@mt-tl/server 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Joe Beretta
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,50 @@
+# @mt-tl/server
+
+Build an MTProto 2.0 server the way you'd build a [Fastify](https://fastify.dev/)
+app: `createServer`, register routes, `listen`. The framework owns the entire
+protocol — WebSocket + raw-TCP transport, framing, auth-key exchange, sessions,
+server salts, service messages, AES-IGE crypto, TL (de)serialization, layered
+encoding, server-push. You write **methods**.
+
+```bash
+npm install @mt-tl/server
+npm install -D @mt-tl/tl   # type generator + codec, used by `gen:types`
+```
+
+```ts
+import { createServer } from '@mt-tl/server'
+import type { RpcMethods } from './generated/schema.js' // generated from your .tl
+
+const app = createServer<RpcMethods>(config)
+
+app.method('help.getConfig', { auth: false }, async () => ({ _: 'config' /* … */ }))
+
+await app.listen() // opens the WebSocket + raw-TCP carriers
+```
+
+You bring three things: a **config** (`MTProtoConfig`), a **`.tl` schema** (your
+methods), and **handlers**.
+
+## What you get
+
+- `createServer` / `definePlugin` — routes and Fastify-style plugins (explicit DI).
+- Hooks (`defineHook`, pre-handlers), `ctx.login/logout/revoke`, `ctx.set/get`.
+- Server-push: `ctx.push(subject, update)`, `ctx.pushToAuthKey(...)`,
+  `createUpdatePublisher` (cross-process).
+- Errors that map to `rpc_error`: `BadRequestError`, `AuthRequiredError`,
+  `NotFoundError`, `FloodWaitError`, `InternalError`.
+- Optional engine-managed update state (`updates.getState` / `getDifference`) and
+  schema-version migrations.
+
+In-process by design: the engine and your handlers run in one process; scale by
+running more replicas behind a load balancer (shared state in Mongo + Redis).
+
+## Docs
+
+Full guide (getting started, core concepts, sessions & auth, server-push,
+releasing a version, deployment) and a complete copy-me example app live in the
+project repository under `docs/` and `examples/demo-eos-seed-app`.
+
+## License
+
+MIT

package/dist/auth/handshake.d.ts

@@ -0,0 +1,35 @@
+import { type Logger } from '@mt-tl/tl';
+import type { TlCodec } from '../tl/codec.js';
+import type { TlObject } from '@mt-tl/tl';
+import { TlReader } from '../tl/reader.js';
+import type { Storage } from '../storage/index.js';
+import type { SaltService } from '../session/salts.js';
+import { NonceStore } from './nonce-store.js';
+import { type RsaKeyPair } from '../crypto/rsa.js';
+export interface HandshakeDeps {
+    codec: TlCodec;
+    rsa: RsaKeyPair;
+    storage: Storage;
+    saltService: SaltService;
+    nonceStore: NonceStore;
+    defaultLayer: number;
+    /** Observability sink; defaults to a no-op logger. */
+    logger?: Logger;
+}
+export type HandshakeReply = {
+    reply: TlObject;
+} | {
+    raw: Buffer;
+} | null;
+export declare class Handshake {
+    private readonly deps;
+    private readonly logger;
+    constructor(deps: HandshakeDeps);
+    static isHandshakeId(id: number): boolean;
+    /** `reader` is positioned just after the 4-byte constructor id. */
+    handle(id: number, reader: TlReader): Promise<HandshakeReply>;
+    private handleReqPq;
+    private handleReqDhParams;
+    private handleSetClientDhParams;
+}
+//# sourceMappingURL=handshake.d.ts.map

package/dist/auth/handshake.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handshake.d.ts","sourceRoot":"","sources":["../../src/auth/handshake.ts"],"names":[],"mappings":"AACA,OAAO,EAAc,KAAK,MAAM,EAAE,MAAM,WAAW,CAAA;AACnD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAC7C,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAC1C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAG7C,OAAO,EAAuB,KAAK,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAmBvE,MAAM,WAAW,aAAa;IAC1B,KAAK,EAAE,OAAO,CAAA;IACd,GAAG,EAAE,UAAU,CAAA;IACf,OAAO,EAAE,OAAO,CAAA;IAChB,WAAW,EAAE,WAAW,CAAA;IACxB,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,MAAM,CAAA;IACpB,sDAAsD;IACtD,MAAM,CAAC,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,MAAM,cAAc,GAAG;IAAE,KAAK,EAAE,QAAQ,CAAA;CAAE,GAAG;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAA;AAEzE,qBAAa,SAAS;IAGN,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAQ;gBAEF,IAAI,EAAE,aAAa;IAIhD,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IASzC,mEAAmE;IAC7D,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,cAAc,CAAC;IAqBnE,OAAO,CAAC,WAAW;IAenB,OAAO,CAAC,iBAAiB;YAwDX,uBAAuB;CAmDxC"}

