousBinding);else $.nodeStore.deletePeerBinding($.nodeId)}function Q2($){if(!$)throw _(503,"Network manager not available");let J=[];if(typeof $.applyDirectPairActivation!=="function")J.push("applyDirectPairActivation");if(J.length>0)throw _(503,`Network manager missing direct-pair activation capabilities: ${J.join(", ")}`);return $}async function N2($){let J=new Map,Z=$.ariaDurablePairStore,U=new Map,L=new Map,H=0,C=new Map,B=new Map;function M0(W){return{id:W.id,nodeId:b.parse(W.nodeId),displayNameSnapshot:W.displayNameSnapshot,principalFingerprint:W.principalFingerprint,signingPublicKey:W.signingPublicKey,port:W.port,host:W.host,responderControlHostHint:W.responderControlHostHint,ingressHost:W.ingressHost,createdAt:W.createdAt,expiresAt:W.expiresAt,ephemeralPublicKey:W.ephemeralPublicKey,ephemeralKeySignature:W.ephemeralKeySignature,caCert:W.caCert,relayed:W.relayed??!1,targetNodeId:W.relayTargetNodeId?b.parse(W.relayTargetNodeId):void 0}}function a(W){return{id:W.id,nodeId:W.nodeId,displayNameSnapshot:W.displayNameSnapshot,principalFingerprint:W.principalFingerprint,signingPublicKey:s.parse(W.signingPublicKey),port:W.port,host:W.host,responderControlHostHint:W.responderControlHostHint,ingressHost:W.ingressHost??W.host,createdAt:W.createdAt,expiresAt:W.expiresAt,ephemeralPublicKey:W.ephemeralPublicKey,ephemeralKeySignature:W.ephemeralKeySignature,caCert:W.caCert,relayed:W.relayed,relayTargetNodeId:W.targetNodeId}}function D0(W){if(U.set(W.id,W),W.relayed&&W.relayTargetNodeId){let Q=B.get(W.relayTargetNodeId)??[];Q.push(W),B.set(W.relayTargetNodeId,Q)}Z?.store(M0(W))}function G0(W,Q){if(!Q)return;let X=B.get(Q);if(!X)return;let z=X.filter((Y)=>Y.id!==W);if(z.length===0)B.delete(Q);else B.set(Q,z)}function m(W,Q){U.delete(W),G0(W,Q),Z?.delete(W)}function Q1(){if(!Z)return;Z.cleanup();for(let W of Z.findAllActive()){let Q=a(W);if(U.set(Q.id,Q),Q.relayed&&Q.relayTargetNodeId){let X=B.get(Q.relayTargetNodeId)??[];X.push(Q),B.set(Q.relayTargetNodeId,X)}}}Q1();function $0(W){let Q=(X)=>X==="127.0.0.1"||X==="::1"||X==="::ffff:127.0.0.1"||X==="localhost";return Q(W.raw.socket?.remoteAddress)||Q(W.ip)}function B0(W){let{nodeId:Q,signingPublicKey:X}=W,z=Z0($);if(!z)return{ok:!0};if(z?.resolveContinuityBase(Q)&&!z.resolveNodeIdFromVerifiedPrincipal({claimedNodeId:Q,signingPublicKey:X}))return{ok:!1,error:`Peer principal "${Q}" identity mismatch for signing key`};return{ok:!0}}function Z1(W){return W.peerDisplayName?.trim()||W.peerNodeId.trim()}async function X1(W){let{networkManager:Q,payload:X,requestIp:z,isLocalCall:Y}=W,O=Q2(Q),{peerWgPubkey:A,peerSigningPubkey:V,transportEndpoint:G,controlEndpoint:D,psk:w}=X,M=s.parse(V);try{if(!D.tlsServerIdentity?.trim())throw _(400,"Accept invite requires controlEndpoint.tlsServerIdentity");o0(D.protocolVersion,"pair control endpoint")}catch(K){throw _(400,K.message)}let T=O.getConfig?.(),E=W0(),x=T?.publicKey??E?.publicKey,R=(typeof T?.signingPublicKey==="string"?s.safeParse(T.signingPublicKey).data:void 0)??E?.signingPublicKey;if(x&&A===x||R&&M===R)throw _(409,"Direct pairing payload matches the local machine identity");let f=Z1(X),k=b.parse(X.peerNodeId),P=e(M);if(!P||X.principalFingerprint!==P)throw _(400,"Direct pair principal fingerprint mismatch");if(!B0({nodeId:k,signingPublicKey:M}).ok)throw a0.warn(`[pair/direct] Rejected signing key overwrite for peer "${f}" — use interactive pairing for key rotation`),_(409,`Signing key identity mismatch for peer "${f}" — revoke and re-pair required`);let I=Y?G.host:z||G.host,S=Z0($);if(!S)throw _(503,"Principal binding authority unavailable for direct pair activation");let y=w0({nodeId:k,principalFingerprint:A0.parse(X.principalFingerprint),signingPublicKey:M});if("error"in y)throw _(400,"Direct pair principal fingerprint mismatch");let h=$.ariaBasePath,N=$.ariaRuntimeOwnerGeneration??$.ariaOwnerGeneration;if(!h)throw _(503,"ARIA base path unavailable for direct pair activation");let t=new l({ariaHome:h,...N!==void 0?