@cardelli/ambit 0.1.5 → 0.2.0

package/esm/providers/tailscale.js

@@ -0,0 +1,150 @@
+// =============================================================================
+// Tailscale API Client
+// =============================================================================
+import { die } from "../lib/cli.js";
+import { createAuthKeyPayload, TailscaleDevicesListSchema, } from "../schemas/tailscale.js";
+// =============================================================================
+// Constants
+// =============================================================================
+const API_BASE = "https://api.tailscale.com/api/v2";
+// =============================================================================
+// Create Tailscale Provider
+// =============================================================================
+export const createTailscaleProvider = (apiKey, tailnet = "-") => {
+    const headers = () => ({
+        "Content-Type": "application/json",
+        Accept: "application/json",
+        Authorization: `Basic ${btoa(apiKey + ":")}`,
+    });
+    const request = async (method, path, body) => {
+        try {
+            const response = await fetch(`${API_BASE}${path}`, {
+                method,
+                headers: headers(),
+                body: body ? JSON.stringify(body) : undefined,
+            });
+            if (!response.ok) {
+                const text = await response.text();
+                return {
+                    ok: false,
+                    status: response.status,
+                    error: text || `HTTP ${response.status}`,
+                };
+            }
+            const text = await response.text();
+            if (!text) {
+                return { ok: true, status: response.status };
+            }
+            return { ok: true, status: response.status, data: JSON.parse(text) };
+        }
+        catch (error) {
+            return {
+                ok: false,
+                status: 0,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    };
+    const provider = {
+        auth: {
+            async validateKey() {
+                const result = await request("GET", `/tailnet/${tailnet}/devices`);
+                return result.ok;
+            },
+            async createKey(opts) {
+                const payload = createAuthKeyPayload(opts ?? {});
+                const result = await request("POST", `/tailnet/${tailnet}/keys`, payload);
+                if (!result.ok || !result.data?.key) {
+                    return die(`Failed to Create Auth Key: ${result.error}`);
+                }
+                return result.data.key;
+            },
+        },
+        devices: {
+            async list() {
+                const result = await request("GET", `/tailnet/${tailnet}/devices`);
+                if (!result.ok) {
+                    return die(`Failed to List Devices: ${result.error}`);
+                }
+                const parsed = TailscaleDevicesListSchema.safeParse(result.data);
+                return parsed.success ? parsed.data.devices : [];
+            },
+            async getByHostname(hostname) {
+                const devices = await provider.devices.list();
+                const exact = devices.find((d) => d.hostname === hostname);
+                if (exact)
+                    return exact;
+                // Fallback: find by prefix if Tailscale added suffix (e.g., hostname-1)
+                // Prefer online devices, then most recently seen
+                const prefixMatches = devices
+                    .filter((d) => d.hostname.startsWith(hostname + "-"))
+                    .sort((a, b) => {
+                    if (a.online && !b.online)
+                        return -1;
+                    if (!a.online && b.online)
+                        return 1;
+                    const aTime = a.lastSeen ? new Date(a.lastSeen).getTime() : 0;
+                    const bTime = b.lastSeen ? new Date(b.lastSeen).getTime() : 0;
+                    return bTime - aTime;
+                });
+                return prefixMatches[0] ?? null;
+            },
+            async delete(id) {
+                const result = await request("DELETE", `/device/${id}`);
+                if (!result.ok) {
+                    return die(`Failed to Delete Device: ${result.error}`);
+                }
+            },
+        },
+        routes: {
+            async get(deviceId) {
+                const result = await request("GET", `/device/${deviceId}/routes`);
+                if (!result.ok || !result.data)
+                    return null;
+                const advertised = result.data.advertisedRoutes ?? [];
+                const enabled = result.data.enabledRoutes ?? [];
+                const enabledSet = new Set(enabled);
+                return {
+                    advertised,
+                    enabled,
+                    unapproved: advertised.filter((r) => !enabledSet.has(r)),
+                };
+            },
+            async approve(deviceId, routes) {
+                const result = await request("POST", `/device/${deviceId}/routes`, { routes });
+                if (!result.ok) {
+                    return die(`Failed to Approve Routes: ${result.error}`);
+                }
+            },
+        },
+        dns: {
+            async getSplit() {
+                const result = await request("GET", `/tailnet/${tailnet}/dns/split-dns`);
+                return result.ok && result.data ? result.data : {};
+            },
+            async setSplit(domain, nameservers) {
+                // PATCH performs partial update - only specified domains are modified
+                const result = await request("PATCH", `/tailnet/${tailnet}/dns/split-dns`, { [domain]: nameservers });
+                if (!result.ok) {
+                    return die(`Failed to Configure Split DNS: ${result.error}`);
+                }
+            },
+            async clearSplit(domain) {
+                const result = await request("PATCH", `/tailnet/${tailnet}/dns/split-dns`, { [domain]: null });
+                if (!result.ok) {
+                    return die(`Failed to Clear Split DNS: ${result.error}`);
+                }
+            },
+        },
+        acl: {
+            async getPolicy() {
+                const result = await request("GET", `/tailnet/${tailnet}/acl`);
+                if (!result.ok || !result.data) {
+                    return null;
+                }
+                return result.data;
+            },
+        },
+    };
+    return provider;
+};

