@rine-network/core 0.5.1 → 0.6.0

package/dist/index.js

@@ -1,6 +1,6 @@
 import * as fs from "node:fs";
 import { homedir } from "node:os";
-import { join } from "node:path";
+import { dirname, join } from "node:path";
 import { Aes256Gcm, CipherSuite, HkdfSha256 } from "@hpke/core";
 import { DhkemX25519HkdfSha256 } from "@hpke/dhkem-x25519";
 import { ed25519, x25519 } from "@noble/curves/ed25519.js";
@@ -9,6 +9,11 @@ import { sha256 } from "@noble/hashes/sha2.js";
 import { ml_kem768 } from "@noble/post-quantum/ml-kem.js";
 import { hmac } from "@noble/hashes/hmac.js";
 import { MlsError, acceptAll, clientStateDecoder, clientStateEncoder, createApplicationMessage, createCommit, createGroup, createGroupInfoWithExternalPubAndRatchetTree, decode, defaultCredentialTypes, encode, generateKeyPackageWithKey, getCiphersuiteImpl, joinGroup, joinGroupExternal, keyPackageDecoder, keyPackageEncoder, makeKeyPackageRef, mlsMessageDecoder, mlsMessageEncoder, privateKeyPackageDecoder, privateKeyPackageEncoder, processMessage, processPrivateMessage, protocolVersions, unsafeTestingAuthenticationService, wireformats, zeroOutUint8Array } from "ts-mls";
+import { Client, crypto as crypto$1 } from "acme-client";
+import { createHmac, generateKeyPairSync, randomBytes, timingSafeEqual } from "node:crypto";
+import { Resolver, resolve4, resolveNs } from "node:dns/promises";
+import { connect } from "node:net";
+import { createServer } from "node:tls";
 //#region src/errors.ts
 var RineApiError = class extends Error {
 	constructor(status, detail, raw, code) {
@@ -1312,7 +1317,7 @@ function isPendingConfirmation(err) {
 const CIPHER_SUITE = 1;
 const PENDING_RETRY_LIMIT = 3;
 const PENDING_RETRY_DELAY_MS = 400;
-function sleep(ms) {
+function sleep$1(ms) {
 	return new Promise((resolve) => setTimeout(resolve, ms));
 }
 /**
@@ -1363,7 +1368,7 @@ async function externalJoinMlsGroup(configDir, agentId, groupId, client, extraHe
 			break;
 		}
 		if (i >= PENDING_RETRY_LIMIT - 1) throw new Error(`Cannot self-join MLS group ${groupId}: GroupInfo is still pending peer confirmation after a brief retry. Try again shortly.`, { cause: err });
-		await sleep(PENDING_RETRY_DELAY_MS);
+		await sleep$1(PENDING_RETRY_DELAY_MS);
 	}
 	if (!isEpochConflict(firstErr)) throw firstErr;
 	try {
@@ -1857,6 +1862,1045 @@ async function fetchAndIngestPendingSKDistributions(client, configDir, agentId,
 	return ingested;
 }
 //#endregion
+//#region src/group-invite-ops.ts
+/**
+* Message type for the best-effort group-invite notification DM.
+*
+* Underscore-namespaced like `rine.v1.sender_key_distribution`. Sealed by the
+* inviter and delivered to the invitee's normal inbox; it is a convenience
+* nudge — `GET /groups/invites` is the authoritative source of truth.
+*/
+const GROUP_INVITE_TYPE = "rine.v1.group_invite";
+/**
+* Seal a `rine.v1.group_invite` notification to the invitee and POST it.
+*
+* Reuses the 1:1 DM crypto path (`fetchRecipientKeys` + `encryptMessage`), so
+* hybrid PQ is auto-negotiated when the invitee publishes an ML-KEM key. The
+* sealed payload carries `invited_by = inviterAgentId` (also cryptographically
+* bound via the sender signature). `X-Rine-Agent` selects the inviter as sender.
+*
+* Best-effort by contract: callers wrap this so a failure (e.g. groups_only
+* 403, missing keys) warns but never fails the invite.
+*/
+async function sendGroupInviteNotification(client, configDir, inviterAgentId, inviteeAgentId, invite) {
+	const recipientKeys = await fetchRecipientKeys(client, inviteeAgentId);
+	const payload = {
+		group_id: invite.group_id,
+		group_handle: invite.group_handle,
+		invited_by: inviterAgentId,
+		message: invite.message
+	};
+	const encrypted = await encryptMessage(configDir, inviterAgentId, recipientKeys.encryption, payload, recipientKeys.pqEncryption);
+	await client.post("/messages", {
+		to_agent_id: inviteeAgentId,
+		type: GROUP_INVITE_TYPE,
+		...encrypted
+	}, { "X-Rine-Agent": inviterAgentId });
+}
+/**
+* List the calling agent's open group invites via the authoritative pull
+* endpoint `GET /groups/invites`. `extraHeaders` lets multi-agent orgs pass
+* `X-Rine-Agent` to disambiguate which agent's invites to list.
+*/
+async function listMyInvites(client, extraHeaders) {
+	return (await client.get("/groups/invites", void 0, extraHeaders)).items;
+}
+//#endregion
+//#region src/funnel/backoff.ts
+const BACKOFF_BASE_MS = 3e4;
+const BACKOFF_FACTOR = 2;
+const BACKOFF_CAP_MS = 36e5;
+const RENEWAL_WINDOW_MS = 30 * 864e5;
+/**
+* Full-jitter exponential backoff: a uniform random delay in `[0, ceiling]`
+* where `ceiling = base * factor^(n-1)`, capped at 1h. Full jitter (not just a
+* jittered fixed delay) is what de-correlates a fleet of crash-looping relays.
+* `n` is the 1-based consecutive-failure count (n<=0 is treated as the first).
+*/
+function nextBackoffDelayMs(consecutiveFailures) {
+	const ceiling = Math.min(BACKOFF_CAP_MS, BACKOFF_BASE_MS * BACKOFF_FACTOR ** (Math.max(1, consecutiveFailures) - 1));
+	return Math.floor(Math.random() * (ceiling + 1));
+}
+/**
+* A cert is due for renewal when `not_after - now <= 30 days` (boundary
+* inclusive). An already-expired cert is due (and forces a cold issuance).
