npm - @toon-protocol/client - Versions diffs - 0.9.0 → 0.9.2 - Mend

@toon-protocol/client 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +168 -34
package/dist/anon-proxy-W3KMM7GU.js +23 -0
package/dist/chunk-WHAEQLIW.js +276 -0
package/dist/chunk-WHAEQLIW.js.map +1 -0
package/dist/gateway-QOK47RKS.js +13 -0
package/dist/gateway-QOK47RKS.js.map +1 -0
package/dist/index.d.ts +1413 -34
package/dist/index.js +2530 -430
package/dist/index.js.map +1 -1
package/dist/socks5-WTJBYGME.js +136 -0
package/dist/socks5-WTJBYGME.js.map +1 -0
package/package.json +21 -15
package/dist/chunk-5WRI5ZAA.js +0 -31
package/dist/mina-signer-J7GFWOGO.js +0 -6317
package/dist/mina-signer-J7GFWOGO.js.map +0 -1
/package/dist/{chunk-5WRI5ZAA.js.map → anon-proxy-W3KMM7GU.js.map} +0 -0

package/README.md CHANGED Viewed

@@ -1,15 +1,29 @@
 # @toon-protocol/client
-High-level TypeScript client for publishing Nostr events to the TOON protocol — an ILP-gated Nostr relay that enables sustainable relay operation through micropayments.
+The **client library** for TOON Protocol — _pay-to-write Nostr over Interledger (ILP)_. Use it to **pay for and publish** writes to a network of service nodes. **Reads are free; writes cost a signed EIP-712 payment-channel claim** against an on-chain deposit.
+> **`client` vs `townhouse`.** This package (`@toon-protocol/client`) is what an _app or end user_ uses to **pay** and publish. It does **not** run any relay or node. The nodes are operated separately by **`@toon-protocol/townhouse`** (the operator product, which runs an _apex_ connector plus `town` / `mill` / `dvm` children). Don't confuse the **client** (pays) with **townhouse** (operates), or **`town`** (a single Nostr-relay node) with **townhouse** (the whole operator stack).
+## Which call pays which node
+Every write is an ILP packet carrying a signed payment-channel claim. The client reaches all node types **through a townhouse apex** (`g.townhouse`): the apex validates the claim, takes its fee, and forwards the packet to the destination node, which returns FULFILL (accepted) or REJECT. The method you call determines which node type you pay:
+| Client call                       | Node type | What it does                                                                                                                                              |
+| --------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `client.publishEvent(event)`      | **town**  | Publish a Nostr event (e.g. `kind:1`) to the relay.                                                                                                       |
+| `requestBlobStorage(client, …)`   | **dvm**   | NIP-90 compute/storage. Builds and publishes a `kind:5094` event that uploads a blob to Arweave — the job request **is** the payment — and decodes the Arweave tx ID from the FULFILL response. |
+| `client.sendSwapPacket(…)`        | **mill**  | Multi-chain token swap (low-level). Most callers use the higher-level `streamSwap()` from `@toon-protocol/sdk`, which is built on `sendSwapPacket`.       |
 ## What It Does
 This client handles:
-- **ILP Micropayments**: Pay to publish Nostr events (read is free)
+- **ILP Micropayments**: Pay to publish Nostr events (reads are free)
 - **Payment Channels**: Automatic on-chain channel creation with off-chain settlement via signed balance proofs
-- **Unified Identity**: One Nostr key = one EVM address (both use secp256k1, derived automatically)
-- **Multi-Hop Routing**: Publish to any destination address, not just your direct peer
+- **Unified Identity**: One Nostr key = one EVM address (both secp256k1, derived automatically) — or a single BIP-39 **mnemonic** to derive a full multi-chain identity
+- **Multi-Chain Settlement**: Sign payment-channel claims on EVM (EIP-712), Solana (Ed25519), and Mina (Pallas) from one mnemonic. A Townhouse apex validates the claim and redeems it on-chain on the matching chain (EVM/Solana credit the recipient; Mina redeems each claim on-chain with recipient credit-at-close deferred — see [Multi-Chain Settlement notes](#identity--multi-chain-settlement))
+- **Multi-Hop Routing**: Publish to any destination address (`destination` / `destinationAddress`), not just your direct peer
+- **Private Transport**: Optionally reach a townhouse apex at its ATOR `.anyone` address through a SOCKS5h proxy (see [Connecting over `.anyone`](#connecting-to-an-apex-over-anyone))
 - **Network Bootstrap**: Automatically discover and register with ILP peers via NIP-02 follow lists
 - **TOON Encoding**: Native binary format for agent-friendly event encoding
@@ -17,32 +31,47 @@ This client handles:
 ```bash
 pnpm add @toon-protocol/client @toon-protocol/core @toon-protocol/relay nostr-tools
+# Optional — only needed to derive/sign on Mina (Pallas):
+pnpm add mina-signer
 ```
 ## Prerequisites
-The client requires external services. Use the SDK E2E infrastructure for local development:
-```bash
-# Start SDK E2E infrastructure
-./scripts/sdk-e2e-infra.sh up
-# Verify services are healthy
-curl http://localhost:19100/health  # Peer 1 BLS
-curl http://localhost:19110/health  # Peer 2 BLS
-# Nostr relays on ws://localhost:19700 and ws://localhost:19710 (WebSocket, no HTTP endpoint)
-# Stop infrastructure
-./scripts/sdk-e2e-infra.sh down
-```
-| Service          | Port  | Purpose                                             |
-| ---------------- | ----- | --------------------------------------------------- |
-| **Anvil**        | 18545 | Local EVM chain (chain ID 31337)                    |
-| **Peer 1 BLS**   | 19100 | Validates events, calculates pricing, stores events |
-| **Peer 1 Relay** | 19700 | WebSocket relay for peer discovery (kind:10032)     |
-| **Peer 2 BLS**   | 19110 | Validates events, calculates pricing, stores events |
-| **Peer 2 Relay** | 19710 | WebSocket relay for peer discovery (kind:10032)     |
+**Reading is free** — to subscribe/query you need nothing but this package. To **write (pay)** you need:
+- **Node.js ≥ 20** — these packages are ESM.
+- **A TOON apex to pay.** You don't run any node yourself; you connect to a running
+  [`@toon-protocol/townhouse`](https://www.npmjs.com/package/@toon-protocol/townhouse) apex (or any
+  TOON connector) and pay it. From its operator you need:
+  - a **connector endpoint** — either an HTTP `connectorUrl`, or an ATOR `.anyone` BTP endpoint reached
+    through a **SOCKS5h** proxy (see [Connecting over `.anyone`](#connecting-to-an-apex-over-anyone));
+  - a **settlement-chain RPC URL** and a **funded key** on that chain, so the client can open a
+    payment channel and sign EIP-712 claims;
+  - the **token** and **TokenNetwork** contract addresses that apex accepts on that chain (e.g. USDC).
+These coordinates go straight into the [`ToonClient` config](#quick-start) below.
+> **Local development (from a clone of this repo, not the npm package).** To try the client
+> end-to-end against a throwaway local network, start the monorepo's SDK E2E stack — Anvil + two peer
+> nodes + relays. This script ships with the repo, **not** the published package:
+>
+> ```bash
+> ./scripts/sdk-e2e-infra.sh up     # start (Ctrl-C-safe; `down` to stop)
+> curl http://localhost:19100/health   # peer 1 health
+> ./scripts/sdk-e2e-infra.sh down   # stop
+> ```
+>
+> | Service          | Port  | Purpose                                             |
+> | ---------------- | ----- | --------------------------------------------------- |
+> | **Anvil**        | 18545 | Local EVM chain (chain ID 31337)                    |
+> | **Peer 1 BLS**   | 19100 | Validates events, calculates pricing, stores events |
+> | **Peer 1 Relay** | 19700 | WebSocket relay for peer discovery (kind:10032)     |
+> | **Peer 2 BLS**   | 19110 | Validates events, calculates pricing, stores events |
+> | **Peer 2 Relay** | 19710 | WebSocket relay for peer discovery (kind:10032)     |
+>
+> The Quick Start below is wired for this local stack (chain `evm:anvil:31337`, TokenNetwork
+> `0xCafac3dD…052c`); swap in your apex's real coordinates for any other network.