{ownerGeneration:N}:{}}),j=t.readPeerBinding(k);t.close();try{S.commitFirstTrustBind(y,{transportPublicKey:A,continuityRevision:(j?.continuityRevision??0)+1,endpointHost:I,endpointPort:G.port,endpointRevision:D.endpointRevision??j?.endpointRevision??0,displayNameSnapshot:f,controlEndpointHost:D.host,controlEndpointPort:D.port,controlTlsCaFingerprint:D.tlsCaFingerprint,projectSigningKey:!1})}catch(K){let q=F0(K,`Direct pair continuity conflict for peer "${f}"`);if(q)throw _(q.statusCode,q.message);throw K}try{await O.applyDirectPairActivation({nodeId:k,displayNameSnapshot:f,peerPublicKey:A,signingPublicKey:M,transportEndpoint:{host:I,port:G.port},controlEndpoint:D,presharedKey:w})}catch(K){if(N!==void 0){let q=new l({ariaHome:h,ownerGeneration:N});try{o(q,k,{binding:j})}finally{q.close()}}throw K}return{received:!0,pairingProofState:"pending_verification"}}function V0(W){if(J.size>=r0&&!J.has(W)){let O=Date.now();for(let[A,V]of J)if(O>V.resetAt)J.delete(A);if(J.size>=r0){let A=J.keys().next().value;if(A)J.delete(A)}}let Q=Date.now(),X=J.get(W);if(!X||Q>X.resetAt)return J.set(W,{count:1,resetAt:Q+i1}),!0;let Y=W==="127.0.0.1"||W==="::1"||W==="::ffff:127.0.0.1"||W==="localhost"?n1:r1;if(X.count>=Y)return!1;return X.count++,!0}let R0=setInterval(()=>{let W=Date.now();Z?.cleanup();for(let[Q,X]of U)if(W>X.expiresAt){m(Q,X.relayTargetNodeId);let z=L.get(Q);if(z)clearTimeout(z.timer),z.resolve({accepted:!1}),L.delete(Q)}for(let[Q,X]of J)if(W>X.resetAt)J.delete(Q);for(let[Q]of C)if(!U.has(Q))C.delete(Q)},60000);R0.unref(),$.addHook("onClose",()=>{clearInterval(R0);for(let[,W]of L)clearTimeout(W.timer)});async function E0(){let W;try{W=await Y0($,"Local pair bootstrap")}catch{throw _(503,"Runtime bootstrap unavailable — pairing requires bootstrap authority")}if(W.phase==="degraded"||W.degradedReason||W.failedPhase)throw _(503,"Runtime bootstrap is not healthy enough for pairing");let Q=W.tls.caFingerprint.trim().toLowerCase(),X=v1(W.tls.caCertPem).toLowerCase();if(Q!==X)throw _(503,"Runtime bootstrap advertised an inconsistent TLS fingerprint");return W}function z1(W,Q,X,z){let Y=Q.getConfig?.(),O=X?.trim().replace(/^\[|\]$/g,""),A=O&&(O==="localhost"||d0(O))?O:void 0;return{host:L0({ingressHost:z??A,peerHost:A,externalHost:Y?.externalEndpoint?.address?.trim()??W.controlEndpoint.host}),port:W.controlEndpoint.port,tlsCaFingerprint:p1.parse(W.tls.caFingerprint),tlsServerIdentity:j0(W),protocolVersion:W.protocolVersion,endpointRevision:Y?.endpointRevision??0}}function U1(W){let Q=W.hostname?.trim().replace(/^\[|\]$/g,"");if(!Q)return;if(Q==="localhost"||d0(Q))return Q;return}function Y1(){return $.ariaNetworkManager?.getConfig?.()?.coordinationUrl||void 0}function W0(){let W=$.ariaBasePath?.trim(),Q=$.ariaNetworkManager?.getConfig?.(),X,z,Y,O;if(W){let G=new l({ariaHome:W});try{let D=G.readNodeMetadata();if(D){X=D.nodeId;let w=G.readRuntimeBootstrapRecord(D.nodeId);z=w?.displayNameSnapshot,Y=w?.transportPublicKey,O=w?.signingPublicKey}}finally{G.close()}}let A=X?.trim()??$.ariaNodeId?.trim()??Q?.nodeId?.trim(),V=z?.trim()??$.ariaNetworkManager?.getLocalDisplayNameSnapshot?.()?.trim();if(!Q&&!X&&!V)return null;return{nodeId:A,displayNameSnapshot:V,publicKey:Y??(typeof Q?.publicKey==="string"&&Q.publicKey.trim().length>0?Q.publicKey:void 0),signingPublicKey:O??(typeof Q?.signingPublicKey==="string"?s.safeParse(Q.signingPublicKey.trim()).data:void 0),signingPrivateKey:typeof Q?.signingPrivateKey==="string"&&Q.signingPrivateKey.trim().length>0?Q.signingPrivateKey:void 0}}function O1(W,Q){if(!W)return{ok:!1,status:401,error:"MutationEnvelope required for direct pairing"};let X=p0(W.payload);if(!X.ok)return{ok:!1,status:400,error:X.error};let z=X.data,Y=$.ariaNonceStore;if(!Y||typeof Y.consume!=="function"||typeof Y.isConsumed!=="function"||!Y.isDurable)return{ok:!1,status:503,error:"Durable nonce store required for direct pairing"};let O=$0(Q),A=W0(),V=A?.nodeId,G=s.parse(z.peerSigningPubkey),D=O?[A?.signingPublicKey,G].filter((E)=>Boolean(E)):[G],w=O?new Set([V,z.peerNodeId].filter((E)=>Boolean(E))):new Set([z.peerNodeId]);if(D.length===0)return{ok:!1,status:503,error:"Signing key unavailable for direct pairing"};if(!V)return{ok:!1,status:503,error:"Local node identity unavailable for direct pairing"};if(W.operation!=="pair.direct")return{ok:!1,status:403,error:"Direct pairing envelope operation mismatch"};if(W.target.nodeId!==V)return{ok:!1,status:403,error:"Direct pairing envelope target mismatch"};if(!w.has(W.principal.nodeId))return{ok:!1,status:403,error:"Direct pairing envelope principal mismatch"};if(A?.publicKey&&W.target.transportPublicKey!