@undefineds.co/xpod 0.1.0-local.202602081751

package/dist/edge/LocalNetworkManager.d.ts

@@ -0,0 +1,41 @@
+import type { EdgeNodeCapabilityDetector } from './EdgeNodeCapabilityDetector';
+import type { EdgeNodeDnsCoordinator } from './EdgeNodeDnsCoordinator';
+import type { TunnelProvider } from '../tunnel/TunnelProvider';
+export interface LocalNetworkManagerOptions {
+    detector: EdgeNodeCapabilityDetector;
+    dnsCoordinator: EdgeNodeDnsCoordinator;
+    tunnelProvider?: TunnelProvider;
+    localPort?: number;
+    intervalMs?: number;
+}
+/**
+ * 本地网络管理器
+ *
+ * 专门用于 Local 模式，定期探测本机 IP 并自动同步到 DNS。
+ * 它是“自闭环”的，不依赖外部心跳。
+ *
+ * 逻辑：
+ * 1. 优先探测公网 IP (IPv6 > IPv4)。
+ * 2. 如果有公网 IP -> 停止 Tunnel -> 更新 AAAA/A 记录。
+ * 3. 如果无公网 IP -> 启动 Tunnel (Fallback) -> Tunnel 接管 CNAME。
+ */
+export declare class LocalNetworkManager {
+    private readonly logger;
+    private readonly detector;
+    private readonly dnsCoordinator;
+    private readonly tunnelProvider?;
+    private readonly localPort;
+    private readonly intervalMs;
+    private interval?;
+    private lastState;
+    constructor(options: LocalNetworkManagerOptions);
+    /**
+     * 启动管理循环
+     */
+    start(): void;
+    /**
+     * 停止
+     */
+    stop(): Promise<void>;
+    private runMaintenance;
+}

package/dist/edge/LocalNetworkManager.js

@@ -0,0 +1,115 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LocalNetworkManager = void 0;
+const global_logger_factory_1 = require("global-logger-factory");
+/**
+ * 本地网络管理器
+ *
+ * 专门用于 Local 模式，定期探测本机 IP 并自动同步到 DNS。
+ * 它是“自闭环”的，不依赖外部心跳。
+ *
+ * 逻辑：
+ * 1. 优先探测公网 IP (IPv6 > IPv4)。
+ * 2. 如果有公网 IP -> 停止 Tunnel -> 更新 AAAA/A 记录。
+ * 3. 如果无公网 IP -> 启动 Tunnel (Fallback) -> Tunnel 接管 CNAME。
+ */
+class LocalNetworkManager {
+    constructor(options) {
+        this.logger = (0, global_logger_factory_1.getLoggerFor)(this);
+        // 状态追踪，用于减少重复日志
+        this.lastState = {
+            hasPublicIp: false,
+            tunnelRunning: false,
+        };
+        this.detector = options.detector;
+        this.dnsCoordinator = options.dnsCoordinator;
+        this.tunnelProvider = options.tunnelProvider;
+        this.localPort = options.localPort ?? 3000;
+        this.intervalMs = options.intervalMs ?? 60_000; // 默认 1 分钟
+    }
+    /**
+     * 启动管理循环
+     */
+    start() {
+        if (this.interval) {
+            return;
+        }
+        this.logger.info(`Starting background loop (interval: ${this.intervalMs}ms)`);
+        // 立即执行一次，然后开始循环
+        void this.runMaintenance();
+        this.interval = setInterval(() => this.runMaintenance(), this.intervalMs);
+    }
+    /**
+     * 停止
+     */
+    async stop() {
+        if (this.interval) {
+            clearInterval(this.interval);
+            this.interval = undefined;
+        }
+        // 确保退出时关闭 Tunnel，防止僵尸进程
+        if (this.tunnelProvider?.getStatus().running) {
+            this.logger.info('Stopping tunnel before exit...');
+            await this.tunnelProvider.stop();
+        }
+    }
+    async runMaintenance() {
+        try {
+            this.logger.debug('Starting network detection phase...');
+            // 1. 探测本机 IP
+            const netInfo = await this.detector.detectNetworkAddresses();
+            // 2. 构造元数据 (只使用公网 IP)
+            const metadata = {
+                ipv4: netInfo.ipv4Public,
+                ipv6: netInfo.ipv6Public,
+                accessMode: 'direct',
+                subdomain: '@',
+            };
+            const hasPublicIp = !!(metadata.ipv4 || metadata.ipv6);
+            const tunnelRunning = !!this.tunnelProvider?.getStatus().running;
+            // 检查状态是否发生变化
+            const stateChanged = hasPublicIp !== this.lastState.hasPublicIp ||
+                tunnelRunning !== this.lastState.tunnelRunning;
+            if (stateChanged) {
+                this.logger.info(`Network status changed: IP=${hasPublicIp ? 'Public' : 'Private'}, Tunnel=${tunnelRunning ? 'Running' : 'Stopped'} (IPv4=${metadata.ipv4 || 'none'}, IPv6=${metadata.ipv6 || 'none'})`);
+            }
+            else {
+                // 平时仅打印一条极简的调试信息（如果级别设为 info 则每分钟一条）
+                this.logger.debug(`Status check: IP=${hasPublicIp ? 'Public' : 'Private'}, Tunnel=${tunnelRunning ? 'Running' : 'Stopped'}`);
+            }
+            if (hasPublicIp) {
+                // === 直连模式 ===
+                if (tunnelRunning) {
+                    this.logger.info('Stopping tunnel fallback to use direct public IP...');
+                    await this.tunnelProvider.stop();
+                    this.lastState.tunnelRunning = false;
+                }
+                // 仅在 IP 变化或初次运行且有 IP 时同步 DNS
+                await this.dnsCoordinator.synchronize('local-self', metadata);
+            }
+            else {
+                // === 隧道模式 (Fallback) ===
+                if (this.tunnelProvider) {
+                    if (!tunnelRunning) {
+                        this.logger.info('No public IP. Starting Cloudflare Tunnel fallback...');
+                        const config = await this.tunnelProvider.setup({
+                            subdomain: 'local',
+                            localPort: this.localPort,
+                        });
+                        await this.tunnelProvider.start(config);
+                        this.logger.info('Tunnel fallback active.');
+                        this.lastState.tunnelRunning = true;
+                    }
+                }
+            }
+            // 更新状态追踪
