@runneth/cli 0.0.0-sha.3142666bf4dc.production

package/dist/ssh.js

@@ -0,0 +1,835 @@
+import { spawn } from "node:child_process";
+import { createHash } from "node:crypto";
+import { access, chmod, mkdir, readFile, writeFile } from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import process from "node:process";
+import { getOAuthAccessToken } from "./oauth.js";
+import { resolveRunnethCliHome } from "./paths.js";
+const DEFAULT_SSH_APP_PATH = "/runneth/ssh";
+const KEY_COMMENT_PREFIX = "runneth-cli";
+const SSH_TARGET_NAME_PATTERN = /^[A-Za-z0-9._-]{1,64}$/u;
+const SSH_TARGET_STORE_VERSION = 1;
+const SSH_TARGETS_FILE_NAME = "targets.json";
+const SSH_TUNNEL_API_BASE = "/api/tunnels";
+const SSH_PUBLIC_KEY_PATTERN = /^(ssh-ed25519) ([A-Za-z0-9+/]+={0,3})(?: ([^\r\n]{1,256}))?$/u;
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+const isErrnoCode = (error, code) => {
+    return (typeof error === "object" &&
+        error !== null &&
+        "code" in error &&
+        error.code === code);
+};
+const normalizeResourceUrl = (value) => {
+    const url = new URL(value);
+    url.hash = "";
+    url.search = "";
+    if (url.pathname !== "/") {
+        url.pathname = url.pathname.replace(/\/+$/u, "");
+    }
+    return url.toString();
+};
+const normalizeHttpUrl = (value, label) => {
+    const url = new URL(value);
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+        throw new Error(`${label} must use http or https`);
+    }
+    url.hash = "";
+    url.search = "";
+    if (url.pathname !== "/") {
+        url.pathname = url.pathname.replace(/\/+$/u, "");
+    }
+    return url.toString();
+};
+export const normalizeRunnethSshTargetName = (value) => {
+    const name = value.trim();
+    if (!SSH_TARGET_NAME_PATTERN.test(name)) {
+        throw new Error(`Invalid SSH target name: ${name}. Use letters, numbers, dot, underscore, and dash only.`);
+    }
+    return name;
+};
+export const resolveRunnethSshAppUrl = (input) => {
+    if (input.sshUrl !== undefined) {
+        return normalizeHttpUrl(input.sshUrl, "SSH app URL");
+    }
+    const resource = new URL(input.resourceUrl);
+    return normalizeHttpUrl(`${resource.origin}${DEFAULT_SSH_APP_PATH}`, "SSH app URL");
+};
+const buildSshAppApiUrl = (input) => {
+    const url = new URL(input.sshUrl);
+    url.pathname = `${url.pathname.replace(/\/+$/u, "")}${input.pathSuffix}`;
+    url.search = "";
+    url.hash = "";
+    return url.toString();
+};
+export const resolveRunnethSshTargetsPath = (input) => {
+    const homePath = input.homePath ?? resolveRunnethCliHome();
+    return path.join(homePath, "ssh", SSH_TARGETS_FILE_NAME);
+};
+export const resolveRunnethSshTargetPaths = (input) => {
+    const homePath = input.homePath ?? resolveRunnethCliHome();
+    const sshUrl = resolveRunnethSshAppUrl(input);
+    const digest = createHash("sha256")
+        .update(`${normalizeResourceUrl(input.resourceUrl)}\n${sshUrl}`)
+        .digest("hex")
+        .slice(0, 32);
+    const targetDirectory = path.join(homePath, "ssh", digest);
+    return {
+        configPath: path.join(targetDirectory, "ssh_config"),
+        hostAlias: `runneth-${digest.slice(0, 12)}`,
+        knownHostsPath: path.join(targetDirectory, "known_hosts"),
+        privateKeyPath: path.join(targetDirectory, "id_ed25519"),
+        publicKeyPath: path.join(targetDirectory, "id_ed25519.pub"),
+        targetDirectory,
+    };
+};
+export const resolveRunnethSshSharedKeyPaths = (input) => {
+    const keyDirectory = path.join(input.homePath ?? resolveRunnethCliHome(), "ssh");
+    return {
+        keyDirectory,
+        keyMode: "shared",
+        privateKeyPath: path.join(keyDirectory, "id_ed25519"),
+        publicKeyPath: path.join(keyDirectory, "id_ed25519.pub"),
