@h-rig/runtime 0.0.6-alpha.0

package/dist/src/control-plane/remote.js

@@ -0,0 +1,854 @@
+// @bun
+// packages/runtime/src/control-plane/remote.ts
+import { chmodSync as chmodSync2, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname2, join as join2 } from "path";
+import { parse as parseToml2, stringify as stringifyToml2 } from "smol-toml";
+
+// packages/runtime/src/control-plane/authority-files.ts
+import { existsSync, mkdirSync, readFileSync, writeFileSync, appendFileSync, copyFileSync, statSync, readdirSync, chmodSync } from "fs";
+import { homedir } from "os";
+import { dirname, join, relative, resolve } from "path";
+import { randomUUID } from "crypto";
+import { parse as parseToml, stringify as stringifyToml } from "smol-toml";
+function readTomlFile(path, fallback) {
+  if (!existsSync(path))
+    return fallback;
+  const raw = readFileSync(path, "utf8");
+  if (!raw.trim())
+    return fallback;
+  return parseToml(raw);
+}
+function writeTomlFile(path, value) {
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, `${stringifyToml(value).trimEnd()}
+`, "utf8");
+}
+function normalizeString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function normalizeStringArray(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.map((entry) => normalizeString(entry)).filter((entry) => entry !== null);
+}
+function normalizePort(value) {
+  const port = typeof value === "number" ? value : Number(value);
+  return Number.isInteger(port) && port > 0 && port <= 65535 ? port : 7890;
+}
+function loadRemoteEndpointsToml(projectRoot) {
+  const paths = resolveAuthorityPaths(projectRoot);
+  const parsed = readTomlFile(paths.remoteEndpointsPath, { version: 1, endpoints: {} });
+  return {
+    version: parsed.version ?? 1,
+    endpoints: parsed.endpoints ?? {}
+  };
+}
+function loadRemoteSecretsToml(projectRoot) {
+  const paths = resolveAuthorityPaths(projectRoot);
+  const parsed = readTomlFile(paths.remoteSecretsPath, { version: 1, secrets: {} });
+  return {
+    version: parsed.version ?? 1,
+    secrets: parsed.secrets ?? {}
+  };
+}
+function saveRemoteEndpointsToml(projectRoot, payload) {
+  const paths = resolveAuthorityPaths(projectRoot);
+  writeTomlFile(paths.remoteEndpointsPath, payload);
+}
+function saveRemoteSecretsToml(projectRoot, payload) {
+  const paths = resolveAuthorityPaths(projectRoot);
+  writeTomlFile(paths.remoteSecretsPath, payload);
+  try {
+    chmodSync(paths.remoteSecretsPath, 384);
+  } catch {}
+}
+function resolveAuthorityPaths(projectRoot) {
+  const normalizedRoot = resolve(projectRoot);
+  const stateRoot = resolveAuthorityStateRoot(normalizedRoot);
+  const stateDir = resolveAuthorityStateDir(normalizedRoot);
+  return {
+    projectRoot: normalizedRoot,
+    harnessRoot: resolve(normalizedRoot, "rig"),
+    runsDir: resolve(stateRoot, "runs"),
+    remoteDir: resolve(stateRoot, "remote"),
+    stateDir,
+    remoteEndpointsPath: resolve(stateRoot, "remote", "endpoints.toml"),
+    remoteSecretsPath: resolve(stateDir, "remote-secrets.toml")
+  };
+}
+function resolveAuthorityStateRoot(projectRoot) {
+  const normalizedRoot = resolve(projectRoot);
+  const taskWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
+  if (taskWorkspace) {
+    return resolve(taskWorkspace, ".rig");
+  }
+  const stateDir = process.env.RIG_STATE_DIR?.trim();
+  if (stateDir) {
+    return dirname(resolve(stateDir));
+  }
+  const logsDir = process.env.RIG_LOGS_DIR?.trim();
+  if (logsDir) {
+    return dirname(resolve(logsDir));
+  }
+  const sessionFile = process.env.RIG_SESSION_FILE?.trim();
+  if (sessionFile) {
+    return dirname(dirname(resolve(sessionFile)));
+  }
+  const projectStateRoot = resolve(normalizedRoot, ".rig");
+  if (existsSync(projectStateRoot)) {
+    return projectStateRoot;
+  }
+  return resolve(normalizedRoot, ".rig");
+}
+function resolveAuthorityStateDir(projectRoot) {
+  const explicit = process.env.RIG_STATE_DIR?.trim();
+  if (explicit) {
+    return resolve(explicit);
+  }
