@floegence/flowersec-core 0.18.0 → 0.19.0

package/README.md

@@ -1,6 +1,6 @@
 # @floegence/flowersec-core
 
-Flowersec core TypeScript library for building an end-to-end encrypted, multiplexed connection over WebSocket (browser-friendly).
+Flowersec core TypeScript library for building end-to-end encrypted, multiplexed connections over WebSocket in browsers and Node.js.
 
 Status: experimental; not audited.
 
@@ -10,12 +10,13 @@ Status: experimental; not audited.
 npm install @floegence/flowersec-core
 ```
 
-## Usage
+## Recommended usage
 
-Browser (recommended):
+Browser:
 
 ```ts
-import { connectBrowser, requestConnectArtifact } from "@floegence/flowersec-core/browser";
+import { connectBrowser } from "@floegence/flowersec-core/browser";
+import { requestConnectArtifact } from "@floegence/flowersec-core/controlplane";
 
 const artifact = await requestConnectArtifact({
   endpointId: "env_demo",
@@ -26,27 +27,41 @@ await client.ping();
 client.close();
 ```
 
-Node.js (recommended):
+Node.js:
 
 ```ts
-import { connectNode } from "@floegence/flowersec-core/node";
+import { connectNode, createNodeReconnectConfig } from "@floegence/flowersec-core/node";
+import { requestConnectArtifact } from "@floegence/flowersec-core/controlplane";
 
-const artifactEnvelope = await fetch("https://your-app.example/api/flowersec/connect/artifact", {
-  method: "POST",
-  headers: { "content-type": "application/json" },
-  body: JSON.stringify({ endpoint_id: "env_demo" }),
-}).then((r) => r.json());
+const artifact = await requestConnectArtifact({
+  baseUrl: "https://your-app.example/api/flowersec",
+  endpointId: "env_demo",
+});
 
-const client = await connectNode(artifactEnvelope.connect_artifact, {
+const client = await connectNode(artifact, {
   origin: "https://your-app.example",
 });
 await client.ping();
 client.close();
+
+const reconnectConfig = createNodeReconnectConfig({
+  artifactControlplane: {
+    baseUrl: "https://your-app.example/api/flowersec",
+    endpointId: "env_demo",
+  },
+  connect: {
+    origin: "https://your-app.example",
+  },
+});
 ```
 
+Browser `requestConnectArtifact(...)`, `requestEntryConnectArtifact(...)`, and `ControlplaneRequestError` remain available from `@floegence/flowersec-core/browser` as stable aliases.
+
 ## Docs
 
 - Frontend quickstart: `docs/FRONTEND_QUICKSTART.md`
 - Integration guide: `docs/INTEGRATION_GUIDE.md`
 - API surface contract: `docs/API_SURFACE.md`
+- Controlplane artifact fetch: `docs/CONTROLPLANE_ARTIFACT_FETCH.md`
 - Error model: `docs/ERROR_MODEL.md`
+- Migration guide: `docs/V0_19_MIGRATION.md`

package/dist/browser/controlplane.d.ts

@@ -1,40 +1,15 @@
 import { type ChannelInitGrant } from "../facade.js";
-import { type ConnectArtifact } from "../connect/artifact.js";
-type FetchLike = typeof fetch;
-type BaseControlplaneRequestConfig = Readonly<{
-    baseUrl?: string;
+import type { ControlplaneBaseConfig as SharedControlplaneBaseConfig, RequestConnectArtifactInput, RequestEntryConnectArtifactInput } from "../controlplane/request.js";
+export { ControlplaneRequestError, requestConnectArtifact, requestEntryConnectArtifact, } from "../controlplane/request.js";
+type BaseControlplaneRequestConfig = SharedControlplaneBaseConfig & Readonly<{
     endpointId: string;
     payload?: Record<string, unknown>;
-    headers?: HeadersInit;
-    credentials?: RequestCredentials;
-    fetch?: FetchLike;
 }>;
 export type ControlplaneConfig = BaseControlplaneRequestConfig;
 export type EntryControlplaneConfig = BaseControlplaneRequestConfig & Readonly<{
     entryTicket: string;
 }>;
-export type ConnectArtifactRequestConfig = BaseControlplaneRequestConfig & Readonly<{
-    path?: string;
-    correlation?: Readonly<{
-        traceId?: string;
-    }>;
-}>;
