@opendatalabs/personal-server-ts-lite 0.0.1-canary.01ca694

package/dist/relay-tls.js

@@ -0,0 +1,226 @@
+import forge from "node-forge";
+import initRustls, { TlsServer as RustlsServer, } from "./browser-tls-rustls/browser_tls_rustls.js";
+const TLS_IDENTITY_CACHE_KEY = "personal-server-lite-tls-identity-v1";
+const DEFAULT_PUBLIC_SUFFIX = "34.16.49.200.sslip.io";
+let rustlsInitPromise;
+export function createRustlsPsLiteRelayTlsFactory(options) {
+    let identityPromise;
+    return {
+        async prepare(input) {
+            identityPromise ??= createTlsIdentity(input, options);
+            await identityPromise;
+        },
+        async createStream(input) {
+            await ensureRustls();
+            identityPromise ??= createTlsIdentity(input, options);
+            const identity = await identityPromise;
+            const tls = new RustlsServer(identity.certPem, identity.keyPem);
+            return createRustlsStream(tls);
+        },
+    };
+}
+export function psLiteRelayPublicHost(sessionId, publicSuffix = DEFAULT_PUBLIC_SUFFIX) {
+    return `${sessionId}.${publicSuffix.replace(/^\./, "")}`;
+}
+export function psLiteRelayPublicUrl(sessionId, publicSuffix = DEFAULT_PUBLIC_SUFFIX) {
+    return `https://${psLiteRelayPublicHost(sessionId, publicSuffix)}`;
+}
+function createRustlsStream(tls) {
+    return {
+        processTls(payload) {
+            return normalizeTlsStep(tls.process_tls(payload));
+        },
+        writePlaintext(payload, endStream) {
+            return normalizeTlsStep(tls.write_plaintext(payload, endStream));
+        },
+        close() {
+            tls.free();
+        },
+    };
+}
+function ensureRustls() {
+    rustlsInitPromise ??= initRustls();
+    return rustlsInitPromise;
+}
+function normalizeTlsStep(value) {
+    const step = value;
+    return {
+        plaintext: step.plaintext instanceof Uint8Array ? step.plaintext : new Uint8Array(),
+        tls: step.tls instanceof Uint8Array ? step.tls : new Uint8Array(),
+        handshaking: Boolean(step.handshaking),
+    };
+}
+async function createTlsIdentity(input, options) {
+    const hostname = psLiteRelayPublicHost(input.sessionId, options.publicSuffix);
+    const cached = readCachedTlsIdentity(hostname, options.storage);
+    if (cached) {
+        return cached;
+    }
+    const keys = await generateKeyPair();
+    const keyPem = forge.pki.privateKeyToPem(keys.privateKey);
+    const csrPem = createCsrPem(hostname, keys);
+    const issued = await requestAcmeCertificate({
+        issuerUrl: resolveCertIssuerUrl(options),
+        sessionId: input.sessionId,
+        csrPem,
+        keyPem,
+        issueToken: input.issueToken ?? "",
+        hostname,
+        storage: options.storage,
+        logger: options.logger,
+    });
+    if (issued) {
+        return issued;
+    }
+    return createSelfSignedIdentity(hostname, keyPem, keys);
+}
+function generateKeyPair() {
+    return new Promise((resolve, reject) => {
+        forge.pki.rsa.generateKeyPair({ bits: 2048, workers: -1 }, (error, keyPair) => {
+            if (error || !keyPair) {
+                reject(error ?? new Error("failed to generate keypair"));
+                return;
+            }
+            resolve(keyPair);
+        });
+    });
+}
+function createCsrPem(hostname, keys) {
+    const csr = forge.pki.createCertificationRequest();
+    csr.publicKey = keys.publicKey;
+    csr.setSubject([{ name: "commonName", value: hostname }]);
+    csr.setAttributes([
+        {
+            name: "extensionRequest",
+            extensions: [
+                {
+                    name: "subjectAltName",
+                    altNames: [{ type: 2, value: hostname }],
+                },
+            ],
+        },
+    ]);
+    csr.sign(keys.privateKey, forge.md.sha256.create());
+    return forge.pki.certificationRequestToPem(csr);
+}
+function createSelfSignedIdentity(hostname, keyPem, keys) {
