@nordbyte/nordrelay 0.6.0 → 0.7.0

package/dist/discord-command-surface.js

@@ -1,7 +1,8 @@
 import { permissionForCommand } from "./access-control.js";
+import { discordCommandCatalog } from "./channel-command-catalog.js";
+import { normalizeChannelCommandName, parseChannelCommand } from "./channel-runtime.js";
 export function parseDiscordMessageCommand(text) {
-    const match = text.match(/^\/([a-zA-Z0-9_-]+)(?:\s+([\s\S]*))?$/);
-    return match?.[1] ? { command: match[1].toLowerCase(), argument: match[2]?.trim() ?? "" } : null;
+    return parseChannelCommand(text, { allowBotMention: false });
 }
 export function argumentFromDiscordInteraction(interaction) {
     if (interaction.commandName === "prompt") {
@@ -16,17 +17,18 @@ export function argumentFromDiscordInteraction(interaction) {
     return interaction.options.getString("value") ?? interaction.options.getString("query") ?? interaction.options.getString("thread_id") ?? "";
 }
 export function requiredPermissionForDiscordCommand(command, argument) {
-    if (command === "prompt")
+    const normalized = normalizeChannelCommandName(command);
+    if (normalized === "prompt")
         return "prompt.send";
-    if (command === "queue")
+    if (normalized === "queue")
         return argument.trim() ? "queue.write" : "queue.read";
-    return permissionForCommand(command);
+    return permissionForCommand(normalized);
 }
 export function isUnauthenticatedDiscordCommandAllowed(command) {
-    return command === "link";
+    return normalizeChannelCommandName(command) === "link";
 }
 export function permissionForDiscordAction(action) {
-    if (action.startsWith("discord_queue_"))
+    if (action.startsWith("discord_queue_") || action.startsWith("discord_peer_queue_"))
         return "queue.write";
     if (action.startsWith("discord_abort:"))
         return "prompt.abort";
@@ -41,72 +43,8 @@ export function permissionForDiscordAction(action) {
     return null;
 }
 export function discordCommands() {
-    const textOption = (name = "value", description = "Value", required = false) => ({
-        type: 3,
-        name,
-        description,
-        required,
-    });
-    return [
-        command("start", "Start or inspect the current NordRelay context"),
-        command("help", "Show Discord adapter help"),
-        command("prompt", "Send a prompt to the selected agent", [textOption("text", "Prompt text", true)]),
-        command("agent", "Select or show the active agent", [textOption("value", "Agent id")]),
-        command("auth", "Show selected agent auth status"),
-        command("login", "Start selected agent login"),
-        command("logout", "Sign out of the selected agent"),
-        command("session", "Show the active session"),
-        command("sessions", "Browse recent sessions", [textOption("query", "Search query")]),
-        command("new", "Create a new session", [textOption("value", "Workspace path")]),
-        command("switch", "Switch to a session", [textOption("thread_id", "Thread id", true)]),
-        command("attach", "Attach a session", [textOption("thread_id", "Thread id", true)]),
-        command("handback", "Hand the active session back to the native CLI"),
-        command("model", "Select or show models", [textOption("value", "Model id")]),
-        command("reasoning", "Select reasoning effort", [textOption("value", "Reasoning value")]),
-        command("effort", "Select reasoning effort", [textOption("value", "Reasoning value")]),
-        command("fast", "Toggle fast mode", [textOption("value", "on/off")]),
-        command("launch", "Select launch profile", [textOption("value", "Launch profile id")]),
-        command("launch_profiles", "Select launch profile", [textOption("value", "Launch profile id")]),
-        command("workspaces", "List allowed workspaces"),
-        command("pin", "Pin current or given thread", [textOption("value", "Thread id")]),
-        command("unpin", "Unpin current or given thread", [textOption("value", "Thread id")]),
-        command("pinned", "Show pinned threads"),
-        command("queue", "Show or manage queue", [textOption("action", "pause/resume/clear/run/cancel/top/up/down"), textOption("id", "Queue id")]),
-        command("clearqueue", "Clear queue"),
-        command("cancel", "Cancel queued prompt", [textOption("value", "Queue id", true)]),
-        command("abort", "Abort the active task"),
-        command("stop", "Abort the active task"),
-        command("retry", "Retry the last prompt"),
-        command("sync", "Sync from local agent state"),
-        command("activity", "Show recent activity", [textOption("value", "Limit")]),
-        command("tasks", "Show recent tasks", [textOption("value", "Limit")]),
-        command("progress", "Show current turn progress"),
-        command("audit", "Show recent audit events", [textOption("value", "Limit")]),
-        command("artifacts", "List or send artifacts", [textOption("value", "zip <turn-id>")]),
-        command("logs", "Show logs", [textOption("value", "Target and line count")]),
-        command("version", "Show versions"),
-        command("status", "Show status"),
-        command("health", "Show health"),
-        command("diagnostics", "Show diagnostics"),
-        command("support", "Show support diagnostics"),
-        command("restart", "Restart NordRelay"),
-        command("update", "Update NordRelay or agents", [
-            textOption("target", "jobs, install, log, cancel, input, or agent id"),
-            textOption("agent", "Agent id or job id"),
-            textOption("input", "Text for update input"),
-        ]),
-        command("lock", "Lock this context"),
-        command("unlock", "Unlock this context"),
-        command("locks", "List locks"),
-        command("mirror", "Set mirror mode", [textOption("value", "off/status/final/full")]),
-        command("notify", "Set notification mode", [textOption("value", "off/minimal/all")]),
-        command("voice", "Show or change voice settings", [textOption("value", "transcribe-only on/off")]),
-        command("register_channel", "Enable this Discord channel for NordRelay"),
-        command("link", "Link this Discord account with a NordRelay code", [textOption("value", "Link code", true)]),
-        command("whoami", "Show linked NordRelay user"),
-        command("channels", "Show channel adapters"),
-        command("agents", "Show agent adapters"),
-    ];
+    return discordCommandCatalog()
+        .map((entry) => command(entry.name, entry.description, entry.options));
 }
 function command(name, description, options = []) {
     return {