+  return resolve(resolveAuthorityStateRoot(projectRoot), "state");
+}
+function listAuthorityRemoteEndpoints(projectRoot) {
+  const endpoints = loadRemoteEndpointsToml(projectRoot).endpoints ?? {};
+  const secrets = loadRemoteSecretsToml(projectRoot).secrets ?? {};
+  return Object.values(endpoints).map((entry) => {
+    const token = secrets[entry.secret_ref] ?? "";
+    return {
+      id: entry.id,
+      alias: entry.alias,
+      host: entry.host,
+      port: normalizePort(entry.port),
+      token,
+      autoConnect: Boolean(entry.auto_connect),
+      addedAt: entry.created_at,
+      updatedAt: entry.updated_at,
+      lastConnectedAt: normalizeString(entry.last_connected_at) ?? null,
+      labels: normalizeStringArray(entry.labels),
+      capabilities: normalizeStringArray(entry.capabilities),
+      transport: normalizeString(entry.transport) ?? "websocket",
+      secretRef: entry.secret_ref
+    };
+  }).sort((left, right) => left.alias.localeCompare(right.alias));
+}
+function nextRemoteEndpointRecord(input) {
+  const timestamp = new Date().toISOString();
+  const secretRef = input.existing?.secret_ref ?? randomUUID();
+  return {
+    record: {
+      id: input.endpointId ?? input.existing?.id ?? randomUUID(),
+      alias: input.alias,
+      host: input.host,
+      port: normalizePort(input.port),
+      transport: normalizeString(input.transport) ?? normalizeString(input.existing?.transport) ?? "websocket",
+      auto_connect: input.autoConnect ?? input.existing?.auto_connect ?? false,
+      labels: input.labels ?? normalizeStringArray(input.existing?.labels),
+      capabilities: input.capabilities ?? normalizeStringArray(input.existing?.capabilities),
+      secret_ref: secretRef,
+      created_at: input.existing?.created_at ?? timestamp,
+      updated_at: timestamp,
+      last_connected_at: input.existing?.last_connected_at ?? null
+    },
+    secretRef
+  };
+}
+function upsertAuthorityRemoteEndpoint(projectRoot, input) {
+  const endpointsToml = loadRemoteEndpointsToml(projectRoot);
+  const secretsToml = loadRemoteSecretsToml(projectRoot);
+  const existing = Object.values(endpointsToml.endpoints ?? {}).find((entry) => entry.alias === input.alias) ?? null;
+  const { record, secretRef } = nextRemoteEndpointRecord({
+    endpointId: input.endpointId,
+    existing,
+    alias: input.alias,
+    host: input.host,
+    port: input.port,
+    token: input.token,
+    autoConnect: input.autoConnect,
+    transport: input.transport,
+    labels: input.labels,
+    capabilities: input.capabilities
+  });
+  endpointsToml.endpoints = {
+    ...endpointsToml.endpoints ?? {},
+    [record.id]: record
+  };
+  secretsToml.secrets = {
+    ...secretsToml.secrets ?? {},
+    [secretRef]: input.token
+  };
+  saveRemoteEndpointsToml(projectRoot, endpointsToml);
+  saveRemoteSecretsToml(projectRoot, secretsToml);
+  return listAuthorityRemoteEndpoints(projectRoot).find((entry) => entry.id === record.id);
+}
+function updateAuthorityRemoteEndpoint(projectRoot, input) {
+  const endpointsToml = loadRemoteEndpointsToml(projectRoot);
+  const secretsToml = loadRemoteSecretsToml(projectRoot);
+  const current = Object.values(endpointsToml.endpoints ?? {}).find((entry) => input.endpointId && entry.id === input.endpointId || input.alias && entry.alias === input.alias);
+  if (!current)
+    return null;
+  const record = {
+    ...current,
+    alias: normalizeString(input.alias) ?? current.alias,
+    host: normalizeString(input.host) ?? current.host,
+    port: input.port !== undefined ? normalizePort(input.port) : current.port,
+    auto_connect: input.autoConnect ?? current.auto_connect,
+    transport: normalizeString(input.transport) ?? current.transport,
+    labels: input.labels ?? normalizeStringArray(current.labels),
+    capabilities: input.capabilities ?? normalizeStringArray(current.capabilities),
+    updated_at: new Date().toISOString()
+  };
+  endpointsToml.endpoints = {
+    ...endpointsToml.endpoints ?? {},
+    [record.id]: record
