npm - @ulpi/browse - Versions diffs - 2.3.3 → 2.4.0 - Mend

@ulpi/browse 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (279) hide show

package/README.md +8 -2
package/dist/browse.cjs +3445 -1636
package/dist/lib.mjs +29504 -0
package/dist/types/a11y.d.ts +32 -0
package/dist/types/a11y.d.ts.map +1 -0
package/dist/types/app/android/bridge.d.ts +41 -0
package/dist/types/app/android/bridge.d.ts.map +1 -0
package/dist/types/app/android/emulator.d.ts +32 -0
package/dist/types/app/android/emulator.d.ts.map +1 -0
package/dist/types/app/android/manager.d.ts +62 -0
package/dist/types/app/android/manager.d.ts.map +1 -0
package/dist/types/app/android/protocol.d.ts +162 -0
package/dist/types/app/android/protocol.d.ts.map +1 -0
package/dist/types/app/android/sim-service.d.ts +33 -0
package/dist/types/app/android/sim-service.d.ts.map +1 -0
package/dist/types/app/index.d.ts +15 -0
package/dist/types/app/index.d.ts.map +1 -0
package/dist/types/app/ios/bridge.d.ts +53 -0
package/dist/types/app/ios/bridge.d.ts.map +1 -0
package/dist/types/app/ios/controller.d.ts +131 -0
package/dist/types/app/ios/controller.d.ts.map +1 -0
package/dist/types/app/ios/manager.d.ts +96 -0
package/dist/types/app/ios/manager.d.ts.map +1 -0
package/dist/types/app/ios/protocol.d.ts +122 -0
package/dist/types/app/ios/protocol.d.ts.map +1 -0
package/dist/types/app/ios/sim-service.d.ts +37 -0
package/dist/types/app/ios/sim-service.d.ts.map +1 -0
package/dist/types/app/macos/bridge.d.ts +22 -0
package/dist/types/app/macos/bridge.d.ts.map +1 -0
package/dist/types/app/manager.d.ts +50 -0
package/dist/types/app/manager.d.ts.map +1 -0
package/dist/types/app/normalize.d.ts +27 -0
package/dist/types/app/normalize.d.ts.map +1 -0
package/dist/types/app/resolve-app.d.ts +31 -0
package/dist/types/app/resolve-app.d.ts.map +1 -0
package/dist/types/app/types.d.ts +77 -0
package/dist/types/app/types.d.ts.map +1 -0
package/dist/types/automation/action-context.d.ts +110 -0
package/dist/types/automation/action-context.d.ts.map +1 -0
package/dist/types/automation/command.d.ts +138 -0
package/dist/types/automation/command.d.ts.map +1 -0
package/dist/types/automation/events.d.ts +72 -0
package/dist/types/automation/events.d.ts.map +1 -0
package/dist/types/automation/executor.d.ts +39 -0
package/dist/types/automation/executor.d.ts.map +1 -0
package/dist/types/automation/index.d.ts +11 -0
package/dist/types/automation/index.d.ts.map +1 -0
package/dist/types/automation/registry.d.ts +38 -0
package/dist/types/automation/registry.d.ts.map +1 -0
package/dist/types/automation/rules.d.ts +52 -0
package/dist/types/automation/rules.d.ts.map +1 -0
package/dist/types/automation/target.d.ts +76 -0
package/dist/types/automation/target.d.ts.map +1 -0
package/dist/types/browser/consent.d.ts +13 -0
package/dist/types/browser/consent.d.ts.map +1 -0
package/dist/types/browser/cookie-import.d.ts +94 -0
package/dist/types/browser/cookie-import.d.ts.map +1 -0
package/dist/types/browser/detection.d.ts +22 -0
package/dist/types/browser/detection.d.ts.map +1 -0
package/dist/types/browser/emulation.d.ts +30 -0
package/dist/types/browser/emulation.d.ts.map +1 -0
package/dist/types/browser/events.d.ts +19 -0
package/dist/types/browser/events.d.ts.map +1 -0
package/dist/types/browser/index.d.ts +17 -0
package/dist/types/browser/index.d.ts.map +1 -0
package/dist/types/browser/macros.d.ts +9 -0
package/dist/types/browser/macros.d.ts.map +1 -0
package/dist/types/browser/manager.d.ts +272 -0
package/dist/types/browser/manager.d.ts.map +1 -0
package/dist/types/browser/png-compare.d.ts +36 -0
package/dist/types/browser/png-compare.d.ts.map +1 -0
package/dist/types/browser/profiles.d.ts +29 -0
package/dist/types/browser/profiles.d.ts.map +1 -0
package/dist/types/browser/react-devtools.d.ts +75 -0
package/dist/types/browser/react-devtools.d.ts.map +1 -0
package/dist/types/browser/readiness.d.ts +19 -0
package/dist/types/browser/readiness.d.ts.map +1 -0
package/dist/types/browser/refs.d.ts +70 -0
package/dist/types/browser/refs.d.ts.map +1 -0
package/dist/types/browser/serp.d.ts +16 -0
package/dist/types/browser/serp.d.ts.map +1 -0
package/dist/types/browser/snapshot-window.d.ts +31 -0
package/dist/types/browser/snapshot-window.d.ts.map +1 -0
package/dist/types/browser/snapshot.d.ts +41 -0
package/dist/types/browser/snapshot.d.ts.map +1 -0
package/dist/types/browser/tabs.d.ts +67 -0
package/dist/types/browser/tabs.d.ts.map +1 -0
package/dist/types/browser/target.d.ts +106 -0
package/dist/types/browser/target.d.ts.map +1 -0
package/dist/types/browser/youtube.d.ts +26 -0
