@rookdaemon/agora 0.2.8 → 0.2.9

package/dist/index.js

@@ -1,30 +1,1136 @@
-export * from './identity/keypair.js';
-export * from './message/envelope.js';
-export * from './registry/capability.js';
-export * from './registry/peer.js';
-export * from './registry/peer-store.js';
-export * from './registry/messages.js';
-export * from './registry/discovery-service.js';
-export * from './message/types/paper-discovery.js';
-export * from './message/types/peer-discovery.js';
-export * from './transport/http.js';
-export * from './transport/peer-config.js';
-export * from './config.js';
-export * from './relay/server.js';
-export * from './relay/client.js';
-export * from './relay/types.js';
-export * from './relay/message-buffer.js';
-export * from './relay/store.js';
-export { createToken, revokeToken, requireAuth, } from './relay/jwt-auth.js';
-export { createRestRouter, } from './relay/rest-api.js';
-export { runRelay } from './relay/run-relay.js';
-export * from './utils.js';
-export * from './service.js';
-export * from './discovery/peer-discovery.js';
-export * from './discovery/bootstrap.js';
-export * from './reputation/types.js';
-export * from './reputation/verification.js';
-export * from './reputation/commit-reveal.js';
-export * from './reputation/scoring.js';
-export * from './reputation/store.js';
+import {
+  DEFAULT_BOOTSTRAP_RELAYS,
+  MessageStore,
+  PeerDiscoveryService,
+  RelayClient,
+  RelayServer,
+  ReputationStore,
+  canonicalize,
+  computeAllTrustScores,
+  computeId,
+  computeTrustScore,
+  computeTrustScores,
+  createCommit,
+  createEnvelope,
+  createReveal,
+  createVerification,
+  decay,
+  decodeInboundEnvelope,
+  exportKeyPair,
+  formatDisplayName,
+  generateKeyPair,
+  getDefaultBootstrapRelay,
+  hashPrediction,
+  importKeyPair,
+  initPeerConfig,
+  loadPeerConfig,
+  parseBootstrapRelay,
+  resolveBroadcastName,
+  savePeerConfig,
+  sendToPeer,
+  sendViaRelay,
+  shortKey,
+  signMessage,
+  validateCommitRecord,
+  validateRevealRecord,
+  validateVerificationRecord,
+  verifyEnvelope,
+  verifyReveal,
+  verifySignature,
+  verifyVerificationSignature
+} from "./chunk-JUOGKXFN.js";
+
+// src/registry/capability.ts
+import { createHash } from "crypto";
+function stableStringify(value) {
+  if (value === null || value === void 0) return JSON.stringify(value);
+  if (typeof value !== "object") return JSON.stringify(value);
+  if (Array.isArray(value)) {
+    return "[" + value.map(stableStringify).join(",") + "]";
+  }
+  const keys = Object.keys(value).sort();
+  const pairs = keys.map((k) => JSON.stringify(k) + ":" + stableStringify(value[k]));
+  return "{" + pairs.join(",") + "}";
+}
+function computeCapabilityId(name, version, inputSchema, outputSchema) {
+  const data = {
+    name,
+    version,
+    ...inputSchema !== void 0 ? { inputSchema } : {},
+    ...outputSchema !== void 0 ? { outputSchema } : {}
+  };
+  const canonical = stableStringify(data);
+  return createHash("sha256").update(canonical).digest("hex");
+}
+function createCapability(name, version, description, options = {}) {
+  const { inputSchema, outputSchema, tags = [] } = options;
+  const id = computeCapabilityId(name, version, inputSchema, outputSchema);
+  return {
+    id,
+    name,
+    version,
+    description,
+    ...inputSchema !== void 0 ? { inputSchema } : {},
+    ...outputSchema !== void 0 ? { outputSchema } : {},
+    tags
+  };
+}
+function validateCapability(capability) {
+  const errors = [];
+  if (!capability || typeof capability !== "object") {
+    return { valid: false, errors: ["Capability must be an object"] };
+  }
+  const cap = capability;
+  if (!cap.id || typeof cap.id !== "string") {
+    errors.push("Missing or invalid field: id (must be a string)");
+  }
+  if (!cap.name || typeof cap.name !== "string") {
+    errors.push("Missing or invalid field: name (must be a string)");
+  }
+  if (!cap.version || typeof cap.version !== "string") {
+    errors.push("Missing or invalid field: version (must be a string)");
+  }
+  if (!cap.description || typeof cap.description !== "string") {
+    errors.push("Missing or invalid field: description (must be a string)");
+  }
+  if (!Array.isArray(cap.tags)) {
+    errors.push("Missing or invalid field: tags (must be an array)");
+  } else if (!cap.tags.every((tag) => typeof tag === "string")) {
+    errors.push("Invalid field: tags (all elements must be strings)");
+  }
+  if (cap.inputSchema !== void 0 && (typeof cap.inputSchema !== "object" || cap.inputSchema === null)) {
+    errors.push("Invalid field: inputSchema (must be an object)");
+  }
+  if (cap.outputSchema !== void 0 && (typeof cap.outputSchema !== "object" || cap.outputSchema === null)) {
+    errors.push("Invalid field: outputSchema (must be an object)");
+  }
+  if (errors.length > 0) {
+    return { valid: false, errors };
+  }
+  return { valid: true };
+}
+
+// src/registry/peer-store.ts
+var PeerStore = class {
+  peers = /* @__PURE__ */ new Map();
+  /**
+   * Add or update a peer in the store.
