npm - @de-otio/chaoskb-client - Versions diffs - 0.2.0 - Mend

@de-otio/chaoskb-client 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (355) hide show

package/dist/cli/agent-registry/config-merger.d.ts +28 -0
package/dist/cli/agent-registry/config-merger.d.ts.map +1 -0
package/dist/cli/agent-registry/config-merger.js +90 -0
package/dist/cli/agent-registry/config-merger.js.map +1 -0
package/dist/cli/agent-registry/detector.d.ts +7 -0
package/dist/cli/agent-registry/detector.d.ts.map +1 -0
package/dist/cli/agent-registry/detector.js +100 -0
package/dist/cli/agent-registry/detector.js.map +1 -0
package/dist/cli/agent-registry/index.d.ts +26 -0
package/dist/cli/agent-registry/index.d.ts.map +1 -0
package/dist/cli/agent-registry/index.js +77 -0
package/dist/cli/agent-registry/index.js.map +1 -0
package/dist/cli/agent-registry/path-validator.d.ts +11 -0
package/dist/cli/agent-registry/path-validator.d.ts.map +1 -0
package/dist/cli/agent-registry/path-validator.js +69 -0
package/dist/cli/agent-registry/path-validator.js.map +1 -0
package/dist/cli/agent-registry/registry.json +108 -0
package/dist/cli/agent-registry/types.d.ts +29 -0
package/dist/cli/agent-registry/types.d.ts.map +1 -0
package/dist/cli/agent-registry/types.js +2 -0
package/dist/cli/agent-registry/types.js.map +1 -0
package/dist/cli/bootstrap-lock.d.ts +7 -0
package/dist/cli/bootstrap-lock.d.ts.map +1 -0
package/dist/cli/bootstrap-lock.js +62 -0
package/dist/cli/bootstrap-lock.js.map +1 -0
package/dist/cli/bootstrap.d.ts +23 -0
package/dist/cli/bootstrap.d.ts.map +1 -0
package/dist/cli/bootstrap.js +438 -0
package/dist/cli/bootstrap.js.map +1 -0
package/dist/cli/commands/config.d.ts +13 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +244 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/devices.d.ts +21 -0
package/dist/cli/commands/devices.d.ts.map +1 -0
package/dist/cli/commands/devices.js +229 -0
package/dist/cli/commands/devices.js.map +1 -0
package/dist/cli/commands/export.d.ts +12 -0
package/dist/cli/commands/export.d.ts.map +1 -0
package/dist/cli/commands/export.js +183 -0
package/dist/cli/commands/export.js.map +1 -0
package/dist/cli/commands/import.d.ts +26 -0
package/dist/cli/commands/import.d.ts.map +1 -0
package/dist/cli/commands/import.js +311 -0
package/dist/cli/commands/import.js.map +1 -0
package/dist/cli/commands/kb.d.ts +39 -0
package/dist/cli/commands/kb.d.ts.map +1 -0
package/dist/cli/commands/kb.js +138 -0
package/dist/cli/commands/kb.js.map +1 -0
package/dist/cli/commands/project.d.ts +6 -0
package/dist/cli/commands/project.d.ts.map +1 -0
package/dist/cli/commands/project.js +115 -0
package/dist/cli/commands/project.js.map +1 -0
package/dist/cli/commands/projects.d.ts +33 -0
package/dist/cli/commands/projects.d.ts.map +1 -0
package/dist/cli/commands/projects.js +189 -0
package/dist/cli/commands/projects.js.map +1 -0
package/dist/cli/commands/register.d.ts +8 -0
package/dist/cli/commands/register.d.ts.map +1 -0
package/dist/cli/commands/register.js +146 -0
package/dist/cli/commands/register.js.map +1 -0
package/dist/cli/commands/rotate-key.d.ts +16 -0
package/dist/cli/commands/rotate-key.d.ts.map +1 -0
package/dist/cli/commands/rotate-key.js +197 -0
package/dist/cli/commands/rotate-key.js.map +1 -0
package/dist/cli/commands/setup-sync.d.ts +2 -0
package/dist/cli/commands/setup-sync.d.ts.map +1 -0
package/dist/cli/commands/setup-sync.js +165 -0
package/dist/cli/commands/setup-sync.js.map +1 -0
package/dist/cli/commands/setup.d.ts +12 -0
package/dist/cli/commands/setup.d.ts.map +1 -0
package/dist/cli/commands/setup.js +39 -0
package/dist/cli/commands/setup.js.map +1 -0
package/dist/cli/commands/status.d.ts +5 -0
package/dist/cli/commands/status.d.ts.map +1 -0
package/dist/cli/commands/status.js +96 -0
package/dist/cli/commands/status.js.map +1 -0
package/dist/cli/commands/uninstall.d.ts +4 -0
package/dist/cli/commands/uninstall.d.ts.map +1 -0
package/dist/cli/commands/uninstall.js +85 -0
package/dist/cli/commands/uninstall.js.map +1 -0
package/dist/cli/commands/unregister.d.ts +2 -0
package/dist/cli/commands/unregister.d.ts.map +1 -0
package/dist/cli/commands/unregister.js +46 -0
package/dist/cli/commands/unregister.js.map +1 -0
package/dist/cli/device-metadata.d.ts +15 -0
package/dist/cli/device-metadata.d.ts.map +1 -0
package/dist/cli/device-metadata.js +58 -0
package/dist/cli/device-metadata.js.map +1 -0
package/dist/cli/github.d.ts +38 -0
package/dist/cli/github.d.ts.map +1 -0
package/dist/cli/github.js +159 -0
package/dist/cli/github.js.map +1 -0
package/dist/cli/guide-hashes.json +13 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +226 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/mcp-server.d.ts +205 -0
package/dist/cli/mcp-server.d.ts.map +1 -0
package/dist/cli/mcp-server.js +366 -0
package/dist/cli/mcp-server.js.map +1 -0
package/dist/cli/tools/kb-delete.d.ts +10 -0
package/dist/cli/tools/kb-delete.d.ts.map +1 -0
package/dist/cli/tools/kb-delete.js +28 -0
package/dist/cli/tools/kb-delete.js.map +1 -0
package/dist/cli/tools/kb-ingest.d.ts +13 -0
package/dist/cli/tools/kb-ingest.d.ts.map +1 -0
package/dist/cli/tools/kb-ingest.js +72 -0
package/dist/cli/tools/kb-ingest.js.map +1 -0
package/dist/cli/tools/kb-list.d.ts +20 -0
package/dist/cli/tools/kb-list.d.ts.map +1 -0