+            this.lastState.hasPublicIp = hasPublicIp;
+            this.lastState.tunnelRunning = !!this.tunnelProvider?.getStatus().running;
+        }
+        catch (error) {
+            this.logger.error(`Maintenance task failed: ${error.message}`);
+        }
+    }
+}
+exports.LocalNetworkManager = LocalNetworkManager;
+//# sourceMappingURL=LocalNetworkManager.js.map

package/dist/edge/LocalNetworkManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"LocalNetworkManager.js","sourceRoot":"","sources":["../../src/edge/LocalNetworkManager.ts"],"names":[],"mappings":";;;AAAA,iEAAqD;AAarD;;;;;;;;;;GAUG;AACH,MAAa,mBAAmB;IAe9B,YAAmB,OAAmC;QAdrC,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAQ7C,gBAAgB;QACR,cAAS,GAAG;YAClB,WAAW,EAAE,KAAK;YAClB,aAAa,EAAE,KAAK;SACrB,CAAC;QAGA,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAC7C,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAC7C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC,CAAC,UAAU;IAC5D,CAAC;IAED;;OAEG;IACI,KAAK;QACV,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO;QACT,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,IAAI,CAAC,UAAU,KAAK,CAAC,CAAC;QAE9E,gBAAgB;QAChB,KAAK,IAAI,CAAC,cAAc,EAAE,CAAC;QAC3B,IAAI,CAAC,QAAQ,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5E,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,IAAI;QACf,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC7B,IAAI,CAAC,QAAQ,GAAG,SAAS,CAAC;QAC5B,CAAC;QAED,wBAAwB;QACxB,IAAI,IAAI,CAAC,cAAc,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,CAAC;YAC7C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;YACnD,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QACnC,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;YAEzD,aAAa;YACb,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;YAE7D,sBAAsB;YACtB,MAAM,QAAQ,GAA4B;gBACxC,IAAI,EAAE,OAAO,CAAC,UAAU;gBACxB,IAAI,EAAE,OAAO,CAAC,UAAU;gBACxB,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,GAAG;aACf,CAAC;YAEF,MAAM,WAAW,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;YACvD,MAAM,aAAa,GAAG,CAAC,CAAC,IAAI,CAAC,cAAc,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC;YAEjE,aAAa;YACb,MAAM,YAAY,GAAG,WAAW,KAAK,IAAI,CAAC,SAAS,CAAC,WAAW;gBAC1C,aAAa,KAAK,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC;YAEpE,IAAI,YAAY,EAAE,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8BAA8B,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,YAAY,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,UAAU,QAAQ,CAAC,IAAI,IAAI,MAAM,UAAU,QAAQ,CAAC,IAAI,IAAI,MAAM,GAAG,CAAC,CAAC;YAC3M,CAAC;iBAAM,CAAC;gBACN,qCAAqC;gBACrC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,YAAY,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;YAC/H,CAAC;YAED,IAAI,WAAW,EAAE,CAAC;gBAChB,eAAe;gBACf,IAAI,aAAa,EAAE,CAAC;oBAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;oBACxE,MAAM,IAAI,CAAC,cAAe,CAAC,IAAI,EAAE,CAAC;oBAClC,IAAI,CAAC,SAAS,CAAC,aAAa,GAAG,KAAK,CAAC;gBACvC,CAAC;gBAED,6BAA6B;gBAC7B,MAAM,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;YAEhE,CAAC;iBAAM,CAAC;gBACN,0BAA0B;gBAC1B,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;oBACxB,IAAI,CAAC,aAAa,EAAE,CAAC;wBACnB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;wBACzE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC;4BAC7C,SAAS,EAAE,OAAO;4BAClB,SAAS,EAAE,IAAI,CAAC,SAAS;yBAC1B,CAAC,CAAC;wBAEH,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;wBACxC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;wBAC5C,IAAI,CAAC,SAAS,CAAC,aAAa,GAAG,IAAI,CAAC;oBACtC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,SAAS;YACT,IAAI,CAAC,SAAS,CAAC,WAAW,GAAG,WAAW,CAAC;YACzC,IAAI,CAAC,SAAS,CAAC,aAAa,GAAG,CAAC,CAAC,IAAI,CAAC,cAAc,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC;QAE5E,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA6B,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;CACF;AAtHD,kDAsHC","sourcesContent":["import { getLoggerFor } from 'global-logger-factory';\nimport type { EdgeNodeCapabilityDetector } from './EdgeNodeCapabilityDetector';\nimport type { EdgeNodeDnsCoordinator } from './EdgeNodeDnsCoordinator';\nimport type { TunnelProvider } from '../tunnel/TunnelProvider';\n\nexport interface LocalNetworkManagerOptions {\n  detector: EdgeNodeCapabilityDetector;\n  dnsCoordinator: EdgeNodeDnsCoordinator;\n  tunnelProvider?: TunnelProvider;\n  localPort?: number;\n  intervalMs?: number;\n}\n\n/**\n * 本地网络管理器\n * \n * 专门用于 Local 模式，定期探测本机 IP 并自动同步到 DNS。\n * 它是“自闭环”的，不依赖外部心跳。\n * \n * 逻辑：\n * 1. 优先探测公网 IP (IPv6 > IPv4)。\n * 2. 如果有公网 IP -> 停止 Tunnel -> 更新 AAAA/A 记录。\n * 3. 如果无公网 IP -> 启动 Tunnel (Fallback) -> Tunnel 接管 CNAME。\n */\nexport class LocalNetworkManager {\n  private readonly logger = getLoggerFor(this);\n  private readonly detector: EdgeNodeCapabilityDetector;\n  private readonly dnsCoordinator: EdgeNodeDnsCoordinator;\n  private readonly tunnelProvider?: TunnelProvider;\n  private readonly localPort: number;\n  private readonly intervalMs: number;\n  private interval?: NodeJS.Timeout;\n  \n  // 状态追踪，用于减少重复日志\n  private lastState = {\n    hasPublicIp: false,\n    tunnelRunning: false,\n  };\n\n  public constructor(options: LocalNetworkManagerOptions) {\n    this.detector = options.detector;\n    this.dnsCoordinator = options.dnsCoordinator;\n    this.tunnelProvider = options.tunnelProvider;\n    this.localPort = options.localPort ?? 3000;\n    this.intervalMs = options.intervalMs ?? 