+   * If a peer with the same publicKey exists, it will be updated.
+   * 
+   * @param peer - The peer to add or update
+   */
+  addOrUpdatePeer(peer) {
+    this.peers.set(peer.publicKey, peer);
+  }
+  /**
+   * Remove a peer from the store.
+   * 
+   * @param publicKey - The public key of the peer to remove
+   * @returns true if the peer was removed, false if it didn't exist
+   */
+  removePeer(publicKey) {
+    return this.peers.delete(publicKey);
+  }
+  /**
+   * Get a peer by their public key.
+   * 
+   * @param publicKey - The public key of the peer to retrieve
+   * @returns The peer if found, undefined otherwise
+   */
+  getPeer(publicKey) {
+    return this.peers.get(publicKey);
+  }
+  /**
+   * Find all peers that offer a specific capability by name.
+   * 
+   * @param name - The capability name to search for
+   * @returns Array of peers that have a capability with the given name
+   */
+  findByCapability(name) {
+    const result = [];
+    for (const peer of this.peers.values()) {
+      const hasCapability = peer.capabilities.some((cap) => cap.name === name);
+      if (hasCapability) {
+        result.push(peer);
+      }
+    }
+    return result;
+  }
+  /**
+   * Find all peers that have capabilities with a specific tag.
+   * 
+   * @param tag - The tag to search for
+   * @returns Array of peers that have at least one capability with the given tag
+   */
+  findByTag(tag) {
+    const result = [];
+    for (const peer of this.peers.values()) {
+      const hasTag = peer.capabilities.some((cap) => cap.tags.includes(tag));
+      if (hasTag) {
+        result.push(peer);
+      }
+    }
+    return result;
+  }
+  /**
+   * Get all peers in the store.
+   * 
+   * @returns Array of all peers
+   */
+  allPeers() {
+    return Array.from(this.peers.values());
+  }
+  /**
+   * Remove peers that haven't been seen within the specified time window.
+   * 
+   * @param maxAgeMs - Maximum age in milliseconds. Peers older than this will be removed.
+   * @param currentTime - Current timestamp (ms), defaults to Date.now()
+   * @returns Number of peers removed
+   */
+  prune(maxAgeMs, currentTime = Date.now()) {
+    const cutoff = currentTime - maxAgeMs;
+    let removed = 0;
+    for (const [publicKey, peer] of this.peers.entries()) {
+      if (peer.lastSeen < cutoff) {
+        this.peers.delete(publicKey);
+        removed++;
+      }
+    }
+    return removed;
+  }
+};
+
+// src/registry/discovery-service.ts
+var DiscoveryService = class {
+  constructor(peerStore, identity) {
+    this.peerStore = peerStore;
+    this.identity = identity;
+  }
+  /**
+   * Announce own capabilities to the network.
+   * Creates a capability_announce envelope that can be broadcast to peers.
+   * 
+   * @param capabilities - List of capabilities this agent offers
+   * @param metadata - Optional metadata about this agent
+   * @returns A signed capability_announce envelope
+   */
+  announce(capabilities, metadata) {
+    const payload = {
+      publicKey: this.identity.publicKey,
+      capabilities,
+      metadata: metadata ? {
+        ...metadata,
+        lastSeen: Date.now()
+      } : {
+        lastSeen: Date.now()
+      }
+    };
+    return createEnvelope(
+      "capability_announce",
+      this.identity.publicKey,
+      this.identity.privateKey,
+      payload
+    );
+  }
+  /**
+   * Handle an incoming capability_announce message.
+   * Updates the peer store with the announced capabilities.
+   * 
+   * @param envelope - The capability_announce envelope to process
+   */
+  handleAnnounce(envelope) {
+    const { payload } = envelope;
+    const peer = {
+      publicKey: payload.publicKey,
+      capabilities: payload.capabilities,
+      lastSeen: payload.metadata?.lastSeen || envelope.timestamp,
+      metadata: payload.metadata ? {
+        name: payload.metadata.name,
+        version: payload.metadata.version
+      } : void 0
+    };
+    this.peerStore.addOrUpdatePeer(peer);
+  }
+  /**
+   * Create a capability query payload.