package/esm/{src/schemas → schemas}/fly.d.ts

@@ -1,5 +1,4 @@
-import "../../_dnt.polyfills.js";
-import { z } from "../../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
+import { z } from "../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
 export declare const FlyAuthSchema: z.ZodObject<{
     email: z.ZodString;
 }, z.core.$loose>;
@@ -106,15 +105,6 @@ export declare const FlyDeploySchema: z.ZodObject<{
     ID: z.ZodOptional<z.ZodString>;
     Status: z.ZodOptional<z.ZodString>;
 }, z.core.$loose>;
-/**
- * Map Fly machine state to internal state.
- * Fly states: created, starting, started, stopping, stopped, destroying, destroyed
- */
-export declare const mapFlyMachineState: (flyState: string) => "creating" | "running" | "frozen" | "failed";
-/**
- * Map Fly guest config to machine size enum.
- */
-export declare const mapFlyMachineSize: (guest?: z.infer<typeof FlyMachineGuestSchema>) => "shared-cpu-1x" | "shared-cpu-2x" | "shared-cpu-4x";
 export type FlyOrgs = z.infer<typeof FlyOrgsSchema>;
 export declare const FlyIpNetworkSchema: z.ZodObject<{
     Name: z.ZodString;

package/esm/schemas/fly.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fly.d.ts","sourceRoot":"","sources":["../../src/schemas/fly.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,CAAC,EAAE,MAAM,4CAA4C,CAAC;AAM/D,eAAO,MAAM,aAAa;;iBAEhB,CAAC;AAEX,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AAMpD,eAAO,MAAM,YAAY;;;;;;iBAMf,CAAC;AAEX,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAElD,eAAO,MAAM,iBAAiB;;;;;;kBAAwB,CAAC;AAMvD,eAAO,MAAM,eAAe;;;;;iBAKlB,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAMxD,eAAO,MAAM,qBAAqB;;;;iBAIxB,CAAC;AAEX,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;iBAgBzB,CAAC;AAEX,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;iBASnB,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;kBAA4B,CAAC;AAM/D,eAAO,MAAM,aAAa,uCAAmC,CAAC;AAM9D,eAAO,MAAM,eAAe;;;iBAGlB,CAAC;AAEX,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AAMpD,eAAO,MAAM,kBAAkB;;;;;iBAGrB,CAAC;AAEX,eAAO,MAAM,WAAW;;;;;;;;;;;;iBAOd,CAAC;AAEX,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEhD,eAAO,MAAM,eAAe;;;;;;;;;;;;kBAAuB,CAAC;AAMpD,eAAO,MAAM,gBAAgB;;;;;;;iBAKnB,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D,eAAO,MAAM,oBAAoB;;;;;;;;;;iBAGvB,CAAC"}