-export type EntryConnectArtifactRequestConfig = ConnectArtifactRequestConfig & Readonly<{
-    entryTicket: string;
-}>;
-export declare class ControlplaneRequestError extends Error {
-    readonly status: number;
-    readonly code: string;
-    readonly responseBody: unknown;
-    constructor(args: Readonly<{
-        status: number;
-        message: string;
-        code?: string;
-        responseBody?: unknown;
-    }>);
-}
+export type ConnectArtifactRequestConfig = RequestConnectArtifactInput;
+export type EntryConnectArtifactRequestConfig = RequestEntryConnectArtifactInput;
 export declare function requestChannelGrant(config: ControlplaneConfig): Promise<ChannelInitGrant>;
 export declare function requestEntryChannelGrant(config: EntryControlplaneConfig): Promise<ChannelInitGrant>;
-export declare function requestConnectArtifact(config: ConnectArtifactRequestConfig): Promise<ConnectArtifact>;
-export declare function requestEntryConnectArtifact(config: EntryConnectArtifactRequestConfig): Promise<ConnectArtifact>;
-export {};

package/dist/browser/controlplane.js

@@ -1,24 +1,6 @@
 import { assertChannelInitGrant } from "../facade.js";
-import { assertConnectArtifact } from "../connect/artifact.js";
-export class ControlplaneRequestError extends Error {
-    status;
-    code;
-    responseBody;
-    constructor(args) {
-        super(args.message);
-        this.name = "ControlplaneRequestError";
-        this.status = args.status;
-        this.code = String(args.code ?? "").trim();
-        this.responseBody = args.responseBody;
-    }
-}
-function resolveFetch(fetchImpl) {
-    if (fetchImpl)
-        return fetchImpl;
-    if (typeof globalThis.fetch === "function")
-        return globalThis.fetch.bind(globalThis);
-    throw new Error("global fetch is not available");
-}
+import { requestControlplaneJSON, } from "../controlplane/request.js";
+export { ControlplaneRequestError, requestConnectArtifact, requestEntryConnectArtifact, } from "../controlplane/request.js";
 function buildURL(baseUrl, path) {
     const base = String(baseUrl ?? "").trim();
     if (base === "")
@@ -38,46 +20,7 @@ function buildPayload(endpointId, payload) {
     return out;
 }
 async function requestGrant(url, init) {
-    const runFetch = resolveFetch(init.fetch);
-    const response = await runFetch(url, {
-        ...init,
-        cache: "no-store",
-    });
-    if (!response.ok) {
-        const rawBody = await response.text();
-        const bodyText = String(rawBody ?? "").trim();
-        let responseBody = bodyText;
-        if (bodyText !== "") {
-            try {
-                responseBody = JSON.parse(bodyText);
-            }
-            catch {
-                responseBody = bodyText;
-            }
-        }
-        let message = `Failed to get channel grant: ${response.status}`;
-        let code = "";
-        if (responseBody && typeof responseBody === "object") {
-            const error = responseBody.error;
-            if (error && typeof error === "object") {
-                const nextMessage = String(error.message ?? "").trim();
-                if (nextMessage !== "") {
-                    message = nextMessage;
-                }
-                code = String(error.code ?? "").trim();
-            }
-        }
-        else if (typeof responseBody === "string" && responseBody !== "") {
-            message = responseBody;
-        }
-        throw new ControlplaneRequestError({
-            status: response.status,
-            message,
-            code,
-            responseBody,
-        });
-    }
-    return await response.json();
+    return await requestControlplaneJSON(url, init);
 }
 export async function requestChannelGrant(config) {
     const headers = new Headers(config.headers);
@@ -90,6 +33,7 @@ export async function requestChannelGrant(config) {