package/dist/cli/tools/kb-list.js +24 -0
package/dist/cli/tools/kb-list.js.map +1 -0
package/dist/cli/tools/kb-query-shared.d.ts +27 -0
package/dist/cli/tools/kb-query-shared.d.ts.map +1 -0
package/dist/cli/tools/kb-query-shared.js +28 -0
package/dist/cli/tools/kb-query-shared.js.map +1 -0
package/dist/cli/tools/kb-query.d.ts +20 -0
package/dist/cli/tools/kb-query.d.ts.map +1 -0
package/dist/cli/tools/kb-query.js +109 -0
package/dist/cli/tools/kb-query.js.map +1 -0
package/dist/cli/tools/kb-summary.d.ts +29 -0
package/dist/cli/tools/kb-summary.d.ts.map +1 -0
package/dist/cli/tools/kb-summary.js +89 -0
package/dist/cli/tools/kb-summary.js.map +1 -0
package/dist/cli/tools/kb-sync-status.d.ts +7 -0
package/dist/cli/tools/kb-sync-status.d.ts.map +1 -0
package/dist/cli/tools/kb-sync-status.js +48 -0
package/dist/cli/tools/kb-sync-status.js.map +1 -0
package/dist/crypto/aad.d.ts +8 -0
package/dist/crypto/aad.d.ts.map +1 -0
package/dist/crypto/aad.js +11 -0
package/dist/crypto/aad.js.map +1 -0
package/dist/crypto/aead.d.ts +21 -0
package/dist/crypto/aead.d.ts.map +1 -0
package/dist/crypto/aead.js +43 -0
package/dist/crypto/aead.js.map +1 -0
package/dist/crypto/argon2.d.ts +11 -0
package/dist/crypto/argon2.d.ts.map +1 -0
package/dist/crypto/argon2.js +33 -0
package/dist/crypto/argon2.js.map +1 -0
package/dist/crypto/blob-id.d.ts +6 -0
package/dist/crypto/blob-id.d.ts.map +1 -0
package/dist/crypto/blob-id.js +33 -0
package/dist/crypto/blob-id.js.map +1 -0
package/dist/crypto/canonical-json.d.ts +6 -0
package/dist/crypto/canonical-json.d.ts.map +1 -0
package/dist/crypto/canonical-json.js +88 -0
package/dist/crypto/canonical-json.js.map +1 -0
package/dist/crypto/commitment.d.ts +12 -0
package/dist/crypto/commitment.d.ts.map +1 -0
package/dist/crypto/commitment.js +37 -0
package/dist/crypto/commitment.js.map +1 -0
package/dist/crypto/encryption-service.d.ts +19 -0
package/dist/crypto/encryption-service.d.ts.map +1 -0
package/dist/crypto/encryption-service.js +38 -0
package/dist/crypto/encryption-service.js.map +1 -0
package/dist/crypto/envelope-cbor.d.ts +37 -0
package/dist/crypto/envelope-cbor.d.ts.map +1 -0
package/dist/crypto/envelope-cbor.js +124 -0
package/dist/crypto/envelope-cbor.js.map +1 -0
package/dist/crypto/envelope.d.ts +34 -0
package/dist/crypto/envelope.d.ts.map +1 -0
package/dist/crypto/envelope.js +160 -0
package/dist/crypto/envelope.js.map +1 -0
package/dist/crypto/hkdf.d.ts +16 -0
package/dist/crypto/hkdf.d.ts.map +1 -0
package/dist/crypto/hkdf.js +33 -0
package/dist/crypto/hkdf.js.map +1 -0
package/dist/crypto/index.d.ts +15 -0
package/dist/crypto/index.d.ts.map +1 -0
package/dist/crypto/index.js +15 -0
package/dist/crypto/index.js.map +1 -0
package/dist/crypto/invite.d.ts +31 -0
package/dist/crypto/invite.d.ts.map +1 -0
package/dist/crypto/invite.js +137 -0
package/dist/crypto/invite.js.map +1 -0
package/dist/crypto/keyring.d.ts +37 -0
package/dist/crypto/keyring.d.ts.map +1 -0
package/dist/crypto/keyring.js +219 -0
package/dist/crypto/keyring.js.map +1 -0
package/dist/crypto/known-keys.d.ts +34 -0
package/dist/crypto/known-keys.d.ts.map +1 -0
package/dist/crypto/known-keys.js +106 -0
package/dist/crypto/known-keys.js.map +1 -0
package/dist/crypto/project-keys.d.ts +26 -0
package/dist/crypto/project-keys.d.ts.map +1 -0
package/dist/crypto/project-keys.js +69 -0
package/dist/crypto/project-keys.js.map +1 -0
package/dist/crypto/secure-buffer.d.ts +31 -0
package/dist/crypto/secure-buffer.d.ts.map +1 -0
package/dist/crypto/secure-buffer.js +61 -0
package/dist/crypto/secure-buffer.js.map +1 -0
package/dist/crypto/ssh-agent.d.ts +16 -0
package/dist/crypto/ssh-agent.d.ts.map +1 -0
package/dist/crypto/ssh-agent.js +225 -0
package/dist/crypto/ssh-agent.js.map +1 -0
package/dist/crypto/ssh-keys.d.ts +19 -0
package/dist/crypto/ssh-keys.d.ts.map +1 -0
package/dist/crypto/ssh-keys.js +121 -0
package/dist/crypto/ssh-keys.js.map +1 -0
package/dist/crypto/tiers/enhanced.d.ts +25 -0
package/dist/crypto/tiers/enhanced.d.ts.map +1 -0
package/dist/crypto/tiers/enhanced.js +56 -0
package/dist/crypto/tiers/enhanced.js.map +1 -0
package/dist/crypto/tiers/maximum.d.ts +19 -0
package/dist/crypto/tiers/maximum.d.ts.map +1 -0
package/dist/crypto/tiers/maximum.js +25 -0
package/dist/crypto/tiers/maximum.js.map +1 -0
package/dist/crypto/tiers/standard.d.ts +27 -0
package/dist/crypto/tiers/standard.d.ts.map +1 -0
package/dist/crypto/tiers/standard.js +147 -0
package/dist/crypto/tiers/standard.js.map +1 -0
package/dist/crypto/types.d.ts +169 -0
package/dist/crypto/types.d.ts.map +1 -0
package/dist/crypto/types.js +11 -0
package/dist/crypto/types.js.map +1 -0
package/dist/pipeline/chunker.d.ts +27 -0
package/dist/pipeline/chunker.d.ts.map +1 -0
package/dist/pipeline/chunker.js +96 -0
package/dist/pipeline/chunker.js.map +1 -0
package/dist/pipeline/content-pipeline.d.ts +24 -0
package/dist/pipeline/content-pipeline.d.ts.map +1 -0
package/dist/pipeline/content-pipeline.js +49 -0
package/dist/pipeline/content-pipeline.js.map +1 -0
package/dist/pipeline/embedder.d.ts +49 -0
package/dist/pipeline/embedder.d.ts.map +1 -0
package/dist/pipeline/embedder.js +195 -0
package/dist/pipeline/embedder.js.map +1 -0
package/dist/pipeline/extract.d.ts +17 -0
