npm - @zero-transfer/sdk - Versions diffs - 0.1.6 → 0.4.0 - Mend

@zero-transfer/sdk 0.1.6 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +2 -4
package/assets/zero-transfer-logo.svg +0 -35
package/dist/index.cjs +4556 -1136
package/dist/index.cjs.map +1 -1
package/dist/index.d.mts +918 -59
package/dist/index.d.ts +918 -59
package/dist/index.mjs +4552 -1134
package/dist/index.mjs.map +1 -1
package/package.json +6 -4

package/dist/index.d.mts CHANGED Viewed

@@ -1,8 +1,9 @@
 import { EventEmitter } from 'node:events';
 import { SecureVersion, PeerCertificate } from 'node:tls';
 import { Readable } from 'node:stream';
-import { BaseAgent, Algorithms, ConnectConfig, Client, SFTPWrapper } from 'ssh2';
 import { Buffer as Buffer$1 } from 'node:buffer';
+import { Socket } from 'node:net';
+import { KeyObject } from 'node:crypto';
 /**
  * Structured logging contracts and helpers for ZeroTransfer.
@@ -306,10 +307,25 @@ interface RemoteStat extends RemoteEntry {
 type TlsSecretSource = SecretSource | SecretSource[];
 /** Known-hosts material source accepted by SSH connection profiles. */
 type SshKnownHostsSource = SecretSource | SecretSource[];
+/** Minimal SSH agent contract used by profile validation and SSH adapters. */
+interface SshAgentLike {
+    /** Returns public identities exposed by the agent implementation. */
+    getIdentities: (...args: any[]) => unknown;
+    /** Signs payloads using a selected identity. */
+    sign: (...args: any[]) => unknown;
+}
+/** Ordered algorithm list mutation operations used by SSH adapters. */
+interface SshAlgorithmMutations {
+    append?: string | readonly string[];
+    prepend?: string | readonly string[];
+    remove?: string | readonly string[];
+}
+/** Single SSH algorithm override value accepted by connection profiles. */
+type SshAlgorithmOverride = readonly string[] | SshAlgorithmMutations;
 /** SSH agent source accepted by SFTP providers. */
-type SshAgentSource = string | BaseAgent;
+type SshAgentSource = string | SshAgentLike;
 /** SSH transport algorithm overrides accepted by SFTP providers. */
-type SshAlgorithms = Algorithms;
+type SshAlgorithms = Record<string, SshAlgorithmOverride | undefined>;
 /** Context passed to SSH socket factories before opening an SSH session. */
 interface SshSocketFactoryContext {
     /** Target SSH host from the resolved connection profile. */
@@ -327,7 +343,7 @@ interface SshSocketFactoryContext {
  * Use this hook for HTTP CONNECT, SOCKS, bastion, or custom tunnel integrations.
  *
  * @param context - Resolved SSH target information for the socket being opened.
- * @returns Preconnected readable stream, or a promise for one, passed to ssh2's `sock` option.
+ * @returns Preconnected readable stream, or a promise for one, passed to the SSH adapter socket option.
  */
 type SshSocketFactory = (context: SshSocketFactoryContext) => Readable | Promise<Readable>;
 /** Prompt metadata supplied by an SSH keyboard-interactive server challenge. */
@@ -1637,23 +1653,83 @@ interface RunConnectionDiagnosticsOptions {
  */
 declare function runConnectionDiagnostics(options: RunConnectionDiagnosticsOptions): Promise<ConnectionDiagnosticsResult>;
+/** Options for {@link createPooledTransferClient}. */
+interface ConnectionPoolOptions {
+    /**
+     * Maximum number of *idle* sessions retained per pool key.
+     *
+     * Active leases are not counted against this limit — the cap only applies
+     * to sessions waiting in the pool. When more than `maxIdlePerKey` sessions
+     * become idle simultaneously, the oldest ones are disconnected. Defaults
+     * to `4`.
+     */
+    maxIdlePerKey?: number;
+    /**
+     * How long an idle session may sit unused before it is automatically
+     * disconnected. Defaults to `60_000` ms. Set to `0` to disable the timer
+     * (idle sessions persist until `drainPool()` is called).
+     */
+    idleTimeoutMs?: number;
+    /**
+     * Custom pool key derivation. Receives the resolved
+     * {@link ConnectionProfile} (after TransferClient validation) and must
+     * return a string. Sessions with matching keys are pooled together; never
+     * include secrets in the key.
+     *
+     * The default derives the key from `provider`, `host`, `port`, and
+     * `username`.
+     */
+    keyOf?: (profile: ConnectionProfile) => string;
+}
+/**
+ * Pool-aware {@link TransferClient} returned by
+ * {@link createPooledTransferClient}.
+ */
+interface PooledTransferClient {
+    /** Opens (or leases) a pooled provider session. */
+    connect(profile: ConnectionProfile): Promise<TransferSession>;
+    /** Inspects the registered providers (delegated to the underlying client). */
+    hasProvider(providerId: ProviderId): boolean;
+    /** Returns the registered capability snapshots (delegated). */
+    getCapabilities(): CapabilitySet[];
+    /** Returns a specific capability snapshot (delegated). */
+    getCapabilities(providerId: ProviderId): CapabilitySet;
+    /**
+     * Disconnects every idle session and prevents further pooling. After
+     * `drainPool()` resolves, subsequent `connect()` calls still work but
+     * always create fresh sessions (and never return them to the pool).
+     */
+    drainPool(): Promise<void>;
+    /** Returns the number of idle sessions currently held in the pool. */
+    poolSize(): number;
+}
+/**
+ * Wraps a {@link TransferClient} with connection pooling.
+ *
+ * @param inner - Underlying client used to create real provider sessions.
+ * @param options - Pool sizing, eviction, and key-derivation overrides.
+ * @returns A {@link PooledTransferClient} that reuses idle sessions.
+ */
+declare function createPooledTransferClient(inner: TransferClient, options?: ConnectionPoolOptions): PooledTransferClient;
 /**
  * Built-in provider capability matrix.
  *
  * Aggregates the {@link CapabilitySet} advertised by every shipped provider
  * factory so applications, docs, and diagnostics can compare features across
  * providers without instantiating each one. The S3 entry is captured twice —
- * once with multipart upload disabled (default) and once with multipart
- * upload enabled — because that flag flips `resumeUpload`.
+ * once with the new multipart-by-default configuration and once with
+ * `multipart.enabled: false` for the legacy single-shot variant — because
+ * that flag flips `resumeUpload`.
  *
  * @module providers/capabilityMatrix
  */
 /** Identifier for an entry in {@link getBuiltinCapabilityMatrix}. */
-type BuiltinProviderMatrixId = ProviderId | "s3:multipart";
+type BuiltinProviderMatrixId = ProviderId | "s3:single-shot";
 /** Single entry in the built-in capability matrix. */
 interface BuiltinCapabilityMatrixEntry {
-    /** Stable matrix identifier (provider id, or `s3:multipart` for the multipart variant). */
+    /** Stable matrix identifier (provider id, or `s3:single-shot` for the legacy variant). */
     id: BuiltinProviderMatrixId;
     /** Human-readable label, suitable for documentation tables. */
     label: string;
@@ -1877,6 +1953,24 @@ interface WebDavProviderOptions {
     fetch?: HttpFetch;
     /** Default headers applied to every request. */
     defaultHeaders?: Record<string, string>;
+    /**
+     * Streaming policy for `PUT` request bodies.
