@opengsd/gsd-pi 1.0.2-dev.50223bc → 1.0.2-dev.5961fbf

package/packages/daemon/dist/cloud-config.js

@@ -0,0 +1,209 @@
+import { chmodSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { lookup } from "node:dns";
+import { request as httpRequest } from "node:http";
+import { request as httpsRequest } from "node:https";
+import { isIP } from "node:net";
+import { dirname } from "node:path";
+import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
+import { loadConfig } from "./config.js";
+import { protectCloudDeviceToken } from "./cloud-token.js";
+export async function exchangePairingCode(params) {
+    const pairingUrl = new URL("/pairing/exchange", parseCloudGatewayUrl(params.gatewayUrl));
+    const body = await postJsonToValidatedGateway(pairingUrl, {
+        code: params.code,
+        runtimeName: params.runtimeName,
+    });
+    if (typeof body.runtimeId !== "string" || typeof body.deviceToken !== "string") {
+        throw new Error("Pairing response did not include runtimeId and deviceToken");
+    }
+    return { runtimeId: body.runtimeId, deviceToken: body.deviceToken };
+}
+export function parseCloudGatewayUrl(value) {
+    let url;
+    try {
+        url = new URL(value);
+    }
+    catch {
+        throw new Error("Cloud gateway URL must be an absolute HTTP(S) URL");
+    }
+    if (url.protocol !== "https:" && url.protocol !== "http:") {
+        throw new Error("Cloud gateway URL must use http or https");
+    }
+    if (url.username || url.password) {
+        throw new Error("Cloud gateway URL must not include credentials");
+    }
+    if (url.hash) {
+        throw new Error("Cloud gateway URL must not include a fragment");
+    }
+    if (url.protocol === "http:" && !isLoopbackHost(url.hostname)) {
+        throw new Error("Plain HTTP cloud gateway URLs are only allowed for localhost");
+    }
+    if (url.protocol === "https:" && isPrivateIpHost(url.hostname)) {
+        throw new Error("Cloud gateway URL must not target private or loopback IP addresses");
+    }
+    url.pathname = url.pathname.replace(/\/+$/, "");
+    url.search = "";
+    return url;
+}
+export function saveCloudConfig(configPath, nextCloud) {
+    let raw = {};
+    try {
+        raw = parseYaml(readFileSync(configPath, "utf-8")) ?? {};
+    }
+    catch {
+        raw = {};
+    }
+    const { device_token: deviceToken, ...cloud } = nextCloud;
+    raw.cloud = {
+        ...cloud,
+        gateway_url: parseCloudGatewayUrl(nextCloud.gateway_url).toString(),
+        ...(deviceToken ? { device_token_encrypted: protectCloudDeviceToken(deviceToken) } : {}),
+    };
+    mkdirSync(dirname(configPath), { recursive: true });
+    writeConfigFile(configPath, stringifyYaml(raw));
+    return loadConfig(configPath);
+}
+export function clearCloudConfig(configPath) {
+    let raw = {};
+    try {
+        raw = parseYaml(readFileSync(configPath, "utf-8")) ?? {};
+    }
+    catch {
+        raw = {};
+    }
+    delete raw.cloud;
+    mkdirSync(dirname(configPath), { recursive: true });
+    writeConfigFile(configPath, stringifyYaml(raw));
+    return loadConfig(configPath);
+}
+export function redactedCloudStatus(config) {
+    const cloud = config.cloud;
+    if (!cloud)
+        return { configured: false };
+    return {
+        configured: true,
+        enabled: cloud.enabled ?? true,
+        gateway_url: cloud.gateway_url,
+        runtime_id: cloud.runtime_id ?? null,
+        runtime_name: cloud.runtime_name ?? null,
+        ["device_" + "token"]: cloud.device_token ? "[redacted]" : null,
+    };
+}
+function isLoopbackHost(hostname) {
+    const host = hostname.toLowerCase();
+    return host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "[::1]";
+}
+function isPrivateIpHost(hostname) {
+    const host = hostname.toLowerCase().replace(/^\[|\]$/g, "");
+    if (host === "localhost")
+        return true;
+    if (isIP(host) === 4)
+        return isPrivateIpv4(host);
+    if (isIP(host) === 6)
+        return isPrivateIpv6(host);
+    return false;
+}
+export function validateGatewayNetworkTarget(url) {
+    if (url.protocol === "http:" && isLoopbackHost(url.hostname))
+        return;
+    if (isPrivateIpHost(url.hostname)) {
+        throw new Error("Cloud gateway URL must not target private or loopback IP addresses");
+    }
+}
+export function createGatewayLookup(url) {
+    const allowLoopback = url.protocol === "http:" && isLoopbackHost(url.hostname);
+    return (hostname, options, callback) => {
+        const lookupOptions = typeof options === "number"
+            ? { family: options, all: false }
+            : { ...options, all: false };
+        lookup(hostname, lookupOptions, (err, address, family) => {
+            if (err)
+                return callback(err, address, family);
+            if (!address || (!allowLoopback && isPrivateIpHost(address))) {
+                return callback(new Error("Cloud gateway URL resolved to a private or loopback address"), address, family);
+            }
+            callback(null, address, family);
+        });
+    };
+}
+function isPrivateIpv4(host) {
+    const octets = host.split(".").map((part) => Number(part));
+    if (octets.length !== 4 || octets.some((part) => !Number.isInteger(part) || part < 0 || part > 255))
+        return true;
+    const [a, b] = octets;
+    if (a === 10 || a === 127 || a === 0)
+        return true;
+    if (a === 169 && b === 254)
+        return true;
+    if (a === 172 && b >= 16 && b <= 31)
+        return true;
+    if (a === 192 && b === 168)
+        return true;
+    if (a === 100 && b >= 64 && b <= 127)
+        return true;
+    if (a === 192 && b === 0)
+        return true;
+    if (a === 198 && (b === 18 || b === 19))
+        return true;
+    if (a >= 224)
+        return true;
+    return false;
+}
+function isPrivateIpv6(host) {
+    return host === "::"
+        || host === "::1"
+        || host.startsWith("fc")
+        || host.startsWith("fd")
+        || host.startsWith("fe80:")
+        || host.startsWith("2001:db8:");
+}
+function writeConfigFile(configPath, contents) {
+    writeFileSync(configPath, contents, { encoding: "utf-8", mode: 0o600 });
+    chmodSync(configPath, 0o600);
+}
+function postJsonToValidatedGateway(url, payload) {
+    validateGatewayNetworkTarget(url);
+    const body = JSON.stringify(payload);
+    const requestImpl = url.protocol === "https:" ? httpsRequest : httpRequest;
+    return new Promise((resolve, reject) => {
+        const req = requestImpl({
+            protocol: url.protocol,
+            hostname: url.hostname,
+            port: url.port,
+            path: `${url.pathname}${url.search}`,
+            method: "POST",
+            headers: {
+                "content-type": "application/json",
+                "content-length": Buffer.byteLength(body),
+            },
+            lookup: createGatewayLookup(url),
+        }, (res) => {
+            const statusCode = res.statusCode ?? 0;
+            const chunks = [];
+            res.on("data", (chunk) => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
+            res.on("end", () => {
+                const responseText = Buffer.concat(chunks).toString("utf-8");
+                const parsed = parseJsonObject(responseText);