+    };
+};
+const resolveRunnethSshUniqueKeyPaths = (paths) => {
+    return {
+        keyDirectory: paths.targetDirectory,
+        keyMode: "unique",
+        privateKeyPath: paths.privateKeyPath,
+        publicKeyPath: paths.publicKeyPath,
+    };
+};
+const resolveUserFilePath = (value) => {
+    const trimmed = value.trim();
+    if (trimmed.length === 0) {
+        throw new Error("Identity file path must be a non-empty string");
+    }
+    if (trimmed === "~") {
+        return os.homedir();
+    }
+    if (trimmed.startsWith("~/")) {
+        return path.join(os.homedir(), trimmed.slice(2));
+    }
+    return path.resolve(trimmed);
+};
+const resolveRunnethSshCustomKeyPaths = (input) => {
+    const privateKeyPath = resolveUserFilePath(input.identityFilePath);
+    return {
+        keyDirectory: path.dirname(privateKeyPath),
+        keyMode: "custom",
+        privateKeyPath,
+        publicKeyPath: `${privateKeyPath}.pub`,
+    };
+};
+const resolveRunnethSshKeyPaths = (input) => {
+    if (input.identityFilePath !== undefined && input.keyMode !== undefined) {
+        throw new Error("Use either --identity-file or --unique-key, not both");
+    }
+    if (input.identityFilePath !== undefined) {
+        return resolveRunnethSshCustomKeyPaths({
+            identityFilePath: input.identityFilePath,
+        });
+    }
+    if (input.keyMode === "unique") {
+        return resolveRunnethSshUniqueKeyPaths(input.targetPaths);
+    }
+    return resolveRunnethSshSharedKeyPaths({ homePath: input.homePath });
+};
+const pathExists = async (filePath) => {
+    try {
+        await access(filePath);
+        return true;
+    }
+    catch (error) {
+        if (isErrnoCode(error, "ENOENT")) {
+            return false;
+        }
+        throw error;
+    }
+};
+const runProcess = async (command, args) => {
+    await new Promise((resolve, reject) => {
+        const child = spawn(command, [...args], {
+            stdio: ["ignore", "ignore", "pipe"],
+        });
+        let stderr = "";
+        child.stderr.on("data", (chunk) => {
+            stderr += String(chunk);
+        });
+        child.once("error", reject);
+        child.once("close", (code, signal) => {
+            if (code === 0) {
+                resolve();
+                return;
+            }
+            const exitDescription = signal === null ? `exit code ${String(code)}` : `signal ${signal}`;
+            reject(new Error(`${command} failed with ${exitDescription}${stderr.trim().length > 0 ? `: ${stderr.trim()}` : ""}`));
+        });
+    });
+};
+const resolveGeneratedSshKeyComment = (keyMode, targetPaths, targetName) => {
+    if (keyMode === "shared") {
+        return `${KEY_COMMENT_PREFIX}:shared`;
+    }
+    const targetSegment = targetName === undefined
+        ? path.basename(targetPaths.targetDirectory)
+        : `${targetName}:${path.basename(targetPaths.targetDirectory)}`;
+    return `${KEY_COMMENT_PREFIX}:${targetSegment}:${targetPaths.hostAlias}`;
+};
+const parseSshPublicKey = (publicKey, publicKeyPath) => {
+    const match = SSH_PUBLIC_KEY_PATTERN.exec(publicKey);
+    if (match === null || match[1] !== "ssh-ed25519" || match[2] === undefined) {
+        throw new Error(`SSH public key must be ssh-ed25519: ${publicKeyPath}`);
+    }
+    return {
+        keyType: "ssh-ed25519",
+        keyMaterial: match[2],
+    };
+};
+const formatSshPublicKey = (parts, comment) => {
+    return `${parts.keyType} ${parts.keyMaterial} ${comment}`;
+};
+const normalizePublicKeyComment = async (keyPaths, comment) => {
+    const publicKey = (await readFile(keyPaths.publicKeyPath, "utf8")).trim();
+    const normalizedPublicKey = formatSshPublicKey(parseSshPublicKey(publicKey, keyPaths.publicKeyPath), comment);
