@viewportai/daemon 0.2.0 → 0.3.0

package/dist/relay/bridge-pairing-control-handler.d.ts

@@ -0,0 +1,26 @@
+import type { RelayPairingOfferRequestFrame, RelayPairingRedeemRequestFrame } from './relay-control-frames.js';
+export interface PairingChannelKey {
+    key: Buffer;
+    createdAt: number;
+}
+export type PairingChannelKeyStore = Map<string, PairingChannelKey>;
+export type RelayPairingControlReply = (payload: Record<string, unknown>) => void;
+interface PairingControlBaseOptions {
+    pairingChannelKeys: PairingChannelKeyStore;
+    reply: RelayPairingControlReply;
+    maxAgeMs: number;
+    maxEntries: number;
+}
+interface PairingOfferControlOptions extends PairingControlBaseOptions {
+    frame: RelayPairingOfferRequestFrame;
+    workspaceId: string;
+    daemonWsUrl: string;
+}
+interface PairingRedeemControlOptions extends PairingControlBaseOptions {
+    frame: RelayPairingRedeemRequestFrame;
+}
+export declare function handleRelayPairingOfferRequest({ frame, reply, pairingChannelKeys, workspaceId, daemonWsUrl, maxAgeMs, maxEntries, }: PairingOfferControlOptions): Promise<void>;
+export declare function handleRelayPairingRedeemRequest({ frame, reply, pairingChannelKeys, maxAgeMs, maxEntries, }: PairingRedeemControlOptions): Promise<void>;
+export declare function pruneRelayPairingChannelKeys(pairingChannelKeys: PairingChannelKeyStore, now: number, maxAgeMs: number, maxEntries: number): void;
+export {};
+//# sourceMappingURL=bridge-pairing-control-handler.d.ts.map

package/dist/relay/bridge-pairing-control-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-pairing-control-handler.d.ts","sourceRoot":"","sources":["../../src/relay/bridge-pairing-control-handler.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,6BAA6B,EAC7B,8BAA8B,EAC/B,MAAM,2BAA2B,CAAC;AAGnC,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,sBAAsB,GAAG,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;AACpE,MAAM,MAAM,wBAAwB,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;AAElF,UAAU,yBAAyB;IACjC,kBAAkB,EAAE,sBAAsB,CAAC;IAC3C,KAAK,EAAE,wBAAwB,CAAC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,0BAA2B,SAAQ,yBAAyB;IACpE,KAAK,EAAE,6BAA6B,CAAC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,UAAU,2BAA4B,SAAQ,yBAAyB;IACrE,KAAK,EAAE,8BAA8B,CAAC;CACvC;AAED,wBAAsB,8BAA8B,CAAC,EACnD,KAAK,EACL,KAAK,EACL,kBAAkB,EAClB,WAAW,EACX,WAAW,EACX,QAAQ,EACR,UAAU,GACX,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5C;AAED,wBAAsB,+BAA+B,CAAC,EACpD,KAAK,EACL,KAAK,EACL,kBAAkB,EAClB,QAAQ,EACR,UAAU,GACX,EAAE,2BAA2B,GAAG,OAAO,CAAC,IAAI,CAAC,CAgF7C;AAED,wBAAgB,4BAA4B,CAC1C,kBAAkB,EAAE,sBAAsB,EAC1C,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,IAAI,CAgBN"}