package/dist/types/browser/youtube.d.ts.map +1 -0
package/dist/types/cli.d.ts +14 -0
package/dist/types/cli.d.ts.map +1 -0
package/dist/types/cloud/auth.d.ts +80 -0
package/dist/types/cloud/auth.d.ts.map +1 -0
package/dist/types/cloud/docker.d.ts +76 -0
package/dist/types/cloud/docker.d.ts.map +1 -0
package/dist/types/cloud/firecracker.d.ts +142 -0
package/dist/types/cloud/firecracker.d.ts.map +1 -0
package/dist/types/cloud/golden-snapshot.d.ts +122 -0
package/dist/types/cloud/golden-snapshot.d.ts.map +1 -0
package/dist/types/cloud/index.d.ts +26 -0
package/dist/types/cloud/index.d.ts.map +1 -0
package/dist/types/cloud/orchestrator-interface.d.ts +63 -0
package/dist/types/cloud/orchestrator-interface.d.ts.map +1 -0
package/dist/types/cloud/orchestrator.d.ts +58 -0
package/dist/types/cloud/orchestrator.d.ts.map +1 -0
package/dist/types/cloud/proxy.d.ts +34 -0
package/dist/types/cloud/proxy.d.ts.map +1 -0
package/dist/types/cloud/reaper.d.ts +49 -0
package/dist/types/cloud/reaper.d.ts.map +1 -0
package/dist/types/cloud/server.d.ts +19 -0
package/dist/types/cloud/server.d.ts.map +1 -0
package/dist/types/cloud/sessions.d.ts +85 -0
package/dist/types/cloud/sessions.d.ts.map +1 -0
package/dist/types/cloud/vm-orchestrator.d.ts +133 -0
package/dist/types/cloud/vm-orchestrator.d.ts.map +1 -0
package/dist/types/cloud/vm-warm-pool.d.ts +104 -0
package/dist/types/cloud/vm-warm-pool.d.ts.map +1 -0
package/dist/types/cloud/warm-pool.d.ts +85 -0
package/dist/types/cloud/warm-pool.d.ts.map +1 -0
package/dist/types/cloud/ws.d.ts +61 -0
package/dist/types/cloud/ws.d.ts.map +1 -0
package/dist/types/commands/meta/auth.d.ts +6 -0
package/dist/types/commands/meta/auth.d.ts.map +1 -0
package/dist/types/commands/meta/flows.d.ts +15 -0
package/dist/types/commands/meta/flows.d.ts.map +1 -0
package/dist/types/commands/meta/index.d.ts +14 -0
package/dist/types/commands/meta/index.d.ts.map +1 -0
package/dist/types/commands/meta/inspection.d.ts +7 -0
package/dist/types/commands/meta/inspection.d.ts.map +1 -0
package/dist/types/commands/meta/profile.d.ts +11 -0
package/dist/types/commands/meta/profile.d.ts.map +1 -0
package/dist/types/commands/meta/recording.d.ts +7 -0
package/dist/types/commands/meta/recording.d.ts.map +1 -0
package/dist/types/commands/meta/screenshots.d.ts +7 -0
package/dist/types/commands/meta/screenshots.d.ts.map +1 -0
package/dist/types/commands/meta/sessions.d.ts +7 -0
package/dist/types/commands/meta/sessions.d.ts.map +1 -0
package/dist/types/commands/meta/sim.d.ts +10 -0
package/dist/types/commands/meta/sim.d.ts.map +1 -0
package/dist/types/commands/meta/system.d.ts +8 -0
package/dist/types/commands/meta/system.d.ts.map +1 -0
package/dist/types/commands/meta/tabs.d.ts +6 -0
package/dist/types/commands/meta/tabs.d.ts.map +1 -0
package/dist/types/commands/meta/youtube.d.ts +7 -0
package/dist/types/commands/meta/youtube.d.ts.map +1 -0
package/dist/types/commands/read.d.ts +16 -0
package/dist/types/commands/read.d.ts.map +1 -0
package/dist/types/commands/write.d.ts +17 -0
package/dist/types/commands/write.d.ts.map +1 -0
package/dist/types/config.d.ts +101 -0
package/dist/types/config.d.ts.map +1 -0
package/dist/types/constants.d.ts +36 -0
package/dist/types/constants.d.ts.map +1 -0
package/dist/types/detection/frameworks.d.ts +27 -0
package/dist/types/detection/frameworks.d.ts.map +1 -0
package/dist/types/detection/index.d.ts +64 -0
package/dist/types/detection/index.d.ts.map +1 -0
package/dist/types/detection/infrastructure.d.ts +82 -0
package/dist/types/detection/infrastructure.d.ts.map +1 -0
package/dist/types/detection/saas.d.ts +39 -0
package/dist/types/detection/saas.d.ts.map +1 -0
package/dist/types/enable.d.ts +10 -0
package/dist/types/enable.d.ts.map +1 -0
package/dist/types/engine/chrome.d.ts +45 -0
package/dist/types/engine/chrome.d.ts.map +1 -0
package/dist/types/engine/index.d.ts +9 -0
package/dist/types/engine/index.d.ts.map +1 -0
package/dist/types/engine/providers.d.ts +36 -0
package/dist/types/engine/providers.d.ts.map +1 -0
package/dist/types/engine/resolver.d.ts +36 -0
package/dist/types/engine/resolver.d.ts.map +1 -0
package/dist/types/expect.d.ts +68 -0
package/dist/types/expect.d.ts.map +1 -0
package/dist/types/export/index.d.ts +8 -0
package/dist/types/export/index.d.ts.map +1 -0
package/dist/types/export/record.d.ts +28 -0
package/dist/types/export/record.d.ts.map +1 -0
package/dist/types/export/replay.d.ts +9 -0
package/dist/types/export/replay.d.ts.map +1 -0
package/dist/types/flow-parser.d.ts +32 -0
package/dist/types/flow-parser.d.ts.map +1 -0
package/dist/types/install-skill.d.ts +8 -0
