@rine-network/core 0.5.2 → 0.6.0

package/dist/src/api-types.d.ts

@@ -133,6 +133,20 @@ export interface WebhookDeliveryRead {
     last_error?: string;
     created_at: string;
 }
+export interface HookRead {
+    hook_name: string;
+    hostname: string;
+    active: boolean;
+    created_at: string;
+    control_ws_url: string;
+}
+export interface HookCreated extends HookRead {
+    agent_id: string;
+}
+export interface HookListResponse {
+    items: HookRead[];
+    total: number;
+}
 export interface VoteResponse {
     request_id: string;
     your_vote: string;

package/dist/src/funnel/acme.d.ts

@@ -0,0 +1,43 @@
+import { Client } from "acme-client";
+import type { HttpClient } from "../http.js";
+import { type AcmeOptions } from "./cert-cache.js";
+import type { IssueCertDeps } from "./issue.js";
+export { waitForTxtPropagation } from "./propagation.js";
+/**
+ * Tag an LE rate-limit failure so backoff.ts classifies it as TERMINAL. Matches
+ * the stable LE stem `too many certificates` so the modern parenthetical-count
+ * wording (`too many certificates (5) already issued ...`) is still caught —
+ * see backoff.ts isTerminalAcmeError, which uses the same stems.
+ */
+export declare function tagLeRateLimit<E extends Error>(err: E): E;
+/**
+ * POST to the backend dns-challenge endpoint, honoring a 429 + Retry-After
+ * (the server-side rate-limit backstop, REQ-CERT-07). The body carries ONLY
+ * {action, value?} — never the FQDN, never key material.
+ */
+export declare function makeDnsPost(http: HttpClient, agentId: string, agentHeaders?: Record<string, string>): IssueCertDeps["dnsPost"];
+/**
+ * Build the production ACME deps. The acme-client `Client` is the order driver;
+ * a per-issuance closure holds the order/challenge between newOrder→validate→
+ * download so the orchestrator's step boundaries map onto the RFC 8555 flow.
+ */
+export declare function makeAcmeClientDeps(client: Client): Pick<IssueCertDeps, "acme">;
+/**
+ * Load (or mint + persist 0600) the ONE shared ACME account key for this relay,
+ * then build an `acme-client` Client against the selected LE directory. One LE
+ * account is reused across all of the relay's hooks (REQ-CERT-12), so repeated
+ * issuances don't churn accounts. The account key never leaves the box.
+ */
+export declare function buildAcmeClient(configDir: string, options: AcmeOptions): Promise<Client>;
+/**
+ * Assemble the full production `IssueCertDeps` the relay (Track E) injects into
+ * `ensureCert` / `revokeAndWipeCache`. Pure wiring: the ACME client drives the
+ * order, the HttpClient brokers the TXT, node:dns confirms propagation.
+ */
+export declare function buildIssueCertDeps(args: {
+    configDir: string;
+    options: AcmeOptions;
+    http: HttpClient;
+    agentId: string;
+    agentHeaders?: Record<string, string>;
+}): Promise<IssueCertDeps>;

package/dist/src/funnel/backoff.d.ts

@@ -0,0 +1,22 @@
+import type { CertMeta } from "./cert-cache.js";
+/**
+ * Full-jitter exponential backoff: a uniform random delay in `[0, ceiling]`
+ * where `ceiling = base * factor^(n-1)`, capped at 1h. Full jitter (not just a
+ * jittered fixed delay) is what de-correlates a fleet of crash-looping relays.
+ * `n` is the 1-based consecutive-failure count (n<=0 is treated as the first).
+ */
+export declare function nextBackoffDelayMs(consecutiveFailures: number): number;
+/**
+ * A cert is due for renewal when `not_after - now <= 30 days` (boundary
+ * inclusive). An already-expired cert is due (and forces a cold issuance).
+ */
+export declare function isRenewalDue(meta: CertMeta, nowMs: number): boolean;
+/**
+ * TERMINAL = an LE rate-limit ceiling that no amount of retrying can clear in
+ * the near term (the duplicate-certificate limit: 5 identical FQDN sets / 7
+ * days, and the per-account failed-validation limit). On a terminal error the
+ * relay stops attempting and surfaces it rather than burning the LE budget.
+ * Ordinary transient failures (timeouts, propagation, provider 502) are NOT
+ * terminal — they retry on the backoff schedule.
+ */
+export declare function isTerminalAcmeError(err: unknown): boolean;