package/dist/auth/handshake.js

@@ -0,0 +1,208 @@
+import { randomBytes } from 'node:crypto';
+import { noopLogger } from '@mt-tl/tl';
+import { TlReader } from '../tl/reader.js';
+import { igeEncrypt, igeDecrypt } from '../crypto/aes-ige.js';
+import { sha1, xorBuffers } from '../crypto/hashes.js';
+import { rsaDecryptNoPadding } from '../crypto/rsa.js';
+import { DH_G, DH_PRIME, DH_PRIME_BIGINT, makePQ, modPow, calculatePadding } from '../crypto/dh.js';
+import { toBigIntBE, toBigIntLE, toBufferBE } from '../util/bytes.js';
+// Immutable protocol constructor ids.
+const ID_REQ_PQ = 0x60469778;
+const ID_REQ_PQ_MULTI = 0xbe7e8ef1;
+const ID_REQ_DH_PARAMS = 0xd712e4be;
+const ID_SET_CLIENT_DH_PARAMS = 0xf5045f1f;
+const ID_P_Q_INNER_DATA = 0x83c95aec;
+const ID_P_Q_INNER_DATA_DC = 0xa9f55f95;
+const ID_P_Q_INNER_DATA_TEMP = 0x3c6a84d4;
+const ID_P_Q_INNER_DATA_TEMP_DC = 0x56fddf88;
+const ID_CLIENT_DH_INNER_DATA = 0x6643b654;
+/** Raw -404 (regenerate key) sent when handshake state is missing/invalid. */
+const ERR_404 = Buffer.from('6cfeffff', 'hex');
+export class Handshake {
+    deps;
+    logger;
+    constructor(deps) {
+        this.deps = deps;
+        this.logger = deps.logger ?? noopLogger;
+    }
+    static isHandshakeId(id) {
+        return (id === ID_REQ_PQ ||
+            id === ID_REQ_PQ_MULTI ||
+            id === ID_REQ_DH_PARAMS ||
+            id === ID_SET_CLIENT_DH_PARAMS);
+    }
+    /** `reader` is positioned just after the 4-byte constructor id. */
+    async handle(id, reader) {
+        try {
+            switch (id) {
+                case ID_REQ_PQ:
+                case ID_REQ_PQ_MULTI:
+                    return this.handleReqPq(reader.readInt128());
+                case ID_REQ_DH_PARAMS:
+                    return this.handleReqDhParams(reader);
+                case ID_SET_CLIENT_DH_PARAMS:
+                    return this.handleSetClientDhParams(reader);
+                default:
+                    return null;
+            }
+        }
+        catch (e) {
+            // A malformed/forged handshake step; reply -404 (regenerate key). Client
+            // fault, not server fault → warn, with the step id for correlation.
+            this.logger.warn('handshake.error', { step: id.toString(16), err: e });
+            return { raw: ERR_404 };
+        }
+    }
+    handleReqPq(clientNonce) {
+        const serverNonce = randomBytes(16);
+        const { p, q, pq } = makePQ();
+        this.deps.nonceStore.set(clientNonce.toString('hex'), { clientNonce, serverNonce, p, q, pq });
+        const reply = {
+            _: 'resPQ',
+            nonce: clientNonce,
+            server_nonce: serverNonce,
+            pq,
+            server_public_key_fingerprints: [this.deps.rsa.fingerprint],
+        };
+        return { reply };
+    }
+    handleReqDhParams(reader) {
+        const nonce = reader.readInt128();
+        const serverNonce = reader.readInt128();
+        reader.readBytes(); // p
+        reader.readBytes(); // q
+        reader.readLong(); // public_key_fingerprint
+        const encryptedData = reader.readBytes();
+        const nd = this.deps.nonceStore.get(nonce.toString('hex'));
+        if (!nd)
+            return { raw: ERR_404 };
+        // RSA decrypt -> [0x00][sha1(20)][ctor id (4)][p_q_inner_data fields][padding]
+        const data = rsaDecryptNoPadding(this.deps.rsa.privateKey, encryptedData);
+        const inner = readPqInnerData(data.subarray(21));
+        if (!inner)
+            return { raw: ERR_404 };
+        nd.newClientNonce = inner.newNonce;
+        nd.expiresIn = inner.expiresIn ?? false;
+        // server_DH_inner_data
+        const a = randomBelow(DH_PRIME_BIGINT);
+        nd.a = a;
+        const gA = toBufferBE(modPow(BigInt(DH_G), a, DH_PRIME_BIGINT), 256);
+        const innerData = {
+            _: 'server_DH_inner_data',
+            nonce,
+            server_nonce: serverNonce,
+            g: DH_G,
+            dh_prime: DH_PRIME,
+            g_a: gA,
+            server_time: Math.floor(Date.now() / 1000),
+        };
+        const innerBytes = this.deps.codec.encode(innerData);
+        const innerHash = sha1(innerBytes);
+        const padLen = calculatePadding(innerHash.length + innerBytes.length, 16);
+        const plainAnswer = Buffer.concat([
+            innerHash,
+            innerBytes,
