@farthershore/backend 0.8.0 → 0.8.2

package/README.md

@@ -4,7 +4,7 @@ Runtime metering and gateway-verification SDK for builder upstreams. Install one
 package, set one token (`FS_RUNTIME_TOKEN`), and Farther Shore handles signed
 gateway-to-upstream request verification plus response-bound usage reporting.
 
-> **Status: `0.8.0` (lockstep SDK family).** Published at the SAME version as
+> **Status: `0.8.2` (lockstep SDK family).** Published at the SAME version as
 > `@farthershore/farthershore-js` and `@farthershore/product` — pin the three
 > together. Pre-1.0: minor bumps may break.
 

package/dist/generated/runtime-contract.js

@@ -54,8 +54,8 @@ var RUNTIME_BOOTSTRAP_CONTRACT = {
       perEventMax: "number"
     },
     transport: {
-      mode: "public_origin | mtls | cloudflare_tunnel",
-      runner: "managed_cloudflared | sidecar | null",
+      mode: "direct | tunnel",
+      runner: "embedded | sidecar | null",
       originUrl: "string?",
       originHostname: "string?",
       localTarget: "string?",
@@ -247,17 +247,16 @@ var RUNTIME_HEALTH_CONTRACT = {
 };
 var RUNTIME_TRANSPORT_CONTRACT = {
   modes: {
-    public_origin: "Gateway fetches the builder's public origin URL; the SDK middleware fail-closed-verifies every request. Provisions zero Cloudflare objects. Standard tier; also the dev path.",
-    mtls: "Gateway presents a Farther-Shore-issued platform-wide client cert; the builder's ingress requires + verifies it. Channel-level mutual auth; provisions zero Cloudflare objects. Standard-plus / self-hosted tier.",
-    cloudflare_tunnel: "Farther Shore provisions a private outbound Cloudflare Tunnel; no inbound port. The only Production-secure tier. Consumes Cloudflare tunnel/route slots."
+    direct: "Gateway fetches the builder's public origin URL; the SDK middleware fail-closed-verifies every request via Ed25519 request signing. Provisions zero Cloudflare objects. Available on all tiers; also the dev path.",
+    tunnel: "Farther Shore provisions a private outbound Cloudflare Tunnel; no inbound port. The Production-secure tier. Consumes Cloudflare tunnel/route slots."
   },
   runners: {
-    managed_cloudflared: "fs.start() supervises cloudflared as a child process (default DX).",
+    embedded: "fs.start() supervises cloudflared as a child process (default DX).",
     sidecar: "Vanilla cloudflare/cloudflared container beside the app (production / non-Node)."
   },
-  channelTrust: ["mtls", "cloudflare_tunnel"],
+  channelTrust: ["tunnel"],
   requestTrust: "x-fs-signature",
-  invariant: "Channel trust (mtls/tunnel) and request trust (the X-FS-* signature) are distinct layers; both always apply. CF-Access-* headers are transport-layer only and are IGNORED by the SDK."
+  invariant: "Channel trust (tunnel) and request trust (the X-FS-* signature) are distinct layers; both always apply. CF-Access-* headers are transport-layer only and are IGNORED by the SDK."
 };
 export {
   RUNTIME_BODY_HASH_CONTRACT,

package/dist/index.js

@@ -12,7 +12,7 @@ var __export = (target, all) => {
 // src/reflect/route-canon.ts
 import { createHash } from "node:crypto";
 function normalizeSegment(seg) {
-  if (seg === "**") return "{rest}";
+  if (seg === "**") return "{__fs_rest}";
   if (seg === "*") return "{splat}";
   if (seg.startsWith(":")) return `{${seg.slice(1)}}`;
   if (seg.startsWith("[") && seg.endsWith("]")) return `{${seg.slice(1, -1)}}`;
@@ -62,6 +62,7 @@ function methodsOf(route) {
   for (const s of route.stack ?? []) {
     if (typeof s.method === "string") out.add(s.method.toUpperCase());
   }
+  if (out.has("GET")) out.delete("HEAD");
   return [...out].filter((m) => VALID_METHODS.has(m));
 }
 function rootStack(app) {
@@ -105,7 +106,6 @@ function reflectRoutesDetailed(app, _opts) {
   const seen = /* @__PURE__ */ new Set();
   const routes = [];
   for (const r of raw) {
-    if (r.method === "HEAD") continue;
     const key2 = `${r.method} ${r.path}`;
     if (seen.has(key2)) continue;
     seen.add(key2);
@@ -123,6 +123,7 @@ var init_reflect = __esm({
     init_route_canon();
     VALID_METHODS = /* @__PURE__ */ new Set([
       "GET",
+      "HEAD",
       "POST",
       "PUT",
       "PATCH",
@@ -917,6 +918,7 @@ var ShutdownManager = class {
 
