@aria-cli/tools 1.0.19 → 1.0.31

package/dist/network-runtime/pair-route-contract.js

@@ -0,0 +1,78 @@
+import { z } from "zod";
+import { ControlEndpointAdvertisementSchema, NodeIdSchema, PrincipalFingerprintSchema, SigningPublicKeySchema, TransportEndpointAdvertisementSchema, } from "./address-types.js";
+import { SignedContinuityBindSchema } from "./protocol-schemas.js";
+const NonEmptyStringSchema = z.string().trim().min(1);
+function toFastifyBodyJsonSchema(schema) {
+    const jsonSchema = z.toJSONSchema(schema);
+    delete jsonSchema.$schema;
+    return jsonSchema;
+}
+export const PairRequestRouteBodySchema = z
+    .object({
+    displayNameSnapshot: NonEmptyStringSchema,
+    nodeId: NodeIdSchema,
+    signingPublicKey: SigningPublicKeySchema,
+    port: z.number().int().min(1).max(65535),
+    ephemeralPublicKey: z.string().max(512),
+    ephemeralKeySignature: z.string().max(512),
+    caCert: z.string().max(4096).optional(),
+    protocolVersion: z.number().min(1).max(100).optional(),
+    wait: z.boolean().optional(),
+})
+    .strict();
+export const PairRequestRouteBodyJsonSchema = toFastifyBodyJsonSchema(PairRequestRouteBodySchema);
+export const AcceptInviteRequestSchema = z
+    .object({
+    inviteToken: NonEmptyStringSchema,
+    nodeId: NodeIdSchema,
+    displayNameSnapshot: NonEmptyStringSchema.optional(),
+    transportEndpoint: TransportEndpointAdvertisementSchema,
+    controlEndpoint: ControlEndpointAdvertisementSchema,
+    continuity: SignedContinuityBindSchema.optional(),
+})
+    .strict();
+export const AcceptInviteRequestBodyJsonSchema = toFastifyBodyJsonSchema(AcceptInviteRequestSchema);
+export const PairRelayRouteBodySchema = z
+    .object({
+    targetNodeId: NodeIdSchema,
+    displayNameSnapshot: NonEmptyStringSchema,
+    nodeId: NodeIdSchema,
+    signingPublicKey: SigningPublicKeySchema,
+    port: z.number().int().min(1).max(65535),
+    ephemeralPublicKey: z.string().max(512),
+    ephemeralKeySignature: z.string().max(512),
+    caCert: z.string().max(4096).optional(),
+})
+    .strict();
+export const PairRelayRouteBodyJsonSchema = toFastifyBodyJsonSchema(PairRelayRouteBodySchema);
+export const RelayPendingQuerySchema = z
+    .object({
+    targetNodeId: NodeIdSchema,
+    signingPublicKey: SigningPublicKeySchema,
+    signature: NonEmptyStringSchema.max(512),
+    timestamp: NonEmptyStringSchema.max(20),
+})
+    .strict();
+export const RelayPendingQueryJsonSchema = toFastifyBodyJsonSchema(RelayPendingQuerySchema);
+export const RelayPendingRequestSchema = z
+    .object({
+    id: NonEmptyStringSchema,
+    nodeId: NodeIdSchema,
+    displayNameSnapshot: NonEmptyStringSchema.optional(),
+    principalFingerprint: PrincipalFingerprintSchema,
+    signingPublicKey: SigningPublicKeySchema,
+    port: z.number().int().min(1).max(65535),
+    ingressHost: NonEmptyStringSchema,
+    responderControlHostHint: NonEmptyStringSchema.optional(),
+    ephemeralPublicKey: z.string().max(512).optional(),
+    ephemeralKeySignature: z.string().max(512).optional(),
+    caCert: z.string().max(4096).optional(),
+    expiresAt: z.number().int().nonnegative(),
+})
+    .strict();
+export const RelayPendingResponseSchema = z
+    .object({
+    requests: RelayPendingRequestSchema.array(),
+})
+    .strict();
+//# sourceMappingURL=pair-route-contract.js.map

