@viewportai/daemon 0.1.0 → 0.2.0

package/dist/relay/bridge-crypto.js

@@ -0,0 +1,63 @@
+import crypto from 'node:crypto';
+function isRelayHandshakeProfile(value) {
+    return value === 'noise-ik' || value === 'noise-ikpsk2';
+}
+function toEnvelopeAad(envelope) {
+    return Buffer.from(`viewport-relay-envelope-v2|${envelope.profile}|${envelope.sessionId}|${envelope.epoch}|${envelope.seq}`, 'utf8');
+}
+export function toBase64Url(buffer) {
+    return buffer.toString('base64url');
+}
+export function fromBase64Url(value) {
+    return Buffer.from(value, 'base64url');
+}
+export function parseRelayEnvelope(raw) {
+    const parsed = JSON.parse(raw);
+    if (parsed.type !== 'e2ee' ||
+        parsed.version !== 2 ||
+        !isRelayHandshakeProfile(parsed.profile) ||
+        typeof parsed.sessionId !== 'string' ||
+        parsed.sessionId.trim().length === 0 ||
+        typeof parsed.epoch !== 'number' ||
+        !Number.isInteger(parsed.epoch) ||
+        parsed.epoch < 1 ||
+        typeof parsed.seq !== 'number' ||
+        !Number.isInteger(parsed.seq) ||
+        parsed.seq < 1 ||
+        typeof parsed.iv !== 'string' ||
+        typeof parsed.tag !== 'string' ||
+        typeof parsed.ciphertext !== 'string') {
+        throw new Error('Invalid relay envelope');
+    }
+    return parsed;
+}
+export function encryptEnvelope(key, plaintext, metadata) {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    cipher.setAAD(toEnvelopeAad(metadata));
+    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    const envelope = {
+        type: 'e2ee',
+        version: 2,
+        profile: metadata.profile,
+        sessionId: metadata.sessionId,
+        epoch: metadata.epoch,
+        seq: metadata.seq,
+        iv: toBase64Url(iv),
+        tag: toBase64Url(tag),
+        ciphertext: toBase64Url(ciphertext),
+    };
+    return JSON.stringify(envelope);
+}
+export function decryptEnvelope(key, envelope) {
+    const iv = fromBase64Url(envelope.iv);
+    const tag = fromBase64Url(envelope.tag);
+    const ciphertext = fromBase64Url(envelope.ciphertext);
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAAD(toEnvelopeAad(envelope));
+    decipher.setAuthTag(tag);
+    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return plaintext.toString('utf8');
+}
+//# sourceMappingURL=bridge-crypto.js.map

package/dist/relay/bridge-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-crypto.js","sourceRoot":"","sources":["../../src/relay/bridge-crypto.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAejC,SAAS,uBAAuB,CAAC,KAAc;IAC7C,OAAO,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,cAAc,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CACpB,QAA0E;IAE1E,OAAO,MAAM,CAAC,IAAI,CAChB,8BAA8B,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,GAAG,EAAE,EACxG,MAAM,CACP,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAc;IACxC,OAAO,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA6B,CAAC;IAC3D,IACE,MAAM,CAAC,IAAI,KAAK,MAAM;QACtB,MAAM,CAAC,OAAO,KAAK,CAAC;QACpB,CAAC,uBAAuB,CAAC,MAAM,CAAC,OAAO,CAAC;QACxC,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;QACpC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;QACpC,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ;QAChC,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC;QAC/B,MAAM,CAAC,KAAK,GAAG,CAAC;QAChB,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC;QAC7B,MAAM,CAAC,GAAG,GAAG,CAAC;QACd,OAAO,MAAM,CAAC,EAAE,KAAK,QAAQ;QAC7B,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,EACrC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,MAAyB,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,GAAW,EACX,SAAiB,EACjB,QAA0E;IAE1E,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAoB;QAChC,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,GAAG,EAAE,QAAQ,CAAC,GAAG;QACjB,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC;QACnB,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC;QACrB,UAAU,EAAE,WAAW,CAAC,UAAU,CAAC;KACpC,CAAC;IACF,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,QAAyB;IACpE,MAAM,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACjE,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;IACzC,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACjF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC"}

package/dist/relay/bridge-errors.d.ts

@@ -0,0 +1,6 @@
+export type BridgeErrorCode = 'TOKEN_ISSUE_FAILED' | 'TOKEN_RESPONSE_INVALID' | 'DAEMON_KEY_REGISTER_FAILED' | 'KEY_EXCHANGE_FAILED' | 'WEBSOCKET_CONNECT_TIMEOUT' | 'ENVELOPE_DECRYPT_FAILED' | 'CIRCUIT_OPEN' | 'WEBSOCKET_ERROR' | 'UNKNOWN';
+export declare class BridgeError extends Error {
+    readonly code: BridgeErrorCode;
+    constructor(code: BridgeErrorCode, message: string);
+}
+//# sourceMappingURL=bridge-errors.d.ts.map

