@farthershore/backend 0.8.1 → 0.8.2

package/README.md

@@ -4,7 +4,7 @@ Runtime metering and gateway-verification SDK for builder upstreams. Install one
 package, set one token (`FS_RUNTIME_TOKEN`), and Farther Shore handles signed
 gateway-to-upstream request verification plus response-bound usage reporting.
 
-> **Status: `0.8.1` (lockstep SDK family).** Published at the SAME version as
+> **Status: `0.8.2` (lockstep SDK family).** Published at the SAME version as
 > `@farthershore/farthershore-js` and `@farthershore/product` — pin the three
 > together. Pre-1.0: minor bumps may break.
 

package/dist/generated/runtime-contract.js

@@ -54,8 +54,8 @@ var RUNTIME_BOOTSTRAP_CONTRACT = {
       perEventMax: "number"
     },
     transport: {
-      mode: "public_origin | mtls | cloudflare_tunnel",
-      runner: "managed_cloudflared | sidecar | null",
+      mode: "direct | tunnel",
+      runner: "embedded | sidecar | null",
       originUrl: "string?",
       originHostname: "string?",
       localTarget: "string?",
@@ -247,17 +247,16 @@ var RUNTIME_HEALTH_CONTRACT = {
 };
 var RUNTIME_TRANSPORT_CONTRACT = {
   modes: {
-    public_origin: "Gateway fetches the builder's public origin URL; the SDK middleware fail-closed-verifies every request. Provisions zero Cloudflare objects. Standard tier; also the dev path.",
-    mtls: "Gateway presents a Farther-Shore-issued platform-wide client cert; the builder's ingress requires + verifies it. Channel-level mutual auth; provisions zero Cloudflare objects. Standard-plus / self-hosted tier.",
-    cloudflare_tunnel: "Farther Shore provisions a private outbound Cloudflare Tunnel; no inbound port. The only Production-secure tier. Consumes Cloudflare tunnel/route slots."
+    direct: "Gateway fetches the builder's public origin URL; the SDK middleware fail-closed-verifies every request via Ed25519 request signing. Provisions zero Cloudflare objects. Available on all tiers; also the dev path.",
+    tunnel: "Farther Shore provisions a private outbound Cloudflare Tunnel; no inbound port. The Production-secure tier. Consumes Cloudflare tunnel/route slots."
   },
   runners: {
-    managed_cloudflared: "fs.start() supervises cloudflared as a child process (default DX).",
+    embedded: "fs.start() supervises cloudflared as a child process (default DX).",
     sidecar: "Vanilla cloudflare/cloudflared container beside the app (production / non-Node)."
   },
-  channelTrust: ["mtls", "cloudflare_tunnel"],
+  channelTrust: ["tunnel"],
   requestTrust: "x-fs-signature",
-  invariant: "Channel trust (mtls/tunnel) and request trust (the X-FS-* signature) are distinct layers; both always apply. CF-Access-* headers are transport-layer only and are IGNORED by the SDK."
+  invariant: "Channel trust (tunnel) and request trust (the X-FS-* signature) are distinct layers; both always apply. CF-Access-* headers are transport-layer only and are IGNORED by the SDK."
 };
 export {
   RUNTIME_BODY_HASH_CONTRACT,