package/dist/types/install-skill.d.ts.map +1 -0
package/dist/types/lib.d.ts +27 -0
package/dist/types/lib.d.ts.map +1 -0
package/dist/types/mcp/index.d.ts +10 -0
package/dist/types/mcp/index.d.ts.map +1 -0
package/dist/types/mcp/server.d.ts +9 -0
package/dist/types/mcp/server.d.ts.map +1 -0
package/dist/types/mcp/tools/index.d.ts +36 -0
package/dist/types/mcp/tools/index.d.ts.map +1 -0
package/dist/types/network/buffers.d.ts +53 -0
package/dist/types/network/buffers.d.ts.map +1 -0
package/dist/types/network/har.d.ts +10 -0
package/dist/types/network/har.d.ts.map +1 -0
package/dist/types/network/index.d.ts +6 -0
package/dist/types/network/index.d.ts.map +1 -0
package/dist/types/perf-audit/diff.d.ts +43 -0
package/dist/types/perf-audit/diff.d.ts.map +1 -0
package/dist/types/perf-audit/dom-analysis.d.ts +74 -0
package/dist/types/perf-audit/dom-analysis.d.ts.map +1 -0
package/dist/types/perf-audit/formatter.d.ts +34 -0
package/dist/types/perf-audit/formatter.d.ts.map +1 -0
package/dist/types/perf-audit/index.d.ts +128 -0
package/dist/types/perf-audit/index.d.ts.map +1 -0
package/dist/types/perf-audit/persist.d.ts +40 -0
package/dist/types/perf-audit/persist.d.ts.map +1 -0
package/dist/types/perf-audit/recommendations.d.ts +18 -0
package/dist/types/perf-audit/recommendations.d.ts.map +1 -0
package/dist/types/perf-audit/resource-analyzer.d.ts +46 -0
package/dist/types/perf-audit/resource-analyzer.d.ts.map +1 -0
package/dist/types/perf-audit/web-vitals.d.ts +73 -0
package/dist/types/perf-audit/web-vitals.d.ts.map +1 -0
package/dist/types/proxy/index.d.ts +6 -0
package/dist/types/proxy/index.d.ts.map +1 -0
package/dist/types/proxy/pool.d.ts +44 -0
package/dist/types/proxy/pool.d.ts.map +1 -0
package/dist/types/proxy/providers.d.ts +32 -0
package/dist/types/proxy/providers.d.ts.map +1 -0
package/dist/types/sdk/client.d.ts +37 -0
package/dist/types/sdk/client.d.ts.map +1 -0
package/dist/types/sdk/index.d.ts +17 -0
package/dist/types/sdk/index.d.ts.map +1 -0
package/dist/types/sdk/session.d.ts +95 -0
package/dist/types/sdk/session.d.ts.map +1 -0
package/dist/types/sdk/transports/cloud.d.ts +89 -0
package/dist/types/sdk/transports/cloud.d.ts.map +1 -0
package/dist/types/sdk/transports/index.d.ts +3 -0
package/dist/types/sdk/transports/index.d.ts.map +1 -0
package/dist/types/sdk/transports/local.d.ts +56 -0
package/dist/types/sdk/transports/local.d.ts.map +1 -0
package/dist/types/sdk.d.ts +35 -0
package/dist/types/sdk.d.ts.map +1 -0
package/dist/types/security/auth-vault.d.ts +32 -0
package/dist/types/security/auth-vault.d.ts.map +1 -0
package/dist/types/security/domain-filter.d.ts +31 -0
package/dist/types/security/domain-filter.d.ts.map +1 -0
package/dist/types/security/index.d.ts +10 -0
package/dist/types/security/index.d.ts.map +1 -0
package/dist/types/security/policy.d.ts +20 -0
package/dist/types/security/policy.d.ts.map +1 -0
package/dist/types/security/sanitize.d.ts +6 -0
package/dist/types/security/sanitize.d.ts.map +1 -0
package/dist/types/server.d.ts +13 -0
package/dist/types/server.d.ts.map +1 -0
package/dist/types/session/concurrency.d.ts +28 -0
package/dist/types/session/concurrency.d.ts.map +1 -0
package/dist/types/session/encryption.d.ts +8 -0
package/dist/types/session/encryption.d.ts.map +1 -0
package/dist/types/session/index.d.ts +7 -0
package/dist/types/session/index.d.ts.map +1 -0
package/dist/types/session/manager.d.ts +110 -0
package/dist/types/session/manager.d.ts.map +1 -0
package/dist/types/session/persist.d.ts +87 -0
package/dist/types/session/persist.d.ts.map +1 -0
package/dist/types/session/tab-lock.d.ts +26 -0
package/dist/types/session/tab-lock.d.ts.map +1 -0
package/dist/types/session/target-factory.d.ts +88 -0
package/dist/types/session/target-factory.d.ts.map +1 -0
package/dist/types/sim-cli.d.ts +8 -0
package/dist/types/sim-cli.d.ts.map +1 -0
package/dist/types/types.d.ts +45 -0
package/dist/types/types.d.ts.map +1 -0
package/dist/types/visual.d.ts +79 -0
package/dist/types/visual.d.ts.map +1 -0
package/package.json +22 -3
package/skill/browse/SKILL.md +286 -0
package/skill/{references → browse/references}/commands.md +203 -18
package/skill/browse-aeo/SKILL.md +148 -0
package/skill/browse-config/SKILL.md +200 -0
package/skill/browse-geo/SKILL.md +225 -0
package/skill/browse-qa/SKILL.md +143 -0
package/skill/browse-seo/SKILL.md +188 -0
package/skill/browse-stealth/SKILL.md +246 -0
package/skill/SKILL.md +0 -496
/package/skill/{references → browse/references}/guides.md +0 -0
/package/skill/{references → browse/references}/permissions.md +0 -0