+*/
+function isRenewalDue(meta, nowMs) {
+	const notAfterMs = Date.parse(meta.not_after);
+	if (Number.isNaN(notAfterMs)) return true;
+	return notAfterMs - nowMs <= RENEWAL_WINDOW_MS;
+}
+/**
+* TERMINAL = an LE rate-limit ceiling that no amount of retrying can clear in
+* the near term (the duplicate-certificate limit: 5 identical FQDN sets / 7
+* days, and the per-account failed-validation limit). On a terminal error the
+* relay stops attempting and surfaces it rather than burning the LE budget.
+* Ordinary transient failures (timeouts, propagation, provider 502) are NOT
+* terminal — they retry on the backoff schedule.
+*/
+function isTerminalAcmeError(err) {
+	if (typeof err !== "object" || err === null) return false;
+	const tag = err.leRateLimit;
+	if (tag === "duplicate-certificate" || tag === "failed-validation") return true;
+	const msg = err instanceof Error ? err.message.toLowerCase() : "";
+	return msg.includes("too many certificates") || msg.includes("too many failed authorizations");
+}
+//#endregion
+//#region src/funnel/cert-cache.ts
+const LE_PROD = "https://acme-v02.api.letsencrypt.org/directory";
+const LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory";
+/**
+* Resolve the ACME directory URL. Production by default; staging when either
+* `opts.staging` is set or `RINE_ACME_STAGING=1` is in the environment, so dev
+* never burns the production LE rate limits. Shares the single `isStaging`
+* decision with the cache-path split so a cert's directory_url and its cache
+* subtree are always derived from the same flag.
+*/
+function acmeDirectoryUrl(opts) {
+	return isStaging(opts) ? LE_STAGING : LE_PROD;
+}
+const CERT_FILE = "cert.pem";
+const KEY_FILE = "key.pem";
+const META_FILE = "meta.json";
+function isStaging(opts) {
+	return opts.staging === true || process.env.RINE_ACME_STAGING === "1";
+}
+/** `${configDir}/funnel` (prod) or `${configDir}/funnel/staging` (staging). */
+function funnelCacheDir(configDir, opts) {
+	const root = join(configDir, "funnel");
+	return isStaging(opts) ? join(root, "staging") : root;
+}
+/** The per-handle cache dir under the (staging-segregated) funnel root. */
+function handleCacheDir(configDir, handle, opts) {
+	return join(funnelCacheDir(configDir, opts), handle);
+}
+/** One LE account key per relay, shared across handles, at the funnel root. */
+function accountKeyPath(configDir, opts) {
+	return join(funnelCacheDir(configDir, opts), "acme-account.key");
+}
+function writeSecret(path, content) {
+	const tmp = `${path}.tmp`;
+	fs.writeFileSync(tmp, content, { mode: 384 });
+	fs.renameSync(tmp, path);
+	fs.chmodSync(path, 384);
+}
+function ensureHandleDir(configDir, handle, opts) {
+	const dir = handleCacheDir(configDir, handle, opts);
+	fs.mkdirSync(dir, {
+		recursive: true,
+		mode: 448
+	});
+	fs.chmodSync(dir, 448);
+	return dir;
+}
+function saveMeta(configDir, handle, opts, meta) {
+	writeSecret(join(ensureHandleDir(configDir, handle, opts), META_FILE), `${JSON.stringify(meta, null, 2)}\n`);
+}
+function loadMeta(configDir, handle, opts) {
+	const path = join(handleCacheDir(configDir, handle, opts), META_FILE);
+	try {
+		return JSON.parse(fs.readFileSync(path, "utf-8"));
+	} catch {
+		return null;
+	}
+}
+function saveCert(configDir, handle, opts, cert) {
+	const dir = ensureHandleDir(configDir, handle, opts);
+	writeSecret(join(dir, KEY_FILE), cert.keyPem);
+	writeSecret(join(dir, CERT_FILE), cert.certPem);
+	saveMeta(configDir, handle, opts, cert.meta);
+}
+/**
+* Returns the cached cert ONLY if cert+key+meta are all present AND the meta's
+* directory_url matches the requested mode (staging cert never served in prod).
+* Any partial/corrupt cache reads back as `null` — never a half-cert.
+*/
+function loadCachedCert(configDir, handle, opts) {
+	const dir = handleCacheDir(configDir, handle, opts);
+	try {
+		const certPem = fs.readFileSync(join(dir, CERT_FILE), "utf-8");
+		const keyPem = fs.readFileSync(join(dir, KEY_FILE), "utf-8");
+		const meta = JSON.parse(fs.readFileSync(join(dir, META_FILE), "utf-8"));
+		if (!certPem || !keyPem || !meta.not_after) return null;
+		if (meta.directory_url !== acmeDirectoryUrl(opts)) return null;
+		return {
+			certPem,
+			keyPem,
+			meta
+		};
+	} catch {
+		return null;
+	}
+}
+/** Scoped wipe of one handle's cache dir (REQ-CERT-16). Other handles untouched. */
+function wipeHandleCache(configDir, handle, opts) {
+	fs.rmSync(handleCacheDir(configDir, handle, opts), {
+		recursive: true,
+		force: true
+	});
+}
+//#endregion
+//#region src/funnel/csr.ts
+const HOOK_ZONE = "hook.rine.network";
+/** The publicly-trusted hostname this relay terminates TLS for. */
+function hookFqdn(handle) {
+	return `${handle}.${HOOK_ZONE}`;
+}
+/**
+* Generate a fresh EC P-256 keypair (node:crypto) and a CSR for
+* `<handle>.hook.rine.network` whose CN and single SAN are that FQDN. A fresh,
+* unique key is minted on every call — no key reuse across issuances/renewals.
+*/
+async function generateCertKeypairAndCsr(handle) {
+	const fqdn = hookFqdn(handle);
+	const { privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
+	const keyPem = privateKey.export({
+		type: "pkcs8",
+		format: "pem"
+	}).toString();
+	const [, csrBuf] = await crypto$1.createCsr({
+		commonName: fqdn,
+		altNames: [fqdn]
+	}, keyPem);
+	return {
+		keyPem,
+		csrPem: csrBuf.toString(),
+		commonName: fqdn,
+		subjectAltNames: [fqdn],
+		keyAlgorithm: "EC",
+		keyCurve: "P-256"
+	};
+}
+//#endregion
+//#region src/funnel/issue.ts
+const DEFAULT_CERT_LIFETIME_MS = 90 * 864e5;
+function certNotAfter(certPem, nowMs) {
+	try {
+		return crypto$1.readCertificateInfo(certPem).notAfter.toISOString();
+	} catch {
+		return new Date(nowMs + DEFAULT_CERT_LIFETIME_MS).toISOString();
+	}
+}
+/**
+* Run one ACME DNS-01 issuance. Sequence (REQ-CERT-10):
+*   newOrder -> dns:set -> waitForPropagation -> validate -> download -> dns:clear
+* The TXT is cleared in a `finally` so a FAILED order still cleans up its record
+* (no lingering challenge). Propagation is awaited BEFORE asking LE to validate
+* so a slow zone never burns a validation attempt.
