@jingyi0605/codingns 0.4.0 → 0.5.1

package/dist/server/modules/relay-tunnel/relay-tunnel-service.js

@@ -0,0 +1,966 @@
+import os from "node:os";
+import { AppError } from "../../shared/errors/app-error.js";
+import { decryptSecret, encryptSecret } from "../../shared/utils/secret-box.js";
+import { nowIso } from "../../shared/utils/time.js";
+import { RelayTunnelIdentityService } from "./crypto/relay-tunnel-identity-service.js";
+import { createTaskManager } from "../tasks/task-manager.js";
+import { HOST_TASK_TYPES } from "../tasks/task-types.js";
+export class RelayTunnelService {
+    db;
+    bootstrapStateRepository;
+    repository;
+    defaultLocalTargetBaseUrl;
+    legacyLocalTargetBaseUrl;
+    controlSessionSecret;
+    fetchFn;
+    taskManager;
+    runtimeAdapter;
+    identityService;
+    constructor(db, bootstrapStateRepository, identityRepository, repository, options, taskManager = createTaskManager(), runtimeAdapter = new NoopRelayTunnelRuntimeAdapter()) {
+        this.db = db;
+        this.bootstrapStateRepository = bootstrapStateRepository;
+        this.repository = repository;
+        this.taskManager = taskManager;
+        this.runtimeAdapter = runtimeAdapter;
+        this.identityService = new RelayTunnelIdentityService(identityRepository);
+        this.controlSessionSecret = normalizeRequiredText(options.controlSessionSecret, "controlSessionSecret");
+        this.fetchFn = options.fetchFn ?? fetch;
+        this.defaultLocalTargetBaseUrl = normalizeHttpBaseUrl(options.defaultLocalTargetBaseUrl, "defaultLocalTargetBaseUrl");
+        this.legacyLocalTargetBaseUrl = options.legacyLocalTargetBaseUrl
+            ? normalizeHttpBaseUrl(options.legacyLocalTargetBaseUrl, "legacyLocalTargetBaseUrl")
+            : null;
+        this.registerBackgroundTasks();
+    }
+    async restoreOnStartup() {
+        const snapshot = this.readStateSnapshot();
+        if (!snapshot.hasPersistedConfig
+            || !snapshot.config.activated
+            || !snapshot.config.enabled
+            || !isBound(snapshot.config)) {
+            return;
+        }
+        const effectiveConfig = this.syncIdentityIntoConfig(snapshot.config);
+        if (!this.isBootstrapInitialized()) {
+            this.repository.upsertStatus(buildSkeletonStatus("blocked_uninitialized", effectiveConfig, {
+                observedAt: nowIso()
+            }));
+            return;
+        }
+        this.requestReconnect("relay_tunnel.startup_restore");
+    }
+    async getStatus() {
+        const snapshot = this.readStateSnapshot();
+        const effectiveConfig = this.resolveConfigWithIdentity(snapshot.config);
+        return this.buildStatusDto(snapshot, effectiveConfig, this.resolveEffectiveStatus(effectiveConfig));
+    }
+    async ensureIdentity() {
+        const snapshot = this.readStateSnapshot();
+        const nextConfig = this.syncIdentityIntoConfig(snapshot.config);
+        return this.buildStatusDto({
+            config: nextConfig,
+            hasPersistedConfig: snapshot.hasPersistedConfig || nextConfig !== snapshot.config
+        }, nextConfig, this.resolveEffectiveStatus(nextConfig));
+    }
+    async updateConfig(input) {
+        const snapshot = this.readStateSnapshot();
+        const nextConfig = {
+            ...snapshot.config,
+            activated: input.activated !== undefined
+                ? input.activated
+                : snapshot.config.activated,
+            relayBaseUrl: input.relayBaseUrl !== undefined
+                ? normalizeWebsocketBaseUrl(input.relayBaseUrl, "relayBaseUrl")
+                : snapshot.config.relayBaseUrl,
+            controlBaseUrl: input.controlBaseUrl !== undefined
+                ? normalizeHttpBaseUrl(input.controlBaseUrl, "controlBaseUrl")
+                : snapshot.config.controlBaseUrl,
+            localTargetBaseUrl: input.localTargetBaseUrl !== undefined
+                ? normalizeHttpBaseUrl(input.localTargetBaseUrl, "localTargetBaseUrl")
+                : snapshot.config.localTargetBaseUrl,
+            localTargetBaseUrlSource: input.localTargetBaseUrl !== undefined
+                ? "custom"
+                : (snapshot.config.localTargetBaseUrlSource ?? "default"),
+            enabled: input.activated === false
+                ? false
+                : snapshot.config.enabled,
+            updatedAt: nowIso()
+        };
+        this.repository.upsertConfig(nextConfig);
+        const effectiveConfig = this.resolveConfigWithIdentity(nextConfig);
+        if (!effectiveConfig.activated) {
+            const nextStatus = buildSkeletonStatus("disabled", effectiveConfig, {
+                observedAt: nowIso()
+            });
+            this.repository.upsertStatus(nextStatus);
