@viewportai/daemon 0.1.0

package/dist/server/message-normalizers.js

@@ -0,0 +1,104 @@
+/**
+ * Message normalizers — convert internal daemon types to wire-format update objects.
+ *
+ * These are pure functions that transform SessionMessage, Step, and PermissionRequest
+ * into the Record<string, unknown> payloads sent inside session-update messages.
+ */
+// ---------------------------------------------------------------------------
+// SessionMessage → update object
+// ---------------------------------------------------------------------------
+export function messageToUpdate(msg) {
+    switch (msg.type) {
+        case 'agent_message':
+            return {
+                updateType: 'agent-message',
+                messageId: msg.messageId,
+                text: msg.text,
+                timestamp: msg.timestamp,
+            };
+        case 'agent_message_chunk':
+            return {
+                updateType: 'agent-message-chunk',
+                messageId: msg.messageId,
+                text: msg.text,
+                timestamp: msg.timestamp,
+            };
+        case 'agent_thought_chunk':
+            return {
+                updateType: 'agent-thought-chunk',
+                messageId: msg.messageId,
+                text: msg.text,
+                timestamp: msg.timestamp,
+            };
+        case 'user_message':
+            return {
+                updateType: 'user-message',
+                messageId: msg.messageId,
+                text: msg.text,
+                timestamp: msg.timestamp,
+            };
+        case 'tool_call':
+            return {
+                updateType: 'tool-call',
+                toolCallId: msg.toolCallId,
+                toolName: msg.toolName,
+                title: msg.title,
+                input: msg.input,
+                detail: msg.detail,
+                status: msg.status,
+                timestamp: msg.timestamp,
+            };
+        case 'tool_call_update':
+            return {
+                updateType: 'tool-call-update',
+                toolCallId: msg.toolCallId,
+                status: msg.status,
+                title: msg.title,
+                output: msg.output,
+                timestamp: msg.timestamp,
+            };
+        case 'token_usage':
+            return {
+                updateType: 'token-usage',
+                inputTokens: msg.inputTokens,
+                outputTokens: msg.outputTokens,
+                costUsd: msg.totalCostUsd,
+                timestamp: msg.timestamp,
+            };
+        case 'system_status':
+            return {
+                updateType: 'system-status',
+                status: msg.status,
+                timestamp: msg.timestamp,
+            };
+        default:
+            return { updateType: 'unknown', timestamp: Date.now() };
+    }
+}
+// ---------------------------------------------------------------------------
+// Step → update object
+// ---------------------------------------------------------------------------
+export function stepToUpdate(step) {
+    return {
+        updateType: 'step-committed',
+        step: step.step,
+        sha: step.sha,
+        toolName: step.toolName,
+        description: step.description,
+        timestamp: step.timestamp,
+    };
+}
+// ---------------------------------------------------------------------------
+// PermissionRequest → update object
+// ---------------------------------------------------------------------------
+export function permissionToUpdate(request) {
+    return {
+        updateType: 'permission-request',
+        requestId: request.requestId,
+        toolName: request.toolName,
+        description: request.description,
+        input: request.input,
+        timestamp: Date.now(),
+    };
+}
+//# sourceMappingURL=message-normalizers.js.map