package/dist/network-runtime/peer-capabilities.js

@@ -0,0 +1,29 @@
+export function canRecordPendingPair(identityState) {
+    return identityState === "invited" || identityState === "joining";
+}
+export function canCommitVerifiedPair(identityState, proof) {
+    return identityState === "paired_unverified" && proof.proofValid;
+}
+export function canRefreshEndpoint(identityState) {
+    return (identityState === "joining" ||
+        identityState === "paired_unverified" ||
+        identityState === "verified");
+}
+export function canHeartbeat(identityState) {
+    return identityState === "paired_unverified" || identityState === "verified";
+}
+export function canAttemptBestEffortTransport(identityState, transportState) {
+    if (identityState === "revoked")
+        return false;
+    return (transportState === "endpoint_known" ||
+        transportState === "connecting" ||
+        transportState === "connected" ||
+        transportState === "degraded");
+}
+export function canAttemptDurableDelivery(identityState, transportState) {
+    return identityState === "verified" && transportState === "connected";
+}
+export function canMutateTrustedState(identityState) {
+    return identityState === "verified";
+}
+//# sourceMappingURL=peer-capabilities.js.map

package/dist/network-runtime/peer-principal-ref.js

@@ -0,0 +1,13 @@
+import { z } from "zod";
+import { BindingGenerationSchema, NodeIdSchema, PrincipalFingerprintSchema, PeerTransportIdSchema, } from "./address-types.js";
+const NonEmptyStringSchema = z.string().trim().min(1);
+export const NodePrincipalBindingRefSchema = z
+    .object({
+    nodeId: NodeIdSchema,
+    principalFingerprint: PrincipalFingerprintSchema,
+    transportPublicKey: PeerTransportIdSchema,
+    bindingGeneration: BindingGenerationSchema,
+    displayNameSnapshot: NonEmptyStringSchema.optional(),
+})
+    .strict();
+//# sourceMappingURL=peer-principal-ref.js.map