+  };
+  if (input.token !== undefined) {
+    secretsToml.secrets = {
+      ...secretsToml.secrets ?? {},
+      [record.secret_ref]: input.token
+    };
+  }
+  saveRemoteEndpointsToml(projectRoot, endpointsToml);
+  saveRemoteSecretsToml(projectRoot, secretsToml);
+  return listAuthorityRemoteEndpoints(projectRoot).find((entry) => entry.id === record.id) ?? null;
+}
+function removeAuthorityRemoteEndpoint(projectRoot, endpointIdOrAlias) {
+  const endpointsToml = loadRemoteEndpointsToml(projectRoot);
+  const secretsToml = loadRemoteSecretsToml(projectRoot);
+  const entry = Object.values(endpointsToml.endpoints ?? {}).find((candidate) => candidate.id === endpointIdOrAlias || candidate.alias === endpointIdOrAlias);
+  if (!entry)
+    return false;
+  const nextEndpoints = { ...endpointsToml.endpoints ?? {} };
+  delete nextEndpoints[entry.id];
+  const nextSecrets = { ...secretsToml.secrets ?? {} };
+  delete nextSecrets[entry.secret_ref];
+  saveRemoteEndpointsToml(projectRoot, { version: endpointsToml.version ?? 1, endpoints: nextEndpoints });
+  saveRemoteSecretsToml(projectRoot, { version: secretsToml.version ?? 1, secrets: nextSecrets });
+  return true;
+}
+function markAuthorityRemoteEndpointConnected(projectRoot, endpointId, connectedAt = new Date().toISOString()) {
+  const endpointsToml = loadRemoteEndpointsToml(projectRoot);
+  const entry = endpointsToml.endpoints?.[endpointId];
+  if (!entry)
+    return;
+  endpointsToml.endpoints = {
+    ...endpointsToml.endpoints ?? {},
+    [endpointId]: {
+      ...entry,
+      last_connected_at: connectedAt,
+      updated_at: connectedAt
+    }
+  };
+  saveRemoteEndpointsToml(projectRoot, endpointsToml);
+}
+function importLegacyRemoteEndpoints(projectRoot, legacyPath = join(homedir(), ".config", "rig", "remotes.toml")) {
+  if (!existsSync(legacyPath)) {
+    return { imported: 0, skipped: 0, sourcePath: legacyPath };
+  }
+  const parsed = readTomlFile(legacyPath, { version: 1, remotes: {} });
+  let imported = 0;
+  let skipped = 0;
+  for (const [alias, entry] of Object.entries(parsed.remotes ?? {})) {
+    const host = normalizeString(entry.host);
+    const token = normalizeString(entry.token);
+    if (!host || !token) {
+      skipped += 1;
+      continue;
+    }
+    upsertAuthorityRemoteEndpoint(projectRoot, {
+      alias,
+      host,
+      port: normalizePort(entry.port),
+      token
+    });
+    imported += 1;
+  }
+  return { imported, skipped, sourcePath: legacyPath };
+}
+function doctorAuthorityRemoteEndpoints(projectRoot) {
+  const paths = resolveAuthorityPaths(projectRoot);
+  const endpoints = loadRemoteEndpointsToml(projectRoot).endpoints ?? {};
+  const secrets = loadRemoteSecretsToml(projectRoot).secrets ?? {};
+  const missingSecrets = Object.values(endpoints).filter((entry) => !normalizeString(secrets[entry.secret_ref])).map((entry) => entry.alias);
+  const warnings = [];
+  if (!existsSync(paths.remoteEndpointsPath)) {
+    warnings.push("Remote endpoint manifest is missing.");
+  }
+  if (!existsSync(paths.remoteSecretsPath)) {
+    warnings.push("Remote secret store is missing.");
+  }
+  return {
+    manifestPath: paths.remoteEndpointsPath,
+    secretsPath: paths.remoteSecretsPath,
+    endpointCount: Object.keys(endpoints).length,
+    missingSecrets,
+    warnings
+  };
+}
+
+// packages/runtime/src/control-plane/remote.ts
+var DEFAULT_REMOTE_PORT = 7890;
+var DEFAULT_TIMEOUTS = {
+  connectMs: 5000,
+  authMs: 5000,
+  requestMs: 30000,
+  subscriptionMs: 1e4
+};
+var REMOTES_CONFIG_PATH = join2(homedir2(), ".config", "rig", "remotes.toml");
+
+class RemoteCliError extends Error {
+  code;
+  exitCode;
+  details;
+  constructor(code, message, exitCode = 1, details) {
+    super(message);
+    this.name = "RemoteCliError";
+    this.code = code;
+    this.exitCode = exitCode;
+    this.details = details;
+  }
+}
+function loadRemotesConfig(configPath = REMOTES_CONFIG_PATH) {
+  if (!existsSync2(configPath)) {
+    return { version: 1, remotes: {} };
