@inkbox/sdk 0.2.16 → 0.3.1

package/dist/tunnels/client/_callable_streaming.js

@@ -0,0 +1,158 @@
+/**
+ * inkbox-tunnels/client/_callable_streaming.ts
+ *
+ * Streaming wrapper for `InkboxHandler` used by `CallableDispatch` in
+ * passthrough mode. The Fetch-style handler returns a `Response`; this
+ * module pipes that response back through `DispatchResponseSink` so
+ * the third party gets a true streamed reply.
+ *
+ * WebSocket upgrades are handled separately by
+ * `_ws_passthrough.bridgeWsHandlerOverSink` — the h1 parser and h2
+ * transcoder route `isWebSocket=true` requests directly to
+ * `CallableDispatch.dispatchWebSocket` so they never reach this
+ * HTTP-only invoker.
+ */
+import { HOP_BY_HOP_RESPONSE } from "./_protocol.js";
+/**
+ * Build a minimal envelope-shaped object for the InkboxRequestContext.
+ * Passthrough callable dispatch doesn't have a true envelope (those
+ * are produced by the tunnel server's intake path), so we synthesize a
+ * placeholder. The handler can read the typed fields directly via
+ * `req` / `ctx` instead of poking at this for normal use.
+ */
+function synthesizeEnvelope(req) {
+    return Object.freeze({
+        requestId: "",
+        method: req.method,
+        path: req.path,
+        routeKind: "webhook",
+        wsId: null,
+        forwardedHeaders: req.headers,
+        body: Buffer.alloc(0),
+        bodyUri: null,
+        forwardedForIp: req.forwardedForIp,
+        tcpId: null,
+        sniHost: req.sniHost,
+        extraMeta: {},
+    });
+}
+async function bodyToReadable(iter) {
+    const it = iter[Symbol.asyncIterator]();
+    let probed = await it.next();
+    if (probed.done)
+        return null;
+    const first = probed.value;
+    return new ReadableStream({
+        async start(controller) {
+            controller.enqueue(new Uint8Array(first));
+            try {
+                while (true) {
+                    const r = await it.next();
+                    if (r.done)
+                        break;
+                    controller.enqueue(new Uint8Array(r.value));
+                }
+                controller.close();
+            }
+            catch (err) {
+                controller.error(err);
+            }
+        },
+    });
+}
+export async function invokeHandlerStreaming(opts) {
+    const { handler, request, response, publicHost, maxOutboundBodyBytes } = opts;
+    // Build a Fetch Request from the DispatchRequest. Headers are flat,
+    // method/path provided. URL host is the public host.
+    const headers = new Headers();
+    for (const [k, v] of request.headers) {
+        if (k.startsWith(":"))
+            continue;
+        try {
+            headers.append(k, v);
+        }
+        catch {
+            /* invalid header value — skip */
+        }
+    }
+    if (!headers.has("host"))
+        headers.set("host", publicHost);
+    if (!headers.has("x-forwarded-host"))
+        headers.set("x-forwarded-host", publicHost);
+    if (!headers.has("x-forwarded-proto"))
+        headers.set("x-forwarded-proto", "https");
+    if (request.forwardedForIp != null) {
+        if (!headers.has("x-forwarded-for"))
+            headers.set("x-forwarded-for", request.forwardedForIp);
+    }
+    const url = `https://${publicHost}${request.path.startsWith("/") ? "" : "/"}${request.path}`;
+    const bodyStream = request.method === "GET" || request.method === "HEAD"
+        ? null
+        : await bodyToReadable(request.body);
+    const fetchReq = new Request(url, {
+        method: request.method,
+        headers,
+        body: bodyStream,
+        // Required when sending a stream body on Node fetch.