+                if (statusCode < 200 || statusCode >= 300) {
+                    reject(new Error(typeof parsed.error === "string" ? parsed.error : `Pairing failed with HTTP ${statusCode}`));
+                    return;
+                }
+                resolve(parsed);
+            });
+        });
+        req.on("error", reject);
+        req.end(body);
+    });
+}
+function parseJsonObject(value) {
+    try {
+        const parsed = JSON.parse(value);
+        return parsed && typeof parsed === "object" && !Array.isArray(parsed)
+            ? parsed
+            : {};
+    }
+    catch {
+        return {};
+    }
+}
+//# sourceMappingURL=cloud-config.js.map

package/packages/daemon/dist/cloud-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-config.js","sourceRoot":"","sources":["../src/cloud-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAElC,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAEhC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAQ3D,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,MAIzC;IACC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IACzF,MAAM,IAAI,GAAG,MAAM,0BAA0B,CAAC,UAAU,EAAE;QACxD,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,WAAW;KAChC,CAAC,CAAC;IACH,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QAC/E,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;IAChF,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;IAED,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAChD,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC;IAChB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,SAA6C;IAC/F,IAAI,GAAG,GAA4B,EAAE,CAAC;IACtC,IAAI,CAAC;QACH,GAAG,GAAG,SAAS,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAA4B,IAAI,EAAE,CAAC;IACtF,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,GAAG,EAAE,CAAC;IACX,CAAC;IACD,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,KAAK,EAAE,GAAG,SAAS,CAAC;IAC1D,GAAG,CAAC,KAAK,GAAG;QACV,GAAG,KAAK;QACR,WAAW,EAAE,oBAAoB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,QAAQ,EAAE;QACnE,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,sBAAsB,EAAE,uBAAuB,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACzF,CAAC;IACF,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,eAAe,CAAC,UAAU,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IAChD,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,UAAkB;IACjD,IAAI,GAAG,GAA4B,EAAE,CAAC;IACtC,IAAI,CAAC;QACH,GAAG,GAAG,SAAS,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAA4B,IAAI,EAAE,CAAC;IACtF,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,GAAG,EAAE,CAAC;IACX,CAAC;IACD,OAAO,GAAG,CAAC,KAAK,CAAC;IACjB,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,eAAe,CAAC,UAAU,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IAChD,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAoB;IACtD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAC3B,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;IACzC,OAAO;QACL,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;QAC9B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;QACpC,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,IAAI;QACxC,CAAC,SAAS,GAAG,OAAO,CAAC,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI;KAChE,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACpC,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,OAAO,CAAC;AAC5F,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC5D,IAAI,IAAI,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC;IACjD,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC;IACjD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,GAAQ;IACnD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC;QAAE,OAAO;IACrE,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;AACH,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,GAAQ;IAC1C,MAAM,aAAa,GAAG,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/E,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE;QACrC,MAAM,aAAa,GAAqB,OAAO,OAAO,KAAK,QAAQ;YACjE,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE;YACjC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QAC/B,MAAM,CAAC,QAAQ,EAAE,aAAa,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE;YACvD,IAAI,GAAG;gBAAE,OAAO,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;YAC/C,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,aAAa,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC7D,OAAO,QAAQ,CAAC,IAAI,KAAK,CAAC,6DAA6D,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7G,CAAC;YACD,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACjH,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC;IACtB,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAC1B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,IAAI,KAAK,IAAI;WACf,IAAI,KAAK,KAAK;WACd,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;WACrB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;WACrB,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;WACxB,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,eAAe,CAAC,UAAkB,EAAE,QAAgB;IAC3D,aAAa,CAAC,UAAU,EAAE,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxE,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,0BAA0B,CAAC,GAAQ,EAAE,OAAgC;IAC5E,4BAA4B,CAAC,GAAG,CAAC,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACrC,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC;IAE3E,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,GAAG,GAAG,WAAW,CAAC;YACtB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE;YACpC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;aAC1C;YACD,MAAM,EAAE,mBAAmB,CAAC,GAAG,CAAC;SACjC,EAAE,CAAC,GAAG,EAAE,EAAE;YACT,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC;YACvC,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5F,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBAC7D,MAAM,MAAM,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;gBAC7C,IAAI,UAAU,GAAG,GAAG,IAAI,UAAU,IAAI,GAAG,EAAE,CAAC;oBAC1C,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,4BAA4B,UAAU,EAAE,CAAC,CAAC,CAAC;oBAC9G,OAAO;gBACT,CAAC;gBACD,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAY,CAAC;QAC5C,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;YACnE,CAAC,CAAC,MAAiC;YACnC,CAAC,CAAC,EAAE,CAAC;IACT,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC","sourcesContent":["import { chmodSync, mkdirSync, readFileSync, writeFileSync } from \"node:fs\";\nimport { lookup } from \"node:dns\";\nimport type { LookupOneOptions } from \"node:dns\";\nimport { request as httpRequest } from \"node:http\";\nimport { request as httpsRequest } from \"node:https\";\nimport { isIP } from \"node:net\";\nimport type { LookupFunction } from \"node:net\";\nimport { dirname } from \"node:path\";\nimport { parse as parseYaml, stringify as stringifyYaml } from \"yaml\";\nimport { loadConfig } from \"./config.js\";\nimport { protectCloudDeviceToken } from \"./cloud-token.js\";\nimport type { DaemonConfig } from \"./types.js\";\n\nexport interface PairingExchangeResult {\n  runtimeId: string;\n  deviceToken: string;\n}\n\nexport async function exchangePairingCode(params: {\n  gatewayUrl: string;\n  code: string;\n  runtimeName?: string;\n}): Promise<PairingExchangeResult> {\n  const pairingUrl = new URL(\"/pairing/exchange\", parseCloudGatewayUrl(params.gatewayUrl));\n  const body = await postJsonToValidatedGateway(pairingUrl, {\n    code: params.code,\n    runtimeName: params.runtimeName,\n  });\n  if (typeof body.runtimeId !