package/dist/index.js

@@ -19,6 +19,8 @@ import { describeOpenClawCli, resolveOpenClawCli } from "./openclaw-cli.js";
 import { installConsoleLogger } from "./logger.js";
 import { checkPiAuthStatus } from "./pi-auth.js";
 import { describePiCli, resolvePiCli } from "./pi-cli.js";
+import { startPeerServer } from "./peer-server.js";
+import { RelayRuntime } from "./relay-runtime.js";
 import { configureRedaction } from "./redaction.js";
 import { SessionRegistry } from "./session-registry.js";
 import { UserStore } from "./user-management.js";
@@ -26,6 +28,8 @@ let registry;
 let bot;
 let discordBridge;
 let webhookServer;
+let peerServer;
+let peerRuntime;
 let runtimeConfig;
 try {
     const config = loadConfig();
@@ -39,6 +43,10 @@ try {
     }
     discordBridge = createDiscordBridge(config, registry);
     await discordBridge?.start();
+    if (config.peerEnabled) {
+        peerRuntime = new RelayRuntime(config);
+        peerServer = await startPeerServer({ config, runtime: peerRuntime });
+    }
     console.log("NordRelay running");
     const userStore = new UserStore();
     if (userStore.hasAdminUser()) {
@@ -52,6 +60,9 @@ try {
     if (!authStatus.authenticated) {
         console.warn(`Warning: ${agentLabel(config.defaultAgent)} is not authenticated. ${authStatus.detail}`);
     }
+    for (const warning of config.adapterWarnings ?? []) {
+        console.warn(`Warning: ${warning}`);
+    }
     console.log(`Workspace: ${config.workspace}`);
     console.log(`Enabled agents: ${enabledAgents(config).join(", ")} (default: ${config.defaultAgent})`);
     if (config.codexModel) {
@@ -83,6 +94,7 @@ try {
     console.log("Session mode: per chat context");
     console.log(`Telegram: ${config.telegramEnabled ? config.telegramTransport : "disabled"}`);
     console.log(`Discord: ${config.discordEnabled ? "enabled" : "disabled"}`);
+    console.log(`Peers: ${peerServer ? peerServer.url : "disabled"}`);
     await writeConnectorState({
         status: "ready",
         pid: Number(process.env.NORDRELAY_WRAPPER_PID) || process.pid,
@@ -99,6 +111,10 @@ try {
         openClawGateway: config.openClawGatewayUrl,
         telegramTransport: config.telegramTransport,
         discordEnabled: config.discordEnabled,
+        peerEnabled: config.peerEnabled,
+        peerUrl: peerServer?.url,
+        peerTlsFingerprint: peerServer?.tlsFingerprint,
+        adapterWarnings: config.adapterWarnings ?? [],
     });
 }
 catch (error) {
@@ -149,8 +165,12 @@ const shutdown = (signal) => {
         console.warn("Failed to stop Discord bridge:", error instanceof Error ? error.message : String(error));
     });
     webhookServer?.close();
+    void peerServer?.close().catch((error) => {
+        console.warn("Failed to stop peer server:", error instanceof Error ? error.message : String(error));
+    });
     setTimeout(() => {
         registry?.disposeAll();
+        peerRuntime?.dispose();
         void writeConnectorState({
             status: "stopped",
             pid: Number(process.env.NORDRELAY_WRAPPER_PID) || process.pid,