60_000; // 默认 1 分钟\n  }\n\n  /**\n   * 启动管理循环\n   */\n  public start(): void {\n    if (this.interval) {\n      return;\n    }\n    this.logger.info(`Starting background loop (interval: ${this.intervalMs}ms)`);\n    \n    // 立即执行一次，然后开始循环\n    void this.runMaintenance();\n    this.interval = setInterval(() => this.runMaintenance(), this.intervalMs);\n  }\n\n  /**\n   * 停止\n   */\n  public async stop(): Promise<void> {\n    if (this.interval) {\n      clearInterval(this.interval);\n      this.interval = undefined;\n    }\n    \n    // 确保退出时关闭 Tunnel，防止僵尸进程\n    if (this.tunnelProvider?.getStatus().running) {\n      this.logger.info('Stopping tunnel before exit...');\n      await this.tunnelProvider.stop();\n    }\n  }\n\n  private async runMaintenance(): Promise<void> {\n    try {\n      this.logger.debug('Starting network detection phase...');\n      \n      // 1. 探测本机 IP\n      const netInfo = await this.detector.detectNetworkAddresses();\n      \n      // 2. 构造元数据 (只使用公网 IP)\n      const metadata: Record<string, unknown> = {\n        ipv4: netInfo.ipv4Public,\n        ipv6: netInfo.ipv6Public,\n        accessMode: 'direct',\n        subdomain: '@', \n      };\n\n      const hasPublicIp = !!(metadata.ipv4 || metadata.ipv6);\n      const tunnelRunning = !!this.tunnelProvider?.getStatus().running;\n      \n      // 检查状态是否发生变化\n      const stateChanged = hasPublicIp !== this.lastState.hasPublicIp || \n                           tunnelRunning !== this.lastState.tunnelRunning;\n\n      if (stateChanged) {\n        this.logger.info(`Network status changed: IP=${hasPublicIp ? 'Public' : 'Private'}, Tunnel=${tunnelRunning ? 'Running' : 'Stopped'} (IPv4=${metadata.ipv4 || 'none'}, IPv6=${metadata.ipv6 || 'none'})`);\n      } else {\n        // 平时仅打印一条极简的调试信息（如果级别设为 info 则每分钟一条）\n        this.logger.debug(`Status check: IP=${hasPublicIp ? 'Public' : 'Private'}, Tunnel=${tunnelRunning ? 'Running' : 'Stopped'}`);\n      }\n\n      if (hasPublicIp) {\n        // === 直连模式 ===\n        if (tunnelRunning) {\n          this.logger.info('Stopping tunnel fallback to use direct public IP...');\n          await this.tunnelProvider!.stop();\n          this.lastState.tunnelRunning = false;\n        }\n\n        // 仅在 IP 变化或初次运行且有 IP 时同步 DNS\n        await this.dnsCoordinator.synchronize('local-self', metadata);\n\n      } else {\n        // === 隧道模式 (Fallback) ===\n        if (this.tunnelProvider) {\n          if (!tunnelRunning) {\n            this.logger.info('No public IP. Starting Cloudflare Tunnel fallback...');\n            const config = await this.tunnelProvider.setup({\n              subdomain: 'local',\n              localPort: this.localPort,\n            });\n            \n            await this.tunnelProvider.start(config);\n            this.logger.info('Tunnel fallback active.');\n            this.lastState.tunnelRunning = true;\n          }\n        }\n      }\n      \n      // 更新状态追踪\n      this.lastState.hasPublicIp = hasPublicIp;\n      this.lastState.tunnelRunning = !!this.tunnelProvider?.getStatus().running;\n      \n    } catch (error: unknown) {\n      this.logger.error(`Maintenance task failed: ${(error as Error).message}`);\n    }\n  }\n}\n"]}

package/dist/edge/acme/AcmeCertificateManager.d.ts

@@ -0,0 +1,65 @@
+import type { DnsProvider } from '../../dns/DnsProvider';
+/**
+ * DNS 验证处理器接口
+ */
+export interface DnsChallengeHandler {
+    setChallenge(host: string, value: string): Promise<void>;
+    removeChallenge(host: string, value?: string): Promise<void>;
+}
+/**
+ * 使用 DnsProvider 的本地 DNS 验证处理器
+ */
+export declare class LocalDnsChallengeHandler implements DnsChallengeHandler {
+    private readonly provider;
+    private readonly rootDomain;
+    constructor(provider: DnsProvider, rootDomain: string);
+    setChallenge(host: string, value: string): Promise<void>;
+    removeChallenge(host: string, value?: string): Promise<void>;
+    private extractSubdomain;
+}
+export interface AcmeCertificateManagerOptions {
+    /** Cloud 模式: 通过 signal endpoint 操作 DNS */
+    signalEndpoint?: string;
+    nodeId?: string;
+    nodeToken?: string;
+    /** Local 模式: 直接使用 DNS Provider */
+    dnsProvider?: DnsProvider;
+    rootDomain?: string;
+    /** 或者直接提供自定义的 DNS 验证处理器 */
+    dnsChallengeHandler?: DnsChallengeHandler;
+    email: string;
+    domains: string[];
+    directoryUrl?: string;
+    fallbackDirectoryUrls?: string[];
+    accountKeyPath: string;
+    certificateKeyPath: string;
+    certificatePath: string;
+    fullChainPath?: string;
+    renewBeforeDays?: number;
+    propagationDelayMs?: number;
+}
+export declare class AcmeCertificateManager {
+    private readonly logger;
+    private readonly dnsHandler;
+    private readonly email;
+    private readonly domains;
+    private readonly directoryUrl;
+    private readonly fallbackDirectoryUrls;
+    private readonly accountKeyPath;
+    private readonly certificateKeyPath;
+    private readonly certificatePath;
+    private readonly fullChainPath?;
+    private readonly renewBeforeDays;
+    private readonly propagationDelayMs;
+    constructor(options: AcmeCertificateManagerOptions);
+    ensureCertificate(): Promise<boolean>;
+    private isCertificateValid;
+    private issueCertificate;
+    private issueCertificateFromCA;
+    private ensureAccount;
+    private loadOrCreateAccountKey;
+    private readOptionalFile;
+    private ensureDirectory;
+    private delay;
+    private isConflictError;
+}

package/dist/edge/acme/AcmeCertificateManager.js