package/dist/network-runtime/peer-state-machine.js

@@ -0,0 +1,122 @@
+import { z } from "zod";
+export const LegacyPeerRegistryStatusSchema = z.enum([
+    "active",
+    "pending",
+    "pending_tunnel",
+    "pending_verification",
+    "revoked",
+]);
+export const PeerIdentityStateSchema = z.enum([
+    "invited",
+    "joining",
+    "paired_unverified",
+    "verified",
+    "revoked",
+]);
+export const PeerTransportStateSchema = z.enum([
+    "unknown",
+    "endpoint_known",
+    "connecting",
+    "connected",
+    "degraded",
+    "disconnected",
+]);
+export const PeerMutationKindSchema = z.enum(["repair", "continuity", "revocation"]);
+export const LegacyPeerRuntimeShapeSchema = z.object({
+    status: LegacyPeerRegistryStatusSchema,
+    endpointHost: z.string().nullable().optional(),
+    endpointPort: z.number().int().nullable().optional(),
+    lastHandshake: z.number().int().nullable().optional(),
+});
+const VALID_TRANSPORT_BY_IDENTITY = {
+    invited: ["unknown", "endpoint_known"],
+    joining: ["unknown", "endpoint_known", "connecting"],
+    paired_unverified: [
+        "unknown",
+        "endpoint_known",
+        "connecting",
+        "connected",
+        "degraded",
+        "disconnected",
+    ],
+    verified: ["unknown", "endpoint_known", "connecting", "connected", "degraded", "disconnected"],
+    revoked: ["unknown", "disconnected"],
+};
+export function isValidPeerStateCombination(identityState, transportState) {
+    return VALID_TRANSPORT_BY_IDENTITY[identityState].includes(transportState);
+}
+export const PeerStateSnapshotSchema = z
+    .object({
+    identityState: PeerIdentityStateSchema,
+    transportState: PeerTransportStateSchema,
+})
+    .superRefine((value, ctx) => {
+    if (!isValidPeerStateCombination(value.identityState, value.transportState)) {
+        ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            message: `invalid peer state combination: ${value.identityState}/${value.transportState}`,
+        });
+    }
+});
+export function derivePeerStateFromLegacyStatus(input) {
+    const legacy = LegacyPeerRuntimeShapeSchema.parse(input);
+    const hasEndpoint = Boolean(legacy.endpointHost && legacy.endpointPort);
+    const hasHandshake = typeof legacy.lastHandshake === "number" &&
+        Number.isFinite(legacy.lastHandshake) &&
+        legacy.lastHandshake > 0;
+    const identityState = legacy.status === "pending"
+        ? "invited"
+        : legacy.status === "revoked"
+            ? "revoked"
+            : legacy.status === "active"
+                ? "verified"
+                : "paired_unverified";
+    const transportState = (() => {
+        switch (legacy.status) {
+            case "active":
+                return hasHandshake ? "connected" : hasEndpoint ? "endpoint_known" : "disconnected";
+            case "pending_tunnel":
+                return hasHandshake ? "connected" : hasEndpoint ? "connecting" : "unknown";
+            case "pending_verification":
+                return hasHandshake ? "connected" : hasEndpoint ? "endpoint_known" : "unknown";
+            case "pending":
+                return hasEndpoint ? "endpoint_known" : "unknown";
+            case "revoked":
+                return hasEndpoint ? "disconnected" : "unknown";
+        }
+    })();
+    return PeerStateSnapshotSchema.parse({ identityState, transportState });
+}
+const IDENTITY_TRANSITIONS = {
+    invited: ["invited", "joining", "revoked"],
+    joining: ["joining", "paired_unverified", "revoked"],
+    paired_unverified: ["paired_unverified", "verified", "revoked"],
+    verified: ["verified", "revoked"],
+    revoked: ["revoked"],
+};
+export function isValidPeerIdentityTransition(from, to, options = {}) {
+    if (from === "verified" && to === "paired_unverified") {
+        return options.viaContinuity === true;
+    }
+    return IDENTITY_TRANSITIONS[from].includes(to);
+}
+const TRANSPORT_TRANSITIONS = {
+    unknown: ["unknown", "endpoint_known"],
+    endpoint_known: ["endpoint_known", "connecting", "disconnected"],
+    connecting: ["connecting", "connected", "endpoint_known", "disconnected"],
+    connected: ["connected", "degraded", "disconnected"],
+    degraded: ["degraded", "connected", "disconnected"],
+    disconnected: ["disconnected", "endpoint_known"],
+};
+export function isValidPeerTransportTransition(from, to) {
+    return TRANSPORT_TRANSITIONS[from].includes(to);
+}
+const MUTATION_PRECEDENCE = {
+    repair: 0,
+    continuity: 1,
+    revocation: 2,
+};
+export function comparePeerMutationPrecedence(left, right) {
+    return MUTATION_PRECEDENCE[left] - MUTATION_PRECEDENCE[right];
+}
+//# sourceMappingURL=peer-state-machine.js.map