package/dist/relay/bridge-pairing-control-handler.js

@@ -0,0 +1,136 @@
+import crypto from 'node:crypto';
+import { fromBase64Url, toBase64Url } from './bridge-crypto.js';
+import { decryptPairingPayload, derivePairingChannelKey, encryptPairingPayload, } from './bridge-pairing-channel.js';
+import { issuePairingOffer, redeemPairingOffer } from '../server/pairing-offers.js';
+export async function handleRelayPairingOfferRequest({ frame, reply, pairingChannelKeys, workspaceId, daemonWsUrl, maxAgeMs, maxEntries, }) {
+    const requestId = frame.requestId;
+    try {
+        pruneRelayPairingChannelKeys(pairingChannelKeys, Date.now(), maxAgeMs, maxEntries);
+        const clientChannelPublicKey = fromBase64Url(frame.clientChannelPublicKey);
+        if (clientChannelPublicKey.length !== 65) {
+            throw new Error('invalid clientChannelPublicKey');
+        }
+        const daemonChannel = crypto.createECDH('prime256v1');
+        daemonChannel.generateKeys();
+        const shared = daemonChannel.computeSecret(clientChannelPublicKey);
+        const channelKey = derivePairingChannelKey(shared, `offer:${frame.requestId}`);
+        const daemonUrl = new URL(daemonWsUrl);
+        const issued = await issuePairingOffer({
+            ttlSeconds: frame.ttlSeconds ?? 600,
+            connection: {
+                host: daemonUrl.hostname || '127.0.0.1',
+                port: daemonUrl.port ? Number(daemonUrl.port) : 7070,
+                listen: `relay:${workspaceId}`,
+                profile: 'relay',
+            },
+        });
+        pairingChannelKeys.set(issued.offerId, { key: channelKey, createdAt: Date.now() });
+        const encryptedOffer = encryptPairingPayload(channelKey, JSON.stringify({
+            offerId: issued.offerId,
+            createdAt: issued.createdAt,
+            expiresAt: issued.expiresAt,
+            redeemSecret: issued.redeemSecret,
+            trustAnchor: issued.trustAnchor,
+            daemonDeviceId: issued.daemonDeviceId,
+            daemonPublicKey: issued.daemonPublicKey,
+        }), `offer:${frame.requestId}`);
+        reply({
+            type: 'relay_pairing_offer_response',
+            requestId,
+            ok: true,
+            daemonChannelPublicKey: toBase64Url(daemonChannel.getPublicKey()),
+            ...encryptedOffer,
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        reply({
+            type: 'relay_pairing_offer_response',
+            requestId,
+            ok: false,
+            errorCode: 'PAIRING_OFFER_FAILED',
+            error: message,
+        });
+    }
+}
+export async function handleRelayPairingRedeemRequest({ frame, reply, pairingChannelKeys, maxAgeMs, maxEntries, }) {
+    const requestId = frame.requestId;
+    try {
+        pruneRelayPairingChannelKeys(pairingChannelKeys, Date.now(), maxAgeMs, maxEntries);
+        const channel = pairingChannelKeys.get(frame.offerId);
+        if (!channel) {
+            throw new Error('pairing channel missing or expired');
+        }
+        const decrypted = decryptPairingPayload(channel.key, {
+            encIv: frame.encIv,
+            encTag: frame.encTag,
+            encCiphertext: frame.encCiphertext,
+        }, `redeem:${frame.requestId}:${frame.offerId}`);
+        const parsed = JSON.parse(decrypted);
+        if (typeof parsed.redeemSecret !== 'string' ||
+            typeof parsed.trustAnchor !== 'string' ||
+            typeof parsed.clientPublicKey !== 'string' ||
+            typeof parsed.clientProof !== 'string' ||
+            parsed.redeemSecret.trim().length === 0 ||
+            parsed.trustAnchor.trim().length === 0 ||
+            parsed.clientPublicKey.trim().length === 0 ||
+            parsed.clientProof.trim().length === 0) {
+            throw new Error('invalid encrypted pairing payload');
+        }
+        const redeemed = await redeemPairingOffer(frame.offerId, parsed.redeemSecret, parsed.trustAnchor, parsed.clientPublicKey, parsed.clientProof);
+        if (!redeemed) {
+            reply({
+                type: 'relay_pairing_redeem_response',
+                requestId,
+                ok: false,
+                errorCode: 'PAIRING_REDEEM_FAILED',
+                error: 'offer not found or no longer valid',
+            });
+            return;
+        }
+        reply({
+            type: 'relay_pairing_redeem_response',
+            requestId,
+            ok: true,
+            redeemed: {
+                offerId: redeemed.offerId,
+                createdAt: redeemed.createdAt,
+                expiresAt: redeemed.expiresAt,
+                peerId: redeemed.peerId,
+                daemonDeviceId: redeemed.daemonDeviceId,
+                daemonPublicKey: redeemed.daemonPublicKey,
+                relayPairingPeerId: redeemed.relayPairingPeerId,
+                serverSignature: redeemed.serverSignature,
+            },
+        });
+        pairingChannelKeys.delete(frame.offerId);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        reply({
+            type: 'relay_pairing_redeem_response',
+            requestId,
+            ok: false,
+            errorCode: 'PAIRING_REDEEM_FAILED',
+            error: message,
+        });
+    }
+}
+export function pruneRelayPairingChannelKeys(pairingChannelKeys, now, maxAgeMs, maxEntries) {
+    for (const [offerId, channel] of pairingChannelKeys.entries()) {
+        if (now - channel.createdAt > maxAgeMs) {
+            pairingChannelKeys.delete(offerId);
+        }
+    }
+    const overflow = pairingChannelKeys.size - maxEntries;
+    if (overflow <= 0) {
+        return;
+    }
+    const oldest = Array.from(pairingChannelKeys.entries())
+        .sort((a, b) => a[1].createdAt - b[1].createdAt)
+        .slice(0, overflow);
+    for (const [offerId] of oldest) {
+        pairingChannelKeys.delete(offerId);
+    }
+}
+//# sourceMappingURL=bridge-pairing-control-handler.js.map