package/dist/metrics.js

@@ -1,5 +1,9 @@
+import { monitorEventLoopDelay } from "node:perf_hooks";
 import { getDiscordRateLimitMetrics } from "./discord-rate-limit.js";
 import { getTelegramRateLimitMetrics } from "./telegram-rate-limit.js";
+const startedAt = Date.now();
+const eventLoopDelay = monitorEventLoopDelay({ resolution: 20 });
+eventLoopDelay.enable();
 export function buildRuntimeMetrics(input) {
     const completedPromptDurations = input.activity
         .filter((event) => event.category === "prompt" && event.status === "completed" && typeof event.durationMs === "number")
@@ -27,12 +31,54 @@ export function buildRuntimeMetrics(input) {
             failed: countJobs(input.jobs, "failed"),
             aborted: countJobs(input.jobs, "aborted"),
         },
+        process: processMetrics(),
         adapters: {
             telegram: getTelegramRateLimitMetrics(),
             discord: getDiscordRateLimitMetrics(),
         },
     };
 }
+function processMetrics() {
+    const memory = process.memoryUsage();
+    const cpu = process.cpuUsage();
+    const uptimeMs = Math.max(0, Math.round(process.uptime() * 1000));
+    const totalMs = Math.round((cpu.user + cpu.system) / 1000);
+    return {
+        pid: process.pid,
+        nodeVersion: process.version,
+        platform: process.platform,
+        arch: process.arch,
+        uptimeMs,
+        startedAt: new Date(startedAt).toISOString(),
+        memory: {
+            rssBytes: memory.rss,
+            heapTotalBytes: memory.heapTotal,
+            heapUsedBytes: memory.heapUsed,
+            externalBytes: memory.external,
+            arrayBuffersBytes: memory.arrayBuffers,
+        },
+        cpu: {
+            userMs: Math.round(cpu.user / 1000),
+            systemMs: Math.round(cpu.system / 1000),
+            totalMs,
+            percentSinceStart: uptimeMs > 0 ? roundMetric((totalMs / uptimeMs) * 100) : null,
+        },
+        eventLoop: {
+            delayMeanMs: nanosecondsToMilliseconds(eventLoopDelay.mean),
+            delayMaxMs: nanosecondsToMilliseconds(eventLoopDelay.max),
+            delayP95Ms: nanosecondsToMilliseconds(eventLoopDelay.percentile(95)),
+        },
+    };
+}
+function nanosecondsToMilliseconds(value) {
+    if (!Number.isFinite(value) || value <= 0) {
+        return null;
+    }
+    return roundMetric(value / 1_000_000);
+}
+function roundMetric(value) {
+    return Math.round(value * 100) / 100;
+}
 function countJobs(jobs, status) {
     return jobs.filter((job) => job.status === status).length;
 }