+        duplex: "half",
+    });
+    const ctx = {
+        signal: new AbortController().signal,
+        forwardedForIp: request.forwardedForIp,
+        sniHost: request.sniHost,
+        envelope: synthesizeEnvelope(request),
+    };
+    let resp;
+    try {
+        resp = await handler(fetchReq, ctx);
+    }
+    catch {
+        await response.sendHead({
+            status: 502,
+            headers: [["content-type", "text/plain"]],
+        });
+        await response.sendBody(Buffer.from("upstream error"));
+        await response.endBody();
+        return;
+    }
+    const respHeaders = [];
+    resp.headers.forEach((value, key) => {
+        if (HOP_BY_HOP_RESPONSE.has(key.toLowerCase()))
+            return;
+        respHeaders.push([key, value]);
+    });
+    await response.sendHead({ status: resp.status, headers: respHeaders });
+    if (resp.body == null) {
+        await response.endBody();
+        return;
+    }
+    let bytesOut = 0;
+    const reader = resp.body.getReader();
+    try {
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            const buf = Buffer.from(value);
+            bytesOut += buf.length;
+            if (bytesOut > maxOutboundBodyBytes) {
+                await response.reset("response-too-large");
+                return;
+            }
+            await response.sendBody(buf);
+        }
+        await response.endBody();
+    }
+    catch {
+        await response.reset("upstream-error");
+    }
+    finally {
+        try {
+            reader.releaseLock();
+        }
+        catch {
+            /* swallow */
+        }
+    }
+}
+//# sourceMappingURL=_callable_streaming.js.map

package/dist/tunnels/client/_callable_streaming.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_callable_streaming.js","sourceRoot":"","sources":["../../../src/tunnels/client/_callable_streaming.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAQH,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAUrD;;;;;;GAMG;AACH,SAAS,kBAAkB,CAAC,GAAoB;IAC9C,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,SAAS,EAAE,EAAE;QACb,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,SAAS,EAAE,SAAkB;QAC7B,IAAI,EAAE,IAAI;QACV,gBAAgB,EAAE,GAAG,CAAC,OAAO;QAC7B,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACrB,OAAO,EAAE,IAAI;QACb,cAAc,EAAE,GAAG,CAAC,cAAc;QAClC,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,SAAS,EAAE,EAAE;KACd,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,IAA2B;IAE3B,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;IACxC,IAAI,MAAM,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,MAAM,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAC3B,OAAO,IAAI,cAAc,CAAa;QACpC,KAAK,CAAC,KAAK,CAAC,UAAU;YACpB,UAAU,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;YAC1C,IAAI,CAAC;gBACH,OAAO,IAAI,EAAE,CAAC;oBACZ,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;oBAC1B,IAAI,CAAC,CAAC,IAAI;wBAAE,MAAM;oBAClB,UAAU,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC9C,CAAC;gBACD,UAAU,CAAC,KAAK,EAAE,CAAC;YACrB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,IAAuB;IAEvB,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACpE,IAAI,CAAC;IAEP,oEAAoE;IACpE,qDAAqD;IACrD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAC9B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACrC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAChC,IAAI,CAAC;YACH,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAC1D,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC;IAClF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;QAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC;IACjF,IAAI,OAAO,CAAC,cAAc,IAAI,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,GAAG,GAAG,WAAW,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAE7F,MAAM,UAAU,GACd,OAAO,CAAC,MAAM,KAAK,KAAK,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM;QACnD,CAAC,CAAC,IAAI;QACN,CAAC,CAAC,MAAM,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,MAAM,QAAQ,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO;QACP,IAAI,EAAE,UAA6B;QACnC,qDAAqD;QACrD,MAAM,EAAE,MAAM;KACsB,CAAC,CAAC;IAExC,MAAM,GAAG,GAAyB;QAChC,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC,MAAM;QACpC,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,QAAQ,EAAE,kBAAkB,CAAC,OAAO,CAAC;KACtC,CAAC;IAEF,IAAI,IAAc,CAAC;IACnB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,QAAQ,CAAC,QAAQ,CAAC;YACtB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,CAAC,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;SAC1C,CAAC,CAAC;QACH,MAAM,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;QACvD,MAAM,QAAQ,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO;IACT,CAAC;IAED,MAAM,WAAW,GAA4B,EAAE,CAAC;IAChD,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAClC,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YAAE,OAAO;QACvD,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,MAAM,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;IACvE,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;QACtB,MAAM,QAAQ,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO;IACT,CAAC;IAED,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;IACrC,IAAI,CAAC;QACH,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,IAAI;gBAAE,MAAM;YAChB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC/B,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC;YACvB,IAAI,QAAQ,GAAG,oBAAoB,EAAE,CAAC;gBACpC,MAAM,QAAQ,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;gBAC3C,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;QACD,MAAM,QAAQ,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,QAAQ,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACzC,CAAC;YAAS,CAAC;QACT,IAAI,CAAC;YACH,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,aAAa;QACf,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/tunnels/client/_cert.d.ts

@@ -0,0 +1,45 @@
+/**
+ * inkbox-tunnels/client/_cert.ts
+ *
+ * Passthrough cert lifecycle: load-or-create EC P-256 keypair, build
+ * CSR, detect when the cached cert needs resigning. Mirrors Python
+ * `_cert.py` exactly so on-disk state interops between the two SDKs.