package/dist/server/message-normalizers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"message-normalizers.js","sourceRoot":"","sources":["../../src/server/message-normalizers.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,MAAM,UAAU,eAAe,CAAC,GAAmB;IACjD,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;QACjB,KAAK,eAAe;YAClB,OAAO;gBACL,UAAU,EAAE,eAAe;gBAC3B,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB,CAAC;QACJ,KAAK,qBAAqB;YACxB,OAAO;gBACL,UAAU,EAAE,qBAAqB;gBACjC,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB,CAAC;QACJ,KAAK,qBAAqB;YACxB,OAAO;gBACL,UAAU,EAAE,qBAAqB;gBACjC,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO;gBACL,UAAU,EAAE,cAAc;gBAC1B,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB,CAAC;QACJ,KAAK,WAAW;YACd,OAAO;gBACL,UAAU,EAAE,WAAW;gBACvB,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB,CAAC;QACJ,KAAK,kBAAkB;YACrB,OAAO;gBACL,UAAU,EAAE,kBAAkB;gBAC9B,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO;gBACL,UAAU,EAAE,aAAa;gBACzB,WAAW,EAAE,GAAG,CAAC,WAAW;gBAC5B,YAAY,EAAE,GAAG,CAAC,YAAY;gBAC9B,OAAO,EAAE,GAAG,CAAC,YAAY;gBACzB,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB,CAAC;QACJ,KAAK,eAAe;YAClB,OAAO;gBACL,UAAU,EAAE,eAAe;gBAC3B,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB,CAAC;QACJ;YACE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC5D,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,MAAM,UAAU,YAAY,CAAC,IAAU;IACrC,OAAO;QACL,UAAU,EAAE,gBAAgB;QAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E,MAAM,UAAU,kBAAkB,CAAC,OAA0B;IAC3D,OAAO;QACL,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;KACtB,CAAC;AACJ,CAAC"}

package/dist/server/pairing-offers.d.ts

@@ -0,0 +1,78 @@
+export interface PairingOfferConnection {
+    host: string;
+    port: number;
+    listen: string;
+    socketPath?: string;
+    profile: 'local' | 'lan' | 'relay';
+}
+export interface PairingOfferPublicPayload extends PairingOfferConnection {
+    offerId: string;
+    createdAt: number;
+    expiresAt: number;
+    trustAnchor: string;
+    daemonDeviceId: string;
+}
+export interface PairingOfferIssuedPayload extends PairingOfferPublicPayload {
+    redeemSecret: string;
+    daemonPublicKey: string;
+}
+export interface PairingOfferRedeemedPayload {
+    offerId: string;
+    token: string;
+    trustAnchor: string;
+    daemonDeviceId: string;
+    daemonPublicKey: string;
+    peerId: string;
+    serverSignature: string;
+    connection: PairingOfferConnection;
+    expiresAt: number;
+    createdAt: number;
+}
+export interface PairingTrustAnchorPublic {
+    id: string;
+    createdAt: number;
+    fingerprint: string;
+}
+export interface PairingDaemonIdentityPublic {
+    deviceId: string;
+    createdAt: number;
+    fingerprint: string;
+    publicKey: string;
+}
+export interface PairingClientIdentity {
+    peerId: string;
+    publicKey: string;
+    privateKey: string;
+}
+export interface PairingRedeemProof {
+    peerId: string;
+    clientPublicKey: string;
+    clientProof: string;
+}
+export declare function getOrCreateTrustAnchor(): Promise<PairingTrustAnchorPublic>;
+export declare function getOrCreateDaemonIdentity(): Promise<PairingDaemonIdentityPublic>;
+export declare function createPairingClientIdentity(): PairingClientIdentity;
+export declare function createPairingRedeemProof(input: {
+    offerId: string;
+    redeemSecret: string;
+    trustAnchor: string;
+    clientIdentity: PairingClientIdentity;
+}): PairingRedeemProof;
+export declare function readAuthToken(): Promise<string | null>;
+export declare function rotateAuthToken(): Promise<{
+    token: string;
+    previousTokenExisted: boolean;
+}>;
+export declare function issuePairingOffer(input: {
+    connection: PairingOfferConnection;
+    ttlSeconds: number;
+}): Promise<PairingOfferIssuedPayload>;
+export declare function listPairingOffers(): Promise<Array<PairingOfferPublicPayload & {
+    revokedAt?: number;