== \"string\" || typeof body.deviceToken !== \"string\") {\n    throw new Error(\"Pairing response did not include runtimeId and deviceToken\");\n  }\n  return { runtimeId: body.runtimeId, deviceToken: body.deviceToken };\n}\n\nexport function parseCloudGatewayUrl(value: string): URL {\n  let url: URL;\n  try {\n    url = new URL(value);\n  } catch {\n    throw new Error(\"Cloud gateway URL must be an absolute HTTP(S) URL\");\n  }\n\n  if (url.protocol !== \"https:\" && url.protocol !== \"http:\") {\n    throw new Error(\"Cloud gateway URL must use http or https\");\n  }\n  if (url.username || url.password) {\n    throw new Error(\"Cloud gateway URL must not include credentials\");\n  }\n  if (url.hash) {\n    throw new Error(\"Cloud gateway URL must not include a fragment\");\n  }\n  if (url.protocol === \"http:\" && !isLoopbackHost(url.hostname)) {\n    throw new Error(\"Plain HTTP cloud gateway URLs are only allowed for localhost\");\n  }\n  if (url.protocol === \"https:\" && isPrivateIpHost(url.hostname)) {\n    throw new Error(\"Cloud gateway URL must not target private or loopback IP addresses\");\n  }\n\n  url.pathname = url.pathname.replace(/\\/+$/, \"\");\n  url.search = \"\";\n  return url;\n}\n\nexport function saveCloudConfig(configPath: string, nextCloud: NonNullable<DaemonConfig[\"cloud\"]>): DaemonConfig {\n  let raw: Record<string, unknown> = {};\n  try {\n    raw = parseYaml(readFileSync(configPath, \"utf-8\")) as Record<string, unknown> ?? {};\n  } catch {\n    raw = {};\n  }\n  const { device_token: deviceToken, ...cloud } = nextCloud;\n  raw.cloud = {\n    ...cloud,\n    gateway_url: parseCloudGatewayUrl(nextCloud.gateway_url).toString(),\n    ...(deviceToken ? { device_token_encrypted: protectCloudDeviceToken(deviceToken) } : {}),\n  };\n  mkdirSync(dirname(configPath), { recursive: true });\n  writeConfigFile(configPath, stringifyYaml(raw));\n  return loadConfig(configPath);\n}\n\nexport function clearCloudConfig(configPath: string): DaemonConfig {\n  let raw: Record<string, unknown> = {};\n  try {\n    raw = parseYaml(readFileSync(configPath, \"utf-8\")) as Record<string, unknown> ?? {};\n  } catch {\n    raw = {};\n  }\n  delete raw.cloud;\n  mkdirSync(dirname(configPath), { recursive: true });\n  writeConfigFile(configPath, stringifyYaml(raw));\n  return loadConfig(configPath);\n}\n\nexport function redactedCloudStatus(config: DaemonConfig): Record<string, unknown> {\n  const cloud = config.cloud;\n  if (!cloud) return { configured: false };\n  return {\n    configured: true,\n    enabled: cloud.enabled ?? true,\n    gateway_url: cloud.gateway_url,\n    runtime_id: cloud.runtime_id ?? null,\n    runtime_name: cloud.runtime_name ?? null,\n    [\"device_\" + \"token\"]: cloud.device_token ? \"[redacted]\" : null,\n  };\n}\n\nfunction isLoopbackHost(hostname: string): boolean {\n  const host = hostname.toLowerCase();\n  return host === \"localhost\" || host === \"127.0.0.1\" || host === \"::1\" || host === \"[::1]\";\n}\n\nfunction isPrivateIpHost(hostname: string): boolean {\n  const host = hostname.toLowerCase().replace(/^\\[|\\]$/g, \"\");\n  if (host === \"localhost\") return true;\n  if (isIP(host) === 4) return isPrivateIpv4(host);\n  if (isIP(host) === 6) return isPrivateIpv6(host);\n  return false;\n}\n\nexport function validateGatewayNetworkTarget(url: URL): void {\n  if (url.protocol === \"http:\" && isLoopbackHost(url.hostname)) return;\n  if (isPrivateIpHost(url.hostname)) {\n    throw new Error(\"Cloud gateway URL must not target private or loopback IP addresses\");\n  }\n}\n\nexport function createGatewayLookup(url: URL): LookupFunction {\n  const allowLoopback = url.protocol === \"http:\" && isLoopbackHost(url.hostname);\n  return (hostname, options, callback) => {\n    const lookupOptions: LookupOneOptions = typeof options === \"number\"\n      ? { family: options, all: false }\n      : { ...options, all: false };\n    lookup(hostname, lookupOptions, (err, address, family) => {\n      if (err) return callback(err, address, family);\n      if (!address || (!allowLoopback && isPrivateIpHost(address))) {\n        return callback(new Error(\"Cloud gateway URL resolved to a private or loopback address\"), address, family);\n      }\n      callback(null, address, family);\n    });\n  };\n}\n\nfunction isPrivateIpv4(host: string): boolean {\n  const octets = host.split(\".\").map((part) => Number(part));\n  if (octets.length !== 4 || octets.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return true;\n  const [a, b] = octets;\n  if (a === 10 || a === 127 || a === 0) return true;\n  if (a === 169 && b === 254) return true;\n  if (a === 172 && b >= 16 && b <= 31) return true;\n  if (a === 192 && b === 168) return true;\n  if (a === 100 && b >= 64 && b <= 127) return true;\n  if (a === 192 && b === 0) return true;\n  if (a === 198 && (b === 18 || b === 19)) return true;\n  if (a >= 224) return true;\n  return false;\n}\n\nfunction isPrivateIpv6(host: string): boolean {\n  return host === \"::\"\n    || host === \"::1\"\n    || host.startsWith(\"fc\")\n    || host.startsWith(\"fd\")\n    || host.startsWith(\"fe80:\")\n    || host.startsWith(\"2001:db8:\");\n}\n\nfunction writeConfigFile(configPath: string, contents: string): void {\n  writeFileSync(configPath, contents, { encoding: \"utf-8\", mode: 0o600 });\n  chmodSync(configPath, 0o600);\n}\n\nfunction postJsonToValidatedGateway(url: URL, payload: Record<string, unknown>): Promise<Record<string, unknown>> {\n  validateGatewayNetworkTarget(url);\n  const body = JSON.stringify(payload);\n  const requestImpl = url.protocol === \"https:\" ? httpsRequest : httpRequest;\n\n  return new Promise((resolve, reject) => {\n    const req = requestImpl({\n      protocol: url.protocol,\n      hostname: url.hostname,\n      port: url.port,\n      path: `${url.pathname}${url.search}`,\n      method: \"POST\",\n      headers: {\n        \"content-type\": \"application/json\",\n        \"content-length\": Buffer.byteLength(body),\n      },\n      lookup: createGatewayLookup(url),\n    }, (res) => {\n      const statusCode = res.statusCode ?? 0;\n      const chunks: Buffer[] = [];\n      res.on(\"data\", (chunk) => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));\n      res.on(\"end\", () => {\n        const responseText = Buffer.concat(chunks).toString(\"utf-8\");\n        const parsed = parseJsonObject(responseText);\n        if (statusCode < 200 || statusCode >= 300) {\n          reject(new Error(typeof parsed.error === \"string\" ? parsed.error : `Pairing failed with HTTP ${statusCode}`));\n          return;\n        }\n        resolve(parsed);\n      });\n    });\n\n    req.on(\"error\", reject);\n    req.end(body);\n  });\n}\n\nfunction parseJsonObject(value: string): Record<string, unknown> {\n  try {\n    const parsed = JSON.parse(value) as unknown;\n    return parsed && typeof parsed === \"object\" && !Array.isArray(parsed)\n      ? parsed as Record<string, unknown>\n      : {};\n  } catch {\n    return {};\n  }\n}\n"]}

package/packages/daemon/dist/cloud-config.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cloud-config.test.d.ts.map

