@inkbox/sdk 0.2.15 → 0.3.0

package/dist/tunnels/client/_wsframe.js

@@ -0,0 +1,282 @@
+/**
+ * inkbox-tunnels/client/_wsframe.ts
+ *
+ * RFC 6455 WebSocket frame codec, plus the length-prefixed JSON envelope
+ * format the WS-bridge stream carries.
+ *
+ * Pure / synchronous; no I/O. Used by both the WS upgrade bridge and
+ * the passthrough TCP bridge (which tunnels raw bytes inside WS BINARY
+ * frames on an extended-CONNECT stream).
+ *
+ * ## Statefulness — the decoder MUST accumulate across calls
+ *
+ * A single h2 DATA frame can carry zero, one, many, or partial WS
+ * frames; a single WS frame (with extended length) can span multiple
+ * DATA boundaries. Use {@link WsFrameDecoder.feed} which retains a
+ * carry buffer between calls. Do not implement
+ * one-frame-per-DATA-callback in callers.
+ *
+ * ## Partial-bytes-at-EOF policy (M3 T0 — matches Python)
+ *
+ * If the bridge stream ends ("end" or "reset" h2 event) while the carry
+ * buffer still contains a partial WS frame, the policy is:
+ *   **drop the trailing bytes silently and close the WS session.**
+ *   No RST_STREAM. No error surfaced to the user.
+ *
+ * Verified against Python `_runtime.py` (`_pump_ws`): on a stream-end /
+ * stream-reset event, `recv_done` is set and the loop exits, abandoning
+ * `wire_buf` and `env_buf` without any cleanup write. The TS port
+ * mirrors that exactly.
+ */
+import { randomBytes } from "node:crypto";
+export const WS_OPCODE_CONTINUATION = 0x0;
+export const WS_OPCODE_TEXT = 0x1;
+export const WS_OPCODE_BINARY = 0x2;
+export const WS_OPCODE_CLOSE = 0x8;
+export const WS_OPCODE_PING = 0x9;
+export const WS_OPCODE_PONG = 0xa;
+/**
+ * Stateful WS frame decoder. Hold one per bridge stream; call
+ * {@link feed} as h2 DATA chunks arrive.
+ */
+export class WsFrameDecoder {
+    buf = Buffer.alloc(0);
+    /**
+     * Feed a chunk of wire bytes; return any newly-decodable frames.
+     * Trailing partial bytes stay in the carry buffer for the next call.
+     */
+    feed(chunk) {
+        if (chunk.length > 0) {
+            this.buf = this.buf.length === 0 ? chunk : Buffer.concat([this.buf, chunk]);
+        }
+        const frames = [];
+        let cursor = 0;
+        while (true) {
+            const remaining = this.buf.length - cursor;
+            if (remaining < 2)
+                break;
+            const b0 = this.buf[cursor];
+            const b1 = this.buf[cursor + 1];
+            const fin = (b0 & 0x80) !== 0;
+            const opcode = b0 & 0x0f;
+            const masked = (b1 & 0x80) !== 0;
+            let plen = b1 & 0x7f;
+            let offset = 2;
+            if (plen === 126) {
+                if (remaining < 4)
+                    break;
+                plen = this.buf.readUInt16BE(cursor + 2);
+                offset = 4;
+            }
+            else if (plen === 127) {
+                if (remaining < 10)
+                    break;
+                const high = this.buf.readUInt32BE(cursor + 2);
+                const low = this.buf.readUInt32BE(cursor + 6);
+                // JS-safe range: < 2^53. The bridge cap is well below that.
+                plen = high * 0x1_0000_0000 + low;
+                offset = 10;
+            }
+            let maskKey = null;
+            if (masked) {
+                if (remaining < offset + 4)
+                    break;
+                maskKey = this.buf.subarray(cursor + offset, cursor + offset + 4);
+                offset += 4;
+            }
+            if (remaining < offset + plen)
+                break;
+            let payload = Buffer.from(this.buf.subarray(cursor + offset, cursor + offset + plen));
+            if (masked && maskKey) {
+                for (let i = 0; i < payload.length; i++) {
+                    payload[i] = payload[i] ^ maskKey[i % 4];
+                }
+            }
+            frames.push({ opcode, payload, fin });
+            cursor += offset + plen;
+        }
+        if (cursor > 0) {
+            this.buf = cursor === this.buf.length
+                ? Buffer.alloc(0)
+                : Buffer.from(this.buf.subarray(cursor));
+        }
+        return frames;
+    }
+    /** True iff there are partial bytes still in the carry buffer. */
+    hasPartial() {
+        return this.buf.length > 0;
+    }
+    /** Bytes currently buffered (test-only inspection). */
+    partialBytes() {
+        return this.buf.length;
+    }
+}
+/**
+ * Encode a single WS frame. ``mask=true`` is required for
+ * client→server traffic per RFC 6455.