+  }
+  try {
+    const content = readFileSync2(configPath, "utf-8");
+    if (!content.trim()) {
+      return { version: 1, remotes: {} };
+    }
+    const parsed = parseToml2(content);
+    return {
+      version: parsed.version ?? 1,
+      remotes: parsed.remotes ?? {}
+    };
+  } catch (error) {
+    throw new RemoteCliError("RIG_REMOTE_CONFIG_PARSE_ERROR", `Failed to parse remotes config at ${configPath}: ${error instanceof Error ? error.message : String(error)}`, 2, { configPath });
+  }
+}
+function saveRemotesConfig(config, configPath = REMOTES_CONFIG_PATH) {
+  mkdirSync2(dirname2(configPath), { recursive: true });
+  writeFileSync2(configPath, `${stringifyToml2(config).trimEnd()}
+`, "utf-8");
+  try {
+    chmodSync2(configPath, 384);
+  } catch {}
+}
+function listManagedRemoteEndpoints(configPath = REMOTES_CONFIG_PATH, projectRoot) {
+  if (projectRoot) {
+    return listAuthorityRemoteEndpoints(projectRoot).map((entry) => ({
+      id: entry.id,
+      alias: entry.alias,
+      host: entry.host,
+      port: entry.port,
+      token: entry.token,
+      addedAt: entry.addedAt,
+      lastConnected: entry.lastConnectedAt
+    }));
+  }
+  const config = loadRemotesConfig(configPath);
+  return Object.entries(config.remotes ?? {}).map(([alias, entry]) => ({
+    id: alias,
+    alias,
+    host: normalizeString2(entry.host) || "",
+    port: Number.isFinite(entry.port) ? Number(entry.port) : DEFAULT_REMOTE_PORT,
+    token: normalizeString2(entry.token) || "",
+    addedAt: normalizeString2(entry.addedAt) || null,
+    lastConnected: normalizeString2(entry.lastConnected) || null
+  })).sort((left, right) => left.alias.localeCompare(right.alias));
+}
+function upsertManagedRemoteEndpoint(input, configPath = REMOTES_CONFIG_PATH, projectRoot) {
+  if (projectRoot) {
+    const saved = upsertAuthorityRemoteEndpoint(projectRoot, {
+      ...input,
+      token: input.token ?? ""
+    });
+    return {
+      id: saved.id,
+      alias: saved.alias,
+      host: saved.host,
+      port: saved.port,
+      token: saved.token,
+      addedAt: saved.addedAt,
+      lastConnected: saved.lastConnectedAt
+    };
+  }
+  const config = loadRemotesConfig(configPath);
+  const existing = config.remotes?.[input.alias];
+  const nextEntry = {
+    host: input.host,
+    port: input.port,
+    token: input.token,
+    addedAt: normalizeString2(existing?.addedAt) || new Date().toISOString(),
+    ...normalizeString2(existing?.lastConnected) ? { lastConnected: normalizeString2(existing?.lastConnected) } : {}
+  };
+  const nextConfig = {
+    version: config.version ?? 1,
+    remotes: {
+      ...config.remotes ?? {},
+      [input.alias]: nextEntry
+    }
+  };
+  saveRemotesConfig(nextConfig, configPath);
+  return {
+    id: input.alias,
+    alias: input.alias,
+    host: input.host,
+    port: input.port,
+    token: input.token ?? "",
+    addedAt: nextEntry.addedAt ?? null,
+    lastConnected: nextEntry.lastConnected ?? null
+  };
+}
+function removeManagedRemoteEndpoint(alias, configPath = REMOTES_CONFIG_PATH, projectRoot) {
+  if (projectRoot) {
+    return removeAuthorityRemoteEndpoint(projectRoot, alias);
+  }
+  const config = loadRemotesConfig(configPath);
+  if (!config.remotes?.[alias]) {
+    return false;
+  }
+  const nextRemotes = { ...config.remotes ?? {} };
+  delete nextRemotes[alias];
+  saveRemotesConfig({
+    version: config.version ?? 1,
+    remotes: nextRemotes
+  }, configPath);
+  return true;
+}
+function resolveRemoteEndpoint(options) {
+  const env = options.env ?? process.env;
+  const envHost = normalizeString2(env.RIG_REMOTE_HOST);
+  const envToken = normalizeString2(env.RIG_REMOTE_TOKEN);
+  const envPort = parsePort(normalizeString2(env.RIG_REMOTE_PORT), "RIG_REMOTE_PORT");
+  const envAlias = normalizeString2(env.RIG_REMOTE_ALIAS);
+  const explicitHost = normalizeString2(options.host);
+  const explicitToken = normalizeString2(options.token);
+  const explicitPort = parsePort(normalizeString2(options.port), "--port");