+*/
+async function issueCert(args) {
+	const { handle, delegationId, directoryUrl, deps } = args;
+	const { keyPem, csrPem } = await generateCertKeypairAndCsr(handle);
+	const order = await deps.acme.newOrder({
+		handle,
+		directoryUrl
+	});
+	if (!order.challengeTypesOffered.includes("dns-01")) throw new Error(`DNS-01 unavailable: order offered only [${order.challengeTypesOffered.join(", ")}]`);
+	let txtSet = false;
+	try {
+		const setResult = await deps.dnsPost("set", order.dnsChallengeToken);
+		txtSet = true;
+		const fqdn = setResult.fqdn ?? `_acme-challenge.${delegationId}.hook.rine.network`;
+		await deps.waitForPropagation({ fqdn });
+		await deps.acme.validate({ handle });
+		const { certPem } = await deps.acme.finalizeAndDownload({
+			handle,
+			csrPem
+		});
+		return {
+			certPem,
+			keyPem,
+			meta: {
+				directory_url: directoryUrl,
+				not_after: certNotAfter(certPem, deps.now()),
+				delegation_id: delegationId,
+				last_attempt_ts: deps.now(),
+				consecutive_failures: 0
+			}
+		};
+	} finally {
+		if (txtSet) await deps.dnsPost("clear");
+	}
+}
+//#endregion
+//#region src/funnel/cert.ts
+/**
+* Cold-start readiness gate (REQ-CERT-32) + cache reuse + persisted backoff
+* (REQ-CERT-13). A valid, fresh cached cert opens the gate immediately with NO
+* ACME round-trip. Otherwise issue, persist atomically, and reset the failure
+* counter on success. On failure the persisted `consecutive_failures` is bumped
+* (read from the prior meta so a crash-loop never resets it to zero) and the
+* error re-thrown — a failed cold start installs NOTHING (gate stays closed).
+*/
+async function ensureCert(args) {
+	const { handle, agentId, delegationId, configDir, options, deps } = args;
+	const directoryUrl = acmeDirectoryUrl(options);
+	const cached = loadCachedCert(configDir, handle, options);
+	if (cached && !isRenewalDue(cached.meta, deps.now())) return {
+		ready: true,
+		fromCache: true,
+		...cached
+	};
+	const priorFailures = loadMeta(configDir, handle, options)?.consecutive_failures ?? 0;
+	try {
+		const issued = await issueCert({
+			handle,
+			agentId,
+			delegationId,
+			directoryUrl,
+			deps
+		});
+		saveCert(configDir, handle, options, issued);
+		return {
+			ready: true,
+			fromCache: false,
+			...issued
+		};
+	} catch (err) {
+		persistFailure(configDir, handle, options, {
+			delegationId,
+			directoryUrl,
+			priorFailures,
+			nowMs: deps.now()
+		});
+		throw isTerminalAcmeError(err) ? new Error(`terminal ACME error (LE rate limit): ${describe(err)}`, { cause: err }) : err;
+	}
+}
+/**
+* Graceful teardown (REQ-CERT-16): best-effort ACME revoke (relay-local — the
+* server holds no key and cannot revoke, REQ-CERT-15), then a SCOPED wipe of
+* just this handle's cache dir. A revoke failure (offline) is swallowed; the
+* local wipe is the meaningful local effect and always runs.
+*/
+async function revokeAndWipeCache(args) {
+	const { handle, configDir, options, deps } = args;
+	const cached = loadCachedCert(configDir, handle, options);
+	if (cached) try {
+		await deps.acme.revoke({
+			certPem: cached.certPem,
+			directoryUrl: cached.meta.directory_url
+		});
+	} catch {}
+	wipeHandleCache(configDir, handle, options);
+}
+function persistFailure(configDir, handle, options, ctx) {
+	const existing = loadMeta(configDir, handle, options);
+	saveMeta(configDir, handle, options, {
+		directory_url: existing?.directory_url ?? ctx.directoryUrl,
+		not_after: existing?.not_after ?? new Date(ctx.nowMs).toISOString(),
+		delegation_id: existing?.delegation_id ?? ctx.delegationId,
+		last_attempt_ts: ctx.nowMs,
+		consecutive_failures: ctx.priorFailures + 1
+	});
+}
+function describe(err) {
+	return err instanceof Error ? err.message : String(err);
+}
+//#endregion
+//#region src/funnel/propagation.ts
+const PROPAGATION_TIMEOUT_MS = 12e4;
+const PROPAGATION_INTERVAL_MS = 5e3;
+function sleep(ms) {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+* The authoritative NS hostnames for the zone that contains `fqdn`. The
+* challenge name (`_acme-challenge.<label>.hook.rine.network`) is BELOW the zone
+* apex, where neither SOA nor NS records live, so we walk UP one label at a time
+* asking for NS until a parent answers (the apex — e.g. `rine.network`). A plain
+* `resolveSoa(fqdn)` returns ENODATA at a sub-apex name, which is why the prior
+* SOA->NS approach silently fell through to the host resolver every time.
+*/
+async function nsHostsForZoneOf(fqdn) {
+	let name = fqdn.replace(/\.$/, "");
+	while (name.includes(".")) {
+		try {
+			const ns = await resolveNs(name);
+			if (ns.length > 0) return ns;
+		} catch {}
+		name = name.slice(name.indexOf(".") + 1);
+	}
+	throw new Error(`no authoritative NS found for any parent of ${fqdn}`);
+}
+/**
+* Build a resolver pinned to the AUTHORITATIVE nameservers of `fqdn`'s zone
+* (NS -> A, then `Resolver.setServers`). Falls back to the system resolver if NS
+* discovery fails (best-effort — the bounded poll still backstops).
+*/
+async function authoritativeResolver(fqdn) {
+	const resolver = new Resolver();
+	try {
+		const nsHosts = await nsHostsForZoneOf(fqdn);
+		const addresses = (await Promise.all(nsHosts.map((ns) => resolve4(ns)))).flat().filter(Boolean);
+		if (addresses.length > 0) resolver.setServers(addresses);
+	} catch {}
+	return resolver;
+}
+/**
+* Poll the authoritative DNS for the challenge TXT at the server-returned
+* `_acme-challenge.<cert-domain>.hook.rine.network` until it resolves (bounded,
+* ≤120s) before telling LE to validate, so a slow zone never burns a validation
+* attempt. The FQDN is the one the backend wrote the TXT under (the
+* dns-challenge `set` response's `fqdn`) — never derived from a relay-side guess.