package/esm/{src/schemas → schemas}/fly.js

@@ -1,14 +1,13 @@
 // =============================================================================
 // Fly.io CLI Response Schemas
 // =============================================================================
-import "../../_dnt.polyfills.js";
-import { z } from "../../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
+import { z } from "../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
 // =============================================================================
 // Auth Response
 // =============================================================================
 export const FlyAuthSchema = z.object({
     email: z.string(),
-}).passthrough();
+}).loose();
 // =============================================================================
 // App Schemas
 // =============================================================================
@@ -18,7 +17,7 @@ export const FlyAppSchema = z.object({
     Organization: z.object({
         Slug: z.string(),
     }).optional(),
-}).passthrough();
+}).loose();
 export const FlyAppsListSchema = z.array(FlyAppSchema);
 // =============================================================================
 // App Status
@@ -28,7 +27,7 @@ export const FlyStatusSchema = z.object({
     Name: z.string().optional(),
     Hostname: z.string().optional(),
     Deployed: z.boolean().optional(),
-}).passthrough();
+}).loose();
 // =============================================================================
 // Machine Schemas
 // =============================================================================
@@ -36,7 +35,7 @@ export const FlyMachineGuestSchema = z.object({
     cpu_kind: z.string(),
     cpus: z.number(),
     memory_mb: z.number(),
-}).passthrough();
+}).loose();
 export const FlyMachineConfigSchema = z.object({
     guest: FlyMachineGuestSchema.optional(),
     metadata: z.record(z.string(), z.string()).optional(),
@@ -45,11 +44,11 @@ export const FlyMachineConfigSchema = z.object({
         ports: z.array(z.object({
             port: z.number(),
             handlers: z.array(z.string()).optional(),
-        }).passthrough()).optional(),
+        }).loose()).optional(),
         protocol: z.string().optional(),
         internal_port: z.number().optional(),
-    }).passthrough()).optional(),
-}).passthrough();
+    }).loose()).optional(),
+}).loose();
 export const FlyMachineSchema = z.object({
     id: z.string(),
     name: z.string(),
@@ -59,7 +58,7 @@ export const FlyMachineSchema = z.object({
     config: FlyMachineConfigSchema.optional(),
     created_at: z.string().optional(),
     updated_at: z.string().optional(),
-}).passthrough();
+}).loose();
 export const FlyMachinesListSchema = z.array(FlyMachineSchema);
 // =============================================================================
 // Organization Schemas
@@ -71,55 +70,14 @@ export const FlyOrgsSchema = z.record(z.string(), z.string());
 export const FlyDeploySchema = z.object({
     ID: z.string().optional(),
     Status: z.string().optional(),
-}).passthrough();
-// =============================================================================
-// Machine State Mapping
-// =============================================================================
-/**
- * Map Fly machine state to internal state.
- * Fly states: created, starting, started, stopping, stopped, destroying, destroyed
- */
-export const mapFlyMachineState = (flyState) => {
-    switch (flyState.toLowerCase()) {
-        case "started":
-            return "running";
-        case "stopped":
-        case "suspended":
-            return "frozen";
-        case "created":
-        case "starting":
-            return "creating";
-        case "destroying":
-        case "destroyed":
-        case "failed":
-            return "failed";
-        default:
-            return "creating";
-    }
-};
-// =============================================================================
-// Machine Size Mapping
-// =============================================================================
-/**
- * Map Fly guest config to machine size enum.
- */
-export const mapFlyMachineSize = (guest) => {
-    if (!guest)
-        return "shared-cpu-1x";
-    const cpus = guest.cpus;
-    if (cpus >= 4)
-        return "shared-cpu-4x";
-    if (cpus >= 2)
-        return "shared-cpu-2x";
-    return "shared-cpu-1x";
-};
+}).loose();
 // =============================================================================
 // IP Schemas
 // =============================================================================
 export const FlyIpNetworkSchema = z.object({
     Name: z.string(),
     Organization: z.object({ Slug: z.string() }).optional(),
-}).passthrough();
+}).loose();
 export const FlyIpSchema = z.object({
     ID: z.string().optional(),
     Address: z.string(),
@@ -127,7 +85,7 @@ export const FlyIpSchema = z.object({
     Region: z.string().optional(),
     CreatedAt: z.string().optional(),
     Network: FlyIpNetworkSchema.optional(),
-}).passthrough();
+}).loose();
 export const FlyIpListSchema = z.array(FlyIpSchema);
 // =============================================================================
 // REST API Schemas (Machines API - api.machines.dev)
@@ -137,8 +95,8 @@ export const FlyAppInfoSchema = z.object({
     network: z.string(),
     status: z.string(),
     organization: z.object({ slug: z.string() }).optional(),
-}).passthrough();
+}).loose();
 export const FlyAppInfoListSchema = z.object({
     total_apps: z.number(),
     apps: z.array(FlyAppInfoSchema),
-}).passthrough();
+}).loose();

