@camstack/core 0.1.37 → 0.1.39

package/dist/builtins/local-auth/oauth-grants.d.ts

@@ -0,0 +1,46 @@
+import { ISsoBridgeProvider, TokenScope } from '@camstack/types';
+import { OauthSessionManager } from './oauth-session-manager.js';
+interface IssueCodeInput {
+    integrationId: string;
+    userId: string;
+    username: string;
+    scopes: TokenScope[];
+    redirectUri: string;
+    hubUrl: string;
+}
+interface TokenPair {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+}
+interface VerifiedAccess {
+    userId: string;
+    username: string;
+    scopes: TokenScope[];
+}
+/** OAuth account-linking grant logic. Pure over an injected sso-bridge
+ *  signer so it is unit-testable without the capability registry.
+ *
+ *  Authorization codes are short-lived (60 s). The `redirectUri`,
+ *  `integrationId`, and a unique `jti` are embedded in the signed JWT
+ *  so the HMAC signature is the real security boundary. Single-use is
+ *  enforced by a `jti` consumed-set. The old in-process `pendingCodes`
+ *  Map is gone — a hub restart no longer breaks in-flight exchanges,
+ *  only risking a single replay within the remaining 60 s TTL. */
+export declare function createOauthGrants(ssoBridge: ISsoBridgeProvider, sessionManager: OauthSessionManager): {
+    oauthIssueCode(input: IssueCodeInput): Promise<{
+        code: string;
+    }>;
+    oauthExchangeCode(input: {
+        code: string;
+        redirectUri: string;
+    }): Promise<TokenPair | null>;
+    oauthRefresh(input: {
+        refreshToken: string;
+    }): Promise<TokenPair | null>;
+    oauthVerifyAccessToken(input: {
+        token: string;
+    }): Promise<VerifiedAccess | null>;
+};
+export {};
+//# sourceMappingURL=oauth-grants.d.ts.map

package/dist/builtins/local-auth/oauth-grants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-grants.d.ts","sourceRoot":"","sources":["../../../src/builtins/local-auth/oauth-grants.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AACrE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAIrE,UAAU,cAAc;IACtB,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,UAAU,EAAE,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,SAAS;IACjB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,UAAU,EAAE,CAAA;CACrB;AAED;;;;;;;;kEAQkE;AAClE,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,kBAAkB,EAAE,cAAc,EAAE,mBAAmB;0BAgCpE,cAAc,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;6BAevC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;wBA0BtE;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;kCAe1C;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;EAiBzF"}

package/dist/builtins/local-auth/oauth-session-manager.d.ts

@@ -0,0 +1,51 @@
+import { TokenScope, SettingsStoreClient } from '@camstack/types';
+export interface OauthSession {
+    readonly id: string;
+    readonly userId: string;
+    readonly username: string;
+    readonly integrationId: string;
+    readonly scopes: TokenScope[];
+    readonly createdAt: number;
+    readonly lastUsedAt: number;
+    readonly revokedAt: number | null;
+}
+interface CreateInput {
+    readonly userId: string;
+    readonly username: string;
+    readonly integrationId: string;
+    readonly scopes: TokenScope[];
+}
+export declare class OauthSessionManager {
+    private readonly store;
+    constructor(store: SettingsStoreClient);
+    /**
+     * Create a new OAuth session record. Generates a UUID as the session id,
+     * sets `createdAt` and `lastUsedAt` to now, `revokedAt` to null.
+     */
+    create(input: CreateInput): Promise<OauthSession>;
+    /**
+     * Return all sessions — both active and revoked. Callers decide
+     * whether to filter by `revokedAt`.
+     */
+    list(): Promise<OauthSession[]>;
+    /**
+     * Look up a session by its id. Returns null when not found.
+     */
+    getById(id: string): Promise<OauthSession | null>;
+    /**
+     * Mark a session as revoked by setting `revokedAt = now`.
+     *
+     * - Returns `true` on success (including idempotent re-revoke — the
+     *   existing `revokedAt` timestamp is preserved; it is NOT updated).
+     * - Returns `false` when the session id is not found.
+     */
+    markRevoked(id: string): Promise<boolean>;
+    /**
+     * Update `lastUsedAt` to now. No-op (does not throw) when the session
+     * id is not found — the caller (token-use hot path) should not fail
+     * for a missing session that may have been concurrently revoked.
+     */
+    touch(id: string): Promise<void>;
+}
+export {};
+//# sourceMappingURL=oauth-session-manager.d.ts.map

package/dist/builtins/local-auth/oauth-session-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-session-manager.d.ts","sourceRoot":"","sources":["../../../src/builtins/local-auth/oauth-session-manager.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAgBtE,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,EAAE,EAAa,MAAM,CAAA;IAC9B,QAAQ,CAAC,MAAM,EAAS,MAAM,CAAA;IAC9B,QAAQ,CAAC,QAAQ,EAAO,MAAM,CAAA;IAC9B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;IAC9B,QAAQ,CAAC,MAAM,EAAS,UAAU,EAAE,CAAA;IACpC,QAAQ,CAAC,SAAS,EAAM,MAAM,CAAA;IAC9B,QAAQ,CAAC,UAAU,EAAK,MAAM,CAAA;IAC9B,QAAQ,CAAC,SAAS,EAAM,MAAM,GAAG,IAAI,CAAA;CACtC;AAED,UAAU,WAAW;IACnB,QAAQ,CAAC,MAAM,EAAS,MAAM,CAAA;IAC9B,QAAQ,CAAC,QAAQ,EAAO,MAAM,CAAA;IAC9B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;IAC9B,QAAQ,CAAC,MAAM,EAAS,UAAU,EAAE,CAAA;CACrC;AAgCD,qBAAa,mBAAmB;IAClB,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,mBAAmB;IAEvD;;;OAGG;IACG,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC;IAqBvD;;;OAGG;IACG,IAAI,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;IAQrC;;OAEG;IACG,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IASvD;;;;;;OAMG;IACG,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAe/C;;;;OAIG;IACG,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAWvC"}

package/dist/builtins/remote-access-orchestrator/enabled-providers-reconcile.d.ts