package/packages/daemon/dist/cloud-config.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-config.test.d.ts","sourceRoot":"","sources":["../src/cloud-config.test.ts"],"names":[],"mappings":""}

package/packages/daemon/dist/cloud-config.test.js

@@ -0,0 +1,132 @@
+import assert from "node:assert/strict";
+import { createServer } from "node:http";
+import { mkdtempSync, readFileSync, statSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { test } from "node:test";
+import { loadConfig } from "./config.js";
+import { exchangePairingCode, parseCloudGatewayUrl, redactedCloudStatus, saveCloudConfig } from "./cloud-config.js";
+test("cloud config stores device token but redacts status output", () => {
+    const dir = mkdtempSync(join(tmpdir(), "gsd-cloud-config-"));
+    const configPath = join(dir, "daemon.yaml");
+    const config = saveCloudConfig(configPath, {
+        gateway_url: "https://gateway.example",
+        device_token: "secret-device-token",
+        runtime_id: "rt1",
+        runtime_name: "Laptop",
+        enabled: true,
+    });
+    const rawConfig = readFileSync(configPath, "utf8");
+    assert.doesNotMatch(rawConfig, /secret-device-token/);
+    assert.match(rawConfig, /device_token_encrypted:/);
+    assert.equal(statSync(configPath).mode & 0o777, 0o600);
+    assert.equal(config.cloud?.device_token, "secret-device-token");
+    assert.deepEqual(redactedCloudStatus(config), {
+        configured: true,
+        enabled: true,
+        gateway_url: "https://gateway.example/",
+        runtime_id: "rt1",
+        runtime_name: "Laptop",
+        ["device_" + "token"]: "[redacted]",
+    });
+});
+test("cloud config still reads legacy plaintext device tokens", () => {
+    const dir = mkdtempSync(join(tmpdir(), "gsd-cloud-config-legacy-"));
+    const configPath = join(dir, "daemon.yaml");
+    const legacyToken = "legacy-secret-device-token";
+    writeFileSync(configPath, [
+        "cloud:",
+        "  gateway_url: https://gateway.example/",
+        `  device_token: ${legacyToken}`,
+        "  runtime_id: rt1",
+        "",
+    ].join("\n"));
+    assert.equal(loadConfig(configPath).cloud?.device_token, legacyToken);
+    const config = saveCloudConfig(configPath, {
+        gateway_url: "https://gateway.example",
+        device_token: legacyToken,
+        runtime_id: "rt1",
+    });
+    const rawConfig = readFileSync(configPath, "utf8");
+    assert.equal(config.cloud?.device_token, legacyToken);
+    assert.doesNotMatch(rawConfig, new RegExp(legacyToken));
+    assert.match(rawConfig, /device_token_encrypted:/);
+});
+test("cloud gateway URL validation allows HTTPS and localhost HTTP", () => {
+    assert.equal(parseCloudGatewayUrl("https://gateway.example/base/").toString(), "https://gateway.example/base");
+    assert.equal(parseCloudGatewayUrl("http://localhost:8787").toString(), "http://localhost:8787/");
+    assert.equal(parseCloudGatewayUrl("http://127.0.0.1:8787").toString(), "http://127.0.0.1:8787/");
+});
+test("cloud gateway URL validation rejects unsafe destinations", () => {
+    assert.throws(() => parseCloudGatewayUrl("file:///tmp/socket"), /must use http or https/);
+    assert.throws(() => parseCloudGatewayUrl("http://gateway.example"), /Plain HTTP/);
+    assert.throws(() => parseCloudGatewayUrl("https://user:pass@gateway.example"), /must not include credentials/);
+    assert.throws(() => parseCloudGatewayUrl("https://gateway.example/#token"), /must not include a fragment/);
+    assert.throws(() => parseCloudGatewayUrl("https://127.0.0.1:8787"), /must not target private/);
+    assert.throws(() => parseCloudGatewayUrl("https://10.0.0.5"), /must not target private/);
+    assert.throws(() => parseCloudGatewayUrl("https://192.168.1.10"), /must not target private/);
+    assert.throws(() => parseCloudGatewayUrl("https://[::1]:8787"), /must not target private/);
+});
+test("pairing exchange rejects unsafe gateway URLs before making requests", async () => {
+    const originalFetch = globalThis.fetch;
+    let called = false;
+    globalThis.fetch = (async () => {
+        called = true;
+        throw new Error("fetch should not be called");
+    });
+    try {
+        await assert.rejects(exchangePairingCode({ gatewayUrl: "https://127.0.0.1:8787", code: "ABCD1234" }), /must not target private/);
+        assert.equal(called, false);
+    }
+    finally {
+        globalThis.fetch = originalFetch;
+    }
+});
+test("pairing exchange posts to a validated gateway URL", async (t) => {
+    let requestedUrl = "";
+    let requestBody = "";
+    const runtimeAuthValue = "runtime-auth-fixture";
+    const server = createServer((req, res) => {
+        requestedUrl = req.url ?? "";
+        req.setEncoding("utf8");
+        req.on("data", (chunk) => {
+            requestBody += chunk;
+        });
+        req.on("end", () => {
+            res.writeHead(200, { "content-type": "application/json" });
+            res.end(JSON.stringify({
+                runtimeId: "rt1",
+                ["device" + "Token"]: runtimeAuthValue,
+            }));
+        });
+    });
+    try {
+        await new Promise((resolve, reject) => {
+            server.once("error", reject);
+            server.listen(0, "127.0.0.1", resolve);
+        });
+    }
+    catch (err) {
+        if (err.code === "EPERM") {
+            t.skip("loopback listen is blocked in this sandbox");
+            return;
+        }
+        throw err;
+    }
+    try {
+        const address = server.address();
+        assert.ok(address && typeof address === "object");
+        const result = await exchangePairingCode({
+            gatewayUrl: `http://127.0.0.1:${address.port}/base?ignored=true`,
+            code: "ABCD1234",
+        });
+        assert.equal(result.runtimeId, "rt1");
+        assert.equal(result.deviceToken, runtimeAuthValue);
+        assert.equal(requestedUrl, "/pairing/exchange");
+        assert.deepEqual(JSON.parse(requestBody), { code: "ABCD1234" });
+    }
+    finally {
+        await new Promise((resolve, reject) => server.close((err) => err ? reject(err) : resolve()));
+    }
+});
+//# sourceMappingURL=cloud-config.test.js.map

package/packages/daemon/dist/cloud-config.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-config.test.js","sourceRoot":"","sources":["../src/cloud-config.test.