@tapflowio/relay 0.8.1 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (226) hide show
  1. package/dist/RelayServer.d.ts +13 -0
  2. package/dist/RelayServer.d.ts.map +1 -1
  3. package/dist/RelayServer.js +80 -9
  4. package/dist/RelayServer.js.map +1 -1
  5. package/dist/api/auth.d.ts +3 -2
  6. package/dist/api/auth.d.ts.map +1 -1
  7. package/dist/api/auth.js +37 -3
  8. package/dist/api/auth.js.map +1 -1
  9. package/dist/api/builds.d.ts.map +1 -1
  10. package/dist/api/builds.js +14 -13
  11. package/dist/api/builds.js.map +1 -1
  12. package/dist/api/comments.d.ts.map +1 -1
  13. package/dist/api/comments.js +23 -10
  14. package/dist/api/comments.js.map +1 -1
  15. package/dist/api/team.d.ts.map +1 -1
  16. package/dist/api/team.js +4 -2
  17. package/dist/api/team.js.map +1 -1
  18. package/dist/index.d.ts +7 -0
  19. package/dist/index.d.ts.map +1 -1
  20. package/dist/index.js +3 -0
  21. package/dist/index.js.map +1 -1
  22. package/dist/lib/cert/AcmeCertProvider.d.ts +55 -0
  23. package/dist/lib/cert/AcmeCertProvider.d.ts.map +1 -0
  24. package/dist/lib/cert/AcmeCertProvider.js +62 -0
  25. package/dist/lib/cert/AcmeCertProvider.js.map +1 -0
  26. package/dist/lib/cert/AcmeClientIssuer.d.ts +23 -0
  27. package/dist/lib/cert/AcmeClientIssuer.d.ts.map +1 -0
  28. package/dist/lib/cert/AcmeClientIssuer.js +54 -0
  29. package/dist/lib/cert/AcmeClientIssuer.js.map +1 -0
  30. package/dist/lib/cert/CertProvider.d.ts +30 -0
  31. package/dist/lib/cert/CertProvider.d.ts.map +1 -0
  32. package/dist/lib/cert/CertProvider.js +4 -0
  33. package/dist/lib/cert/CertProvider.js.map +1 -0
  34. package/dist/lib/cert/CloudflareDnsProvider.d.ts +40 -0
  35. package/dist/lib/cert/CloudflareDnsProvider.d.ts.map +1 -0
  36. package/dist/lib/cert/CloudflareDnsProvider.js +93 -0
  37. package/dist/lib/cert/CloudflareDnsProvider.js.map +1 -0
  38. package/dist/lib/cert/DiskCertStore.d.ts +10 -0
  39. package/dist/lib/cert/DiskCertStore.d.ts.map +1 -0
  40. package/dist/lib/cert/DiskCertStore.js +35 -0
  41. package/dist/lib/cert/DiskCertStore.js.map +1 -0
  42. package/dist/lib/cert/DnsProvider.d.ts +7 -0
  43. package/dist/lib/cert/DnsProvider.d.ts.map +1 -0
  44. package/dist/lib/cert/DnsProvider.js +2 -0
  45. package/dist/lib/cert/DnsProvider.js.map +1 -0
  46. package/dist/lib/cert/ImportCertProvider.d.ts +20 -0
  47. package/dist/lib/cert/ImportCertProvider.d.ts.map +1 -0
  48. package/dist/lib/cert/ImportCertProvider.js +24 -0
  49. package/dist/lib/cert/ImportCertProvider.js.map +1 -0
  50. package/dist/lib/cert/VercelDnsProvider.d.ts +38 -0
  51. package/dist/lib/cert/VercelDnsProvider.d.ts.map +1 -0
  52. package/dist/lib/cert/VercelDnsProvider.js +146 -0
  53. package/dist/lib/cert/VercelDnsProvider.js.map +1 -0
  54. package/dist/lib/cert/accountKey.d.ts +2 -0
  55. package/dist/lib/cert/accountKey.d.ts.map +1 -0
  56. package/dist/lib/cert/accountKey.js +23 -0
  57. package/dist/lib/cert/accountKey.js.map +1 -0
  58. package/dist/lib/cert/addressPublisher.d.ts +20 -0
  59. package/dist/lib/cert/addressPublisher.d.ts.map +1 -0
  60. package/dist/lib/cert/addressPublisher.js +103 -0
  61. package/dist/lib/cert/addressPublisher.js.map +1 -0
  62. package/dist/lib/cert/createCertProvider.d.ts +20 -0
  63. package/dist/lib/cert/createCertProvider.d.ts.map +1 -0
  64. package/dist/lib/cert/createCertProvider.js +25 -0
  65. package/dist/lib/cert/createCertProvider.js.map +1 -0
  66. package/dist/lib/cert/dnsRegistry.d.ts +24 -0
  67. package/dist/lib/cert/dnsRegistry.d.ts.map +1 -0
  68. package/dist/lib/cert/dnsRegistry.js +36 -0
  69. package/dist/lib/cert/dnsRegistry.js.map +1 -0
  70. package/dist/lib/cert/index.d.ts +23 -0
  71. package/dist/lib/cert/index.d.ts.map +1 -0
  72. package/dist/lib/cert/index.js +12 -0
  73. package/dist/lib/cert/index.js.map +1 -0
  74. package/dist/lib/cert/parseCert.d.ts +3 -0
  75. package/dist/lib/cert/parseCert.d.ts.map +1 -0
  76. package/dist/lib/cert/parseCert.js +6 -0
  77. package/dist/lib/cert/parseCert.js.map +1 -0
  78. package/dist/lib/cert/renewal.d.ts +13 -0
  79. package/dist/lib/cert/renewal.d.ts.map +1 -0
  80. package/dist/lib/cert/renewal.js +28 -0
  81. package/dist/lib/cert/renewal.js.map +1 -0
  82. package/dist/lib/clientAddress.d.ts +12 -0
  83. package/dist/lib/clientAddress.d.ts.map +1 -0
  84. package/dist/lib/clientAddress.js +46 -0
  85. package/dist/lib/clientAddress.js.map +1 -0
  86. package/dist/lib/config.d.ts +25 -0
  87. package/dist/lib/config.d.ts.map +1 -1
  88. package/dist/lib/config.js +69 -3
  89. package/dist/lib/config.js.map +1 -1
  90. package/dist/lib/cors.d.ts +2 -0
  91. package/dist/lib/cors.d.ts.map +1 -0
  92. package/dist/lib/cors.js +18 -0
  93. package/dist/lib/cors.js.map +1 -0
  94. package/dist/lib/csrf.d.ts +3 -0
  95. package/dist/lib/csrf.d.ts.map +1 -0
  96. package/dist/lib/csrf.js +42 -0
  97. package/dist/lib/csrf.js.map +1 -0
  98. package/dist/lib/loadEnvFile.d.ts +2 -0
  99. package/dist/lib/loadEnvFile.d.ts.map +1 -0
  100. package/dist/lib/loadEnvFile.js +17 -0
  101. package/dist/lib/loadEnvFile.js.map +1 -0
  102. package/dist/lib/proxyConfig.d.ts +6 -0
  103. package/dist/lib/proxyConfig.d.ts.map +1 -0
  104. package/dist/lib/proxyConfig.js +27 -0
  105. package/dist/lib/proxyConfig.js.map +1 -0
  106. package/dist/lib/publicUrl.d.ts +3 -0
  107. package/dist/lib/publicUrl.d.ts.map +1 -0
  108. package/dist/lib/publicUrl.js +17 -0
  109. package/dist/lib/publicUrl.js.map +1 -0
  110. package/dist/lib/uploads.d.ts +2 -0
  111. package/dist/lib/uploads.d.ts.map +1 -0
  112. package/dist/lib/uploads.js +14 -0
  113. package/dist/lib/uploads.js.map +1 -0
  114. package/dist/middleware/rateLimit.d.ts +18 -0
  115. package/dist/middleware/rateLimit.d.ts.map +1 -0
  116. package/dist/middleware/rateLimit.js +55 -0
  117. package/dist/middleware/rateLimit.js.map +1 -0
  118. package/dist/router.d.ts.map +1 -1
  119. package/dist/router.js +13 -1
  120. package/dist/router.js.map +1 -1
  121. package/dist/server.js +44 -5
  122. package/dist/server.js.map +1 -1
  123. package/package.json +6 -5
  124. package/public/assets/AppCenter-CaY73Tvf.js +16 -0
  125. package/public/assets/AppCenter-CaY73Tvf.js.br +0 -0
  126. package/public/assets/Default-DQiKj0NT.js +1 -0
  127. package/public/assets/Default-DQiKj0NT.js.br +0 -0
  128. package/public/assets/Invite-B4MMcQtw.js +1 -0
  129. package/public/assets/Invite-B4MMcQtw.js.br +0 -0
  130. package/public/assets/MacResources-BfZAJ5BP.js +5 -0
  131. package/public/assets/MacResources-BfZAJ5BP.js.br +0 -0
  132. package/public/assets/NotFound-D85RKzwv.js +1 -0
  133. package/public/assets/NotFound-D85RKzwv.js.br +0 -0
  134. package/public/assets/QASession-B9FSUtZo.js +130 -0
  135. package/public/assets/QASession-B9FSUtZo.js.br +0 -0
  136. package/public/assets/ResetPassword-Degmb6sl.js +1 -0