package/dist/relay/bridge-errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-errors.d.ts","sourceRoot":"","sources":["../../src/relay/bridge-errors.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GACvB,oBAAoB,GACpB,wBAAwB,GACxB,4BAA4B,GAC5B,qBAAqB,GACrB,2BAA2B,GAC3B,yBAAyB,GACzB,cAAc,GACd,iBAAiB,GACjB,SAAS,CAAC;AAEd,qBAAa,WAAY,SAAQ,KAAK;IAElC,QAAQ,CAAC,IAAI,EAAE,eAAe;gBAArB,IAAI,EAAE,eAAe,EAC9B,OAAO,EAAE,MAAM;CAKlB"}

package/dist/relay/bridge-errors.js

@@ -0,0 +1,9 @@
+export class BridgeError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = 'BridgeError';
+    }
+}
+//# sourceMappingURL=bridge-errors.js.map

package/dist/relay/bridge-errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-errors.js","sourceRoot":"","sources":["../../src/relay/bridge-errors.ts"],"names":[],"mappings":"AAWA,MAAM,OAAO,WAAY,SAAQ,KAAK;IAEzB;IADX,YACW,IAAqB,EAC9B,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAHN,SAAI,GAAJ,IAAI,CAAiB;QAI9B,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF"}

package/dist/relay/bridge-jwt.d.ts

@@ -0,0 +1,18 @@
+export interface RelayTokenClaims {
+    e2eeProfile?: string;
+    pairingSecret?: string;
+    iss?: string;
+    aud?: string | string[];
+    exp?: number;
+    iat?: number;
+    nbf?: number;
+    jti?: string;
+}
+export interface RelayTokenVerificationOptions {
+    issuer?: string;
+    audience?: string;
+    signingKeys: Record<string, string>;
+    clockSkewSec?: number;
+}
+export declare function verifyRelayTokenClaims(relayToken: string, options: RelayTokenVerificationOptions): RelayTokenClaims;
+//# sourceMappingURL=bridge-jwt.d.ts.map

package/dist/relay/bridge-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-jwt.d.ts","sourceRoot":"","sources":["../../src/relay/bridge-jwt.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,gBAAgB;IAC/B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AA+ED,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,6BAA6B,GACrC,gBAAgB,CAiGlB"}