+    const cert = forge.pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = Array.from(crypto.getRandomValues(new Uint8Array(12)), (byte) => byte.toString(16).padStart(2, "0")).join("");
+    cert.validity.notBefore = new Date(Date.now() - 60_000);
+    cert.validity.notAfter = new Date(Date.now() + 24 * 60 * 60 * 1000);
+    const attrs = [{ name: "commonName", value: hostname }];
+    cert.setSubject(attrs);
+    cert.setIssuer(attrs);
+    cert.setExtensions([
+        { name: "basicConstraints", cA: false },
+        { name: "keyUsage", digitalSignature: true, keyEncipherment: true },
+        { name: "extKeyUsage", serverAuth: true },
+        {
+            name: "subjectAltName",
+            altNames: [{ type: 2, value: hostname }],
+        },
+    ]);
+    cert.sign(keys.privateKey, forge.md.sha256.create());
+    return {
+        certPem: forge.pki.certificateToPem(cert),
+        keyPem,
+        hostname,
+        source: "self-signed",
+        trusted: false,
+    };
+}
+async function requestAcmeCertificate(input) {
+    if (!input.issueToken) {
+        input.logger?.("ACME issuer token unavailable; using self-signed certificate");
+        return undefined;
+    }
+    try {
+        const response = await fetch(input.issuerUrl, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({
+                sessionId: input.sessionId,
+                csrPem: input.csrPem,
+                issueToken: input.issueToken,
+            }),
+        });
+        if (!response.ok) {
+            const detail = await response.text();
+            input.logger?.(`ACME issuer unavailable (${response.status}); using self-signed certificate`);
+            input.logger?.(detail.slice(0, 240));
+            return undefined;
+        }
+        const payload = (await response.json());
+        if (!payload.certPem) {
+            input.logger?.("ACME issuer returned no certificate; using self-signed certificate");
+            return undefined;
+        }
+        const identity = {
+            certPem: payload.certPem,
+            keyPem: input.keyPem,
+            hostname: input.hostname,
+            source: "acme",
+            trusted: true,
+        };
+        cacheTlsIdentity(identity, input.storage);
+        return identity;
+    }
+    catch (error) {
+        input.logger?.(error instanceof Error ? error.message : String(error));
+        input.logger?.("ACME certificate request failed; using self-signed certificate");
+        return undefined;
+    }
+}
+function resolveCertIssuerUrl(options) {
+    if (options.certIssuerUrl) {
+        return options.certIssuerUrl.replace(/\/+$/, "");
+    }
+    const url = new URL(options.controlUrl);
+    url.protocol = url.protocol === "wss:" ? "https:" : "http:";
+    url.pathname = "/issue-cert";
+    url.search = "";
+    url.hash = "";
+    return url.toString();
+}
+function readCachedTlsIdentity(hostname, storage = globalThis.localStorage) {
+    try {
+        const raw = storage.getItem(`${TLS_IDENTITY_CACHE_KEY}:${hostname}`);
+        if (!raw) {
+            return undefined;
+        }
+        const identity = JSON.parse(raw);
+        if (identity.hostname !== hostname ||
+            !identity.certPem ||
+            !identity.keyPem ||
+            identity.source !== "acme") {
+            return undefined;
+        }
+        const notAfter = firstCertificateNotAfter(identity.certPem);
+        if (notAfter.getTime() - Date.now() < 24 * 60 * 60 * 1000) {
+            return undefined;
+        }
+        return {
+            ...identity,
+            source: "cached-acme",
+            trusted: true,
+        };
+    }
+    catch {
+        return undefined;
+    }
+}
+function cacheTlsIdentity(identity, storage = globalThis.localStorage) {
+    if (identity.source !== "acme") {
+        return;
+    }
+    storage.setItem(`${TLS_IDENTITY_CACHE_KEY}:${identity.hostname}`, JSON.stringify(identity));
+}
+function firstCertificateNotAfter(certPem) {
+    const match = certPem.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/);
+    if (!match) {
