@aster-rpc/aster 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/capabilities.d.ts +26 -0
- package/dist/capabilities.d.ts.map +1 -0
- package/dist/capabilities.js +29 -0
- package/dist/capabilities.js.map +1 -0
- package/dist/client.d.ts +65 -0
- package/dist/client.d.ts.map +1 -0
- package/dist/client.js +108 -0
- package/dist/client.js.map +1 -0
- package/dist/codec.d.ts +156 -0
- package/dist/codec.d.ts.map +1 -0
- package/dist/codec.js +477 -0
- package/dist/codec.js.map +1 -0
- package/dist/config.d.ts +102 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +454 -0
- package/dist/config.js.map +1 -0
- package/dist/contract/identity.d.ts +115 -0
- package/dist/contract/identity.d.ts.map +1 -0
- package/dist/contract/identity.js +188 -0
- package/dist/contract/identity.js.map +1 -0
- package/dist/contract/manifest.d.ts +77 -0
- package/dist/contract/manifest.d.ts.map +1 -0
- package/dist/contract/manifest.js +127 -0
- package/dist/contract/manifest.js.map +1 -0
- package/dist/contract/publication.d.ts +71 -0
- package/dist/contract/publication.d.ts.map +1 -0
- package/dist/contract/publication.js +85 -0
- package/dist/contract/publication.js.map +1 -0
- package/dist/decorators.d.ts +139 -0
- package/dist/decorators.d.ts.map +1 -0
- package/dist/decorators.js +175 -0
- package/dist/decorators.js.map +1 -0
- package/dist/dynamic.d.ts +61 -0
- package/dist/dynamic.d.ts.map +1 -0
- package/dist/dynamic.js +147 -0
- package/dist/dynamic.js.map +1 -0
- package/dist/framing.d.ts +74 -0
- package/dist/framing.d.ts.map +1 -0
- package/dist/framing.js +162 -0
- package/dist/framing.js.map +1 -0
- package/dist/health.d.ts +127 -0
- package/dist/health.d.ts.map +1 -0
- package/dist/health.js +236 -0
- package/dist/health.js.map +1 -0
- package/dist/index.d.ts +67 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +101 -0
- package/dist/index.js.map +1 -0
- package/dist/interceptors/audit.d.ts +25 -0
- package/dist/interceptors/audit.d.ts.map +1 -0
- package/dist/interceptors/audit.js +46 -0
- package/dist/interceptors/audit.js.map +1 -0
- package/dist/interceptors/auth.d.ts +13 -0
- package/dist/interceptors/auth.d.ts.map +1 -0
- package/dist/interceptors/auth.js +34 -0
- package/dist/interceptors/auth.js.map +1 -0
- package/dist/interceptors/base.d.ts +74 -0
- package/dist/interceptors/base.d.ts.map +1 -0
- package/dist/interceptors/base.js +103 -0
- package/dist/interceptors/base.js.map +1 -0
- package/dist/interceptors/capability.d.ts +16 -0
- package/dist/interceptors/capability.d.ts.map +1 -0
- package/dist/interceptors/capability.js +63 -0
- package/dist/interceptors/capability.js.map +1 -0
- package/dist/interceptors/circuit-breaker.d.ts +40 -0
- package/dist/interceptors/circuit-breaker.d.ts.map +1 -0
- package/dist/interceptors/circuit-breaker.js +91 -0
- package/dist/interceptors/circuit-breaker.js.map +1 -0
- package/dist/interceptors/compression.d.ts +11 -0
- package/dist/interceptors/compression.d.ts.map +1 -0
- package/dist/interceptors/compression.js +12 -0
- package/dist/interceptors/compression.js.map +1 -0
- package/dist/interceptors/deadline.d.ts +12 -0
- package/dist/interceptors/deadline.d.ts.map +1 -0
- package/dist/interceptors/deadline.js +28 -0
- package/dist/interceptors/deadline.js.map +1 -0
- package/dist/interceptors/metrics.d.ts +43 -0
- package/dist/interceptors/metrics.d.ts.map +1 -0
- package/dist/interceptors/metrics.js +132 -0
- package/dist/interceptors/metrics.js.map +1 -0
- package/dist/interceptors/rate-limit.d.ts +24 -0
- package/dist/interceptors/rate-limit.d.ts.map +1 -0
- package/dist/interceptors/rate-limit.js +84 -0
- package/dist/interceptors/rate-limit.js.map +1 -0
- package/dist/interceptors/retry.d.ts +25 -0
- package/dist/interceptors/retry.d.ts.map +1 -0
- package/dist/interceptors/retry.js +55 -0
- package/dist/interceptors/retry.js.map +1 -0
- package/dist/limits.d.ts +77 -0
- package/dist/limits.d.ts.map +1 -0
- package/dist/limits.js +137 -0
- package/dist/limits.js.map +1 -0
- package/dist/logging.d.ts +40 -0
- package/dist/logging.d.ts.map +1 -0
- package/dist/logging.js +92 -0
- package/dist/logging.js.map +1 -0
- package/dist/metadata.d.ts +14 -0
- package/dist/metadata.d.ts.map +1 -0
- package/dist/metadata.js +68 -0
- package/dist/metadata.js.map +1 -0
- package/dist/metrics.d.ts +40 -0
- package/dist/metrics.d.ts.map +1 -0
- package/dist/metrics.js +92 -0
- package/dist/metrics.js.map +1 -0
- package/dist/peer-store.d.ts +53 -0
- package/dist/peer-store.d.ts.map +1 -0
- package/dist/peer-store.js +105 -0
- package/dist/peer-store.js.map +1 -0
- package/dist/protocol.d.ts +44 -0
- package/dist/protocol.d.ts.map +1 -0
- package/dist/protocol.js +59 -0
- package/dist/protocol.js.map +1 -0
- package/dist/registration.d.ts +81 -0
- package/dist/registration.d.ts.map +1 -0
- package/dist/registration.js +161 -0
- package/dist/registration.js.map +1 -0
- package/dist/registry/acl.d.ts +57 -0
- package/dist/registry/acl.d.ts.map +1 -0
- package/dist/registry/acl.js +104 -0
- package/dist/registry/acl.js.map +1 -0
- package/dist/registry/client.d.ts +70 -0
- package/dist/registry/client.d.ts.map +1 -0
- package/dist/registry/client.js +115 -0
- package/dist/registry/client.js.map +1 -0
- package/dist/registry/gossip.d.ts +43 -0
- package/dist/registry/gossip.d.ts.map +1 -0
- package/dist/registry/gossip.js +102 -0
- package/dist/registry/gossip.js.map +1 -0
- package/dist/registry/keys.d.ts +25 -0
- package/dist/registry/keys.d.ts.map +1 -0
- package/dist/registry/keys.js +47 -0
- package/dist/registry/keys.js.map +1 -0
- package/dist/registry/models.d.ts +80 -0
- package/dist/registry/models.d.ts.map +1 -0
- package/dist/registry/models.js +35 -0
- package/dist/registry/models.js.map +1 -0
- package/dist/registry/publisher.d.ts +65 -0
- package/dist/registry/publisher.d.ts.map +1 -0
- package/dist/registry/publisher.js +164 -0
- package/dist/registry/publisher.js.map +1 -0
- package/dist/runtime.d.ts +267 -0
- package/dist/runtime.d.ts.map +1 -0
- package/dist/runtime.js +1366 -0
- package/dist/runtime.js.map +1 -0
- package/dist/server.d.ts +100 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +511 -0
- package/dist/server.js.map +1 -0
- package/dist/service.d.ts +72 -0
- package/dist/service.d.ts.map +1 -0
- package/dist/service.js +98 -0
- package/dist/service.js.map +1 -0
- package/dist/session.d.ts +64 -0
- package/dist/session.d.ts.map +1 -0
- package/dist/session.js +350 -0
- package/dist/session.js.map +1 -0
- package/dist/status.d.ts +113 -0
- package/dist/status.d.ts.map +1 -0
- package/dist/status.js +206 -0
- package/dist/status.js.map +1 -0
- package/dist/transport/base.d.ts +46 -0
- package/dist/transport/base.d.ts.map +1 -0
- package/dist/transport/base.js +10 -0
- package/dist/transport/base.js.map +1 -0
- package/dist/transport/iroh.d.ts +45 -0
- package/dist/transport/iroh.d.ts.map +1 -0
- package/dist/transport/iroh.js +225 -0
- package/dist/transport/iroh.js.map +1 -0
- package/dist/transport/local.d.ts +48 -0
- package/dist/transport/local.d.ts.map +1 -0
- package/dist/transport/local.js +139 -0
- package/dist/transport/local.js.map +1 -0
- package/dist/trust/admission.d.ts +60 -0
- package/dist/trust/admission.d.ts.map +1 -0
- package/dist/trust/admission.js +149 -0
- package/dist/trust/admission.js.map +1 -0
- package/dist/trust/bootstrap.d.ts +109 -0
- package/dist/trust/bootstrap.d.ts.map +1 -0
- package/dist/trust/bootstrap.js +311 -0
- package/dist/trust/bootstrap.js.map +1 -0
- package/dist/trust/clock.d.ts +93 -0
- package/dist/trust/clock.d.ts.map +1 -0
- package/dist/trust/clock.js +154 -0
- package/dist/trust/clock.js.map +1 -0
- package/dist/trust/consumer.d.ts +139 -0
- package/dist/trust/consumer.d.ts.map +1 -0
- package/dist/trust/consumer.js +323 -0
- package/dist/trust/consumer.js.map +1 -0
- package/dist/trust/credentials.d.ts +98 -0
- package/dist/trust/credentials.d.ts.map +1 -0
- package/dist/trust/credentials.js +250 -0
- package/dist/trust/credentials.js.map +1 -0
- package/dist/trust/delegated.d.ts +118 -0
- package/dist/trust/delegated.d.ts.map +1 -0
- package/dist/trust/delegated.js +292 -0
- package/dist/trust/delegated.js.map +1 -0
- package/dist/trust/gossip.d.ts +146 -0
- package/dist/trust/gossip.d.ts.map +1 -0
- package/dist/trust/gossip.js +334 -0
- package/dist/trust/gossip.js.map +1 -0
- package/dist/trust/hooks.d.ts +84 -0
- package/dist/trust/hooks.d.ts.map +1 -0
- package/dist/trust/hooks.js +125 -0
- package/dist/trust/hooks.js.map +1 -0
- package/dist/trust/iid.d.ts +65 -0
- package/dist/trust/iid.d.ts.map +1 -0
- package/dist/trust/iid.js +104 -0
- package/dist/trust/iid.js.map +1 -0
- package/dist/trust/mesh.d.ts +43 -0
- package/dist/trust/mesh.d.ts.map +1 -0
- package/dist/trust/mesh.js +105 -0
- package/dist/trust/mesh.js.map +1 -0
- package/dist/trust/nonce.d.ts +39 -0
- package/dist/trust/nonce.d.ts.map +1 -0
- package/dist/trust/nonce.js +46 -0
- package/dist/trust/nonce.js.map +1 -0
- package/dist/trust/producer.d.ts +80 -0
- package/dist/trust/producer.d.ts.map +1 -0
- package/dist/trust/producer.js +151 -0
- package/dist/trust/producer.js.map +1 -0
- package/dist/trust/rcan.d.ts +29 -0
- package/dist/trust/rcan.d.ts.map +1 -0
- package/dist/trust/rcan.js +57 -0
- package/dist/trust/rcan.js.map +1 -0
- package/dist/types.d.ts +57 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +50 -0
- package/dist/types.js.map +1 -0
- package/dist/xlang.d.ts +26 -0
- package/dist/xlang.d.ts.map +1 -0
- package/dist/xlang.js +55 -0
- package/dist/xlang.js.map +1 -0
- package/package.json +59 -0
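--- a/package/dist/trust/hooks.js
+++ b/package/dist/trust/hooks.js
@@ -0,0 +1,125 @@
+/**
+* Gate 0 connection hooks — ALPN-level connection gating.
+*
+* Spec reference: Aster-trust-spec.md
+*
+* The MeshEndpointHook runs a background loop reading hook events
+* from the IrohNode and accepting/denying connections based on
+* admission policy.
+*/
+/** Default policy: allow all connections. */
+export class AllowAllPolicy {
+async onBeforeConnect() {
+return { allow: true };
+}
+}
+/** Policy that denies all connections. */
+export class DenyAllPolicy {
+async onBeforeConnect() {
+return { allow: false, errorCode: 1, reason: 'connections disabled' };
+}
+}
+// ── ALPN constants ────────────────────────────────────────────────────────────
+const _encoder = new TextEncoder();
+const _decoder = new TextDecoder();
+/** Admission ALPN for producer enrollment. */
+export const PRODUCER_ADMISSION_ALPN = _encoder.encode('aster.producer_admission');
+/** Admission ALPN for consumer enrollment. */
+export const CONSUMER_ADMISSION_ALPN = _encoder.encode('aster.consumer_admission');
+const _ADMISSION_ALPN_STRINGS = new Set([
+'aster.producer_admission',
+'aster.consumer_admission',
+]);
+// ── MeshEndpointHook ──────────────────────────────────────────────────────────
+/**
+* Connection-level admission gate (Gate 0, S3.3).
+*
+* Maintains an allowlist of admitted peer endpoint IDs. The decision logic is:
+*
+* - Admission ALPNs (aster.producer_admission, aster.consumer_admission)
+* -> always allow (credential presentation must be possible).
+* - Any other ALPN, peer in admitted set -> allow.
+* - Any other ALPN, peer NOT in admitted and allowUnenrolled=false -> deny.
+* - allowUnenrolled=true -> allow all (local/dev mode; must be explicit opt-in).
+*/
+export class MeshEndpointHook {
+admitted = new Set();
+allowUnenrolled;
+_peerStore;
+constructor(allowUnenrolled = false, peerStore) {
+this.allowUnenrolled = allowUnenrolled;
+this._peerStore = peerStore;
+}
+// ── Decision logic ──────────────────────────────────────────────────────
+/**
+* Return true if this connection should be allowed.
+*
+* @param remoteEndpointId - NodeId of the connecting peer (from handshake).
+* @param alpn - ALPN negotiated for this connection (Uint8Array).
+*/
+shouldAllow(remoteEndpointId, alpn) {
+// Admission ALPNs are always open -- credential presentation
+const alpnStr = _decoder.decode(alpn);
+if (_ADMISSION_ALPN_STRINGS.has(alpnStr)) {
+return true;
+}
+// If we have a peer store, use it for expiry-aware checks
+if (this._peerStore) {
+if (this._peerStore.get(remoteEndpointId) != null) {
+return true;
+}
+}
+else if (this.admitted.has(remoteEndpointId)) {
+return true;
+}
+// Open-mode bypass (local/dev only)
+if (this.allowUnenrolled) {
+return true;
+}
+return false;
+}
+// ── Allowlist management ────────────────────────────────────────────────
+/** Add a peer to the admitted set after successful credential check. */
+addPeer(endpointId) {
+this.admitted.add(endpointId);
+}
+/** Remove a peer from the admitted set (e.g., on lease expiry). */
+removePeer(endpointId) {
+this.admitted.delete(endpointId);
+}
+// ── Iroh hook-loop integration ──────────────────────────────────────────
+/**
+* Background loop: poll hookReceiver and apply Gate 0 decisions.
+*
+* Wires this hook to Iroh's Phase 1b HookReceiver. Run via a detached
+* promise after obtaining the receiver from netClient.takeHookReceiver().
+*
+* @param hookReceiver - An object with recvBeforeConnect() that returns
+* { info: { remoteEndpointId: string; alpn: Uint8Array }, respond(d: HookDecision): Promise<void> } | null
+*/
+async runHookLoop(hookReceiver) {
+try {
+while (true) {
+const event = await hookReceiver.recvBeforeConnect();
+if (event == null)
+break;
+const { info, respond } = event;
+if (this.shouldAllow(info.remoteEndpointId, info.alpn)) {
+await respond({ allow: true });
+}
+else {
+await respond({ allow: false, errorCode: 403, reason: 'not admitted' });
+}
+}
+}
+catch (err) {
+// Cancellation or shutdown — silently exit
+const msg = err instanceof Error ? err.message : String(err);
+if (msg.includes('abort') || msg.includes('cancel'))
+return;
+// Log unexpected errors (no logger abstraction yet — console.error)
+console.error('Hook loop error:', msg);
+}
+}
+}
+//# sourceMappingURL=hooks.js.map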
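Review bot: In `shouldAllow`, the `admitted` allowlist is only consulted in the `else if` branch, so as soon as a peer store is passed to the constructor, `addPeer`/`removePeer` stop influencing the decision and a peer admitted via `addPeer` but absent from the store is denied (or let through only by `allowUnenrolled`). If the store is meant to be authoritative the two mutators should write through to it, or their docstrings should say they are ignored in that mode; otherwise make the two checks independent: `if (this._peerStore?.get(remoteEndpointId) != null) return true;` followed by `if (this.admitted.has(remoteEndpointId)) return true;`. Separately, the `try` in `runHookLoop` wraps the whole `while`, so a single rejected `respond()` for one connection ends the gate loop for every later connection with nothing but a `console.error`; a per-iteration catch around the respond call would keep the gate running, and what Iroh does with unanswered hook events after the loop exits is not visible from this file. Detecting cancellation by substring on the message (`'abort'`/`'cancel'`) is also brittle; if the transport raises a standard `AbortError`, checking `err instanceof Error && err.name === 'AbortError'` is the reliable signal.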
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hooks.js","sourceRoot":"","sources":["../../src/trust/hooks.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAkBH,6CAA6C;AAC7C,MAAM,OAAO,cAAc;IACzB,KAAK,CAAC,eAAe;QACnB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;CACF;AAED,0CAA0C;AAC1C,MAAM,OAAO,aAAa;IACxB,KAAK,CAAC,eAAe;QACnB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACxE,CAAC;CACF;AAED,iFAAiF;AAEjF,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC;AACnC,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC;AAEnC,8CAA8C;AAC9C,MAAM,CAAC,MAAM,uBAAuB,GAAe,QAAQ,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;AAE/F,8CAA8C;AAC9C,MAAM,CAAC,MAAM,uBAAuB,GAAe,QAAQ,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;AAE/F,MAAM,uBAAuB,GAAwB,IAAI,GAAG,CAAC;IAC3D,0BAA0B;IAC1B,0BAA0B;CAC3B,CAAC,CAAC;AAEH,iFAAiF;AAEjF;;;;;;;;;;GAUG;AACH,MAAM,OAAO,gBAAgB;IAClB,QAAQ,GAAgB,IAAI,GAAG,EAAE,CAAC;IAClC,eAAe,CAAU;IAC1B,UAAU,CAAoD;IAEtE,YAAY,eAAe,GAAG,KAAK,EAAE,SAA4D;QAC/F,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QACvC,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;IAC9B,CAAC;IAED,2EAA2E;IAE3E;;;;;OAKG;IACH,WAAW,CAAC,gBAAwB,EAAE,IAAgB;QACpD,6DAA6D;QAC7D,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,0DAA0D;QAC1D,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,IAAI,EAAE,CAAC;gBAClD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC/C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,oCAAoC;QACpC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,2EAA2E;IAE3E,wEAAwE;IACxE,OAAO,CAAC,UAAkB;QACxB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAChC,CAAC;IAED,mEAAmE;IACnE,UAAU,CAAC,UAAkB;QAC3B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC;IAED,2EAA2E;IAE3E;;;;;;;;OAQG;IACH,KAAK,CAAC,WAAW,CAAC,YAKjB;QACC,IAAI,CAAC;YACH,OAAO,IAAI,EAAE,CAAC;gBACZ,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,iBAAiB,EAAE,CAAC;gBACrD,IAAI,KAAK,IAAI,IAAI;oBAAE,MAAM;gBAEzB,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,KAAK,CA
AC;gBAChC,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,gBAAgB,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvD,MAAM,OAAO,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,OAAO,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;gBAC1E,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,2CAA2C;YAC3C,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAAE,OAAO;YAC5D,oEAAoE;YACpE,OAAO,CAAC,KAAK,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;CACF"}
|
|
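--- a/package/dist/trust/iid.d.ts
+++ b/package/dist/trust/iid.d.ts
@@ -0,0 +1,65 @@
+/**
+* IID (Instance Identity Document) — cloud identity verification.
+*
+* Spec reference: Aster-trust-spec.md
+*
+* Validates that a connecting peer is running on an expected cloud instance
+* (AWS/GCP/Azure) with specific attributes (account, region, role ARN).
+*
+* IID verification is Gate 2 (runtime check) in the admission pipeline.
+* Triggered when credential attributes carry aster.iid_provider.
+*/
+/** Reserved IID attribute keys. */
+export declare const ATTR_IID_PROVIDER = "aster.iid_provider";
+export declare const ATTR_IID_ACCOUNT = "aster.iid_account";
+export declare const ATTR_IID_REGION = "aster.iid_region";
+export declare const ATTR_IID_ROLE_ARN = "aster.iid_role_arn";
+/** IID verification backend interface. */
+export interface IIDBackend {
+verify(attributes: Record<string, string>, iidToken?: string): Promise<[boolean, string | undefined]>;
+}
+/**
+* Mock IID backend for testing.
+*/
+export declare class MockIIDBackend implements IIDBackend {
+private shouldPass;
+private reason;
+private expectedAttributes;
+constructor(opts?: {
+shouldPass?: boolean;
+reason?: string;
+expectedAttributes?: Record<string, string>;
+});
+verify(attributes: Record<string, string>, _iidToken?: string): Promise<[boolean, string | undefined]>;
+}
+/**
+* AWS IID backend (stub — full RSA verification deferred to production).
+*/
+export declare class AWSIIDBackend implements IIDBackend {
+verify(attributes: Record<string, string>, _iidToken?: string): Promise<[boolean, string | undefined]>;
+}
+/**
+* GCP IID backend (stub).
+*/
+export declare class GCPIIDBackend implements IIDBackend {
+verify(_attributes: Record<string, string>, _iidToken?: string): Promise<[boolean, string | undefined]>;
+}
+/**
+* Azure IID backend (stub).
+*/
+export declare class AzureIIDBackend implements IIDBackend {
+verify(_attributes: Record<string, string>, _iidToken?: string): Promise<[boolean, string | undefined]>;
+}
+/**
+* Factory: get the appropriate IID backend for a provider.
+*/
+export declare function getIIDBackend(provider: string): IIDBackend;
+/**
+* Run IID verification against credential attributes.
+*
+* If no backend supplied, auto-selects based on aster.iid_provider attribute.
+*
+* @returns [ok, reason]
+*/
+export declare function verifyIID(attributes: Record<string, string>, backend?: IIDBackend, iidToken?: string): Promise<[boolean, string | undefined]>;
+//# sourceMappingURL=iid.d.ts.map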
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"iid.d.ts","sourceRoot":"","sources":["../../src/trust/iid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,mCAAmC;AACnC,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AACtD,eAAO,MAAM,gBAAgB,sBAAsB,CAAC;AACpD,eAAO,MAAM,eAAe,qBAAqB,CAAC;AAClD,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AAEtD,0CAA0C;AAC1C,MAAM,WAAW,UAAU;IACzB,MAAM,CACJ,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAClC,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;CAC3C;AAED;;GAEG;AACH,qBAAa,cAAe,YAAW,UAAU;IAC/C,OAAO,CAAC,UAAU,CAAU;IAC5B,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,kBAAkB,CAAqC;gBAEnD,IAAI,CAAC,EAAE;QACjB,UAAU,CAAC,EAAE,OAAO,CAAC;QACrB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC7C;IAMK,MAAM,CACV,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAClC,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAU1C;AAED;;GAEG;AACH,qBAAa,aAAc,YAAW,UAAU;IACxC,MAAM,CACV,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAClC,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAW1C;AAED;;GAEG;AACH,qBAAa,aAAc,YAAW,UAAU;IACxC,MAAM,CACV,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACnC,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAG1C;AAED;;GAEG;AACH,qBAAa,eAAgB,YAAW,UAAU;IAC1C,MAAM,CACV,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACnC,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAG1C;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAa1D;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAClC,OAAO,CAAC,EAAE,UAAU,EACpB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAQxC"}
|
|
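--- a/package/dist/trust/iid.js
+++ b/package/dist/trust/iid.js
@@ -0,0 +1,104 @@
+/**
+* IID (Instance Identity Document) — cloud identity verification.
+*
+* Spec reference: Aster-trust-spec.md
+*
+* Validates that a connecting peer is running on an expected cloud instance
+* (AWS/GCP/Azure) with specific attributes (account, region, role ARN).
+*
+* IID verification is Gate 2 (runtime check) in the admission pipeline.
+* Triggered when credential attributes carry aster.iid_provider.
+*/
+/** Reserved IID attribute keys. */
+export const ATTR_IID_PROVIDER = 'aster.iid_provider';
+export const ATTR_IID_ACCOUNT = 'aster.iid_account';
+export const ATTR_IID_REGION = 'aster.iid_region';
+export const ATTR_IID_ROLE_ARN = 'aster.iid_role_arn';
+/**
+* Mock IID backend for testing.
+*/
+export class MockIIDBackend {
+shouldPass;
+reason;
+expectedAttributes;
+constructor(opts) {
+this.shouldPass = opts?.shouldPass ?? true;
+this.reason = opts?.reason;
+this.expectedAttributes = opts?.expectedAttributes;
+}
+async verify(attributes, _iidToken) {
+if (this.expectedAttributes) {
+for (const [key, expected] of Object.entries(this.expectedAttributes)) {
+if (attributes[key] !== expected) {
+return [false, `attribute mismatch: ${key}`];
+}
+}
+}
+return [this.shouldPass, this.reason];
+}
+}
+/**
+* AWS IID backend (stub — full RSA verification deferred to production).
+*/
+export class AWSIIDBackend {
+async verify(attributes, _iidToken) {
+// Stub: check that required attributes are present
+if (!attributes[ATTR_IID_ACCOUNT]) {
+return [false, 'missing aster.iid_account'];
+}
+if (!attributes[ATTR_IID_REGION]) {
+return [false, 'missing aster.iid_region'];
+}
+// Full verification would fetch instance identity from metadata service
+return [true, undefined];
+}
+}
+/**
+* GCP IID backend (stub).
+*/
+export class GCPIIDBackend {
+async verify(_attributes, _iidToken) {
+return [true, undefined];
+}
+}
+/**
+* Azure IID backend (stub).
+*/
+export class AzureIIDBackend {
+async verify(_attributes, _iidToken) {
+return [true, undefined];
+}
+}
+/**
+* Factory: get the appropriate IID backend for a provider.
+*/
+export function getIIDBackend(provider) {
+switch (provider.toLowerCase()) {
+case 'aws':
+return new AWSIIDBackend();
+case 'gcp':
+return new GCPIIDBackend();
+case 'azure':
+return new AzureIIDBackend();
+case 'mock':
+return new MockIIDBackend();
+default:
+throw new Error(`unknown IID provider: ${provider}`);
+}
+}
+/**
+* Run IID verification against credential attributes.
+*
+* If no backend supplied, auto-selects based on aster.iid_provider attribute.
+*
+* @returns [ok, reason]
+*/
+export async function verifyIID(attributes, backend, iidToken) {
+const provider = attributes[ATTR_IID_PROVIDER];
+if (!provider) {
+return [true, undefined]; // No IID required
+}
+const iidBackend = backend ?? getIIDBackend(provider);
+return iidBackend.verify(attributes, iidToken);
+}
+//# sourceMappingURL=iid.js.map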
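Review bot: `GCPIIDBackend.verify` and `AzureIIDBackend.verify` return `[true, undefined]` unconditionally, and `AWSIIDBackend.verify` only checks that two attributes are present and never reads `_iidToken`, so Gate 2 as published passes any credential whose attributes name one of these providers; `getIIDBackend` additionally maps `'mock'` to a `MockIIDBackend` whose default `shouldPass` is `true`, and since `verifyIID` selects the backend from the `aster.iid_provider` attribute it is handed, whoever controls that attribute (presumably the credential issuer — not visible in this file) can pick an always-pass path. Stubs shipped in a package should fail closed until implemented, e.g. `return [false, 'GCP IID verification not implemented'];` in the GCP stub and the equivalent for Azure, and the `case 'mock':` branch should be removed from the default factory, since tests can already inject a `MockIIDBackend` through the `backend` parameter of `verifyIID`. The header comments do call these stubs, but nothing in the code or the published types tells a caller the gate is non-enforcing, so a one-line note on `verifyIID` such as `// NOTE: cloud backends are stubs; only attribute presence is checked until IID document verification is implemented` would at least keep callers from relying on it.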
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"iid.js","sourceRoot":"","sources":["../../src/trust/iid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,mCAAmC;AACnC,MAAM,CAAC,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AACtD,MAAM,CAAC,MAAM,gBAAgB,GAAG,mBAAmB,CAAC;AACpD,MAAM,CAAC,MAAM,eAAe,GAAG,kBAAkB,CAAC;AAClD,MAAM,CAAC,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAUtD;;GAEG;AACH,MAAM,OAAO,cAAc;IACjB,UAAU,CAAU;IACpB,MAAM,CAAqB;IAC3B,kBAAkB,CAAqC;IAE/D,YAAY,IAIX;QACC,IAAI,CAAC,UAAU,GAAG,IAAI,EAAE,UAAU,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,MAAM,CAAC;QAC3B,IAAI,CAAC,kBAAkB,GAAG,IAAI,EAAE,kBAAkB,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,MAAM,CACV,UAAkC,EAClC,SAAkB;QAElB,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,KAAK,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACtE,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,QAAQ,EAAE,CAAC;oBACjC,OAAO,CAAC,KAAK,EAAE,uBAAuB,GAAG,EAAE,CAAC,CAAC;gBAC/C,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,aAAa;IACxB,KAAK,CAAC,MAAM,CACV,UAAkC,EAClC,SAAkB;QAElB,mDAAmD;QACnD,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,KAAK,EAAE,2BAA2B,CAAC,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,KAAK,EAAE,0BAA0B,CAAC,CAAC;QAC7C,CAAC;QACD,wEAAwE;QACxE,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAC3B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,aAAa;IACxB,KAAK,CAAC,MAAM,CACV,WAAmC,EACnC,SAAkB;QAElB,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAC3B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,eAAe;IAC1B,KAAK,CAAC,MAAM,CACV,WAAmC,EACnC,SAAkB;QAElB,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAC3B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,QAAQ,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;QAC/B,KAAK,KAAK;YACR,OAAO,IAAI,aAAa,EAAE,CAAC;QAC7B,KAAK,KAAK;YACR,OAAO,IAAI,aAAa,EAAE,CAAC;QAC7B,KAAK,OAAO;YACV,OAAO,IAAI,eAAe,EAAE,CAAC;QAC/B,KAAK,MAAM;YACT,OAAO,IAAI,cAAc,EAAE,CAAC;QAC9B;YACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,UAAkC,EAClC,
OAAoB,EACpB,QAAiB;IAEjB,MAAM,QAAQ,GAAG,UAAU,CAAC,iBAAiB,CAAC,CAAC;IAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB;IAC9C,CAAC;IAED,MAAM,UAAU,GAAG,OAAO,IAAI,aAAa,CAAC,QAAQ,CAAC,CAAC;IACtD,OAAO,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC"}
|
|
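--- a/package/dist/trust/mesh.d.ts
+++ b/package/dist/trust/mesh.d.ts
@@ -0,0 +1,43 @@
+/**
+* Mesh state — gossip-based service discovery.
+*
+* Tracks which peers offer which services, updated via gossip broadcasts.
+* Supports JSON persistence to ~/.aster/mesh_state.json.
+*/
+/** A service available from a peer. */
+export interface PeerService {
+peerEndpointId: string;
+serviceName: string;
+serviceVersion: number;
+contractId: string;
+}
+/** Mesh state: tracks discovered peers and their services. */
+export declare class MeshState {
+private peers;
+private _acceptedProducers;
+/** Hex-encoded 32-byte gossip topic ID for the producer mesh. */
+topicId: string;
+/** Add a peer to the accepted set (used by producer admission). */
+addPeer(peerEndpointId: string): void;
+/** Check if a peer is in the accepted set. */
+isPeerAccepted(peerEndpointId: string): boolean;
+/** Record services from a peer. */
+update(peerEndpointId: string, services: PeerService[]): void;
+/** Remove a peer. */
+remove(peerEndpointId: string): void;
+/** Find peers offering a service by name. */
+findService(serviceName: string): PeerService[];
+/** All known peers. */
+allPeers(): string[];
+/** Number of known peers. */
+get size(): number;
+/** Serialize to JSON-compatible dict. */
+toJson(): Record<string, unknown>;
+/** Deserialize from JSON dict. */
+static fromJson(data: Record<string, unknown>): MeshState;
+}
+/** Save mesh state to ~/.aster/mesh_state.json (atomic rename). */
+export declare function saveMeshState(state: MeshState, path?: string): void;
+/** Load mesh state from ~/.aster/mesh_state.json. Returns null if not found. */
+export declare function loadMeshState(path?: string): MeshState | null;
+//# sourceMappingURL=mesh.d.ts.map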
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mesh.d.ts","sourceRoot":"","sources":["../../src/trust/mesh.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,uCAAuC;AACvC,MAAM,WAAW,WAAW;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,8DAA8D;AAC9D,qBAAa,SAAS;IACpB,OAAO,CAAC,KAAK,CAAoC;IACjD,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,iEAAiE;IACjE,OAAO,SAAM;IAEb,mEAAmE;IACnE,OAAO,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI;IAOrC,8CAA8C;IAC9C,cAAc,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO;IAI/C,mCAAmC;IACnC,MAAM,CAAC,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,IAAI;IAI7D,qBAAqB;IACrB,MAAM,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI;IAKpC,6CAA6C;IAC7C,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,WAAW,EAAE;IAU/C,uBAAuB;IACvB,QAAQ,IAAI,MAAM,EAAE;IAIpB,6BAA6B;IAC7B,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,yCAAyC;IACzC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAUjC,kCAAkC;IAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS;CAe1D;AAOD,mEAAmE;AACnE,wBAAgB,aAAa,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,SAAkB,GAAG,IAAI,CAM5E;AAED,gFAAgF;AAChF,wBAAgB,aAAa,CAAC,IAAI,SAAkB,GAAG,SAAS,GAAG,IAAI,CAQtE"}
|
|
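--- a/package/dist/trust/mesh.js
+++ b/package/dist/trust/mesh.js
@@ -0,0 +1,105 @@
+/**
+ * Mesh state — gossip-based service discovery.
+ *
+ * Tracks which peers offer which services, updated via gossip broadcasts.
+ * Supports JSON persistence to ~/.aster/mesh_state.json.
+ */
+import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { homedir } from 'node:os';
+/** Mesh state: tracks discovered peers and their services. */
+export class MeshState {
+    peers = new Map();
+    _acceptedProducers = new Set();
+    /** Hex-encoded 32-byte gossip topic ID for the producer mesh. */
+    topicId = '';
+    /** Add a peer to the accepted set (used by producer admission). */
+    addPeer(peerEndpointId) {
+        this._acceptedProducers.add(peerEndpointId);
+        if (!this.peers.has(peerEndpointId)) {
+            this.peers.set(peerEndpointId, []);
+        }
+    }
+    /** Check if a peer is in the accepted set. */
+    isPeerAccepted(peerEndpointId) {
+        return this._acceptedProducers.has(peerEndpointId);
+    }
+    /** Record services from a peer. */
+    update(peerEndpointId, services) {
+        this.peers.set(peerEndpointId, services);
+    }
+    /** Remove a peer. */
+    remove(peerEndpointId) {
+        this.peers.delete(peerEndpointId);
+        this._acceptedProducers.delete(peerEndpointId);
+    }
+    /** Find peers offering a service by name. */
+    findService(serviceName) {
+        const results = [];
+        for (const services of this.peers.values()) {
+            for (const svc of services) {
+                if (svc.serviceName === serviceName)
+                    results.push(svc);
+            }
+        }
+        return results;
+    }
+    /** All known peers. */
+    allPeers() {
+        return [...this.peers.keys()];
+    }
+    /** Number of known peers. */
+    get size() {
+        return this.peers.size;
+    }
+    /** Serialize to JSON-compatible dict. */
+    toJson() {
+        return {
+            accepted_producers: [...this._acceptedProducers],
+            peers: Object.fromEntries([...this.peers.entries()].map(([k, v]) => [k, v])),
+            topic_id: this.topicId,
+        };
+    }
+    /** Deserialize from JSON dict. */
+    static fromJson(data) {
+        const state = new MeshState();
+        const producers = data.accepted_producers;
+        if (producers) {
+            for (const p of producers)
+                state._acceptedProducers.add(p);
+        }
+        const peers = data.peers;
+        if (peers) {
+            for (const [k, v] of Object.entries(peers)) {
+                state.peers.set(k, v);
+            }
+        }
+        state.topicId = data.topic_id ?? '';
+        return state;
+    }
+}
+// -- Mesh state persistence ---------------------------------------------------
+const MESH_STATE_DIR = join(homedir(), '.aster');
+const MESH_STATE_FILE = join(MESH_STATE_DIR, 'mesh_state.json');
+/** Save mesh state to ~/.aster/mesh_state.json (atomic rename). */
+export function saveMeshState(state, path = MESH_STATE_FILE) {
+    const dir = dirname(path);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    const tmp = path + '.tmp';
+    writeFileSync(tmp, JSON.stringify(state.toJson(), null, 2));
+    renameSync(tmp, path);
+}
+/** Load mesh state from ~/.aster/mesh_state.json. Returns null if not found. */
+export function loadMeshState(path = MESH_STATE_FILE) {
+    try {
+        if (!existsSync(path))
+            return null;
+        const data = JSON.parse(readFileSync(path, 'utf-8'));
+        return MeshState.fromJson(data);
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=mesh.js.map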
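Review bot: `MeshState.fromJson` (hunk lines 64–79) copies `accepted_producers`, `peers` and `topic_id` from the parsed file into the accepted-producer set and peer map without checking their types, and `loadMeshState` masks any resulting exception with `catch { return null; }`, so a malformed or hand-edited `~/.aster/mesh_state.json` is indistinguishable from a missing one. Because `_acceptedProducers` is what `isPeerAccepted` consults for admission, the loader should only accept an array of strings there, a plain object whose values are arrays for `peers`, and a string for `topic_id`, and the catch branch should at least surface the parse failure to a logger rather than drop it. `saveMeshState` also creates the directory and the temp file with the process umask; since the file governs who is accepted into the mesh, `mkdirSync(dir, { recursive: true, mode: 0o700 })` and `writeFileSync(tmp, JSON.stringify(state.toJson(), null, 2), { mode: 0o600 })` would keep it private to the user. A validating `fromJson` is sketched below.
```javascript
    /** Deserialize from JSON dict, skipping entries of the wrong type. */
    static fromJson(data) {
        const state = new MeshState();
        const producers = data.accepted_producers;
        if (Array.isArray(producers)) {
            for (const p of producers) {
                if (typeof p === 'string')
                    state._acceptedProducers.add(p);
            }
        }
        const peers = data.peers;
        if (peers && typeof peers === 'object' && !Array.isArray(peers)) {
            for (const [k, v] of Object.entries(peers)) {
                if (Array.isArray(v))
                    state.peers.set(k, v);
            }
        }
        state.topicId = typeof data.topic_id === 'string' ? data.topic_id : '';
        return state;
    }
    // … unchanged: rest of MeshState and the persistence helpers …
```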
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mesh.js","sourceRoot":"","sources":["../../src/trust/mesh.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACzF,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAUlC,8DAA8D;AAC9D,MAAM,OAAO,SAAS;IACZ,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAC;IACzC,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/C,iEAAiE;IACjE,OAAO,GAAG,EAAE,CAAC;IAEb,mEAAmE;IACnE,OAAO,CAAC,cAAsB;QAC5B,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC5C,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;YACpC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,cAAc,CAAC,cAAsB;QACnC,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACrD,CAAC;IAED,mCAAmC;IACnC,MAAM,CAAC,cAAsB,EAAE,QAAuB;QACpD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED,qBAAqB;IACrB,MAAM,CAAC,cAAsB;QAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAClC,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IACjD,CAAC;IAED,6CAA6C;IAC7C,WAAW,CAAC,WAAmB;QAC7B,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC3C,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,WAAW,KAAK,WAAW;oBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,uBAAuB;IACvB,QAAQ;QACN,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,6BAA6B;IAC7B,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;IAED,yCAAyC;IACzC,MAAM;QACJ,OAAO;YACL,kBAAkB,EAAE,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC;YAChD,KAAK,EAAE,MAAM,CAAC,WAAW,CACvB,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAClD;YACD,QAAQ,EAAE,IAAI,CAAC,OAAO;SACvB,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,MAAM,KAAK,GAAG,IAAI,SAAS,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,kBAA0C,CAAC;QAClE,IAAI,SAAS,EAAE,CAAC;YACd,KAAK,MAAM,
CAAC,IAAI,SAAS;gBAAE,KAAK,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAkD,CAAC;QACtE,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3C,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QACD,KAAK,CAAC,OAAO,GAAI,IAAI,CAAC,QAAmB,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED,gFAAgF;AAEhF,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;AACjD,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC;AAEhE,mEAAmE;AACnE,MAAM,UAAU,aAAa,CAAC,KAAgB,EAAE,IAAI,GAAG,eAAe;IACpE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,IAAI,GAAG,MAAM,CAAC;IAC1B,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC5D,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AACxB,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,aAAa,CAAC,IAAI,GAAG,eAAe;IAClD,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;QACrD,OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
|
|
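--- a/package/dist/trust/nonce.d.ts
+++ b/package/dist/trust/nonce.d.ts
@@ -0,0 +1,39 @@
+/**
+ * Nonce store for OTT (one-time-token) replay protection.
+ *
+ * Spec reference: Aster-trust-spec.md
+ *
+ * Tracks consumed nonces to prevent credential replay attacks.
+ * Each OTT nonce can only be used once.
+ */
+/** Nonce store interface. */
+export interface NonceStore {
+    /** Check if a nonce has been consumed. */
+    has(nonce: string): boolean;
+    /** Mark a nonce as consumed. */
+    consume(nonce: string): void;
+    /** Number of consumed nonces. */
+    readonly size: number;
+}
+/**
+ * In-memory nonce store with optional TTL expiry.
+ *
+ * Nonces are stored in a Map with their consumption timestamp.
+ * Expired nonces are cleaned up periodically to prevent unbounded growth.
+ */
+export declare class InMemoryNonceStore implements NonceStore {
+    private nonces;
+    private ttlMs;
+    /**
+     * @param ttlMs - How long to remember consumed nonces (default: 24 hours).
+     * After this time, a nonce could theoretically be replayed, but the
+     * credential itself should have expired by then.
+     */
+    constructor(ttlMs?: number);
+    has(nonce: string): boolean;
+    consume(nonce: string): void;
+    get size(): number;
+    /** Remove expired nonces. */
+    private cleanup;
+}
+//# sourceMappingURL=nonce.d.ts.map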
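Review bot: The `NonceStore` contract (hunk lines 10–17) splits replay detection into `has` and `consume`, so every caller has to perform a check-then-act sequence; if an `await` ever lands between the two calls (the admission handler in `producer.d.ts` is async), two concurrent presentations of the same nonce can both pass `has` before either `consume` runs. A single `tryConsume(nonce: string): boolean;` that records the nonce and reports whether it was already present makes the atomic form the only one callers reach for, with `has` kept for read-only inspection. The same split is implemented in `nonce.js` in the following section. The constructor doc (lines 27–31) should also state the constraint it only alludes to, since the store cannot see credential expiry itself: `* Callers must choose ttlMs no shorter than the longest credential validity they accept.`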
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"nonce.d.ts","sourceRoot":"","sources":["../../src/trust/nonce.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,6BAA6B;AAC7B,MAAM,WAAW,UAAU;IACzB,0CAA0C;IAC1C,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAC5B,gCAAgC;IAChC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,iCAAiC;IACjC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;GAKG;AACH,qBAAa,kBAAmB,YAAW,UAAU;IACnD,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,KAAK,CAAS;IAEtB;;;;OAIG;gBACS,KAAK,SAAsB;IAIvC,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAK3B,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAI5B,IAAI,IAAI,IAAI,MAAM,CAGjB;IAED,6BAA6B;IAC7B,OAAO,CAAC,OAAO;CAMhB"}
|
|
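--- a/package/dist/trust/nonce.js
+++ b/package/dist/trust/nonce.js
@@ -0,0 +1,46 @@
+/**
+ * Nonce store for OTT (one-time-token) replay protection.
+ *
+ * Spec reference: Aster-trust-spec.md
+ *
+ * Tracks consumed nonces to prevent credential replay attacks.
+ * Each OTT nonce can only be used once.
+ */
+/**
+ * In-memory nonce store with optional TTL expiry.
+ *
+ * Nonces are stored in a Map with their consumption timestamp.
+ * Expired nonces are cleaned up periodically to prevent unbounded growth.
+ */
+export class InMemoryNonceStore {
+    nonces = new Map(); // nonce -> consumed_epoch_ms
+    ttlMs;
+    /**
+     * @param ttlMs - How long to remember consumed nonces (default: 24 hours).
+     * After this time, a nonce could theoretically be replayed, but the
+     * credential itself should have expired by then.
+     */
+    constructor(ttlMs = 24 * 60 * 60 * 1000) {
+        this.ttlMs = ttlMs;
+    }
+    has(nonce) {
+        this.cleanup();
+        return this.nonces.has(nonce);
+    }
+    consume(nonce) {
+        this.nonces.set(nonce, Date.now());
+    }
+    get size() {
+        this.cleanup();
+        return this.nonces.size;
+    }
+    /** Remove expired nonces. */
+    cleanup() {
+        const cutoff = Date.now() - this.ttlMs;
+        for (const [nonce, ts] of this.nonces) {
+            if (ts < cutoff)
+                this.nonces.delete(nonce);
+        }
+    }
+}
+//# sourceMappingURL=nonce.js.map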
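Review bot: `has` and `size` (hunk lines 26–36) run `cleanup`, a full scan of the map, on every call, while `consume` never does, so each replay check costs time proportional to every nonce recorded within the TTL (24 hours by default) and a run of `consume` calls with no intervening check is never trimmed. There is also no upper bound on the map, so within the TTL the store grows with whatever rate of nonces reaches it. A cheaper arrangement is to trigger `cleanup` from `consume` only past a size or time threshold, e.g. `if (this.nonces.size > this.maxEntries || Date.now() - this.lastCleanup > this.cleanupIntervalMs) this.cleanup();` with the two new fields set in the constructor, and to keep `has` as a plain lookup. The class doc should also say the store is process-local: a restart forgets every consumed nonce, so still-valid credentials can be replayed across restarts unless a persistent NonceStore is supplied.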
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"nonce.js","sourceRoot":"","sources":["../../src/trust/nonce.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAYH;;;;;GAKG;AACH,MAAM,OAAO,kBAAkB;IACrB,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,6BAA6B;IACjE,KAAK,CAAS;IAEtB;;;;OAIG;IACH,YAAY,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;QACrC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAED,GAAG,CAAC,KAAa;QACf,IAAI,CAAC,OAAO,EAAE,CAAC;QACf,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,CAAC,KAAa;QACnB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,IAAI;QACN,IAAI,CAAC,OAAO,EAAE,CAAC;QACf,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IAED,6BAA6B;IACrB,OAAO;QACb,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QACvC,KAAK,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACtC,IAAI,EAAE,GAAG,MAAM;gBAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;CACF"}
|
|
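--- a/package/dist/trust/producer.d.ts
+++ b/package/dist/trust/producer.d.ts
@@ -0,0 +1,80 @@
+/**
+ * Producer admission — the server-side admission handshake.
+ *
+ * Spec reference: Aster-trust-spec.md S6
+ *
+ * When a producer wants to join a mesh, the accepting producer:
+ * 1. Accepts a connection on the producer admission ALPN
+ * 2. Reads an AdmissionRequest (credential JSON + optional IID token)
+ * 3. Validates the credential (signature, expiry, root pubkey)
+ * 4. Responds with AdmissionResponse (accepted/rejected + mesh state)
+ */
+import type { MeshState } from './mesh.js';
+import type { NonceStore } from './nonce.js';
+/** ALPN for producer admission. */
+export declare const PRODUCER_ADMISSION_ALPN: Uint8Array<ArrayBuffer>;
+/** Producer admission request (inbound). */
+export interface ProducerAdmissionRequest {
+    credentialJson: string;
+    iidToken?: string;
+}
+/** Producer admission response (outbound). */
+export interface ProducerAdmissionResponse {
+    accepted: boolean;
+    salt: string;
+    acceptedProducers: string[];
+    /** Reason is for internal logging only — never leaked to peer. */
+    reason?: string;
+}
+/** Options for the producer admission server. */
+export interface ProducerAdmissionOptions {
+    /** The mesh's trusted root public key (hex). */
+    rootPubkey: string;
+    /** Current mesh state (mutated on successful admission). */
+    meshState: MeshState;
+    /** Optional nonce store for OTT replay protection. */
+    nonceStore?: NonceStore;
+    /** Logger. */
+    logger?: {
+        info(...args: any[]): void;
+        warn(...args: any[]): void;
+        error(...args: any[]): void;
+    };
+}
+/** QUIC connection interface for admission. */
+interface AdmissionConnection {
+    acceptBi(): Promise<{
+        takeSend(): AdmissionSend;
+        takeRecv(): AdmissionRecv;
+    }>;
+    remoteNodeId(): string;
+}
+interface AdmissionSend {
+    writeAll(data: Uint8Array): Promise<void>;
+    finish(): Promise<void>;
+}
+interface AdmissionRecv {
+    readToEnd(maxLen: number): Promise<Uint8Array>;
+}
+/** Node interface for accepting admission connections. */
+interface AdmissionNode {
+    acceptAster(): Promise<AdmissionConnection>;
+}
+/**
+ * Handle a single producer admission connection.
+ *
+ * Reads the credential, validates it, updates mesh state on success,
+ * and responds with the admission result.
+ */
+export declare function handleProducerAdmission(conn: AdmissionConnection, opts: ProducerAdmissionOptions): Promise<ProducerAdmissionResponse>;
+/**
+ * Serve producer admission — accept loop that handles incoming
+ * producer admission connections until stopped.
+ */
+export declare function serveProducerAdmission(node: AdmissionNode, opts: ProducerAdmissionOptions & {
+    running?: {
+        value: boolean;
+    };
+}): Promise<void>;
+export {};
+//# sourceMappingURL=producer.d.ts.map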
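Review bot: `nonceStore` is optional in `ProducerAdmissionOptions` (hunk line 36), so a caller that omits it gets an admission handshake with no OTT replay detection and nothing in the type makes that choice deliberate; either make the field required or document the consequence, e.g. `/** Nonce store for OTT replay protection. Omitting it disables replay detection. */`. `ProducerAdmissionResponse` (lines 22–28) also types `salt` and `acceptedProducers` as present regardless of `accepted`, so a rejection could carry the mesh membership list to an unauthenticated peer if the implementation serialises the whole object — `producer.js` is not in this section, so I cannot confirm what is written to the stream. A discriminated union such as `{ accepted: true; salt: string; acceptedProducers: string[] } | { accepted: false; reason?: string }` makes that leak unrepresentable and also pins `reason` to the internal side, matching its comment. The `logger` methods (lines 39–41) should take `...args: unknown[]` rather than `any[]`.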
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"producer.d.ts","sourceRoot":"","sources":["../../src/trust/producer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAE3C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,mCAAmC;AACnC,eAAO,MAAM,uBAAuB,yBAAuD,CAAC;AAE5F,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,8CAA8C;AAC9C,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,OAAO,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,kEAAkE;IAClE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACvC,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,4DAA4D;IAC5D,SAAS,EAAE,SAAS,CAAC;IACrB,sDAAsD;IACtD,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,cAAc;IACd,MAAM,CAAC,EAAE;QAAE,IAAI,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAAC,IAAI,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;KAAE,CAAC;CAClG;AAED,+CAA+C;AAC/C,UAAU,mBAAmB;IAC3B,QAAQ,IAAI,OAAO,CAAC;QAAE,QAAQ,IAAI,aAAa,CAAC;QAAC,QAAQ,IAAI,aAAa,CAAA;KAAE,CAAC,CAAC;IAC9E,YAAY,IAAI,MAAM,CAAC;CACxB;AAED,UAAU,aAAa;IACrB,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACzB;AAED,UAAU,aAAa;IACrB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CAChD;AAED,0DAA0D;AAC1D,UAAU,aAAa;IACrB,WAAW,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAAC;CAC7C;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAC3C,IAAI,EAAE,mBAAmB,EACzB,IAAI,EAAE,wBAAwB,GAC7B,OAAO,CAAC,yBAAyB,CAAC,CA+FpC;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,aAAa,EACnB,IAAI,EAAE,wBAAwB,GAAG;IAAE,OAAO,CAAC,EAAE;QAAE,KAAK,EAAE,OAAO,CAAA;KAAE,CAAA;CAAE,GAChE,OAAO,CAAC,IAAI,CAAC,CAef"}
|