+            padLen > 0 ? randomBytes(padLen) : Buffer.alloc(0),
+        ]);
+        const { tmpAesKey, tmpAesIv } = deriveTmpAes(nd.newClientNonce, serverNonce);
+        nd.tmpAesKey = tmpAesKey;
+        nd.tmpAesIv = tmpAesIv;
+        this.deps.nonceStore.set(nonce.toString('hex'), nd);
+        const reply = {
+            _: 'server_DH_params_ok',
+            nonce,
+            server_nonce: serverNonce,
+            encrypted_answer: igeEncrypt(plainAnswer, tmpAesKey, tmpAesIv),
+        };
+        return { reply };
+    }
+    async handleSetClientDhParams(reader) {
+        const nonce = reader.readInt128();
+        reader.readInt128(); // server_nonce
+        const encryptedData = reader.readBytes();
+        const nd = this.deps.nonceStore.get(nonce.toString('hex'));
+        if (!nd || !nd.tmpAesKey || !nd.tmpAesIv || !nd.a || !nd.newClientNonce) {
+            return { raw: ERR_404 };
+        }
+        const data = igeDecrypt(encryptedData, nd.tmpAesKey, nd.tmpAesIv);
+        // [sha1(20)][ctor id (4)][client_DH_inner_data fields]
+        if (data.readUInt32LE(20) !== ID_CLIENT_DH_INNER_DATA)
+            return { raw: ERR_404 };
+        const gB = readClientDhInner(data.subarray(24));
+        const key = toBufferBE(modPow(toBigIntBE(gB), nd.a, DH_PRIME_BIGINT), 256);
+        const keyHash = sha1(key);
+        const keyId = toBigIntLE(keyHash.subarray(-8));
+        // Wire-compat: the FIRST salt keeps its legacy xor(newNonce, serverNonce)
+        // derivation; it just becomes window 0 of the rolling schedule.
+        const serverSalt = toBigIntLE(xorBuffers(nd.newClientNonce.subarray(0, 8), nd.serverNonce.subarray(0, 8)));
+        await this.deps.storage.authKeys.create({
+            id: keyId,
+            key,
+            expiresIn: nd.expiresIn ? true : false,
+            createdAt: new Date(),
+            subject: null,
+            meta: { apiLayer: this.deps.defaultLayer },
+        });
+        await this.deps.saltService.seed(keyId, serverSalt);
+        // A new auth key was negotiated and persisted (an anonymous key until a
+        // handler binds a user to it).
+        this.logger.info('authkey.create', { authKeyId: keyId, temp: !!nd.expiresIn });
+        const newNonceHash1 = sha1(Buffer.concat([nd.newClientNonce, Buffer.from([1]), keyHash.subarray(0, 8)])).subarray(-16);
+        this.deps.nonceStore.delete(nonce.toString('hex'));
+        const reply = {
+            _: 'dh_gen_ok',
+            nonce,
+            server_nonce: nd.serverNonce,
+            new_nonce_hash1: Buffer.from(newNonceHash1),
+        };
+        return { reply };
+    }
+}
+function readPqInnerData(buf) {
+    const r = new TlReader(buf);
+    const id = r.readUInt32();
+    if (id !== ID_P_Q_INNER_DATA &&
+        id !== ID_P_Q_INNER_DATA_DC &&
+        id !== ID_P_Q_INNER_DATA_TEMP &&
+        id !== ID_P_Q_INNER_DATA_TEMP_DC) {
+        return null;
+    }
+    r.readBytes(); // pq
+    r.readBytes(); // p
+    r.readBytes(); // q
+    r.readInt128(); // nonce
+    r.readInt128(); // server_nonce
+    const newNonce = r.readInt256();
+    if (id === ID_P_Q_INNER_DATA_DC || id === ID_P_Q_INNER_DATA_TEMP_DC)
+        r.readInt32(); // dc
+    let expiresIn;
+    if (id === ID_P_Q_INNER_DATA_TEMP || id === ID_P_Q_INNER_DATA_TEMP_DC)
+        expiresIn = r.readInt32();
+    return { newNonce, expiresIn };
+}
+/** Reads client_DH_inner_data fields (after its ctor id) and returns g_b bytes. */
+function readClientDhInner(buf) {
+    const r = new TlReader(buf);
+    r.readInt128(); // nonce
+    r.readInt128(); // server_nonce
+    r.readLong(); // retry_id
+    return r.readBytes(); // g_b
+}
+// --- crypto helpers ---------------------------------------------------------
+function deriveTmpAes(newNonce, serverNonce) {
+    const nsn = sha1(Buffer.concat([newNonce, serverNonce]));
+    const sns = sha1(Buffer.concat([serverNonce, newNonce]));
+    const nnn = sha1(Buffer.concat([newNonce, newNonce]));
+    return {
+        tmpAesKey: Buffer.concat([nsn, sns.subarray(0, 12)]),
+        tmpAesIv: Buffer.concat([sns.subarray(12, 20), nnn, newNonce.subarray(0, 4)]),
+    };
+}
+function randomBelow(limit) {
+    let a;
+    do {
+        a = toBigIntBE(randomBytes(256));
+    } while (a >= limit || a < 2n);
+    return a;
+}
+//# sourceMappingURL=handshake.js.map