         credentials: config.credentials ?? "omit",
         headers,
         body: JSON.stringify(buildPayload(config.endpointId, config.payload)),
+        ...(config.signal === undefined ? {} : { signal: config.signal }),
     }));
     if (!data?.grant_client) {
         throw new Error("Invalid controlplane response: missing `grant_client`");
@@ -112,61 +56,10 @@ export async function requestEntryChannelGrant(config) {
         credentials: config.credentials ?? "omit",
         headers,
         body: JSON.stringify(buildPayload(endpointId, config.payload)),
+        ...(config.signal === undefined ? {} : { signal: config.signal }),
     }));
     if (!data?.grant_client) {
         throw new Error("Invalid controlplane response: missing `grant_client`");
     }
     return assertChannelInitGrant(data.grant_client);
 }
-function buildConnectArtifactPayload(config) {
-    const body = {
-        endpoint_id: String(config.endpointId ?? "").trim(),
-    };
-    if (body.endpoint_id === "")
-        throw new Error("endpointId is required");
-    if (config.payload !== undefined)
-        body.payload = { ...config.payload };
-    const traceId = String(config.correlation?.traceId ?? "").trim();
-    if (traceId !== "") {
-        body.correlation = { trace_id: traceId };
-    }
-    return body;
-}
-export async function requestConnectArtifact(config) {
-    const headers = new Headers(config.headers);
-    if (!headers.has("Content-Type")) {
-        headers.set("Content-Type", "application/json");
-    }
-    const data = (await requestGrant(buildURL(config.baseUrl, config.path ?? "/v1/connect/artifact"), {
-        ...(config.fetch === undefined ? {} : { fetch: config.fetch }),
-        method: "POST",
-        credentials: config.credentials ?? "omit",
-        headers,
-        body: JSON.stringify(buildConnectArtifactPayload(config)),
-    }));
-    if (!data?.connect_artifact) {
-        throw new Error("Invalid controlplane response: missing `connect_artifact`");
-    }
-    return assertConnectArtifact(data.connect_artifact);
-}
-export async function requestEntryConnectArtifact(config) {
-    const entryTicket = String(config.entryTicket ?? "").trim();
-    if (entryTicket === "")
-        throw new Error("entryTicket is required");
-    const headers = new Headers(config.headers);
-    headers.set("Authorization", `Bearer ${entryTicket}`);
-    if (!headers.has("Content-Type")) {
-        headers.set("Content-Type", "application/json");
-    }
-    const data = (await requestGrant(buildURL(config.baseUrl, config.path ?? "/v1/connect/artifact/entry"), {
-        ...(config.fetch === undefined ? {} : { fetch: config.fetch }),
-        method: "POST",
-        credentials: config.credentials ?? "omit",
-        headers,
-        body: JSON.stringify(buildConnectArtifactPayload(config)),
-    }));
-    if (!data?.connect_artifact) {
-        throw new Error("Invalid controlplane response: missing `connect_artifact`");
-    }
-    return assertConnectArtifact(data.connect_artifact);
-}

package/dist/browser/reconnectConfig.d.ts

@@ -3,26 +3,25 @@ import type { ChannelInitGrant } from "../gen/flowersec/controlplane/v1.gen.js";
 import type { DirectConnectInfo } from "../gen/flowersec/direct/v1.gen.js";
 import type { ClientObserverLike } from "../observability/observer.js";
 import type { AutoReconnectConfig, ConnectConfig as ReconnectConnectConfig } from "../reconnect/index.js";
+import { type ArtifactAwareReconnectConfig, type ArtifactFactoryArgs } from "../reconnect/artifactControlplane.js";
+import type { RequestConnectArtifactInput, RequestEntryConnectArtifactInput } from "../controlplane/index.js";
 import type { DirectConnectBrowserOptions, TunnelConnectBrowserOptions } from "./connect.js";