package/dist/relay/bridge-pairing-control-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-pairing-control-handler.js","sourceRoot":"","sources":["../../src/relay/bridge-pairing-control-handler.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAChE,OAAO,EACL,qBAAqB,EACrB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,6BAA6B,CAAC;AAKrC,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AA2BpF,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAAC,EACnD,KAAK,EACL,KAAK,EACL,kBAAkB,EAClB,WAAW,EACX,WAAW,EACX,QAAQ,EACR,UAAU,GACiB;IAC3B,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;IAElC,IAAI,CAAC;QACH,4BAA4B,CAAC,kBAAkB,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;QACnF,MAAM,sBAAsB,GAAG,aAAa,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC3E,IAAI,sBAAsB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QACtD,aAAa,CAAC,YAAY,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,aAAa,CAAC,aAAa,CAAC,sBAAsB,CAAC,CAAC;QACnE,MAAM,UAAU,GAAG,uBAAuB,CAAC,MAAM,EAAE,SAAS,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;QAE/E,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;QACvC,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC;YACrC,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,GAAG;YACnC,UAAU,EAAE;gBACV,IAAI,EAAE,SAAS,CAAC,QAAQ,IAAI,WAAW;gBACvC,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI;gBACpD,MAAM,EAAE,SAAS,WAAW,EAAE;gBAC9B,OAAO,EAAE,OAAO;aACjB;SACF,CAAC,CAAC;QACH,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACnF,MAAM,cAAc,GAAG,qBAAqB,CAC1C,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC,EACF,SAAS,KAAK,CAAC,SAAS,EAAE,CAC3B,CAAC;QACF,KAAK,CAAC;YACJ,IAAI,EAAE,8BAA8B;YACpC,SAAS;YACT,EAAE,EAAE,IAAI;YACR,sBAAsB,EAAE,WAAW,CAAC,aAAa,CAAC,YAAY,EAAE,CAAC;YACjE,GAAG,cAAc;SAClB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,KAAK,CAAC;YACJ,IAAI,EAAE,8BAA8B;YACpC,SAAS;YACT,EAAE,EAAE,KAAK;YACT,SAAS,EAAE,sBAAsB;YACjC,KAAK,EAAE,OAAO;SACf,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CAAC,EACpD,KAAK,EACL,KAAK,EACL,kBAAkB,EAClB,QAAQ,EACR,UAAU,GACkB;IAC5B,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;IAElC,IAAI,CAAC;QACH,4BAA4B,CAAC,kBAAkB,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;QACnF,MAAM,OAAO,GAAG,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACtD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QACD,MAAM,SAAS,GAAG,qBAAqB,CACrC,OAAO,CAAC,GAAG,EACX;YACE,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,aAAa,EAAE,KAAK,CAAC,aAAa;SACnC,EACD,UAAU,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,OAAO,EAAE,CAC7C,CAAC;QACF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAKlC,CAAC;QACF,IACE,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ;YACvC,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;YACtC,OAAO,MAAM,CAAC,eAAe,KAAK,QAAQ;YAC1C,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;YACtC,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;YACvC,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;YACtC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;YAC1C,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EACtC,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CACvC,KAAK,CAAC,OAAO,EACb,MAAM,CAAC,YAAY,EACnB,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,eAAe,EACtB,MAAM,CAAC,WAAW,CACnB,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,KAAK,CAAC;gBACJ,IAAI,EAAE,+BAA+B;gBACrC,SAAS;gBACT,EAAE,EAAE,KAAK;gBACT,SAAS,EAAE,uBAAuB;gBAClC,KAAK,EAAE,oCAAoC;aAC5C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,KAAK,CAAC;YACJ,IAAI,EAAE,+BAA+B;YACrC,SAAS;YACT,EAAE,EAAE,IAAI;YACR,QAAQ,EAAE;gBACR,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,SAAS,EAAE,QAAQ,CAAC,SAAS;gBAC7B,SAAS,EAAE,QAAQ,CAAC,SAAS;gBAC7B,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,cAAc,EAAE,QAAQ,CAAC,cAAc;gBACvC,eAAe,EAAE,QAAQ,CAAC,eAAe;gBACzC,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;gBAC/C,eAAe,EAAE,QAAQ,CAAC,eAAe;aAC1C;SACF,CAAC,CAAC;QACH,kBAAkB,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,KAAK,CAAC;YACJ,IAAI,EAAE,+BAA+B;YACrC,SAAS;YACT,EAAE,EAAE,KAAK;YACT,SAAS,EAAE,uBAAuB;YAClC,KAAK,EAAE,OAAO;SACf,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,kBAA0C,EAC1C,GAAW,EACX,QAAgB,EAChB,UAAkB;IAElB,KAAK,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,kBAAkB,CAAC,OAAO,EAAE,EAAE,CAAC;QAC9D,IAAI,GAAG,GAAG,OAAO,CAAC,SAAS,GAAG,QAAQ,EAAE,CAAC;YACvC,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IACD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,GAAG,UAAU,CAAC;IACtD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAClB,OAAO;IACT,CAAC;IACD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,CAAC;SACpD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;SAC/C,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IACtB,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,EAAE,CAAC;QAC/B,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;AACH,CAAC"}

package/dist/relay/bridge-relay-sessions.d.ts

@@ -0,0 +1,45 @@
+import type { RelayHandshakeProfile } from './bridge-key-exchange.js';
+export interface RelaySessionState {
+    key: Buffer;
+    profile: RelayHandshakeProfile;
+    sessionId: string;
+    epoch: number;
+    txSeq: number;
+    rxHighestSeq: number;
+    rxSeenSeq: Set<number>;
+    lastActivityAt: number;
+    keyRotationRequested: boolean;
+}
+export interface RelaySessionSeed {
+    key: Buffer;
+    profile: RelayHandshakeProfile;
+    sessionId: string;
+    epoch: number;
+}
+export interface RelaySessionSocket {
+    send(payload: string): void;
+}
+export declare function createRelaySessionState(seed: RelaySessionSeed, now?: number): RelaySessionState;
+export declare function acceptInboundRelaySeq(session: RelaySessionState, seq: number): boolean;
+export declare function pruneIdleRelaySessions(sessions: Map<string, RelaySessionState>, now?: number, idleTtlMs?: number): string[];
+export declare function enforceRelaySessionCapacity(options: {
+    sessions: Map<string, RelaySessionState>;
+    maxEntries: number;
+    now?: number;
+    idleTtlMs?: number;
+}): string[];
+export declare function sendToRelaySession(options: {
+    relayWs: RelaySessionSocket;
+    session: RelaySessionState;
+    payload: string;
+    now?: number;
+}): void;
+export declare function sendToAllRelaySessions(options: {
+    relayWs: RelaySessionSocket;
+    sessions: Map<string, RelaySessionState>;
+    payload: string;
+    keyRotateAfterMessages: number;
+    now?: number;
+    idleTtlMs?: number;
+}): void;
+//# sourceMappingURL=bridge-relay-sessions.d.ts.map

package/dist/relay/bridge-relay-sessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-relay-sessions.d.ts","sourceRoot":"","sources":["../../src/relay/bridge-relay-sessions.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAGtE,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,qBAAqB,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,oBAAoB,EAAE,OAAO,CAAC;CAC/B;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,qBAAqB,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,gBAAgB,EACtB,GAAG,SAAa,GACf,iBAAiB,CASnB;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,iBAAiB,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAetF;AAED,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACxC,GAAG,SAAa,EAChB,SAAS,SAA4B,GACpC,MAAM,EAAE,CASV;AAED,wBAAgB,2BAA2B,CAAC,OAAO,EAAE;IACnD,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GAAG,MAAM,EAAE,CAWX;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE;IAC1C,OAAO,EAAE,kBAAkB,CAAC;IAC5B,OAAO,EAAE,iBAAiB,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,GAAG,IAAI,CAUP;AAED,wBAAgB,sBAAsB,CAAC,OAAO,EAAE;IAC9C,OAAO,EAAE,kBAAkB,CAAC;IAC5B,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;IAChB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GAAG,IAAI,CAuBP"}