+  const explicitProvided = Boolean(explicitHost || explicitToken || explicitPort !== null);
+  const requestedAlias = normalizeString2(options.remoteAlias) || envAlias;
+  let endpoint = {
+    source: "env",
+    host: envHost || "",
+    port: envPort ?? DEFAULT_REMOTE_PORT,
+    token: envToken || "",
+    configPath: REMOTES_CONFIG_PATH
+  };
+  if (requestedAlias) {
+    if (options.projectRoot) {
+      const remote = listAuthorityRemoteEndpoints(options.projectRoot).find((entry) => entry.alias === requestedAlias);
+      if (!remote) {
+        const configPath = resolveAuthorityPaths(options.projectRoot).remoteEndpointsPath;
+        throw new RemoteCliError("RIG_REMOTE_ALIAS_NOT_FOUND", `Remote alias '${requestedAlias}' was not found in ${configPath}.`, 2, { alias: requestedAlias, configPath });
+      }
+      endpoint = {
+        source: "alias",
+        alias: requestedAlias,
+        host: remote.host,
+        port: remote.port,
+        token: remote.token,
+        configPath: resolveAuthorityPaths(options.projectRoot).remoteEndpointsPath
+      };
+    } else {
+      const config = loadRemotesConfig();
+      const remote = config.remotes?.[requestedAlias];
+      if (!remote) {
+        throw new RemoteCliError("RIG_REMOTE_ALIAS_NOT_FOUND", `Remote alias '${requestedAlias}' was not found in ${REMOTES_CONFIG_PATH}.`, 2, { alias: requestedAlias, configPath: REMOTES_CONFIG_PATH });
+      }
+      endpoint = {
+        source: "alias",
+        alias: requestedAlias,
+        host: normalizeString2(remote.host) || "",
+        port: Number.isFinite(remote.port) ? Number(remote.port) : DEFAULT_REMOTE_PORT,
+        token: normalizeString2(remote.token) || "",
+        configPath: REMOTES_CONFIG_PATH
+      };
+    }
+  }
+  if (explicitProvided) {
+    endpoint = {
+      ...endpoint,
+      source: "flags",
+      host: explicitHost || endpoint.host,
+      port: explicitPort ?? endpoint.port,
+      token: explicitToken || endpoint.token
+    };
+  }
+  if (!endpoint.host) {
+    throw new RemoteCliError("RIG_REMOTE_HOST_REQUIRED", "Remote host is required. Pass --host, --remote <alias>, or set RIG_REMOTE_HOST.", 2);
+  }
+  if (!Number.isFinite(endpoint.port) || endpoint.port <= 0 || endpoint.port > 65535) {
+    throw new RemoteCliError("RIG_REMOTE_INVALID_PORT", `Invalid remote port: ${endpoint.port}.`, 2);
+  }
+  return endpoint;
+}
+
+class RemoteWsClient {
+  endpoint;
+  ws = null;
+  connected = false;
+  pending = new Map;
+  onEvent;
+  requestTimeoutMs;
+  connectTimeoutMs;
+  authTimeoutMs;
+  subscriptionTimeoutMs;
+  connectionToken = null;
+  connectionTokenExpiresAt = null;
+  tokenRefreshTimer = null;
+  constructor(endpoint, options = {}) {
+    this.endpoint = endpoint;
+    this.onEvent = options.onEvent;
+    this.connectTimeoutMs = options.connectTimeoutMs ?? DEFAULT_TIMEOUTS.connectMs;
+    this.authTimeoutMs = options.authTimeoutMs ?? DEFAULT_TIMEOUTS.authMs;
+    this.requestTimeoutMs = options.requestTimeoutMs ?? DEFAULT_TIMEOUTS.requestMs;
+    this.subscriptionTimeoutMs = options.subscriptionTimeoutMs ?? DEFAULT_TIMEOUTS.subscriptionMs;
+  }
+  setEventHandler(handler) {
+    this.onEvent = handler;
+  }
+  async connect() {
+    if (this.connected) {
+      return;
+    }
+    const url = `ws://${this.endpoint.host}:${this.endpoint.port}`;
+    await new Promise((resolve2, reject) => {
+      let authResolved = false;
+      let connectTimer = setTimeout(() => {
+        connectTimer = null;
+        reject(new RemoteCliError("RIG_REMOTE_CONNECT_TIMEOUT", `Timed out connecting to ${url} after ${this.connectTimeoutMs}ms.`, 3, { host: this.endpoint.host, port: this.endpoint.port, timeoutMs: this.connectTimeoutMs }));
+      }, this.connectTimeoutMs);
+      const ws = new WebSocket(url);
+      this.ws = ws;
+      ws.onopen = () => {
+        const authMessage = {
+          type: "auth",
+          id: crypto.randomUUID(),
+          timestamp: new Date().toISOString(),
