npm - @groundnuty/macf-channel-server - Versions diffs - 0.2.0-rc.0 - Mend

@groundnuty/macf-channel-server 0.2.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/dist/collision.d.ts +25 -0
package/dist/collision.d.ts.map +1 -0
package/dist/collision.js +94 -0
package/dist/collision.js.map +1 -0
package/dist/health.d.ts +3 -0
package/dist/health.d.ts.map +1 -0
package/dist/health.js +33 -0
package/dist/health.js.map +1 -0
package/dist/https.d.ts +25 -0
package/dist/https.d.ts.map +1 -0
package/dist/https.js +361 -0
package/dist/https.js.map +1 -0
package/dist/index.d.ts +29 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +25 -0
package/dist/index.js.map +1 -0
package/dist/mcp.d.ts +6 -0
package/dist/mcp.d.ts.map +1 -0
package/dist/mcp.js +43 -0
package/dist/mcp.js.map +1 -0
package/dist/notify-formatter.d.ts +19 -0
package/dist/notify-formatter.d.ts.map +1 -0
package/dist/notify-formatter.js +43 -0
package/dist/notify-formatter.js.map +1 -0
package/dist/otel.d.ts +59 -0
package/dist/otel.d.ts.map +1 -0
package/dist/otel.js +122 -0
package/dist/otel.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +256 -0
package/dist/server.js.map +1 -0
package/dist/shutdown.d.ts +15 -0
package/dist/shutdown.d.ts.map +1 -0
package/dist/shutdown.js +53 -0
package/dist/shutdown.js.map +1 -0
package/dist/startup-issues.d.ts +24 -0
package/dist/startup-issues.d.ts.map +1 -0
package/dist/startup-issues.js +75 -0
package/dist/startup-issues.js.map +1 -0
package/dist/tmux-wake.d.ts +106 -0
package/dist/tmux-wake.d.ts.map +1 -0
package/dist/tmux-wake.js +196 -0
package/dist/tmux-wake.js.map +1 -0
package/dist/tracing.d.ts +38 -0
package/dist/tracing.d.ts.map +1 -0
package/dist/tracing.js +68 -0
package/dist/tracing.js.map +1 -0
package/package.json +46 -0

package/dist/collision.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import type { AgentInfo, Registry } from '@groundnuty/macf-core';
+import type { Logger } from '@groundnuty/macf-core';
+import { MacfError } from '@groundnuty/macf-core';
+export declare class CollisionError extends MacfError {
+    constructor(name: string, host: string, port: number);
+}
+export type CollisionResult = {
+    readonly action: 'register';
+} | {
+    readonly action: 'takeover';
+    readonly previous: AgentInfo;
+} | {
+    readonly action: 'abort';
+    readonly existing: AgentInfo;
+};
+/**
+ * Check if an agent is already registered and alive.
+ * Returns the action to take: register (fresh), takeover (dead), or abort (alive).
+ */
+export declare function checkCollision(name: string, registry: Registry, certPaths: {
+    readonly caCertPath: string;
+    readonly agentCertPath: string;
+    readonly agentKeyPath: string;
+}, logger: Logger): Promise<CollisionResult>;
+//# sourceMappingURL=collision.d.ts.map

package/dist/collision.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"collision.d.ts","sourceRoot":"","sources":["../src/collision.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAElD,qBAAa,cAAe,SAAQ,SAAS;gBAC/B,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;CAQrD;AAgED,MAAM,MAAM,eAAe,GACvB;IAAE,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAA;CAAE,GAC/B;IAAE,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAA;CAAE,GAC7D;IAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAA;CAAE,CAAC;AAE/D;;;GAGG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,QAAQ,EAClB,SAAS,EAAE;IACT,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B,EACD,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CAwC1B"}

package/dist/collision.js ADDED Viewed

@@ -0,0 +1,94 @@
+import { request } from 'node:https';
+import { readFileSync } from 'node:fs';
+import { MacfError } from '@groundnuty/macf-core';
+export class CollisionError extends MacfError {
+    constructor(name, host, port) {
+        super('AGENT_COLLISION', `Agent '${name}' is already running at ${host}:${port}. ` +
+            'Stop the existing agent before starting another.');
+        this.name = 'CollisionError';
+    }
+}
+const HEALTH_PING_TIMEOUT_MS = 5000;
+/**
+ * Ping an agent's /health endpoint via mTLS.
+ * Returns true if the agent responds, false if unreachable.
+ */
+function pingHealth(host, port, caCertPath, agentCertPath, agentKeyPath, timeoutMs = HEALTH_PING_TIMEOUT_MS) {
+    // readFileSync on missing/unreadable cert files throws ENOENT/EACCES
+    // as raw Node errors with no descriptive context. During a cert-
+    // rotation race at startup, the agent cert/key files may be
+    // momentarily absent — without this guard the error propagates as
+    // an unhandled rejection up through main() and crashes startup.
+    // Treat any read error the same way we treat network errors: the
+    // peer is effectively unreachable for the purpose of the collision
+    // check. Ultrareview finding H3.