+    redeemedAt?: number;
+    active: boolean;
+    expired: boolean;
+}>>;
+export declare function revokePairingOffer(offerId: string): Promise<boolean>;
+export declare function redeemPairingOffer(offerId: string, redeemSecret: string, expectedTrustAnchor?: string, clientPublicKey?: string, clientProof?: string): Promise<PairingOfferRedeemedPayload | null>;
+//# sourceMappingURL=pairing-offers.d.ts.map

package/dist/server/pairing-offers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pairing-offers.d.ts","sourceRoot":"","sources":["../../src/server/pairing-offers.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,OAAO,GAAG,KAAK,GAAG,OAAO,CAAC;CACpC;AAuBD,MAAM,WAAW,yBAA0B,SAAQ,sBAAsB;IACvE,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,yBAA0B,SAAQ,yBAAyB;IAC1E,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,sBAAsB,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AASD,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAwBD,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;CACrB;AA8GD,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,wBAAwB,CAAC,CA0BhF;AA6BD,wBAAsB,yBAAyB,IAAI,OAAO,CAAC,2BAA2B,CAAC,CAgCtF;AA6ED,wBAAgB,2BAA2B,IAAI,qBAAqB,CASnE;AAED,wBAAgB,wBAAwB,CAAC,KAAK,EAAE;IAC9C,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,qBAAqB,CAAC;CACvC,GAAG,kBAAkB,CAmBrB;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAO5D;AAED,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,oBAAoB,EAAE,OAAO,CAAA;CAAE,CAAC,CAOjG;AAED,wBAAsB,iBAAiB,CAAC,KAAK,EAAE;IAC7C,UAAU,EAAE,sBAAsB,CAAC;IACnC,UAAU,EAAE,MAAM,CAAC;CACpB,GAAG,OAAO,CAAC,yBAAyB,CAAC,CA+CrC;AAED,wBAAsB,iBAAiB,IAAI,OAAO,CAChD,KAAK,CACH,yBAAyB,GAAG;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;CAClB,CACF,CACF,CAyBA;AAED,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAU1E;AAED,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,mBAAmB,CAAC,EAAE,MAAM,EAC5B,eAAe,CAAC,EAAE,MAAM,EACxB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,2BAA2B,GAAG,IAAI,CAAC,CAsI7C"}

package/dist/server/pairing-offers.js

@@ -0,0 +1,502 @@
+import crypto from 'node:crypto';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { configDir } from '../core/config.js';
+const MAX_STORED_OFFERS = 200;
+const MAX_FAILED_REDEEM_ATTEMPTS = 5;
+function pairingStorePath() {
+    return path.join(configDir(), 'pairing-offers.json');
+}
+function pairingAuditPath() {
+    return path.join(configDir(), 'pairing-audit.jsonl');
+}
+function authTokenPath() {
+    return path.join(configDir(), 'auth-token');
+}
+function trustAnchorPath() {
+    return path.join(configDir(), 'pairing-trust-anchor.json');
+}
+function daemonIdentityPath() {
+    return path.join(configDir(), 'pairing-device-identity.json');
+}
+function peerBindingPath() {
+    return path.join(configDir(), 'pairing-peers.json');
+}
+async function readStore() {
+    try {
+        const raw = await fs.readFile(pairingStorePath(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (!Array.isArray(parsed.offers)) {
+            return { version: 1, offers: [] };
+        }
+        return {
+            version: 1,
+            offers: parsed.offers.filter((item) => item && typeof item.offerId === 'string'),
+        };
+    }
+    catch {
+        return { version: 1, offers: [] };
+    }
+}
+async function writeStore(store) {
+    await fs.mkdir(configDir(), { recursive: true });
+    const compacted = compactOffers(store.offers);
+    await fs.writeFile(pairingStorePath(), JSON.stringify({ version: 1, offers: compacted }, null, 2) + '\n', 'utf-8');
+}
+function compactOffers(offers) {
+    const now = Date.now();
+    const fresh = offers.filter((offer) => {
+        if (!offer.expiresAt || offer.expiresAt <= now - 24 * 60 * 60 * 1000) {
+            return false;
+        }
+        return true;
+    });
+    if (fresh.length <= MAX_STORED_OFFERS)
+        return fresh;