 ---
@@ -93,9 +122,86 @@ await client.stop();
 ---
+## Identity & Multi-Chain Settlement
+There are two ways to give the client an identity:
+### 1. Raw `secretKey` — Nostr + EVM (secp256k1)
+A 32-byte Nostr key. Because Nostr and EVM both use secp256k1, the same key provides your EVM identity automatically. This is the path shown in the Quick Start, and it only supports EVM settlement.
+### 2. `mnemonic` — full multi-chain identity (recommended for non-EVM)
+A single BIP-39 phrase derives **all** chain identities: Nostr (NIP-06) + EVM (secp256k1), Solana (Ed25519), and Mina (Pallas). This is required to settle on Solana or Mina — a raw secp256k1 `secretKey` cannot represent those curves.
+```typescript
+import { ToonClient, generateMnemonic, deriveFullIdentity } from '@toon-protocol/client';
+import { encodeEventToToon, decodeEventFromToon } from '@toon-protocol/relay';
+const mnemonic = generateMnemonic(); // or restore an existing 12-word phrase
+const { nostr } = await deriveFullIdentity(mnemonic); // peek at the derived keys if needed
+const client = new ToonClient({
+  connectorUrl: 'http://localhost:8080',
+  mnemonic, // derives Nostr/EVM synchronously; Solana/Mina during start()
+  ilpInfo: {
+    pubkey: nostr.pubkey,
+    ilpAddress: `g.toon.${nostr.pubkey.slice(0, 8)}`,
+    btpEndpoint: 'ws://localhost:3000',
+  },
+  toonEncoder: encodeEventToToon,
+  toonDecoder: decodeEventFromToon,
+});
+await client.start();
+// EVM is available before start(); Solana/Mina are derived during start()
+console.log('Nostr: ', client.getPublicKey());
+console.log('EVM:   ', client.getEvmAddress());
+console.log('Solana:', client.getSolanaAddress()); // base58, after start()
+console.log('Mina:  ', client.getMinaAddress());   // base58, after start() (needs mina-signer)
+```
+**Notes & rules:**
+- **Precedence**: `mnemonic` and `secretKey` are mutually exclusive (a separate `secretKey` would split the Nostr identity from the Solana/Mina identity — the client rejects it). An `evmPrivateKey` override **is** allowed alongside `mnemonic` (e.g. a hardware-wallet EVM key while still deriving Solana/Mina from the phrase).
+- **Solana/Mina addresses** (`getSolanaAddress()`, `getMinaAddress()`) are only available **after `start()`** — those keys are derived asynchronously. `getEvmAddress()`/`getPublicKey()` work before `start()`.
+- **Mina is optional**: it requires the `mina-signer` peer dependency (see Installation). Without it, the client still works for Nostr/EVM/Solana and `getMinaAddress()` returns `undefined`.
+- **Security**: JavaScript strings can't be zeroed from memory, so a `mnemonic` may linger in the heap. For high-security contexts, derive keys yourself (e.g. via `KeyManager`) and pass a pre-derived `secretKey`.
+- **Per-chain claim formats.** Each publish carries a balance-proof claim in the format that destination chain's connector verifier expects — EVM via EIP-712, Solana as a raw Ed25519 message over the on-chain payment-channel message (`channel_pda ‖ nonce ‖ transferredAmount`), Mina as a Pallas-Schnorr claim over a Poseidon `balanceCommitment`. `ToonClient` selects the right signer for the negotiated channel automatically; you do not pick the format. Canonical layouts live in `@toon-protocol/core` (`packages/core/src/settlement/`) so client signers and connector verifiers cannot drift.
+- **On-chain redemption is automatic, and driven by the apex — not the client.** You sign off-chain claims; the Townhouse apex validates them, fulfills, and (once a per-channel threshold is crossed) submits the on-chain redemption itself. EVM and Solana credit the recipient on-chain (Solana at channel close, `SETTLE_CHANNEL`). On **Mina** each paid publish redeems on-chain (`claimFromChannel`, the apex co-signs the counterparty signature; the zkApp nonce and balance commitment advance), and **the recipient's tokens are credited at channel close** via the Story 34.4 fund-custody zkApp (`@toon-protocol/connector` ≥3.10.0): the deposit is escrowed on the zkApp account and `settle()` drains it to the participants (recipient + depositor refund). Verified against `@toon-protocol/connector` 3.10.0.
+---
+## Uploading a blob to a DVM (Arweave storage)
+To store a blob permanently on Arweave, pay a **dvm** node with a `kind:5094` NIP-90 request. The `requestBlobStorage` helper builds the signed event, publishes it through your `ToonClient` (reusing its claim/channel plumbing), and decodes the Arweave transaction ID from the FULFILL response:
+```typescript
+import { ToonClient, requestBlobStorage } from '@toon-protocol/client';
+// `client` is a started ToonClient (see Quick Start). `secretKey` signs the kind:5094 event.
+const result = await requestBlobStorage(client, secretKey, {
+  blobData: new Uint8Array([1, 2, 3, 4]),
+  contentType: 'application/octet-stream',
+  ilpAmount: 50_000n, // USDC micro-units; also used as the event's `bid` if `bid` is omitted
+  destination: 'g.toon.peer1', // the DVM's ILP address (defaults to the client's destinationAddress)
+});
+if (result.success) {
+  console.log(`Stored on Arweave: https://arweave.net/${result.txId}`);
+} else {
+  console.error(`Upload failed: ${result.error}`);
+}
+```
+`requestBlobStorage(client, secretKey, params)` returns `{ success, txId?, eventId?, error? }` (`RequestBlobStorageParams` / `RequestBlobStorageResult` are exported for typing). It covers the **single-packet** case; for large chunked uploads, drive `client.publishEvent()` with `kind:5094` events directly.
+---
 ## Payment Channels
-The client supports EVM-based payment channels for off-chain settlement. Your EVM identity is derived from your Nostr `secretKey` automatically — no separate EVM key needed.
+The client supports payment channels for off-chain settlement on EVM, Solana, and Mina. With a raw `secretKey` you get EVM only; construct from a `mnemonic` (above) to settle on Solana/Mina. Your EVM identity is derived automatically — no separate EVM key needed.
 ### Enabling Payment Channels
@@ -131,10 +237,11 @@ await client.publishEvent(event, { claim });
 ### How It Works
-1. **Bootstrap**: Client discovers peers via NIP-02 and kind:10032 events
-2. **Channel Creation**: Opens on-chain payment channel using your derived EVM address
-3. **Off-chain Payments**: Signed balance proofs settle payments off-chain
+1. **Bootstrap**: Client discovers peers via NIP-02 and kind:10032 events, negotiating a settlement chain with each
+2. **Channel Creation**: Opens an on-chain payment channel on the negotiated chain — using your derived EVM address (EVM), the Ed25519 channel PDA (Solana), or the deployed zkApp account (Mina) when the matching `solanaChannel` / `minaChannel` config is provided
+3. **Off-chain Payments**: Signed balance proofs (chain-appropriate format) settle payments off-chain
 4. **Auto-tracking**: ChannelManager automatically tracks channels and increments nonces
+5. **On-chain redemption**: A Townhouse apex auto-redeems claims on-chain once a per-channel threshold is crossed (see [Multi-Chain Settlement](#identity--multi-chain-settlement) for the EVM/Solana/Mina specifics and the Mina credit-at-close deferral)
 ### Using a Separate EVM Key (Advanced)
@@ -149,6 +256,29 @@ const client = new ToonClient({
 ---
+## Connecting to an apex over `.anyone`
+In production a townhouse apex is reachable at an ATOR `.anyone` hidden-service address rather than a plain `ws://` host. To dial it, route the client's BTP/HTTP traffic through a **SOCKS5h** proxy via the `transport` option. The `socks5h://` scheme is required so DNS resolution happens at the proxy (no DNS leaks):
+```typescript
+const client = new ToonClient({
+  connectorUrl: 'http://localhost:8080', // local connector admin, if any
+  secretKey,
+  ilpInfo: { pubkey, ilpAddress: `g.toon.${pubkey.slice(0, 8)}`, btpEndpoint: 'ws://abc...xyz.anyone:3000' },
+  btpUrl: 'ws://abc...xyz.anyone:3000', // the apex's BTP endpoint at its .anyone address
+  destinationAddress: 'g.townhouse', // pay the apex; it forwards to the town/dvm/mill child
+  toonEncoder: encodeEventToToon,
+  toonDecoder: decodeEventFromToon,
+  // Route the connection through a SOCKS5h proxy (Node.js only).
