@fdkey/mcp 0.2.0

package/dist/index.js

@@ -0,0 +1,409 @@
+import { z } from 'zod';
+import { jwtVerify, decodeProtectedHeader, decodeJwt } from 'jose';
+import { InitializeRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+import { normalisePolicy } from './types.js';
+import { canCall, markVerified, consumePolicy } from './guard.js';
+import { VpsClient, VpsHttpError } from './vps-client.js';
+import { StaticRouter } from './router-static.js';
+import { createSessionStore } from './session-store.js';
+import { WellKnownClient } from './well-known.js';
+/** @internal Test-only export. Not part of the supported public API;
+ *  may change or disappear without notice. Used by `index.test.ts` to
+ *  verify the lazy-import contract directly. */
+export { LazyVpsRouter as __LazyVpsRouterForTesting };
+/** Hardcoded SDK version. Forwarded to the VPS as `integrator.sdk_version`
+ *  on every challenge fetch so we can correlate failures with SDK releases.
+ *  MUST be kept in sync with package.json version on every release — there's
+ *  a smoke test that checks this match. */
+const SDK_VERSION = '0.2.0';
+/** Default VPS URL used when no `vpsUrl` and no `discoveryUrl` are provided. */
+const DEFAULT_VPS_URL = 'https://api.fdkey.com';
+/** Lazy wrapper around the multi-VPS `VpsRouter`. Defers `await import('./vps-router.js')`
+ *  until the first `getTarget()` call so Workers/Bun/Deno builds — which never hit this
+ *  path unless `discoveryUrl` is set — don't pull undici into the bundle.
+ *
+ *  If `undici` is not installed (it's an `optionalDependency`), the dynamic
+ *  import will fail. We catch that and rethrow with a clear, actionable
+ *  error so the integrator doesn't have to debug a `Cannot find module
+ *  'undici'` stack trace. */
+class LazyVpsRouter {
+    discoveryUrl;
+    inner = null;
+    constructor(discoveryUrl) {
+        this.discoveryUrl = discoveryUrl;
+    }
+    async getTarget() {
+        if (!this.inner) {
+            try {
+                const { VpsRouter } = await import('./vps-router.js');
+                this.inner = new VpsRouter(this.discoveryUrl);
+            }
+            catch (err) {
+                // We want to rethrow with a friendly message ONLY for the specific
+                // case "undici not installed" (the optionalDependency wasn't
+                // resolved). Match the Node module-resolution error code AND the
+                // module name so an unrelated bundler glitch on `vps-router.js`
+                // itself doesn't surface a misleading "install undici" error.
+                const code = err.code;
+                const isModuleNotFound = code === 'ERR_MODULE_NOT_FOUND' || code === 'MODULE_NOT_FOUND';
+                const msg = err instanceof Error ? err.message : String(err);
+                if (isModuleNotFound && msg.includes('undici')) {
+                    throw new Error("@fdkey/mcp: `discoveryUrl` is set but `undici` is not installed. " +
+                        "Multi-VPS routing requires undici (Node-only). Run " +
+                        "`npm install undici` to enable it, or remove `discoveryUrl` to " +
+                        "use the single-VPS StaticRouter path which works on Workers/Bun/Deno.");
+                }
+                throw err;
+            }
+        }
+        return this.inner.getTarget();
+    }
+    recordFailure(ip) {
+        if (this.inner)
+            this.inner.recordFailure(ip);
+    }
+}
+/** Maps the wrapped (and original) server objects to their bounded
+ *  SessionStore. Use getFdkeyContext() rather than touching this directly. */
+const FDKEY_REGISTRY = new WeakMap();
+/** Read the current FDKEY context for a given session. Pass either the `extra`
+ *  argument from a tool handler or a session ID string. Returns null if the server
+ *  was not wrapped with withFdkey() or the session doesn't exist yet.
+ *
+ *  Reads use `store.peek()` which does NOT slide the LRU position — querying
+ *  the context shouldn't extend a session's lifetime; only actual tool calls
+ *  do that. */
+export function getFdkeyContext(server, extraOrSessionId) {
+    const store = FDKEY_REGISTRY.get(server);
+    if (!store)
+        return null;
+    const sid = typeof extraOrSessionId === 'string'
+        ? extraOrSessionId
+        : extraOrSessionId?.sessionId ?? 'stdio';
+    const s = store.peek(sid);
+    if (!s)
+        return { verified: false, verifiedAt: null, score: null, tier: null, claims: null };
+    return {
+        verified: s.verified,
+        verifiedAt: s.verifiedAt,
+        score: extractScore(s.lastClaims),
+        tier: extractTier(s.lastClaims),
+        claims: s.lastClaims,
+    };
+}
+function extractScore(claims) {
+    if (!claims)
+        return null;
+    const v = claims.score;
+    return typeof v === 'number' ? v : null;
+}
+function extractTier(claims) {
+    if (!claims)
+        return null;
+    const v = claims.tier;
+    return typeof v === 'string' ? v : null;
+}
+const GET_CHALLENGE_TOOL = 'fdkey_get_challenge';
+const SUBMIT_CHALLENGE_TOOL = 'fdkey_submit_challenge';
+const GET_CHALLENGE_DESC = 'Request an AI identity verification challenge. Call this when a tool returns fdkey_verification_required, when asked to verify, or to verify proactively. There is a time limit on your answers.';
+const SUBMIT_CHALLENGE_DESC = 'Submit answers to the active FDKEY challenge. On verified:true, retry the tool that was blocked. On verified:false, call fdkey_get_challenge to try again.';
+function mkError(text) {
+    return { content: [{ type: 'text', text }], isError: true };
+}
+function mkResult(obj) {
+    return { content: [{ type: 'text', text: JSON.stringify(obj) }] };
+}
+function expiresInSeconds(expiresAtIso) {
+    const ms = new Date(expiresAtIso).getTime() - Date.now();
+    return Math.max(0, Math.round(ms / 1000));
+}
+function challengePayload(c) {
+    return {
+        expires_in_seconds: c.expires_in_seconds ?? expiresInSeconds(c.expires_at),
+        difficulty: c.difficulty,
+        types_served: c.types_served,
+        header: c.header,
+        puzzles: c.puzzles,
+        footer: c.footer,
+    };
+}
+/**
+ * Wraps an MCP server with FDKEY verification middleware.