package/dist/auth/handshake.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handshake.js","sourceRoot":"","sources":["../../src/auth/handshake.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,UAAU,EAAe,MAAM,WAAW,CAAA;AAGnD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAI1C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAC7D,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AACtD,OAAO,EAAE,mBAAmB,EAAmB,MAAM,kBAAkB,CAAA;AACvE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AACnG,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAErE,sCAAsC;AACtC,MAAM,SAAS,GAAG,UAAU,CAAA;AAC5B,MAAM,eAAe,GAAG,UAAU,CAAA;AAClC,MAAM,gBAAgB,GAAG,UAAU,CAAA;AACnC,MAAM,uBAAuB,GAAG,UAAU,CAAA;AAE1C,MAAM,iBAAiB,GAAG,UAAU,CAAA;AACpC,MAAM,oBAAoB,GAAG,UAAU,CAAA;AACvC,MAAM,sBAAsB,GAAG,UAAU,CAAA;AACzC,MAAM,yBAAyB,GAAG,UAAU,CAAA;AAC5C,MAAM,uBAAuB,GAAG,UAAU,CAAA;AAE1C,8EAA8E;AAC9E,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;AAe9C,MAAM,OAAO,SAAS;IAGW;IAFZ,MAAM,CAAQ;IAE/B,YAA6B,IAAmB;QAAnB,SAAI,GAAJ,IAAI,CAAe;QAC5C,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,UAAU,CAAA;IAC3C,CAAC;IAED,MAAM,CAAC,aAAa,CAAC,EAAU;QAC3B,OAAO,CACH,EAAE,KAAK,SAAS;YAChB,EAAE,KAAK,eAAe;YACtB,EAAE,KAAK,gBAAgB;YACvB,EAAE,KAAK,uBAAuB,CACjC,CAAA;IACL,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,MAAgB;QACrC,IAAI,CAAC;YACD,QAAQ,EAAE,EAAE,CAAC;gBACT,KAAK,SAAS,CAAC;gBACf,KAAK,eAAe;oBAChB,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;gBAChD,KAAK,gBAAgB;oBACjB,OAAO,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;gBACzC,KAAK,uBAAuB;oBACxB,OAAO,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,CAAA;gBAC/C;oBACI,OAAO,IAAI,CAAA;YACnB,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACT,yEAAyE;YACzE,oEAAoE;YACpE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;YACtE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAA;QAC3B,CAAC;IACL,CAAC;IAEO,WAAW,CAAC,WAAmB;QACnC,MAAM,WAAW,GAAG,WAAW,CAAC,EAAE,CAAC,CAAA;QACnC,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,GAAG,MAAM,EAAE,CAAA;QAC7B,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,CAAA;QAE7F,MAAM,KAAK,GAAa;YACpB,CAAC,EAAE,OAAO;YACV,KAAK,EAAE,WAAW;YAClB,YAAY,EAAE,WAAW;YACzB,EAAE;YACF,8BAA8B,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;SAC9D,CAAA;QACD,OAAO,EAAE,KAAK,EAAE,CAAA;IACpB,CAAC;IAEO,iBAAiB,CAAC,MAAgB;QACtC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;QACjC,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;QACvC,MAAM,CAAC,SAAS,EAAE,CAAA,CAAC,IAAI;QACvB,MAAM,CAAC,SAAS,EAAE,CAAA,CAAC,IAAI;QACvB,MAAM,CAAC,QAAQ,EAAE,CAAA,CAAC,yBAAyB;QAC3C,MAAM,aAAa,GAAG,MAAM,CAAC,SAAS,EAAE,CAAA;QAExC,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;QAC1D,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAA;QAEhC,+EAA+E;QAC/E,MAAM,IAAI,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,aAAa,CAAC,CAAA;QACzE,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAA;QAChD,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAA;QAEnC,EAAE,CAAC,cAAc,GAAG,KAAK,CAAC,QAAQ,CAAA;QAClC,EAAE,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,KAAK,CAAA;QAEvC,uBAAuB;QACvB,MAAM,CAAC,GAAG,WAAW,CAAC,eAAe,CAAC,CAAA;QACtC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAA;QACR,MAAM,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,eAAe,CAAC,EAAE,GAAG,CAAC,CAAA;QAEpE,MAAM,SAAS,GAAa;YACxB,CAAC,EAAE,sBAAsB;YACzB,KAAK;YACL,YAAY,EAAE,WAAW;YACzB,CAAC,EAAE,IAAI;YACP,QAAQ,EAAE,QAAQ;YAClB,GAAG,EAAE,EAAE;YACP,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SAC7C,CAAA;QACD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,CAAA;QAClC,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;QACzE,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC;YAC9B,SAAS;YACT,UAAU;YACV,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;SACrD,CAAC,CAAA;QAEF,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,YAAY,CAAC,EAAE,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;QAC5E,EAAE,CAAC,SAAS,GAAG,SAAS,CAAA;QACxB,EAAE,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACtB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAA;QAEnD,MAAM,KAAK,GAAa;YACpB,CAAC,EAAE,qBAAqB;YACxB,KAAK;YACL,YAAY,EAAE,WAAW;YACzB,gBAAgB,EAAE,UAAU,CAAC,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;SACjE,CAAA;QACD,OAAO,EAAE,KAAK,EAAE,CAAA;IACpB,CAAC;IAEO,KAAK,CAAC,uBAAuB,CAAC,MAAgB;QAClD,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;QACjC,MAAM,CAAC,UAAU,EAAE,CAAA,CAAC,eAAe;QACnC,MAAM,aAAa,GAAG,MAAM,CAAC,SAAS,EAAE,CAAA;QAExC,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;QAC1D,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC,QAAQ,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,cAAc,EAAE,CAAC;YACtE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAA;QAC3B,CAAC;QAED,MAAM,IAAI,GAAG,UAAU,CAAC,aAAa,EAAE,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAA;QACjE,uDAAuD;QACvD,IAAI,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,KAAK,uBAAuB;YAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAA;QAC9E,MAAM,EAAE,GAAG,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAA;QAE/C,MAAM,GAAG,GAAG,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,eAAe,CAAC,EAAE,GAAG,CAAC,CAAA;QAC1E,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAA;QACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;QAC9C,0EAA0E;QAC1E,gEAAgE;QAChE,MAAM,UAAU,GAAG,UAAU,CACzB,UAAU,CAAC,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAC9E,CAAA;QAED,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;YACpC,EAAE,EAAE,KAAK;YACT,GAAG;YACH,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK;YACtC,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;SAC7C,CAAC,CAAA;QACF,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,UAAU,CAAC,CAAA;QACnD,wEAAwE;QACxE,+BAA+B;QAC/B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,CAAA;QAE9E,MAAM,aAAa,GAAG,IAAI,CACtB,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAC/E,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAA;QAEf,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;QAElD,MAAM,KAAK,GAAa;YACpB,CAAC,EAAE,WAAW;YACd,KAAK;YACL,YAAY,EAAE,EAAE,CAAC,WAAW;YAC5B,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC;SAC9C,CAAA;QACD,OAAO,EAAE,KAAK,EAAE,CAAA;IACpB,CAAC;CACJ;AASD,SAAS,eAAe,CAAC,GAAW;IAChC,MAAM,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAA;IAC3B,MAAM,EAAE,GAAG,CAAC,CAAC,UAAU,EAAE,CAAA;IACzB,IACI,EAAE,KAAK,iBAAiB;QACxB,EAAE,KAAK,oBAAoB;QAC3B,EAAE,KAAK,sBAAsB;QAC7B,EAAE,KAAK,yBAAyB,EAClC,CAAC;QACC,OAAO,IAAI,CAAA;IACf,CAAC;IACD,CAAC,CAAC,SAAS,EAAE,CAAA,CAAC,KAAK;IACnB,CAAC,CAAC,SAAS,EAAE,CAAA,CAAC,IAAI;IAClB,CAAC,CAAC,SAAS,EAAE,CAAA,CAAC,IAAI;IAClB,CAAC,CAAC,UAAU,EAAE,CAAA,CAAC,QAAQ;IACvB,CAAC,CAAC,UAAU,EAAE,CAAA,CAAC,eAAe;IAC9B,MAAM,QAAQ,GAAG,CAAC,CAAC,UAAU,EAAE,CAAA;IAC/B,IAAI,EAAE,KAAK,oBAAoB,IAAI,EAAE,KAAK,yBAAyB;QAAE,CAAC,CAAC,SAAS,EAAE,CAAA,CAAC,KAAK;IACxF,IAAI,SAA6B,CAAA;IACjC,IAAI,EAAE,KAAK,sBAAsB,IAAI,EAAE,KAAK,yBAAyB;QAAE,SAAS,GAAG,CAAC,CAAC,SAAS,EAAE,CAAA;IAChG,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAA;AAClC,CAAC;AAED,mFAAmF;AACnF,SAAS,iBAAiB,CAAC,GAAW;IAClC,MAAM,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAA;IAC3B,CAAC,CAAC,UAAU,EAAE,CAAA,CAAC,QAAQ;IACvB,CAAC,CAAC,UAAU,EAAE,CAAA,CAAC,eAAe;IAC9B,CAAC,CAAC,QAAQ,EAAE,CAAA,CAAC,WAAW;IACxB,OAAO,CAAC,CAAC,SAAS,EAAE,CAAA,CAAC,MAAM;AAC/B,CAAC;AAED,+EAA+E;AAE/E,SAAS,YAAY,CAAC,QAAgB,EAAE,WAAmB;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,CAAA;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAA;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAA;IACrD,OAAO;QACH,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QACpD,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;KAChF,CAAA;AACL,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAC9B,IAAI,CAAS,CAAA;IACb,GAAG,CAAC;QACA,CAAC,GAAG,UAAU,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAA;IACpC,CAAC,QAAQ,CAAC,IAAI,KAAK,IAAI,CAAC,GAAG,EAAE,EAAC;IAC9B,OAAO,CAAC,CAAA;AACZ,CAAC"}