package/esm/{src/schemas → schemas}/tailscale.d.ts

@@ -1,5 +1,4 @@
-import "../../_dnt.polyfills.js";
-import { z } from "../../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
+import { z } from "../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
 export declare const TailscaleAuthKeySchema: z.ZodObject<{
     key: z.ZodString;
     id: z.ZodOptional<z.ZodString>;

package/esm/schemas/tailscale.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tailscale.d.ts","sourceRoot":"","sources":["../../src/schemas/tailscale.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,CAAC,EAAE,MAAM,4CAA4C,CAAC;AAM/D,eAAO,MAAM,sBAAsB;;;;;iBAKjC,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAMtE,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;iBAcxB,CAAC;AAEX,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;iBAErC,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAM9E,eAAO,MAAM,qBAAqB;;;iBAGhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAMpE,eAAO,MAAM,6BAA6B;;iBAExC,CAAC;AAEH,eAAO,MAAM,uBAAuB,mDAGnC,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAMxE,eAAO,MAAM,oBAAoB;;iBAE/B,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAMlE,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,eAAO,MAAM,oBAAoB,GAAI,MAAM,mBAAmB,KAAG,MA+BhE,CAAC"}

package/esm/{src/schemas → schemas}/tailscale.js

@@ -1,8 +1,7 @@
 // =============================================================================
 // Tailscale API Response Schemas
 // =============================================================================
-import "../../_dnt.polyfills.js";
-import { z } from "../../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
+import { z } from "../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
 // =============================================================================
 // Auth Key Schemas
 // =============================================================================
@@ -29,7 +28,7 @@ export const TailscaleDeviceSchema = z.object({
     tags: z.array(z.string()).optional(),
     advertisedRoutes: z.array(z.string()).optional(),
     enabledRoutes: z.array(z.string()).optional(),
-}).passthrough();
+}).loose();
 export const TailscaleDevicesListSchema = z.object({
     devices: z.array(TailscaleDeviceSchema),
 });

package/esm/src/{docker/router → router}/Dockerfile

@@ -6,7 +6,6 @@ FROM alpine:3.23.3
 
 ARG TAILSCALE_VERSION=1.94.1
 ARG COREDNS_VERSION=1.14.1
-ARG MICROSOCKS_VERSION=1.0.5
 
 RUN apk add --no-cache \
     bash \
@@ -25,16 +24,6 @@ RUN cd /tmp \
     && mv coredns /usr/local/bin/coredns \
     && chmod +x /usr/local/bin/coredns
 
-RUN apk add --no-cache gcc musl-dev make \
-    && cd /tmp \
-    && wget -q "https://github.com/rofl0r/microsocks/archive/refs/tags/v${MICROSOCKS_VERSION}.tar.gz" \
-    && tar xzf "v${MICROSOCKS_VERSION}.tar.gz" \
-    && cd "microsocks-${MICROSOCKS_VERSION}" \
-    && make \
-    && cp microsocks /usr/local/bin/ \
-    && cd / && rm -rf /tmp/microsocks* /tmp/v${MICROSOCKS_VERSION}.tar.gz \
-    && apk del gcc musl-dev make
-
 RUN mkdir -p /var/lib/tailscale /var/run/tailscale /etc/coredns
 
 COPY start.sh /start.sh

package/esm/src/{docker/router → router}/start.sh

@@ -16,10 +16,16 @@ echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf
 echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.conf
 sysctl -p /etc/sysctl.conf
 