+ *
+ * @example
+ * const server = withFdkey(new McpServer({ name: 'my-server', version: '1.0.0' }), {
+ *   apiKey: process.env.FDKEY_API_KEY!,
+ *   protect: {
+ *     login:    { policy: 'each_call' },
+ *     register: { policy: 'once_per_session' },
+ *   },
+ * });
+ * server.registerTool('login', { inputSchema: { username: z.string() } }, async (args) => { ... });
+ */
+export function withFdkey(server, config) {
+    const protect = config.protect ?? {};
+    const onFail = config.onFail ?? 'block';
+    // Default is 'allow' (fail-open) so an FDKEY service outage doesn't
+    // brick integrator workflows — protected tools fall through to their
+    // original handler. Override with `onVpsError: 'block'` if your threat
+    // model prefers fail-closed.
+    const onVpsError = config.onVpsError ?? 'allow';
+    const inlineChallenge = config.inlineChallenge ?? false;
+    // Router selection:
+    //   discoveryUrl set      → multi-VPS routing via undici-backed VpsRouter
+    //                           (Node-only; lazy-imported to keep undici out
+    //                            of Workers/Bun/Deno bundles)
+    //   vpsUrl set            → StaticRouter pinned to that URL (default fetch)
+    //   neither set           → StaticRouter at https://api.fdkey.com
+    const router = config.discoveryUrl
+        ? new LazyVpsRouter(config.discoveryUrl)
+        : new StaticRouter(config.vpsUrl ?? DEFAULT_VPS_URL);
+    const vpsClient = new VpsClient(router, config.apiKey, config.difficulty ?? 'medium');
+    const wellKnown = new WellKnownClient(router);
+    // Bounded per-server session store. See session-store.ts for the
+    // full TTL + LRU eviction contract; the wrapped server itself only
+    // sees `get()` and `peek()`.
+    const store = createSessionStore();
+    const getSession = (id) => store.get(id);
+    let latestClientInfo = null;
+    let latestProtocolVersion = null;
+    // Hook (1): wrap the existing initialize handler so we can read protocolVersion
+    // from the request params before delegating. The Server class registers its
+    // own _oninitialize via setRequestHandler in its constructor; calling
+    // setRequestHandler again replaces the entry. We retrieve the prior handler
+    // through the protocol's private _requestHandlers map and re-invoke it,
+    // preserving the official init behavior. Private-API access is bounded to
+    // these few lines and documented; if MCP SDK refactors this away we update.
+    const protocolPrivate = server.server;
+    const origInitialize = protocolPrivate._requestHandlers?.get('initialize');
+    if (origInitialize) {
+        server.server.setRequestHandler(InitializeRequestSchema, async (request, extra) => {
+            try {
+                // request.params.protocolVersion is what the client sent
+                const pv = request.params?.protocolVersion;
+                if (typeof pv === 'string')
+                    latestProtocolVersion = pv;
+            }
+            catch {
+                // Reading the field must never break initialize; swallow errors.
+            }
+            return origInitialize(request, extra);
+        });
+    }
+    // Hook (2): post-init capture for clientInfo + capabilities.
+    const previousOnInitialized = server.server.oninitialized;
+    server.server.oninitialized = () => {
+        const ci = server.server.getClientVersion();
+        const caps = server.server.getClientCapabilities();
+        if (ci) {
+            latestClientInfo = {
+                name: ci.name,
+                version: ci.version,
+                title: ci.title,
+                capabilities: caps,
+            };
+        }
+        if (previousOnInitialized)
+            previousOnInitialized();
+    };
+    // Integrator-side block — same value every challenge call. Read once at
+    // wrap time. server_info comes from McpServer's ctor args; the underlying
+    // Server stores it as private `_serverInfo`. Accessing via type assertion
+    // because there's no public getter as of MCP TS SDK 1.x.
+    const serverPrivate = server.server;
+    const integratorMeta = {
+        server_name: serverPrivate._serverInfo?.name,
+        server_version: serverPrivate._serverInfo?.version,
+        sdk_version: SDK_VERSION,
+    };
+    // Tags: integrator-supplied free-form key/value dimensions. Forwarded as-is
+    // on every challenge fetch. VPS bounds them at 16 keys / 50 char keys / 200
+    // char values and rejects with HTTP 400 on overflow.