package/dist/index.js

@@ -918,6 +918,7 @@ var ShutdownManager = class {
 
 // src/core/tunnel.ts
 import { spawn as nodeChildSpawn } from "node:child_process";
+import { createRequire } from "node:module";
 var REDACTED_TOKEN = "***REDACTED***";
 var CLOUDFLARED_RUN_ARGS = [
   "tunnel",
@@ -925,12 +926,12 @@ var CLOUDFLARED_RUN_ARGS = [
   "run",
   "--token"
 ];
-var DEFAULT_BINARY_CANDIDATES = [
-  "cloudflared",
-  "/usr/local/bin/cloudflared",
-  "/usr/bin/cloudflared",
-  "/opt/cloudflared/cloudflared"
-];
+var CLOUDFLARED_BINARY_PACKAGES = {
+  "linux-x64": "@farthershore/cloudflared-linux-x64",
+  "linux-arm64": "@farthershore/cloudflared-linux-arm64",
+  "darwin-arm64": "@farthershore/cloudflared-darwin-arm64",
+  "darwin-x64": "@farthershore/cloudflared-darwin-x64"
+};
 var DEFAULT_BASE_BACKOFF_MS = 1e3;
 var DEFAULT_MAX_BACKOFF_MS = 6e4;
 var DEFAULT_BINARY = "cloudflared";
@@ -1048,15 +1049,24 @@ var CloudflaredSupervisor = class {
     child.on("exit", (code, signal) => this.handleExit(code, signal));
   }
   /**
-   * Resolve the cloudflared binary path. Explicit `binaryPath` wins; otherwise
-   * the injected locator runs (Linux-first). Missing ⇒ a clear, redacted error.
+   * Resolve the cloudflared binary path. Order:
+   *   1. an installed `@farthershore/cloudflared-<platform>` optional-dependency
+   *      matching process.platform+arch (the injected locator), then
+   *   2. an explicit `binaryPath` supplied by the host, then
+   *   3. the bare `cloudflared` name on PATH (resolved at spawn time).
+   *
+   * On an unsupported arch (no optional dep, no binaryPath) AND no usable PATH
+   * fallback, this raises a clear, redacted error pointing at the sidecar — it
+   * NEVER downloads a binary at runtime. (Cross-platform binary management is the
+   * optional-dep packages' job, populated at publish time.)
    */
   resolveBinary() {
-    if (this.binaryPath) return this.binaryPath;
     const located = this.locateBinary();
     if (located) return located;
+    if (this.binaryPath) return this.binaryPath;
+    if (currentBinaryPackageName() !== null) return DEFAULT_BINARY;
     throw new Error(
-      "cloudflared binary not found \u2014 install it in the image, supply binaryPath, or run the sidecar runner instead. (Linux container is the V1 supported target.)"
+      "cloudflared binary not found for this platform/arch \u2014 install an @farthershore/cloudflared-<platform> package, supply binaryPath, or run the sidecar runner instead (no binary is downloaded at runtime)."
     );
   }
   /** Pipe stdout/stderr to the logger with the tunnel token redacted. */
@@ -1185,8 +1195,30 @@ function nodeProcess() {
   const proc = globalThis.process;
   return proc && typeof proc.on === "function" ? proc : null;
 }
+function currentBinaryPackageName() {
+  const proc = globalThis.process;
+  if (!proc?.platform || !proc.arch) return null;
+  return CLOUDFLARED_BINARY_PACKAGES[`${proc.platform}-${proc.arch}`] ?? null;
+}
 function defaultLocateBinary() {
-  return DEFAULT_BINARY_CANDIDATES[0] ?? DEFAULT_BINARY;
+  const pkg = currentBinaryPackageName();
+  if (!pkg) return null;
+  try {
+    const require2 = createRequire(import.meta.url);
+    const manifestPath = require2.resolve(`${pkg}/package.json`);
+    return resolvePackageBinary(require2, pkg, manifestPath);
+  } catch {
+    return null;
+  }
+}
+function resolvePackageBinary(require2, pkg, manifestPath) {
+  const sep = manifestPath.includes("\\") ? "\\" : "/";
+  const root = manifestPath.slice(0, manifestPath.lastIndexOf(sep));
+  const manifest = require2(manifestPath);
+  const binField = manifest.bin;
+  const relative = typeof binField === "string" ? binField : binField?.cloudflared ?? `bin${sep}cloudflared`;
+  const normalized = relative.replace(/^\.[\\/]/, "");
+  return `${root}${sep}${normalized}`;
 }
 
 // src/core/verifyRequest.ts
@@ -1338,8 +1370,8 @@ function headerGetter(headers) {
 