+        return new Date(0);
+    }
+    return forge.pki.certificateFromPem(match[0]).validity.notAfter;
+}
+//# sourceMappingURL=relay-tls.js.map

package/dist/relay-tls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay-tls.js","sourceRoot":"","sources":["../src/relay-tls.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,UAAU,EAAE,EACjB,SAAS,IAAI,YAAY,GAC1B,MAAM,4CAA4C,CAAC;AASpD,MAAM,sBAAsB,GAAG,sCAAsC,CAAC;AACtE,MAAM,qBAAqB,GAAG,uBAAuB,CAAC;AAkBtD,IAAI,iBAA+C,CAAC;AAEpD,MAAM,UAAU,iCAAiC,CAC/C,OAAoC;IAEpC,IAAI,eAA4D,CAAC;IAEjE,OAAO;QACL,KAAK,CAAC,OAAO,CAAC,KAAiC;YAC7C,eAAe,KAAK,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACtD,MAAM,eAAe,CAAC;QACxB,CAAC;QACD,KAAK,CAAC,YAAY,CAAC,KAAgC;YACjD,MAAM,YAAY,EAAE,CAAC;YACrB,eAAe,KAAK,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACtD,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC;YACvC,MAAM,GAAG,GAAG,IAAI,YAAY,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;YAChE,OAAO,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACjC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,SAAiB,EACjB,YAAY,GAAG,qBAAqB;IAEpC,OAAO,GAAG,SAAS,IAAI,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,EAAE,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,SAAiB,EACjB,YAAY,GAAG,qBAAqB;IAEpC,OAAO,WAAW,qBAAqB,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE,CAAC;AACrE,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAiB;IAC3C,OAAO;QACL,UAAU,CAAC,OAAO;YAChB,OAAO,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC;QACpD,CAAC;QACD,cAAc,CAAC,OAAO,EAAE,SAAS;YAC/B,OAAO,gBAAgB,CAAC,GAAG,CAAC,eAAe,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;QACnE,CAAC;QACD,KAAK;YACH,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY;IACnB,iBAAiB,KAAK,UAAU,EAAE,CAAC;IACnC,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,MAAM,IAAI,GAAG,KAAoC,CAAC;IAClD,OAAO;QACL,SAAS,EACP,IAAI,CAAC,SAAS,YAAY,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,UAAU,EAAE;QAC1E,GAAG,EAAE,IAAI,CAAC,GAAG,YAAY,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,UAAU,EAAE;QACjE,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC;KACvC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,KAAiC,EACjC,OAAoC;IAEpC,MAAM,QAAQ,GAAG,qBAAqB,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,qBAAqB,CAAC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAChE,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,eAAe,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC;QAC1C,SAAS,EAAE,oBAAoB,CAAC,OAAO,CAAC;QACxC,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,MAAM;QACN,MAAM;QACN,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;QAClC,QAAQ;QACR,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IACH,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,wBAAwB,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,eAAe,CAC3B,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,EAC3B,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;YACjB,IAAI,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;gBACtB,MAAM,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC,CAAC;gBACzD,OAAO;YACT,CAAC;YACD,OAAO,CAAC,OAAO,CAAC,CAAC;QACnB,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB,EAAE,IAA2B;IACjE,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,0BAA0B,EAAE,CAAC;IACnD,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;IAC/B,GAAG,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;IAC1D,GAAG,CAAC,aAAa,CAAC;QAChB;YACE,IAAI,EAAE,kBAAkB;YACxB,UAAU,EAAE;gBACV;oBACE,IAAI,EAAE,gBAAgB;oBACtB,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;iBACzC;aACF;SACF;KACF,CAAC,CAAC;IACH,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACpD,OAAO,KAAK,CAAC,GAAG,CAAC,yBAAyB,CAAC,GAAG,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,wBAAwB,CAC/B,QAAgB,EAChB,MAAc,EACd,IAA2B;IAE3B,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;IAC3C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;IAChC,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,IAAI,CAC5B,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