+  transport: { type: 'socks5', socksProxy: 'socks5h://127.0.0.1:9050' },
+});
+```
+In the browser, use `transport: { type: 'gateway', gatewayUrl: 'https://…' }` to proxy through an ator gateway server-side instead. (Default is `{ type: 'direct' }`.)
+---
 ## Documentation
 - **[API Reference](docs/api-reference.md)** — Constructor, config interface, and all methods
@@ -189,16 +319,20 @@ See [tests/e2e/README.md](tests/e2e/README.md) for detailed E2E setup.
 See [examples/client-example/](../../examples/client-example/) for standalone client examples:
-- **01 - Publish Event**: Full client lifecycle with self-describing claims
-- **02 - Payment Channel Lifecycle**: Multiple events with incrementing balance proofs
+- **01 - Publish Event** (`01-publish-event.ts`): Full client lifecycle with self-describing claims
+- **02 - Payment Channel Lifecycle** (`02-payment-channel.ts`): Multiple events with incrementing balance proofs
+- **03 - Multi-Chain Publish** (`03-multi-chain-publish.ts`): Publishing with multiple settlement chains configured
+- **04 - Subscribe to Events** (`04-subscribe-events.ts`): Reading events back from the relay (free)
 ---
 ## Related Packages
-- **[@toon-protocol/core](../core/)** — Core protocol (peer discovery, bootstrap)
-- **[@toon-protocol/relay](../relay/)** — Nostr relay with ILP payment gating
+- **[@toon-protocol/core](../core/)** — Core protocol (peer discovery, bootstrap, `buildBlobStorageRequest`)
+- **[@toon-protocol/relay](../relay/)** — Nostr relay with ILP payment gating (`encodeEventToToon` / `decodeEventFromToon`)
+- **[@toon-protocol/sdk](../sdk/)** — Higher-level helpers including `streamSwap()` for multi-chain swaps via a **mill**
 - **[@toon-protocol/bls](../bls/)** — Business Logic Server (pricing, validation, storage)
+- **[@toon-protocol/townhouse](../townhouse/)** — The operator product that runs the apex + town/mill/dvm nodes you pay
 ---

package/dist/anon-proxy-W3KMM7GU.js ADDED Viewed

@@ -0,0 +1,23 @@
+import {
+  ANON_ASSETS,
+  ANON_VERSION,
+  defaultCacheDir,
+  ensureAnonBinary,
+  renderTorrc,
+  selectAnonAsset,
+  startManagedAnonProxy,
+  tcpProbe,
+  waitForAnonSocks
+} from "./chunk-WHAEQLIW.js";
+export {
+  ANON_ASSETS,
+  ANON_VERSION,
+  defaultCacheDir,
+  ensureAnonBinary,
+  renderTorrc,
+  selectAnonAsset,
+  startManagedAnonProxy,
+  tcpProbe,
+  waitForAnonSocks
+};
+//# sourceMappingURL=anon-proxy-W3KMM7GU.js.map

package/dist/chunk-WHAEQLIW.js ADDED Viewed

@@ -0,0 +1,276 @@
+// src/transport/anon-proxy.ts
+import { createRequire } from "module";
+var nodeRequire = createRequire(import.meta.url);
+var ANON_VERSION = "v0.4.10.0-beta";
+var RELEASE_BASE = `https://github.com/anyone-protocol/ator-protocol/releases/download/${ANON_VERSION}`;
+var ANON_ASSETS = {
+  "darwin-arm64": {
+    assetName: "anon-beta-macos-arm64.zip",
+    sha256: "3b8724afc56354aa93d2fe804d6b8a685d3bff65dac0ca3384cae1ef010977b2"
+  },
+  "darwin-x64": {
+    assetName: "anon-beta-macos-amd64.zip",
+    sha256: "aad277849b1e63baa75891b9e5109683534e488776ff190e884e34caa04a6d54"
+  },
+  "linux-x64": {
+    assetName: "anon-beta-linux-amd64.zip",
+    sha256: "370c86f366e7f4cad896e2ef4bbd366a4e78a832c8d58064012f86c88c411a6b"
+  },
+  "linux-arm64": {
+    assetName: "anon-beta-linux-arm64.zip",
+    sha256: "382d21db1052b6a0f1581bf38c9cf79b370719e313781c0eba53ef0d9570334a"
+  }
+};
+function selectAnonAsset(platform, arch) {
+  const key = `${platform}-${arch}`;
+  const asset = ANON_ASSETS[key];
+  if (!asset) {
+    throw new Error(
+      `No managed anon binary available for platform "${platform}" arch "${arch}". Supported: ${Object.keys(ANON_ASSETS).join(", ")}. Provide an explicit transport.socksProxy or set ANYONE_PROXY_URLS to use your own proxy.`
+    );
+  }
+  return asset;
+}
+function defaultCacheDir() {
+  const os = nodeRequire("node:os");
+  const path = nodeRequire("node:path");
+  const xdg = process.env["XDG_CACHE_HOME"];
+  if (xdg) {
+    return path.join(xdg, "toon-client", "anon", ANON_VERSION);
+  }
+  return path.join(os.homedir(), ".toon-client", "anon", ANON_VERSION);
+}
+function renderTorrc(cacheDir, socksPort) {
+  const path = nodeRequire("node:path");
+  return [
+    "AgreeToTerms 1",
+    `DataDirectory ${path.join(cacheDir, "data")}`,
+    `SOCKSPort 127.0.0.1:${socksPort}`,
+    "SOCKSPolicy accept *",
+    `GeoIPFile ${path.join(cacheDir, "geoip")}`,
+    `GeoIPv6File ${path.join(cacheDir, "geoip6")}`,
+    "Log notice stdout",
+    "RunAsDaemon 0",
+    ""
+  ].join("\n");
+}
+async function tcpProbe(host, port, timeoutMs) {
+  const net = nodeRequire("node:net");
+  return new Promise((resolve, reject) => {
+    const sock = net.createConnection({ host, port }, () => {
+      sock.destroy();
+      resolve();
+    });
+    sock.once("error", (err) => {
+      sock.destroy();
+      reject(err);
+    });
+    sock.setTimeout(timeoutMs, () => {
+      sock.destroy();
+      reject(new Error("timeout"));
+    });
+  });
+}
+async function sha256File(filePath) {
+  const fs = nodeRequire("node:fs");
+  const crypto = nodeRequire("node:crypto");
+  return new Promise((resolve, reject) => {
+    const hash = crypto.createHash("sha256");
+    const stream = fs.createReadStream(filePath);
+    stream.on("error", reject);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve(hash.digest("hex")));
+  });
+}
+async function downloadToFile(url, destPath) {
+  const fs = nodeRequire("node:fs");
+  const https = nodeRequire("node:https");
+  const fetchOnce = (u, redirectsLeft) => new Promise((resolve, reject) => {
+    const req = https.get(u, (res) => {
+      const status = res.statusCode ?? 0;
+      if (status >= 300 && status < 400 && res.headers.location) {
+        res.resume();
+        if (redirectsLeft <= 0) {
+          reject(new Error(`Too many redirects downloading ${url}`));
+          return;
+        }
+        resolve(fetchOnce(res.headers.location, redirectsLeft - 1));
+        return;
+      }
+      if (status !== 200) {
+        res.resume();