+    if (publicKey === normalizedPublicKey) {
+        return;
+    }
+    await writeFile(keyPaths.publicKeyPath, `${normalizedPublicKey}\n`, {
+        encoding: "utf8",
+        mode: 0o644,
+    });
+    if (process.platform !== "win32") {
+        await chmod(keyPaths.publicKeyPath, 0o644);
+    }
+};
+const ensureGeneratedSshKeyPair = async (keyPaths, comment) => {
+    await mkdir(keyPaths.keyDirectory, { mode: 0o700, recursive: true });
+    if (process.platform !== "win32") {
+        await chmod(keyPaths.keyDirectory, 0o700);
+    }
+    const privateKeyExists = await pathExists(keyPaths.privateKeyPath);
+    const publicKeyExists = await pathExists(keyPaths.publicKeyPath);
+    if (privateKeyExists && publicKeyExists) {
+        await normalizePublicKeyComment(keyPaths, comment);
+        return;
+    }
+    if (privateKeyExists || publicKeyExists) {
+        throw new Error(`SSH keypair is incomplete. Expected both ${keyPaths.privateKeyPath} and ${keyPaths.publicKeyPath}`);
+    }
+    await runProcess("ssh-keygen", [
+        "-t",
+        "ed25519",
+        "-f",
+        keyPaths.privateKeyPath,
+        "-N",
+        "",
+        "-C",
+        comment,
+    ]);
+    if (process.platform !== "win32") {
+        await chmod(keyPaths.privateKeyPath, 0o600);
+        await chmod(keyPaths.publicKeyPath, 0o644);
+    }
+};
+const ensureCustomSshKeyPair = async (keyPaths) => {
+    const privateKeyExists = await pathExists(keyPaths.privateKeyPath);
+    const publicKeyExists = await pathExists(keyPaths.publicKeyPath);
+    if (!privateKeyExists || !publicKeyExists) {
+        throw new Error(`Identity file requires both ${keyPaths.privateKeyPath} and ${keyPaths.publicKeyPath}`);
+    }
+};
+const ensureSshKeyPair = async (input) => {
+    if (input.keyPaths.keyMode === "custom") {
+        await ensureCustomSshKeyPair(input.keyPaths);
+        return;
+    }
+    await ensureGeneratedSshKeyPair(input.keyPaths, resolveGeneratedSshKeyComment(input.keyPaths.keyMode, input.targetPaths, input.targetName));
+};
+const readPublicKey = async (publicKeyPath) => {
+    const publicKey = (await readFile(publicKeyPath, "utf8")).trim();
+    parseSshPublicKey(publicKey, publicKeyPath);
+    return publicKey;
+};
+const parseStringField = (record, key) => {
+    const value = record[key];
+    if (typeof value !== "string" || value.trim().length === 0) {
+        throw new Error(`${key} must be a non-empty string`);
+    }
+    return value;
+};
+const parseOptionalStringField = (record, key) => {
+    const value = record[key];
+    if (value === undefined) {
+        return undefined;
+    }
+    if (typeof value !== "string" || value.trim().length === 0) {
+        throw new Error(`${key} must be a non-empty string`);
+    }
+    return value;
+};
+const emptyRunnethSshTargetStore = () => {
+    return {
+        targets: [],
+        version: SSH_TARGET_STORE_VERSION,
+    };
+};
+const parseRunnethSshTarget = (payload) => {
+    if (!isRecord(payload)) {
+        throw new Error("SSH target entry must be a JSON object");
+    }
+    return {
+        createdAt: parseStringField(payload, "createdAt"),
+        name: normalizeRunnethSshTargetName(parseStringField(payload, "name")),
+        resourceUrl: normalizeResourceUrl(parseStringField(payload, "resourceUrl")),
+        sshUrl: normalizeHttpUrl(parseStringField(payload, "sshUrl"), "SSH app URL"),
+        updatedAt: parseStringField(payload, "updatedAt"),
+    };
+};
+const parseRunnethSshTargetStore = (payload) => {
+    if (!isRecord(payload)) {
+        throw new Error("SSH target store must be a JSON object");
+    }
+    if (payload.version !== SSH_TARGET_STORE_VERSION) {
+        throw new Error("Unsupported SSH target store version");
+    }