+   * 
+   * @param queryType - Type of query: 'name', 'tag', or 'schema'
+   * @param query - The query value (capability name, tag, or schema)
+   * @param filters - Optional filters (limit, minTrustScore)
+   * @returns A capability_query payload
+   */
+  query(queryType, query, filters) {
+    return {
+      queryType,
+      query,
+      filters
+    };
+  }
+  /**
+   * Handle an incoming capability_query message.
+   * Searches the local peer store and returns matching peers.
+   * 
+   * @param envelope - The capability_query envelope to process
+   * @returns A capability_response envelope with matching peers
+   */
+  handleQuery(envelope) {
+    const { payload } = envelope;
+    let peers = [];
+    if (payload.queryType === "name" && typeof payload.query === "string") {
+      peers = this.peerStore.findByCapability(payload.query);
+    } else if (payload.queryType === "tag" && typeof payload.query === "string") {
+      peers = this.peerStore.findByTag(payload.query);
+    } else if (payload.queryType === "schema") {
+      peers = [];
+    }
+    const limit = payload.filters?.limit;
+    const totalMatches = peers.length;
+    if (limit !== void 0 && limit > 0) {
+      peers = peers.slice(0, limit);
+    }
+    const responsePeers = peers.map((peer) => ({
+      publicKey: peer.publicKey,
+      capabilities: peer.capabilities,
+      metadata: peer.metadata ? {
+        name: peer.metadata.name,
+        version: peer.metadata.version,
+        lastSeen: peer.lastSeen
+      } : {
+        lastSeen: peer.lastSeen
+      },
+      // Trust score integration deferred to Phase 2b (RFC-001)
+      trustScore: void 0
+    }));
+    const responsePayload = {
+      queryId: envelope.id,
+      peers: responsePeers,
+      totalMatches
+    };
+    return createEnvelope(
+      "capability_response",
+      this.identity.publicKey,
+      this.identity.privateKey,
+      responsePayload,
+      Date.now(),
+      envelope.id
+      // inReplyTo
+    );
+  }
+  /**
+   * Remove peers that haven't been seen within the specified time window.
+   * 
+   * @param maxAgeMs - Maximum age in milliseconds
+   * @returns Number of peers removed
+   */
+  pruneStale(maxAgeMs, currentTime = Date.now()) {
+    return this.peerStore.prune(maxAgeMs, currentTime);
+  }
+};
+
+// src/message/types/peer-discovery.ts
+function validatePeerListRequest(payload) {
+  const errors = [];
+  if (typeof payload !== "object" || payload === null) {
+    errors.push("Payload must be an object");
+    return { valid: false, errors };
+  }
+  const p = payload;
+  if (p.filters !== void 0) {
+    if (typeof p.filters !== "object" || p.filters === null) {
+      errors.push("filters must be an object");
+    } else {
+      const filters = p.filters;
+      if (filters.activeWithin !== void 0 && typeof filters.activeWithin !== "number") {
+        errors.push("filters.activeWithin must be a number");
+      }
+      if (filters.limit !== void 0 && typeof filters.limit !== "number") {
+        errors.push("filters.limit must be a number");
+      }
+    }
+  }
+  return { valid: errors.length === 0, errors };
+}
+function validatePeerListResponse(payload) {
+  const errors = [];
+  if (typeof payload !== "object" || payload === null) {
+    errors.push("Payload must be an object");
+    return { valid: false, errors };
+  }
+  const p = payload;
+  if (!Array.isArray(p.peers)) {
+    errors.push("peers must be an array");
+  } else {
+    p.peers.forEach((peer, index) => {
+      if (typeof peer !== "object" || peer === null) {
+        errors.push(`peers[${index}] must be an object`);
+        return;
+      }
+      const peerObj = peer;
+      if (typeof peerObj.publicKey !== "string") {
+        errors.push(`peers[${index}].publicKey must be a string`);
+      }
+      if (typeof peerObj.lastSeen !== "number") {
+        errors.push(`peers[${index}].lastSeen must be a number`);
+      }
+    });
+  }
+  if (typeof p.totalPeers !== "number") {
+    errors.push("totalPeers must be a number");
+  }
+  if (typeof p.relayPublicKey !== "string") {
+    errors.push("relayPublicKey must be a string");
+  }
+  return { valid: errors.length === 0, errors };
+}
+function validatePeerReferral(payload) {
+  const errors = [];
+  if (typeof payload !== "object" || payload === null) {
+    errors.push("Payload must be an object");
+    return { valid: false, errors };
+  }
+  const p = payload;
