@skillkit/mesh 1.8.0

package/dist/index.js

@@ -0,0 +1,3326 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/types.ts
+var DEFAULT_PORT, DEFAULT_DISCOVERY_PORT, HEALTH_CHECK_TIMEOUT, DISCOVERY_INTERVAL, MESH_VERSION;
+var init_types = __esm({
+  "src/types.ts"() {
+    "use strict";
+    DEFAULT_PORT = 9876;
+    DEFAULT_DISCOVERY_PORT = 9877;
+    HEALTH_CHECK_TIMEOUT = 5e3;
+    DISCOVERY_INTERVAL = 3e4;
+    MESH_VERSION = "1.7.11";
+  }
+});
+
+// src/config/hosts-config.ts
+import { readFile, writeFile, mkdir } from "fs/promises";
+import { existsSync } from "fs";
+import { dirname, join } from "path";
+import { homedir, hostname as osHostname } from "os";
+import { randomUUID } from "crypto";
+async function withFileLock(fn) {
+  while (fileLock) {
+    await fileLock;
+  }
+  let resolve;
+  fileLock = new Promise((r) => {
+    resolve = r;
+  });
+  try {
+    return await fn();
+  } finally {
+    fileLock = null;
+    resolve();
+  }
+}
+async function getHostsFilePath() {
+  return HOSTS_FILE_PATH;
+}
+async function loadHostsFile() {
+  if (!existsSync(HOSTS_FILE_PATH)) {
+    return createDefaultHostsFile();
+  }
+  try {
+    const content = await readFile(HOSTS_FILE_PATH, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return createDefaultHostsFile();
+  }
+}
+async function saveHostsFile(hostsFile) {
+  await mkdir(dirname(HOSTS_FILE_PATH), { recursive: true });
+  hostsFile.lastUpdated = (/* @__PURE__ */ new Date()).toISOString();
+  await writeFile(HOSTS_FILE_PATH, JSON.stringify(hostsFile, null, 2), "utf-8");
+}
+function createDefaultHostsFile() {
+  return {
+    version: MESH_VERSION,
+    localHost: {
+      id: randomUUID(),
+      name: getDefaultHostName(),
+      port: DEFAULT_PORT,
+      autoStart: false,
+      discoveryEnabled: true
+    },
+    knownHosts: [],
+    lastUpdated: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function getDefaultHostName() {
+  const hostname = osHostname();
+  return hostname || `skillkit-host-${randomUUID().slice(0, 8)}`;
+}
+async function getLocalHostConfig() {
+  const hostsFile = await loadHostsFile();
+  return hostsFile.localHost;
+}
+async function updateLocalHostConfig(updates) {
+  return withFileLock(async () => {
+    const hostsFile = await loadHostsFile();
+    hostsFile.localHost = { ...hostsFile.localHost, ...updates };
+    await saveHostsFile(hostsFile);
+    return hostsFile.localHost;
+  });
+}
+async function addKnownHost(host) {
+  return withFileLock(async () => {
+    const hostsFile = await loadHostsFile();
+    const existingIndex = hostsFile.knownHosts.findIndex((h) => h.id === host.id);
+    if (existingIndex >= 0) {
+      hostsFile.knownHosts[existingIndex] = host;
+    } else {
+      hostsFile.knownHosts.push(host);
+    }
+    await saveHostsFile(hostsFile);
+  });
+}
+async function removeKnownHost(hostId) {
+  return withFileLock(async () => {
+    const hostsFile = await loadHostsFile();
+    const initialLength = hostsFile.knownHosts.length;
+    hostsFile.knownHosts = hostsFile.knownHosts.filter((h) => h.id !== hostId);
+    if (hostsFile.knownHosts.length < initialLength) {
+      await saveHostsFile(hostsFile);
+      return true;
+    }
+    return false;
+  });
+}
+async function getKnownHosts() {
+  const hostsFile = await loadHostsFile();
+  return hostsFile.knownHosts;
+}
+async function getKnownHost(hostId) {
+  const hosts = await getKnownHosts();
+  return hosts.find((h) => h.id === hostId);
+}
+async function updateKnownHost(hostId, updates) {
+  const hostsFile = await loadHostsFile();
+  const index = hostsFile.knownHosts.findIndex((h) => h.id === hostId);
+  if (index < 0) return null;
+  hostsFile.knownHosts[index] = { ...hostsFile.knownHosts[index], ...updates };
+  await saveHostsFile(hostsFile);
+  return hostsFile.knownHosts[index];
+}
+async function initializeHostsFile() {
+  if (!existsSync(HOSTS_FILE_PATH)) {
+    const hostsFile = createDefaultHostsFile();
+    await saveHostsFile(hostsFile);
+    return hostsFile;
+  }
+  return loadHostsFile();
+}
+var HOSTS_FILE_PATH, fileLock;
+var init_hosts_config = __esm({
+  "src/config/hosts-config.ts"() {
+    "use strict";
+    init_types();
+    HOSTS_FILE_PATH = join(homedir(), ".skillkit", "hosts.json");
+    fileLock = null;
+  }
+});
+
+// src/config/index.ts
+var config_exports = {};
+__export(config_exports, {
+  addKnownHost: () => addKnownHost,
+  createDefaultHostsFile: () => createDefaultHostsFile,
+  getHostsFilePath: () => getHostsFilePath,
+  getKnownHost: () => getKnownHost,
+  getKnownHosts: () => getKnownHosts,
+  getLocalHostConfig: () => getLocalHostConfig,
+  initializeHostsFile: () => initializeHostsFile,
+  loadHostsFile: () => loadHostsFile,
+  removeKnownHost: () => removeKnownHost,
+  saveHostsFile: () => saveHostsFile,
+  updateKnownHost: () => updateKnownHost,
+  updateLocalHostConfig: () => updateLocalHostConfig
+});
+var init_config = __esm({
+  "src/config/index.ts"() {
+    "use strict";
+    init_hosts_config();
+  }
+});
+
+// src/crypto/identity.ts
+import * as ed25519 from "@noble/ed25519";
+import { x25519 } from "@noble/curves/ed25519";
+import { sha256 } from "@noble/hashes/sha256";
+import { bytesToHex, hexToBytes } from "@noble/hashes/utils";
+import { randomBytes } from "@noble/ciphers/webcrypto";
+var PeerIdentity;
+var init_identity = __esm({
+  "src/crypto/identity.ts"() {
+    "use strict";
+    PeerIdentity = class _PeerIdentity {
+      keypair;
+      constructor(keypair) {
+        this.keypair = keypair;
+      }
+      static async generate() {
+        const privateKey = randomBytes(32);
+        const publicKey = await ed25519.getPublicKeyAsync(privateKey);
+        const fingerprint = _PeerIdentity.computeFingerprint(publicKey);
+        return new _PeerIdentity({
+          publicKey,
+          privateKey,
+          fingerprint
+        });
+      }
+      static async fromPrivateKey(privateKey) {
+        if (privateKey.length !== 32) {
+          throw new Error("Private key must be 32 bytes");
+        }
+        const publicKey = await ed25519.getPublicKeyAsync(privateKey);
+        const fingerprint = _PeerIdentity.computeFingerprint(publicKey);
+        return new _PeerIdentity({
+          publicKey,
+          privateKey,
+          fingerprint
+        });
+      }
+      static fromSerialized(data) {
+        const publicKey = hexToBytes(data.publicKey);
+        const privateKey = hexToBytes(data.privateKey);
+        const fingerprint = data.fingerprint;
+        const computed = _PeerIdentity.computeFingerprint(publicKey);
+        if (computed !== fingerprint) {
+          throw new Error("Fingerprint mismatch - corrupted identity");
+        }
+        return new _PeerIdentity({
+          publicKey,
+          privateKey,
+          fingerprint
+        });
+      }
+      static computeFingerprint(publicKey) {
+        const hash = sha256(publicKey);
+        return bytesToHex(hash.slice(0, 8));
+      }
+      static async verify(signature, message, publicKey) {
+        try {
+          return await ed25519.verifyAsync(signature, message, publicKey);
+        } catch {
+          return false;
+        }
+      }
+      static async verifyHex(signatureHex, messageHex, publicKeyHex) {
+        try {
+          const signature = hexToBytes(signatureHex);
+          const message = hexToBytes(messageHex);
+          const publicKey = hexToBytes(publicKeyHex);
+          return await _PeerIdentity.verify(signature, message, publicKey);
+        } catch {
+          return false;
+        }
+      }
+      async sign(message) {
+        return await ed25519.signAsync(message, this.keypair.privateKey);
+      }
+      async signString(message) {
+        const messageBytes = new TextEncoder().encode(message);
+        const signature = await this.sign(messageBytes);
+        return bytesToHex(signature);
+      }
+      async signObject(obj) {
+        const message = JSON.stringify(obj);
+        return await this.signString(message);
+      }
+      deriveSharedSecret(peerPublicKey) {
+        const x25519PrivateKey = this.keypair.privateKey;
+        return x25519.scalarMult(x25519PrivateKey, peerPublicKey);
+      }
+      deriveSharedSecretHex(peerPublicKeyHex) {
+        const peerPublicKey = hexToBytes(peerPublicKeyHex);
+        return this.deriveSharedSecret(peerPublicKey);
+      }
+      serialize() {
+        return {
+          publicKey: bytesToHex(this.keypair.publicKey),
+          privateKey: bytesToHex(this.keypair.privateKey),
+          fingerprint: this.keypair.fingerprint
+        };
+      }
+      get publicKey() {
+        return this.keypair.publicKey;
+      }
+      get publicKeyHex() {
+        return bytesToHex(this.keypair.publicKey);
+      }
+      get privateKey() {
+        return this.keypair.privateKey;
+      }
+      get privateKeyHex() {
+        return bytesToHex(this.keypair.privateKey);
+      }
+      get fingerprint() {
+        return this.keypair.fingerprint;
+      }
+      toJSON() {
+        return {
+          publicKey: this.publicKeyHex,
+          fingerprint: this.fingerprint
+        };
+      }
+    };
+  }
+});
+
+// src/peer/registry.ts
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { existsSync as existsSync2 } from "fs";
+import { join as join2 } from "path";
+import { homedir as homedir2 } from "os";
+async function getPeerRegistry() {
+  if (!globalRegistry) {
+    globalRegistry = new PeerRegistryManager();
+    await globalRegistry.initialize();
+  }
+  return globalRegistry;
+}
+var PEERS_DIR, PeerRegistryManager, globalRegistry;
+var init_registry = __esm({
+  "src/peer/registry.ts"() {
+    "use strict";
+    init_hosts_config();
+    PEERS_DIR = join2(homedir2(), ".skillkit", "mesh", "peers");
+    PeerRegistryManager = class {
+      registry = {
+        peers: /* @__PURE__ */ new Map(),
+        localPeers: /* @__PURE__ */ new Map()
+      };
+      async initialize() {
+        await mkdir2(PEERS_DIR, { recursive: true });
+        await this.loadLocalPeers();
+      }
+      async registerLocalPeer(registration) {
+        const localConfig = await getLocalHostConfig();
+        const peer = {
+          hostId: localConfig.id,
+          agentId: registration.agentId,
+          agentName: registration.agentName,
+          aliases: registration.aliases,
+          capabilities: registration.capabilities,
+          status: "online",
+          lastSeen: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        this.registry.localPeers.set(peer.agentId, peer);
+        await this.saveLocalPeers();
+        return peer;
+      }
+      async unregisterLocalPeer(agentId) {
+        const deleted = this.registry.localPeers.delete(agentId);
+        if (deleted) {
+          await this.saveLocalPeers();
+        }
+        return deleted;
+      }
+      registerRemotePeer(peer) {
+        const key = `${peer.hostId}:${peer.agentId}`;
+        this.registry.peers.set(key, peer);
+      }
+      unregisterRemotePeer(hostId, agentId) {
+        const key = `${hostId}:${agentId}`;
+        return this.registry.peers.delete(key);
+      }
+      getPeer(hostId, agentId) {
+        const key = `${hostId}:${agentId}`;
+        return this.registry.peers.get(key);
+      }
+      getLocalPeer(agentId) {
+        return this.registry.localPeers.get(agentId);
+      }
+      getAllPeers() {
+        return [
+          ...Array.from(this.registry.localPeers.values()),
+          ...Array.from(this.registry.peers.values())
+        ];
+      }
+      getLocalPeers() {
+        return Array.from(this.registry.localPeers.values());
+      }
+      getRemotePeers() {
+        return Array.from(this.registry.peers.values());
+      }
+      getPeersByHost(hostId) {
+        return this.getAllPeers().filter((p) => p.hostId === hostId);
+      }
+      findPeerByName(name) {
+        const lowerName = name.toLowerCase();
+        for (const peer of this.getAllPeers()) {
+          if (peer.agentName.toLowerCase() === lowerName) {
+            return peer;
+          }
+          if (peer.aliases.some((a) => a.toLowerCase() === lowerName)) {
+            return peer;
+          }
+        }
+        return void 0;
+      }
+      findPeersByCapability(capability) {
+        return this.getAllPeers().filter((p) => p.capabilities.includes(capability));
+      }
+      async resolvePeerAddress(nameOrId) {
+        const parts = nameOrId.split("@");
+        const peerName = parts[0];
+        const hostName = parts[1];
+        if (hostName) {
+          const hosts2 = await getKnownHosts();
+          const host2 = hosts2.find(
+            (h) => h.name.toLowerCase() === hostName.toLowerCase() || h.id === hostName
+          );
+          if (!host2) return null;
+          const peer2 = this.getPeersByHost(host2.id).find(
+            (p) => p.agentName.toLowerCase() === peerName.toLowerCase() || p.agentId === peerName || p.aliases.some((a) => a.toLowerCase() === peerName.toLowerCase())
+          );
+          if (!peer2) return null;
+          return { host: host2, peer: peer2 };
+        }
+        const peer = this.findPeerByName(peerName);