package/dist/types/cloud/golden-snapshot.d.ts ADDED Viewed

@@ -0,0 +1,122 @@
+/**
+ * Golden snapshot manager — builds and manages a pre-warmed VM snapshot
+ * for near-instant (<200ms) VM provisioning via Firecracker restore.
+ *
+ * Golden snapshot flow:
+ *   1. build()    — boot a fresh VM, launch Chromium, wait for health,
+ *                   pause, snapshot memory + state to disk
+ *   2. clone(id)  — restore a new VM from the golden snapshot
+ *   3. rebuild()  — delete old snapshot and rebuild from scratch
+ *
+ * The golden snapshot captures a fully-booted VM with Chromium running
+ * and the browse server healthy. Cloning from this snapshot skips the
+ * entire boot + browser launch sequence (~5-10s → <200ms).
+ *
+ * Host setup requirements (for health-check mode):
+ *   - Tap device `tap-golden` with host IP 172.16.0.1/24
+ *   - iptables/nftables rules for NAT if the VM needs internet
+ *   - VmConfig.network must be set with tapDevice: 'tap-golden'
+ *
+ * Without network, the manager waits a fixed boot time (5s) instead.
+ *
+ * Snapshot files are stored at 0o600 for security:
+ *   {snapshotDir}/snapshot           — VM state (CPU, devices)
+ *   {snapshotDir}/memory             — Full memory image (~memSizeMb)
+ *   {snapshotDir}/golden-metadata.json — Build metadata for validation
+ */
+import { FirecrackerClient, type VmConfig } from './firecracker';
+export interface GoldenSnapshotOptions {
+    /** Firecracker client */
+    firecracker: FirecrackerClient;
+    /** Path to vmlinux kernel */
+    kernelPath: string;
+    /** Path to rootfs ext4 image */
+    rootfsPath: string;
+    /** Directory to store golden snapshot files (default /var/lib/browse-cloud/golden) */
+    snapshotDir?: string;
+    /** Memory per VM in MB (default 512) */
+    memSizeMb?: number;
+    /** vCPUs per VM (default 1) */
+    vcpuCount?: number;
+    /** Browse server port inside VM (default 9400) */
+    browsePort?: number;
+    /** Health check timeout for the golden VM in ms (default 30000) */
+    healthTimeout?: number;
+    /** Network config for the golden build VM (optional — skips health check if absent) */
+    network?: VmConfig['network'];
+}
+export declare class GoldenSnapshotManager {
+    private firecracker;
+    private kernelPath;
+    private rootfsPath;
+    private snapshotDir;
+    private memSizeMb;
+    private vcpuCount;
+    private browsePort;
+    private healthTimeout;
+    private network;
+    private ready;
+    /** The auth token baked into the golden snapshot. All clones share it. */
+    private _authToken;
+    private snapshotPath;
+    private memPath;
+    private metadataPath;
+    constructor(opts: GoldenSnapshotOptions);
+    /** The auth token baked into the golden snapshot. All clones inherit it. */
+    get authToken(): string;
+    /**
+     * Build the golden snapshot from scratch.
+     *
+     * Boots a fresh VM, waits for the browse server to become healthy
+     * (or waits a fixed time if no network is configured), pauses the VM,
+     * and snapshots its memory + state to disk.
+     *
+     * This is a heavy operation (~10-30s) and should only be done once
+     * or when kernel/rootfs changes require a rebuild.
+     */
+    build(): Promise<void>;
+    /**
+     * Create a new VM from the golden snapshot.
+     *
+     * Calls `firecracker.restoreVm()` which spawns a new Firecracker process,
+     * loads the snapshot, and resumes the VM. The restored VM is fully running
+     * with the browse server ready after this call.
+     *
+     * @param vmId - Unique identifier for the cloned VM
+     */
+    clone(vmId: string): Promise<void>;
+    /**
+     * Rebuild the golden snapshot from scratch.
+     *
+     * Deletes existing snapshot files and builds a new one.
+     * Use this when kernel or rootfs has been updated.
+     */
+    rebuild(): Promise<void>;
+    /**
+     * Check if the golden snapshot is ready for cloning.
+     *
+     * Returns true if the snapshot has been built or loaded from disk,
+     * AND the snapshot files still exist on disk.
+     */
+    isReady(): boolean;
+    /**
+     * Attempt to load an existing golden snapshot from disk.
+     *
+     * If snapshot files and metadata exist from a previous build,
+     * loads them without rebuilding. This allows recovery after
+     * a gateway restart without the cost of a full rebuild.
+     *
+     * @returns true if a valid snapshot was found and loaded
+     */
+    loadFromDisk(): boolean;
+    /**
+     * Poll the browse server health endpoint until it responds 200
+     * or the timeout is exceeded.
+     */
+    private waitForHealth;
+    /** Check if all three snapshot files exist on disk. */
+    private snapshotFilesExist;
+    /** Delete snapshot files (best-effort). */
+    private deleteSnapshotFiles;
+}
+//# sourceMappingURL=golden-snapshot.d.ts.map

package/dist/types/cloud/golden-snapshot.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"golden-snapshot.d.ts","sourceRoot":"","sources":["../../../src/cloud/golden-snapshot.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAMH,OAAO,EAAE,iBAAiB,EAAE,KAAK,QAAQ,EAAE,MAAM,eAAe,CAAC;AAgBjE,MAAM,WAAW,qBAAqB;IACpC,yBAAyB;IACzB,WAAW,EAAE,iBAAiB,CAAC;IAC/B,6BAA6B;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,sFAAsF;IACtF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+BAA+B;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,uFAAuF;IACvF,OAAO,CAAC,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;CAC/B;AAkBD,qBAAa,qBAAqB;IAChC,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,OAAO,CAAkC;IAEjD,OAAO,CAAC,KAAK,CAAS;IACtB,0EAA0E;IAC1E,OAAO,CAAC,UAAU,CAAM;IACxB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,YAAY,CAAS;gBAEjB,IAAI,EAAE,qBAAqB;IAgBvC,4EAA4E;IAC5E,IAAI,SAAS,IAAI,MAAM,CAEtB;IAID;;;;;;;;;OASG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAwG5B;;;;;;;;OAQG;IACG,KAAK,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBxC;;;;;OAKG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAU9B;;;;;OAKG;IACH,OAAO,IAAI,OAAO;IAQlB;;;;;;;;OAQG;IACH,YAAY,IAAI,OAAO;IAyDvB;;;OAGG;IACH,OAAO,CAAC,aAAa;IAiDrB,uDAAuD;IACvD,OAAO,CAAC,kBAAkB;IAW1B,2CAA2C;IAC3C,OAAO,CAAC,mBAAmB;CAS5B"}

package/dist/types/cloud/index.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+export { ApiKeyVault, createJwt, validateJwt, resolveJwtSecret, hashApiKey } from './auth';
+export type { ApiKeyRecord, ApiKeyListEntry, CreateKeyResult } from './auth';
+export { CloudSessionManager, TenantAccessError } from './sessions';
+export type { CloudConfig } from './server';
+export { handleUpgrade, closeAllConnections, broadcastSessionEvent } from './ws';
+export type { WsConnection, HandleUpgradeOpts } from './ws';
+export { DockerClient, DockerApiError } from './docker';
+export type { ContainerCreateOptions, ContainerInfo, DockerClientOptions } from './docker';
+export type { Orchestrator, SessionHandle, FrozenSession } from './orchestrator-interface';
+export { ContainerOrchestrator } from './orchestrator';
+export type { ContainerOrchestratorOptions } from './orchestrator';
+export { proxyCommand, ProxyError } from './proxy';
+export type { ProxyOptions } from './proxy';
+export { ContainerReaper } from './reaper';
+export type { ReaperOptions } from './reaper';
+export { WarmPool } from './warm-pool';
+export type { WarmPoolOptions, PoolEntry } from './warm-pool';
+export { FirecrackerClient, FirecrackerApiError } from './firecracker';
+export type { VmConfig, FirecrackerClientOptions } from './firecracker';
+export { GoldenSnapshotManager } from './golden-snapshot';
+export type { GoldenSnapshotOptions } from './golden-snapshot';
+export { VmOrchestrator } from './vm-orchestrator';
+export type { VmOrchestratorOptions } from './vm-orchestrator';
+export { VmWarmPool } from './vm-warm-pool';
+export type { VmWarmPoolOptions, VmPoolEntry } from './vm-warm-pool';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/cloud/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cloud/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC3F,YAAY,EAAE,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAC7E,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACpE,YAAY,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,MAAM,CAAC;AACjF,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AACxD,YAAY,EAAE,sBAAsB,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAC3F,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAC3F,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACvD,YAAY,EAAE,4BAA4B,EAAE,MAAM,gBAAgB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,YAAY,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,YAAY,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACvE,YAAY,EAAE,QAAQ,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AACxE,OAAO,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC1D,YAAY,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/types/cloud/orchestrator-interface.d.ts ADDED Viewed