package/dist/network-runtime/protocol-schemas.js

@@ -0,0 +1,206 @@
+import { z } from "zod";
+import { BindingGenerationSchema, ControlEndpointAdvertisementSchema, EndpointRevisionSchema, NodeAdvertisementSchema, NodeIdSchema, PeerTransportIdSchema, PublicationRevisionSchema, PrincipalFingerprintSchema, RevocationGenerationSchema, SigningPublicKeySchema, TransportEndpointAdvertisementSchema, } from "./address-types.js";
+export { RuntimeEventKindSchema, RuntimeEventSchema, } from "./node-store-contract.js";
+import { NodePrincipalBindingRefSchema } from "./peer-principal-ref.js";
+const NonEmptyStringSchema = z.string().trim().min(1);
+// Signed transport invite tokens must preserve PEM bytes verbatim; trimming
+// a trailing newline changes the signed payload and breaks verification.
+const NonBlankVerbatimStringSchema = z
+    .string()
+    .min(1)
+    .refine((value) => value.trim().length > 0);
+const RecordSchema = z.record(z.string(), z.unknown());
+function toFastifyBodyJsonSchema(schema) {
+    const jsonSchema = z.toJSONSchema(schema);
+    delete jsonSchema.$schema;
+    return jsonSchema;
+}
+export const NETWORK_RUNTIME_PROTOCOL_VERSION = 1;
+export const NetworkRuntimeProtocolVersionSchema = z.literal(NETWORK_RUNTIME_PROTOCOL_VERSION);
+export function isSupportedNetworkRuntimeProtocolVersion(version) {
+    return version === NETWORK_RUNTIME_PROTOCOL_VERSION;
+}
+export function assertSupportedNetworkRuntimeProtocolVersion(version, context = "network runtime") {
+    if (!isSupportedNetworkRuntimeProtocolVersion(version)) {
+        throw new Error(`Unsupported ${context} protocol version ${String(version)}. Supported: ${NETWORK_RUNTIME_PROTOCOL_VERSION}`);
+    }
+    return version;
+}
+/**
+ * Shared delivery-ack wire contract.
+ * Durable settlement is keyed by stable peer identity, not display-name strings.
+ */
+export const DeliveryAckSchema = z
+    .object({
+    protocolVersion: NetworkRuntimeProtocolVersionSchema,
+    messageId: NonEmptyStringSchema,
+    senderNodeId: NodeIdSchema,
+    recipientNodeId: NodeIdSchema,
+    storedAt: z.number().int().nonnegative(),
+})
+    .strict();
+export const TransportInviteTokenSchema = z
+    .object({
+    nodeId: NodeIdSchema,
+    audienceNodeId: NodeIdSchema.optional(),
+    publicKey: PeerTransportIdSchema,
+    leaderDisplayNameSnapshot: NonEmptyStringSchema.optional(),
+    host: NonEmptyStringSchema,
+    port: z.number().int().min(1).max(65535),
+    controlEndpoint: ControlEndpointAdvertisementSchema.optional(),
+    psk: NonEmptyStringSchema,
+    displayNameSnapshot: NonEmptyStringSchema.optional(),
+    signingPublicKey: SigningPublicKeySchema.optional(),
+    caCert: NonBlankVerbatimStringSchema.optional(),
+    createdAt: z.number().int().nonnegative(),
+    expiresAt: z.number().int().nonnegative(),
+    tokenNonce: NonEmptyStringSchema,
+    coordinationUrl: NonEmptyStringSchema.optional(),
+    networkId: NonEmptyStringSchema.optional(),
+})
+    .strict();
+export const JoinRequestSchema = z
+    .object({
+    protocolVersion: NetworkRuntimeProtocolVersionSchema,
+    nodeId: NodeIdSchema,
+    principalFingerprint: PrincipalFingerprintSchema,
+    peerPublicKey: PeerTransportIdSchema,
+    signingPublicKey: SigningPublicKeySchema,
+    transportEndpoint: TransportEndpointAdvertisementSchema,
+    controlEndpoint: ControlEndpointAdvertisementSchema.optional(),
+    displayNameSnapshot: NonEmptyStringSchema.optional(),
+    inviteTokenNonce: NonEmptyStringSchema,
+})
+    .strict();
+export const JoinRouteBodySchema = JoinRequestSchema.extend({
+    proofOfWork: NonEmptyStringSchema,
+}).strict();
+export const JoinRouteBodyJsonSchema = toFastifyBodyJsonSchema(JoinRouteBodySchema);
+export const RuntimeIngressEnvelopeSchema = z.union([
+    z
+        .object({
+        protocolVersion: NetworkRuntimeProtocolVersionSchema,
+        deliveryAck: DeliveryAckSchema,
+    })
+        .strict(),
+    z
+        .object({
+        protocolVersion: NetworkRuntimeProtocolVersionSchema,
+        ariaMessage: z.unknown(),
+    })
+        .strict(),
+    z
+        .object({
+        protocolVersion: NetworkRuntimeProtocolVersionSchema,
+        joinRequest: JoinRequestSchema,