+            this.taskManager.cancel(HOST_TASK_TYPES.relayTunnelConnect, "default", "relay_tunnel_deactivated");
+            await this.runtimeAdapter.disconnect?.("relay_tunnel_deactivated");
+            return this.buildStatusDto({
+                config: effectiveConfig,
+                hasPersistedConfig: true
+            }, effectiveConfig, nextStatus);
+        }
+        if (effectiveConfig.enabled && isBound(effectiveConfig) && this.isBootstrapInitialized()) {
+            this.requestReconnect("relay_tunnel.config_update");
+        }
+        return this.buildStatusDto({
+            config: effectiveConfig,
+            hasPersistedConfig: true
+        }, effectiveConfig, this.resolveEffectiveStatus(effectiveConfig));
+    }
+    async loginControl(input) {
+        const snapshot = this.readStateSnapshot();
+        const controlBaseUrl = requireConfiguredControlBaseUrl(snapshot.config);
+        const email = normalizeRequiredText(input.email, "email");
+        const password = normalizeRequiredText(input.password, "password");
+        const response = await this.requestControlApi({
+            controlBaseUrl,
+            path: "/api/public/auth/login",
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json"
+            },
+            body: JSON.stringify({
+                email,
+                password
+            }),
+            failurePrefix: "控制站登录失败"
+        });
+        const timestamp = nowIso();
+        const nextConfig = {
+            ...snapshot.config,
+            accountId: response.account.accountId,
+            controlAccessTokenCiphertext: encryptSecret(this.controlSessionSecret, response.accessToken),
+            controlAccountEmail: response.account.email.trim(),
+            controlSessionExpiresAt: normalizeOptionalText(response.expiresAt),
+            updatedAt: timestamp
+        };
+        this.repository.upsertConfig(nextConfig);
+        return this.buildStatusDto({
+            config: nextConfig,
+            hasPersistedConfig: true
+        }, this.resolveConfigWithIdentity(nextConfig), this.resolveEffectiveStatus(nextConfig));
+    }
+    async logoutControl() {
+        const snapshot = this.readStateSnapshot();
+        const nextConfig = clearRelayTunnelControlSession(snapshot.config, {
+            clearAccountId: !snapshot.config.bindingId,
+            updatedAt: nowIso()
+        });
+        this.repository.upsertConfig(nextConfig);
+        return this.buildStatusDto({
+            config: nextConfig,
+            hasPersistedConfig: true
+        }, this.resolveConfigWithIdentity(nextConfig), this.resolveEffectiveStatus(nextConfig));
+    }
+    async checkHostLabelAvailability(hostLabel) {
+        const snapshot = this.readStateSnapshot();
+        const normalizedHostLabel = normalizeRequiredText(hostLabel, "hostLabel");
+        const { controlBaseUrl, accessToken } = this.requireControlSession(snapshot.config);
+        const path = `/api/v1/hosts/availability?hostLabel=${encodeURIComponent(normalizedHostLabel)}`;
+        return await this.requestControlApi({
+            controlBaseUrl,
+            path,
+            method: "GET",
+            headers: {
+                Authorization: `Bearer ${accessToken}`
+            },
+            failurePrefix: "检查 Host 名称失败"
+        });
+    }
+    async bindControlHost(hostLabel) {
+        const snapshot = this.readStateSnapshot();
+        if (snapshot.config.bindingId && snapshot.config.tunnelDomain) {
+            const effectiveConfig = this.resolveConfigWithIdentity(snapshot.config);
+            return this.buildStatusDto(snapshot, effectiveConfig, this.resolveEffectiveStatus(effectiveConfig));
+        }
+        const normalizedHostLabel = normalizeRequiredText(hostLabel, "hostLabel");
+        const { controlBaseUrl, accessToken, accountId } = this.requireControlSession(snapshot.config);
+        const identity = this.identityService.ensureIdentity();
+        const bindResponse = await this.requestControlApi({
+            controlBaseUrl,
+            path: "/api/v1/hosts/bind",
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${accessToken}`
+            },
+            body: JSON.stringify({
+                hostLabel: normalizedHostLabel,
+                hostPublicKey: identity.publicKeyPem,
+                hostFingerprint: identity.keyFingerprint
+            }),
+            failurePrefix: "绑定 Host 失败"
+        });
+        return await this.bind({
+            accountId,
+            bindingId: bindResponse.binding.bindingId,
+            tunnelDomain: bindResponse.binding.tunnelDomain,
+            relayBaseUrl: bindResponse.binding.relayBaseUrl,
+            controlBaseUrl
+        });
+    }
+    async getTrafficWallet() {
+        const snapshot = this.readStateSnapshot();