package/dist/pipeline/extract.d.ts.map +1 -0
package/dist/pipeline/extract.js +70 -0
package/dist/pipeline/extract.js.map +1 -0
package/dist/pipeline/fetch.d.ts +26 -0
package/dist/pipeline/fetch.d.ts.map +1 -0
package/dist/pipeline/fetch.js +91 -0
package/dist/pipeline/fetch.js.map +1 -0
package/dist/pipeline/index.d.ts +10 -0
package/dist/pipeline/index.d.ts.map +1 -0
package/dist/pipeline/index.js +10 -0
package/dist/pipeline/index.js.map +1 -0
package/dist/pipeline/model-manager.d.ts +57 -0
package/dist/pipeline/model-manager.d.ts.map +1 -0
package/dist/pipeline/model-manager.js +234 -0
package/dist/pipeline/model-manager.js.map +1 -0
package/dist/pipeline/search.d.ts +37 -0
package/dist/pipeline/search.d.ts.map +1 -0
package/dist/pipeline/search.js +65 -0
package/dist/pipeline/search.js.map +1 -0
package/dist/pipeline/tokenizer.d.ts +29 -0
package/dist/pipeline/tokenizer.d.ts.map +1 -0
package/dist/pipeline/tokenizer.js +54 -0
package/dist/pipeline/tokenizer.js.map +1 -0
package/dist/pipeline/types.d.ts +86 -0
package/dist/pipeline/types.d.ts.map +1 -0
package/dist/pipeline/types.js +2 -0
package/dist/pipeline/types.js.map +1 -0
package/dist/pipeline/wordpiece-tokenizer.d.ts +60 -0
package/dist/pipeline/wordpiece-tokenizer.d.ts.map +1 -0
package/dist/pipeline/wordpiece-tokenizer.js +251 -0
package/dist/pipeline/wordpiece-tokenizer.js.map +1 -0
package/dist/storage/chunk-repo.d.ts +29 -0
package/dist/storage/chunk-repo.d.ts.map +1 -0
package/dist/storage/chunk-repo.js +115 -0
package/dist/storage/chunk-repo.js.map +1 -0
package/dist/storage/database-manager.d.ts +17 -0
package/dist/storage/database-manager.d.ts.map +1 -0
package/dist/storage/database-manager.js +100 -0
package/dist/storage/database-manager.js.map +1 -0
package/dist/storage/database.d.ts +10 -0
package/dist/storage/database.d.ts.map +1 -0
package/dist/storage/database.js +34 -0
package/dist/storage/database.js.map +1 -0
package/dist/storage/embedding-index.d.ts +22 -0
package/dist/storage/embedding-index.d.ts.map +1 -0
package/dist/storage/embedding-index.js +78 -0
package/dist/storage/embedding-index.js.map +1 -0
package/dist/storage/index.d.ts +10 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +10 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/kb-database.d.ts +11 -0
package/dist/storage/kb-database.d.ts.map +1 -0
package/dist/storage/kb-database.js +24 -0
package/dist/storage/kb-database.js.map +1 -0
package/dist/storage/schema.d.ts +6 -0
package/dist/storage/schema.d.ts.map +1 -0
package/dist/storage/schema.js +122 -0
package/dist/storage/schema.js.map +1 -0
package/dist/storage/source-repo.d.ts +20 -0
package/dist/storage/source-repo.d.ts.map +1 -0
package/dist/storage/source-repo.js +120 -0
package/dist/storage/source-repo.js.map +1 -0
package/dist/storage/sync-status-repo.d.ts +15 -0
package/dist/storage/sync-status-repo.d.ts.map +1 -0
package/dist/storage/sync-status-repo.js +40 -0
package/dist/storage/sync-status-repo.js.map +1 -0
package/dist/storage/types.d.ts +139 -0
package/dist/storage/types.d.ts.map +1 -0
package/dist/storage/types.js +9 -0
package/dist/storage/types.js.map +1 -0
package/dist/sync/canary.d.ts +14 -0
package/dist/sync/canary.d.ts.map +1 -0
package/dist/sync/canary.js +53 -0
package/dist/sync/canary.js.map +1 -0
package/dist/sync/full-sync.d.ts +16 -0
package/dist/sync/full-sync.d.ts.map +1 -0
package/dist/sync/full-sync.js +91 -0
package/dist/sync/full-sync.js.map +1 -0
package/dist/sync/http-client.d.ts +28 -0
package/dist/sync/http-client.d.ts.map +1 -0
package/dist/sync/http-client.js +90 -0
package/dist/sync/http-client.js.map +1 -0
package/dist/sync/incremental-sync.d.ts +17 -0
package/dist/sync/incremental-sync.d.ts.map +1 -0
package/dist/sync/incremental-sync.js +155 -0
package/dist/sync/incremental-sync.js.map +1 -0
package/dist/sync/index.d.ts +12 -0
package/dist/sync/index.d.ts.map +1 -0
package/dist/sync/index.js +12 -0
package/dist/sync/index.js.map +1 -0
package/dist/sync/quota.d.ts +17 -0
package/dist/sync/quota.d.ts.map +1 -0
package/dist/sync/quota.js +48 -0
package/dist/sync/quota.js.map +1 -0
package/dist/sync/sequence.d.ts +21 -0
package/dist/sync/sequence.d.ts.map +1 -0
package/dist/sync/sequence.js +49 -0
package/dist/sync/sequence.js.map +1 -0
package/dist/sync/ssh-signer.d.ts +59 -0
package/dist/sync/ssh-signer.d.ts.map +1 -0
package/dist/sync/ssh-signer.js +241 -0
package/dist/sync/ssh-signer.js.map +1 -0
package/dist/sync/sync-service.d.ts +48 -0
package/dist/sync/sync-service.d.ts.map +1 -0
package/dist/sync/sync-service.js +116 -0
package/dist/sync/sync-service.js.map +1 -0
package/dist/sync/types.d.ts +106 -0
package/dist/sync/types.d.ts.map +1 -0
package/dist/sync/types.js +2 -0
package/dist/sync/types.js.map +1 -0
package/dist/sync/upload-queue.d.ts +40 -0
package/dist/sync/upload-queue.d.ts.map +1 -0
package/dist/sync/upload-queue.js +148 -0
package/dist/sync/upload-queue.js.map +1 -0
package/dist/sync/verification.d.ts +17 -0
package/dist/sync/verification.d.ts.map +1 -0
package/dist/sync/verification.js +25 -0
package/dist/sync/verification.js.map +1 -0
package/dist/vitest.config.d.ts +3 -0
package/dist/vitest.config.d.ts.map +1 -0
package/dist/vitest.config.js +16 -0
package/dist/vitest.config.js.map +1 -0
package/package.json +68 -0