package/dist/relay/bridge-jwt.js

@@ -0,0 +1,130 @@
+import crypto from 'node:crypto';
+import { BridgeError } from './bridge-errors.js';
+function parseBase64UrlJson(segment, label) {
+    let decoded = '';
+    try {
+        decoded = Buffer.from(segment, 'base64url').toString('utf8');
+    }
+    catch (error) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', `relay token ${label} decode failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    try {
+        return JSON.parse(decoded);
+    }
+    catch (error) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', `relay token ${label} JSON invalid: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+function secureCompare(aRaw, bRaw) {
+    const a = Buffer.from(aRaw, 'utf8');
+    const b = Buffer.from(bRaw, 'utf8');
+    const compareLength = Math.max(a.length, b.length, 1);
+    const paddedA = Buffer.alloc(compareLength);
+    const paddedB = Buffer.alloc(compareLength);
+    a.copy(paddedA);
+    b.copy(paddedB);
+    const equal = crypto.timingSafeEqual(paddedA, paddedB);
+    return equal && a.length === b.length;
+}
+function ensureNumericClaim(payload, name) {
+    const raw = payload[name];
+    if (raw === undefined)
+        return undefined;
+    if (typeof raw !== 'number' || !Number.isFinite(raw)) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', `relay token ${name} claim must be numeric`);
+    }
+    return raw;
+}
+function ensureAudience(payload, expectedAudience) {
+    if (!expectedAudience)
+        return;
+    const aud = payload['aud'];
+    if (typeof aud === 'string') {
+        if (aud !== expectedAudience) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', `relay token audience mismatch (expected ${expectedAudience})`);
+        }
+        return;
+    }
+    if (Array.isArray(aud) && aud.every((entry) => typeof entry === 'string')) {
+        if (!aud.includes(expectedAudience)) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', `relay token audience mismatch (expected ${expectedAudience})`);
+        }
+        return;
+    }
+    throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token aud claim is missing/invalid');
+}
+export function verifyRelayTokenClaims(relayToken, options) {
+    const parts = relayToken.split('.');
+    if (parts.length !== 3) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token is malformed');
+    }
+    const [headerPart, payloadPart, signaturePart] = parts;
+    if (!headerPart || !payloadPart || !signaturePart) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token is malformed');
+    }
+    const header = parseBase64UrlJson(headerPart, 'header');
+    if (!header || typeof header !== 'object' || Array.isArray(header)) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token header is invalid');
+    }
+    if (header.alg !== 'HS256' && header.alg !== 'RS256') {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', `unsupported relay token alg: ${String(header.alg)}`);
+    }
+    const kid = typeof header.kid === 'string' && header.kid.trim().length > 0 ? header.kid : 'v1';
+    const signingKey = options.signingKeys[kid];
+    if (!signingKey || signingKey.trim().length === 0) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', `relay token key id ${kid} is not trusted`);
+    }
+    if (header.alg === 'HS256') {
+        const expectedSignature = Buffer.from(crypto.createHmac('sha256', signingKey).update(`${headerPart}.${payloadPart}`).digest()).toString('base64url');
+        if (!secureCompare(expectedSignature, signaturePart)) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token signature invalid');
+        }
+    }
+    else {
+        let signatureRaw;
+        try {
+            signatureRaw = Buffer.from(signaturePart, 'base64url');
+        }
+        catch (error) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', `relay token signature decode failed: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        const valid = crypto.verify('RSA-SHA256', Buffer.from(`${headerPart}.${payloadPart}`, 'utf8'), signingKey, signatureRaw);
+        if (!valid) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token signature invalid');
+        }
+    }
+    const payload = parseBase64UrlJson(payloadPart, 'payload');
+    if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token payload is not an object');
+    }
+    if (options.issuer) {
+        const iss = payload['iss'];
+        if (typeof iss !== 'string' || iss !== options.issuer) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', `relay token issuer mismatch (expected ${options.issuer})`);
+        }
+    }
+    ensureAudience(payload, options.audience);
+    const nowSec = Math.floor(Date.now() / 1000);
+    const skew = Math.max(0, Math.floor(options.clockSkewSec ?? 30));
+    const exp = ensureNumericClaim(payload, 'exp');
+    const iat = ensureNumericClaim(payload, 'iat');
+    const nbf = ensureNumericClaim(payload, 'nbf');
+    if (exp === undefined) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token exp claim is required');
+    }
+    if (exp <= nowSec - skew) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token is expired');
+    }
+    if (iat !== undefined && iat > nowSec + skew) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token iat is in the future');
+    }
+    if (nbf !== undefined && nbf > nowSec + skew) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token is not active yet');
+    }
+    const jti = payload['jti'];
+    if (typeof jti !== 'string' || jti.trim().length === 0) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'relay token jti claim is required');
+    }
+    return payload;
+}
+//# sourceMappingURL=bridge-jwt.js.map

package/dist/relay/bridge-jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-jwt.js","sourceRoot":"","sources":["../../src/relay/bridge-jwt.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AA0BjD,SAAS,kBAAkB,CAAI,OAAe,EAAE,KAAa;IAC3D,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC/D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,eAAe,KAAK,mBAAmB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAChG,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAM,CAAC;IAClC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,eAAe,KAAK,kBAAkB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC/F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,IAAY,EAAE,IAAY;IAC/C,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAC5C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAChB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAChB,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACvD,OAAO,KAAK,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,CAAC;AACxC,CAAC;AAED,SAAS,kBAAkB,CACzB,OAAgC,EAChC,IAA2B;IAE3B,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,eAAe,IAAI,wBAAwB,CAAC,CAAC;IAC/F,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,cAAc,CACrB,OAAgC,EAChC,gBAAoC;IAEpC,IAAI,CAAC,gBAAgB;QAAE,OAAO;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,GAAG,KAAK,gBAAgB,EAAE,CAAC;YAC7B,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,2CAA2C,gBAAgB,GAAG,CAC/D,CAAC;QACJ,CAAC;QACD,OAAO;IACT,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAE,GAAgB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,2CAA2C,gBAAgB,GAAG,CAC/D,CAAC;QACJ,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,0CAA0C,CAAC,CAAC;AAC9F,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,UAAkB,EAClB,OAAsC;IAEtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,0BAA0B,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,CAAC,UAAU,EAAE,WAAW,EAAE,aAAa,CAAC,GAAG,KAAiC,CAAC;IACnF,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,IAAI,CAAC,aAAa,EAAE,CAAC;QAClD,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,0BAA0B,CAAC,CAAC;IAC9E,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,CAAY,UAAU,EAAE,QAAQ,CAAC,CAAC;IACnE,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,+BAA+B,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QACrD,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,gCAAgC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACrD,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/F,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,sBAAsB,GAAG,iBAAiB,CAAC,CAAC;IAC9F,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QAC3B,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CACnC,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,GAAG,UAAU,IAAI,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CACxF,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxB,IAAI,CAAC,aAAa,CAAC,iBAAiB,EAAE,aAAa,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,+BAA+B,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,YAAoB,CAAC;QACzB,IAAI,CAAC;YACH,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;QACzD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,wCAAwC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjG,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CACzB,YAAY,EACZ,MAAM,CAAC,IAAI,CAAC,GAAG,UAAU,IAAI,WAAW,EAAE,EAAE,MAAM,CAAC,EACnD,UAAU,EACV,YAAY,CACb,CAAC;QACF,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,+BAA+B,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,kBAAkB,CAA0B,WAAW,EAAE,SAAS,CAAC,CAAC;IACpF,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,sCAAsC,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;YACtD,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,yCAAyC,OAAO,CAAC,MAAM,GAAG,CAC3D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAE/C,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,mCAAmC,CAAC,CAAC;IACvF,CAAC;IACD,IAAI,GAAG,IAAI,MAAM,GAAG,IAAI,EAAE,CAAC;QACzB,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,wBAAwB,CAAC,CAAC;IAC5E,CAAC;IACD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,MAAM,GAAG,IAAI,EAAE,CAAC;QAC7C,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,kCAAkC,CAAC,CAAC;IACtF,CAAC;IACD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,MAAM,GAAG,IAAI,EAAE,CAAC;QAC7C,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,+BAA+B,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,mCAAmC,CAAC,CAAC;IACvF,CAAC;IAED,OAAO,OAA2B,CAAC;AACrC,CAAC"}