+    const configuredTags = config.tags;
+    /** Lazy-copy session-scoped agent metadata on first tool call. Idempotent —
+     *  re-runs are no-ops because we use ??= guards. Returns a ChallengeMeta
+     *  bundle ready to pass to vpsClient.fetchChallenge(). */
+    function captureChallengeMeta(session, extra) {
+        session.mcpSessionId ??= extra.sessionId ?? 'stdio';
+        if (session.transport === 'unknown') {
+            session.transport = extra.sessionId ? 'http' : 'stdio';
+        }
+        session.clientInfo ??= latestClientInfo;
+        session.protocolVersion ??= latestProtocolVersion;
+        const agent = {
+            transport: session.transport,
+            mcp_session_id: session.mcpSessionId ?? undefined,
+        };
+        if (session.clientInfo) {
+            agent.client_name = session.clientInfo.name;
+            agent.client_version = session.clientInfo.version;
+            if (session.clientInfo.title)
+                agent.client_title = session.clientInfo.title;
+            if (session.clientInfo.capabilities) {
+                agent.client_capabilities = session.clientInfo.capabilities;
+            }
+        }
+        if (session.protocolVersion)
+            agent.protocol_version = session.protocolVersion;
+        return {
+            agent,
+            integrator: integratorMeta,
+            tags: configuredTags,
+        };
+    }
+    // --- Injected tool: fdkey_get_challenge ---
+    server.registerTool(GET_CHALLENGE_TOOL, { description: GET_CHALLENGE_DESC }, async (extra) => {
+        const e = extra;
+        const session = getSession(e.sessionId ?? 'stdio');
+        const meta = captureChallengeMeta(session, e);
+        try {
+            const challenge = await vpsClient.fetchChallenge(meta);
+            session.pendingChallengeId = challenge.challenge_id;
+            return mkResult(challengePayload(challenge));
+        }
+        catch (err) {
+            return mkError(`fdkey_service_unavailable: ${String(err)}`);
+        }
+    });
+    // --- Injected tool: fdkey_submit_challenge ---
+    server.registerTool(SUBMIT_CHALLENGE_TOOL, {
+        description: SUBMIT_CHALLENGE_DESC,
+        inputSchema: { answers: z.record(z.string(), z.unknown()) },
+    }, async (args, extra) => {
+        const session = getSession(extra.sessionId ?? 'stdio');
+        if (!session.pendingChallengeId) {
+            return mkResult({
+                verified: false,
+                error: 'no_active_challenge',
+                message: `No active challenge. Call ${GET_CHALLENGE_TOOL} first.`,
+            });
+        }
+        let result;
+        try {
+            result = await vpsClient.submitAnswers(session.pendingChallengeId, args.answers);
+        }
+        catch (err) {
+            session.pendingChallengeId = null;
+            if (err instanceof VpsHttpError && err.body.error === 'challenge_expired') {
+                return mkResult({
+                    verified: false,
+                    error: 'challenge_expired',
+                    message: `Challenge expired. Call ${GET_CHALLENGE_TOOL} to start a new one.`,
+                });
+            }
+            if (err instanceof VpsHttpError && err.status >= 400 && err.status < 500) {
+                // 4xx (e.g. wrong_user, already_submitted) — treat as a failed verification
+                if (onFail === 'allow') {
+                    markVerified(session);
+                    return mkResult({ verified: true, message: 'Verification skipped per server configuration.' });
+                }
+                return mkResult({ verified: false, error: err.body.error ?? 'verification_failed' });
+            }
+            // 5xx or transport error
+            if (onVpsError === 'allow') {
+                markVerified(session);
+                return mkResult({ verified: true, message: 'VPS unreachable — access allowed per server configuration.' });
+            }
+            return mkError(`fdkey_service_unavailable: verification service is temporarily unreachable. Retry in a few seconds or contact the server operator. (${String(err)})`);
+        }
+        session.pendingChallengeId = null;
+        if (result.verified && result.jwt) {
+            try {
+                const header = decodeProtectedHeader(result.jwt);
+                const kid = header.kid;
+                if (!kid)
+                    throw new Error('JWT missing kid header');
+                const pubKey = await wellKnown.getKey(kid);
+                if (!pubKey)
+                    throw new Error(`Unknown key id: ${kid}`);
+                // 30s clock tolerance — covers NTP drift between the VPS and the SDK host.
+                // Without this, JWTs with `nbf` slightly in the future (issuer clock ahead)
+                // get rejected by recipients with slightly slower clocks.
+                await jwtVerify(result.jwt, pubKey, { clockTolerance: 30 });
+                // Cache decoded claims so getFdkeyContext() can surface them to integrator handlers (G3)
+                session.lastClaims = decodeJwt(result.jwt);
+            }
+            catch (jwtErr) {
+                if (onFail === 'allow') {
+                    markVerified(session);
+                    return mkResult({ verified: true, message: 'Verification passed (JWT validation skipped).' });
+                }
+                return mkResult({
+                    verified: false,
+                    message: `Verification failed: invalid JWT — ${String(jwtErr)}`,
+                });
+            }
+            markVerified(session);
+            return mkResult({ verified: true, message: 'Verification passed. You can now access protected tools.' });
+        }
+        // VPS responded 200 with verified=false
+        if (onFail === 'allow') {
+            markVerified(session);
+            return mkResult({ verified: true, message: 'Verification failed but access allowed per server configuration.' });
+        }
+        return mkResult({ verified: false, message: 'Verification failed. Call fdkey_get_challenge to try again.' });
+    });
+    // --- Proxy: intercept registerTool() and deprecated tool() to gate protected tools ---
+    function makeInterceptor(targetFn) {
+        return function (...toolArgs) {
+            const name = toolArgs[0];
+            // Our injected tools are already registered — pass through unchanged
+            if (name === GET_CHALLENGE_TOOL || name === SUBMIT_CHALLENGE_TOOL) {
+                return Reflect.apply(targetFn, server, toolArgs);
+            }
+            const entry = protect[name];
+            if (!entry) {
+                return Reflect.apply(targetFn, server, toolArgs);
+            }
+            const idx = toolArgs.length - 1;
+            const original = toolArgs[idx];
+            const policy = normalisePolicy(entry.policy);
+            toolArgs[idx] = async (...cbArgs) => {
+                // extra is always the last cb arg: (args, extra) or (extra) for no-arg tools
+                const extra = cbArgs[cbArgs.length - 1];
+                const session = getSession(extra?.sessionId ?? 'stdio');
+                // Capture client info on every protected-tool call too — the agent
+                // may hit a gated tool before fdkey_get_challenge runs (the natural
+                // first-blocked-then-verify flow), and we still want metadata.