 // src/core/runtime.ts
 var DEFAULT_CORE_URL = "https://core.farthershore.com";
-var SDK_VERSION = "0.8.1".length > 0 ? "0.8.1" : "0.0.0-dev";
-var CONTRACTS_FP = "3c1f8e3d44799bd4".length > 0 ? "3c1f8e3d44799bd4" : "0000000000000000";
+var SDK_VERSION = "0.8.2".length > 0 ? "0.8.2" : "0.0.0-dev";
+var CONTRACTS_FP = "5beebf042c7ce96d".length > 0 ? "5beebf042c7ce96d" : "0000000000000000";
 var FartherShore = class {
   bootstrapClient;
   fetchImpl;
@@ -1419,7 +1451,7 @@ var FartherShore = class {
    * The reflection code is dynamically imported so it stays OFF the per-request
    * verification hot path (the runtime stays route-unaware there). The report is
    * an OUTBOUND backend→core call (same channel as bootstrap/metering), so it
-   * works for every transport (public_origin / mTLS / cloudflare_tunnel).
+   * works for every transport (direct / tunnel).
    *
    * Returns the reconcile result (or null if reflection is unavailable / boot
    * reporting failed). v1 reflects Express; `app` omitted → no-op.
@@ -1494,11 +1526,11 @@ var FartherShore = class {
     return config.verification.required;
   }
   /**
-   * Start the managed runner. For a `cloudflare_tunnel` backend whose runner is
-   * `managed_cloudflared`, this supervises `cloudflared` as a child process
+   * Start the embedded runner. For a `tunnel` backend whose runner is
+   * `embedded`, this supervises `cloudflared` as a child process
    * (spawned via the injected/default spawner) using the tunnel token from
-   * bootstrap. For every other transport (`public_origin`, `mtls`, or the
-   * `sidecar` runner) it is a no-op — there is no SDK-managed process to run.
+   * bootstrap. For every other transport (`direct`, or the `sidecar` runner)
+   * it is a no-op — there is no SDK-managed process to run.
    *
    * Fail-open by default: a tunnel that cannot start does NOT crash the host app
    * (request verification stays fail-closed regardless — a different axis).
@@ -1507,7 +1539,7 @@ var FartherShore = class {
     if (this.tunnelOptions.enabled === false) return;
     const config = await this.ensureBootstrapped();
     const transport = config.transport;
-    if (transport.mode !== "cloudflare_tunnel" || transport.runner !== "managed_cloudflared") {
+    if (transport.mode !== "tunnel" || transport.runner !== "embedded") {
       return;
     }
     const tunnelToken = transport.cloudflared?.tunnelToken;
@@ -1515,7 +1547,7 @@ var FartherShore = class {
       if (this.tunnelOptions.failClosed) {
         throw new FartherShoreError(
           "invalid_token",
-          "managed cloudflared runner requires a tunnel token from bootstrap"
+          "embedded cloudflared runner requires a tunnel token from bootstrap"
         );
       }
       return;
@@ -1552,8 +1584,8 @@ var FartherShore = class {
     return buildHealthReport({
       runtimeToken: this.runtimeToken.length > 0,
       bootstrap: this.bootstrapped && config !== null,
-      // Populated by the managed-cloudflared supervisor (Slice 3). Null until
-      // fs.start() launches a managed tunnel; otherwise the supervisor state.
+      // Populated by the embedded-cloudflared supervisor (Slice 3). Null until
+      // fs.start() launches an embedded tunnel; otherwise the supervisor state.
       tunnel: this.tunnel ? this.tunnel.healthString() : null,
       verification: this.verificationEnabled && config !== null,
       metering: this.meteringClient !== null