+*/
+async function waitForTxtPropagation(args) {
+	const { fqdn } = args;
+	const resolver = await authoritativeResolver(fqdn);
+	const deadline = Date.now() + PROPAGATION_TIMEOUT_MS;
+	while (Date.now() < deadline) {
+		try {
+			if ((await resolver.resolveTxt(fqdn)).length > 0) return;
+		} catch {}
+		await sleep(PROPAGATION_INTERVAL_MS);
+	}
+	throw new Error(`DNS propagation timeout for ${fqdn}`);
+}
+//#endregion
+//#region src/funnel/acme.ts
+/**
+* Tag an LE rate-limit failure so backoff.ts classifies it as TERMINAL. Matches
+* the stable LE stem `too many certificates` so the modern parenthetical-count
+* wording (`too many certificates (5) already issued ...`) is still caught —
+* see backoff.ts isTerminalAcmeError, which uses the same stems.
+*/
+function tagLeRateLimit(err) {
+	const msg = err.message.toLowerCase();
+	if (msg.includes("too many certificates")) err.leRateLimit = "duplicate-certificate";
+	else if (msg.includes("too many failed authorizations")) err.leRateLimit = "failed-validation";
+	return err;
+}
+/**
+* POST to the backend dns-challenge endpoint, honoring a 429 + Retry-After
+* (the server-side rate-limit backstop, REQ-CERT-07). The body carries ONLY
+* {action, value?} — never the FQDN, never key material.
+*/
+function makeDnsPost(http, agentId, agentHeaders = {}) {
+	const path = `/agents/${agentId}/funnel/dns-challenge`;
+	return async (action, value) => {
+		const body = action === "set" ? {
+			action,
+			value
+		} : { action };
+		try {
+			return await http.post(path, body, agentHeaders);
+		} catch (err) {
+			if (err instanceof RineApiError && err.status === 429) {
+				const retryAfter = retryAfterMs(err);
+				if (retryAfter > 0) await sleep(retryAfter);
+				return await http.post(path, body, agentHeaders);
+			}
+			throw err;
+		}
+	};
+}
+function retryAfterMs(err) {
+	const res = err.raw;
+	if (res instanceof Response) {
+		const header = res.headers.get("retry-after");
+		const secs = header ? Number(header) : NaN;
+		if (Number.isFinite(secs) && secs > 0) return secs * 1e3;
+	}
+	return 0;
+}
+/**
+* Build the production ACME deps. The acme-client `Client` is the order driver;
+* a per-issuance closure holds the order/challenge between newOrder→validate→
+* download so the orchestrator's step boundaries map onto the RFC 8555 flow.
+*/
+function makeAcmeClientDeps(client) {
+	let pending;
+	return { acme: {
+		async newOrder({ handle }) {
+			const fqdn = hookFqdn(handle);
+			try {
+				const order = await client.createOrder({ identifiers: [{
+					type: "dns",
+					value: fqdn
+				}] });
+				const authz = (await client.getAuthorizations(order))[0];
+				if (!authz) throw new Error("no authorization on order");
+				const dns = authz.challenges.find((c) => c.type === "dns-01");
+				const offered = authz.challenges.map((c) => c.type);
+				if (dns) {
+					const keyAuth = await client.getChallengeKeyAuthorization(dns);
+					pending = {
+						order,
+						authz,
+						challenge: dns
+					};
+					return {
+						dnsChallengeToken: keyAuth,
+						challengeTypesOffered: offered
+					};
+				}
+				return {
+					dnsChallengeToken: "",
+					challengeTypesOffered: offered
+				};
+			} catch (err) {
+				throw tagLeRateLimit(err);
+			}
+		},
+		async validate() {
+			if (!pending) throw new Error("validate called before newOrder");
+			await client.completeChallenge(pending.challenge);
+			await client.waitForValidStatus(pending.authz);
+		},
+		async finalizeAndDownload({ csrPem }) {
+			if (!pending) throw new Error("finalize called before newOrder");
+			const order = await client.finalizeOrder(pending.order, csrPem);
+			return { certPem: await client.getCertificate(order) };
+		},
+		async revoke({ certPem }) {
+			await client.revokeCertificate(certPem);
+		}
+	} };
+}
+/**
+* Load (or mint + persist 0600) the ONE shared ACME account key for this relay,
+* then build an `acme-client` Client against the selected LE directory. One LE
+* account is reused across all of the relay's hooks (REQ-CERT-12), so repeated
+* issuances don't churn accounts. The account key never leaves the box.
+*/
+async function buildAcmeClient(configDir, options) {
+	const keyPath = accountKeyPath(configDir, options);
+	let accountKey;
+	try {
+		accountKey = fs.readFileSync(keyPath, "utf-8");
+	} catch {
+		accountKey = (await crypto$1.createPrivateEcdsaKey("P-256")).toString();
+		fs.mkdirSync(dirname(keyPath), {
+			recursive: true,
+			mode: 448
+		});
+		const tmp = `${keyPath}.tmp`;
+		fs.writeFileSync(tmp, accountKey, { mode: 384 });
+		fs.renameSync(tmp, keyPath);
+		fs.chmodSync(keyPath, 384);
+	}
+	const client = new Client({
+		directoryUrl: acmeDirectoryUrl(options),
+		accountKey
+	});
+	await client.createAccount({ termsOfServiceAgreed: true });
+	return client;
+}
+/**
+* Assemble the full production `IssueCertDeps` the relay (Track E) injects into
+* `ensureCert` / `revokeAndWipeCache`. Pure wiring: the ACME client drives the
+* order, the HttpClient brokers the TXT, node:dns confirms propagation.