,EAC1C,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAC7C,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,CAAC,QAAQ,CAAC,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,QAAQ,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACpE,MAAM,KAAK,GAAG,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACxD,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACvB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACtB,IAAI,CAAC,aAAa,CAAC;QACjB,EAAE,IAAI,EAAE,kBAAkB,EAAE,EAAE,EAAE,KAAK,EAAE;QACvC,EAAE,IAAI,EAAE,UAAU,EAAE,gBAAgB,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE;QACnE,EAAE,IAAI,EAAE,aAAa,EAAE,UAAU,EAAE,IAAI,EAAE;QACzC;YACE,IAAI,EAAE,gBAAgB;YACtB,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;SACzC;KACF,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAErD,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC;QACzC,MAAM;QACN,QAAQ;QACR,MAAM,EAAE,aAAa;QACrB,OAAO,EAAE,KAAK;KACf,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAC,KASrC;IACC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;QACtB,KAAK,CAAC,MAAM,EAAE,CACZ,8DAA8D,CAC/D,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;aAC7B,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACrC,KAAK,CAAC,MAAM,EAAE,CACZ,4BAA4B,QAAQ,CAAC,MAAM,kCAAkC,CAC9E,CAAC;YACF,KAAK,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;YACrC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAyB,CAAC;QAChE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACrB,KAAK,CAAC,MAAM,EAAE,CACZ,oEAAoE,CACrE,CAAC;YACF,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,QAAQ,GAA2B;YACvC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI;SACd,CAAC;QACF,gBAAgB,CAAC,QAAQ,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,KAAK,CAAC,MAAM,EAAE,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACvE,KAAK,CAAC,MAAM,EAAE,CACZ,gEAAgE,CACjE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAoC;IAChE,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACxC,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IAC5D,GAAG,CAAC,QAAQ,GAAG,aAAa,CAAC;IAC7B,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC;IAChB,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC;IACd,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,qBAAqB,CAC5B,QAAgB,EAChB,OAAO,GAAG,UAAU,CAAC,YAAY;IAEjC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,sBAAsB,IAAI,QAAQ,EAAE,CAAC,CAAC;QACrE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA2B,CAAC;QAC3D,IACE,QAAQ,CAAC,QAAQ,KAAK,QAAQ;YAC9B,CAAC,QAAQ,CAAC,OAAO;YACjB,CAAC,QAAQ,CAAC,MAAM;YAChB,QAAQ,CAAC,MAAM,KAAK,MAAM,EAC1B,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,QAAQ,GAAG,wBAAwB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC5D,IAAI,QAAQ,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YAC1D,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO;YACL,GAAG,QAAQ;YACX,MAAM,EAAE,aAAa;YACrB,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgC,EAChC,OAAO,GAAG,UAAU,CAAC,YAAY;IAEjC,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,OAAO;IACT,CAAC;IACD,OAAO,CAAC,OAAO,CACb,GAAG,sBAAsB,IAAI,QAAQ,CAAC,QAAQ,EAAE,EAChD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CACzB,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,OAAe;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CACzB,8DAA8D,CAC/D,CAAC;IACF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;AAClE,CAAC"}

package/dist/relay.d.ts

@@ -0,0 +1,70 @@
+import { type PsLiteBridgeResponse } from "./bridge.js";
+import type { PsLiteRuntime } from "./runtime.js";
+export interface PsLiteRelayClientOptions {
+    sessionId: string;
+    runtime: PsLiteRuntime;
+    controlUrl?: string;
+    publicSuffix?: string;
+    certIssuerUrl?: string;
+    origin?: string;
+    webSocketFactory?: PsLiteRelayWebSocketFactory;
+    tls?: PsLiteRelayTlsFactory | false;
+    logger?: (line: string) => void;
+    onStatus?: (status: PsLiteRelayStatus) => void;
+}
+export type PsLiteRelayStatus = "connecting" | "connected" | "disconnected" | "closed" | "error";