+        if (!peer) return null;
+        const hosts = await getKnownHosts();
+        const host = hosts.find((h) => h.id === peer.hostId);
+        if (!host) {
+          const localConfig = await getLocalHostConfig();
+          if (peer.hostId === localConfig.id) {
+            return {
+              host: {
+                id: localConfig.id,
+                name: localConfig.name,
+                address: "127.0.0.1",
+                port: localConfig.port,
+                status: "online",
+                lastSeen: (/* @__PURE__ */ new Date()).toISOString()
+              },
+              peer
+            };
+          }
+          return null;
+        }
+        return { host, peer };
+      }
+      updatePeerStatus(hostId, agentId, status) {
+        const key = `${hostId}:${agentId}`;
+        const peer = this.registry.peers.get(key);
+        if (peer) {
+          peer.status = status;
+          peer.lastSeen = (/* @__PURE__ */ new Date()).toISOString();
+        }
+      }
+      markHostOffline(hostId) {
+        for (const [, peer] of this.registry.peers) {
+          if (peer.hostId === hostId) {
+            peer.status = "offline";
+          }
+        }
+      }
+      markHostOnline(hostId) {
+        for (const [, peer] of this.registry.peers) {
+          if (peer.hostId === hostId) {
+            peer.status = "online";
+            peer.lastSeen = (/* @__PURE__ */ new Date()).toISOString();
+          }
+        }
+      }
+      clearRemotePeers() {
+        this.registry.peers.clear();
+      }
+      async loadLocalPeers() {
+        const filePath = join2(PEERS_DIR, "local-peers.json");
+        if (!existsSync2(filePath)) return;
+        try {
+          const content = await readFile2(filePath, "utf-8");
+          const peers = JSON.parse(content);
+          for (const peer of peers) {
+            this.registry.localPeers.set(peer.agentId, peer);
+          }
+        } catch {
+        }
+      }
+      async saveLocalPeers() {
+        const filePath = join2(PEERS_DIR, "local-peers.json");
+        const peers = Array.from(this.registry.localPeers.values());
+        await mkdir2(PEERS_DIR, { recursive: true });
+        await writeFile2(filePath, JSON.stringify(peers, null, 2), "utf-8");
+      }
+    };
+    globalRegistry = null;
+  }
+});
+
+// src/peer/health.ts
+import got from "got";
+async function checkHostHealth(host, options = {}) {
+  const timeout = options.timeout ?? HEALTH_CHECK_TIMEOUT;
+  const startTime = Date.now();
+  const result = {
+    hostId: host.id,
+    address: host.address,
+    port: host.port,
+    status: "unknown",
+    latencyMs: 0,
+    checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  try {
+    const url = `http://${host.address}:${host.port}/health`;
+    const response = await got.get(url, {
+      timeout: { request: timeout },
+      retry: { limit: 0 },
+      throwHttpErrors: false
+    });
+    result.latencyMs = Date.now() - startTime;
+    if (response.statusCode === 200) {
+      result.status = "online";
+    } else {
+      result.status = "offline";
+      result.error = `HTTP ${response.statusCode}`;
+    }
+  } catch (err) {
+    result.latencyMs = Date.now() - startTime;
+    result.status = "offline";
+    result.error = err.code || err.message || "Connection failed";
+  }
+  if (options.updateStatus !== false) {
+    await updateKnownHost(host.id, {
+      status: result.status,
+      lastSeen: result.status === "online" ? result.checkedAt : host.lastSeen
+    });
+  }
+  return result;
+}
+async function checkAllHostsHealth(options = {}) {
+  const hosts = await getKnownHosts();
+  const results = await Promise.all(hosts.map((host) => checkHostHealth(host, options)));
+  return results;
+}
+async function getOnlineHosts() {
+  const hosts = await getKnownHosts();
+  return hosts.filter((h) => h.status === "online");
+}
+async function getOfflineHosts() {
+  const hosts = await getKnownHosts();
+  return hosts.filter((h) => h.status === "offline");
+}
+async function waitForHost(host, maxWaitMs = 3e4, intervalMs = 1e3) {
+  const deadline = Date.now() + maxWaitMs;
+  while (Date.now() < deadline) {
+    const result = await checkHostHealth(host, { updateStatus: false });
+    if (result.status === "online") {
+      await updateKnownHost(host.id, {
+        status: "online",
+        lastSeen: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return true;
+    }
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+  }
+  return false;
+}
+var HealthMonitor;
+var init_health = __esm({
+  "src/peer/health.ts"() {
+    "use strict";
+    init_types();
+    init_hosts_config();
+    HealthMonitor = class {
+      interval = null;
+      running = false;
+      checking = false;
+      onStatusChange;
+      constructor(options = {}) {
+        this.onStatusChange = options.onStatusChange;
+      }
+      async start(intervalMs = 3e4) {
+        if (this.running) return;
+        this.running = true;
+        await this.checkAll();
+        this.interval = setInterval(() => {
+          if (!this.checking) {
+            this.checking = true;
+            this.checkAll().finally(() => {
+              this.checking = false;
+            });
+          }
+        }, intervalMs);
+      }
+      stop() {
+        if (!this.running) return;
+        if (this.interval) {
+          clearInterval(this.interval);
+          this.interval = null;
+        }
+        this.running = false;
+      }
+      isRunning() {
+        return this.running;
+      }
+      async checkAll() {
+        const hosts = await getKnownHosts();
+        for (const host of hosts) {
+          const oldStatus = host.status;
+          const result = await checkHostHealth(host);
+          if (this.onStatusChange && oldStatus !== result.status) {
+            this.onStatusChange(host, oldStatus, result.status);
+          }
+        }
+      }
+    };
+  }
+});
+
+// src/peer/index.ts
+var peer_exports = {};
+__export(peer_exports, {
+  HealthMonitor: () => HealthMonitor,
+  PeerRegistryManager: () => PeerRegistryManager,
+  checkAllHostsHealth: () => checkAllHostsHealth,
+  checkHostHealth: () => checkHostHealth,
+  getOfflineHosts: () => getOfflineHosts,
+  getOnlineHosts: () => getOnlineHosts,
+  getPeerRegistry: () => getPeerRegistry,
+  waitForHost: () => waitForHost
+});
+var init_peer = __esm({
+  "src/peer/index.ts"() {
+    "use strict";
+    init_registry();
+    init_health();
+  }
+});
+
+// src/crypto/encryption.ts
+import { xchacha20poly1305 } from "@noble/ciphers/chacha";
+import { randomBytes as randomBytes2 } from "@noble/ciphers/webcrypto";
+import { bytesToHex as bytesToHex2, hexToBytes as hexToBytes3 } from "@noble/hashes/utils";
+import { hkdf } from "@noble/hashes/hkdf";
+import { sha256 as sha2562 } from "@noble/hashes/sha256";
+import { x25519 as x255192 } from "@noble/curves/ed25519";
+function generateNonce() {
+  return bytesToHex2(randomBytes2(24));
+}
+function generateMessageId() {
+  return bytesToHex2(randomBytes2(16));
+}
+var MessageEncryption, PublicKeyEncryption;
+var init_encryption = __esm({
+  "src/crypto/encryption.ts"() {
+    "use strict";
+    MessageEncryption = class _MessageEncryption {
+      key;
+      constructor(sharedSecret) {
+        this.key = hkdf(sha2562, sharedSecret, void 0, "skillkit-mesh-v1", 32);
+      }
+      encrypt(plaintext) {
+        const nonce = randomBytes2(24);
+        const data = typeof plaintext === "string" ? new TextEncoder().encode(plaintext) : plaintext;
+        const cipher = xchacha20poly1305(this.key, nonce);
+        const ciphertext = cipher.encrypt(data);
+        return {
+          nonce: bytesToHex2(nonce),
+          ciphertext: bytesToHex2(ciphertext)
+        };
+      }
+      decrypt(encrypted) {
+        const nonce = hexToBytes3(encrypted.nonce);
+        const ciphertext = hexToBytes3(encrypted.ciphertext);
+        const cipher = xchacha20poly1305(this.key, nonce);
+        return cipher.decrypt(ciphertext);
+      }
+      decryptToString(encrypted) {
+        const plaintext = this.decrypt(encrypted);
+        return new TextDecoder().decode(plaintext);
+      }
+      decryptToObject(encrypted) {
+        const plaintext = this.decryptToString(encrypted);
+        return JSON.parse(plaintext);
+      }
+      encryptObject(obj) {
+        return this.encrypt(JSON.stringify(obj));
+      }
+      static fromSharedSecret(sharedSecret) {
+        return new _MessageEncryption(sharedSecret);
+      }
+    };
+    PublicKeyEncryption = class _PublicKeyEncryption {
+      static encrypt(message, recipientPublicKey) {
+        const ephemeralPrivateKey = randomBytes2(32);
+        const ephemeralPublicKey = x255192.scalarMultBase(ephemeralPrivateKey);
+        const sharedSecret = x255192.scalarMult(ephemeralPrivateKey, recipientPublicKey);
+        const key = hkdf(sha2562, sharedSecret, void 0, "skillkit-mesh-pk-v1", 32);
+        const nonce = randomBytes2(24);
+        const cipher = xchacha20poly1305(key, nonce);
+        const ciphertext = cipher.encrypt(message);
+        return {
+          ephemeralPublicKey: bytesToHex2(ephemeralPublicKey),
+          nonce: bytesToHex2(nonce),
+          ciphertext: bytesToHex2(ciphertext)
+        };
+      }
+      static encryptString(message, recipientPublicKey) {
+        const messageBytes = new TextEncoder().encode(message);
+        return _PublicKeyEncryption.encrypt(messageBytes, recipientPublicKey);
+      }
+      static encryptStringHex(message, recipientPublicKeyHex) {
+        const recipientPublicKey = hexToBytes3(recipientPublicKeyHex);
+        return _PublicKeyEncryption.encryptString(message, recipientPublicKey);
+      }
+      static decrypt(encrypted, recipientPrivateKey) {
+        const ephemeralPublicKey = hexToBytes3(encrypted.ephemeralPublicKey);
+        const nonce = hexToBytes3(encrypted.nonce);
+        const ciphertext = hexToBytes3(encrypted.ciphertext);
+        const sharedSecret = x255192.scalarMult(recipientPrivateKey, ephemeralPublicKey);
+        const key = hkdf(sha2562, sharedSecret, void 0, "skillkit-mesh-pk-v1", 32);
+        const cipher = xchacha20poly1305(key, nonce);
+        return cipher.decrypt(ciphertext);
+      }
+      static decryptToString(encrypted, recipientPrivateKey) {
+        const plaintext = _PublicKeyEncryption.decrypt(encrypted, recipientPrivateKey);
+        return new TextDecoder().decode(plaintext);
+      }
+      static decryptToObject(encrypted, recipientPrivateKey) {
+        const plaintext = _PublicKeyEncryption.decryptToString(
+          encrypted,
+          recipientPrivateKey
+        );
+        return JSON.parse(plaintext);
+      }
+    };
+  }
+});
+
+// src/crypto/signatures.ts
+import { bytesToHex as bytesToHex4, hexToBytes as hexToBytes6 } from "@noble/hashes/utils";
+import { sha256 as sha2563 } from "@noble/hashes/sha256";
+function generateNonce2() {
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  return bytesToHex4(bytes);
+}
+function canonicalize(obj) {
+  if (obj === null || obj === void 0) {
+    return "null";
+  }
+  if (typeof obj !== "object") {
+    return JSON.stringify(obj);
+  }
+  if (Array.isArray(obj)) {
+    return "[" + obj.map(canonicalize).join(",") + "]";
+  }
+  const keys = Object.keys(obj).sort();
+  const pairs = keys.map((key) => {
+    const value = obj[key];
+    return JSON.stringify(key) + ":" + canonicalize(value);
+  });
+  return "{" + pairs.join(",") + "}";
+}
+function hashData(data) {
+  const canonical = canonicalize(data);
+  return sha2563(new TextEncoder().encode(canonical));
+}
+async function signData(data, identity) {
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const nonce = generateNonce2();
+  const toSign = {
+    data,
+    timestamp,
+    nonce,
+    senderFingerprint: identity.fingerprint
+  };
+  const hash = hashData(toSign);
+  const signature = await identity.sign(hash);
+  return {
+    data,
+    signature: bytesToHex4(signature),
+    senderFingerprint: identity.fingerprint,
+    senderPublicKey: identity.publicKeyHex,
+    timestamp,
+    nonce
+  };
+}
+async function verifySignedData(signed, trustedPublicKey) {
+  try {
+    const publicKey = trustedPublicKey || hexToBytes6(signed.senderPublicKey);
+    const computedFingerprint = PeerIdentity.computeFingerprint(publicKey);
+    if (computedFingerprint !== signed.senderFingerprint) {
+      return {
+        valid: false,
+        error: "Fingerprint mismatch"
+      };
+    }
+    const toSign = {
+      data: signed.data,
+      timestamp: signed.timestamp,
+      nonce: signed.nonce,
+      senderFingerprint: signed.senderFingerprint
+    };
+    const hash = hashData(toSign);
+    const signature = hexToBytes6(signed.signature);
+    const valid = await PeerIdentity.verify(signature, hash, publicKey);
+    if (!valid) {
+      return {
+        valid: false,
+        error: "Invalid signature"
+      };
+    }
+    return {
+      valid: true,
+      fingerprint: signed.senderFingerprint
+    };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Unknown error"
+    };
+  }
+}
+function isSignedDataExpired(signed, maxAgeMs = 5 * 60 * 1e3) {