+     *
+     * - `"when-known-size"` (default) — stream when the caller declares
+     *   `request.totalBytes` (an explicit `Content-Length` is sent so all
+     *   WebDAV servers accept the upload); otherwise buffer the entire body in
+     *   memory before sending. This is the safe default that does not require
+     *   the server to accept HTTP/1.1 chunked transfer-encoding.
+     * - `"always"` — always stream the body, even when the size is unknown
+     *   (the runtime will use chunked transfer-encoding). Some legacy WebDAV
+     *   servers reject `Transfer-Encoding: chunked` and will respond `411
+     *   Length Required` or `501 Not Implemented`; only enable this for
+     *   servers known to accept chunked uploads (modern Apache/nginx, IIS
+     *   with chunked transfer enabled, Nextcloud, ownCloud, sabre/dav).
+     * - `"never"` — always buffer (legacy behaviour pre-0.4.0). Use for
+     *   maximum compatibility at the cost of memory.
+     */
+    uploadStreaming?: "when-known-size" | "always" | "never";
 }
 /**
  * Creates a WebDAV provider factory.
@@ -1911,7 +2005,14 @@ interface S3ProviderOptions {
 }
 /** Multipart upload tuning for the S3 provider. */
 interface S3MultipartOptions {
-    /** Enable multipart upload. Defaults to `false`. */
+    /**
+     * Enable multipart upload. **Defaults to `true`** so large objects stream
+     * in fixed-size parts instead of being buffered in memory before a single
+     * `PUT`. Payloads at or below {@link S3MultipartOptions.thresholdBytes}
+     * still fall back to a single-shot `PUT` automatically. Set to `false` to
+     * force the legacy single-shot behaviour (e.g. when targeting an
+     * S3-compatible endpoint that does not support `CreateMultipartUpload`).
+     */
     enabled?: boolean;
     /** Object size threshold in bytes above which multipart is used. Defaults to 8 MiB. */
     thresholdBytes?: number;
@@ -1957,6 +2058,41 @@ interface S3MultipartResumeStore {
 }
 /** Creates an in-memory {@link S3MultipartResumeStore}. */
 declare function createMemoryS3MultipartResumeStore(): S3MultipartResumeStore;
+/** Options for {@link createFileSystemS3MultipartResumeStore}. */
+interface FileSystemS3MultipartResumeStoreOptions {
+    /**
+     * Directory under which checkpoint JSON files are written. Created
+     * recursively if it does not exist. Each upload occupies a single file
+     * named after a SHA-256 hash of the resume key, so the directory is safe
+     * to share across many concurrent uploads.
+     */
+    directory: string;
+}
+/**
+ * File-system backed {@link S3MultipartResumeStore} that survives process
+ * restarts. Each in-flight multipart upload is checkpointed to a single
+ * JSON file in `options.directory` after every part. On retry the upload
+ * reuses the stored `uploadId` and skips parts that S3 has already
+ * accepted.
+ *
+ * The implementation writes atomically (`<file>.tmp` then `rename`) so a
+ * crash mid-write cannot leave a corrupt checkpoint.
+ *
+ * @example
+ * ```ts
+ * import { createFileSystemS3MultipartResumeStore, createS3ProviderFactory }
+ *   from "@zero-transfer/sdk";
+ *
+ * const resumeStore = createFileSystemS3MultipartResumeStore({
+ *   directory: "./.zt-s3-resume",
+ * });
+ *
+ * const factory = createS3ProviderFactory({
+ *   multipart: { enabled: true, resumeStore },
+ * });
+ * ```
+ */
+declare function createFileSystemS3MultipartResumeStore(options: FileSystemS3MultipartResumeStoreOptions): S3MultipartResumeStore;
 /**
  * Creates an S3-compatible provider factory.
  *
@@ -2568,6 +2704,554 @@ declare function redactValue(value: unknown): unknown;
  */
 declare function redactObject(input: Record<string, unknown>): Record<string, unknown>;
+/** Algorithm lists exchanged during SSH KEXINIT negotiation. */
+interface SshAlgorithmPreferences {
+    compressionClientToServer: readonly string[];
+    compressionServerToClient: readonly string[];
+    encryptionClientToServer: readonly string[];
+    encryptionServerToClient: readonly string[];
+    kexAlgorithms: readonly string[];
+    languagesClientToServer: readonly string[];
+    languagesServerToClient: readonly string[];
+    macClientToServer: readonly string[];
+    macServerToClient: readonly string[];
+    serverHostKeyAlgorithms: readonly string[];
+}
+/** Selected algorithms after intersecting client preferences with server capabilities. */
+interface NegotiatedSshAlgorithms {
+    compressionClientToServer: string;
+    compressionServerToClient: string;
+    encryptionClientToServer: string;
+    encryptionServerToClient: string;
+    kexAlgorithm: string;
+    languageClientToServer?: string;
+    languageServerToClient?: string;
+    macClientToServer: string;
+    macServerToClient: string;
+    serverHostKeyAlgorithm: string;
+}
+/**
+ * Baseline algorithm order for the initial native SSH transport implementation.
+ */
+declare const DEFAULT_SSH_ALGORITHM_PREFERENCES: Readonly<SshAlgorithmPreferences>;
+/**
+ * Intersects client and server algorithm lists using SSH's client-priority selection model.
+ */
+declare function negotiateSshAlgorithms(client: SshAlgorithmPreferences, server: SshAlgorithmPreferences): NegotiatedSshAlgorithms;
+/** Parsed SSH identification components from the RFC 4253 banner line. */
+interface SshIdentification {
+    protocolVersion: string;
+    softwareVersion: string;
+    comments?: string;
+    raw: string;
+}
+/** Parsed SSH_MSG_KEXINIT payload. */
+interface SshKexInitMessage extends SshAlgorithmPreferences {
+    cookie: Buffer$1;
+    firstKexPacketFollows: boolean;
+    messageType: number;
+    reserved: number;
+}
+/** Directional key material used after SSH NEWKEYS. */
+interface SshTransportDirectionKeys {
+    encryptionKey: Buffer$1;
+    iv: Buffer$1;
+    macKey: Buffer$1;
+}
+/** Session key bundle derived from K, H, and session id. */
+interface SshDerivedSessionKeys {
+    clientToServer: SshTransportDirectionKeys;
+    exchangeHash: Buffer$1;
+    serverToClient: SshTransportDirectionKeys;
+    sessionId: Buffer$1;
+}
+/** Initial client-side handshake state before key exchange math starts. */
+interface SshTransportHandshakeResult {
+    keyExchange: {
+        algorithm: string;
+        clientKexInitPayload: Buffer$1;
+        clientPublicKey: Buffer$1;
+        exchangeHash: Buffer$1;
+        serverHostKey: Buffer$1;
+        serverKexInitPayload: Buffer$1;
+        serverPublicKey: Buffer$1;
+        serverSignature: Buffer$1;
+        sessionId: Buffer$1;
+        sharedSecret: Buffer$1;
+        transportKeys: {
+            clientToServer: SshDerivedSessionKeys["clientToServer"];
+            serverToClient: SshDerivedSessionKeys["serverToClient"];
+        };
+    };
+    negotiatedAlgorithms: NegotiatedSshAlgorithms;
+    serverIdentification: SshIdentification;
+    serverKexInit: SshKexInitMessage;
+    /**
+     * Number of unencrypted packets the client sent during the handshake (KEXINIT,
+     * KEX_ECDH_INIT, NEWKEYS). Per RFC 4253 §6.4, packet sequence numbers are never
+     * reset across NEWKEYS, so this value seeds the outbound protector.