@@ -0,0 +1,63 @@
+/**
+ * Shared orchestrator interface for session isolation backends.
+ *
+ * Both ContainerOrchestrator (Docker) and VmOrchestrator (microVM)
+ * implement this contract. The cloud gateway selects a backend at
+ * startup via BROWSE_CLOUD_ISOLATION env var.
+ *
+ * Design invariants:
+ *   - One orchestrator instance per gateway process
+ *   - Session IDs are tenant-scoped: `tenant:<tenantId>:session:<id>`
+ *   - Each session maps 1:1 to an isolated backend (container or VM)
+ *   - Freeze/resume allows session persistence across compute recycling
+ */
+/** Handle to a provisioned session (container or VM). */
+export interface SessionHandle {
+    /** Unique session ID (tenant-scoped) */
+    sessionId: string;
+    /** Tenant that owns this session */
+    tenantId: string;
+    /** Internal address for command proxying (e.g. '172.17.0.2:9400') */
+    internalAddress: string;
+    /** Auth token for the internal browse server */
+    internalToken: string;
+    /** Backend-specific ID (container ID, VM ID) */
+    backendId: string;
+    /** When the session was provisioned (ISO 8601) */
+    createdAt: string;
+}
+/** Frozen session metadata — persisted after compute is released. */
+export interface FrozenSession {
+    sessionId: string;
+    tenantId: string;
+    /** Backend-specific snapshot reference (image ID, snapshot path) */
+    snapshotRef: string;
+    /** When the session was frozen (ISO 8601) */
+    frozenAt: string;
+    /** Auth token from the original session — must be reused on resume
+     *  because VM snapshots restore with the same in-process token. */
+    internalToken?: string;
+    /** Allowed domains from the original session — must be reapplied on resume. */
+    allowedDomains?: string;
+}
+/** Common orchestrator interface — container and VM backends implement this. */
+export interface Orchestrator {
+    /** Provision a new isolated session. */
+    provision(tenantId: string, opts?: {
+        sessionId?: string;
+        allowedDomains?: string;
+    }): Promise<SessionHandle>;
+    /** Execute a browse command on a provisioned session. */
+    executeCommand(handle: SessionHandle, command: string, args: string[]): Promise<string>;
+    /** Terminate a session and clean up its resources. */
+    terminate(handle: SessionHandle): Promise<void>;
+    /** Freeze a session (save state, release compute). */
+    freeze(handle: SessionHandle): Promise<FrozenSession>;
+    /** Resume a frozen session. */
+    resume(tenantId: string, frozen: FrozenSession): Promise<SessionHandle>;
+    /** List active sessions for a tenant. */
+    list(tenantId: string): SessionHandle[];
+    /** Shut down the orchestrator and clean up all resources. */
+    shutdown(): Promise<void>;
+}
+//# sourceMappingURL=orchestrator-interface.d.ts.map

package/dist/types/cloud/orchestrator-interface.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"orchestrator-interface.d.ts","sourceRoot":"","sources":["../../../src/cloud/orchestrator-interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,yDAAyD;AACzD,MAAM,WAAW,aAAa;IAC5B,wCAAwC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,qEAAqE;IACrE,eAAe,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,aAAa,EAAE,MAAM,CAAC;IACtB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qEAAqE;AACrE,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,oEAAoE;IACpE,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB;uEACmE;IACnE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAID,gFAAgF;AAChF,MAAM,WAAW,YAAY;IAC3B,wCAAwC;IACxC,SAAS,CACP,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,cAAc,CAAC,EAAE,MAAM,CAAA;KAAE,GACrD,OAAO,CAAC,aAAa,CAAC,CAAC;IAE1B,yDAAyD;IACzD,cAAc,CACZ,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnB,sDAAsD;IACtD,SAAS,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhD,sDAAsD;IACtD,MAAM,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAEtD,+BAA+B;IAC/B,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAExE,yCAAyC;IACzC,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE,CAAC;IAExC,6DAA6D;IAC7D,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B"}

package/dist/types/cloud/orchestrator.d.ts ADDED Viewed

@@ -0,0 +1,58 @@
+/**
+ * Container orchestrator — Docker-based session isolation.
+ *
+ * Implements the Orchestrator interface using DockerClient.
+ * Each session runs in its own Docker container with:
+ *   - Memory and CPU limits
+ *   - Its own browse server on port 9400
+ *   - A known auth token (set via BROWSE_AUTH_TOKEN env var)
+ *   - Labels for tenant tracking and orphan detection
+ *
+ * The gateway proxies commands to each container's internal
+ * browse server via the proxyCommand() HTTP function.
+ */
+import { DockerClient } from './docker';
+import type { Orchestrator, SessionHandle, FrozenSession } from './orchestrator-interface';
+import type { WarmPool } from './warm-pool';
+export interface ContainerOrchestratorOptions {
+    /** Docker client instance */
+    docker: DockerClient;
+    /** Docker image name for session containers */
+    imageName: string;
+    /** Memory limit per container in bytes (default 512 MB) */
+    memoryLimit?: number;
+    /** CPU limit in nanoCPUs (default 0.5 CPU = 500_000_000) */
+    cpuLimit?: number;
+    /** Container health check timeout in ms (default 30000) */
+    healthTimeout?: number;
+    /** Optional warm container pool for fast provisioning */
+    pool?: WarmPool;
+}
+export declare class ContainerOrchestrator implements Orchestrator {
+    private docker;
+    private imageName;
+    private memoryLimit;
+    private cpuLimit;
+    private healthTimeout;
+    private pool;
+    /** Active session handles keyed by sessionId */
+    private handles;
+    /** Session ID sets keyed by tenantId */
+    private tenantHandles;
+    constructor(opts: ContainerOrchestratorOptions);
+    provision(tenantId: string, opts?: {
+        sessionId?: string;
+        allowedDomains?: string;
+    }): Promise<SessionHandle>;
+    executeCommand(handle: SessionHandle, command: string, args: string[]): Promise<string>;
+    terminate(handle: SessionHandle): Promise<void>;
+    freeze(handle: SessionHandle): Promise<FrozenSession>;
+    resume(tenantId: string, frozen: FrozenSession): Promise<SessionHandle>;
+    /** Return all active container IDs tracked by this orchestrator. */
+    getActiveBackendIds(): Set<string>;
+    list(tenantId: string): SessionHandle[];
+    shutdown(): Promise<void>;
+    private trackHandle;
+    private untrackHandle;
+}
+//# sourceMappingURL=orchestrator.d.ts.map