+        reject(new Error(`Download failed (HTTP ${status}) for ${u}`));
+        return;
+      }
+      const out = fs.createWriteStream(destPath);
+      res.pipe(out);
+      out.on("error", reject);
+      out.on("finish", () => out.close(() => resolve()));
+    });
+    req.on("error", reject);
+    req.setTimeout(12e4, () => {
+      req.destroy(new Error(`Download timeout for ${u}`));
+    });
+  });
+  await fetchOnce(url, 5);
+}
+async function extractZip(zipPath, destDir) {
+  const cp = nodeRequire("node:child_process");
+  await new Promise((resolve, reject) => {
+    const child = cp.spawn("unzip", ["-o", zipPath, "-d", destDir], {
+      stdio: ["ignore", "ignore", "pipe"]
+    });
+    let stderr = "";
+    child.stderr?.on("data", (d) => {
+      stderr += d.toString();
+    });
+    child.on(
+      "error",
+      (err) => reject(
+        new Error(`Failed to spawn unzip (is it installed?): ${err.message}`)
+      )
+    );
+    child.on("exit", (code) => {
+      if (code === 0) resolve();
+      else
+        reject(
+          new Error(`unzip exited ${code} extracting ${zipPath}: ${stderr}`)
+        );
+    });
+  });
+}
+async function ensureAnonBinary(opts) {
+  const fs = nodeRequire("node:fs");
+  const path = nodeRequire("node:path");
+  const download = opts.download ?? downloadToFile;
+  const extract = opts.extract ?? extractZip;
+  const asset = selectAnonAsset(opts.platform, opts.arch);
+  const anonPath = path.join(opts.cacheDir, "anon");
+  if (fs.existsSync(anonPath)) {
+    return anonPath;
+  }
+  if (asset.sha256 === null) {
+    throw new Error(
+      `Managed anon binary for "${opts.platform}-${opts.arch}" (${asset.assetName}) has no pinned checksum yet (see issue #204). Provide an explicit transport.socksProxy to use your own proxy.`
+    );
+  }
+  fs.mkdirSync(opts.cacheDir, { recursive: true });
+  const zipPath = path.join(opts.cacheDir, asset.assetName);
+  const url = `${RELEASE_BASE}/${asset.assetName}`;
+  await download(url, zipPath);
+  const actual = await sha256File(zipPath);
+  if (actual !== asset.sha256) {
+    try {
+      fs.rmSync(zipPath, { force: true });
+    } catch {
+    }
+    throw new Error(
+      `Checksum mismatch for ${asset.assetName}: expected ${asset.sha256}, got ${actual}. Refusing to run an unverified anon binary.`
+    );
+  }
+  await extract(zipPath, opts.cacheDir);
+  if (!fs.existsSync(anonPath)) {
+    throw new Error(
+      `Extraction of ${asset.assetName} did not produce an "anon" binary at ${anonPath}.`
+    );
+  }
+  try {
+    fs.chmodSync(anonPath, 493);
+  } catch {
+  }
+  return anonPath;
+}
+async function waitForAnonSocks(opts) {
+  const probe = opts.probe ?? tcpProbe;
+  const sleep = opts.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+  opts.log(`[anon] waiting for SOCKS5 bind on 127.0.0.1:${opts.port}\u2026`);
+  let lastErr = null;
+  while (Date.now() < opts.deadlineMs) {
+    if (opts.childExited()) {
+      throw new Error("[anon] process exited before SOCKS5 port bound");
+    }
+    try {
+      await probe("127.0.0.1", opts.port, 2e3);
+      opts.log(`[anon] SOCKS5 bound on 127.0.0.1:${opts.port}`);
+      return;
+    } catch (err) {
+      const msg = err.message;
+      if (msg !== lastErr) {
+        opts.log(`[anon] SOCKS5 not ready: ${msg}`);
+        lastErr = msg;
+      }
+    }
+    await sleep(2e3);
+  }
+  throw new Error(
+    `[anon] SOCKS5 never bound on 127.0.0.1:${opts.port} by deadline`
+  );
+}
+async function startManagedAnonProxy(options = {}) {
+  const fs = nodeRequire("node:fs");
+  const path = nodeRequire("node:path");
+  const os = nodeRequire("node:os");
+  const cp = nodeRequire("node:child_process");
+  const platform = options.platform ?? os.platform();
+  const arch = options.arch ?? os.arch();
+  const cacheDir = options.cacheDir ?? defaultCacheDir();
+  const socksPort = options.socksPort ?? 9050;
+  const bootstrapTimeoutMs = options.bootstrapTimeoutMs ?? 18e4;
+  const log = options.log ?? (() => {
+  });
+  const anonPath = await ensureAnonBinary({ cacheDir, platform, arch });
+  fs.mkdirSync(path.join(cacheDir, "data"), { recursive: true });
+  const torrcPath = path.join(cacheDir, "torrc");
+  fs.writeFileSync(torrcPath, renderTorrc(cacheDir, socksPort), {
+    mode: 420
+  });
+  log(`[anon] spawning: ${anonPath} -f ${torrcPath}`);
+  const child = cp.spawn(anonPath, ["-f", torrcPath], {
+    stdio: ["ignore", "inherit", "inherit"],
+    detached: false
+  });
+  let exited = false;
+  child.on("exit", (code, signal) => {
+    exited = true;
+    log(`[anon] child exited code=${code} signal=${signal}`);
+  });
+  child.on("error", (err) => {
+    log(`[anon] spawn error: ${err.message}`);
+  });
+  const stop = async () => {
+    if (!child.killed && !exited) {
+      try {
+        child.kill("SIGTERM");
+      } catch {
+      }
+    }
+  };
+  try {
+    await waitForAnonSocks({
+      port: socksPort,
+      deadlineMs: Date.now() + bootstrapTimeoutMs,
+      childExited: () => exited,
+      log
+    });
+  } catch (err) {
+    await stop();
+    throw err;
+  }
+  return {
+    socksProxy: `socks5h://127.0.0.1:${socksPort}`,
+    stop
+  };
+}
+export {
+  ANON_VERSION,
+  ANON_ASSETS,
+  selectAnonAsset,
+  defaultCacheDir,
+  renderTorrc,
+  tcpProbe,
+  ensureAnonBinary,
+  waitForAnonSocks,
+  startManagedAnonProxy
+};
+//# sourceMappingURL=chunk-WHAEQLIW.js.map