+ */
+export function encodeWsFrame(opcode, payload, options = {}) {
+    const mask = options.mask !== false;
+    const fin = options.fin !== false;
+    const plen = payload.length;
+    let headerLen = 2;
+    if (plen >= 126 && plen < 65536)
+        headerLen = 4;
+    else if (plen >= 65536)
+        headerLen = 10;
+    if (mask)
+        headerLen += 4;
+    const out = Buffer.alloc(headerLen + plen);
+    out[0] = (fin ? 0x80 : 0x00) | (opcode & 0x0f);
+    const maskBit = mask ? 0x80 : 0x00;
+    let off = 2;
+    if (plen < 126) {
+        out[1] = maskBit | plen;
+    }
+    else if (plen < 65536) {
+        out[1] = maskBit | 126;
+        out.writeUInt16BE(plen, 2);
+        off = 4;
+    }
+    else {
+        out[1] = maskBit | 127;
+        const high = Math.floor(plen / 0x1_0000_0000);
+        const low = plen % 0x1_0000_0000;
+        out.writeUInt32BE(high, 2);
+        out.writeUInt32BE(low, 6);
+        off = 10;
+    }
+    if (mask) {
+        const maskKey = randomBytes(4);
+        maskKey.copy(out, off);
+        for (let i = 0; i < plen; i++) {
+            out[off + 4 + i] = payload[i] ^ maskKey[i % 4];
+        }
+    }
+    else {
+        payload.copy(out, off);
+    }
+    return out;
+}
+export function encodeWsEnvelope(msg) {
+    let wire;
+    if (msg.type === "websocket.send") {
+        if ("text" in msg && msg.text !== undefined) {
+            wire = { type: "text", data: msg.text };
+        }
+        else if ("bytes" in msg && msg.bytes !== undefined) {
+            wire = { type: "binary", data: msg.bytes.toString("base64") };
+        }
+        else {
+            wire = { type: "text", data: "" };
+        }
+    }
+    else if (msg.type === "websocket.close") {
+        wire = {
+            type: "close",
+            code: msg.code ?? 1000,
+            reason: msg.reason ?? "",
+        };
+    }
+    else {
+        wire = { type: "text", data: "" };
+    }
+    const json = Buffer.from(JSON.stringify(wire), "utf-8");
+    const out = Buffer.alloc(4 + json.length);
+    out.writeUInt32BE(json.length, 0);
+    json.copy(out, 4);
+    return out;
+}
+/**
+ * Length-prefixed-JSON envelope decoder. Stateful — call repeatedly
+ * with concatenated WS-frame payloads, get back fully-formed envelopes
+ * as they emerge.
+ *
+ * Binary envelopes have their `data` field strictly base64-validated
+ * (per the server contract). Malformed base64 is logged and dropped —
+ * the empty result is what the runtime delivers, mirroring Python's
+ * `_ws.py` behavior at the validate=True boundary.
+ */
+export class WsEnvelopeDecoder {
+    buf = Buffer.alloc(0);
+    feed(chunk) {
+        if (chunk.length > 0) {
+            this.buf = this.buf.length === 0 ? chunk : Buffer.concat([this.buf, chunk]);
+        }
+        const out = [];
+        let cursor = 0;
+        while (this.buf.length - cursor >= 4) {
+            const length = this.buf.readUInt32BE(cursor);
+            if (this.buf.length - cursor - 4 < length)
+                break;
+            const payload = this.buf.subarray(cursor + 4, cursor + 4 + length);
+            cursor += 4 + length;
+            let parsed;
+            try {
+                parsed = JSON.parse(payload.toString("utf-8"));
+            }
+            catch {
+                continue;
+            }
+            const decoded = decodeOneEnvelope(parsed);
+            if (decoded !== null)
+                out.push(decoded);
+        }
+        if (cursor > 0) {
+            this.buf = cursor === this.buf.length
+                ? Buffer.alloc(0)
+                : Buffer.from(this.buf.subarray(cursor));
+        }
+        return out;
+    }
+    hasPartial() {
+        return this.buf.length > 0;
+    }
+}
+function decodeOneEnvelope(parsed) {
+    if (parsed.type === "text") {
+        return { type: "text", data: typeof parsed.data === "string" ? parsed.data : "" };
+    }
+    if (parsed.type === "binary") {
+        if (typeof parsed.data !== "string")
+            return null;
+        const decoded = decodeStrictBase64(parsed.data);
+        if (decoded === null)
+            return null;
+        return { type: "binary", data: decoded };
+    }
+    if (parsed.type === "close") {
+        return {
+            type: "close",
+            code: typeof parsed.code === "number" ? parsed.code : 1000,
+            reason: typeof parsed.reason === "string" ? parsed.reason : "",
+        };
+    }
+    return null;
+}
+/**
+ * Strict base64 decode: rejects non-base64 characters, requires
+ * padding. Mirrors Python `base64.b64decode(..., validate=True)`.
+ *
+ * Node's `Buffer.from(s, "base64")` is permissive (silently strips
+ * non-base64 chars and tolerates missing padding). We need the strict
+ * shape to match the server's outbound encoding exactly — otherwise a
+ * garbage `"@@@@"` decodes to an empty Buffer the user's app would
+ * mistake for a real binary message.
+ */
+function decodeStrictBase64(s) {
+    if (s.length === 0)
+        return Buffer.alloc(0);
+    if (s.length % 4 !== 0)
+        return null;
+    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s))
+        return null;
+    const decoded = Buffer.from(s, "base64");
+    // Round-trip: re-encode and compare. Catches edge cases the regex
+    // above lets through (Node's Buffer is still tolerant of some inputs).