package/dist/relay/bridge-key-exchange.d.ts

@@ -0,0 +1,49 @@
+export interface DaemonRelayIdentity {
+    publicKey: string;
+    privateKey: string;
+    algorithm: 'p256';
+}
+export type RelayHandshakeProfile = 'noise-ik' | 'noise-ikpsk2';
+export interface RelayKeyExchangeInitFrame {
+    type: 'relay_key_exchange_init';
+    version: 2;
+    profile: RelayHandshakeProfile;
+    requestId: string;
+    clientPublicKey: string;
+    clientNonce: string;
+    clientProof: string;
+    pairingPeerId?: string;
+    previousSessionId?: string;
+}
+export interface RelayKeyExchangeResponseFrame {
+    type: 'relay_key_exchange_response';
+    version: 2;
+    profile: RelayHandshakeProfile;
+    requestId: string;
+    daemonPublicKey: string;
+    daemonNonce: string;
+    sessionId: string;
+    epoch: number;
+    proof: string;
+}
+export interface DerivedRelaySession {
+    key: Buffer;
+    profile: RelayHandshakeProfile;
+    sessionId: string;
+    epoch: number;
+}
+export declare function loadOrCreateIdentity(workspaceId: string): Promise<DaemonRelayIdentity>;
+export declare function parseRelayHandshakeProfile(value: unknown): RelayHandshakeProfile | null;
+export declare function parseRelayKeyExchangeInitFrame(value: unknown): RelayKeyExchangeInitFrame | null;
+export declare function deriveSessionFromKeyExchange(params: {
+    init: RelayKeyExchangeInitFrame;
+    daemonIdentity: DaemonRelayIdentity;
+    nextEpoch: number;
+    pairingSecret?: Buffer;
+    daemonNonceOverride?: Buffer;
+    sessionIdOverride?: string;
+}): {
+    session: DerivedRelaySession;
+    response: RelayKeyExchangeResponseFrame;
+};
+//# sourceMappingURL=bridge-key-exchange.d.ts.map

package/dist/relay/bridge-key-exchange.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-key-exchange.d.ts","sourceRoot":"","sources":["../../src/relay/bridge-key-exchange.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,UAAU,GAAG,cAAc,CAAC;AAEhE,MAAM,WAAW,yBAAyB;IACxC,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,qBAAqB,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,6BAA6B;IAC5C,IAAI,EAAE,6BAA6B,CAAC;IACpC,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,qBAAqB,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,qBAAqB,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;CACf;AAsBD,wBAAsB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAkC5F;AAwHD,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,qBAAqB,GAAG,IAAI,CAGvF;AAED,wBAAgB,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,yBAAyB,GAAG,IAAI,CAiC/F;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE;IACnD,IAAI,EAAE,yBAAyB,CAAC;IAChC,cAAc,EAAE,mBAAmB,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GAAG;IAAE,OAAO,EAAE,mBAAmB,CAAC;IAAC,QAAQ,EAAE,6BAA6B,CAAA;CAAE,CA2F5E"}