@@ -0,0 +1,233 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AcmeCertificateManager = exports.LocalDnsChallengeHandler = void 0;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const promises_1 = require("node:fs/promises");
+const node_crypto_1 = require("node:crypto");
+const acme_client_1 = __importDefault(require("acme-client"));
+const global_logger_factory_1 = require("global-logger-factory");
+const DnsChallengeClient_1 = require("./DnsChallengeClient");
+const utils_1 = require("./utils");
+/**
+ * 使用 DnsProvider 的本地 DNS 验证处理器
+ */
+class LocalDnsChallengeHandler {
+    constructor(provider, rootDomain) {
+        this.provider = provider;
+        this.rootDomain = rootDomain;
+    }
+    async setChallenge(host, value) {
+        // host 格式: _acme-challenge.node1.pods.undefineds.co
+        // 需要提取 subdomain: _acme-challenge.node1.pods
+        const subdomain = this.extractSubdomain(host);
+        await this.provider.upsertRecord({
+            domain: this.rootDomain,
+            subdomain,
+            type: 'TXT',
+            value,
+            ttl: 60,
+        });
+    }
+    async removeChallenge(host, value) {
+        const subdomain = this.extractSubdomain(host);
+        await this.provider.deleteRecord({
+            domain: this.rootDomain,
+            subdomain,
+            type: 'TXT',
+            value,
+        });
+    }
+    extractSubdomain(host) {
+        // 从 _acme-challenge.node1.pods.undefineds.co 提取 _acme-challenge.node1.pods
+        const suffix = `.${this.rootDomain}`;
+        if (host.endsWith(suffix)) {
+            return host.slice(0, -suffix.length);
+        }
+        return host;
+    }
+}
+exports.LocalDnsChallengeHandler = LocalDnsChallengeHandler;
+const DEFAULT_DIRECTORY_URL = acme_client_1.default.directory.letsencrypt.production;
+const DEFAULT_FALLBACK_URLS = [
+    acme_client_1.default.directory.letsencrypt.staging, // Staging as fallback for testing
+    'https://acme.zerossl.com/v2/DV90', // ZeroSSL as alternative CA
+];
+class AcmeCertificateManager {
+    constructor(options) {
+        this.logger = (0, global_logger_factory_1.getLoggerFor)(this);
+        // 确定 DNS 验证处理器
+        if (options.dnsChallengeHandler) {
+            // 用户提供自定义处理器
+            this.dnsHandler = options.dnsChallengeHandler;
+        }
+        else if (options.dnsProvider && options.rootDomain) {
+            // Local 模式：使用 DNS Provider
+            this.dnsHandler = new LocalDnsChallengeHandler(options.dnsProvider, options.rootDomain);
+        }
+        else if (options.signalEndpoint && options.nodeId && options.nodeToken) {
+            // Cloud 模式：通过 signal endpoint
+            this.dnsHandler = new DnsChallengeClient_1.DnsChallengeClient({
+                signalEndpoint: options.signalEndpoint,
+                nodeId: options.nodeId,
+                nodeToken: options.nodeToken,
+            });
+        }
+        else {
+            throw new Error('AcmeCertificateManager 需要提供 DNS 验证方式: dnsChallengeHandler, (dnsProvider + rootDomain), 或 (signalEndpoint + nodeId + nodeToken)');
+        }
+        this.email = options.email;
+        this.domains = options.domains;
+        this.directoryUrl = options.directoryUrl ?? DEFAULT_DIRECTORY_URL;
+        this.fallbackDirectoryUrls = options.fallbackDirectoryUrls ?? DEFAULT_FALLBACK_URLS;
+        this.accountKeyPath = options.accountKeyPath;
+        this.certificateKeyPath = options.certificateKeyPath;
+        this.certificatePath = options.certificatePath;
+        this.fullChainPath = options.fullChainPath;
+        this.renewBeforeDays = options.renewBeforeDays ?? 15;
+        this.propagationDelayMs = options.propagationDelayMs ?? 15_000;
+    }
+    async ensureCertificate() {
+        if (await this.isCertificateValid()) {
+            this.logger.debug('现有证书仍在有效期内，跳过 ACME 申请。');
+            return false;
+        }
+        await this.issueCertificate();
+        return true;
+    }
+    async isCertificateValid() {
+        try {
+            const certPem = await node_fs_1.promises.readFile(this.certificatePath, 'utf8');
+            const cert = new node_crypto_1.X509Certificate(certPem);
+            const expiresAt = cert.validTo ? new Date(cert.validTo).getTime() : NaN;
+            if (!Number.isFinite(expiresAt)) {
+                return false;
+            }
+            const remainingMs = expiresAt - Date.now();
+            const thresholdMs = this.renewBeforeDays * 24 * 60 * 60 * 1000;
+            const containsAllDomains = this.domains.every((domain) => cert.subjectAltName?.includes(domain));
+            return remainingMs > thresholdMs && containsAllDomains;
+        }
+        catch {
+            return false;
+        }
+    }
+    async issueCertificate() {
+        this.logger.info(`申请 ACME 证书：${this.domains.join(', ')}`);
+        await this.ensureDirectory((0, node_path_1.dirname)(this.accountKeyPath));
+        await this.ensureDirectory((0, node_path_1.dirname)(this.certificateKeyPath));
+        await this.ensureDirectory((0, node_path_1.dirname)(this.certificatePath));
+        if (this.fullChainPath) {
+            await this.ensureDirectory((0, node_path_1.dirname)(this.fullChainPath));
+        }
+        // Try primary CA first, then fallback CAs
+        const directoryUrls = [this.directoryUrl, ...this.fallbackDirectoryUrls];
+        let lastError;
+        for (const directoryUrl of directoryUrls) {
+            try {
+                await this.issueCertificateFromCA(directoryUrl);
+                return; // Success!