-import { type ConnectArtifactRequestConfig, type ControlplaneConfig, type EntryConnectArtifactRequestConfig } from "./controlplane.js";
+import { type ControlplaneConfig } from "./controlplane.js";
 type SharedReconnectOptions = Readonly<{
     observer?: ClientObserverLike;
     autoReconnect?: AutoReconnectConfig;
 }>;
-type ArtifactFactoryArgs = Readonly<{
-    traceId?: string;
-}>;
 type TunnelReconnectConnectOptions = Omit<TunnelConnectBrowserOptions, "observer" | "signal">;
 type DirectReconnectConnectOptions = Omit<DirectConnectBrowserOptions, "observer" | "signal">;
-type ArtifactAwareTunnelReconnectConfig = Readonly<{
+type ArtifactAwareTunnelReconnectConfig = ArtifactAwareReconnectConfig & Readonly<{
     artifact?: ConnectArtifact;
     getArtifact?: (args: ArtifactFactoryArgs) => Promise<ConnectArtifact>;
-    artifactControlplane?: ConnectArtifactRequestConfig | EntryConnectArtifactRequestConfig;
+    artifactControlplane?: RequestConnectArtifactInput | RequestEntryConnectArtifactInput;
 }>;
-type ArtifactAwareDirectReconnectConfig = Readonly<{
+type ArtifactAwareDirectReconnectConfig = ArtifactAwareReconnectConfig & Readonly<{
     artifact?: ConnectArtifact;
     getArtifact?: (args: ArtifactFactoryArgs) => Promise<ConnectArtifact>;
-    artifactControlplane?: ConnectArtifactRequestConfig | EntryConnectArtifactRequestConfig;
+    artifactControlplane?: RequestConnectArtifactInput | RequestEntryConnectArtifactInput;
 }>;
 export type TunnelBrowserReconnectConfig = SharedReconnectOptions & ArtifactAwareTunnelReconnectConfig & Readonly<{
     mode?: "tunnel";

package/dist/browser/reconnectConfig.js

@@ -1,5 +1,6 @@
+import { resolveConnectArtifact, updateTraceId, } from "../reconnect/artifactControlplane.js";
 import { connectBrowser, connectDirectBrowser, connectTunnelBrowser } from "./connect.js";
-import { requestChannelGrant, requestConnectArtifact, requestEntryConnectArtifact, } from "./controlplane.js";
+import { requestChannelGrant, } from "./controlplane.js";
 async function resolveTunnelGrant(config) {
     if (config.getGrant)
         return await config.getGrant();
@@ -16,32 +17,6 @@ async function resolveDirectInfo(config) {
         return config.directInfo;
     throw new Error("Direct reconnect config requires `getDirectInfo` or `directInfo`");
 }
-async function resolveConnectArtifact(config, traceId) {
-    if (config.getArtifact) {
-        return await config.getArtifact(traceId === undefined ? {} : { traceId });
-    }
-    if (config.artifact)
-        return config.artifact;
-    if (config.artifactControlplane) {
-        const correlation = traceId === undefined
-            ? config.artifactControlplane.correlation
-            : { traceId };
-        if ("entryTicket" in config.artifactControlplane) {
-            return await requestEntryConnectArtifact({
-                ...config.artifactControlplane,
-                ...(correlation === undefined ? {} : { correlation }),
-            });
-        }
-        return await requestConnectArtifact({
-            ...config.artifactControlplane,
-            ...(correlation === undefined ? {} : { correlation }),
-        });
-    }
-    throw new Error("Artifact reconnect config requires `getArtifact`, `artifact`, or `artifactControlplane`");
-}
-function updateTraceId(current, artifact) {
-    return artifact.correlation?.trace_id ?? current;
-}
 export function createTunnelBrowserReconnectConfig(config) {
     let traceId = config.artifact?.correlation?.trace_id;
     return {
@@ -49,7 +24,7 @@ export function createTunnelBrowserReconnectConfig(config) {
         ...(config.autoReconnect === undefined ? {} : { autoReconnect: config.autoReconnect }),
         connectOnce: async ({ signal, observer }) => {
             if (config.getArtifact || config.artifact || config.artifactControlplane) {