  137. package/public/assets/ResetPassword-Degmb6sl.js.br +0 -0
  138. package/public/assets/Setup-DKOFxDo2.js +1 -0
  139. package/public/assets/Setup-DKOFxDo2.js.br +0 -0
  140. package/public/assets/Team-Bgspan2B.js +6 -0
  141. package/public/assets/Team-Bgspan2B.js.br +0 -0
  142. package/public/assets/Tokens-C3u48FUG.js +6 -0
  143. package/public/assets/Tokens-C3u48FUG.js.br +0 -0
  144. package/public/assets/alert-dialog-Ci_cWoVo.js +7 -0
  145. package/public/assets/alert-dialog-Ci_cWoVo.js.br +0 -0
  146. package/public/assets/badge-Cktrrdvf.js +1 -0
  147. package/public/assets/badge-Cktrrdvf.js.br +0 -0
  148. package/public/assets/build-format-Blzidb1D.js +11 -0
  149. package/public/assets/build-format-Blzidb1D.js.br +0 -0
  150. package/public/assets/dialog-BuZjQWBQ.js +11 -0
  151. package/public/assets/dialog-BuZjQWBQ.js.br +0 -0
  152. package/public/assets/index-BI7E3MD-.css +1 -0
  153. package/public/assets/index-BI7E3MD-.css.br +0 -0
  154. package/public/assets/index-ClAB0eKw.js +258 -0
  155. package/public/assets/index-ClAB0eKw.js.br +0 -0
  156. package/public/assets/inter-latin-ext-standard-normal-DpK-iCPk.woff2 +0 -0
  157. package/public/assets/inter-latin-standard-normal-BwkfbSeq.woff2 +0 -0
  158. package/public/assets/jetbrains-mono-latin-ext-wght-normal-DBQx-q_a.woff2 +0 -0
  159. package/public/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2 +0 -0
  160. package/public/assets/pencil-BoxokH2R.js +6 -0
  161. package/public/assets/pencil-BoxokH2R.js.br +0 -0
  162. package/public/assets/plus-C0Y4Yk9P.js +6 -0
  163. package/public/assets/plus-C0Y4Yk9P.js.br +0 -0
  164. package/public/assets/table-NBRnBazr.js +1 -0
  165. package/public/assets/table-NBRnBazr.js.br +0 -0
  166. package/public/assets/tabs-CB9a8dpY.js +1 -0
  167. package/public/assets/tabs-CB9a8dpY.js.br +0 -0
  168. package/public/assets/tinyh264.worker-DiJ50Hai.js.br +0 -0
  169. package/public/favicon.svg.br +0 -0
  170. package/public/index.html +2 -2
  171. package/public/index.html.br +0 -0
  172. package/public/logo-dark.svg.br +0 -0
  173. package/public/logo.svg.br +0 -0
  174. package/public/assets/index-Bhoumejm.js +0 -520
  175. package/public/assets/index-DX5Pf9T6.css +0 -1
  176. package/public/assets/inter-cyrillic-400-normal-HOLc17fK.woff +0 -0
  177. package/public/assets/inter-cyrillic-400-normal-obahsSVq.woff2 +0 -0
  178. package/public/assets/inter-cyrillic-500-normal-BasfLYem.woff2 +0 -0
  179. package/public/assets/inter-cyrillic-500-normal-CxZf_p3X.woff +0 -0
  180. package/public/assets/inter-cyrillic-600-normal-4D_pXhcN.woff +0 -0
  181. package/public/assets/inter-cyrillic-600-normal-CWCymEST.woff2 +0 -0
  182. package/public/assets/inter-cyrillic-ext-400-normal-BQZuk6qB.woff2 +0 -0
  183. package/public/assets/inter-cyrillic-ext-400-normal-DQukG94-.woff +0 -0
  184. package/public/assets/inter-cyrillic-ext-500-normal-B0yAr1jD.woff2 +0 -0
  185. package/public/assets/inter-cyrillic-ext-500-normal-BmqWE9Dz.woff +0 -0
  186. package/public/assets/inter-cyrillic-ext-600-normal-Bcila6Z-.woff +0 -0
  187. package/public/assets/inter-cyrillic-ext-600-normal-Dfes3d0z.woff2 +0 -0
  188. package/public/assets/inter-greek-400-normal-B4URO6DV.woff2 +0 -0
  189. package/public/assets/inter-greek-400-normal-q2sYcFCs.woff +0 -0
  190. package/public/assets/inter-greek-500-normal-BIZE56-Y.woff2 +0 -0
  191. package/public/assets/inter-greek-500-normal-Xzm54t5V.woff +0 -0
  192. package/public/assets/inter-greek-600-normal-BZpKdvQh.woff +0 -0
  193. package/public/assets/inter-greek-600-normal-plRanbMR.woff2 +0 -0
  194. package/public/assets/inter-greek-ext-400-normal-DGGRlc-M.woff2 +0 -0
  195. package/public/assets/inter-greek-ext-400-normal-KugGGMne.woff +0 -0
  196. package/public/assets/inter-greek-ext-500-normal-2j5mBUwD.woff +0 -0
  197. package/public/assets/inter-greek-ext-500-normal-C4iEst2y.woff2 +0 -0
  198. package/public/assets/inter-greek-ext-600-normal-B8X0CLgF.woff +0 -0
  199. package/public/assets/inter-greek-ext-600-normal-DRtmH8MT.woff2 +0 -0
  200. package/public/assets/inter-latin-400-normal-C38fXH4l.woff2 +0 -0
  201. package/public/assets/inter-latin-400-normal-CyCys3Eg.woff +0 -0
  202. package/public/assets/inter-latin-500-normal-BL9OpVg8.woff +0 -0
  203. package/public/assets/inter-latin-500-normal-Cerq10X2.woff2 +0 -0
  204. package/public/assets/inter-latin-600-normal-CiBQ2DWP.woff +0 -0
  205. package/public/assets/inter-latin-600-normal-LgqL8muc.woff2 +0 -0
  206. package/public/assets/inter-latin-ext-400-normal-77YHD8bZ.woff +0 -0
  207. package/public/assets/inter-latin-ext-400-normal-C1nco2VV.woff2 +0 -0
  208. package/public/assets/inter-latin-ext-500-normal-BxGbmqWO.woff +0 -0
  209. package/public/assets/inter-latin-ext-500-normal-CV4jyFjo.woff2 +0 -0
  210. package/public/assets/inter-latin-ext-600-normal-CIVaiw4L.woff +0 -0
  211. package/public/assets/inter-latin-ext-600-normal-D2bJ5OIk.woff2 +0 -0
  212. package/public/assets/inter-vietnamese-400-normal-Bbgyi5SW.woff +0 -0
  213. package/public/assets/inter-vietnamese-400-normal-DMkecbls.woff2 +0 -0
  214. package/public/assets/inter-vietnamese-500-normal-DOriooB6.woff2 +0 -0
  215. package/public/assets/inter-vietnamese-500-normal-mJboJaSs.woff +0 -0
  216. package/public/assets/inter-vietnamese-600-normal-BuLX-rYi.woff +0 -0
  217. package/public/assets/inter-vietnamese-600-normal-Cc8MFFhd.woff2 +0 -0
  218. package/public/assets/jetbrains-mono-cyrillic-400-normal-BEIGL1Tu.woff2 +0 -0
  219. package/public/assets/jetbrains-mono-cyrillic-400-normal-ugxPyKxw.woff +0 -0
  220. package/public/assets/jetbrains-mono-greek-400-normal-B9oWc5Lo.woff +0 -0
  221. package/public/assets/jetbrains-mono-greek-400-normal-C190GLew.woff2 +0 -0
  222. package/public/assets/jetbrains-mono-latin-400-normal-6-qcROiO.woff +0 -0
  223. package/public/assets/jetbrains-mono-latin-400-normal-V6pRDFza.woff2 +0 -0
  224. package/public/assets/jetbrains-mono-latin-ext-400-normal-Bc8Ftmh3.woff2 +0 -0
  225. package/public/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woff +0 -0
  226. package/public/assets/jetbrains-mono-vietnamese-400-normal-CqNFfHCs.woff +0 -0
@@ -0,0 +1,25 @@
1
+ import path from 'path';
2
+ import { AcmeCertProvider } from './AcmeCertProvider.js';
3
+ import { AcmeClientIssuer } from './AcmeClientIssuer.js';
4
+ import { dnsProviders } from './dnsRegistry.js';
5
+ import { ImportCertProvider } from './ImportCertProvider.js';
6
+ import { DiskCertStore } from './DiskCertStore.js';
7
+ /** config.tls를 적절한 CertProvider로 매핑한다. 비밀(토큰)은 env에서 읽는다. */
8
+ export function createCertProvider(tls, deps) {
9
+ if (tls.mode === 'import-cert') {
10
+ return new ImportCertProvider({ certPath: tls.certPath, keyPath: tls.keyPath });
11
+ }
12
+ // byo-api-token: 레지스트리에서 provider를 찾아 자기 DNS 계정 토큰(env)으로 DNS-01.