+            }
+            catch (error) {
+                lastError = error;
+                this.logger.warn(`ACME CA ${directoryUrl} 失败: ${lastError.message}`);
+                if (directoryUrl !== directoryUrls[directoryUrls.length - 1]) {
+                    this.logger.info('尝试下一个 ACME CA...');
+                }
+            }
+        }
+        // All CAs failed
+        throw new Error(`所有 ACME CA 都失败。最后错误: ${lastError?.message}`);
+    }
+    async issueCertificateFromCA(directoryUrl) {
+        this.logger.info(`使用 ACME CA: ${directoryUrl}`);
+        const accountKey = await this.loadOrCreateAccountKey(this.accountKeyPath);
+        const client = new acme_client_1.default.Client({
+            directoryUrl,
+            accountKey,
+        });
+        await this.ensureAccount(client);
+        const existingCertKey = await this.readOptionalFile(this.certificateKeyPath);
+        const [privateKey, csr] = await acme_client_1.default.crypto.createCsr({
+            altNames: this.domains,
+            commonName: this.domains[0],
+        }, existingCertKey ?? undefined);
+        const certificate = await client.auto({
+            csr,
+            email: this.email,
+            termsOfServiceAgreed: true,
+            challengePriority: ['dns-01'],
+            challengeCreateFn: async (authz, _challenge, keyAuthorization) => {
+                const recordName = `_acme-challenge.${authz.identifier.value}`;
+                const value = (0, utils_1.toDns01Value)(keyAuthorization);
+                await this.dnsHandler.setChallenge(recordName, value);
+                await this.delay(this.propagationDelayMs);
+            },
+            challengeRemoveFn: async (authz) => {
+                const recordName = `_acme-challenge.${authz.identifier.value}`;
+                await this.dnsHandler.removeChallenge(recordName);
+            },
+        });
+        await node_fs_1.promises.writeFile(this.certificateKeyPath, privateKey.toString());
+        await node_fs_1.promises.writeFile(this.certificatePath, certificate);
+        if (this.fullChainPath) {
+            await node_fs_1.promises.writeFile(this.fullChainPath, certificate);
+        }
+        this.logger.info(`ACME 证书申请成功 (CA: ${directoryUrl})`);
+    }
+    async ensureAccount(client) {
+        try {
+            await client.createAccount({
+                termsOfServiceAgreed: true,
+                contact: [`mailto:${this.email}`],
+            });
+            this.logger.debug('ACME 账户已创建。');
+        }
+        catch (error) {
+            if (this.isConflictError(error)) {
+                this.logger.debug('ACME 账户已存在，跳过创建。');
+            }
+            else {
+                throw error;
+            }
+        }
+    }
+    async loadOrCreateAccountKey(path) {
+        const existing = await this.readOptionalFile(path);
+        if (existing) {
+            return existing.toString();
+        }
+        await this.ensureDirectory((0, node_path_1.dirname)(path));
+        const key = await acme_client_1.default.crypto.createPrivateKey();
+        await node_fs_1.promises.writeFile(path, key);
+        return key.toString();
+    }
+    async readOptionalFile(path) {
+        try {
+            return await node_fs_1.promises.readFile(path);
+        }
+        catch {
+            return undefined;
+        }
+    }
+    async ensureDirectory(path) {
+        if (!path || path === '.') {
+            return;
+        }
+        await (0, promises_1.mkdir)(path, { recursive: true });
+    }
+    async delay(ms) {
+        if (ms <= 0) {
+            return;
+        }
+        await new Promise((resolve) => setTimeout(resolve, ms));
+    }
+    isConflictError(error) {
+        return Boolean(error && typeof error === 'object' && 'status' in error && error.status === 409);
+    }
+}
+exports.AcmeCertificateManager = AcmeCertificateManager;
+//# sourceMappingURL=AcmeCertificateManager.js.map

package/dist/edge/acme/AcmeCertificateManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AcmeCertificateManager.js","sourceRoot":"","sources":["../../../src/edge/acme/AcmeCertificateManager.ts"],"names":[],"mappings":";;;;;;AAAA,qCAAyC;AACzC,yCAAoC;AACpC,+CAAyC;AACzC,6CAA8C;AAC9C,8DAA+B;AAE/B,iEAAqD;AACrD,6DAA0D;AAC1D,mCAAuC;AAWvC;;GAEG;AACH,MAAa,wBAAwB;IAInC,YAAmB,QAAqB,EAAE,UAAkB;QAC1D,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAEM,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,KAAa;QACnD,oDAAoD;QACpD,6CAA6C;QAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;YAC/B,MAAM,EAAE,IAAI,CAAC,UAAU;YACvB,SAAS;YACT,IAAI,EAAE,KAAK;YACX,KAAK;YACL,GAAG,EAAE,EAAE;SACR,CAAC,CAAC;IACL,CAAC;IAEM,KAAK,CAAC,eAAe,CAAC,IAAY,EAAE,KAAc;QACvD,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;YAC/B,MAAM,EAAE,IAAI,CAAC,UAAU;YACvB,SAAS;YACT,IAAI,EAAE,KAAK;YACX,KAAK;SACN,CAAC,CAAC;IACL,CAAC;IAEO,gBAAgB,CAAC,IAAY;QACnC,2EAA2E;QAC3E,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAxCD,4DAwCC;AA2BD,MAAM,qBAAqB,GAAG,qBAAI,CAAC,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC;AACpE,MAAM,qBAAqB,GAAG;IAC5B,qBAAI,CAAC,SAAS,CAAC,WAAW,CAAC,OAAO,EAAE,kCAAkC;IACtE,kCAAkC,EAAE,4BAA4B;CACjE,CAAC;AAEF,MAAa,sBAAsB;IAcjC,YAAmB,OAAsC;QAbxC,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAc3C,eAAe;QACf,IAAI,OAAO,CAAC,mBAAmB,EAAE,CAAC;