+        const { controlBaseUrl, accessToken } = this.requireControlSession(snapshot.config);
+        const response = await this.requestControlApi({
+            controlBaseUrl,
+            path: "/api/v1/traffic-wallet/me",
+            method: "GET",
+            headers: {
+                Authorization: `Bearer ${accessToken}`
+            },
+            failurePrefix: "读取控制站流量信息失败"
+        });
+        return response.wallet;
+    }
+    async bind(input) {
+        const snapshot = this.readStateSnapshot();
+        const accountId = normalizeRequiredText(input.accountId, "accountId");
+        const bindingId = normalizeRequiredText(input.bindingId, "bindingId");
+        const tunnelDomain = normalizeTunnelDomain(input.tunnelDomain, "tunnelDomain");
+        const identity = this.identityService.ensureIdentity();
+        const relayBaseUrl = input.relayBaseUrl !== undefined
+            ? normalizeWebsocketBaseUrl(input.relayBaseUrl, "relayBaseUrl")
+            : snapshot.config.relayBaseUrl;
+        const controlBaseUrl = input.controlBaseUrl !== undefined
+            ? normalizeHttpBaseUrl(input.controlBaseUrl, "controlBaseUrl")
+            : snapshot.config.controlBaseUrl;
+        if (!relayBaseUrl || !controlBaseUrl) {
+            throw new AppError({
+                statusCode: 400,
+                errorCode: "INVALID_INPUT",
+                detail: "绑定前必须提供 relayBaseUrl 和 controlBaseUrl"
+            });
+        }
+        const timestamp = nowIso();
+        const nextConfig = {
+            ...snapshot.config,
+            relayBaseUrl,
+            controlBaseUrl,
+            accountId,
+            tunnelDomain,
+            bindingId,
+            hostPublicKey: identity.publicKeyPem,
+            hostKeyFingerprint: identity.keyFingerprint,
+            updatedAt: timestamp
+        };
+        const nextStatus = buildSkeletonStatus(nextConfig.enabled
+            ? (this.isBootstrapInitialized() ? "connecting" : "blocked_uninitialized")
+            : "disabled", nextConfig, {
+            observedAt: timestamp
+        });
+        this.db.transaction(() => {
+            this.repository.upsertConfig(nextConfig);
+            this.repository.upsertStatus(nextStatus);
+        })();
+        if (nextConfig.enabled && this.isBootstrapInitialized()) {
+            this.requestReconnect("relay_tunnel.bind");
+        }
+        return this.buildStatusDto({
+            config: nextConfig,
+            hasPersistedConfig: true
+        }, nextConfig, this.resolveEffectiveStatus(nextConfig));
+    }
+    async unbind() {
+        const snapshot = this.readStateSnapshot();
+        const timestamp = nowIso();
+        const nextConfig = clearRelayTunnelControlSession({
+            ...snapshot.config,
+            enabled: false,
+            bindingId: null,
+            tunnelDomain: null,
+            updatedAt: timestamp
+        }, {
+            clearAccountId: true,
+            updatedAt: timestamp
+        });
+        const nextStatus = buildSkeletonStatus("disabled", nextConfig, {
+            observedAt: timestamp
+        });
+        this.taskManager.cancel(HOST_TASK_TYPES.relayTunnelConnect, "default", "relay_tunnel_unbound");
+        await this.runtimeAdapter.disconnect?.("relay_tunnel_unbound");
+        this.db.transaction(() => {
+            this.repository.upsertConfig(nextConfig);
+            this.repository.upsertStatus(nextStatus);
+        })();
+        return this.buildStatusDto({
+            config: nextConfig,
+            hasPersistedConfig: true
+        }, nextConfig, nextStatus);
+    }
+    async enable() {
+        const snapshot = this.readStateSnapshot();
+        if (!isBound(snapshot.config)) {
+            throw new AppError({
+                statusCode: 409,
+                errorCode: "RELAY_TUNNEL_NOT_BOUND",
+                detail: "当前实例还没有绑定公共隧道"
+            });
+        }
+        const timestamp = nowIso();
+        const nextConfig = {
+            ...snapshot.config,
+            activated: true,
+            enabled: true,
+            updatedAt: timestamp
+        };
+        const configWithIdentity = this.syncIdentityIntoConfig(nextConfig);
+        const nextStatus = buildSkeletonStatus(this.isBootstrapInitialized() ? "connecting" : "blocked_uninitialized", configWithIdentity, {
+            observedAt: timestamp
+        });
+        this.db.transaction(() => {
+            this.repository.upsertConfig(configWithIdentity);
+            this.repository.upsertStatus(nextStatus);
+        })();
+        if (this.isBootstrapInitialized()) {
+            this.requestReconnect("relay_tunnel.enable");
+        }
+        return this.buildStatusDto({
+            config: configWithIdentity,
+            hasPersistedConfig: true
+        }, configWithIdentity, nextStatus);