+*/
+async function buildIssueCertDeps(args) {
+	return {
+		...makeAcmeClientDeps(await buildAcmeClient(args.configDir, args.options)),
+		dnsPost: makeDnsPost(args.http, args.agentId, args.agentHeaders),
+		waitForPropagation: waitForTxtPropagation,
+		now: () => Date.now()
+	};
+}
+//#endregion
+//#region src/funnel/mux-codec.ts
+/** Fixed mux header size: type(1) + conn_id(4) + len(4). */
+const HEADER_LEN = 9;
+/** conn_id 0 is reserved for the control plane (BIND and keepalive). */
+const CONTROL_CONN_ID = 0;
+/** Frame type discriminants. WINDOW (0x07) is intentionally absent. */
+const FrameType = {
+	OPEN: 1,
+	DATA: 2,
+	CLOSE: 3,
+	RESET: 4,
+	BIND: 16,
+	BIND_ACK: 17,
+	BIND_NAK: 18
+};
+const KNOWN_TYPES = new Set(Object.values(FrameType));
+function isControl(t) {
+	return t === FrameType.BIND || t === FrameType.BIND_ACK || t === FrameType.BIND_NAK;
+}
+/** A framing/protocol fault. The broker maps these to WS close codes (1002/1009). */
+var FrameError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "FrameError";
+	}
+};
+/**
+* Encode a frame into one WS-binary message body. Rejects an over-`maxFrameBytes`
+* payload and any type the codec does not know (so the relay can never put a
+* WINDOW/0x07 frame on the wire) before allocating.
+*/
+function encodeFrame(frame, maxFrameBytes) {
+	if (!KNOWN_TYPES.has(frame.frameType)) throw new FrameError(`refusing to encode unknown frame type 0x${frame.frameType.toString(16)}`);
+	const len = frame.payload.length;
+	if (len > maxFrameBytes) throw new FrameError(`frame payload ${len} exceeds max_frame_bytes ${maxFrameBytes}`);
+	const out = new Uint8Array(9 + len);
+	const view = new DataView(out.buffer);
+	out[0] = frame.frameType;
+	view.setUint32(1, frame.connId, false);
+	view.setUint32(5, len, false);
+	out.set(frame.payload, 9);
+	return out;
+}
+/**
+* Decode one WS-binary message body into a Frame, enforcing every REQ-TUN-05
+* rule: unknown/reserved type (incl. WINDOW 0x07), short header, declared-len
+* mismatch, conn_id=0 on a data frame, non-zero conn_id on a control frame, and
+* an over-`maxFrameBytes` payload.
+*/
+function decodeFrame(buf, maxFrameBytes) {
+	if (buf.length < 9) throw new FrameError(`frame shorter than 9-byte header: ${buf.length} bytes`);
+	const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
+	const typeByte = buf[0];
+	if (!KNOWN_TYPES.has(typeByte)) throw new FrameError(`unknown frame type byte: 0x${typeByte.toString(16)}`);
+	const frameType = typeByte;
+	const connId = view.getUint32(1, false);
+	const declared = view.getUint32(5, false);
+	const body = buf.subarray(9);
+	if (declared !== body.length) throw new FrameError(`declared len ${declared} != actual payload ${body.length}`);
+	if (isControl(frameType)) {
+		if (connId !== 0) throw new FrameError(`control frame must use conn_id=0, got ${connId}`);
+	} else if (connId === 0) throw new FrameError("conn_id=0 reserved for control plane, not valid on a data-plane frame");
+	if (body.length > maxFrameBytes) throw new FrameError(`frame payload ${body.length} exceeds max_frame_bytes ${maxFrameBytes}`);
+	return {
+		frameType,
+		connId,
+		payload: body.slice()
+	};
+}
+//#endregion
+//#region src/funnel/mux-client.ts
+/** Per-conn in-flight cap before the relay pauses reading from the broker. */
+const PER_CONN_INFLIGHT_CAP = 256 * 1024;
+const DEFAULT_MAX_FRAME$1 = 65536;
+/**
+* Build a mux client over `ws`. `start()` wires the WS binary + close callbacks;
+* `handleFrame` is exposed so a caller (and the unit tests) can drive a single
+* decoded frame directly.
+*/
+function createMuxClient(args) {
+	const { ws, openLocalPipe } = args;
+	const maxFrame = args.maxFrameBytes ?? DEFAULT_MAX_FRAME$1;
+	const conns = /* @__PURE__ */ new Map();
+	function sendData(connId, bytes) {
+		ws.send(encodeFrame({
+			frameType: FrameType.DATA,
+			connId,
+			payload: bytes
+		}, maxFrame));
+	}
+	function teardown(connId) {
+		const state = conns.get(connId);
+		if (!state) return;
+		conns.delete(connId);
+		state.pipe.close();
+	}
+	function openConn(frame) {
+		const pipe = openLocalPipe(frame);
+		const state = {
+			pipe,
+			inflight: 0,
+			paused: false
+		};
+		conns.set(frame.connId, state);
+		pipe.onData((bytes) => {
+			sendData(frame.connId, bytes);
+			state.inflight = Math.max(0, state.inflight - bytes.length);
+			if (state.paused && state.inflight < 262144) {
+				state.paused = false;
+				state.pipe.resume?.();
+			}
+		});
+	}
+	function onData(frame) {
+		const state = conns.get(frame.connId);
+		if (!state) return;
+		state.pipe.write(frame.payload);
+		state.inflight += frame.payload.length;
+		if (state.inflight > 262144 && !state.paused) {
+			state.paused = true;
+			state.pipe.pause?.();
+		}
+	}
+	function handleFrame(frame) {
+		switch (frame.frameType) {
+			case FrameType.OPEN:
+				openConn(frame);
+				break;
+			case FrameType.DATA:
+				onData(frame);
+				break;
+			case FrameType.CLOSE:
+			case FrameType.RESET:
+				teardown(frame.connId);
+				break;
+			default: break;
+		}
+	}
+	function resetAllConns() {
+		for (const connId of [...conns.keys()]) teardown(connId);
+	}
+	return {
+		start() {
+			ws.onBinary((data) => {
+				const frame = decodeFrame(data, maxFrame);
+				if (frame.connId === 0) return;
+				handleFrame(frame);
+			});
+			ws.onClose?.(() => resetAllConns());
+		},
+		handleFrame
+	};
+}
+/**
+* Reconnect backoff progression, identical to stream.ts: double, capped at 30s.
+* `1 → 2 → 4 → 8 → 16 → 30 → 30`.