package/dist/src/funnel/cert-cache.d.ts

@@ -0,0 +1,52 @@
+/** ACME directory selection. `RINE_ACME_STAGING=1` env is also honored. */
+export type AcmeOptions = {
+    staging?: boolean;
+};
+/**
+ * Resolve the ACME directory URL. Production by default; staging when either
+ * `opts.staging` is set or `RINE_ACME_STAGING=1` is in the environment, so dev
+ * never burns the production LE rate limits. Shares the single `isStaging`
+ * decision with the cache-path split so a cert's directory_url and its cache
+ * subtree are always derived from the same flag.
+ */
+export declare function acmeDirectoryUrl(opts: AcmeOptions): string;
+/**
+ * Order/renewal metadata persisted alongside the cert. `consecutive_failures`
+ * is the persisted ACME-storm backoff counter (REQ-CERT-13) — it survives a
+ * crash-loop so a buggy relay can never reset its own backoff to zero on boot.
+ */
+export interface CertMeta {
+    directory_url: string;
+    not_after: string;
+    /**
+     * The cert handle, kept as a local cache label only (historical field name —
+     * there is no DNS delegation anymore; the TXT lives directly at
+     * `_acme-challenge.<cert-domain>.hook.rine.network`). Drives nothing security-
+     * relevant; it only labels the cache and seeds the never-hit poll fallback.
+     */
+    delegation_id: string;
+    last_attempt_ts: number;
+    consecutive_failures: number;
+}
+export interface CachedCert {
+    certPem: string;
+    keyPem: string;
+    meta: CertMeta;
+}
+/** `${configDir}/funnel` (prod) or `${configDir}/funnel/staging` (staging). */
+export declare function funnelCacheDir(configDir: string, opts: AcmeOptions): string;
+/** The per-handle cache dir under the (staging-segregated) funnel root. */
+export declare function handleCacheDir(configDir: string, handle: string, opts: AcmeOptions): string;
+/** One LE account key per relay, shared across handles, at the funnel root. */
+export declare function accountKeyPath(configDir: string, opts: AcmeOptions): string;
+export declare function saveMeta(configDir: string, handle: string, opts: AcmeOptions, meta: CertMeta): void;
+export declare function loadMeta(configDir: string, handle: string, opts: AcmeOptions): CertMeta | null;
+export declare function saveCert(configDir: string, handle: string, opts: AcmeOptions, cert: CachedCert): void;
+/**
+ * Returns the cached cert ONLY if cert+key+meta are all present AND the meta's
+ * directory_url matches the requested mode (staging cert never served in prod).
+ * Any partial/corrupt cache reads back as `null` — never a half-cert.
+ */
+export declare function loadCachedCert(configDir: string, handle: string, opts: AcmeOptions): CachedCert | null;
+/** Scoped wipe of one handle's cache dir (REQ-CERT-16). Other handles untouched. */
+export declare function wipeHandleCache(configDir: string, handle: string, opts: AcmeOptions): void;

package/dist/src/funnel/cert.d.ts

@@ -0,0 +1,45 @@
+import { type AcmeOptions } from "./cert-cache.js";
+import { type IssueCertDeps, type IssuedCert } from "./issue.js";
+export type { AcmeOptions, CachedCert, CertMeta } from "./cert-cache.js";
+export { accountKeyPath, acmeDirectoryUrl, funnelCacheDir, handleCacheDir, loadCachedCert, loadMeta, saveCert, saveMeta, wipeHandleCache, } from "./cert-cache.js";
+export { isRenewalDue, isTerminalAcmeError, nextBackoffDelayMs, } from "./backoff.js";
+export { type KeypairAndCsr, generateCertKeypairAndCsr, hookFqdn, } from "./csr.js";
+export { type IssueCertDeps, type IssuedCert, issueCert } from "./issue.js";
+export interface EnsureCertResult extends IssuedCert {
+    ready: boolean;
+    fromCache: boolean;
+}
+/**
+ * Cold-start readiness gate (REQ-CERT-32) + cache reuse + persisted backoff
+ * (REQ-CERT-13). A valid, fresh cached cert opens the gate immediately with NO
+ * ACME round-trip. Otherwise issue, persist atomically, and reset the failure
+ * counter on success. On failure the persisted `consecutive_failures` is bumped
+ * (read from the prior meta so a crash-loop never resets it to zero) and the
+ * error re-thrown — a failed cold start installs NOTHING (gate stays closed).
+ */
+export declare function ensureCert(args: {
+    handle: string;
+    agentId: string;
+    /**
+     * The cert handle (the relay passes its own `<handle>`). Persisted as
+     * `meta.delegation_id` purely as a local cache label and used to build the
+     * never-hit propagation-poll fallback FQDN — the server always returns the
+     * authoritative `_acme-challenge.<cert-domain>.hook.rine.network` directly.
+     */
+    delegationId: string;
+    configDir: string;
+    options: AcmeOptions;
+    deps: IssueCertDeps;
+}): Promise<EnsureCertResult>;
+/**
+ * Graceful teardown (REQ-CERT-16): best-effort ACME revoke (relay-local — the
+ * server holds no key and cannot revoke, REQ-CERT-15), then a SCOPED wipe of
+ * just this handle's cache dir. A revoke failure (offline) is swallowed; the
+ * local wipe is the meaningful local effect and always runs.
+ */
+export declare function revokeAndWipeCache(args: {
+    handle: string;
+    configDir: string;
+    options: AcmeOptions;
+    deps: IssueCertDeps;
+}): Promise<void>;