@@ -0,0 +1,97 @@
+/**
+ * Pure reconciliation core for the remote-access orchestrator's durable
+ * `enabledProviders` set (D8 delivery-rule fix).
+ *
+ * Why this module exists
+ * ----------------------
+ * `enabledProviders: string[]` is the operator's "auto-start on boot"
+ * intent — a DURABLE setting. Historically it was written ONLY from two
+ * fire-and-forget bus events (`NetworkTunnelStarted` / `Stopped`). A
+ * dropped event (hub restart, addon crash-respawn, hub↔orchestrator
+ * partition) silently diverges the persisted set from reality:
+ *   - dropped `Started` → tunnel running, not recorded → no auto-start
+ *   - dropped `Stopped` → tunnel stopped, still recorded → boot restarts
+ *     an operator-stopped tunnel.
+ *
+ * A durable setting must not be written by a lossy event. The fix is an
+ * idempotent reconcile pass that pulls authoritative state via an
+ * ACKNOWLEDGED RPC (`network-access` cap `getStatus`) on every provider
+ * (re)connect — mirroring the kernel readiness-registry hydration via
+ * `$readiness.getSnapshot`. The lifecycle events stay (still fine for
+ * live UI dashboards); only the PERSISTENCE WRITE moves to the RPC pull.
+ *
+ * Reconcile semantics — ADD-ONLY (deliberately conservative)
+ * ----------------------------------------------------------
+ * `connected: true` from an acked RPC is UNAMBIGUOUS: the tunnel is up,
+ * so the operator must have started it → safe to ADD to `enabledProviders`
+ * (recovers a dropped `NetworkTunnelStarted` event).
+ *
+ * `connected: false` is AMBIGUOUS:
+ *   - Provider registered but not yet started (normal cold-boot state,
+ *     BEFORE `autoStartEnabledProviders` has called `start()`).
+ *   - Provider transiently down (network blip, restart in progress).
+ *   - Provider intentionally stopped by the operator.
+ * `getStatus()` reports connectivity, NOT operator intent. Acting on
+ * `connected: false` would wipe `enabledProviders` on every hub restart
+ * (providers re-register ~15-20 s before `start()` is called), defeating
+ * the purpose of the durable enabled-set. Therefore the reconcile pass
+ * NEVER removes on `connected: false`.
+ *
+ * Removal of operator intent stays event-driven (`NetworkTunnelStopped`
+ * → `markEnabled(id, false)`). That event is emitted synchronously by
+ * the provider's own `stop()` call — it is the reliable signal that the
+ * operator actually stopped the tunnel. A failed/absent RPC probe also
+ * leaves the provider untouched.
+ *
+ * // Follow-up: covering the dropped-`Stopped` direction (a `Stopped`
+ * // event lost → tunnel stopped but still in enabledProviders → boot
+ * // wrongly restarts it) would require a provider-side persisted
+ * // operator-intent flag that `getStatus()` surfaces. That is a larger
+ * // multi-addon change (the audit's "approach 2") and is OUT OF SCOPE
+ * // for this backstop. The current fix covers the higher-impact direction
+ * // (dropped `Started` → operator's running tunnel not auto-restarted).
+ *
+ * The function is pure: the addon owns the RPC fan-out + the persist
+ * call, so this core is unit-testable without a CapabilityRegistry.
+ */
+/**
+ * Outcome of one provider's `getStatus()` RPC probe.
+ *
+ * `ok: true`  → the RPC was acknowledged; `connected` is authoritative.
+ * `ok: false` → the RPC threw / timed out; state is unknown and the
+ *               provider's membership must be left as-is.
+ */
+export type ProviderProbeResult = {
+    readonly addonId: string;
+    readonly ok: true;
+    readonly connected: boolean;
+} | {
+    readonly addonId: string;
+    readonly ok: false;
+};
+export interface ReconcileResult {
+    /** The corrected enabled-set, sorted for stable persistence. */
+    readonly nextEnabled: readonly string[];
+    /** `true` when `nextEnabled` differs from the input — caller persists only then. */
+    readonly changed: boolean;
+    /** addonIds added because an acked RPC reported them connected. */
+    readonly added: readonly string[];
+    /**
+     * Always empty — reconcile is add-only. Removal of operator intent is
+     * event-driven (`NetworkTunnelStopped`). Kept in the type so callers
+     * that log `result.removed` continue to compile without changes.
+     */
+    readonly removed: readonly string[];
+}
+/**
+ * Reconcile the durable `enabledProviders` set against authoritative
+ * RPC probe results. Pure — no I/O. ADD-ONLY: only adds providers whose
+ * acked `getStatus()` reports `connected: true`. Never removes on
+ * `connected: false` — see module doc for the full rationale.
+ *
+ * @param currentEnabled - the persisted enabled-set before reconcile.
+ * @param probes - one entry per provider whose `getStatus()` RPC was
+ *   attempted this pass. Providers absent from this list are untouched.
+ */
+export declare function reconcileEnabledProviders(currentEnabled: readonly string[], probes: readonly ProviderProbeResult[]): ReconcileResult;
+//# sourceMappingURL=enabled-providers-reconcile.d.ts.map

package/dist/builtins/remote-access-orchestrator/enabled-providers-reconcile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enabled-providers-reconcile.d.ts","sourceRoot":"","sources":["../../../src/builtins/remote-access-orchestrator/enabled-providers-reconcile.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;GAMG;AACH,MAAM,MAAM,mBAAmB,GAC3B;IAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAA;CAAE,GAC5E;IAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAA;CAAE,CAAA;AAEpD,MAAM,WAAW,eAAe;IAC9B,gEAAgE;IAChE,QAAQ,CAAC,WAAW,EAAE,SAAS,MAAM,EAAE,CAAA;IACvC,oFAAoF;IACpF,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,mEAAmE;IACnE,QAAQ,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,CAAA;IACjC;;;;OAIG;IACH,QAAQ,CAAC,OAAO,EAAE,SAAS,MAAM,EAAE,CAAA;CACpC;AAED;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CACvC,cAAc,EAAE,SAAS,MAAM,EAAE,EACjC,MAAM,EAAE,SAAS,mBAAmB,EAAE,GACrC,eAAe,CA0BjB"}

package/dist/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.d.ts

@@ -9,10 +9,33 @@ interface RemoteAccessOrchestratorConfig {
 export declare class RemoteAccessOrchestratorAddon extends BaseAddon<RemoteAccessOrchestratorConfig> {
     constructor();
     protected onInitialize(): Promise<ProviderRegistration[]>;
+    /**
+     * Maintain the persisted `enabledProviders` set from a tunnel
+     * lifecycle event. `source.id` is `string | number`; `network-access`
+     * providers emit with `type: 'addon'` so it is always the addonId
+     * string. Non-string / non-addon sources are ignored defensively.
+     */
+    private onTunnelLifecycle;
+    /**
+     * Probe every locally-visible `network-access` provider's
+     * `getStatus()` over RPC and reconcile the durable `enabledProviders`
+     * set against the result. This is the D8 backstop for dropped
+     * `NetworkTunnelStarted` events: if `connected: true` is acked, the
+     * provider is added to `enabledProviders`. ADD-ONLY — never removes on
+     * `connected: false` (see enabled-providers-reconcile.ts for rationale).
+     *
+     * `getStatus()` is an acknowledged cap RPC — a transport blip surfaces
+     * as a rejected promise (recorded as `ok: false`, membership left
+     * untouched), never as a silent lossy write. Runs on every provider
+     * (re)connect via the `watchCapability` hooks, mirroring the kernel
+     * readiness-registry hydration on `$node.connected`. Safe to call
+     * before `autoStartEnabledProviders`: add-only semantics mean it cannot
+     * wipe the enabled-set even when providers are registered-not-yet-started.
+     */
+    private reconcileAndPersist;
     private autoStartEnabledProviders;
     private markEnabled;
     private resolveImpl;
-    private listProviders;
 }
 export default RemoteAccessOrchestratorAddon;
 //# sourceMappingURL=remote-access-orchestrator.addon.d.ts.map

package/dist/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"remote-access-orchestrator.addon.d.ts","sourceRoot":"","sources":["../../../src/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EACL,SAAS,EAIT,KAAK,oBAAoB,EAC1B,MAAM,iBAAiB,CAAA;AAgBxB,UAAU,8BAA8B;IACtC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,SAAS,MAAM,EAAE,CAAA;CAC7C;AAED,qBAAa,6BAA8B,SAAQ,SAAS,CAAC,8BAA8B,CAAC;;cAK1E,YAAY,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAyDjD,yBAAyB;YA8CzB,WAAW;IAQzB,OAAO,CAAC,WAAW;YAQL,aAAa;CAkC5B;AAED,eAAe,6BAA6B,CAAA"}
+{"version":3,"file":"remote-access-orchestrator.addon.d.ts","sourceRoot":"","sources":["../../../src/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,OAAO,EACL,SAAS,EAET,KAAK,oBAAoB,EAC1B,MAAM,iBAAiB,CAAA;AAexB,UAAU,8BAA8B;IACtC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,SAAS,MAAM,EAAE,CAAA;CAC7C;AAED,qBAAa,6BAA8B,SAAQ,SAAS,CAAC,8BAA8B,CAAC;;cAK1E,YAAY,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAwD/D;;;;;OAKG;YACW,iBAAiB;IAa/B;;;;;;;;;;;;;;;OAeG;YACW,mBAAmB;YAiCnB,yBAAyB;YAmDzB,WAAW;IAWzB,OAAO,CAAC,WAAW;CAOpB;AAED,eAAe,6BAA6B,CAAA"}