 // src/core/tunnel.ts
 import { spawn as nodeChildSpawn } from "node:child_process";
+import { createRequire } from "node:module";
 var REDACTED_TOKEN = "***REDACTED***";
 var CLOUDFLARED_RUN_ARGS = [
   "tunnel",
@@ -924,12 +926,12 @@ var CLOUDFLARED_RUN_ARGS = [
   "run",
   "--token"
 ];
-var DEFAULT_BINARY_CANDIDATES = [
-  "cloudflared",
-  "/usr/local/bin/cloudflared",
-  "/usr/bin/cloudflared",
-  "/opt/cloudflared/cloudflared"
-];
+var CLOUDFLARED_BINARY_PACKAGES = {
+  "linux-x64": "@farthershore/cloudflared-linux-x64",
+  "linux-arm64": "@farthershore/cloudflared-linux-arm64",
+  "darwin-arm64": "@farthershore/cloudflared-darwin-arm64",
+  "darwin-x64": "@farthershore/cloudflared-darwin-x64"
+};
 var DEFAULT_BASE_BACKOFF_MS = 1e3;
 var DEFAULT_MAX_BACKOFF_MS = 6e4;
 var DEFAULT_BINARY = "cloudflared";
@@ -1047,15 +1049,24 @@ var CloudflaredSupervisor = class {
     child.on("exit", (code, signal) => this.handleExit(code, signal));
   }
   /**
-   * Resolve the cloudflared binary path. Explicit `binaryPath` wins; otherwise
-   * the injected locator runs (Linux-first). Missing ⇒ a clear, redacted error.
+   * Resolve the cloudflared binary path. Order:
+   *   1. an installed `@farthershore/cloudflared-<platform>` optional-dependency
+   *      matching process.platform+arch (the injected locator), then
+   *   2. an explicit `binaryPath` supplied by the host, then
+   *   3. the bare `cloudflared` name on PATH (resolved at spawn time).
+   *
+   * On an unsupported arch (no optional dep, no binaryPath) AND no usable PATH
+   * fallback, this raises a clear, redacted error pointing at the sidecar — it
+   * NEVER downloads a binary at runtime. (Cross-platform binary management is the
+   * optional-dep packages' job, populated at publish time.)
    */
   resolveBinary() {
-    if (this.binaryPath) return this.binaryPath;
     const located = this.locateBinary();
     if (located) return located;
+    if (this.binaryPath) return this.binaryPath;
+    if (currentBinaryPackageName() !== null) return DEFAULT_BINARY;
     throw new Error(
-      "cloudflared binary not found \u2014 install it in the image, supply binaryPath, or run the sidecar runner instead. (Linux container is the V1 supported target.)"
+      "cloudflared binary not found for this platform/arch \u2014 install an @farthershore/cloudflared-<platform> package, supply binaryPath, or run the sidecar runner instead (no binary is downloaded at runtime)."
     );
   }
   /** Pipe stdout/stderr to the logger with the tunnel token redacted. */
@@ -1184,8 +1195,30 @@ function nodeProcess() {
   const proc = globalThis.process;
   return proc && typeof proc.on === "function" ? proc : null;
 }
+function currentBinaryPackageName() {
+  const proc = globalThis.process;
+  if (!proc?.platform || !proc.arch) return null;
+  return CLOUDFLARED_BINARY_PACKAGES[`${proc.platform}-${proc.arch}`] ?? null;
+}
 function defaultLocateBinary() {
-  return DEFAULT_BINARY_CANDIDATES[0] ?? DEFAULT_BINARY;
+  const pkg = currentBinaryPackageName();
+  if (!pkg) return null;
+  try {
+    const require2 = createRequire(import.meta.url);
+    const manifestPath = require2.resolve(`${pkg}/package.json`);
+    return resolvePackageBinary(require2, pkg, manifestPath);
+  } catch {
+    return null;
+  }
+}
+function resolvePackageBinary(require2, pkg, manifestPath) {
+  const sep = manifestPath.includes("\\") ? "\\" : "/";
+  const root = manifestPath.slice(0, manifestPath.lastIndexOf(sep));
+  const manifest = require2(manifestPath);
+  const binField = manifest.bin;
+  const relative = typeof binField === "string" ? binField : binField?.cloudflared ?? `bin${sep}cloudflared`;
+  const normalized = relative.replace(/^\.[\\/]/, "");
+  return `${root}${sep}${normalized}`;
 }
 