+     */
+    outboundPacketCount: number;
+    /**
+     * Number of unencrypted packets the client received from the server during the
+     * handshake (server KEXINIT, KEX_ECDH_REPLY, NEWKEYS). Seeds the inbound unprotector.
+     */
+    inboundPacketCount: number;
+}
+/**
+ * Client-side SSH handshake coordinator for version exchange and KEXINIT negotiation.
+ */
+declare class SshTransportHandshake {
+    private readonly options;
+    private readonly clientAlgorithms;
+    private readonly clientIdentificationLine;
+    private readonly clientKexInitPayload;
+    private readonly identificationLines;
+    private readonly packetFramer;
+    private readonly pendingIdentification;
+    private phase;
+    private inboundPacketCount;
+    private outboundPacketCount;
+    private pendingCurve25519;
+    private pendingKeyExchange;
+    private serverIdentification;
+    constructor(options?: {
+        algorithms?: SshAlgorithmPreferences;
+        clientComments?: string;
+        clientSoftwareVersion?: string;
+        kexCookie?: Uint8Array;
+        /**
+         * Verifies the server's host key after the signature check passes.
+         * Receives the SSH wire-format host key blob and its SHA-256 digest.
+         * Throwing rejects the handshake; resolving accepts it.
+         *
+         * If omitted, the host key is accepted as long as its signature over the
+         * exchange hash verifies. Callers SHOULD supply this hook in production
+         * to enforce known_hosts or pinned-fingerprint policies.
+         */
+        verifyHostKey?: (input: {
+            hostKeyBlob: Buffer$1;
+            hostKeySha256: Buffer$1;
+            algorithmName: string;
+        }) => void | Promise<void>;
+    });
+    /** Creates the first outbound bytes (client identification line). */
+    createInitialClientBytes(): Buffer$1;
+    /**
+     * Feeds raw server bytes into the handshake state machine.
+     */
+    pushServerBytes(chunk: Uint8Array): {
+        outbound: Buffer$1[];
+        result?: SshTransportHandshakeResult;
+    };
+    getServerBannerLines(): readonly string[];
+    isComplete(): boolean;
+    /**
+     * Returns any bytes received after the last complete handshake packet and clears the buffer.
+     * Call this once after `pushServerBytes` returns a result to drain bytes that belong to the
+     * post-NEWKEYS encrypted phase but arrived in the same TCP segment as NEWKEYS.
+     */
+    takeRemainingBytes(): Buffer$1;
+    private pushServerBytesWithPhase;
+}
+/** Standard SSH disconnect reason codes (RFC 4253 §11.1). */
+declare const SshDisconnectReason: {
+    readonly HOST_NOT_ALLOWED_TO_CONNECT: 1;
+    readonly PROTOCOL_ERROR: 2;
+    readonly KEY_EXCHANGE_FAILED: 3;
+    readonly MAC_ERROR: 5;
+    readonly COMPRESSION_ERROR: 6;
+    readonly SERVICE_NOT_AVAILABLE: 7;
+    readonly PROTOCOL_VERSION_NOT_SUPPORTED: 8;
+    readonly HOST_KEY_NOT_VERIFIABLE: 9;
+    readonly CONNECTION_LOST: 10;
+    readonly BY_APPLICATION: 11;
+    readonly TOO_MANY_CONNECTIONS: 12;
+    readonly AUTH_CANCELLED_BY_USER: 13;
+    readonly NO_MORE_AUTH_METHODS: 14;
+    readonly ILLEGAL_USER_NAME: 15;
+};
+type SshDisconnectReason = (typeof SshDisconnectReason)[keyof typeof SshDisconnectReason];
+interface SshTransportConnectionOptions {
+    /** AbortSignal that cancels the in-flight `connect()` call and tears down the socket. */
+    abortSignal?: AbortSignal;
+    /** Algorithm preference overrides. Defaults to the library defaults. */
+    algorithms?: SshAlgorithmPreferences;
+    /** SSH software version string embedded in the identification line. */
+    clientSoftwareVersion?: string;
+    /**
+     * Hard cap (milliseconds) on the SSH identification + key exchange + first
+     * NEWKEYS handshake. If exceeded the socket is destroyed and `connect()`
+     * rejects with a `TimeoutError`. Has no effect once `connect()` resolves.
+     */
+    handshakeTimeoutMs?: number;
+    /**
+     * If set, sends a `SSH_MSG_IGNORE` packet every `keepaliveIntervalMs`
+     * milliseconds while the transport is connected and idle. This prevents
+     * stateful NAT / firewall devices from dropping long-lived idle sessions
+     * (e.g. between batches in a transfer queue). The timer is reset on every
+     * outbound payload, so active transfers do not generate extra traffic.
+     */
+    keepaliveIntervalMs?: number;
+    /**
+     * Synchronous host-key policy hook invoked after the signature on the SSH
+     * exchange hash is verified. Throw to reject the server's identity.
+     */
+    verifyHostKey?: (input: {
+        hostKeyBlob: Buffer$1;
+        hostKeySha256: Buffer$1;
+        algorithmName: string;
+    }) => void;
+}
+/**
+ * Live SSH transport connection over a TCP socket.
+ *
+ * Runs the SSH identification exchange and key exchange handshake on the supplied socket,
+ * then provides an encrypted packet send/receive interface for higher-level SSH layers
+ * (authentication, connection, SFTP subsystem).
+ *
+ * Usage:
+ * ```ts
+ * const conn = new SshTransportConnection();
+ * const result = await conn.connect(socket);        // runs handshake
+ * conn.sendPayload(payload);                        // post-NEWKEYS send
+ * for await (const payload of conn.receivePayloads()) { ... }
+ * conn.disconnect();
+ * ```
+ */
+declare class SshTransportConnection {
+    private readonly options;
+    private connected;
+    private disposed;
+    private protector;
+    private unprotector;
+    private socket;
+    private keepaliveTimer;
+    private readonly inboundQueue;
+    /**
+     * FIFO of waiters when the queue is empty. Multiple iterators may suspend on
+     * the same transport (auth session, channel setup, connection-manager pump);
+     * each receives exactly one entry in arrival order. A single-slot field would
+     * lose wakeups when a second consumer suspends before the first is resolved.
+     */
+    private readonly waitingConsumers;
+    constructor(options?: SshTransportConnectionOptions);
+    /**
+     * Runs the SSH handshake on a TCP-connected socket.
+     * Resolves when NEWKEYS completes and the transport is ready for encrypted messages.
+     * Rejects on socket error, abort, or protocol failure.
+     */
+    connect(socket: Socket): Promise<SshTransportHandshakeResult>;
+    /**
+     * Sends an SSH payload over the encrypted transport.
+     * The payload must start with the SSH message type byte.
+     */
+    sendPayload(payload: Buffer$1 | Uint8Array): void;
+    /**
+     * Async generator that yields inbound SSH payloads (post-NEWKEYS).
+     *
+     * Transparent handling:
+     * - SSH_MSG_IGNORE (2) and SSH_MSG_DEBUG (4) are silently dropped.
+     * - SSH_MSG_DISCONNECT (1) from the server throws a `ConnectionError`.
+     * - Socket error or close terminates the generator.