package/dist/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.js

@@ -4,42 +4,81 @@ Object.defineProperties(exports, {
 });
 require("../../chunk-C13QxCFV.js");
 let _camstack_types = require("@camstack/types");
+//#region src/builtins/remote-access-orchestrator/enabled-providers-reconcile.ts
+/**
+* Reconcile the durable `enabledProviders` set against authoritative
+* RPC probe results. Pure — no I/O. ADD-ONLY: only adds providers whose
+* acked `getStatus()` reports `connected: true`. Never removes on
+* `connected: false` — see module doc for the full rationale.
+*
+* @param currentEnabled - the persisted enabled-set before reconcile.
+* @param probes - one entry per provider whose `getStatus()` RPC was
+*   attempted this pass. Providers absent from this list are untouched.
+*/
+function reconcileEnabledProviders(currentEnabled, probes) {
+	const next = new Set(currentEnabled);
+	const added = [];
+	for (const probe of probes) {
+		if (!probe.ok) continue;
+		if (probe.connected) {
+			if (!next.has(probe.addonId)) {
+				next.add(probe.addonId);
+				added.push(probe.addonId);
+			}
+		}
+	}
+	return {
+		nextEnabled: [...next].sort(),
+		changed: added.length > 0,
+		added,
+		removed: []
+	};
+}
+//#endregion
 //#region src/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.ts
 /**
-* Remote-access orchestrator — singleton facade over the
-* `network-access` collection (Cloudflare Tunnel, ngrok, Tailscale, …).
-* Mirrors the auth-orchestrator and backup-orchestrator patterns.
+* Remote-access orchestrator — backend-only boot-autostart service for
+* the `network-access` collection (Cloudflare Tunnel, ngrok, Tailscale, …).
+*
+* Retired its `remote-access` facade cap (2026-05-15): the admin UI now
+* talks to the `network-access` collection cap directly via generic
+* per-`addonId` routing, so this addon registers NO capability.
 *
-* Persistence + autostart contract:
+* What it still owns — the load-bearing logic:
 *   The orchestrator owns the "operator wants this provider running"
-*   intent — a `enabledProviders: string[]` slice in its addon-store
+*   intent — an `enabledProviders: string[]` slice in its addon-store
 *   blob (BaseAddon.config). On boot we iterate the list and call
-*   `provider.start()` for each enabled entry. `startProvider` /
-*   `stopProvider` mutate this list so a Start press persists across
-*   restarts. Same shape as turn-orchestrator's setProviderEnabled.
+*   `provider.start()` for each enabled entry, so a tunnel set up once
+*   stays up across hub restarts.
+*
+*   Since start/stop no longer flow through this addon, the enabled-set
+*   is kept in sync from two sources:
+*     1. `NetworkTunnelStarted` / `NetworkTunnelStopped` bus events —
+*        fast, but lossy (fire-and-forget broadcasts). They drive both
+*        the live UI and removal from the durable set (`Stopped` is the
+*        only reliable "operator stopped it" signal).
+*     2. An RPC-driven ADD-ONLY RECONCILE pass (`reconcileEnabledProviders`)
+*        that pulls authoritative `connected` state via the `network-access`
+*        cap's `getStatus()` on every provider (re)connect. THIS covers
+*        dropped `NetworkTunnelStarted` events — if `connected: true` is
+*        acked, the provider is added to `enabledProviders`. It NEVER
+*        removes on `connected: false` because that signal is ambiguous
+*        (registered-not-yet-started vs transiently-down vs intentionally
+*        stopped). Running before `autoStartEnabledProviders` is safe:
+*        it can only add already-connected providers, never evict.
 */
 var RemoteAccessOrchestratorAddon = class extends _camstack_types.BaseAddon {
 	constructor() {
 		super({ enabledProviders: [] });
 	}
 	async onInitialize() {
-		const provider = {
-			listProviders: async () => this.listProviders(),
-			startProvider: async ({ addonId }) => {
-				const impl = this.resolveImpl(addonId);
-				if (!impl?.start) throw new Error(`Remote-access provider "${addonId}" does not support start`);
-				const endpoint = await impl.start();
-				await this.markEnabled(addonId, true);
-				return endpoint;
-			},
-			stopProvider: async ({ addonId }) => {
-				const impl = this.resolveImpl(addonId);
-				if (impl?.stop) await impl.stop();
-				await this.markEnabled(addonId, false);
-				return { success: true };
-			}
-		};
-		this.ctx.logger.info("Remote-access orchestrator initialized", { meta: { enabledCount: this.config.enabledProviders.length } });
+		this.ctx.logger.info("Remote-access orchestrator initialized (backend-only)", { meta: { enabledCount: this.config.enabledProviders.length } });
+		this.ctx.eventBus?.subscribe({ category: _camstack_types.EventCategory.NetworkTunnelStarted }, (event) => {
+			this.onTunnelLifecycle(event.source, true);
+		});
+		this.ctx.eventBus?.subscribe({ category: _camstack_types.EventCategory.NetworkTunnelStopped }, (event) => {
+			this.onTunnelLifecycle(event.source, false);
+		});
 		setImmediate(() => {
 			this.autoStartEnabledProviders();
 		});
@@ -49,12 +88,76 @@ var RemoteAccessOrchestratorAddon = class extends _camstack_types.BaseAddon {
 		this.watchCapability("mesh-network", { onReady: () => {
 			this.autoStartEnabledProviders();
 		} });
-		return [{
-			capability: _camstack_types.remoteAccessCapability,
-			provider
-		}];
+		return [];
+	}
+	/**
+	* Maintain the persisted `enabledProviders` set from a tunnel
+	* lifecycle event. `source.id` is `string | number`; `network-access`
+	* providers emit with `type: 'addon'` so it is always the addonId
+	* string. Non-string / non-addon sources are ignored defensively.
+	*/
+	async onTunnelLifecycle(source, started) {
+		if (source.type !== "addon" || typeof source.id !== "string") {
+			this.ctx.logger.warn("tunnel lifecycle event with non-addon source — ignoring", { meta: {
+				sourceType: source.type,
+				sourceId: source.id,
+				started
+			} });
+			return;
+		}
+		await this.markEnabled(source.id, started);
+	}
+	/**
+	* Probe every locally-visible `network-access` provider's
+	* `getStatus()` over RPC and reconcile the durable `enabledProviders`
+	* set against the result. This is the D8 backstop for dropped
+	* `NetworkTunnelStarted` events: if `connected: true` is acked, the
+	* provider is added to `enabledProviders`. ADD-ONLY — never removes on
+	* `connected: false` (see enabled-providers-reconcile.ts for rationale).
+	*
+	* `getStatus()` is an acknowledged cap RPC — a transport blip surfaces
+	* as a rejected promise (recorded as `ok: false`, membership left
+	* untouched), never as a silent lossy write. Runs on every provider
+	* (re)connect via the `watchCapability` hooks, mirroring the kernel
+	* readiness-registry hydration on `$node.connected`. Safe to call
+	* before `autoStartEnabledProviders`: add-only semantics mean it cannot
+	* wipe the enabled-set even when providers are registered-not-yet-started.
+	*/
+	async reconcileAndPersist() {
+		const entries = this.capabilities?.getCollectionEntries("network-access") ?? [];
+		if (entries.length === 0) return;
+		const probes = await Promise.all(entries.map(async ([addonId, impl]) => {
+			if (!impl.getStatus) return {
+				addonId,
+				ok: false
+			};
+			try {
+				return {
+					addonId,
+					ok: true,
+					connected: (await impl.getStatus()).connected
+				};
+			} catch (err) {
+				this.ctx.logger.warn("reconcile: getStatus RPC failed — leaving membership as-is", { meta: {
+					addonId,
+					error: err instanceof Error ? err.message : String(err)
+				} });
+				return {
+					addonId,
+					ok: false
+				};
+			}
+		}));
+		const result = reconcileEnabledProviders(this.config.enabledProviders, probes);
+		if (!result.changed) return;
+		this.ctx.logger.info("reconcile: corrected enabledProviders from RPC-pulled state", { meta: {
+			added: result.added,
+			removed: result.removed
+		} });
+		await this.updateGlobalSettings({ enabledProviders: result.nextEnabled });
 	}
 	async autoStartEnabledProviders() {
+		await this.reconcileAndPersist();
 		const ids = this.config.enabledProviders;
 		if (ids.length === 0) return;
 		this.ctx.logger.info("Auto-starting enabled remote-access providers", { meta: { addonIds: [...ids] } });
@@ -96,38 +199,15 @@ var RemoteAccessOrchestratorAddon = class extends _camstack_types.BaseAddon {
 		if (enabled) current.add(addonId);
 		else current.delete(addonId);
 		if (wasEnabled === enabled) return;
+		this.ctx.logger.info("remote-access intent updated", { meta: {
+			addonId,
+			enabled
+		} });
 		await this.updateGlobalSettings({ enabledProviders: [...current] });
 	}
 	resolveImpl(addonId) {
 		return (this.capabilities?.getCollectionEntries("network-access") ?? []).find(([id]) => id === addonId)?.[1] ?? null;
 	}
-	async listProviders() {
-		const entries = this.capabilities?.getCollectionEntries("network-access") ?? [];
-		const enabled = new Set(this.config.enabledProviders);
-		const out = [];
-		for (const [addonId, impl] of entries) {
-			let connected = false;
-			let endpoint = null;
-			let error;
-			if (impl.getStatus) try {
-				const s = await impl.getStatus();
-				connected = s.connected;
-				endpoint = s.endpoint;
-				error = s.error;
-			} catch (err) {
-				error = err instanceof Error ? err.message : String(err);
-			}
-			out.push({
-				addonId,
-				displayName: impl.displayName ?? addonId,
-				enabled: enabled.has(addonId),
-				connected,
-				endpoint,
-				...error !== void 0 ? { error } : {}
-			});
-		}
-		return out;
-	}
 };
 //#endregion
 exports.RemoteAccessOrchestratorAddon = RemoteAccessOrchestratorAddon;

