@opsimathically/nodenetproccalld 0.0.2 → 0.0.3

package/dist/index.js

@@ -35,12 +35,17 @@ var __publicField = (obj, key2, value) => __defNormalProp(obj, typeof key2 !== "
 var index_exports = {};
 __export(index_exports, {
   ApiKeyAuthorizer: () => ApiKeyAuthorizer,
+  ClientTlsPackageConfigFileLoader: () => ClientTlsPackageConfigFileLoader,
+  ClientTlsPackageGenerator: () => ClientTlsPackageGenerator,
   ConfigFileLoader: () => ConfigFileLoader,
   ConfigValidator: () => ConfigValidator,
   DaemonCli: () => DaemonCli,
   DaemonProcess: () => DaemonProcess,
+  DefaultClientTlsGenerationConfigGenerator: () => DefaultClientTlsGenerationConfigGenerator,
   DefaultConfigGenerator: () => DefaultConfigGenerator,
+  DefaultTlsGenerationConfigGenerator: () => DefaultTlsGenerationConfigGenerator,
   NetworkProcedureCallDaemon: () => NetworkProcedureCallDaemon,
+  TlsGenerationConfigFileLoader: () => TlsGenerationConfigFileLoader,
   TlsMaterialGenerator: () => TlsMaterialGenerator
 });
 module.exports = __toCommonJS(index_exports);
@@ -136,7 +141,7 @@ var _ApiKeyAuthorizer = class _ApiKeyAuthorizer {
 __name(_ApiKeyAuthorizer, "ApiKeyAuthorizer");
 var ApiKeyAuthorizer = _ApiKeyAuthorizer;
 
-// src/classes/configfileloader/ConfigFileLoader.class.ts
+// src/classes/clienttlspackageconfigfileloader/ClientTlsPackageConfigFileLoader.class.ts
 var import_node_fs = __toESM(require("fs"));
 var import_node_path = __toESM(require("path"));
 
@@ -1247,8 +1252,408 @@ var JSON5 = {
 var lib = JSON5;
 var dist_default = lib;
 
-// src/classes/configvalidator/ConfigValidator.class.ts
+// src/classes/clienttlspackageconfigfileloader/ClientTlsPackageConfigFileLoader.class.ts
 var import_zod = require("zod");
+var client_tls_package_config_schema = import_zod.z.object({
+  ca_key_file: import_zod.z.string().min(1),
+  ca_cert_file: import_zod.z.string().min(1),
+  output_dir: import_zod.z.string().min(1).optional(),
+  overwrite: import_zod.z.boolean().optional(),
+  default_valid_days: import_zod.z.number().int().positive().optional(),
+  clients: import_zod.z.array(import_zod.z.object({
+    client_name: import_zod.z.string().min(1),
+    common_name: import_zod.z.string().min(1).optional(),
+    uri_san: import_zod.z.string().min(1).optional(),
+    package_name: import_zod.z.string().min(1).optional(),
+    valid_days: import_zod.z.number().int().positive().optional()
+  }).strict()).min(1)
+}).strict();
+function ParseJson5File(params) {
+  const absolute_file_path = import_node_path.default.resolve(process.cwd(), params.file_path);
+  let file_content;
+  try {
+    file_content = import_node_fs.default.readFileSync(absolute_file_path, "utf8");
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Unable to read client TLS package config file "${absolute_file_path}": ${error_message}`);
+  }
+  try {
+    return dist_default.parse(file_content);
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Invalid JSON5 in client TLS package config "${absolute_file_path}": ${error_message}`);
+  }
+}
+__name(ParseJson5File, "ParseJson5File");
+function BuildZodErrorMessage(params) {
+  const lines = params.error.issues.map((issue) => {
+    const issue_path = issue.path.length > 0 ? issue.path.join(".") : "<root>";
+    return `${issue_path}: ${issue.message}`;
+  });
+  return `Invalid client TLS package config file.
+${lines.join("\n")}`;
+}
+__name(BuildZodErrorMessage, "BuildZodErrorMessage");
+function ResolvePath(params) {
+  if (import_node_path.default.isAbsolute(params.file_path)) {
+    return params.file_path;
+  }
+  return import_node_path.default.resolve(params.base_dir, params.file_path);
+}
+__name(ResolvePath, "ResolvePath");
+function BuildUriSanFromCommonName(params) {
+  const normalized_common_name = params.common_name.replace(/[^a-zA-Z0-9_.-]/g, "_").toLowerCase();
+  return `spiffe://nodenetproccalld/${normalized_common_name}`;
+}
+__name(BuildUriSanFromCommonName, "BuildUriSanFromCommonName");
+var _ClientTlsPackageConfigFileLoader = class _ClientTlsPackageConfigFileLoader {
+  loadClientTlsPackageOptions(params) {
+    const absolute_config_file_path = import_node_path.default.resolve(process.cwd(), params.client_tls_package_generation_options.config_file_path);
+    const config_dir = import_node_path.default.dirname(absolute_config_file_path);
+    const config_raw = ParseJson5File({
+      file_path: absolute_config_file_path
+    });
+    const parse_result = client_tls_package_config_schema.safeParse(config_raw);
+    if (!parse_result.success) {
+      throw new Error(BuildZodErrorMessage({
+        error: parse_result.error
+      }));
+    }
+    const config_from_file = parse_result.data;
+    const output_dir = ResolvePath({
+      file_path: config_from_file.output_dir ?? "./client_certs",
+      base_dir: config_dir
+    });
+    const overwrite = config_from_file.overwrite ?? false;
+    const default_valid_days = config_from_file.default_valid_days ?? 36500;
+    const clients = this.buildRuntimeClients({
+      clients: config_from_file.clients,
+      default_valid_days
+    });
+    this.assertUniqueClientNames({
+      clients
+    });
+    this.assertUniquePackageNames({
+      clients
+    });
+    return {
+      ca_key_file: ResolvePath({
+        file_path: config_from_file.ca_key_file,
+        base_dir: config_dir
+      }),
+      ca_cert_file: ResolvePath({
+        file_path: config_from_file.ca_cert_file,
+        base_dir: config_dir
+      }),
+      output_dir,
+      overwrite,
+      default_valid_days,
+      clients
+    };
+  }
+  buildRuntimeClients(params) {
+    return params.clients.map((client_definition) => {
+      const common_name = client_definition.common_name ?? client_definition.client_name;
+      const client_uri_san = client_definition.uri_san ?? BuildUriSanFromCommonName({
+        common_name
+      });
+      const package_name = client_definition.package_name ?? client_definition.client_name;
+      const valid_days = client_definition.valid_days ?? params.default_valid_days;
+      return {
+        client_name: client_definition.client_name,
+        common_name,
+        uri_san: client_uri_san,
+        package_name,
+        valid_days
+      };
+    });
+  }
+  assertUniqueClientNames(params) {
+    const seen_client_names = /* @__PURE__ */ new Set();
+    for (const client of params.clients) {
+      if (seen_client_names.has(client.client_name)) {
+        throw new Error(`Duplicate client_name "${client.client_name}" in client TLS package config file.`);
+      }
+      seen_client_names.add(client.client_name);
+    }
+  }
+  assertUniquePackageNames(params) {
+    const seen_package_names = /* @__PURE__ */ new Set();
+    for (const client of params.clients) {
+      if (seen_package_names.has(client.package_name)) {
+        throw new Error(`Duplicate package_name "${client.package_name}" in client TLS package config file.`);
+      }
+      seen_package_names.add(client.package_name);
+    }
+  }
+};
+__name(_ClientTlsPackageConfigFileLoader, "ClientTlsPackageConfigFileLoader");
+var ClientTlsPackageConfigFileLoader = _ClientTlsPackageConfigFileLoader;
+
+// src/classes/clienttlspackagegenerator/ClientTlsPackageGenerator.class.ts
+var import_node_child_process = require("child_process");
+var import_node_fs2 = __toESM(require("fs"));
+var import_node_path2 = __toESM(require("path"));
+function WriteTextFile(params) {
+  import_node_fs2.default.writeFileSync(params.file_path, params.content, "utf8");
+}
+__name(WriteTextFile, "WriteTextFile");
+function EnsureReadableFile(params) {
+  if (!import_node_fs2.default.existsSync(params.file_path)) {
+    throw new Error(`${params.label} does not exist: ${params.file_path}`);