+          token: this.connectionToken || this.endpoint.token,
+          tokenType: this.connectionToken ? "connection" : "server"
+        };
+        let authTimer = setTimeout(() => {
+          authTimer = null;
+          reject(new RemoteCliError("RIG_REMOTE_AUTH_TIMEOUT", `Timed out waiting for auth response from ${url} after ${this.authTimeoutMs}ms.`, 3, { host: this.endpoint.host, port: this.endpoint.port, timeoutMs: this.authTimeoutMs }));
+        }, this.authTimeoutMs);
+        ws.send(JSON.stringify(authMessage));
+        const originalOnMessage = ws.onmessage;
+        ws.onmessage = (event) => {
+          const message = parseIncomingMessage(event.data);
+          if (!message) {
+            return;
+          }
+          if (message.type === "auth_response" && !authResolved) {
+            authResolved = true;
+            if (connectTimer) {
+              clearTimeout(connectTimer);
+              connectTimer = null;
+            }
+            if (authTimer) {
+              clearTimeout(authTimer);
+              authTimer = null;
+            }
+            const auth = message;
+            if (!auth.success) {
+              reject(new RemoteCliError("RIG_REMOTE_AUTH_FAILED", auth.error || "Remote authentication failed.", 3, { host: this.endpoint.host, port: this.endpoint.port }));
+              return;
+            }
+            if (auth.connectionToken && auth.connectionTokenExpiresAt) {
+              this.connectionToken = auth.connectionToken;
+              this.connectionTokenExpiresAt = auth.connectionTokenExpiresAt;
+              this.scheduleTokenRefresh();
+            }
+            if (this.endpoint.configPath.endsWith("endpoints.toml")) {
+              const projectRoot = dirname2(dirname2(dirname2(this.endpoint.configPath)));
+              try {
+                markAuthorityRemoteEndpointConnected(projectRoot, this.endpoint.alias ? listAuthorityRemoteEndpoints(projectRoot).find((entry) => entry.alias === this.endpoint.alias)?.id ?? "" : "");
+              } catch {}
+            }
+            this.connected = true;
+            ws.onmessage = (event2) => {
+              const next = parseIncomingMessage(event2.data);
+              if (!next) {
+                return;
+              }
+              this.routeMessage(next);
+            };
+            resolve2();
+            return;
+          }
+          if (typeof originalOnMessage === "function") {
+            originalOnMessage.call(ws, event);
+          }
+        };
+      };
+      ws.onerror = () => {
+        if (connectTimer) {
+          clearTimeout(connectTimer);
+          connectTimer = null;
+        }
+        if (!authResolved) {
+          reject(new RemoteCliError("RIG_REMOTE_CONNECT_FAILED", `Failed to connect to ${url}.`, 3, { host: this.endpoint.host, port: this.endpoint.port }));
+        }
+      };
+      ws.onclose = () => {
+        this.connected = false;
+        this.clearPending("Connection closed");
+      };
+    });
+  }
+  disconnect() {
+    this.connected = false;
+    this.clearTokenRefreshTimer();
+    this.clearPending("Connection closed");
+    if (this.ws) {
+      try {
+        this.ws.close();
+      } catch {}
+      this.ws = null;
+    }
+  }
+  async subscribe(eventTypes = []) {
+    const message = { type: "subscribe" };
+    if (eventTypes.length > 0) {
+      message.eventTypes = eventTypes;
+    }
+    const response = await this.request(message, this.subscriptionTimeoutMs);
+    return expectType(response, "operation_result");
+  }
+  async unsubscribe() {
+    return expectType(await this.request({ type: "unsubscribe" }), "operation_result");
+  }
+  async getState() {
+    return expectType(await this.request({ type: "get_state" }), "state_response");
+  }
+  async getTasks() {
+    return expectType(await this.request({ type: "get_tasks" }), "tasks_response");
+  }
+  async pause() {
+    return expectType(await this.request({ type: "pause" }), "operation_result");
+  }
+  async resume() {