+    return fresh.slice(fresh.length - MAX_STORED_OFFERS);
+}
+async function appendAudit(event) {
+    await fs.mkdir(configDir(), { recursive: true });
+    const line = JSON.stringify({ timestamp: Date.now(), ...event });
+    await fs.appendFile(pairingAuditPath(), `${line}\n`, 'utf-8');
+}
+function trustAnchorFingerprint(secret) {
+    const digest = crypto.createHash('sha256').update(secret).digest('hex');
+    return digest.match(/.{1,4}/g)?.join(':') ?? digest;
+}
+function keyFingerprint(publicKey) {
+    const digest = crypto.createHash('sha256').update(publicKey).digest('hex');
+    return digest.match(/.{1,4}/g)?.join(':') ?? digest;
+}
+async function readTrustAnchorRecord() {
+    try {
+        const raw = await fs.readFile(trustAnchorPath(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed &&
+            parsed.version === 1 &&
+            typeof parsed.id === 'string' &&
+            typeof parsed.createdAt === 'number' &&
+            typeof parsed.secret === 'string' &&
+            parsed.secret.length > 0) {
+            return parsed;
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+async function writeTrustAnchorRecord(record) {
+    await fs.mkdir(configDir(), { recursive: true });
+    await fs.writeFile(trustAnchorPath(), JSON.stringify(record, null, 2) + '\n', {
+        mode: 0o600,
+    });
+}
+export async function getOrCreateTrustAnchor() {
+    const existing = await readTrustAnchorRecord();
+    if (existing) {
+        return {
+            id: existing.id,
+            createdAt: existing.createdAt,
+            fingerprint: trustAnchorFingerprint(existing.secret),
+        };
+    }
+    const created = {
+        version: 1,
+        id: crypto.randomUUID(),
+        createdAt: Date.now(),
+        secret: crypto.randomBytes(32).toString('hex'),
+    };
+    await writeTrustAnchorRecord(created);
+    await appendAudit({
+        event: 'pair_trust_anchor_created',
+        trustAnchorId: created.id,
+        trustAnchor: trustAnchorFingerprint(created.secret),
+    });
+    return {
+        id: created.id,
+        createdAt: created.createdAt,
+        fingerprint: trustAnchorFingerprint(created.secret),
+    };
+}
+async function readDaemonIdentity() {
+    try {
+        const raw = await fs.readFile(daemonIdentityPath(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed &&
+            parsed.version === 1 &&
+            typeof parsed.deviceId === 'string' &&
+            typeof parsed.createdAt === 'number' &&
+            typeof parsed.publicKey === 'string' &&
+            typeof parsed.privateKey === 'string') {
+            return parsed;
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+async function writeDaemonIdentity(identity) {
+    await fs.mkdir(configDir(), { recursive: true });
+    await fs.writeFile(daemonIdentityPath(), JSON.stringify(identity, null, 2) + '\n', {
+        mode: 0o600,
+    });
+}
+export async function getOrCreateDaemonIdentity() {
+    const existing = await readDaemonIdentity();
+    if (existing) {
+        return {
+            deviceId: existing.deviceId,
+            createdAt: existing.createdAt,
+            fingerprint: keyFingerprint(existing.publicKey),
+            publicKey: existing.publicKey,
+        };
+    }
+    const keypair = crypto.generateKeyPairSync('ed25519');
+    const publicKey = keypair.publicKey.export({ type: 'spki', format: 'pem' }).toString().trim();
+    const privateKey = keypair.privateKey.export({ type: 'pkcs8', format: 'pem' }).toString().trim();
+    const created = {
+        version: 1,
+        deviceId: crypto.randomUUID(),
+        createdAt: Date.now(),
+        publicKey,
+        privateKey,
+    };
+    await writeDaemonIdentity(created);
+    await appendAudit({
+        event: 'pair_device_identity_created',
+        deviceId: created.deviceId,
+        fingerprint: keyFingerprint(created.publicKey),
+    });