package/dist/relay/bridge-key-exchange.js

@@ -0,0 +1,234 @@
+import crypto from 'node:crypto';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { configDir } from '../core/config.js';
+import { fromBase64Url, toBase64Url } from './bridge-crypto.js';
+const SESSION_INFO_PREFIX = 'viewport-relay-session-v2';
+const TRANSCRIPT_PREFIX = 'viewport-relay-transcript-v2';
+const INIT_INFO_PREFIX = 'viewport-relay-kex-init-v1';
+function safeWorkspaceId(workspaceId) {
+    return workspaceId.replace(/[^a-zA-Z0-9_.-]/g, '_');
+}
+function identityFilePath(workspaceId) {
+    return path.join(configDir(), `relay-daemon-identity-${safeWorkspaceId(workspaceId)}.json`);
+}
+async function writeJsonAtomic(filePath, value) {
+    const dir = path.dirname(filePath);
+    await fs.mkdir(dir, { recursive: true });
+    const tmp = `${filePath}.tmp-${process.pid}-${Date.now()}`;
+    await fs.writeFile(tmp, JSON.stringify(value, null, 2) + '\n', { mode: 0o600 });
+    await fs.rename(tmp, filePath);
+}
+export async function loadOrCreateIdentity(workspaceId) {
+    const filePath = identityFilePath(workspaceId);
+    try {
+        const raw = await fs.readFile(filePath, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (parsed.algorithm === 'p256' &&
+            typeof parsed.publicKey === 'string' &&
+            typeof parsed.privateKey === 'string') {
+            const priv = fromBase64Url(parsed.privateKey);
+            const pub = fromBase64Url(parsed.publicKey);
+            if (priv.length === 32 && pub.length === 65 && pub[0] === 0x04) {
+                return {
+                    algorithm: 'p256',
+                    publicKey: parsed.publicKey,
+                    privateKey: parsed.privateKey,
+                };
+            }
+        }
+    }
+    catch {
+        // create below
+    }
+    const ecdh = crypto.createECDH('prime256v1');
+    const publicKey = ecdh.generateKeys();
+    const privateKey = ecdh.getPrivateKey();
+    const identity = {
+        algorithm: 'p256',
+        publicKey: toBase64Url(publicKey),
+        privateKey: toBase64Url(privateKey),
+    };
+    await writeJsonAtomic(filePath, identity);
+    return identity;
+}
+function toSessionInfo(profile, sessionId, epoch) {
+    return Buffer.from(`${SESSION_INFO_PREFIX}|${profile}|${sessionId}|${epoch}`, 'utf8');
+}
+function toTranscript(params) {
+    return Buffer.from([
+        TRANSCRIPT_PREFIX,
+        params.requestId,
+        params.profile,
+        params.clientPublicKey,
+        params.daemonPublicKey,
+        params.clientNonce,
+        params.daemonNonce,
+        params.sessionId,
+        String(params.epoch),
+    ].join('|'), 'utf8');
+}
+function deriveSessionKey(params) {
+    const ikm = params.profile === 'noise-ikpsk2' && params.pairingSecret
+        ? Buffer.concat([params.sharedSecret, params.pairingSecret])
+        : params.sharedSecret;
+    const salt = Buffer.concat([params.clientNonce, params.daemonNonce]);
+    const derived = crypto.hkdfSync('sha256', ikm, salt, toSessionInfo(params.profile, params.sessionId, params.epoch), 32);
+    return Buffer.isBuffer(derived) ? derived : Buffer.from(derived);
+}
+function computeProof(sessionKey, transcript) {
+    return crypto.createHmac('sha256', sessionKey).update(transcript).digest().subarray(0, 16);
+}
+function toInitInfo(params) {
+    return Buffer.from([
+        INIT_INFO_PREFIX,
+        params.requestId,
+        params.profile,
+        params.clientPublicKey,
+        params.daemonPublicKey,
+        params.clientNonce,
+        params.previousSessionId ?? '',
+    ].join('|'), 'utf8');
+}
+function computeClientInitProof(params) {
+    const ikm = params.profile === 'noise-ikpsk2' && params.pairingSecret
+        ? Buffer.concat([params.sharedSecret, params.pairingSecret])
+        : params.sharedSecret;
+    const initKey = crypto.hkdfSync('sha256', ikm, params.clientNonce, toInitInfo({
+        requestId: params.requestId,
+        profile: params.profile,
+        clientPublicKey: params.clientPublicKey,
+        daemonPublicKey: params.daemonPublicKey,
+        clientNonce: params.clientNonceEncoded,
+        previousSessionId: params.previousSessionId,
+    }), 32);
+    const normalized = Buffer.isBuffer(initKey) ? initKey : Buffer.from(initKey);
+    return crypto
+        .createHmac('sha256', normalized)
+        .update('client-proof', 'utf8')
+        .digest()
+        .subarray(0, 16);
+}
+export function parseRelayHandshakeProfile(value) {
+    if (value === 'noise-ik' || value === 'noise-ikpsk2')
+        return value;
+    return null;
+}
+export function parseRelayKeyExchangeInitFrame(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value))