+ *
+ * IMPORTANT: This module statically imports `@peculiar/x509` at the
+ * top. The lazy-load boundary lives at the **call site** in
+ * `_runtime.ts` (or `index.ts`) so the edge-mode bundle never pulls
+ * `_cert.ts` into the module graph at all. See M5's bundle-size
+ * verification.
+ */
+import "reflect-metadata";
+export interface KeyPair {
+    privateKey: CryptoKey;
+    publicKey: CryptoKey;
+    /** PKCS8 PEM of the private key. */
+    privatePem: string;
+}
+/**
+ * Load EC P-256 key from disk or generate one. Returns the parsed
+ * keypair. The on-disk format is PKCS8 PEM, matching Python.
+ */
+export declare function loadOrCreateKeypair(stateDir: string): Promise<KeyPair>;
+/**
+ * Build a CSR with CN + SAN = `publicHost`. Signed with SHA-256.
+ */
+export declare function buildCsr(key: KeyPair, publicHost: string): Promise<string>;
+/** Return the cert's expiry (UTC) or null if missing/invalid. */
+export declare function certExpiry(stateDir: string): Date | null;
+/**
+ * Decide whether the cached cert needs resigning.
+ *
+ * - Missing cert / unreadable cert => resign.
+ * - Within the 14-day renewal window => resign.
+ * - Cert pubkey doesn't match the on-disk key (key regenerated since
+ *   last signing) => resign.
+ */
+export declare function certNeedsSign(stateDir: string, key: KeyPair): Promise<boolean>;
+/** Persist the signed cert+chain (mode 0o600); return the bytes. */
+export declare function writeCertChain(stateDir: string, certPem: string, chainPem: string): Buffer;
+/** Serialize a private key as unencrypted PKCS8 PEM bytes. */
+export declare function keyPemBytes(key: KeyPair): Promise<Buffer>;
+//# sourceMappingURL=_cert.d.ts.map

package/dist/tunnels/client/_cert.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_cert.d.ts","sourceRoot":"","sources":["../../../src/tunnels/client/_cert.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,OAAO,kBAAkB,CAAC;AAyB1B,MAAM,WAAW,OAAO;IACtB,UAAU,EAAE,SAAS,CAAC;IACtB,SAAS,EAAE,SAAS,CAAC;IACrB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;CACpB;AAOD;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAoB5E;AAED;;GAEG;AACH,wBAAsB,QAAQ,CAC5B,GAAG,EAAE,OAAO,EACZ,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAYjB;AAED,iEAAiE;AACjE,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAkBxD;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,OAAO,CAAC,CAuBlB;AAED,oEAAoE;AACpE,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,MAAM,CAOR;AAED,8DAA8D;AAC9D,wBAAsB,WAAW,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAE/D"}

package/dist/tunnels/client/_cert.js

@@ -0,0 +1,193 @@
+/**
+ * inkbox-tunnels/client/_cert.ts
+ *
+ * Passthrough cert lifecycle: load-or-create EC P-256 keypair, build
+ * CSR, detect when the cached cert needs resigning. Mirrors Python
+ * `_cert.py` exactly so on-disk state interops between the two SDKs.