+    if (decoded.toString("base64") !== s)
+        return null;
+    return decoded;
+}
+export const __testing = { decodeStrictBase64 };
+//# sourceMappingURL=_wsframe.js.map

package/dist/tunnels/client/_wsframe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_wsframe.js","sourceRoot":"","sources":["../../../src/tunnels/client/_wsframe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,MAAM,CAAC,MAAM,sBAAsB,GAAG,GAAG,CAAC;AAC1C,MAAM,CAAC,MAAM,cAAc,GAAG,GAAG,CAAC;AAClC,MAAM,CAAC,MAAM,gBAAgB,GAAG,GAAG,CAAC;AACpC,MAAM,CAAC,MAAM,eAAe,GAAG,GAAG,CAAC;AACnC,MAAM,CAAC,MAAM,cAAc,GAAG,GAAG,CAAC;AAClC,MAAM,CAAC,MAAM,cAAc,GAAG,GAAG,CAAC;AAQlC;;;GAGG;AACH,MAAM,OAAO,cAAc;IACjB,GAAG,GAAW,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtC;;;OAGG;IACH,IAAI,CAAC,KAAa;QAChB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;QAC9E,CAAC;QACD,MAAM,MAAM,GAAc,EAAE,CAAC;QAC7B,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;YAC3C,IAAI,SAAS,GAAG,CAAC;gBAAE,MAAM;YACzB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAChC,MAAM,GAAG,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;YAC9B,MAAM,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC;YACzB,MAAM,MAAM,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;YACjC,IAAI,IAAI,GAAG,EAAE,GAAG,IAAI,CAAC;YACrB,IAAI,MAAM,GAAG,CAAC,CAAC;YACf,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBACjB,IAAI,SAAS,GAAG,CAAC;oBAAE,MAAM;gBACzB,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACzC,MAAM,GAAG,CAAC,CAAC;YACb,CAAC;iBAAM,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBACxB,IAAI,SAAS,GAAG,EAAE;oBAAE,MAAM;gBAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBAC9C,4DAA4D;gBAC5D,IAAI,GAAG,IAAI,GAAG,aAAa,GAAG,GAAG,CAAC;gBAClC,MAAM,GAAG,EAAE,CAAC;YACd,CAAC;YACD,IAAI,OAAO,GAAkB,IAAI,CAAC;YAClC,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,SAAS,GAAG,MAAM,GAAG,CAAC;oBAAE,MAAM;gBAClC,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,CAAC,CAAC,CAAC;gBAClE,MAAM,IAAI,CAAC,CAAC;YACd,CAAC;YACD,IAAI,SAAS,GAAG,MAAM,GAAG,IAAI;gBAAE,MAAM;YACrC,IAAI,OAAO,GAAG,MAAM,CAAC,IAAI,CACvB,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAC3D,CAAC;YACF,IAAI,MAAM,IAAI,OAAO,EAAE,CAAC;gBACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACxC,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC3C,CAAC;YACH,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YACtC,MAAM,IAAI,MAAM,GAAG,IAAI,CAAC;QAC1B,CAAC;QACD,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,IAAI,CAAC,GAAG,GAAG,MAAM,KAAK,IAAI,CAAC,GAAG,CAAC,MAAM;gBACnC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;gBACjB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7C,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,kEAAkE;IAClE,UAAU;QACR,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,uDAAuD;IACvD,YAAY;QACV,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC;IACzB,CAAC;CACF;AAaD;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,MAAc,EACd,OAAe,EACf,UAAyB,EAAE;IAE3B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,KAAK,KAAK,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,KAAK,KAAK,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IAC5B,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,IAAI,IAAI,GAAG,IAAI,IAAI,GAAG,KAAK;QAAE,SAAS,GAAG,CAAC,CAAC;SAC1C,IAAI,IAAI,IAAI,KAAK;QAAE,SAAS,GAAG,EAAE,CAAC;IACvC,IAAI,IAAI;QAAE,SAAS,IAAI,CAAC,CAAC;IACzB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC3C,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IACnC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,IAAI,GAAG,GAAG,EAAE,CAAC;QACf,GAAG,CAAC,CAAC,CAAC,GAAG,OAAO,GAAG,IAAI,CAAC;IAC1B,CAAC;SAAM,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;QACxB,GAAG,CAAC,CAAC,CAAC,GAAG,OAAO,GAAG,GAAG,CAAC;QACvB,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3B,GAAG,GAAG,CAAC,CAAC;IACV,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,CAAC,CAAC,GAAG,OAAO,GAAG,GAAG,CAAC;QACvB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,aAAa,CAAC,CAAC;QAC9C,MAAM,GAAG,GAAG,IAAI,GAAG,aAAa,CAAC;QACjC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3B,GAAG,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAC1B,GAAG,GAAG,EAAE,CAAC;IACX,CAAC;IACD,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9B,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAmBD,MAAM,UAAU,gBAAgB,CAAC,GAAkB;IACjD,IAAI,IAAqE,CAAC;IAC1E,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAClC,IAAI,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC5C,IAAI,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC;QAC1C,CAAC;aAAM,IAAI,OAAO,IAAI,GAAG,IAAI,GAAG,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YACrD,IAAI,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChE,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;SAAM,IAAI,GAAG,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QAC1C,IAAI,GAAG;YACL,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,IAAI;YACtB,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,EAAE;SACzB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACpC,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1C,GAAG,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAClB,OAAO,GAAG,CAAC;AACb,CAAC;AAWD;;;;;;;;;GASG;AACH,MAAM,OAAO,iBAAiB;IACpB,GAAG,GAAW,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtC,IAAI,CAAC,KAAa;QAChB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;QAC9E,CAAC;QACD,MAAM,GAAG,GAAwB,EAAE,CAAC;QACpC,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;YAC7C,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,MAAM,GAAG,CAAC,GAAG,MAAM;gBAAE,MAAM;YACjD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;YACnE,MAAM,IAAI,CAAC,GAAG,MAAM,CAAC;YACrB,IAAI,MAA4E,CAAC;YACjF,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAkB,CAAC;YAClE,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,MAAM,OAAO,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC1C,IAAI,OAAO,KAAK,IAAI;gBAAE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC;QACD,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,IAAI,CAAC,GAAG,GAAG,MAAM,KAAK,IAAI,CAAC,GAAG,CAAC,MAAM;gBACnC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;gBACjB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7C,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,UAAU;QACR,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7B,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,MAK1B;IACC,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACpF,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACjD,MAAM,OAAO,GAAG,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAClC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC3C,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,OAAO;YACL,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;YAC1D,MAAM,EAAE,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;SAC/D,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,kBAAkB,CAAC,CAAS;IACnC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3C,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IACzC,kEAAkE;IAClE,uEAAuE;IACvE,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,MAAM,SAAS,GAAG,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/tunnels/client/index.d.ts

@@ -0,0 +1,101 @@
+/**
+ * @inkbox/sdk/tunnels/connect — Node-only data-plane runtime.