+        return null;
+    const frame = value;
+    const profile = parseRelayHandshakeProfile(frame['profile']);
+    if (!profile)
+        return null;
+    if (frame['type'] !== 'relay_key_exchange_init' ||
+        frame['version'] !== 2 ||
+        typeof frame['requestId'] !== 'string' ||
+        typeof frame['clientPublicKey'] !== 'string' ||
+        typeof frame['clientNonce'] !== 'string' ||
+        typeof frame['clientProof'] !== 'string') {
+        return null;
+    }
+    const previousSessionId = typeof frame['previousSessionId'] === 'string' ? frame['previousSessionId'] : undefined;
+    const pairingPeerId = typeof frame['pairingPeerId'] === 'string' ? frame['pairingPeerId'] : undefined;
+    if (profile === 'noise-ikpsk2' && (!pairingPeerId || pairingPeerId.trim().length === 0)) {
+        return null;
+    }
+    return {
+        type: 'relay_key_exchange_init',
+        version: 2,
+        profile,
+        requestId: frame['requestId'],
+        clientPublicKey: frame['clientPublicKey'],
+        clientNonce: frame['clientNonce'],
+        clientProof: frame['clientProof'],
+        pairingPeerId,
+        previousSessionId,
+    };
+}
+export function deriveSessionFromKeyExchange(params) {
+    const clientPublic = fromBase64Url(params.init.clientPublicKey);
+    if (clientPublic.length !== 65 || clientPublic[0] !== 0x04) {
+        throw new Error('invalid client public key');
+    }
+    const clientNonce = fromBase64Url(params.init.clientNonce);
+    if (clientNonce.length < 12 || clientNonce.length > 32) {
+        throw new Error('invalid client nonce');
+    }
+    const daemonPrivate = fromBase64Url(params.daemonIdentity.privateKey);
+    if (daemonPrivate.length !== 32) {
+        throw new Error('invalid daemon private key');
+    }
+    if (params.init.profile === 'noise-ikpsk2' && !params.pairingSecret) {
+        throw new Error('pairing secret required for noise-ikpsk2');
+    }
+    const daemonNonce = params.daemonNonceOverride ?? crypto.randomBytes(16);
+    if (daemonNonce.length !== 16) {
+        throw new Error('invalid daemon nonce override');
+    }
+    const sessionId = params.sessionIdOverride ?? `rs_${crypto.randomBytes(12).toString('hex')}`;
+    if (sessionId.trim().length === 0) {
+        throw new Error('invalid session id override');
+    }
+    const epoch = Math.max(1, params.nextEpoch);
+    const ecdh = crypto.createECDH('prime256v1');
+    ecdh.setPrivateKey(daemonPrivate);
+    const sharedSecret = ecdh.computeSecret(clientPublic);
+    const expectedClientProof = computeClientInitProof({
+        sharedSecret,
+        clientNonce,
+        profile: params.init.profile,
+        requestId: params.init.requestId,
+        clientPublicKey: params.init.clientPublicKey,
+        daemonPublicKey: params.daemonIdentity.publicKey,
+        clientNonceEncoded: params.init.clientNonce,
+        previousSessionId: params.init.previousSessionId,
+        pairingSecret: params.pairingSecret,
+    });
+    const providedClientProof = fromBase64Url(params.init.clientProof);
+    if (providedClientProof.length !== expectedClientProof.length ||
+        !crypto.timingSafeEqual(providedClientProof, expectedClientProof)) {
+        throw new Error('invalid client key exchange proof');
+    }
+    const sessionKey = deriveSessionKey({
+        sharedSecret,
+        clientNonce,
+        daemonNonce,
+        profile: params.init.profile,
+        sessionId,
+        epoch,
+        pairingSecret: params.pairingSecret,
+    });
+    const daemonNonceEncoded = toBase64Url(daemonNonce);
+    const transcript = toTranscript({
+        requestId: params.init.requestId,
+        profile: params.init.profile,
+        clientPublicKey: params.init.clientPublicKey,
+        daemonPublicKey: params.daemonIdentity.publicKey,
+        clientNonce: params.init.clientNonce,
+        daemonNonce: daemonNonceEncoded,
+        sessionId,
+        epoch,
+    });
+    const proof = computeProof(sessionKey, transcript);
+    return {
+        session: {
+            key: sessionKey,
+            profile: params.init.profile,
+            sessionId,
+            epoch,
+        },
+        response: {
+            type: 'relay_key_exchange_response',
+            version: 2,
+            profile: params.init.profile,
+            requestId: params.init.requestId,
+            daemonPublicKey: params.daemonIdentity.publicKey,
+            daemonNonce: daemonNonceEncoded,
+            sessionId,
+            epoch,
+            proof: toBase64Url(proof),
+        },
+    };
+}
+//# sourceMappingURL=bridge-key-exchange.js.map