==A.publicKey)return{ok:!1,status:403,error:"Direct pairing envelope target transport mismatch"};if(!D.some((E)=>e(E)===W.principal.principalFingerprint))return{ok:!1,status:403,error:"Direct pairing envelope fingerprint mismatch"};let M=c1({method:"POST",path:"/api/v1/pair/direct",body:{...z},operation:"pair.direct",targetKey:V});if(W.contextHash!==M)return{ok:!1,status:403,error:"Direct pairing envelope context mismatch"};let T=y1(W,{keyResolver:(E)=>{let x=A0.safeParse(E);if(!x.success)return;return D.find((R)=>e(R)===x.data)},nonceStore:Y,namespace:"mesh"});if(!T.valid)return{ok:!1,status:403,error:T.error??"Direct pairing envelope validation failed"};return{ok:!0,payload:z}}async function L1(){let W=Date.now(),Q=[];for(let[X,z]of U)if(W>z.expiresAt)m(X,z.relayTargetNodeId);else if(!z.relayed)Q.push(_0(z));for(let[,X]of B)for(let z of X)if(W<z.expiresAt)Q.push(_0(z));return Q}async function _1(W){let Q=d1.parse(W),X=b.parse(W0()?.nodeId??(await E0()).nodeId),z=U.get(Q.id);if(z)m(Q.id,z.relayTargetNodeId);let{ingressHost:Y,displayNameSnapshot:O,...A}=Q;D0({...A,displayNameSnapshot:O??Q.nodeId,ingressHost:Y,host:Y,createdAt:Date.now(),relayed:!0,relayTargetNodeId:X})}async function N0(W){let{requestId:Q,accepted:X}=W,z=U.get(Q);if(!z)throw _(404,"Pair request not found or expired");if(Date.now()>z.expiresAt)throw m(Q,z.relayTargetNodeId),_(404,"Pair request not found or expired");if(!X)return m(Q,z.relayTargetNodeId),await P0(Q,z,{accepted:!1}),{accepted:!1};let Y=$.ariaNetworkManager;if(!Y)throw _(503,"Network manager not available");if(!z.ephemeralPublicKey)throw _(400,"Encrypted pairing required — ephemeralPublicKey missing from pair request");if(!z.ephemeralKeySignature)throw _(400,"Signed ephemeral key required — ephemeralKeySignature missing");if(!K0(z.ephemeralPublicKey,z.ephemeralKeySignature,z.signingPublicKey))throw _(400,"Ephemeral key signature verification failed — possible MITM");let A=B0({nodeId:b.parse(z.nodeId),signingPublicKey:z.signingPublicKey});if(!A.ok)throw _(409,A.error);let V=Y.getConfig(),G=await E0(),D=W0(),w=G.signingPublicKey?.trim()??V?.signingPublicKey??D?.signingPublicKey??"",M=G.displayNameSnapshot?.trim()||D?.displayNameSnapshot?.trim()||void 0,T=G.tls.caCertPem,E=V?.signingPrivateKey??D?.signingPrivateKey??"";if(!w||!E)throw Error("Hard cutover requires the responder signing identity to build a principal-addressed invite");let x=b.parse(G.nodeId);if(!M)throw Error("Hard cutover requires the responder display snapshot to build a principal-addressed invite");let{token:R}=Y.invite(z.displayNameSnapshot,{nodeId:z.nodeId,durationMs:H0,controlEndpoint:z1(G,Y,z.responderControlHostHint,z.ingressHost),caCert:G.tls.caCertPem,transportHostOverride:z.responderControlHostHint??z.ingressHost}),f=m1(N1({issuerNodeId:x,issuerDisplayName:M,issuerSigningPublicKey:w,audienceNodeId:z.nodeId,audienceDisplayName:z.displayNameSnapshot,initialTier:"member",namespace:"default",expiresAt:z.expiresAt,transportInviteToken:R},E)),k=$2(z.ephemeralPublicKey,f,E),P={accepted:!0,encryptedToken:k.encryptedToken,ephemeralPublicKey:k.ephemeralPublicKey,ephemeralKeySignature:k.ephemeralKeySignature,nonce:k.nonce,tag:k.tag,caCert:T};return await P0(Q,z,P),{accepted:!0,inviteToken:f}}async function H1(W){let{inviteToken:Q,nodeId:X,displayNameSnapshot:z,transportEndpoint:Y,controlEndpoint:O,continuity:A}=W;try{o0(O.protocolVersion,"pair control endpoint")}catch(F){throw _(400,F.message)}let V=$.ariaNetworkManager;if(!V?.acceptInvite)throw _(503,"Network manager or acceptInvite not available");let G,D,w,M=I1(Q);if(!M)throw _(400,"Invalid invite token: unsupported token format");let T=$.ariaInviteConsumeLedger,E;try{E=await Y0($,"Local runtime bootstrap unavailable for invite validation")}catch(F){throw _(503,F.message)}let x=E.nodeId.trim(),R=E.displayNameSnapshot?.trim()??x;if(M.claims.nonce&&T?.isConsumed(M.claims.nonce))throw _(400,"Invalid invite token: Invite token already consumed (nonce reuse)");let f=q1(M,{isNonceConsumed:(F)=>T?.isConsumed(F)??!1,myNodeId:x});if(!f.valid)throw a0.warn(`[pair] V4 invite validation failed: ${f.error} (localNodeId=${x}, localDisplayNameSnapshot=${R}, audienceNodeId=${M.claims.audienceNodeId})`),_(400,`Invalid invite token: ${f.error}`);if(G=typeof M.claims.transportInviteToken==="string"?M.claims.transportInviteToken:void 0,!G)throw _(400,"Invalid invite token: missing embedded transport token");if(M.claims.nonce)D=M.claims.nonce;let k=M.claims.issuerNodeId?.trim();if(!k)throw _(400,"Invite token did not carry issuer nodeId");if(w=k,X!