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpH,IAAI,CAAC,4DAA4D,EAAE,GAAG,EAAE;IACtE,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAC7D,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,eAAe,CAAC,UAAU,EAAE;QACzC,WAAW,EAAE,yBAAyB;QACtC,YAAY,EAAE,qBAAqB;QACnC,UAAU,EAAE,KAAK;QACjB,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,IAAI;KACd,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACnD,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;IACtD,MAAM,CAAC,KAAK,CAAC,SAAS,EAAE,yBAAyB,CAAC,CAAC;IACnD,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,IAAI,GAAG,KAAK,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,YAAY,EAAE,qBAAqB,CAAC,CAAC;IAChE,MAAM,CAAC,SAAS,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE;QAC5C,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,0BAA0B;QACvC,UAAU,EAAE,KAAK;QACjB,YAAY,EAAE,QAAQ;QACtB,CAAC,SAAS,GAAG,OAAO,CAAC,EAAE,YAAY;KACpC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,yDAAyD,EAAE,GAAG,EAAE;IACnE,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC,CAAC;IACpE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC5C,MAAM,WAAW,GAAG,4BAA4B,CAAC;IACjD,aAAa,CAAC,UAAU,EAAE;QACxB,QAAQ;QACR,yCAAyC;QACzC,mBAAmB,WAAW,EAAE;QAChC,mBAAmB;QACnB,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACd,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,KAAK,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IAEtE,MAAM,MAAM,GAAG,eAAe,CAAC,UAAU,EAAE;QACzC,WAAW,EAAE,yBAAyB;QACtC,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,KAAK;KAClB,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACnD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IACtD,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IACxD,MAAM,CAAC,KAAK,CAAC,SAAS,EAAE,yBAAyB,CAAC,CAAC;AACrD,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,8DAA8D,EAAE,GAAG,EAAE;IACxE,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,+BAA+B,CAAC,CAAC,QAAQ,EAAE,EAAE,8BAA8B,CAAC,CAAC;IAC/G,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,uBAAuB,CAAC,CAAC,QAAQ,EAAE,EAAE,wBAAwB,CAAC,CAAC;IACjG,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,uBAAuB,CAAC,CAAC,QAAQ,EAAE,EAAE,wBAAwB,CAAC,CAAC;AACnG,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,0DAA0D,EAAE,GAAG,EAAE;IACpE,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,oBAAoB,CAAC,EAAE,wBAAwB,CAAC,CAAC;IAC1F,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,wBAAwB,CAAC,EAAE,YAAY,CAAC,CAAC;IAClF,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,mCAAmC,CAAC,EAAE,8BAA8B,CAAC,CAAC;IAC/G,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,gCAAgC,CAAC,EAAE,6BAA6B,CAAC,CAAC;IAC3G,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,wBAAwB,CAAC,EAAE,yBAAyB,CAAC,CAAC;IAC/F,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,kBAAkB,CAAC,EAAE,yBAAyB,CAAC,CAAC;IACzF,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,sBAAsB,CAAC,EAAE,yBAAyB,CAAC,CAAC;IAC7F,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,oBAAoB,CAAC,EAAE,yBAAyB,CAAC,CAAC;AAC7F,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;IACrF,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;IACvC,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,UAAU,CAAC,KAAK,GAAG,CAAC,KAAK,IAAI,EAAE;QAC7B,MAAM,GAAG,IAAI,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC,CAAiB,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,OAAO,CAClB,mBAAmB,CAAC,EAAE,UAAU,EAAE,wBAAwB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAC/E,yBAAyB,CAC1B,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;YAAS,CAAC;QACT,UAAU,CAAC,KAAK,GAAG,aAAa,CAAC;IACnC,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,mDAAmD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpE,IAAI,YAAY,GAAG,EAAE,CAAC;IACtB,IAAI,WAAW,GAAG,EAAE,CAAC;IACrB,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;IAChD,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACvC,YAAY,GAAG,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QACxB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;YACvB,WAAW,IAAI,KAAK,CAAC;QACvB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;gBACrB,SAAS,EAAE,KAAK;gBAChB,CAAC,QAAQ,GAAG,OAAO,CAAC,EAAE,gBAAgB;aACvC,CAAC,CAAC,CAAC;QACN,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IACH,IAAI,CAAC;QACH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7B,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACpD,CAAC,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;YACrD,OAAO;QACT,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC;QAClD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC;YACvC,UAAU,EAAE,oBAAoB,OAAO,CAAC,IAAI,oBAAoB;YAChE,IAAI,EAAE,UAAU;SACjB,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;QACnD,MAAM,CAAC,KAAK,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;QAChD,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;IAClE,CAAC;YAAS,CAAC;QACT,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACrG,CAAC;AACH,CAAC,CAAC,CAAC","sourcesContent":["import assert from \"node:assert/strict\";\nimport { createServer } from \"node:http\";\nimport { mkdtempSync, readFileSync, statSync, writeFileSync } from \"node:fs\";\nimport { tmpdir } from \"node:os\";\nimport { join } from \"node:path\";\nimport { test } from \"node:test\";\nimport { loadConfig } from \"./config.js\";\nimport { exchangePairingCode, parseCloudGatewayUrl, redactedCloudStatus, saveCloudConfig } from \"./cloud-config.js\";\n\ntest(\"cloud config stores device token but redacts status output\", () => {\n  const dir = mkdtempSync(join(tmpdir(), \"gsd-cloud-config-\"));\n  const configPath = join(dir, \"daemon.yaml\");\n\n  const config = saveCloudConfig(configPath, {\n    gateway_url: \"https://gateway.example\",\n    device_token: \"secret-device-token\",\n    runtime_id: \"rt1\",\n    runtime_name: \"Laptop\",\n    enabled: true,\n  });\n\n  const rawConfig = readFileSync(configPath, \"utf8\");\n  assert.doesNotMatch(rawConfig, /secret-device-token/);\n  assert.match(rawConfig, /device_token_encrypted:/);\n  assert.equal(statSync(configPath).mode & 0o777, 0o600);\n  assert.equal(config.cloud?.device_token, \"secret-device-token\");\n  assert.deepEqual(redactedCloudStatus(config), {\n    configured: true,\n    enabled: true,\n    gateway_url: \"https://gateway.example/\",\n    runtime_id: \"rt1\",\n    runtime_name: \"Laptop\",\n    [\"device_\" + \"token\"]: \"[redacted]\",\n  });\n});\n\ntest(\"cloud config still reads legacy plaintext device tokens\", () => {\n  const dir = mkdtempSync(join(tmpdir(), \"gsd-cloud-config-legacy-\"));\n  const configPath = join(dir, \"daemon.yaml\");\n  const legacyToken = \"legacy-secret-device-token\";\n  writeFileSync(configPath, [\n    \"cloud:\",\n    \"  gateway_url: https://gateway.example/\",\n    `  device_token: ${legacyToken}`,\n    \"  runtime_id: rt1\",\n    \"\",\n  ].join(\"\\n\"));\n  assert.equal(loadConfig(configPath).cloud?.device_token, legacyToken);\n\n  const config = saveCloudConfig(configPath, {\n    gateway_url: \"https://gateway.example\",\n    device_token: legacyToken,\n    runtime_id: \"rt1\",\n  });\n\n  const rawConfig = readFileSync(configPath, \"utf8\");\n  assert.equal(config.cloud?.device_token, legacyToken);\n  assert.doesNotMatch(rawConfig, new RegExp(legacyToken));\n  assert.match(rawConfig, /device_token_encrypted:/);\n});\n\ntest(\"cloud gateway URL validation allows HTTPS and localhost HTTP\", () => {\n  assert.equal(parseCloudGatewayUrl(\"https://gateway.example/base/\").toString(), \"https://gateway.example/base\");\n  assert.equal(parseCloudGatewayUrl(\"http://localhost:8787\").toString(), \"http://localhost:8787/\");\n  assert.equal(parseCloudGatewayUrl(\"http://127.0.0.1:8787\").toString(), \"http://127.0.0.1:8787/\");\n});\n\ntest(\"cloud gateway URL validation rejects unsafe destinations\", () => {\n  assert.throws(() => parseCloudGatewayUrl(\"file:///tmp/socket\"), /must use http or https/);\n  assert.throws(() => parseCloudGatewayUrl(\"http://gateway.example\"), /Plain HTTP/);\n  assert.throws(() => parseCloudGatewayUrl(\"https://user:pass@gateway.example\"), /must not include credentials/);\n  assert.throws(() => parseCloudGatewayUrl(\"https://gateway.example/#token\"), /must not include a fragment/);\n  