package/dist/chunk-WHAEQLIW.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/transport/anon-proxy.ts"],"sourcesContent":["/**\n * Self-managed `anon` (anyone-protocol / ATOR) SOCKS5h proxy (Node.js only).\n *\n * Lets a `@toon-protocol/client` consumer reach a `.anyone` hidden service with\n * ZERO manual proxy setup: the SDK downloads, verifies, extracts, and spawns its\n * own `anon` daemon, waits for it to bootstrap + bind a loopback SOCKS5 port, and\n * hands back a `socks5h://127.0.0.1:<port>` URL. The proven reference is the\n * server-side pod entrypoint `docker/src/entrypoint-toon-client.ts` (`writeTorrc`,\n * `spawnAnon`, `waitForAnonSocks`, `tcpProbe`); this module ports that daemon\n * logic into the client package and adds the binary download + checksum gate so it\n * works without an OS-level `anon` install.\n *\n * BROWSER SAFETY: this module is dynamically imported only from `resolveTransport`\n * when a managed proxy is actually needed (Node-only path). Every Node built-in is\n * pulled in lazily via the ESM-safe `require(...)` built off `import.meta.url`\n * (the same pattern as `socks5.ts`), so a browser bundler that statically analyses\n * the package never reaches `node:child_process`/`node:fs`/`node:https`/`node:net`.\n */\n\nimport { createRequire } from 'node:module';\nimport type childProcessModule from 'node:child_process';\nimport type fsModule from 'node:fs';\nimport type netModule from 'node:net';\nimport type osModule from 'node:os';\nimport type pathModule from 'node:path';\nimport type httpsModule from 'node:https';\nimport type * as cryptoModule from 'node:crypto';\n\n// ESM-safe require — see socks5.ts for the full rationale. The published bundle\n// is ESM with Node built-ins external; a bare `require` would be rewritten into a\n// throwing `__require` shim. Building a real require off import.meta.url keeps the\n// synchronous, browser-guarded `require(...)` calls below working. This file is\n// only ever dynamically imported on the Node path, so browser bundlers that tree-\n// shake the static graph never include it.\nconst nodeRequire = createRequire(import.meta.url);\n\n/**\n * Pinned `anon` release. \"beta\" is the channel slug embedded in the per-platform\n * zip asset names (e.g. `anon-beta-macos-arm64.zip`).\n */\nexport const ANON_VERSION = 'v0.4.10.0-beta';\n\nconst RELEASE_BASE = `https://github.com/anyone-protocol/ator-protocol/releases/download/${ANON_VERSION}`;\n\n/**\n * Per-platform `anon` zip asset descriptor. `sha256` is the pinned checksum of the\n * release zip. All supported platforms are pinned (issue #204); the type stays\n * `string | null` and the download gate still defensively refuses a `null` entry,\n * so adding a new (not-yet-hashed) platform fails closed rather than skipping\n * verification.\n */\nexport interface AnonAsset {\n /** Release asset file name, e.g. `anon-beta-macos-arm64.zip`. */\n assetName: string;\n /** Pinned sha256 of the zip, or null when not yet pinned (issue #204). */\n sha256: string | null;\n}\n\n/**\n * Platform → asset map keyed by `${os.platform()}-${os.arch()}` (Node values).\n * Only macOS + Linux on x64/arm64 are supported (the `anon` releases that ship a\n * SOCKS-capable binary). Windows is intentionally absent.\n *\n * Pinned checksums (issue #204): all four supported platforms are pinned to the\n * sha256 of the `v0.4.10.0-beta` release zips (downloaded + hashed; the\n * darwin-arm64 value matches the previously-verified manual flow).\n */\nexport const ANON_ASSETS: Record<string, AnonAsset> = {\n 'darwin-arm64': {\n assetName: 'anon-beta-macos-arm64.zip',\n sha256: '3b8724afc56354aa93d2fe804d6b8a685d3bff65dac0ca3384cae1ef010977b2',\n },\n 'darwin-x64': {\n assetName: 'anon-beta-macos-amd64.zip',\n sha256: 'aad277849b1e63baa75891b9e5109683534e488776ff190e884e34caa04a6d54',\n },\n 'linux-x64': {\n assetName: 'anon-beta-linux-amd64.zip',\n sha256: '370c86f366e7f4cad896e2ef4bbd366a4e78a832c8d58064012f86c88c411a6b',\n },\n 'linux-arm64': {\n assetName: 'anon-beta-linux-arm64.zip',\n sha256: '382d21db1052b6a0f1581bf38c9cf79b370719e313781c0eba53ef0d9570334a',\n },\n};\n\n/**\n * Resolves the `anon` release asset for a platform/arch pair (Node\n * `os.platform()` / `os.arch()` values).\n *\n * @throws If the platform/arch combination has no known `anon` asset.\n */\nexport function selectAnonAsset(platform: string, arch: string): AnonAsset {\n const key = `${platform}-${arch}`;\n const asset = ANON_ASSETS[key];\n if (!asset) {\n throw new Error(\n `No managed anon binary available for platform \"${platform}\" arch \"${arch}\". ` +\n `Supported: ${Object.keys(ANON_ASSETS).join(', ')}. ` +\n 'Provide an explicit transport.socksProxy or set ANYONE_PROXY_URLS to use your own proxy.'\n );\n }\n return asset;\n}\n\n/**\n * Default cache directory for the downloaded/extracted `anon` binary.\n * Honours `XDG_CACHE_HOME`; otherwise `~/.toon-client/anon`.\n */\nexport function defaultCacheDir(): string {\n const os = nodeRequire('node:os') as typeof osModule;\n const path = nodeRequire('node:path') as typeof pathModule;\n const xdg = process.env['XDG_CACHE_HOME'];\n if (xdg) {\n return path.join(xdg, 'toon-client', 'anon', ANON_VERSION);\n }\n return path.join(os.homedir(), '.toon-client', 'anon', ANON_VERSION);\n}\n\n/**\n * Renders a SOCKS-only torrc. Mirrors `writeTorrc` in the proven docker\n * entrypoint. `AgreeToTerms 1` is REQUIRED — omitting it makes `anon` exit\n * immediately.\n */\nexport function renderTorrc(cacheDir: string, socksPort: number): string {\n const path = nodeRequire('node:path') as typeof pathModule;\n return [\n 'AgreeToTerms 1',\n `DataDirectory ${path.join(cacheDir, 'data')}`,\n `SOCKSPort 127.0.0.1:${socksPort}`,\n 'SOCKSPolicy accept *',\n `GeoIPFile ${path.join(cacheDir, 'geoip')}`,\n `GeoIPv6File ${path.join(cacheDir, 'geoip6')}`,\n 'Log notice stdout',\n 'RunAsDaemon 0',\n '',\n ].join('\\n');\n}\n\n/**\n * Simple TCP connect probe — confirms the SOCKS5 port has bound and accepts\n * connections. Mirrors `tcpProbe` in the docker entrypoint / `probeSocks5Proxy`.\n */\nexport async function tcpProbe(\n host: string,\n port: number,\n timeoutMs: number\n): Promise<void> {\n const net = nodeRequire('node:net') as typeof netModule;\n return new Promise<void>((resolve, reject) => {\n const sock = net.createConnection({ host, port }, () => {\n sock.destroy();\n resolve();\n });\n sock.once('error', (err: Error) => {\n sock.destroy();\n reject(err);\n });\n sock.setTimeout(timeoutMs, () => {\n sock.destroy();\n reject(new Error('timeout'));\n });\n });\n}\n\n/**\n * Computes the sha256 (hex) of a file using node:crypto streaming.