package/dist/src/funnel/csr.d.ts

@@ -0,0 +1,19 @@
+export { acmeDirectoryUrl } from "./cert-cache.js";
+/** The publicly-trusted hostname this relay terminates TLS for. */
+export declare function hookFqdn(handle: string): string;
+export interface KeypairAndCsr {
+    /** Cert private key (PKCS#8 PEM) — LOCAL storage only, never transmitted. */
+    keyPem: string;
+    /** CSR (PEM) — the only artifact sent to LE; carries the public key only. */
+    csrPem: string;
+    commonName: string;
+    subjectAltNames: string[];
+    keyAlgorithm: "EC";
+    keyCurve: string;
+}
+/**
+ * Generate a fresh EC P-256 keypair (node:crypto) and a CSR for
+ * `<handle>.hook.rine.network` whose CN and single SAN are that FQDN. A fresh,
+ * unique key is minted on every call — no key reuse across issuances/renewals.
+ */
+export declare function generateCertKeypairAndCsr(handle: string): Promise<KeypairAndCsr>;

package/dist/src/funnel/index.d.ts

@@ -0,0 +1,6 @@
+export * from "./cert.js";
+export * from "./acme.js";
+export * from "./tunnel.js";
+export * from "./tls-listener.js";
+export * from "./relay-adapter.js";
+export * from "./secret-store.js";

package/dist/src/funnel/issue.d.ts

@@ -0,0 +1,74 @@
+import type { CertMeta } from "./cert-cache.js";
+/** Injectable externals. ALL are mocked in unit tests — never hits LE/DNS/net. */
+export interface IssueCertDeps {
+    acme: {
+        /** Place an ACME order; returns the DNS-01 token + the challenge types LE offered. */
+        newOrder(args: {
+            handle: string;
+            directoryUrl: string;
+        }): Promise<{
+            dnsChallengeToken: string;
+            challengeTypesOffered: string[];
+        }>;
+        /** Tell LE to validate the challenge (only after DNS has propagated). */
+        validate(args: {
+            handle: string;
+        }): Promise<void>;
+        /** Finalize the order with the CSR and download the issued chain. */
+        finalizeAndDownload(args: {
+            handle: string;
+            csrPem: string;
+        }): Promise<{
+            certPem: string;
+        }>;
+        /** Relay-local revocation using the relay's own cert+account key. */
+        revoke(args: {
+            certPem: string;
+            directoryUrl: string;
+        }): Promise<void>;
+    };
+    /**
+     * POST {action:"set",value} | {action:"clear"} to the dns-challenge endpoint.
+     * The `set` response carries `{status,fqdn}` where `fqdn` is
+     * `_acme-challenge.<cert-domain>.hook.rine.network` — the relative TXT rrset
+     * the backend wrote DIRECTLY in the single `rine.network` zone (no CNAME, no
+     * `acme.` delegation subzone). It is the source of truth for the propagation
+     * poll (the relay never derives it).
+     */
+    dnsPost(action: "set" | "clear", value?: string): Promise<DnsChallengeResult>;
+    /** Bounded poll of the authoritative DNS at `fqdn` until the TXT propagates. */
+    waitForPropagation(args: {
+        fqdn: string;
+    }): Promise<void>;
+    now(): number;
+}
+/** The dns-challenge endpoint response (REQ-CERT-08): `set` echoes the `fqdn`. */
+export interface DnsChallengeResult {
+    status?: string;
+    fqdn?: string;
+}
+export interface IssuedCert {
+    certPem: string;
+    keyPem: string;
+    meta: CertMeta;
+}
+/**
+ * Run one ACME DNS-01 issuance. Sequence (REQ-CERT-10):
+ *   newOrder -> dns:set -> waitForPropagation -> validate -> download -> dns:clear
+ * The TXT is cleared in a `finally` so a FAILED order still cleans up its record
+ * (no lingering challenge). Propagation is awaited BEFORE asking LE to validate
+ * so a slow zone never burns a validation attempt.
+ */
+export declare function issueCert(args: {
+    handle: string;
+    agentId: string;
+    /**
+     * The cert handle — the relay passes its own `<handle>` here. Used only as a
+     * local cache label (persisted as `meta.delegation_id`) and to build the
+     * NEVER-HIT propagation-poll fallback FQDN below; the server always echoes the
+     * authoritative `fqdn` in its `set` response, so this fallback is dead in prod.
+     */
+    delegationId: string;
+    directoryUrl: string;
+    deps: IssueCertDeps;
+}): Promise<IssuedCert>;