package/dist/relay/bridge-key-exchange.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-key-exchange.js","sourceRoot":"","sources":["../../src/relay/bridge-key-exchange.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAyChE,MAAM,mBAAmB,GAAG,2BAA2B,CAAC;AACxD,MAAM,iBAAiB,GAAG,8BAA8B,CAAC;AACzD,MAAM,gBAAgB,GAAG,4BAA4B,CAAC;AAEtD,SAAS,eAAe,CAAC,WAAmB;IAC1C,OAAO,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,gBAAgB,CAAC,WAAmB;IAC3C,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,yBAAyB,eAAe,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;AAC9F,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,QAAgB,EAAE,KAAc;IAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,GAAG,QAAQ,QAAQ,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC3D,MAAM,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAChF,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,WAAmB;IAC5D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiC,CAAC;QAC/D,IACE,MAAM,CAAC,SAAS,KAAK,MAAM;YAC3B,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;YACpC,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,EACrC,CAAC;YACD,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC9C,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC5C,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC/D,OAAO;oBACL,SAAS,EAAE,MAAM;oBACjB,SAAS,EAAE,MAAM,CAAC,SAAS;oBAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,eAAe;IACjB,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;IACxC,MAAM,QAAQ,GAAwB;QACpC,SAAS,EAAE,MAAM;QACjB,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC;QACjC,UAAU,EAAE,WAAW,CAAC,UAAU,CAAC;KACpC,CAAC;IACF,MAAM,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC1C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,aAAa,CAAC,OAA8B,EAAE,SAAiB,EAAE,KAAa;IACrF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,mBAAmB,IAAI,OAAO,IAAI,SAAS,IAAI,KAAK,EAAE,EAAE,MAAM,CAAC,CAAC;AACxF,CAAC;AAED,SAAS,YAAY,CAAC,MASrB;IACC,OAAO,MAAM,CAAC,IAAI,CAChB;QACE,iBAAiB;QACjB,MAAM,CAAC,SAAS;QAChB,MAAM,CAAC,OAAO;QACd,MAAM,CAAC,eAAe;QACtB,MAAM,CAAC,eAAe;QACtB,MAAM,CAAC,WAAW;QAClB,MAAM,CAAC,WAAW;QAClB,MAAM,CAAC,SAAS;QAChB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;KACrB,CAAC,IAAI,CAAC,GAAG,CAAC,EACX,MAAM,CACP,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,MAQzB;IACC,MAAM,GAAG,GACP,MAAM,CAAC,OAAO,KAAK,cAAc,IAAI,MAAM,CAAC,aAAa;QACvD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;QAC5D,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC;IAC1B,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IACrE,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAC7B,QAAQ,EACR,GAAG,EACH,IAAI,EACJ,aAAa,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,EAC7D,EAAE,CACH,CAAC;IACF,OAAO,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,YAAY,CAAC,UAAkB,EAAE,UAAkB;IAC1D,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC7F,CAAC;AAED,SAAS,UAAU,CAAC,MAOnB;IACC,OAAO,MAAM,CAAC,IAAI,CAChB;QACE,gBAAgB;QAChB,MAAM,CAAC,SAAS;QAChB,MAAM,CAAC,OAAO;QACd,MAAM,CAAC,eAAe;QACtB,MAAM,CAAC,eAAe;QACtB,MAAM,CAAC,WAAW;QAClB,MAAM,CAAC,iBAAiB,IAAI,EAAE;KAC/B,CAAC,IAAI,CAAC,GAAG,CAAC,EACX,MAAM,CACP,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,MAU/B;IACC,MAAM,GAAG,GACP,MAAM,CAAC,OAAO,KAAK,cAAc,IAAI,MAAM,CAAC,aAAa;QACvD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;QAC5D,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC;IAE1B,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAC7B,QAAQ,EACR,GAAG,EACH,MAAM,CAAC,WAAW,EAClB,UAAU,CAAC;QACT,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,WAAW,EAAE,MAAM,CAAC,kBAAkB;QACtC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;KAC5C,CAAC,EACF,EAAE,CACH,CAAC;IACF,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7E,OAAO,MAAM;SACV,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SAChC,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC;SAC9B,MAAM,EAAE;SACR,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,KAAc;IACvD,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,cAAc;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,KAAc;IAC3D,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,MAAM,KAAK,GAAG,KAAgC,CAAC;IAC/C,MAAM,OAAO,GAAG,0BAA0B,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;IAC7D,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,IACE,KAAK,CAAC,MAAM,CAAC,KAAK,yBAAyB;QAC3C,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC;QACtB,OAAO,KAAK,CAAC,WAAW,CAAC,KAAK,QAAQ;QACtC,OAAO,KAAK,CAAC,iBAAiB,CAAC,KAAK,QAAQ;QAC5C,OAAO,KAAK,CAAC,aAAa,CAAC,KAAK,QAAQ;QACxC,OAAO,KAAK,CAAC,aAAa,CAAC,KAAK,QAAQ,EACxC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,iBAAiB,GACrB,OAAO,KAAK,CAAC,mBAAmB,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1F,MAAM,aAAa,GACjB,OAAO,KAAK,CAAC,eAAe,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAClF,IAAI,OAAO,KAAK,cAAc,IAAI,CAAC,CAAC,aAAa,IAAI,aAAa,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QACxF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO;QACL,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,CAAC;QACV,OAAO;QACP,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC;QAC7B,eAAe,EAAE,KAAK,CAAC,iBAAiB,CAAC;QACzC,WAAW,EAAE,KAAK,CAAC,aAAa,CAAC;QACjC,WAAW,EAAE,KAAK,CAAC,aAAa,CAAC;QACjC,aAAa;QACb,iBAAiB;KAClB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,MAO5C;IACC,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAChE,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC3D,IAAI,WAAW,CAAC,MAAM,GAAG,EAAE,IAAI,WAAW,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,aAAa,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,KAAK,cAAc,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,mBAAmB,IAAI,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACzE,IAAI,WAAW,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,iBAAiB,IAAI,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAC7F,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAC7C,IAAI,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;IAClC,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;IACtD,MAAM,mBAAmB,GAAG,sBAAsB,CAAC;QACjD,YAAY;QACZ,WAAW;QACX,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO;QAC5B,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS;QAChC,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,eAAe;QAC5C,eAAe,EAAE,MAAM,CAAC,cAAc,CAAC,SAAS;QAChD,kBAAkB,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW;QAC3C,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB;QAChD,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;IACH,MAAM,mBAAmB,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACnE,IACE,mBAAmB,CAAC,MAAM,KAAK,mBAAmB,CAAC,MAAM;QACzD,CAAC,MAAM,CAAC,eAAe,CAAC,mBAAmB,EAAE,mBAAmB,CAAC,EACjE,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC;QAClC,YAAY;QACZ,WAAW;QACX,WAAW;QACX,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO;QAC5B,SAAS;QACT,KAAK;QACL,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;IAEH,MAAM,kBAAkB,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,UAAU,GAAG,YAAY,CAAC;QAC9B,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS;QAChC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO;QAC5B,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,eAAe;QAC5C,eAAe,EAAE,MAAM,CAAC,cAAc,CAAC,SAAS;QAChD,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW;QACpC,WAAW,EAAE,kBAAkB;QAC/B,SAAS;QACT,KAAK;KACN,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAEnD,OAAO;QACL,OAAO,EAAE;YACP,GAAG,EAAE,UAAU;YACf,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK;SACN;QACD,QAAQ,EAAE;YACR,IAAI,EAAE,6BAA6B;YACnC,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO;YAC5B,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS;YAChC,eAAe,EAAE,MAAM,CAAC,cAAc,CAAC,SAAS;YAChD,WAAW,EAAE,kBAAkB;YAC/B,SAAS;YACT,KAAK;YACL,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC;SAC1B;KACF,CAAC;AACJ,CAAC"}