package/dist/relay/bridge-relay-sessions.js

@@ -0,0 +1,88 @@
+import { RELAY_REPLAY_WINDOW, RELAY_SESSION_IDLE_TTL_MS } from './bridge-constants.js';
+import { encryptEnvelope } from './bridge-crypto.js';
+export function createRelaySessionState(seed, now = Date.now()) {
+    return {
+        ...seed,
+        txSeq: 0,
+        rxHighestSeq: 0,
+        rxSeenSeq: new Set(),
+        lastActivityAt: now,
+        keyRotationRequested: false,
+    };
+}
+export function acceptInboundRelaySeq(session, seq) {
+    if (seq < 1)
+        return false;
+    if (session.rxSeenSeq.has(seq))
+        return false;
+    if (seq > session.rxHighestSeq + RELAY_REPLAY_WINDOW)
+        return false;
+    const minimumAllowed = Math.max(1, session.rxHighestSeq - RELAY_REPLAY_WINDOW + 1);
+    if (seq < minimumAllowed)
+        return false;
+    session.rxSeenSeq.add(seq);
+    if (seq > session.rxHighestSeq)
+        session.rxHighestSeq = seq;
+    const pruneBelow = Math.max(1, session.rxHighestSeq - RELAY_REPLAY_WINDOW + 1);
+    for (const seen of session.rxSeenSeq) {
+        if (seen < pruneBelow)
+            session.rxSeenSeq.delete(seen);
+    }
+    return true;
+}
+export function pruneIdleRelaySessions(sessions, now = Date.now(), idleTtlMs = RELAY_SESSION_IDLE_TTL_MS) {
+    const pruned = [];
+    for (const [sessionId, session] of sessions.entries()) {
+        if (now - session.lastActivityAt > idleTtlMs) {
+            sessions.delete(sessionId);
+            pruned.push(sessionId);
+        }
+    }
+    return pruned;
+}
+export function enforceRelaySessionCapacity(options) {
+    pruneIdleRelaySessions(options.sessions, options.now, options.idleTtlMs);
+    const evicted = [];
+    while (options.sessions.size > options.maxEntries) {
+        const oldestSessionId = options.sessions.keys().next().value;
+        if (!oldestSessionId)
+            break;
+        options.sessions.delete(oldestSessionId);
+        evicted.push(oldestSessionId);
+    }
+    return evicted;
+}
+export function sendToRelaySession(options) {
+    options.session.txSeq += 1;
+    options.session.lastActivityAt = options.now ?? Date.now();
+    const envelope = encryptEnvelope(options.session.key, options.payload, {
+        profile: options.session.profile,
+        sessionId: options.session.sessionId,
+        epoch: options.session.epoch,
+        seq: options.session.txSeq,
+    });
+    options.relayWs.send(envelope);
+}
+export function sendToAllRelaySessions(options) {
+    const now = options.now ?? Date.now();
+    pruneIdleRelaySessions(options.sessions, now, options.idleTtlMs);
+    for (const session of options.sessions.values()) {
+        sendToRelaySession({
+            relayWs: options.relayWs,
+            session,
+            payload: options.payload,
+            now,
+        });
+        if (!session.keyRotationRequested && session.txSeq >= options.keyRotateAfterMessages) {
+            const rotateNotice = {
+                type: 'relay_key_update_required',
+                sessionId: session.sessionId,
+                nextEpoch: session.epoch + 1,
+                reason: 'message_threshold',
+            };
+            options.relayWs.send(JSON.stringify(rotateNotice));
+            session.keyRotationRequested = true;
+        }
+    }
+}
+//# sourceMappingURL=bridge-relay-sessions.js.map

package/dist/relay/bridge-relay-sessions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-relay-sessions.js","sourceRoot":"","sources":["../../src/relay/bridge-relay-sessions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AACvF,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AA2BrD,MAAM,UAAU,uBAAuB,CACrC,IAAsB,EACtB,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE;IAEhB,OAAO;QACL,GAAG,IAAI;QACP,KAAK,EAAE,CAAC;QACR,YAAY,EAAE,CAAC;QACf,SAAS,EAAE,IAAI,GAAG,EAAU;QAC5B,cAAc,EAAE,GAAG;QACnB,oBAAoB,EAAE,KAAK;KAC5B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAA0B,EAAE,GAAW;IAC3E,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,GAAG,GAAG,OAAO,CAAC,YAAY,GAAG,mBAAmB;QAAE,OAAO,KAAK,CAAC;IACnE,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,YAAY,GAAG,mBAAmB,GAAG,CAAC,CAAC,CAAC;IACnF,IAAI,GAAG,GAAG,cAAc;QAAE,OAAO,KAAK,CAAC;IAEvC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,GAAG,GAAG,OAAO,CAAC,YAAY;QAAE,OAAO,CAAC,YAAY,GAAG,GAAG,CAAC;IAE3D,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,YAAY,GAAG,mBAAmB,GAAG,CAAC,CAAC,CAAC;IAC/E,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACrC,IAAI,IAAI,GAAG,UAAU;YAAE,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,QAAwC,EACxC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,EAChB,SAAS,GAAG,yBAAyB;IAErC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;QACtD,IAAI,GAAG,GAAG,OAAO,CAAC,cAAc,GAAG,SAAS,EAAE,CAAC;YAC7C,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,OAK3C;IACC,sBAAsB,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEzE,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;QAClD,MAAM,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QAC7D,IAAI,CAAC,eAAe;YAAE,MAAM;QAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACzC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,OAKlC;IACC,OAAO,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC;IAC3B,OAAO,CAAC,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IAC3D,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE;QACrE,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,OAAO;QAChC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS;QACpC,KAAK,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK;QAC5B,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK;KAC3B,CAAC,CAAC;IACH,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAOtC;IACC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IACtC,sBAAsB,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEjE,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;QAChD,kBAAkB,CAAC;YACjB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,OAAO;YACP,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,GAAG;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,CAAC,oBAAoB,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,sBAAsB,EAAE,CAAC;YACrF,MAAM,YAAY,GAAgC;gBAChD,IAAI,EAAE,2BAA2B;gBACjC,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,SAAS,EAAE,OAAO,CAAC,KAAK,GAAG,CAAC;gBAC5B,MAAM,EAAE,mBAAmB;aAC5B,CAAC;YACF,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;YACnD,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;QACtC,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/relay/bridge-token-issuer.d.ts

