@aria-cli/tools 1.0.12 → 1.0.14

package/dist/network-runtime/pair-route-contract.js

@@ -1,77 +0,0 @@
-import { z } from "zod";
-import { ControlEndpointAdvertisementSchema, NodeIdSchema, PrincipalFingerprintSchema, SigningPublicKeySchema, TransportEndpointAdvertisementSchema, } from "./address-types.js";
-import { SignedContinuityBindSchema } from "./protocol-schemas.js";
-const NonEmptyStringSchema = z.string().trim().min(1);
-function toFastifyBodyJsonSchema(schema) {
-    const jsonSchema = z.toJSONSchema(schema);
-    delete jsonSchema.$schema;
-    return jsonSchema;
-}
-export const PairRequestRouteBodySchema = z
-    .object({
-    displayNameSnapshot: NonEmptyStringSchema,
-    nodeId: NodeIdSchema,
-    signingPublicKey: SigningPublicKeySchema,
-    port: z.number().int().min(1).max(65535),
-    ephemeralPublicKey: z.string().max(512),
-    ephemeralKeySignature: z.string().max(512),
-    caCert: z.string().max(4096).optional(),
-    protocolVersion: z.number().min(1).max(100).optional(),
-    wait: z.boolean().optional(),
-})
-    .strict();
-export const PairRequestRouteBodyJsonSchema = toFastifyBodyJsonSchema(PairRequestRouteBodySchema);
-export const AcceptInviteRequestSchema = z
-    .object({
-    inviteToken: NonEmptyStringSchema,
-    nodeId: NodeIdSchema,
-    displayNameSnapshot: NonEmptyStringSchema.optional(),
-    transportEndpoint: TransportEndpointAdvertisementSchema,
-    controlEndpoint: ControlEndpointAdvertisementSchema,
-    continuity: SignedContinuityBindSchema.optional(),
-})
-    .strict();
-export const AcceptInviteRequestBodyJsonSchema = toFastifyBodyJsonSchema(AcceptInviteRequestSchema);
-export const PairRelayRouteBodySchema = z
-    .object({
-    targetNodeId: NodeIdSchema,
-    displayNameSnapshot: NonEmptyStringSchema,
-    nodeId: NodeIdSchema,
-    signingPublicKey: SigningPublicKeySchema,
-    port: z.number().int().min(1).max(65535),
-    ephemeralPublicKey: z.string().max(512),
-    ephemeralKeySignature: z.string().max(512),
-    caCert: z.string().max(4096).optional(),
-})
-    .strict();
-export const PairRelayRouteBodyJsonSchema = toFastifyBodyJsonSchema(PairRelayRouteBodySchema);
-export const RelayPendingQuerySchema = z
-    .object({
-    targetNodeId: NodeIdSchema,
-    signingPublicKey: SigningPublicKeySchema,
-    signature: NonEmptyStringSchema.max(512),
-    timestamp: NonEmptyStringSchema.max(20),
-})
-    .strict();
-export const RelayPendingQueryJsonSchema = toFastifyBodyJsonSchema(RelayPendingQuerySchema);
-export const RelayPendingRequestSchema = z
-    .object({
-    id: NonEmptyStringSchema,
-    nodeId: NodeIdSchema,
-    displayNameSnapshot: NonEmptyStringSchema.optional(),
-    principalFingerprint: PrincipalFingerprintSchema,
-    signingPublicKey: SigningPublicKeySchema,
-    port: z.number().int().min(1).max(65535),
-    ingressHost: NonEmptyStringSchema,
-    responderControlHostHint: NonEmptyStringSchema.optional(),
-    ephemeralPublicKey: z.string().max(512).optional(),
-    ephemeralKeySignature: z.string().max(512).optional(),
-    caCert: z.string().max(4096).optional(),
-    expiresAt: z.number().int().nonnegative(),
-})
-    .strict();
-export const RelayPendingResponseSchema = z
-    .object({
-    requests: RelayPendingRequestSchema.array(),
-})
-    .strict();