package/dist/peer-auth.js

@@ -0,0 +1,85 @@
+import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+const MAX_CLOCK_SKEW_MS = 5 * 60 * 1000;
+const NONCE_TTL_MS = 10 * 60 * 1000;
+export class PeerNonceCache {
+    seen = new Map();
+    consume(peerId, nonce) {
+        const now = Date.now();
+        for (const [key, expiresAt] of this.seen.entries()) {
+            if (expiresAt <= now) {
+                this.seen.delete(key);
+            }
+        }
+        const key = `${peerId}:${nonce}`;
+        if (this.seen.has(key)) {
+            return false;
+        }
+        this.seen.set(key, now + NONCE_TTL_MS);
+        return true;
+    }
+}
+export function signPeerRequest(peer, method, pathname, body = "") {
+    const timestamp = new Date().toISOString();
+    const nonce = randomBytes(16).toString("base64url");
+    const bodyHash = hashBody(body);
+    const signature = createSignature(peer.secret, canonicalRequest(method, pathname, timestamp, nonce, bodyHash));
+    return {
+        timestamp,
+        nonce,
+        bodyHash,
+        headers: {
+            "x-nordrelay-peer-id": peer.id,
+            "x-nordrelay-peer-timestamp": timestamp,
+            "x-nordrelay-peer-nonce": nonce,
+            "x-nordrelay-peer-body-sha256": bodyHash,
+            "x-nordrelay-peer-signature": signature,
+        },
+    };
+}
+export function verifyPeerRequest(options) {
+    const timestamp = header(options.req, "x-nordrelay-peer-timestamp");
+    const nonce = header(options.req, "x-nordrelay-peer-nonce");
+    const bodyHash = header(options.req, "x-nordrelay-peer-body-sha256");
+    const signature = header(options.req, "x-nordrelay-peer-signature");
+    if (!timestamp || !nonce || !bodyHash || !signature) {
+        throw new Error("Missing peer authentication headers.");
+    }
+    const time = Date.parse(timestamp);
+    if (!Number.isFinite(time) || Math.abs(Date.now() - time) > MAX_CLOCK_SKEW_MS) {
+        throw new Error("Peer request timestamp is outside the allowed clock skew.");
+    }
+    if (hashBody(options.body) !== bodyHash) {
+        throw new Error("Peer request body hash mismatch.");
+    }
+    if (!options.nonces.consume(options.peer.id, nonce)) {
+        throw new Error("Replay detected for peer request.");
+    }
+    const expected = createSignature(options.peer.secret, canonicalRequest(options.method, options.pathname, timestamp, nonce, bodyHash));
+    if (!safeEqual(signature, expected)) {
+        throw new Error("Invalid peer request signature.");
+    }
+}
+export function header(req, name) {
+    const value = req.headers[name.toLowerCase()];
+    return Array.isArray(value) ? value[0] ?? "" : value ?? "";
+}
+export function hashBody(body) {
+    return createHash("sha256").update(body).digest("hex");
+}
+function canonicalRequest(method, pathname, timestamp, nonce, bodyHash) {
+    return [
+        method.toUpperCase(),
+        pathname,
+        timestamp,
+        nonce,
+        bodyHash,
+    ].join("\n");
+}
+function createSignature(secret, value) {
+    return createHmac("sha256", secret).update(value).digest("base64url");
+}
+function safeEqual(left, right) {
+    const leftBuffer = Buffer.from(left);
+    const rightBuffer = Buffer.from(right);
+    return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}