+    }
+    async disable() {
+        const snapshot = this.readStateSnapshot();
+        const timestamp = nowIso();
+        const nextConfig = {
+            ...snapshot.config,
+            enabled: false,
+            updatedAt: timestamp
+        };
+        const nextStatus = buildSkeletonStatus("disabled", nextConfig, {
+            observedAt: timestamp
+        });
+        this.db.transaction(() => {
+            this.repository.upsertConfig(nextConfig);
+            this.repository.upsertStatus(nextStatus);
+        })();
+        this.taskManager.cancel(HOST_TASK_TYPES.relayTunnelConnect, "default", "relay_tunnel_disabled");
+        await this.runtimeAdapter.disconnect?.("relay_tunnel_disabled");
+        return this.buildStatusDto({
+            config: nextConfig,
+            hasPersistedConfig: true
+        }, nextConfig, nextStatus);
+    }
+    requestReconnect(source = "relay_tunnel.reconnect") {
+        return this.taskManager.enqueue(HOST_TASK_TYPES.relayTunnelConnect, {
+            key: "default",
+            source,
+            input: {
+                source
+            }
+        });
+    }
+    readStateSnapshot() {
+        const persistedConfig = this.reconcileLegacyLocalTargetBaseUrl(this.repository.findConfig());
+        return {
+            config: persistedConfig
+                ?? {
+                    activated: false,
+                    enabled: false,
+                    provider: "codingns_relay",
+                    relayBaseUrl: null,
+                    controlBaseUrl: null,
+                    controlAccessTokenCiphertext: null,
+                    controlAccountEmail: null,
+                    controlSessionExpiresAt: null,
+                    accountId: null,
+                    tunnelDomain: null,
+                    bindingId: null,
+                    hostPublicKey: null,
+                    hostKeyFingerprint: null,
+                    localTargetBaseUrl: this.defaultLocalTargetBaseUrl,
+                    localTargetBaseUrlSource: "default",
+                    updatedAt: nowIso()
+                },
+            hasPersistedConfig: persistedConfig !== null
+        };
+    }
+    reconcileLegacyLocalTargetBaseUrl(config) {
+        if (!config) {
+            return config;
+        }
+        if ((config.localTargetBaseUrlSource ?? "default") !== "default") {
+            return config;
+        }
+        if (config.localTargetBaseUrl === this.defaultLocalTargetBaseUrl) {
+            return config;
+        }
+        // `default` 源的目标地址由当前运行模式决定，不应该把历史默认值永久粘在库里。
+        // 只要默认入口变化了，就在启动时自动收敛到新的默认值；用户显式写入的 custom 配置不动。
+        const migratedConfig = {
+            ...config,
+            localTargetBaseUrl: this.defaultLocalTargetBaseUrl,
+            localTargetBaseUrlSource: "default",
+            updatedAt: nowIso()
+        };
+        this.repository.upsertConfig(migratedConfig);
+        return migratedConfig;
+    }
+    resolveEffectiveStatus(config) {
+        const persisted = this.repository.findStatus();
+        if (!config.activated || !config.enabled) {
+            return buildSkeletonStatus("disabled", config, {
+                observedAt: persisted?.observedAt ?? null
+            });
+        }
+        if (!isBound(config)) {
+            return buildSkeletonStatus("unbound", config, {
+                observedAt: persisted?.observedAt ?? null
+            });
+        }
+        if (!this.isBootstrapInitialized()) {
+            return buildSkeletonStatus("blocked_uninitialized", config, {
+                observedAt: persisted?.observedAt ?? null
+            });
+        }
+        if (!persisted
+            || persisted.phase === "disabled"
+            || persisted.phase === "unbound"
+            || persisted.phase === "blocked_uninitialized") {
+            return buildSkeletonStatus("connecting", config, {
+                observedAt: persisted?.observedAt ?? null
+            });
+        }
+        return {
+            ...persisted,
+            bindingId: config.bindingId,
+            tunnelDomain: config.tunnelDomain,
+            hostFingerprint: config.hostKeyFingerprint
+        };
+    }
+    registerBackgroundTasks() {
+        if (this.taskManager.has(HOST_TASK_TYPES.relayTunnelConnect)) {
+            return;
+        }
+        this.taskManager.register({
+            taskType: HOST_TASK_TYPES.relayTunnelConnect,
+            executionLane: "host_background",
+            timeoutMs: 15_000,
+            run: async (_input, context) => await this.runConnectTask(context.signal)
+        });
+    }
+    async runConnectTask(signal) {
+        const snapshot = this.readStateSnapshot();
+        if (!snapshot.config.enabled || !isBound(snapshot.config)) {