+     */
+    receivePayloads(): AsyncGenerator<Buffer$1>;
+    /**
+     * Sends SSH_MSG_DISCONNECT and ends the socket.
+     * Safe to call multiple times; subsequent calls are no-ops.
+     */
+    disconnect(reason?: SshDisconnectReason, description?: string): void;
+    isConnected(): boolean;
+    private onEncryptedData;
+    private onSocketError;
+    private onSocketClose;
+    private enqueueEntry;
+    private dequeuePayload;
+    private assertConnected;
+    private startKeepalive;
+    private stopKeepalive;
+    private resetKeepaliveTimer;
+    private sendKeepalivePing;
+}
+interface SshPasswordCredential {
+    type: "password";
+    username: string;
+    password: string;
+}
+interface SshPublickeyCredential {
+    type: "publickey";
+    username: string;
+    algorithmName: string;
+    /** Raw public key blob in SSH wire format (e.g. the bytes returned by ssh-keygen -e -f key.pub). */
+    publicKeyBlob: Uint8Array;
+    /**
+     * Signs the challenge data.  The data is already the complete sign-data per RFC 4252 §7.
+     * Should return the signature blob (without algorithm prefix; caller adds wrapping).
+     */
+    sign: (data: Uint8Array) => Promise<Uint8Array> | Uint8Array;
+}
+interface SshKeyboardInteractiveCredential {
+    type: "keyboard-interactive";
+    username: string;
+    /**
+     * Called for each INFO_REQUEST round.  Return one string per prompt in order.
+     */
+    respond: (name: string, instruction: string, prompts: Array<{
+        echo: boolean;
+        prompt: string;
+    }>) => Promise<string[]> | string[];
+}
+type SshCredential = SshPasswordCredential | SshPublickeyCredential | SshKeyboardInteractiveCredential;
+interface SshAuthOptions {
+    credential: SshCredential;
+    /** SSH session id (exchange hash) from key exchange — required for publickey signing. */
+    sessionId: Uint8Array;
+    /** Maximum number of USERAUTH_FAILURE retries before giving up. Defaults to 4. */
+    maxAttempts?: number;
+}
+interface SshAuthResult {
+    /** Banner lines received from the server during authentication. */
+    bannerLines: string[];
+    /** Auth method that succeeded. */
+    method: string;
+}
+/**
+ * Runs SSH user authentication over an encrypted transport connection.
+ *
+ * Call this after `SshTransportConnection.connect()` completes.
+ * Returns a generator of inbound payloads for the upper (connection) layer to consume.
+ * Resolves with an `SshAuthResult` on success; throws `AuthenticationError` on failure.
+ */
+declare class SshAuthSession {
+    private readonly transport;
+    constructor(transport: SshTransportConnection);
+    authenticate(options: SshAuthOptions): Promise<SshAuthResult>;
+    private runKeyboardInteractiveRounds;
+    private pendingPayload;
+    private nextPayload;
+    private nextPayloadSkippingBanners;
+}
+interface BuildPublickeyCredentialOptions {
+    /** Username to authenticate as. */
+    username: string;
+    /** Decoded private key (OpenSSH or PKCS8 PEM accepted by `crypto.createPrivateKey`). */
+    privateKey: KeyObject;
+    /**
+     * For RSA keys, the SSH signature algorithm. Defaults to `rsa-sha2-512`.
+     * Ignored for Ed25519 keys.
+     */
+    rsaSignatureAlgorithm?: "rsa-sha2-256" | "rsa-sha2-512";
+}
+declare function buildPublickeyCredential(options: BuildPublickeyCredentialOptions): SshPublickeyCredential;
+/**
+ * SSH session channel (RFC 4254 §6).
+ *
+ * Manages a single "session" channel from the client side:
+ *   CHANNEL_OPEN → OPEN_CONFIRMATION → CHANNEL_REQUEST (subsystem/exec) →
+ *   bidirectional CHANNEL_DATA with window management → CHANNEL_EOF/CLOSE.
+ *
+ * Window management strategy:
+ *   - Local window starts at INITIAL_WINDOW_SIZE.
+ *   - When consumed bytes exceed WINDOW_REFILL_THRESHOLD, a WINDOW_ADJUST is sent.
+ *   - Outbound data respects the remote window; excess is queued and flushed
+ *     as the remote issues WINDOW_ADJUST messages.
+ */
+interface SshSessionChannelOptions {
+    /**
+     * Local channel id allocated by the caller.
+     * If omitted, defaults to 0 (single-channel use case).
+     */
+    localChannelId?: number;
+}
+/**
+ * A single SSH session channel.
+ * Not safe to share across concurrent callers; each SftpSession should own one.
+ */
+declare class SshSessionChannel {
+    private readonly transport;
+    private phase;
+    /** Remote channel id assigned by the server in OPEN_CONFIRMATION. */
+    private remoteChannelId;
+    /** Bytes the remote side can still receive before we must stop sending. */
+    private remoteWindowRemaining;
+    /** Maximum packet data size the remote accepts. */
+    private remoteMaxPacketSize;
+    /** Local window: bytes we can still accept from remote. */
+    private localWindowConsumed;
+    private localWindowSize;
+    /** Queue of inbound data for the `receiveData()` generator. */
+    private readonly inboundQueue;
+    private waitingConsumer;
+    /** Queue of outbound data waiting for remote window space. */
+    private readonly outboundQueue;
+    /**
+     * FIFO of waiters blocked on remote window credit. Each WINDOW_ADJUST wakes
+     * exactly one waiter; concurrent senders must not lose wakeups.
+     */
+    private readonly outboundDrainedWaiters;
+    /** Serializes sendData() calls so byte order on the wire matches call order. */
+    private sendChain;
+    private readonly localChannelId;
+    constructor(transport: SshTransportConnection, options?: SshSessionChannelOptions);
+    /**
+     * Opens the channel and requests a subsystem.
+     * Resolves once the server confirms both CHANNEL_OPEN and the subsystem request.
+     */
+    openSubsystem(subsystemName: string): Promise<void>;
+    /**
+     * Opens the channel and executes a command.
+     */
+    openExec(command: string): Promise<void>;
+    private openChannel;
+    private requestSubsystem;
+    private requestExec;
+    private awaitChannelRequestReply;
+    /**
+     * Sends data on the channel. Respects the remote window; if there is no space,
+     * splits the data and queues the remainder for when WINDOW_ADJUST arrives.
+     *
+     * Concurrent calls are serialized so wire byte order matches call order.
+     */
+    sendData(data: Uint8Array): Promise<void>;
+    private sendDataLocked;
+    /**
+     * Async generator that yields raw data buffers from the channel.
+     * Returns (done) when the channel receives EOF or CLOSE.
+     */
+    receiveData(): AsyncGenerator<Buffer$1, void, undefined>;
+    /**
+     * Sends EOF and CLOSE.  Should be called when the client is done sending.
+     */
+    close(): void;
+    /**
+     * Feed an inbound transport payload to this channel.
+     * Called by the channel multiplexer (`SshConnectionManager`).
+     */
+    dispatch(payload: Buffer$1): void;
+    dispatchError(error: Error): void;
+    private consumeLocalWindow;
+    private enqueueInbound;
+    private dequeueInbound;
+    /** Pull the next payload from the transport (used during channel setup only). */
+    private nextPayload;
+}
+/**
+ * SSH connection protocol manager (RFC 4254).