+ *
+ * IMPORTANT: This module statically imports `@peculiar/x509` at the
+ * top. The lazy-load boundary lives at the **call site** in
+ * `_runtime.ts` (or `index.ts`) so the edge-mode bundle never pulls
+ * `_cert.ts` into the module graph at all. See M5's bundle-size
+ * verification.
+ */
+// peculiar/x509 internally uses tsyringe, which needs the
+// reflect-metadata polyfill to be loaded BEFORE the library imports.
+// Keep this side-effect import first so the lazy-load boundary in
+// _runtime.ts/index.ts pulls everything in correctly.
+import "reflect-metadata";
+import * as crypto from "node:crypto";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import * as x509 from "@peculiar/x509";
+import { CERT_FILE, KEY_FILE, ensurePrivateStateDir, writePrivateFile, } from "./_state.js";
+const RENEWAL_THRESHOLD_MS = 14 * 24 * 60 * 60 * 1000;
+// peculiar/x509 reads the global cryptoProvider when its routines need
+// crypto primitives. Wire Node's webcrypto in once at module load.
+x509.cryptoProvider.set(crypto.webcrypto);
+// Cast Node's webcrypto subtle to the DOM types used by peculiar/x509
+// and our function signatures. The runtime APIs are identical; the
+// type definitions diverge between `lib.dom.d.ts` and Node's own.
+const subtle = crypto.webcrypto.subtle;
+const ALGORITHM = {
+    name: "ECDSA",
+    namedCurve: "P-256",
+};
+/**
+ * Load EC P-256 key from disk or generate one. Returns the parsed
+ * keypair. The on-disk format is PKCS8 PEM, matching Python.
+ */
+export async function loadOrCreateKeypair(stateDir) {
+    const keyPath = path.join(stateDir, KEY_FILE);
+    if (fs.existsSync(keyPath) && fs.statSync(keyPath).isFile()) {
+        const pem = fs.readFileSync(keyPath, "utf-8");
+        return await importPkcs8Pem(pem);
+    }
+    ensurePrivateStateDir(stateDir);
+    const generated = (await subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]));
+    const pkcs8 = await subtle.exportKey("pkcs8", generated.privateKey);
+    const pem = pkcs8ToPem(Buffer.from(pkcs8));
+    writePrivateFile(keyPath, pem);
+    return {
+        privateKey: generated.privateKey,
+        publicKey: generated.publicKey,
+        privatePem: pem,
+    };
+}
+/**
+ * Build a CSR with CN + SAN = `publicHost`. Signed with SHA-256.
+ */
+export async function buildCsr(key, publicHost) {
+    const csr = await x509.Pkcs10CertificateRequestGenerator.create({
+        name: `CN=${publicHost}`,
+        keys: { privateKey: key.privateKey, publicKey: key.publicKey },
+        signingAlgorithm: { name: "ECDSA", hash: "SHA-256" },
+        extensions: [
+            new x509.SubjectAlternativeNameExtension([
+                { type: "dns", value: publicHost },
+            ]),
+        ],
+    });
+    return csr.toString("pem");
+}
+/** Return the cert's expiry (UTC) or null if missing/invalid. */
+export function certExpiry(stateDir) {
+    const certPath = path.join(stateDir, CERT_FILE);
+    if (!fs.existsSync(certPath))
+        return null;
+    let pem;
+    try {
+        pem = fs.readFileSync(certPath, "utf-8");
+    }
+    catch {
+        return null;
+    }
+    // Read the leaf cert (first PEM block).
+    const leafBlock = extractFirstPemBlock(pem, "CERTIFICATE");
+    if (leafBlock === null)
+        return null;
+    try {
+        const cert = new x509.X509Certificate(leafBlock);
+        return cert.notAfter;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Decide whether the cached cert needs resigning.
+ *
+ * - Missing cert / unreadable cert => resign.
+ * - Within the 14-day renewal window => resign.
+ * - Cert pubkey doesn't match the on-disk key (key regenerated since
+ *   last signing) => resign.