-                const artifact = await resolveConnectArtifact(config, traceId);
+                const artifact = await resolveConnectArtifact(config, traceId, signal);
                 if (artifact.transport !== "tunnel") {
                     throw new Error("Tunnel reconnect config requires a tunnel ConnectArtifact");
                 }
@@ -75,7 +50,7 @@ export function createDirectBrowserReconnectConfig(config) {
         ...(config.autoReconnect === undefined ? {} : { autoReconnect: config.autoReconnect }),
         connectOnce: async ({ signal, observer }) => {
             if (config.getArtifact || config.artifact || config.artifactControlplane) {
-                const artifact = await resolveConnectArtifact(config, traceId);
+                const artifact = await resolveConnectArtifact(config, traceId, signal);
                 if (artifact.transport !== "direct") {
                     throw new Error("Direct reconnect config requires a direct ConnectArtifact");
                 }

package/dist/client-connect/tunnelAttachCloseReason.d.ts

@@ -1,3 +1,3 @@
-export declare const tunnelAttachCloseReasons: readonly ["too_many_connections", "expected_attach", "invalid_attach", "invalid_token", "channel_mismatch", "init_exp_mismatch", "idle_timeout_mismatch", "role_mismatch", "token_replay", "replace_rate_limited", "attach_failed", "timeout", "canceled"];
+export declare const tunnelAttachCloseReasons: readonly ["too_many_connections", "expected_attach", "invalid_attach", "invalid_token", "channel_mismatch", "init_exp_mismatch", "idle_timeout_mismatch", "role_mismatch", "token_replay", "tenant_mismatch", "policy_denied", "policy_error", "replace_rate_limited", "attach_failed", "timeout", "canceled"];
 export type TunnelAttachCloseReason = (typeof tunnelAttachCloseReasons)[number];
 export declare function isTunnelAttachCloseReason(v: string | undefined): v is TunnelAttachCloseReason;

package/dist/client-connect/tunnelAttachCloseReason.js

@@ -8,10 +8,13 @@ export const tunnelAttachCloseReasons = [
     "idle_timeout_mismatch",
     "role_mismatch",
     "token_replay",
+    "tenant_mismatch",
+    "policy_denied",
+    "policy_error",
     "replace_rate_limited",
     "attach_failed",
     "timeout",
-    "canceled"
+    "canceled",
 ];
 export function isTunnelAttachCloseReason(v) {
     if (v == null)

package/dist/controlplane/index.d.ts

@@ -0,0 +1,2 @@
+export type { ArtifactRequestCorrelation, ConnectArtifactEnvelope, ControlplaneBaseConfig, ControlplaneErrorEnvelope, RequestConnectArtifactInput, RequestEntryConnectArtifactInput, } from "./request.js";
+export { ControlplaneRequestError, DEFAULT_CONNECT_ARTIFACT_PATH, DEFAULT_ENTRY_CONNECT_ARTIFACT_PATH, requestConnectArtifact, requestEntryConnectArtifact, } from "./request.js";

package/dist/controlplane/index.js

@@ -0,0 +1 @@
+export { ControlplaneRequestError, DEFAULT_CONNECT_ARTIFACT_PATH, DEFAULT_ENTRY_CONNECT_ARTIFACT_PATH, requestConnectArtifact, requestEntryConnectArtifact, } from "./request.js";

package/dist/controlplane/request.d.ts

@@ -0,0 +1,50 @@
+import { type ConnectArtifact } from "../connect/artifact.js";
+type FetchLike = typeof fetch;
+export type ControlplaneBaseConfig = Readonly<{
+    baseUrl?: string;
+    path?: string;
+    headers?: HeadersInit;
+    credentials?: RequestCredentials;
+    fetch?: FetchLike;
+    signal?: AbortSignal;
+}>;
+export type ArtifactRequestCorrelation = Readonly<{
+    traceId?: string;
+}>;
+export type RequestConnectArtifactInput = ControlplaneBaseConfig & Readonly<{
+    endpointId: string;
+    payload?: Record<string, unknown>;
+    correlation?: ArtifactRequestCorrelation;
+}>;
+export type RequestEntryConnectArtifactInput = RequestConnectArtifactInput & Readonly<{
+    entryTicket: string;
+}>;