+    return expectType(await this.request({ type: "resume" }), "operation_result");
+  }
+  async interrupt() {
+    return expectType(await this.request({ type: "interrupt" }), "operation_result");
+  }
+  async continueExecution() {
+    return expectType(await this.request({ type: "continue" }), "operation_result");
+  }
+  async refreshTasks() {
+    return expectType(await this.request({ type: "refresh_tasks" }), "operation_result");
+  }
+  async addIterations(count) {
+    return expectType(await this.request({ type: "add_iterations", count }), "operation_result");
+  }
+  async removeIterations(count) {
+    return expectType(await this.request({ type: "remove_iterations", count }), "operation_result");
+  }
+  async getPromptPreview(taskId) {
+    return expectType(await this.request({ type: "get_prompt_preview", taskId }), "prompt_preview_response");
+  }
+  async getIterationOutput(taskId) {
+    return expectType(await this.request({ type: "get_iteration_output", taskId }), "iteration_output_response");
+  }
+  async startOrchestration(options) {
+    return expectType(await this.request({
+      type: "orchestrate:start",
+      maxWorkers: options.maxWorkers,
+      maxIterations: options.maxIterations,
+      directMerge: options.directMerge
+    }), "orchestrate:start_response");
+  }
+  async pauseOrchestration(orchestrationId) {
+    return expectType(await this.request({ type: "orchestrate:pause", orchestrationId }), "operation_result");
+  }
+  async resumeOrchestration(orchestrationId) {
+    return expectType(await this.request({ type: "orchestrate:resume", orchestrationId }), "operation_result");
+  }
+  async stopOrchestration(orchestrationId) {
+    return expectType(await this.request({ type: "orchestrate:stop", orchestrationId }), "operation_result");
+  }
+  async getOrchestrationState(orchestrationId) {
+    return expectType(await this.request({ type: "orchestrate:get_state", orchestrationId }), "orchestrate:state_response");
+  }
+  async ping() {
+    return this.request({ type: "ping" });
+  }
+  async request(payload, timeoutMs = this.requestTimeoutMs) {
+    if (!this.connected || !this.ws) {
+      throw new RemoteCliError("RIG_REMOTE_NOT_CONNECTED", "Remote client is not connected.", 3);
+    }
+    const id = crypto.randomUUID();
+    const message = {
+      ...payload,
+      id,
+      timestamp: new Date().toISOString()
+    };
+    return await new Promise((resolve2, reject) => {
+      const timeout = setTimeout(() => {
+        this.pending.delete(id);
+        reject(new RemoteCliError("RIG_REMOTE_REQUEST_TIMEOUT", `Timed out waiting for response to '${String(payload.type)}' after ${timeoutMs}ms.`, 3, { requestType: payload.type, requestId: id, timeoutMs }));
+      }, timeoutMs);
+      this.pending.set(id, { resolve: resolve2, reject, timeout });
+      this.ws?.send(JSON.stringify(message));
+    });
+  }
+  routeMessage(message) {
+    if (message.id && this.pending.has(message.id)) {
+      const pending = this.pending.get(message.id);
+      if (pending) {
+        clearTimeout(pending.timeout);
+        this.pending.delete(message.id);
+        pending.resolve(message);
+      }
+      return;
+    }
+    if (message.type === "token_refresh_response") {
+      const token = normalizeString2(message.connectionToken);
+      const expiresAt = normalizeString2(message.connectionTokenExpiresAt);
+      if (token && expiresAt) {
+        this.connectionToken = token;
+        this.connectionTokenExpiresAt = expiresAt;
+        this.scheduleTokenRefresh();
+      }
+    }
+    this.onEvent?.({ receivedAt: new Date().toISOString(), message });
+  }
+  scheduleTokenRefresh() {
+    this.clearTokenRefreshTimer();
+    if (!this.connectionToken || !this.connectionTokenExpiresAt || !this.ws || !this.connected) {
+      return;
+    }
+    const expiresAt = new Date(this.connectionTokenExpiresAt).getTime();
+    if (!Number.isFinite(expiresAt)) {
+      return;
+    }
+    const refreshAt = expiresAt - 60 * 60 * 1000;