package/dist/sync/incremental-sync.js ADDED Viewed

@@ -0,0 +1,155 @@
+import { SyncStatus } from '../storage/types.js';
+/**
+ * Download changes from the server since the last sync timestamp.
+ *
+ * On first sync (no lastSyncTimestamp), downloads metadata for all blobs.
+ * For each new/updated blob, downloads the content and stores it locally.
+ * For each tombstone, soft-deletes the local record if it exists.
+ *
+ * Conflict resolution strategy:
+ *   - New remote blobs (not present locally): accept as-is
+ *   - Remote blob updated, local is synced: accept remote update
+ *   - Remote blob updated, local has unsynchronized changes: last-write-wins
+ *   - Remote tombstone, local has unsynchronized changes: keep local (local_wins)
+ */
+export async function incrementalSync(client, storage, lastSyncTimestamp) {
+    const errors = [];
+    const conflicts = [];
+    let newBlobs = 0;
+    let updatedBlobs = 0;
+    let deletedBlobs = 0;
+    // Fetch blob list from server
+    const listPath = lastSyncTimestamp
+        ? `/v1/blobs?since=${encodeURIComponent(lastSyncTimestamp)}`
+        : '/v1/blobs';
+    const listResponse = await client.get(listPath);
+    if (!listResponse.ok) {
+        return {
+            newBlobs: 0,
+            updatedBlobs: 0,
+            deletedBlobs: 0,
+            conflicts: [],
+            errors: [
+                {
+                    message: `Failed to list blobs: HTTP ${listResponse.status}`,
+                    code: 'LIST_FAILED',
+                    retryable: listResponse.status >= 500,
+                },
+            ],
+            success: false,
+        };
+    }
+    const data = (await listResponse.json());
+    // Download each new/updated blob
+    for (const blobMeta of data.blobs) {
+        try {
+            // Check for conflict: blob exists locally with unsynchronized changes
+            const existing = storage.syncStatus.get(blobMeta.id);
+            if (existing && existing.status === SyncStatus.LocalOnly) {
+                // Conflict: local has unsynchronized changes, remote also has changes.
+                // Resolve with last-write-wins based on timestamp.
+                const localTimestamp = existing.lastAttempt ?? '';
+                const remoteTimestamp = blobMeta.ts;
+                if (localTimestamp > remoteTimestamp) {
+                    // Local is newer — keep local version, skip remote
+                    conflicts.push({
+                        blobId: blobMeta.id,
+                        resolution: 'local_wins',
+                        reason: 'Local changes are newer than remote',
+                        localTimestamp,
+                        remoteTimestamp,
+                    });
+                    continue;
+                }
+                else {
+                    // Remote is newer — accept remote, overwrite local
+                    conflicts.push({
+                        blobId: blobMeta.id,
+                        resolution: 'remote_wins',
+                        reason: 'Remote changes are newer than local',
+                        localTimestamp,
+                        remoteTimestamp,
+                    });
+                }
+            }
+            if (existing && existing.status === SyncStatus.SyncFailed) {
+                // Previously failed sync — try again with remote version
+                conflicts.push({
+                    blobId: blobMeta.id,
+                    resolution: 'remote_wins',
+                    reason: 'Local sync had failed, accepting remote version',
+                });
+            }
+            const blobResponse = await client.get(`/v1/blobs/${blobMeta.id}`);
+            if (!blobResponse.ok) {
+                errors.push({
+                    blobId: blobMeta.id,
+                    message: `Failed to download blob: HTTP ${blobResponse.status}`,
+                    code: 'DOWNLOAD_FAILED',
+                    retryable: blobResponse.status >= 500,
+                });
+                continue;
+            }
+            const blobData = new Uint8Array(await blobResponse.arrayBuffer());
+            if (existing) {
+                updatedBlobs++;
+            }
+            else {
+                newBlobs++;
+            }
+            // Store blob data — the caller is responsible for decryption.
+            // We store the raw encrypted envelope bytes as a source record.
+            // For now, update sync status to mark it as synced.
+            storage.syncStatus.set(blobMeta.id, SyncStatus.Synced);
+            // Store the blob data in the chunk repository as raw bytes.
+            // The actual deserialization into sources/chunks happens at a higher layer.
+            // Here we just track sync status.
+            void blobData; // Consumed by higher-layer processing
+        }
+        catch (error) {
+            errors.push({
+                blobId: blobMeta.id,
+                message: error instanceof Error ? error.message : String(error),
+                code: 'DOWNLOAD_ERROR',
+                retryable: true,
+            });
+        }
+    }
+    // Process tombstones
+    for (const tombstone of data.tombstones) {
+        try {
+            const existing = storage.syncStatus.get(tombstone.id);
+            if (existing) {
+                if (existing.status === SyncStatus.LocalOnly) {
+                    // Conflict: remote deleted, but local has unsynchronized changes.
+                    // Keep local version — user's local edits take priority over remote deletion.
+                    conflicts.push({
+                        blobId: tombstone.id,
+                        resolution: 'local_wins',
+                        reason: 'Remote deleted but local has unsynchronized changes',
+                    });
+                    continue;
+                }
+                storage.syncStatus.set(tombstone.id, SyncStatus.PendingDelete);
+                deletedBlobs++;
+            }
+        }
+        catch (error) {
+            errors.push({
+                blobId: tombstone.id,
+                message: error instanceof Error ? error.message : String(error),
+                code: 'TOMBSTONE_ERROR',
+                retryable: false,
+            });
+        }
+    }
+    return {
+        newBlobs,
+        updatedBlobs,
+        deletedBlobs,
+        conflicts,
+        errors,
+        success: errors.length === 0,
+    };
+}
+//# sourceMappingURL=incremental-sync.js.map