+            const effectiveConfig = this.resolveConfigWithIdentity(snapshot.config);
+            return this.buildStatusDto(snapshot, effectiveConfig, this.resolveEffectiveStatus(effectiveConfig));
+        }
+        const effectiveConfig = this.syncIdentityIntoConfig(snapshot.config);
+        if (!this.isBootstrapInitialized()) {
+            const blockedStatus = buildSkeletonStatus("blocked_uninitialized", effectiveConfig, {
+                observedAt: nowIso()
+            });
+            this.repository.upsertStatus(blockedStatus);
+            return this.buildStatusDto(snapshot, effectiveConfig, blockedStatus);
+        }
+        try {
+            const nextStatus = await this.runtimeAdapter.connect(effectiveConfig, signal);
+            if (signal.aborted) {
+                const latestSnapshot = this.readStateSnapshot();
+                const effectiveConfig = this.resolveConfigWithIdentity(latestSnapshot.config);
+                return this.buildStatusDto(latestSnapshot, effectiveConfig, this.resolveEffectiveStatus(effectiveConfig));
+            }
+            this.repository.upsertStatus(nextStatus);
+            return this.buildStatusDto(snapshot, effectiveConfig, nextStatus);
+        }
+        catch (error) {
+            if (signal.aborted) {
+                const latestSnapshot = this.readStateSnapshot();
+                const effectiveConfig = this.resolveConfigWithIdentity(latestSnapshot.config);
+                return this.buildStatusDto(latestSnapshot, effectiveConfig, this.resolveEffectiveStatus(effectiveConfig));
+            }
+            const failedStatus = {
+                ...buildSkeletonStatus("error", snapshot.config, {
+                    observedAt: nowIso()
+                }),
+                lastError: error instanceof Error ? error.message : String(error)
+            };
+            this.repository.upsertStatus(failedStatus);
+            return this.buildStatusDto(snapshot, effectiveConfig, failedStatus);
+        }
+    }
+    buildStatusDto(snapshot, effectiveConfig, effectiveStatus) {
+        return {
+            activated: effectiveConfig.activated,
+            enabled: effectiveConfig.enabled,
+            provider: effectiveConfig.provider,
+            relayBaseUrl: effectiveConfig.relayBaseUrl,
+            controlBaseUrl: effectiveConfig.controlBaseUrl,
+            controlAccountEmail: effectiveConfig.controlAccountEmail,
+            controlSessionExpiresAt: effectiveConfig.controlSessionExpiresAt,
+            accountId: effectiveConfig.accountId,
+            tunnelDomain: effectiveConfig.tunnelDomain,
+            bindingId: effectiveConfig.bindingId,
+            hostPublicKey: effectiveConfig.hostPublicKey,
+            hostKeyFingerprint: effectiveConfig.hostKeyFingerprint,
+            localTargetBaseUrl: effectiveConfig.localTargetBaseUrl,
+            candidateEndpoints: buildHostCandidateEndpoints(effectiveConfig),
+            phase: effectiveStatus.phase,
+            connected: effectiveStatus.connected,
+            hostFingerprint: effectiveStatus.hostFingerprint,
+            trafficUsedBytes: effectiveStatus.trafficUsedBytes,
+            trafficRemainingBytes: effectiveStatus.trafficRemainingBytes,
+            quotaResetAt: effectiveStatus.quotaResetAt,
+            lastError: effectiveStatus.lastError,
+            observedAt: effectiveStatus.observedAt,
+            updatedAt: snapshot.hasPersistedConfig ? snapshot.config.updatedAt : null
+        };
+    }
+    resolveConfigWithIdentity(config) {
+        const identity = this.identityService.getIdentity();
+        if (!identity) {
+            return config;
+        }
+        return {
+            ...config,
+            hostPublicKey: identity.publicKeyPem,
+            hostKeyFingerprint: identity.keyFingerprint
+        };
+    }
+    syncIdentityIntoConfig(config) {
+        const identity = this.identityService.ensureIdentity();
+        if (config.hostPublicKey === identity.publicKeyPem
+            && config.hostKeyFingerprint === identity.keyFingerprint) {
+            return config;
+        }
+        const nextConfig = {
+            ...config,
+            hostPublicKey: identity.publicKeyPem,
+            hostKeyFingerprint: identity.keyFingerprint
+        };
+        this.repository.upsertConfig(nextConfig);
+        return nextConfig;
+    }
+    isBootstrapInitialized() {
+        return this.bootstrapStateRepository.getState().initialized;
+    }
+    requireControlSession(config) {
+        const controlBaseUrl = requireConfiguredControlBaseUrl(config);
+        const encryptedAccessToken = normalizeOptionalText(config.controlAccessTokenCiphertext);
+        const accountId = normalizeOptionalText(config.accountId);
+        if (!encryptedAccessToken || !accountId) {
+            throw new AppError({