@@ -0,0 +1,32 @@
+import { type RelayHandshakeProfile } from './bridge-key-exchange.js';
+export interface RelayTokenIssuerOptions {
+    relayServerUrl: string;
+    workspaceId: string;
+    runtimeTargetId?: string;
+    relayTlsVerify?: 'auto' | '0' | '1';
+    relayCaCertPath?: string;
+    relayTlsPins?: string[];
+    relayTokenIssuer?: string;
+    relayTokenAudience?: string;
+    relayTokenJwksUrl?: string;
+    relayTokenSigningKeys?: Record<string, string>;
+    relayTokenClockSkewSec?: number;
+}
+export declare class RelayTokenIssuer {
+    private readonly options;
+    private daemonIssueToken;
+    private readonly relayTokenJwksUrl;
+    private readonly relayTokenSigningKeys;
+    private jwksCacheExpiresAt;
+    private jwksCacheKeys;
+    constructor(options: RelayTokenIssuerOptions, daemonIssueToken: string | null);
+    setDaemonIssueToken(token: string | null): void;
+    issue(): Promise<{
+        relayToken: string;
+        profile: RelayHandshakeProfile;
+    }>;
+    private verifyIssueResponseToken;
+    private verifyTokenClaims;
+    private resolveRelayTokenVerificationKeys;
+}
+//# sourceMappingURL=bridge-token-issuer.d.ts.map

package/dist/relay/bridge-token-issuer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-token-issuer.d.ts","sourceRoot":"","sources":["../../src/relay/bridge-token-issuer.ts"],"names":[],"mappings":"AAIA,OAAO,EAA8B,KAAK,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAclG,MAAM,WAAW,uBAAuB;IACtC,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC;IACpC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,qBAAqB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/C,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAED,qBAAa,gBAAgB;IAOzB,OAAO,CAAC,QAAQ,CAAC,OAAO;IACxB,OAAO,CAAC,gBAAgB;IAP1B,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAqB;IACvD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAyB;IAC/D,OAAO,CAAC,kBAAkB,CAAK;IAC/B,OAAO,CAAC,aAAa,CAA8B;gBAGhC,OAAO,EAAE,uBAAuB,EACzC,gBAAgB,EAAE,MAAM,GAAG,IAAI;IAMzC,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAIzC,KAAK,IAAI,OAAO,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,qBAAqB,CAAC;KAChC,CAAC;YAkDY,wBAAwB;IAkBtC,OAAO,CAAC,iBAAiB;YAYX,iCAAiC;CAqDhD"}