+  if (typeof p.publicKey !== "string") {
+    errors.push("publicKey must be a string");
+  }
+  if (p.endpoint !== void 0 && typeof p.endpoint !== "string") {
+    errors.push("endpoint must be a string");
+  }
+  if (p.comment !== void 0 && typeof p.comment !== "string") {
+    errors.push("comment must be a string");
+  }
+  if (p.trustScore !== void 0 && typeof p.trustScore !== "number") {
+    errors.push("trustScore must be a number");
+  }
+  return { valid: errors.length === 0, errors };
+}
+
+// src/config.ts
+import { readFileSync, existsSync } from "fs";
+import { readFile } from "fs/promises";
+import { resolve } from "path";
+import { homedir } from "os";
+function getDefaultConfigPath() {
+  if (process.env.AGORA_CONFIG) {
+    return resolve(process.env.AGORA_CONFIG);
+  }
+  return resolve(homedir(), ".config", "agora", "config.json");
+}
+function parseConfig(config) {
+  const rawIdentity = config.identity;
+  if (!rawIdentity?.publicKey || !rawIdentity?.privateKey) {
+    throw new Error("Invalid config: missing identity.publicKey or identity.privateKey");
+  }
+  const identity = {
+    publicKey: rawIdentity.publicKey,
+    privateKey: rawIdentity.privateKey,
+    name: typeof rawIdentity.name === "string" ? rawIdentity.name : void 0
+  };
+  const peers = {};
+  if (config.peers && typeof config.peers === "object") {
+    for (const [name, entry] of Object.entries(config.peers)) {
+      const peer = entry;
+      if (peer && typeof peer.publicKey === "string") {
+        peers[name] = {
+          publicKey: peer.publicKey,
+          url: typeof peer.url === "string" ? peer.url : void 0,
+          token: typeof peer.token === "string" ? peer.token : void 0,
+          name: typeof peer.name === "string" ? peer.name : void 0
+        };
+      }
+    }
+  }
+  let relay;
+  const rawRelay = config.relay;
+  if (typeof rawRelay === "string") {
+    relay = { url: rawRelay, autoConnect: true };
+  } else if (rawRelay && typeof rawRelay === "object") {
+    const r = rawRelay;
+    if (typeof r.url === "string") {
+      relay = {
+        url: r.url,
+        autoConnect: typeof r.autoConnect === "boolean" ? r.autoConnect : true,
+        name: typeof r.name === "string" ? r.name : void 0,
+        reconnectMaxMs: typeof r.reconnectMaxMs === "number" ? r.reconnectMaxMs : void 0
+      };
+    }
+  }
+  return {
+    identity,
+    peers,
+    ...relay ? { relay } : {}
+  };
+}
+function loadAgoraConfig(path) {
+  const configPath = path ?? getDefaultConfigPath();
+  if (!existsSync(configPath)) {
+    throw new Error(`Config file not found at ${configPath}. Run 'npx @rookdaemon/agora init' first.`);
+  }
+  const content = readFileSync(configPath, "utf-8");
+  let config;
+  try {
+    config = JSON.parse(content);
+  } catch {
+    throw new Error(`Invalid JSON in config file: ${configPath}`);
+  }
+  return parseConfig(config);
+}
+async function loadAgoraConfigAsync(path) {
+  const configPath = path ?? getDefaultConfigPath();
+  let content;
+  try {
+    content = await readFile(configPath, "utf-8");
+  } catch (err) {
+    const code = err && typeof err === "object" && "code" in err ? err.code : void 0;
+    if (code === "ENOENT") {
+      throw new Error(`Config file not found at ${configPath}. Run 'npx @rookdaemon/agora init' first.`);
+    }
+    throw err;
+  }
+  let config;
+  try {
+    config = JSON.parse(content);
+  } catch {
+    throw new Error(`Invalid JSON in config file: ${configPath}`);
+  }
+  return parseConfig(config);
+}
+
+// src/relay/message-buffer.ts
+var MAX_MESSAGES_PER_AGENT = 100;
+var MessageBuffer = class {
+  buffers = /* @__PURE__ */ new Map();
+  /**
+   * Add a message to an agent's buffer.
+   * Evicts the oldest message if the buffer is full.
+   */
+  add(publicKey, message) {
+    let queue = this.buffers.get(publicKey);
+    if (!queue) {
+      queue = [];
+      this.buffers.set(publicKey, queue);
+    }
+    queue.push(message);
+    if (queue.length > MAX_MESSAGES_PER_AGENT) {
+      queue.shift();
+    }
+  }
+  /**
+   * Retrieve messages for an agent, optionally filtering by `since` timestamp.
+   * Returns messages with timestamp > since (exclusive).
+   */
+  get(publicKey, since) {
+    const queue = this.buffers.get(publicKey) ?? [];
+    if (since === void 0) {
+      return [...queue];
+    }
+    return queue.filter((m) => m.timestamp > since);
+  }
+  /**
+   * Clear all messages for an agent (after polling without `since`).