package/dist/network-runtime/peer-capabilities.js

@@ -1,28 +0,0 @@
-export function canRecordPendingPair(identityState) {
-    return identityState === "invited" || identityState === "joining";
-}
-export function canCommitVerifiedPair(identityState, proof) {
-    return identityState === "paired_unverified" && proof.proofValid;
-}
-export function canRefreshEndpoint(identityState) {
-    return (identityState === "joining" ||
-        identityState === "paired_unverified" ||
-        identityState === "verified");
-}
-export function canHeartbeat(identityState) {
-    return identityState === "paired_unverified" || identityState === "verified";
-}
-export function canAttemptBestEffortTransport(identityState, transportState) {
-    if (identityState === "revoked")
-        return false;
-    return (transportState === "endpoint_known" ||
-        transportState === "connecting" ||
-        transportState === "connected" ||
-        transportState === "degraded");
-}
-export function canAttemptDurableDelivery(identityState, transportState) {
-    return identityState === "verified" && transportState === "connected";
-}
-export function canMutateTrustedState(identityState) {
-    return identityState === "verified";
-}

package/dist/network-runtime/peer-principal-ref.js

@@ -1,12 +0,0 @@
-import { z } from "zod";
-import { BindingGenerationSchema, NodeIdSchema, PrincipalFingerprintSchema, PeerTransportIdSchema, } from "./address-types.js";
-const NonEmptyStringSchema = z.string().trim().min(1);
-export const NodePrincipalBindingRefSchema = z
-    .object({
-    nodeId: NodeIdSchema,
-    principalFingerprint: PrincipalFingerprintSchema,
-    transportPublicKey: PeerTransportIdSchema,
-    bindingGeneration: BindingGenerationSchema,
-    displayNameSnapshot: NonEmptyStringSchema.optional(),
-})
-    .strict();