+                const meta = captureChallengeMeta(session, extra ?? {});
+                if (canCall(policy, name, session)) {
+                    const result = await original(...cbArgs);
+                    consumePolicy(policy, session);
+                    return result;
+                }
+                if (inlineChallenge) {
+                    try {
+                        const challenge = await vpsClient.fetchChallenge(meta);
+                        session.pendingChallengeId = challenge.challenge_id;
+                        return mkError(`fdkey_verification_required. Solve the challenge below then call ${SUBMIT_CHALLENGE_TOOL} with your answers, then retry this tool.\n` +
+                            JSON.stringify(challengePayload(challenge)));
+                    }
+                    catch {
+                        if (onVpsError === 'allow')
+                            return original(...cbArgs);
+                        return mkError('fdkey_service_unavailable: verification service is temporarily unreachable. Retry in a few seconds or contact the server operator.');
+                    }
+                }
+                return mkError(`fdkey_verification_required. Call ${GET_CHALLENGE_TOOL} to start verification, then ${SUBMIT_CHALLENGE_TOOL} with your answers, then retry this tool.`);
+            };
+            return Reflect.apply(targetFn, server, toolArgs);
+        };
+    }
+    const wrapped = new Proxy(server, {
+        get(target, prop, receiver) {
+            if (prop === 'registerTool') {
+                return makeInterceptor(target.registerTool);
+            }
+            if (prop === 'tool') {
+                return makeInterceptor(target.tool);
+            }
+            return Reflect.get(target, prop, receiver);
+        },
+    });
+    // Register both the original and the wrapped reference so getFdkeyContext()
+    // works regardless of which the integrator passes.
+    FDKEY_REGISTRY.set(server, store);
+    FDKEY_REGISTRY.set(wrapped, store);
+    return wrapped;
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,oCAAoC,CAAC;AAU7E,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAClE,OAAO,EAAE,SAAS,EAAE,YAAY,EAA0B,MAAM,iBAAiB,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAqB,MAAM,oBAAoB,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAIlD;;gDAEgD;AAChD,OAAO,EAAE,aAAa,IAAI,yBAAyB,EAAE,CAAC;AAEtD;;;2CAG2C;AAC3C,MAAM,WAAW,GAAG,OAAO,CAAC;AAE5B,gFAAgF;AAChF,MAAM,eAAe,GAAG,uBAAuB,CAAC;AAoBhD;;;;;;;6BAO6B;AAC7B,MAAM,aAAa;IAEY;IADrB,KAAK,GAAsB,IAAI,CAAC;IACxC,YAA6B,YAAgC;QAAhC,iBAAY,GAAZ,YAAY,CAAoB;IAAG,CAAC;IACjE,KAAK,CAAC,SAAS;QACb,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;gBACtD,IAAI,CAAC,KAAK,GAAG,IAAI,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAChD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,mEAAmE;gBACnE,6DAA6D;gBAC7D,iEAAiE;gBACjE,gEAAgE;gBAChE,8DAA8D;gBAC9D,MAAM,IAAI,GAAI,GAAyB,CAAC,IAAI,CAAC;gBAC7C,MAAM,gBAAgB,GACpB,IAAI,KAAK,sBAAsB,IAAI,IAAI,KAAK,kBAAkB,CAAC;gBACjE,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7D,IAAI,gBAAgB,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC/C,MAAM,IAAI,KAAK,CACb,mEAAmE;wBACjE,qDAAqD;wBACrD,iEAAiE;wBACjE,uEAAuE,CAC1E,CAAC;gBACJ,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;IAChC,CAAC;IACD,aAAa,CAAC,EAAsB;QAClC,IAAI,IAAI,CAAC,KAAK;YAAE,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;IAC/C,CAAC;CACF;AAED;8EAC8E;AAC9E,MAAM,cAAc,GAAG,IAAI,OAAO,EAAwB,CAAC;AAE3D;;;;;;eAMe;AACf,MAAM,UAAU,eAAe,CAC7B,MAAiB,EACjB,gBAA6D;IAE7D,MAAM,KAAK,GAAG,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,GAAG,GACP,OAAO,gBAAgB,KAAK,QAAQ;QAClC,CAAC,CAAC,gBAAgB;QAClB,CAAC,CAAC,gBAAgB,EAAE,SAAS,IAAI,OAAO,CAAC;IAC7C,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC5F,OAAO;QACL,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,UAAU,EAAE,CAAC,CAAC,UAAU;QACxB,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC;QACjC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC;QAC/B,MAAM,EAAE,CAAC,CAAC,UAAU;KACrB,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAsC;IAC1D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC;IACvB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1C,CAAC;AAED,SAAS,WAAW,CAAC,MAAsC;IACzD,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC;IACtB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1C,CAAC;AAED,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;AACjD,MAAM,qBAAqB,GAAG,wBAAwB,CAAC;AAEvD,MAAM,kBAAkB,GACtB,kMAAkM,CAAC;AAErM,MAAM,qBAAqB,GACzB,4JAA4J,CAAC;AAE/J,SAAS,OAAO,CAAC,IAAY;IAC3B,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,IAAa,EAAE,CAAC;AAChF,CAAC;AAED,SAAS,QAAQ,CAAC,GAAY;IAC5B,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