package/dist/peer-client.js

@@ -0,0 +1,256 @@
+import http from "node:http";
+import https from "node:https";
+import { createPairingSignaturePayload, signPeerPayload, fingerprintForPublicKey, } from "./peer-identity.js";
+import { signPeerRequest } from "./peer-auth.js";
+import { PeerStore } from "./peer-store.js";
+import { PEER_PROTOCOL_VERSION, } from "./peer-types.js";
+export async function pairPeer(options, identity, store = new PeerStore()) {
+    const timestamp = new Date().toISOString();
+    const payload = createPairingSignaturePayload(identity.public.nodeId, timestamp, options.code);
+    const body = {
+        code: options.code,
+        name: options.name,
+        publicUrl: options.publicUrl,
+        identity: identity.public,
+        timestamp,
+        signature: signPeerPayload(identity.privateKey, payload),
+    };
+    const result = await requestJson({
+        url: joinPeerUrl(options.url, "/peer/pair"),
+        method: "POST",
+        body,
+        allowSelfSigned: true,
+    });
+    if (result.data.protocolVersion !== PEER_PROTOCOL_VERSION) {
+        throw new Error(`Unsupported peer protocol version: ${result.data.protocolVersion}`);
+    }
+    if (fingerprintForPublicKey(result.data.identity.publicKey) !== result.data.identity.fingerprint) {
+        throw new Error("Remote peer identity fingerprint does not match its public key.");
+    }
+    const peer = store.upsertPeer({
+        id: result.data.peerId,
+        name: result.data.identity.name,
+        url: normalizePeerUrl(options.url),
+        nodeId: result.data.identity.nodeId,
+        publicKey: result.data.identity.publicKey,
+        fingerprint: result.data.identity.fingerprint,
+        tlsFingerprint: result.tlsFingerprint,
+        secret: result.data.secret,
+        enabled: true,
+        direction: "outbound",
+        scopes: result.data.scopes,
+        allowedAgents: result.data.allowedAgents,
+        allowedWorkspaceRoots: result.data.allowedWorkspaceRoots,
+        workspaceAliases: result.data.workspaceAliases,
+    });
+    return { peer, tlsFingerprint: result.tlsFingerprint };
+}
+export class RemoteRelayClient {
+    store;
+    constructor(store = new PeerStore()) {
+        this.store = store;
+    }
+    async rpc(peerId, type, payload, actor) {
+        const peer = this.requiredPeer(peerId);
+        const body = {
+            protocolVersion: PEER_PROTOCOL_VERSION,
+            type,
+            payload,
+            actor,
+        };
+        const bodyText = JSON.stringify(body);
+        const signed = signPeerRequest(peer, "POST", "/peer/rpc", bodyText);
+        try {
+            const startedAt = Date.now();
+            const result = await requestJson({
+                url: joinPeerUrl(requiredPeerUrl(peer), "/peer/rpc"),
+                method: "POST",
+                bodyText,
+                headers: signed.headers,
+                expectedTlsFingerprint: peer.tlsFingerprint,
+                allowSelfSigned: Boolean(peer.tlsFingerprint),
+            });
+            this.store.markSeen(peer.id, healthPatchFromRpc(type, result.data.ok ? result.data.data : null, Date.now() - startedAt));
+            if (!result.data.ok) {
+                throw new Error(result.data.error);
+            }
+            return result.data.data;
+        }
+        catch (error) {
+            this.store.markError(peer.id, error instanceof Error ? error.message : String(error));
+            throw error;
+        }
+    }
+    async webProxy(peerId, payload, actor, sourceContextKey) {
+        return this.rpc(peerId, "web.proxy", sourceContextKey ? { ...payload, contextKey: sourceContextKey } : payload, actor);
+    }
+    subscribe(peerId, onEvent, onError, sourceContextKey) {
+        const peer = this.requiredPeer(peerId);
+        const url = new URL(joinPeerUrl(requiredPeerUrl(peer), "/peer/events"));
+        if (sourceContextKey) {
+            url.searchParams.set("contextKey", sourceContextKey);
+        }
+        const signed = signPeerRequest(peer, "GET", `${url.pathname}${url.search}`, "");
+        const transport = url.protocol === "https:" ? https : http;
+        const req = transport.request({
+            method: "GET",
+            protocol: url.protocol,
+            hostname: url.hostname,
+            port: url.port,
+            path: `${url.pathname}${url.search}`,
+            headers: signed.headers,
+            rejectUnauthorized: false,
+        }, (res) => {
+            try {
+                assertTlsFingerprint(res.socket, peer.tlsFingerprint);
+            }
+            catch (error) {
+                req.destroy(error);
+                return;
+            }
+            if ((res.statusCode ?? 500) >= 400) {
+                req.destroy(new Error(`Peer events failed with HTTP ${res.statusCode}`));
+                return;
+            }
+            this.store.markSeen(peer.id, { remoteStatus: "online" });
+            let buffer = "";
+            res.setEncoding("utf8");
+            res.on("data", (chunk) => {
+                buffer += chunk;
+                let separator = buffer.indexOf("\n\n");
+                while (separator !== -1) {
+                    const frame = buffer.slice(0, separator);
+                    buffer = buffer.slice(separator + 2);
+                    const data = frame.split(/\n/).find((line) => line.startsWith("data:"))?.slice(5).trim();
+                    if (data) {