==k)throw _(400,"Invite token issuer nodeId mismatch");let P=s.safeParse(M.claims.issuerSigningPublicKey?.trim()).data;if(!P)throw _(400,"Invite token did not carry issuer signing public key");let u=e(P);if(!u)throw _(400,"Invite token carried an invalid issuer signing public key");let I=A0.parse(u),S=typeof z==="string"&&z.trim().length>0?z.trim():typeof M.claims.issuerDisplayName==="string"&&M.claims.issuerDisplayName.trim().length>0?M.claims.issuerDisplayName.trim():k,y=A?t1.parse(A):void 0,h=y?.statement,N=h?.bindingGeneration??1,t=$.ariaBasePath??J1.join(W1.homedir(),".aria"),j=b.parse(k),K=Z0($);if(!K)throw _(503,"Principal binding authority unavailable for invite acceptance");let q=$.ariaRevocationStore?.isPeerRevoked?.(j)===!0,S0=q?$.ariaRevocationStore?.getPeerRevocationGeneration?.(j)??null:null;if(q&&!y)throw _(409,"Peer is revoked; continuity approval is required before re-binding nodeId");if(y){if(!h||h.nodeId!==k)throw _(400,"Continuity bind nodeId mismatch");if(h.newPrincipalFingerprint!==I)throw K.recordRevocationConflict({nodeId:j,previousFingerprint:I,conflictingFingerprint:h.newPrincipalFingerprint,reason:"continuity bind principal fingerprint mismatch"}),_(409,"Continuity bind principal fingerprint mismatch");if(q&&S0!==null&&h.revocationGeneration!==S0)throw _(409,"Continuity bind is stale");let F=K.resolveRemoteBinding(j);if(F&&F.continuityRevision>N)throw _(409,"Continuity bind is stale");if(F&&F.continuityRevision===N&&h.newTransportPublicKey&&!C0(F,e0({nodeId:j,principalFingerprint:I,transportPublicKey:h.newTransportPublicKey,continuityRevision:N,displayNameSnapshot:S,controlEndpoint:O})))throw _(409,"Continuity bind is stale")}let T0=await V.acceptInvite(G,{nodeId:b.parse(k),displayNameSnapshot:S,transportEndpoint:Y,controlEndpoint:O}),z0=T0.name??S,k0=l1.safeParse(T0.publicKey).data;if(!k0)throw _(500,"Accepted invite did not return transport public key for continuity commit");let f0=I,M1=W2({peerInfo:T0}),b0=$.ariaRuntimeOwnerGeneration??$.ariaOwnerGeneration;if(b0===void 0)throw _(503,"Runtime owner generation unavailable for durable invite acceptance");let p=new l({ariaHome:t,ownerGeneration:b0});try{let F=K.resolveRemoteBinding(j),r={binding:F??null};if(y&&F&&F.continuityRevision>N)throw _(409,"Continuity bind is stale");let d=e0({nodeId:j,principalFingerprint:f0,transportPublicKey:k0,continuityRevision:N,displayNameSnapshot:z0,controlEndpoint:M1});if(F&&F.continuityRevision===N&&!C0(F,d))throw _(409,"Continuity bind is stale");if(y){if(!F)throw _(409,"Continuity bind requires an existing peer binding");let c=s0(y,{principalFingerprint:F.principalFingerprint,continuityRevision:F.continuityRevision});if("kind"in c)throw _({delegation_signature_invalid:403,acceptance_signature_invalid:403,fingerprint_key_mismatch:403,generation_not_monotonic:409,previous_fingerprint_mismatch:409}[c.kind]??403,`Continuity bind verification failed: ${c.kind}`);try{if(K.commitVerifiedContinuityBind(j,c,{transportPublicKey:k0,endpointHost:Y.host,endpointPort:Y.port,endpointRevision:O.endpointRevision??0,displayNameSnapshot:z0,controlEndpointHost:O.host,controlEndpointPort:O.port,controlTlsCaFingerprint:O.tlsCaFingerprint,projectSigningKey:!1}).continuityRevision!==N)throw _(409,"Continuity bind is stale");if(q&&$.ariaRevocationStore?.isPeerRevoked?.(j)===!0)$.ariaRevocationStore.clearRevocationForNodeId?.