+export type ConnectArtifactEnvelope = Readonly<{
+    connect_artifact: ConnectArtifact;
+}>;
+export type ControlplaneErrorEnvelope = Readonly<{
+    error: Readonly<{
+        code: string;
+        message: string;
+    }>;
+}>;
+export declare class ControlplaneRequestError extends Error {
+    readonly status: number;
+    readonly code: string;
+    readonly responseBody: unknown;
+    constructor(args: Readonly<{
+        status: number;
+        message: string;
+        code?: string;
+        responseBody?: unknown;
+    }>);
+}
+export declare const DEFAULT_CONNECT_ARTIFACT_PATH = "/v1/connect/artifact";
+export declare const DEFAULT_ENTRY_CONNECT_ARTIFACT_PATH = "/v1/connect/artifact/entry";
+export declare function buildControlplaneURL(baseUrl: string | undefined, path: string): string;
+export declare function requestControlplaneJSON(url: string, init: RequestInit & Readonly<{
+    fetch?: FetchLike;
+}>): Promise<unknown>;
+export declare function requestConnectArtifact(config: RequestConnectArtifactInput): Promise<ConnectArtifact>;
+export declare function requestEntryConnectArtifact(config: RequestEntryConnectArtifactInput): Promise<ConnectArtifact>;
+export {};

package/dist/controlplane/request.js

@@ -0,0 +1,136 @@
+import { assertConnectArtifact } from "../connect/artifact.js";
+export class ControlplaneRequestError extends Error {
+    status;
+    code;
+    responseBody;
+    constructor(args) {
+        super(args.message);
+        this.name = "ControlplaneRequestError";
+        this.status = args.status;
+        this.code = String(args.code ?? "").trim();
+        this.responseBody = args.responseBody;
+    }
+}
+export const DEFAULT_CONNECT_ARTIFACT_PATH = "/v1/connect/artifact";
+export const DEFAULT_ENTRY_CONNECT_ARTIFACT_PATH = "/v1/connect/artifact/entry";
+function resolveFetch(fetchImpl) {
+    if (fetchImpl)
+        return fetchImpl;
+    if (typeof globalThis.fetch === "function")
+        return globalThis.fetch.bind(globalThis);
+    throw new Error("global fetch is not available");
+}
+export function buildControlplaneURL(baseUrl, path) {
+    const base = String(baseUrl ?? "").trim();
+    if (base === "")
+        return path;
+    return `${base.replace(/\/+$/, "")}${path}`;
+}
+function parseMaybeJSON(bodyText) {
+    const trimmed = String(bodyText ?? "").trim();
+    if (trimmed === "")
+        return "";
+    try {
+        return JSON.parse(trimmed);
+    }
+    catch {
+        return trimmed;
+    }
+}
+function decodeErrorMessage(status, responseBody) {
+    let message = `controlplane request failed: ${status}`;
+    let code = "";
+    if (responseBody && typeof responseBody === "object") {
+        const error = responseBody.error;
+        if (error && typeof error === "object") {
+            const nextMessage = String(error.message ?? "").trim();
+            if (nextMessage !== "") {
+                message = nextMessage;
+            }
+            code = String(error.code ?? "").trim();
+        }
+    }
+    else if (typeof responseBody === "string" && responseBody !== "") {
+        message = responseBody;
+    }
+    return { code, message };
+}
+export async function requestControlplaneJSON(url, init) {
+    const runFetch = resolveFetch(init.fetch);
+    const response = await runFetch(url, {
+        ...init,
+        cache: "no-store",
+    });
+    const rawBody = await response.text();
+    const responseBody = parseMaybeJSON(rawBody);
+    if (!response.ok) {
+        const error = decodeErrorMessage(response.status, responseBody);
+        throw new ControlplaneRequestError({
+            status: response.status,
+            message: error.message,
+            code: error.code,
+            responseBody,
+        });
+    }
+    if (typeof responseBody === "string") {