+  const timestamp = new Date(signed.timestamp).getTime();
+  const now = Date.now();
+  return now - timestamp > maxAgeMs;
+}
+function extractSignerFingerprint(signed) {
+  try {
+    const publicKey = hexToBytes6(signed.senderPublicKey);
+    const computed = PeerIdentity.computeFingerprint(publicKey);
+    if (computed === signed.senderFingerprint) {
+      return signed.senderFingerprint;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+var init_signatures = __esm({
+  "src/crypto/signatures.ts"() {
+    "use strict";
+    init_identity();
+  }
+});
+
+// src/crypto/storage.ts
+import {
+  createCipheriv,
+  createDecipheriv,
+  randomBytes as randomBytes4,
+  scrypt,
+  createHash as createHash2
+} from "crypto";
+import { readFile as readFile4, writeFile as writeFile4, mkdir as mkdir4 } from "fs/promises";
+import { dirname as dirname2 } from "path";
+import { existsSync as existsSync4 } from "fs";
+function deriveKey(passphrase, salt) {
+  return new Promise((resolve, reject) => {
+    const options = {
+      N: SCRYPT_N,
+      r: SCRYPT_R,
+      p: SCRYPT_P
+    };
+    scrypt(passphrase, salt, KEY_LENGTH, options, (err, derivedKey) => {
+      if (err) reject(err);
+      else resolve(derivedKey);
+    });
+  });
+}
+function generateSalt() {
+  return randomBytes4(SALT_LENGTH);
+}
+function generateIV() {
+  return randomBytes4(IV_LENGTH);
+}
+function encrypt(data, key, iv) {
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(data), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return { ciphertext, authTag };
+}
+function decrypt(ciphertext, key, iv, authTag) {
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(authTag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+}
+async function encryptData(data, passphrase) {
+  const dataBytes = typeof data === "string" ? Buffer.from(data, "utf-8") : data;
+  const salt = generateSalt();
+  const iv = generateIV();
+  const key = await deriveKey(passphrase, salt);
+  const { ciphertext, authTag } = encrypt(dataBytes, key, iv);
+  return {
+    version: "2.0",
+    encrypted: true,
+    algorithm: "aes-256-gcm",
+    kdf: "scrypt",
+    salt: Buffer.from(salt).toString("hex"),
+    iv: Buffer.from(iv).toString("hex"),
+    ciphertext: ciphertext.toString("hex"),
+    authTag: authTag.toString("hex")
+  };
+}
+async function decryptData(encrypted, passphrase) {
+  if (encrypted.version !== "2.0" || !encrypted.encrypted) {
+    throw new Error("Invalid encrypted file format");
+  }
+  const salt = Buffer.from(encrypted.salt, "hex");
+  const iv = Buffer.from(encrypted.iv, "hex");
+  const ciphertext = Buffer.from(encrypted.ciphertext, "hex");
+  const authTag = Buffer.from(encrypted.authTag, "hex");
+  const key = await deriveKey(passphrase, salt);
+  return decrypt(ciphertext, key, iv, authTag);
+}
+async function encryptObject(obj, passphrase) {
+  const json = JSON.stringify(obj);
+  return encryptData(json, passphrase);
+}
+async function decryptObject(encrypted, passphrase) {
+  const decrypted = await decryptData(encrypted, passphrase);
+  return JSON.parse(decrypted.toString("utf-8"));
+}
+async function encryptFile(data, passphrase, outputPath) {
+  const dir = dirname2(outputPath);
+  if (!existsSync4(dir)) {
+    await mkdir4(dir, { recursive: true });
+  }
+  const encrypted = await encryptObject(data, passphrase);
+  await writeFile4(outputPath, JSON.stringify(encrypted, null, 2));
+}
+async function decryptFile(inputPath, passphrase) {
+  const content = await readFile4(inputPath, "utf-8");
+  const encrypted = JSON.parse(content);
+  return decryptObject(encrypted, passphrase);
+}
+function isEncryptedFile(data) {
+  if (typeof data !== "object" || data === null) return false;
+  const obj = data;
+  return obj.version === "2.0" && obj.encrypted === true && obj.algorithm === "aes-256-gcm" && obj.kdf === "scrypt" && typeof obj.salt === "string" && typeof obj.iv === "string" && typeof obj.ciphertext === "string" && typeof obj.authTag === "string";
+}
+function hashPassphrase(passphrase) {
+  return createHash2("sha256").update(passphrase).digest("hex").slice(0, 16);
+}
+function generateMachineKey() {
+  const hostname = process.env.HOSTNAME || "unknown";
+  const user = process.env.USER || process.env.USERNAME || "unknown";
+  const combined = `skillkit-mesh-${hostname}-${user}`;
+  return createHash2("sha256").update(combined).digest("hex");
+}
+var SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LENGTH, IV_LENGTH, SALT_LENGTH;
+var init_storage = __esm({
+  "src/crypto/storage.ts"() {
+    "use strict";
+    SCRYPT_N = 2 ** 14;
+    SCRYPT_R = 8;
+    SCRYPT_P = 1;
+    KEY_LENGTH = 32;
+    IV_LENGTH = 12;
+    SALT_LENGTH = 32;
+  }
+});
+
+// src/crypto/keystore.ts
+import { readFile as readFile5, writeFile as writeFile5, mkdir as mkdir5, access, unlink } from "fs/promises";
+import { join as join4 } from "path";
+import { homedir as homedir4 } from "os";
+import { existsSync as existsSync5 } from "fs";
+function getKeystore(config) {
+  if (!globalKeystore) {
+    globalKeystore = new SecureKeystore(config);
+  }
+  return globalKeystore;
+}
+function resetKeystore() {
+  globalKeystore = null;
+}
+var DEFAULT_KEYSTORE_PATH, SecureKeystore, globalKeystore;
+var init_keystore = __esm({
+  "src/crypto/keystore.ts"() {
+    "use strict";
+    init_identity();
+    init_storage();
+    DEFAULT_KEYSTORE_PATH = join4(homedir4(), ".skillkit", "mesh", "identity");
+    SecureKeystore = class {
+      path;
+      passphrase;
+      identity = null;
+      keystoreData = null;
+      constructor(config = {}) {
+        this.path = config.path || DEFAULT_KEYSTORE_PATH;
+        if (config.encryptionKey) {
+          this.passphrase = config.encryptionKey;
+        } else if (config.useMachineKey !== false) {
+          this.passphrase = generateMachineKey();
+        } else {
+          throw new Error("Encryption key or machine key required");
+        }
+      }
+      get keypairPath() {
+        return join4(this.path, "keypair.enc");
+      }
+      get keystoreDataPath() {
+        return join4(this.path, "keystore.json");
+      }
+      async ensureDirectory() {
+        if (!existsSync5(this.path)) {
+          await mkdir5(this.path, { recursive: true, mode: 448 });
+        }
+      }
+      async loadOrCreateIdentity() {
+        if (this.identity) {
+          return this.identity;
+        }
+        await this.ensureDirectory();
+        try {
+          await access(this.keypairPath);
+          const content = await readFile5(this.keypairPath, "utf-8");
+          const encrypted = JSON.parse(content);
+          if (isEncryptedFile(encrypted)) {
+            const serialized = await decryptObject(
+              encrypted,
+              this.passphrase
+            );
+            this.identity = PeerIdentity.fromSerialized(serialized);
+          } else {
+            this.identity = PeerIdentity.fromSerialized(encrypted);
+          }
+        } catch {
+          this.identity = await PeerIdentity.generate();
+          await this.saveIdentity();
+        }
+        return this.identity;
+      }
+      async saveIdentity() {
+        if (!this.identity) {
+          throw new Error("No identity to save");
+        }
+        await this.ensureDirectory();
+        const serialized = this.identity.serialize();
+        const encrypted = await encryptObject(serialized, this.passphrase);
+        await writeFile5(this.keypairPath, JSON.stringify(encrypted, null, 2), {
+          mode: 384
+        });
+      }
+      async getIdentity() {
+        return this.identity;
+      }
+      async hasIdentity() {
+        try {
+          await access(this.keypairPath);
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      async deleteIdentity() {
+        try {
+          await unlink(this.keypairPath);
+          this.identity = null;
+        } catch {
+        }
+      }
+      async loadKeystoreData() {
+        if (this.keystoreData) {
+          return this.keystoreData;
+        }
+        try {
+          await access(this.keystoreDataPath);
+          const content = await readFile5(this.keystoreDataPath, "utf-8");
+          this.keystoreData = JSON.parse(content);
+        } catch {
+          this.keystoreData = {
+            version: "1.0",
+            trustedPeers: [],
+            revokedFingerprints: []
+          };
+        }
+        return this.keystoreData;
+      }
+      async saveKeystoreData() {
+        if (!this.keystoreData) return;
+        await this.ensureDirectory();
+        await writeFile5(
+          this.keystoreDataPath,
+          JSON.stringify(this.keystoreData, null, 2),
+          { mode: 384 }
+        );
+      }
+      async addTrustedPeer(fingerprint, publicKey, name) {
+        const data = await this.loadKeystoreData();
+        const existing = data.trustedPeers.findIndex(
+          (p) => p.fingerprint === fingerprint
+        );
+        if (existing >= 0) {
+          data.trustedPeers[existing] = {
+            fingerprint,
+            publicKey,
+            name,
+            addedAt: (/* @__PURE__ */ new Date()).toISOString()
+          };
+        } else {
+          data.trustedPeers.push({
+            fingerprint,
+            publicKey,
+            name,
+            addedAt: (/* @__PURE__ */ new Date()).toISOString()
+          });
+        }
+        const revokedIndex = data.revokedFingerprints.indexOf(fingerprint);
+        if (revokedIndex >= 0) {
+          data.revokedFingerprints.splice(revokedIndex, 1);
+        }
+        await this.saveKeystoreData();
+      }
+      async removeTrustedPeer(fingerprint) {
+        const data = await this.loadKeystoreData();
+        data.trustedPeers = data.trustedPeers.filter(
+          (p) => p.fingerprint !== fingerprint
+        );
+        await this.saveKeystoreData();
+      }
+      async revokePeer(fingerprint) {
+        const data = await this.loadKeystoreData();
+        data.trustedPeers = data.trustedPeers.filter(
+          (p) => p.fingerprint !== fingerprint
+        );
+        if (!data.revokedFingerprints.includes(fingerprint)) {
+          data.revokedFingerprints.push(fingerprint);
+        }
+        await this.saveKeystoreData();
+      }
+      async isRevoked(fingerprint) {
+        const data = await this.loadKeystoreData();
+        return data.revokedFingerprints.includes(fingerprint);
+      }
+      async isTrusted(fingerprint) {
+        const data = await this.loadKeystoreData();
+        return data.trustedPeers.some((p) => p.fingerprint === fingerprint);
+      }
+      async getTrustedPeer(fingerprint) {
+        const data = await this.loadKeystoreData();
+        return data.trustedPeers.find((p) => p.fingerprint === fingerprint) || null;
+      }
+      async getTrustedPeers() {
+        const data = await this.loadKeystoreData();
+        return [...data.trustedPeers];
+      }
+      async getRevokedFingerprints() {
+        const data = await this.loadKeystoreData();
+        return [...data.revokedFingerprints];
+      }
+      async clearRevokedPeers() {
+        const data = await this.loadKeystoreData();
+        data.revokedFingerprints = [];
+        await this.saveKeystoreData();
+      }
+      async exportPublicInfo() {
+        const identity = await this.loadOrCreateIdentity();
+        return {
+          fingerprint: identity.fingerprint,
+          publicKey: identity.publicKeyHex
+        };
+      }
+    };
+    globalKeystore = null;
+  }
+});
+
+// src/crypto/index.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  MessageEncryption: () => MessageEncryption,
+  PeerIdentity: () => PeerIdentity,
+  PublicKeyEncryption: () => PublicKeyEncryption,
+  SecureKeystore: () => SecureKeystore,
+  decryptData: () => decryptData,
+  decryptFile: () => decryptFile,
+  decryptObject: () => decryptObject,
+  deriveKey: () => deriveKey,
+  encryptData: () => encryptData,
+  encryptFile: () => encryptFile,
+  encryptObject: () => encryptObject,
+  extractSignerFingerprint: () => extractSignerFingerprint,
+  generateIV: () => generateIV,
+  generateMachineKey: () => generateMachineKey,
+  generateMessageId: () => generateMessageId,
+  generateNonce: () => generateNonce,
+  generateSalt: () => generateSalt,
+  getKeystore: () => getKeystore,
+  hashPassphrase: () => hashPassphrase,
+  isEncryptedFile: () => isEncryptedFile,
+  isSignedDataExpired: () => isSignedDataExpired,
+  resetKeystore: () => resetKeystore,
+  signData: () => signData,
+  verifySignedData: () => verifySignedData
+});
+var init_crypto = __esm({
+  "src/crypto/index.ts"() {
+    "use strict";
+    init_identity();
+    init_encryption();
+    init_signatures();
+    init_keystore();
+    init_storage();
+  }
+});
+
+// src/index.ts
+init_types();
+init_config();
+
+// src/discovery/local.ts
+init_types();
+init_hosts_config();
+import { createSocket } from "dgram";
+import { networkInterfaces } from "os";
+var MULTICAST_ADDR = "239.255.255.250";
+var DISCOVERY_INTERVAL_MS = 3e4;
+var LocalDiscovery = class {
+  socket = null;
+  announceInterval = null;
+  running = false;
+  options;
+  discoveredHosts = /* @__PURE__ */ new Map();