 // src/core/verifyRequest.ts
@@ -1337,8 +1370,8 @@ function headerGetter(headers) {
 
 // src/core/runtime.ts
 var DEFAULT_CORE_URL = "https://core.farthershore.com";
-var SDK_VERSION = "0.8.0".length > 0 ? "0.8.0" : "0.0.0-dev";
-var CONTRACTS_FP = "af8995b9467842b6".length > 0 ? "af8995b9467842b6" : "0000000000000000";
+var SDK_VERSION = "0.8.2".length > 0 ? "0.8.2" : "0.0.0-dev";
+var CONTRACTS_FP = "5beebf042c7ce96d".length > 0 ? "5beebf042c7ce96d" : "0000000000000000";
 var FartherShore = class {
   bootstrapClient;
   fetchImpl;
@@ -1418,7 +1451,7 @@ var FartherShore = class {
    * The reflection code is dynamically imported so it stays OFF the per-request
    * verification hot path (the runtime stays route-unaware there). The report is
    * an OUTBOUND backend→core call (same channel as bootstrap/metering), so it
-   * works for every transport (public_origin / mTLS / cloudflare_tunnel).
+   * works for every transport (direct / tunnel).
    *
    * Returns the reconcile result (or null if reflection is unavailable / boot
    * reporting failed). v1 reflects Express; `app` omitted → no-op.
@@ -1493,11 +1526,11 @@ var FartherShore = class {
     return config.verification.required;
   }
   /**
-   * Start the managed runner. For a `cloudflare_tunnel` backend whose runner is
-   * `managed_cloudflared`, this supervises `cloudflared` as a child process
+   * Start the embedded runner. For a `tunnel` backend whose runner is
+   * `embedded`, this supervises `cloudflared` as a child process
    * (spawned via the injected/default spawner) using the tunnel token from
-   * bootstrap. For every other transport (`public_origin`, `mtls`, or the
-   * `sidecar` runner) it is a no-op — there is no SDK-managed process to run.
+   * bootstrap. For every other transport (`direct`, or the `sidecar` runner)
+   * it is a no-op — there is no SDK-managed process to run.
    *
    * Fail-open by default: a tunnel that cannot start does NOT crash the host app
    * (request verification stays fail-closed regardless — a different axis).
@@ -1506,7 +1539,7 @@ var FartherShore = class {
     if (this.tunnelOptions.enabled === false) return;
     const config = await this.ensureBootstrapped();
     const transport = config.transport;
-    if (transport.mode !== "cloudflare_tunnel" || transport.runner !== "managed_cloudflared") {
+    if (transport.mode !== "tunnel" || transport.runner !== "embedded") {
       return;
     }
     const tunnelToken = transport.cloudflared?.tunnelToken;
@@ -1514,7 +1547,7 @@ var FartherShore = class {
       if (this.tunnelOptions.failClosed) {
         throw new FartherShoreError(
           "invalid_token",
-          "managed cloudflared runner requires a tunnel token from bootstrap"
+          "embedded cloudflared runner requires a tunnel token from bootstrap"
         );
       }
       return;
@@ -1551,8 +1584,8 @@ var FartherShore = class {
     return buildHealthReport({
       runtimeToken: this.runtimeToken.length > 0,
       bootstrap: this.bootstrapped && config !== null,
-      // Populated by the managed-cloudflared supervisor (Slice 3). Null until
-      // fs.start() launches a managed tunnel; otherwise the supervisor state.
+      // Populated by the embedded-cloudflared supervisor (Slice 3). Null until
+      // fs.start() launches an embedded tunnel; otherwise the supervisor state.
       tunnel: this.tunnel ? this.tunnel.healthString() : null,
       verification: this.verificationEnabled && config !== null,
       metering: this.meteringClient !== null