+ *
+ * Imported as:
+ *
+ * ```ts
+ * import { connect } from "@inkbox/sdk/tunnels/connect";
+ * ```
+ *
+ * This subpath pulls in `node:http2`, `node:tls`, `node:fs`, and
+ * `node:os`, so it is NOT browser-safe. The main package entry
+ * (`@inkbox/sdk`) stays browser-safe; only this subpath gates on Node.
+ */
+import type { Inkbox } from "../../inkbox.js";
+import { TLSMode } from "../types.js";
+import { type TunnelListener, type TunnelStatusCallback } from "./_listener.js";
+import type { InkboxHandler } from "./_handler.js";
+import type { InkboxWsHandler } from "./_ws.js";
+export type { TunnelListener, TunnelStatusCallback } from "./_listener.js";
+export { ForwardTargetRefused, validateEnvelopePath, validateForwardTarget, } from "./_validation.js";
+export type { InkboxHandler, InkboxRequestContext } from "./_handler.js";
+export type { InkboxWebSocket, InkboxWebSocketAcceptOpts, InkboxWsHandler, } from "./_ws.js";
+export { WsAcceptDeadlineExceeded, WsClosed, WsProtocolMismatch, } from "./_ws.js";
+export { TunnelAuthError } from "./_runtime.js";
+/** Default tunnel zone — used when neither the server nor the state file specifies one. */
+export declare const PROD_ZONE = "inkboxwire.com";
+/**
+ * Raised by `connect()` when the supplied dispatch options are
+ * invalid — for example, both `forwardTo` and `handler` set, or
+ * `wsHandler` set without an HTTP path.
+ *
+ * Validation runs synchronously before any control-plane writes: a
+ * tunnel is never created or restored for an invalid configuration.
+ */
+export declare class InvalidConnectOptions extends Error {
+    constructor(message: string);
+}
+export interface ConnectOptions {
+    /** Tunnel name (server-side `tunnel_name`). */
+    name: string;
+    /** URL forward path: forward inbound HTTP traffic to a local URL. */
+    forwardTo?: string;
+    /** In-process Fetch-API HTTP handler. Mutually exclusive with `forwardTo`. */
+    handler?: InkboxHandler;
+    /** In-process WS handler. Optional alongside an HTTP path. */
+    wsHandler?: InkboxWsHandler;
+    /** Expert-only override for the data-plane h2 endpoint. */
+    dataPlaneZone?: string;
+    /** `"edge"` (default) or `"passthrough"`. */
+    tlsMode?: TLSMode | "edge" | "passthrough";
+    /** Where state.json (and passthrough key/cert) live. */
+    stateDir?: string;
+    /** Free-form description, recorded server-side at create time. */
+    description?: string;
+    /** 1-32; omit to let the server decide. */
+    poolSize?: number;
+    /** Explicit override; wins over the state file. */
+    secret?: string;
+    /** Status transitions. */
+    onStatus?: TunnelStatusCallback;
+    /** `"auto_restore"` (default) or `"error"`. */
+    onPendingRemoval?: "auto_restore" | "error";
+    /** Cap on materialized inbound bodies. */
+    maxInboundBodyBytes?: number;
+    /**
+     * Cap on materialized outbound (response) bodies. Threaded into both
+     * the URL-forward and in-process-handler paths as the same value;
+     * different names imply different policies and confuse users.
+     */
+    maxResponseBytes?: number;
+    /** Bypass the loopback-only allowlist for `forwardTo`. */
+    allowRemoteForwarding?: boolean;
+    /** TTY-gated by default. */
+    printSecretToStderr?: boolean | null;
+    /** Signal-handler installation policy. */
+    installSignalHandlers?: boolean;
+    /**
+     * Default `true`. When `false`, passthrough advertises only
+     * `http/1.1` in ALPN — the h1 parser still handles inbound traffic
+     * uniformly (caps, validation, header injection). This is an
+     * ALPN-only escape hatch; the raw byte-pipe is gone.