13
+ const entry = dnsProviders.get(tls.dnsProvider);
14
+ if (!entry)
15
+ throw new Error(`unknown dnsProvider "${tls.dnsProvider}" — available: ${dnsProviders.names().join(', ')}`);
16
+ const dns = entry.fromEnv();
17
+ const issuer = new AcmeClientIssuer({
18
+ email: deps.email ?? process.env.TAPFLOW_ACME_EMAIL ?? '',
19
+ staging: deps.staging ?? process.env.TAPFLOW_ACME_STAGING === '1',
20
+ accountKeyPath: path.join(deps.dataDir, 'tls', 'account.pem'),
21
+ });
22
+ const store = new DiskCertStore(path.join(deps.dataDir, 'tls'));
23
+ return new AcmeCertProvider({ domain: tls.domain, dns, issuer, store });
24
+ }
25
+ //# sourceMappingURL=createCertProvider.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"createCertProvider.js","sourceRoot":"","sources":["../../../src/lib/cert/createCertProvider.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAA;AAGvB,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAelD,6DAA6D;AAC7D,MAAM,UAAU,kBAAkB,CAAC,GAAc,EAAE,IAA4B;IAC7E,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QAC/B,OAAO,IAAI,kBAAkB,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;IACjF,CAAC;IACD,kEAAkE;IAClE,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IAC/C,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,CAAC,WAAW,kBAAkB,YAAY,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IACvH,MAAM,GAAG,GAAgB,KAAK,CAAC,OAAO,EAAE,CAAA;IACxC,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC;QAClC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE;QACzD,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,GAAG;QACjE,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,aAAa,CAAC;KAC9D,CAAC,CAAA;IACF,MAAM,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAA;IAC/D,OAAO,IAAI,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAA;AACzE,CAAC"}
@@ -0,0 +1,24 @@
1
+ import type { DnsProvider } from './DnsProvider.js';
2
+ export interface DnsProviderEntry {
3
+ /** config의 dnsProvider 값이자 식별자. */
4
+ name: string;
5
+ /** wizard 표시 라벨. */
6
+ label: string;
7
+ /** wizard 힌트. */
8
+ hint: string;
9
+ /** 자격 증명 env 변수(검증·요약용). 비밀은 config가 아니라 env에서만 읽는다. */
10
+ envVars: string[];
11
+ /** env에서 자격을 읽어 DnsProvider를 만든다(미설정 시 throw). */
12
+ fromEnv(zoneName?: string): DnsProvider;
13
+ }
14
+ declare class DnsProviderRegistry {
15
+ private readonly entries;
16
+ register(entry: DnsProviderEntry): void;
17
+ get(name: string): DnsProviderEntry | undefined;
18
+ has(name: string): boolean;
19
+ list(): DnsProviderEntry[];
20
+ names(): string[];
21
+ }
22
+ export declare const dnsProviders: DnsProviderRegistry;
23
+ export {};
24
+ //# sourceMappingURL=dnsRegistry.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dnsRegistry.d.ts","sourceRoot":"","sources":["../../../src/lib/cert/dnsRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AAMnD,MAAM,WAAW,gBAAgB;IAC/B,mCAAmC;IACnC,IAAI,EAAE,MAAM,CAAA;IACZ,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAA;IACb,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAA;IACZ,wDAAwD;IACxD,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,kDAAkD;IAClD,OAAO,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,WAAW,CAAA;CACxC;AAED,cAAM,mBAAmB;IACvB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAsC;IAC9D,QAAQ,CAAC,KAAK,EAAE,gBAAgB,GAAG,IAAI;IAGvC,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAG/C,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAG1B,IAAI,IAAI,gBAAgB,EAAE;IAG1B,KAAK,IAAI,MAAM,EAAE;CAGlB;AAED,eAAO,MAAM,YAAY,qBAA4B,CAAA"}
@@ -0,0 +1,36 @@
1
+ import { cloudflareDnsFromEnv } from './CloudflareDnsProvider.js';
2
+ import { vercelDnsFromEnv } from './VercelDnsProvider.js';
3
+ class DnsProviderRegistry {
4
+ entries = new Map();
5
+ register(entry) {
6
+ this.entries.set(entry.name, entry);
7
+ }
8
+ get(name) {
9
+ return this.entries.get(name);
10
+ }
11
+ has(name) {
12
+ return this.entries.has(name);
13
+ }
14
+ list() {
15
+ return [...this.entries.values()];
16
+ }
17
+ names() {
18
+ return [...this.entries.keys()];
19
+ }
20
+ }
21
+ export const dnsProviders = new DnsProviderRegistry();
22
+ dnsProviders.register({
23
+ name: 'cloudflare',
24
+ label: 'Cloudflare DNS',
25
+ hint: 'auto-issue & renew via API token (env TAPFLOW_CLOUDFLARE_TOKEN)',
26
+ envVars: ['TAPFLOW_CLOUDFLARE_TOKEN'],
27
+ fromEnv: cloudflareDnsFromEnv,
28
+ });
29
+ dnsProviders.register({
30
+ name: 'vercel',
31
+ label: 'Vercel DNS',
32
+ hint: 'auto-issue & renew via API token (env TAPFLOW_VERCEL_TOKEN)',
33
+ envVars: ['TAPFLOW_VERCEL_TOKEN'],
34
+ fromEnv: vercelDnsFromEnv,
35
+ });
36
+ //# sourceMappingURL=dnsRegistry.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dnsRegistry.js","sourceRoot":"","sources":["../../../src/lib/cert/dnsRegistry.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AACjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAA;AAiBzD,MAAM,mBAAmB;IACN,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAA;IAC9D,QAAQ,CAAC,KAAuB;QAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IACrC,CAAC;IACD,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC/B,CAAC;IACD,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC/B,CAAC;IACD,IAAI;QACF,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IACnC,CAAC;IACD,KAAK;QACH,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;IACjC,CAAC;CACF;AAED,MAAM,CAAC,MAAM,YAAY,GAAG,IAAI,mBAAmB,EAAE,CAAA;AAErD,YAAY,CAAC,QAAQ,CAAC;IACpB,IAAI,EAAE,YAAY;IAClB,KAAK,EAAE,gBAAgB;IACvB,IAAI,EAAE,iEAAiE;IACvE,OAAO,EAAE,CAAC,0BAA0B,CAAC;IACrC,OAAO,EAAE,oBAAoB;CAC9B,CAAC,CAAA;AACF,YAAY,CAAC,QAAQ,CAAC;IACpB,IAAI,EAAE,QAAQ;IACd,KAAK,EAAE,YAAY;IACnB,IAAI,EAAE,6DAA6D;IACnE,OAAO,EAAE,CAAC,sBAAsB,CAAC;IACjC,OAAO,EAAE,gBAAgB;CAC1B,CAAC,CAAA"}
@@ -0,0 +1,23 @@
1
+ export type { CertProvider, CertMaterial, CertStrategy } from './CertProvider.js';
2
+ export type { DnsProvider } from './DnsProvider.js';
3
+ export { CloudflareDnsProvider, cloudflareDnsFromEnv } from './CloudflareDnsProvider.js';
4
+ export type { CloudflareDnsProviderOptions, FetchLike } from './CloudflareDnsProvider.js';
5
+ export { VercelDnsProvider, vercelDnsFromEnv } from './VercelDnsProvider.js';
6
+ export type { VercelDnsProviderOptions } from './VercelDnsProvider.js';
7
+ export { AcmeCertProvider, InMemoryCertStore } from './AcmeCertProvider.js';
8
+ export type { AcmeIssuer, IssuedCert, CertStore, AcmeCertProviderOptions } from './AcmeCertProvider.js';