+export interface PsLiteRelayClient {
+    readonly sessionId: string;
+    readonly url: string;
+    close(reason?: string): void;
+}
+export interface PsLiteRelayWebSocketFactory {
+    (url: string): PsLiteRelayWebSocket;
+}
+export interface PsLiteRelayWebSocket {
+    binaryType: string;
+    readonly readyState: number;
+    readonly OPEN: number;
+    readonly CONNECTING: number;
+    onopen: (() => void) | null;
+    onmessage: ((event: {
+        data: string | ArrayBuffer | Uint8Array;
+    }) => void) | null;
+    onclose: (() => void) | null;
+    onerror: (() => void) | null;
+    send(data: string | Uint8Array): void;
+    close(code?: number, reason?: string): void;
+}
+export interface PsLiteRelayTlsFactory {
+    prepare?(input: PsLiteRelayTlsPrepareInput): Promise<void>;
+    createStream(input: PsLiteRelayTlsStreamInput): Promise<PsLiteRelayTlsStream>;
+}
+export interface PsLiteRelayTlsPrepareInput {
+    sessionId: string;
+    issueToken?: string;
+}
+export interface PsLiteRelayTlsStreamInput {
+    sessionId: string;
+    streamId: number;
+    issueToken?: string;
+}
+export interface PsLiteRelayTlsStream {
+    processTls(payload: Uint8Array): PsLiteRelayTlsStep;
+    writePlaintext(payload: Uint8Array, endStream: boolean): PsLiteRelayTlsStep;
+    close?(): void;
+}
+export interface PsLiteRelayTlsStep {
+    plaintext: Uint8Array;
+    tls: Uint8Array;
+    handshaking?: boolean;
+}
+export declare function psLiteRelayControlUrl(sessionId: string, controlUrl?: string): string;
+export declare function psLiteRelayPublicUrl(sessionId: string, publicSuffix?: string): string;
+export declare function startPsLiteRelayClient(options: PsLiteRelayClientOptions): PsLiteRelayClient;
+export declare function buildHttpResponse(response: PsLiteBridgeResponse): string;
+export declare function encodeDataFrame(streamId: number, payload: Uint8Array): Uint8Array;
+export declare function decodeDataFrame(data: string | ArrayBuffer | Uint8Array): {
+    streamId: number;
+    payload: Uint8Array;
+} | null;
+//# sourceMappingURL=relay.d.ts.map

package/dist/relay.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay.d.ts","sourceRoot":"","sources":["../src/relay.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,oBAAoB,EAC1B,MAAM,aAAa,CAAC;AAErB,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAQlD,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,aAAa,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,2BAA2B,CAAC;IAC/C,GAAG,CAAC,EAAE,qBAAqB,GAAG,KAAK,CAAC;IACpC,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IAChC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAC;CAChD;AAED,MAAM,MAAM,iBAAiB,GACzB,YAAY,GACZ,WAAW,GACX,cAAc,GACd,QAAQ,GACR,OAAO,CAAC;AAEZ,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,MAAM,WAAW,2BAA2B;IAC1C,CAAC,GAAG,EAAE,MAAM,GAAG,oBAAoB,CAAC;CACrC;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAC;IAC5B,SAAS,EACL,CAAC,CAAC,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,GAAG,WAAW,GAAG,UAAU,CAAA;KAAE,KAAK,IAAI,CAAC,GAC9D,IAAI,CAAC;IACT,OAAO,EAAE,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAC;IAC7B,OAAO,EAAE,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAC;IAC7B,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAAC;IACtC,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7C;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,CAAC,CAAC,KAAK,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3D,YAAY,CAAC,KAAK,EAAE,yBAAyB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAC/E;AAED,MAAM,WAAW,0BAA0B;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,yBAAyB;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,kBAAkB,CAAC;IACpD,cAAc,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,GAAG,kBAAkB,CAAC;IAC5E,KAAK,CAAC,IAAI,IAAI,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,UAAU,CAAC;IACtB,GAAG,EAAE,UAAU,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAuBD,wBAAgB,qBAAqB,CACnC,SAAS,EAAE,MAAM,EACjB,UAAU,SAAsB,GAC/B,MAAM,CAER;AAED,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,MAAM,EACjB,YAAY,SAAwB,GACnC,MAAM,CAER;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,wBAAwB,GAChC,iBAAiB,CAgOnB;AAyBD,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,oBAAoB,GAAG,MAAM,CAiBxE;AAeD,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,UAAU,GAClB,UAAU,CAMZ;AAED,wBAAgB,eAAe,CAC7B,IAAI,EAAE,MAAM,GAAG,WAAW,GAAG,UAAU,GACtC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,GAAG,IAAI,CAclD"}