package/dist/relay/bridge-token-issuer.js

@@ -0,0 +1,173 @@
+import crypto from 'node:crypto';
+import { transportFetch } from '../cli/network.js';
+import { BridgeError } from './bridge-errors.js';
+import { verifyRelayTokenClaims } from './bridge-jwt.js';
+import { parseRelayHandshakeProfile } from './bridge-key-exchange.js';
+const MAX_JWKS_KEYS = 64;
+export class RelayTokenIssuer {
+    options;
+    daemonIssueToken;
+    relayTokenJwksUrl;
+    relayTokenSigningKeys;
+    jwksCacheExpiresAt = 0;
+    jwksCacheKeys = {};
+    constructor(options, daemonIssueToken) {
+        this.options = options;
+        this.daemonIssueToken = daemonIssueToken;
+        this.relayTokenJwksUrl = options.relayTokenJwksUrl;
+        this.relayTokenSigningKeys = options.relayTokenSigningKeys ?? {};
+    }
+    setDaemonIssueToken(token) {
+        this.daemonIssueToken = token;
+    }
+    async issue() {
+        const url = `${this.options.relayServerUrl.replace(/\/+$/, '')}/api/runtime/relay-token`;
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 8_000);
+        let res;
+        if (!this.daemonIssueToken) {
+            throw new BridgeError('TOKEN_ISSUE_FAILED', 'missing daemon issue token');
+        }
+        try {
+            res = await transportFetch(url, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({
+                    role: 'workspace-daemon',
+                    workspaceId: this.options.workspaceId,
+                    runtimeTargetId: this.options.runtimeTargetId,
+                    credential: this.daemonIssueToken,
+                }),
+                signal: controller.signal,
+                tlsVerify: this.options.relayTlsVerify ?? 'auto',
+                caCertPath: this.options.relayCaCertPath,
+                tlsPins: this.options.relayTlsPins,
+            });
+        }
+        catch (error) {
+            clearTimeout(timeout);
+            throw new BridgeError('TOKEN_ISSUE_FAILED', error instanceof Error ? error.message : String(error));
+        }
+        clearTimeout(timeout);
+        const parsed = await parseRelayIssueResponse(res);
+        if (!res.ok || !parsed.ok || !parsed.relayToken) {
+            const reason = parsed.reason ?? parsed.error ?? `HTTP ${res.status}`;
+            throw new BridgeError('TOKEN_ISSUE_FAILED', `issue relay token failed: ${reason}`);
+        }
+        const tokenClaims = await this.verifyIssueResponseToken(parsed.relayToken);
+        const profile = parseRelayHandshakeProfile(tokenClaims.e2eeProfile ?? 'noise-ik');
+        if (!profile) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', 'missing/invalid e2eeProfile claim');
+        }
+        return {
+            relayToken: parsed.relayToken,
+            profile,
+        };
+    }
+    async verifyIssueResponseToken(relayToken) {
+        let verificationKeys = await this.resolveRelayTokenVerificationKeys(false);
+        try {
+            return this.verifyTokenClaims(relayToken, verificationKeys);
+        }
+        catch (error) {
+            if (this.relayTokenJwksUrl &&
+                error instanceof BridgeError &&
+                error.code === 'TOKEN_RESPONSE_INVALID' &&
+                error.message.includes('is not trusted')) {
+                verificationKeys = await this.resolveRelayTokenVerificationKeys(true);
+                return this.verifyTokenClaims(relayToken, verificationKeys);
+            }
+            throw error;
+        }
+    }
+    verifyTokenClaims(relayToken, signingKeys) {
+        return verifyRelayTokenClaims(relayToken, {
+            issuer: this.options.relayTokenIssuer ?? 'viewport-server',
+            audience: this.options.relayTokenAudience ?? 'viewport-relay',
+            signingKeys,
+            clockSkewSec: this.options.relayTokenClockSkewSec ?? 30,
+        });
+    }
+    async resolveRelayTokenVerificationKeys(forceRefresh) {
+        if (!this.relayTokenJwksUrl) {
+            return this.relayTokenSigningKeys;
+        }
+        const now = Date.now();
+        if (!forceRefresh && now < this.jwksCacheExpiresAt && Object.keys(this.jwksCacheKeys).length) {
+            return this.jwksCacheKeys;
+        }
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 8_000);
+        let res;
+        try {
+            res = await transportFetch(this.relayTokenJwksUrl, {
+                method: 'GET',
+                headers: { accept: 'application/json' },
+                signal: controller.signal,
+                tlsVerify: this.options.relayTlsVerify ?? 'auto',
+                caCertPath: this.options.relayCaCertPath,
+                tlsPins: this.options.relayTlsPins,
+            });
+        }
+        catch (error) {
+            clearTimeout(timeout);
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', `failed to fetch JWKS: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        clearTimeout(timeout);
+        if (!res.ok) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', `JWKS endpoint returned HTTP ${res.status}`);
+        }
+        const parsed = (await res.json().catch(() => null));
+        if (!parsed || !Array.isArray(parsed.keys)) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', 'JWKS response missing keys array');
+        }
+        if (parsed.keys.length > MAX_JWKS_KEYS) {
+            throw new BridgeError('TOKEN_RESPONSE_INVALID', `JWKS response contains too many keys (${parsed.keys.length} > ${MAX_JWKS_KEYS})`);
+        }
+        const keys = parseJwksSigningKeys(parsed.keys);
+        this.jwksCacheKeys = keys;
+        this.jwksCacheExpiresAt = Date.now() + 5 * 60_000;
+        return keys;
+    }
+}
+async function parseRelayIssueResponse(res) {
+    const json = (await res.json().catch(() => null));
+    if (!json) {
+        return {
+            ok: false,
+            reason: `relay token endpoint returned non-JSON (${res.status})`,
+        };
+    }
+    return json;
+}
+function parseJwksSigningKeys(entries) {
+    const keys = {};
+    for (const entry of entries) {
+        if (!entry || typeof entry !== 'object' || Array.isArray(entry))
+            continue;
+        const kid = typeof entry['kid'] === 'string' ? entry['kid'].trim() : '';
+        const kty = typeof entry['kty'] === 'string' ? entry['kty'] : '';
+        const alg = typeof entry['alg'] === 'string' ? entry['alg'] : '';
+        const n = typeof entry['n'] === 'string' ? entry['n'] : '';
+        const e = typeof entry['e'] === 'string' ? entry['e'] : '';
+        if (!kid || kty !== 'RSA' || !n || !e)
+            continue;
+        if (alg && alg !== 'RS256')
+            continue;
+        try {
+            const keyObject = crypto.createPublicKey({
+                key: { kty: 'RSA', n, e },
+                format: 'jwk',
+            });
+            keys[kid] = keyObject.export({ format: 'pem', type: 'spki' }).toString();
+        }
+        catch {
+            continue;
+        }
+    }
+    if (Object.keys(keys).length === 0) {
+        throw new BridgeError('TOKEN_RESPONSE_INVALID', 'JWKS contained no usable signing keys');
+    }
+    return keys;
+}
+//# sourceMappingURL=bridge-token-issuer.js.map