9
+ export { AcmeClientIssuer } from './AcmeClientIssuer.js';
10
+ export type { AcmeClientIssuerOptions } from './AcmeClientIssuer.js';
11
+ export { ImportCertProvider } from './ImportCertProvider.js';
12
+ export type { ImportCertProviderOptions } from './ImportCertProvider.js';
13
+ export { parseCertNotAfter } from './parseCert.js';
14
+ export { DiskCertStore } from './DiskCertStore.js';
15
+ export { startCertRenewal, renewalTick } from './renewal.js';
16
+ export type { CertRenewalOptions } from './renewal.js';
17
+ export { startAddressPublisher, detectLanIPv4 } from './addressPublisher.js';
18
+ export type { AddressPublisherTls, AddressPublisherOptions } from './addressPublisher.js';
19
+ export { dnsProviders } from './dnsRegistry.js';
20
+ export type { DnsProviderEntry } from './dnsRegistry.js';
21
+ export { createCertProvider } from './createCertProvider.js';
22
+ export type { TlsConfig, CreateCertProviderDeps } from './createCertProvider.js';
23
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/cert/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AACjF,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AACnD,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AACxF,YAAY,EAAE,4BAA4B,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAA;AACzF,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAA;AAC5E,YAAY,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAA;AACtE,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAA;AAC3E,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAA;AACvG,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,YAAY,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAA;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAC5D,YAAY,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAA;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAClD,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAC5D,YAAY,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AACtD,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AAC5E,YAAY,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAA;AACzF,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAC/C,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAC5D,YAAY,EAAE,SAAS,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAA"}
@@ -0,0 +1,12 @@
1
+ export { CloudflareDnsProvider, cloudflareDnsFromEnv } from './CloudflareDnsProvider.js';
2
+ export { VercelDnsProvider, vercelDnsFromEnv } from './VercelDnsProvider.js';
3
+ export { AcmeCertProvider, InMemoryCertStore } from './AcmeCertProvider.js';
4
+ export { AcmeClientIssuer } from './AcmeClientIssuer.js';
5
+ export { ImportCertProvider } from './ImportCertProvider.js';
6
+ export { parseCertNotAfter } from './parseCert.js';
7
+ export { DiskCertStore } from './DiskCertStore.js';
8
+ export { startCertRenewal, renewalTick } from './renewal.js';
9
+ export { startAddressPublisher, detectLanIPv4 } from './addressPublisher.js';
10
+ export { dnsProviders } from './dnsRegistry.js';
11
+ export { createCertProvider } from './createCertProvider.js';
12
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/lib/cert/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AAExF,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAA;AAE5E,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAA;AAE3E,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AAExD,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAE5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAClD,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAE5D,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AAE5E,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAE/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA"}
@@ -0,0 +1,3 @@
1
+ /** PEM 인증서에서 notAfter(만료 시각)를 파싱한다. 잘못된 PEM이면 throw. */
2
+ export declare function parseCertNotAfter(certPem: string): Date;
3
+ //# sourceMappingURL=parseCert.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"parseCert.d.ts","sourceRoot":"","sources":["../../../src/lib/cert/parseCert.ts"],"names":[],"mappings":"AAEA,wDAAwD;AACxD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAEvD"}
@@ -0,0 +1,6 @@
1
+ import { X509Certificate } from 'crypto';
2
+ /** PEM 인증서에서 notAfter(만료 시각)를 파싱한다. 잘못된 PEM이면 throw. */
3
+ export function parseCertNotAfter(certPem) {
4
+ return new Date(new X509Certificate(certPem).validTo);
5
+ }
6
+ //# sourceMappingURL=parseCert.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"parseCert.js","sourceRoot":"","sources":["../../../src/lib/cert/parseCert.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAA;AAExC,wDAAwD;AACxD,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,OAAO,IAAI,IAAI,CAAC,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAA;AACvD,CAAC"}
@@ -0,0 +1,13 @@
1
+ import type { CertProvider, CertMaterial } from './CertProvider.js';
2
+ export interface CertRenewalOptions {
3
+ intervalMs?: number;
4
+ /** 갱신이 일어났을 때(새 자료) 호출 — 예: relay TLS 컨텍스트 핫스왑. */
5
+ onRenew?: (material: CertMaterial) => void;
6
+ /** 갱신 중 오류. 미지정 시 경고 로그. 절대 전파하지 않는다. */
7
+ onError?: (err: unknown) => void;
8
+ }
9
+ /** 1회 점검 — renewIfNeeded 호출, 갱신 시 onRenew, 오류는 삼키고 onError/로그. */
10
+ export declare function renewalTick(provider: CertProvider, opts?: CertRenewalOptions): Promise<void>;
11
+ /** 주기 갱신 타이머를 시작하고 정지 함수를 반환한다. */
12
+ export declare function startCertRenewal(provider: CertProvider, opts?: CertRenewalOptions): () => void;
13
+ //# sourceMappingURL=renewal.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"renewal.d.ts","sourceRoot":"","sources":["../../../src/lib/cert/renewal.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAOnE,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,mDAAmD;IACnD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,CAAA;IAC1C,yCAAyC;IACzC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,IAAI,CAAA;CACjC;AAED,kEAAkE;AAClE,wBAAsB,WAAW,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,GAAE,kBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAQtG;AAED,mCAAmC;AACnC,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,GAAE,kBAAuB,GAAG,MAAM,IAAI,CAOlG"}
@@ -0,0 +1,28 @@
1
+ import { createLogger } from '@tapflowio/agent-core';
2
+ const logger = createLogger('relay:cert');
3
+ // ACME 클라이언트 관례대로 하루 두 번 점검. 실제 발급은 만료 30일 이내일 때만 일어난다.