package/dist/network-runtime/peer-state-machine.js

@@ -1,121 +0,0 @@
-import { z } from "zod";
-export const LegacyPeerRegistryStatusSchema = z.enum([
-    "active",
-    "pending",
-    "pending_tunnel",
-    "pending_verification",
-    "revoked",
-]);
-export const PeerIdentityStateSchema = z.enum([
-    "invited",
-    "joining",
-    "paired_unverified",
-    "verified",
-    "revoked",
-]);
-export const PeerTransportStateSchema = z.enum([
-    "unknown",
-    "endpoint_known",
-    "connecting",
-    "connected",
-    "degraded",
-    "disconnected",
-]);
-export const PeerMutationKindSchema = z.enum(["repair", "continuity", "revocation"]);
-export const LegacyPeerRuntimeShapeSchema = z.object({
-    status: LegacyPeerRegistryStatusSchema,
-    endpointHost: z.string().nullable().optional(),
-    endpointPort: z.number().int().nullable().optional(),
-    lastHandshake: z.number().int().nullable().optional(),
-});
-const VALID_TRANSPORT_BY_IDENTITY = {
-    invited: ["unknown", "endpoint_known"],
-    joining: ["unknown", "endpoint_known", "connecting"],
-    paired_unverified: [
-        "unknown",
-        "endpoint_known",
-        "connecting",
-        "connected",
-        "degraded",
-        "disconnected",
-    ],
-    verified: ["unknown", "endpoint_known", "connecting", "connected", "degraded", "disconnected"],
-    revoked: ["unknown", "disconnected"],
-};
-export function isValidPeerStateCombination(identityState, transportState) {
-    return VALID_TRANSPORT_BY_IDENTITY[identityState].includes(transportState);
-}
-export const PeerStateSnapshotSchema = z
-    .object({
-    identityState: PeerIdentityStateSchema,
-    transportState: PeerTransportStateSchema,
-})
-    .superRefine((value, ctx) => {
-    if (!isValidPeerStateCombination(value.identityState, value.transportState)) {
-        ctx.addIssue({
-            code: z.ZodIssueCode.custom,
-            message: `invalid peer state combination: ${value.identityState}/${value.transportState}`,
-        });
-    }
-});
-export function derivePeerStateFromLegacyStatus(input) {
-    const legacy = LegacyPeerRuntimeShapeSchema.parse(input);
-    const hasEndpoint = Boolean(legacy.endpointHost && legacy.endpointPort);
-    const hasHandshake = typeof legacy.lastHandshake === "number" &&
-        Number.isFinite(legacy.lastHandshake) &&
-        legacy.lastHandshake > 0;
-    const identityState = legacy.status === "pending"
-        ? "invited"
-        : legacy.status === "revoked"
-            ? "revoked"
-            : legacy.status === "active"
-                ? "verified"
-                : "paired_unverified";
-    const transportState = (() => {
-        switch (legacy.status) {
-            case "active":
-                return hasHandshake ? "connected" : hasEndpoint ? "endpoint_known" : "disconnected";
-            case "pending_tunnel":
-                return hasHandshake ? "connected" : hasEndpoint ? "connecting" : "unknown";
-            case "pending_verification":
-                return hasHandshake ? "connected" : hasEndpoint ? "endpoint_known" : "unknown";
-            case "pending":
-                return hasEndpoint ? "endpoint_known" : "unknown";
-            case "revoked":
-                return hasEndpoint ? "disconnected" : "unknown";
-        }
-    })();
-    return PeerStateSnapshotSchema.parse({ identityState, transportState });
-}
-const IDENTITY_TRANSITIONS = {
-    invited: ["invited", "joining", "revoked"],
-    joining: ["joining", "paired_unverified", "revoked"],
-    paired_unverified: ["paired_unverified", "verified", "revoked"],
-    verified: ["verified", "revoked"],
-    revoked: ["revoked"],
-};
-export function isValidPeerIdentityTransition(from, to, options = {}) {
-    if (from === "verified" && to === "paired_unverified") {
-        return options.viaContinuity === true;
-    }
-    return IDENTITY_TRANSITIONS[from].includes(to);
-}
-const TRANSPORT_TRANSITIONS = {
-    unknown: ["unknown", "endpoint_known"],
-    endpoint_known: ["endpoint_known", "connecting", "disconnected"],
-    connecting: ["connecting", "connected", "endpoint_known", "disconnected"],
-    connected: ["connected", "degraded", "disconnected"],
-    degraded: ["degraded", "connected", "disconnected"],
-    disconnected: ["disconnected", "endpoint_known"],
-};
-export function isValidPeerTransportTransition(from, to) {
-    return TRANSPORT_TRANSITIONS[from].includes(to);
-}
-const MUTATION_PRECEDENCE = {
-    repair: 0,
-    continuity: 1,
-    revocation: 2,
-};
-export function comparePeerMutationPrecedence(left, right) {
-    return MUTATION_PRECEDENCE[left] - MUTATION_PRECEDENCE[right];
-}