-echo "Router: Starting Tailscaled"
+PRIVATE_IP=$(grep fly-local-6pn /etc/hosts | awk '{print $1}')
+
+# tailscaled's built-in SOCKS5 proxy routes through the WireGuard tunnel
+# directly (no tun device needed). This handles both TCP routing and DNS
+# resolution through the tailnet — MagicDNS, split DNS, everything.
+echo "Router: Starting Tailscaled with SOCKS5 Proxy on [${PRIVATE_IP}]:1080"
 /usr/local/bin/tailscaled \
   --state=/var/lib/tailscale/tailscaled.state \
-  --socket=/var/run/tailscale/tailscaled.sock &
+  --socket=/var/run/tailscale/tailscaled.sock \
+  --socks5-server=[${PRIVATE_IP}]:1080 &
 
 # Wait for tailscaled to be ready
 sleep 3
@@ -50,25 +56,26 @@ fi
 
 echo "Router: Fully Configured"
 
-# Start SOCKS5 proxy for bidirectional tailnet access
-PRIVATE_IP=$(grep fly-local-6pn /etc/hosts | awk '{print $1}')
-echo "Router: Starting SOCKS5 Proxy on [${PRIVATE_IP}]:1080"
-/usr/local/bin/microsocks -i "$PRIVATE_IP" -p 1080 &
+# Get Tailscale IPv4 for CoreDNS bind — split DNS queries arrive here
+TAILSCALE_IP=$(/usr/local/bin/tailscale ip -4)
+echo "Router: Tailscale IP ${TAILSCALE_IP}"
 
 echo "Router: Starting DNS Proxy"
 
 # Generate Corefile for CoreDNS
+# Binds to the Fly private IP and the Tailscale IP. Split DNS queries from
+# tailnet clients arrive on the Tailscale IP. Does NOT bind to all interfaces,
+# so tailscaled's MagicDNS resolver on 100.100.100.100:53 remains unblocked.
+#
 # Rewrites NETWORK_NAME TLD to .flycast before forwarding to Fly DNS.
 # When ROUTER_ID is set, workload app names are suffixed: app.network ->
 # app-ROUTER_ID.flycast. This ties workloads to their router and avoids
 # name collisions across networks.
-# .flycast resolves to the Flycast address (private_v6) which routes through
-# Fly Proxy — enabling autostart/autostop and load balancing. The Flycast IP
-# is within the network's /48 subnet so it's routable through the tailnet.
 if [ -n "${NETWORK_NAME}" ] && [ -n "${ROUTER_ID}" ]; then
   echo "Router: DNS Rewrite *.${NETWORK_NAME} -> *-${ROUTER_ID}.flycast"
   cat > /etc/coredns/Corefile <<EOF
 .:53 {
+    bind ${PRIVATE_IP} ${TAILSCALE_IP}
     rewrite name regex (.+)\.${NETWORK_NAME}\. {1}-${ROUTER_ID}.flycast. answer auto
     forward . fdaa::3
 }
@@ -77,6 +84,7 @@ elif [ -n "${NETWORK_NAME}" ]; then
   echo "Router: DNS Rewrite ${NETWORK_NAME} -> flycast"
   cat > /etc/coredns/Corefile <<EOF
 .:53 {
+    bind ${PRIVATE_IP} ${TAILSCALE_IP}
     rewrite name suffix .${NETWORK_NAME}. .flycast. answer auto
     forward . fdaa::3
 }
@@ -84,6 +92,7 @@ EOF
 else
   cat > /etc/coredns/Corefile <<EOF
 .:53 {
+    bind ${PRIVATE_IP} ${TAILSCALE_IP}
     forward . fdaa::3
 }
 EOF

package/esm/util/constants.d.ts

@@ -0,0 +1,13 @@
+export declare const ROUTER_APP_PREFIX = "ambit-";
+export declare const DEFAULT_FLY_NETWORK = "default";
+export declare const ROUTER_DOCKER_DIR: string;
+export declare const SOCKS_PROXY_PORT = 1080;
+export declare const FLY_PRIVATE_SUBNET = "fdaa::/16";
+export declare const TAILSCALE_API_KEY_PREFIX = "tskey-api-";
+export declare const ENV_TAILSCALE_API_KEY = "TAILSCALE_API_KEY";
+export declare const FLYCTL_INSTALL_URL = "https://fly.io/docs/flyctl/install/";
+export declare const SECRET_TAILSCALE_AUTHKEY = "TAILSCALE_AUTHKEY";
+export declare const SECRET_NETWORK_NAME = "NETWORK_NAME";
+export declare const SECRET_ROUTER_ID = "ROUTER_ID";
+export declare const SECRET_AMBIT_OUTBOUND_PROXY = "AMBIT_OUTBOUND_PROXY";
+//# sourceMappingURL=constants.d.ts.map