4
+ const DEFAULT_INTERVAL_MS = 12 * 60 * 60 * 1000;
5
+ /** 1회 점검 — renewIfNeeded 호출, 갱신 시 onRenew, 오류는 삼키고 onError/로그. */
6
+ export async function renewalTick(provider, opts = {}) {
7
+ try {
8
+ const renewed = await provider.renewIfNeeded();
9
+ if (renewed)
10
+ opts.onRenew?.(renewed);
11
+ }
12
+ catch (err) {
13
+ if (opts.onError)
14
+ opts.onError(err);
15
+ else
16
+ logger.warn(`cert renewal failed: ${String(err)}`);
17
+ }
18
+ }
19
+ /** 주기 갱신 타이머를 시작하고 정지 함수를 반환한다. */
20
+ export function startCertRenewal(provider, opts = {}) {
21
+ const interval = opts.intervalMs ?? DEFAULT_INTERVAL_MS;
22
+ const timer = setInterval(() => {
23
+ void renewalTick(provider, opts);
24
+ }, interval);
25
+ timer.unref?.();
26
+ return () => clearInterval(timer);
27
+ }
28
+ //# sourceMappingURL=renewal.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"renewal.js","sourceRoot":"","sources":["../../../src/lib/cert/renewal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAGpD,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,CAAC,CAAA;AAEzC,wDAAwD;AACxD,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;AAU/C,kEAAkE;AAClE,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,QAAsB,EAAE,OAA2B,EAAE;IACrF,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,CAAA;QAC9C,IAAI,OAAO;YAAE,IAAI,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAA;IACtC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,IAAI,CAAC,OAAO;YAAE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;;YAC9B,MAAM,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IACzD,CAAC;AACH,CAAC;AAED,mCAAmC;AACnC,MAAM,UAAU,gBAAgB,CAAC,QAAsB,EAAE,OAA2B,EAAE;IACpF,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAA;IACvD,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE;QAC7B,KAAK,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IAClC,CAAC,EAAE,QAAQ,CAAC,CAAA;IACZ,KAAK,CAAC,KAAK,EAAE,EAAE,CAAA;IACf,OAAO,GAAG,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,CAAA;AACnC,CAAC"}
@@ -0,0 +1,12 @@
1
+ export declare function parseTrustedProxies(raw: string | undefined): string[];
2
+ export interface ResolveClientAddressInput {
3
+ socketAddr: string;
4
+ forwardedFor: string | undefined;
5
+ trustedProxies: string[];
6
+ }
7
+ export interface ResolvedClientAddress {
8
+ addr: string;
9
+ isLocal: boolean;
10
+ }
11
+ export declare function resolveClientAddress(input: ResolveClientAddressInput): ResolvedClientAddress;
12
+ //# sourceMappingURL=clientAddress.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"clientAddress.d.ts","sourceRoot":"","sources":["../../src/lib/clientAddress.ts"],"names":[],"mappings":"AAiBA,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,EAAE,CAMrE;AAED,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,MAAM,CAAA;IAClB,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,EAAE,CAAA;CACzB;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,yBAAyB,GAAG,qBAAqB,CAoB5F"}
@@ -0,0 +1,46 @@
1
+ // ⑤ trusted-proxy — same-host 리버스 프록시 뒤에서 loopback 무인증 우회를 막는 IP 해석.
2
+ // classifyConnection 앞단에서 "이 연결의 실제 클라이언트 IP가 무엇이고 loopback인가"만 판정한다.
3
+ // IPv4-mapped IPv6(`::ffff:127.0.0.1`)를 IPv4로 풀고, IPv6 zone id(`%en0`)를 떼낸다.
4
+ function normalize(addr) {
5
+ let a = addr.trim();
6
+ const zone = a.indexOf('%');
7
+ if (zone !== -1)
8
+ a = a.slice(0, zone);
9
+ if (a.toLowerCase().startsWith('::ffff:') && a.includes('.'))
10
+ a = a.slice(7);
11
+ return a;
12
+ }
13
+ function isLoopback(addr) {
14
+ const a = normalize(addr);
15
+ return a === '::1' || a.startsWith('127.');
16
+ }
17
+ export function parseTrustedProxies(raw) {
18
+ if (!raw)
19
+ return [];
20
+ return raw
21
+ .split(',')
22
+ .map((s) => normalize(s))
23
+ .filter((s) => s.length > 0);
24
+ }
25
+ export function resolveClientAddress(input) {
26
+ const socket = normalize(input.socketAddr);
27
+ const fromTrustedProxy = input.trustedProxies.includes(socket);
28
+ const xff = (input.forwardedFor ?? '').trim();
29
+ if (fromTrustedProxy && xff.length > 0) {
30
+ // 신뢰 프록시 경유: XFF 최좌측은 클라이언트가 임의 주입할 수 있다(nginx 등은 기존 헤더에 append).
31
+ // 우측(프록시가 직접 관찰한 쪽)부터 신뢰 프록시 IP를 벗겨내고, 첫 비신뢰 IP를 원 클라이언트로 본다.
32
+ const chain = xff.split(',').map((s) => normalize(s.trim())).filter((s) => s.length > 0);
33
+ let i = chain.length - 1;
34
+ while (i >= 0 && input.trustedProxies.includes(chain[i]))
35
+ i--;
36
+ // 전부 신뢰 프록시(원 클라이언트 식별 불가) → 안전 기본(원격 간주).
37
+ if (i < 0)
38
+ return { addr: socket, isLocal: false };
39
+ return { addr: chain[i], isLocal: isLoopback(chain[i]) };
40
+ }
41
+ // 직접 연결: 신뢰 프록시 IP라도 XFF가 없으면 프록시 미경유 직접 접근으로 본다(프록시는 항상 XFF를
42
+ // 추가하므로) — 호스트에서의 admin init / CLI / agent가 막히지 않게 한다.
43
+ // 비신뢰 출발지가 보낸 XFF는 스푸핑 가능하므로 무시하고, 어느 경우든 소켓 IP로 판정한다.
44
+ return { addr: socket, isLocal: isLoopback(socket) };
45
+ }
46
+ //# sourceMappingURL=clientAddress.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"clientAddress.js","sourceRoot":"","sources":["../../src/lib/clientAddress.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,sEAAsE;AAEtE,6EAA6E;AAC7E,SAAS,SAAS,CAAC,IAAY;IAC7B,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IACnB,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC3B,IAAI,IAAI,KAAK,CAAC,CAAC;QAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAA;IACrC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAC5E,OAAO,CAAC,CAAA;AACV,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IACzB,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;AAC5C,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,GAAuB;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAA;IACnB,OAAO,GAAG;SACP,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;SACxB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;AAChC,CAAC;AAaD,MAAM,UAAU,oBAAoB,CAAC,KAAgC;IACnE,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAC1C,MAAM,gBAAgB,GAAG,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IAC9D,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;IAE7C,IAAI,gBAAgB,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,kEAAkE;QAClE,8DAA8D;QAC9D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QACxF,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAA;QACxB,OAAO,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,CAAC,EAAE,CAAA;QAC7D,2CAA2C;QAC3C,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;QAClD,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAC1D,CAAC;IAED,8DAA8D;IAC9D,uDAAuD;IACvD,uDAAuD;IACvD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAA;AACtD,CAAC"}
@@ -4,6 +4,7 @@ declare const configSchema: z.ZodObject<{
4
4
  port: z.ZodNumber;
5
5
  dataDir: z.ZodString;
6
6
  wsBackpressureBytes: z.ZodNumber;
7
+ trustedProxies: z.ZodArray<z.ZodString>;
7
8
  }, z.core.$strip>;
8
9
  relay: z.ZodObject<{
9
10
  url: z.ZodNullable<z.ZodString>;
@@ -21,6 +22,17 @@ declare const configSchema: z.ZodObject<{
21
22
  provider: z.ZodLiteral<"tailscale">;
22
23
  publicUrl: z.ZodOptional<z.ZodString>;
23
24
  }, z.core.$strip>], "provider">>;
25
+ tls: z.ZodNullable<z.ZodDiscriminatedUnion<[z.ZodObject<{
26
+ mode: z.ZodLiteral<"byo-api-token">;
27
+ domain: z.ZodString;
28
+ dnsProvider: z.ZodString;
29
+ publishAddress: z.ZodOptional<z.ZodBoolean>;
30
+ address: z.ZodOptional<z.ZodString>;
31
+ }, z.core.$strip>, z.ZodObject<{
32
+ mode: z.ZodLiteral<"import-cert">;
33
+ certPath: z.ZodString;
34
+ keyPath: z.ZodString;
35
+ }, z.core.$strip>], "mode">>;
24
36
  smtp: z.ZodObject<{
25
37
  host: z.ZodString;
26
38
  port: z.ZodNumber;
@@ -31,11 +43,13 @@ declare const configSchema: z.ZodObject<{
31
43
  }, z.core.$strip>;
32
44
  }, z.core.$strip>;
33
45
  export type TapflowConfig = z.infer<typeof configSchema>;
46
+ export declare function loadOrCreatePersistedSecret(dataDir: string): string;
34
47
  export declare const config: {
35
48
  local: {
36
49
  port: number;
37
50
  dataDir: string;
38
51
  wsBackpressureBytes: number;
52
+ trustedProxies: string[];
39
53
  };
40
54
  relay: {
41
55
  url: string | null;
@@ -53,6 +67,17 @@ export declare const config: {
53
67
  provider: "tailscale";
54
68
  publicUrl?: string | undefined;
55
69
  } | null;
70
+ tls: {
71
+ mode: "byo-api-token";
72
+ domain: string;
73
+ dnsProvider: string;
74
+ publishAddress?: boolean | undefined;
75
+ address?: string | undefined;
76
+ } | {
77
+ mode: "import-cert";
78
+ certPath: string;
79
+ keyPath: string;
80
+ } | null;
56
81
  smtp: {
57
82
  host: string;
58
83
  port: number;
@@ -1 +1 @@
1
- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AA2BvB,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAkBhB,CAAA;AAEF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AAsHxD,eAAO,MAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAS,CAAA;AAC5B,eAAO,MAAM,SAAS,QAAkB,CAAA"}
1
+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAkDvB,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoBhB,CAAA;AAEF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AAiIxD,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAkBnE;AAaD,eAAO,MAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAS,CAAA;AAC5B,eAAO,MAAM,SAAS,QAAkB,CAAA"}
@@ -1,9 +1,11 @@
1
1
  import fs from 'fs';
2
2
  import path from 'path';
3
+ import crypto from 'crypto';
3
4
  import { z } from 'zod';
4
5
  import { createLogger } from '@tapflowio/agent-core';
6
+ import { parseTrustedProxies } from './clientAddress.js';
7
+ import { dnsProviders } from './cert/dnsRegistry.js';
5
8
  const logger = createLogger('relay:config');
6
- const DEV_DEFAULT_SECRET = 'tapflow-dev-secret-change-in-production';
7
9
  const tunnelSshSchema = z.object({
8
10
  host: z.string().min(1),
9
11
  user: z.string().min(1),
@@ -20,16 +22,38 @@ const tailscaleTunnelSchema = z.object({
20
22
  publicUrl: z.string().optional(),
21
23
  });
22
24
  const tunnelSchema = z.discriminatedUnion('provider', [ratholeTunnelSchema, tailscaleTunnelSchema]);
25
+ // LAN HTTPS (issue #232) — secure context용 TLS 종단 설정. 골격: v1은 LAN 가지만 구현.