+  }
+  const stat_result = import_node_fs2.default.statSync(params.file_path);
+  if (!stat_result.isFile()) {
+    throw new Error(`${params.label} is not a file: ${params.file_path}`);
+  }
+}
+__name(EnsureReadableFile, "EnsureReadableFile");
+var _ClientTlsPackageGenerator = class _ClientTlsPackageGenerator {
+  generateClientTlsPackages(params) {
+    this.assertOpenSslAvailable();
+    this.assertTarAvailable();
+    this.assertCaFiles({
+      runtime_options: params.runtime_options
+    });
+    import_node_fs2.default.mkdirSync(params.runtime_options.output_dir, {
+      recursive: true
+    });
+    const ca_serial_path = import_node_path2.default.join(params.runtime_options.output_dir, "client_ca.cert.srl");
+    if (params.runtime_options.overwrite) {
+      import_node_fs2.default.rmSync(ca_serial_path, {
+        force: true
+      });
+    }
+    const generated_packages = [];
+    for (const client_definition of params.runtime_options.clients) {
+      const client_files = this.buildClientFileMap({
+        output_dir: params.runtime_options.output_dir,
+        client_name: client_definition.client_name,
+        package_name: client_definition.package_name
+      });
+      this.prepareClientOutput({
+        client_files,
+        overwrite: params.runtime_options.overwrite
+      });
+      try {
+        this.generateClientCertificate({
+          client_files,
+          ca_key_file: params.runtime_options.ca_key_file,
+          ca_cert_file: params.runtime_options.ca_cert_file,
+          ca_serial_path,
+          common_name: client_definition.common_name,
+          uri_san: client_definition.uri_san,
+          valid_days: client_definition.valid_days
+        });
+        import_node_fs2.default.rmSync(client_files.client_csr_path, {
+          force: true
+        });
+        import_node_fs2.default.rmSync(client_files.client_ext_path, {
+          force: true
+        });
+        import_node_fs2.default.copyFileSync(params.runtime_options.ca_cert_file, client_files.ca_cert_copy_path);
+        this.writeClientReadme({
+          client_files,
+          client_name: client_definition.client_name
+        });
+        this.createTarPackage({
+          client_files
+        });
+        generated_packages.push({
+          client_name: client_definition.client_name,
+          package_path: client_files.package_path,
+          directory_path: client_files.client_dir,
+          client_cert_path: client_files.client_cert_path,
+          client_key_path: client_files.client_key_path,
+          ca_cert_path: client_files.ca_cert_copy_path
+        });
+      } finally {
+        import_node_fs2.default.rmSync(client_files.client_csr_path, {
+          force: true
+        });
+        import_node_fs2.default.rmSync(client_files.client_ext_path, {
+          force: true
+        });
+      }
+    }
+    import_node_fs2.default.rmSync(ca_serial_path, {
+      force: true
+    });
+    return {
+      output_dir: params.runtime_options.output_dir,
+      packages: generated_packages
+    };
+  }
+  assertOpenSslAvailable() {
+    try {
+      (0, import_node_child_process.execFileSync)("openssl", [
+        "version"
+      ], {
+        stdio: "ignore"
+      });
+    } catch {
+      throw new Error("openssl command is required but was not found. Please install openssl and retry.");
+    }
+  }
+  assertTarAvailable() {
+    try {
+      (0, import_node_child_process.execFileSync)("tar", [
+        "--version"
+      ], {
+        stdio: "ignore"
+      });
+    } catch {
+      throw new Error("tar command is required but was not found. Please install tar and retry.");
+    }
+  }
+  assertCaFiles(params) {
+    EnsureReadableFile({
+      file_path: params.runtime_options.ca_key_file,
+      label: "ca_key_file"
+    });
+    EnsureReadableFile({
+      file_path: params.runtime_options.ca_cert_file,
+      label: "ca_cert_file"
+    });
+  }
+  buildClientFileMap(params) {
+    const client_dir = import_node_path2.default.join(params.output_dir, params.client_name);
+    return {
+      client_dir,
+      client_key_path: import_node_path2.default.join(client_dir, "client.key.pem"),
+      client_csr_path: import_node_path2.default.join(client_dir, "client.csr.pem"),
+      client_cert_path: import_node_path2.default.join(client_dir, "client.cert.pem"),
+      client_ext_path: import_node_path2.default.join(client_dir, "client.ext"),
+      package_path: import_node_path2.default.join(params.output_dir, `${params.package_name}.tar.gz`),
+      ca_cert_copy_path: import_node_path2.default.join(client_dir, "ca.cert.pem")
+    };
+  }
+  prepareClientOutput(params) {
+    if (!params.overwrite) {
+      if (import_node_fs2.default.existsSync(params.client_files.client_dir)) {
+        throw new Error(`Refusing to overwrite existing client directory "${params.client_files.client_dir}". Set overwrite=true in client TLS package config.`);
+      }
+      if (import_node_fs2.default.existsSync(params.client_files.package_path)) {
+        throw new Error(`Refusing to overwrite existing client package "${params.client_files.package_path}". Set overwrite=true in client TLS package config.`);
+      }
+    } else {
+      import_node_fs2.default.rmSync(params.client_files.client_dir, {
+        recursive: true,
+        force: true
+      });
+      import_node_fs2.default.rmSync(params.client_files.package_path, {
+        force: true
+      });
+    }
+    import_node_fs2.default.mkdirSync(params.client_files.client_dir, {
+      recursive: true
+    });
+  }
+  generateClientCertificate(params) {
+    WriteTextFile({
+      file_path: params.client_files.client_ext_path,
+      content: [
+        "extendedKeyUsage=clientAuth",
+        "keyUsage=digitalSignature,keyEncipherment",
+        `subjectAltName=URI:${params.uri_san}`
+      ].join("\n")
+    });
+    this.runOpenSslCommand({
+      args: [
+        "req",
+        "-new",
+        "-newkey",
+        "rsa:4096",
+        "-sha256",
+        "-nodes",
+        "-keyout",
+        params.client_files.client_key_path,
+        "-out",
+        params.client_files.client_csr_path,
+        "-subj",
+        `/CN=${params.common_name}`
+      ]
+    });
+    const ca_sign_args = [
+      "x509",
+      "-req",
+      "-in",
+      params.client_files.client_csr_path,
+      "-CA",
+      params.ca_cert_file,
+      "-CAkey",
+      params.ca_key_file,
+      "-CAserial",
+      params.ca_serial_path,
+      "-out",
+      params.client_files.client_cert_path,
+      "-days",
+      String(params.valid_days),
+      "-sha256",
+      "-extfile",
+      params.client_files.client_ext_path
+    ];
+    if (!import_node_fs2.default.existsSync(params.ca_serial_path)) {
+      const with_create_serial = [
+        ...ca_sign_args
+      ];
+      with_create_serial.splice(10, 0, "-CAcreateserial");
+      this.runOpenSslCommand({
+        args: with_create_serial
+      });
+    } else {
+      this.runOpenSslCommand({
+        args: ca_sign_args
+      });
+    }
+    import_node_fs2.default.chmodSync(params.client_files.client_key_path, 384);
+    import_node_fs2.default.chmodSync(params.client_files.client_cert_path, 420);
+    import_node_fs2.default.chmodSync(params.client_files.client_ext_path, 384);
+    import_node_fs2.default.chmodSync(params.client_files.client_csr_path, 384);
+  }
+  writeClientReadme(params) {
+    const readme_content = [
+      `Client TLS bundle for: ${params.client_name}`,
+      "",
+      "Files:",
+      "- client.key.pem",
+      "- client.cert.pem",
+      "- ca.cert.pem",
+      "",
+      "Use these with NetworkProcedureCallClient tls_mtls fields."