package/dist/types/cloud/orchestrator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"orchestrator.d.ts","sourceRoot":"","sources":["../../../src/cloud/orchestrator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,YAAY,EAAsB,MAAM,UAAU,CAAC;AAC5D,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAE3F,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAc5C,MAAM,WAAW,4BAA4B;IAC3C,6BAA6B;IAC7B,MAAM,EAAE,YAAY,CAAC;IACrB,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,2DAA2D;IAC3D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2DAA2D;IAC3D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,yDAAyD;IACzD,IAAI,CAAC,EAAE,QAAQ,CAAC;CACjB;AAID,qBAAa,qBAAsB,YAAW,YAAY;IACxD,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,IAAI,CAAkB;IAE9B,gDAAgD;IAChD,OAAO,CAAC,OAAO,CAAoC;IACnD,wCAAwC;IACxC,OAAO,CAAC,aAAa,CAAkC;gBAE3C,IAAI,EAAE,4BAA4B;IAWxC,SAAS,CACb,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,cAAc,CAAC,EAAE,MAAM,CAAA;KAAE,GACrD,OAAO,CAAC,aAAa,CAAC;IAuEnB,cAAc,CAClB,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,MAAM,CAAC;IAOZ,SAAS,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAgB/C,MAAM,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IA+DrD,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IA2C7E,oEAAoE;IACpE,mBAAmB,IAAI,GAAG,CAAC,MAAM,CAAC;IAQlC,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE;IAYjC,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAe/B,OAAO,CAAC,WAAW;IAWnB,OAAO,CAAC,aAAa;CAWtB"}

package/dist/types/cloud/proxy.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * HTTP command proxy — forwards browse commands to container-internal servers.
+ *
+ * The cloud gateway uses this to proxy tenant requests into isolated
+ * containers (or VMs), each running their own browse server on port 9400.
+ *
+ * Protocol:
+ *   POST http://{host}:{port}/command
+ *   Body: { command, args }
+ *   Headers: Authorization: Bearer {token}, Content-Type: application/json
+ *   Response: text/plain (success) or JSON { error } (failure)
+ */
+export interface ProxyOptions {
+    /** Target address (host:port) */
+    address: string;
+    /** Auth token for the target server */
+    token: string;
+    /** Request timeout in ms (default 30000) */
+    timeout?: number;
+}
+export declare class ProxyError extends Error {
+    statusCode: number;
+    targetAddress: string;
+    constructor(statusCode: number, message: string, targetAddress: string);
+}
+/**
+ * Proxy a browse command to a container-internal server.
+ *
+ * Sends POST /command with the container's auth token.
+ * Returns the response body as a string on success.
+ * Throws ProxyError on HTTP errors or transport failures.
+ */
+export declare function proxyCommand(command: string, args: string[], opts: ProxyOptions): Promise<string>;
+//# sourceMappingURL=proxy.d.ts.map

package/dist/types/cloud/proxy.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"proxy.d.ts","sourceRoot":"","sources":["../../../src/cloud/proxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,MAAM,WAAW,YAAY;IAC3B,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,qBAAa,UAAW,SAAQ,KAAK;IAE1B,UAAU,EAAE,MAAM;IAElB,aAAa,EAAE,MAAM;gBAFrB,UAAU,EAAE,MAAM,EACzB,OAAO,EAAE,MAAM,EACR,aAAa,EAAE,MAAM;CAK/B;AAID;;;;;;GAMG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,MAAM,CAAC,CAkFjB"}

package/dist/types/cloud/reaper.d.ts ADDED Viewed

@@ -0,0 +1,49 @@
+/**
+ * Orphan container reaper — detects and removes containers with no
+ * matching session in the gateway.
+ *
+ * Safety net for crash recovery: if the gateway process dies, its
+ * containers survive. On the next gateway startup the reaper finds
+ * orphaned containers (those not tracked by the orchestrator) and
+ * removes them after a configurable grace period.
+ *
+ * All operations are best-effort — the reaper never throws from reap().
+ */
+import { DockerClient } from './docker';
+export interface ReaperOptions {
+    /** Docker client */
+    docker: DockerClient;
+    /** Function that returns active session backend IDs */
+    getActiveIds: () => Set<string>;
+    /** Minimum age before reaping (ms, default 300000 = 5 min) */
+    minAgeMs?: number;
+    /** Reap interval (ms, default 60000 = 60s) */
+    intervalMs?: number;
+    /** Also reap committed snapshot images older than TTL (ms, default 3600000 = 1 hour) */
+    snapshotTtlMs?: number;
+}
+export declare class ContainerReaper {
+    private docker;
+    private getActiveIds;
+    private minAgeMs;
+    private intervalMs;
+    private timer;
+    constructor(opts: ReaperOptions);
+    /** Start the periodic reap interval. */
+    start(): void;
+    /** Stop the periodic reap interval. */
+    stop(): void;
+    /** Run one reap cycle. Returns counts of reaped resources. */
+    reap(): Promise<{
+        containers: number;
+        images: number;
+    }>;
+    /** Alias for reap() — convenient for one-shot manual invocation. */
+    reapOnce(): Promise<{
+        containers: number;
+    }>;
+    private reapContainers;
+    /** Calculate container age in ms from the browse-cloud.created label. */
+    private containerAge;
+}
+//# sourceMappingURL=reaper.d.ts.map

package/dist/types/cloud/reaper.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"reaper.d.ts","sourceRoot":"","sources":["../../../src/cloud/reaper.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAsB,MAAM,UAAU,CAAC;AAU5D,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,MAAM,EAAE,YAAY,CAAC;IACrB,uDAAuD;IACvD,YAAY,EAAE,MAAM,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAID,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,YAAY,CAAoB;IACxC,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,KAAK,CAA+B;gBAEhC,IAAI,EAAE,aAAa;IAQ/B,wCAAwC;IACxC,KAAK,IAAI,IAAI;IAUb,uCAAuC;IACvC,IAAI,IAAI,IAAI;IAQZ,8DAA8D;IACxD,IAAI,IAAI,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAoB7D,oEAAoE;IAC9D,QAAQ,IAAI,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;YAOnC,cAAc;IAiC5B,yEAAyE;IACzE,OAAO,CAAC,YAAY;CAarB"}