package/dist/auth/nonce-store.d.ts

@@ -0,0 +1,22 @@
+/** In-flight auth-key-exchange state, keyed by the client nonce (hex). */
+export interface NonceData {
+    clientNonce: Buffer;
+    serverNonce: Buffer;
+    newClientNonce?: Buffer;
+    p?: bigint;
+    q?: bigint;
+    pq?: Buffer;
+    /** server DH secret exponent */
+    a?: bigint;
+    tmpAesKey?: Buffer;
+    tmpAesIv?: Buffer;
+    expiresIn?: number | false;
+    timer?: NodeJS.Timeout;
+}
+export declare class NonceStore {
+    private map;
+    set(nonceHex: string, data: NonceData): void;
+    get(nonceHex: string): NonceData | undefined;
+    delete(nonceHex: string): void;
+}
+//# sourceMappingURL=nonce-store.d.ts.map

package/dist/auth/nonce-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nonce-store.d.ts","sourceRoot":"","sources":["../../src/auth/nonce-store.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,MAAM,WAAW,SAAS;IACtB,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,CAAC,CAAC,EAAE,MAAM,CAAA;IACV,CAAC,CAAC,EAAE,MAAM,CAAA;IACV,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,gCAAgC;IAChC,CAAC,CAAC,EAAE,MAAM,CAAA;IACV,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,SAAS,CAAC,EAAE,MAAM,GAAG,KAAK,CAAA;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC,OAAO,CAAA;CACzB;AAID,qBAAa,UAAU;IACnB,OAAO,CAAC,GAAG,CAA+B;IAE1C,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,IAAI;IAQ5C,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI5C,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;CAKjC"}

package/dist/auth/nonce-store.js

@@ -0,0 +1,23 @@
+const TTL_MS = 10 * 60 * 1000; // 10 minutes (Telegram drops stale handshakes)
+export class NonceStore {
+    map = new Map();
+    set(nonceHex, data) {
+        const existing = this.map.get(nonceHex);
+        if (existing?.timer)
+            clearTimeout(existing.timer);
+        data.timer = setTimeout(() => this.map.delete(nonceHex), TTL_MS);
+        if (typeof data.timer.unref === 'function')
+            data.timer.unref();
+        this.map.set(nonceHex, data);
+    }
+    get(nonceHex) {
+        return this.map.get(nonceHex);
+    }
+    delete(nonceHex) {
+        const existing = this.map.get(nonceHex);
+        if (existing?.timer)
+            clearTimeout(existing.timer);
+        this.map.delete(nonceHex);
+    }
+}
+//# sourceMappingURL=nonce-store.js.map

package/dist/auth/nonce-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nonce-store.js","sourceRoot":"","sources":["../../src/auth/nonce-store.ts"],"names":[],"mappings":"AAgBA,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,+CAA+C;AAE7E,MAAM,OAAO,UAAU;IACX,GAAG,GAAG,IAAI,GAAG,EAAqB,CAAA;IAE1C,GAAG,CAAC,QAAgB,EAAE,IAAe;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACvC,IAAI,QAAQ,EAAE,KAAK;YAAE,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,CAAA;QAChE,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,KAAK,UAAU;YAAE,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAA;QAC9D,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IAChC,CAAC;IAED,GAAG,CAAC,QAAgB;QAChB,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACjC,CAAC;IAED,MAAM,CAAC,QAAgB;QACnB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACvC,IAAI,QAAQ,EAAE,KAAK;YAAE,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QACjD,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAC7B,CAAC;CACJ"}