YAChC,aAAa;YACb,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,mBAAmB,CAAC;QAChD,CAAC;aAAM,IAAI,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACrD,2BAA2B;YAC3B,IAAI,CAAC,UAAU,GAAG,IAAI,wBAAwB,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;QAC1F,CAAC;aAAM,IAAI,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACzE,8BAA8B;YAC9B,IAAI,CAAC,UAAU,GAAG,IAAI,uCAAkB,CAAC;gBACvC,cAAc,EAAE,OAAO,CAAC,cAAc;gBACtC,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,gIAAgI,CAAC,CAAC;QACpJ,CAAC;QAED,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,qBAAqB,CAAC;QAClE,IAAI,CAAC,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,IAAI,qBAAqB,CAAC;QACpF,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAC7C,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;QACrD,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;QAC/C,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,IAAI,MAAM,CAAC;IACjE,CAAC;IAEM,KAAK,CAAC,iBAAiB;QAC5B,IAAI,MAAM,IAAI,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACpC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;YAC5C,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,kBAAkB;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;YAChE,MAAM,IAAI,GAAG,IAAI,6BAAe,CAAC,OAAO,CAAC,CAAC;YAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;YACxE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAChC,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,WAAW,GAAG,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC3C,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;YAC/D,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACjG,OAAO,WAAW,GAAG,WAAW,IAAI,kBAAkB,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,gBAAgB;QAC5B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1D,MAAM,IAAI,CAAC,eAAe,CAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;QACzD,MAAM,IAAI,CAAC,eAAe,CAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAC7D,MAAM,IAAI,CAAC,eAAe,CAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;QAC1D,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,eAAe,CAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;QAC1D,CAAC;QAED,0CAA0C;QAC1C,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,GAAG,IAAI,CAAC,qBAAqB,CAAC,CAAC;QACzE,IAAI,SAA4B,CAAC;QAEjC,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,sBAAsB,CAAC,YAAY,CAAC,CAAC;gBAChD,OAAO,CAAC,WAAW;YACrB,CAAC;YAAC,OAAO,KAAc,EAAE,CAAC;gBACxB,SAAS,GAAG,KAAc,CAAC;gBAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,YAAY,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;gBACrE,IAAI,YAAY,KAAK,aAAa,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;oBAC7D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,MAAM,IAAI,KAAK,CAAC,wBAAwB,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;IAChE,CAAC;IAEO,KAAK,CAAC,sBAAsB,CAAC,YAAoB;QACvD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,YAAY,EAAE,CAAC,CAAC;QAEhD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC1E,MAAM,MAAM,GAAG,IAAI,qBAAI,CAAC,MAAM,CAAC;YAC7B,YAAY;YACZ,UAAU;SACX,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAEjC,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC7E,MAAM,CAAE,UAAU,EAAE,GAAG,CAAE,GAAG,MAAM,qBAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YACtD,QAAQ,EAAE,IAAI,CAAC,OAAO;YACtB,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;SAC5B,EAAE,eAAe,IAAI,SAAS,CAAC,CAAC;QAEjC,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC;YACpC,GAAG;YACH,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,oBAAoB,EAAE,IAAI;YAC1B,iBAAiB,EAAE,CAAE,QAAQ,CAAE;YAC/B,iBAAiB,EAAE,KAAK,EAAE,KAAoB,EAAE,UAAmB,EAAE,gBAAwB,EAAiB,EAAE;gBAC9G,MAAM,UAAU,GAAG,mBAAmB,KAAK,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBAC/D,MAAM,KAAK,GAAG,IAAA,oBAAY,EAAC,gBAAgB,CAAC,CAAC;gBAC7C,MAAM,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;gBACtD,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAC5C,CAAC;YACD,iBAAiB,EAAE,KAAK,EAAE,KAAoB,EAAiB,EAAE;gBAC/D,MAAM,UAAU,GAAG,mBAAmB,KAAK,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBAC/D,MAAM,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;YACpD,CAAC;SACF,CAAC,CAAC;QAEH,MAAM,kBAAE,CAAC,SAAS,CAAC,IAAI,CAAC,kBAAkB,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC;QACnE,MAAM,kBAAE,CAAC,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;QACtD,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,kBAAE,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,YAAY,GAAG,CAAC,CAAC;IACxD,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,MAAmB;QAC7C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,aAAa,CAAC;gBACzB,oBAAoB,EAAE,IAAI;gBAC1B,OAAO,EAAE,CAAE,UAAU,IAAI,CAAC,KAAK,EAAE,CAAE;aACpC,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAI,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;YACxC,CAAC;iBAAM,CAAC;gBACN,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,sBAAsB,CAAC,IAAY;QAC/C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC7B,CAAC;QACD,MAAM,IAAI,CAAC,eAAe,CAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,MAAM,qBAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACjD,MAAM,kBAAE,CAAC,SAAS,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IACxB,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,IAAY;QACzC,IAAI,CAAC;YACH,OAAO,MAAM,kBAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,IAAY;QACxC,IAAI,CAAC,IAAI,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAC1B,OAAO;QACT,CAAC;QACD,MAAM,IAAA,gBAAK,EAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAEO,KAAK,CAAC,KAAK,CAAC,EAAU;QAC5B,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YACZ,OAAO;QACT,CAAC;QACD,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAC1D,CAAC;IAEO,eAAe,CAAC,KAAc;QACpC,OAAO,OAAO,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,QAAQ,IAAI,KAAK,IAAK,KAAa,CAAC,MAAM,KAAK,GAAG,CAAC,CAAC;IAC3G,CAAC;CACF;AAnMD,wDAmMC","sourcesContent":["import { promises as fs } from 'node:fs';\nimport { dirname } from 'node:path';\nimport { mkdir } from 'node:fs/promises';\nimport { X509Certificate } from 'node:crypto';\nimport acme from 'acme-client';\nimport type { Authorization } from 'acme-client';\nimport { getLoggerFor } from 'global-logger-factory';\nimport { DnsChallengeClient } from './DnsChallengeClient';\nimport { toDns01Value } from './utils';\nimport type { DnsProvider } from '../../dns/DnsProvider';\n\n/**\n * DNS 验证处理器接口\n */\nexport interface DnsChallengeHandler {\n  setChallenge(host: string, value: string): Promise<void>;\n  removeChallenge(host: string, value?: string): Promise<void>;\n}\n\n/**\n * 使用 DnsProvider 的本地 DNS 验证处理器\n */\nexport class LocalDnsChallengeHandler implements DnsChallengeHandler {\n  private readonly provider: DnsProvider;\n  private readonly rootDomain: string;\n\n  public constructor(provider: DnsProvider, rootDomain: string) {\n    this.provider = provider;\n    this.rootDomain = rootDomain;\n  }\n\n  public async setChallenge(host: string, value: string): Promise<void> {\n    // host 格式: _acme-challenge.node1.pods.undefineds.co\n    // 需要提取 subdomain: _acme-challenge.node1.pods\n    const subdomain = this.extractSubdomain(host);\n    await this.provider.upsertRecord({\n      domain: this.rootDomain,\n      subdomain,\n      type: 'TXT',\n      value,\n      ttl: 60,\n    });\n  }\n\n  public async removeChallenge(host: string, value?: string): Promise<void> {\n    const subdomain = this.extractSubdomain(host);\n    await this.provider.deleteRecord({\n      domain: this.rootDomain,\n      subdomain,\n      type: 'TXT',\n      value,\n    });\n  }\n\n  private extractSubdomain(host: string): string {\n    // 从 _acme-challenge.node1.pods.undefineds.co 提取 _acme-challenge.node1.pods\n    const suffix = `.${this.rootDomain}`;\n    if (host.endsWith(suffix)) {\n      return host.slice(0, -suffix.length);\n    }\n    return host;\n  }\n}\n\nexport interface AcmeCertificateManagerOptions {\n  /** Cloud 模式: 通过 signal endpoint 操作 DNS */\n  signalEndpoint?: string;\n  nodeId?: string;\n  nodeToken?: string;\n  \n  /** Local 模式: 直接使用 DNS Provider */\n  dnsProvider?: DnsProvider;\n  rootDomain?: string;\n  \n  /** 或者直接提供自定义的 DNS 验证处理器 */\n  dnsChallengeHandler?: DnsChallengeHandler;\n  \n  email: string;\n  domains: string[];\n  directoryUrl?: string;\n  fallbackDirectoryUrls?: string[]; // CA failover support\n  accountKeyPath: string;\n  certificateKeyPath: string;\n  certificatePath: string;\n  fullChainPath?: string;\n  renewBeforeDays?: number;\n  propagationDelayMs?: number;\n}\n\nconst DEFAULT_DIRECTORY_URL = acme.directory.letsencrypt.production;\nconst DEFAULT_FALLBACK_URLS = [\n  acme.directory.letsencrypt.staging, // Staging as fallback for testing\n  'https://acme.zerossl.com/v2/DV90', // ZeroSSL as alternative CA\n];\n\nexport class AcmeCertificateManager {\n  private readonly logger = getLoggerFor(this);\n  private readonly dnsHandler: DnsChallengeHandler;\n  private readonly email: string;\n  private readonly domains: string[];\n  private readonly directoryUrl: string;\n  private readonly fallbackDirectoryUrls: string[];\n  private readonly accountKeyPath: string;\n  private readonly certificateKeyPath: string;\n  private readonly certificatePath: string;\n  private readonly fullChainPath?: string;\n  private readonly renewBeforeDays: number;\n  private readonly propagationDelayMs: number;\n\n  public constructor(options: AcmeCertificateManagerOptions) {\n    // 确定 DNS 验证处理器\n    if (options.dnsChallengeHandler) {\n      // 用户提供自定义处理器\n      this.dnsHandler = options.dnsChallengeHandler;\n    } else if (options.dnsProvider && options.rootDomain) {\n      // Local 模式：使用 DNS Provider\n      this.dnsHandler = new LocalDnsChallengeHandler(options.dnsProvider, options.rootDomain);\n    } else if (options.signalEndpoint && options.nodeId && options.nodeToken) {\n      // Cloud 模式：通过 signal endpoint\n      this.dnsHandler = new DnsChallengeClient({\n        signalEndpoint: options.signalEndpoint,\n        nodeId: options.nodeId,\n        nodeToken: options.nodeToken,\n      });\n    } else {\n      throw new Error('AcmeCertificateManager 需要提供 DNS 验证方式: dnsChallengeHandler, (dnsProvider + rootDomain), 或 (signalEndpoint + nodeId + nodeToken)');\n    }\n    \n    this.email = options.email;\n    this.domains = options.domains;\n    this.directoryUrl = options.directoryUrl ?? DEFAULT_DIRECTORY_URL;\n    this.fallbackDirectoryUrls = options.fallbackDirectoryUrls ?? DEFAULT_FALLBACK_URLS;\n    this.accountKeyPath = options.accountKeyPath;\n    this.certificateKeyPath = options.certificateKeyPath;\n    this.certificatePath = options.certificatePath;\n    this.fullChainPath = options.fullChainPath;\n    this.renewBeforeDays = options.renewBeforeDays ?? 