package/dist/src/funnel/mux-client.d.ts

@@ -0,0 +1,40 @@
+import { type Frame } from "./mux-codec.js";
+/** Per-conn in-flight cap before the relay pauses reading from the broker. */
+export declare const PER_CONN_INFLIGHT_CAP: number;
+/** A local byte pipe (the TLS-terminating listener conn) the relay drives. */
+export interface LocalPipe {
+    write(bytes: Uint8Array): void;
+    onData(cb: (bytes: Uint8Array) => void): void;
+    close(): void;
+    pause?(): void;
+    resume?(): void;
+}
+/** The minimal WS surface the driver needs (real WebSocket or a fake in tests). */
+export interface MuxWs {
+    send(data: Uint8Array): void;
+    onBinary(cb: (data: Uint8Array) => void): void;
+    onClose?(cb: () => void): void;
+    close(): void;
+}
+export interface MuxClientArgs {
+    ws: MuxWs;
+    openLocalPipe(frame: Frame): LocalPipe;
+    maxFrameBytes?: number;
+}
+export interface MuxClient {
+    start(): void;
+    handleFrame(frame: Frame): void;
+}
+/**
+ * Build a mux client over `ws`. `start()` wires the WS binary + close callbacks;
+ * `handleFrame` is exposed so a caller (and the unit tests) can drive a single
+ * decoded frame directly.
+ */
+export declare function createMuxClient(args: MuxClientArgs): MuxClient;
+/**
+ * Reconnect backoff progression, identical to stream.ts: double, capped at 30s.
+ * `1 → 2 → 4 → 8 → 16 → 30 → 30`.
+ */
+export declare function nextReconnectBackoffSeconds(backoffSeconds: number): number;
+/** Full jitter over the current backoff window — identical to stream.ts. */
+export declare function jitteredDelayMs(backoffSeconds: number): number;

package/dist/src/funnel/mux-codec.d.ts

@@ -0,0 +1,37 @@
+/** Fixed mux header size: type(1) + conn_id(4) + len(4). */
+export declare const HEADER_LEN = 9;
+/** conn_id 0 is reserved for the control plane (BIND and keepalive). */
+export declare const CONTROL_CONN_ID = 0;
+/** Frame type discriminants. WINDOW (0x07) is intentionally absent. */
+export declare const FrameType: {
+    readonly OPEN: 1;
+    readonly DATA: 2;
+    readonly CLOSE: 3;
+    readonly RESET: 4;
+    readonly BIND: 16;
+    readonly BIND_ACK: 17;
+    readonly BIND_NAK: 18;
+};
+export type FrameType = (typeof FrameType)[keyof typeof FrameType];
+export interface Frame {
+    frameType: FrameType;
+    connId: number;
+    payload: Uint8Array;
+}
+/** A framing/protocol fault. The broker maps these to WS close codes (1002/1009). */
+export declare class FrameError extends Error {
+    constructor(message: string);
+}
+/**
+ * Encode a frame into one WS-binary message body. Rejects an over-`maxFrameBytes`
+ * payload and any type the codec does not know (so the relay can never put a
+ * WINDOW/0x07 frame on the wire) before allocating.
+ */
+export declare function encodeFrame(frame: Frame, maxFrameBytes: number): Uint8Array;
+/**
+ * Decode one WS-binary message body into a Frame, enforcing every REQ-TUN-05
+ * rule: unknown/reserved type (incl. WINDOW 0x07), short header, declared-len
+ * mismatch, conn_id=0 on a data frame, non-zero conn_id on a control frame, and
+ * an over-`maxFrameBytes` payload.
+ */
+export declare function decodeFrame(buf: Uint8Array, maxFrameBytes: number): Frame;