package/dist/bootstrap.d.ts

@@ -0,0 +1,36 @@
+import { type Gateway } from './gateway.js';
+import { type UpdateLog } from './core/updates.js';
+import { type Logger } from '@mt-tl/tl';
+import type { MTProtoConfig } from './config.js';
+import type { RpcRequest, RpcResponse } from './dispatch/rpc-forwarder.js';
+import type { UpdateMessage } from './updates/types.js';
+import type { MigrationRegistry } from '@mt-tl/tl';
+/** The app's forward handler — typically `req => dispatchRpc(app.rpc, req, app.deps)`. */
+export type ForwardHandler = (req: RpcRequest) => Promise<RpcResponse>;
+/** Publishes a server update onto the gateway's push loop (no-op when push is off). */
+export type UpdatePublish = (msg: UpdateMessage) => Promise<void>;
+export interface BootstrapOptions {
+    config: MTProtoConfig;
+    /**
+     * Builds the app's forward handler. Receives a `publish` wired to the
+     * gateway's in-process push loop and the shared {@link UpdateLog} (durable
+     * when `config.updates.managed`) — feed both into the app's update emitter
+     * (`new LoggingUpdateEmitter(updateLog, publish)`) so handler-emitted updates
+     * reach connected clients and, when managed, persist with a pts.
+     */
+    createForward: (publish: UpdatePublish, updateLog: UpdateLog) => ForwardHandler;
+    logger?: Logger;
+    /** Per-predicate migration ladders (input `up` / output `down`). */
+    migrations?: MigrationRegistry;
+}
+/**
+ * The in-process-first entrypoint: runs the gateway and an app in ONE process.
+ * The app is reached via an {@link InProcessForwarder} (no broker). When
+ * `config.updates.enabled`, server-push is wired in-process: the app's
+ * `publish` → update bus → {@link UpdateRouter} (presence lookup) → this node →
+ * client. Uses an in-memory bus/presence for a single process, or Redis (pub/sub
+ * bus + presence) when `config.updates.redisUrl` is set (then scale
+ * horizontally). Returns the gateway; call `listen()`.
+ */
+export declare function bootstrap(opts: BootstrapOptions): Promise<Gateway>;
+//# sourceMappingURL=bootstrap.d.ts.map

package/dist/bootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmC,KAAK,OAAO,EAAE,MAAM,cAAc,CAAA;AAQ5E,OAAO,EAAqB,KAAK,SAAS,EAAE,MAAM,mBAAmB,CAAA;AACrE,OAAO,EAAgB,KAAK,MAAM,EAAE,MAAM,WAAW,CAAA;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAA;AAC1E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAElD,0FAA0F;AAC1F,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,UAAU,KAAK,OAAO,CAAC,WAAW,CAAC,CAAA;AAEtE,uFAAuF;AACvF,MAAM,MAAM,aAAa,GAAG,CAAC,GAAG,EAAE,aAAa,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;AAEjE,MAAM,WAAW,gBAAgB;IAC7B,MAAM,EAAE,aAAa,CAAA;IACrB;;;;;;OAMG;IACH,aAAa,EAAE,CAAC,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,KAAK,cAAc,CAAA;IAC/E,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,oEAAoE;IACpE,UAAU,CAAC,EAAE,iBAAiB,CAAA;CACjC;AAED;;;;;;;;GAQG;AACH,wBAAsB,SAAS,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,CAmCxE"}