+*/
+function nextReconnectBackoffSeconds(backoffSeconds) {
+	return Math.min(backoffSeconds * 2, 30);
+}
+/** Full jitter over the current backoff window — identical to stream.ts. */
+function jitteredDelayMs(backoffSeconds) {
+	return Math.round(backoffSeconds * (.5 + Math.random()) * 1e3);
+}
+//#endregion
+//#region src/funnel/tunnel.ts
+const SUBPROTOCOL = "rine.funnel.v1";
+const DEFAULT_MAX_FRAME = 65536;
+const CLEAN_CLOSE_CODES = new Set([
+	0,
+	1e3,
+	1001,
+	1005
+]);
+function classifyClose(ev) {
+	const code = ev.code ?? 1005;
+	return {
+		code,
+		clean: ev.wasClean === true || CLEAN_CLOSE_CODES.has(code)
+	};
+}
+/** A bind rejection (BIND_NAK / ownership failure). `revoked` stops the relay. */
+var TunnelBindError = class extends Error {
+	revoked = true;
+	constructor(reason) {
+		super(`funnel binding rejected: ${reason}`);
+		this.name = "TunnelBindError";
+	}
+};
+/**
+* Adapt a Node 24 global WebSocket to the minimal MuxWs surface. The close
+* callback receives the classified close (code + clean flag); the mux driver
+* (MuxWs.onClose) ignores the arg and just resets its conns.
+*/
+function adaptWs(ws) {
+	ws.binaryType = "arraybuffer";
+	return {
+		send: (data) => ws.send(data),
+		onBinary: (cb) => {
+			ws.addEventListener("message", (ev) => {
+				if (ev.data instanceof ArrayBuffer) cb(new Uint8Array(ev.data));
+			});
+		},
+		onClose: (cb) => ws.addEventListener("close", (ev) => cb(classifyClose(ev))),
+		close: () => ws.close()
+	};
+}
+function sendBind(ws, agentId, hostname) {
+	const payload = new TextEncoder().encode(JSON.stringify({
+		v: 1,
+		agent_id: agentId,
+		hostname
+	}));
+	ws.send(encodeFrame({
+		frameType: FrameType.BIND,
+		connId: 0,
+		payload
+	}, DEFAULT_MAX_FRAME));
+}
+/**
+* Open the control WS (Bearer at the upgrade — Node 24's global WebSocket takes
+* a `{protocols, headers}` options object), perform the BIND handshake, and wire
+* the mux driver. The returned handle resolves once BIND_ACK arrives; a BIND_NAK
+* rejects with a TunnelBindError (the relay treats it as revoked and stops).
+*/
+function connectTunnel(args) {
+	const { controlWsUrl, token, agentId, hostname, openLocalPipe } = args;
+	return new Promise((resolve, reject) => {
+		const ws = new WebSocket(controlWsUrl, {
+			protocols: [SUBPROTOCOL],
+			headers: { Authorization: `Bearer ${token}` }
+		});
+		const adapted = adaptWs(ws);
+		let bound = false;
+		ws.addEventListener("open", () => sendBind(adapted, agentId, hostname));
+		ws.addEventListener("error", () => {
+			if (!bound) reject(/* @__PURE__ */ new Error("control WS connect failed"));
+		});
+		adapted.onBinary((data) => {
+			const frame = decodeFrame(data, DEFAULT_MAX_FRAME);
+			if (frame.connId !== 0) return;
+			if (frame.frameType === FrameType.BIND_ACK) {
+				bound = true;
+				const caps = JSON.parse(new TextDecoder().decode(frame.payload)).caps;
+				createMuxClient({
+					ws: adapted,
+					openLocalPipe,
+					maxFrameBytes: caps.max_frame_bytes
+				}).start();
+				resolve({
+					caps,
+					close: () => ws.close(),
+					onClose: (cb) => adapted.onClose(cb)
+				});
+			} else if (frame.frameType === FrameType.BIND_NAK) {
+				const reason = JSON.parse(new TextDecoder().decode(frame.payload)).reason;
+				ws.close();
+				reject(new TunnelBindError(reason ?? "unknown"));
+			}
+		});
+	});
+}
+//#endregion
+//#region src/funnel/tls-listener.ts
+/**
+* Stand up the loopback TLS listener. Each accepted socket is one webhook
+* delivery: parse the HTTP request head + body, hand the RAW body to `onRequest`,
+* then write a minimal 204/400 response and close (GitHub only needs a 2xx).
+*/
+async function startTlsListener(args) {
+	const { certPem, keyPem, onRequest } = args;
+	const server = createServer({
+		cert: certPem,
+		key: keyPem
+	}, (socket) => handleConnection(socket, onRequest));
+	const port = await new Promise((resolve, reject) => {
+		server.once("error", reject);
+		server.listen(args.port, "127.0.0.1", () => {
+			const addr = server.address();
+			resolve(typeof addr === "object" && addr ? addr.port : args.port);
+		});
+	});
+	return {
+		port,
+		close: () => server.close(),
+		openLocalPipe: () => openLoopbackPipe(port)
+	};
+}
+/**
+* Buffer one HTTP request off the TLS socket and dispatch as soon as the full
+* body has arrived. A real HTTP/1.1 client (GitHub) sends the request then BLOCKS
+* on the response WITHOUT half-closing, so triggering on the socket `"end"` (EOF)
+* deadlocks until the client's own timeout. Instead we dispatch the moment we have
+* the head plus a `Content-Length`-worth of body; `"end"` stays a fallback for the
+* no-body / chunked / EOF-terminated cases. `handled` guards single dispatch.