+  constructor(options = {}) {
+    this.options = {
+      port: options.port ?? DEFAULT_DISCOVERY_PORT,
+      interval: options.interval ?? DISCOVERY_INTERVAL_MS,
+      onDiscover: options.onDiscover ?? (() => {
+      })
+    };
+  }
+  async start() {
+    if (this.running) return;
+    this.socket = createSocket({ type: "udp4", reuseAddr: true });
+    this.socket.on("message", (msg, rinfo) => {
+      this.handleMessage(msg, rinfo);
+    });
+    this.socket.on("error", (err) => {
+      console.error("Discovery socket error:", err);
+    });
+    await new Promise((resolve, reject) => {
+      this.socket.bind(this.options.port, () => {
+        try {
+          this.socket.addMembership(MULTICAST_ADDR);
+          this.socket.setBroadcast(true);
+          this.socket.setMulticastTTL(1);
+          resolve();
+        } catch (err) {
+          this.socket?.close();
+          this.socket = null;
+          reject(err);
+        }
+      });
+    });
+    this.running = true;
+    await this.announce();
+    this.announceInterval = setInterval(() => {
+      void this.announce().catch((err) => {
+        console.error("Discovery announce error:", err);
+      });
+    }, this.options.interval);
+  }
+  async stop() {
+    if (!this.running) return;
+    if (this.announceInterval) {
+      clearInterval(this.announceInterval);
+      this.announceInterval = null;
+    }
+    if (this.socket) {
+      try {
+        this.socket.dropMembership(MULTICAST_ADDR);
+      } catch {
+      }
+      this.socket.close();
+      this.socket = null;
+    }
+    this.running = false;
+  }
+  async announce() {
+    if (!this.socket || !this.running) return;
+    const localConfig = await getLocalHostConfig();
+    const localAddress = getLocalIPAddress();
+    const message = {
+      type: "announce",
+      hostId: localConfig.id,
+      hostName: localConfig.name,
+      address: localAddress,
+      port: localConfig.port,
+      tailscaleIP: localConfig.tailscaleIP,
+      version: MESH_VERSION,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const buffer = Buffer.from(JSON.stringify(message));
+    this.socket.send(buffer, 0, buffer.length, this.options.port, MULTICAST_ADDR);
+  }
+  async query() {
+    if (!this.socket || !this.running) return;
+    const localConfig = await getLocalHostConfig();
+    const localAddress = getLocalIPAddress();
+    const message = {
+      type: "query",
+      hostId: localConfig.id,
+      hostName: localConfig.name,
+      address: localAddress,
+      port: localConfig.port,
+      version: MESH_VERSION,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const buffer = Buffer.from(JSON.stringify(message));
+    this.socket.send(buffer, 0, buffer.length, this.options.port, MULTICAST_ADDR);
+  }
+  getDiscoveredHosts() {
+    return Array.from(this.discoveredHosts.values());
+  }
+  isRunning() {
+    return this.running;
+  }
+  async handleMessage(msg, rinfo) {
+    try {
+      const message = JSON.parse(msg.toString());
+      if (!message || message.type !== "announce" && message.type !== "query" && message.type !== "response") return;
+      if (!message.hostId || !message.hostName) return;
+      const port = Number(message.port);
+      if (!Number.isInteger(port) || port < 1 || port > 65535) return;
+      const localConfig = await getLocalHostConfig();
+      if (message.hostId === localConfig.id) return;
+      const host = {
+        id: message.hostId,
+        name: message.hostName,
+        address: rinfo.address,
+        port,
+        tailscaleIP: message.tailscaleIP,
+        status: "online",
+        lastSeen: (/* @__PURE__ */ new Date()).toISOString(),
+        version: message.version
+      };
+      this.discoveredHosts.set(host.id, host);
+      await addKnownHost(host);
+      this.options.onDiscover(host);
+      if (message.type === "query") {
+        await this.announce();
+      }
+    } catch {
+    }
+  }
+};
+function getLocalIPAddress() {
+  const interfaces = networkInterfaces();
+  for (const name of Object.keys(interfaces)) {
+    const iface = interfaces[name];
+    if (!iface) continue;
+    for (const addr of iface) {
+      if (addr.family === "IPv4" && !addr.internal) {
+        return addr.address;
+      }
+    }
+  }
+  return "127.0.0.1";
+}
+function getAllLocalIPAddresses() {
+  const addresses = [];
+  const interfaces = networkInterfaces();
+  for (const name of Object.keys(interfaces)) {
+    const iface = interfaces[name];
+    if (!iface) continue;
+    for (const addr of iface) {
+      if (addr.family === "IPv4" && !addr.internal) {
+        addresses.push(addr.address);
+      }
+    }
+  }
+  return addresses;
+}
+async function discoverOnce(timeout = 5e3) {
+  const discovery = new LocalDiscovery();
+  await discovery.start();
+  await discovery.query();
+  await new Promise((resolve) => setTimeout(resolve, timeout));
+  const hosts = discovery.getDiscoveredHosts();
+  await discovery.stop();
+  return hosts;
+}
+
+// src/discovery/secure-local.ts
+init_types();
+init_hosts_config();
+init_identity();
+import { createSocket as createSocket2 } from "dgram";
+import { networkInterfaces as networkInterfaces2 } from "os";
+
+// src/security/config.ts
+var SECURITY_PRESETS = {
+  development: {
+    discovery: { mode: "open" },
+    transport: { encryption: "none", tls: "none", requireAuth: false },
+    trust: { autoTrustFirst: true, requireManualApproval: false }
+  },
+  signed: {
+    discovery: { mode: "signed" },
+    transport: { encryption: "optional", tls: "none", requireAuth: false },
+    trust: { autoTrustFirst: true, requireManualApproval: false }
+  },
+  secure: {
+    discovery: { mode: "signed" },
+    transport: { encryption: "required", tls: "self-signed", requireAuth: true },
+    trust: { autoTrustFirst: true, requireManualApproval: false }
+  },
+  strict: {
+    discovery: { mode: "trusted-only" },
+    transport: { encryption: "required", tls: "self-signed", requireAuth: true },
+    trust: { autoTrustFirst: false, requireManualApproval: true }
+  }
+};
+var DEFAULT_SECURITY_CONFIG = {
+  ...SECURITY_PRESETS.secure
+};
+function getSecurityPreset(preset) {
+  return { ...SECURITY_PRESETS[preset] };
+}
+function mergeSecurityConfig(base, overrides) {
+  return {
+    identityPath: overrides.identityPath ?? base.identityPath,
+    discovery: {
+      ...base.discovery,
+      ...overrides.discovery
+    },
+    transport: {
+      ...base.transport,
+      ...overrides.transport
+    },
+    trust: {
+      ...base.trust,
+      ...overrides.trust
+    }
+  };
+}
+function validateSecurityConfig(config) {
+  const errors = [];
+  const validDiscoveryModes = ["open", "signed", "trusted-only"];
+  if (!validDiscoveryModes.includes(config.discovery.mode)) {
+    errors.push(`Invalid discovery mode: ${config.discovery.mode}`);
+  }
+  const validEncryption = ["none", "optional", "required"];
+  if (!validEncryption.includes(config.transport.encryption)) {
+    errors.push(`Invalid transport encryption: ${config.transport.encryption}`);
+  }
+  const validTLS = ["none", "self-signed", "ca-signed"];
+  if (!validTLS.includes(config.transport.tls)) {
+    errors.push(`Invalid TLS mode: ${config.transport.tls}`);
+  }
+  if (config.transport.encryption === "required" && config.transport.tls === "none") {
+    errors.push("Required encryption needs TLS enabled");
+  }
+  if (config.discovery.mode === "trusted-only" && !config.trust.trustedFingerprints?.length) {
+    if (!config.trust.autoTrustFirst) {
+      errors.push("trusted-only discovery requires trustedFingerprints or autoTrustFirst");
+    }
+  }
+  return errors;
+}
+function isSecurityEnabled(config) {
+  return config.discovery.mode !== "open" || config.transport.encryption !== "none" || config.transport.requireAuth;
+}
+function describeSecurityLevel(config) {
+  if (config.discovery.mode === "open" && config.transport.encryption === "none" && !config.transport.requireAuth) {
+    return "development (no security)";
+  }
+  if (config.discovery.mode === "trusted-only" && config.transport.encryption === "required" && config.transport.requireAuth) {
+    return "strict (maximum security)";
+  }
+  if (config.discovery.mode === "signed" && config.transport.encryption === "required" && config.transport.requireAuth) {
+    return "secure (recommended)";
+  }
+  if (config.discovery.mode === "signed") {
+    return "signed (partial security)";
+  }
+  return "custom";
+}
+
+// src/discovery/secure-local.ts
+import { hexToBytes as hexToBytes2 } from "@noble/hashes/utils";
+var MULTICAST_ADDR2 = "239.255.255.250";
+var DISCOVERY_INTERVAL_MS2 = 3e4;
+var SecureLocalDiscovery = class {
+  socket = null;
+  announceInterval = null;
+  running = false;
+  options;
+  discoveredHosts = /* @__PURE__ */ new Map();
+  identity = null;
+  keystore = null;
+  securityMode;
+  constructor(options = {}) {
+    this.options = {
+      port: options.port ?? DEFAULT_DISCOVERY_PORT,
+      interval: options.interval ?? DISCOVERY_INTERVAL_MS2,
+      onDiscover: options.onDiscover ?? (() => {
+      }),
+      security: options.security ?? DEFAULT_SECURITY_CONFIG
+    };
+    this.identity = options.identity ?? null;
+    this.keystore = options.keystore ?? null;
+    this.securityMode = this.options.security.discovery.mode;
+  }
+  async initialize() {
+    if (!this.identity && this.keystore) {
+      this.identity = await this.keystore.loadOrCreateIdentity();
+    }
+    if (!this.identity && this.securityMode !== "open") {
+      this.identity = await PeerIdentity.generate();
+    }
+  }
+  async start() {
+    if (this.running) return;
+    await this.initialize();
+    this.socket = createSocket2({ type: "udp4", reuseAddr: true });
+    this.socket.on("message", (msg, rinfo) => {
+      this.handleMessage(msg, rinfo);
+    });
+    this.socket.on("error", (err) => {
+      console.error("Discovery socket error:", err);
+    });
+    await new Promise((resolve, reject) => {
+      this.socket.bind(this.options.port, () => {
+        try {
+          this.socket.addMembership(MULTICAST_ADDR2);
+          this.socket.setBroadcast(true);
+          this.socket.setMulticastTTL(128);
+          resolve();
+        } catch (err) {
+          reject(err);
+        }
+      });
+    });
+    this.running = true;
+    await this.announce();
+    this.announceInterval = setInterval(() => {
+      this.announce();
+    }, this.options.interval);
+  }
+  async stop() {
+    if (!this.running) return;
+    if (this.announceInterval) {
+      clearInterval(this.announceInterval);
+      this.announceInterval = null;
+    }
+    if (this.socket) {
+      try {
+        this.socket.dropMembership(MULTICAST_ADDR2);
+      } catch {
+      }
+      this.socket.close();
+      this.socket = null;
+    }
+    this.running = false;
+  }
+  async announce() {
+    if (!this.socket || !this.running) return;
+    const localConfig = await getLocalHostConfig();
+    const localAddress = getLocalIPAddress2();
+    const baseMessage = {
+      type: "announce",
+      hostId: localConfig.id,
+      hostName: localConfig.name,
+      address: localAddress,
+      port: localConfig.port,
+      tailscaleIP: localConfig.tailscaleIP,
+      version: MESH_VERSION,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    let message = baseMessage;
+    if (this.identity && this.securityMode !== "open") {
+      const signature = await this.identity.signObject(baseMessage);
+      message = {
+        ...baseMessage,
+        signature,
+        publicKey: this.identity.publicKeyHex,
+        fingerprint: this.identity.fingerprint
+      };
+    }
+    const buffer = Buffer.from(JSON.stringify(message));
+    this.socket.send(buffer, 0, buffer.length, this.options.port, MULTICAST_ADDR2);
+  }
+  async query() {
+    if (!this.socket || !this.running) return;
+    const localConfig = await getLocalHostConfig();
+    const localAddress = getLocalIPAddress2();
+    const baseMessage = {
+      type: "query",
+      hostId: localConfig.id,
+      hostName: localConfig.name,
+      address: localAddress,
+      port: localConfig.port,
+      version: MESH_VERSION,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    let message = baseMessage;
+    if (this.identity && this.securityMode !== "open") {
+      const signature = await this.identity.signObject(baseMessage);
+      message = {
+        ...baseMessage,
+        signature,
+        publicKey: this.identity.publicKeyHex,
+        fingerprint: this.identity.fingerprint
+      };
+    }
+    const buffer = Buffer.from(JSON.stringify(message));
+    this.socket.send(buffer, 0, buffer.length, this.options.port, MULTICAST_ADDR2);
+  }
+  getDiscoveredHosts() {
+    return Array.from(this.discoveredHosts.values());
+  }
+  isRunning() {
+    return this.running;
+  }
+  getFingerprint() {
+    return this.identity?.fingerprint ?? null;
+  }
+  async handleMessage(msg, rinfo) {
+    try {
+      const raw = JSON.parse(msg.toString());
+      const localConfig = await getLocalHostConfig();
+      if (raw.hostId === localConfig.id) return;
+      let message;
+      let fingerprint;