+    })
+        .strict(),
+]);
+export const RuntimeNodeAdvertisementSchema = NodeAdvertisementSchema.extend({
+    protocolVersion: NetworkRuntimeProtocolVersionSchema,
+    publicationRevision: PublicationRevisionSchema,
+    signingPublicKey: SigningPublicKeySchema,
+    transportEndpoint: TransportEndpointAdvertisementSchema,
+    advertisedHosts: z.array(NonEmptyStringSchema).min(1).optional(),
+}).strict();
+export const RuntimeDiscoveryAdvertisementSchema = z
+    .object({
+    protocolVersion: NetworkRuntimeProtocolVersionSchema,
+    nodeId: NodeIdSchema,
+    displayNameSnapshot: NonEmptyStringSchema,
+    principalFingerprint: PrincipalFingerprintSchema,
+    controlPort: z.number().int().min(1).max(65535),
+    advertisedHosts: z.array(NonEmptyStringSchema).min(1),
+    tlsCaFingerprint: z.string().trim().min(1).optional(),
+})
+    .strict();
+export const RuntimeRegisterRequestSchema = z
+    .object({
+    protocolVersion: NetworkRuntimeProtocolVersionSchema,
+    nodeId: NodeIdSchema,
+    transportPublicKey: PeerTransportIdSchema,
+    principalFingerprint: PrincipalFingerprintSchema,
+    endpointRevision: EndpointRevisionSchema,
+    controlEndpoint: ControlEndpointAdvertisementSchema.optional(),
+    displayNameSnapshot: NonEmptyStringSchema.optional(),
+})
+    .strict();
+export const PairProposalSchema = z
+    .object({
+    protocolVersion: NetworkRuntimeProtocolVersionSchema,
+    nodeId: NodeIdSchema,
+    principalFingerprint: PrincipalFingerprintSchema,
+    transportPublicKey: PeerTransportIdSchema,
+    controlEndpoint: ControlEndpointAdvertisementSchema.optional(),
+    displayNameSnapshot: NonEmptyStringSchema.optional(),
+    presharedKey: NonEmptyStringSchema,
+})
+    .strict();
+/**
+ * Canonical statement of a continuity bind transition.
+ * This is the byte-exact payload that both parties sign.
+ */
+export const ContinuityStatementSchema = z
+    .object({
+    nodeId: NodeIdSchema,
+    previousPrincipalFingerprint: PrincipalFingerprintSchema,
+    newPrincipalFingerprint: PrincipalFingerprintSchema,
+    newTransportPublicKey: PeerTransportIdSchema.optional(),
+    bindingGeneration: BindingGenerationSchema,
+    revocationGeneration: RevocationGenerationSchema.optional(),
+    createdAt: NonEmptyStringSchema,
+})
+    .strict();
+/**
+ * Dual-signed continuity bind: delegation (previous principal) + acceptance
+ * (new principal). Both public keys are included for independent verification.
+ */
+export const SignedContinuityBindSchema = z
+    .object({
+    statement: ContinuityStatementSchema,
+    delegationSignature: NonEmptyStringSchema,
+    acceptanceSignature: NonEmptyStringSchema,
+    previousPublicKey: NonEmptyStringSchema,
+    newPublicKey: NonEmptyStringSchema,
+})
+    .strict();
+export const MutationOperationSchema = z.enum([
+    "network.register",
+    "network.revoke",
+    "network.list_peers",
+    "pair.direct",
+    "pair.relay",
+    "pair.relay_response",
+    "peer.update_capabilities",
+    "peer.update_trust_tier",
+]);
+export const MutationEnvelopeSchema = z
+    .object({
+    version: NetworkRuntimeProtocolVersionSchema,
+    id: NonEmptyStringSchema,
+    operation: MutationOperationSchema,
+    principal: NodePrincipalBindingRefSchema,
+    target: NodePrincipalBindingRefSchema,
+    namespace: NonEmptyStringSchema,
+    policyEpoch: z.number().int().nonnegative(),
+    nonce: NonEmptyStringSchema,
+    timestamp: z.number().int().nonnegative(),
+    ttl: z.number().int().positive(),
+    contextHash: NonEmptyStringSchema,
+    payload: RecordSchema,
+    signature: NonEmptyStringSchema,
+    method: NonEmptyStringSchema.optional(),
+    path: NonEmptyStringSchema.optional(),
+    metadata: RecordSchema.optional(),
+    reason: NonEmptyStringSchema.optional(),
+    parentEnvelopeId: NonEmptyStringSchema.optional(),
+})
+    .strict();
+export const NetworkRouteRevokeRequestSchema = z
+    .object({
+    nodeId: NodeIdSchema,
+    envelope: MutationEnvelopeSchema,
+})
+    .strict();
+export const NetworkRouteRevokeRequestJsonSchema = toFastifyBodyJsonSchema(NetworkRouteRevokeRequestSchema);
+//# sourceMappingURL=protocol-schemas.js.map