+    return {
+        deviceId: created.deviceId,
+        createdAt: created.createdAt,
+        fingerprint: keyFingerprint(created.publicKey),
+        publicKey: created.publicKey,
+    };
+}
+function canonicalRedeemPayload(input) {
+    return [
+        'viewport-pair-redeem-v1',
+        input.offerId,
+        input.redeemSecret,
+        input.trustAnchor,
+        input.clientPublicKey,
+    ].join('\n');
+}
+function peerIdFromPublicKey(publicKey) {
+    return crypto.createHash('sha256').update(publicKey).digest('hex');
+}
+async function readPeerBindings() {
+    try {
+        const raw = await fs.readFile(peerBindingPath(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (!parsed || parsed.version !== 1 || !Array.isArray(parsed.peers)) {
+            return { version: 1, peers: [] };
+        }
+        return {
+            version: 1,
+            peers: parsed.peers.filter((item) => item &&
+                typeof item.peerId === 'string' &&
+                typeof item.publicKey === 'string' &&
+                typeof item.firstPairedAt === 'number'),
+        };
+    }
+    catch {
+        return { version: 1, peers: [] };
+    }
+}
+async function writePeerBindings(store) {
+    await fs.mkdir(configDir(), { recursive: true });
+    await fs.writeFile(peerBindingPath(), JSON.stringify(store, null, 2) + '\n', {
+        mode: 0o600,
+    });
+}
+async function upsertPeerBinding(input) {
+    const store = await readPeerBindings();
+    const now = Date.now();
+    const existing = store.peers.find((peer) => peer.peerId === input.peerId);
+    if (existing) {
+        existing.publicKey = input.publicKey;
+        existing.lastPairedAt = now;
+        existing.lastOfferId = input.offerId;
+        existing.trustAnchor = input.trustAnchor;
+    }
+    else {
+        store.peers.push({
+            peerId: input.peerId,
+            publicKey: input.publicKey,
+            firstPairedAt: now,
+            lastPairedAt: now,
+            lastOfferId: input.offerId,
+            trustAnchor: input.trustAnchor,
+        });
+    }
+    await writePeerBindings(store);
+}
+export function createPairingClientIdentity() {
+    const keypair = crypto.generateKeyPairSync('ed25519');
+    const publicKey = keypair.publicKey.export({ type: 'spki', format: 'pem' }).toString().trim();
+    const privateKey = keypair.privateKey.export({ type: 'pkcs8', format: 'pem' }).toString().trim();
+    return {
+        peerId: peerIdFromPublicKey(publicKey),
+        publicKey,
+        privateKey,
+    };
+}
+export function createPairingRedeemProof(input) {
+    const normalizedClientPublicKey = input.clientIdentity.publicKey.trim();
+    const normalizedClientPrivateKey = input.clientIdentity.privateKey.trim();
+    const payload = canonicalRedeemPayload({
+        offerId: input.offerId,
+        redeemSecret: input.redeemSecret,
+        trustAnchor: input.trustAnchor,
+        clientPublicKey: normalizedClientPublicKey,
+    });
+    const signature = crypto.sign(null, Buffer.from(payload, 'utf-8'), crypto.createPrivateKey(normalizedClientPrivateKey));
+    return {
+        peerId: peerIdFromPublicKey(normalizedClientPublicKey),
+        clientPublicKey: normalizedClientPublicKey,
+        clientProof: signature.toString('base64url'),
+    };
+}
+export async function readAuthToken() {
+    try {
+        const token = (await fs.readFile(authTokenPath(), 'utf-8')).trim();
+        return token || null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function rotateAuthToken() {
+    const previous = await readAuthToken();
+    const token = crypto.randomBytes(32).toString('hex');
+    await fs.mkdir(configDir(), { recursive: true });
+    await fs.writeFile(authTokenPath(), `${token}\n`, { mode: 0o600 });
+    await appendAudit({ event: 'auth_token_rotated' });
+    return { token, previousTokenExisted: previous !== null };