(j,h.revocationGeneration)}catch(g){let n=F0(g,"Continuity bind is stale");if(n?.message==="Direct transport endpoint already owned by another peer principal")throw o(p,j,r),_(n.statusCode,n.message);if(g instanceof Error&&g.message.includes("could not clear revoked principal binding"))throw K.recordRevocationConflict({nodeId:j,previousFingerprint:I,conflictingFingerprint:h?.newPrincipalFingerprint??f0,reason:"continuity bind could not clear revoked principal binding"}),o(p,j,r),_(409,"Continuity bind could not clear revoked principal binding");if(n)throw o(p,j,r),_(n.statusCode,n.message);throw o(p,j,r),g}}else try{let c=w0({nodeId:j,principalFingerprint:f0,signingPublicKey:P});if("error"in c)throw _(400,"Invite token signing principal fingerprint mismatch");K.commitFirstTrustBind(c,{transportPublicKey:d.transportPublicKey,continuityRevision:d.continuityRevision,endpointHost:Y.host,endpointPort:Y.port,endpointRevision:O.endpointRevision??0,displayNameSnapshot:d.displayNameSnapshot,controlEndpointHost:d.controlEndpointHost,controlEndpointPort:d.controlEndpointPort,controlTlsCaFingerprint:d.controlTlsCaFingerprint,projectSigningKey:!1})}catch(c){let g=F0(c,"Continuity proposal is stale");if(g)throw o(p,j,r),_(g.statusCode,g.message);throw o(p,j,r),c}}finally{p.close()}if(D)$.ariaInviteConsumeLedger?.consume(D,w??"unknown",x);return{success:!0,nodeId:j,...z0?{displayNameSnapshot:z0}:{}}}async function A1(W,Q={ip:"127.0.0.1",raw:{socket:{remoteAddress:"127.0.0.1"}}}){let X=$.ariaNetworkManager;if(!X)throw _(503,"Network manager not available");let z=$0(Q),Y=O1(W.envelope,Q),O=p0(W),A=O.ok?"Invalid direct pairing payload":O.error;if(!V0(Q.ip))throw _(429,"Too many pair requests. Try again in 1 minute.");if(!z&&!Y.ok)throw _(Y.status,Y.error);let V=Y.ok?Y.payload:O.ok?O.data:null;if(!V)throw _(400,A);return X1({networkManager:X,payload:V,requestIp:Q.ip,isLocalCall:z})}$1($,"ariaPairControl",{listPendingPairRequests:async()=>L1(),ingestRelayedPairRequest:async(W)=>_1(W),respondToPairRequest:async(W)=>N0(W),acceptInvite:async(W)=>H1(W),directPair:async(W,Q)=>A1(W,Q)});function K0(W,Q,X){try{let z=v.createPublicKey({key:Buffer.from(X,"base64"),format:"der",type:"spki"});return v.verify(null,Buffer.from(W,"base64"),z,Buffer.from(Q,"base64"))}catch{return!1}}async function P0(W,Q,X){let z=L.get(W);if(z)clearTimeout(z.timer),z.resolve(X),L.delete(W),C.delete(W),m(W,Q.relayTargetNodeId);else C.set(W,X);if(G0(W,Q.relayTargetNodeId),Q.relayed){let Y=Y1();if(Y)try{let O=new URL(`${Y}/api/v1/pair/relay-response`),A=O.protocol==="https:"?R1:B1,V,G;try{let w=W0(),M=s.safeParse($.ariaNetworkManager?.getConfig?.()?.signingPublicKey).data,T=$.ariaNetworkManager?.getConfig?.()?.signingPrivateKey??w?.signingPrivateKey;if(T){let E=v.createPrivateKey({key:Buffer.from(T,"base64"),format:"der",type:"pkcs8"}),x=`${W}:${X.accepted}`;V=v.sign(null,Buffer.from(x,"utf8"),E).toString("base64"),G=M??w?.signingPublicKey}}catch{return}if(!V||!G)return;let D=JSON.stringify({requestId:W,accepted:X.accepted,responseSignature:V,responderSigningKey:G,encryptedToken:X.encryptedToken,ephemeralPublicKey:X.ephemeralPublicKey,ephemeralKeySignature:X.ephemeralKeySignature,nonce:X.nonce,tag:X.tag,caCert:X.caCert});await new Promise((w,M)=>{let T=A.request(O,{method:"POST",headers:{"Content-Type":"application/json"}},(E)=>{E.resume(),E.on("end",w)});T.on("error",M),T.write(D),T.end()})}catch{}}}$.post("/api/v1/pair/request",async(W,Q)=>{try{let X=h0(o1,W.body);if(!V0(W.ip))return Q.status(429).send({error:"Too many pair requests. Try again in 1 minute."});let{displayNameSnapshot:z,nodeId:Y,signingPublicKey:O,port:A,ephemeralPublicKey:V,ephemeralKeySignature:G,caCert:D}=X,w=W.ip,M=b.parse(Y.trim()),T=U1(W),E=L0({ingressHost:W.raw.socket?.localAddress,peerHost:W.ip,externalHost:T}),x=e(O);if(!x)return Q.status(400).send({error:"Invalid signingPublicKey"});let R=await E0();if(U.size>=i0)return Q.status(503).send({error:"Too many pending pair requests. Try again later."});for(let[,h]of U)if(h.nodeId===M&&Date.now()<h.expiresAt)return Q.status(409).send({error:"Pair request for this peer principal already pending"});let f=v.randomBytes(16).toString("hex"),k=Date.now();D0({id:f,nodeId:M,displayNameSnapshot:z,principalFingerprint:x,signingPublicKey:O,port:A,host:w,responderControlHostHint:T,ingressHost:E,createdAt:k,expiresAt:k+H0,ephemeralPublicKey:V,ephemeralKeySignature:G,caCert:D});let u=$.ariaNetworkManager?.getConfig(),I=u?.signingPublicKey?v.createHash("sha256").update(Buffer.from(u.signingPublicKey,"base64")).digest("hex"):"",S=R.tls.caCertPem;if(X.wait===!0){let h=await new Promise((N)=>{let t=setTimeout(()=>{L.delete(f),N(null)},t0);L.set(f,{resolve:N,timer:t})});if(m(f),h?.accepted)return Q.send({requestId:f,status:"accepted",responderFingerprint:I,protocolVersion:2,...S&&{caCert:S},...h});return Q.send({requestId:f,status:"rejected",responderFingerprint:I,protocolVersion:2,...S&&{caCert:S}})}return Q.send({requestId:f,status:"pending",responderFingerprint:I,protocolVersion:2,...S&&{caCert:S}})}catch(X){return Q.status(X0(X,500)).send({error:X.message})}}),$.get("/api/v1/pair/pending",async(W,Q)=>{if(!