package/dist/network-runtime/protocol-schemas.js

@@ -1,205 +0,0 @@
-import { z } from "zod";
-import { BindingGenerationSchema, ControlEndpointAdvertisementSchema, EndpointRevisionSchema, NodeAdvertisementSchema, NodeIdSchema, PeerTransportIdSchema, PublicationRevisionSchema, PrincipalFingerprintSchema, RevocationGenerationSchema, SigningPublicKeySchema, TransportEndpointAdvertisementSchema, } from "./address-types.js";
-export { RuntimeEventKindSchema, RuntimeEventSchema, } from "./node-store-contract.js";
-import { NodePrincipalBindingRefSchema } from "./peer-principal-ref.js";
-const NonEmptyStringSchema = z.string().trim().min(1);
-// Signed transport invite tokens must preserve PEM bytes verbatim; trimming
-// a trailing newline changes the signed payload and breaks verification.
-const NonBlankVerbatimStringSchema = z
-    .string()
-    .min(1)
-    .refine((value) => value.trim().length > 0);
-const RecordSchema = z.record(z.string(), z.unknown());
-function toFastifyBodyJsonSchema(schema) {
-    const jsonSchema = z.toJSONSchema(schema);
-    delete jsonSchema.$schema;
-    return jsonSchema;
-}
-export const NETWORK_RUNTIME_PROTOCOL_VERSION = 1;
-export const NetworkRuntimeProtocolVersionSchema = z.literal(NETWORK_RUNTIME_PROTOCOL_VERSION);
-export function isSupportedNetworkRuntimeProtocolVersion(version) {
-    return version === NETWORK_RUNTIME_PROTOCOL_VERSION;
-}
-export function assertSupportedNetworkRuntimeProtocolVersion(version, context = "network runtime") {
-    if (!isSupportedNetworkRuntimeProtocolVersion(version)) {
-        throw new Error(`Unsupported ${context} protocol version ${String(version)}. Supported: ${NETWORK_RUNTIME_PROTOCOL_VERSION}`);
-    }
-    return version;
-}
-/**
- * Shared delivery-ack wire contract.
- * Durable settlement is keyed by stable peer identity, not display-name strings.
- */
-export const DeliveryAckSchema = z
-    .object({
-    protocolVersion: NetworkRuntimeProtocolVersionSchema,
-    messageId: NonEmptyStringSchema,
-    senderNodeId: NodeIdSchema,
-    recipientNodeId: NodeIdSchema,
-    storedAt: z.number().int().nonnegative(),
-})
-    .strict();
-export const TransportInviteTokenSchema = z
-    .object({
-    nodeId: NodeIdSchema,
-    audienceNodeId: NodeIdSchema.optional(),
-    publicKey: PeerTransportIdSchema,
-    leaderDisplayNameSnapshot: NonEmptyStringSchema.optional(),
-    host: NonEmptyStringSchema,
-    port: z.number().int().min(1).max(65535),
-    controlEndpoint: ControlEndpointAdvertisementSchema.optional(),
-    psk: NonEmptyStringSchema,
-    displayNameSnapshot: NonEmptyStringSchema.optional(),
-    signingPublicKey: SigningPublicKeySchema.optional(),
-    caCert: NonBlankVerbatimStringSchema.optional(),
-    createdAt: z.number().int().nonnegative(),
-    expiresAt: z.number().int().nonnegative(),
-    tokenNonce: NonEmptyStringSchema,
-    coordinationUrl: NonEmptyStringSchema.optional(),
-    networkId: NonEmptyStringSchema.optional(),
-})
-    .strict();
-export const JoinRequestSchema = z
-    .object({
-    protocolVersion: NetworkRuntimeProtocolVersionSchema,
-    nodeId: NodeIdSchema,
-    principalFingerprint: PrincipalFingerprintSchema,
-    peerPublicKey: PeerTransportIdSchema,
-    signingPublicKey: SigningPublicKeySchema,
-    transportEndpoint: TransportEndpointAdvertisementSchema,
-    controlEndpoint: ControlEndpointAdvertisementSchema.optional(),
-    displayNameSnapshot: NonEmptyStringSchema.optional(),
-    inviteTokenNonce: NonEmptyStringSchema,
-})
-    .strict();
-export const JoinRouteBodySchema = JoinRequestSchema.extend({
-    proofOfWork: NonEmptyStringSchema,
-}).strict();
-export const JoinRouteBodyJsonSchema = toFastifyBodyJsonSchema(JoinRouteBodySchema);
-export const RuntimeIngressEnvelopeSchema = z.union([
-    z
-        .object({
-        protocolVersion: NetworkRuntimeProtocolVersionSchema,
-        deliveryAck: DeliveryAckSchema,
-    })
-        .strict(),
-    z
-        .object({
-        protocolVersion: NetworkRuntimeProtocolVersionSchema,
-        ariaMessage: z.unknown(),
-    })
-        .strict(),
-    z
-        .object({
-        protocolVersion: NetworkRuntimeProtocolVersionSchema,