+    let ca;
+    let cert;
+    let key;
+    try {
+        ca = readFileSync(caCertPath);
+        cert = readFileSync(agentCertPath);
+        key = readFileSync(agentKeyPath);
+    }
+    catch {
+        return Promise.resolve(false);
+    }
+    return new Promise((resolve) => {
+        const req = request({
+            hostname: host,
+            port,
+            method: 'GET',
+            path: '/health',
+            ca,
+            cert,
+            key,
+            rejectUnauthorized: true,
+            timeout: timeoutMs,
+        }, (res) => {
+            // Any 2xx response means the agent is alive
+            resolve(res.statusCode !== undefined && res.statusCode >= 200 && res.statusCode < 300);
+            res.resume(); // drain response
+        });
+        req.on('error', () => resolve(false));
+        req.on('timeout', () => {
+            req.destroy();
+            resolve(false);
+        });
+        req.end();
+    });
+}
+/**
+ * Check if an agent is already registered and alive.
+ * Returns the action to take: register (fresh), takeover (dead), or abort (alive).
+ */
+export async function checkCollision(name, registry, certPaths, logger) {
+    const existing = await registry.get(name);
+    if (existing === null) {
+        logger.info('collision_check', { result: 'fresh', agent: name });
+        return { action: 'register' };
+    }
+    logger.info('collision_check', {
+        result: 'variable_exists',
+        agent: name,
+        host: existing.host,
+        port: existing.port,
+        instance_id: existing.instance_id,
+    });
+    const alive = await pingHealth(existing.host, existing.port, certPaths.caCertPath, certPaths.agentCertPath, certPaths.agentKeyPath);
+    if (alive) {
+        logger.warn('collision_check', {
+            result: 'abort',
+            agent: name,
+            host: existing.host,
+            port: existing.port,
+        });
+        return { action: 'abort', existing };
+    }
+    logger.info('collision_check', {
+        result: 'takeover',
+        agent: name,
+        previous_instance: existing.instance_id,
+    });
+    return { action: 'takeover', previous: existing };
+}
+//# sourceMappingURL=collision.js.map

package/dist/collision.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"collision.js","sourceRoot":"","sources":["../src/collision.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAGvC,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAElD,MAAM,OAAO,cAAe,SAAQ,SAAS;IAC3C,YAAY,IAAY,EAAE,IAAY,EAAE,IAAY;QAClD,KAAK,CACH,iBAAiB,EACjB,UAAU,IAAI,2BAA2B,IAAI,IAAI,IAAI,IAAI;YACzD,kDAAkD,CACnD,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED,MAAM,sBAAsB,GAAG,IAAI,CAAC;AAEpC;;;GAGG;AACH,SAAS,UAAU,CACjB,IAAY,EACZ,IAAY,EACZ,UAAkB,EAClB,aAAqB,EACrB,YAAoB,EACpB,YAAoB,sBAAsB;IAE1C,qEAAqE;IACrE,iEAAiE;IACjE,4DAA4D;IAC5D,kEAAkE;IAClE,gEAAgE;IAChE,iEAAiE;IACjE,mEAAmE;IACnE,iCAAiC;IACjC,IAAI,EAAU,CAAC;IACf,IAAI,IAAY,CAAC;IACjB,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,EAAE,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;QAC9B,IAAI,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;QACnC,GAAG,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,GAAG,GAAG,OAAO,CACjB;YACE,QAAQ,EAAE,IAAI;YACd,IAAI;YACJ,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,SAAS;YACf,EAAE;YACF,IAAI;YACJ,GAAG;YACH,kBAAkB,EAAE,IAAI;YACxB,OAAO,EAAE,SAAS;SACnB,EACD,CAAC,GAAG,EAAE,EAAE;YACN,4CAA4C;YAC5C,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,SAAS,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC;YACvF,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,iBAAiB;QACjC,CAAC,CACF,CAAC;QAEF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACtC,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACrB,GAAG,CAAC,OAAO,EAAE,CAAC;YACd,OAAO,CAAC,KAAK,CAAC,CAAC;QACjB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAOD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,QAAkB,EAClB,SAIC,EACD,MAAc;IAEd,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAE1C,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAChC,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE;QAC7B,MAAM,EAAE,iBAAiB;QACzB,KAAK,EAAE,IAAI;QACX,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;KAClC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,MAAM,UAAU,CAC5B,QAAQ,CAAC,IAAI,EACb,QAAQ,CAAC,IAAI,EACb,SAAS,CAAC,UAAU,EACpB,SAAS,CAAC,aAAa,EACvB,SAAS,CAAC,YAAY,CACvB,CAAC;IAEF,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE;YAC7B,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,IAAI;YACX,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,IAAI,EAAE,QAAQ,CAAC,IAAI;SACpB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;IACvC,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE;QAC7B,MAAM,EAAE,UAAU;QAClB,KAAK,EAAE,IAAI;QACX,iBAAiB,EAAE,QAAQ,CAAC,WAAW;KACxC,CAAC,CAAC;IACH,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;AACpD,CAAC"}

package/dist/health.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { HealthState } from '@groundnuty/macf-core';
+export declare function createHealthState(agentName: string, agentType: string): HealthState;
+//# sourceMappingURL=health.d.ts.map

package/dist/health.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../src/health.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAkB,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAQzE,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,WAAW,CA4BnF"}