+ */
+export async function certNeedsSign(stateDir, key) {
+    const certPath = path.join(stateDir, CERT_FILE);
+    const expiry = certExpiry(stateDir);
+    if (!fs.existsSync(certPath) || expiry === null)
+        return true;
+    const now = new Date();
+    if (expiry.getTime() - now.getTime() < RENEWAL_THRESHOLD_MS)
+        return true;
+    try {
+        const pem = fs.readFileSync(certPath, "utf-8");
+        const leafBlock = extractFirstPemBlock(pem, "CERTIFICATE");
+        if (leafBlock === null)
+            return true;
+        const cert = new x509.X509Certificate(leafBlock);
+        const certPubKey = (await cert.publicKey.export(crypto.webcrypto));
+        const certPubSpki = await subtle.exportKey("spki", certPubKey);
+        const keyPubSpki = await subtle.exportKey("spki", key.publicKey);
+        if (Buffer.compare(Buffer.from(certPubSpki), Buffer.from(keyPubSpki)) !== 0) {
+            return true;
+        }
+        return false;
+    }
+    catch {
+        return true;
+    }
+}
+/** Persist the signed cert+chain (mode 0o600); return the bytes. */
+export function writeCertChain(stateDir, certPem, chainPem) {
+    // PEM cross-language interop policy: leaf first, then intermediates,
+    // \n line endings, trailing single \n. Mirror Python `_cert.py`.
+    const fullChain = ensureSinglePemTerminator(certPem) + ensureSinglePemTerminator(chainPem);
+    const certPath = path.join(stateDir, CERT_FILE);
+    writePrivateFile(certPath, fullChain);
+    return Buffer.from(fullChain, "ascii");
+}
+/** Serialize a private key as unencrypted PKCS8 PEM bytes. */
+export async function keyPemBytes(key) {
+    return Buffer.from(key.privatePem, "ascii");
+}
+// --- internals -----------------------------------------------------------
+async function importPkcs8Pem(pem) {
+    const block = extractFirstPemBlock(pem, "PRIVATE KEY");
+    if (block === null) {
+        throw new Error("private_key.pem: missing PRIVATE KEY block");
+    }
+    const der = pemBlockToDer(block);
+    // Cast to BufferSource's Uint8Array variant — Node's Buffer is
+    // assignable but lib.dom.d.ts disagrees on ArrayBufferLike vs
+    // ArrayBuffer.
+    const privateKey = await subtle.importKey("pkcs8", new Uint8Array(der), ALGORITHM, true, ["sign"]);
+    // Derive the public key from the private — JOSE jwk round-trip.
+    const jwk = await subtle.exportKey("jwk", privateKey);
+    const pubJwk = { ...jwk };
+    delete pubJwk.d;
+    pubJwk.key_ops = ["verify"];
+    const publicKey = await subtle.importKey("jwk", pubJwk, ALGORITHM, true, ["verify"]);
+    return { privateKey, publicKey, privatePem: pem };
+}
+function pkcs8ToPem(der) {
+    const b64 = der.toString("base64");
+    const lines = [];
+    for (let i = 0; i < b64.length; i += 64)
+        lines.push(b64.slice(i, i + 64));
+    return `-----BEGIN PRIVATE KEY-----\n${lines.join("\n")}\n-----END PRIVATE KEY-----\n`;
+}
+function extractFirstPemBlock(pem, label) {
+    const begin = `-----BEGIN ${label}-----`;
+    const end = `-----END ${label}-----`;
+    const beginIdx = pem.indexOf(begin);
+    const endIdx = pem.indexOf(end);
+    if (beginIdx < 0 || endIdx < 0 || endIdx < beginIdx)
+        return null;
+    return pem.slice(beginIdx, endIdx + end.length);
+}
+function pemBlockToDer(block) {
+    const lines = block.split(/\r?\n/).filter((l) => l.length > 0 && !l.startsWith("-----"));
+    return Buffer.from(lines.join(""), "base64");
+}
+function ensureSinglePemTerminator(pem) {
+    // Strip Windows line endings, trailing whitespace, and excess
+    // newlines; ensure a single \n after the final -----END...-----.