+     */
+    enableH2Transcode?: boolean;
+    /**
+     * Verify the upstream's TLS certificate when `forwardTo` is `https://`.
+     * Default `true`. Set `false` for self-signed dev certs on loopback;
+     * pair with `forwardToCaBundle` for private CAs.
+     */
+    forwardToVerifyTls?: boolean;
+    /**
+     * Extra CA certificate(s) (PEM) to trust when verifying the upstream
+     * TLS certificate. Mutually exclusive with `forwardToVerifyTls=false`
+     * for sanity.
+     */
+    forwardToCaBundle?: Buffer | string;
+}
+/**
+ * Bring a tunnel online from this Node process.
+ */
+export declare function connect(inkbox: Inkbox, options: ConnectOptions): Promise<TunnelListener>;
+//# sourceMappingURL=index.d.ts.map

package/dist/tunnels/client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/tunnels/client/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAQ9C,OAAO,EAAE,OAAO,EAAwB,MAAM,aAAa,CAAC;AAa5D,OAAO,EAEL,KAAK,cAAc,EAEnB,KAAK,oBAAoB,EAC1B,MAAM,gBAAgB,CAAC;AAMxB,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAC3E,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACzE,YAAY,EACV,eAAe,EACf,yBAAyB,EACzB,eAAe,GAChB,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,wBAAwB,EACxB,QAAQ,EACR,kBAAkB,GACnB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,2FAA2F;AAC3F,eAAO,MAAM,SAAS,mBAAmB,CAAC;AAE1C;;;;;;;GAOG;AACH,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,OAAO,EAAE,MAAM;CAI5B;AAED,MAAM,WAAW,cAAc;IAC7B,+CAA+C;IAC/C,IAAI,EAAE,MAAM,CAAC;IACb,qEAAqE;IACrE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8EAA8E;IAC9E,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,8DAA8D;IAC9D,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B,2DAA2D;IAC3D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,aAAa,CAAC;IAC3C,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,oBAAoB,CAAC;IAChC,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC;IAC5C,0CAA0C;IAC1C,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0DAA0D;IAC1D,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,4BAA4B;IAC5B,mBAAmB,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IACrC,0CAA0C;IAC1C,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CACrC;AA0DD;;GAEG;AACH,wBAAsB,OAAO,CAC3B,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,cAAc,CAAC,CAyLzB"}

package/dist/tunnels/client/index.js

@@ -0,0 +1,242 @@
+/**
+ * @inkbox/sdk/tunnels/connect — Node-only data-plane runtime.
+ *
+ * Imported as:
+ *
+ * ```ts
+ * import { connect } from "@inkbox/sdk/tunnels/connect";
+ * ```
+ *
+ * This subpath pulls in `node:http2`, `node:tls`, `node:fs`, and
+ * `node:os`, so it is NOT browser-safe. The main package entry
+ * (`@inkbox/sdk`) stays browser-safe; only this subpath gates on Node.
+ */
+import { POOL_SIZE_MAX, POOL_SIZE_MIN } from "../resources/tunnels.js";
+import { TunnelRemoved, TunnelSecretUnavailable, TunnelStateConflict, } from "../exceptions.js";
+import { validateTunnelName } from "../_validation.js";
+import { TLSMode, TunnelStatus } from "../types.js";
+import { validateForwardTarget, } from "./_validation.js";
+import { defaultStateDir, ensurePrivateStateDir, loadState, printSecretOnce, saveState, } from "./_state.js";
+import { TunnelListenerImpl, } from "./_listener.js";
+import { DEFAULT_INBOUND_BODY_BYTES, DEFAULT_OUTBOUND_BODY_BYTES, TunnelRuntime, } from "./_runtime.js";
+export { ForwardTargetRefused, validateEnvelopePath, validateForwardTarget, } from "./_validation.js";
+export { WsAcceptDeadlineExceeded, WsClosed, WsProtocolMismatch, } from "./_ws.js";
+export { TunnelAuthError } from "./_runtime.js";
+/** Default tunnel zone — used when neither the server nor the state file specifies one. */
+export const PROD_ZONE = "inkboxwire.com";
+/**
+ * Raised by `connect()` when the supplied dispatch options are
+ * invalid — for example, both `forwardTo` and `handler` set, or
+ * `wsHandler` set without an HTTP path.
+ *
+ * Validation runs synchronously before any control-plane writes: a
+ * tunnel is never created or restored for an invalid configuration.
+ */
+export class InvalidConnectOptions extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "InvalidConnectOptions";
+    }
+}
+function validatePoolSize(poolSize) {
+    if (poolSize === undefined)
+        return;
+    if (!Number.isInteger(poolSize) ||
+        poolSize < POOL_SIZE_MIN ||
+        poolSize > POOL_SIZE_MAX) {
+        throw new RangeError(`poolSize must be an integer in [${POOL_SIZE_MIN}, ${POOL_SIZE_MAX}] (got ${poolSize})`);
+    }
+}
+/**
+ * Validate the `connect()` dispatch matrix synchronously, before any
+ * control-plane writes. The runtime never has to handle the ambiguous
+ * combinations because they can't reach it.