package/dist/sync/incremental-sync.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"incremental-sync.js","sourceRoot":"","sources":["../../sync/incremental-sync.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAuB,EACvB,OAAkB,EAClB,iBAA0B;IAE1B,MAAM,MAAM,GAAgB,EAAE,CAAC;IAC/B,MAAM,SAAS,GAAmB,EAAE,CAAC;IACrC,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,iBAAiB;QAChC,CAAC,CAAC,mBAAmB,kBAAkB,CAAC,iBAAiB,CAAC,EAAE;QAC5D,CAAC,CAAC,WAAW,CAAC;IAEhB,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAChD,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACrB,OAAO;YACL,QAAQ,EAAE,CAAC;YACX,YAAY,EAAE,CAAC;YACf,YAAY,EAAE,CAAC;YACf,SAAS,EAAE,EAAE;YACb,MAAM,EAAE;gBACN;oBACE,OAAO,EAAE,8BAA8B,YAAY,CAAC,MAAM,EAAE;oBAC5D,IAAI,EAAE,aAAa;oBACnB,SAAS,EAAE,YAAY,CAAC,MAAM,IAAI,GAAG;iBACtC;aACF;YACD,OAAO,EAAE,KAAK;SACf,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAAqB,CAAC;IAE7D,iCAAiC;IACjC,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,sEAAsE;YACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAErD,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,UAAU,CAAC,SAAS,EAAE,CAAC;gBACzD,uEAAuE;gBACvE,mDAAmD;gBACnD,MAAM,cAAc,GAAG,QAAQ,CAAC,WAAW,IAAI,EAAE,CAAC;gBAClD,MAAM,eAAe,GAAG,QAAQ,CAAC,EAAE,CAAC;gBAEpC,IAAI,cAAc,GAAG,eAAe,EAAE,CAAC;oBACrC,mDAAmD;oBACnD,SAAS,CAAC,IAAI,CAAC;wBACb,MAAM,EAAE,QAAQ,CAAC,EAAE;wBACnB,UAAU,EAAE,YAAY;wBACxB,MAAM,EAAE,qCAAqC;wBAC7C,cAAc;wBACd,eAAe;qBAChB,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;qBAAM,CAAC;oBACN,mDAAmD;oBACnD,SAAS,CAAC,IAAI,CAAC;wBACb,MAAM,EAAE,QAAQ,CAAC,EAAE;wBACnB,UAAU,EAAE,aAAa;wBACzB,MAAM,EAAE,qCAAqC;wBAC7C,cAAc;wBACd,eAAe;qBAChB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,UAAU,CAAC,UAAU,EAAE,CAAC;gBAC1D,yDAAyD;gBACzD,SAAS,CAAC,IAAI,CAAC;oBACb,MAAM,EAAE,QAAQ,CAAC,EAAE;oBACnB,UAAU,EAAE,aAAa;oBACzB,MAAM,EAAE,iDAAiD;iBAC1D,CAAC,CAAC;YACL,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,aAAa,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC;YAClE,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;gBACrB,MAAM,CAAC,IAAI,CAAC;oBACV,MAAM,EAAE,QAAQ,CAAC,EAAE;oBACnB,OAAO,EAAE,iCAAiC,YAAY,CAAC,MAAM,EAAE;oBAC/D,IAAI,EAAE,iBAAiB;oBACvB,SAAS,EAAE,YAAY,CAAC,MAAM,IAAI,GAAG;iBACtC,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,YAAY,CAAC,WAAW,EAAE,CAAC,CAAC;YAElE,IAAI,QAAQ,EAAE,CAAC;gBACb,YAAY,EAAE,CAAC;YACjB,CAAC;iBAAM,CAAC;gBACN,QAAQ,EAAE,CAAC;YACb,CAAC;YAED,8DAA8D;YAC9D,gEAAgE;YAChE,oDAAoD;YACpD,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;YAEvD,4DAA4D;YAC5D,4EAA4E;YAC5E,kCAAkC;YAClC,KAAK,QAAQ,CAAC,CAAC,sCAAsC;QACvD,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC;gBACV,MAAM,EAAE,QAAQ,CAAC,EAAE;gBACnB,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC/D,IAAI,EAAE,gBAAgB;gBACtB,SAAS,EAAE,IAAI;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACtD,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,QAAQ,CAAC,MAAM,KAAK,UAAU,CAAC,SAAS,EAAE,CAAC;oBAC7C,kEAAkE;oBAClE,8EAA8E;oBAC9E,SAAS,CAAC,IAAI,CAAC;wBACb,MAAM,EAAE,SAAS,CAAC,EAAE;wBACpB,UAAU,EAAE,YAAY;wBACxB,MAAM,EAAE,qDAAqD;qBAC9D,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBAED,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC;gBAC/D,YAAY,EAAE,CAAC;YACjB,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC;gBACV,MAAM,EAAE,SAAS,CAAC,EAAE;gBACpB,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC/D,IAAI,EAAE,iBAAiB;gBACvB,SAAS,EAAE,KAAK;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ;QACR,YAAY;QACZ,YAAY;QACZ,SAAS;QACT,MAAM;QACN,OAAO,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;KAC7B,CAAC;AACJ,CAAC"}

package/dist/sync/index.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+export * from './types.js';
+export { SSHSigner } from './ssh-signer.js';
+export { SequenceCounter } from './sequence.js';
+export { SyncHttpClient, RetryableError } from './http-client.js';
+export { incrementalSync } from './incremental-sync.js';
+export { fullSync } from './full-sync.js';
+export { UploadQueue } from './upload-queue.js';
+export { verifyCanary } from './canary.js';
+export { verifyBlobCount } from './verification.js';
+export { parseQuotaError, getQuotaWarning } from './quota.js';
+export { SyncService } from './sync-service.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/sync/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../sync/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/sync/index.js ADDED Viewed