package/dist/reflect/index.js

@@ -0,0 +1,94 @@
+import { createRequire as __createRequire } from "node:module";const require=__createRequire(import.meta.url);
+
+// src/reflect/route-canon.ts
+function normalizeSegment(seg) {
+  if (seg === "**") return "{__fs_rest}";
+  if (seg === "*") return "{splat}";
+  if (seg.startsWith(":")) return `{${seg.slice(1)}}`;
+  if (seg.startsWith("[") && seg.endsWith("]")) return `{${seg.slice(1, -1)}}`;
+  return seg;
+}
+function normalizePath(path) {
+  if (path === "/" || path === "") return "/";
+  const lead = path.startsWith("/");
+  const out = path.split("/").filter((s) => s.length > 0).map(normalizeSegment).join("/");
+  return lead ? `/${out}` : out;
+}
+
+// src/reflect/index.ts
+var VALID_METHODS = /* @__PURE__ */ new Set([
+  "GET",
+  "HEAD",
+  "POST",
+  "PUT",
+  "PATCH",
+  "DELETE",
+  "OPTIONS"
+]);
+function methodsOf(route) {
+  const out = /* @__PURE__ */ new Set();
+  if (route.methods) {
+    for (const [m, on] of Object.entries(route.methods))
+      if (on) out.add(m.toUpperCase());
+  }
+  for (const s of route.stack ?? []) {
+    if (typeof s.method === "string") out.add(s.method.toUpperCase());
+  }
+  if (out.has("GET")) out.delete("HEAD");
+  return [...out].filter((m) => VALID_METHODS.has(m));
+}
+function rootStack(app) {
+  const a = app;
+  return a?.router?.stack ?? a?._router?.stack;
+}
+function prefixFromRegexp(re) {
+  if (!re) return void 0;
+  let s = re.source;
+  if (s === "^\\/?$" || s === "^\\/") return "";
+  s = s.replace(/^\^/, "").replace(/\\\/\?\(\?=\\\/\|\$\)$/, "").replace(/\(\?=\\\/\|\$\)$/, "").replace(/\\\/\?$/, "").replace(/\$$/, "");
+  s = s.replace(/\\\//g, "/");
+  if (/[()?:*+\[\]|]/.test(s)) return void 0;
+  return s.startsWith("/") ? s : `/${s}`;
+}
+function walk(stack, prefix, out, counters) {
+  for (const layer of stack) {
+    if (layer.route && typeof layer.route.path === "string") {
+      const path = normalizePath(`${prefix}${layer.route.path}`);
+      for (const method of methodsOf(layer.route)) {
+        out.push({ method, path });
+      }
+    } else if (layer.handle?.stack && Array.isArray(layer.handle.stack)) {
+      const sub = prefixFromRegexp(layer.regexp);
+      if (sub === void 0 && layer.name === "router") {
+        counters.unreflectable += layer.handle.stack.filter(
+          (l) => l.route
+        ).length;
+        continue;
+      }
+      walk(layer.handle.stack, `${prefix}${sub ?? ""}`, out, counters);
+    }
+  }
+}
+function reflectRoutesDetailed(app, _opts) {
+  const stack = rootStack(app);
+  if (!stack) return { routes: [], unreflectable: 0 };
+  const raw = [];
+  const counters = { unreflectable: 0 };
+  walk(stack, "", raw, counters);
+  const seen = /* @__PURE__ */ new Set();
+  const routes = [];
+  for (const r of raw) {
+    const key = `${r.method} ${r.path}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    routes.push(r);
+  }
+  return { routes, unreflectable: counters.unreflectable };
+}
+function reflectRoutes(app, opts) {
+  return reflectRoutesDetailed(app, opts).routes;
+}
+export {
+  reflectRoutes,
+  reflectRoutesDetailed
+};