package/dist/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.js.map

@@ -1 +1 @@
-{"version":3,"file":"remote-access-orchestrator.addon.js","names":[],"sources":["../../../src/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.ts"],"sourcesContent":["/**\n * Remote-access orchestrator — singleton facade over the\n * `network-access` collection (Cloudflare Tunnel, ngrok, Tailscale, …).\n * Mirrors the auth-orchestrator and backup-orchestrator patterns.\n *\n * Persistence + autostart contract:\n *   The orchestrator owns the \"operator wants this provider running\"\n *   intent — a `enabledProviders: string[]` slice in its addon-store\n *   blob (BaseAddon.config). On boot we iterate the list and call\n *   `provider.start()` for each enabled entry. `startProvider` /\n *   `stopProvider` mutate this list so a Start press persists across\n *   restarts. Same shape as turn-orchestrator's setProviderEnabled.\n */\nimport {\n  BaseAddon,\n  remoteAccessCapability,\n  type IRemoteAccessOrchestrator,\n  type RemoteAccessProviderInfo,\n  type ProviderRegistration,\n} from '@camstack/types'\n\ninterface NetworkAccessLike {\n  start?: () => Promise<{ url: string; hostname: string; port: number; protocol: 'http' | 'https' }>\n  stop?: () => Promise<void>\n  getStatus?: () => Promise<{\n    connected: boolean\n    endpoint: { url: string; hostname: string; port: number; protocol: 'http' | 'https' } | null\n    error?: string\n  }>\n}\n\ninterface NetworkAccessRegistrationMeta {\n  readonly displayName?: string\n}\n\ninterface RemoteAccessOrchestratorConfig {\n  /**\n   * addonIds the operator has explicitly Started. Auto-respawned on\n   * boot so a tunnel set up once stays up across hub restarts.\n   */\n  readonly enabledProviders: readonly string[]\n}\n\nexport class RemoteAccessOrchestratorAddon extends BaseAddon<RemoteAccessOrchestratorConfig> {\n  constructor() {\n    super({ enabledProviders: [] })\n  }\n\n  protected async onInitialize(): Promise<ProviderRegistration[]> {\n    const provider: IRemoteAccessOrchestrator = {\n      listProviders: async () => this.listProviders(),\n      startProvider: async ({ addonId }) => {\n        const impl = this.resolveImpl(addonId)\n        if (!impl?.start) throw new Error(`Remote-access provider \"${addonId}\" does not support start`)\n        const endpoint = await impl.start()\n        // Persist intent — next boot will auto-respawn this provider.\n        await this.markEnabled(addonId, true)\n        return endpoint\n      },\n      stopProvider: async ({ addonId }) => {\n        const impl = this.resolveImpl(addonId)\n        if (impl?.stop) await impl.stop()\n        // Clear intent — boot must NOT respawn this on next start.\n        await this.markEnabled(addonId, false)\n        return { success: true as const }\n      },\n    } satisfies IRemoteAccessOrchestrator\n    this.ctx.logger.info('Remote-access orchestrator initialized', {\n      meta: { enabledCount: this.config.enabledProviders.length },\n    })\n    // Defer autostart to next tick so the orchestrator's own provider\n    // registration completes first. `resolveImpl` reads from the\n    // capabilities registry which only sees in-process / cluster-mirrored\n    // providers once they've ALSO registered — small delay gives the\n    // cluster bridge time to discover them on cold boot. Errors are\n    // logged but never block init.\n    setImmediate(() => { this.autoStartEnabledProviders() })\n\n    // Lazy retry — forked providers (cloudflare-tunnel etc) typically\n    // register 15-20 s after this orchestrator boots, well past the\n    // `setImmediate` above. Hook BaseAddon's `system.ready-state`\n    // subscription so we re-run autoStart every time the\n    // `network-access` cap transitions to ready (whichever node holds\n    // it). The inner logic is idempotent + skips already-connected\n    // providers.\n    this.watchCapability('network-access', {\n      onReady: () => { void this.autoStartEnabledProviders() },\n    })\n\n    // Same watch for `mesh-network`. The tailscale-ingress provider\n    // registers `network-access` synchronously at boot, but `start()`\n    // throws when the tailnet isn't joined yet — so the boot-time\n    // autoStart call fails for tailscale ingresses if the tailscale\n    // daemon hadn't logged in by then. Watching `mesh-network` here\n    // re-triggers autoStart the moment the client transitions to\n    // joined (manual operator login or auto-rejoin), without needing\n    // a server restart. Same idempotency rules: providers already\n    // connected are skipped.\n    this.watchCapability('mesh-network', {\n      onReady: () => { void this.autoStartEnabledProviders() },\n    })\n\n    return [{ capability: remoteAccessCapability, provider }]\n  }\n\n  private async autoStartEnabledProviders(): Promise<void> {\n    const ids = this.config.enabledProviders\n    if (ids.length === 0) return\n    this.ctx.logger.info('Auto-starting enabled remote-access providers', {\n      meta: { addonIds: [...ids] },\n    })\n    for (const addonId of ids) {\n      try {\n        const impl = this.resolveImpl(addonId)\n        if (!impl?.start) {\n          // Provider isn't loaded yet (worker bridge still hydrating)\n          // OR it doesn't implement start. Log at debug level — the\n          // provider-registered subscription below will retry as soon\n          // as the addon appears.\n          this.ctx.logger.warn('autostart: provider not ready or unsupported', {\n            meta: { addonId, hasImpl: !!impl, hasStart: !!impl?.start },\n          })\n          continue\n        }\n        // Idempotent: skip when the provider is already connected.\n        // Avoids spamming start() on every provider-registered event\n        // and prevents respawning a child process that's already alive.