@@ -0,0 +1,12 @@
+export * from './types.js';
+export { SSHSigner } from './ssh-signer.js';
+export { SequenceCounter } from './sequence.js';
+export { SyncHttpClient, RetryableError } from './http-client.js';
+export { incrementalSync } from './incremental-sync.js';
+export { fullSync } from './full-sync.js';
+export { UploadQueue } from './upload-queue.js';
+export { verifyCanary } from './canary.js';
+export { verifyBlobCount } from './verification.js';
+export { parseQuotaError, getQuotaWarning } from './quota.js';
+export { SyncService } from './sync-service.js';
+//# sourceMappingURL=index.js.map

package/dist/sync/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../sync/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/sync/quota.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import type { QuotaInfo } from './types.js';
+/**
+ * Parse a 413 (Payload Too Large / Quota Exceeded) response into QuotaInfo.
+ *
+ * Expects the response body to contain `{ used: number, limit: number }`
+ * where both values are in bytes.
+ *
+ * @returns QuotaInfo if the response could be parsed, null otherwise.
+ */
+export declare function parseQuotaError(response: Response): Promise<QuotaInfo | null>;
+/**
+ * Get a user-facing warning string based on quota usage.
+ *
+ * @returns A warning message, or null if usage is below the warning threshold.
+ */
+export declare function getQuotaWarning(quota: QuotaInfo): string | null;
+//# sourceMappingURL=quota.d.ts.map

package/dist/sync/quota.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"quota.d.ts","sourceRoot":"","sources":["../../sync/quota.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAmBnF;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,GAAG,IAAI,CAc/D"}

package/dist/sync/quota.js ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * Parse a 413 (Payload Too Large / Quota Exceeded) response into QuotaInfo.
+ *
+ * Expects the response body to contain `{ used: number, limit: number }`
+ * where both values are in bytes.
+ *
+ * @returns QuotaInfo if the response could be parsed, null otherwise.
+ */
+export async function parseQuotaError(response) {
+    if (response.status !== 413) {
+        return null;
+    }
+    try {
+        const data = (await response.json());
+        if (typeof data.used !== 'number' || typeof data.limit !== 'number') {
+            return null;
+        }
+        const percentage = data.limit > 0 ? Math.round((data.used / data.limit) * 100) : 100;
+        return {
+            used: data.used,
+            limit: data.limit,
+            percentage,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get a user-facing warning string based on quota usage.
+ *
+ * @returns A warning message, or null if usage is below the warning threshold.
+ */
+export function getQuotaWarning(quota) {
+    const usedMB = Math.round(quota.used / (1024 * 1024));
+    const limitMB = Math.round(quota.limit / (1024 * 1024));
+    if (quota.percentage >= 100) {
+        return 'Storage limit reached. Articles are stored locally only and not synced.';
+    }
+    if (quota.percentage >= 95) {
+        return `Storage is nearly full (${usedMB}MB / ${limitMB}MB). New articles will be stored locally only.`;
+    }
+    if (quota.percentage >= 80) {
+        return `Storage is 80% full (${usedMB}MB / ${limitMB}MB)`;
+    }
+    return null;
+}
+//# sourceMappingURL=quota.js.map

package/dist/sync/quota.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"quota.js","sourceRoot":"","sources":["../../sync/quota.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAkB;IACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsC,CAAC;QAC1E,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACrF,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,UAAU;SACX,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,KAAgB;IAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC;IAExD,IAAI,KAAK,CAAC,UAAU,IAAI,GAAG,EAAE,CAAC;QAC5B,OAAO,yEAAyE,CAAC;IACnF,CAAC;IACD,IAAI,KAAK,CAAC,UAAU,IAAI,EAAE,EAAE,CAAC;QAC3B,OAAO,2BAA2B,MAAM,QAAQ,OAAO,gDAAgD,CAAC;IAC1G,CAAC;IACD,IAAI,KAAK,CAAC,UAAU,IAAI,EAAE,EAAE,CAAC;QAC3B,OAAO,wBAAwB,MAAM,QAAQ,OAAO,KAAK,CAAC;IAC5D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/sync/sequence.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Per-device monotonic sequence counter for replay protection.
+ *
+ * Each signed request includes a sequence number that the server tracks.
+ * The server rejects any request with a sequence <= the highest it has seen,
+ * preventing replay attacks.
+ *
+ * The counter is persisted to disk so it survives process restarts.
+ */
+export declare class SequenceCounter {
+    private readonly filePath;
+    private current;
+    constructor(filePath?: string);
+    /** Get the next sequence number (monotonically increasing). */
+    next(): number;
+    /** Get the current sequence number without incrementing. */
+    peek(): number;
+    private load;
+    private persist;
+}
+//# sourceMappingURL=sequence.d.ts.map

package/dist/sync/sequence.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"sequence.d.ts","sourceRoot":"","sources":["../../sync/sequence.ts"],"names":[],"mappings":"AAIA;;;;;;;;GAQG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,OAAO,CAAS;gBAEZ,QAAQ,CAAC,EAAE,MAAM;IAK7B,+DAA+D;IAC/D,IAAI,IAAI,MAAM;IAMd,4DAA4D;IAC5D,IAAI,IAAI,MAAM;IAId,OAAO,CAAC,IAAI;IAUZ,OAAO,CAAC,OAAO;CAShB"}

package/dist/sync/sequence.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { readFileSync, writeFileSync, mkdirSync, renameSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join, dirname } from 'node:path';
+/**
+ * Per-device monotonic sequence counter for replay protection.
+ *
+ * Each signed request includes a sequence number that the server tracks.
+ * The server rejects any request with a sequence <= the highest it has seen,
+ * preventing replay attacks.
+ *
+ * The counter is persisted to disk so it survives process restarts.
+ */
+export class SequenceCounter {
+    filePath;
+    current;
+    constructor(filePath) {
+        this.filePath = filePath ?? join(homedir(), '.chaoskb', 'sequence');
+        this.current = this.load();
+    }
+    /** Get the next sequence number (monotonically increasing). */
+    next() {
+        this.current += 1;
+        this.persist();
+        return this.current;
+    }
+    /** Get the current sequence number without incrementing. */
+    peek() {
+        return this.current;
+    }
+    load() {
+        try {
+            const content = readFileSync(this.filePath, 'utf-8').trim();
+            const value = parseInt(content, 10);
+            return isNaN(value) ? 0 : value;
+        }
+        catch {
+            return 0;
+        }
+    }
+    persist() {
+        const dir = dirname(this.filePath);
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+        // Atomic write: write to temp file, then rename
+        const tmpPath = this.filePath + '.tmp';
+        writeFileSync(tmpPath, String(this.current), { mode: 0o600 });
+        renameSync(tmpPath, this.filePath);
+    }
+}
+//# sourceMappingURL=sequence.js.map

package/dist/sync/sequence.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sequence.js","sourceRoot":"","sources":["../../sync/sequence.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C;;;;;;;;GAQG;AACH,MAAM,OAAO,eAAe;IACT,QAAQ,CAAS;IAC1B,OAAO,CAAS;IAExB,YAAY,QAAiB;QAC3B,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QACpE,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC7B,CAAC;IAED,+DAA+D;IAC/D,IAAI;QACF,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC;QAClB,IAAI,CAAC,OAAO,EAAE,CAAC;QACf,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,4DAA4D;IAC5D,IAAI;QACF,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAEO,IAAI;QACV,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5D,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YACpC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAEO,OAAO;QACb,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAEjD,gDAAgD;QAChD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC;QACvC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC9D,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;CACF"}