;AAC7E,CAAC;AAED,SAAS,gBAAgB,CAAC,YAAoB;IAC5C,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,gBAAgB,CAAC,CAAoB;IAC5C,OAAO;QACL,kBAAkB,EAAE,CAAC,CAAC,kBAAkB,IAAI,gBAAgB,CAAC,CAAC,CAAC,UAAU,CAAC;QAC1E,UAAU,EAAE,CAAC,CAAC,UAAU;QACxB,YAAY,EAAE,CAAC,CAAC,YAAY;QAC5B,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,SAAS,CAAC,MAAiB,EAAE,MAAmB;IAC9D,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC;IACxC,oEAAoE;IACpE,qEAAqE;IACrE,uEAAuE;IACvE,6BAA6B;IAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC;IAChD,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,KAAK,CAAC;IAExD,oBAAoB;IACpB,0EAA0E;IAC1E,yEAAyE;IACzE,0DAA0D;IAC1D,4EAA4E;IAC5E,kEAAkE;IAClE,MAAM,MAAM,GAAe,MAAM,CAAC,YAAY;QAC5C,CAAC,CAAC,IAAI,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC;QACxC,CAAC,CAAC,IAAI,YAAY,CAAC,MAAM,CAAC,MAAM,IAAI,eAAe,CAAC,CAAC;IAEvD,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ,CAAC,CAAC;IACtF,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC;IAE9C,iEAAiE;IACjE,mEAAmE;IACnE,6BAA6B;IAC7B,MAAM,KAAK,GAAG,kBAAkB,EAAE,CAAC;IACnC,MAAM,UAAU,GAAG,CAAC,EAAU,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IA4BjD,IAAI,gBAAgB,GAAsB,IAAI,CAAC;IAC/C,IAAI,qBAAqB,GAAkB,IAAI,CAAC;IAEhD,gFAAgF;IAChF,4EAA4E;IAC5E,sEAAsE;IACtE,4EAA4E;IAC5E,wEAAwE;IACxE,0EAA0E;IAC1E,4EAA4E;IAC5E,MAAM,eAAe,GAAG,MAAM,CAAC,MAE9B,CAAC;IACF,MAAM,cAAc,GAAG,eAAe,CAAC,gBAAgB,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;IAC3E,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAC7B,uBAAuB,EACvB,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;YACvB,IAAI,CAAC;gBACH,yDAAyD;gBACzD,MAAM,EAAE,GAAI,OAAqD,CAAC,MAAM,EAAE,eAAe,CAAC;gBAC1F,IAAI,OAAO,EAAE,KAAK,QAAQ;oBAAE,qBAAqB,GAAG,EAAE,CAAC;YACzD,CAAC;YAAC,MAAM,CAAC;gBACP,iEAAiE;YACnE,CAAC;YACD,OAAO,cAAc,CAAC,OAAO,EAAE,KAAK,CAAsC,CAAC;QAC7E,CAAC,CACF,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,MAAM,qBAAqB,GAAG,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;IAC1D,MAAM,CAAC,MAAM,CAAC,aAAa,GAAG,GAAG,EAAE;QACjC,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,qBAAqB,EAAE,CAAC;QACnD,IAAI,EAAE,EAAE,CAAC;YACP,gBAAgB,GAAG;gBACjB,IAAI,EAAE,EAAE,CAAC,IAAI;gBACb,OAAO,EAAE,EAAE,CAAC,OAAO;gBACnB,KAAK,EAAG,EAAyB,CAAC,KAAK;gBACvC,YAAY,EAAE,IAA2C;aAC1D,CAAC;QACJ,CAAC;QACD,IAAI,qBAAqB;YAAE,qBAAqB,EAAE,CAAC;IACrD,CAAC,CAAC;IAEF,wEAAwE;IACxE,0EAA0E;IAC1E,0EAA0E;IAC1E,yDAAyD;IACzD,MAAM,aAAa,GAAG,MAAM,CAAC,MAE5B,CAAC;IACF,MAAM,cAAc,GAAmB;QACrC,WAAW,EAAE,aAAa,CAAC,WAAW,EAAE,IAAI;QAC5C,cAAc,EAAE,aAAa,CAAC,WAAW,EAAE,OAAO;QAClD,WAAW,EAAE,WAAW;KACzB,CAAC;IAEF,4EAA4E;IAC5E,4EAA4E;IAC5E,qDAAqD;IACrD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC;IAEnC;;8DAE0D;IAC1D,SAAS,oBAAoB,CAC3B,OAAqB,EACrB,KAA6B;QAE7B,OAAO,CAAC,YAAY,KAAK,KAAK,CAAC,SAAS,IAAI,OAAO,CAAC;QACpD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;QACzD,CAAC;QACD,OAAO,CAAC,UAAU,KAAK,gBAAgB,CAAC;QACxC,OAAO,CAAC,eAAe,KAAK,qBAAqB,CAAC;QAElD,MAAM,KAAK,GAA2B;YACpC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,cAAc,EAAE,OAAO,CAAC,YAAY,IAAI,SAAS;SAClD,CAAC;QACF,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,KAAK,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5C,KAAK,CAAC,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;YAClD,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK;gBAAE,KAAK,CAAC,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;YAC5E,IAAI,OAAO,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;gBACpC,KAAK,CAAC,mBAAmB,GAAG,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC;YAC9D,CAAC;QACH,CAAC;QACD,IAAI,OAAO,CAAC,eAAe;YAAE,KAAK,CAAC,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;QAE9E,OAAO;YACL,KAAK;YACL,UAAU,EAAE,cAAc;YAC1B,IAAI,EAAE,cAAc;SACrB,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,MAAM,CAAC,YAAY,CACjB,kBAAkB,EAClB,EAAE,WAAW,EAAE,kBAAkB,EAAE,EACnC,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,CAAC,GAAG,KAA+B,CAAC;QAC1C,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,SAAS,IAAI,OAAO,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,oBAAoB,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YACvD,OAAO,CAAC,kBAAkB,GAAG,SAAS,CAAC,YAAY,CAAC;YACpD,OAAO,QAAQ,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,OAAO,CAAC,8BAA8B,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC,CACF,CAAC;IAEF,gDAAgD;IAChD,MAAM,CAAC,YAAY,CACjB,qBAAqB,EACrB;QACE,WAAW,EAAE,qBAAqB;QAClC,WAAW,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE;KAC5D,EACD,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE;QACpB,MAAM,OAAO,GAAG,UAAU,CAAE,KAAgC,CAAC,SAAS,IAAI,OAAO,CAAC,CAAC;QACnF,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAChC,OAAO,QAAQ,CAAC;gBACd,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,qBAAqB;gBAC5B,OAAO,EAAE,6BAA6B,kBAAkB,SAAS;aAClE,