15;\n    this.propagationDelayMs = options.propagationDelayMs ?? 15_000;\n  }\n\n  public async ensureCertificate(): Promise<boolean> {\n    if (await this.isCertificateValid()) {\n      this.logger.debug('现有证书仍在有效期内，跳过 ACME 申请。');\n      return false;\n    }\n    await this.issueCertificate();\n    return true;\n  }\n\n  private async isCertificateValid(): Promise<boolean> {\n    try {\n      const certPem = await fs.readFile(this.certificatePath, 'utf8');\n      const cert = new X509Certificate(certPem);\n      const expiresAt = cert.validTo ? new Date(cert.validTo).getTime() : NaN;\n      if (!Number.isFinite(expiresAt)) {\n        return false;\n      }\n      const remainingMs = expiresAt - Date.now();\n      const thresholdMs = this.renewBeforeDays * 24 * 60 * 60 * 1000;\n      const containsAllDomains = this.domains.every((domain) => cert.subjectAltName?.includes(domain));\n      return remainingMs > thresholdMs && containsAllDomains;\n    } catch {\n      return false;\n    }\n  }\n\n  private async issueCertificate(): Promise<void> {\n    this.logger.info(`申请 ACME 证书：${this.domains.join(', ')}`);\n    await this.ensureDirectory(dirname(this.accountKeyPath));\n    await this.ensureDirectory(dirname(this.certificateKeyPath));\n    await this.ensureDirectory(dirname(this.certificatePath));\n    if (this.fullChainPath) {\n      await this.ensureDirectory(dirname(this.fullChainPath));\n    }\n\n    // Try primary CA first, then fallback CAs\n    const directoryUrls = [this.directoryUrl, ...this.fallbackDirectoryUrls];\n    let lastError: Error | undefined;\n\n    for (const directoryUrl of directoryUrls) {\n      try {\n        await this.issueCertificateFromCA(directoryUrl);\n        return; // Success!\n      } catch (error: unknown) {\n        lastError = error as Error;\n        this.logger.warn(`ACME CA ${directoryUrl} 失败: ${lastError.message}`);\n        if (directoryUrl !== directoryUrls[directoryUrls.length - 1]) {\n          this.logger.info('尝试下一个 ACME CA...');\n        }\n      }\n    }\n\n    // All CAs failed\n    throw new Error(`所有 ACME CA 都失败。最后错误: ${lastError?.message}`);\n  }\n\n  private async issueCertificateFromCA(directoryUrl: string): Promise<void> {\n    this.logger.info(`使用 ACME CA: ${directoryUrl}`);\n    \n    const accountKey = await this.loadOrCreateAccountKey(this.accountKeyPath);\n    const client = new acme.Client({\n      directoryUrl,\n      accountKey,\n    });\n\n    await this.ensureAccount(client);\n\n    const existingCertKey = await this.readOptionalFile(this.certificateKeyPath);\n    const [ privateKey, csr ] = await acme.crypto.createCsr({\n      altNames: this.domains,\n      commonName: this.domains[0],\n    }, existingCertKey ?? undefined);\n\n    const certificate = await client.auto({\n      csr,\n      email: this.email,\n      termsOfServiceAgreed: true,\n      challengePriority: [ 'dns-01' ],\n      challengeCreateFn: async (authz: Authorization, _challenge: unknown, keyAuthorization: string): Promise<void> => {\n        const recordName = `_acme-challenge.${authz.identifier.value}`;\n        const value = toDns01Value(keyAuthorization);\n        await this.dnsHandler.setChallenge(recordName, value);\n        await this.delay(this.propagationDelayMs);\n      },\n      challengeRemoveFn: async (authz: Authorization): Promise<void> => {\n        const recordName = `_acme-challenge.${authz.identifier.value}`;\n        await this.dnsHandler.removeChallenge(recordName);\n      },\n    });\n\n    await fs.writeFile(this.certificateKeyPath, privateKey.toString());\n    await fs.writeFile(this.certificatePath, certificate);\n    if (this.fullChainPath) {\n      await fs.writeFile(this.fullChainPath, certificate);\n    }\n    this.logger.info(`ACME 证书申请成功 (CA: ${directoryUrl})`);\n  }\n\n  private async ensureAccount(client: acme.Client): Promise<void> {\n    try {\n      await client.createAccount({\n        termsOfServiceAgreed: true,\n        contact: [ `mailto:${this.email}` ],\n      });\n      this.logger.debug('ACME 账户已创建。');\n    } catch (error: unknown) {\n      if (this.isConflictError(error)) {\n        this.logger.debug('ACME 账户已存在，跳过创建。');\n      } else {\n        throw error;\n      }\n    }\n  }\n\n  private async loadOrCreateAccountKey(path: string): Promise<string> {\n    const existing = await this.readOptionalFile(path);\n    if (existing) {\n      return existing.toString();\n    }\n    await this.ensureDirectory(dirname(path));\n    const key = await acme.crypto.createPrivateKey();\n    await fs.writeFile(path, key);\n    return key.toString();\n  }\n\n  private async readOptionalFile(path: string): Promise<Buffer | undefined> {\n    try {\n      return await fs.readFile(path);\n    } catch {\n      return undefined;\n    }\n  }\n\n  private async ensureDirectory(path: string): Promise<void> {\n    if (!path || path === '.') {\n      return;\n    }\n    await mkdir(path, { recursive: true });\n  }\n\n  private async delay(ms: number): Promise<void> {\n    if (ms <= 0) {\n      return;\n    }\n    await new Promise((resolve) => setTimeout(resolve, ms));\n  }\n\n  private isConflictError(error: unknown): boolean {\n    return Boolean(error && typeof error === 'object' && 'status' in error && (error as any).status === 409);\n  }\n}\n"]}