package/dist/src/funnel/propagation.d.ts

@@ -0,0 +1,11 @@
+export declare function sleep(ms: number): Promise<void>;
+/**
+ * Poll the authoritative DNS for the challenge TXT at the server-returned
+ * `_acme-challenge.<cert-domain>.hook.rine.network` until it resolves (bounded,
+ * ≤120s) before telling LE to validate, so a slow zone never burns a validation
+ * attempt. The FQDN is the one the backend wrote the TXT under (the
+ * dns-challenge `set` response's `fqdn`) — never derived from a relay-side guess.
+ */
+export declare function waitForTxtPropagation(args: {
+    fqdn: string;
+}): Promise<void>;

package/dist/src/funnel/relay-adapter.d.ts

@@ -0,0 +1,27 @@
+import type { HttpClient } from "../http.js";
+export declare const WEBHOOK_MESSAGE_TYPE = "rine.v1.webhook";
+/** A single inbound webhook request as the local TLS listener parsed it. */
+export interface WebhookRequest {
+    headers: Record<string, string>;
+    rawBody: Uint8Array;
+}
+export interface RelayAdapterDeps {
+    configDir: string;
+    agentId: string;
+    hookName: string;
+    secret: string;
+    client: Pick<HttpClient, "get" | "post">;
+    /** Lifecycle sink (stream.ts shape). NEVER receives body/secret/signature. */
+    emitLifecycle?(ev: Record<string, unknown>): void;
+}
+export interface RelayResult {
+    verified: boolean;
+    relayed: boolean;
+}
+/**
+ * Verify → encrypt → self-send one webhook. Returns the outcome; never throws out
+ * (the caller's tunnel must survive a single bad request). A verify failure drops
+ * the conn with no post and no encrypt; a post/key-fetch failure drops the conn
+ * after verify with `relayed:false`.
+ */
+export declare function handleWebhookRequest(deps: RelayAdapterDeps, req: WebhookRequest): Promise<RelayResult>;

package/dist/src/funnel/secret-store.d.ts

@@ -0,0 +1,16 @@
+export declare function isValidHookName(name: string): boolean;
+/** Generate a 32-byte HMAC secret as 64 hex chars (client-side only). */
+export declare function generateHookSecret(): string;
+/** Directory holding one agent's funnel secrets. */
+export declare function funnelSecretDir(configDir: string, agentId: string): string;
+/** Absolute path of a hook's secret file. */
+export declare function hookSecretPath(configDir: string, agentId: string, name: string): string;
+/**
+ * Persist a hook secret atomically with file mode 0600 in a 0700 dir. Returns the
+ * path it wrote so callers can tell the operator where the secret lives.
+ */
+export declare function saveHookSecret(configDir: string, agentId: string, name: string, secret: string): string;
+/** Read a hook secret, or undefined if it is not stored locally. */
+export declare function loadHookSecret(configDir: string, agentId: string, name: string): string | undefined;
+/** Remove a hook secret (no error if it is already absent). */
+export declare function deleteHookSecret(configDir: string, agentId: string, name: string): void;