package/dist/health.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+function readVersion() {
+    const pkgPath = resolve(import.meta.dirname, '..', 'package.json');
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return pkg.version;
+}
+export function createHealthState(agentName, agentType) {
+    const version = readVersion();
+    const startTime = Date.now();
+    let currentIssue = null;
+    let lastNotification = null;
+    return {
+        getHealth() {
+            return {
+                agent: agentName,
+                status: 'online',
+                type: agentType,
+                uptime_seconds: Math.floor((Date.now() - startTime) / 1000),
+                current_issue: currentIssue,
+                version,
+                last_notification: lastNotification,
+            };
+        },
+        setCurrentIssue(issueNumber) {
+            currentIssue = issueNumber;
+        },
+        recordNotification() {
+            lastNotification = new Date().toISOString();
+        },
+    };
+}
+//# sourceMappingURL=health.js.map

package/dist/health.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"health.js","sourceRoot":"","sources":["../src/health.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC,SAAS,WAAW;IAClB,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IACnE,MAAM,GAAG,GAAwB,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;IAC5E,OAAO,GAAG,CAAC,OAAO,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,SAAiB,EAAE,SAAiB;IACpE,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,YAAY,GAAkB,IAAI,CAAC;IACvC,IAAI,gBAAgB,GAAkB,IAAI,CAAC;IAE3C,OAAO;QACL,SAAS;YACP,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,QAAQ;gBAChB,IAAI,EAAE,SAAS;gBACf,cAAc,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC;gBAC3D,aAAa,EAAE,YAAY;gBAC3B,OAAO;gBACP,iBAAiB,EAAE,gBAAgB;aACpC,CAAC;QACJ,CAAC;QAED,eAAe,CAAC,WAA0B;YACxC,YAAY,GAAG,WAAW,CAAC;QAC7B,CAAC;QAED,kBAAkB;YAChB,gBAAgB,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC9C,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/https.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import type { NotifyPayload, SignRequest, HealthResponse, HttpsServer, Logger } from '@groundnuty/macf-core';
+export declare const PORT_RANGE_START = 8800;
+export declare const PORT_RANGE_SIZE = 1000;
+export declare const CLIENT_AUTH_EKU_OID = "1.3.6.1.5.5.7.3.2";
+/**
+ * Check whether the presented peer cert carries the clientAuth EKU.
+ * Node's `tls.TLSSocket.getPeerCertificate()` exposes EKU as
+ * `ext_key_usage` — an array of OID strings. If the field is absent
+ * or empty, the cert carries no EKU; if present, we require the
+ * clientAuth OID specifically. Exported for tests.
+ */
+export declare function peerCertHasClientAuthEKU(peerCert: {
+    readonly ext_key_usage?: readonly string[];
+}): boolean;
+export declare function randomPort(): number;
+export declare function createHttpsServer(config: {
+    readonly caCertPath: string;
+    readonly agentCertPath: string;
+    readonly agentKeyPath: string;
+    readonly onNotify: (payload: NotifyPayload) => Promise<void>;
+    readonly onHealth: () => HealthResponse;
+    readonly onSign?: (request: SignRequest) => Promise<Record<string, unknown>>;
+    readonly logger: Logger;
+}): HttpsServer;
+//# sourceMappingURL=https.d.ts.map

package/dist/https.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"https.d.ts","sourceRoot":"","sources":["../src/https.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAK7G,eAAO,MAAM,gBAAgB,OAAO,CAAC;AACrC,eAAO,MAAM,eAAe,OAAO,CAAC;AAQpC,eAAO,MAAM,mBAAmB,sBAAsB,CAAC;AAEvD;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE;IACjD,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5C,GAAG,OAAO,CAGV;AAUD,wBAAgB,UAAU,IAAI,MAAM,CAEnC;AAyDD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE;IACxC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,aAAa,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7D,QAAQ,CAAC,QAAQ,EAAE,MAAM,cAAc,CAAC;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7E,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB,GAAG,WAAW,CAiUd"}

package/dist/https.js ADDED Viewed

@@ -0,0 +1,361 @@
+import { createServer } from 'node:https';
+import { readFileSync } from 'node:fs';
+import { randomInt } from 'node:crypto';
+import { context, propagation, SpanKind, SpanStatusCode } from '@opentelemetry/api';
+import { NotifyPayloadSchema, SignRequestSchema } from '@groundnuty/macf-core';
+import { PortExhaustedError, PortUnavailableError, HttpsServerError, HttpError } from '@groundnuty/macf-core';
+import { getTracer, SpanNames, Attr, GenAiAttr, operationNameForNotifyType } from './tracing.js';
+const MAX_BODY_BYTES = 64 * 1024; // 64KB
+export const PORT_RANGE_START = 8800;
+export const PORT_RANGE_SIZE = 1000;
+const MAX_PORT_ATTEMPTS = 10;
+// clientAuth EKU OID — RFC 5280 §4.2.1.12. Peer certs emit this via
+// generateAgentCert + signCSR (#125); the routing-action client cert
+// emits it too (#119). Enforced at the server as the final step of
+// DR-004 v2 EKU rollout (#121). Non-EKU certs are rejected at
+// /notify + /health + /sign uniformly.
+export const CLIENT_AUTH_EKU_OID = '1.3.6.1.5.5.7.3.2';
+/**
+ * Check whether the presented peer cert carries the clientAuth EKU.
+ * Node's `tls.TLSSocket.getPeerCertificate()` exposes EKU as
+ * `ext_key_usage` — an array of OID strings. If the field is absent
+ * or empty, the cert carries no EKU; if present, we require the
+ * clientAuth OID specifically. Exported for tests.