26
+ // 비밀(DNS API 토큰)은 config 파일이 아니라 env에서 읽는다(예: TAPFLOW_CLOUDFLARE_TOKEN).
27
+ const importCertTlsSchema = z.object({
28
+ mode: z.literal('import-cert'),
29
+ certPath: z.string().min(1),
30
+ keyPath: z.string().min(1),
31
+ });
32
+ const byoApiTokenTlsSchema = z.object({
33
+ mode: z.literal('byo-api-token'),
34
+ domain: z.string().min(1),
35
+ // 유효 provider는 레지스트리가 정한다(새 provider 추가 시 스키마 무변경).
36
+ dnsProvider: z.string().min(1).refine((n) => dnsProviders.has(n), {
37
+ message: `unknown dnsProvider (available: ${dnsProviders.names().join(', ')})`,
38
+ }),
39
+ // 도메인 A 레코드를 LAN IP로 자동 발행(기본 ON). false면 사용자가 직접 관리.
40
+ publishAddress: z.boolean().optional(),
41
+ // 자동 감지 대신 쓸 고정 LAN IP(멀티NIC/VPN 환경 오버라이드).
42
+ address: z.string().min(1).optional(),
43
+ });
44
+ const tlsSchema = z.discriminatedUnion('mode', [byoApiTokenTlsSchema, importCertTlsSchema]);
23
45
  const configSchema = z.object({
24
46
  local: z.object({
25
47
  port: z.number().int().min(1).max(65535),
26
48
  dataDir: z.string().min(1),
27
49
  wsBackpressureBytes: z.number().int().min(1),
50
+ trustedProxies: z.array(z.string()),
28
51
  }),
29
52
  relay: z.object({
30
53
  url: z.string().nullable(),
31
54
  }),
32
55
  tunnel: tunnelSchema.nullable(),
56
+ tls: tlsSchema.nullable(),
33
57
  smtp: z.object({
34
58
  host: z.string(),
35
59
  port: z.number().int().min(1).max(65535),
@@ -44,11 +68,13 @@ const DEFAULTS = {
44
68
  port: 4000,
45
69
  dataDir: '.tapflow-data',
46
70
  wsBackpressureBytes: 1_048_576,
71
+ trustedProxies: [],
47
72
  },
48
73
  relay: {
49
74
  url: null,
50
75
  },
51
76
  tunnel: null,
77
+ tls: null,
52
78
  smtp: {
53
79
  host: '',
54
80
  port: 587,
@@ -80,6 +106,7 @@ function load() {
80
106
  port: file.local?.port ?? DEFAULTS.local.port,
81
107
  dataDir: resolveDataDir(file.local?.dataDir ?? DEFAULTS.local.dataDir),
82
108
  wsBackpressureBytes: DEFAULTS.local.wsBackpressureBytes,
109
+ trustedProxies: parseTrustedProxies(process.env.TAPFLOW_TRUSTED_PROXIES),
83
110
  },
84
111
  relay: {
85
112
  url: file.relay?.url || null,
@@ -101,6 +128,22 @@ function load() {
101
128
  : null,
102
129
  };
103
130
  })(),
131
+ tls: (() => {
132
+ if (file.tls == null)
133
+ return null;
134
+ const t = file.tls;
135
+ if (t.mode === 'import-cert') {
136
+ return { mode: 'import-cert', certPath: t.certPath ?? '', keyPath: t.keyPath ?? '' };
137
+ }
138
+ // Pass mode/provider through (no silent default) so zod rejects a missing/misspelled provider.
139
+ return {
140
+ mode: t.mode,
141
+ domain: t.domain ?? '',
142
+ dnsProvider: t.dnsProvider ?? '',
143
+ ...(t.publishAddress !== undefined ? { publishAddress: t.publishAddress } : {}),
144
+ ...(t.address !== undefined ? { address: t.address } : {}),
145
+ };
146
+ })(),
104
147
  smtp: {
105
148
  host: file.smtp?.host ?? DEFAULTS.smtp.host,
106
149
  port: file.smtp?.port ?? DEFAULTS.smtp.port,
@@ -143,6 +186,30 @@ function load() {
143
186
  }
144
187
  return result.data;
145
188
  }
189
+ // JWT_SECRET 미설정 시: 공개된 공유 기본값 대신 per-install 시크릿을 생성·영속화한다.
190
+ // dataDir에 0600으로 저장하고 재시작 시 재사용 → 설정 없이도 위조 불가, 온보딩 friction 없음.