package/dist/sync/ssh-signer.d.ts ADDED Viewed

@@ -0,0 +1,59 @@
+/**
+ * Signs HTTP requests with an SSH private key for ChaosKB-SSH authentication.
+ *
+ * Uses Ed25519 keys. Attempts ssh-agent first if SSH_AUTH_SOCK is available,
+ * then falls back to reading the private key file from disk.
+ */
+export declare class SSHSigner {
+    private readonly keyPath;
+    constructor(sshKeyPath?: string);
+    /**
+     * Sign an HTTP request, returning headers for authentication.
+     */
+    signRequest(method: string, path: string, sequence: number, body?: Uint8Array): Promise<{
+        authorization: string;
+        timestamp: string;
+        sequence: number;
+        publicKey: string;
+    }>;
+    /**
+     * Compute SHA-256 hex digest of body bytes. Empty string if no body.
+     */
+    computeBodyHash(body?: Uint8Array): string;
+    /**
+     * Build the canonical string to be signed.
+     *
+     * Format: chaoskb-auth\nMETHOD PATH\nTIMESTAMP\nSEQUENCE\nBODY_HASH
+     * The sequence number prevents replay attacks — the server rejects
+     * any sequence <= the highest it has seen for this device.
+     */
+    buildCanonical(method: string, path: string, timestamp: string, sequence: number, bodyHash: string): string;
+    /**
+     * Read the SSH public key from the .pub file alongside the private key.
+     * Returns the raw public key content as a UTF-8 string.
+     */
+    private readPublicKey;
+    /**
+     * Sign canonical data using the Ed25519 private key.
+     *
+     * Attempts ssh-agent first if SSH_AUTH_SOCK is set, falling back to
+     * reading the key file from disk.
+     */
+    private signCanonical;
+    /**
+     * Sign using the SSH private key file on disk with Ed25519.
+     */
+    private signWithKeyFile;
+    /**
+     * Sign using ssh-agent via SSH_AUTH_SOCK.
+     *
+     * Implements the SSH agent protocol (draft-miller-ssh-agent):
+     *   1. Connect to the Unix domain socket at SSH_AUTH_SOCK
+     *   2. Send SSH_AGENTC_REQUEST_IDENTITIES to list available keys
+     *   3. Find an Ed25519 key matching our public key
+     *   4. Send SSH_AGENTC_SIGN_REQUEST with the data to sign
+     *   5. Parse the SSH_AGENT_SIGN_RESPONSE to extract the signature
+     */
+    private signWithAgent;
+}
+//# sourceMappingURL=ssh-signer.d.ts.map

package/dist/sync/ssh-signer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ssh-signer.d.ts","sourceRoot":"","sources":["../../sync/ssh-signer.ts"],"names":[],"mappings":"AAMA;;;;;GAKG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,UAAU,CAAC,EAAE,MAAM;IAI/B;;OAEG;IACG,WAAW,CACf,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IAiBF;;OAEG;IACH,eAAe,CAAC,IAAI,CAAC,EAAE,UAAU,GAAG,MAAM;IAO1C;;;;;;OAMG;IACH,cAAc,CACZ,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,MAAM;IAIT;;;OAGG;YACW,aAAa;IAM3B;;;;;OAKG;YACW,aAAa;IAa3B;;OAEG;YACW,eAAe;IAS7B;;;;;;;;;OASG;YACW,aAAa;CAyB5B"}