+    if (!Array.isArray(payload.targets)) {
+        throw new Error("SSH target store targets must be an array");
+    }
+    const targets = payload.targets.map(parseRunnethSshTarget);
+    const names = new Set();
+    for (const target of targets) {
+        if (names.has(target.name)) {
+            throw new Error(`Duplicate SSH target name in store: ${target.name}`);
+        }
+        names.add(target.name);
+    }
+    const rawDefaultTarget = parseOptionalStringField(payload, "defaultTarget");
+    const defaultTarget = rawDefaultTarget === undefined
+        ? undefined
+        : normalizeRunnethSshTargetName(rawDefaultTarget);
+    if (defaultTarget !== undefined && !names.has(defaultTarget)) {
+        throw new Error(`Default SSH target does not exist: ${defaultTarget}`);
+    }
+    return {
+        ...(defaultTarget === undefined ? {} : { defaultTarget }),
+        targets,
+        version: SSH_TARGET_STORE_VERSION,
+    };
+};
+export const readRunnethSshTargetStore = async (input) => {
+    const storePath = resolveRunnethSshTargetsPath(input);
+    try {
+        const payload = JSON.parse(await readFile(storePath, "utf8"));
+        return parseRunnethSshTargetStore(payload);
+    }
+    catch (error) {
+        if (isErrnoCode(error, "ENOENT")) {
+            return emptyRunnethSshTargetStore();
+        }
+        throw error;
+    }
+};
+const writeRunnethSshTargetStore = async (input) => {
+    const storePath = resolveRunnethSshTargetsPath(input);
+    await mkdir(path.dirname(storePath), { mode: 0o700, recursive: true });
+    if (process.platform !== "win32") {
+        await chmod(path.dirname(storePath), 0o700);
+    }
+    await writeFile(storePath, `${JSON.stringify(input.store, null, 2)}\n`, {
+        encoding: "utf8",
+        mode: 0o600,
+    });
+    if (process.platform !== "win32") {
+        await chmod(storePath, 0o600);
+    }
+};
+export const saveRunnethSshTarget = async (input) => {
+    const store = await readRunnethSshTargetStore(input);
+    const name = normalizeRunnethSshTargetName(input.name);
+    const now = new Date().toISOString();
+    const resourceUrl = normalizeResourceUrl(input.resourceUrl);
+    const sshUrl = resolveRunnethSshAppUrl({
+        resourceUrl,
+        ...(input.sshUrl === undefined ? {} : { sshUrl: input.sshUrl }),
+    });
+    const existing = store.targets.find((target) => target.name === name);
+    const target = {
+        createdAt: existing?.createdAt ?? now,
+        name,
+        resourceUrl,
+        sshUrl,
+        updatedAt: now,
+    };
+    const targets = existing === undefined
+        ? [...store.targets, target]
+        : store.targets.map((item) => (item.name === name ? target : item));
+    const defaultTarget = input.makeDefault === true || store.defaultTarget === undefined
+        ? name
+        : store.defaultTarget;
+    const updatedStore = {
+        defaultTarget,
+        targets,
+        version: SSH_TARGET_STORE_VERSION,
+    };
+    await writeRunnethSshTargetStore({
+        homePath: input.homePath,
+        store: updatedStore,
+    });
+    return {
+        store: updatedStore,
+        target,
+    };
+};
+export const setDefaultRunnethSshTarget = async (input) => {
+    const store = await readRunnethSshTargetStore(input);
+    const name = normalizeRunnethSshTargetName(input.name);
+    if (!store.targets.some((target) => target.name === name)) {
+        throw new Error(`Unknown SSH target: ${name}`);
+    }
+    const updatedStore = {
+        defaultTarget: name,
+        targets: store.targets,
+        version: SSH_TARGET_STORE_VERSION,
+    };
+    await writeRunnethSshTargetStore({
+        homePath: input.homePath,
+        store: updatedStore,
+    });
+    return updatedStore;
+};