191
+ export function loadOrCreatePersistedSecret(dataDir) {
192
+ const secretPath = path.join(dataDir, 'jwt-secret');
193
+ try {
194
+ const existing = fs.readFileSync(secretPath, 'utf-8').trim();
195
+ if (existing.length >= 32)
196
+ return existing;
197
+ }
198
+ catch {
199
+ // not yet created
200
+ }
201
+ const secret = crypto.randomBytes(48).toString('base64url');
202
+ fs.mkdirSync(dataDir, { recursive: true });
203
+ fs.writeFileSync(secretPath, secret, { mode: 0o600 });
204
+ try {
205
+ fs.chmodSync(secretPath, 0o600);
206
+ }
207
+ catch {
208
+ // best-effort on platforms without POSIX permissions
209
+ }
210
+ logger.info(`Generated a per-install JWT secret at ${secretPath} (set JWT_SECRET to override)`);
211
+ return secret;
212
+ }
146
213
  function loadJwtSecret() {
147
214
  if (process.env.JWT_SECRET !== undefined) {
148
215
  if (process.env.JWT_SECRET.length < 32) {
@@ -151,8 +218,7 @@ function loadJwtSecret() {
151
218
  }
152
219
  return process.env.JWT_SECRET;
153
220
  }
154
- logger.warn('JWT_SECRET is using the dev default — set a strong secret in production');
155
- return DEV_DEFAULT_SECRET;
221
+ return loadOrCreatePersistedSecret(config.local.dataDir);
156
222
  }
157
223
  export const config = load();
158
224
  export const jwtSecret = loadJwtSecret();
@@ -1 +1 @@
1
- {"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAA;AACnB,OAAO,IAAI,MAAM,MAAM,CAAA;AACvB,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAEpD,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAA;AAE3C,MAAM,kBAAkB,GAAG,yCAAyC,CAAA;AAEpE,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAA;AAEF,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAC9B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,GAAG,EAAE,eAAe,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAA;AAEF,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACjC,CAAC,CAAA;AAEF,MAAM,YAAY,GAAG,CAAC,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC,CAAA;AAEnG,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;QACxC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1B,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KAC7C,CAAC;IACF,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC3B,CAAC;IACF,MAAM,EAAE,YAAY,CAAC,QAAQ,EAAE;IAC/B,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QACb,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;QACxC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;QACnB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACjB,CAAC;CACH,CAAC,CAAA;AAMF,MAAM,QAAQ,GAAG;IACf,KAAK,EAAE;QACL,IAAI,EAAE,IAAI;QACV,OAAO,EAAE,eAAe;QACxB,mBAAmB,EAAE,SAAS;KAC/B;IACD,KAAK,EAAE;QACL,GAAG,EAAE,IAAI;KACV;IACD,MAAM,EAAE,IAAI;IACZ,IAAI,EAAE;QACJ,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,iCAAiC;KACxC;CACsB,CAAA;AAEzB,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAA;AACnE,CAAC;AAED,SAAS,IAAI;IACX,IAAI,IAAI,GAAqE,EAAE,CAAA;IAE/E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,qBAAqB,CAAC,CAAA;IAClE,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAgB,CAAA;QACxE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,IAAI,WAAW,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAA;IACtG,CAAC;IAED,MAAM,GAAG,GAAkB;QACzB,KAAK,EAAE;YACL,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI;YAC7C,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC;YACtE,mBAAmB,EAAE,QAAQ,CAAC,KAAK,CAAC,mBAAmB;SACxD;QACD,KAAK,EAAE;YACL,GAAG,EAAE,IAAI,CAAC,KAAK,EAAE,GAAG,IAAI,IAAI;SAC7B;QACD,MAAM,EAAE,CAAC,GAAG,EAAE;YACZ,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI;gBAAE,OAAO,IAAI,CAAA;YACpC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAyI,CAAA;YACxJ,IAAI,CAAC,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBAC/B,OAAO,EAAE,QAAQ,EAAE,WAAoB,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAA;YACnE,CAAC;YACD,qFAAqF;YACrF,OAAO;gBACL,QAAQ,EAAE,CAAC,CAAC,QAAqB;gBACjC,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,EAAE;gBAC9B,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,EAAE;gBAC5B,GAAG,EAAE,CAAC,CAAC,GAAG,IAAI,IAAI;oBAChB,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE;oBAC5E,CAAC,CAAC,IAAI;aACT,CAAA;QACH,CAAC,CAAC,EAAE;QACJ,IAAI,EAAE;YACJ,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM;YACjD,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;SAC5C;KACF,CAAA;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAAE,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IAC/E,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAAE,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAA;IAClG,IAAI,OAAO,CAAC,GAAG,CAAC,6BAA6B;QAAE,GAAG,CAAC,KAAK,CAAC,mBAAmB,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAA;IAChI,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAAE,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,CAAA;IACxF,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IACxE,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW;QAAE,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,CAAA;IACjF,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAEhE,qFAAqF;IACrF,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1F,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,YAAY,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAA;IAC9C,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACxC,MAAM,CAAC,KAAK,CAAC,iBAAiB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;QAC1E,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAA;AACpB,CAAC;AAED,SAAS,aAAa;IACpB,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACvC,MAAM,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAA;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QACD,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;IAC/B,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,yEAAyE,CAAC,CAAA;IACtF,OAAO,kBAAkB,CAAA;AAC3B,CAAC;AAED,MAAM,CAAC,MAAM,MAAM,GAAG,IAAI,EAAE,CAAA;AAC5B,MAAM,CAAC,MAAM,SAAS,GAAG,aAAa,EAAE,CAAA"}
1
+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAA;AACnB,OAAO,IAAI,MAAM,MAAM,CAAA;AACvB,OAAO,MAAM,MAAM,QAAQ,CAAA;AAC3B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAA;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAEpD,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAA;AAE3C,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAA;AAEF,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAC9B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,GAAG,EAAE,eAAe,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAA;AAEF,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACjC,CAAC,CAAA;AAEF,MAAM,YAAY,GAAG,CAAC,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC,CAAA;AAEnG,0EAA0E;AAC1E,yEAAyE;AACzE,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC3B,CAAC,CAAA;AAEF,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IAChC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,oDAAoD;IACpD,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QAChE,OAAO,EAAE,mCAAmC,YAAY,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;KAC/E,CAAC;IACF,sDAAsD;IACtD,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtC,4CAA4C;IAC5C,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAA;AAEF,MAAM,SAAS,GAAG,CAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC,oBAAoB,EAAE,mBAAmB,CAAC,CAAC,CAAA;AAE3F,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;QACxC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1B,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5C,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACpC,CAAC;IACF,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC3B,CAAC;IACF,MAAM,EAAE,YAAY,CAAC,QAAQ,EAAE;IAC/B,GAAG,EAAE,SAAS,CAAC,QAAQ,EAAE;IACzB,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QACb,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;QACxC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;QACnB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACjB,CAAC;CACH,CAAC,CAAA;AAMF,MAAM,QAAQ,GAAG;IACf,KAAK,EAAE;QACL,IAAI,EAAE,IAAI;QACV,OAAO,EAAE,eAAe;QACxB,mBAAmB,EAAE,SAAS;QAC9B,cAAc,EAAE,EAAE;KACnB;IACD,KAAK,EAAE;QACL,GAAG,EAAE,IAAI;KACV;IACD,MAAM,EAAE,IAAI;IACZ,GAAG,EAAE,IAAI;IACT,IAAI,EAAE;QACJ,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,iCAAiC;KACxC;CACsB,CAAA;AAEzB,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAA;AACnE,CAAC;AAED,SAAS,IAAI;IACX,IAAI,IAAI,GAAqE,EAAE,CAAA;IAE/E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,qBAAqB,CAAC,CAAA;IAClE,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAgB,CAAA;QACxE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,IAAI,WAAW,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAA;IACtG,CAAC;IAED,MAAM,GAAG,GAAkB;QACzB,KAAK,EAAE;YACL,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI;YAC7C,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC;YACtE,mBAAmB,EAAE,QAAQ,CAAC,KAAK,CAAC,mBAAmB;YACvD,cAAc,EAAE,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;SACzE;QACD,KAAK,EAAE;YACL,GAAG,EAAE,IAAI,CAAC,KAAK,EAAE,GAAG,IAAI,IAAI;SAC7B;QACD,MAAM,EAAE,CAAC,GAAG,EAAE;YACZ,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI;gBAAE,OAAO,IAAI,CAAA;YACpC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAyI,CAAA;YACxJ,IAAI,CAAC,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBAC/B,OAAO,EAAE,QAAQ,EAAE,WAAoB,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAA;YACnE,CAAC;YACD,qFAAqF;YACrF,OAAO;gBACL,QAAQ,EAAE,CAAC,CAAC,QAAqB;gBACjC,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,EAAE;gBAC9B,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,EAAE;gBAC5B,GAAG,EAAE,CAAC,CAAC,GAAG,IAAI,IAAI;oBAChB,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE;oBAC5E,CAAC,CAAC,IAAI;aACT,CAAA;QACH,CAAC,CAAC,EAAE;QACJ,GAAG,EAAE,CAAC,GAAG,EAAE;YACT,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI;gBAAE,OAAO,IAAI,CAAA;YACjC,MAAM,CAAC,GAAG,IAAI,CAAC,GAGd,CAAA;YACD,IAAI,CAAC,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;gBAC7B,OAAO,EAAE,IAAI,EAAE,aAAsB,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,EAAE,EAAE,CAAA;YAC/F,CAAC;YACD,+FAA+F;YAC/F,OAAO;gBACL,IAAI,EAAE,CAAC,CAAC,IAAuB;gBAC/B,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE;gBACtB,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,EAAE;gBAChC,GAAG,CAAC,CAAC,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC/E,GAAG,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC3D,CAAA;QACH,CAAC,CAAC,EAAE;QACJ,IAAI,EAAE;YACJ,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM;YACjD,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;SAC5C;KACF,CAAA;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAAE,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IAC/E,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAAE,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAA;IAClG,IAAI,OAAO,CAAC,GAAG,CAAC,6BAA6B;QAAE,GAAG,CAAC,KAAK,CAAC,mBAAmB,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAA;IAChI,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAAE,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,CAAA;IACxF,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IACxE,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW;QAAE,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,CAAA;IACjF,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAEhE,qFAAqF;IACrF,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1F,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,YAAY,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAA;IAC9C,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACxC,MAAM,CAAC,KAAK,CAAC,iBAAiB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;QAC1E,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAA;AACpB,CAAC;AAED,6DAA6D;AAC7D,kEAAkE;AAClE,MAAM,UAAU,2BAA2B,CAAC,OAAe;IACzD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAA;IACnD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAA;QAC5D,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE;YAAE,OAAO,QAAQ,CAAA;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC3D,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAC1C,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IACrD,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,qDAAqD;IACvD,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,yCAAyC,UAAU,+BAA+B,CAAC,CAAA;IAC/F,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,aAAa;IACpB,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACvC,MAAM,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAA;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QACD,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;IAC/B,CAAC;IACD,OAAO,2BAA2B,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;AAC1D,CAAC;AAED,MAAM,CAAC,MAAM,MAAM,GAAG,IAAI,EAAE,CAAA;AAC5B,MAAM,CAAC,MAAM,SAAS,GAAG,aAAa,EAAE,CAAA"}
@@ -0,0 +1,2 @@
1
+ export declare function resolveCorsHeaders(origin: string | undefined, allowedOrigins: Set<string>): Record<string, string> | null;
2
+ //# sourceMappingURL=cors.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/lib/cors.ts"],"names":[],"mappings":"AAKA,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,GAC1B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAS/B"}
@@ -0,0 +1,18 @@
1
+ // #4 — CORS 출처 제한.