package/dist/types/core/runtime.d.ts

@@ -3,9 +3,9 @@ import type { ReconcileResult } from "../reflect/reconcile.js";
 import { type MeterOptions } from "./metering.js";
 import { type SpawnFn } from "./tunnel.js";
 import { type FartherShoreRequestContext, type VerifyRequestInput } from "./verifyRequest.js";
-/** Advanced opt-in tunnel config. The managed runner is the default DX. */
+/** Advanced opt-in tunnel config. The embedded runner is the default DX. */
 export type FartherShoreTunnelOptions = {
-    /** Opt out of the managed cloudflared runner (e.g. sidecar mode). */
+    /** Opt out of the embedded cloudflared runner (e.g. sidecar mode). */
     enabled?: boolean;
     /** Injected spawner (tests/non-default hosts). Defaults to node:child_process. */
     spawn?: SpawnFn;
@@ -35,7 +35,7 @@ export type FartherShoreInitOptions = {
     metering?: {
         enabled?: boolean;
     };
-    /** Managed-cloudflared runner config (advanced opt-in; default DX is on). */
+    /** Embedded-cloudflared runner config (advanced opt-in; default DX is on). */
     tunnel?: FartherShoreTunnelOptions;
     /** SDK metadata forwarded to bootstrap. */
     instanceId?: string;
@@ -73,7 +73,7 @@ export declare class FartherShore {
      * The reflection code is dynamically imported so it stays OFF the per-request
      * verification hot path (the runtime stays route-unaware there). The report is
      * an OUTBOUND backend→core call (same channel as bootstrap/metering), so it
-     * works for every transport (public_origin / mTLS / cloudflare_tunnel).
+     * works for every transport (direct / tunnel).
      *
      * Returns the reconcile result (or null if reflection is unavailable / boot
      * reporting failed). v1 reflects Express; `app` omitted → no-op.
@@ -89,11 +89,11 @@ export declare class FartherShore {
     /** Whether verification is required (bootstrap × opt-out). */
     verificationRequired(): Promise<boolean>;
     /**
-     * Start the managed runner. For a `cloudflare_tunnel` backend whose runner is
-     * `managed_cloudflared`, this supervises `cloudflared` as a child process
+     * Start the embedded runner. For a `tunnel` backend whose runner is
+     * `embedded`, this supervises `cloudflared` as a child process
      * (spawned via the injected/default spawner) using the tunnel token from
-     * bootstrap. For every other transport (`public_origin`, `mtls`, or the
-     * `sidecar` runner) it is a no-op — there is no SDK-managed process to run.
+     * bootstrap. For every other transport (`direct`, or the `sidecar` runner)
+     * it is a no-op — there is no SDK-managed process to run.
      *
      * Fail-open by default: a tunnel that cannot start does NOT crash the host app
      * (request verification stays fail-closed regardless — a different axis).

package/dist/types/core/tunnel.d.ts

@@ -121,8 +121,16 @@ export declare class CloudflaredSupervisor {
     healthString(): string;
     private spawnChild;
     /**
-     * Resolve the cloudflared binary path. Explicit `binaryPath` wins; otherwise
-     * the injected locator runs (Linux-first). Missing ⇒ a clear, redacted error.
+     * Resolve the cloudflared binary path. Order:
+     *   1. an installed `@farthershore/cloudflared-<platform>` optional-dependency
+     *      matching process.platform+arch (the injected locator), then
+     *   2. an explicit `binaryPath` supplied by the host, then
+     *   3. the bare `cloudflared` name on PATH (resolved at spawn time).
+     *
+     * On an unsupported arch (no optional dep, no binaryPath) AND no usable PATH
+     * fallback, this raises a clear, redacted error pointing at the sidecar — it
+     * NEVER downloads a binary at runtime. (Cross-platform binary management is the
+     * optional-dep packages' job, populated at publish time.)
      */
     private resolveBinary;
     /** Pipe stdout/stderr to the logger with the tunnel token redacted. */