+                statusCode: 409,
+                errorCode: "RELAY_TUNNEL_CONTROL_SESSION_REQUIRED",
+                detail: "当前还没有登录控制站账号"
+            });
+        }
+        try {
+            return {
+                controlBaseUrl,
+                accessToken: decryptSecret(this.controlSessionSecret, encryptedAccessToken),
+                accountId
+            };
+        }
+        catch {
+            const nextConfig = clearRelayTunnelControlSession(config, {
+                clearAccountId: !config.bindingId,
+                updatedAt: nowIso()
+            });
+            this.repository.upsertConfig(nextConfig);
+            throw new AppError({
+                statusCode: 409,
+                errorCode: "RELAY_TUNNEL_CONTROL_SESSION_REQUIRED",
+                detail: "控制站登录态已失效，请重新登录"
+            });
+        }
+    }
+    async requestControlApi(input) {
+        let response;
+        try {
+            response = await this.fetchFn(new URL(input.path, ensureTrailingSlash(input.controlBaseUrl)), {
+                method: input.method,
+                headers: input.headers,
+                body: input.body
+            });
+        }
+        catch (error) {
+            throw buildControlFetchError(error, input.controlBaseUrl, input.failurePrefix);
+        }
+        if (!response.ok) {
+            throw await buildControlApiError(response, input.controlBaseUrl, input.failurePrefix);
+        }
+        return await response.json();
+    }
+}
+class NoopRelayTunnelRuntimeAdapter {
+    async connect(config, _signal) {
+        return buildSkeletonStatus("connecting", config, {
+            observedAt: nowIso()
+        });
+    }
+}
+function buildSkeletonStatus(phase, config, overrides) {
+    return {
+        phase,
+        connected: false,
+        bindingId: config.bindingId,
+        tunnelDomain: config.tunnelDomain,
+        hostFingerprint: config.hostKeyFingerprint,
+        trafficUsedBytes: null,
+        trafficRemainingBytes: null,
+        quotaResetAt: null,
+        lastError: null,
+        observedAt: overrides?.observedAt ?? null
+    };
+}
+function buildHostCandidateEndpoints(config) {
+    const endpoints = new Map();
+    const relayEndpoint = buildRelayPublicUrl(config);
+    if (relayEndpoint) {
+        endpoints.set(relayEndpoint, {
+            endpointId: `relay:${relayEndpoint}`,
+            kind: "relay",
+            url: relayEndpoint,
+            priority: 400,
+            expiresAt: null,
+            source: "host_reported"
+        });
+    }
+    for (const localCandidateUrl of buildLocalCandidateUrls(config.localTargetBaseUrl)) {
+        endpoints.set(localCandidateUrl, {
+            endpointId: `host_reported:${localCandidateUrl}`,
+            kind: classifyCandidateEndpointKind(localCandidateUrl),
+            url: localCandidateUrl,
+            priority: resolveCandidateEndpointPriority(localCandidateUrl),
+            expiresAt: null,
+            source: "host_reported"
+        });
+    }
+    return Array.from(endpoints.values()).sort((left, right) => {
+        if (left.priority !== right.priority) {
+            return left.priority - right.priority;
+        }
+        return left.url.localeCompare(right.url);
+    });
+}
+function buildRelayPublicUrl(config) {
+    if (!config.tunnelDomain || !config.controlBaseUrl) {
+        return null;
+    }
+    try {
+        const controlUrl = new URL(config.controlBaseUrl);
+        controlUrl.hostname = config.tunnelDomain.trim().toLowerCase();
+        controlUrl.pathname = "/";
+        controlUrl.search = "";
+        controlUrl.hash = "";
+        return controlUrl.toString().replace(/\/$/, "");
+    }
+    catch {
+        return null;
+    }
+}
+function buildLocalCandidateUrls(localTargetBaseUrl) {
+    let parsed;
+    try {
+        parsed = new URL(localTargetBaseUrl);
+    }
+    catch {
+        return [];
+    }
+    const candidates = new Set();
+    const hostname = parsed.hostname.trim().toLowerCase();
+    candidates.add(normalizeUrlWithoutTrailingSlash(parsed.toString()));
+    if (hostname === "0.0.0.0" || hostname === "::" || hostname === "::0") {
+        for (const networkAddress of listPrivateIpv4Addresses()) {
+            const candidateUrl = new URL(parsed.toString());
+            candidateUrl.hostname = networkAddress;
+            candidates.add(normalizeUrlWithoutTrailingSlash(candidateUrl.toString()));
+        }
+    }
+    if (hostname === "127.0.0.1" || hostname === "localhost" || hostname === "::1") {
+        for (const networkAddress of listPrivateIpv4Addresses()) {
+            const candidateUrl = new URL(parsed.toString());
+            candidateUrl.hostname = networkAddress;
+            candidates.add(normalizeUrlWithoutTrailingSlash(candidateUrl.toString()));