+*/
+function handleConnection(socket, onRequest) {
+	const chunks = [];
+	let handled = false;
+	const dispatch = async (eof) => {
+		if (handled) return;
+		const raw = Buffer.concat(chunks);
+		const sep = raw.indexOf("\r\n\r\n");
+		if (sep < 0) {
+			if (eof) {
+				handled = true;
+				socket.end("HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n");
+			}
+			return;
+		}
+		const headers = parseHeaders(raw.subarray(0, sep).toString("latin1"));
+		const body = raw.subarray(sep + 4);
+		const declared = Number(headers["content-length"]);
+		if (Number.isInteger(declared) && declared >= 0) {
+			if (body.length < declared && !eof) return;
+		} else if (!eof) return;
+		handled = true;
+		const rawBody = Number.isInteger(declared) && declared >= 0 ? body.subarray(0, declared) : body;
+		try {
+			await onRequest({
+				headers,
+				rawBody
+			});
+			socket.end("HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n");
+		} catch {
+			socket.end("HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n");
+		}
+	};
+	socket.on("data", (c) => {
+		chunks.push(c);
+		dispatch(false);
+	});
+	socket.on("error", () => socket.destroy());
+	socket.on("end", () => void dispatch(true));
+}
+/** Parse a CRLF-delimited HTTP head into a lowercased header map (skip the request line). */
+function parseHeaders(head) {
+	const out = {};
+	const lines = head.split("\r\n");
+	for (const line of lines.slice(1)) {
+		const idx = line.indexOf(":");
+		if (idx > 0) out[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
+	}
+	return out;
+}
+/** One mux conn → one loopback TCP socket bridging broker bytes ↔ TLS listener. */
+function openLoopbackPipe(port) {
+	const sock = connect(port, "127.0.0.1");
+	let dataCb;
+	sock.on("data", (c) => dataCb?.(new Uint8Array(c)));
+	sock.on("error", () => sock.destroy());
+	return {
+		write: (bytes) => sock.write(bytes),
+		onData: (cb) => {
+			dataCb = cb;
+		},
+		close: () => sock.destroy(),
+		pause: () => sock.pause(),
+		resume: () => sock.resume()
+	};
+}
+//#endregion
+//#region src/funnel/relay-adapter.ts
+const WEBHOOK_MESSAGE_TYPE = "rine.v1.webhook";
+/** Parse `sha256=<hex>` (X-Hub-Signature-256) or a bare hex (X-Hook-Signature). */
+function parseSignature(headers) {
+	const raw = headers["x-hub-signature-256"] ?? headers["x-hook-signature"];
+	if (!raw) return void 0;
+	const hex = raw.startsWith("sha256=") ? raw.slice(7) : raw;
+	if (!/^[0-9a-fA-F]+$/.test(hex) || hex.length % 2 !== 0) return void 0;
+	return Uint8Array.from(Buffer.from(hex, "hex"));
+}
+/**
+* Constant-time HMAC-SHA-256 verification over the EXACT raw bytes (no JSON
+* re-serialization). A length-mismatched signature fails SAFELY: timingSafeEqual
+* throws on unequal buffers, so we length-guard first.
+*/
+function verifyHmac(secret, rawBody, headers) {
+	const received = parseSignature(headers);
+	if (!received) return false;
+	const computed = createHmac("sha256", secret).update(rawBody).digest();
+	if (received.length !== computed.length) return false;
+	return timingSafeEqual(received, computed);
+}
+/**
+* Verify → encrypt → self-send one webhook. Returns the outcome; never throws out
+* (the caller's tunnel must survive a single bad request). A verify failure drops
+* the conn with no post and no encrypt; a post/key-fetch failure drops the conn
+* after verify with `relayed:false`.
+*/
+async function handleWebhookRequest(deps, req) {
+	const { configDir, agentId, hookName, secret, client, emitLifecycle } = deps;
+	if (!verifyHmac(secret, req.rawBody, req.headers)) {
+		emitLifecycle?.({
+			event: "lifecycle",
+			data: {
+				state: "verify_failed",
+				hook_name: hookName
+			}
+		});
+		return {
+			verified: false,
+			relayed: false
+		};
+	}
+	try {
+		const recipientKeys = await fetchRecipientKeys(client, agentId);
+		const payload = decodePayload(req.rawBody);
+		const encrypted = await encryptMessage(configDir, agentId, recipientKeys.encryption, payload, recipientKeys.pqEncryption);
+		const body = {
+			to_agent_id: agentId,
+			type: WEBHOOK_MESSAGE_TYPE,
+			metadata: { "rine.hook_name": hookName },
+			encrypted_payload: encrypted.encrypted_payload,
+			encryption_version: encrypted.encryption_version,
+			sender_signing_kid: encrypted.sender_signing_kid
+		};
+		const result = await client.post("/messages", body);
+		emitLifecycle?.({
+			event: "lifecycle",
+			data: {
+				state: "webhook_relayed",
+				hook_name: hookName,
+				message_id: result?.id
+			}
+		});
+		return {
+			verified: true,
+			relayed: true
+		};
+	} catch {
+		emitLifecycle?.({
+			event: "lifecycle",
+			data: {
+				state: "relay_error",
+				hook_name: hookName
+			}
+		});
+		return {
+			verified: true,
+			relayed: false
+		};
+	}
+}
+/** Best-effort JSON decode; fall back to the raw text so any body still relays. */
+function decodePayload(rawBody) {
+	const text = new TextDecoder("utf-8").decode(rawBody);
+	try {
+		return JSON.parse(text);
+	} catch {
+		return text;
+	}
+}
+//#endregion
+//#region src/funnel/secret-store.ts
+/** DNS-label-safe hook name (mirrors the backend HOOK_NAME_PATTERN). */
+const HOOK_NAME_RE = /^[a-z0-9]([a-z0-9-]{0,30}[a-z0-9])?$/;
+function isValidHookName(name) {
+	return HOOK_NAME_RE.test(name);
+}
+/** Generate a 32-byte HMAC secret as 64 hex chars (client-side only). */
+function generateHookSecret() {
+	return randomBytes(32).toString("hex");
+}
+/** Directory holding one agent's funnel secrets. */
+function funnelSecretDir(configDir, agentId) {
+	return join(configDir, "funnel", agentId);
+}
+/** Absolute path of a hook's secret file. */
+function hookSecretPath(configDir, agentId, name) {
+	return join(funnelSecretDir(configDir, agentId), `${name}.secret`);
+}
+/**
+* Persist a hook secret atomically with file mode 0600 in a 0700 dir. Returns the
+* path it wrote so callers can tell the operator where the secret lives.