package/esm/util/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/util/constants.ts"],"names":[],"mappings":"AAQA,eAAO,MAAM,iBAAiB,WAAW,CAAC;AAE1C,eAAO,MAAM,mBAAmB,YAAY,CAAC;AAE7C,eAAO,MAAM,iBAAiB,QACnB,CAAC;AAMZ,eAAO,MAAM,gBAAgB,OAAO,CAAC;AAErC,eAAO,MAAM,kBAAkB,cAAc,CAAC;AAM9C,eAAO,MAAM,wBAAwB,eAAe,CAAC;AAErD,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AAMzD,eAAO,MAAM,kBAAkB,wCAAwC,CAAC;AAMxE,eAAO,MAAM,wBAAwB,sBAAsB,CAAC;AAC5D,eAAO,MAAM,mBAAmB,iBAAiB,CAAC;AAClD,eAAO,MAAM,gBAAgB,cAAc,CAAC;AAM5C,eAAO,MAAM,2BAA2B,yBAAyB,CAAC"}

package/esm/util/constants.js

@@ -0,0 +1,34 @@
+// =============================================================================
+// Constants - Shared Magic Values
+// =============================================================================
+// =============================================================================
+// Router / App Identity
+// =============================================================================
+export const ROUTER_APP_PREFIX = "ambit-";
+export const DEFAULT_FLY_NETWORK = "default";
+export const ROUTER_DOCKER_DIR = new URL("../router", globalThis[Symbol.for("import-meta-ponyfill-esmodule")](import.meta).url)
+    .pathname;
+// =============================================================================
+// Networking
+// =============================================================================
+export const SOCKS_PROXY_PORT = 1080;
+export const FLY_PRIVATE_SUBNET = "fdaa::/16";
+// =============================================================================
+// Tailscale
+// =============================================================================
+export const TAILSCALE_API_KEY_PREFIX = "tskey-api-";
+export const ENV_TAILSCALE_API_KEY = "TAILSCALE_API_KEY";
+// =============================================================================
+// External URLs
+// =============================================================================
+export const FLYCTL_INSTALL_URL = "https://fly.io/docs/flyctl/install/";
+// =============================================================================
+// Fly.io Secret Names (set on router machines)
+// =============================================================================
+export const SECRET_TAILSCALE_AUTHKEY = "TAILSCALE_AUTHKEY";
+export const SECRET_NETWORK_NAME = "NETWORK_NAME";
+export const SECRET_ROUTER_ID = "ROUTER_ID";
+// =============================================================================
+// Fly.io Secret Names (set on workload machines)
+// =============================================================================
+export const SECRET_AMBIT_OUTBOUND_PROXY = "AMBIT_OUTBOUND_PROXY";

package/esm/{src → util}/credentials.d.ts

@@ -1,4 +1,3 @@
-import "../_dnt.polyfills.js";
 export interface CredentialStore {
     getTailscaleApiKey(): Promise<string | null>;
     setTailscaleApiKey(key: string): Promise<void>;

package/esm/util/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/util/credentials.ts"],"names":[],"mappings":"AAsBA,MAAM,WAAW,eAAe;IAC9B,kBAAkB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAChD;AAQD,eAAO,MAAM,2BAA2B,QAAO,eA0B9C,CAAC;AAMF,eAAO,MAAM,kBAAkB,QAAO,eAerC,CAAC;AAMF;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB,GAC5B,KAAK;IAAE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAAC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,KAAK,CAAA;CAAE,KAC1D,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAA;CAAE,CAyBlC,CAAC"}