+    let out = pem.replace(/\r\n/g, "\n").replace(/[ \t]+\n/g, "\n");
+    while (out.endsWith("\n\n"))
+        out = out.slice(0, -1);
+    if (!out.endsWith("\n"))
+        out += "\n";
+    return out;
+}
+//# sourceMappingURL=_cert.js.map

package/dist/tunnels/client/_cert.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_cert.js","sourceRoot":"","sources":["../../../src/tunnels/client/_cert.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,0DAA0D;AAC1D,qEAAqE;AACrE,kEAAkE;AAClE,sDAAsD;AACtD,OAAO,kBAAkB,CAAC;AAE1B,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,OAAO,EACL,SAAS,EACT,QAAQ,EACR,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,aAAa,CAAC;AAErB,MAAM,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEtD,uEAAuE;AACvE,mEAAmE;AACnE,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,SAA8B,CAAC,CAAC;AAE/D,sEAAsE;AACtE,mEAAmE;AACnE,kEAAkE;AAClE,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,MAAiC,CAAC;AASlE,MAAM,SAAS,GAAG;IAChB,IAAI,EAAE,OAAO;IACb,UAAU,EAAE,OAAO;CACX,CAAC;AAEX;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,QAAgB;IACxD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9C,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;QAC5D,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9C,OAAO,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IACD,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,CAAC,MAAM,MAAM,CAAC,WAAW,CACzC,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,IAAI,EACJ,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAkB,CAAC;IACpB,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,CAAC;IACpE,MAAM,GAAG,GAAG,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3C,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC/B,OAAO;QACL,UAAU,EAAE,SAAS,CAAC,UAAU;QAChC,SAAS,EAAE,SAAS,CAAC,SAAS;QAC9B,UAAU,EAAE,GAAG;KAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,GAAY,EACZ,UAAkB;IAElB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,iCAAiC,CAAC,MAAM,CAAC;QAC9D,IAAI,EAAE,MAAM,UAAU,EAAE;QACxB,IAAI,EAAE,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE;QAC9D,gBAAgB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;QACpD,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,+BAA+B,CAAC;gBACvC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE;aACnC,CAAC;SACH;KACF,CAAC,CAAC;IACH,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,UAAU,CAAC,QAAgB;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAChD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,wCAAwC;IACxC,MAAM,SAAS,GAAG,oBAAoB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC3D,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,GAAY;IAEZ,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,oBAAoB;QAAE,OAAO,IAAI,CAAC;IACzE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/C,MAAM,SAAS,GAAG,oBAAoB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QAC3D,IAAI,SAAS,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QACpC,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,UAAU,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAC7C,MAAM,CAAC,SAA8B,CACtC,CAAc,CAAC;QAChB,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC/D,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC;QACjE,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5E,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,oEAAoE;AACpE,MAAM,UAAU,cAAc,CAC5B,QAAgB,EAChB,OAAe,EACf,QAAgB;IAEhB,qEAAqE;IACrE,iEAAiE;IACjE,MAAM,SAAS,GAAG,yBAAyB,CAAC,OAAO,CAAC,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAC3F,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAChD,gBAAgB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IACtC,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;AACzC,CAAC;AAED,8DAA8D;AAC9D,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAY;IAC5C,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;AAC9C,CAAC;AAED,4EAA4E;AAE5E,KAAK,UAAU,cAAc,CAAC,GAAW;IACvC,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IACvD,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,GAAG,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IACjC,+DAA+D;IAC/D,8DAA8D;IAC9D,eAAe;IACf,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,SAAS,CACvC,OAAO,EACP,IAAI,UAAU,CAAC,GAAG,CAAC,EACnB,SAAS,EACT,IAAI,EACJ,CAAC,MAAM,CAAC,CACT,CAAC;IACF,gEAAgE;IAChE,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IACtD,MAAM,MAAM,GAAe,EAAE,GAAG,GAAG,EAAE,CAAC;IACtC,OAAO,MAAM,CAAC,CAAC,CAAC;IAChB,MAAM,CAAC,OAAO,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC5B,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,SAAS,CACtC,KAAK,EACL,MAAM,EACN,SAAS,EACT,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;IACF,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAC1E,OAAO,gCAAgC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC;AACzF,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAW,EAAE,KAAa;IACtD,MAAM,KAAK,GAAG,cAAc,KAAK,OAAO,CAAC;IACzC,MAAM,GAAG,GAAG,YAAY,KAAK,OAAO,CAAC;IACrC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,QAAQ,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,QAAQ;QAAE,OAAO,IAAI,CAAC;IACjE,OAAO,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CACvC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAC9C,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,yBAAyB,CAAC,GAAW;IAC5C,8DAA8D;IAC9D,iEAAiE;IACjE,IAAI,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;IAChE,OAAO,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,GAAG,IAAI,IAAI,CAAC;IACrC,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/tunnels/client/_dispatch.d.ts

@@ -0,0 +1,109 @@
+/**
+ * inkbox-tunnels/client/_dispatch.ts
+ *
+ * The Dispatch interface — both the in-process h1 parser and the h2
+ * transcoder hand parsed requests to a Dispatch impl. The interface is
+ * transport-neutral; the same impl serves an h1 inbound and an h2 inbound.