+ */
+export function peerCertHasClientAuthEKU(peerCert) {
+    return Array.isArray(peerCert.ext_key_usage)
+        && peerCert.ext_key_usage.includes(CLIENT_AUTH_EKU_OID);
+}
+// Exported for tests (#109 H1). Uses crypto.randomInt (CSPRNG)
+// rather than a weak PRNG — port numbers aren't secrets, but the
+// canonical defensive pattern for random in security-adjacent code
+// paths is the CSPRNG.
+export function randomPort() {
+    return PORT_RANGE_START + randomInt(PORT_RANGE_SIZE);
+}
+function sendJson(res, status, body) {
+    const json = JSON.stringify(body);
+    res.writeHead(status, {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(json),
+    });
+    res.end(json);
+}
+function readBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        let settled = false;
+        req.on('data', (chunk) => {
+            size += chunk.length;
+            if (size > MAX_BODY_BYTES && !settled) {
+                settled = true;
+                // Destroy the underlying socket (not just req) so the half-open
+                // write-side (res) is also torn down. `req.destroy()` alone
+                // leaves res attached to a destroyed request, which can retain
+                // GC references under high-throughput abuse — see ultrareview
+                // finding H2.
+                req.socket.destroy();
+                reject(new HttpsServerError('Body too large'));
+                return;
+            }
+            if (!settled) {
+                chunks.push(chunk);
+            }
+        });
+        req.on('end', () => {
+            if (!settled) {
+                settled = true;
+                resolve(Buffer.concat(chunks).toString('utf-8'));
+            }
+        });
+        req.on('error', (err) => {
+            if (!settled) {
+                settled = true;
+                reject(err);
+            }
+        });
+    });
+}
+export function createHttpsServer(config) {
+    const { onNotify, onHealth, onSign, logger } = config;
+    const tlsOptions = {
+        key: readFileSync(config.agentKeyPath),
+        cert: readFileSync(config.agentCertPath),
+        ca: readFileSync(config.caCertPath),
+        requestCert: true,
+        rejectUnauthorized: true,
+    };
+    let server;
+    async function handleRequest(req, res) {
+        // Defense-in-depth: reject at HTTP level even if TLS handshake passed.
+        // Protects against misconfigured rejectUnauthorized during debugging.
+        const tlsSocket = req.socket;
+        if (!tlsSocket.authorized) {
+            sendJson(res, 401, { error: 'Unauthorized' });
+            return;
+        }
+        // Step 3 of the DR-004 v2 EKU rollout (#121): require the peer
+        // cert to carry the clientAuth EKU. Peer certs emit it via
+        // generateAgentCert + signCSR (#125); routing-action client cert
+        // emits it via generateClientCert (#119). A CA-signed cert
+        // WITHOUT the EKU — e.g. an old peer cert pre-#125 that hasn't
+        // been rotated — is rejected uniformly at /health, /notify,
+        // /sign. Operators who miss a rotation see 403 with a clear
+        // message pointing at `macf certs rotate`.
+        const peerCert = tlsSocket.getPeerCertificate();
+        if (!peerCertHasClientAuthEKU(peerCert)) {
+            const cn = peerCert.subject?.CN ?? 'unknown';
+            logger.warn('client_cert_missing_eku', {
+                from_cn: cn,
+                url: req.url ?? '',
+            });
+            sendJson(res, 403, {
+                error: 'Forbidden: client certificate missing clientAuth Extended Key Usage. Run `macf certs rotate` to pick up an EKU-enabled cert.',
+            });
+            return;
+        }
+        const { method, url } = req;
+        if (method === 'GET' && url === '/health') {
+            const health = onHealth();
+            const clientCn = req.socket
+                .getPeerCertificate()?.subject?.CN;
+            logger.info('health_pinged', { from_cn: clientCn ?? 'unknown' });
+            sendJson(res, 200, health);
+            return;
+        }
+        if (method === 'POST' && url === '/notify') {
+            const contentType = req.headers['content-type'] ?? '';
+            if (!contentType.includes('application/json')) {
+                sendJson(res, 415, { error: 'Content-Type must be application/json' });
+                return;
+            }
+            let body;
+            try {
+                body = await readBody(req);
+            }
+            catch {
+                sendJson(res, 413, { error: 'Body too large (max 64KB)' });
+                return;
+            }
+            let parsed;
+            try {
+                parsed = JSON.parse(body);
+            }
+            catch {
+                sendJson(res, 400, { error: 'Invalid JSON' });
+                return;
+            }
+            const result = NotifyPayloadSchema.safeParse(parsed);
+            if (!result.success) {
+                sendJson(res, 400, { error: `Validation failed: ${result.error.message}` });
+                return;
+            }
+            // macf#194: wrap onNotify in a SERVER span so child operations
+            // (MCP push, tmux wake) attach to it via active-context
+            // propagation. Parent context extracted from W3C `traceparent`
+            // header if the routing Action sent one; otherwise a new root.
+            // Span + any mcp/tmux children roll up to the same trace-id
+            // in Langfuse/SigNoz, giving one unified trace per coord event.