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAuD,CAAC;QAC5D,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,SAAS,CAAC,aAAa,CACpC,OAAO,CAAC,kBAAkB,EAC1B,IAAI,CAAC,OAAkC,CACxC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;YAClC,IAAI,GAAG,YAAY,YAAY,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,mBAAmB,EAAE,CAAC;gBAC1E,OAAO,QAAQ,CAAC;oBACd,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,mBAAmB;oBAC1B,OAAO,EAAE,2BAA2B,kBAAkB,sBAAsB;iBAC7E,CAAC,CAAC;YACL,CAAC;YACD,IAAI,GAAG,YAAY,YAAY,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACzE,4EAA4E;gBAC5E,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;oBACvB,YAAY,CAAC,OAAO,CAAC,CAAC;oBACtB,OAAO,QAAQ,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,gDAAgD,EAAE,CAAC,CAAC;gBACjG,CAAC;gBACD,OAAO,QAAQ,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,qBAAqB,EAAE,CAAC,CAAC;YACvF,CAAC;YACD,yBAAyB;YACzB,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;gBAC3B,YAAY,CAAC,OAAO,CAAC,CAAC;gBACtB,OAAO,QAAQ,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,4DAA4D,EAAE,CAAC,CAAC;YAC7G,CAAC;YACD,OAAO,OAAO,CACZ,uIAAuI,MAAM,CAAC,GAAG,CAAC,GAAG,CACtJ,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;QAElC,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACjD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAyB,CAAC;gBAC7C,IAAI,CAAC,GAAG;oBAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;gBACpD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC3C,IAAI,CAAC,MAAM;oBAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,GAAG,EAAE,CAAC,CAAC;gBACvD,2EAA2E;gBAC3E,4EAA4E;gBAC5E,0DAA0D;gBAC1D,MAAM,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,CAAC,CAAC;gBAC5D,yFAAyF;gBACzF,OAAO,CAAC,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,GAAG,CAA4B,CAAC;YACxE,CAAC;YAAC,OAAO,MAAM,EAAE,CAAC;gBAChB,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;oBACvB,YAAY,CAAC,OAAO,CAAC,CAAC;oBACtB,OAAO,QAAQ,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,+CAA+C,EAAE,CAAC,CAAC;gBAChG,CAAC;gBACD,OAAO,QAAQ,CAAC;oBACd,QAAQ,EAAE,KAAK;oBACf,OAAO,EAAE,sCAAsC,MAAM,CAAC,MAAM,CAAC,EAAE;iBAChE,CAAC,CAAC;YACL,CAAC;YACD,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,OAAO,QAAQ,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,0DAA0D,EAAE,CAAC,CAAC;QAC3G,CAAC;QAED,wCAAwC;QACxC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,OAAO,QAAQ,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,kEAAkE,EAAE,CAAC,CAAC;QACnH,CAAC;QACD,OAAO,QAAQ,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,6DAA6D,EAAE,CAAC,CAAC;IAC/G,CAAC,CACF,CAAC;IAEF,wFAAwF;IACxF,SAAS,eAAe,CAAC,QAAsC;QAC7D,OAAO,UAAU,GAAG,QAAmB;YACrC,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAW,CAAC;YAEnC,qEAAqE;YACrE,IAAI,IAAI,KAAK,kBAAkB,IAAI,IAAI,KAAK,qBAAqB,EAAE,CAAC;gBAClE,OAAO,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACnD,CAAC;YAED,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;YAC5B,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACnD,CAAC;YAED,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YAChC,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAA+C,CAAC;YAC7E,MAAM,MAAM,GAAW,eAAe,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAErD,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,EAAE,GAAG,MAAiB,EAAE,EAAE;gBAC7C,6EAA6E;gBAC7E,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAA2B,CAAC;gBAClE,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,EAAE,SAAS,IAAI,OAAO,CAAC,CAAC;gBACxD,mEAAmE;gBACnE,oEAAoE;gBACpE,+DAA+D;gBAC/D,MAAM,IAAI,GAAG,oBAAoB,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;gBAExD,IAAI,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;oBACnC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,GAAG,MAAM,CAAC,CAAC;oBACzC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;oBAC/B,OAAO,MAAM,CAAC;gBAChB,CAAC;gBAED,IAAI,eAAe,EAAE,CAAC;oBACpB,IAAI,CAAC;wBACH,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;wBACvD,OAAO,CAAC,kBAAkB,GAAG,SAAS,CAAC,YAAY,CAAC;wBACpD,OAAO,OAAO,CACZ,oEAAoE,qBAAqB,6CAA6C;4BACpI,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,CAC9C,CAAC;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,UAAU,KAAK,OAAO;4BAAE,OAAO,QAAQ,CAAC,GAAG,MAAM,CAAC,CAAC;wBACvD,OAAO,OAAO,CACZ,oIAAoI,CACrI,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,OAAO,OAAO,CACZ,qCAAqC,kBAAkB,gCAAgC,qBAAqB,2CAA2C,CACxJ,CAAC;YACJ,CAAC,CAAC;YAEF,OAAO,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,KAAK,CAAC,MAAM,EAAE;QAChC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ;YACxB,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;gBAC5B,OAAO,eAAe,CAAC,MAAM,CAAC,YAA4C,CAAC,CAAC;YAC9E,CAAC;YACD,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,OAAO,eAAe,CAAC,MAAM,CAAC,IAAoC,CAAC,CAAC;YACtE,CAAC;YACD,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC7C,CAAC;KACF,CAAC,CAAC;IACH,4EAA4E;IAC5E,mDAAmD;IACnD,cAAc,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAClC,cAAc,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACnC,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/router-static.d.ts