+        if (responseBody === "") {
+            throw new Error("Invalid controlplane response: expected JSON body");
+        }
+        throw new Error("Invalid controlplane response: expected JSON body");
+    }
+    return responseBody;
+}
+function buildConnectArtifactPayload(config) {
+    const body = {
+        endpoint_id: String(config.endpointId ?? "").trim(),
+    };
+    if (body.endpoint_id === "")
+        throw new Error("endpointId is required");
+    if (config.payload !== undefined)
+        body.payload = { ...config.payload };
+    const traceId = String(config.correlation?.traceId ?? "").trim();
+    if (traceId !== "") {
+        body.correlation = { trace_id: traceId };
+    }
+    return body;
+}
+function createJSONHeaders(input) {
+    const headers = new Headers(input);
+    if (!headers.has("Content-Type")) {
+        headers.set("Content-Type", "application/json");
+    }
+    return headers;
+}
+export async function requestConnectArtifact(config) {
+    const data = (await requestControlplaneJSON(buildControlplaneURL(config.baseUrl, config.path ?? DEFAULT_CONNECT_ARTIFACT_PATH), {
+        ...(config.fetch === undefined ? {} : { fetch: config.fetch }),
+        method: "POST",
+        credentials: config.credentials ?? "omit",
+        headers: createJSONHeaders(config.headers),
+        body: JSON.stringify(buildConnectArtifactPayload(config)),
+        ...(config.signal === undefined ? {} : { signal: config.signal }),
+    }));
+    if (!data?.connect_artifact) {
+        throw new Error("Invalid controlplane response: missing `connect_artifact`");
+    }
+    return assertConnectArtifact(data.connect_artifact);
+}
+export async function requestEntryConnectArtifact(config) {
+    const entryTicket = String(config.entryTicket ?? "").trim();
+    if (entryTicket === "")
+        throw new Error("entryTicket is required");
+    const headers = createJSONHeaders(config.headers);
+    headers.set("Authorization", `Bearer ${entryTicket}`);
+    const data = (await requestControlplaneJSON(buildControlplaneURL(config.baseUrl, config.path ?? DEFAULT_ENTRY_CONNECT_ARTIFACT_PATH), {
+        ...(config.fetch === undefined ? {} : { fetch: config.fetch }),
+        method: "POST",
+        credentials: config.credentials ?? "omit",
+        headers,
+        body: JSON.stringify(buildConnectArtifactPayload(config)),
+        ...(config.signal === undefined ? {} : { signal: config.signal }),
+    }));
+    if (!data?.connect_artifact) {
+        throw new Error("Invalid controlplane response: missing `connect_artifact`");
+    }
+    return assertConnectArtifact(data.connect_artifact);
+}

package/dist/e2ee/secureChannel.js

@@ -68,8 +68,6 @@ export class SecureChannel {
     // read resolves with the next plaintext chunk or throws on errors/close.
     async read() {
         while (true) {
-            if (this.readErr != null)
-                throw this.readErr;
             if (this.recvQueueHead < this.recvQueue.length) {
                 const b = this.recvQueue[this.recvQueueHead];
                 this.recvQueueHead++;
@@ -80,6 +78,8 @@ export class SecureChannel {
                 this.recvQueueBytes -= b.length;
                 return b;
             }
+            if (this.readErr != null)
+                throw this.readErr;
             if (this.closed)
                 throw new Error("closed");
             await new Promise((resolve) => this.recvWaiters.push(resolve));
@@ -94,9 +94,6 @@ export class SecureChannel {
         this.rejectQueuedSenders(this.sendErr ?? new Error("closed"));
         this.wakeSendWaiters();
         this.transport.close();
-        this.recvQueue.length = 0;
-        this.recvQueueHead = 0;
-        this.recvQueueBytes = 0;
         const ws = this.recvWaiters;
         this.recvWaiters = [];