+            const parentCtx = propagation.extract(context.active(), req.headers);
+            const clientCn = req.socket
+                .getPeerCertificate()?.subject?.CN ?? 'unknown';
+            const tracer = getTracer();
+            await tracer.startActiveSpan(SpanNames.NotifyReceived, {
+                kind: SpanKind.SERVER,
+                attributes: {
+                    [GenAiAttr.System]: 'macf',
+                    [GenAiAttr.OperationName]: operationNameForNotifyType(result.data.type),
+                    [Attr.NotifyType]: result.data.type,
+                    [Attr.RemoteCn]: clientCn,
+                    ...(result.data.issue_number !== undefined
+                        ? { [Attr.IssueNumber]: result.data.issue_number }
+                        : {}),
+                },
+            }, parentCtx, async (span) => {
+                try {
+                    await onNotify(result.data);
+                    sendJson(res, 200, { status: 'received' });
+                    span.setStatus({ code: SpanStatusCode.OK });
+                }
+                catch (err) {
+                    logger.error('notify_push_failed', {
+                        error: err instanceof Error ? err.message : String(err),
+                    });
+                    span.recordException(err);
+                    span.setStatus({
+                        code: SpanStatusCode.ERROR,
+                        message: err instanceof Error ? err.message : String(err),
+                    });
+                    sendJson(res, 500, { error: 'Failed to push notification' });
+                }
+                finally {
+                    span.end();
+                }
+            });
+            return;
+        }
+        if (method === 'POST' && url === '/sign') {
+            if (!onSign) {
+                sendJson(res, 503, { error: 'Signing not available on this agent' });
+                return;
+            }
+            const contentType = req.headers['content-type'] ?? '';
+            if (!contentType.includes('application/json')) {
+                sendJson(res, 415, { error: 'Content-Type must be application/json' });
+                return;
+            }
+            let body;
+            try {
+                body = await readBody(req);
+            }
+            catch {
+                sendJson(res, 413, { error: 'Body too large (max 64KB)' });
+                return;
+            }
+            let parsed;
+            try {
+                parsed = JSON.parse(body);
+            }
+            catch {
+                sendJson(res, 400, { error: 'Invalid JSON' });
+                return;
+            }
+            const result = SignRequestSchema.safeParse(parsed);
+            if (!result.success) {
+                sendJson(res, 400, { error: `Validation failed: ${result.error.message}` });
+                return;
+            }
+            // macf#194: /sign SERVER span. Audit-trail value — every cert
+            // issuance gets a trace entry correlatable to the requester
+            // (cn + agent_name) + the trace-parent (who kicked off the
+            // rotation?).
+            const signParentCtx = propagation.extract(context.active(), req.headers);
+            const signClientCn = req.socket
+                .getPeerCertificate()?.subject?.CN ?? 'unknown';
+            const signTracer = getTracer();
+            await signTracer.startActiveSpan(SpanNames.SignCsr, {
+                kind: SpanKind.SERVER,
+                attributes: {
+                    [GenAiAttr.System]: 'macf',
+                    [Attr.RemoteCn]: signClientCn,
+                    [GenAiAttr.AgentName]: result.data.agent_name,
+                },
+            }, signParentCtx, async (span) => {
+                try {
+                    const response = await onSign(result.data);
+                    sendJson(res, 200, response);
+                    span.setStatus({ code: SpanStatusCode.OK });
+                }
+                catch (err) {
+                    // Typed HttpError carries a specific intended status;
+                    // anything else is an unexpected server-side failure → 500.
+                    const status = err instanceof HttpError ? err.httpStatus : 500;
+                    sendJson(res, status, {
+                        error: err instanceof Error ? err.message : 'Signing failed',
+                    });
+                    span.recordException(err);
+                    span.setStatus({
+                        code: SpanStatusCode.ERROR,
+                        message: err instanceof Error ? err.message : String(err),
+                    });
+                }
+                finally {
+                    span.end();
+                }
+            });
+            return;
+        }
+        sendJson(res, 404, { error: 'Not found' });
+    }
+    function listenOnPort(srv, port, host) {
+        return new Promise((resolve, reject) => {
+            const onError = (err) => {
+                srv.removeListener('error', onError);
+                reject(err);
+            };
+            srv.on('error', onError);
+            srv.listen(port, host, () => {
+                srv.removeListener('error', onError);
+                const addr = srv.address();
+                const actualPort = typeof addr === 'object' && addr !== null ? addr.port : port;
+                resolve(actualPort);
+            });
+        });
+    }
+    function requestHandler(req, res) {
+        handleRequest(req, res).catch((err) => {
+            logger.error('request_error', {
+                error: err instanceof Error ? err.message : String(err),
+            });
+            if (!res.headersSent) {
+                sendJson(res, 500, { error: 'Internal server error' });
+            }
+        });
+    }
+    return {
+        async start(port, host) {
+            server = createServer(tlsOptions, requestHandler);
+            // TLS-layer handshake failures (no cert, expired cert, wrong CA,
+            // missing clientAuth EKU per #121) never reach requestHandler.
+            // Without this listener, operators see a dead connection with
+            // no log entry explaining why. Log enough to triage — ultrareview
+            // finding H1.