package/dist/relay.js

@@ -0,0 +1,368 @@
+import { handlePsLiteBridgeRequest, } from "./bridge.js";
+import { createRustlsPsLiteRelayTlsFactory } from "./relay-tls.js";
+const DATA_FRAME_TYPE = 1;
+const HEADER_BYTES = 5;
+const DEFAULT_CONTROL_URL = "wss://control.34.16.49.200.sslip.io:8443";
+const DEFAULT_PUBLIC_SUFFIX = "34.16.49.200.sslip.io";
+const DEFAULT_ORIGIN = "https://ps-lite.local";
+export function psLiteRelayControlUrl(sessionId, controlUrl = DEFAULT_CONTROL_URL) {
+    return `${controlUrl.replace(/\/+$/, "")}/browser/${sessionId}`;
+}
+export function psLiteRelayPublicUrl(sessionId, publicSuffix = DEFAULT_PUBLIC_SUFFIX) {
+    return `https://${sessionId}.${publicSuffix.replace(/^\./, "")}`;
+}
+export function startPsLiteRelayClient(options) {
+    const baseControlUrl = options.controlUrl ?? DEFAULT_CONTROL_URL;
+    const controlUrl = psLiteRelayControlUrl(options.sessionId, baseControlUrl);
+    const socket = createSocket(options.webSocketFactory, controlUrl);
+    const tls = options.tls === undefined
+        ? createRustlsPsLiteRelayTlsFactory({
+            controlUrl: baseControlUrl,
+            publicSuffix: options.publicSuffix,
+            certIssuerUrl: options.certIssuerUrl,
+            logger: options.logger,
+        })
+        : options.tls;
+    const streams = new Map();
+    const pendingStreamData = new Map();
+    const origin = options.origin ?? DEFAULT_ORIGIN;
+    let issueToken;
+    let closed = false;
+    socket.binaryType = "arraybuffer";
+    options.onStatus?.("connecting");
+    const log = (line) => options.logger?.(line);
+    const sendText = (message) => {
+        if (socket.readyState === socket.OPEN) {
+            socket.send(JSON.stringify(message));
+        }
+    };
+    const sendData = (streamId, payload) => {
+        if (socket.readyState === socket.OPEN) {
+            socket.send(encodeDataFrame(streamId, payload));
+        }
+    };
+    const closeStream = (streamId, reason) => {
+        const stream = streams.get(streamId);
+        stream?.tls?.close?.();
+        streams.delete(streamId);
+        pendingStreamData.delete(streamId);
+        sendText({ type: "stream.close", streamId, reason });
+    };
+    const writePlaintextResponse = (stream, responseBytes) => {
+        if (!stream.tls) {
+            sendData(stream.streamId, responseBytes);
+            return;
+        }
+        const step = stream.tls.writePlaintext(responseBytes, true);
+        if (step.tls.length > 0) {
+            sendData(stream.streamId, step.tls);
+        }
+    };
+    const drainHttpRequests = async (stream) => {
+        while (true) {
+            const parsed = parseHttpRequest(stream.plaintext);
+            if (!parsed) {
+                return;
+            }
+            stream.plaintext = stream.plaintext.slice(parsed.consumedBytes);
+            const response = await handleRelayHttpRequest(options.runtime, parsed.request, origin);
+            // `response` is a binary (latin1) string: buildHttpResponse appends the
+            // body via bytesToBinary, so each char code 0x00–0xFF is one body byte.
+            // It must be turned back into bytes the same way (binaryToBytes), NOT
+            // UTF-8 re-encoded — textToBytes would expand every byte >= 0x80 into a
+            // 2-byte sequence, corrupting binary payloads (e.g. OpenPGP-encrypted
+            // files fail downstream with "not a valid OpenPGP message"). ASCII/JSON
+            // bodies survive UTF-8, which is why only encrypted binary downloads broke.