+ *
+ * UpstreamUrlDispatch forwards requests to a customer-supplied URL via
+ * undici (one Pool per dispatcher). CallableDispatch invokes an
+ * in-process Fetch-style handler. ``dispatchWebSocket`` on either impl
+ * routes WS upgrades (h1 ``Upgrade: websocket`` or h2 Extended CONNECT)
+ * without going through the HTTP response sink.
+ */
+/**
+ * Wire-shaped request handed to a Dispatch impl. Both transports
+ * populate the same shape; pseudo-headers and h2-only headers are
+ * stripped before this point.
+ */
+export interface DispatchRequest {
+    method: string;
+    path: string;
+    /** Lower-case header name + value, preserving order and duplicates. */
+    headers: Array<[string, string]>;
+    /** Streaming body. Resolves with empty Buffer on end-of-body. */
+    body: AsyncIterable<Buffer>;
+    forwardedForIp: string | null;
+    sniHost: string | null;
+    isWebSocket: boolean;
+    wsSubprotocol: string | null;
+    /**
+     * Inbound transport: "h1" or "h2". Populated by the parser /
+     * transcoder so dispatchers can emit structured telemetry with the
+     * full ``dispatch=url-h1|url-h2|callable-h1|callable-h2`` field.
+     */
+    transport?: "h1" | "h2";
+}
+export interface DispatchResponseHead {
+    status: number;
+    headers: Array<[string, string]>;
+}
+/** Streamed response sink the Dispatch impl writes to. */
+export interface DispatchResponseSink {
+    sendHead(head: DispatchResponseHead): Promise<void>;
+    sendBody(chunk: Buffer): Promise<void>;
+    endBody(): Promise<void>;
+    reset(reason: string): Promise<void>;
+}
+/** Stateless-per-call dispatcher invoked by the parser/transcoder. */
+export interface Dispatch {
+    dispatch(request: DispatchRequest, response: DispatchResponseSink): Promise<void>;
+    /**
+     * Optional WS upgrade entry-point. Transports check for this method
+     * before routing a WS upgrade; if absent, they fall back to sending
+     * a 501 via the regular HTTP sink.
+     */
+    dispatchWebSocket?(request: DispatchRequest, ws: import("./_ws_passthrough.js").WebSocketSink): Promise<void>;
+    aclose(): Promise<void>;
+}
+export interface UpstreamUrlDispatchOpts {
+    forwardTo: string;
+    publicHost: string;
+    maxOutboundBodyBytes: number;
+    maxInboundBodyBytes: number;
+    /** Verify upstream TLS certs. Only consulted when forwardTo is https://. */
+    verifyTls?: boolean;
+    /** PEM CA bundle to trust for the upstream TLS connection. */
+    caBundle?: Buffer | string | null;
+}
+/**
+ * Forward requests to a customer-supplied URL via undici.
+ *
+ * One ``undici.Pool`` per dispatcher. The pool's connect options carry
+ * the upstream-TLS options when the URL is https://. We always speak
+ * h1 to the upstream — we transcode at this boundary.