package/dist/bootstrap.js

@@ -0,0 +1,82 @@
+import { buildGateway } from './gateway.js';
+import { InProcessForwarder } from './dispatch/forwarders/in-process.js';
+import { InMemoryUpdateBus } from './updates/update-bus.js';
+import { InMemoryPresence } from './updates/presence.js';
+import { createRedisPresence } from './updates/redis-presence.js';
+import { createRedisUpdateBus } from './updates/redis-bus.js';
+import { createMongoUpdateLog } from './updates/mongo-update-log.js';
+import { UpdateRouter } from './updates/router.js';
+import { InMemoryUpdateLog } from './core/updates.js';
+import { createLogger } from '@mt-tl/tl';
+/**
+ * The in-process-first entrypoint: runs the gateway and an app in ONE process.
+ * The app is reached via an {@link InProcessForwarder} (no broker). When
+ * `config.updates.enabled`, server-push is wired in-process: the app's
+ * `publish` → update bus → {@link UpdateRouter} (presence lookup) → this node →
+ * client. Uses an in-memory bus/presence for a single process, or Redis (pub/sub
+ * bus + presence) when `config.updates.redisUrl` is set (then scale
+ * horizontally). Returns the gateway; call `listen()`.
+ */
+export async function bootstrap(opts) {
+    const logger = opts.logger ?? createLogger({ name: opts.config.nodeId });
+    const buildOpts = { logger, migrations: opts.migrations };
+    const closers = [];
+    let publish = async () => { };
+    if (opts.config.updates.enabled) {
+        const presence = await makePresence(opts.config);
+        const bus = await makeBus(opts.config);
+        new UpdateRouter(bus.bus, presence.presence).start();
+        publish = msg => bus.bus.publishUpdate(msg);
+        buildOpts.presence = presence.presence;
+        buildOpts.bus = bus.bus;
+        closers.push(bus.close, presence.close);
+        logger.info('updates.inprocess', {
+            backend: opts.config.updates.redisUrl ? 'redis' : 'memory',
+        });
+    }
+    // Update state (pts log). Durable + engine-answered when `updates.managed`.
+    const updateLog = await makeUpdateLog(opts.config);
+    closers.push(updateLog.close);
+    buildOpts.updateLog = updateLog.log;
+    buildOpts.managedUpdates = !!opts.config.updates.managed;
+    buildOpts.forwarder = new InProcessForwarder(opts.createForward(publish, updateLog.log));
+    const gateway = await buildGateway(opts.config, buildOpts);
+    // Extend close() to also tear down the in-process update infra.
+    const closeGateway = gateway.close.bind(gateway);
+    gateway.close = async () => {
+        await closeGateway();
+        for (const close of closers)
+            await close().catch(() => { });
+    };
+    return gateway;
+}
+/** In-memory for a single process; Redis once `redisUrl` is set (multi-instance). */
+async function makePresence(config) {
+    const u = config.updates;
+    if (!u.redisUrl)
+        return { presence: new InMemoryPresence(), close: async () => { } };
+    return createRedisPresence(u.redisUrl, u.presenceTtlMs);
+}
+async function makeBus(config) {
+    const u = config.updates;
+    if (!u.redisUrl) {
+        const bus = new InMemoryUpdateBus();
+        return { bus, close: () => bus.close() };
+    }
+    return createRedisUpdateBus(u.redisUrl);
+}
+/**
+ * The pts log behind `ctx.push` and (when `updates.managed`) `updates.getState`/
+ * `getDifference`. Durable on Mongo when managed + `storage.backend: 'mongo'`;
+ * in-memory otherwise (the emitter still uses it to stamp a pts).
+ */
+async function makeUpdateLog(config) {
+    if (config.updates.managed && config.storage.backend === 'mongo') {
+        if (!config.storage.mongoUrl || !config.storage.mongoDb) {
+            throw new Error('updates.managed with mongo storage requires MONGO_URL and MONGO_DB');
+        }
+        return createMongoUpdateLog(config.storage.mongoUrl, config.storage.mongoDb);
+    }
+    return { log: new InMemoryUpdateLog(), close: async () => { } };
+}
+//# sourceMappingURL=bootstrap.js.map