+export const removeRunnethSshTarget = async (input) => {
+    const store = await readRunnethSshTargetStore(input);
+    const name = normalizeRunnethSshTargetName(input.name);
+    if (!store.targets.some((target) => target.name === name)) {
+        throw new Error(`Unknown SSH target: ${name}`);
+    }
+    const defaultTarget = store.defaultTarget === name ? undefined : store.defaultTarget;
+    const updatedStore = {
+        ...(defaultTarget === undefined ? {} : { defaultTarget }),
+        targets: store.targets.filter((target) => target.name !== name),
+        version: SSH_TARGET_STORE_VERSION,
+    };
+    await writeRunnethSshTargetStore({
+        homePath: input.homePath,
+        store: updatedStore,
+    });
+    return updatedStore;
+};
+export const resolveRunnethSshTarget = async (input) => {
+    if (input.targetName !== undefined) {
+        if (input.resourceUrl !== undefined || input.sshUrl !== undefined) {
+            throw new Error("Use either --target or explicit --resource/--ssh-url, not both");
+        }
+        const store = await readRunnethSshTargetStore(input);
+        const targetName = normalizeRunnethSshTargetName(input.targetName);
+        const target = store.targets.find((item) => item.name === targetName);
+        if (target === undefined) {
+            throw new Error(`Unknown SSH target: ${targetName}`);
+        }
+        return {
+            resourceUrl: target.resourceUrl,
+            sshUrl: target.sshUrl,
+            targetName,
+        };
+    }
+    if (input.resourceUrl !== undefined) {
+        const resourceUrl = normalizeResourceUrl(input.resourceUrl);
+        return {
+            resourceUrl,
+            sshUrl: resolveRunnethSshAppUrl({
+                resourceUrl,
+                ...(input.sshUrl === undefined ? {} : { sshUrl: input.sshUrl }),
+            }),
+        };
+    }
+    if (input.sshUrl !== undefined) {
+        throw new Error("runneth-cli ssh requires --resource when --ssh-url is set");
+    }
+    const store = await readRunnethSshTargetStore(input);
+    if (store.defaultTarget === undefined) {
+        throw new Error("No default SSH target configured. Run: runneth-cli ssh target add <name> --resource <url> --ssh-url <url> --default");
+    }
+    const target = store.targets.find((item) => item.name === store.defaultTarget);
+    if (target === undefined) {
+        throw new Error(`Default SSH target does not exist: ${store.defaultTarget}`);
+    }
+    return {
+        resourceUrl: target.resourceUrl,
+        sshUrl: target.sshUrl,
+        targetName: target.name,
+    };
+};
+const parseSshAppMetadata = (payload) => {
+    if (!isRecord(payload)) {
+        throw new Error("SSH app response must be a JSON object");
+    }
+    if (payload.ok !== true) {
+        throw new Error("SSH app response did not report ok: true");
+    }
+    return {
+        authorizedKeysPath: parseStringField(payload, "authorizedKeysPath"),
+        connectRoute: parseStringField(payload, "connectRoute"),
+        ok: true,
+        sshUser: parseStringField(payload, "sshUser"),
+    };
+};
+const parseSshInstallResponse = (payload) => {
+    const metadata = parseSshAppMetadata(payload);
+    if (!isRecord(payload) || typeof payload.installed !== "boolean") {
+        throw new Error("SSH key install response must include installed");
+    }
+    return {
+        ...metadata,
+        installed: payload.installed,
+    };
+};
+const fetchJson = async (url, init, label) => {
+    const response = await fetch(url, init);
+    if (!response.ok) {
+        const body = await response.text();
+        throw new Error(`${label} failed with HTTP ${String(response.status)}: ${body}`);
+    }
+    const payload = await response.json();
+    return payload;