+            server.on('tlsClientError', (err, tlsSocket) => {
+                const peerCn = tlsSocket.getPeerCertificate?.()
+                    ?.subject?.CN ?? 'unknown';
+                logger.warn('tls_client_error', {
+                    error: err.message,
+                    code: err.code ?? 'unknown',
+                    from_cn: peerCn,
+                    remote_addr: tlsSocket.remoteAddress ?? 'unknown',
+                });
+            });
+            // Explicit port: fail immediately if busy
+            if (port !== 0) {
+                try {
+                    const actualPort = await listenOnPort(server, port, host);
+                    return { actualPort };
+                }
+                catch (err) {
+                    const nodeErr = err;
+                    if (nodeErr.code === 'EADDRINUSE') {
+                        throw new PortUnavailableError(port);
+                    }
+                    throw new HttpsServerError(`Failed to start server: ${nodeErr.message}`);
+                }
+            }
+            // Random port: retry up to MAX_PORT_ATTEMPTS times
+            for (let attempt = 0; attempt < MAX_PORT_ATTEMPTS; attempt++) {
+                const candidatePort = randomPort();
+                try {
+                    const actualPort = await listenOnPort(server, candidatePort, host);
+                    return { actualPort };
+                }
+                catch (err) {
+                    const nodeErr = err;
+                    if (nodeErr.code !== 'EADDRINUSE') {
+                        throw new HttpsServerError(`Failed to start server: ${nodeErr.message}`);
+                    }
+                    // Close and recreate server for retry
+                    await new Promise((r) => server.close(() => r()));
+                    server = createServer(tlsOptions, requestHandler);
+                }
+            }
+            throw new PortExhaustedError();
+        },
+        async stop() {
+            if (!server)
+                return;
+            return new Promise((resolve, reject) => {
+                server.close((err) => {
+                    if (err)
+                        reject(new HttpsServerError(`Failed to stop server: ${err.message}`));
+                    else
+                        resolve();
+                });
+            });
+        },
+    };
+}
+//# sourceMappingURL=https.js.map

package/dist/https.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"https.js","sourceRoot":"","sources":["../src/https.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAkC,MAAM,YAAY,CAAC;AAE1E,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE/E,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAC9G,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAEjG,MAAM,cAAc,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO;AACzC,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,CAAC;AACrC,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,CAAC;AACpC,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B,oEAAoE;AACpE,qEAAqE;AACrE,mEAAmE;AACnE,8DAA8D;AAC9D,uCAAuC;AACvC,MAAM,CAAC,MAAM,mBAAmB,GAAG,mBAAmB,CAAC;AAEvD;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CAAC,QAExC;IACC,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;WACvC,QAAQ,CAAC,aAAa,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AAC5D,CAAC;AAMD,+DAA+D;AAC/D,iEAAiE;AACjE,mEAAmE;AACnE,uBAAuB;AACvB,MAAM,UAAU,UAAU;IACxB,OAAO,gBAAgB,GAAG,SAAS,CAAC,eAAe,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,QAAQ,CACf,GAAuC,EACvC,MAAc,EACd,IAA6B;IAE7B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE;QACpB,cAAc,EAAE,kBAAkB;QAClC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;KAC1C,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,SAAS,QAAQ,CACf,GAAwC;IAExC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC;YACrB,IAAI,IAAI,GAAG,cAAc,IAAI,CAAC,OAAO,EAAE,CAAC;gBACtC,OAAO,GAAG,IAAI,CAAC;gBACf,gEAAgE;gBAChE,4DAA4D;gBAC5D,+DAA+D;gBAC/D,8DAA8D;gBAC9D,cAAc;gBACd,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACrB,MAAM,CAAC,IAAI,gBAAgB,CAAC,gBAAgB,CAAC,CAAC,CAAC;gBAC/C,OAAO;YACT,CAAC;YACD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YACnD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACtB,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAQjC;IACC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IAEtD,MAAM,UAAU,GAAG;QACjB,GAAG,EAAE,YAAY,CAAC,MAAM,CAAC,YAAY,CAAC;QACtC,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,aAAa,CAAC;QACxC,EAAE,EAAE,YAAY,CAAC,MAAM,CAAC,UAAU,CAAC;QACnC,WAAW,EAAE,IAAI;QACjB,kBAAkB,EAAE,IAAI;KACzB,CAAC;IAEF,IAAI,MAAmC,CAAC;IAExC,KAAK,UAAU,aAAa,CAC1B,GAAwC,EACxC,GAAuC;QAEvC,uEAAuE;QACvE,sEAAsE;QACtE,MAAM,SAAS,GAAG,GAAG,CAAC,MAAmB,CAAC;QAC1C,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;YAC1B,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAC9C,OAAO;QACT,CAAC;QAED,+DAA+D;QAC/D,2DAA2D;QAC3D,iEAAiE;QACjE,2DAA2D;QAC3D,+DAA+D;QAC/D,4DAA4D;QAC5D,4DAA4D;QAC5D,2CAA2C;QAC3C,MAAM,QAAQ,GAAG,SAAS,CAAC,kBAAkB,EAG5C,CAAC;QACF,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACxC,MAAM,EAAE,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,IAAI,SAAS,CAAC;YAC7C,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE;gBACrC,OAAO,EAAE,EAAE;gBACX,GAAG,EAAE,GAAG,CAAC,GAAG,IAAI,EAAE;aACnB,CAAC,CAAC;YACH,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE;gBACjB,KAAK,EAAE,8HAA8H;aACtI,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;QAE5B,IAAI,MAAM,KAAK,KAAK,