+            writePlaintextResponse(stream, binaryToBytes(response));
+            closeStream(stream.streamId, "http_response_sent");
+            return;
+        }
+    };
+    const handlePlaintext = (stream, plaintext) => {
+        if (plaintext.length === 0) {
+            return;
+        }
+        stream.plaintext += bytesToBinary(plaintext);
+        void drainHttpRequests(stream).catch((error) => {
+            log(error instanceof Error ? error.message : String(error));
+            closeStream(stream.streamId, "handler_error");
+        });
+    };
+    const processPayload = (stream, payload) => {
+        if (!stream.tls) {
+            handlePlaintext(stream, payload);
+            return;
+        }
+        try {
+            const step = stream.tls.processTls(payload);
+            if (step.tls.length > 0) {
+                sendData(stream.streamId, step.tls);
+            }
+            handlePlaintext(stream, step.plaintext);
+        }
+        catch (error) {
+            log(error instanceof Error ? error.message : String(error));
+            closeStream(stream.streamId, "tls_error");
+        }
+    };
+    const openStream = async (streamId) => {
+        const stream = {
+            streamId,
+            plaintext: "",
+        };
+        if (tls) {
+            stream.tls = await tls.createStream({
+                sessionId: options.sessionId,
+                streamId,
+                issueToken,
+            });
+        }
+        streams.set(streamId, stream);
+        const buffered = pendingStreamData.get(streamId) ?? [];
+        pendingStreamData.delete(streamId);
+        for (const payload of buffered) {
+            processPayload(stream, payload);
+        }
+    };
+    const handleControl = (message) => {
+        if (message.type === "session.ready") {
+            issueToken = message.issueToken;
+            options.onStatus?.("connected");
+            if (tls && tls.prepare) {
+                void tls
+                    .prepare({
+                    sessionId: options.sessionId,
+                    issueToken,
+                })
+                    .catch((error) => {
+                    log(error instanceof Error ? error.message : String(error));
+                });
+            }
+            return;
+        }
+        if (message.type === "pong") {
+            return;
+        }
+        if (message.type === "stream.open" &&
+            typeof message.streamId === "number") {
+            void openStream(message.streamId).catch((error) => {
+                log(error instanceof Error ? error.message : String(error));
+                if (typeof message.streamId === "number") {
+                    closeStream(message.streamId, "stream_open_error");
+                }
+            });
+            return;
+        }
+        if (message.type === "stream.close" &&
+            typeof message.streamId === "number") {
+            streams.get(message.streamId)?.tls?.close?.();
+            streams.delete(message.streamId);
+            pendingStreamData.delete(message.streamId);
+        }
+    };
+    const handleDataFrame = (data) => {
+        const frame = decodeDataFrame(data);
+        if (!frame) {
+            return;
+        }
+        const stream = streams.get(frame.streamId);
+        if (!stream) {
+            const buffered = pendingStreamData.get(frame.streamId) ?? [];
+            buffered.push(frame.payload);
+            pendingStreamData.set(frame.streamId, buffered);
+            return;
+        }
+        processPayload(stream, frame.payload);
+    };
+    socket.onopen = () => options.onStatus?.("connected");
+    socket.onmessage = (event) => {
+        if (typeof event.data === "string") {
+            handleControl(JSON.parse(event.data));
+            return;
+        }
+        handleDataFrame(event.data);
+    };
+    socket.onclose = () => {
+        streams.forEach((stream) => stream.tls?.close?.());
+        streams.clear();
+        pendingStreamData.clear();
+        options.onStatus?.(closed ? "closed" : "disconnected");
+    };
+    socket.onerror = () => options.onStatus?.("error");
+    return {
+        sessionId: options.sessionId,
+        url: controlUrl,
+        close(reason = "closed") {
+            closed = true;
+            streams.forEach((stream) => stream.tls?.close?.());
+            streams.clear();
+            pendingStreamData.clear();
+            socket.close(1000, reason);
+        },
+    };
+}
+async function handleRelayHttpRequest(runtime, request, origin) {
+    const bridgeRequest = {
+        requestId: crypto.randomUUID(),
+        method: request.method,
+        path: request.path,
+        query: request.query,
+        headers: request.headers,
+        body: encodeBase64(request.body),
+    };