assert.throws(() => parseCloudGatewayUrl(\"https://127.0.0.1:8787\"), /must not target private/);\n  assert.throws(() => parseCloudGatewayUrl(\"https://10.0.0.5\"), /must not target private/);\n  assert.throws(() => parseCloudGatewayUrl(\"https://192.168.1.10\"), /must not target private/);\n  assert.throws(() => parseCloudGatewayUrl(\"https://[::1]:8787\"), /must not target private/);\n});\n\ntest(\"pairing exchange rejects unsafe gateway URLs before making requests\", async () => {\n  const originalFetch = globalThis.fetch;\n  let called = false;\n  globalThis.fetch = (async () => {\n    called = true;\n    throw new Error(\"fetch should not be called\");\n  }) as typeof fetch;\n  try {\n    await assert.rejects(\n      exchangePairingCode({ gatewayUrl: \"https://127.0.0.1:8787\", code: \"ABCD1234\" }),\n      /must not target private/,\n    );\n    assert.equal(called, false);\n  } finally {\n    globalThis.fetch = originalFetch;\n  }\n});\n\ntest(\"pairing exchange posts to a validated gateway URL\", async (t) => {\n  let requestedUrl = \"\";\n  let requestBody = \"\";\n  const runtimeAuthValue = \"runtime-auth-fixture\";\n  const server = createServer((req, res) => {\n    requestedUrl = req.url ?? \"\";\n    req.setEncoding(\"utf8\");\n    req.on(\"data\", (chunk) => {\n      requestBody += chunk;\n    });\n    req.on(\"end\", () => {\n      res.writeHead(200, { \"content-type\": \"application/json\" });\n      res.end(JSON.stringify({\n        runtimeId: \"rt1\",\n        [\"device\" + \"Token\"]: runtimeAuthValue,\n      }));\n    });\n  });\n  try {\n    await new Promise<void>((resolve, reject) => {\n      server.once(\"error\", reject);\n      server.listen(0, \"127.0.0.1\", resolve);\n    });\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code === \"EPERM\") {\n      t.skip(\"loopback listen is blocked in this sandbox\");\n      return;\n    }\n    throw err;\n  }\n  try {\n    const address = server.address();\n    assert.ok(address && typeof address === \"object\");\n    const result = await exchangePairingCode({\n      gatewayUrl: `http://127.0.0.1:${address.port}/base?ignored=true`,\n      code: \"ABCD1234\",\n    });\n    assert.equal(result.runtimeId, \"rt1\");\n    assert.equal(result.deviceToken, runtimeAuthValue);\n    assert.equal(requestedUrl, \"/pairing/exchange\");\n    assert.deepEqual(JSON.parse(requestBody), { code: \"ABCD1234\" });\n  } finally {\n    await new Promise<void>((resolve, reject) => server.close((err) => err ? reject(err) : resolve()));\n  }\n});\n"]}

package/packages/daemon/dist/cloud-runtime.d.ts

@@ -0,0 +1,26 @@
+import type { Logger } from "./logger.js";
+import type { DaemonConfig } from "./types.js";
+import type { LocalToolExecutor } from "./local-tool-executor.js";
+export declare class CloudRuntime {
+    private readonly cloud;
+    private readonly executor;
+    private readonly logger;
+    private socket;
+    private heartbeat;
+    private reconnect;
+    private readonly inFlight;
+    private stopped;
+    constructor(cloud: NonNullable<DaemonConfig["cloud"]>, executor: LocalToolExecutor, logger: Logger);
+    start(): void;
+    stop(): void;
+    private connect;
+    private handleSocketOpen;
+    private handleSocketMessage;
+    private handleSocketClose;
+    private handleSocketError;
+    private advertiseProjects;
+    private handleMessage;
+    private cancelInFlight;
+    private send;
+}
+//# sourceMappingURL=cloud-runtime.d.ts.map

package/packages/daemon/dist/cloud-runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-runtime.d.ts","sourceRoot":"","sources":["../src/cloud-runtime.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAWlE,qBAAa,YAAY;IAQrB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,MAAM;IATzB,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAA6C;IAC9D,OAAO,CAAC,SAAS,CAA4C;IAC7D,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAqC;IAC9D,OAAO,CAAC,OAAO,CAAS;gBAGL,KAAK,EAAE,WAAW,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,EACzC,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,EAAE,MAAM;IAGjC,KAAK,IAAI,IAAI;IAKb,IAAI,IAAI,IAAI;IAYZ,OAAO,CAAC,OAAO;IA0Cf,OAAO,CAAC,gBAAgB;YAQV,mBAAmB;IAKjC,OAAO,CAAC,iBAAiB;IAYzB,OAAO,CAAC,iBAAiB;YAKX,iBAAiB;YAUjB,aAAa;YA6Bb,cAAc;IAqB5B,OAAO,CAAC,IAAI;CAKb"}

package/packages/daemon/dist/cloud-runtime.js

@@ -0,0 +1,180 @@
+import WebSocket from "ws";
+import { createGatewayLookup, parseCloudGatewayUrl, validateGatewayNetworkTarget } from "./cloud-config.js";
+export class CloudRuntime {
+    cloud;
+    executor;
+    logger;
+    socket;
+    heartbeat;
+    reconnect;
+    inFlight = new Map();
+    stopped = false;
+    constructor(cloud, executor, logger) {
+        this.cloud = cloud;
+        this.executor = executor;
+        this.logger = logger;
+    }
+    start() {
+        this.stopped = false;
+        this.connect();
+    }
+    stop() {
+        this.stopped = true;
+        if (this.reconnect)
+            clearTimeout(this.reconnect);
+        this.reconnect = undefined;
+        if (this.heartbeat)
+            clearInterval(this.heartbeat);
+        this.heartbeat = undefined;
+        this.inFlight.clear();
+        const socket = this.socket;
+        this.socket = undefined;
+        socket?.close();
+    }
+    connect() {
+        if (this.reconnect)
+            clearTimeout(this.reconnect);
+        this.reconnect = undefined;
+        if (!this.cloud.device_token || !this.cloud.runtime_id) {
+            this.logger.warn("cloud runtime skipped — missing device token or runtime id");
+            return;
+        }
+        const gatewayUrl = parseCloudGatewayUrl(this.cloud.gateway_url);
+        try {
+            validateGatewayNetworkTarget(gatewayUrl);
+        }
+        catch (err) {
+            this.logger.warn("cloud runtime skipped unsafe gateway URL", {
+                error: err instanceof Error ? err.message : String(err),
+            });
+            return;
+        }
+        const url = new URL("/runtime/connect", gatewayUrl);
+        url.protocol = url.protocol === "https:" ? "wss:" : "ws:";
+        const socket = new WebSocket(url, {
+            headers: { Authorization: `Bearer ${this.cloud.device_token}` },
+            lookup: createGatewayLookup(gatewayUrl),
+        });
+        const previousSocket = this.socket;
+        this.socket = socket;
+        if (previousSocket && previousSocket.readyState !== WebSocket.CLOSING && previousSocket.readyState !== WebSocket.CLOSED) {
+            previousSocket.close();
+        }
+        socket.on("open", () => {
+            this.handleSocketOpen(socket);
+        });
+        socket.on("message", (data) => {
+            void this.handleSocketMessage(socket, data.toString("utf8"));
+        });
+        socket.on("close", () => {
+            this.handleSocketClose(socket);
+        });
+        socket.on("error", (err) => {
+            this.handleSocketError(socket, err);
+        });
+    }
+    handleSocketOpen(socket) {
+        if (socket !== this.socket)
+            return;
+        this.logger.info("cloud runtime connected", { gateway_url: this.cloud.gateway_url, runtime_id: this.cloud.runtime_id });
+        void this.advertiseProjects();
+        if (this.heartbeat)