package/dist/types/core/runtime.d.ts

@@ -3,9 +3,9 @@ import type { ReconcileResult } from "../reflect/reconcile.js";
 import { type MeterOptions } from "./metering.js";
 import { type SpawnFn } from "./tunnel.js";
 import { type FartherShoreRequestContext, type VerifyRequestInput } from "./verifyRequest.js";
-/** Advanced opt-in tunnel config. The managed runner is the default DX. */
+/** Advanced opt-in tunnel config. The embedded runner is the default DX. */
 export type FartherShoreTunnelOptions = {
-    /** Opt out of the managed cloudflared runner (e.g. sidecar mode). */
+    /** Opt out of the embedded cloudflared runner (e.g. sidecar mode). */
     enabled?: boolean;
     /** Injected spawner (tests/non-default hosts). Defaults to node:child_process. */
     spawn?: SpawnFn;
@@ -35,7 +35,7 @@ export type FartherShoreInitOptions = {
     metering?: {
         enabled?: boolean;
     };
-    /** Managed-cloudflared runner config (advanced opt-in; default DX is on). */
+    /** Embedded-cloudflared runner config (advanced opt-in; default DX is on). */
     tunnel?: FartherShoreTunnelOptions;
     /** SDK metadata forwarded to bootstrap. */
     instanceId?: string;
@@ -73,7 +73,7 @@ export declare class FartherShore {
      * The reflection code is dynamically imported so it stays OFF the per-request
      * verification hot path (the runtime stays route-unaware there). The report is
      * an OUTBOUND backend→core call (same channel as bootstrap/metering), so it
-     * works for every transport (public_origin / mTLS / cloudflare_tunnel).
+     * works for every transport (direct / tunnel).
      *
      * Returns the reconcile result (or null if reflection is unavailable / boot
      * reporting failed). v1 reflects Express; `app` omitted → no-op.
@@ -89,11 +89,11 @@ export declare class FartherShore {
     /** Whether verification is required (bootstrap × opt-out). */
     verificationRequired(): Promise<boolean>;
     /**
-     * Start the managed runner. For a `cloudflare_tunnel` backend whose runner is
-     * `managed_cloudflared`, this supervises `cloudflared` as a child process
+     * Start the embedded runner. For a `tunnel` backend whose runner is
+     * `embedded`, this supervises `cloudflared` as a child process
      * (spawned via the injected/default spawner) using the tunnel token from
-     * bootstrap. For every other transport (`public_origin`, `mtls`, or the
-     * `sidecar` runner) it is a no-op — there is no SDK-managed process to run.
+     * bootstrap. For every other transport (`direct`, or the `sidecar` runner)
+     * it is a no-op — there is no SDK-managed process to run.
      *
      * Fail-open by default: a tunnel that cannot start does NOT crash the host app
      * (request verification stays fail-closed regardless — a different axis).

package/dist/types/core/tunnel.d.ts

@@ -121,8 +121,16 @@ export declare class CloudflaredSupervisor {
     healthString(): string;
     private spawnChild;
     /**
-     * Resolve the cloudflared binary path. Explicit `binaryPath` wins; otherwise
-     * the injected locator runs (Linux-first). Missing ⇒ a clear, redacted error.
+     * Resolve the cloudflared binary path. Order:
+     *   1. an installed `@farthershore/cloudflared-<platform>` optional-dependency
+     *      matching process.platform+arch (the injected locator), then
+     *   2. an explicit `binaryPath` supplied by the host, then
+     *   3. the bare `cloudflared` name on PATH (resolved at spawn time).
+     *
+     * On an unsupported arch (no optional dep, no binaryPath) AND no usable PATH
+     * fallback, this raises a clear, redacted error pointing at the sidecar — it
+     * NEVER downloads a binary at runtime. (Cross-platform binary management is the
+     * optional-dep packages' job, populated at publish time.)
      */
     private resolveBinary;
     /** Pipe stdout/stderr to the logger with the tunnel token redacted. */