+}
+export async function issuePairingOffer(input) {
+    const ttlSeconds = Math.min(3600, Math.max(30, Math.floor(input.ttlSeconds)));
+    const createdAt = Date.now();
+    const expiresAt = createdAt + ttlSeconds * 1000;
+    const offerId = crypto.randomUUID();
+    const redeemSecret = crypto.randomBytes(16).toString('hex');
+    const token = await readAuthToken();
+    if (!token) {
+        throw new Error('No auth token available for pairing offer');
+    }
+    const trustAnchor = await getOrCreateTrustAnchor();
+    const daemonIdentity = await getOrCreateDaemonIdentity();
+    const store = await readStore();
+    store.offers.push({
+        offerId,
+        createdAt,
+        expiresAt,
+        redeemSecretHash: hashSecret(redeemSecret),
+        token,
+        trustAnchor: trustAnchor.fingerprint,
+        daemonDeviceId: daemonIdentity.deviceId,
+        daemonPublicKey: daemonIdentity.publicKey,
+        connection: input.connection,
+    });
+    await writeStore(store);
+    await appendAudit({
+        event: 'pair_offer_issued',
+        offerId,
+        createdAt,
+        expiresAt,
+        profile: input.connection.profile,
+        listen: input.connection.listen,
+        trustAnchor: trustAnchor.fingerprint,
+        daemonDeviceId: daemonIdentity.deviceId,
+    });
+    return {
+        offerId,
+        createdAt,
+        expiresAt,
+        redeemSecret,
+        trustAnchor: trustAnchor.fingerprint,
+        daemonDeviceId: daemonIdentity.deviceId,
+        daemonPublicKey: daemonIdentity.publicKey,
+        ...input.connection,
+    };
+}
+export async function listPairingOffers() {
+    const store = await readStore();
+    const now = Date.now();
+    return store.offers
+        .map((offer) => {
+        const expired = offer.expiresAt <= now;
+        const active = !expired && !offer.revokedAt && !offer.redeemedAt;
+        return {
+            offerId: offer.offerId,
+            createdAt: offer.createdAt,
+            expiresAt: offer.expiresAt,
+            trustAnchor: offer.trustAnchor,
+            daemonDeviceId: offer.daemonDeviceId,
+            host: offer.connection.host,
+            port: offer.connection.port,
+            listen: offer.connection.listen,
+            socketPath: offer.connection.socketPath,
+            profile: offer.connection.profile,
+            revokedAt: offer.revokedAt,
+            redeemedAt: offer.redeemedAt,
+            active,
+            expired,
+        };
+    })
+        .sort((a, b) => b.createdAt - a.createdAt);
+}
+export async function revokePairingOffer(offerId) {
+    const store = await readStore();
+    const offer = store.offers.find((item) => item.offerId === offerId);
+    if (!offer)
+        return false;
+    if (!offer.revokedAt) {
+        offer.revokedAt = Date.now();
+        await writeStore(store);
+        await appendAudit({ event: 'pair_offer_revoked', offerId: offer.offerId });
+    }
+    return true;
+}
+export async function redeemPairingOffer(offerId, redeemSecret, expectedTrustAnchor, clientPublicKey, clientProof) {
+    if (!redeemSecret || redeemSecret.trim().length === 0) {
+        return null;
+    }
+    const store = await readStore();
+    const offer = store.offers.find((item) => item.offerId === offerId);
+    if (!offer)
+        return null;
+    const now = Date.now();
+    const expired = offer.expiresAt <= now;
+    if (expired || offer.revokedAt || offer.redeemedAt || offer.lockedAt) {
+        return null;
+    }
+    if (!clientPublicKey || !clientProof) {
+        await appendAudit({
+            event: 'pair_offer_redeem_failed',
+            offerId: offer.offerId,
+            reason: 'missing_client_identity_proof',
+        });
+        return null;
+    }
+    if (expectedTrustAnchor && offer.trustAnchor !== expectedTrustAnchor) {
+        await appendAudit({