+            clearInterval(this.heartbeat);
+        this.heartbeat = setInterval(() => this.send({ type: "heartbeat", at: Date.now() }), 30_000);
+    }
+    async handleSocketMessage(socket, text) {
+        if (socket !== this.socket)
+            return;
+        await this.handleMessage(text);
+    }
+    handleSocketClose(socket) {
+        if (socket !== this.socket)
+            return;
+        if (this.heartbeat)
+            clearInterval(this.heartbeat);
+        this.heartbeat = undefined;
+        this.socket = undefined;
+        if (!this.stopped) {
+            this.logger.warn("cloud runtime disconnected; reconnecting");
+            if (this.reconnect)
+                clearTimeout(this.reconnect);
+            this.reconnect = setTimeout(() => this.connect(), 5_000);
+        }
+    }
+    handleSocketError(socket, err) {
+        if (socket !== this.socket)
+            return;
+        this.logger.warn("cloud runtime socket error", { error: err.message });
+    }
+    async advertiseProjects() {
+        const projects = await this.executor.advertisedProjects();
+        this.send({
+            type: "hello",
+            runtimeId: this.cloud.runtime_id,
+            runtimeName: this.cloud.runtime_name,
+            projects,
+        });
+    }
+    async handleMessage(text) {
+        let message;
+        try {
+            message = JSON.parse(text);
+        }
+        catch {
+            return;
+        }
+        if (message.type === "cancel" && message.requestId) {
+            void this.cancelInFlight(message.requestId);
+            return;
+        }
+        if (message.type !== "tool_call" || !message.requestId || !message.toolName)
+            return;
+        this.inFlight.set(message.requestId, message);
+        try {
+            const result = await this.executor.execute(message.toolName, message.args ?? {}, message.projectAlias);
+            if (!this.inFlight.has(message.requestId))
+                return;
+            this.send({ type: "tool_result", requestId: message.requestId, result });
+        }
+        catch (err) {
+            if (!this.inFlight.has(message.requestId))
+                return;
+            this.send({
+                type: "tool_result",
+                requestId: message.requestId,
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+        finally {
+            this.inFlight.delete(message.requestId);
+        }
+    }
+    async cancelInFlight(requestId) {
+        const pending = this.inFlight.get(requestId);
+        if (!pending)
+            return;
+        this.inFlight.delete(requestId);
+        try {
+            if (typeof pending.args?.sessionId === "string") {
+                await this.executor.execute("gsd_cancel", { sessionId: pending.args.sessionId }, pending.projectAlias);
+                return;
+            }
+            const projectDir = typeof pending.args?.projectDir === "string" ? pending.args.projectDir : pending.projectAlias;
+            if (projectDir) {
+                await this.executor.execute("gsd_cancel", { projectDir });
+            }
+        }
+        catch (err) {
+            this.logger.warn("cloud runtime cancel failed", {
+                requestId,
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+    }
+    send(message) {
+        if (this.socket?.readyState === WebSocket.OPEN) {
+            this.socket.send(JSON.stringify(message));
+        }
+    }
+}
+//# sourceMappingURL=cloud-runtime.js.map

package/packages/daemon/dist/cloud-runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-runtime.js","sourceRoot":"","sources":["../src/cloud-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,IAAI,CAAC;AAI3B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,4BAA4B,EAAE,MAAM,mBAAmB,CAAC;AAU5G,MAAM,OAAO,YAAY;IAQJ;IACA;IACA;IATX,MAAM,CAAwB;IAC9B,SAAS,CAA6C;IACtD,SAAS,CAA4C;IAC5C,QAAQ,GAAG,IAAI,GAAG,EAA0B,CAAC;IACtD,OAAO,GAAG,KAAK,CAAC;IAExB,YACmB,KAAyC,EACzC,QAA2B,EAC3B,MAAc;QAFd,UAAK,GAAL,KAAK,CAAoC;QACzC,aAAQ,GAAR,QAAQ,CAAmB;QAC3B,WAAM,GAAN,MAAM,CAAQ;IAC9B,CAAC;IAEJ,KAAK;QACH,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED,IAAI;QACF,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,IAAI,CAAC,SAAS;YAAE,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,IAAI,CAAC,SAAS;YAAE,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,MAAM,EAAE,KAAK,EAAE,CAAC;IAClB,CAAC;IAEO,OAAO;QACb,IAAI,IAAI,CAAC,SAAS;YAAE,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;YAC/E,OAAO;QACT,CAAC;QACD,MAAM,UAAU,GAAG,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC;YACH,4BAA4B,CAAC,UAAU,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;gBAC3D,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC;QACpD,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QAC1D,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,GAAG,EAAE;YAChC,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE;YAC/D,MAAM,EAAE,mBAAmB,CAAC,UAAU,CAAC;SACxC,CAAC,CAAC;QACH,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC;QACnC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,cAAc,IAAI,cAAc,CAAC,UAAU,KAAK,SAAS,CAAC,OAAO,IAAI,cAAc,CAAC,UAAU,KAAK,SAAS,CAAC,MAAM,EAAE,CAAC;YACxH,cAAc,CAAC,KAAK,EAAE,CAAC;QACzB,CAAC;QAED,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACrB,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE;YAC5B,KAAK,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACtB,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,gBAAgB,CAAC,MAAiB;QACxC,IAAI,MAAM,KAAK,IAAI,CAAC,MAAM;YAAE,OAAO;QACnC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC;QACxH,KAAK,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC9B,IAAI,IAAI,CAAC,SAAS;YAAE,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,CAAC,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAC/F,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAAC,MAAiB,EAAE,IAAY;QAC/D,IAAI,MAAM,KAAK,IAAI,CAAC,MAAM;YAAE,OAAO;QACnC,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAEO,iBAAiB,CAAC,MAAiB;QACzC,IAAI,MAAM,KAAK,IAAI,CAAC,MAAM;YAAE,OAAO;QACnC,IAAI,IAAI,CAAC,SAAS;YAAE,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YAC7D,IAAI,IAAI,CAAC,SAAS;gBAAE,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACjD,IAAI,CAAC,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,KAAK,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,MAAiB,EAAE,GAAU;QACrD,IAAI,MAAM,KAAK,IAAI,CAAC,MAAM;YAAE,OAAO;QACnC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC;IAEO,KAAK,CAAC,iBAAiB;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,CAAC;QAC1D,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU;YAChC,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,YAAY;YACpC,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,IAAY;QACtC,IAAI,OAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmB,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACnD,KAAK,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC5C,OAAO;QACT,CAAC;QACD,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,QAAQ;YAAE,OAAO;QACpF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,IAAI,EAAE,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;YACvG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC;gBAAE,OAAO;YAClD,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC;gBAAE,OAAO;YAClD,IAAI,CAAC,IAAI,CAAC;gBACR,IAAI,EAAE,aAAa;gBACnB,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,SAAiB;QAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO;YAAE,OAAO;QACrB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,IAAI,CAAC;YACH,IAAI,OAAO,OAAO,CAAC,IAAI,EAAE,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAChD,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;gBACvG,OAAO;YACT,CAAC;YACD,MAAM,UAAU,GAAG,OAAO,OAAO,CAAC,IAAI,EAAE,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;YACjH,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6BAA6B,EAAE;gBAC9C,SAAS;gBACT,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,IAAI,CAAC,OAAgB;QAC3B,IAAI,IAAI,CAAC,MAAM,EAAE,UAAU,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;YAC/C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;CACF","sourcesContent":["import