+    ].join("\n");
+    WriteTextFile({
+      file_path: import_node_path2.default.join(params.client_files.client_dir, "README.txt"),
+      content: `${readme_content}
+`
+    });
+  }
+  createTarPackage(params) {
+    (0, import_node_child_process.execFileSync)("tar", [
+      "-C",
+      params.client_files.client_dir,
+      "-czf",
+      params.client_files.package_path,
+      "."
+    ], {
+      stdio: "ignore"
+    });
+  }
+  runOpenSslCommand(params) {
+    (0, import_node_child_process.execFileSync)("openssl", params.args, {
+      stdio: "ignore"
+    });
+  }
+};
+__name(_ClientTlsPackageGenerator, "ClientTlsPackageGenerator");
+var ClientTlsPackageGenerator = _ClientTlsPackageGenerator;
+
+// src/classes/configfileloader/ConfigFileLoader.class.ts
+var import_node_fs3 = __toESM(require("fs"));
+var import_node_path3 = __toESM(require("path"));
+
+// src/classes/configvalidator/ConfigValidator.class.ts
+var import_zod2 = require("zod");
 var privilege_name_list = [
   "invoke_functions",
   "define_functions",
@@ -1264,104 +1669,104 @@ var tls_min_version_list = [
   "TLSv1.2",
   "TLSv1.3"
 ];
-var worker_runtime_options_schema = import_zod.z.object({
-  call_timeout_ms: import_zod.z.number().int().positive().optional(),
-  control_timeout_ms: import_zod.z.number().int().positive().optional(),
-  start_timeout_ms: import_zod.z.number().int().positive().optional(),
-  stop_timeout_ms: import_zod.z.number().int().positive().optional(),
-  restart_on_failure: import_zod.z.boolean().optional(),
-  max_restarts_per_worker: import_zod.z.number().int().nonnegative().optional(),
-  max_pending_calls_per_worker: import_zod.z.number().int().positive().optional(),
-  restart_base_delay_ms: import_zod.z.number().int().positive().optional(),
-  restart_max_delay_ms: import_zod.z.number().int().positive().optional(),
-  restart_jitter_ms: import_zod.z.number().int().nonnegative().optional()
+var worker_runtime_options_schema = import_zod2.z.object({
+  call_timeout_ms: import_zod2.z.number().int().positive().optional(),
+  control_timeout_ms: import_zod2.z.number().int().positive().optional(),
+  start_timeout_ms: import_zod2.z.number().int().positive().optional(),
+  stop_timeout_ms: import_zod2.z.number().int().positive().optional(),
+  restart_on_failure: import_zod2.z.boolean().optional(),
+  max_restarts_per_worker: import_zod2.z.number().int().nonnegative().optional(),
+  max_pending_calls_per_worker: import_zod2.z.number().int().positive().optional(),
+  restart_base_delay_ms: import_zod2.z.number().int().positive().optional(),
+  restart_max_delay_ms: import_zod2.z.number().int().positive().optional(),
+  restart_jitter_ms: import_zod2.z.number().int().nonnegative().optional()
 }).strict();
-var rate_limiter_schema = import_zod.z.object({
-  enabled: import_zod.z.boolean().optional(),
-  tokens_per_interval: import_zod.z.number().int().positive().optional(),
-  interval_ms: import_zod.z.number().int().positive().optional(),
-  burst_tokens: import_zod.z.number().int().positive().optional(),
-  disconnect_on_limit: import_zod.z.boolean().optional()
+var rate_limiter_schema = import_zod2.z.object({
+  enabled: import_zod2.z.boolean().optional(),
+  tokens_per_interval: import_zod2.z.number().int().positive().optional(),
+  interval_ms: import_zod2.z.number().int().positive().optional(),
+  burst_tokens: import_zod2.z.number().int().positive().optional(),
+  disconnect_on_limit: import_zod2.z.boolean().optional()
 }).strict();
-var abuse_controls_schema = import_zod.z.object({
-  connection_controls: import_zod.z.object({
-    max_concurrent_sockets: import_zod.z.number().int().positive().optional(),
-    max_concurrent_handshakes: import_zod.z.number().int().positive().optional(),
-    max_unauthenticated_sessions: import_zod.z.number().int().positive().optional(),
-    global_connection_window_ms: import_zod.z.number().int().positive().optional(),
-    global_max_new_connections_per_window: import_zod.z.number().int().positive().optional(),
-    per_ip_max_new_connections_per_window: import_zod.z.number().int().positive().optional(),
-    tls_handshake_timeout_ms: import_zod.z.number().int().positive().optional(),
-    auth_message_timeout_ms: import_zod.z.number().int().positive().optional(),
-    max_pre_auth_frame_bytes: import_zod.z.number().int().positive().optional(),
-    max_post_auth_frame_bytes: import_zod.z.number().int().positive().optional()
+var abuse_controls_schema = import_zod2.z.object({
+  connection_controls: import_zod2.z.object({
+    max_concurrent_sockets: import_zod2.z.number().int().positive().optional(),
+    max_concurrent_handshakes: import_zod2.z.number().int().positive().optional(),
+    max_unauthenticated_sessions: import_zod2.z.number().int().positive().optional(),
+    global_connection_window_ms: import_zod2.z.number().int().positive().optional(),
+    global_max_new_connections_per_window: import_zod2.z.number().int().positive().optional(),
+    per_ip_max_new_connections_per_window: import_zod2.z.number().int().positive().optional(),
+    tls_handshake_timeout_ms: import_zod2.z.number().int().positive().optional(),
+    auth_message_timeout_ms: import_zod2.z.number().int().positive().optional(),
+    max_pre_auth_frame_bytes: import_zod2.z.number().int().positive().optional(),
+    max_post_auth_frame_bytes: import_zod2.z.number().int().positive().optional()
   }).strict().optional(),
-  auth_controls: import_zod.z.object({
-    pending_auth_window_ms: import_zod.z.number().int().positive().optional(),
-    max_pending_auth_attempts_per_ip_per_window: import_zod.z.number().int().positive().optional(),
-    failed_auth_window_ms: import_zod.z.number().int().positive().optional(),
-    max_failed_auth_per_ip_per_window: import_zod.z.number().int().positive().optional(),
-    max_failed_auth_per_api_key_per_window: import_zod.z.number().int().positive().optional(),
-    block_duration_ms: import_zod.z.number().int().positive().optional(),
-    enable_blocklist: import_zod.z.boolean().optional()
+  auth_controls: import_zod2.z.object({
+    pending_auth_window_ms: import_zod2.z.number().int().positive().optional(),
+    max_pending_auth_attempts_per_ip_per_window: import_zod2.z.number().int().positive().optional(),
+    failed_auth_window_ms: import_zod2.z.number().int().positive().optional(),
+    max_failed_auth_per_ip_per_window: import_zod2.z.number().int().positive().optional(),
+    max_failed_auth_per_api_key_per_window: import_zod2.z.number().int().positive().optional(),
+    block_duration_ms: import_zod2.z.number().int().positive().optional(),
+    enable_blocklist: import_zod2.z.boolean().optional()
   }).strict().optional(),
-  request_controls: import_zod.z.object({
-    max_in_flight_requests_per_connection: import_zod.z.number().int().positive().optional(),
+  request_controls: import_zod2.z.object({
+    max_in_flight_requests_per_connection: import_zod2.z.number().int().positive().optional(),
     per_connection: rate_limiter_schema.optional(),
     per_api_key: rate_limiter_schema.optional(),
     per_ip: rate_limiter_schema.optional()
   }).strict().optional(),
-  observability: import_zod.z.object({
-    enable_console_log: import_zod.z.boolean().optional()
+  observability: import_zod2.z.object({
+    enable_console_log: import_zod2.z.boolean().optional()
   }).strict().optional()
 }).strict();
-var daemon_server_config_schema = import_zod.z.object({
-  information: import_zod.z.object({