\n        if (impl.getStatus) {\n          const status = await impl.getStatus().catch(() => null)\n          if (status?.connected) {\n            this.ctx.logger.info('autostart: provider already connected — skipping', {\n              meta: { addonId, url: status.endpoint?.url },\n            })\n            continue\n          }\n        }\n        const endpoint = await impl.start()\n        this.ctx.logger.info('autostart: provider started', {\n          meta: { addonId, url: endpoint.url },\n        })\n      } catch (err) {\n        this.ctx.logger.error('autostart: provider start failed', {\n          meta: {\n            addonId,\n            error: err instanceof Error ? err.message : String(err),\n          },\n        })\n      }\n    }\n  }\n\n  private async markEnabled(addonId: string, enabled: boolean): Promise<void> {\n    const current = new Set(this.config.enabledProviders)\n    const wasEnabled = current.has(addonId)\n    if (enabled) current.add(addonId); else current.delete(addonId)\n    if (wasEnabled === enabled) return\n    await this.updateGlobalSettings({ enabledProviders: [...current] })\n  }\n\n  private resolveImpl(addonId: string): (NetworkAccessLike & NetworkAccessRegistrationMeta) | null {\n    const entries = this.capabilities?.getCollectionEntries<NetworkAccessLike & NetworkAccessRegistrationMeta>(\n      'network-access',\n    ) ?? []\n    const found = entries.find(([id]) => id === addonId)\n    return found?.[1] ?? null\n  }\n\n  private async listProviders(): Promise<readonly RemoteAccessProviderInfo[]> {\n    const entries = this.capabilities?.getCollectionEntries<NetworkAccessLike & NetworkAccessRegistrationMeta>(\n      'network-access',\n    ) ?? []\n    const enabled = new Set(this.config.enabledProviders)\n    const out: RemoteAccessProviderInfo[] = []\n    for (const [addonId, impl] of entries) {\n      let connected = false\n      let endpoint: RemoteAccessProviderInfo['endpoint'] = null\n      let error: string | undefined\n      if (impl.getStatus) {\n        try {\n          const s = await impl.getStatus()\n          connected = s.connected\n          endpoint = s.endpoint\n          error = s.error\n        } catch (err) {\n          error = err instanceof Error ? err.message : String(err)\n        }\n      }\n      out.push({\n        addonId,\n        displayName: impl.displayName ?? addonId,\n        // `enabled` is now the operator's persisted intent — orthogonal\n        // to `connected` (which reflects the live tunnel state). Boot\n        // tries to bring enabled→connected automatically.\n        enabled: enabled.has(addonId),\n        connected,\n        endpoint,\n        ...(error !== undefined ? { error } : {}),\n      })\n    }\n    return out\n  }\n}\n\nexport default RemoteAccessOrchestratorAddon\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AA2CA,IAAa,gCAAb,cAAmD,gBAAA,UAA0C;CAC3F,cAAc;EACZ,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC;;CAGjC,MAAgB,eAAgD;EAC9D,MAAM,WAAsC;GAC1C,eAAe,YAAY,KAAK,eAAe;GAC/C,eAAe,OAAO,EAAE,cAAc;IACpC,MAAM,OAAO,KAAK,YAAY,QAAQ;IACtC,IAAI,CAAC,MAAM,OAAO,MAAM,IAAI,MAAM,2BAA2B,QAAQ,0BAA0B;IAC/F,MAAM,WAAW,MAAM,KAAK,OAAO;IAEnC,MAAM,KAAK,YAAY,SAAS,KAAK;IACrC,OAAO;;GAET,cAAc,OAAO,EAAE,cAAc;IACnC,MAAM,OAAO,KAAK,YAAY,QAAQ;IACtC,IAAI,MAAM,MAAM,MAAM,KAAK,MAAM;IAEjC,MAAM,KAAK,YAAY,SAAS,MAAM;IACtC,OAAO,EAAE,SAAS,MAAe;;GAEpC;EACD,KAAK,IAAI,OAAO,KAAK,0CAA0C,EAC7D,MAAM,EAAE,cAAc,KAAK,OAAO,iBAAiB,QAAQ,EAC5D,CAAC;EAOF,mBAAmB;GAAE,KAAK,2BAA2B;IAAG;EASxD,KAAK,gBAAgB,kBAAkB,EACrC,eAAe;GAAE,KAAU,2BAA2B;KACvD,CAAC;EAWF,KAAK,gBAAgB,gBAAgB,EACnC,eAAe;GAAE,KAAU,2BAA2B;KACvD,CAAC;EAEF,OAAO,CAAC;GAAE,YAAY,gBAAA;GAAwB;GAAU,CAAC;;CAG3D,MAAc,4BAA2C;EACvD,MAAM,MAAM,KAAK,OAAO;EACxB,IAAI,IAAI,WAAW,GAAG;EACtB,KAAK,IAAI,OAAO,KAAK,iDAAiD,EACpE,MAAM,EAAE,UAAU,CAAC,GAAG,IAAI,EAAE,EAC7B,CAAC;EACF,KAAK,MAAM,WAAW,KACpB,IAAI;GACF,MAAM,OAAO,KAAK,YAAY,QAAQ;GACtC,IAAI,CAAC,MAAM,OAAO;IAKhB,KAAK,IAAI,OAAO,KAAK,gDAAgD,EACnE,MAAM;KAAE;KAAS,SAAS,CAAC,CAAC;KAAM,UAAU,CAAC,CAAC,MAAM;KAAO,EAC5D,CAAC;IACF;;GAKF,IAAI,KAAK,WAAW;IAClB,MAAM,SAAS,MAAM,KAAK,WAAW,CAAC,YAAY,KAAK;IACvD,IAAI,QAAQ,WAAW;KACrB,KAAK,IAAI,OAAO,KAAK,oDAAoD,EACvE,MAAM;MAAE;MAAS,KAAK,OAAO,UAAU;MAAK,EAC7C,CAAC;KACF;;;GAGJ,MAAM,WAAW,MAAM,KAAK,OAAO;GACnC,KAAK,IAAI,OAAO,KAAK,+BAA+B,EAClD,MAAM;IAAE;IAAS,KAAK,SAAS;IAAK,EACrC,CAAC;WACK,KAAK;GACZ,KAAK,IAAI,OAAO,MAAM,oCAAoC,EACxD,MAAM;IACJ;IACA,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;IACxD,EACF,CAAC;;;CAKR,MAAc,YAAY,SAAiB,SAAiC;EAC1E,MAAM,UAAU,IAAI,IAAI,KAAK,OAAO,iBAAiB;EACrD,MAAM,aAAa,QAAQ,IAAI,QAAQ;EACvC,IAAI,SAAS,QAAQ,IAAI,QAAQ;OAAO,QAAQ,OAAO,QAAQ;EAC/D,IAAI,eAAe,SAAS;EAC5B,MAAM,KAAK,qBAAqB,EAAE,kBAAkB,CAAC,GAAG,QAAQ,EAAE,CAAC;;CAGrE,YAAoB,SAA6E;EAK/F,QAJgB,KAAK,cAAc,qBACjC,iBACD,IAAI,EAAE,EACe,MAAM,CAAC,QAAQ,OAAO,QACrC,GAAQ,MAAM;;CAGvB,MAAc,gBAA8D;EAC1E,MAAM,UAAU,KAAK,cAAc,qBACjC,iBACD,IAAI,EAAE;EACP,MAAM,UAAU,IAAI,IAAI,KAAK,OAAO,iBAAiB;EACrD,MAAM,MAAkC,EAAE;EAC1C,KAAK,MAAM,CAAC,SAAS,SAAS,SAAS;GACrC,IAAI,YAAY;GAChB,IAAI,WAAiD;GACrD,IAAI;GACJ,IAAI,KAAK,WACP,IAAI;IACF,MAAM,IAAI,MAAM,KAAK,WAAW;IAChC,YAAY,EAAE;IACd,WAAW,EAAE;IACb,QAAQ,EAAE;YACH,KAAK;IACZ,QAAQ,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;;GAG5D,IAAI,KAAK;IACP;IACA,aAAa,KAAK,eAAe;IAIjC,SAAS,QAAQ,IAAI,QAAQ;IAC7B;IACA;IACA,GAAI,UAAU,KAAA,IAAY,EAAE,OAAO,GAAG,EAAE;IACzC,CAAC;;EAEJ,OAAO"}
+{"version":3,"file":"remote-access-orchestrator.addon.js","names":[],"sources":["../../../src/builtins/remote-access-orchestrator/enabled-providers-reconcile.ts","../../../src/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.ts"],"sourcesContent":["/**\n * Pure reconciliation core for the remote-access orchestrator's durable\n * `enabledProviders` set (D8 delivery-rule fix).\n *\n * Why this module exists\n * ----------------------\n * `enabledProviders: string[]` is the operator's \"auto-start on boot\"\n * intent — a DURABLE setting. Historically it was written ONLY from two\n * fire-and-forget bus events (`NetworkTunnelStarted` / `Stopped`). A\n * dropped event (hub restart, addon crash-respawn, hub↔orchestrator\n * partition) silently diverges the persisted set from reality:\n *   - dropped `Started` → tunnel running, not recorded → no auto-start\n *   - dropped `Stopped` → tunnel stopped, still recorded → boot restarts\n *     an operator-stopped tunnel.\n *\n * A durable setting must not be written by a lossy event. The fix is an\n * idempotent reconcile pass that pulls authoritative state via an\n * ACKNOWLEDGED RPC (`network-access` cap `getStatus`) on every provider\n * (re)connect — mirroring the kernel readiness-registry hydration via\n * `$readiness.getSnapshot`. The lifecycle events stay (still fine for\n * live UI dashboards); only the PERSISTENCE WRITE moves to the RPC pull.