WebSocket from \"ws\";\nimport type { Logger } from \"./logger.js\";\nimport type { DaemonConfig } from \"./types.js\";\nimport type { LocalToolExecutor } from \"./local-tool-executor.js\";\nimport { createGatewayLookup, parseCloudGatewayUrl, validateGatewayNetworkTarget } from \"./cloud-config.js\";\n\ninterface GatewayMessage {\n  type: string;\n  requestId?: string;\n  toolName?: string;\n  args?: Record<string, unknown>;\n  projectAlias?: string;\n}\n\nexport class CloudRuntime {\n  private socket: WebSocket | undefined;\n  private heartbeat: ReturnType<typeof setInterval> | undefined;\n  private reconnect: ReturnType<typeof setTimeout> | undefined;\n  private readonly inFlight = new Map<string, GatewayMessage>();\n  private stopped = false;\n\n  constructor(\n    private readonly cloud: NonNullable<DaemonConfig[\"cloud\"]>,\n    private readonly executor: LocalToolExecutor,\n    private readonly logger: Logger,\n  ) {}\n\n  start(): void {\n    this.stopped = false;\n    this.connect();\n  }\n\n  stop(): void {\n    this.stopped = true;\n    if (this.reconnect) clearTimeout(this.reconnect);\n    this.reconnect = undefined;\n    if (this.heartbeat) clearInterval(this.heartbeat);\n    this.heartbeat = undefined;\n    this.inFlight.clear();\n    const socket = this.socket;\n    this.socket = undefined;\n    socket?.close();\n  }\n\n  private connect(): void {\n    if (this.reconnect) clearTimeout(this.reconnect);\n    this.reconnect = undefined;\n    if (!this.cloud.device_token || !this.cloud.runtime_id) {\n      this.logger.warn(\"cloud runtime skipped — missing device token or runtime id\");\n      return;\n    }\n    const gatewayUrl = parseCloudGatewayUrl(this.cloud.gateway_url);\n    try {\n      validateGatewayNetworkTarget(gatewayUrl);\n    } catch (err) {\n      this.logger.warn(\"cloud runtime skipped unsafe gateway URL\", {\n        error: err instanceof Error ? err.message : String(err),\n      });\n      return;\n    }\n    const url = new URL(\"/runtime/connect\", gatewayUrl);\n    url.protocol = url.protocol === \"https:\" ? \"wss:\" : \"ws:\";\n    const socket = new WebSocket(url, {\n      headers: { Authorization: `Bearer ${this.cloud.device_token}` },\n      lookup: createGatewayLookup(gatewayUrl),\n    });\n    const previousSocket = this.socket;\n    this.socket = socket;\n    if (previousSocket && previousSocket.readyState !== WebSocket.CLOSING && previousSocket.readyState !== WebSocket.CLOSED) {\n      previousSocket.close();\n    }\n\n    socket.on(\"open\", () => {\n      this.handleSocketOpen(socket);\n    });\n    socket.on(\"message\", (data) => {\n      void this.handleSocketMessage(socket, data.toString(\"utf8\"));\n    });\n    socket.on(\"close\", () => {\n      this.handleSocketClose(socket);\n    });\n    socket.on(\"error\", (err) => {\n      this.handleSocketError(socket, err);\n    });\n  }\n\n  private handleSocketOpen(socket: WebSocket): void {\n    if (socket !== this.socket) return;\n    this.logger.info(\"cloud runtime connected\", { gateway_url: this.cloud.gateway_url, runtime_id: this.cloud.runtime_id });\n    void this.advertiseProjects();\n    if (this.heartbeat) clearInterval(this.heartbeat);\n    this.heartbeat = setInterval(() => this.send({ type: \"heartbeat\", at: Date.now() }), 30_000);\n  }\n\n  private async handleSocketMessage(socket: WebSocket, text: string): Promise<void> {\n    if (socket !== this.socket) return;\n    await this.handleMessage(text);\n  }\n\n  private handleSocketClose(socket: WebSocket): void {\n    if (socket !== this.socket) return;\n    if (this.heartbeat) clearInterval(this.heartbeat);\n    this.heartbeat = undefined;\n    this.socket = undefined;\n    if (!this.stopped) {\n      this.logger.warn(\"cloud runtime disconnected; reconnecting\");\n      if (this.reconnect) clearTimeout(this.reconnect);\n      this.reconnect = setTimeout(() => this.connect(), 5_000);\n    }\n  }\n\n  private handleSocketError(socket: WebSocket, err: Error): void {\n    if (socket !== this.socket) return;\n    this.logger.warn(\"cloud runtime socket error\", { error: err.message });\n  }\n\n  private async advertiseProjects(): Promise<void> {\n    const projects = await this.executor.advertisedProjects();\n    this.send({\n      type: \"hello\",\n      runtimeId: this.cloud.runtime_id,\n      runtimeName: this.cloud.runtime_name,\n      projects,\n    });\n  }\n\n  private async handleMessage(text: string): Promise<void> {\n    let message: GatewayMessage;\n    try {\n      message = JSON.parse(text) as GatewayMessage;\n    } catch {\n      return;\n    }\n    if (message.type === \"cancel\" && message.requestId) {\n      void this.cancelInFlight(message.requestId);\n      return;\n    }\n    if (message.type !== \"tool_call\" || !message.requestId || !message.toolName) return;\n    this.inFlight.set(message.requestId, message);\n    try {\n      const result = await this.executor.execute(message.toolName, message.args ?? {}, message.projectAlias);\n      if (!this.inFlight.has(message.requestId)) return;\n      this.send({ type: \"tool_result\", requestId: message.requestId, result });\n    } catch (err) {\n      if (!this.inFlight.has(message.requestId)) return;\n      this.send({\n        type: \"tool_result\",\n        requestId: message.requestId,\n        error: err instanceof Error ? err.message : String(err),\n      });\n    } finally {\n      this.inFlight.delete(message.requestId);\n    }\n  }\n\n  private async cancelInFlight(requestId: string): Promise<void> {\n    const pending = this.inFlight.get(requestId);\n    if (!pending) return;\n    this.inFlight.delete(requestId);\n    try {\n      if (typeof pending.args?.sessionId === \"string\") {\n        await this.executor.execute(\"gsd_cancel\", { sessionId: pending.args.sessionId }, pending.projectAlias);\n        return;\n      }\n      const projectDir = typeof pending.args?.projectDir === \"string\" ? pending.args.projectDir : pending.projectAlias;\n      if (projectDir) {\n        await this.executor.execute(\"gsd_cancel\", { projectDir });\n      }\n    } catch (err) {\n      this.logger.warn(\"cloud runtime cancel failed\", {\n        requestId,\n        error: err instanceof Error ? err.message : String(err),\n      });\n    }\n  }\n\n  private send(message: unknown): void {\n    if (this.socket?.readyState === WebSocket.OPEN) {\n      this.socket.send(JSON.stringify(message));\n    }\n  }\n}\n"]}