-    server_name: import_zod.z.string().min(1)
+var daemon_server_config_schema = import_zod2.z.object({
+  information: import_zod2.z.object({
+    server_name: import_zod2.z.string().min(1)
   }).strict(),
-  network: import_zod.z.object({
-    bind_addr: import_zod.z.string().min(1),
-    tcp_listen_port: import_zod.z.number().int().positive().max(65535)
+  network: import_zod2.z.object({
+    bind_addr: import_zod2.z.string().min(1),
+    tcp_listen_port: import_zod2.z.number().int().positive().max(65535)
   }).strict(),
-  tls_mtls: import_zod.z.object({
-    key_file: import_zod.z.string().min(1),
-    cert_file: import_zod.z.string().min(1),
-    ca_file: import_zod.z.string().min(1),
-    crl_file: import_zod.z.string().min(1).optional(),
-    min_version: import_zod.z.enum(tls_min_version_list).optional(),
-    cipher_suites: import_zod.z.string().min(1).optional(),
-    handshake_timeout_ms: import_zod.z.number().int().positive().optional(),
-    request_timeout_ms: import_zod.z.number().int().positive().optional(),
-    max_frame_bytes: import_zod.z.number().int().positive().optional()
+  tls_mtls: import_zod2.z.object({
+    key_file: import_zod2.z.string().min(1),
+    cert_file: import_zod2.z.string().min(1),
+    ca_file: import_zod2.z.string().min(1),
+    crl_file: import_zod2.z.string().min(1).optional(),
+    min_version: import_zod2.z.enum(tls_min_version_list).optional(),
+    cipher_suites: import_zod2.z.string().min(1).optional(),
+    handshake_timeout_ms: import_zod2.z.number().int().positive().optional(),
+    request_timeout_ms: import_zod2.z.number().int().positive().optional(),
+    max_frame_bytes: import_zod2.z.number().int().positive().optional()
   }).strict(),
-  workerprocedurecall: import_zod.z.object({
-    count: import_zod.z.number().int().positive(),
+  workerprocedurecall: import_zod2.z.object({
+    count: import_zod2.z.number().int().positive(),
     constructor_options: worker_runtime_options_schema.optional(),
     start_options: worker_runtime_options_schema.optional()
   }).strict(),
   abuse_controls: abuse_controls_schema.optional(),
-  observability: import_zod.z.object({
-    enable_console_log: import_zod.z.boolean().optional(),
-    log_worker_events: import_zod.z.boolean().optional(),
-    metrics_log_interval_ms: import_zod.z.number().int().positive().optional()
+  observability: import_zod2.z.object({
+    enable_console_log: import_zod2.z.boolean().optional(),
+    log_worker_events: import_zod2.z.boolean().optional(),
+    metrics_log_interval_ms: import_zod2.z.number().int().positive().optional()
   }).strict().optional()
 }).strict();
-var daemon_api_key_config_schema = import_zod.z.object({
-  api_keys: import_zod.z.array(import_zod.z.object({
-    key_id: import_zod.z.string().min(1),
-    api_key: import_zod.z.string().min(1),
-    privileges: import_zod.z.array(import_zod.z.enum(privilege_name_list)).min(1),
-    enabled: import_zod.z.boolean().optional(),
-    identity_constraints: import_zod.z.object({
-      remote_address_regex: import_zod.z.string().min(1).optional(),
-      tls_peer_subject_regex: import_zod.z.string().min(1).optional(),
-      tls_peer_san_regex: import_zod.z.string().min(1).optional(),
-      tls_peer_fingerprint256_regex: import_zod.z.string().min(1).optional(),
-      tls_peer_serial_number_regex: import_zod.z.string().min(1).optional()
+var daemon_api_key_config_schema = import_zod2.z.object({
+  api_keys: import_zod2.z.array(import_zod2.z.object({
+    key_id: import_zod2.z.string().min(1),
+    api_key: import_zod2.z.string().min(1),
+    privileges: import_zod2.z.array(import_zod2.z.enum(privilege_name_list)).min(1),
+    enabled: import_zod2.z.boolean().optional(),
+    identity_constraints: import_zod2.z.object({
+      remote_address_regex: import_zod2.z.string().min(1).optional(),
+      tls_peer_subject_regex: import_zod2.z.string().min(1).optional(),
+      tls_peer_san_regex: import_zod2.z.string().min(1).optional(),
+      tls_peer_fingerprint256_regex: import_zod2.z.string().min(1).optional(),
+      tls_peer_serial_number_regex: import_zod2.z.string().min(1).optional()
     }).strict().optional()
   }).strict()).min(1)
 }).strict();
-function BuildZodErrorMessage(params) {
+function BuildZodErrorMessage2(params) {
   const message_lines = params.error.issues.map((issue) => {
     const issue_path = issue.path.length > 0 ? issue.path.join(".") : "<root>";
     return `${issue_path}: ${issue.message}`;
@@ -1369,7 +1774,7 @@ function BuildZodErrorMessage(params) {
   return `${params.prefix}
 ${message_lines.join("\n")}`;
 }
-__name(BuildZodErrorMessage, "BuildZodErrorMessage");
+__name(BuildZodErrorMessage2, "BuildZodErrorMessage");
 function CompileRegex(params) {
   try {
     return new RegExp(params.source);
@@ -1383,7 +1788,7 @@ var _ConfigValidator = class _ConfigValidator {
   validateServerConfig(params) {
     const parse_result = daemon_server_config_schema.safeParse(params.server_config_raw);
     if (!parse_result.success) {
-      throw new Error(BuildZodErrorMessage({
+      throw new Error(BuildZodErrorMessage2({
         prefix: "Invalid server config.",
         error: parse_result.error
       }));
@@ -1393,7 +1798,7 @@ var _ConfigValidator = class _ConfigValidator {
   validateApiKeysConfig(params) {
     const parse_result = daemon_api_key_config_schema.safeParse(params.api_keys_config_raw);
     if (!parse_result.success) {
-      throw new Error(BuildZodErrorMessage({
+      throw new Error(BuildZodErrorMessage2({
         prefix: "Invalid api-keys config.",
         error: parse_result.error
       }));
@@ -1486,20 +1891,20 @@ var ConfigValidator = _ConfigValidator;
 // src/classes/configfileloader/ConfigFileLoader.class.ts
 function ReadUtf8File(params) {
   try {
-    return import_node_fs.default.readFileSync(params.file_path, "utf8");
+    return import_node_fs3.default.readFileSync(params.file_path, "utf8");
   } catch (error) {
     const error_message = error instanceof Error ? error.message : String(error);
     throw new Error(`Unable to read file "${params.file_path}": ${error_message}`);
   }
 }
 __name(ReadUtf8File, "ReadUtf8File");
-function ResolvePath(params) {
-  if (import_node_path.default.isAbsolute(params.file_path)) {
+function ResolvePath2(params) {
+  if (import_node_path3.default.isAbsolute(params.file_path)) {
     return params.file_path;
   }
-  return import_node_path.default.resolve(params.base_dir, params.file_path);
+  return import_node_path3.default.resolve(params.base_dir, params.file_path);
 }
-__name(ResolvePath, "ResolvePath");
+__name(ResolvePath2, "ResolvePath");
 function ParseJson5(params) {
   try {
     return dist_default.parse(params.content);
@@ -1515,11 +1920,11 @@ var _ConfigFileLoader = class _ConfigFileLoader {
     this.config_validator = params?.config_validator ?? new ConfigValidator();
   }
   loadDaemonConfig(params) {
-    const server_config_path = ResolvePath({
+    const server_config_path = ResolvePath2({
       file_path: params.config_paths.server_config_path,
       base_dir: process.cwd()
     });
-    const api_keys_config_path = ResolvePath({
+    const api_keys_config_path = ResolvePath2({
       file_path: params.config_paths.api_keys_config_path,
       base_dir: process.cwd()
     });
@@ -1537,7 +1942,7 @@ var _ConfigFileLoader = class _ConfigFileLoader {
     });
     const runtime_tls_mtls = this.resolveTlsMaterial({
       tls_file_config: server_config.tls_mtls,