+   */
+  clear(publicKey) {
+    this.buffers.set(publicKey, []);
+  }
+  /**
+   * Remove all state for a disconnected agent.
+   */
+  delete(publicKey) {
+    this.buffers.delete(publicKey);
+  }
+};
+
+// src/relay/jwt-auth.ts
+import jwt from "jsonwebtoken";
+import { randomBytes } from "crypto";
+var revokedJtis = /* @__PURE__ */ new Map();
+function pruneExpiredRevocations() {
+  const now = Date.now();
+  for (const [jti, expiry] of revokedJtis) {
+    if (expiry <= now) {
+      revokedJtis.delete(jti);
+    }
+  }
+}
+function getJwtSecret() {
+  const secret = process.env.AGORA_RELAY_JWT_SECRET;
+  if (!secret) {
+    throw new Error(
+      "AGORA_RELAY_JWT_SECRET environment variable is required but not set"
+    );
+  }
+  return secret;
+}
+function getExpirySeconds() {
+  const raw = process.env.AGORA_JWT_EXPIRY_SECONDS;
+  if (raw) {
+    const parsed = parseInt(raw, 10);
+    if (!isNaN(parsed) && parsed > 0) {
+      return parsed;
+    }
+  }
+  return 3600;
+}
+function createToken(payload) {
+  const secret = getJwtSecret();
+  const expirySeconds = getExpirySeconds();
+  const jti = `${Date.now()}-${randomBytes(16).toString("hex")}`;
+  const token = jwt.sign(
+    { publicKey: payload.publicKey, name: payload.name, jti },
+    secret,
+    { expiresIn: expirySeconds }
+  );
+  const expiresAt = Date.now() + expirySeconds * 1e3;
+  return { token, expiresAt };
+}
+function revokeToken(token) {
+  try {
+    const secret = getJwtSecret();
+    const decoded = jwt.verify(token, secret);
+    if (decoded.jti) {
+      const expiry = decoded.exp ? decoded.exp * 1e3 : Date.now();
+      revokedJtis.set(decoded.jti, expiry);
+      pruneExpiredRevocations();
+    }
+  } catch {
+  }
+}
+function requireAuth(req, res, next) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    res.status(401).json({ error: "Missing or malformed Authorization header" });
+    return;
+  }
+  const token = authHeader.slice(7);
+  try {
+    const secret = getJwtSecret();
+    const decoded = jwt.verify(token, secret);
+    if (decoded.jti && revokedJtis.has(decoded.jti)) {
+      res.status(401).json({ error: "Token has been revoked" });
+      return;
+    }
+    req.agent = { publicKey: decoded.publicKey, name: decoded.name };
+    next();
+  } catch (err) {
+    if (err instanceof jwt.TokenExpiredError) {
+      res.status(401).json({ error: "Token expired" });
+    } else {
+      res.status(401).json({ error: "Invalid token" });
+    }
+  }
+}
+
+// src/relay/rest-api.ts
+import { Router } from "express";
+import { rateLimit } from "express-rate-limit";
+var apiRateLimit = rateLimit({
+  windowMs: 6e4,
+  limit: 60,
+  standardHeaders: "draft-7",
+  legacyHeaders: false,
+  message: { error: "Too many requests \u2014 try again later" }
+});
+function pruneExpiredSessions(sessions, buffer) {
+  const now = Date.now();
+  for (const [publicKey, session] of sessions) {
+    if (session.expiresAt <= now) {
+      sessions.delete(publicKey);
+      buffer.delete(publicKey);
+    }
+  }
+}
+function createRestRouter(relay, buffer, sessions, createEnv, verifyEnv) {
+  const router = Router();
+  router.use(apiRateLimit);
+  relay.on("message-relayed", (from, to, envelope) => {
+    if (!sessions.has(to)) return;
+    const agentMap = relay.getAgents();
+    const senderAgent = agentMap.get(from);
+    const env = envelope;
+    const msg = {
+      id: env.id,
+      from,
+      fromName: senderAgent?.name,
+      type: env.type,
+      payload: env.payload,
+      timestamp: env.timestamp,
+      inReplyTo: env.inReplyTo
+    };
+    buffer.add(to, msg);
+  });
+  router.post("/v1/register", async (req, res) => {
+    const { publicKey, privateKey, name, metadata } = req.body;
+    if (!publicKey || typeof publicKey !== "string") {
+      res.status(400).json({ error: "publicKey is required" });
+      return;
+    }
+    if (!privateKey || typeof privateKey !== "string") {
+      res.status(400).json({ error: "privateKey is required" });
+      return;
+    }
+    const testEnvelope = createEnv(
+      "announce",
+      publicKey,
+      privateKey,
+      { challenge: "register" },
+      Date.now()
+    );
+    const verification = verifyEnv(testEnvelope);
+    if (!verification.valid) {
+      res.status(400).json({ error: "Key pair verification failed: " + verification.reason });
+      return;
+    }
+    const { token, expiresAt } = createToken({ publicKey, name });
+    pruneExpiredSessions(sessions, buffer);