+};
+const resolveBearerAuthorizationHeader = (token) => {
+    if (token.tokenType.toLowerCase() !== "bearer") {
+        throw new Error(`Unsupported OAuth token type for SSH: ${token.tokenType}`);
+    }
+    return `Bearer ${token.accessToken}`;
+};
+const installSshPublicKey = async (input) => {
+    return parseSshInstallResponse(await fetchJson(buildSshAppApiUrl({ pathSuffix: "/api/keys", sshUrl: input.sshUrl }), {
+        body: JSON.stringify({
+            publicKey: input.publicKey,
+        }),
+        headers: {
+            Accept: "application/json",
+            Authorization: input.authorizationHeader,
+            "Content-Type": "application/json",
+        },
+        method: "POST",
+    }, "SSH public key install request"));
+};
+const quoteSshConfigValue = (value) => {
+    return `"${value.replace(/\\/gu, "\\\\").replace(/"/gu, '\\"')}"`;
+};
+const writeSshConfig = async (input) => {
+    const proxyCommand = [
+        quoteSshConfigValue(process.execPath),
+        quoteSshConfigValue(input.cliPath),
+        "ssh",
+        "proxy",
+        ...(input.targetName === undefined
+            ? [
+                "--resource",
+                quoteSshConfigValue(input.resourceUrl),
+                "--ssh-url",
+                quoteSshConfigValue(input.sshUrl),
+            ]
+            : ["--target", quoteSshConfigValue(input.targetName)]),
+    ].join(" ");
+    await mkdir(input.paths.targetDirectory, { mode: 0o700, recursive: true });
+    if (process.platform !== "win32") {
+        await chmod(input.paths.targetDirectory, 0o700);
+    }
+    await writeFile(input.paths.configPath, [
+        `Host ${input.paths.hostAlias}`,
+        `  HostName ${input.paths.hostAlias}`,
+        `  User ${input.metadata.sshUser}`,
+        `  IdentityFile ${quoteSshConfigValue(input.keyPaths.privateKeyPath)}`,
+        "  IdentitiesOnly yes",
+        "  StrictHostKeyChecking accept-new",
+        `  UserKnownHostsFile ${quoteSshConfigValue(input.paths.knownHostsPath)}`,
+        `  ProxyCommand ${proxyCommand}`,
+        "",
+    ].join("\n"), {
+        encoding: "utf8",
+        mode: 0o600,
+    });
+    if (process.platform !== "win32") {
+        await chmod(input.paths.configPath, 0o600);
+    }
+};
+export const installRunnethSshAccess = async (options) => {
+    const sshUrl = resolveRunnethSshAppUrl(options);
+    const paths = resolveRunnethSshTargetPaths({
+        homePath: options.homePath,
+        resourceUrl: options.resourceUrl,
+        sshUrl,
+    });
+    const keyPaths = resolveRunnethSshKeyPaths({
+        homePath: options.homePath,
+        ...(options.identityFilePath === undefined
+            ? {}
+            : { identityFilePath: options.identityFilePath }),
+        ...(options.keyMode === undefined ? {} : { keyMode: options.keyMode }),
+        targetPaths: paths,
+    });
+    await ensureSshKeyPair({
+        keyPaths,
+        targetName: options.targetName,
+        targetPaths: paths,
+    });
+    const authorizationHeader = resolveBearerAuthorizationHeader(options.oauthToken);
+    const publicKey = await readPublicKey(keyPaths.publicKeyPath);
+    const installResponse = await installSshPublicKey({
+        authorizationHeader,
+        publicKey,
+        sshUrl,
+    });
+    await writeSshConfig({
+        cliPath: options.cliPath,
+        keyPaths,
+        metadata: installResponse,
+        paths,
+        resourceUrl: options.resourceUrl,
+        sshUrl,
+        ...(options.targetName === undefined
+            ? {}
+            : { targetName: options.targetName }),
+    });
+    return {
+        authorizedKeysPath: installResponse.authorizedKeysPath,
+        configPath: paths.configPath,
+        connectRoute: installResponse.connectRoute,