package/dist/types/cloud/server.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Cloud server — multi-tenant HTTP API for remote browser automation.
+ *
+ * Separate entry point from the local server (src/server.ts).
+ * Wraps the same SessionManager + executeCommand infrastructure
+ * behind JWT-authenticated, tenant-scoped routes.
+ *
+ * Auth flow: API key -> JWT exchange -> Bearer token on all /v1/ routes.
+ * Sessions are prefixed `tenant:<tenantId>:session:<id>` for isolation.
+ */
+export interface CloudConfig {
+    port: number;
+    host: string;
+    dbPath: string;
+    jwtSecret: Buffer;
+    adminKey: string | undefined;
+    localDir: string;
+}
+//# sourceMappingURL=server.d.ts.map

package/dist/types/cloud/server.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../../src/cloud/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAsBH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/types/cloud/sessions.d.ts ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * Cloud session manager — tenant-scoped session lifecycle on top of SessionManager.
+ *
+ * Wraps the generic SessionManager with tenant isolation:
+ *   - Session IDs are prefixed `tenant:<tenantId>:session:<id>`
+ *   - Each tenant has a configurable session limit
+ *   - All accessors validate tenant ownership before touching a session
+ *
+ * Throws TenantAccessError (maps to HTTP 403) when a tenant tries to
+ * reach a session it does not own.
+ */
+import type { SessionManager, Session } from '../session/manager';
+export declare class TenantAccessError extends Error {
+    constructor(tenantId: string, sessionId: string);
+}
+export declare class CloudSessionManager {
+    private sessionManager;
+    private maxSessionsPerTenant;
+    /** Tracks which session IDs belong to each tenant */
+    private tenantSessions;
+    constructor(sessionManager: SessionManager, maxSessionsPerTenant?: number);
+    /**
+     * Provision a new session for a tenant.
+     *
+     * Generates a scoped ID `tenant:<tenantId>:session:<id>`, creates the
+     * underlying session via SessionManager, and tracks it in tenantSessions.
+     *
+     * Throws if the tenant has reached its session limit (429-friendly message).
+     */
+    provision(tenantId: string, opts?: {
+        allowedDomains?: string;
+        sessionId?: string;
+    }): Promise<{
+        sessionId: string;
+        createdAt: string;
+    }>;
+    /**
+     * List sessions belonging to a tenant.
+     *
+     * Filters the global session list by the tenant prefix.
+     */
+    list(tenantId: string): Array<{
+        id: string;
+        tabs: number;
+        url: string;
+        idleSeconds: number;
+    }>;
+    /**
+     * Get an existing session, verifying tenant ownership.
+     *
+     * Throws TenantAccessError if the session does not belong to the tenant.
+     * Throws a generic Error if the session does not exist.
+     */
+    get(tenantId: string, sessionId: string): Session;
+    /**
+     * Get an existing session or create it, verifying tenant ownership.
+     *
+     * Throws TenantAccessError if the session ID does not match the tenant prefix.
+     */
+    getOrCreate(tenantId: string, sessionId: string, allowedDomains?: string): Promise<Session>;
+    /**
+     * Terminate a session, verifying tenant ownership.
+     *
+     * Throws TenantAccessError if the session does not belong to the tenant.
+     */
+    terminate(tenantId: string, sessionId: string): Promise<void>;
+    /**
+     * Return the number of sessions currently tracked for a tenant.
+     */
+    getSessionCount(tenantId: string): number;
+    /**
+     * Check whether a tenant has reached its session limit.
+     */
+    isAtLimit(tenantId: string): boolean;
+    /**
+     * Validate that a session ID has the correct tenant prefix.
+     * Throws TenantAccessError if the prefix does not match.
+     */
+    private validateTenantOwnership;
+    /** Add a session ID to the tenant tracking set. */
+    private trackSession;
+    /** Remove a session ID from the tenant tracking set. */
+    private untrackSession;
+}
+//# sourceMappingURL=sessions.d.ts.map

package/dist/types/cloud/sessions.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../../src/cloud/sessions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAIlE,qBAAa,iBAAkB,SAAQ,KAAK;gBAC9B,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM;CAIhD;AAID,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,oBAAoB,CAAS;IACrC,qDAAqD;IACrD,OAAO,CAAC,cAAc,CAAkC;gBAE5C,cAAc,EAAE,cAAc,EAAE,oBAAoB,SAAK;IAKrE;;;;;;;OAOG;IACG,SAAS,CACb,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GACrD,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAgBpD;;;;OAIG;IACH,IAAI,CACF,QAAQ,EAAE,MAAM,GACf,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC;IAaxE;;;;;OAKG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAUjD;;;;OAIG;IACG,WAAW,CACf,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,OAAO,CAAC;IAQnB;;;;OAIG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOnE;;OAEG;IACH,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAIzC;;OAEG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAMpC;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAM/B,mDAAmD;IACnD,OAAO,CAAC,YAAY;IASpB,wDAAwD;IACxD,OAAO,CAAC,cAAc;CAQvB"}