+ *
+ * Drives the transport-level `receivePayloads()` generator and dispatches each
+ * payload to the right `SshSessionChannel` by recipient channel id.
+ *
+ * Lifecycle:
+ *   1. Create after auth succeeds.
+ *   2. Call `openSubsystemChannel("sftp")` or `openExecChannel(cmd)` to get a channel.
+ *   3. Drive the pump: `start()` returns a Promise that resolves when the transport
+ *      closes cleanly or rejects on a fatal error.
+ */
+declare class SshConnectionManager {
+    private readonly transport;
+    private readonly channels;
+    private nextLocalId;
+    private pumpPromise;
+    private pumpResolve;
+    private pumpReject;
+    /** Payloads that arrived before any channel registered (buffered for the first channel). */
+    private readonly pendingSetupPayloads;
+    private setupPayloadConsumer;
+    constructor(transport: SshTransportConnection);
+    /**
+     * Delivers the next connection-layer payload to callers during channel setup.
+     * Called by `SshSessionChannel` during `openChannel()` / `requestSubsystem()`.
+     *
+     * Channel setup happens sequentially before `start()` begins pumping, so we
+     * pull directly from the transport iterator here.
+     */
+    nextSetupPayload(): Promise<Buffer$1>;
+    /**
+     * Opens a session channel and starts the SFTP subsystem on it.
+     * Must be called before `start()`.
+     */
+    openSubsystemChannel(subsystemName: string): Promise<SshSessionChannel>;
+    /**
+     * Opens a session channel and runs the given command on it.
+     * Must be called before `start()`.
+     */
+    openExecChannel(command: string): Promise<SshSessionChannel>;
+    /**
+     * Starts the main dispatch loop.  Returns a Promise that resolves when the
+     * connection closes cleanly, or rejects on a fatal transport error.
+     *
+     * Call this after all channels have been opened and the application is ready
+     * to receive data.
+     */
+    start(): Promise<void>;
+    /**
+     * Runs channel setup (open + request) with a dedicated payload pump that
+     * pulls from the transport iterator and dispatches non-channel-setup messages
+     * to `pendingSetupPayloads` for later processing.
+     */
+    private runChannelSetup;
+    private pump;
+    private dispatch;
+    private terminateChannels;
+}
+/**
+ * Stateful SSH primitive decoder that reads sequential values from a packet payload.
+ */
+declare class SshDataReader {
+    private readonly source;
+    private offset;
+    constructor(source: Uint8Array);
+    get remaining(): number;
+    hasMore(): boolean;
+    readByte(): number;
+    readBoolean(): boolean;
+    readBytes(length: number): Buffer$1;
+    readUint32(): number;
+    readUint64(): bigint;
+    readString(): Buffer$1;
+    readUtf8String(): string;
+    readNameList(): string[];
+    /**
+     * Reads an SSH `mpint` value (RFC 4251 §5): a length-prefixed two's-complement
+     * big-endian integer. Returns the raw magnitude bytes (non-negative integers
+     * may have a leading 0x00 byte preserved by the caller as needed).
+     */
+    readMpint(): Buffer$1;
+    assertFinished(): void;
+    private ensureAvailable;
+}
+/**
+ * Minimal SSH primitive encoder for transport and authentication packets.
+ */
+declare class SshDataWriter {
+    private readonly chunks;
+    private length;
+    writeByte(value: number): this;
+    writeBoolean(value: boolean): this;
+    writeBytes(value: Uint8Array): this;
+    writeUint32(value: number): this;
+    writeUint64(value: bigint): this;
+    writeString(value: string | Uint8Array, encoding?: BufferEncoding): this;
+    writeMpint(value: Uint8Array): this;
+    writeNameList(values: readonly string[]): this;
+    toBuffer(): Buffer$1;
+    private push;
+    private assertByte;
+}
 /**
  * FTPS control-channel TLS mode.
  *
@@ -2822,71 +3506,246 @@ declare function parseMlsdLine(line: string, directory?: string): RemoteEntry;
  */
 declare function parseMlstTimestamp(input: string | undefined): Date | undefined;
-/** Options used to create an SFTP provider factory. */
-interface SftpProviderOptions {
-    /** Hash algorithm used before calling ssh2's host verifier, such as `sha256`. */
-    hostHash?: ConnectConfig["hostHash"];
-    /** Host-key verifier passed directly to ssh2 for advanced callers. */
-    hostVerifier?: ConnectConfig["hostVerifier"];
-    /** Default SSH handshake timeout in milliseconds when the profile does not provide `timeoutMs`. */
+/**
+ * SFTP v3 file attribute encoding and decoding (draft-ietf-secsh-filexfer-02 §5).
+ *
+ * ATTRS flags:
+ *   SSH_FILEXFER_ATTR_SIZE        0x00000001
+ *   SSH_FILEXFER_ATTR_UIDGID      0x00000002
+ *   SSH_FILEXFER_ATTR_PERMISSIONS 0x00000004
+ *   SSH_FILEXFER_ATTR_ACMODTIME   0x00000008
+ *   SSH_FILEXFER_ATTR_EXTENDED    0x80000000
+ */
+interface SftpFileAttributes {
+    /** File size in bytes. Present when SFTP_ATTR_FLAG.SIZE is set. */
+    size?: bigint;
+    /** User id. Present when SFTP_ATTR_FLAG.UIDGID is set. */
+    uid?: number;
+    /** Group id. Present when SFTP_ATTR_FLAG.UIDGID is set. */
+    gid?: number;
+    /** POSIX file permissions (octal mode). Present when SFTP_ATTR_FLAG.PERMISSIONS is set. */
+    permissions?: number;
+    /** Access time (seconds since Unix epoch). Present when SFTP_ATTR_FLAG.ACMODTIME is set. */
+    atime?: number;
+    /** Modification time (seconds since Unix epoch). Present when SFTP_ATTR_FLAG.ACMODTIME is set. */
+    mtime?: number;
+    /**
+     * Extended attributes as key-value pairs.
+     * Present when SFTP_ATTR_FLAG.EXTENDED is set.
+     */
+    extended?: Array<{
+        type: string;
+        data: Buffer$1;
+    }>;
+}
+/**
+ * SFTP v3 request and response message codecs (draft-ietf-secsh-filexfer-02).
+ *
+ * Each encode function produces the payload bytes that go inside an
+ * SSH_FXP_* packet (the type byte and length prefix are added by the framer).
+ *
+ * Each decode function accepts the full framed packet payload (starting at the
+ * byte immediately after the type byte, i.e. at request-id).
+ */
+interface SftpVersionResponse {
+    version: number;
+    extensions: Array<{
+        name: string;
+        data: string;
+    }>;
+}
+/** A single entry returned by SSH_FXP_NAME. */
+interface SftpNameEntry {
+    filename: string;
+    longname: string;
+    attrs: SftpFileAttributes;
+}
+/**
+ * SFTP v3 client session (draft-ietf-secsh-filexfer-02).
+ *
+ * Provides a fully concurrent, typed API over an open SSH session channel.
+ * Multiple requests can be in flight simultaneously; each is tracked by its
+ * SFTP request id.  Responses are dispatched to the correct awaiter.