+    const delay = Math.max(0, refreshAt - Date.now());
+    this.tokenRefreshTimer = setTimeout(() => {
+      if (!this.connected || !this.ws || !this.connectionToken) {
+        return;
+      }
+      const refreshMessage = {
+        type: "token_refresh",
+        id: crypto.randomUUID(),
+        timestamp: new Date().toISOString(),
+        connectionToken: this.connectionToken
+      };
+      this.ws.send(JSON.stringify(refreshMessage));
+    }, delay);
+  }
+  clearTokenRefreshTimer() {
+    if (this.tokenRefreshTimer) {
+      clearTimeout(this.tokenRefreshTimer);
+      this.tokenRefreshTimer = null;
+    }
+  }
+  clearPending(reason) {
+    for (const [requestId, pending] of this.pending.entries()) {
+      clearTimeout(pending.timeout);
+      pending.reject(new RemoteCliError("RIG_REMOTE_REQUEST_CANCELLED", `${reason} (request ${requestId}).`, 3, { requestId }));
+      this.pending.delete(requestId);
+    }
+  }
+}
+function matchesEventFilter(message, expectedType) {
+  if (!expectedType) {
+    return true;
+  }
+  if (message.type === expectedType) {
+    return true;
+  }
+  if (message.type === "engine_event") {
+    const eventType = normalizeString2(message.event?.type);
+    return eventType === expectedType;
+  }
+  if (message.type === "parallel_event") {
+    const eventType = normalizeString2(message.event?.type);
+    return eventType === expectedType;
+  }
+  return false;
+}
+function summarizeMessage(message) {
+  if (message.type === "pong") {
+    return "pong";
+  }
+  if (message.type === "engine_event") {
+    const eventType = normalizeString2(message.event?.type);
+    return eventType ? `engine_event:${eventType}` : "engine_event";
+  }
+  if (message.type === "parallel_event") {
+    const eventType = normalizeString2(message.event?.type);
+    const orchestrationId = normalizeString2(message.orchestrationId);
+    return orchestrationId ? `parallel_event:${eventType || "unknown"}:${orchestrationId}` : `parallel_event:${eventType || "unknown"}`;
+  }
+  return message.type;
+}
+function migrateManagedRemoteEndpoints(projectRoot, legacyPath = REMOTES_CONFIG_PATH) {
+  return importLegacyRemoteEndpoints(projectRoot, legacyPath);
+}
+function doctorManagedRemoteEndpoints(projectRoot) {
+  return doctorAuthorityRemoteEndpoints(projectRoot);
+}
+function updateManagedRemoteEndpointInAuthority(projectRoot, input) {
+  const updated = updateAuthorityRemoteEndpoint(projectRoot, input);
+  if (!updated)
+    return null;
+  return {
+    id: updated.id,
+    alias: updated.alias,
+    host: updated.host,
+    port: updated.port,
+    token: updated.token,
+    addedAt: updated.addedAt,
+    lastConnected: updated.lastConnectedAt
+  };
+}
+function normalizeString2(value) {
+  if (!value) {
+    return "";
+  }
+  return value.trim();
+}
+function parsePort(value, label) {
+  if (!value) {
+    return null;
+  }
+  const parsed = Number.parseInt(value, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0 || parsed > 65535) {
+    throw new RemoteCliError("RIG_REMOTE_INVALID_PORT", `Invalid port for ${label}: ${value}.`, 2, { label, value });
+  }
+  return parsed;
+}
+function parseIncomingMessage(raw) {
+  if (typeof raw !== "string") {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object" || typeof parsed.type !== "string") {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function expectType(message, expectedType) {
+  if (message.type !== expectedType) {
+    throw new RemoteCliError("RIG_REMOTE_UNEXPECTED_RESPONSE", `Unexpected response type: ${message.type}. Expected ${expectedType}.`, 3, { expectedType, actualType: message.type, message });
+  }
+  return message;
+}
+export {
+  upsertManagedRemoteEndpoint,
+  updateManagedRemoteEndpointInAuthority,
+  summarizeMessage,
+  resolveRemoteEndpoint,
+  removeManagedRemoteEndpoint,
+  migrateManagedRemoteEndpoints,
+  matchesEventFilter,
+  loadRemotesConfig,
+  listManagedRemoteEndpoints,
+  doctorManagedRemoteEndpoints,
+  RemoteWsClient,
+  RemoteCliError
+};