package/dist/types/cloud/vm-orchestrator.d.ts ADDED Viewed

@@ -0,0 +1,133 @@
+/**
+ * VM orchestrator — Firecracker microVM-based session isolation.
+ *
+ * Implements the Orchestrator interface using FirecrackerClient.
+ * Each session runs in its own microVM with:
+ *   - Dedicated kernel + rootfs image
+ *   - Its own browse server on port 9400
+ *   - A known auth token (passed via kernel boot args or init script)
+ *   - Network isolation via tap devices
+ *
+ * The gateway proxies commands to each VM's internal browse server
+ * via the proxyCommand() HTTP function.
+ *
+ * Auth token injection: the token is passed via kernel boot args as
+ *   BROWSE_AUTH_TOKEN=<uuid>. The rootfs init script parses /proc/cmdline
+ *   and exports matching BROWSE_* vars before launching the browse server.
+ *
+ * Networking: Firecracker VMs require host-side tap device setup (ip tuntap,
+ * ip addr, iptables NAT) which must be done BEFORE createVm(). This
+ * orchestrator generates tap device names and guest IPs but does NOT create
+ * the tap devices — the host environment must pre-provision them or a setup
+ * script must run before the orchestrator. Without real tap devices,
+ * provision() will fail at the health check step.
+ *
+ * IP assignment: simplified counter-based scheme using 172.16.0.0/24.
+ * Host-side tap devices all share 172.16.0.1; each guest gets
+ * 172.16.0.{N} where N increments per VM. Production deployments
+ * should use proper network namespaces with per-VM subnets.
+ */
+import { FirecrackerClient } from './firecracker';
+import type { Orchestrator, SessionHandle, FrozenSession } from './orchestrator-interface';
+import type { VmWarmPool } from './vm-warm-pool';
+/**
+ * Callback that provisions host-side networking for a VM.
+ * Must create the tap device, assign IPs, and configure NAT/routing.
+ * Returns the guest IP that the VM will be reachable at.
+ *
+ * If not provided, the orchestrator uses a fabricated IP scheme that
+ * will NOT work without external network setup.
+ */
+export type NetworkProvider = (vmId: string, tapDevice: string) => Promise<{
+    guestIp: string;
+}>;
+export interface VmOrchestratorOptions {
+    /** Firecracker client */
+    firecracker: FirecrackerClient;
+    /** Path to vmlinux kernel */
+    kernelPath: string;
+    /** Path to rootfs ext4 image */
+    rootfsPath: string;
+    /** Memory per VM in MB (default 512) */
+    memSizeMb?: number;
+    /** vCPUs per VM (default 1) */
+    vcpuCount?: number;
+    /** Browse server port inside VM (default 9400) */
+    browsePort?: number;
+    /** Health check timeout in ms (default 30000) */
+    healthTimeout?: number;
+    /** Directory for snapshot files (default /var/lib/browse-cloud/snapshots) */
+    snapshotDir?: string;
+    /** Optional VM warm pool for pre-cloned paused VMs */
+    pool?: VmWarmPool | null;
+    /**
+     * Host-side network provisioning callback. Creates tap device, assigns IPs,
+     * configures NAT. Returns the guest IP. Required for production use.
+     * When omitted, falls back to fabricated 172.16.0.x IPs (development only).
+     */
+    networkProvider?: NetworkProvider;
+}
+export declare class VmOrchestrator implements Orchestrator {
+    private firecracker;
+    private kernelPath;
+    private rootfsPath;
+    private memSizeMb;
+    private vcpuCount;
+    private browsePort;
+    private healthTimeout;
+    private snapshotDir;
+    private pool;
+    private networkProvider;
+    /** Active session handles keyed by sessionId */
+    private handles;
+    /** Session ID sets keyed by tenantId */
+    private tenantHandles;
+    /**
+     * Counter-based IP suffix for guest IPs.
+     * Starts at 2 (172.16.0.2) and increments per VM.
+     * Wraps at 254 to stay within a /24 subnet.
+     *
+     * NOTE: This simplified scheme assumes no more than ~252 concurrent VMs.
+     * Production deployments should use per-VM network namespaces with
+     * dedicated subnets (e.g., 172.16.{X}.2 per VM).
+     */
+    private nextIpSuffix;
+    constructor(opts: VmOrchestratorOptions);
+    provision(tenantId: string, opts?: {
+        sessionId?: string;
+        allowedDomains?: string;
+    }): Promise<SessionHandle>;
+    executeCommand(handle: SessionHandle, command: string, args: string[]): Promise<string>;
+    terminate(handle: SessionHandle): Promise<void>;
+    freeze(handle: SessionHandle): Promise<FrozenSession>;
+    resume(tenantId: string, frozen: FrozenSession): Promise<SessionHandle>;
+    list(tenantId: string): SessionHandle[];
+    shutdown(): Promise<void>;
+    /** Return all active VM IDs tracked by this orchestrator. */
+    getActiveVmIds(): Set<string>;
+    private trackHandle;
+    private untrackHandle;
+    /**
+     * Allocate a guest IP address using counter-based scheme.
+     *
+     * Returns IPs in the 172.16.0.0/24 range starting from 172.16.0.2.
+     * Wraps at 254 to avoid broadcast address.
+     *
+     * NOTE: Production should use per-VM network namespaces with
+     * dedicated subnets for proper isolation.
+     */
+    private allocateGuestIp;
+    /**
+     * Poll the browse server's /health endpoint until it responds.
+     *
+     * Uses native http.get with a short timeout per attempt.
+     * Throws if the server doesn't become healthy within the deadline.
+     */
+    private waitForHealth;
+    /**
+     * Single health check attempt — returns true if the browse server
+     * responds with HTTP 200, false otherwise.
+     */
+    private checkHealth;
+}
+//# sourceMappingURL=vm-orchestrator.d.ts.map

package/dist/types/cloud/vm-orchestrator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"vm-orchestrator.d.ts","sourceRoot":"","sources":["../../../src/cloud/vm-orchestrator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAMH,OAAO,EAAE,iBAAiB,EAAiB,MAAM,eAAe,CAAC;AACjE,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAE3F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAajD;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAEhG,MAAM,WAAW,qBAAqB;IACpC,yBAAyB;IACzB,WAAW,EAAE,iBAAiB,CAAC;IAC/B,6BAA6B;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+BAA+B;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sDAAsD;IACtD,IAAI,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;IACzB;;;;OAIG;IACH,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC;AAUD,qBAAa,cAAe,YAAW,YAAY;IACjD,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,IAAI,CAAgC;IAC5C,OAAO,CAAC,eAAe,CAAyB;IAEhD,gDAAgD;IAChD,OAAO,CAAC,OAAO,CAAsC;IACrD,wCAAwC;IACxC,OAAO,CAAC,aAAa,CAAkC;IAEvD;;;;;;;;OAQG;IACH,OAAO,CAAC,YAAY,CAAK;gBAEb,IAAI,EAAE,qBAAqB;IAejC,SAAS,CACb,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,cAAc,CAAC,EAAE,MAAM,CAAA;KAAE,GACrD,OAAO,CAAC,aAAa,CAAC;IAiInB,cAAc,CAClB,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,MAAM,CAAC;IAOZ,SAAS,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAc/C,MAAM,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IAoDrD,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IA0D7E,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE;IAYjC,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAsB/B,6DAA6D;IAC7D,cAAc,IAAI,GAAG,CAAC,MAAM,CAAC;IAU7B,OAAO,CAAC,WAAW;IAWnB,OAAO,CAAC,aAAa;IAcrB;;;;;;;;OAQG;IACH,OAAO,CAAC,eAAe;IAQvB;;;;;OAKG;YACW,aAAa;IAc3B;;;OAGG;IACH,OAAO,CAAC,WAAW;CAkBpB"}