\n *\n * Reconcile semantics — ADD-ONLY (deliberately conservative)\n * ----------------------------------------------------------\n * `connected: true` from an acked RPC is UNAMBIGUOUS: the tunnel is up,\n * so the operator must have started it → safe to ADD to `enabledProviders`\n * (recovers a dropped `NetworkTunnelStarted` event).\n *\n * `connected: false` is AMBIGUOUS:\n *   - Provider registered but not yet started (normal cold-boot state,\n *     BEFORE `autoStartEnabledProviders` has called `start()`).\n *   - Provider transiently down (network blip, restart in progress).\n *   - Provider intentionally stopped by the operator.\n * `getStatus()` reports connectivity, NOT operator intent. Acting on\n * `connected: false` would wipe `enabledProviders` on every hub restart\n * (providers re-register ~15-20 s before `start()` is called), defeating\n * the purpose of the durable enabled-set. Therefore the reconcile pass\n * NEVER removes on `connected: false`.\n *\n * Removal of operator intent stays event-driven (`NetworkTunnelStopped`\n * → `markEnabled(id, false)`). That event is emitted synchronously by\n * the provider's own `stop()` call — it is the reliable signal that the\n * operator actually stopped the tunnel. A failed/absent RPC probe also\n * leaves the provider untouched.\n *\n * // Follow-up: covering the dropped-`Stopped` direction (a `Stopped`\n * // event lost → tunnel stopped but still in enabledProviders → boot\n * // wrongly restarts it) would require a provider-side persisted\n * // operator-intent flag that `getStatus()` surfaces. That is a larger\n * // multi-addon change (the audit's \"approach 2\") and is OUT OF SCOPE\n * // for this backstop. The current fix covers the higher-impact direction\n * // (dropped `Started` → operator's running tunnel not auto-restarted).\n *\n * The function is pure: the addon owns the RPC fan-out + the persist\n * call, so this core is unit-testable without a CapabilityRegistry.\n */\n\n/**\n * Outcome of one provider's `getStatus()` RPC probe.\n *\n * `ok: true`  → the RPC was acknowledged; `connected` is authoritative.\n * `ok: false` → the RPC threw / timed out; state is unknown and the\n *               provider's membership must be left as-is.\n */\nexport type ProviderProbeResult =\n  | { readonly addonId: string; readonly ok: true; readonly connected: boolean }\n  | { readonly addonId: string; readonly ok: false }\n\nexport interface ReconcileResult {\n  /** The corrected enabled-set, sorted for stable persistence. */\n  readonly nextEnabled: readonly string[]\n  /** `true` when `nextEnabled` differs from the input — caller persists only then. */\n  readonly changed: boolean\n  /** addonIds added because an acked RPC reported them connected. */\n  readonly added: readonly string[]\n  /**\n   * Always empty — reconcile is add-only. Removal of operator intent is\n   * event-driven (`NetworkTunnelStopped`). Kept in the type so callers\n   * that log `result.removed` continue to compile without changes.\n   */\n  readonly removed: readonly string[]\n}\n\n/**\n * Reconcile the durable `enabledProviders` set against authoritative\n * RPC probe results. Pure — no I/O. ADD-ONLY: only adds providers whose\n * acked `getStatus()` reports `connected: true`. Never removes on\n * `connected: false` — see module doc for the full rationale.\n *\n * @param currentEnabled - the persisted enabled-set before reconcile.\n * @param probes - one entry per provider whose `getStatus()` RPC was\n *   attempted this pass. Providers absent from this list are untouched.\n */\nexport function reconcileEnabledProviders(\n  currentEnabled: readonly string[],\n  probes: readonly ProviderProbeResult[],\n): ReconcileResult {\n  const next = new Set<string>(currentEnabled)\n  const added: string[] = []\n\n  for (const probe of probes) {\n    if (!probe.ok) continue // RPC failed → state unknown → leave membership as-is\n    if (probe.connected) {\n      // Acked connected:true is unambiguous → operator must have started\n      // this tunnel → ensure it is in the enabled-set (recovers a dropped\n      // NetworkTunnelStarted event).\n      if (!next.has(probe.addonId)) {\n        next.add(probe.addonId)\n        added.push(probe.addonId)\n      }\n    }\n    // connected:false → ambiguous (not-yet-started / transient blip /\n    // operator-stopped). Do NOT remove. Removal is event-driven only.\n  }\n\n  const nextEnabled = [...next].sort()\n  return {\n    nextEnabled,\n    changed: added.length > 0,\n    added,\n    removed: [], // always empty — reconcile is add-only\n  }\n}\n","/**\n * Remote-access orchestrator — backend-only boot-autostart service for\n * the `network-access` collection (Cloudflare Tunnel, ngrok, Tailscale, …).\n *\n * Retired its `remote-access` facade cap (2026-05-15): the admin UI now\n * talks to the `network-access` collection cap directly via generic\n * per-`addonId` routing, so this addon registers NO capability.\n *\n * What it still owns — the load-bearing logic:\n *   The orchestrator owns the \"operator wants this provider running\"\n *   intent — an `enabledProviders: string[]` slice in its addon-store\n *   blob (BaseAddon.config). On boot we iterate the list and call\n *   `provider.start()` for each enabled entry, so a tunnel set up once\n *   stays up across hub restarts.\n *\n *   Since start/stop no longer flow through this addon, the enabled-set\n *   is kept in sync from two sources:\n *     1. `NetworkTunnelStarted` / `NetworkTunnelStopped` bus events —\n *        fast, but lossy (fire-and-forget broadcasts). They drive both\n *        the live UI and removal from the durable set (`Stopped` is the\n *        only reliable \"operator stopped it\" signal).\n *     2. An RPC-driven ADD-ONLY RECONCILE pass (`reconcileEnabledProviders`)\n *        that pulls authoritative `connected` state via the `network-access`\n *        cap's `getStatus()` on every provider (re)connect. THIS covers\n *        dropped `NetworkTunnelStarted` events — if `connected: true` is\n *        acked, the provider is added to `enabledProviders`. It NEVER\n *        removes on `connected: false` because that signal is ambiguous\n *        (registered-not-yet-started vs transiently-down vs intentionally\n *        stopped). Running before `autoStartEnabledProviders` is safe:\n *        it can only add already-connected providers, never evict.