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC1C,MAAM,MAAM,GAAG,QAAQ,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAI,GAAG,CAAC,MAAuC;iBAC1D,kBAAkB,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC;YACrC,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,OAAO,EAAE,QAAQ,IAAI,SAAS,EAAE,CAAC,CAAC;YACjE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,MAA4C,CAAC,CAAC;YACjE,OAAO;QACT,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3C,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;YACtD,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC9C,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC,CAAC;gBACvE,OAAO;YACT,CAAC;YAED,IAAI,IAAY,CAAC;YACjB,IAAI,CAAC;gBACH,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC7B,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,CAAC;gBAC3D,OAAO;YACT,CAAC;YAED,IAAI,MAAe,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;gBAC9C,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,mBAAmB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACrD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,sBAAsB,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBAC5E,OAAO;YACT,CAAC;YAED,+DAA+D;YAC/D,wDAAwD;YACxD,+DAA+D;YAC/D,+DAA+D;YAC/D,4DAA4D;YAC5D,gEAAgE;YAChE,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YACrE,MAAM,QAAQ,GAAI,GAAG,CAAC,MAAuC;iBAC1D,kBAAkB,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,SAAS,CAAC;YAClD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,MAAM,CAAC,eAAe,CAC1B,SAAS,CAAC,cAAc,EACxB;gBACE,IAAI,EAAE,QAAQ,CAAC,MAAM;gBACrB,UAAU,EAAE;oBACV,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM;oBAC1B,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,0BAA0B,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;oBACvE,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;oBACnC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,QAAQ;oBACzB,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS;wBACxC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE;wBAClD,CAAC,CAAC,EAAE,CAAC;iBACR;aACF,EACD,SAAS,EACT,KAAK,EAAE,IAAI,EAAE,EAAE;gBACb,IAAI,CAAC;oBACH,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;oBAC5B,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;oBAC3C,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9C,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE;wBACjC,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;qBACxD,CAAC,CAAC;oBACH,IAAI,CAAC,eAAe,CAAC,GAAY,CAAC,CAAC;oBACnC,IAAI,CAAC,SAAS,CAAC;wBACb,IAAI,EAAE,cAAc,CAAC,KAAK;wBAC1B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;qBAC1D,CAAC,CAAC;oBACH,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC,CAAC;gBAC/D,CAAC;wBAAS,CAAC;oBACT,IAAI,CAAC,GAAG,EAAE,CAAC;gBACb,CAAC;YACH,CAAC,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YACzC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAC,CAAC;gBACrE,OAAO;YACT,CAAC;YAED,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;YACtD,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC9C,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC,CAAC;gBACvE,OAAO;YACT,CAAC;YAED,IAAI,IAAY,CAAC;YACjB,IAAI,CAAC;gBACH,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC7B,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,CAAC;gBAC3D,OAAO;YACT,CAAC;YAED,IAAI,MAAe,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;gBAC9C,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACnD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,sBAAsB,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBAC5E,OAAO;YACT,CAAC;YAED,8DAA8D;YAC9D,4DAA4D;YAC5D,2DAA2D;YAC3D,cAAc;YACd,MAAM,aAAa,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YACzE,MAAM,YAAY,GAAI,GAAG,CAAC,MAAuC;iBAC9D,kBAAkB,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,SAAS,CAAC;YAClD,MAAM,UAAU,GAAG,SAAS,EAAE,CAAC;YAC/B,MAAM,UAAU,CAAC,eAAe,CAC9B,SAAS,CAAC,OAAO,EACjB;gBACE,IAAI,EAAE,QAAQ,CAAC,MAAM;gBACrB,UAAU,EAAE;oBACV,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM;oBAC1B,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,YAAY;oBAC7B,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU;iBAC9C;aACF,EACD,aAAa,EACb,KAAK,EAAE,IAAI,EAAE,EAAE;gBACb,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;oBAC3C,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;oBAC7B,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9C,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,sDAAsD;oBACtD,4DAA4D;oBAC5D,MAAM,MAAM,GAAG,GAAG,YAAY,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC;oBAC/D,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE;wBACpB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB;qBAC7D,CAAC,CAAC;oBACH,IAAI,CAAC,eAAe,CAAC,GAAY,CAAC,CAAC;oBACnC,IAAI,CAAC,SAAS,CAAC;wBACb,IAAI,EAAE,cAAc,CAAC,KAAK;wBAC1B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;qBAC1D,CAAC,CAAC;gBACL,CAAC;wBAAS,CAAC;oBACT,IAAI,CAAC,GAAG,EAAE,CAAC;gBACb,CAAC;YACH,CAAC,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,SAAS,YAAY,CACnB,GAAoB,EACpB,IAAY,EACZ,IAAY;QAEZ,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,OAAO,GAAG,CAAC,GAAc,EAAQ,EAAE;gBACvC,GAAG,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBACrC,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC,CAAC;YACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACzB,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;gBAC1B,GAAG,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBACrC,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;gBAC3B,MAAM,UAAU,GAAG,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;gBAChF,OAAO,CAAC,UAAU,CAAC,CAAC;YACtB