-      config_file_dir: import_node_path.default.dirname(server_config_path)
+      config_file_dir: import_node_path3.default.dirname(server_config_path)
     });
     const runtime_api_keys = this.config_validator.toRuntimeApiKeysConfig({
       api_keys_config
@@ -1595,7 +2000,7 @@ var _ConfigFileLoader = class _ConfigFileLoader {
     };
   }
   readPemFile(params) {
-    const absolute_file_path = ResolvePath({
+    const absolute_file_path = ResolvePath2({
       file_path: params.pem_path,
       base_dir: params.config_file_dir
     });
@@ -1616,11 +2021,13 @@ var ConfigFileLoader = _ConfigFileLoader;
 var default_server_config_path = "./config/server.config.json5";
 var default_api_keys_config_path = "./config/api_keys.config.json5";
 var default_config_output_dir = "./config";
+var default_tls_config_file_path = "./config/tls_generation.config.json5";
+var default_client_tls_config_file_path = "./config/client_tls_packages.config.json5";
 var default_tls_output_dir = "./config/certs";
 var default_ca_common_name = "nodenetproccalld-local-ca";
 var default_server_common_name = "localhost";
 var default_client_common_name = "nodenetproccalld-client";
-var default_tls_valid_days = 825;
+var default_tls_valid_days = 36500;
 var _DaemonCli = class _DaemonCli {
   parseOptions() {
     const options = {
@@ -1632,14 +2039,36 @@ var _DaemonCli = class _DaemonCli {
         output_dir: default_config_output_dir,
         overwrite: false
       },
+      default_tls_config_generation: {
+        enabled: false,
+        output_file_path: default_tls_config_file_path,
+        overwrite: false
+      },
+      default_client_tls_config_generation: {
+        enabled: false,
+        output_file_path: default_client_tls_config_file_path,
+        overwrite: false
+      },
       tls_generation: {
         enabled: false,
+        config_file_path: void 0,
         output_dir: default_tls_output_dir,
         overwrite: false,
         ca_common_name: default_ca_common_name,
         server_common_name: default_server_common_name,
         client_common_name: default_client_common_name,
+        server_dns_sans: [
+          "localhost"
+        ],
+        server_ip_sans: [
+          "127.0.0.1"
+        ],
+        client_uri_san: void 0,
         valid_days: default_tls_valid_days
+      },
+      client_tls_package_generation: {
+        enabled: false,
+        config_file_path: default_client_tls_config_file_path
       }
     };
     const argv = process.argv.slice(2);
@@ -1688,6 +2117,62 @@ var _DaemonCli = class _DaemonCli {
         options.tls_generation.enabled = true;
         continue;
       }
+      if (token2 === "--tls-generation-config") {
+        const next_value = argv[index + 1];
+        if (!next_value) {
+          throw new Error("Missing value for --tls-generation-config");
+        }
+        options.tls_generation.config_file_path = next_value;
+        index += 1;
+        continue;
+      }
+      if (token2 === "--generate-default-tls-config") {
+        options.default_tls_config_generation.enabled = true;
+        continue;
+      }
+      if (token2 === "--default-tls-config-file") {
+        const next_value = argv[index + 1];
+        if (!next_value) {
+          throw new Error("Missing value for --default-tls-config-file");
+        }
+        options.default_tls_config_generation.output_file_path = next_value;
+        index += 1;
+        continue;
+      }
+      if (token2 === "--default-tls-config-overwrite") {
+        options.default_tls_config_generation.overwrite = true;
+        continue;
+      }
+      if (token2 === "--generate-default-client-tls-config") {
+        options.default_client_tls_config_generation.enabled = true;
+        continue;
+      }
+      if (token2 === "--default-client-tls-config-file") {
+        const next_value = argv[index + 1];
+        if (!next_value) {
+          throw new Error("Missing value for --default-client-tls-config-file");
+        }
+        options.default_client_tls_config_generation.output_file_path = next_value;
+        index += 1;
+        continue;
+      }
+      if (token2 === "--default-client-tls-config-overwrite") {
+        options.default_client_tls_config_generation.overwrite = true;
+        continue;
+      }
+      if (token2 === "--generate-client-tls-packages") {
+        options.client_tls_package_generation.enabled = true;
+        continue;
+      }
+      if (token2 === "--client-tls-generation-config") {
+        const next_value = argv[index + 1];
+        if (!next_value) {
+          throw new Error("Missing value for --client-tls-generation-config");
+        }
+        options.client_tls_package_generation.config_file_path = next_value;
+        index += 1;
+        continue;
+      }
       if (token2 === "--tls-output-dir") {
         const next_value = argv[index + 1];
         if (!next_value) {
@@ -1762,7 +2247,28 @@ var _DaemonCli = class _DaemonCli {
       "                              Output directory for server/api-key config files.",
       "                              Default: ./config",
       "  --default-config-overwrite  Overwrite existing default config files.",
+      "  --generate-default-tls-config",
+      "                              Generate a default TLS-generation JSON5 config and exit.",
+      "  --default-tls-config-file <path>",
+      "                              Output path for default TLS-generation config.",
+      "                              Default: ./config/tls_generation.config.json5",
+      "  --default-tls-config-overwrite",
+      "                              Overwrite existing TLS-generation config file.",
+      "  --generate-default-client-tls-config",
+      "                              Generate a default client TLS package JSON5 config and exit.",
+      "  --default-client-tls-config-file <path>",
+      "                              Output path for default client TLS package config.",
+      "                              Default: ./config/client_tls_packages.config.json5",
+      "  --default-client-tls-config-overwrite",
+      "                              Overwrite existing client TLS package config file.",
       "  --generate-tls-material     Generate CA/server/client TLS material and exit.",
+      "  --tls-generation-config <path>",
+      "                              Load TLS-generation options from JSON5 file.",
+      "  --generate-client-tls-packages",
+      "                              Generate client cert/key packages from JSON5 config.",
+      "  --client-tls-generation-config <path>",
+      "                              Path to client TLS package generation JSON5 config.",
+      "                              Default: ./config/client_tls_packages.config.json5",
       "  --tls-output-dir <path>     Output directory for generated TLS files.",
       "                              Default: ./config/certs",
       "  --tls-overwrite             Overwrite existing TLS files in output dir.",
@@ -1773,7 +2279,7 @@ var _DaemonCli = class _DaemonCli {
       "  --tls-client-cn <value>     Client certificate common name.",
       "                              Default: nodenetproccalld-client",
       "  --tls-valid-days <number>   Certificate validity in days.",
-      "                              Default: 825",
+      "                              Default: 36500",
       "  -h, --help                  Show this help message."