+    const session = {
+      publicKey,
+      privateKey,
+      name,
+      metadata,
+      registeredAt: Date.now(),
+      expiresAt,
+      token
+    };
+    sessions.set(publicKey, session);
+    const wsAgents = relay.getAgents();
+    const peers = [];
+    for (const agent of wsAgents.values()) {
+      if (agent.publicKey !== publicKey) {
+        peers.push({
+          publicKey: agent.publicKey,
+          name: agent.name,
+          lastSeen: agent.lastSeen
+        });
+      }
+    }
+    for (const s of sessions.values()) {
+      if (s.publicKey !== publicKey && !wsAgents.has(s.publicKey)) {
+        peers.push({
+          publicKey: s.publicKey,
+          name: s.name,
+          lastSeen: s.registeredAt
+        });
+      }
+    }
+    res.json({ token, expiresAt, peers });
+  });
+  router.post(
+    "/v1/send",
+    requireAuth,
+    async (req, res) => {
+      const { to, type, payload, inReplyTo } = req.body;
+      if (!to || typeof to !== "string") {
+        res.status(400).json({ error: "to is required" });
+        return;
+      }
+      if (!type || typeof type !== "string") {
+        res.status(400).json({ error: "type is required" });
+        return;
+      }
+      if (payload === void 0) {
+        res.status(400).json({ error: "payload is required" });
+        return;
+      }
+      const senderPublicKey = req.agent.publicKey;
+      const session = sessions.get(senderPublicKey);
+      if (!session) {
+        res.status(401).json({ error: "Session not found \u2014 please re-register" });
+        return;
+      }
+      const envelope = createEnv(
+        type,
+        senderPublicKey,
+        session.privateKey,
+        payload,
+        Date.now(),
+        inReplyTo
+      );
+      const wsAgents = relay.getAgents();
+      const wsRecipient = wsAgents.get(to);
+      if (wsRecipient && wsRecipient.socket) {
+        const ws = wsRecipient.socket;
+        const OPEN = 1;
+        if (ws.readyState !== OPEN) {
+          res.status(503).json({ error: "Recipient connection is not open" });
+          return;
+        }
+        try {
+          const relayMsg = JSON.stringify({
+            type: "message",
+            from: senderPublicKey,
+            name: session.name,
+            envelope
+          });
+          ws.send(relayMsg);
+          res.json({ ok: true, envelopeId: envelope.id });
+          return;
+        } catch (err) {
+          res.status(500).json({
+            error: "Failed to deliver message: " + (err instanceof Error ? err.message : String(err))
+          });
+          return;
+        }
+      }
+      const restRecipient = sessions.get(to);
+      if (restRecipient) {
+        const senderAgent = wsAgents.get(senderPublicKey);
+        const msg = {
+          id: envelope.id,
+          from: senderPublicKey,
+          fromName: session.name ?? senderAgent?.name,
+          type: envelope.type,
+          payload: envelope.payload,
+          timestamp: envelope.timestamp,
+          inReplyTo: envelope.inReplyTo
+        };
+        buffer.add(to, msg);
+        res.json({ ok: true, envelopeId: envelope.id });
+        return;
+      }
+      res.status(404).json({ error: "Recipient not connected" });
+    }
+  );
+  router.get(
+    "/v1/peers",
+    requireAuth,
+    (req, res) => {
+      const callerPublicKey = req.agent.publicKey;
+      const wsAgents = relay.getAgents();
+      const peerList = [];
+      for (const agent of wsAgents.values()) {
+        if (agent.publicKey !== callerPublicKey) {
+          peerList.push({
+            publicKey: agent.publicKey,
+            name: agent.name,
+            lastSeen: agent.lastSeen,
+            metadata: agent.metadata
+          });
+        }
+      }
+      for (const s of sessions.values()) {
+        if (s.publicKey !== callerPublicKey && !wsAgents.has(s.publicKey)) {
+          peerList.push({
+            publicKey: s.publicKey,
+            name: s.name,
+            lastSeen: s.registeredAt,
+            metadata: s.metadata
+          });
+        }
+      }
+      res.json({ peers: peerList });
+    }
+  );
+  router.get(
+    "/v1/messages",
+    requireAuth,
+    (req, res) => {
+      const publicKey = req.agent.publicKey;
+      const sinceRaw = req.query.since;
+      const limitRaw = req.query.limit;
+      const since = sinceRaw ? parseInt(sinceRaw, 10) : void 0;
+      const limit = Math.min(limitRaw ? parseInt(limitRaw, 10) : 50, 100);