+ *
+ * Lifecycle:
+ *   const channel = await connectionManager.openSubsystemChannel("sftp");
+ *   const sftp = new SftpSession(channel);
+ *   await sftp.init();
+ *   const handle = await sftp.open("/path/to/file", SFTP_OPEN_FLAG.READ, {});
+ *   const data = await sftp.read(handle, 0n, 4096);
+ *   await sftp.close(handle);
+ */
+declare class SftpSession {
+    private readonly channel;
+    private nextRequestId;
+    private readonly pending;
+    private readonly framer;
+    /** Resolves on the first packet (VERSION) during init(). */
+    private versionWaiter;
+    private serverVersion;
+    constructor(channel: SshSessionChannel);
+    /**
+     * Sends SSH_FXP_INIT and awaits SSH_FXP_VERSION.
+     * Must be called once before any other operation.
+     */
+    init(): Promise<SftpVersionResponse>;
+    get negotiatedVersion(): number;
+    /**
+     * Opens a remote file. Returns an opaque handle buffer.
+     */
+    open(path: string, pflags: number, attrs?: SftpFileAttributes): Promise<Buffer$1>;
+    /**
+     * Closes a file or directory handle.
+     */
+    close(handle: Uint8Array): Promise<void>;
+    /**
+     * Reads up to `length` bytes from `handle` at `offset`.
+     * Returns `null` on EOF.
+     */
+    read(handle: Uint8Array, offset: bigint, length: number): Promise<Buffer$1 | null>;
+    /**
+     * Writes `data` to `handle` at `offset`.
+     */
+    write(handle: Uint8Array, offset: bigint, data: Uint8Array): Promise<void>;
+    stat(path: string): Promise<SftpFileAttributes>;
+    lstat(path: string): Promise<SftpFileAttributes>;
+    fstat(handle: Uint8Array): Promise<SftpFileAttributes>;
+    setstat(path: string, attrs: SftpFileAttributes): Promise<void>;
+    fsetstat(handle: Uint8Array, attrs: SftpFileAttributes): Promise<void>;
+    opendir(path: string): Promise<Buffer$1>;
+    /**
+     * Reads one batch of directory entries.
+     * Returns an empty array when the server sends SSH_FX_EOF.
+     */
+    readdir(handle: Uint8Array): Promise<SftpNameEntry[]>;
+    /**
+     * Convenience: opens a directory, reads all entries, and closes the handle.
+     */
+    readdirAll(path: string): Promise<SftpNameEntry[]>;
+    remove(path: string): Promise<void>;
+    mkdir(path: string, attrs?: SftpFileAttributes): Promise<void>;
+    rmdir(path: string): Promise<void>;
+    realpath(path: string): Promise<string>;
+    rename(oldPath: string, newPath: string): Promise<void>;
+    readlink(path: string): Promise<string>;
+    symlink(linkPath: string, targetPath: string): Promise<void>;
+    private allocRequestId;
+    /**
+     * Sends raw SFTP message bytes over the channel.
+     * The message encoders embed the type byte at position 0, followed by the body.
+     * We prefix with a uint32 length so the remote SFTP framer can parse the frame.
+     *
+     * Send is asynchronous because the underlying SSH channel may apply
+     * backpressure when the remote window is exhausted; the channel itself
+     * serializes concurrent calls so byte ordering is preserved.
+     */
+    private sendRaw;
+    private pump;
+    private dispatchPacket;
+    private awaitResponse;
+}
+/**
+ * Options for {@link createNativeSftpProviderFactory}.
+ *
+ * The native provider is a zero-dependency replacement for the legacy
+ * `ssh2`-backed provider. It implements RFC 4253 SSH transport, RFC 4252 user
+ * authentication (`password`, `keyboard-interactive`, `publickey` with
+ * Ed25519/RSA), RFC 5656 ECDSA host keys (`nistp256/384/521`), and the
+ * SFTP v3 client protocol multiplexed over a single channel.
+ */
+interface NativeSftpProviderOptions {
+    /**
+     * Default connection timeout in milliseconds when the profile omits
+     * `timeoutMs`. Bounds both the TCP connect *and* the SSH identification +
+     * key-exchange handshake, so a hung server cannot stall `connect()`
+     * indefinitely after the socket is accepted.
+     */
     readyTimeoutMs?: number;
+    /**
+     * Default interval (milliseconds) between SSH-level keepalive pings sent
+     * once the transport is connected and idle. Prevents stateful firewalls /
+     * NAT devices from dropping long-lived sessions. The timer is reset on
+     * every outbound payload so active transfers do not generate extra
+     * traffic. Disabled when omitted or `0`.
+     */
+    keepaliveIntervalMs?: number;
+    /**
+     * Maximum concurrent file-transfer operations the engine should schedule
+     * against a single SFTP session. Each in-flight read/write occupies an
+     * outstanding SFTP request slot multiplexed over the same SSH channel; the
+     * default of `8` keeps memory bounded on commodity servers, but high-RTT
+     * links and modern OpenSSH builds can comfortably handle 16\u201364. Must be
+     * a positive integer.
+     */
+    maxConcurrency?: number;
 }
-/** Raw SFTP session handles exposed for advanced diagnostics. */
-interface SftpRawSession {
-    /** Underlying ssh2 client connection. */
-    client: Client;
-    /** Underlying ssh2 SFTP wrapper. */
-    sftp: SFTPWrapper;
+/**
+ * Low-level handles exposed by a native SFTP session for diagnostics and
+ * advanced extension. Most applications should use the
+ * {@link TransferSession} returned from `client.connect()` instead.
+ */
+interface NativeSftpRawSession {
+    /** SFTP v3 client multiplexed over the SSH session channel. */
+    sftp: SftpSession;
+    /** Underlying SSH transport (key exchange, packet protection, channel mux). */
+    transport: SshTransportConnection;
 }
 /**
- * Creates an SFTP provider factory backed by the mature `ssh2` implementation.
+ * Creates a {@link ProviderFactory} backed by the native SSH/SFTP protocol
+ * stack — no `ssh2` dependency required.
  *
- * @param options - Optional ssh2 host-key verifier and timeout defaults.
- * @returns Provider factory suitable for `createTransferClient({ providers: [...] })`.
+ * **Supported algorithms**
+ * - Key exchange: `curve25519-sha256`, `curve25519-sha256@libssh.org`
+ * - Host keys: `ssh-ed25519`, `ecdsa-sha2-nistp256/384/521`, `rsa-sha2-256`,
+ *   `rsa-sha2-512` (legacy SHA-1 `ssh-rsa` is rejected)
+ * - Ciphers: `aes128-ctr`, `aes256-ctr`
+ * - MACs: `hmac-sha2-256`, `hmac-sha2-512`
  *
- * @example Register and use
- * ```ts
- * import { createSftpProviderFactory, createTransferClient } from "@zero-transfer/sdk";
+ * **Authentication**
+ * - `password`
+ * - `keyboard-interactive` (RFC 4256)
+ * - `publickey` for Ed25519 and RSA private keys (`rsa-sha2-512` preferred,
+ *   `rsa-sha2-256` fallback). Encrypted keys are unlocked via
+ *   `profile.ssh.passphrase`.
  *
- * const client = createTransferClient({ providers: [createSftpProviderFactory()] });
+ * **Host-key verification**
+ * - The server's signature over the exchange hash is always verified.
+ * - Optional pinning via `profile.ssh.pinnedHostKeySha256` (`SHA256:...`,
+ *   raw base64, or hex).
+ * - Optional `profile.ssh.knownHosts` (OpenSSH format, hashed and plain
+ *   patterns, `[host]:port`, negation, and `@revoked` markers).
+ *
+ * **Resilience**
+ * - `readyTimeoutMs` bounds TCP connect + SSH handshake.