         for (const w of ws)

package/dist/node/index.d.ts

@@ -1,4 +1,6 @@
 export { createNodeWsFactory } from "./wsFactory.js";
 export { connectDirectNode, connectNode, connectTunnelNode } from "./connect.js";
+export type { DirectNodeReconnectConfig, NodeReconnectConfig, TunnelNodeReconnectConfig, } from "./reconnectConfig.js";
+export { createDirectNodeReconnectConfig, createNodeReconnectConfig, createTunnelNodeReconnectConfig, } from "./reconnectConfig.js";
 export type { ConnectArtifact, CorrelationContext, CorrelationKV, DirectClientConnectArtifact, ScopeMetadataEntry, TunnelClientConnectArtifact, } from "../connect/artifact.js";
 export { assertConnectArtifact } from "../connect/artifact.js";

package/dist/node/index.js

@@ -1,3 +1,4 @@
 export { createNodeWsFactory } from "./wsFactory.js";
 export { connectDirectNode, connectNode, connectTunnelNode } from "./connect.js";
+export { createDirectNodeReconnectConfig, createNodeReconnectConfig, createTunnelNodeReconnectConfig, } from "./reconnectConfig.js";
 export { assertConnectArtifact } from "../connect/artifact.js";

package/dist/node/reconnectConfig.d.ts

@@ -0,0 +1,42 @@
+import type { ConnectArtifact } from "../connect/artifact.js";
+import type { ChannelInitGrant } from "../gen/flowersec/controlplane/v1.gen.js";
+import type { DirectConnectInfo } from "../gen/flowersec/direct/v1.gen.js";
+import type { ClientObserverLike } from "../observability/observer.js";
+import type { DirectConnectOptions } from "../direct-client/connect.js";
+import type { TunnelConnectOptions } from "../tunnel-client/connect.js";
+import type { AutoReconnectConfig, ConnectConfig as ReconnectConnectConfig } from "../reconnect/index.js";
+import { type ArtifactAwareReconnectConfig, type ArtifactFactoryArgs } from "../reconnect/artifactControlplane.js";
+import type { RequestConnectArtifactInput, RequestEntryConnectArtifactInput } from "../controlplane/index.js";
+type SharedReconnectOptions = Readonly<{
+    observer?: ClientObserverLike;
+    autoReconnect?: AutoReconnectConfig;
+}>;
+type TunnelReconnectConnectOptions = Omit<TunnelConnectOptions, "observer" | "signal">;
+type DirectReconnectConnectOptions = Omit<DirectConnectOptions, "observer" | "signal">;
+type ArtifactAwareTunnelReconnectConfig = ArtifactAwareReconnectConfig & Readonly<{
+    artifact?: ConnectArtifact;
+    getArtifact?: (args: ArtifactFactoryArgs) => Promise<ConnectArtifact>;
+    artifactControlplane?: RequestConnectArtifactInput | RequestEntryConnectArtifactInput;
+}>;
+type ArtifactAwareDirectReconnectConfig = ArtifactAwareReconnectConfig & Readonly<{
+    artifact?: ConnectArtifact;
+    getArtifact?: (args: ArtifactFactoryArgs) => Promise<ConnectArtifact>;
+    artifactControlplane?: RequestConnectArtifactInput | RequestEntryConnectArtifactInput;
+}>;
+export type TunnelNodeReconnectConfig = SharedReconnectOptions & ArtifactAwareTunnelReconnectConfig & Readonly<{
+    mode?: "tunnel";
+    connect?: TunnelReconnectConnectOptions;
+    grant?: ChannelInitGrant;
+    getGrant?: () => Promise<ChannelInitGrant>;
+}>;
+export type DirectNodeReconnectConfig = SharedReconnectOptions & ArtifactAwareDirectReconnectConfig & Readonly<{
+    mode: "direct";
+    connect?: DirectReconnectConnectOptions;
+    directInfo?: DirectConnectInfo;
+    getDirectInfo?: () => Promise<DirectConnectInfo>;
+}>;
+export type NodeReconnectConfig = TunnelNodeReconnectConfig | DirectNodeReconnectConfig;
+export declare function createTunnelNodeReconnectConfig(config: TunnelNodeReconnectConfig): ReconnectConnectConfig;
+export declare function createDirectNodeReconnectConfig(config: DirectNodeReconnectConfig): ReconnectConnectConfig;
+export declare function createNodeReconnectConfig(config: NodeReconnectConfig): ReconnectConnectConfig;
+export {};