+    const bridgeResponse = await handlePsLiteBridgeRequest(runtime, bridgeRequest, {
+        origin,
+    });
+    return buildHttpResponse(bridgeResponse);
+}
+export function buildHttpResponse(response) {
+    const responseHeaders = {
+        "cache-control": "no-store",
+        connection: "close",
+        ...response.headers,
+    };
+    const bodyBytes = decodeBase64(response.body);
+    const head = [
+        `HTTP/1.1 ${response.status} ${httpStatusText(response.status)}`,
+        ...Object.entries(responseHeaders).map(([key, value]) => `${key}: ${value}`),
+        `content-length: ${bodyBytes.length}`,
+        "",
+        "",
+    ].join("\r\n");
+    return head + bytesToBinary(bodyBytes);
+}
+function createSocket(factory, url) {
+    if (factory) {
+        return factory(url);
+    }
+    if (typeof WebSocket === "undefined") {
+        throw new Error("WebSocket is required to start PS Lite relay client");
+    }
+    return new WebSocket(url);
+}
+export function encodeDataFrame(streamId, payload) {
+    const frame = new Uint8Array(HEADER_BYTES + payload.length);
+    frame[0] = DATA_FRAME_TYPE;
+    writeUint32(frame, 1, streamId);
+    frame.set(payload, HEADER_BYTES);
+    return frame;
+}
+export function decodeDataFrame(data) {
+    const frame = typeof data === "string"
+        ? textToBytes(data)
+        : data instanceof Uint8Array
+            ? data
+            : new Uint8Array(data);
+    if (frame.length < HEADER_BYTES || frame[0] !== DATA_FRAME_TYPE) {
+        return null;
+    }
+    return {
+        streamId: readUint32(frame, 1),
+        payload: frame.slice(HEADER_BYTES),
+    };
+}
+function parseHttpRequest(buffer) {
+    const headerEnd = buffer.indexOf("\r\n\r\n");
+    if (headerEnd === -1) {
+        return undefined;
+    }
+    const headerBlock = buffer.slice(0, headerEnd);
+    const lines = headerBlock.split("\r\n");
+    const [method, target] = lines[0]?.split(" ") ?? [];
+    if (!method || !target) {
+        return undefined;
+    }
+    const headers = {};
+    for (const line of lines.slice(1)) {
+        const separator = line.indexOf(":");
+        if (separator === -1) {
+            continue;
+        }
+        headers[line.slice(0, separator).trim().toLowerCase()] = line
+            .slice(separator + 1)
+            .trim();
+    }
+    const bodyStart = headerEnd + 4;
+    const contentLength = Number(headers["content-length"] ?? "0");
+    const requestEnd = bodyStart + contentLength;
+    if (buffer.length < requestEnd) {
+        return undefined;
+    }
+    const url = new URL(target, DEFAULT_ORIGIN);
+    return {
+        consumedBytes: requestEnd,
+        request: {
+            method,
+            path: url.pathname,
+            query: url.searchParams.toString(),
+            headers,
+            body: binaryToBytes(buffer.slice(bodyStart, requestEnd)),
+        },
+    };
+}
+function encodeBase64(bytes) {
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return typeof globalThis.btoa === "function"
+        ? globalThis.btoa(binary)
+        : Buffer.from(binary, "binary").toString("base64");
+}
+function decodeBase64(input) {
+    if (!input)
+        return new Uint8Array();
+    const binary = typeof globalThis.atob === "function"
+        ? globalThis.atob(input)
+        : Buffer.from(input, "base64").toString("binary");
+    return binaryToBytes(binary);
+}
+function textToBytes(value) {
+    return new TextEncoder().encode(value);
+}
+function binaryToBytes(value) {
+    return Uint8Array.from(value, (char) => char.charCodeAt(0));
+}
+function bytesToBinary(bytes) {
+    let result = "";
+    for (const byte of bytes) {
+        result += String.fromCharCode(byte);
+    }
+    return result;
+}
+function writeUint32(bytes, offset, value) {
+    bytes[offset] = (value >>> 24) & 0xff;
+    bytes[offset + 1] = (value >>> 16) & 0xff;
+    bytes[offset + 2] = (value >>> 8) & 0xff;
+    bytes[offset + 3] = value & 0xff;
+}
+function readUint32(bytes, offset) {
+    return (bytes[offset] * 0x1000000 +
+        ((bytes[offset + 1] << 16) | (bytes[offset + 2] << 8) | bytes[offset + 3]));
+}
+function httpStatusText(status) {
+    if (status === 200)
+        return "OK";
+    if (status === 201)
+        return "Created";
+    if (status === 204)
+        return "No Content";
+    if (status === 400)
+        return "Bad Request";
+    if (status === 401)
+        return "Unauthorized";
+    if (status === 403)
+        return "Forbidden";
+    if (status === 404)
+        return "Not Found";
+    if (status === 405)
+        return "Method Not Allowed";
+    if (status === 413)
+        return "Content Too Large";
+    if (status === 500)
+        return "Internal Server Error";
+    if (status === 503)
+        return "Service Unavailable";
+    return "Error";
+}
+//# sourceMappingURL=relay.js.map