+ */
+function validateDispatchOptions(opts) {
+    const hasForward = opts.forwardTo !== undefined;
+    const hasHandler = opts.handler !== undefined;
+    const hasWs = opts.wsHandler !== undefined;
+    if (hasForward && hasHandler) {
+        throw new InvalidConnectOptions("ambiguous HTTP path: both forwardTo and handler are set; pick one.");
+    }
+    if (!hasForward && !hasHandler && !hasWs) {
+        throw new InvalidConnectOptions("no dispatch path configured: pass forwardTo, handler, or wsHandler.");
+    }
+    if (!hasForward && !hasHandler && hasWs) {
+        throw new InvalidConnectOptions("wsHandler set without an HTTP path: pass forwardTo or handler too.");
+    }
+}
+function resolveZoneAndHost(opts) {
+    const publicHost = opts.serverPublicHost ?? opts.state?.publicHost ?? `${opts.name}.${PROD_ZONE}`;
+    const zone = opts.dataPlaneZoneOverride ??
+        opts.serverZone ??
+        opts.state?.zone ??
+        PROD_ZONE;
+    return { zone, publicHost };
+}
+/**
+ * Bring a tunnel online from this Node process.
+ */
+export async function connect(inkbox, options) {
+    // --- Synchronous validation (cheap; runs before any disk or server I/O) ---
+    validateTunnelName(options.name);
+    validatePoolSize(options.poolSize);
+    validateDispatchOptions(options);
+    if (options.forwardTo !== undefined) {
+        validateForwardTarget(options.forwardTo, {
+            allowRemoteForwarding: options.allowRemoteForwarding,
+        });
+    }
+    const tlsMode = (typeof options.tlsMode === "string"
+        ? options.tlsMode
+        : options.tlsMode) ?? TLSMode.EDGE;
+    // Passthrough accepts both http:// and https:// forwardTo URLs.
+    // UpstreamUrlDispatch builds undici's tls.connect options from
+    // forwardToVerifyTls / forwardToCaBundle for https:// upstreams.
+    const onPendingRemoval = options.onPendingRemoval ?? "auto_restore";
+    const stateDirPath = options.stateDir ?? defaultStateDir(options.name);
+    ensurePrivateStateDir(stateDirPath);
+    const state = loadState(stateDirPath);
+    let secret = options.secret ?? state?.secret ?? null;
+    let tunnel = null;
+    if (state?.tunnelId) {
+        try {
+            tunnel = await inkbox.tunnels.get(state.tunnelId);
+        }
+        catch (err) {
+            const apiErr = err;
+            if (apiErr?.statusCode === 404) {
+                throw new TunnelRemoved(`tunnel ${options.name} (id=${state.tunnelId}) has been removed; ` +
+                    `clear ${stateDirPath} and call inkbox.tunnels.create() to start fresh`);
+            }
+            throw err;
+        }
+    }
+    if (!tunnel) {
+        const list = await inkbox.tunnels.list();
+        tunnel = list.find((t) => t.tunnelName === options.name) ?? null;
+    }
+    if (!tunnel) {
+        const created = await inkbox.tunnels.create({
+            tunnelName: options.name,
+            tlsMode,
+            description: options.description,
+        });
+        tunnel = created.tunnel;
+        secret = created.connectSecret;
+        saveState(stateDirPath, {
+            tunnelId: tunnel.id,
+            name: options.name,
+            secret,
+            mode: tlsMode,
+            zone: tunnel.zone,
+            publicHost: tunnel.publicHost,
+        });
+        printSecretOnce({
+            secret,
+            statePath: `${stateDirPath}/state.json`,
+            printToStderr: options.printSecretToStderr ?? null,
+        });
+    }
+    else {
+        if (tunnel.tlsMode !== tlsMode) {
+            throw new TunnelStateConflict(409, `tls_mode mismatch: requested ${tlsMode} but tunnel reports ${tunnel.tlsMode}. ` +
+                "tls_mode is fixed at creation; delete the tunnel and recreate to change it.");
+        }
+        if (tunnel.status === TunnelStatus.PENDING_REMOVAL) {
+            if (onPendingRemoval === "error") {
+                throw new TunnelStateConflict(409, `tunnel ${options.name} is in pending_removal; pass ` +
+                    "onPendingRemoval: 'auto_restore' to bring it back");
+            }
+            if (!secret) {
+                throw new TunnelSecretUnavailable(`connect_secret not available locally for tunnel ${options.name}; ` +
+                    "pass secret explicitly, or rotate via inkbox.tunnels.rotateSecret(id) first.");
+            }
+            tunnel = await inkbox.tunnels.restore(tunnel.id);
+        }
+        if (!secret) {
+            throw new TunnelSecretUnavailable(`connect_secret not available locally for tunnel ${options.name}; ` +
+                "pass secret explicitly, or rotate via inkbox.tunnels.rotateSecret(id) first.");
+        }
+    }
+    // For passthrough, lazy-load _cert.ts so the edge-mode bundle stays
+    // clean of @peculiar/x509. The dynamic import keeps the dep out of
+    // the static module graph for edge users; M5 bundle verification is
+    // the forcing function.
+    let tlsTerminator = null;
+    if (tunnel.tlsMode === TLSMode.PASSTHROUGH) {
+        // Passthrough accepts either ``forwardTo`` (URL) or ``handler``
+        // (Fetch-style callable). The runtime constructs UpstreamUrlDispatch
+        // or CallableDispatch accordingly.