@@ -0,0 +1,13 @@
+import type { IVpsRouter, RoutingTarget } from './types.js';
+/** Used when the SDK consumer passes an explicit `vpsUrl` (or accepts the
+ *  default `https://api.fdkey.com`). Bypasses all discovery and probing —
+ *  fetch uses its default DNS resolution against whatever hostname (or IP)
+ *  is in the URL. No `dispatcher` is set, so this works on every runtime
+ *  that has a global `fetch` (Node 18+, Cloudflare Workers, Bun, Deno). */
+export declare class StaticRouter implements IVpsRouter {
+    private readonly url;
+    constructor(url: string);
+    getTarget(): Promise<RoutingTarget>;
+    recordFailure(_ip: string | undefined): void;
+}
+//# sourceMappingURL=router-static.d.ts.map

package/dist/router-static.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router-static.d.ts","sourceRoot":"","sources":["../src/router-static.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE5D;;;;2EAI2E;AAC3E,qBAAa,YAAa,YAAW,UAAU;IACjC,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,MAAM;IAClC,SAAS,IAAI,OAAO,CAAC,aAAa,CAAC;IAGzC,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI;CAC7C"}

package/dist/router-static.js

@@ -0,0 +1,16 @@
+/** Used when the SDK consumer passes an explicit `vpsUrl` (or accepts the
+ *  default `https://api.fdkey.com`). Bypasses all discovery and probing —
+ *  fetch uses its default DNS resolution against whatever hostname (or IP)
+ *  is in the URL. No `dispatcher` is set, so this works on every runtime
+ *  that has a global `fetch` (Node 18+, Cloudflare Workers, Bun, Deno). */
+export class StaticRouter {
+    url;
+    constructor(url) {
+        this.url = url;
+    }
+    async getTarget() {
+        return { url: this.url };
+    }
+    recordFailure(_ip) { }
+}
+//# sourceMappingURL=router-static.js.map

package/dist/router-static.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router-static.js","sourceRoot":"","sources":["../src/router-static.ts"],"names":[],"mappings":"AAEA;;;;2EAI2E;AAC3E,MAAM,OAAO,YAAY;IACM;IAA7B,YAA6B,GAAW;QAAX,QAAG,GAAH,GAAG,CAAQ;IAAG,CAAC;IAC5C,KAAK,CAAC,SAAS;QACb,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;IAC3B,CAAC;IACD,aAAa,CAAC,GAAuB,IAAS,CAAC;CAChD"}

package/dist/session-store.d.ts

@@ -0,0 +1,45 @@
+import type { SessionState } from './types.js';
+/** Drop sessions that have been idle this long. One hour is comfortably
+ *  longer than the default JWT lifetime (~5 min) plus typical agent
+ *  retry/backoff windows, so an active session is never evicted while
+ *  it could legitimately make another call. */
+export declare const SESSION_IDLE_TTL_MS: number;
+/** Hard cap on the per-server session map. Hit this only on pathological
+ *  burst traffic — even at this size the eviction is O(1) thanks to the
+ *  JS Map's preserved-insertion-order semantics. */
+export declare const MAX_SESSIONS = 10000;
+export interface SessionStore {
+    /** Get-or-create the session for `id`, sliding the LRU position to the
+     *  tail. Opportunistically evicts one stale (TTL-expired) entry per
+     *  miss, and force-evicts the LRU when at the size cap. */
+    get(id: string): SessionState;
+    /** Number of currently-live sessions. Test-only convenience. */
+    size(): number;
+    /** Read-only access to a session without sliding LRU position. Returns
+     *  undefined if the session doesn't exist. Used by `getFdkeyContext` so
+     *  reading verification context doesn't extend a session's lifetime. */
+    peek(id: string): SessionState | undefined;
+}
+/** Bounded session store. Memory is bounded by `maxSize` (the hard guarantee).
+ *  Two eviction policies cooperate:
+ *
+ *    1. **TTL sweep on miss.** When a brand-new session arrives, the head
+ *       of the map (always the LRU by insertion-order) is checked: if it
+ *       has been idle longer than `idleTtlMs`, it's dropped. Sweep is
+ *       O(1) per miss and only fires on misses — a busy session with
+ *       many hits doesn't trigger it. This means stale entries can sit
+ *       in the map longer than `idleTtlMs` if the server only ever sees
+ *       hits; they're dropped opportunistically as new sessions arrive.
+ *
+ *    2. **LRU cap on insert.** When `sessions.size === maxSize`, the head
+ *       (LRU) entry is force-dropped to make room — regardless of age.
+ *       O(1) thanks to the JS Map's preserved-insertion-order semantics.
+ *       This is the actual memory bound: maps NEVER exceed `maxSize`.