\n */\nasync function sha256File(filePath: string): Promise<string> {\n const fs = nodeRequire('node:fs') as typeof fsModule;\n const crypto = nodeRequire('node:crypto') as typeof cryptoModule;\n return new Promise<string>((resolve, reject) => {\n const hash = crypto.createHash('sha256');\n const stream = fs.createReadStream(filePath);\n stream.on('error', reject);\n stream.on('data', (chunk) => hash.update(chunk));\n stream.on('end', () => resolve(hash.digest('hex')));\n });\n}\n\n/**\n * Downloads a URL to a file, following GitHub release redirects. Node-only\n * (node:https + node:fs).\n */\nasync function downloadToFile(url: string, destPath: string): Promise<void> {\n const fs = nodeRequire('node:fs') as typeof fsModule;\n const https = nodeRequire('node:https') as typeof httpsModule;\n\n const fetchOnce = (u: string, redirectsLeft: number): Promise<void> =>\n new Promise<void>((resolve, reject) => {\n const req = https.get(u, (res) => {\n const status = res.statusCode ?? 0;\n // GitHub release assets redirect to a signed S3 URL.\n if (status >= 300 && status < 400 && res.headers.location) {\n res.resume();\n if (redirectsLeft <= 0) {\n reject(new Error(`Too many redirects downloading ${url}`));\n return;\n }\n resolve(fetchOnce(res.headers.location, redirectsLeft - 1));\n return;\n }\n if (status !== 200) {\n res.resume();\n reject(new Error(`Download failed (HTTP ${status}) for ${u}`));\n return;\n }\n const out = fs.createWriteStream(destPath);\n res.pipe(out);\n out.on('error', reject);\n out.on('finish', () => out.close(() => resolve()));\n });\n req.on('error', reject);\n req.setTimeout(120_000, () => {\n req.destroy(new Error(`Download timeout for ${u}`));\n });\n });\n\n await fetchOnce(url, 5);\n}\n\n/**\n * Extracts a zip into a directory by shelling out to the system `unzip` binary\n * (present on macOS + Linux). Kept here (not a JS unzip dep) to avoid adding a\n * runtime dependency to the browser-facing client package.\n */\nasync function extractZip(zipPath: string, destDir: string): Promise<void> {\n const cp = nodeRequire('node:child_process') as typeof childProcessModule;\n await new Promise<void>((resolve, reject) => {\n const child = cp.spawn('unzip', ['-o', zipPath, '-d', destDir], {\n stdio: ['ignore', 'ignore', 'pipe'],\n });\n let stderr = '';\n child.stderr?.on('data', (d: Buffer) => {\n stderr += d.toString();\n });\n child.on('error', (err: Error) =>\n reject(\n new Error(`Failed to spawn unzip (is it installed?): ${err.message}`)\n )\n );\n child.on('exit', (code) => {\n if (code === 0) resolve();\n else\n reject(\n new Error(`unzip exited ${code} extracting ${zipPath}: ${stderr}`)\n );\n });\n });\n}\n\n/**\n * Ensures a verified `anon` binary exists in the cache directory, downloading +\n * checksum-verifying + extracting it if not. Returns the absolute path to the\n * extracted `anon` executable.\n *\n * Skips re-download when a previously extracted `anon` binary is already present\n * (the checksum gate runs on the freshly downloaded zip; an already-extracted\n * binary in a version-pinned cache dir is trusted).\n */\nexport async function ensureAnonBinary(opts: {\n cacheDir: string;\n platform: string;\n arch: string;\n /** Injectable downloader (tests). Default: node:https GET with redirects. */\n download?: (url: string, destPath: string) => Promise<void>;\n /** Injectable extractor (tests). Default: shell out to `unzip`. */\n extract?: (zipPath: string, destDir: string) => Promise<void>;\n}): Promise<string> {\n const fs = nodeRequire('node:fs') as typeof fsModule;\n const path = nodeRequire('node:path') as typeof pathModule;\n\n const download = opts.download ?? downloadToFile;\n const extract = opts.extract ?? extractZip;\n\n const asset = selectAnonAsset(opts.platform, opts.arch);\n const anonPath = path.join(opts.cacheDir, 'anon');\n\n // Fast path: already extracted (version-pinned cache dir).\n if (fs.existsSync(anonPath)) {\n return anonPath;\n }\n\n if (asset.sha256 === null) {\n throw new Error(\n `Managed anon binary for \"${opts.platform}-${opts.arch}\" ` +\n `(${asset.assetName}) has no pinned checksum yet (see issue #204). ` +\n 'Provide an explicit transport.socksProxy to use your own proxy.'\n );\n }\n\n fs.mkdirSync(opts.cacheDir, { recursive: true });\n const zipPath = path.join(opts.cacheDir, asset.assetName);\n const url = `${RELEASE_BASE}/${asset.assetName}`;\n\n await download(url, zipPath);\n\n const actual = await sha256File(zipPath);\n if (actual !== asset.sha256) {\n // Remove the bad artifact so a retry re-downloads cleanly.\n try {\n fs.rmSync(zipPath, { force: true });\n } catch {\n /* best-effort cleanup */\n }\n throw new Error(\n `Checksum mismatch for ${asset.assetName}: expected ${asset.sha256}, got ${actual}. ` +\n 'Refusing to run an unverified anon binary.'\n );\n }\n\n await extract(zipPath, opts.cacheDir);\n\n if (!fs.existsSync(anonPath)) {\n throw new Error(\n `Extraction of ${asset.assetName} did not produce an \"anon\" binary at ${anonPath}.`\n );\n }\n // Ensure executable (zip may not preserve the bit on all platforms).\n try {\n fs.chmodSync(anonPath, 0o755);\n } catch {\n /* best-effort */\n }\n return anonPath;\n}\n\n/**\n * Polls for the SOCKS5 port to bind. `anon` typically takes 30-90s to bootstrap\n * (build a circuit + consensus) before SOCKS5 accepts connections. Mirrors\n * `waitForAnonSocks` in the docker entrypoint, but also fails fast if the child\n * exits before binding.\n */\nexport async function waitForAnonSocks(opts: {\n port: number;\n deadlineMs: number;\n childExited: () => boolean;\n log: (msg: string) => void;\n probe?: (host: string, port: number, timeoutMs: number) => Promise<void>;\n sleep?: (ms: number) => Promise<void>;\n}): Promise<void> {\n const probe = opts.probe ?? tcpProbe;\n const sleep =\n opts.sleep ?? ((ms: number) => new Promise((r) => setTimeout(r, ms)));\n opts.log(`[anon] waiting for SOCKS5 bind on 127.0.0.1:${opts.port}…`);\n let lastErr: string | null = null;\n while (Date.now() < opts.deadlineMs) {\n if (opts.childExited()) {\n throw new Error('[anon] process exited before SOCKS5 port bound');\n }\n try {\n await probe('127.0.0.1', opts.port, 2_000);\n opts.log(`[anon] SOCKS5 bound on 127.0.0.1:${opts.port}`);\n return;\n } catch (err) {\n const msg = (err as Error).message;\n if (msg !