+            event: 'pair_offer_redeem_failed',
+            offerId: offer.offerId,
+            reason: 'trust_anchor_mismatch',
+            expectedTrustAnchor,
+            offeredTrustAnchor: offer.trustAnchor,
+        });
+        return null;
+    }
+    try {
+        const payload = canonicalRedeemPayload({
+            offerId: offer.offerId,
+            redeemSecret,
+            trustAnchor: offer.trustAnchor,
+            clientPublicKey,
+        });
+        const verified = crypto.verify(null, Buffer.from(payload, 'utf-8'), crypto.createPublicKey(clientPublicKey), Buffer.from(clientProof, 'base64url'));
+        if (!verified) {
+            await appendAudit({
+                event: 'pair_offer_redeem_failed',
+                offerId: offer.offerId,
+                reason: 'client_proof_invalid',
+            });
+            return null;
+        }
+    }
+    catch {
+        await appendAudit({
+            event: 'pair_offer_redeem_failed',
+            offerId: offer.offerId,
+            reason: 'client_proof_invalid',
+        });
+        return null;
+    }
+    if (typeof offer.redeemSecretHash !== 'string' || offer.redeemSecretHash.length === 0) {
+        offer.lockedAt = now;
+        await writeStore(store);
+        await appendAudit({
+            event: 'pair_offer_redeem_failed',
+            offerId: offer.offerId,
+            reason: 'missing_redeem_secret_hash',
+        });
+        return null;
+    }
+    const proofValid = secureSecretCompare(offer.redeemSecretHash, hashSecret(redeemSecret));
+    if (!proofValid) {
+        offer.failedRedeemAttempts = (offer.failedRedeemAttempts ?? 0) + 1;
+        if (offer.failedRedeemAttempts >= MAX_FAILED_REDEEM_ATTEMPTS) {
+            offer.lockedAt = now;
+        }
+        await writeStore(store);
+        await appendAudit({
+            event: 'pair_offer_redeem_failed',
+            offerId: offer.offerId,
+            attempts: offer.failedRedeemAttempts,
+            locked: !!offer.lockedAt,
+        });
+        return null;
+    }
+    offer.redeemedAt = now;
+    await writeStore(store);
+    const peerId = peerIdFromPublicKey(clientPublicKey);
+    await upsertPeerBinding({
+        peerId,
+        publicKey: clientPublicKey,
+        offerId: offer.offerId,
+        trustAnchor: offer.trustAnchor,
+    });
+    const daemonIdentity = await readDaemonIdentity();
+    const daemonPrivateKey = daemonIdentity
+        ? crypto.createPrivateKey(daemonIdentity.privateKey)
+        : undefined;
+    const redeemEnvelope = [
+        'viewport-pair-redeem-response-v1',
+        offer.offerId,
+        peerId,
+        offer.trustAnchor,
+        String(offer.expiresAt),
+    ].join('\n');
+    const serverSignature = daemonPrivateKey
+        ? crypto
+            .sign(null, Buffer.from(redeemEnvelope, 'utf-8'), daemonPrivateKey)
+            .toString('base64url')
+        : '';
+    await appendAudit({
+        event: 'pair_offer_redeemed',
+        offerId: offer.offerId,
+        peerId,
+        daemonDeviceId: offer.daemonDeviceId,
+    });
+    return {
+        offerId: offer.offerId,
+        token: offer.token,
+        trustAnchor: offer.trustAnchor,
+        daemonDeviceId: offer.daemonDeviceId,
+        daemonPublicKey: offer.daemonPublicKey,
+        peerId,
+        serverSignature,
+        connection: offer.connection,
+        expiresAt: offer.expiresAt,
+        createdAt: offer.createdAt,
+    };
+}
+function hashSecret(secret) {
+    return crypto.createHash('sha256').update(secret).digest('hex');
+}
+function secureSecretCompare(a, b) {
+    const left = Buffer.from(a, 'utf-8');
+    const right = Buffer.from(b, 'utf-8');
+    if (left.length !== right.length) {
+        crypto.timingSafeEqual(left, left);
+        return false;
+    }
+    return crypto.timingSafeEqual(left, right);
+}
+//# sourceMappingURL=pairing-offers.js.map