package/dist/src/funnel/tls-listener.d.ts

@@ -0,0 +1,32 @@
+import { type TLSSocket } from "node:tls";
+import type { LocalPipe } from "./mux-client.js";
+import type { Frame } from "./mux-codec.js";
+import type { WebhookRequest } from "./relay-adapter.js";
+export interface TlsListener {
+    port: number;
+    close(): void;
+    /** A LocalPipe factory for the mux client — one loopback conn per mux OPEN. */
+    openLocalPipe(frame: Frame): LocalPipe;
+}
+export interface TlsListenerArgs {
+    port: number;
+    certPem: string;
+    keyPem: string;
+    /** Handle one decoded request; resolves when the relay is done with it. */
+    onRequest(req: WebhookRequest): Promise<void>;
+}
+/**
+ * Stand up the loopback TLS listener. Each accepted socket is one webhook
+ * delivery: parse the HTTP request head + body, hand the RAW body to `onRequest`,
+ * then write a minimal 204/400 response and close (GitHub only needs a 2xx).
+ */
+export declare function startTlsListener(args: TlsListenerArgs): Promise<TlsListener>;
+/**
+ * Buffer one HTTP request off the TLS socket and dispatch as soon as the full
+ * body has arrived. A real HTTP/1.1 client (GitHub) sends the request then BLOCKS
+ * on the response WITHOUT half-closing, so triggering on the socket `"end"` (EOF)
+ * deadlocks until the client's own timeout. Instead we dispatch the moment we have
+ * the head plus a `Content-Length`-worth of body; `"end"` stays a fallback for the
+ * no-body / chunked / EOF-terminated cases. `handled` guards single dispatch.
+ */
+export declare function handleConnection(socket: TLSSocket, onRequest: TlsListenerArgs["onRequest"]): void;

package/dist/src/funnel/tunnel.d.ts

@@ -0,0 +1,46 @@
+import { type LocalPipe } from "./mux-client.js";
+import { type Frame } from "./mux-codec.js";
+export * from "./mux-codec.js";
+export * from "./mux-client.js";
+/** Negotiated per-tunnel caps the broker returns in BIND_ACK. */
+export interface TunnelCaps {
+    max_conns: number;
+    per_conn_inflight_bytes: number;
+    max_frame_bytes: number;
+    heartbeat_secs: number;
+}
+/**
+ * Why the control WS closed. `clean` (WS close 1000/1001 or a bare TCP drop with
+ * no abnormal code) maps to an orderly broker close — the relay reconnects
+ * immediately (REQ-TUN-14). Any other / abnormal code (1002/1009/1011/…) is an
+ * error and gets the jittered backoff.
+ */
+export interface TunnelClose {
+    code: number;
+    clean: boolean;
+}
+/** A bind rejection (BIND_NAK / ownership failure). `revoked` stops the relay. */
+export declare class TunnelBindError extends Error {
+    readonly revoked = true;
+    constructor(reason: string);
+}
+export interface ConnectTunnelArgs {
+    controlWsUrl: string;
+    token: string;
+    agentId: string;
+    hostname: string;
+    openLocalPipe(frame: Frame): LocalPipe;
+}
+export interface TunnelHandle {
+    caps: TunnelCaps;
+    close(): void;
+    /** The callback receives the classified close so the relay can pick its reconnect policy. */
+    onClose(cb: (close: TunnelClose) => void): void;
+}
+/**
+ * Open the control WS (Bearer at the upgrade — Node 24's global WebSocket takes
+ * a `{protocols, headers}` options object), perform the BIND handshake, and wire
+ * the mux driver. The returned handle resolves once BIND_ACK arrives; a BIND_NAK
+ * rejects with a TunnelBindError (the relay treats it as revoked and stops).
+ */
+export declare function connectTunnel(args: ConnectTunnelArgs): Promise<TunnelHandle>;

package/dist/src/index.d.ts

@@ -9,6 +9,7 @@ export * from "./timelock.js";
 export * from "./sender-key-ops.js";
 export * from "./group-invite-ops.js";
 export * from "./crypto/index.js";
+export * from "./funnel/index.js";
 export * from "./mls-ops.js";
 export { externalJoinMlsGroup } from "./mls-ops.js";
 export { performRegistration, performAgentCreation, validateSlug } from "./onboard.js";

package/dist/test/funnel/cert.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/funnel/no-body-log-structural.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/funnel/relay-adapter.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/funnel/tls-listener.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/funnel/tunnel.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/setup.d.ts

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@rine-network/core",
-	"version": "0.5.2",
+	"version": "0.6.0",
 	"description": "Core library for rine.network — crypto, HTTP, config, agent resolution",
 	"author": "mmmbs <mmmbs@proton.me>",
 	"license": "EUPL-1.2",
@@ -29,6 +29,7 @@
 		"@noble/curves": "^2.0.1",
 		"@noble/hashes": "^2.0.1",
 		"@noble/post-quantum": "^0.6.1",
+		"acme-client": "^5.4.0",
 		"ts-mls": "^2.0.0-rc.13"
 	},
 	"devDependencies": {