package/dist/relay/bridge-network.d.ts

@@ -0,0 +1,12 @@
+import type { WebSocket as WsType } from 'ws';
+type RelayWs = WsType;
+type WsCheckServerIdentity = (servername: string, cert: unknown) => boolean;
+export declare function wsOpen(ws: RelayWs): Promise<void>;
+export declare function resolveRelayTlsOptions(relayUrl: string, mode: 'auto' | '0' | '1', caCertPath?: string, relayTlsPins?: string[]): {
+    rejectUnauthorized?: boolean;
+    ca?: Buffer;
+    checkServerIdentity?: WsCheckServerIdentity;
+};
+export declare function closeQuietly(ws: RelayWs | null | undefined): void;
+export {};
+//# sourceMappingURL=bridge-network.d.ts.map

package/dist/relay/bridge-network.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-network.d.ts","sourceRoot":"","sources":["../../src/relay/bridge-network.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,IAAI,MAAM,EAAE,MAAM,IAAI,CAAC;AAI9C,KAAK,OAAO,GAAG,MAAM,CAAC;AACtB,KAAK,qBAAqB,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,KAAK,OAAO,CAAC;AAE5E,wBAAgB,MAAM,CAAC,EAAE,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CA2BjD;AAED,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GAAG,GAAG,GAAG,GAAG,EACxB,UAAU,CAAC,EAAE,MAAM,EACnB,YAAY,CAAC,EAAE,MAAM,EAAE,GACtB;IAAE,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAAC,EAAE,CAAC,EAAE,MAAM,CAAC;IAAC,mBAAmB,CAAC,EAAE,qBAAqB,CAAA;CAAE,CA+C5F;AAaD,wBAAgB,YAAY,CAAC,EAAE,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,GAAG,IAAI,CAOjE"}