+ */
+export declare class UpstreamUrlDispatch implements Dispatch {
+    private readonly pool;
+    private readonly forwardTo;
+    private readonly publicHost;
+    private readonly maxOutboundBodyBytes;
+    private readonly maxInboundBodyBytes;
+    private readonly verifyTls;
+    private readonly caBundle;
+    constructor(opts: UpstreamUrlDispatchOpts);
+    aclose(): Promise<void>;
+    dispatch(request: DispatchRequest, response: DispatchResponseSink): Promise<void>;
+    dispatchWebSocket(request: DispatchRequest, ws: import("./_ws_passthrough.js").WebSocketSink): Promise<void>;
+}
+export interface CallableDispatchOpts {
+    handler: import("./_handler.js").InkboxHandler;
+    /** Optional WebSocket handler — receives `accept`/`send`/iterator. */
+    wsHandler?: import("./_ws.js").InkboxWsHandler;
+    publicHost: string;
+    maxOutboundBodyBytes: number;
+}
+/**
+ * Dispatch impl that invokes an in-process `InkboxHandler` (Fetch-style).
+ * Used by passthrough mode when the user supplied a `handler` instead
+ * of a `forwardTo` URL. When `wsHandler` is also supplied, WebSocket
+ * upgrades route through `dispatchWebSocket`.
+ */
+export declare class CallableDispatch implements Dispatch {
+    private readonly opts;
+    constructor(opts: CallableDispatchOpts);
+    aclose(): Promise<void>;
+    dispatch(request: DispatchRequest, response: DispatchResponseSink): Promise<void>;
+    dispatchWebSocket(request: DispatchRequest, ws: import("./_ws_passthrough.js").WebSocketSink): Promise<void>;
+}
+//# sourceMappingURL=_dispatch.d.ts.map

package/dist/tunnels/client/_dispatch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_dispatch.d.ts","sourceRoot":"","sources":["../../../src/tunnels/client/_dispatch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAiBH;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,uEAAuE;IACvE,OAAO,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACjC,iEAAiE;IACjE,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAClC;AAED,0DAA0D;AAC1D,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACzB,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACtC;AAED,sEAAsE;AACtE,MAAM,WAAW,QAAQ;IACvB,QAAQ,CACN,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,oBAAoB,GAC7B,OAAO,CAAC,IAAI,CAAC,CAAC;IACjB;;;;OAIG;IACH,iBAAiB,CAAC,CAChB,OAAO,EAAE,eAAe,EACxB,EAAE,EAAE,OAAO,sBAAsB,EAAE,aAAa,GAC/C,OAAO,CAAC,IAAI,CAAC,CAAC;IACjB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACzB;AAID,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,4EAA4E;IAC5E,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;CACnC;AAED;;;;;;GAMG;AACH,qBAAa,mBAAoB,YAAW,QAAQ;IAClD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAO;IAC5B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAM;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAS;IAC9C,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAC7C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAyB;gBAEtC,IAAI,EAAE,uBAAuB;IAsBnC,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAQvB,QAAQ,CACZ,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,oBAAoB,GAC7B,OAAO,CAAC,IAAI,CAAC;IA0HV,iBAAiB,CACrB,OAAO,EAAE,eAAe,EACxB,EAAE,EAAE,OAAO,sBAAsB,EAAE,aAAa,GAC/C,OAAO,CAAC,IAAI,CAAC;CAoBjB;AA6BD,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,eAAe,EAAE,aAAa,CAAC;IAC/C,sEAAsE;IACtE,SAAS,CAAC,EAAE,OAAO,UAAU,EAAE,eAAe,CAAC;IAC/C,UAAU,EAAE,MAAM,CAAC;IACnB,oBAAoB,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,qBAAa,gBAAiB,YAAW,QAAQ;IACnC,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,oBAAoB;IAEjD,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAIvB,QAAQ,CACZ,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,oBAAoB,GAC7B,OAAO,CAAC,IAAI,CAAC;IA2CV,iBAAiB,CACrB,OAAO,EAAE,eAAe,EACxB,EAAE,EAAE,OAAO,sBAAsB,EAAE,aAAa,GAC/C,OAAO,CAAC,IAAI,CAAC;CAyCjB"}