package/dist/relay/bridge-token-issuer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-token-issuer.js","sourceRoot":"","sources":["../../src/relay/bridge-token-issuer.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAyB,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EAAE,0BAA0B,EAA8B,MAAM,0BAA0B,CAAC;AAYlG,MAAM,aAAa,GAAG,EAAE,CAAC;AAgBzB,MAAM,OAAO,gBAAgB;IAOR;IACT;IAPO,iBAAiB,CAAqB;IACtC,qBAAqB,CAAyB;IACvD,kBAAkB,GAAG,CAAC,CAAC;IACvB,aAAa,GAA2B,EAAE,CAAC;IAEnD,YACmB,OAAgC,EACzC,gBAA+B;QADtB,YAAO,GAAP,OAAO,CAAyB;QACzC,qBAAgB,GAAhB,gBAAgB,CAAe;QAEvC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC;QACnD,IAAI,CAAC,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,IAAI,EAAE,CAAC;IACnE,CAAC;IAED,mBAAmB,CAAC,KAAoB;QACtC,IAAI,CAAC,gBAAgB,GAAG,KAAK,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,KAAK;QAIT,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,0BAA0B,CAAC;QACzF,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,KAAK,CAAC,CAAC;QAC5D,IAAI,GAAa,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,MAAM,IAAI,WAAW,CAAC,oBAAoB,EAAE,4BAA4B,CAAC,CAAC;QAC5E,CAAC;QACD,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE;gBAC9B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,IAAI,EAAE,kBAAkB;oBACxB,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW;oBACrC,eAAe,EAAE,IAAI,CAAC,OAAO,CAAC,eAAe;oBAC7C,UAAU,EAAE,IAAI,CAAC,gBAAgB;iBAClC,CAAC;gBACF,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,cAAc,IAAI,MAAM;gBAChD,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,eAAe;gBACxC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY;aACnC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,MAAM,IAAI,WAAW,CACnB,oBAAoB,EACpB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CACvD,CAAC;QACJ,CAAC;QACD,YAAY,CAAC,OAAO,CAAC,CAAC;QAEtB,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,IAAI,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;YACrE,MAAM,IAAI,WAAW,CAAC,oBAAoB,EAAE,6BAA6B,MAAM,EAAE,CAAC,CAAC;QACrF,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC3E,MAAM,OAAO,GAAG,0BAA0B,CAAC,WAAW,CAAC,WAAW,IAAI,UAAU,CAAC,CAAC;QAClF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,mCAAmC,CAAC,CAAC;QACvF,CAAC;QAED,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,OAAO;SACR,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,wBAAwB,CAAC,UAAkB;QACvD,IAAI,gBAAgB,GAAG,MAAM,IAAI,CAAC,iCAAiC,CAAC,KAAK,CAAC,CAAC;QAC3E,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,iBAAiB,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QAC9D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IACE,IAAI,CAAC,iBAAiB;gBACtB,KAAK,YAAY,WAAW;gBAC5B,KAAK,CAAC,IAAI,KAAK,wBAAwB;gBACvC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EACxC,CAAC;gBACD,gBAAgB,GAAG,MAAM,IAAI,CAAC,iCAAiC,CAAC,IAAI,CAAC,CAAC;gBACtE,OAAO,IAAI,CAAC,iBAAiB,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;YAC9D,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAEO,iBAAiB,CACvB,UAAkB,EAClB,WAAmC;QAEnC,OAAO,sBAAsB,CAAC,UAAU,EAAE;YACxC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,gBAAgB,IAAI,iBAAiB;YAC1D,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,kBAAkB,IAAI,gBAAgB;YAC7D,WAAW;YACX,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,sBAAsB,IAAI,EAAE;SACxD,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,iCAAiC,CAC7C,YAAqB;QAErB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,qBAAqB,CAAC;QACpC,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,YAAY,IAAI,GAAG,GAAG,IAAI,CAAC,kBAAkB,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,EAAE,CAAC;YAC7F,OAAO,IAAI,CAAC,aAAa,CAAC;QAC5B,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,KAAK,CAAC,CAAC;QAE5D,IAAI,GAAa,CAAC;QAClB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,iBAAiB,EAAE;gBACjD,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;gBACvC,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,cAAc,IAAI,MAAM;gBAChD,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,eAAe;gBACxC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY;aACnC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,yBAAyB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAClF,CAAC;QACJ,CAAC;QACD,YAAY,CAAC,OAAO,CAAC,CAAC;QAEtB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,+BAA+B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/F,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAwB,CAAC;QAC3E,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,kCAAkC,CAAC,CAAC;QACtF,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,aAAa,EAAE,CAAC;YACvC,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,yCAAyC,MAAM,CAAC,IAAI,CAAC,MAAM,MAAM,aAAa,GAAG,CAClF,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC1B,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC;QAClD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,KAAK,UAAU,uBAAuB,CAAC,GAAa;IAClD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAA8B,CAAC;IAC/E,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,2CAA2C,GAAG,CAAC,MAAM,GAAG;SACjE,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAuC;IACnE,MAAM,IAAI,GAA2B,EAAE,CAAC;IACxC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,SAAS;QAC1E,MAAM,GAAG,GAAG,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACxE,MAAM,GAAG,GAAG,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjE,MAAM,GAAG,GAAG,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjE,MAAM,CAAC,GAAG,OAAO,KAAK,CAAC,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,MAAM,CAAC,GAAG,OAAO,KAAK,CAAC,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;YAAE,SAAS;QAChD,IAAI,GAAG,IAAI,GAAG,KAAK,OAAO;YAAE,SAAS;QAErC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,CAAC,eAAe,CAAC;gBACvC,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE;gBACzB,MAAM,EAAE,KAAK;aACd,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC3E,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,uCAAuC,CAAC,CAAC;IAC3F,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/relay/daemon-relay-bridge.d.ts

@@ -5,10 +5,14 @@ export interface DaemonRelayBridgeOptions {
     relayEndpoint: string;
     relayServerUrl: string;
     workspaceId: string;
-    enrollToken: string;
+    runtimeTargetId?: string;
+    machineId?: string;
     issueToken?: string;
     daemonWsUrl: string;
     daemonAuthToken?: string;
+    daemonTlsVerify?: 'auto' | '0' | '1';
+    daemonCaCertPath?: string;
+    daemonTlsPins?: string[];
     relayTlsVerify?: 'auto' | '0' | '1';
     relayCaCertPath?: string;
     relayTlsPins?: string[];
@@ -46,10 +50,7 @@ export declare class DaemonRelayBridge {
     private daemonIdentity;
     private daemonIssueToken;
     private requiredProfile;
-    private readonly relayTokenJwksUrl;
-    private readonly relayTokenSigningKeys;
-    private jwksCacheExpiresAt;
-    private jwksCacheKeys;
+    private readonly relayTokenIssuer;
     private readonly relaySessions;
     private readonly pairingChannelKeys;
     private consecutiveIssueFailures;
@@ -69,24 +70,19 @@ export declare class DaemonRelayBridge {
     stop(): Promise<void>;
     private ensureKeyMaterial;
     private registerDaemonPublicKey;
-    private persistIssueToken;
     private connectLoop;
     private installSocketHandlers;
     private sendToAllRelaySessions;
-    private acceptInboundSeq;
-    private pruneIdleSessions;
     private enforceRelaySessionCapacity;
     private handleRelayControlFrame;
     private handleKeyExchangeInit;
     private handleKeyExchangeInitV3;
     private handlePairingOfferRequest;
     private handlePairingRedeemRequest;
-    private prunePairingChannelKeys;
+    prunePairingChannelKeys(now?: number, maxAgeMs?: number, maxEntries?: number): void;
     private flushPendingOutbound;
     private resolvePolicyCPairingSecret;
     private issueRelayToken;
-    private resolveRelayTokenVerificationKeys;
-    private normalizeError;
     private recordError;
     private reportStatus;
 }