     ].join("\n");
     console.log(help_text);
@@ -2103,9 +2609,61 @@ var _DaemonProcess = class _DaemonProcess {
 __name(_DaemonProcess, "DaemonProcess");
 var DaemonProcess = _DaemonProcess;
 
+// src/classes/defaultclienttlsgenerationconfiggenerator/DefaultClientTlsGenerationConfigGenerator.class.ts
+var import_node_fs4 = __toESM(require("fs"));
+var import_node_path4 = __toESM(require("path"));
+var default_client_tls_generation_config_template = `{
+  // Existing CA files used to sign client certificates.
+  // Paths are resolved relative to this config file.
+  ca_key_file: './certs/ca.key.pem',
+  ca_cert_file: './certs/ca.cert.pem',
+
+  // Where client cert bundles will be written.
+  output_dir: './client_certs',
+
+  // Set true to replace existing client bundles.
+  overwrite: false,
+
+  // Default validity period for generated client certs.
+  default_valid_days: 36500,
+
+  clients: [
+    {
+      client_name: 'your_client_name_here',
+      common_name: 'your_client_name_here',
+      uri_san: 'spiffe://nodenetproccalld/your_client_name_here',
+      package_name: 'your_client_name_here_bundle'
+    },
+    {
+      client_name: 'localhost',
+      common_name: 'localhost',
+      uri_san: 'spiffe://nodenetproccalld/localhost',
+      package_name: 'localhost_bundle'
+    }
+  ]
+}
+`;
+var _DefaultClientTlsGenerationConfigGenerator = class _DefaultClientTlsGenerationConfigGenerator {
+  generateDefaultClientTlsGenerationConfig(params) {
+    const output_file_path = import_node_path4.default.resolve(process.cwd(), params.default_client_tls_config_generation_options.output_file_path);
+    if (!params.default_client_tls_config_generation_options.overwrite && import_node_fs4.default.existsSync(output_file_path)) {
+      throw new Error(`Refusing to overwrite existing client TLS config "${output_file_path}". Use --default-client-tls-config-overwrite to replace it.`);
+    }
+    import_node_fs4.default.mkdirSync(import_node_path4.default.dirname(output_file_path), {
+      recursive: true
+    });
+    import_node_fs4.default.writeFileSync(output_file_path, default_client_tls_generation_config_template, "utf8");
+    return {
+      output_file_path
+    };
+  }
+};
+__name(_DefaultClientTlsGenerationConfigGenerator, "DefaultClientTlsGenerationConfigGenerator");
+var DefaultClientTlsGenerationConfigGenerator = _DefaultClientTlsGenerationConfigGenerator;
+
 // src/classes/defaultconfiggenerator/DefaultConfigGenerator.class.ts
-var import_node_fs2 = __toESM(require("fs"));
-var import_node_path2 = __toESM(require("path"));
+var import_node_fs5 = __toESM(require("fs"));
+var import_node_path5 = __toESM(require("path"));
 var default_server_config_template = `{
   // Friendly name that clients can use in their own config maps.
   information: {
@@ -2209,28 +2767,28 @@ var default_api_keys_config_template = `{
 }
 `;
 function EnsureParentDirectory(params) {
-  import_node_fs2.default.mkdirSync(import_node_path2.default.dirname(params.file_path), {
+  import_node_fs5.default.mkdirSync(import_node_path5.default.dirname(params.file_path), {
     recursive: true
   });
 }
 __name(EnsureParentDirectory, "EnsureParentDirectory");
 function WriteFileIfAllowed(params) {
-  if (!params.overwrite && import_node_fs2.default.existsSync(params.file_path)) {
+  if (!params.overwrite && import_node_fs5.default.existsSync(params.file_path)) {
     throw new Error(`Refusing to overwrite existing config "${params.file_path}". Use --default-config-overwrite to replace it.`);
   }
   EnsureParentDirectory({
     file_path: params.file_path
   });
-  import_node_fs2.default.writeFileSync(params.file_path, params.content, "utf8");
+  import_node_fs5.default.writeFileSync(params.file_path, params.content, "utf8");
 }
 __name(WriteFileIfAllowed, "WriteFileIfAllowed");
 var _DefaultConfigGenerator = class _DefaultConfigGenerator {
   generateDefaultConfig(params) {
     const options = params.default_config_generation_options;
-    const output_dir = import_node_path2.default.resolve(process.cwd(), options.output_dir);
-    const server_config_path = import_node_path2.default.join(output_dir, "server.config.json5");
-    const api_keys_config_path = import_node_path2.default.join(output_dir, "api_keys.config.json5");
-    import_node_fs2.default.mkdirSync(output_dir, {
+    const output_dir = import_node_path5.default.resolve(process.cwd(), options.output_dir);
+    const server_config_path = import_node_path5.default.join(output_dir, "server.config.json5");
+    const api_keys_config_path = import_node_path5.default.join(output_dir, "api_keys.config.json5");
+    import_node_fs5.default.mkdirSync(output_dir, {
       recursive: true
     });
     WriteFileIfAllowed({
@@ -2253,10 +2811,117 @@ var _DefaultConfigGenerator = class _DefaultConfigGenerator {
 __name(_DefaultConfigGenerator, "DefaultConfigGenerator");
 var DefaultConfigGenerator = _DefaultConfigGenerator;
 
+// src/classes/defaulttlsgenerationconfiggenerator/DefaultTlsGenerationConfigGenerator.class.ts
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_path6 = __toESM(require("path"));
+var default_tls_generation_config_template = `{
+  // Where generated CA/server/client cert + key files should be written.
+  output_dir: './config/certs',
+
+  // Set true to replace existing files in output_dir.
+  overwrite: false,
+
+  // X.509 subject common names.
+  ca_common_name: 'nodenetproccalld-local-ca',
+  server_common_name: 'your_server_name_here',
+  client_common_name: 'nodenetproccalld-client',
+
+  // Server certificate SAN entries used by hostname validation.
+  // Add the DNS names and IPs clients will actually connect to.
+  server_dns_sans: ['your_server_name_here', 'localhost'],
+  server_ip_sans: ['127.0.0.1'],
+
+  // Optional explicit client URI SAN; when omitted, generator derives one from client_common_name.
+  // client_uri_san: 'spiffe://nodenetproccalld/client',
+
+  // Certificate validity period.
+  valid_days: 36500
+}
+`;
+var _DefaultTlsGenerationConfigGenerator = class _DefaultTlsGenerationConfigGenerator {
+  generateDefaultTlsGenerationConfig(params) {
+    const output_file_path = import_node_path6.default.resolve(process.cwd(), params.default_tls_config_generation_options.output_file_path);
+    if (!params.default_tls_config_generation_options.overwrite && import_node_fs6.default.existsSync(output_file_path)) {
+      throw new Error(`Refusing to overwrite existing TLS generation config "${output_file_path}". Use --default-tls-config-overwrite to replace it.`);
+    }
+    import_node_fs6.default.mkdirSync(import_node_path6.default.dirname(output_file_path), {
+      recursive: true
+    });
+    import_node_fs6.default.writeFileSync(output_file_path, default_tls_generation_config_template, "utf8");
+    return {
+      output_file_path
+    };
+  }
+};
+__name(_DefaultTlsGenerationConfigGenerator, "DefaultTlsGenerationConfigGenerator");
+var DefaultTlsGenerationConfigGenerator = _DefaultTlsGenerationConfigGenerator;
+
+// src/classes/tlsgenerationconfigfileloader/TlsGenerationConfigFileLoader.class.ts
+var import_node_fs7 = __toESM(require("fs"));
+var import_node_path7 = __toESM(require("path"));
+var import_zod3 = require("zod");
+var tls_generation_config_schema = import_zod3.z.object({
+  output_dir: import_zod3.z.string().min(1).optional(),
+  overwrite: import_zod3.z.boolean().optional(),
+  ca_common_name: import_zod3.z.string().min(1).optional(),
+  server_common_name: import_zod3.z.string().min(1).optional(),
+  client_common_name: import_zod3.z.string().min(1).optional(),
+  server_dns_sans: import_zod3.z.array(import_zod3.z.string().min(1)).optional(),
+  server_ip_sans: import_zod3.z.array(import_zod3.z.string().min(1)).optional(),
+  client_uri_san: import_zod3.z.string().min(1).optional(),
+  valid_days: import_zod3.z.number().int().positive().optional()
+}).strict();
+function ParseJson5File2(params) {
+  const absolute_file_path = import_node_path7.default.resolve(process.cwd(), params.file_path);
+  let file_content;
+  try {
+    file_content = import_node_fs7.default.readFileSync(absolute_file_path, "utf8");
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Unable to read TLS generation config file "${absolute_file_path}": ${error_message}`);
+  }
+  try {
+    return dist_default.parse(file_content);
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Invalid JSON5 in TLS generation config "${absolute_file_path}": ${error_message}`);
+  }
+}
+__name(ParseJson5File2, "ParseJson5File");
+function BuildZodErrorMessage3(params) {
+  const lines = params.error.issues.map((issue) => {
+    const issue_path = issue.path.length > 0 ? issue.path.join(".") : "<root>";
+    return `${issue_path}: ${issue.message}`;
+  });
+  return `Invalid TLS generation config file.