package/dist/types/generated/runtime-contract.d.ts

@@ -51,8 +51,8 @@ export declare const RUNTIME_BOOTSTRAP_CONTRACT: {
             readonly perEventMax: "number";
         };
         readonly transport: {
-            readonly mode: "public_origin | mtls | cloudflare_tunnel";
-            readonly runner: "managed_cloudflared | sidecar | null";
+            readonly mode: "direct | tunnel";
+            readonly runner: "embedded | sidecar | null";
             readonly originUrl: "string?";
             readonly originHostname: "string?";
             readonly localTarget: "string?";
@@ -214,15 +214,14 @@ export declare const RUNTIME_HEALTH_CONTRACT: {
 };
 export declare const RUNTIME_TRANSPORT_CONTRACT: {
     readonly modes: {
-        readonly public_origin: "Gateway fetches the builder's public origin URL; the SDK middleware fail-closed-verifies every request. Provisions zero Cloudflare objects. Standard tier; also the dev path.";
-        readonly mtls: "Gateway presents a Farther-Shore-issued platform-wide client cert; the builder's ingress requires + verifies it. Channel-level mutual auth; provisions zero Cloudflare objects. Standard-plus / self-hosted tier.";
-        readonly cloudflare_tunnel: "Farther Shore provisions a private outbound Cloudflare Tunnel; no inbound port. The only Production-secure tier. Consumes Cloudflare tunnel/route slots.";
+        readonly direct: "Gateway fetches the builder's public origin URL; the SDK middleware fail-closed-verifies every request via Ed25519 request signing. Provisions zero Cloudflare objects. Available on all tiers; also the dev path.";
+        readonly tunnel: "Farther Shore provisions a private outbound Cloudflare Tunnel; no inbound port. The Production-secure tier. Consumes Cloudflare tunnel/route slots.";
     };
     readonly runners: {
-        readonly managed_cloudflared: "fs.start() supervises cloudflared as a child process (default DX).";
+        readonly embedded: "fs.start() supervises cloudflared as a child process (default DX).";
         readonly sidecar: "Vanilla cloudflare/cloudflared container beside the app (production / non-Node).";
     };
-    readonly channelTrust: readonly ["mtls", "cloudflare_tunnel"];
+    readonly channelTrust: readonly ["tunnel"];
     readonly requestTrust: "x-fs-signature";
-    readonly invariant: "Channel trust (mtls/tunnel) and request trust (the X-FS-* signature) are distinct layers; both always apply. CF-Access-* headers are transport-layer only and are IGNORED by the SDK.";
+    readonly invariant: "Channel trust (tunnel) and request trust (the X-FS-* signature) are distinct layers; both always apply. CF-Access-* headers are transport-layer only and are IGNORED by the SDK.";
 };

package/dist/types/runtime-types.d.ts

@@ -103,8 +103,8 @@ export type CanonicalSigningInput = {
     policyVersion: string;
 };
 export type RuntimeEnvironmentKind = RuntimeTokenKind;
-export type TransportMode = "public_origin" | "mtls" | "cloudflare_tunnel";
-export type TransportRunner = "managed_cloudflared" | "sidecar";
+export type TransportMode = "direct" | "tunnel";
+export type TransportRunner = "embedded" | "sidecar";
 export type RuntimeBootstrapRequest = {
     instanceId?: string;
     sdkVersion?: string;
@@ -135,7 +135,6 @@ export type RuntimeTransportConfig = {
         tunnelToken: string;
         version: string;
     };
-    mtlsClientCertRef?: string;
 };
 export type RuntimeRouteDescriptor = {
     id: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@farthershore/backend",
-  "version": "0.8.1",
+  "version": "0.8.2",
   "description": "Farther Shore backend SDK for builder upstreams: signed response usage, fail-closed gateway request verification, health, and lifecycle from FS_RUNTIME_TOKEN",
   "type": "module",
   "main": "./dist/index.js",
@@ -31,6 +31,12 @@
   "publishConfig": {
     "access": "public"
   },
+  "optionalDependencies": {
+    "@farthershore/cloudflared-linux-x64": "0.0.0",
+    "@farthershore/cloudflared-linux-arm64": "0.0.0",
+    "@farthershore/cloudflared-darwin-arm64": "0.0.0",
+    "@farthershore/cloudflared-darwin-x64": "0.0.0"
+  },
   "peerDependencies": {
     "express": "^4.0.0 || ^5.0.0"
   },