\n */\nimport {\n  BaseAddon,\n  EventCategory,\n  type ProviderRegistration,\n} from '@camstack/types'\nimport {\n  reconcileEnabledProviders,\n  type ProviderProbeResult,\n} from './enabled-providers-reconcile.js'\n\ninterface NetworkAccessLike {\n  start?: () => Promise<{ url: string; hostname: string; port: number; protocol: 'http' | 'https' }>\n  getStatus?: () => Promise<{\n    connected: boolean\n    endpoint: { url: string; hostname: string; port: number; protocol: 'http' | 'https' } | null\n    error?: string\n  }>\n}\n\ninterface RemoteAccessOrchestratorConfig {\n  /**\n   * addonIds the operator has explicitly Started. Auto-respawned on\n   * boot so a tunnel set up once stays up across hub restarts.\n   */\n  readonly enabledProviders: readonly string[]\n}\n\nexport class RemoteAccessOrchestratorAddon extends BaseAddon<RemoteAccessOrchestratorConfig> {\n  constructor() {\n    super({ enabledProviders: [] })\n  }\n\n  protected async onInitialize(): Promise<ProviderRegistration[]> {\n    this.ctx.logger.info('Remote-access orchestrator initialized (backend-only)', {\n      meta: { enabledCount: this.config.enabledProviders.length },\n    })\n\n    // Lifecycle events give the persisted set a PROMPT update — but\n    // they are lossy fire-and-forget broadcasts, so they are NOT the\n    // authority. The RPC-driven `reconcileAndPersist` pass below is the\n    // backstop that corrects any divergence from a dropped event. The\n    // emitting addonId is carried on `event.source.id` (events are\n    // emitted with `source: { type: 'addon', id: ctx.id }`).\n    this.ctx.eventBus?.subscribe(\n      { category: EventCategory.NetworkTunnelStarted },\n      (event) => { void this.onTunnelLifecycle(event.source, true) },\n    )\n    this.ctx.eventBus?.subscribe(\n      { category: EventCategory.NetworkTunnelStopped },\n      (event) => { void this.onTunnelLifecycle(event.source, false) },\n    )\n\n    // Defer autostart to next tick so provider registrations from\n    // co-located addons settle first. `resolveImpl` reads from the\n    // capabilities registry which only sees in-process / cluster-mirrored\n    // providers once they've ALSO registered — small delay gives the\n    // cluster bridge time to discover them on cold boot. Errors are\n    // logged but never block init.\n    setImmediate(() => { void this.autoStartEnabledProviders() })\n\n    // Lazy retry — forked providers (cloudflare-tunnel etc) typically\n    // register 15-20 s after this orchestrator boots, well past the\n    // `setImmediate` above. Hook BaseAddon's `system.ready-state`\n    // subscription so we re-run autoStart every time the\n    // `network-access` cap transitions to ready (whichever node holds\n    // it). The inner logic is idempotent + skips already-connected\n    // providers.\n    this.watchCapability('network-access', {\n      onReady: () => { void this.autoStartEnabledProviders() },\n    })\n\n    // Same watch for `mesh-network`. The tailscale-ingress provider\n    // registers `network-access` synchronously at boot, but `start()`\n    // throws when the tailnet isn't joined yet — so the boot-time\n    // autoStart call fails for tailscale ingresses if the tailscale\n    // daemon hadn't logged in by then. Watching `mesh-network` here\n    // re-triggers autoStart the moment the client transitions to\n    // joined (manual operator login or auto-rejoin), without needing\n    // a server restart. Same idempotency rules: providers already\n    // connected are skipped.\n    this.watchCapability('mesh-network', {\n      onReady: () => { void this.autoStartEnabledProviders() },\n    })\n\n    // Backend-only addon — registers no capability.\n    return []\n  }\n\n  /**\n   * Maintain the persisted `enabledProviders` set from a tunnel\n   * lifecycle event. `source.id` is `string | number`; `network-access`\n   * providers emit with `type: 'addon'` so it is always the addonId\n   * string. Non-string / non-addon sources are ignored defensively.\n   */\n  private async onTunnelLifecycle(\n    source: { readonly type: string; readonly id: string | number },\n    started: boolean,\n  ): Promise<void> {\n    if (source.type !== 'addon' || typeof source.id !== 'string') {\n      this.ctx.logger.warn('tunnel lifecycle event with non-addon source — ignoring', {\n        meta: { sourceType: source.type, sourceId: source.id, started },\n      })\n      return\n    }\n    await this.markEnabled(source.id, started)\n  }\n\n  /**\n   * Probe every locally-visible `network-access` provider's\n   * `getStatus()` over RPC and reconcile the durable `enabledProviders`\n   * set against the result. This is the D8 backstop for dropped\n   * `NetworkTunnelStarted` events: if `connected: true` is acked, the\n   * provider is added to `enabledProviders`. ADD-ONLY — never removes on\n   * `connected: false` (see enabled-providers-reconcile.ts for rationale).\n   *\n   * `getStatus()` is an acknowledged cap RPC — a transport blip surfaces\n   * as a rejected promise (recorded as `ok: false`, membership left\n   * untouched), never as a silent lossy write. Runs on every provider\n   * (re)connect via the `watchCapability` hooks, mirroring the kernel\n   * readiness-registry hydration on `$node.connected`. Safe to call\n   * before `autoStartEnabledProviders`: add-only semantics mean it cannot\n   * wipe the enabled-set even when providers are registered-not-yet-started.\n   */\n  private async reconcileAndPersist(): Promise<void> {\n    const entries = this.capabilities?.getCollectionEntries<NetworkAccessLike>(\n      'network-access',\n    ) ?? []\n    if (entries.length === 0) return\n\n    const probes: ProviderProbeResult[] = await Promise.all(\n      entries.map(async ([addonId, impl]): Promise<ProviderProbeResult> => {\n        if (!impl.getStatus) {\n          // Provider can't report status — treat as unknown, leave as-is.