-        joinRequest: JoinRequestSchema,
-    })
-        .strict(),
-]);
-export const RuntimeNodeAdvertisementSchema = NodeAdvertisementSchema.extend({
-    protocolVersion: NetworkRuntimeProtocolVersionSchema,
-    publicationRevision: PublicationRevisionSchema,
-    signingPublicKey: SigningPublicKeySchema,
-    transportEndpoint: TransportEndpointAdvertisementSchema,
-    advertisedHosts: z.array(NonEmptyStringSchema).min(1).optional(),
-}).strict();
-export const RuntimeDiscoveryAdvertisementSchema = z
-    .object({
-    protocolVersion: NetworkRuntimeProtocolVersionSchema,
-    nodeId: NodeIdSchema,
-    displayNameSnapshot: NonEmptyStringSchema,
-    principalFingerprint: PrincipalFingerprintSchema,
-    controlPort: z.number().int().min(1).max(65535),
-    advertisedHosts: z.array(NonEmptyStringSchema).min(1),
-    tlsCaFingerprint: z.string().trim().min(1).optional(),
-})
-    .strict();
-export const RuntimeRegisterRequestSchema = z
-    .object({
-    protocolVersion: NetworkRuntimeProtocolVersionSchema,
-    nodeId: NodeIdSchema,
-    transportPublicKey: PeerTransportIdSchema,
-    principalFingerprint: PrincipalFingerprintSchema,
-    endpointRevision: EndpointRevisionSchema,
-    controlEndpoint: ControlEndpointAdvertisementSchema.optional(),
-    displayNameSnapshot: NonEmptyStringSchema.optional(),
-})
-    .strict();
-export const PairProposalSchema = z
-    .object({
-    protocolVersion: NetworkRuntimeProtocolVersionSchema,
-    nodeId: NodeIdSchema,
-    principalFingerprint: PrincipalFingerprintSchema,
-    transportPublicKey: PeerTransportIdSchema,
-    controlEndpoint: ControlEndpointAdvertisementSchema.optional(),
-    displayNameSnapshot: NonEmptyStringSchema.optional(),
-    presharedKey: NonEmptyStringSchema,
-})
-    .strict();
-/**
- * Canonical statement of a continuity bind transition.
- * This is the byte-exact payload that both parties sign.
- */
-export const ContinuityStatementSchema = z
-    .object({
-    nodeId: NodeIdSchema,
-    previousPrincipalFingerprint: PrincipalFingerprintSchema,
-    newPrincipalFingerprint: PrincipalFingerprintSchema,
-    newTransportPublicKey: PeerTransportIdSchema.optional(),
-    bindingGeneration: BindingGenerationSchema,
-    revocationGeneration: RevocationGenerationSchema.optional(),
-    createdAt: NonEmptyStringSchema,
-})
-    .strict();
-/**
- * Dual-signed continuity bind: delegation (previous principal) + acceptance
- * (new principal). Both public keys are included for independent verification.
- */
-export const SignedContinuityBindSchema = z
-    .object({
-    statement: ContinuityStatementSchema,
-    delegationSignature: NonEmptyStringSchema,
-    acceptanceSignature: NonEmptyStringSchema,
-    previousPublicKey: NonEmptyStringSchema,
-    newPublicKey: NonEmptyStringSchema,
-})
-    .strict();
-export const MutationOperationSchema = z.enum([
-    "network.register",
-    "network.revoke",
-    "network.list_peers",
-    "pair.direct",
-    "pair.relay",
-    "pair.relay_response",
-    "peer.update_capabilities",
-    "peer.update_trust_tier",
-]);
-export const MutationEnvelopeSchema = z
-    .object({
-    version: NetworkRuntimeProtocolVersionSchema,
-    id: NonEmptyStringSchema,
-    operation: MutationOperationSchema,
-    principal: NodePrincipalBindingRefSchema,
-    target: NodePrincipalBindingRefSchema,
-    namespace: NonEmptyStringSchema,
-    policyEpoch: z.number().int().nonnegative(),
-    nonce: NonEmptyStringSchema,
-    timestamp: z.number().int().nonnegative(),
-    ttl: z.number().int().positive(),
-    contextHash: NonEmptyStringSchema,
-    payload: RecordSchema,
-    signature: NonEmptyStringSchema,
-    method: NonEmptyStringSchema.optional(),
-    path: NonEmptyStringSchema.optional(),
-    metadata: RecordSchema.optional(),
-    reason: NonEmptyStringSchema.optional(),
-    parentEnvelopeId: NonEmptyStringSchema.optional(),
-})
-    .strict();
-export const NetworkRouteRevokeRequestSchema = z
-    .object({
-    nodeId: NodeIdSchema,
-    envelope: MutationEnvelopeSchema,
-})
-    .strict();
-export const NetworkRouteRevokeRequestJsonSchema = toFastifyBodyJsonSchema(NetworkRouteRevokeRequestSchema);