+        const cert = await import("./_cert.js");
+        const tls = await import("./_tls.js");
+        const keypair = await cert.loadOrCreateKeypair(stateDirPath);
+        const tunnelPublicHost = tunnel.publicHost ?? `${options.name}.${PROD_ZONE}`;
+        if (await cert.certNeedsSign(stateDirPath, keypair)) {
+            const csrPem = await cert.buildCsr(keypair, tunnelPublicHost);
+            const signed = await inkbox.tunnels.signCsr(tunnel.id, { csrPem });
+            cert.writeCertChain(stateDirPath, signed.certPem, signed.chainPem);
+        }
+        const certPath = `${stateDirPath}/cert_chain.pem`;
+        const certChainPem = await import("node:fs").then((fs) => fs.promises.readFile(certPath));
+        const keyPem = await cert.keyPemBytes(keypair);
+        // ALPN advertised in passthrough. enableH2Transcode=true (default)
+        // advertises h2 + http/1.1; the runtime selects the h1 parser or
+        // h2 transcoder per-connection by negotiated ALPN. Setting it
+        // false is the ALPN-only escape hatch — h1 parser still services
+        // inbound traffic, but h2 is never offered.
+        const enableH2 = options.enableH2Transcode !== false;
+        const alpnProtocols = enableH2
+            ? ["h2", "http/1.1"]
+            : ["http/1.1"];
+        tlsTerminator = new tls.TlsTerminator({
+            certChainPem,
+            keyPem,
+            alpnProtocols,
+        });
+    }
+    const { zone, publicHost } = resolveZoneAndHost({
+        name: options.name,
+        serverZone: tunnel.zone,
+        serverPublicHost: tunnel.publicHost,
+        state,
+        dataPlaneZoneOverride: options.dataPlaneZone ?? null,
+    });
+    saveState(stateDirPath, {
+        tunnelId: tunnel.id,
+        name: options.name,
+        secret,
+        mode: tunnel.tlsMode,
+        zone,
+        publicHost,
+    });
+    const runtime = new TunnelRuntime({
+        tunnelId: tunnel.id,
+        secret,
+        zone,
+        publicHost,
+        poolSize: options.poolSize ?? null,
+        dispatch: {
+            forwardTo: options.forwardTo,
+            httpHandler: options.handler,
+            wsHandler: options.wsHandler,
+        },
+        tlsTerminator: tlsTerminator ?? undefined,
+        maxInboundBodyBytes: options.maxInboundBodyBytes ?? DEFAULT_INBOUND_BODY_BYTES,
+        maxResponseBytes: options.maxResponseBytes ?? DEFAULT_OUTBOUND_BODY_BYTES,
+        allowRemoteForwarding: options.allowRemoteForwarding,
+        forwardToVerifyTls: options.forwardToVerifyTls,
+        forwardToCaBundle: options.forwardToCaBundle,
+        onStatus: options.onStatus,
+    });
+    const listenerOpts = {
+        installSignalHandlers: options.installSignalHandlers,
+    };
+    return new TunnelListenerImpl({
+        publicHost,
+        tunnel,
+        runtime,
+        listenerOpts,
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/tunnels/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/tunnels/client/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACvE,OAAO,EACL,aAAa,EACb,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,OAAO,EAAU,YAAY,EAAE,MAAM,aAAa,CAAC;AAC5D,OAAO,EAGL,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,SAAS,EACT,eAAe,EACf,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,kBAAkB,GAInB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,0BAA0B,EAC1B,2BAA2B,EAC3B,aAAa,GACd,MAAM,eAAe,CAAC;AAKvB,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAO1B,OAAO,EACL,wBAAwB,EACxB,QAAQ,EACR,kBAAkB,GACnB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,2FAA2F;AAC3F,MAAM,CAAC,MAAM,SAAS,GAAG,gBAAgB,CAAC;AAE1C;;;;;;;GAOG;AACH,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AA8DD,SAAS,gBAAgB,CAAC,QAA4B;IACpD,IAAI,QAAQ,KAAK,SAAS;QAAE,OAAO;IACnC,IACE,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC;QAC3B,QAAQ,GAAG,aAAa;QACxB,QAAQ,GAAG,aAAa,EACxB,CAAC;QACD,MAAM,IAAI,UAAU,CAClB,mCAAmC,aAAa,KAAK,aAAa,UAAU,QAAQ,GAAG,CACxF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,uBAAuB,CAAC,IAAoB;IACnD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,KAAK,SAAS,CAAC;IAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC;IAC3C,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,IAAI,qBAAqB,CAC7B,oEAAoE,CACrE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC;QACzC,MAAM,IAAI,qBAAqB,CAC7B,qEAAqE,CACtE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,IAAI,KAAK,EAAE,CAAC;QACxC,MAAM,IAAI,qBAAqB,CAC7B,oEAAoE,CACrE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,IAM3B;IACC,MAAM,UAAU,GACd,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,KAAK,EAAE,UAAU,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;IACjF,MAAM,IAAI,GACR,IAAI,CAAC,qBAAqB;QAC1B,IAAI,CAAC,UAAU;QACf,IAAI,CAAC,KAAK,EAAE,IAAI;QAChB,SAAS,CAAC;IACZ,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,OAAuB;IAEvB,6EAA6E;IAC