package/dist/relay/daemon-relay-bridge.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"daemon-relay-bridge.d.ts","sourceRoot":"","sources":["../../src/relay/daemon-relay-bridge.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAS,MAAM,qBAAqB,CAAC;AAU9D,OAAO,EACL,eAAe,EACf,eAAe,EACf,aAAa,EAEb,WAAW,EACZ,MAAM,oBAAoB,CAAC;AAe5B,OAAO,EAAe,KAAK,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAqDvE,MAAM,WAAW,wBAAwB;IACvC,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC;IACpC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,qBAAqB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/C,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAgBD,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC;AAM1F,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,SAAS,GAAG,YAAY,GAAG,WAAW,GAAG,eAAe,GAAG,cAAc,CAAC;IACjF,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,eAAe,CAAC;IAChC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AA2ID,qBAAa,iBAAiB;IA6BhB,OAAO,CAAC,QAAQ,CAAC,OAAO;IA5BpC,OAAO,CAAC,OAAO,CAAwB;IACvC,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,gBAAgB,CAAK;IAC7B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAgB;IAChD,OAAO,CAAC,oBAAoB,CAAK;IACjC,OAAO,CAAC,cAAc,CAAoC;IAC1D,OAAO,CAAC,gBAAgB,CAAgB;IACxC,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAqB;IACvD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAyB;IAC/D,OAAO,CAAC,kBAAkB,CAAK;IAC/B,OAAO,CAAC,aAAa,CAA8B;IACnD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAwC;IACtE,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAyD;IAC5F,OAAO,CAAC,wBAAwB,CAAK;IACrC,OAAO,CAAC,kBAAkB,CAAK;IAC/B,OAAO,CAAC,aAAa,CAA8B;IACnD,OAAO,CAAC,gBAAgB,CAAqB;IAC7C,OAAO,CAAC,WAAW,CAAqB;IACxC,OAAO,CAAC,KAAK,CAA+C;IAC5D,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAS;IAChD,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAC7C,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAS;IAClD,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAS;gBAEnB,OAAO,EAAE,wBAAwB;IA+B9D,SAAS,IAAI,uBAAuB;IAW9B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAQtB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAcb,iBAAiB;YAMjB,uBAAuB;YA4DvB,iBAAiB;YAgBjB,WAAW;IA6GzB,OAAO,CAAC,qBAAqB;IAgF7B,OAAO,CAAC,sBAAsB;IA0B9B,OAAO,CAAC,gBAAgB;IAiBxB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,2BAA2B;YAYrB,uBAAuB;YAgFvB,qBAAqB;YAiFrB,uBAAuB;YAkFvB,yBAAyB;YAiEzB,0BAA0B;IA0FxC,OAAO,CAAC,uBAAuB;IAsB/B,OAAO,CAAC,oBAAoB;YAYd,2BAA2B;YAa3B,eAAe;YA0Ef,iCAAiC;IA4E/C,OAAO,CAAC,cAAc;IAUtB,OAAO,CAAC,WAAW;IAMnB,OAAO,CAAC,YAAY;CAGrB"}
+{"version":3,"file":"daemon-relay-bridge.d.ts","sourceRoot":"","sources":["../../src/relay/daemon-relay-bridge.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAS,MAAM,qBAAqB,CAAC;AAS9D,OAAO,EACL,eAAe,EACf,eAAe,EACf,aAAa,EAEb,WAAW,EACZ,MAAM,oBAAoB,CAAC;AAgB5B,OAAO,EAIL,KAAK,eAAe,EACrB,MAAM,oBAAoB,CAAC;AA4B5B,MAAM,WAAW,wBAAwB;IACvC,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC;IACrC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC;IACpC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,qBAAqB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/C,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAID,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC;AAM1F,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,SAAS,GAAG,YAAY,GAAG,WAAW,GAAG,eAAe,GAAG,cAAc,CAAC;IACjF,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,eAAe,CAAC;IAChC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,iBAAiB;IA0BhB,OAAO,CAAC,QAAQ,CAAC,OAAO;IAzBpC,OAAO,CAAC,OAAO,CAAwB;IACvC,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,gBAAgB,CAAK;IAC7B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAgB;IAChD,OAAO,CAAC,oBAAoB,CAAK;IACjC,OAAO,CAAC,cAAc,CAAoC;IAC1D,OAAO,CAAC,gBAAgB,CAAgB;IACxC,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;IACpD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAwC;IACtE,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAwC;IAC3E,OAAO,CAAC,wBAAwB,CAAK;IACrC,OAAO,CAAC,kBAAkB,CAAK;IAC/B,OAAO,CAAC,aAAa,CAA8B;IACnD,OAAO,CAAC,gBAAgB,CAAqB;IAC7C,OAAO,CAAC,WAAW,CAAqB;IACxC,OAAO,CAAC,KAAK,CAA+C;IAC5D,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAS;IAChD,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAC7C,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAS;IAClD,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAS;gBAEnB,OAAO,EAAE,wBAAwB;IA8B9D,SAAS,IAAI,uBAAuB;IAW9B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAQtB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAcb,iBAAiB;YAMjB,uBAAuB;YAYvB,WAAW;IAsFzB,OAAO,CAAC,qBAAqB;IAkF7B,OAAO,CAAC,sBAAsB;IAS9B,OAAO,CAAC,2BAA2B;YAYrB,uBAAuB;YAgFvB,qBAAqB;YA0ErB,uBAAuB;YAgFvB,yBAAyB;YAoBzB,0BAA0B;IAkBxC,uBAAuB,CACrB,GAAG,SAAa,EAChB,QAAQ,SAA2B,EACnC,UAAU,SAAgC,GACzC,IAAI;IAIP,OAAO,CAAC,oBAAoB;YAYd,2BAA2B;IAazC,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,WAAW;IAMnB,OAAO,CAAC,YAAY;CAGrB"}