+${lines.join("\n")}`;
+}
+__name(BuildZodErrorMessage3, "BuildZodErrorMessage");
+var _TlsGenerationConfigFileLoader = class _TlsGenerationConfigFileLoader {
+  loadTlsGenerationOptions(params) {
+    const config_raw = ParseJson5File2({
+      file_path: params.config_file_path
+    });
+    const parse_result = tls_generation_config_schema.safeParse(config_raw);
+    if (!parse_result.success) {
+      throw new Error(BuildZodErrorMessage3({
+        error: parse_result.error
+      }));
+    }
+    const config_from_file = parse_result.data;
+    return {
+      ...params.fallback_options,
+      ...config_from_file
+    };
+  }
+};
+__name(_TlsGenerationConfigFileLoader, "TlsGenerationConfigFileLoader");
+var TlsGenerationConfigFileLoader = _TlsGenerationConfigFileLoader;
+
 // src/classes/tlsmaterialgenerator/TlsMaterialGenerator.class.ts
-var import_node_child_process = require("child_process");
-var import_node_fs3 = __toESM(require("fs"));
-var import_node_path3 = __toESM(require("path"));
+var import_node_child_process2 = require("child_process");
+var import_node_fs8 = __toESM(require("fs"));
+var import_node_path8 = __toESM(require("path"));
 function EnsurePositiveInteger(params) {
   if (!Number.isInteger(params.value) || params.value <= 0) {
     throw new Error(`${params.label} must be a positive integer.`);
@@ -2264,15 +2929,35 @@ function EnsurePositiveInteger(params) {
 }
 __name(EnsurePositiveInteger, "EnsurePositiveInteger");
 function MakeDirRecursive(params) {
-  import_node_fs3.default.mkdirSync(params.dir_path, {
+  import_node_fs8.default.mkdirSync(params.dir_path, {
     recursive: true
   });
 }
 __name(MakeDirRecursive, "MakeDirRecursive");
-function WriteTextFile(params) {
-  import_node_fs3.default.writeFileSync(params.file_path, params.content, "utf8");
+function WriteTextFile2(params) {
+  import_node_fs8.default.writeFileSync(params.file_path, params.content, "utf8");
 }
-__name(WriteTextFile, "WriteTextFile");
+__name(WriteTextFile2, "WriteTextFile");
+function BuildServerSubjectAltNameLine(params) {
+  const san_entries = [];
+  for (const dns_name of params.server_dns_sans) {
+    if (dns_name.trim().length === 0) {
+      continue;
+    }
+    san_entries.push(`DNS:${dns_name.trim()}`);
+  }
+  for (const ip_addr of params.server_ip_sans) {
+    if (ip_addr.trim().length === 0) {
+      continue;
+    }
+    san_entries.push(`IP:${ip_addr.trim()}`);
+  }
+  if (san_entries.length === 0) {
+    throw new Error("TLS generation requires at least one SAN entry. Provide server_dns_sans or server_ip_sans.");
+  }
+  return `subjectAltName=${san_entries.join(",")}`;
+}
+__name(BuildServerSubjectAltNameLine, "BuildServerSubjectAltNameLine");
 var _TlsMaterialGenerator = class _TlsMaterialGenerator {
   generateTlsMaterial(params) {
     const options = params.tls_generation_options;
@@ -2280,7 +2965,7 @@ var _TlsMaterialGenerator = class _TlsMaterialGenerator {
       value: options.valid_days,
       label: "tls_generation.valid_days"
     });
-    const output_dir = import_node_path3.default.resolve(process.cwd(), options.output_dir);
+    const output_dir = import_node_path8.default.resolve(process.cwd(), options.output_dir);
     MakeDirRecursive({
       dir_path: output_dir
     });
@@ -2301,12 +2986,15 @@ var _TlsMaterialGenerator = class _TlsMaterialGenerator {
       this.generateServerCertificate({
         tls_files,
         valid_days: options.valid_days,
-        server_common_name: options.server_common_name
+        server_common_name: options.server_common_name,
+        server_dns_sans: options.server_dns_sans,
+        server_ip_sans: options.server_ip_sans
       });
       this.generateClientCertificate({
         tls_files,
         valid_days: options.valid_days,
-        client_common_name: options.client_common_name
+        client_common_name: options.client_common_name,
+        client_uri_san: options.client_uri_san
       });
       this.cleanupIntermediateFiles({
         tls_files
@@ -2328,7 +3016,7 @@ var _TlsMaterialGenerator = class _TlsMaterialGenerator {
   }
   assertOpenSslAvailable() {
     try {
-      (0, import_node_child_process.execFileSync)("openssl", [
+      (0, import_node_child_process2.execFileSync)("openssl", [
         "version"
       ], {
         stdio: "ignore"
@@ -2339,17 +3027,17 @@ var _TlsMaterialGenerator = class _TlsMaterialGenerator {
   }
   buildTlsFileMap(params) {
     return {
-      ca_key_path: import_node_path3.default.join(params.output_dir, "ca.key.pem"),
-      ca_cert_path: import_node_path3.default.join(params.output_dir, "ca.cert.pem"),
-      server_key_path: import_node_path3.default.join(params.output_dir, "server.key.pem"),
-      server_csr_path: import_node_path3.default.join(params.output_dir, "server.csr.pem"),
-      server_cert_path: import_node_path3.default.join(params.output_dir, "server.cert.pem"),
-      server_ext_path: import_node_path3.default.join(params.output_dir, "server.ext"),
-      client_key_path: import_node_path3.default.join(params.output_dir, "client.key.pem"),
-      client_csr_path: import_node_path3.default.join(params.output_dir, "client.csr.pem"),
-      client_cert_path: import_node_path3.default.join(params.output_dir, "client.cert.pem"),
-      client_ext_path: import_node_path3.default.join(params.output_dir, "client.ext"),
-      ca_serial_path: import_node_path3.default.join(params.output_dir, "ca.cert.srl")
+      ca_key_path: import_node_path8.default.join(params.output_dir, "ca.key.pem"),
+      ca_cert_path: import_node_path8.default.join(params.output_dir, "ca.cert.pem"),
+      server_key_path: import_node_path8.default.join(params.output_dir, "server.key.pem"),
+      server_csr_path: import_node_path8.default.join(params.output_dir, "server.csr.pem"),
+      server_cert_path: import_node_path8.default.join(params.output_dir, "server.cert.pem"),
+      server_ext_path: import_node_path8.default.join(params.output_dir, "server.ext"),
+      client_key_path: import_node_path8.default.join(params.output_dir, "client.key.pem"),
+      client_csr_path: import_node_path8.default.join(params.output_dir, "client.csr.pem"),
+      client_cert_path: import_node_path8.default.join(params.output_dir, "client.cert.pem"),
+      client_ext_path: import_node_path8.default.join(params.output_dir, "client.ext"),
+      ca_serial_path: import_node_path8.default.join(params.output_dir, "ca.cert.srl")
     };
   }
   assertTargetFilesAreWritable(params) {
@@ -2363,18 +3051,18 @@ var _TlsMaterialGenerator = class _TlsMaterialGenerator {
     ];
     if (!params.overwrite) {
       for (const target_path of target_paths) {
-        if (import_node_fs3.default.existsSync(target_path)) {
+        if (import_node_fs8.default.existsSync(target_path)) {