+        }
+    }
+    return Array.from(candidates);
+}
+function listPrivateIpv4Addresses() {
+    const interfaces = os.networkInterfaces();
+    const candidates = new Set();
+    for (const entries of Object.values(interfaces)) {
+        for (const entry of entries ?? []) {
+            if (!entry || entry.family !== "IPv4" || entry.internal) {
+                continue;
+            }
+            if (!isPrivateIpv4Address(entry.address)) {
+                continue;
+            }
+            candidates.add(entry.address);
+        }
+    }
+    return Array.from(candidates).sort();
+}
+function isPrivateIpv4Address(address) {
+    return (/^10\./.test(address)
+        || /^192\.168\./.test(address)
+        || /^172\.(1[6-9]|2\d|3[0-1])\./.test(address));
+}
+function classifyCandidateEndpointKind(candidateUrl) {
+    try {
+        const hostname = new URL(candidateUrl).hostname.toLowerCase();
+        if (hostname === "127.0.0.1" || hostname === "localhost" || hostname === "::1") {
+            return "loopback";
+        }
+        if (isPrivateIpv4Address(hostname)) {
+            return "lan";
+        }
+        return "custom";
+    }
+    catch {
+        return "custom";
+    }
+}
+function resolveCandidateEndpointPriority(candidateUrl) {
+    const kind = classifyCandidateEndpointKind(candidateUrl);
+    switch (kind) {
+        case "loopback":
+            return 100;
+        case "lan":
+            return 200;
+        case "tailscale":
+            return 300;
+        case "relay":
+            return 400;
+        default:
+            return 500;
+    }
+}
+function normalizeUrlWithoutTrailingSlash(value) {
+    return value.endsWith("/") ? value.slice(0, -1) : value;
+}
+function isBound(config) {
+    return Boolean(config.bindingId && config.tunnelDomain);
+}
+function normalizeRequiredText(value, field) {
+    const normalized = value?.trim();
+    if (!normalized) {
+        throw new AppError({
+            statusCode: 400,
+            errorCode: "INVALID_INPUT",
+            detail: `${field} 不能为空`,
+            field
+        });
+    }
+    return normalized;
+}
+function normalizeOptionalText(value) {
+    const normalized = value?.trim();
+    return normalized ? normalized : null;
+}
+function normalizeTunnelDomain(value, field) {
+    const normalized = normalizeRequiredText(value, field).toLowerCase();
+    if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(normalized)) {
+        throw new AppError({
+            statusCode: 400,
+            errorCode: "INVALID_INPUT",
+            detail: "tunnelDomain 必须是合法域名",
+            field
+        });
+    }
+    return normalized;
+}
+function normalizeHttpBaseUrl(value, field) {
+    if (value === null || value === undefined) {
+        return value ?? null;
+    }
+    const normalized = value.trim();
+    if (normalized.length === 0) {
+        return null;
+    }
+    let parsed;
+    try {
+        parsed = new URL(normalized);
+    }
+    catch {
+        throw new AppError({
+            statusCode: 400,
+            errorCode: "INVALID_INPUT",
+            detail: `${field} 必须是合法的 http 或 https 地址`,
+            field
+        });
+    }
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+        throw new AppError({
+            statusCode: 400,
+            errorCode: "INVALID_INPUT",
+            detail: `${field} 只允许使用 http 或 https 协议`,
+            field
+        });
+    }
+    if (parsed.username || parsed.password || parsed.search || parsed.hash) {
+        throw new AppError({
+            statusCode: 400,
+            errorCode: "INVALID_INPUT",
+            detail: `${field} 不能包含账号、查询参数或 hash`,
+            field
+        });
+    }
+    const pathname = parsed.pathname === "/" ? "" : parsed.pathname.replace(/\/+$/, "");
+    return `${parsed.protocol}//${parsed.host}${pathname}`;
+}
+function normalizeWebsocketBaseUrl(value, field) {
+    if (value === null || value === undefined) {
+        return value ?? null;
+    }
+    const normalized = value.trim();
+    if (normalized.length === 0) {
+        return null;
+    }
+    let parsed;
+    try {
+        parsed = new URL(normalized);
+    }
+    catch {
+        throw new AppError({
+            statusCode: 400,
+            errorCode: "INVALID_INPUT",
+            detail: `${field} 必须是合法的 ws、wss、http 或 https 地址`,
+            field
+        });
+    }
+    if (parsed.protocol !== "ws:"
+        && parsed.protocol !== "wss:"
+        && parsed.protocol !== "http:"
+        && parsed.protocol !== "https:") {
+        throw new AppError({
+            statusCode: 400,
+            errorCode: "INVALID_INPUT",
+            detail: `${field} 只允许使用 ws、wss、http 或 https 协议`,
+            field
+        });
+    }