\n          return { addonId, ok: false }\n        }\n        try {\n          const status = await impl.getStatus()\n          return { addonId, ok: true, connected: status.connected }\n        } catch (err) {\n          this.ctx.logger.warn('reconcile: getStatus RPC failed — leaving membership as-is', {\n            meta: { addonId, error: err instanceof Error ? err.message : String(err) },\n          })\n          return { addonId, ok: false }\n        }\n      }),\n    )\n\n    const result = reconcileEnabledProviders(this.config.enabledProviders, probes)\n    if (!result.changed) return\n\n    this.ctx.logger.info('reconcile: corrected enabledProviders from RPC-pulled state', {\n      meta: { added: result.added, removed: result.removed },\n    })\n    await this.updateGlobalSettings({ enabledProviders: result.nextEnabled })\n  }\n\n  private async autoStartEnabledProviders(): Promise<void> {\n    // RPC-driven ADD-ONLY reconcile first: recovers any dropped\n    // `NetworkTunnelStarted` events by adding providers that are already\n    // connected. Cannot evict — safe to run before start() calls.\n    await this.reconcileAndPersist()\n\n    const ids = this.config.enabledProviders\n    if (ids.length === 0) return\n    this.ctx.logger.info('Auto-starting enabled remote-access providers', {\n      meta: { addonIds: [...ids] },\n    })\n    for (const addonId of ids) {\n      try {\n        const impl = this.resolveImpl(addonId)\n        if (!impl?.start) {\n          // Provider isn't loaded yet (worker bridge still hydrating)\n          // OR it doesn't implement start. Log at warn level — the\n          // `watchCapability` subscriptions above retry as soon as the\n          // provider appears.\n          this.ctx.logger.warn('autostart: provider not ready or unsupported', {\n            meta: { addonId, hasImpl: !!impl, hasStart: !!impl?.start },\n          })\n          continue\n        }\n        // Idempotent: skip when the provider is already connected.\n        // Avoids spamming start() on every ready-state event and\n        // prevents respawning a child process that's already alive.\n        if (impl.getStatus) {\n          const status = await impl.getStatus().catch(() => null)\n          if (status?.connected) {\n            this.ctx.logger.info('autostart: provider already connected — skipping', {\n              meta: { addonId, url: status.endpoint?.url },\n            })\n            continue\n          }\n        }\n        const endpoint = await impl.start()\n        this.ctx.logger.info('autostart: provider started', {\n          meta: { addonId, url: endpoint.url },\n        })\n      } catch (err) {\n        this.ctx.logger.error('autostart: provider start failed', {\n          meta: {\n            addonId,\n            error: err instanceof Error ? err.message : String(err),\n          },\n        })\n      }\n    }\n  }\n\n  private async markEnabled(addonId: string, enabled: boolean): Promise<void> {\n    const current = new Set(this.config.enabledProviders)\n    const wasEnabled = current.has(addonId)\n    if (enabled) current.add(addonId); else current.delete(addonId)\n    if (wasEnabled === enabled) return\n    this.ctx.logger.info('remote-access intent updated', {\n      meta: { addonId, enabled },\n    })\n    await this.updateGlobalSettings({ enabledProviders: [...current] })\n  }\n\n  private resolveImpl(addonId: string): NetworkAccessLike | null {\n    const entries = this.capabilities?.getCollectionEntries<NetworkAccessLike>(\n      'network-access',\n    ) ?? []\n    const found = entries.find(([id]) => id === addonId)\n    return found?.[1] ?? null\n  }\n}\n\nexport default RemoteAccessOrchestratorAddon\n"],"mappings":";;;;;;;;;;;;;;;;;AA6FA,SAAgB,0BACd,gBACA,QACiB;CACjB,MAAM,OAAO,IAAI,IAAY,eAAe;CAC5C,MAAM,QAAkB,EAAE;CAE1B,KAAK,MAAM,SAAS,QAAQ;EAC1B,IAAI,CAAC,MAAM,IAAI;EACf,IAAI,MAAM;OAIJ,CAAC,KAAK,IAAI,MAAM,QAAQ,EAAE;IAC5B,KAAK,IAAI,MAAM,QAAQ;IACvB,MAAM,KAAK,MAAM,QAAQ;;;;CAQ/B,OAAO;EACL,aAFkB,CAAC,GAAG,KAAK,CAAC,MAE5B;EACA,SAAS,MAAM,SAAS;EACxB;EACA,SAAS,EAAE;EACZ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC/DH,IAAa,gCAAb,cAAmD,gBAAA,UAA0C;CAC3F,cAAc;EACZ,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC;;CAGjC,MAAgB,eAAgD;EAC9D,KAAK,IAAI,OAAO,KAAK,yDAAyD,EAC5E,MAAM,EAAE,cAAc,KAAK,OAAO,iBAAiB,QAAQ,EAC5D,CAAC;EAQF,KAAK,IAAI,UAAU,UACjB,EAAE,UAAU,gBAAA,cAAc,sBAAsB,GAC/C,UAAU;GAAE,KAAU,kBAAkB,MAAM,QAAQ,KAAK;IAC7D;EACD,KAAK,IAAI,UAAU,UACjB,EAAE,UAAU,gBAAA,cAAc,sBAAsB,GAC/C,UAAU;GAAE,KAAU,kBAAkB,MAAM,QAAQ,MAAM;IAC9D;EAQD,mBAAmB;GAAE,KAAU,2BAA2B;IAAG;EAS7D,KAAK,gBAAgB,kBAAkB,EACrC,eAAe;GAAE,KAAU,2BAA2B;KACvD,CAAC;EAWF,KAAK,gBAAgB,gBAAgB,EACnC,eAAe;GAAE,KAAU,2BAA2B;KACvD,CAAC;EAGF,OAAO,EAAE;;;;;;;;CASX,MAAc,kBACZ,QACA,SACe;EACf,IAAI,OAAO,SAAS,WAAW,OAAO,OAAO,OAAO,UAAU;GAC5D,KAAK,IAAI,OAAO,KAAK,2DAA2D,EAC9E,MAAM;IAAE,YAAY,OAAO;IAAM,UAAU,OAAO;IAAI;IAAS,EAChE,CAAC;GACF;;EAEF,MAAM,KAAK,YAAY,OAAO,IAAI,QAAQ;;;;;;;;;;;;;;;;;;CAmB5C,MAAc,sBAAqC;EACjD,MAAM,UAAU,KAAK,cAAc,qBACjC,iBACD,IAAI,EAAE;EACP,IAAI,QAAQ,WAAW,GAAG;EAE1B,MAAM,SAAgC,MAAM,QAAQ,IAClD,QAAQ,IAAI,OAAO,CAAC,SAAS,UAAwC;GACnE,IAAI,CAAC,KAAK,WAER,OAAO;IAAE;IAAS,IAAI;IAAO;GAE/B,IAAI;IAEF,OAAO;KAAE;KAAS,IAAI;KAAM,YAAW,MADlB,KAAK,WAAW,EACS;KAAW;YAClD,KAAK;IACZ,KAAK,IAAI,OAAO,KAAK,8DAA8D,EACjF,MAAM;KAAE;KAAS,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;KAAE,EAC3E,CAAC;IACF,OAAO;KAAE;KAAS,IAAI;KAAO;;IAE/B,CACH;EAED,MAAM,SAAS,0BAA0B,KAAK,OAAO,kBAAkB,OAAO;EAC9E,IAAI,CAAC,OAAO,SAAS;EAErB,KAAK,IAAI,OAAO,KAAK,+DAA+D,EAClF,MAAM;GAAE,OAAO,OAAO;GAAO,SAAS,OAAO;GAAS,EACvD,CAAC;EACF,MAAM,KAAK,qBAAqB,EAAE,kBAAkB,OAAO,aAAa,CAAC;;CAG3E,MAAc,4BAA2C;EAIvD,MAAM,KAAK,qBAAqB;EAEhC,MAAM,MAAM,KAAK,OAAO;EACxB,IAAI,IAAI,WAAW,GAAG;EACtB,KAAK,IAAI,OAAO,KAAK,iDAAiD,EACpE,MAAM,EAAE,UAAU,CAAC,GAAG,IAAI,EAAE,EAC7B,CAAC;EACF,KAAK,MAAM,WAAW,KACpB,IAAI;GACF,MAAM,OAAO,KAAK,YAAY,QAAQ;GACtC,IAAI,CAAC,MAAM,OAAO;IAKhB,KAAK,IAAI,OAAO,KAAK,gDAAgD,EACnE,MAAM;KAAE;KAAS,SAAS,CAAC,CAAC;KAAM,UAAU,CAAC,CAAC,MAAM;KAAO,EAC5D,CAAC;IACF;;GAKF,IAAI,KAAK,WAAW;IAClB,MAAM,SAAS,MAAM,KAAK,WAAW,CAAC,YAAY,KAAK;IACvD,IAAI,QAAQ,WAAW;KACrB,KAAK,IAAI,OAAO,KAAK,oDAAoD,EACvE,MAAM;MAAE;MAAS,KAAK,OAAO,UAAU;MAAK,EAC7C,CAAC;KACF;;;GAGJ,MAAM,WAAW,MAAM,KAAK,OAAO;GACnC,KAAK,IAAI,OAAO,KAAK,+BAA+B,EAClD,MAAM;IAAE;IAAS,KAAK,SAAS;IAAK,EACrC,CAAC;WACK,KAAK;GACZ,KAAK,IAAI,OAAO,MAAM,oCAAoC,EACxD,MAAM;IACJ;IACA,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;IACxD,EACF,CAAC;;;CAKR,MAAc,YAAY,SAAiB,SAAiC;EAC1E,MAAM,UAAU,IAAI,IAAI,KAAK,OAAO,iBAAiB;EACrD,MAAM,aAAa,QAAQ,IAAI,QAAQ;EACvC,IAAI,SAAS,QAAQ,IAAI,QAAQ;OAAO,QAAQ,OAAO,QAAQ;EAC/D,IAAI,eAAe,SAAS;EAC5B,KAAK,IAAI,OAAO,KAAK,gCAAgC,EACnD,MAAM;GAAE;GAAS;GAAS,EAC3B,CAAC;EACF,MAAM,KAAK,qBAAqB,EAAE,kBAAkB,CAAC,GAAG,QAAQ,EAAE,CAAC;;CAGrE,YAAoB,SAA2C;EAK7D,QAJgB,KAAK,cAAc,qBACjC,iBACD,IAAI,EAAE,EACe,MAAM,CAAC,QAAQ,OAAO,QACrC,GAAQ,MAAM"}