+        hostAlias: paths.hostAlias,
+        installed: installResponse.installed,
+        keyMode: keyPaths.keyMode,
+        knownHostsPath: paths.knownHostsPath,
+        privateKeyPath: keyPaths.privateKeyPath,
+        publicKeyPath: keyPaths.publicKeyPath,
+        sshUrl,
+        sshUser: installResponse.sshUser,
+        ...(options.targetName === undefined
+            ? {}
+            : { targetName: options.targetName }),
+    };
+};
+const defaultSshProxyStreams = () => {
+    return {
+        stderr: process.stderr,
+        stdin: process.stdin,
+        stdout: process.stdout,
+    };
+};
+const buildSshTunnelApiUrl = (input) => {
+    return buildSshAppApiUrl({
+        pathSuffix: `${SSH_TUNNEL_API_BASE}${input.pathSuffix}`,
+        sshUrl: input.sshUrl,
+    });
+};
+const parseSshTunnelCreateResponse = (payload) => {
+    if (!isRecord(payload) || payload.ok !== true) {
+        throw new Error("SSH tunnel create response was invalid");
+    }
+    const tunnelId = parseStringField(payload, "tunnelId");
+    return {
+        ok: true,
+        tunnelId,
+    };
+};
+const parseSshTunnelOutputResponse = (payload) => {
+    if (!isRecord(payload) ||
+        payload.ok !== true ||
+        typeof payload.closed !== "boolean" ||
+        typeof payload.data !== "string") {
+        throw new Error("SSH tunnel output response was invalid");
+    }
+    return {
+        closed: payload.closed,
+        data: Buffer.from(payload.data, "base64"),
+        ok: true,
+    };
+};
+const createSshHttpTunnel = async (input) => {
+    return parseSshTunnelCreateResponse(await fetchJson(buildSshTunnelApiUrl({
+        pathSuffix: "",
+        sshUrl: input.sshUrl,
+    }), {
+        headers: {
+            Accept: "application/json",
+            Authorization: input.authorizationHeader,
+        },
+        method: "POST",
+    }, "SSH tunnel create request"));
+};
+const postSshHttpTunnelInput = async (input) => {
+    const url = new URL(buildSshTunnelApiUrl({
+        pathSuffix: `/${input.tunnelId}/input`,
+        sshUrl: input.sshUrl,
+    }));
+    if (input.close) {
+        url.searchParams.set("close", "1");
+    }
+    await fetchJson(url.toString(), {
+        body: new Blob([new Uint8Array(input.payload)]),
+        headers: {
+            Accept: "application/json",
+            Authorization: input.authorizationHeader,
+            "Content-Type": "application/octet-stream",
+        },
+        method: "POST",
+        signal: input.signal,
+    }, "SSH tunnel input request");
+};
+const pumpSshHttpTunnelInput = async (input) => {
+    for await (const chunk of input.stdin) {
+        const payload = typeof chunk === "string"
+            ? Buffer.from(chunk, "utf8")
+            : chunk instanceof Uint8Array
+                ? Buffer.from(chunk)
+                : null;
+        if (payload === null) {
+            throw new Error("SSH tunnel stdin must emit bytes");
+        }
+        await postSshHttpTunnelInput({
+            authorizationHeader: input.authorizationHeader,
+            close: false,
+            payload,
+            signal: input.signal,
+            sshUrl: input.sshUrl,
+            tunnelId: input.tunnelId,
+        });
+    }
+    await postSshHttpTunnelInput({
+        authorizationHeader: input.authorizationHeader,
+        close: true,
+        payload: Buffer.alloc(0),
+        signal: input.signal,
+        sshUrl: input.sshUrl,
+        tunnelId: input.tunnelId,
+    });
+};
+const readSshHttpTunnelOutput = async (input) => {
+    return parseSshTunnelOutputResponse(await fetchJson(buildSshTunnelApiUrl({
+        pathSuffix: `/${input.tunnelId}/output`,
+        sshUrl: input.sshUrl,
+    }), {
+        headers: {
+            Accept: "application/json",