package/dist/network-runtime/runtime-bootstrap-contract.js

@@ -0,0 +1,61 @@
+import { z } from "zod";
+import { LoopbackTlsIdentitySchema, NodeIdSchema, OwnerGenerationSchema, PeerTransportIdSchema, PrincipalFingerprintSchema, RuntimeIdSchema, SigningPublicKeySchema, TlsCaFingerprintSchema, TransportEndpointAdvertisementSchema, } from "./address-types.js";
+import { NetworkRuntimeProtocolVersionSchema } from "./protocol-schemas.js";
+const NonEmptyTrimmedStringSchema = z.string().trim().min(1);
+const NonBlankVerbatimStringSchema = z
+    .string()
+    .min(1)
+    .refine((value) => value.trim().length > 0);
+export const RuntimeBootstrapRevisionSchema = z.number().int().nonnegative();
+export const RuntimeBootstrapPhaseSchema = z.enum([
+    "starting",
+    "tls_bound",
+    "control_ready",
+    "network_ready",
+    "mesh_ready",
+    "degraded",
+    "stopped",
+]);
+export const RuntimeBootstrapControlEndpointSchema = z
+    .object({
+    host: NonEmptyTrimmedStringSchema,
+    port: z.number().int().min(1).max(65535),
+})
+    .strict();
+export const RuntimeBootstrapTlsSchema = z
+    .object({
+    caFingerprint: TlsCaFingerprintSchema,
+    caCertPem: NonBlankVerbatimStringSchema,
+    principalIdentity: PrincipalFingerprintSchema,
+    loopbackIdentity: LoopbackTlsIdentitySchema,
+})
+    .strict();
+export const RuntimeBootstrapIdentitySchema = z
+    .object({
+    signingPublicKey: SigningPublicKeySchema,
+    transportPublicKey: PeerTransportIdSchema,
+    transportEndpoint: TransportEndpointAdvertisementSchema,
+    displayNameSnapshot: NonEmptyTrimmedStringSchema.optional(),
+})
+    .strict();
+export const RuntimeBootstrapRecordSchema = z
+    .object({
+    nodeId: NodeIdSchema,
+    runtimeId: RuntimeIdSchema,
+    arionName: NonEmptyTrimmedStringSchema.optional(),
+    ownerGeneration: OwnerGenerationSchema,
+    bootstrapRevision: RuntimeBootstrapRevisionSchema,
+    phase: RuntimeBootstrapPhaseSchema,
+    protocolVersion: NetworkRuntimeProtocolVersionSchema,
+    controlEndpoint: RuntimeBootstrapControlEndpointSchema,
+    displayNameSnapshot: NonEmptyTrimmedStringSchema.optional(),
+    signingPublicKey: SigningPublicKeySchema,
+    transportPublicKey: PeerTransportIdSchema,
+    transportEndpoint: TransportEndpointAdvertisementSchema,
+    tls: RuntimeBootstrapTlsSchema,
+    publishedAt: NonEmptyTrimmedStringSchema,
+    degradedReason: NonEmptyTrimmedStringSchema.optional(),
+    failedPhase: RuntimeBootstrapPhaseSchema.optional(),
+})
+    .strict();
+//# sourceMappingURL=runtime-bootstrap-contract.js.map