$0(W))return Q.code(403).send({error:"localhost-only"});let X=Date.now(),z=[];for(let[Y,O]of U)if(X>O.expiresAt)m(Y,O.relayTargetNodeId);else if(!O.relayed)z.push(_0(O));for(let[,Y]of B)for(let O of Y)if(X<O.expiresAt)z.push(_0(O));return Q.send({requests:z})}),$.get("/api/v1/pair/status/:requestId",async(W,Q)=>{let{requestId:X}=W.params,z=U.get(X);if(!z)return Q.status(404).send({error:"Pair request not found or expired"});if(Date.now()>z.expiresAt)return m(X,z.relayTargetNodeId),Q.status(404).send({error:"Pair request not found or expired"});if(!z.relayed&&z.host!==W.ip)return Q.status(403).send({error:"IP mismatch — long-poll must come from the original requester"});let Y=C.get(X);if(Y){if(C.delete(X),m(X,z.relayTargetNodeId),!Y.accepted)return Q.send({accepted:!1});if(!Y.encryptedToken||!Y.ephemeralPublicKey||!Y.nonce||!Y.tag)return Q.send({accepted:!1});return Q.send({accepted:!0,encryptedToken:Y.encryptedToken,ephemeralPublicKey:Y.ephemeralPublicKey,nonce:Y.nonce,tag:Y.tag,...Y.caCert&&{caCert:Y.caCert}})}if(L.has(X))return Q.status(409).send({error:"Another long-poll is already waiting"});if(H>=e1)return Q.status(503).send({error:"Too many active pairing requests. Try again later."});H++;try{let O=await new Promise((A)=>{let V=setTimeout(()=>{L.delete(X),A({accepted:!1})},t0);L.set(X,{resolve:A,timer:V})});if(O.accepted){if(O.encryptedToken&&O.ephemeralPublicKey&&O.nonce&&O.tag)return Q.send({accepted:!0,encryptedToken:O.encryptedToken,ephemeralPublicKey:O.ephemeralPublicKey,...O.ephemeralKeySignature&&{ephemeralKeySignature:O.ephemeralKeySignature},nonce:O.nonce,tag:O.tag,...O.caCert&&{caCert:O.caCert}})}return Q.send({accepted:!1})}finally{H=Math.max(0,H-1)}}),$.post("/api/v1/pair/respond",{schema:{body:{type:"object",required:["requestId","accepted"],properties:{requestId:{type:"string",minLength:1,maxLength:64},accepted:{type:"boolean"}}}}},async(W,Q)=>{if(!$0(W))return Q.code(403).send({error:"localhost-only"});try{let X=await N0(W.body);return Q.send(X)}catch(X){return Q.status(X0(X,500)).send({error:X.message})}}),$.post("/api/v1/pair/accept-invite",async(W,Q)=>{if(!$0(W))return Q.code(403).send({error:"localhost-only"});try{let X=h0(g1,W.body),z=$.ariaPairControl?.acceptInvite;if(!z)throw _(503,"Pair control or acceptInvite not available");let Y=await z(X);return Q.send(Y)}catch(X){return Q.status(X0(X,500)).send({error:X.message})}}),$.post("/api/v1/pair/relay",async(W,Q)=>{try{let X=h0(s1,W.body);if(!V0(W.ip))return Q.status(429).send({error:"Too many pair requests. Try again in 1 minute."});let{targetNodeId:z,displayNameSnapshot:Y,nodeId:O,signingPublicKey:A,port:V,ephemeralPublicKey:G,ephemeralKeySignature:D,caCert:w}=X,M=b.parse(O.trim()),T=e(A);if(!T)return Q.status(400).send({error:"Invalid signingPublicKey"});if(G&&D){if(!K0(G,D,A))return Q.status(403).send({error:"Relay authentication failed — invalid ephemeral key signature"})}if(U.size>=i0)return Q.status(503).send({error:"Too many pending pair requests. Try again later."});let E=10;if((B.get(z)??[]).filter((u)=>Date.now()<u.expiresAt).length>=E)return Q.status(429).send({error:`Too many pending relay requests for target principal "${z}"`});let f=v.randomBytes(16).toString("hex"),k=Date.now(),P={id:f,nodeId:M,displayNameSnapshot:Y,principalFingerprint:T,signingPublicKey:A,port:V,host:W.ip,ingressHost:L0({ingressHost:W.raw.socket?.localAddress,peerHost:W.ip}),createdAt:k,expiresAt:k+H0,ephemeralPublicKey:G,ephemeralKeySignature:D,caCert:w,relayed:!0,relayTargetNodeId:z};return D0(P),Q.send({relayed:!0,requestId:f})}catch(X){return Q.status(X0(X,500)).send({error:X.message})}}),$.get("/api/v1/pair/relay-pending",{schema:{querystring:a1}},async(W,Q)=>{let{targetNodeId:X,signingPublicKey:z,signature:Y,timestamp:O}=W.query,A=Number(O),V=Date.now();if(isNaN(A)||Math.abs(V-A)>H0)return