+      if (this.isSignedMessage(raw)) {
+        const signedMsg = raw;
+        fingerprint = signedMsg.fingerprint;
+        if (this.securityMode === "signed" || this.securityMode === "trusted-only") {
+          const isValid = await this.verifySignedMessage(signedMsg);
+          if (!isValid) {
+            return;
+          }
+        }
+        if (this.securityMode === "trusted-only" && this.keystore) {
+          const isTrusted = await this.keystore.isTrusted(fingerprint);
+          const isRevoked = await this.keystore.isRevoked(fingerprint);
+          if (isRevoked) {
+            return;
+          }
+          if (!isTrusted) {
+            if (this.options.security.trust.autoTrustFirst) {
+              await this.keystore.addTrustedPeer(
+                fingerprint,
+                signedMsg.publicKey,
+                signedMsg.hostName
+              );
+            } else {
+              return;
+            }
+          }
+        }
+        message = {
+          type: signedMsg.type,
+          hostId: signedMsg.hostId,
+          hostName: signedMsg.hostName,
+          address: signedMsg.address,
+          port: signedMsg.port,
+          tailscaleIP: signedMsg.tailscaleIP,
+          version: signedMsg.version,
+          timestamp: signedMsg.timestamp
+        };
+      } else {
+        if (this.securityMode !== "open") {
+          return;
+        }
+        message = raw;
+      }
+      const host = {
+        id: message.hostId,
+        name: message.hostName,
+        address: message.address || rinfo.address,
+        port: message.port,
+        tailscaleIP: message.tailscaleIP,
+        status: "online",
+        lastSeen: (/* @__PURE__ */ new Date()).toISOString(),
+        version: message.version,
+        metadata: fingerprint ? { fingerprint } : void 0
+      };
+      this.discoveredHosts.set(host.id, host);
+      await addKnownHost(host);
+      this.options.onDiscover(host, fingerprint);
+      if (message.type === "query") {
+        await this.announce();
+      }
+    } catch {
+    }
+  }
+  isSignedMessage(msg) {
+    if (typeof msg !== "object" || msg === null) return false;
+    const obj = msg;
+    return typeof obj.signature === "string" && typeof obj.publicKey === "string" && typeof obj.fingerprint === "string";
+  }
+  async verifySignedMessage(msg) {
+    try {
+      const publicKey = hexToBytes2(msg.publicKey);
+      const computedFingerprint = PeerIdentity.computeFingerprint(publicKey);
+      if (computedFingerprint !== msg.fingerprint) {
+        return false;
+      }
+      const baseMessage = {
+        type: msg.type,
+        hostId: msg.hostId,
+        hostName: msg.hostName,
+        address: msg.address,
+        port: msg.port,
+        tailscaleIP: msg.tailscaleIP,
+        version: msg.version,
+        timestamp: msg.timestamp
+      };
+      const messageBytes = new TextEncoder().encode(JSON.stringify(baseMessage));
+      const signature = hexToBytes2(msg.signature);
+      return await PeerIdentity.verify(signature, messageBytes, publicKey);
+    } catch {
+      return false;
+    }
+  }
+};
+function getLocalIPAddress2() {
+  const interfaces = networkInterfaces2();
+  for (const name of Object.keys(interfaces)) {
+    const iface = interfaces[name];
+    if (!iface) continue;
+    for (const addr of iface) {
+      if (addr.family === "IPv4" && !addr.internal) {
+        return addr.address;
+      }
+    }
+  }
+  return "127.0.0.1";
+}
+async function discoverOnceSecure(timeout = 5e3, options = {}) {
+  const discovery = new SecureLocalDiscovery(options);
+  await discovery.start();
+  await discovery.query();
+  await new Promise((resolve) => setTimeout(resolve, timeout));
+  const hosts = discovery.getDiscoveredHosts();
+  await discovery.stop();
+  return hosts;
+}
+
+// src/discovery/tailscale.ts
+init_types();
+import { exec } from "child_process";
+import { promisify } from "util";
+var execAsync = promisify(exec);
+async function getTailscaleStatus() {
+  try {
+    const { stdout } = await execAsync("tailscale status --json");
+    const status = JSON.parse(stdout);
+    const self = status.Self ? {
+      id: status.Self.ID,
+      name: status.Self.HostName,
+      tailscaleIP: status.Self.TailscaleIPs?.[0] || "",
+      hostname: status.Self.HostName,
+      online: status.Self.Online ?? true,
+      os: status.Self.OS
+    } : void 0;
+    const peers = [];
+    if (status.Peer) {
+      for (const [id, peer] of Object.entries(status.Peer)) {
+        peers.push({
+          id,
+          name: peer.HostName,
+          tailscaleIP: peer.TailscaleIPs?.[0] || "",
+          hostname: peer.HostName,
+          online: peer.Online ?? false,
+          os: peer.OS,
+          lastSeen: peer.LastSeen
+        });
+      }
+    }
+    return {
+      available: true,
+      self,
+      peers,
+      magicDNSSuffix: status.MagicDNSSuffix
+    };
+  } catch {
+    return {
+      available: false,
+      peers: []
+    };
+  }
+}
+async function isTailscaleAvailable() {
+  try {
+    await execAsync("tailscale version");
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function getTailscaleIP() {
+  const status = await getTailscaleStatus();
+  return status.self?.tailscaleIP ?? null;
+}
+async function discoverTailscaleHosts(skillkitPort) {
+  const status = await getTailscaleStatus();
+  if (!status.available) return [];
+  const hosts = [];
+  for (const peer of status.peers) {
+    if (!peer.online) continue;
+    hosts.push({
+      id: `tailscale-${peer.id}`,
+      name: peer.name,
+      address: peer.tailscaleIP,
+      port: skillkitPort,
+      tailscaleIP: peer.tailscaleIP,
+      status: "unknown",
+      lastSeen: peer.lastSeen ?? (/* @__PURE__ */ new Date()).toISOString(),
+      version: MESH_VERSION,
+      metadata: {
+        discoveredVia: "tailscale",
+        os: peer.os
+      }
+    });
+  }
+  return hosts;
+}
+async function resolveTailscaleName(hostname) {
+  const status = await getTailscaleStatus();
+  if (!status.available) return null;
+  const normalizedName = hostname.toLowerCase();
+  for (const peer of status.peers) {
+    if (peer.hostname.toLowerCase() === normalizedName || peer.name.toLowerCase() === normalizedName) {
+      return peer.tailscaleIP;
+    }
+  }
+  if (status.magicDNSSuffix && hostname.endsWith(status.magicDNSSuffix)) {
+    const shortName = hostname.slice(0, -status.magicDNSSuffix.length - 1);
+    for (const peer of status.peers) {
+      if (peer.hostname.toLowerCase() === shortName.toLowerCase()) {
+        return peer.tailscaleIP;
+      }
+    }
+  }
+  return null;
+}
+
+// src/index.ts
+init_peer();
+
+// src/transport/http.ts
+init_types();
+import got2 from "got";
+import { randomUUID as randomUUID2 } from "crypto";
+var HttpTransport = class {
+  client;
+  options;
+  constructor(host, options = {}) {
+    this.options = {
+      timeout: options.timeout ?? HEALTH_CHECK_TIMEOUT,
+      retries: options.retries ?? 2,
+      retryDelay: options.retryDelay ?? 1e3,
+      baseUrl: options.baseUrl ?? `http://${host.address}:${host.port}`,
+      headers: options.headers ?? {}
+    };
+    this.client = got2.extend({
+      prefixUrl: this.options.baseUrl,
+      timeout: { request: this.options.timeout },
+      retry: {
+        limit: this.options.retries,
+        calculateDelay: () => this.options.retryDelay
+      },
+      headers: {
+        "Content-Type": "application/json",
+        "X-SkillKit-Transport": "http",
+        ...this.options.headers
+      }
+    });
+  }
+  async send(path, payload) {
+    const message = {
+      id: randomUUID2(),
+      type: "request",
+      from: "local",
+      to: path,
+      payload,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const response = await this.client.post(path, {
+      json: message
+    });
+    return JSON.parse(response.body);
+  }
+  async sendMessage(to, type, payload) {
+    return this.send("message", {
+      to,
+      type,
+      payload
+    });
+  }
+  async registerPeer(registration) {
+    return this.send("peer/register", registration);
+  }
+  async getPeers() {
+    const response = await this.client.get("peers");
+    return JSON.parse(response.body);
+  }
+  async healthCheck() {
+    try {
+      const response = await this.client.get("health");
+      return response.statusCode === 200;
+    } catch {
+      return false;
+    }
+  }
+};
+async function sendToHost(host, path, payload, options = {}) {
+  const transport = new HttpTransport(host, options);
+  return transport.send(path, payload);
+}
+async function broadcastToHosts(hosts, path, payload, options = {}) {
+  const results = /* @__PURE__ */ new Map();
+  await Promise.all(
+    hosts.map(async (host) => {
+      try {
+        const response = await sendToHost(host, path, payload, options);
+        results.set(host.id, response);
+      } catch (err) {
+        results.set(host.id, err);
+      }
+    })
+  );
+  return results;
+}
+
+// src/transport/websocket.ts
+init_types();
+import WebSocket, { WebSocketServer } from "ws";
+import { randomUUID as randomUUID3 } from "crypto";
+var WebSocketTransport = class {
+  socket = null;
+  options;
+  url;
+  reconnectAttempts = 0;
+  messageHandlers = /* @__PURE__ */ new Set();
+  connected = false;
+  reconnectTimer = null;
+  manualClose = false;
+  constructor(host, options = {}) {
+    this.url = `ws://${host.address}:${host.port}/ws`;
+    this.options = {
+      timeout: options.timeout ?? 5e3,
+      retries: options.retries ?? 3,
+      retryDelay: options.retryDelay ?? 1e3,
+      reconnect: options.reconnect ?? true,
+      reconnectInterval: options.reconnectInterval ?? 5e3,
+      maxReconnectAttempts: options.maxReconnectAttempts ?? 10
+    };
+  }
+  async connect() {
+    return new Promise((resolve, reject) => {
+      this.socket = new WebSocket(this.url, {
+        handshakeTimeout: this.options.timeout
+      });
+      const timeout = setTimeout(() => {
+        this.socket?.close();
+        reject(new Error("Connection timeout"));
+      }, this.options.timeout);
+      this.socket.on("open", () => {
+        clearTimeout(timeout);
+        this.connected = true;
+        this.reconnectAttempts = 0;
+        resolve();
+      });
+      this.socket.on("message", (data) => {
+        try {
+          const message = JSON.parse(data.toString());
+          this.messageHandlers.forEach((handler) => handler(message, this.socket));
+        } catch {
+        }
+      });
+      this.socket.on("close", () => {
+        this.connected = false;
+        if (this.options.reconnect && !this.manualClose) {
+          this.scheduleReconnect();
+        }
+      });
+      this.socket.on("error", (err) => {
+        clearTimeout(timeout);
+        if (!this.connected) {
+          reject(err);
+        }
+      });
+    });
+  }
+  disconnect() {
+    this.manualClose = true;
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    if (this.socket) {
+      this.socket.close();
+      this.socket = null;
+    }
+    this.connected = false;
+  }
+  async send(message) {
+    if (!this.socket || !this.connected) {
+      throw new Error("Not connected");
+    }
+    const fullMessage = {
+      ...message,
+      id: randomUUID3(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    return new Promise((resolve, reject) => {
+      this.socket.send(JSON.stringify(fullMessage), (err) => {
+        if (err) reject(err);
+        else resolve();
+      });
+    });
+  }
+  onMessage(handler) {
+    this.messageHandlers.add(handler);
+    return () => this.messageHandlers.delete(handler);
+  }
+  isConnected() {
+    return this.connected;
+  }
+  scheduleReconnect() {
+    if (this.reconnectAttempts >= this.options.maxReconnectAttempts) {
+      return;
+    }
+    this.reconnectTimer = setTimeout(async () => {
+      this.reconnectAttempts++;
+      try {
+        await this.connect();
+      } catch {
+        this.scheduleReconnect();
+      }
+    }, this.options.reconnectInterval);
+  }
+};
+var WebSocketServer2 = class {
+  server = null;
+  clients = /* @__PURE__ */ new Set();
+  messageHandlers = /* @__PURE__ */ new Set();
+  port;
+  running = false;
+  constructor(port = DEFAULT_PORT) {
+    this.port = port;
+  }
+  async start() {
+    if (this.running) return;
+    return new Promise((resolve, reject) => {
+      this.server = new WebSocketServer({ port: this.port, path: "/ws" });
+      this.server.on("listening", () => {
+        this.running = true;
+        resolve();
+      });
+      this.server.on("error", (err) => {
+        reject(err);
+      });
+      this.server.on("connection", (socket) => {
+        this.clients.add(socket);
+        socket.on("message", (data) => {
+          try {
+            const message = JSON.parse(data.toString());
+            this.messageHandlers.forEach((handler) => handler(message, socket));
+          } catch {
+          }
+        });
+        socket.on("close", () => {
+          this.clients.delete(socket);
+        });
+      });
+    });
+  }
+  stop() {
+    if (!this.running) return;
+    for (const client of this.clients) {