+ * - `keepaliveIntervalMs` keeps idle sessions alive through stateful
+ *   firewalls / NAT.
  *
+ * @example
+ * ```ts
+ * const client = createTransferClient({
+ *   providers: [createNativeSftpProviderFactory({
+ *     readyTimeoutMs: 10_000,
+ *     keepaliveIntervalMs: 30_000,
+ *   })],
+ * });
  * const session = await client.connect({
- *   host: "sftp.example.com",
  *   provider: "sftp",
+ *   host: "sftp.example.com",
  *   username: "deploy",
  *   ssh: {
- *     privateKey: { path: "./keys/id_ed25519" },
- *     // Optional but recommended for production:
- *     pinnedHostKeySha256: "SHA256:abc123basesixfourpinFromKnownHosts=",
+ *     privateKey: { kind: "literal", value: process.env.DEPLOY_KEY! },
+ *     pinnedHostKeySha256: "SHA256:abc...",
  *   },
  * });
  * ```
- *
- * Host-key verification (`ssh.knownHosts` and/or `ssh.pinnedHostKeySha256`) is
- * optional; without either, the client trusts whatever host key the server
- * presents. Use one for any non-lab deployment.
- */
-declare function createSftpProviderFactory(options?: SftpProviderOptions): ProviderFactory;
-/** Options for {@link createSftpJumpHostSocketFactory}. */
-interface SftpJumpHostOptions {
-    /** Static ssh2 connect configuration for the bastion. Mutually exclusive with {@link buildBastion}. */
-    bastion?: ConnectConfig;
-    /** Per-connection builder used to refresh credentials before each tunnel attempt. */
-    buildBastion?: (context: SshSocketFactoryContext) => ConnectConfig | Promise<ConnectConfig>;
-    /** Optional logger used for tunnel diagnostics. */
-    logger?: ZeroTransferLogger;
-    /** Optional ssh2 client factory override used in tests. */
-    createClient?: () => Client;
-}
-/**
- * Builds an {@link SshSocketFactory} that tunnels SFTP connections through a bastion host.
- *
- * @param options - Bastion configuration and overrides.
- * @returns Factory that returns a forwarded ssh2 channel stream when invoked.
- * @throws {@link ConfigurationError} When neither {@link SftpJumpHostOptions.bastion} nor {@link SftpJumpHostOptions.buildBastion} is supplied.
  */
-declare function createSftpJumpHostSocketFactory(options: SftpJumpHostOptions): SshSocketFactory;
+declare function createNativeSftpProviderFactory(options?: NativeSftpProviderOptions): ProviderFactory;
 /**
  * Transfer result and progress calculation helpers.
@@ -4534,4 +5393,4 @@ declare function joinRemotePath(...segments: string[]): string;
  */
 declare function basenameRemotePath(input: string): string;
-export { AbortError, type AgeRetentionPolicy, ApprovalRegistry, ApprovalRejectedError, type ApprovalRequest, type ApprovalStatus, type AtomicDeployActivateOperation, type AtomicDeployActivateStep, type AtomicDeployPlan, type AtomicDeployPruneStep, type AtomicDeployStrategy, type AuthenticationCapability, AuthenticationError, AuthorizationError, type AzureBlobProviderOptions, type BandwidthSleep, type BandwidthThrottle, type BandwidthThrottleOptions, type Base64EnvSecretSource, type BuiltInProviderId, type BuiltinCapabilityMatrixEntry, type BuiltinProviderMatrixId, CLASSIC_PROVIDER_IDS, type CapabilitySet, type ChecksumCapability, type ClassicProviderId, type ClientDiagnostics, type CompareRemoteManifestsOptions, ConfigurationError, type ConnectionDiagnosticTimings, type ConnectionDiagnosticsResult, ConnectionError, type ConnectionProfile, type ConventionEndpoint, type CopyBetweenOptions, type CountRetentionPolicy, type CreateApprovalGateOptions, type CreateAtomicDeployPlanOptions, type CreateInboxRouteOptions, type CreateOutboxRouteOptions, type CreateRemoteBrowserOptions, type CreateRemoteManifestOptions, type CreateSyncPlanOptions, type CreateWebhookAuditLogOptions, type CronExpression, type CronField, type CronScheduleTrigger, DEFAULT_FAILED_SUBDIR, DEFAULT_PROCESSED_SUBDIR, type DiffRemoteTreesOptions, type DispatchWebhookOptions, type DispatchWebhookResult, type DownloadFileOptions, type DropboxProviderOptions, type EnvSecretSource, type EvaluateRetentionOptions, type FileSecretSource, type FileZillaSite, type FriendlyTransferOptions, type FtpFeatures, type FtpPassiveHostStrategy, type FtpProviderOptions, type FtpReplyErrorInput, type FtpResponse, FtpResponseParser, type FtpResponseStatus, type FtpsDataProtection, type FtpsMode, type FtpsProviderOptions, type GcsProviderOptions, type GoogleDriveProviderOptions, type HttpFetch, type HttpProviderOptions, type ImportFileZillaSitesResult, type ImportOpenSshConfigOptions, type ImportOpenSshConfigResult, type ImportWinScpSessionsResult, InMemoryAuditLog, type IntervalScheduleTrigger, type JsonlWriter, type KnownHostsEntry, type KnownHostsMarker, type ListOptions, type LocalProviderOptions, type LogLevel, type LogRecord, type LogRecordInput, type LoggerMethod, type MemoryProviderEntry, type MemoryProviderOptions, type MetadataCapability, type MftAuditEntry, type MftAuditEntryType, type MftAuditLog, type MftInboxConvention, type MftOutboxConvention, type MftRoute, type MftRouteEndpoint, type MftRouteFilter, type MftRouteOperation, type MftSchedule, type MftScheduleTrigger, MftScheduler, type MftSchedulerOptions, type MkdirOptions, type OAuthAccessToken, type OAuthRefreshCallback, type OAuthTokenSecretSourceOptions, type OneDriveProviderOptions, type OpenSshConfigEntry, ParseError, PathAlreadyExistsError, PathNotFoundError, PermissionDeniedError, type ProgressEventInput, ProtocolError, type AuthenticationCapability as ProviderAuthenticationCapability, type CapabilitySet as ProviderCapabilities, type ChecksumCapability as ProviderChecksumCapability, type ProviderFactory, type ProviderId, type MetadataCapability as ProviderMetadataCapability, ProviderRegistry, type ProviderSelection, type ProviderTransferEndpointRole, type ProviderTransferExecutorOptions, type ProviderTransferOperations, type ProviderTransferReadRequest, type ProviderTransferReadResult, type ProviderTransferRequest, type ProviderTransferSessionResolver, type ProviderTransferSessionResolverInput, type ProviderTransferWriteRequest, type ProviderTransferWriteResult, REDACTED, REMOTE_MANIFEST_FORMAT_VERSION, type RemoteBreadcrumb, type RemoteBrowser, type RemoteBrowserFilter, type RemoteBrowserSnapshot, type RemoteEntry, type RemoteEntrySortKey, type RemoteEntrySortOrder, type RemoteEntryType, type RemoteFileAdapter, type RemoteFileEndpoint, type RemoteFileSystem, type RemoteManifest, type RemoteManifestEntry, type RemotePermissions, type RemoteProtocol, type RemoteStat, type RemoteTreeDiff, type RemoteTreeDiffEntry, type