+    if (parsed.username || parsed.password || parsed.search || parsed.hash) {
+        throw new AppError({
+            statusCode: 400,
+            errorCode: "INVALID_INPUT",
+            detail: `${field} 不能包含账号、查询参数或 hash`,
+            field
+        });
+    }
+    const pathname = parsed.pathname === "/" ? "" : parsed.pathname.replace(/\/+$/, "");
+    const normalizedProtocol = parsed.protocol === "https:"
+        ? "wss:"
+        : parsed.protocol === "http:"
+            ? "ws:"
+            : parsed.protocol;
+    return `${normalizedProtocol}//${parsed.host}${pathname}`;
+}
+function requireConfiguredControlBaseUrl(config) {
+    const controlBaseUrl = normalizeOptionalText(config.controlBaseUrl);
+    if (!controlBaseUrl) {
+        throw new AppError({
+            statusCode: 409,
+            errorCode: "RELAY_TUNNEL_CONTROL_BASE_URL_REQUIRED",
+            detail: "当前还没有配置控制站点地址"
+        });
+    }
+    return controlBaseUrl;
+}
+function ensureTrailingSlash(value) {
+    return value.endsWith("/") ? value : `${value}/`;
+}
+function clearRelayTunnelControlSession(config, options) {
+    return {
+        ...config,
+        controlAccessTokenCiphertext: null,
+        controlAccountEmail: null,
+        controlSessionExpiresAt: null,
+        accountId: options.clearAccountId ? null : config.accountId,
+        updatedAt: options.updatedAt
+    };
+}
+async function buildControlApiError(response, controlBaseUrl, failurePrefix) {
+    const detail = await readControlApiErrorDetail(response);
+    if (response.status === 401 || response.status === 403) {
+        return new AppError({
+            statusCode: response.status,
+            errorCode: "RELAY_TUNNEL_CONTROL_ACCESS_DENIED",
+            detail: `${failurePrefix}：控制站 ${controlBaseUrl} 拒绝了这次请求（HTTP ${response.status}）。`
+                + ` 请确认这是正确的控制站地址，并检查账号、密码或访问权限。`
+                + appendControlApiDetail(detail)
+        });
+    }
+    if (response.status === 404) {
+        return new AppError({
+            statusCode: 404,
+            errorCode: "RELAY_TUNNEL_CONTROL_ENDPOINT_NOT_FOUND",
+            detail: `${failurePrefix}：控制站 ${controlBaseUrl} 上没有这个接口（HTTP 404）。`
+                + " 这通常说明地址写错了，或者目标服务不是 CodingNS 控制站。"
+                + appendControlApiDetail(detail)
+        });
+    }
+    return new AppError({
+        statusCode: response.status,
+        errorCode: "RELAY_TUNNEL_CONTROL_API_ERROR",
+        detail: `${failurePrefix}：控制站 ${controlBaseUrl} 返回了异常响应（HTTP ${response.status}）。`
+            + appendControlApiDetail(detail)
+    });
+}
+function buildControlFetchError(error, controlBaseUrl, failurePrefix) {
+    return new AppError({
+        statusCode: 502,
+        errorCode: "RELAY_TUNNEL_CONTROL_UNREACHABLE",
+        detail: `${failurePrefix}：无法连接到控制站 ${controlBaseUrl}。`
+            + " 请确认服务地址、端口和网络连接是否正确。"
+            + appendControlApiDetail(resolveFetchErrorDetail(error))
+    });
+}
+async function readControlApiErrorDetail(response) {
+    const contentType = response.headers.get("content-type") ?? "";
+    if (contentType.includes("application/json")) {
+        try {
+            const payload = await response.json();
+            const detail = readJsonErrorText(payload.detail)
+                ?? readJsonErrorText(payload.message)
+                ?? readJsonErrorText(payload.error);
+            if (detail) {
+                return detail;
+            }
+        }
+        catch {
+            // 忽略 JSON 解析失败，回退到纯文本。
+        }
+    }
+    const text = normalizeOptionalText(await response.text());
+    return text ?? `HTTP ${response.status}`;
+}
+function readJsonErrorText(value) {
+    return typeof value === "string" ? normalizeOptionalText(value) : null;
+}
+function resolveFetchErrorDetail(error) {
+    if (error instanceof Error) {
+        const code = readFetchErrorCode(error);
+        if (code === "ECONNREFUSED") {
+            return "连接被目标服务器拒绝。";
+        }
+        if (code === "ENOTFOUND" || code === "EAI_AGAIN") {
+            return "域名无法解析。";
+        }
+        if (code === "ETIMEDOUT" || code === "UND_ERR_CONNECT_TIMEOUT") {
+            return "连接超时。";
+        }
+        if (code === "CERT_HAS_EXPIRED" || code === "DEPTH_ZERO_SELF_SIGNED_CERT") {
+            return "TLS 证书无效。";
+        }
+        return normalizeOptionalText(error.message);
+    }
+    return null;
+}
+function readFetchErrorCode(error) {
+    const cause = "cause" in error
+        ? error.cause
+        : undefined;
+    return typeof cause?.code === "string" ? cause.code : null;
+}
+function appendControlApiDetail(detail) {
+    const normalized = normalizeOptionalText(detail);
+    if (!normalized) {
+        return "";
+    }
+    return ` 详情：${normalized}`;
+}
+//# sourceMappingURL=relay-tunnel-service.js.map