+      client.close();
+    }
+    this.clients.clear();
+    this.server?.close();
+    this.server = null;
+    this.running = false;
+  }
+  broadcast(message) {
+    const fullMessage = {
+      ...message,
+      id: randomUUID3(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const data = JSON.stringify(fullMessage);
+    for (const client of this.clients) {
+      if (client.readyState === WebSocket.OPEN) {
+        client.send(data);
+      }
+    }
+  }
+  sendTo(socket, message) {
+    if (socket.readyState !== WebSocket.OPEN) return;
+    const fullMessage = {
+      ...message,
+      id: randomUUID3(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    socket.send(JSON.stringify(fullMessage));
+  }
+  onMessage(handler) {
+    this.messageHandlers.add(handler);
+    return () => this.messageHandlers.delete(handler);
+  }
+  getClientCount() {
+    return this.clients.size;
+  }
+  isRunning() {
+    return this.running;
+  }
+};
+
+// src/transport/secure-websocket.ts
+init_types();
+init_identity();
+init_encryption();
+import WebSocket2, { WebSocketServer as WebSocketServer3 } from "ws";
+import { createServer as createHttpsServer } from "https";
+import { randomUUID as randomUUID4 } from "crypto";
+
+// src/security/auth.ts
+init_identity();
+import { SignJWT, jwtVerify, importPKCS8, importSPKI } from "jose";
+import { randomBytes as randomBytes3, createPrivateKey, createPublicKey } from "crypto";
+import { bytesToHex as bytesToHex3, hexToBytes as hexToBytes4 } from "@noble/hashes/utils";
+var DEFAULT_TOKEN_TTL = 24 * 60 * 60;
+var CHALLENGE_SIZE = 32;
+var CHALLENGE_EXPIRY_MS = 30 * 1e3;
+var AuthManager = class {
+  identity;
+  pendingChallenges = /* @__PURE__ */ new Map();
+  constructor(identity) {
+    this.identity = identity;
+  }
+  async getSigningKey() {
+    const privateKeyObj = createPrivateKey({
+      key: Buffer.concat([
+        Buffer.from("302e020100300506032b657004220420", "hex"),
+        Buffer.from(this.identity.privateKey)
+      ]),
+      format: "der",
+      type: "pkcs8"
+    });
+    const pem = privateKeyObj.export({ type: "pkcs8", format: "pem" });
+    return importPKCS8(pem, "EdDSA");
+  }
+  async getVerifyingKey(publicKeyHex) {
+    const publicKeyBytes = hexToBytes4(publicKeyHex);
+    const publicKeyObj = createPublicKey({
+      key: Buffer.concat([
+        Buffer.from("302a300506032b6570032100", "hex"),
+        Buffer.from(publicKeyBytes)
+      ]),
+      format: "der",
+      type: "spki"
+    });
+    const pem = publicKeyObj.export({ type: "spki", format: "pem" });
+    return importSPKI(pem, "EdDSA");
+  }
+  async createToken(hostId, capabilities = [], ttlSeconds = DEFAULT_TOKEN_TTL) {
+    const now = Math.floor(Date.now() / 1e3);
+    const signingKey = await this.getSigningKey();
+    const token = await new SignJWT({
+      hostId,
+      fingerprint: this.identity.fingerprint,
+      publicKey: this.identity.publicKeyHex,
+      capabilities
+    }).setProtectedHeader({ alg: "EdDSA" }).setIssuedAt(now).setExpirationTime(now + ttlSeconds).setIssuer("skillkit-mesh").sign(signingKey);
+    return token;
+  }
+  async verifyToken(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        return null;
+      }
+      const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+      if (!payload.publicKey) {
+        return null;
+      }
+      const computedFingerprint = PeerIdentity.computeFingerprint(hexToBytes4(payload.publicKey));
+      if (computedFingerprint !== payload.fingerprint) {
+        return null;
+      }
+      const verifyingKey = await this.getVerifyingKey(payload.publicKey);
+      const { payload: verified } = await jwtVerify(token, verifyingKey, {
+        issuer: "skillkit-mesh"
+      });
+      return {
+        hostId: verified.hostId,
+        fingerprint: verified.fingerprint,
+        publicKey: verified.publicKey,
+        capabilities: verified.capabilities || [],
+        iat: verified.iat,
+        exp: verified.exp
+      };
+    } catch {
+      return null;
+    }
+  }
+  createChallenge() {
+    const challengeBytes = randomBytes3(CHALLENGE_SIZE);
+    const challenge = bytesToHex3(challengeBytes);
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    this.pendingChallenges.set(challenge, {
+      expected: challenge,
+      expires: Date.now() + CHALLENGE_EXPIRY_MS
+    });
+    this.cleanupExpiredChallenges();
+    return {
+      challenge,
+      timestamp
+    };
+  }
+  async respondToChallenge(challengeRequest) {
+    const message = `${challengeRequest.challenge}:${challengeRequest.timestamp}`;
+    const signature = await this.identity.signString(message);
+    return {
+      challenge: challengeRequest.challenge,
+      signature,
+      publicKey: this.identity.publicKeyHex,
+      fingerprint: this.identity.fingerprint,
+      timestamp: challengeRequest.timestamp
+    };
+  }
+  async verifyChallengeResponse(response) {
+    const pending = this.pendingChallenges.get(response.challenge);
+    if (!pending) {
+      return {
+        authenticated: false,
+        error: "Unknown or expired challenge"
+      };
+    }
+    if (Date.now() > pending.expires) {
+      this.pendingChallenges.delete(response.challenge);
+      return {
+        authenticated: false,
+        error: "Challenge expired"
+      };
+    }
+    try {
+      const publicKey = hexToBytes4(response.publicKey);
+      const computedFingerprint = PeerIdentity.computeFingerprint(publicKey);
+      if (computedFingerprint !== response.fingerprint) {
+        return {
+          authenticated: false,
+          error: "Fingerprint mismatch"
+        };
+      }
+      const message = `${response.challenge}:${response.timestamp}`;
+      const messageBytes = new TextEncoder().encode(message);
+      const signature = hexToBytes4(response.signature);
+      const valid = await PeerIdentity.verify(signature, messageBytes, publicKey);
+      if (!valid) {
+        return {
+          authenticated: false,
+          error: "Invalid signature"
+        };
+      }
+      this.pendingChallenges.delete(response.challenge);
+      return {
+        authenticated: true,
+        fingerprint: response.fingerprint,
+        publicKey: response.publicKey
+      };
+    } catch (error) {
+      return {
+        authenticated: false,
+        error: error instanceof Error ? error.message : "Verification failed"
+      };
+    }
+  }
+  cleanupExpiredChallenges() {
+    const now = Date.now();
+    for (const [challenge, data] of this.pendingChallenges) {
+      if (now > data.expires) {
+        this.pendingChallenges.delete(challenge);
+      }
+    }
+  }
+  async createSignedMessage(payload) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const toSign = JSON.stringify({ payload, timestamp });
+    const signature = await this.identity.signString(toSign);
+    return {
+      payload,
+      signature,
+      fingerprint: this.identity.fingerprint,
+      timestamp
+    };
+  }
+  async verifySignedMessage(message) {
+    try {
+      if (!message.publicKey) {
+        return { valid: false, error: "Missing public key" };
+      }
+      const publicKey = hexToBytes4(message.publicKey);
+      const computedFingerprint = PeerIdentity.computeFingerprint(publicKey);
+      if (computedFingerprint !== message.fingerprint) {
+        return { valid: false, error: "Fingerprint mismatch" };
+      }
+      const toSign = JSON.stringify({
+        payload: message.payload,
+        timestamp: message.timestamp
+      });
+      const messageBytes = new TextEncoder().encode(toSign);
+      const signature = hexToBytes4(message.signature);
+      const valid = await PeerIdentity.verify(signature, messageBytes, publicKey);
+      if (!valid) {
+        return { valid: false, error: "Invalid signature" };
+      }
+      return { valid: true, fingerprint: message.fingerprint };
+    } catch (error) {
+      return {
+        valid: false,
+        error: error instanceof Error ? error.message : "Verification failed"
+      };
+    }
+  }
+  get fingerprint() {
+    return this.identity.fingerprint;
+  }
+  get publicKey() {
+    return this.identity.publicKeyHex;
+  }
+};
+function extractBearerToken(authHeader) {
+  if (!authHeader) return null;
+  const match = authHeader.match(/^Bearer\s+(.+)$/i);
+  return match ? match[1] : null;
+}
+function createBearerHeader(token) {
+  return `Bearer ${token}`;
+}
+
+// src/security/tls.ts
+import {
+  generateKeyPairSync,
+  createHash
+} from "crypto";
+import { readFile as readFile3, writeFile as writeFile3, mkdir as mkdir3 } from "fs/promises";
+import { existsSync as existsSync3 } from "fs";
+import { join as join3 } from "path";
+import { homedir as homedir3 } from "os";
+var DEFAULT_CERT_PATH = join3(homedir3(), ".skillkit", "mesh", "certs");
+function generateSelfSignedCertificate(hostId, hostName, validDays = 365) {
+  const { publicKey, privateKey } = generateKeyPairSync("rsa", {
+    modulusLength: 2048,
+    publicKeyEncoding: { type: "spki", format: "pem" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" }
+  });
+  const notBefore = /* @__PURE__ */ new Date();
+  const notAfter = /* @__PURE__ */ new Date();
+  notAfter.setDate(notAfter.getDate() + validDays);
+  const serialNumber = createHash("sha256").update(hostId + Date.now().toString()).digest("hex").slice(0, 16);
+  const certPem = createSimpleCert({
+    publicKey,
+    privateKey,
+    subject: `CN=${hostName},O=SkillKit Mesh,OU=${hostId}`,
+    issuer: `CN=${hostName},O=SkillKit Mesh,OU=${hostId}`,
+    serialNumber,
+    notBefore,
+    notAfter,
+    altNames: ["localhost", "127.0.0.1", hostName]
+  });
+  return {
+    cert: certPem,
+    key: privateKey
+  };
+}
+function createSimpleCert(params) {
+  const base64Encode = (str) => Buffer.from(str).toString("base64");
+  const formatDate = (date) => {
+    const y = date.getUTCFullYear().toString().slice(-2);
+    const m = (date.getUTCMonth() + 1).toString().padStart(2, "0");
+    const d = date.getUTCDate().toString().padStart(2, "0");
+    const h = date.getUTCHours().toString().padStart(2, "0");
+    const min = date.getUTCMinutes().toString().padStart(2, "0");
+    const s = date.getUTCSeconds().toString().padStart(2, "0");
+    return `${y}${m}${d}${h}${min}${s}Z`;
+  };
+  const certInfo = {
+    version: 3,
+    serialNumber: params.serialNumber,
+    subject: params.subject,
+    issuer: params.issuer,
+    notBefore: formatDate(params.notBefore),
+    notAfter: formatDate(params.notAfter),
+    publicKey: params.publicKey,
+    altNames: params.altNames
+  };
+  const certData = JSON.stringify(certInfo);
+  const certBase64 = base64Encode(certData);
+  const lines = ["-----BEGIN CERTIFICATE-----"];
+  for (let i = 0; i < certBase64.length; i += 64) {
+    lines.push(certBase64.slice(i, i + 64));
+  }
+  lines.push("-----END CERTIFICATE-----");
+  return lines.join("\n");
+}
+var TLSManager = class _TLSManager {
+  certPath;
+  constructor(certPath) {
+    this.certPath = certPath || DEFAULT_CERT_PATH;
+  }
+  async ensureDirectory() {
+    if (!existsSync3(this.certPath)) {
+      await mkdir3(this.certPath, { recursive: true, mode: 448 });
+    }
+  }
+  async generateCertificate(hostId, hostName = "localhost", validDays = 365) {
+    await this.ensureDirectory();
+    const { cert, key } = generateSelfSignedCertificate(
+      hostId,
+      hostName,
+      validDays
+    );
+    const certFile = join3(this.certPath, `${hostId}.crt`);
+    const keyFile = join3(this.certPath, `${hostId}.key`);
+    await writeFile3(certFile, cert, { mode: 420 });
+    await writeFile3(keyFile, key, { mode: 384 });
+    const fingerprint = createHash("sha256").update(cert).digest("hex");
+    const notBefore = /* @__PURE__ */ new Date();
+    const notAfter = /* @__PURE__ */ new Date();
+    notAfter.setDate(notAfter.getDate() + validDays);
+    return {
+      cert,
+      key,
+      fingerprint,
+      notBefore,
+      notAfter,
+      subject: `CN=${hostName},O=SkillKit Mesh,OU=${hostId}`
+    };
+  }
+  async loadCertificate(hostId) {
+    const certFile = join3(this.certPath, `${hostId}.crt`);
+    const keyFile = join3(this.certPath, `${hostId}.key`);
+    if (!existsSync3(certFile) || !existsSync3(keyFile)) {
+      return null;
+    }
+    const cert = await readFile3(certFile, "utf-8");
+    const key = await readFile3(keyFile, "utf-8");
+    const fingerprint = createHash("sha256").update(cert).digest("hex");
+    return {
+      cert,
+      key,
+      fingerprint,
+      notBefore: /* @__PURE__ */ new Date(),
+      notAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1e3),
+      subject: hostId
+    };
+  }
+  async loadOrCreateCertificate(hostId, hostName = "localhost") {
+    const existing = await this.loadCertificate(hostId);
+    if (existing) {
+      return existing;
+    }
+    return this.generateCertificate(hostId, hostName);
+  }
+  async hasCertificate(hostId) {
+    const certFile = join3(this.certPath, `${hostId}.crt`);
+    return existsSync3(certFile);
+  }
+  getCertificatePath(hostId) {
+    return {
+      certPath: join3(this.certPath, `${hostId}.crt`),