package/esm/{src → util}/credentials.js

@@ -1,11 +1,10 @@
 // =============================================================================
 // Credential Store - Persistent Tailscale API Key Storage
 // =============================================================================
-import "../_dnt.polyfills.js";
 import * as dntShim from "../_dnt.shims.js";
 import { z } from "../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
-import { commandExists, ensureConfigDir, fileExists } from "../lib/cli.js";
-import { getConfigDir } from "./schemas/config.js";
+import { commandExists, ensureConfigDir, fileExists, getConfigDir } from "../lib/cli.js";
+import { ENV_TAILSCALE_API_KEY } from "./constants.js";
 // =============================================================================
 // Schema
 // =============================================================================
@@ -46,8 +45,7 @@ export const getCredentialStore = () => {
     const fileStore = createConfigCredentialStore();
     return {
         async getTailscaleApiKey() {
-            // Environment variable takes priority
-            const envKey = dntShim.Deno.env.get("TAILSCALE_API_KEY");
+            const envKey = dntShim.Deno.env.get(ENV_TAILSCALE_API_KEY);
             if (envKey)
                 return envKey;
             return await fileStore.getTailscaleApiKey();

package/esm/{src → util}/discovery.d.ts

@@ -1,6 +1,5 @@
-import "../_dnt.polyfills.js";
-import type { FlyProvider } from "./providers/fly.js";
-import type { TailscaleProvider } from "./providers/tailscale.js";
+import type { FlyProvider } from "../providers/fly.js";
+import type { TailscaleProvider } from "../providers/tailscale.js";
 /** A router app discovered from the Fly REST API. */
 export interface RouterApp {
     appName: string;
@@ -42,4 +41,18 @@ export declare const findWorkloadApp: (fly: FlyProvider, org: string, appName: s
 export declare const getRouterMachineInfo: (fly: FlyProvider, appName: string) => Promise<RouterMachineInfo | null>;
 /** Get tailscale device info for a router. Returns null if not found. */
 export declare const getRouterTailscaleInfo: (tailscale: TailscaleProvider, appName: string) => Promise<RouterTailscaleInfo | null>;
+/** A router app with its machine and Tailscale state hydrated. */
+export type RouterWithInfo = RouterApp & {
+    machine: RouterMachineInfo | null;
+    tailscale: RouterTailscaleInfo | null;
+};
+/**
+ * Discover all routers in an org and hydrate each with machine + Tailscale state.
+ * Shows a spinner while fetching. Fetches all routers in parallel.
+ */
+export declare const discoverRouters: (out: {
+    spinner(msg: string): {
+        success(msg: string): void;
+    };
+}, fly: FlyProvider, tailscale: TailscaleProvider, org: string) => Promise<RouterWithInfo[]>;
 //# sourceMappingURL=discovery.d.ts.map

package/esm/util/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/util/discovery.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAWnE,qDAAqD;AACrD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,6DAA6D;AAC7D,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAMD,wDAAwD;AACxD,eAAO,MAAM,cAAc,GACzB,KAAK,WAAW,EAChB,KAAK,MAAM,KACV,OAAO,CAAC,SAAS,EAAE,CAerB,CAAC;AAEF,kDAAkD;AAClD,eAAO,MAAM,aAAa,GACxB,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,SAAS,GAAG,IAAI,CAG1B,CAAC;AAMF,oEAAoE;AACpE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,uEAAuE;AACvE,eAAO,MAAM,yBAAyB,GACpC,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,WAAW,EAAE,CAcvB,CAAC;AAEF;;+EAE+E;AAC/E,eAAO,MAAM,eAAe,GAC1B,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,EACf,UAAU,MAAM,KACf,OAAO,CAAC,WAAW,GAAG,IAAI,CA4B5B,CAAC;AAMF,4EAA4E;AAC5E,eAAO,MAAM,oBAAoB,GAC/B,KAAK,WAAW,EAChB,SAAS,MAAM,KACd,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAclC,CAAC;AAMF,yEAAyE;AACzE,eAAO,MAAM,sBAAsB,GACjC,WAAW,iBAAiB,EAC5B,SAAS,MAAM,KACd,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAcpC,CAAC;AAMF,kEAAkE;AAClE,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG;IACvC,OAAO,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAClC,SAAS,EAAE,mBAAmB,GAAG,IAAI,CAAC;CACvC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe,GAC1B,KAAK;IAAE,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,EAC7D,KAAK,WAAW,EAChB,WAAW,iBAAiB,EAC5B,KAAK,MAAM,KACV,OAAO,CAAC,cAAc,EAAE,CAa1B,CAAC"}