package/dist/types/generated/runtime-contract.d.ts

@@ -51,8 +51,8 @@ export declare const RUNTIME_BOOTSTRAP_CONTRACT: {
             readonly perEventMax: "number";
         };
         readonly transport: {
-            readonly mode: "public_origin | mtls | cloudflare_tunnel";
-            readonly runner: "managed_cloudflared | sidecar | null";
+            readonly mode: "direct | tunnel";
+            readonly runner: "embedded | sidecar | null";
             readonly originUrl: "string?";
             readonly originHostname: "string?";
             readonly localTarget: "string?";
@@ -214,15 +214,14 @@ export declare const RUNTIME_HEALTH_CONTRACT: {
 };
 export declare const RUNTIME_TRANSPORT_CONTRACT: {
     readonly modes: {
-        readonly public_origin: "Gateway fetches the builder's public origin URL; the SDK middleware fail-closed-verifies every request. Provisions zero Cloudflare objects. Standard tier; also the dev path.";
-        readonly mtls: "Gateway presents a Farther-Shore-issued platform-wide client cert; the builder's ingress requires + verifies it. Channel-level mutual auth; provisions zero Cloudflare objects. Standard-plus / self-hosted tier.";
-        readonly cloudflare_tunnel: "Farther Shore provisions a private outbound Cloudflare Tunnel; no inbound port. The only Production-secure tier. Consumes Cloudflare tunnel/route slots.";
+        readonly direct: "Gateway fetches the builder's public origin URL; the SDK middleware fail-closed-verifies every request via Ed25519 request signing. Provisions zero Cloudflare objects. Available on all tiers; also the dev path.";
+        readonly tunnel: "Farther Shore provisions a private outbound Cloudflare Tunnel; no inbound port. The Production-secure tier. Consumes Cloudflare tunnel/route slots.";
     };
     readonly runners: {
-        readonly managed_cloudflared: "fs.start() supervises cloudflared as a child process (default DX).";
+        readonly embedded: "fs.start() supervises cloudflared as a child process (default DX).";
         readonly sidecar: "Vanilla cloudflare/cloudflared container beside the app (production / non-Node).";
     };
-    readonly channelTrust: readonly ["mtls", "cloudflare_tunnel"];
+    readonly channelTrust: readonly ["tunnel"];
     readonly requestTrust: "x-fs-signature";
-    readonly invariant: "Channel trust (mtls/tunnel) and request trust (the X-FS-* signature) are distinct layers; both always apply. CF-Access-* headers are transport-layer only and are IGNORED by the SDK.";
+    readonly invariant: "Channel trust (tunnel) and request trust (the X-FS-* signature) are distinct layers; both always apply. CF-Access-* headers are transport-layer only and are IGNORED by the SDK.";
 };

package/dist/types/runtime-types.d.ts

@@ -103,8 +103,8 @@ export type CanonicalSigningInput = {
     policyVersion: string;
 };
 export type RuntimeEnvironmentKind = RuntimeTokenKind;
-export type TransportMode = "public_origin" | "mtls" | "cloudflare_tunnel";
-export type TransportRunner = "managed_cloudflared" | "sidecar";
+export type TransportMode = "direct" | "tunnel";
+export type TransportRunner = "embedded" | "sidecar";
 export type RuntimeBootstrapRequest = {
     instanceId?: string;
     sdkVersion?: string;
@@ -135,7 +135,6 @@ export type RuntimeTransportConfig = {
         tunnelToken: string;
         version: string;
     };
-    mtlsClientCertRef?: string;
 };
 export type RuntimeRouteDescriptor = {
     id: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@farthershore/backend",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "description": "Farther Shore backend SDK for builder upstreams: signed response usage, fail-closed gateway request verification, health, and lifecycle from FS_RUNTIME_TOKEN",
   "type": "module",
   "main": "./dist/index.js",
@@ -31,6 +31,12 @@
   "publishConfig": {
     "access": "public"
   },
+  "optionalDependencies": {
+    "@farthershore/cloudflared-linux-x64": "0.0.0",
+    "@farthershore/cloudflared-linux-arm64": "0.0.0",
+    "@farthershore/cloudflared-darwin-arm64": "0.0.0",
+    "@farthershore/cloudflared-darwin-x64": "0.0.0"
+  },
   "peerDependencies": {
     "express": "^4.0.0 || ^5.0.0"
   },