+      let messages = buffer.get(publicKey, since);
+      const hasMore = messages.length > limit;
+      if (hasMore) {
+        messages = messages.slice(0, limit);
+      }
+      if (since === void 0) {
+        buffer.clear(publicKey);
+      }
+      res.json({ messages, hasMore });
+    }
+  );
+  router.delete(
+    "/v1/disconnect",
+    requireAuth,
+    (req, res) => {
+      const publicKey = req.agent.publicKey;
+      const authHeader = req.headers.authorization;
+      const token = authHeader.slice(7);
+      revokeToken(token);
+      sessions.delete(publicKey);
+      buffer.delete(publicKey);
+      res.json({ ok: true });
+    }
+  );
+  return router;
+}
+
+// src/relay/run-relay.ts
+import http from "http";
+import express from "express";
+var createEnvelopeForRest = (type, sender, privateKey, payload, timestamp, inReplyTo) => createEnvelope(
+  type,
+  sender,
+  privateKey,
+  payload,
+  timestamp ?? Date.now(),
+  inReplyTo
+);
+async function runRelay(options = {}) {
+  const wsPort = options.wsPort ?? parseInt(process.env.PORT ?? "3001", 10);
+  const enableRest = options.enableRest ?? (typeof process.env.AGORA_RELAY_JWT_SECRET === "string" && process.env.AGORA_RELAY_JWT_SECRET.length > 0);
+  const relay = new RelayServer(options.relayOptions);
+  await relay.start(wsPort);
+  if (!enableRest) {
+    return { relay };
+  }
+  if (!process.env.AGORA_RELAY_JWT_SECRET) {
+    await relay.stop();
+    throw new Error(
+      "AGORA_RELAY_JWT_SECRET environment variable is required when REST API is enabled"
+    );
+  }
+  const restPort = options.restPort ?? wsPort + 1;
+  const messageBuffer = new MessageBuffer();
+  const restSessions = /* @__PURE__ */ new Map();
+  const app = express();
+  app.use(express.json());
+  const verifyForRest = (envelope) => verifyEnvelope(envelope);
+  const router = createRestRouter(
+    relay,
+    messageBuffer,
+    restSessions,
+    createEnvelopeForRest,
+    verifyForRest
+  );
+  app.use(router);
+  app.use((_req, res) => {
+    res.status(404).json({ error: "Not found" });
+  });
+  const httpServer = http.createServer(app);
+  await new Promise((resolve2, reject) => {
+    httpServer.listen(restPort, () => resolve2());
+    httpServer.on("error", reject);
+  });
+  return { relay, httpServer };
+}
+
+// src/service.ts
+var AgoraService = class {
+  config;
+  relayClient = null;
+  relayMessageHandler = null;
+  relayMessageHandlerWithName = null;
+  logger;
+  relayClientFactory;
+  constructor(config, logger, relayClientFactory) {
+    this.config = config;
+    this.logger = logger ?? null;
+    this.relayClientFactory = relayClientFactory ?? null;
+  }
+  /**
+   * Send a signed message to a named peer.
+   * Tries HTTP webhook first; falls back to relay if HTTP is unavailable.
+   */
+  async sendMessage(options) {
+    const peer = this.config.peers.get(options.peerName);
+    if (!peer) {
+      return {
+        ok: false,
+        status: 0,
+        error: `Unknown peer: ${options.peerName}`
+      };
+    }
+    if (peer.url) {
+      const transportConfig = {
+        identity: {
+          publicKey: this.config.identity.publicKey,
+          privateKey: this.config.identity.privateKey
+        },
+        peers: /* @__PURE__ */ new Map([[peer.publicKey, peer]])
+      };
+      const httpResult = await sendToPeer(
+        transportConfig,
+        peer.publicKey,
+        options.type,
+        options.payload,
+        options.inReplyTo
+      );
+      if (httpResult.ok) {
+        return httpResult;
+      }
+      this.logger?.debug(`HTTP send to ${options.peerName} failed: ${httpResult.error}`);
+    }
+    if (this.relayClient?.connected() && this.config.relay) {
+      const relayResult = await sendViaRelay(
+        {
+          identity: this.config.identity,
+          relayUrl: this.config.relay.url,
+          relayClient: this.relayClient
+        },
+        peer.publicKey,
+        options.type,
+        options.payload,
+        options.inReplyTo
+      );
+      return {
+        ok: relayResult.ok,
+        status: 0,
+        error: relayResult.error
+      };
+    }
+    return {
+      ok: false,
+      status: 0,
+      error: peer.url ? `HTTP send failed and relay not available for peer: ${options.peerName}` : `No webhook URL and relay not available for peer: ${options.peerName}`
+    };
+  }
+  /**
+   * Decode and verify an inbound envelope from a webhook message.