+*/
+function saveHookSecret(configDir, agentId, name, secret) {
+	const dir = funnelSecretDir(configDir, agentId);
+	fs.mkdirSync(dir, {
+		recursive: true,
+		mode: 448
+	});
+	const path = hookSecretPath(configDir, agentId, name);
+	const tmp = `${path}.tmp`;
+	fs.writeFileSync(tmp, secret, { mode: 384 });
+	fs.renameSync(tmp, path);
+	fs.chmodSync(path, 384);
+	return path;
+}
+/** Read a hook secret, or undefined if it is not stored locally. */
+function loadHookSecret(configDir, agentId, name) {
+	try {
+		return fs.readFileSync(hookSecretPath(configDir, agentId, name), "utf-8").trim();
+	} catch {
+		return;
+	}
+}
+/** Remove a hook secret (no error if it is already absent). */
+function deleteHookSecret(configDir, agentId, name) {
+	fs.rmSync(hookSecretPath(configDir, agentId, name), { force: true });
+}
+//#endregion
 //#region src/mls-ops.ts
 /**
 * Generate and upload MLS key packages for an agent, enabling other agents
@@ -2039,4 +3083,4 @@ async function performAgentCreation(client, configDir, profile, params) {
 	return agent;
 }
 //#endregion
-export { DEFAULT_API_URL, HttpClient, MLKEM_CT_SIZE, MLS_CIPHER_SUITE_ID, RineApiError, UUID_RE, VERSION_HYBRID, VERSION_MLS, addMemberToMlsGroup, addMlsGroupMember, advanceChain, agentIdFromKid, agentKeysExist, bytesToUuid, cacheMlsSelfRead, cacheToken, claimKeyPackages, createMlsGroup, decodeEnvelope, decryptGroupMessage, decryptMessage, decryptMlsAppMessage, deleteMlsState, deletePrivateKeyPackage, deriveMessageKey, distributeSenderKey, encodeEnvelope, encryptGroupMessage, encryptMessage, encryptMlsAppMessage, encryptMlsGroupMessage, encryptionPublicKeyToJWK, externalJoinMlsGroup, fetchAgents, fetchAndIngestPendingSKDistributions, fetchGroupInfo, fetchHandshakes, fetchOAuthToken, fetchRecipientKeys, fetchWelcomes, formatError, fromBase64Url, generateAgentKeys, generateEncryptionKeyPair, generateMlsKeyPackage, generatePqKeyPair, generateSenderKey, generateSigningKeyPair, getAgentPublicKeys, getCredentialEntry, getMlsCipherSuite, getMlsContext, getOrCreateSenderKey, getOrRefreshToken, ingestSenderKeyDistribution, initMlsGroup, isBareAgentName, jwkToPqPublicKey, jwkToPublicKey, listPrivateKeyPackages, loadAgentKeys, loadCredentials, loadMlsState, loadPrivateKeyPackage, loadSenderKeyStates, loadTokenCache, lookupMlsSelfRead, mlsAck, mlsCommit, fromBase64 as mlsFromBase64, mlsInit, mlsNack, toBase64 as mlsToBase64, needsRotation, normalizeHandle, open, openGroup, openHybrid, performAgentCreation, performRegistration, pqPublicKeyToJWK, processMlsCommit, processMlsWelcome, processMlsWelcomes, publishMlsKeyPackages, removeMemberFromMlsGroup, removeMlsGroupMember, resolveAgent, resolveApiUrl, resolveConfigDir, resolveHandleViaWebFinger, resolveToUuid, saveAgentKeys, saveCredentials, saveMlsState, savePqEncryptionKey, savePrivateKeyPackages, saveSenderKeyState, saveTokenCache, seal, sealGroup, sealHybrid, signPayload, signingPublicKeyToJWK, solveTimeLock, solveTimeLockWithProgress, submitProposal, syncMlsGroup, toBase64Url, uploadKeyPackages, uuidToBytes, validateEncryptionKey, validatePathId, validateSigningKey, validateSlug, verifySignature };
+export { CONTROL_CONN_ID, DEFAULT_API_URL, FrameError, FrameType, GROUP_INVITE_TYPE, HEADER_LEN, HttpClient, MLKEM_CT_SIZE, MLS_CIPHER_SUITE_ID, PER_CONN_INFLIGHT_CAP, RineApiError, TunnelBindError, UUID_RE, VERSION_HYBRID, VERSION_MLS, WEBHOOK_MESSAGE_TYPE, accountKeyPath, acmeDirectoryUrl, addMemberToMlsGroup, addMlsGroupMember, advanceChain, agentIdFromKid, agentKeysExist, buildAcmeClient, buildIssueCertDeps, bytesToUuid, cacheMlsSelfRead, cacheToken, claimKeyPackages, connectTunnel, createMlsGroup, createMuxClient, decodeEnvelope, decodeFrame, decryptGroupMessage, decryptMessage, decryptMlsAppMessage, deleteHookSecret, deleteMlsState, deletePrivateKeyPackage, deriveMessageKey, distributeSenderKey, encodeEnvelope, encodeFrame, encryptGroupMessage, encryptMessage, encryptMlsAppMessage, encryptMlsGroupMessage, encryptionPublicKeyToJWK, ensureCert, externalJoinMlsGroup, fetchAgents, fetchAndIngestPendingSKDistributions, fetchGroupInfo, fetchHandshakes, fetchOAuthToken, fetchRecipientKeys, fetchWelcomes, formatError, fromBase64Url, funnelCacheDir, funnelSecretDir, generateAgentKeys, generateCertKeypairAndCsr, generateEncryptionKeyPair, generateHookSecret, generateMlsKeyPackage, generatePqKeyPair, generateSenderKey, generateSigningKeyPair, getAgentPublicKeys, getCredentialEntry, getMlsCipherSuite, getMlsContext, getOrCreateSenderKey, getOrRefreshToken, handleCacheDir, handleConnection, handleWebhookRequest, hookFqdn, hookSecretPath, ingestSenderKeyDistribution, initMlsGroup, isBareAgentName, isRenewalDue, isTerminalAcmeError, isValidHookName, issueCert, jitteredDelayMs, jwkToPqPublicKey, jwkToPublicKey, listMyInvites, listPrivateKeyPackages, loadAgentKeys, loadCachedCert, loadCredentials, loadHookSecret, loadMeta, loadMlsState, loadPrivateKeyPackage, loadSenderKeyStates, loadTokenCache, lookupMlsSelfRead, makeAcmeClientDeps, makeDnsPost, mlsAck, mlsCommit, fromBase64 as mlsFromBase64, mlsInit, mlsNack, toBase64 as mlsToBase64, needsRotation, nextBackoffDelayMs, nextReconnectBackoffSeconds, normalizeHandle, open, openGroup, openHybrid, performAgentCreation, performRegistration, pqPublicKeyToJWK, processMlsCommit, processMlsWelcome, processMlsWelcomes, publishMlsKeyPackages, removeMemberFromMlsGroup, removeMlsGroupMember, resolveAgent, resolveApiUrl, resolveConfigDir, resolveHandleViaWebFinger, resolveToUuid, revokeAndWipeCache, saveAgentKeys, saveCert, saveCredentials, saveHookSecret, saveMeta, saveMlsState, savePqEncryptionKey, savePrivateKeyPackages, saveSenderKeyState, saveTokenCache, seal, sealGroup, sealHybrid, sendGroupInviteNotification, signPayload, signingPublicKeyToJWK, solveTimeLock, solveTimeLockWithProgress, startTlsListener, submitProposal, syncMlsGroup, tagLeRateLimit, toBase64Url, uploadKeyPackages, uuidToBytes, validateEncryptionKey, validatePathId, validateSigningKey, validateSlug, verifySignature, waitForTxtPropagation, wipeHandleCache };