+      keyPath: join3(this.certPath, `${hostId}.key`)
+    };
+  }
+  createServerContext(certInfo, options) {
+    const context = {
+      cert: certInfo.cert,
+      key: certInfo.key,
+      requestCert: options?.requestClientCert ?? false,
+      rejectUnauthorized: false
+    };
+    if (options?.trustedCAs?.length) {
+      context.ca = options.trustedCAs;
+      context.rejectUnauthorized = true;
+    }
+    return context;
+  }
+  createClientContext(certInfo, options) {
+    const context = {
+      rejectUnauthorized: false
+    };
+    if (certInfo) {
+      context.cert = certInfo.cert;
+      context.key = certInfo.key;
+    }
+    if (options?.trustedCAs?.length) {
+      context.ca = options.trustedCAs;
+    }
+    return context;
+  }
+  static computeCertFingerprint(cert) {
+    return createHash("sha256").update(cert).digest("hex");
+  }
+  static verifyCertFingerprint(cert, expectedFingerprint) {
+    const actual = _TLSManager.computeCertFingerprint(cert);
+    return actual.toLowerCase() === expectedFingerprint.toLowerCase();
+  }
+};
+var globalTLSManager = null;
+function getTLSManager(certPath) {
+  if (!globalTLSManager) {
+    globalTLSManager = new TLSManager(certPath);
+  }
+  return globalTLSManager;
+}
+function resetTLSManager() {
+  globalTLSManager = null;
+}
+
+// src/transport/secure-websocket.ts
+import { hexToBytes as hexToBytes5 } from "@noble/hashes/utils";
+var SecureWebSocketTransport = class {
+  socket = null;
+  host;
+  options;
+  identity = null;
+  keystore = null;
+  authManager = null;
+  encryption = null;
+  reconnectAttempts = 0;
+  messageHandlers = /* @__PURE__ */ new Set();
+  connected = false;
+  authenticated = false;
+  reconnectTimer = null;
+  constructor(host, options = {}) {
+    this.host = host;
+    this.options = {
+      timeout: options.timeout ?? 5e3,
+      reconnect: options.reconnect ?? true,
+      reconnectInterval: options.reconnectInterval ?? 5e3,
+      maxReconnectAttempts: options.maxReconnectAttempts ?? 10,
+      security: options.security ?? DEFAULT_SECURITY_CONFIG
+    };
+    this.identity = options.identity ?? null;
+    this.keystore = options.keystore ?? null;
+  }
+  async initialize() {
+    if (!this.identity && this.keystore) {
+      this.identity = await this.keystore.loadOrCreateIdentity();
+    }
+    if (!this.identity) {
+      this.identity = await PeerIdentity.generate();
+    }
+    this.authManager = new AuthManager(this.identity);
+  }
+  getUrl() {
+    const protocol = this.options.security.transport.tls !== "none" ? "wss" : "ws";
+    return `${protocol}://${this.host.address}:${this.host.port}/ws`;
+  }
+  async connect() {
+    if (!this.identity) {
+      await this.initialize();
+    }
+    return new Promise((resolve, reject) => {
+      const url = this.getUrl();
+      const wsOptions = {
+        handshakeTimeout: this.options.timeout,
+        rejectUnauthorized: false
+      };
+      this.socket = new WebSocket2(url, wsOptions);
+      const timeout = setTimeout(() => {
+        this.socket?.close();
+        reject(new Error("Connection timeout"));
+      }, this.options.timeout);
+      this.socket.on("open", async () => {
+        clearTimeout(timeout);
+        this.connected = true;
+        this.reconnectAttempts = 0;
+        if (this.options.security.transport.requireAuth) {
+          try {
+            await this.performClientHandshake();
+            this.authenticated = true;
+          } catch (err) {
+            this.socket?.close();
+            reject(new Error(`Authentication failed: ${err}`));
+            return;
+          }
+        } else {
+          this.authenticated = true;
+        }
+        resolve();
+      });
+      this.socket.on("message", async (data) => {
+        try {
+          const raw = JSON.parse(data.toString());
+          if (raw.type === "auth:challenge") {
+            return;
+          }
+          let message;
+          let senderFingerprint;
+          if (this.encryption && raw.ciphertext) {
+            const decrypted = this.encryption.decryptToObject({
+              nonce: raw.nonce,
+              ciphertext: raw.ciphertext
+            });
+            message = decrypted;
+            senderFingerprint = raw.senderFingerprint;
+          } else if (raw.signature) {
+            const secure = raw;
+            senderFingerprint = secure.senderFingerprint;
+            message = {
+              id: secure.id,
+              type: secure.type,
+              from: secure.from,
+              to: secure.to,
+              payload: secure.payload,
+              timestamp: secure.timestamp
+            };
+          } else {
+            message = raw;
+          }
+          this.messageHandlers.forEach(
+            (handler) => handler(message, this.socket, senderFingerprint)
+          );
+        } catch {
+        }
+      });
+      this.socket.on("close", () => {
+        this.connected = false;
+        this.authenticated = false;
+        if (this.options.reconnect) {
+          this.scheduleReconnect();
+        }
+      });
+      this.socket.on("error", (err) => {
+        clearTimeout(timeout);
+        if (!this.connected) {
+          reject(err);
+        }
+      });
+    });
+  }
+  async performClientHandshake() {
+    return new Promise((resolve, reject) => {
+      const handleChallenge = async (data) => {
+        try {
+          const msg = JSON.parse(data.toString());
+          if (msg.type === "auth:challenge") {
+            const challenge = {
+              challenge: msg.challenge,
+              timestamp: msg.timestamp
+            };
+            const response = await this.authManager.respondToChallenge(challenge);
+            this.socket.send(
+              JSON.stringify({
+                type: "auth:response",
+                ...response
+              })
+            );
+          } else if (msg.type === "auth:success") {
+            this.socket.off("message", handleChallenge);
+            if (msg.serverPublicKey) {
+              const serverPubKey = hexToBytes5(msg.serverPublicKey);
+              const sharedSecret = this.identity.deriveSharedSecret(serverPubKey);
+              this.encryption = new MessageEncryption(sharedSecret);
+            }
+            resolve();
+          } else if (msg.type === "auth:failed") {
+            this.socket.off("message", handleChallenge);
+            reject(new Error(msg.error || "Authentication failed"));
+          }
+        } catch (err) {
+          reject(err);
+        }
+      };
+      this.socket.on("message", handleChallenge);
+      setTimeout(() => {
+        this.socket.off("message", handleChallenge);
+        reject(new Error("Authentication timeout"));
+      }, this.options.timeout);
+    });
+  }
+  disconnect() {
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    if (this.socket) {
+      this.socket.close();
+      this.socket = null;
+    }
+    this.connected = false;
+    this.authenticated = false;
+    this.encryption = null;
+  }
+  async send(message) {
+    if (!this.socket || !this.connected) {
+      throw new Error("Not connected");
+    }
+    if (!this.authenticated) {
+      throw new Error("Not authenticated");
+    }
+    const fullMessage = {
+      ...message,
+      id: randomUUID4(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    let dataToSend;
+    if (this.encryption && this.options.security.transport.encryption === "required") {
+      const encrypted = this.encryption.encryptObject(fullMessage);
+      dataToSend = JSON.stringify({
+        id: fullMessage.id,
+        senderFingerprint: this.identity.fingerprint,
+        nonce: encrypted.nonce,
+        ciphertext: encrypted.ciphertext,
+        timestamp: fullMessage.timestamp
+      });
+    } else if (this.identity) {
+      const signature = await this.identity.signObject(fullMessage);
+      const secureMessage = {
+        ...fullMessage,
+        signature,
+        senderFingerprint: this.identity.fingerprint,
+        senderPublicKey: this.identity.publicKeyHex,
+        nonce: randomUUID4()
+      };
+      dataToSend = JSON.stringify(secureMessage);
+    } else {
+      dataToSend = JSON.stringify(fullMessage);
+    }
+    return new Promise((resolve, reject) => {
+      this.socket.send(dataToSend, (err) => {
+        if (err) reject(err);
+        else resolve();
+      });
+    });
+  }
+  onMessage(handler) {
+    this.messageHandlers.add(handler);
+    return () => this.messageHandlers.delete(handler);
+  }
+  isConnected() {
+    return this.connected;
+  }
+  isAuthenticated() {
+    return this.authenticated;
+  }
+  getFingerprint() {
+    return this.identity?.fingerprint ?? null;
+  }
+  scheduleReconnect() {
+    if (this.reconnectAttempts >= this.options.maxReconnectAttempts) {
+      return;
+    }
+    this.reconnectTimer = setTimeout(async () => {
+      this.reconnectAttempts++;
+      try {
+        await this.connect();
+      } catch {
+        this.scheduleReconnect();
+      }
+    }, this.options.reconnectInterval);
+  }
+};
+var SecureWebSocketServer = class {
+  wss = null;
+  httpsServer = null;
+  clients = /* @__PURE__ */ new Map();
+  messageHandlers = /* @__PURE__ */ new Set();
+  port;
+  running = false;
+  identity = null;
+  keystore = null;
+  authManager = null;
+  tlsManager = null;
+  certInfo = null;
+  security;
+  hostId;
+  constructor(port = DEFAULT_PORT, options = {}) {
+    this.port = port;
+    this.security = options.security ?? DEFAULT_SECURITY_CONFIG;
+    this.identity = options.identity ?? null;
+    this.keystore = options.keystore ?? null;
+    this.hostId = options.hostId ?? randomUUID4();
+  }
+  async initialize() {
+    if (!this.identity && this.keystore) {
+      this.identity = await this.keystore.loadOrCreateIdentity();
+    }
+    if (!this.identity) {
+      this.identity = await PeerIdentity.generate();
+    }
+    this.authManager = new AuthManager(this.identity);
+    if (this.security.transport.tls !== "none") {
+      this.tlsManager = new TLSManager();
+      this.certInfo = await this.tlsManager.loadOrCreateCertificate(
+        this.hostId,
+        "localhost"
+      );
+    }
+  }
+  async start() {
+    if (this.running) return;
+    await this.initialize();
+    return new Promise((resolve, reject) => {
+      if (this.security.transport.tls !== "none" && this.certInfo) {
+        this.httpsServer = createHttpsServer({
+          cert: this.certInfo.cert,
+          key: this.certInfo.key
+        });
+        this.wss = new WebSocketServer3({
+          server: this.httpsServer,
+          path: "/ws"
+        });
+        this.httpsServer.listen(this.port, () => {
+          this.running = true;
+          resolve();
+        });
+        this.httpsServer.on("error", reject);
+      } else {
+        this.wss = new WebSocketServer3({ port: this.port, path: "/ws" });
+        this.wss.on("listening", () => {
+          this.running = true;
+          resolve();
+        });
+        this.wss.on("error", reject);
+      }
+      this.wss.on("connection", (socket) => {
+        this.handleConnection(socket);
+      });
+    });
+  }
+  async handleConnection(socket) {
+    if (this.security.transport.requireAuth) {
+      try {
+        const client = await this.performServerHandshake(socket);
+        this.clients.set(socket, client);
+      } catch {
+        socket.close();
+        return;
+      }
+    } else {
+      this.clients.set(socket, {
+        socket,
+        fingerprint: "anonymous",
+        publicKey: ""
+      });
+    }
+    socket.on("message", async (data) => {
+      try {
+        const raw = JSON.parse(data.toString());
+        if (raw.type === "auth:response") {
+          return;
+        }
+        const client = this.clients.get(socket);
+        if (!client) return;
+        let message;
+        let senderFingerprint = client.fingerprint;
+        if (client.encryption && raw.ciphertext) {
+          const decrypted = client.encryption.decryptToObject({
+            nonce: raw.nonce,
+            ciphertext: raw.ciphertext
+          });
+          message = decrypted;
+        } else if (raw.signature) {
+          const secure = raw;
+          senderFingerprint = secure.senderFingerprint;
+          message = {
+            id: secure.id,
+            type: secure.type,
+            from: secure.from,
+            to: secure.to,
+            payload: secure.payload,
+            timestamp: secure.timestamp
+          };
+        } else {
+          message = raw;
+        }
+        this.messageHandlers.forEach(
+          (handler) => handler(message, socket, senderFingerprint)
+        );
+      } catch {
+      }
+    });
+    socket.on("close", () => {
+      this.clients.delete(socket);
+    });
+  }
+  async performServerHandshake(socket) {
+    return new Promise((resolve, reject) => {
+      const challenge = this.authManager.createChallenge();
+      socket.send(
+        JSON.stringify({
+          type: "auth:challenge",
+          ...challenge
+        })
+      );
+      const timeout = setTimeout(() => {
+        socket.off("message", handleResponse);
+        reject(new Error("Handshake timeout"));