+   */
+  async decodeInbound(message) {
+    const peersByPubKey = /* @__PURE__ */ new Map();
+    for (const peer of this.config.peers.values()) {
+      peersByPubKey.set(peer.publicKey, peer);
+    }
+    const result = decodeInboundEnvelope(message, peersByPubKey);
+    if (result.ok) {
+      return { ok: true, envelope: result.envelope };
+    }
+    return { ok: false, reason: result.reason };
+  }
+  getPeers() {
+    return Array.from(this.config.peers.keys());
+  }
+  getPeerConfig(name) {
+    return this.config.peers.get(name);
+  }
+  /**
+   * Connect to the relay server.
+   */
+  async connectRelay(url) {
+    if (this.relayClient) {
+      return;
+    }
+    const maxReconnectDelay = this.config.relay?.reconnectMaxMs ?? 3e5;
+    let name = this.config.identity.name ?? this.config.relay?.name;
+    if (name && name === shortKey(this.config.identity.publicKey)) {
+      name = void 0;
+    }
+    const opts = {
+      relayUrl: url,
+      publicKey: this.config.identity.publicKey,
+      privateKey: this.config.identity.privateKey,
+      name,
+      pingInterval: 3e4,
+      maxReconnectDelay
+    };
+    if (this.relayClientFactory) {
+      this.relayClient = this.relayClientFactory(opts);
+    } else {
+      this.relayClient = new RelayClient(opts);
+    }
+    this.relayClient.on("error", (error) => {
+      this.logger?.debug(`Agora relay error: ${error.message}`);
+    });
+    this.relayClient.on("message", (envelope, from, fromName) => {
+      if (this.relayMessageHandlerWithName) {
+        this.relayMessageHandlerWithName(envelope, from, fromName);
+      } else if (this.relayMessageHandler) {
+        this.relayMessageHandler(envelope);
+      }
+    });
+    try {
+      await this.relayClient.connect();
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger?.debug(`Agora relay connect failed (${url}): ${message}`);
+      this.relayClient = null;
+    }
+  }
+  setRelayMessageHandler(handler) {
+    this.relayMessageHandler = handler;
+    this.relayMessageHandlerWithName = null;
+  }
+  setRelayMessageHandlerWithName(handler) {
+    this.relayMessageHandlerWithName = handler;
+    this.relayMessageHandler = null;
+  }
+  async disconnectRelay() {
+    if (this.relayClient) {
+      this.relayClient.disconnect();
+      this.relayClient = null;
+    }
+  }
+  isRelayConnected() {
+    return this.relayClient?.connected() ?? false;
+  }
+  /**
+   * Load Agora configuration and return service config (peers as Map).
+   */
+  static async loadConfig(path) {
+    const configPath = path ?? getDefaultConfigPath();
+    const loaded = await loadAgoraConfigAsync(configPath);
+    const peers = /* @__PURE__ */ new Map();
+    for (const [name, p] of Object.entries(loaded.peers)) {
+      peers.set(name, {
+        publicKey: p.publicKey,
+        url: p.url,
+        token: p.token
+      });
+    }
+    return {
+      identity: loaded.identity,
+      peers,
+      relay: loaded.relay
+    };
+  }
+};
+export {
+  AgoraService,
+  DEFAULT_BOOTSTRAP_RELAYS,
+  DiscoveryService,
+  MessageBuffer,
+  MessageStore,
+  PeerDiscoveryService,
+  PeerStore,
+  RelayClient,
+  RelayServer,
+  ReputationStore,
+  canonicalize,
+  computeAllTrustScores,
+  computeId,
+  computeTrustScore,
+  computeTrustScores,
+  createCapability,
+  createCommit,
+  createEnvelope,
+  createRestRouter,
+  createReveal,
+  createToken,
+  createVerification,
+  decay,
+  decodeInboundEnvelope,
+  exportKeyPair,
+  formatDisplayName,
+  generateKeyPair,
+  getDefaultBootstrapRelay,
+  getDefaultConfigPath,
+  hashPrediction,
+  importKeyPair,
+  initPeerConfig,
+  loadAgoraConfig,
+  loadAgoraConfigAsync,
+  loadPeerConfig,
+  parseBootstrapRelay,
+  requireAuth,
+  resolveBroadcastName,
+  revokeToken,
+  runRelay,
+  savePeerConfig,
+  sendToPeer,
+  shortKey,
+  signMessage,
+  validateCapability,
+  validateCommitRecord,
+  validatePeerListRequest,
+  validatePeerListResponse,
+  validatePeerReferral,
+  validateRevealRecord,
+  validateVerificationRecord,
+  verifyEnvelope,
+  verifyReveal,
+  verifySignature,
+  verifyVerificationSignature
+};
 //# sourceMappingURL=index.js.map