           throw new Error(`Refusing to overwrite existing file "${target_path}". Use --tls-overwrite to replace existing material.`);
         }
       }
       return;
     }
     for (const target_path of target_paths) {
-      import_node_fs3.default.rmSync(target_path, {
+      import_node_fs8.default.rmSync(target_path, {
         force: true
       });
     }
-    import_node_fs3.default.rmSync(params.tls_files.ca_serial_path, {
+    import_node_fs8.default.rmSync(params.tls_files.ca_serial_path, {
       force: true
     });
   }
@@ -2399,10 +3087,13 @@ var _TlsMaterialGenerator = class _TlsMaterialGenerator {
     });
   }
   generateServerCertificate(params) {
-    WriteTextFile({
+    WriteTextFile2({
       file_path: params.tls_files.server_ext_path,
       content: [
-        "subjectAltName=DNS:localhost,IP:127.0.0.1",
+        BuildServerSubjectAltNameLine({
+          server_dns_sans: params.server_dns_sans,
+          server_ip_sans: params.server_ip_sans
+        }),
         "extendedKeyUsage=serverAuth",
         "keyUsage=digitalSignature,keyEncipherment"
       ].join("\n")
@@ -2447,8 +3138,8 @@ var _TlsMaterialGenerator = class _TlsMaterialGenerator {
     });
   }
   generateClientCertificate(params) {
-    const client_uri = `spiffe://nodenetproccalld/${params.client_common_name.replace(/[^a-zA-Z0-9_.-]/g, "_").toLowerCase()}`;
-    WriteTextFile({
+    const client_uri = params.client_uri_san ?? `spiffe://nodenetproccalld/${params.client_common_name.replace(/[^a-zA-Z0-9_.-]/g, "_").toLowerCase()}`;
+    WriteTextFile2({
       file_path: params.tls_files.client_ext_path,
       content: [
         "extendedKeyUsage=clientAuth",
@@ -2495,24 +3186,24 @@ var _TlsMaterialGenerator = class _TlsMaterialGenerator {
     });
   }
   cleanupIntermediateFiles(params) {
-    import_node_fs3.default.rmSync(params.tls_files.server_csr_path, {
+    import_node_fs8.default.rmSync(params.tls_files.server_csr_path, {
       force: true
     });
-    import_node_fs3.default.rmSync(params.tls_files.client_csr_path, {
+    import_node_fs8.default.rmSync(params.tls_files.client_csr_path, {
       force: true
     });
-    import_node_fs3.default.rmSync(params.tls_files.server_ext_path, {
+    import_node_fs8.default.rmSync(params.tls_files.server_ext_path, {
       force: true
     });
-    import_node_fs3.default.rmSync(params.tls_files.client_ext_path, {
+    import_node_fs8.default.rmSync(params.tls_files.client_ext_path, {
       force: true
     });
-    import_node_fs3.default.rmSync(params.tls_files.ca_serial_path, {
+    import_node_fs8.default.rmSync(params.tls_files.ca_serial_path, {
       force: true
     });
   }
   runOpenSslCommand(params) {
-    (0, import_node_child_process.execFileSync)("openssl", params.args, {
+    (0, import_node_child_process2.execFileSync)("openssl", params.args, {
       stdio: "ignore"
     });
   }
@@ -2545,10 +3236,36 @@ async function StartDaemonFromCli() {
     console.log(`API keys config: ${generated_default_config.api_keys_config_path}`);
     return;
   }
+  if (cli_options.default_tls_config_generation.enabled) {
+    const default_tls_generation_config_generator = new DefaultTlsGenerationConfigGenerator();
+    const generated_default_tls_config = default_tls_generation_config_generator.generateDefaultTlsGenerationConfig({
+      default_tls_config_generation_options: cli_options.default_tls_config_generation
+    });
+    console.log("Default TLS-generation config generated successfully.");
+    console.log(`TLS-generation config: ${generated_default_tls_config.output_file_path}`);
+    return;
+  }
+  if (cli_options.default_client_tls_config_generation.enabled) {
+    const default_client_tls_config_generator = new DefaultClientTlsGenerationConfigGenerator();
+    const generated_default_client_tls_config = default_client_tls_config_generator.generateDefaultClientTlsGenerationConfig({
+      default_client_tls_config_generation_options: cli_options.default_client_tls_config_generation
+    });
+    console.log("Default client TLS package config generated successfully.");
+    console.log(`Client TLS package config: ${generated_default_client_tls_config.output_file_path}`);
+    return;
+  }
   if (cli_options.tls_generation.enabled) {
+    let tls_generation_options = cli_options.tls_generation;
+    if (cli_options.tls_generation.config_file_path) {
+      const tls_generation_config_file_loader = new TlsGenerationConfigFileLoader();
+      tls_generation_options = tls_generation_config_file_loader.loadTlsGenerationOptions({
+        config_file_path: cli_options.tls_generation.config_file_path,
+        fallback_options: tls_generation_options
+      });
+    }
     const tls_material_generator = new TlsMaterialGenerator();
     const generated_tls_material = tls_material_generator.generateTlsMaterial({
-      tls_generation_options: cli_options.tls_generation
+      tls_generation_options
     });
     console.log("TLS material generated successfully.");
     console.log(`Output directory: ${generated_tls_material.output_dir}`);
@@ -2561,6 +3278,22 @@ async function StartDaemonFromCli() {
     console.log("If using default config, set tls_mtls key_file/cert_file/ca_file in config/server.config.json5 to these files.");
     return;
   }
+  if (cli_options.client_tls_package_generation.enabled) {
+    const client_tls_package_config_file_loader = new ClientTlsPackageConfigFileLoader();
+    const runtime_options = client_tls_package_config_file_loader.loadClientTlsPackageOptions({
+      client_tls_package_generation_options: cli_options.client_tls_package_generation
+    });
+    const client_tls_package_generator = new ClientTlsPackageGenerator();
+    const generated_client_tls_packages = client_tls_package_generator.generateClientTlsPackages({
+      runtime_options
+    });
+    console.log("Client TLS packages generated successfully.");
+    console.log(`Output directory: ${generated_client_tls_packages.output_dir}`);
+    for (const generated_package of generated_client_tls_packages.packages) {
+      console.log(`Client ${generated_package.client_name}: ${generated_package.package_path}`);
+    }
+    return;
+  }
   const daemon_process = new DaemonProcess({
     config_paths: {
       server_config_path: cli_options.server_config_path,
@@ -2580,12 +3313,17 @@ if (require.main === module) {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ApiKeyAuthorizer,
+  ClientTlsPackageConfigFileLoader,
+  ClientTlsPackageGenerator,
   ConfigFileLoader,
   ConfigValidator,
   DaemonCli,
   DaemonProcess,
+  DefaultClientTlsGenerationConfigGenerator,
   DefaultConfigGenerator,
+  DefaultTlsGenerationConfigGenerator,
   NetworkProcedureCallDaemon,
+  TlsGenerationConfigFileLoader,
   TlsMaterialGenerator
 });
 //# sourceMappingURL=index.js.map