== lastErr) {\n opts.log(`[anon] SOCKS5 not ready: ${msg}`);\n lastErr = msg;\n }\n }\n await sleep(2_000);\n }\n throw new Error(\n `[anon] SOCKS5 never bound on 127.0.0.1:${opts.port} by deadline`\n );\n}\n\n/**\n * Handle returned by `startManagedAnonProxy`. `socksProxy` is the loopback\n * `socks5h://` URL to wire into `transport: { type: 'socks5', socksProxy }`.\n * `stop()` SIGTERMs the daemon and is idempotent.\n */\nexport interface ManagedAnonProxy {\n socksProxy: string;\n stop(): Promise<void>;\n}\n\n/**\n * Options for `startManagedAnonProxy`. All have sensible defaults; tests inject\n * the deps to avoid real downloads/spawns.\n */\nexport interface StartManagedAnonProxyOptions {\n /** Cache dir for the binary + torrc + data. Default: {@link defaultCacheDir}. */\n cacheDir?: string;\n /** Loopback SOCKS5 port. Default 9050. */\n socksPort?: number;\n /** Bootstrap deadline in ms. Default 180_000. */\n bootstrapTimeoutMs?: number;\n /** Logger. Default: no-op. */\n log?: (msg: string) => void;\n /** os.platform() override (tests). */\n platform?: string;\n /** os.arch() override (tests). */\n arch?: string;\n}\n\n/**\n * Downloads (if needed) + spawns a managed `anon` daemon and waits for its SOCKS5\n * port to bind. Returns a {@link ManagedAnonProxy} whose `socksProxy` is ready for\n * `transport: { type: 'socks5', socksProxy }`.\n *\n * @throws If the platform is unsupported, the checksum fails, or anon never binds.\n */\nexport async function startManagedAnonProxy(\n options: StartManagedAnonProxyOptions = {}\n): Promise<ManagedAnonProxy> {\n const fs = nodeRequire('node:fs') as typeof fsModule;\n const path = nodeRequire('node:path') as typeof pathModule;\n const os = nodeRequire('node:os') as typeof osModule;\n const cp = nodeRequire('node:child_process') as typeof childProcessModule;\n\n const platform = options.platform ?? os.platform();\n const arch = options.arch ?? os.arch();\n const cacheDir = options.cacheDir ?? defaultCacheDir();\n const socksPort = options.socksPort ?? 9050;\n const bootstrapTimeoutMs = options.bootstrapTimeoutMs ?? 180_000;\n const log =\n options.log ??\n ((): void => {\n /* default: silent */\n });\n\n const anonPath = await ensureAnonBinary({ cacheDir, platform, arch });\n\n // Write the SOCKS-only torrc.\n fs.mkdirSync(path.join(cacheDir, 'data'), { recursive: true });\n const torrcPath = path.join(cacheDir, 'torrc');\n fs.writeFileSync(torrcPath, renderTorrc(cacheDir, socksPort), {\n mode: 0o644,\n });\n\n log(`[anon] spawning: ${anonPath} -f ${torrcPath}`);\n const child = cp.spawn(anonPath, ['-f', torrcPath], {\n stdio: ['ignore', 'inherit', 'inherit'],\n detached: false,\n });\n let exited = false;\n child.on('exit', (code, signal) => {\n exited = true;\n log(`[anon] child exited code=${code} signal=${signal}`);\n });\n child.on('error', (err: Error) => {\n log(`[anon] spawn error: ${err.message}`);\n });\n\n const stop = async (): Promise<void> => {\n if (!child.killed && !exited) {\n try {\n child.kill('SIGTERM');\n } catch {\n /* best-effort */\n }\n }\n };\n\n try {\n await waitForAnonSocks({\n port: socksPort,\n deadlineMs: Date.now() + bootstrapTimeoutMs,\n childExited: () => exited,\n log,\n });\n } catch (err) {\n await stop();\n throw err;\n }\n\n return {\n socksProxy: `socks5h://127.0.0.1:${socksPort}`,\n stop,\n };\n}\n"],"mappings":";AAmBA,SAAS,qBAAqB;AAe9B,IAAM,cAAc,cAAc,YAAY,GAAG;AAM1C,IAAM,eAAe;AAE5B,IAAM,eAAe,sEAAsE,YAAY;AAyBhG,IAAM,cAAyC;AAAA,EACpD,gBAAgB;AAAA,IACd,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AAAA,EACA,cAAc;AAAA,IACZ,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AAAA,EACA,aAAa;AAAA,IACX,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AAAA,EACA,eAAe;AAAA,IACb,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AACF;AAQO,SAAS,gBAAgB,UAAkB,MAAyB;AACzE,QAAM,MAAM,GAAG,QAAQ,IAAI,IAAI;AAC/B,QAAM,QAAQ,YAAY,GAAG;AAC7B,MAAI,CAAC,OAAO;AACV,UAAM,IAAI;AAAA,MACR,kDAAkD,QAAQ,WAAW,IAAI,iBACzD,OAAO,KAAK,WAAW,EAAE,KAAK,IAAI,CAAC;AAAA,IAErD;AAAA,EACF;AACA,SAAO;AACT;AAMO,SAAS,kBAA0B;AACxC,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,OAAO,YAAY,WAAW;AACpC,QAAM,MAAM,QAAQ,IAAI,gBAAgB;AACxC,MAAI,KAAK;AACP,WAAO,KAAK,KAAK,KAAK,eAAe,QAAQ,YAAY;AAAA,EAC3D;AACA,SAAO,KAAK,KAAK,GAAG,QAAQ,GAAG,gBAAgB,QAAQ,YAAY;AACrE;AAOO,SAAS,YAAY,UAAkB,WAA2B;AACvE,QAAM,OAAO,YAAY,WAAW;AACpC,SAAO;AAAA,IACL;AAAA,IACA,iBAAiB,KAAK,KAAK,UAAU,MAAM,CAAC;AAAA,IAC5C,uBAAuB,SAAS;AAAA,IAChC;AAAA,IACA,aAAa,KAAK,KAAK,UAAU,OAAO,CAAC;AAAA,IACzC,eAAe,KAAK,KAAK,UAAU,QAAQ,CAAC;AAAA,IAC5C;AAAA,IACA;AAAA,IACA;AAAA,EACF,EAAE,KAAK,IAAI;AACb;AAMA,eAAsB,SACpB,MACA,MACA,WACe;AACf,QAAM,MAAM,YAAY,UAAU;AAClC,SAAO,IAAI,QAAc,CAAC,SAAS,WAAW;AAC5C,UAAM,OAAO,IAAI,iBAAiB,EAAE,MAAM,KAAK,GAAG,MAAM;AACtD,WAAK,QAAQ;AACb,cAAQ;AAAA,IACV,CAAC;AACD,SAAK,KAAK,SAAS,CAAC,QAAe;AACjC,WAAK,QAAQ;AACb,aAAO,GAAG;AAAA,IACZ,CAAC;AACD,SAAK,WAAW,WAAW,MAAM;AAC/B,WAAK,QAAQ;AACb,aAAO,IAAI,MAAM,SAAS,CAAC;AAAA,IAC7B,CAAC;AAAA,EACH,CAAC;AACH;AAKA,eAAe,WAAW,UAAmC;AAC3D,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,YAAY,aAAa;AACxC,SAAO,IAAI,QAAgB,CAAC,SAAS,WAAW;AAC9C,UAAM,OAAO,OAAO,WAAW,QAAQ;AACvC,UAAM,SAAS,GAAG,iBAAiB,QAAQ;AAC3C,WAAO,GAAG,SAAS,MAAM;AACzB,WAAO,GAAG,QAAQ,CAAC,UAAU,KAAK,OAAO,KAAK,CAAC;AAC/C,WAAO,GAAG,OAAO,MAAM,QAAQ,KAAK,OAAO,KAAK,CAAC,CAAC;AAAA,EACpD,CAAC;AACH;AAMA,eAAe,eAAe,KAAa,UAAiC;AAC1E,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,QAAQ,YAAY,YAAY;AAEtC,QAAM,YAAY,CAAC,GAAW,kBAC5B,IAAI,QAAc,CAAC,SAAS,WAAW;AACrC,UAAM,MAAM,MAAM,IAAI,GAAG,CAAC,QAAQ;AAChC,YAAM,SAAS,IAAI,cAAc;AAEjC,UAAI,UAAU,OAAO,SAAS,OAAO,IAAI,QAAQ,UAAU;AACzD,YAAI,OAAO;AACX,YAAI,iBAAiB,GAAG;AACtB,iBAAO,IAAI,MAAM,kCAAkC,GAAG,EAAE,CAAC;AACzD;AAAA,QACF;AACA,gBAAQ,UAAU,IAAI,QAAQ,UAAU,gBAAgB,CAAC,CAAC;AAC1D;AAAA,MACF;AACA,UAAI,WAAW,KAAK;AAClB,YAAI,OAAO;AACX,eAAO,IAAI,MAAM,yBAAyB,MAAM,SAAS,CAAC,EAAE,CAAC;AAC7D;AAAA,MACF;AACA,YAAM,MAAM,GAAG,kBAAkB,QAAQ;AACzC,UAAI,KAAK,GAAG;AACZ,UAAI,GAAG,SAAS,MAAM;AACtB,UAAI,GAAG,UAAU,MAAM,IAAI,MAAM,MAAM,QAAQ,CAAC,CAAC;AAAA,IACnD,CAAC;AACD,QAAI,GAAG,SAAS,MAAM;AACtB,QAAI,WAAW,MAAS,MAAM;AAC5B,UAAI,QAAQ,IAAI,MAAM,wBAAwB,CAAC,EAAE,CAAC;AAAA,IACpD,CAAC;AAAA,EACH,CAAC;AAEH,QAAM,UAAU,KAAK,CAAC;AACxB;AAOA,eAAe,WAAW,SAAiB,SAAgC;AACzE,QAAM,KAAK,YAAY,oBAAoB;AAC3C,QAAM,IAAI,QAAc,CAAC,SAAS,WAAW;AAC3C,UAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,MAAM,SAAS,MAAM,OAAO,GAAG;AAAA,MAC9D,OAAO,CAAC,UAAU,UAAU,MAAM;AAAA,IACpC,CAAC;AACD,QAAI,SAAS;AACb,UAAM,QAAQ,GAAG,QAAQ,CAAC,MAAc;AACtC,gBAAU,EAAE,SAAS;AAAA,IACvB,CAAC;AACD,UAAM;AAAA,MAAG;AAAA,MAAS,CAAC,QACjB;AAAA,QACE,IAAI,MAAM,6CAA6C,IAAI,OAAO,EAAE;AAAA,MACtE;AAAA,IACF;AACA,UAAM,GAAG,QAAQ,CAAC,SAAS;AACzB,UAAI,SAAS,EAAG,SAAQ;AAAA;AAEtB;AAAA,UACE,IAAI,MAAM,gBAAgB,IAAI,eAAe,OAAO,KAAK,MAAM,EAAE;AAAA,QACnE;AAAA,IACJ,CAAC;AAAA,EACH,CAAC;AACH;AAWA,eAAsB,iBAAiB,MAQnB;AAClB,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,OAAO,YAAY,WAAW;AAEpC,QAAM,WAAW,KAAK,YAAY;AAClC,QAAM,UAAU,KAAK,WAAW;AAEhC,QAAM,QAAQ,gBAAgB,KAAK,UAAU,KAAK,IAAI;AACtD,QAAM,WAAW,KAAK,KAAK,KAAK,UAAU,MAAM;AAGhD,MAAI,GAAG,WAAW,QAAQ,GAAG;AAC3B,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,WAAW,MAAM;AACzB,UAAM,IAAI;AAAA,MACR,4BAA4B,KAAK,QAAQ,IAAI,KAAK,IAAI,MAChD,MAAM,SAAS;AAAA,IAEvB;AAAA,EACF;AAEA,KAAG,UAAU,KAAK,UAAU,EAAE,WAAW,KAAK,CAAC;AAC/C,QAAM,UAAU,KAAK,KAAK,KAAK,UAAU,MAAM,SAAS;AACxD,QAAM,MAAM,GAAG,YAAY,IAAI,MAAM,SAAS;AAE9C,QAAM,SAAS,KAAK,OAAO;AAE3B,QAAM,SAAS,MAAM,WAAW,OAAO;AACvC,MAAI,WAAW,MAAM,QAAQ;AAE3B,QAAI;AACF,SAAG,OAAO,SAAS,EAAE,OAAO,KAAK,CAAC;AAAA,IACpC,QAAQ;AAAA,IAER;AACA,UAAM,IAAI;AAAA,MACR,yBAAyB,MAAM,SAAS,cAAc,MAAM,MAAM,SAAS,MAAM;AAAA,IAEnF;AAAA,EACF;AAEA,QAAM,QAAQ,SAAS,KAAK,QAAQ;AAEpC,MAAI,CAAC,GAAG,WAAW,QAAQ,GAAG;AAC5B,UAAM,IAAI;AAAA,MACR,iBAAiB,MAAM,SAAS,wCAAwC,QAAQ;AAAA,IAClF;AAAA,EACF;AAEA,MAAI;AACF,OAAG,UAAU,UAAU,GAAK;AAAA,EAC9B,QAAQ;AAAA,EAER;AACA,SAAO;AACT;AAQA,eAAsB,iBAAiB,MAOrB;AAChB,QAAM,QAAQ,KAAK,SAAS;AAC5B,QAAM,QACJ,KAAK,UAAU,CAAC,OAAe,IAAI,QAAQ,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC;AACrE,OAAK,IAAI,+CAA+C,KAAK,IAAI,QAAG;AACpE,MAAI,UAAyB;AAC7B,SAAO,KAAK,IAAI,IAAI,KAAK,YAAY;AACnC,QAAI,KAAK,YAAY,GAAG;AACtB,YAAM,IAAI,MAAM,gDAAgD;AAAA,IAClE;AACA,QAAI;AACF,YAAM,MAAM,aAAa,KAAK,MAAM,GAAK;AACzC,WAAK,IAAI,oCAAoC,KAAK,IAAI,EAAE;AACxD;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,MAAO,IAAc;AAC3B,UAAI,QAAQ,SAAS;AACnB,aAAK,IAAI,4BAA4B,GAAG,EAAE;AAC1C,kBAAU;AAAA,MACZ;AAAA,IACF;AACA,UAAM,MAAM,GAAK;AAAA,EACnB;AACA,QAAM,IAAI;AAAA,IACR,0CAA0C,KAAK,IAAI;AAAA,EACrD;AACF;AAsCA,eAAsB,sBACpB,UAAwC,CAAC,GACd;AAC3B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,OAAO,YAAY,WAAW;AACpC,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,KAAK,YAAY,oBAAoB;AAE3C,QAAM,WAAW,QAAQ,YAAY,GAAG,SAAS;AACjD,QAAM,OAAO,QAAQ,QAAQ,GAAG,KAAK;AACrC,QAAM,WAAW,QAAQ,YAAY,gBAAgB;AACrD,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,qBAAqB,QAAQ,sBAAsB;AACzD,QAAM,MACJ,QAAQ,QACP,MAAY;AAAA,EAEb;AAEF,QAAM,WAAW,MAAM,iBAAiB,EAAE,UAAU,UAAU,KAAK,CAAC;AAGpE,KAAG,UAAU,KAAK,KAAK,UAAU,MAAM,GAAG,EAAE,WAAW,KAAK,CAAC;AAC7D,QAAM,YAAY,KAAK,KAAK,UAAU,OAAO;AAC7C,KAAG,cAAc,WAAW,YAAY,UAAU,SAAS,GAAG;AAAA,IAC5D,MAAM;AAAA,EACR,CAAC;AAED,MAAI,oBAAoB,QAAQ,OAAO,SAAS,EAAE;AAClD,QAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,MAAM,SAAS,GAAG;AAAA,IAClD,OAAO,CAAC,UAAU,WAAW,SAAS;AAAA,IACtC,UAAU;AAAA,EACZ,CAAC;AACD,MAAI,SAAS;AACb,QAAM,GAAG,QAAQ,CAAC,MAAM,WAAW;AACjC,aAAS;AACT,QAAI,4BAA4B,IAAI,WAAW,MAAM,EAAE;AAAA,EACzD,CAAC;AACD,QAAM,GAAG,SAAS,CAAC,QAAe;AAChC,QAAI,uBAAuB,IAAI,OAAO,EAAE;AAAA,EAC1C,CAAC;AAED,QAAM,OAAO,YAA2B;AACtC,QAAI,CAAC,MAAM,UAAU,CAAC,QAAQ;AAC5B,UAAI;AACF,cAAM,KAAK,SAAS;AAAA,MACtB,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAEA,MAAI;AACF,UAAM,iBAAiB;AAAA,MACrB,MAAM;AAAA,MACN,YAAY,KAAK,IAAI,IAAI;AAAA,MACzB,aAAa,MAAM;AAAA,MACnB;AAAA,IACF,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,UAAM,KAAK;AACX,UAAM;AAAA,EACR;AAEA,SAAO;AAAA,IACL,YAAY,uBAAuB,SAAS;AAAA,IAC5C;AAAA,EACF;AACF;","names":[]}

package/dist/gateway-QOK47RKS.js ADDED Viewed

@@ -0,0 +1,13 @@
+// src/transport/gateway.ts
+function rewriteUrlsForGateway(gatewayUrl, btpUrl, connectorUrl) {
+  const base = gatewayUrl.replace(/\/$/, "");
+  const wsBase = base.replace(/^https:/, "wss:").replace(/^http:/, "ws:");
+  return {
+    btpUrl: btpUrl ? `${wsBase}/btp` : void 0,
+    connectorUrl: connectorUrl ? `${base}/api` : void 0
+  };
+}
+export {
+  rewriteUrlsForGateway
+};
+//# sourceMappingURL=gateway-QOK47RKS.js.map

package/dist/gateway-QOK47RKS.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/transport/gateway.ts"],"sourcesContent":["/**\n * Gateway transport for browser environments.\n *\n * Rewrites BTP and HTTP URLs to route through an ator gateway that handles\n * SOCKS5 proxying server-side. Browser clients connect to the gateway via\n * standard WebSocket/HTTP — no special transport code needed.\n */\n\n/**\n * Rewrites btpUrl and connectorUrl to route through a gateway.\n *\n * Gateway endpoint conventions:\n * - WebSocket: `ws(s)://<gateway>/btp` — proxies BTP connections\n * - HTTP: `http(s)://<gateway>/api` — proxies connector admin API\n *\n * @param gatewayUrl - Base URL of the ator gateway (http:// or https://)\n * @param btpUrl - Original BTP WebSocket URL (optional)\n * @param connectorUrl - Original connector HTTP URL (optional)\n */\nexport function rewriteUrlsForGateway(\n gatewayUrl: string,\n btpUrl?: string,\n connectorUrl?: string\n): { btpUrl?: string; connectorUrl?: string } {\n const base = gatewayUrl.replace(/\\/$/, '');\n\n // Derive WebSocket scheme from HTTP scheme\n const wsBase = base.replace(/^https:/, 'wss:').replace(/^http:/, 'ws:');\n\n return {\n btpUrl: btpUrl ? `${wsBase}/btp` : undefined,\n connectorUrl: connectorUrl ? `${base}/api` : undefined,\n };\n}\n"],"mappings":";AAmBO,SAAS,sBACd,YACA,QACA,cAC4C;AAC5C,QAAM,OAAO,WAAW,QAAQ,OAAO,EAAE;AAGzC,QAAM,SAAS,KAAK,QAAQ,WAAW,MAAM,EAAE,QAAQ,UAAU,KAAK;AAEtE,SAAO;AAAA,IACL,QAAQ,SAAS,GAAG,MAAM,SAAS;AAAA,IACnC,cAAc,eAAe,GAAG,IAAI,SAAS;AAAA,EAC/C;AACF;","names":[]}