package/dist/network-runtime/runtime-bootstrap-contract.js

@@ -1,60 +0,0 @@
-import { z } from "zod";
-import { LoopbackTlsIdentitySchema, NodeIdSchema, OwnerGenerationSchema, PeerTransportIdSchema, PrincipalFingerprintSchema, RuntimeIdSchema, SigningPublicKeySchema, TlsCaFingerprintSchema, TransportEndpointAdvertisementSchema, } from "./address-types.js";
-import { NetworkRuntimeProtocolVersionSchema } from "./protocol-schemas.js";
-const NonEmptyTrimmedStringSchema = z.string().trim().min(1);
-const NonBlankVerbatimStringSchema = z
-    .string()
-    .min(1)
-    .refine((value) => value.trim().length > 0);
-export const RuntimeBootstrapRevisionSchema = z.number().int().nonnegative();
-export const RuntimeBootstrapPhaseSchema = z.enum([
-    "starting",
-    "tls_bound",
-    "control_ready",
-    "network_ready",
-    "mesh_ready",
-    "degraded",
-    "stopped",
-]);
-export const RuntimeBootstrapControlEndpointSchema = z
-    .object({
-    host: NonEmptyTrimmedStringSchema,
-    port: z.number().int().min(1).max(65535),
-})
-    .strict();
-export const RuntimeBootstrapTlsSchema = z
-    .object({
-    caFingerprint: TlsCaFingerprintSchema,
-    caCertPem: NonBlankVerbatimStringSchema,
-    principalIdentity: PrincipalFingerprintSchema,
-    loopbackIdentity: LoopbackTlsIdentitySchema,
-})
-    .strict();
-export const RuntimeBootstrapIdentitySchema = z
-    .object({
-    signingPublicKey: SigningPublicKeySchema,
-    transportPublicKey: PeerTransportIdSchema,
-    transportEndpoint: TransportEndpointAdvertisementSchema,
-    displayNameSnapshot: NonEmptyTrimmedStringSchema.optional(),
-})
-    .strict();
-export const RuntimeBootstrapRecordSchema = z
-    .object({
-    nodeId: NodeIdSchema,
-    runtimeId: RuntimeIdSchema,
-    arionName: NonEmptyTrimmedStringSchema.optional(),
-    ownerGeneration: OwnerGenerationSchema,
-    bootstrapRevision: RuntimeBootstrapRevisionSchema,
-    phase: RuntimeBootstrapPhaseSchema,
-    protocolVersion: NetworkRuntimeProtocolVersionSchema,
-    controlEndpoint: RuntimeBootstrapControlEndpointSchema,
-    displayNameSnapshot: NonEmptyTrimmedStringSchema.optional(),
-    signingPublicKey: SigningPublicKeySchema,
-    transportPublicKey: PeerTransportIdSchema,
-    transportEndpoint: TransportEndpointAdvertisementSchema,
-    tls: RuntimeBootstrapTlsSchema,
-    publishedAt: NonEmptyTrimmedStringSchema,
-    degradedReason: NonEmptyTrimmedStringSchema.optional(),
-    failedPhase: RuntimeBootstrapPhaseSchema.optional(),
-})
-    .strict();