+ *
+ *  Net guarantee: long-lived MCP servers stay capped at `maxSize` entries
+ *  (default 10k × ~200 bytes ≈ 2 MB) regardless of transport-level
+ *  disconnect signals. Idle entries below the cap may linger past their
+ *  TTL until pressure forces them out — that's acceptable because the
+ *  cap itself is the safety property. */
+export declare function createSessionStore(maxSize?: number, idleTtlMs?: number, now?: () => number): SessionStore;
+//# sourceMappingURL=session-store.d.ts.map

package/dist/session-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../src/session-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C;;;+CAG+C;AAC/C,eAAO,MAAM,mBAAmB,QAAiB,CAAC;AAClD;;oDAEoD;AACpD,eAAO,MAAM,YAAY,QAAS,CAAC;AAEnC,MAAM,WAAW,YAAY;IAC3B;;+DAE2D;IAC3D,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,YAAY,CAAC;IAC9B,gEAAgE;IAChE,IAAI,IAAI,MAAM,CAAC;IACf;;4EAEwE;IACxE,IAAI,CAAC,EAAE,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS,CAAC;CAC5C;AAED;;;;;;;;;;;;;;;;;;;;yCAoByC;AACzC,wBAAgB,kBAAkB,CAChC,OAAO,GAAE,MAAqB,EAC9B,SAAS,GAAE,MAA4B,EACvC,GAAG,GAAE,MAAM,MAAiB,GAC3B,YAAY,CAwCd"}

package/dist/session-store.js

@@ -0,0 +1,71 @@
+import { newSession } from './guard.js';
+/** Drop sessions that have been idle this long. One hour is comfortably
+ *  longer than the default JWT lifetime (~5 min) plus typical agent
+ *  retry/backoff windows, so an active session is never evicted while
+ *  it could legitimately make another call. */
+export const SESSION_IDLE_TTL_MS = 60 * 60 * 1000;
+/** Hard cap on the per-server session map. Hit this only on pathological
+ *  burst traffic — even at this size the eviction is O(1) thanks to the
+ *  JS Map's preserved-insertion-order semantics. */
+export const MAX_SESSIONS = 10_000;
+/** Bounded session store. Memory is bounded by `maxSize` (the hard guarantee).
+ *  Two eviction policies cooperate:
+ *
+ *    1. **TTL sweep on miss.** When a brand-new session arrives, the head
+ *       of the map (always the LRU by insertion-order) is checked: if it
+ *       has been idle longer than `idleTtlMs`, it's dropped. Sweep is
+ *       O(1) per miss and only fires on misses — a busy session with
+ *       many hits doesn't trigger it. This means stale entries can sit
+ *       in the map longer than `idleTtlMs` if the server only ever sees
+ *       hits; they're dropped opportunistically as new sessions arrive.
+ *
+ *    2. **LRU cap on insert.** When `sessions.size === maxSize`, the head
+ *       (LRU) entry is force-dropped to make room — regardless of age.
+ *       O(1) thanks to the JS Map's preserved-insertion-order semantics.
+ *       This is the actual memory bound: maps NEVER exceed `maxSize`.
+ *
+ *  Net guarantee: long-lived MCP servers stay capped at `maxSize` entries
+ *  (default 10k × ~200 bytes ≈ 2 MB) regardless of transport-level
+ *  disconnect signals. Idle entries below the cap may linger past their
+ *  TTL until pressure forces them out — that's acceptable because the
+ *  cap itself is the safety property. */
+export function createSessionStore(maxSize = MAX_SESSIONS, idleTtlMs = SESSION_IDLE_TTL_MS, now = Date.now) {
+    const sessions = new Map();
+    return {
+        get(id) {
+            const t = now();
+            const existing = sessions.get(id);
+            if (existing) {
+                // Slide to the tail of the LRU order: delete + re-insert is O(1).
+                sessions.delete(id);
+                existing.lastTouchedAt = t;
+                sessions.set(id, existing);
+                return existing;
+            }
+            // Miss → opportunistic TTL sweep of the head, then enforce the cap.
+            const head = sessions.keys().next().value;
+            if (head !== undefined) {
+                const headSession = sessions.get(head);
+                if (headSession && t - headSession.lastTouchedAt > idleTtlMs) {
+                    sessions.delete(head);
+                }
+            }
+            if (sessions.size >= maxSize) {
+                const lruKey = sessions.keys().next().value;
+                if (lruKey !== undefined)
+                    sessions.delete(lruKey);
+            }
+            const fresh = newSession();
+            fresh.lastTouchedAt = t;
+            sessions.set(id, fresh);
+            return fresh;
+        },
+        peek(id) {
+            return sessions.get(id);
+        },
+        size() {
+            return sessions.size;
+        },
+    };
+}
+//# sourceMappingURL=session-store.js.map

package/dist/session-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.js","sourceRoot":"","sources":["../src/session-store.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC;;;+CAG+C;AAC/C,MAAM,CAAC,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAClD;;oDAEoD;AACpD,MAAM,CAAC,MAAM,YAAY,GAAG,MAAM,CAAC;AAenC;;;;;;;;;;;;;;;;;;;;yCAoByC;AACzC,MAAM,UAAU,kBAAkB,CAChC,UAAkB,YAAY,EAC9B,YAAoB,mBAAmB,EACvC,MAAoB,IAAI,CAAC,GAAG;IAE5B,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAwB,CAAC;IAEjD,OAAO;QACL,GAAG,CAAC,EAAU;YACZ,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;YAChB,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,QAAQ,EAAE,CAAC;gBACb,kEAAkE;gBAClE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACpB,QAAQ,CAAC,aAAa,GAAG,CAAC,CAAC;gBAC3B,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC3B,OAAO,QAAQ,CAAC;YAClB,CAAC;YACD,oEAAoE;YACpE,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YAC1C,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACvC,IAAI,WAAW,IAAI,CAAC,GAAG,WAAW,CAAC,aAAa,GAAG,SAAS,EAAE,CAAC;oBAC7D,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBACxB,CAAC;YACH,CAAC;YACD,IAAI,QAAQ,CAAC,IAAI,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;gBAC5C,IAAI,MAAM,KAAK,SAAS;oBAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACpD,CAAC;YACD,MAAM,KAAK,GAAG,UAAU,EAAE,CAAC;YAC3B,KAAK,CAAC,aAAa,GAAG,CAAC,CAAC;YACxB,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YACxB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,EAAU;YACb,OAAO,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC1B,CAAC;QAED,IAAI;YACF,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;KACF,CAAC;AACJ,CAAC"}