Q.status(403).send({error:"Timestamp expired or invalid"});let G=`relay-pending:${X}:${O}`,D=!1;try{let E=v.createPublicKey({key:Buffer.from(z,"base64"),format:"der",type:"spki"});D=v.verify(null,Buffer.from(G,"utf8"),E,Buffer.from(Y,"base64"))}catch{D=!1}if(!D)return Q.status(403).send({error:"Invalid signature — identity verification failed"});let w=await n0($,{targetNodeId:X,signingPublicKey:z});if(w.status==="missing")return Q.status(403).send({error:"Target peer identity not registered — complete pairing first"});if(w.status==="mismatch")return Q.status(403).send({error:"Signing key does not match registered key for target peer"});let M=B.get(X)??[],T=M.filter((E)=>V<E.expiresAt);if(T.length!==M.length)B.set(X,T);return Q.send({requests:T})}),$.post("/api/v1/pair/relay-response",{schema:{body:{type:"object",required:["requestId","accepted","responseSignature","responderSigningKey"],properties:{requestId:{type:"string",minLength:1,maxLength:64},accepted:{type:"boolean"},responseSignature:{type:"string",minLength:1,maxLength:512},responderSigningKey:{type:"string",minLength:1,maxLength:512},encryptedToken:{type:"string",maxLength:4096},ephemeralPublicKey:{type:"string",maxLength:512},ephemeralKeySignature:{type:"string",maxLength:512},nonce:{type:"string",maxLength:64},tag:{type:"string",maxLength:64},caCert:{type:"string",maxLength:4096}}}}},async(W,Q)=>{let{requestId:X,accepted:z,responseSignature:Y,responderSigningKey:O,encryptedToken:A,ephemeralPublicKey:V,ephemeralKeySignature:G,nonce:D,tag:w,caCert:M}=W.body;{let f=`${X}:${z}`,k=!1;try{let P=v.createPublicKey({key:Buffer.from(O,"base64"),format:"der",type:"spki"});k=v.verify(null,Buffer.from(f,"utf8"),P,Buffer.from(Y,"base64"))}catch{k=!1}if(!k)return Q.status(403).send({error:"Relay response signature verification failed"})}let T=U.get(X);if(T&&T.relayTargetNodeId&&O){let f=s.safeParse(O);if(!f.success)return Q.status(400).send({error:"Invalid responder signing key"});if((await n0($,{targetNodeId:b.parse(T.relayTargetNodeId),signingPublicKey:f.data})).status==="mismatch")return Q.status(403).send({error:"Responder signing key does not match expected target peer identity"})}let E=U.get(X);if(!E)return Q.status(404).send({error:"Pair request not found or expired"});let x=!z?{accepted:!1}:{accepted:!0,encryptedToken:A,ephemeralPublicKey:V,ephemeralKeySignature:G,nonce:D,tag:w,caCert:M},R=L.get(X);if(!R)return C.set(X,x),G0(X,E.relayTargetNodeId),Q.send({relayed:!0});return clearTimeout(R.timer),L.delete(X),C.delete(X),m(X,E.relayTargetNodeId),R.resolve(x),Q.send({relayed:!0})}),$.post("/api/v1/pair/direct",{schema:{body:{oneOf:[{...u1},{type:"object",required:["envelope"],properties:{envelope:{type:"object"}}}]}}},async(W,Q)=>{try{if(!W.body?.envelope||typeof W.body.envelope!=="object")return Q.status(401).send({error:"MutationEnvelope required for direct pairing"});let X=$.ariaPairControl?.directPair;if(!X)return Q.status(503).send({error:"Pair control not available"});return Q.send(await X(W.body,W))}catch(X){let z=X0(X,500),Y=X instanceof Error?X.message:String(X);return Q.status(z).send({error:z===500?`Failed to configure tunnel: ${Y}`:Y})}})}
+export{w0 as ka,Q0 as la,y0 as ma,Z0 as na,x1 as oa,Y0 as pa,j0 as qa,L0 as ra,N2 as sa};

package/dist/index-9n50yafd.js

@@ -0,0 +1,3 @@
+import{fa as $}from"./index-5tav2m70.js";import{createHash as Z}from"node:crypto";import*as J from"node:fs";import*as K from"node:path";import{NodeIdSchema as q,RuntimeOwnerRecordSchema as z}from"@aria-cli/tools";var G=1,x=103,A=24,g=12;function N(){return process.env.HOME??"/tmp"}function O(){if(process.platform==="win32")return K.join(N(),".aria","sock");return K.join("/tmp","aria-sock")}function I(j){return Z("sha256").update(j).digest("hex").slice(0,12)}function H(j){return`${Z("sha256").update(j).digest("hex").slice(0,A)}.sock`}function E(j){return Buffer.byteLength(j,"utf8")<=x}function D(j){return K.resolve(j.trim())}function y(j){return K.join(O(),"explicit",Z("sha256").update(K.dirname(j)).digest("hex").slice(0,g))}function p(j){return`${Z("sha256").update(j).digest("hex").slice(0,A)}.sock`}function u(){let j=process.env.XDG_RUNTIME_DIR?.trim();if(j)return K.join(j,"aria");return K.join(N(),".aria","run")}function _(j){return K.join(j,"owners")}function L(j){let F=K.join(j,"sockets"),C=K.join(F,H(q.parse("socket-budget-probe")));if(E(C))return F;return K.join(O(),I(j))}function b(j,F){return K.join(_(j),`${F}.json`)}function f(j,F){let C=H(F),B=K.join(K.join(j,"sockets"),C);if(E(B))return B;return K.join(L(j),C)}function s(j){let F=D(j);if(E(F))return F;return K.join(y(F),p(F))}function w(j){J.mkdirSync(_(j),{recursive:!0,mode:448}),J.mkdirSync(L(j),{recursive:!0,mode:448})}function S(j,F){let C;try{C=JSON.parse(j)}catch(W){throw Error(`[runtime-registry] Invalid runtime owner record at ${F}: ${W instanceof Error?W.message:String(W)}`)}if(!C||typeof C!