+            Authorization: input.authorizationHeader,
+        },
+        method: "GET",
+        signal: input.signal,
+    }, "SSH tunnel output request"));
+};
+const deleteSshHttpTunnel = async (input) => {
+    await fetchJson(buildSshTunnelApiUrl({
+        pathSuffix: `/${input.tunnelId}`,
+        sshUrl: input.sshUrl,
+    }), {
+        headers: {
+            Accept: "application/json",
+            Authorization: input.authorizationHeader,
+        },
+        method: "DELETE",
+    }, "SSH tunnel delete request");
+};
+const writeStdout = async (stream, chunk) => {
+    if (stream.write(chunk)) {
+        return;
+    }
+    await new Promise((resolve) => {
+        stream.once("drain", () => {
+            resolve();
+        });
+    });
+};
+const destroyReadableStream = (stream) => {
+    if (stream.destroyed) {
+        return;
+    }
+    stream.destroy();
+};
+const openSshHttpTunnel = async (input) => {
+    const tunnel = await createSshHttpTunnel({
+        authorizationHeader: input.authorizationHeader,
+        sshUrl: input.sshUrl,
+    });
+    const abortController = new AbortController();
+    let inputError = null;
+    let outputClosed = false;
+    const inputPump = pumpSshHttpTunnelInput({
+        authorizationHeader: input.authorizationHeader,
+        signal: abortController.signal,
+        sshUrl: input.sshUrl,
+        stdin: input.streams.stdin,
+        tunnelId: tunnel.tunnelId,
+    }).catch((error) => {
+        inputError = error;
+        abortController.abort();
+    });
+    try {
+        while (!outputClosed) {
+            if (inputError !== null) {
+                throw inputError;
+            }
+            let output;
+            try {
+                output = await readSshHttpTunnelOutput({
+                    authorizationHeader: input.authorizationHeader,
+                    signal: abortController.signal,
+                    sshUrl: input.sshUrl,
+                    tunnelId: tunnel.tunnelId,
+                });
+            }
+            catch (error) {
+                if (inputError !== null) {
+                    throw inputError;
+                }
+                throw error;
+            }
+            if (output.data.length > 0) {
+                await writeStdout(input.streams.stdout, output.data);
+            }
+            if (output.closed) {
+                outputClosed = true;
+            }
+        }
+    }
+    finally {
+        outputClosed = true;
+        abortController.abort();
+        destroyReadableStream(input.streams.stdin);
+        await inputPump;
+        await deleteSshHttpTunnel({
+            authorizationHeader: input.authorizationHeader,
+            sshUrl: input.sshUrl,
+            tunnelId: tunnel.tunnelId,
+        }).catch(() => { });
+    }
+};
+export const runRunnethSshProxy = async (options) => {
+    const sshUrl = resolveRunnethSshAppUrl(options);
+    const oauthToken = await getOAuthAccessToken({
+        homePath: options.homePath,
+        resourceUrl: options.resourceUrl,
+    });
+    const authorizationHeader = resolveBearerAuthorizationHeader(oauthToken);
+    await openSshHttpTunnel({
+        authorizationHeader,
+        sshUrl,
+        streams: options.streams ?? defaultSshProxyStreams(),
+    });
+};
+export const runOpenSsh = async (options) => {
+    return await new Promise((resolve, reject) => {
+        const child = spawn("ssh", [
+            "-F",
+            options.setup.configPath,
+            options.setup.hostAlias,
+            ...options.extraArgs,
+        ], {
+            stdio: "inherit",
+        });
+        child.once("error", reject);
+        child.once("close", (code) => {
+            resolve(code ?? 1);
+        });
+    });
+};