+                        try {
+                            onEvent(JSON.parse(data));
+                        }
+                        catch {
+                            // Ignore malformed event frames from a broken peer.
+                        }
+                    }
+                    separator = buffer.indexOf("\n\n");
+                }
+            });
+        });
+        req.on("error", (error) => {
+            this.store.markError(peer.id, error.message);
+            onError?.(error);
+        });
+        req.end();
+        return {
+            close: () => req.destroy(),
+        };
+    }
+    requiredPeer(peerId) {
+        const peer = this.store.get(peerId);
+        if (!peer) {
+            throw new Error("Peer not found.");
+        }
+        if (!peer.enabled) {
+            throw new Error("Peer is disabled.");
+        }
+        return peer;
+    }
+}
+function healthPatchFromRpc(type, data, latencyMs) {
+    if (type !== "peer.ping" || !data || typeof data !== "object") {
+        return { latencyMs, remoteStatus: "online" };
+    }
+    const record = data;
+    return {
+        latencyMs,
+        remoteVersion: typeof record.version === "string" ? record.version : undefined,
+        remoteStatus: typeof record.status === "string" ? record.status : "online",
+    };
+}
+async function requestJson(options) {
+    const url = new URL(options.url);
+    const bodyText = options.bodyText ?? (options.body === undefined ? "" : JSON.stringify(options.body));
+    const transport = url.protocol === "https:" ? https : http;
+    return await new Promise((resolve, reject) => {
+        const req = transport.request({
+            method: options.method,
+            protocol: url.protocol,
+            hostname: url.hostname,
+            port: url.port,
+            path: `${url.pathname}${url.search}`,
+            headers: {
+                "content-type": "application/json",
+                "content-length": Buffer.byteLength(bodyText),
+                ...(options.headers ?? {}),
+            },
+            rejectUnauthorized: options.allowSelfSigned ? false : undefined,
+        }, (res) => {
+            let tlsFingerprint;
+            try {
+                tlsFingerprint = assertTlsFingerprint(res.socket, options.expectedTlsFingerprint);
+            }
+            catch (error) {
+                reject(error);
+                req.destroy();
+                return;
+            }
+            const chunks = [];
+            res.on("data", (chunk) => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
+            res.on("end", () => {
+                const text = Buffer.concat(chunks).toString("utf8");
+                let data = {};
+                try {
+                    data = text ? JSON.parse(text) : {};
+                }
+                catch {
+                    reject(new Error(`Peer returned invalid JSON: ${text.slice(0, 200)}`));
+                    return;
+                }
+                if ((res.statusCode ?? 500) >= 400) {
+                    const message = data && typeof data === "object" && "error" in data ? String(data.error) : `HTTP ${res.statusCode}`;
+                    reject(new Error(message));
+                    return;
+                }
+                resolve({ data: data, tlsFingerprint });
+            });
+        });
+        req.on("error", reject);
+        if (bodyText)
+            req.write(bodyText);
+        req.end();
+    });
+}
+function assertTlsFingerprint(socket, expected) {
+    if (!socket.encrypted) {
+        if (expected) {
+            throw new Error("Expected a TLS peer connection, but the peer used plaintext HTTP.");
+        }
+        return undefined;
+    }
+    const certificate = socket.getPeerCertificate();
+    const actual = normalizeFingerprint(certificate?.fingerprint256);
+    if (expected && actual !== normalizeFingerprint(expected)) {
+        throw new Error("Peer TLS certificate fingerprint mismatch.");
+    }
+    return actual;
+}
+function requiredPeerUrl(peer) {
+    if (!peer.url) {
+        throw new Error(`Peer ${peer.name} has no URL.`);
+    }
+    return peer.url;
+}
+function joinPeerUrl(base, route) {
+    const url = new URL(normalizePeerUrl(base));
+    url.pathname = route;
+    url.search = "";
+    return url.toString();
+}
+function normalizePeerUrl(value) {
+    const url = new URL(value);
+    url.pathname = "";
+    url.search = "";
+    url.hash = "";
+    return url.toString().replace(/\/$/, "");
+}
+function normalizeFingerprint(value) {
+    return value?.trim().toLowerCase();
+}

package/dist/peer-context.js

@@ -0,0 +1,21 @@
+const DEFAULT_SOURCE_CONTEXT = "web:dashboard";
+export function peerRuntimeContextKey(peer, sourceContextKey) {
+    const source = sourceContextKey?.trim() || DEFAULT_SOURCE_CONTEXT;
+    return `peer:${encodeContextPart(peer.id || peer.nodeId)}:${encodeContextPart(source)}`;
+}
+export function parsePeerRuntimeContextKey(key) {
+    const match = /^peer:([^:]+):(.+)$/.exec(key);
+    if (!match?.[1] || !match[2]) {
+        return null;
+    }
+    return {
+        peerId: decodeContextPart(match[1]),
+        sourceContextKey: decodeContextPart(match[2]),
+    };
+}
+function encodeContextPart(value) {
+    return Buffer.from(value, "utf8").toString("base64url");
+}
+function decodeContextPart(value) {
+    return Buffer.from(value, "base64url").toString("utf8");
+}