package/dist/sync/ssh-signer.js ADDED Viewed

@@ -0,0 +1,241 @@
+import { createHash, sign as cryptoSign } from 'node:crypto';
+import { readFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { connect } from 'node:net';
+/**
+ * Signs HTTP requests with an SSH private key for ChaosKB-SSH authentication.
+ *
+ * Uses Ed25519 keys. Attempts ssh-agent first if SSH_AUTH_SOCK is available,
+ * then falls back to reading the private key file from disk.
+ */
+export class SSHSigner {
+    keyPath;
+    constructor(sshKeyPath) {
+        this.keyPath = sshKeyPath ?? join(homedir(), '.ssh', 'id_ed25519');
+    }
+    /**
+     * Sign an HTTP request, returning headers for authentication.
+     */
+    async signRequest(method, path, sequence, body) {
+        const timestamp = new Date().toISOString();
+        const bodyHash = this.computeBodyHash(body);
+        const canonical = this.buildCanonical(method, path, timestamp, sequence, bodyHash);
+        const publicKeyRaw = await this.readPublicKey();
+        const signature = await this.signCanonical(canonical);
+        const base64Sig = signature.toString('base64');
+        // Extract the base64 key blob from the public key line (ssh-ed25519 AAAA... comment)
+        const parts = publicKeyRaw.split(/\s+/);
+        const publicKey = parts.length >= 2 ? parts[1] : publicKeyRaw;
+        const authorization = `SSH-Signature ${base64Sig}`;
+        return { authorization, timestamp, sequence, publicKey };
+    }
+    /**
+     * Compute SHA-256 hex digest of body bytes. Empty string if no body.
+     */
+    computeBodyHash(body) {
+        if (!body || body.length === 0) {
+            return '';
+        }
+        return createHash('sha256').update(body).digest('hex');
+    }
+    /**
+     * Build the canonical string to be signed.
+     *
+     * Format: chaoskb-auth\nMETHOD PATH\nTIMESTAMP\nSEQUENCE\nBODY_HASH
+     * The sequence number prevents replay attacks — the server rejects
+     * any sequence <= the highest it has seen for this device.
+     */
+    buildCanonical(method, path, timestamp, sequence, bodyHash) {
+        return `chaoskb-auth\n${method} ${path}\n${timestamp}\n${sequence}\n${bodyHash}`;
+    }
+    /**
+     * Read the SSH public key from the .pub file alongside the private key.
+     * Returns the raw public key content as a UTF-8 string.
+     */
+    async readPublicKey() {
+        const pubKeyPath = this.keyPath + '.pub';
+        const content = await readFile(pubKeyPath, 'utf-8');
+        return content.trim();
+    }
+    /**
+     * Sign canonical data using the Ed25519 private key.
+     *
+     * Attempts ssh-agent first if SSH_AUTH_SOCK is set, falling back to
+     * reading the key file from disk.
+     */
+    async signCanonical(canonical) {
+        // Attempt ssh-agent if SSH_AUTH_SOCK is set
+        if (process.env.SSH_AUTH_SOCK) {
+            try {
+                return await this.signWithAgent(canonical);
+            }
+            catch {
+                // Fall through to file-based signing
+            }
+        }
+        return this.signWithKeyFile(canonical);
+    }
+    /**
+     * Sign using the SSH private key file on disk with Ed25519.
+     */
+    async signWithKeyFile(canonical) {
+        const keyData = await readFile(this.keyPath, 'utf-8');
+        const data = Buffer.from(canonical, 'utf-8');
+        return cryptoSign(undefined, data, {
+            key: keyData,
+            format: 'pem',
+        });
+    }
+    /**
+     * Sign using ssh-agent via SSH_AUTH_SOCK.
+     *
+     * Implements the SSH agent protocol (draft-miller-ssh-agent):
+     *   1. Connect to the Unix domain socket at SSH_AUTH_SOCK
+     *   2. Send SSH_AGENTC_REQUEST_IDENTITIES to list available keys
+     *   3. Find an Ed25519 key matching our public key
+     *   4. Send SSH_AGENTC_SIGN_REQUEST with the data to sign
+     *   5. Parse the SSH_AGENT_SIGN_RESPONSE to extract the signature
+     */
+    async signWithAgent(canonical) {
+        const socketPath = process.env.SSH_AUTH_SOCK;
+        if (!socketPath) {
+            throw new Error('SSH_AUTH_SOCK not set');
+        }
+        const pubKeyContent = await this.readPublicKey();
+        const pubKeyBlob = parseSSHPublicKey(pubKeyContent);
+        const socket = await connectToAgent(socketPath);
+        try {
+            // Request the agent sign our data
+            const data = Buffer.from(canonical, 'utf-8');
+            const signatureBlob = await agentSign(socket, pubKeyBlob, data);
+            // The signature blob from the agent is in SSH wire format:
+            //   string  signature-format (e.g., "ssh-ed25519")
+            //   string  signature-blob
+            // We need the raw signature bytes for our authorization header.
+            const sigData = parseSSHSignature(signatureBlob);
+            return sigData;
+        }
+        finally {
+            socket.destroy();
+        }
+    }
+}
+// --- SSH Agent Protocol Constants ---
+/** SSH agent message types */
+const SSH_AGENTC_SIGN_REQUEST = 13;
+const SSH_AGENT_SIGN_RESPONSE = 14;
+const SSH_AGENT_FAILURE = 5;
+// --- SSH Agent Protocol Helpers ---
+/**
+ * Connect to the ssh-agent Unix domain socket.
+ */
+function connectToAgent(socketPath) {
+    return new Promise((resolve, reject) => {
+        const socket = connect(socketPath, () => resolve(socket));
+        socket.on('error', reject);
+        socket.setTimeout(5000);
+        socket.on('timeout', () => {
+            socket.destroy();
+            reject(new Error('ssh-agent connection timed out'));
+        });
+    });
+}
+/**
+ * Send an SSH_AGENTC_SIGN_REQUEST and read the response.
+ *
+ * Wire format:
+ *   uint32  length
+ *   byte    SSH_AGENTC_SIGN_REQUEST (13)
+ *   string  key_blob
+ *   string  data
+ *   uint32  flags (0 for default)
+ */
+function agentSign(socket, keyBlob, data) {
+    return new Promise((resolve, reject) => {
+        // Build the message body
+        const bodyParts = [
+            Buffer.from([SSH_AGENTC_SIGN_REQUEST]),
+            sshString(keyBlob),
+            sshString(data),
+            uint32(0), // flags
+        ];
+        const body = Buffer.concat(bodyParts);
+        // Prepend length header
+        const message = Buffer.concat([uint32(body.length), body]);
+        socket.write(message);
+        // Read the response
+        const chunks = [];
+        socket.on('data', (chunk) => {
+            chunks.push(chunk);
+            // Check if we have enough data
+            const response = Buffer.concat(chunks);
+            if (response.length < 4)
+                return; // Need length header
+            const responseLen = response.readUInt32BE(0);
+            if (response.length < 4 + responseLen)
+                return; // Need full message
+            const msgType = response[4];
+            if (msgType === SSH_AGENT_FAILURE) {
+                reject(new Error('ssh-agent refused the signing request (key may not be loaded)'));
+                return;
+            }
+            if (msgType !== SSH_AGENT_SIGN_RESPONSE) {
+                reject(new Error(`Unexpected ssh-agent response type: ${msgType}`));
+                return;
+            }
+            // Parse: byte SSH_AGENT_SIGN_RESPONSE, string signature
+            const sigOffset = 5; // 4 (length) + 1 (type)
+            const sigLen = response.readUInt32BE(sigOffset);
+            const signatureBlob = response.subarray(sigOffset + 4, sigOffset + 4 + sigLen);
+            resolve(Buffer.from(signatureBlob));
+        });
+        socket.on('error', reject);
+        socket.on('close', () => {
+            reject(new Error('ssh-agent connection closed unexpectedly'));
+        });
+    });
+}
+/**
+ * Parse an SSH public key line (e.g., "ssh-ed25519 AAAA... comment")
+ * into the raw key blob (base64-decoded middle field).
+ */
+function parseSSHPublicKey(pubKeyLine) {
+    const parts = pubKeyLine.trim().split(/\s+/);
+    if (parts.length < 2) {
+        throw new Error('Invalid SSH public key format');
+    }
+    return Buffer.from(parts[1], 'base64');
+}
+/**
+ * Parse an SSH signature blob to extract the raw signature bytes.
+ *
+ * Wire format:
+ *   string  format (e.g., "ssh-ed25519")
+ *   string  signature
+ */
+function parseSSHSignature(blob) {
+    let offset = 0;
+    // Skip format string
+    const formatLen = blob.readUInt32BE(offset);
+    offset += 4 + formatLen;
+    // Read signature string
+    const sigLen = blob.readUInt32BE(offset);
+    offset += 4;
+    return Buffer.from(blob.subarray(offset, offset + sigLen));
+}
+/**
+ * Encode a buffer as an SSH string (uint32 length + bytes).
+ */
+function sshString(buf) {
+    return Buffer.concat([uint32(buf.length), buf]);
+}
+/**
+ * Encode a number as a big-endian uint32.
+ */
+function uint32(n) {
+    const buf = Buffer.alloc(4);
+    buf.writeUInt32BE(n);
+    return buf;
+}
+//# sourceMappingURL=ssh-signer.js.map