7E,kBAAkB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,gBAAgB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,uBAAuB,CAAC,OAAO,CAAC,CAAC;IACjC,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,qBAAqB,CAAC,OAAO,CAAC,SAAS,EAAE;YACvC,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;SACrD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,OAAO,GACX,CAAC,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ;QAClC,CAAC,CAAE,OAAO,CAAC,OAAmB;QAC9B,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC;IAEvC,gEAAgE;IAChE,+DAA+D;IAC/D,iEAAiE;IACjE,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,cAAc,CAAC;IACpE,MAAM,YAAY,GAAG,OAAO,CAAC,QAAQ,IAAI,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvE,qBAAqB,CAAC,YAAY,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;IAEtC,IAAI,MAAM,GAAkB,OAAO,CAAC,MAAM,IAAI,KAAK,EAAE,MAAM,IAAI,IAAI,CAAC;IACpE,IAAI,MAAM,GAAkB,IAAI,CAAC;IAEjC,IAAI,KAAK,EAAE,QAAQ,EAAE,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,GAA8B,CAAC;YAC9C,IAAI,MAAM,EAAE,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC/B,MAAM,IAAI,aAAa,CACrB,UAAU,OAAO,CAAC,IAAI,QAAQ,KAAK,CAAC,QAAQ,sBAAsB;oBAChE,SAAS,YAAY,kDAAkD,CAC1E,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;IACnE,CAAC;IACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YAC1C,UAAU,EAAE,OAAO,CAAC,IAAI;YACxB,OAAO;YACP,WAAW,EAAE,OAAO,CAAC,WAAW;SACjC,CAAC,CAAC;QACH,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QACxB,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;QAC/B,SAAS,CAAC,YAAY,EAAE;YACtB,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,MAAM;YACN,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC,CAAC;QACH,eAAe,CAAC;YACd,MAAM;YACN,SAAS,EAAE,GAAG,YAAY,aAAa;YACvC,aAAa,EAAE,OAAO,CAAC,mBAAmB,IAAI,IAAI;SACnD,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;YAC/B,MAAM,IAAI,mBAAmB,CAC3B,GAAG,EACH,gCAAgC,OAAO,uBAAuB,MAAM,CAAC,OAAO,IAAI;gBAC9E,6EAA6E,CAChF,CAAC;QACJ,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,KAAK,YAAY,CAAC,eAAe,EAAE,CAAC;YACnD,IAAI,gBAAgB,KAAK,OAAO,EAAE,CAAC;gBACjC,MAAM,IAAI,mBAAmB,CAC3B,GAAG,EACH,UAAU,OAAO,CAAC,IAAI,+BAA+B;oBACnD,mDAAmD,CACtD,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,uBAAuB,CAC/B,mDAAmD,OAAO,CAAC,IAAI,IAAI;oBACjE,8EAA8E,CACjF,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,uBAAuB,CAC/B,mDAAmD,OAAO,CAAC,IAAI,IAAI;gBACjE,8EAA8E,CACjF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,mEAAmE;IACnE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,aAAa,GAA6C,IAAI,CAAC;IACnE,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3C,gEAAgE;QAChE,qEAAqE;QACrE,mCAAmC;QACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAC;QAC7D,MAAM,gBAAgB,GACpB,MAAM,CAAC,UAAU,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;QACtD,IAAI,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,EAAE,OAAO,CAAC,EAAE,CAAC;YACpD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;YAC9D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;YACnE,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,QAAQ,GAAG,GAAG,YAAY,iBAAiB,CAAC;QAClD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CACvD,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAC/B,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAC/C,mEAAmE;QACnE,iEAAiE;QACjE,8DAA8D;QAC9D,iEAAiE;QACjE,4CAA4C;QAC5C,MAAM,QAAQ,GAAG,OAAO,CAAC,iBAAiB,KAAK,KAAK,CAAC;QACrD,MAAM,aAAa,GAAG,QAAQ;YAC5B,CAAC,CAAC,CAAC,IAAI,EAAE,UAAU,CAAC;YACpB,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QACjB,aAAa,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC;YACpC,YAAY;YACZ,MAAM;YACN,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,kBAAkB,CAAC;QAC9C,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,gBAAgB,EAAE,MAAM,CAAC,UAAU;QACnC,KAAK;QACL,qBAAqB,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI;KACrD,CAAC,CAAC;IAEH,SAAS,CAAC,YAAY,EAAE;QACtB,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,MAAM;QACN,IAAI,EAAE,MAAM,CAAC,OAAO;QACpB,IAAI;QACJ,UAAU;KACX,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC;QAChC,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,MAAM;QACN,IAAI;QACJ,UAAU;QACV,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;QAClC,QAAQ,EAAE;YACR,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,OAAO;YAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B;QACD,aAAa,EAAE,aAAa,IAAI,SAAS;QACzC,mBAAmB,EAAE,OAAO,CAAC,mBAAmB,IAAI,0BAA0B;QAC9E,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,IAAI,2BAA2B;QACzE,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;QACpD,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;QAC9C,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;QAC5C,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC,CAAC;IAEH,MAAM,YAAY,GAAuB;QACvC,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;KACrD,CAAC;IACF,OAAO,IAAI,kBAAkB,CAAC;QAC5B,UAAU;QACV,MAAM;QACN,OAAO;QACP,YAAY;KACb,CAAC,CAAC;AACL,CAAC"}