2
+ // 기존엔 모든 응답에 `Access-Control-Allow-Origin: *` + `Allow-Headers: Authorization`을 줘서,
3
+ // PAT(Authorization 헤더)를 cross-origin 스크립트에서 사용할 수 있었다. 허용 출처 allowlist에
4
+ // 든 origin만 에코하고, 그 외에는 CORS 헤더를 부여하지 않는다(브라우저가 cross-origin을 차단).
5
+ // same-origin 요청과 비-브라우저(CLI/서버-서버, Origin 헤더 없음)는 CORS와 무관하게 그대로 동작한다.
6
+ export function resolveCorsHeaders(origin, allowedOrigins) {
7
+ if (!origin)
8
+ return null;
9
+ if (!allowedOrigins.has(origin))
10
+ return null;
11
+ return {
12
+ 'Access-Control-Allow-Origin': origin,
13
+ 'Vary': 'Origin',
14
+ 'Access-Control-Allow-Headers': 'Content-Type, Authorization',
15
+ 'Access-Control-Allow-Methods': 'GET, POST, PATCH, DELETE, OPTIONS',
16
+ };
17
+ }
18
+ //# sourceMappingURL=cors.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cors.js","sourceRoot":"","sources":["../../src/lib/cors.ts"],"names":[],"mappings":"AAAA,mBAAmB;AACnB,oFAAoF;AACpF,yEAAyE;AACzE,mEAAmE;AACnE,wEAAwE;AACxE,MAAM,UAAU,kBAAkB,CAChC,MAA0B,EAC1B,cAA2B;IAE3B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IACxB,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAA;IAC5C,OAAO;QACL,6BAA6B,EAAE,MAAM;QACrC,MAAM,EAAE,QAAQ;QAChB,8BAA8B,EAAE,6BAA6B;QAC7D,8BAA8B,EAAE,mCAAmC;KACpE,CAAA;AACH,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type http from 'http';
2
+ export declare function isCsrfBlocked(method: string | undefined, headers: http.IncomingHttpHeaders, allowedOrigins: Set<string>): boolean;
3
+ //# sourceMappingURL=csrf.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/lib/csrf.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAkB5B,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,OAAO,EAAE,IAAI,CAAC,mBAAmB,EACjC,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,GAC1B,OAAO,CAoBT"}
@@ -0,0 +1,42 @@
1
+ // #5 — CSRF 경량 가드.
2
+ // 상태 변경 API가 `SameSite=Lax` 쿠키에만 의존하면 일부 cross-site 요청이 통과할 수 있다.
3
+ // 쿠키로 인증된 상태 변경 요청은 Origin이 same-origin(Host 일치)이거나 신뢰 allowlist에 있을 때만
4
+ // 허용하고, 그 외 cross-origin은 차단한다. 브라우저는 상태 변경 요청에 Origin을 강제로 붙이므로
5
+ // 대시보드(same-origin)는 그대로 통과하고, 공격자 origin은 막힌다.
6
+ // 면제: 안전 메서드(GET/HEAD/OPTIONS), PAT 인증(Authorization — 쿠키 자동 전송이 아님),
7
+ // 쿠키 없는 요청(미인증/login/init), Origin 없는 요청(비-브라우저; 브라우저는 cross-site에 Origin을 생략하지 못한다).
8
+ const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
9
+ // Loopback origins are the local dev machine (e.g. Vite :3001 proxying to the relay :4000), never a
10
+ // remote attacker — a cross-site page can't forge a localhost Origin, so exempting these is safe.
11
+ function isLoopbackHost(hostname) {
12
+ const h = hostname.replace(/^\[|\]$/g, '');
13
+ return h === 'localhost' || h === '127.0.0.1' || h === '::1';
14
+ }
15
+ export function isCsrfBlocked(method, headers, allowedOrigins) {
16
+ if (SAFE_METHODS.has((method ?? 'GET').toUpperCase()))
17
+ return false;
18
+ if (headers['authorization'])
19
+ return false;
20
+ const cookie = headers['cookie'];
21
+ const hasCookieAuth = typeof cookie === 'string' && cookie.includes('tapflow_token=');
22
+ if (!hasCookieAuth)
23
+ return false;
24
+ const origin = headers['origin'];
25
+ if (!origin)
26
+ return false;
27
+ if (allowedOrigins.has(origin))
28
+ return false;
29
+ const host = headers['host'];
30
+ try {
31
+ const url = new URL(origin);
32
+ if (host && url.host === host)
33
+ return false;
34
+ if (isLoopbackHost(url.hostname))
35
+ return false;
36
+ }
37
+ catch {
38
+ // malformed Origin → treat as cross-origin (blocked below)
39
+ }
40
+ return true;
41
+ }
42
+ //# sourceMappingURL=csrf.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/lib/csrf.ts"],"names":[],"mappings":"AAEA,mBAAmB;AACnB,kEAAkE;AAClE,wEAAwE;AACxE,iEAAiE;AACjE,gDAAgD;AAChD,sEAAsE;AACtE,4FAA4F;AAC5F,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAA;AAExD,oGAAoG;AACpG,kGAAkG;AAClG,SAAS,cAAc,CAAC,QAAgB;IACtC,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA;IAC1C,OAAO,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,KAAK,CAAA;AAC9D,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,MAA0B,EAC1B,OAAiC,EACjC,cAA2B;IAE3B,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QAAE,OAAO,KAAK,CAAA;IACnE,IAAI,OAAO,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAA;IAC1C,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAChC,MAAM,aAAa,GAAG,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAA;IACrF,IAAI,CAAC,aAAa;QAAE,OAAO,KAAK,CAAA;IAEhC,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAChC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACzB,IAAI,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAA;IAE5C,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAC5B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAA;QAC3B,IAAI,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI;YAAE,OAAO,KAAK,CAAA;QAC3C,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAA;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,2DAA2D;IAC7D,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}
@@ -0,0 +1,2 @@
1
+ export declare function loadDataDirEnv(dataDir: string): string | null;
2
+ //# sourceMappingURL=loadEnvFile.d.ts.map