=="object")throw Error(`[runtime-registry] Invalid runtime owner record at ${F}: object required`);let B=C;if(B.schemaVersion!==G)throw Error(`[runtime-registry] Invalid runtime owner record at ${F}: unsupported schemaVersion`);let V=typeof B.ariaHome==="string"?B.ariaHome.trim():"",M=typeof B.displayNameSnapshot==="string"?B.displayNameSnapshot.trim():"",Q=typeof B.runtimeSocket==="string"?B.runtimeSocket.trim():"",Y=typeof B.startedAt==="string"?B.startedAt.trim():"",T=typeof B.lastHeartbeat==="string"?B.lastHeartbeat.trim():"",U=typeof B.runtimePid==="number"&&Number.isInteger(B.runtimePid)?B.runtimePid:NaN,X=typeof B.ownerGeneration==="number"&&Number.isInteger(B.ownerGeneration)?B.ownerGeneration:NaN;if(!V||!Q||!Y||!T)throw Error(`[runtime-registry] Invalid runtime owner record at ${F}: missing required strings`);if(!Number.isFinite(U)||U<=0)throw Error(`[runtime-registry] Invalid runtime owner record at ${F}: runtimePid must be positive`);if(!Number.isFinite(X)||X<=0)throw Error(`[runtime-registry] Invalid runtime owner record at ${F}: ownerGeneration must be positive`);return z.parse({schemaVersion:G,nodeId:B.nodeId,ariaHome:V,runtimePid:U,runtimeId:B.runtimeId,...M?{displayNameSnapshot:M}:{},runtimeSocket:Q,startedAt:Y,lastHeartbeat:T,ownerGeneration:X})}function k(j,F){let C=b(j,F);if(!J.existsSync(C))return null;return S(J.readFileSync(C,"utf8"),C)}function l(j){let F=_(j);if(!J.existsSync(F))return[];return J.readdirSync(F).filter((C)=>C.endsWith(".json")).map((C)=>S(J.readFileSync(K.join(F,C),"utf8"),C)).sort((C,B)=>C.nodeId.localeCompare(B.nodeId))}function m(j,F){w(j);let C={...F,ariaHome:$(F.ariaHome)},B=k(j,C.nodeId);if(B){if(B.ownerGeneration>C.ownerGeneration)return B;if(B.ownerGeneration===C.ownerGeneration){if(!(B.runtimeId===C.runtimeId&&B.runtimePid===C.runtimePid&&B.runtimeSocket===C.runtimeSocket&&B.startedAt===C.startedAt&&B.ariaHome===C.ariaHome))return B;if(B.lastHeartbeat.localeCompare(C.lastHeartbeat)>0)return B}}let V=b(j,C.nodeId),M=`${V}.${process.pid}.${Date.now()}.tmp`;return J.writeFileSync(M,`${JSON.stringify(C,null,2)}
+`,{encoding:"utf8",mode:384}),J.renameSync(M,V),C}function c(j,F){let C=b(j,F);try{J.rmSync(C,{force:!0})}catch{}}function a(j,F){let C=f(j,F);try{J.rmSync(C,{force:!0})}catch{}}function n(j){let F=0,C=0,B=_(j);if(J.existsSync(B))for(let M of J.readdirSync(B)){if(!M.endsWith(".json"))continue;let Q=K.join(B,M);try{let Y=J.readFileSync(Q,"utf8"),T=JSON.parse(Y),U=typeof T.runtimePid==="number"?T.runtimePid:NaN,X=typeof T.nodeId==="string"?T.nodeId:"";if(!Number.isFinite(U)||U<=0){J.rmSync(Q,{force:!0}),F++;continue}let W=!1;try{process.kill(U,0),W=!0}catch{}if(!W){if(J.rmSync(Q,{force:!0}),F++,X)try{let v=f(j,q.parse(X));J.rmSync(v,{force:!0}),C++}catch{}}}catch{try{J.rmSync(Q,{force:!0}),F++}catch{}}}let V=L(j);if(J.existsSync(V))for(let M of J.readdirSync(V)){if(!M.endsWith(".sock"))continue;let Q=K.join(V,M);try{if(!J.statSync(Q).isSocket())continue;let T=!1;if(J.existsSync(B))for(let U of J.readdirSync(B)){if(!U.endsWith(".json"))continue;try{let X=J.readFileSync(K.join(B,U),"utf8"),W=JSON.parse(X);if(typeof W.runtimeSocket==="string"&&W.runtimeSocket.endsWith(M)){T=!0;break}}catch{}}if(!T)J.rmSync(Q,{force:!0}),C++}catch{}}return{removedOwnerRecords:F,removedSockets:C}}function d(j,F){let C=$(F);return l(j).find((B)=>B.ariaHome===C)??null}
+export{G as R,u as S,_ as T,L as U,b as V,f as W,s as X,w as Y,k as Z,l as _,m as $,c as aa,a as ba,n as ca,d as da};

package/dist/index-9xs3gn0p.js

@@ -0,0 +1,2 @@
+import{createRequire as a}from"node:module";var c=a(import.meta.url);
+export{c as Aa};