+      }, 1e4);
+      const handleResponse = async (data) => {
+        try {
+          const msg = JSON.parse(data.toString());
+          if (msg.type === "auth:response") {
+            clearTimeout(timeout);
+            socket.off("message", handleResponse);
+            const response = {
+              challenge: msg.challenge,
+              signature: msg.signature,
+              publicKey: msg.publicKey,
+              fingerprint: msg.fingerprint,
+              timestamp: msg.timestamp
+            };
+            const result = await this.authManager.verifyChallengeResponse(response);
+            if (!result.authenticated) {
+              socket.send(
+                JSON.stringify({
+                  type: "auth:failed",
+                  error: result.error
+                })
+              );
+              reject(new Error(result.error));
+              return;
+            }
+            if (this.keystore) {
+              const isRevoked = await this.keystore.isRevoked(result.fingerprint);
+              if (isRevoked) {
+                socket.send(
+                  JSON.stringify({
+                    type: "auth:failed",
+                    error: "Peer is revoked"
+                  })
+                );
+                reject(new Error("Peer is revoked"));
+                return;
+              }
+            }
+            let encryption;
+            if (this.security.transport.encryption === "required") {
+              const clientPubKey = hexToBytes5(response.publicKey);
+              const sharedSecret = this.identity.deriveSharedSecret(clientPubKey);
+              encryption = new MessageEncryption(sharedSecret);
+            }
+            socket.send(
+              JSON.stringify({
+                type: "auth:success",
+                serverFingerprint: this.identity.fingerprint,
+                serverPublicKey: this.identity.publicKeyHex
+              })
+            );
+            resolve({
+              socket,
+              fingerprint: result.fingerprint,
+              publicKey: response.publicKey,
+              encryption
+            });
+          }
+        } catch (err) {
+          clearTimeout(timeout);
+          reject(err);
+        }
+      };
+      socket.on("message", handleResponse);
+    });
+  }
+  stop() {
+    if (!this.running) return;
+    for (const [socket] of this.clients) {
+      socket.close();
+    }
+    this.clients.clear();
+    this.wss?.close();
+    this.httpsServer?.close();
+    this.wss = null;
+    this.httpsServer = null;
+    this.running = false;
+  }
+  async broadcast(message) {
+    const fullMessage = {
+      ...message,
+      id: randomUUID4(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    for (const [socket, client] of this.clients) {
+      if (socket.readyState !== WebSocket2.OPEN) continue;
+      let dataToSend;
+      if (client.encryption) {
+        const encrypted = client.encryption.encryptObject(fullMessage);
+        dataToSend = JSON.stringify({
+          id: fullMessage.id,
+          senderFingerprint: this.identity.fingerprint,
+          nonce: encrypted.nonce,
+          ciphertext: encrypted.ciphertext,
+          timestamp: fullMessage.timestamp
+        });
+      } else if (this.identity) {
+        const signature = await this.identity.signObject(fullMessage);
+        const secureMessage = {
+          ...fullMessage,
+          signature,
+          senderFingerprint: this.identity.fingerprint,
+          senderPublicKey: this.identity.publicKeyHex,
+          nonce: randomUUID4()
+        };
+        dataToSend = JSON.stringify(secureMessage);
+      } else {
+        dataToSend = JSON.stringify(fullMessage);
+      }
+      socket.send(dataToSend);
+    }
+  }
+  async sendTo(socket, message) {
+    if (socket.readyState !== WebSocket2.OPEN) return;
+    const client = this.clients.get(socket);
+    if (!client) return;
+    const fullMessage = {
+      ...message,
+      id: randomUUID4(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    let dataToSend;
+    if (client.encryption) {
+      const encrypted = client.encryption.encryptObject(fullMessage);
+      dataToSend = JSON.stringify({
+        id: fullMessage.id,
+        senderFingerprint: this.identity.fingerprint,
+        nonce: encrypted.nonce,
+        ciphertext: encrypted.ciphertext,
+        timestamp: fullMessage.timestamp
+      });
+    } else if (this.identity) {
+      const signature = await this.identity.signObject(fullMessage);
+      const secureMessage = {
+        ...fullMessage,
+        signature,
+        senderFingerprint: this.identity.fingerprint,
+        senderPublicKey: this.identity.publicKeyHex,
+        nonce: randomUUID4()
+      };
+      dataToSend = JSON.stringify(secureMessage);
+    } else {
+      dataToSend = JSON.stringify(fullMessage);
+    }
+    socket.send(dataToSend);
+  }
+  onMessage(handler) {
+    this.messageHandlers.add(handler);
+    return () => this.messageHandlers.delete(handler);
+  }
+  getClientCount() {
+    return this.clients.size;
+  }
+  isRunning() {
+    return this.running;
+  }
+  getFingerprint() {
+    return this.identity?.fingerprint ?? null;
+  }
+  getAuthenticatedClients() {
+    return Array.from(this.clients.values()).map((c) => ({
+      fingerprint: c.fingerprint,
+      publicKey: c.publicKey
+    }));
+  }
+};
+
+// src/transport/secure-http.ts
+init_types();
+init_identity();
+import got3 from "got";
+import { randomUUID as randomUUID5 } from "crypto";
+var SecureHttpTransport = class {
+  client;
+  options;
+  identity = null;
+  keystore = null;
+  authManager = null;
+  authToken = null;
+  host;
+  security;
+  constructor(host, options = {}) {
+    this.host = host;
+    this.options = {
+      timeout: options.timeout ?? HEALTH_CHECK_TIMEOUT,
+      retries: options.retries ?? 2,
+      retryDelay: options.retryDelay ?? 1e3,
+      headers: options.headers ?? {}
+    };
+    this.identity = options.identity ?? null;
+    this.keystore = options.keystore ?? null;
+    this.authToken = options.authToken ?? null;
+    this.security = options.security ?? DEFAULT_SECURITY_CONFIG;
+    const protocol = this.security.transport.tls !== "none" ? "https" : "http";
+    const baseUrl = `${protocol}://${host.address}:${host.port}`;
+    this.client = got3.extend({
+      prefixUrl: baseUrl,
+      timeout: { request: this.options.timeout },
+      retry: {
+        limit: this.options.retries,
+        calculateDelay: () => this.options.retryDelay
+      },
+      https: {
+        rejectUnauthorized: false
+      },
+      headers: {
+        "Content-Type": "application/json",
+        "X-SkillKit-Transport": "secure-http",
+        ...this.options.headers
+      }
+    });
+  }
+  async initialize() {
+    if (!this.identity && this.keystore) {
+      this.identity = await this.keystore.loadOrCreateIdentity();
+    }
+    if (!this.identity) {
+      this.identity = await PeerIdentity.generate();
+    }
+    this.authManager = new AuthManager(this.identity);
+    if (this.security.transport.requireAuth && !this.authToken) {
+      this.authToken = await this.authManager.createToken(this.host.id);
+    }
+  }
+  async getSecureHeaders() {
+    const headers = {};
+    if (this.authToken) {
+      headers["Authorization"] = createBearerHeader(this.authToken);
+    }
+    if (this.identity) {
+      headers["X-SkillKit-Fingerprint"] = this.identity.fingerprint;
+    }
+    return headers;
+  }
+  async send(path, payload) {
+    if (!this.identity) {
+      await this.initialize();
+    }
+    const message = {
+      id: randomUUID5(),
+      type: "request",
+      from: this.identity?.fingerprint ?? "local",
+      to: path,
+      payload,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    let body = message;
+    if (this.identity) {
+      const signature = await this.identity.signObject(message);
+      body = {
+        ...message,
+        signature,
+        senderFingerprint: this.identity.fingerprint,
+        senderPublicKey: this.identity.publicKeyHex,
+        nonce: randomUUID5()
+      };
+    }
+    const secureHeaders = await this.getSecureHeaders();
+    const response = await this.client.post(path, {
+      json: body,
+      headers: secureHeaders
+    });
+    return JSON.parse(response.body);
+  }
+  async sendMessage(to, type, payload) {
+    return this.send("message", {
+      to,
+      type,
+      payload
+    });
+  }
+  async registerPeer(registration) {
+    return this.send("peer/register", registration);
+  }
+  async getPeers() {
+    if (!this.identity) {
+      await this.initialize();
+    }
+    const secureHeaders = await this.getSecureHeaders();
+    const response = await this.client.get("peers", {
+      headers: secureHeaders
+    });
+    return JSON.parse(response.body);
+  }
+  async healthCheck() {
+    try {
+      const response = await this.client.get("health", {
+        headers: await this.getSecureHeaders()
+      });
+      return response.statusCode === 200;
+    } catch {
+      return false;
+    }
+  }
+  getFingerprint() {
+    return this.identity?.fingerprint ?? null;
+  }
+  setAuthToken(token) {
+    this.authToken = token;
+  }
+};
+async function sendToHostSecure(host, path, payload, options = {}) {
+  const transport = new SecureHttpTransport(host, options);
+  await transport.initialize();
+  return transport.send(path, payload);
+}
+async function broadcastToHostsSecure(hosts, path, payload, options = {}) {
+  const results = /* @__PURE__ */ new Map();
+  await Promise.all(
+    hosts.map(async (host) => {
+      try {
+        const response = await sendToHostSecure(host, path, payload, options);
+        results.set(host.id, response);
+      } catch (err) {
+        results.set(host.id, err);
+      }
+    })
+  );
+  return results;
+}
+function verifySecureMessage(message) {
+  if (!message.signature || !message.senderPublicKey || !message.senderFingerprint) {
+    return { valid: false, error: "Missing signature fields" };
+  }
+  const computedFingerprint = PeerIdentity.computeFingerprint(
+    Buffer.from(message.senderPublicKey, "hex")
+  );
+  if (computedFingerprint !== message.senderFingerprint) {
+    return { valid: false, error: "Fingerprint mismatch" };
+  }
+  return { valid: true };
+}
+
+// src/index.ts
+init_crypto();
+async function initializeMesh() {
+  const { initializeHostsFile: initializeHostsFile2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+  const { getPeerRegistry: getPeerRegistry2 } = await Promise.resolve().then(() => (init_peer(), peer_exports));
+  await initializeHostsFile2();
+  await getPeerRegistry2();
+}
+async function initializeSecureMesh(securityConfig) {
+  const { initializeHostsFile: initializeHostsFile2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+  const { getPeerRegistry: getPeerRegistry2 } = await Promise.resolve().then(() => (init_peer(), peer_exports));
+  const { SecureKeystore: SecureKeystore2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+  await initializeHostsFile2();
+  await getPeerRegistry2();
+  const keystore = new SecureKeystore2({
+    path: securityConfig?.identityPath
+  });
+  const identity = await keystore.loadOrCreateIdentity();
+  return { identity, keystore };
+}
+export {
+  AuthManager,
+  DEFAULT_DISCOVERY_PORT,
+  DEFAULT_PORT,
+  DEFAULT_SECURITY_CONFIG,
+  DISCOVERY_INTERVAL,
+  HEALTH_CHECK_TIMEOUT,
+  HealthMonitor,
+  HttpTransport,
+  LocalDiscovery,
+  MESH_VERSION,
+  MessageEncryption,
+  PeerIdentity,
+  PeerRegistryManager,
+  PublicKeyEncryption,
+  SECURITY_PRESETS,
+  SecureHttpTransport,
+  SecureKeystore,
+  SecureLocalDiscovery,
+  SecureWebSocketServer,
+  SecureWebSocketTransport,
+  TLSManager,
+  WebSocketServer2 as WebSocketServer,
+  WebSocketTransport,
+  addKnownHost,
+  broadcastToHosts,
+  broadcastToHostsSecure,
+  checkAllHostsHealth,
+  checkHostHealth,
+  createBearerHeader,
+  createDefaultHostsFile,
+  decryptData,
+  decryptFile,
+  decryptObject,
+  deriveKey,
+  describeSecurityLevel,
+  discoverOnce,
+  discoverOnceSecure,
+  discoverTailscaleHosts,
+  encryptData,
+  encryptFile,
+  encryptObject,
+  extractBearerToken,
+  extractSignerFingerprint,
+  generateIV,
+  generateMachineKey,
+  generateMessageId,
+  generateNonce,
+  generateSalt,
+  getAllLocalIPAddresses,
+  getHostsFilePath,
+  getKeystore,
+  getKnownHost,
+  getKnownHosts,
+  getLocalHostConfig,
+  getLocalIPAddress,
+  getOfflineHosts,
+  getOnlineHosts,
+  getPeerRegistry,
+  getSecurityPreset,
+  getTLSManager,
+  getTailscaleIP,
+  getTailscaleStatus,
+  hashPassphrase,
+  initializeHostsFile,
+  initializeMesh,
+  initializeSecureMesh,
+  isEncryptedFile,
+  isSecurityEnabled,
+  isSignedDataExpired,
+  isTailscaleAvailable,
+  loadHostsFile,
+  mergeSecurityConfig,
+  removeKnownHost,
+  resetKeystore,
+  resetTLSManager,
+  resolveTailscaleName,
+  saveHostsFile,
+  sendToHost,
+  sendToHostSecure,
+  signData,
+  updateKnownHost,
+  updateLocalHostConfig,
+  validateSecurityConfig,
+  verifySecureMessage,
+  verifySignedData,
+  waitForHost
+};
+//# sourceMappingURL=index.js.map