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,cAAc,CACrB,GAAwC,EACxC,GAAuC;QAEvC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE;gBAC5B,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;YACzD,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,IAAY,EAAE,IAAY;YACpC,MAAM,GAAG,YAAY,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YAElD,iEAAiE;YACjE,+DAA+D;YAC/D,8DAA8D;YAC9D,kEAAkE;YAClE,cAAc;YACd,MAAM,CAAC,EAAE,CAAC,gBAAgB,EAAE,CAAC,GAAG,EAAE,SAAS,EAAE,EAAE;gBAC7C,MAAM,MAAM,GAAI,SAAS,CAAC,kBAAkB,EAAE,EAAgD;oBAC5F,EAAE,OAAO,EAAE,EAAE,IAAI,SAAS,CAAC;gBAC7B,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE;oBAC9B,KAAK,EAAE,GAAG,CAAC,OAAO;oBAClB,IAAI,EAAG,GAAiB,CAAC,IAAI,IAAI,SAAS;oBAC1C,OAAO,EAAE,MAAM;oBACf,WAAW,EAAE,SAAS,CAAC,aAAa,IAAI,SAAS;iBAClD,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,0CAA0C;YAC1C,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;oBAC1D,OAAO,EAAE,UAAU,EAAE,CAAC;gBACxB,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,MAAM,OAAO,GAAG,GAAgB,CAAC;oBACjC,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAClC,MAAM,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC;oBACvC,CAAC;oBACD,MAAM,IAAI,gBAAgB,CACxB,2BAA2B,OAAO,CAAC,OAAO,EAAE,CAC7C,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,mDAAmD;YACnD,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,iBAAiB,EAAE,OAAO,EAAE,EAAE,CAAC;gBAC7D,MAAM,aAAa,GAAG,UAAU,EAAE,CAAC;gBACnC,IAAI,CAAC;oBACH,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,aAAa,EAAE,IAAI,CAAC,CAAC;oBACnE,OAAO,EAAE,UAAU,EAAE,CAAC;gBACxB,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,MAAM,OAAO,GAAG,GAAgB,CAAC;oBACjC,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAClC,MAAM,IAAI,gBAAgB,CACxB,2BAA2B,OAAO,CAAC,OAAO,EAAE,CAC7C,CAAC;oBACJ,CAAC;oBACD,sCAAsC;oBACtC,MAAM,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,EAAE,CAAC,MAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;oBACzD,MAAM,GAAG,YAAY,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC;YAED,MAAM,IAAI,kBAAkB,EAAE,CAAC;QACjC,CAAC;QAED,KAAK,CAAC,IAAI;YACR,IAAI,CAAC,MAAM;gBAAE,OAAO;YAEpB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,MAAO,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBACpB,IAAI,GAAG;wBAAE,MAAM,CAAC,IAAI,gBAAgB,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;;wBAC1E,OAAO,EAAE,CAAC;gBACjB,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Multi-Agent Coordination Framework (MACF)
+ *
+ * Coordinates multiple Claude Code agents via GitHub,
+ * using MCP channels (HTTP/mTLS) for communication.
+ */
+export { MacfError, ConfigError, McpChannelError, HttpsServerError, PortUnavailableError, PortExhaustedError, ValidationError } from '@groundnuty/macf-core';
+export { createMcpChannel } from './mcp.js';
+export { createHttpsServer } from './https.js';
+export { createHealthState } from './health.js';
+export { createLogger } from '@groundnuty/macf-core';
+export { loadConfig } from '@groundnuty/macf-core';
+export { NotifyPayloadSchema, NotifyTypeSchema, HealthResponseSchema, CiCompletionPayloadSchema, CheckSuiteConclusionSchema, } from '@groundnuty/macf-core';
+export type { NotifyPayload, NotifyType, HealthResponse, AgentConfig, Logger, McpChannel, HttpsServer, HealthState, CiCompletionPayload, CheckSuiteConclusion, } from '@groundnuty/macf-core';
+export { createRegistryFromConfig, createRegistry, createGitHubClient, GitHubApiError, AgentInfoSchema, RegistryConfigSchema } from '@groundnuty/macf-core';
+export type { AgentInfo, Registry, RegistryConfig, GitHubVariablesClient } from '@groundnuty/macf-core';
+export { checkCollision, CollisionError } from './collision.js';
+export type { CollisionResult } from './collision.js';
+export { registerShutdownHandler } from './shutdown.js';
+export { generateToken } from '@groundnuty/macf-core';
+export { checkPendingIssues } from './startup-issues.js';
+export { createCA, backupCAKey, recoverCAKey, encryptCAKey, decryptCAKey, loadCA, CaError } from '@groundnuty/macf-core';
+export type { CaKeyPair } from '@groundnuty/macf-core';
+export { generateAgentCert, generateCSR, signCSR, AgentCertError } from '@groundnuty/macf-core';
+export type { AgentCertResult } from '@groundnuty/macf-core';
+export { createChallenge, verifyAndConsumeChallenge, ChallengeError } from '@groundnuty/macf-core';
+export { SignRequestSchema, SignChallengeResponseSchema, SignCertResponseSchema } from '@groundnuty/macf-core';
+export type { SignRequest } from '@groundnuty/macf-core';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7J,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EACL,mBAAmB,EAAE,gBAAgB,EAAE,oBAAoB,EAC3D,yBAAyB,EAAE,0BAA0B,GACtD,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EACV,aAAa,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,EAC9D,UAAU,EAAE,WAAW,EAAE,WAAW,EACpC,mBAAmB,EAAE,oBAAoB,GAC1C,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,wBAAwB,EAAE,cAAc,EAAE,kBAAkB,EAAE,cAAc,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC5J,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AACxG,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChE,YAAY,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAGzD,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACzH,YAAY,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAChG,YAAY,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,yBAAyB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACnG,OAAO,EAAE,iBAAiB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/G,YAAY,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC"}