package/dist/bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAmC,MAAM,cAAc,CAAA;AAC5E,OAAO,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAA;AACxE,OAAO,EAAE,iBAAiB,EAAkB,MAAM,yBAAyB,CAAA;AAC3E,OAAO,EAAE,gBAAgB,EAAiB,MAAM,uBAAuB,CAAA;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAA;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAA;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,iBAAiB,EAAkB,MAAM,mBAAmB,CAAA;AACrE,OAAO,EAAE,YAAY,EAAe,MAAM,WAAW,CAAA;AA2BrD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAsB;IAClD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IACxE,MAAM,SAAS,GAAiB,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAA;IACvE,MAAM,OAAO,GAA+B,EAAE,CAAA;IAC9C,IAAI,OAAO,GAAkB,KAAK,IAAI,EAAE,GAAE,CAAC,CAAA;IAE3C,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAChD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QACtC,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAE,CAAA;QACpD,OAAO,GAAG,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAA;QAC3C,SAAS,CAAC,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAA;QACtC,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAA;QACvB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;QACvC,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE;YAC7B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ;SAC7D,CAAC,CAAA;IACN,CAAC;IAED,4EAA4E;IAC5E,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;IAClD,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IAC7B,SAAS,CAAC,SAAS,GAAG,SAAS,CAAC,GAAG,CAAA;IACnC,SAAS,CAAC,cAAc,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAA;IAExD,SAAS,CAAC,SAAS,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAA;IACxF,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;IAE1D,gEAAgE;IAChE,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAChD,OAAO,CAAC,KAAK,GAAG,KAAK,IAAI,EAAE;QACvB,MAAM,YAAY,EAAE,CAAA;QACpB,KAAK,MAAM,KAAK,IAAI,OAAO;YAAE,MAAM,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;IAC9D,CAAC,CAAA;IACD,OAAO,OAAO,CAAA;AAClB,CAAC;AAED,qFAAqF;AACrF,KAAK,UAAU,YAAY,CACvB,MAAqB;IAErB,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAA;IACxB,IAAI,CAAC,CAAC,CAAC,QAAQ;QAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,gBAAgB,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC,EAAE,CAAA;IACnF,OAAO,mBAAmB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,aAAa,CAAC,CAAA;AAC3D,CAAC;AAED,KAAK,UAAU,OAAO,CAAC,MAAqB;IACxC,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAA;IACxB,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,GAAG,GAAG,IAAI,iBAAiB,EAAE,CAAA;QACnC,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAA;IAC5C,CAAC;IACD,OAAO,oBAAoB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;AAC3C,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,aAAa,CAAC,MAAqB;IAC9C,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;QAC/D,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAA;QACzF,CAAC;QACD,OAAO,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAChF,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,IAAI,iBAAiB,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC,EAAE,CAAA;AAClE,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,103 @@
+import type { StorageBackend } from './storage/index.js';
+/**
+ * The configuration object you pass to {@link createServer}. The framework reads
+ * **no** environment of its own — your app builds this (its composition root) and
+ * hands it in. Only `nodeId`, `defaultLayer`, `schemaDir`, `schemaLayersDir`,
+ * `storage`, and `updates` are required.
+ *
+ * @example
+ * ```ts
+ * const config: MTProtoConfig = {
+ *   nodeId: 'node-1',
+ *   wsPort: 8081,
+ *   defaultLayer: 204,
+ *   schemaDir,                 // your business .tl
+ *   schemaLayersDir: layersDir,
+ *   rsaKeyPath: process.env.RSA_PRIVATE_KEY_PATH,
+ *   storage: { backend: 'mongo', mongoUrl: process.env.MONGO_URL },
+ *   updates: { enabled: true, redisUrl: process.env.REDIS_URL, presenceTtlMs: 60_000 },
+ * }
+ * ```
+ */
+export interface MTProtoConfig {
+    /** Stable id of this instance, unique per replica — the presence routing key. */
+    nodeId: string;
+    /** WebSocket listen port. Omit to disable the WS carrier. */
+    wsPort?: number;
+    /** Raw-TCP listen port. Omit to disable the TCP carrier. */
+    tcpPort?: number;
+    /** TL layer assumed for a connection until it negotiates one via `invokeWithLayer`. */
+    defaultLayer: number;
+    /**
+     * Whitelist of accepted `initConnection.api_id`s. Omit (default) to accept any
+     * id. When set, an `initConnection` carrying an id outside the list is rejected
+     * with `rpc_error` `API_ID_INVALID` (400) and its wrapped query is not run —
+     * so an unregistered app can't reach your handlers.
+     */
+    allowedApiIds?: number[];
+    /** Directory of your business `.tl` schema (the protocol schema is bundled). */
+    schemaDir: string;
+    /** Directory of per-layer snapshots (`scheme_N.json`) that drive layered encoding. */
+    schemaLayersDir: string;
+    /**
+     * Path to the server's RSA private key (PEM). Clients pin its fingerprint, so a
+     * real client needs the production key here. Omitted → an ephemeral key is
+     * generated (handshake works only for test clients).
+     */
+    rsaKeyPath?: string;
+    /**
+     * Disable the inbound MTProto 2.0 `msg_key` integrity check. ⚠️ INSECURE — keep
+     * `false` (the default). Only enable as a temporary interop shim for a
+     * non-compliant client. See docs/internals/msgkey-v1-quirk.md.
+     */
+    disableMsgKeyCheck?: boolean;
+    /**
+     * Disable inbound sequence-number validation (`bad_msg_notification` codes
+     * 32/34/35). Default `false` = enforced: content-related messages (RPC queries)
+     * must carry an odd, strictly increasing `seqno` and pure service messages an
+     * even one. Set `true` as an interop shim for a client that does not set `seqno`
+     * to spec — the same escape-hatch pattern as {@link disableMsgKeyCheck}.
+     */
+    disableSeqNoCheck?: boolean;
+    /**
+     * Trust an upstream proxy/load balancer for the client address: parse the
+     * PROXY-protocol header (v1/v2) on the raw-TCP carrier, and trust
+     * `X-Forwarded-For` on WebSocket. Default `false` — leave off when clients
+     * connect directly, since both are spoofable by a direct client. When `true`,
+     * the announced IP surfaces as `ctx.request.ip`.
+     */
+    trustProxy?: boolean;
+    /** Where auth keys, server salts, and sessions persist. */
+    storage: {
+        /** `'memory'` (single process, dev) or `'mongo'` (shared, multi-replica). */
+        backend: StorageBackend;
+        /** Mongo connection string (required when `backend: 'mongo'`). */
+        mongoUrl?: string;
+        /** Mongo database name (defaults to the driver's database in the URL). */
+        mongoDb?: string;
+    };
+    /** Server-push (updates) delivery. */
+    updates: {
+        /** Master switch for server-push. When `false`, `ctx.push` is a no-op. */
+        enabled: boolean;
+        /**
+         * Redis URL for cross-instance presence + the pub/sub update bus. Omit for a
+         * single process (in-memory presence/bus); required to deliver push across
+         * replicas.
+         */
+        redisUrl?: string;
+        /** Presence entry TTL in ms; the node refreshes it on a heartbeat. */
+        presenceTtlMs: number;
+        /**
+         * Who owns the update state (`pts` + `updates.getState`/`getDifference`).
+         * `false` (default) → your app owns it: handle those methods yourself and
+         * embed `pts` in the updates you push. `true` → the engine owns it: it keeps
+         * a durable per-user pts log (Mongo when `storage.backend: 'mongo'`, else
+         * in-memory) and answers `updates.getState`/`updates.getDifference` itself.
+         * Requires the `updates.*` types in your schema. Common-pts only — no qts,
+         * seq, or per-channel pts.
+         */
+        managed?: boolean;
+    };
+}
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAExD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,aAAa;IAC1B,iFAAiF;IACjF,MAAM,EAAE,MAAM,CAAA;IACd,6DAA6D;IAC7D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,4DAA4D;IAC5D,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,uFAAuF;IACvF,YAAY,EAAE,MAAM,CAAA;IACpB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,gFAAgF;IAChF,SAAS,EAAE,MAAM,CAAA;IACjB,sFAAsF;IACtF,eAAe,EAAE,MAAM,CAAA;IACvB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAC5B;;;;;;OAMG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,2DAA2D;IAC3D,OAAO,EAAE;QACL,6EAA6E;QAC7E,OAAO,EAAE,cAAc,CAAA;QACvB,kEAAkE;QAClE,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,0EAA0E;QAC1E,OAAO,CAAC,EAAE,MAAM,CAAA;KACnB,CAAA;IACD,sCAAsC;IACtC,OAAO,EAAE;QACL,0EAA0E;QAC1E,OAAO,EAAE,OAAO,CAAA;QAChB;;;;WAIG;QACH,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,sEAAsE;QACtE,aAAa,EAAE,MAAM,CAAA;QACrB;;;;;;;;WAQG;QACH,OAAO,CAAC,EAAE,OAAO,CAAA;KACpB,CAAA;CACJ"}

package/dist/config.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":""}