RemoteTreeDiffReason, type RemoteTreeDiffStatus, type RemoteTreeDiffSummary, type RemoteTreeEntry, type RemoteTreeFilter, type RemoveOptions, type RenameOptions, type ResolveSecretOptions, type ResolvedConnectionProfile, type ResolvedOpenSshHost, type ResolvedSshProfile, type ResolvedTlsProfile, type RetentionEvaluation, type RetentionPolicy, type RmdirOptions, RouteRegistry, type RunConnectionDiagnosticsOptions, type RunRouteOptions, type S3MultipartCheckpoint, type S3MultipartOptions, type S3MultipartPart, type S3MultipartResumeKey, type S3MultipartResumeStore, type S3ProviderOptions, ScheduleRegistry, type ScheduleRouteRunner, type ScheduleTimerHooks, type SecretProvider, type SecretSource, type SecretValue, type SftpJumpHostOptions, type SftpProviderOptions, type SftpRawSession, type SpecializedErrorDetails, type SshAgentSource, type SshAlgorithms, type SshKeyboardInteractiveChallenge, type SshKeyboardInteractiveHandler, type SshKeyboardInteractivePrompt, type SshKnownHostsSource, type SshProfile, type SshSocketFactory, type SshSocketFactoryContext, type StatOptions, type SyncConflictPolicy, type SyncDeletePolicy, type SyncDirection, type SyncEndpointInput, TimeoutError, type TlsProfile, type TlsSecretSource, type TransferAttempt, type TransferAttemptError, type TransferBandwidthLimit, type TransferByteRange, TransferClient, type TransferClientOptions, type TransferDataChunk, type TransferDataSource, type TransferEndpoint, TransferEngine, type TransferEngineExecuteOptions, type TransferEngineOptions, TransferError, type TransferExecutionContext, type TransferExecutionResult, type TransferExecutor, type TransferJob, type TransferOperation, type TransferPlan, type TransferPlanAction, type TransferPlanInput, type TransferPlanStep, type TransferPlanSummary, type TransferProgressEvent, type TransferProvider, TransferQueue, type TransferQueueExecutorResolver, type TransferQueueItem, type TransferQueueItemStatus, type TransferQueueOptions, type TransferQueueRunOptions, type TransferQueueSummary, type TransferReceipt, type TransferResult, type TransferResultInput, type TransferRetryDecisionInput, type TransferRetryPolicy, type TransferSession, type TransferTimeoutPolicy, type TransferVerificationResult, UnsupportedFeatureError, type UploadFileOptions, type ValueSecretSource, VerificationError, type WalkRemoteTreeOptions, type WebDavProviderOptions, type WebhookRetryPolicy, type WebhookSignature, type WebhookTarget, type WinScpSession, ZeroTransfer, type ZeroTransferCapabilities, ZeroTransferError, type ZeroTransferErrorDetails, type ZeroTransferLogger, type ZeroTransferOptions, assertSafeFtpArgument, basenameRemotePath, buildRemoteBreadcrumbs, compareRemoteManifests, composeAuditLogs, copyBetween, createApprovalGate, createAtomicDeployPlan, createAzureBlobProviderFactory, createBandwidthThrottle, createDropboxProviderFactory, createFtpProviderFactory, createFtpsProviderFactory, createGcsProviderFactory, createGoogleDriveProviderFactory, createHttpProviderFactory, createInboxRoute, createJsonlAuditLog, createLocalProviderFactory, createMemoryProviderFactory, createMemoryS3MultipartResumeStore, createOAuthTokenSecretSource, createOneDriveProviderFactory, createOutboxRoute, createProgressEvent, createProviderTransferExecutor, createRemoteBrowser, createRemoteManifest, createS3ProviderFactory, createSftpJumpHostSocketFactory, createSftpProviderFactory, createSyncPlan, createTransferClient, createTransferJobsFromPlan, createTransferPlan, createTransferResult, createWebDavProviderFactory, createWebhookAuditLog, diffRemoteTrees, dispatchWebhook, downloadFile, emitLog, errorFromFtpReply, evaluateRetention, filterRemoteEntries, formatCapabilityMatrixMarkdown, freezeReceipt, getBuiltinCapabilityMatrix, importFileZillaSites, importOpenSshConfig, importWinScpSessions, inboxFailedPath, inboxProcessedPath, isClassicProviderId, isSensitiveKey, joinRemotePath, matchKnownHosts, matchKnownHostsEntry, nextCronFireAt, nextScheduleFireAt, noopLogger, normalizeRemotePath, parentRemotePath, parseCronExpression, parseFtpFeatures, parseFtpResponseLines, parseKnownHosts, parseMlsdLine, parseMlsdList, parseMlstTimestamp, parseOpenSshConfig, parseRemoteManifest, parseUnixList, parseUnixListLine, redactCommand, redactConnectionProfile, redactObject, redactSecretSource, redactValue, resolveConnectionProfileSecrets, resolveOpenSshHost, resolveProviderId, resolveSecret, runConnectionDiagnostics, runRoute, serializeRemoteManifest, signWebhookPayload, sortRemoteEntries, summarizeClientDiagnostics, summarizeError, summarizeTransferPlan, throttleByteIterable, uploadFile, validateConnectionProfile, validateSchedule, walkRemoteTree };
+export { AbortError, type AgeRetentionPolicy, ApprovalRegistry, ApprovalRejectedError, type ApprovalRequest, type ApprovalStatus, type AtomicDeployActivateOperation, type AtomicDeployActivateStep, type AtomicDeployPlan, type AtomicDeployPruneStep, type AtomicDeployStrategy, type AuthenticationCapability, AuthenticationError, AuthorizationError, type AzureBlobProviderOptions, type BandwidthSleep, type BandwidthThrottle, type BandwidthThrottleOptions, type Base64EnvSecretSource, type BuiltInProviderId, type BuiltinCapabilityMatrixEntry, type BuiltinProviderMatrixId, CLASSIC_PROVIDER_IDS, type CapabilitySet, type ChecksumCapability, type ClassicProviderId, type ClientDiagnostics, type CompareRemoteManifestsOptions, ConfigurationError, type ConnectionDiagnosticTimings, type ConnectionDiagnosticsResult, ConnectionError, type ConnectionPoolOptions, type ConnectionProfile, type ConventionEndpoint, type CopyBetweenOptions, type CountRetentionPolicy, type CreateApprovalGateOptions, type CreateAtomicDeployPlanOptions, type CreateInboxRouteOptions, type CreateOutboxRouteOptions, type CreateRemoteBrowserOptions, type CreateRemoteManifestOptions, type CreateSyncPlanOptions, type CreateWebhookAuditLogOptions, type CronExpression, type CronField, type CronScheduleTrigger, DEFAULT_FAILED_SUBDIR, DEFAULT_PROCESSED_SUBDIR, DEFAULT_SSH_ALGORITHM_PREFERENCES, type DiffRemoteTreesOptions, type DispatchWebhookOptions, type DispatchWebhookResult, type DownloadFileOptions, type DropboxProviderOptions, type EnvSecretSource, type EvaluateRetentionOptions, type FileSecretSource, type FileSystemS3MultipartResumeStoreOptions, type FileZillaSite, type FriendlyTransferOptions, type FtpFeatures, type FtpPassiveHostStrategy, type FtpProviderOptions, type FtpReplyErrorInput, type FtpResponse, FtpResponseParser, type FtpResponseStatus, type FtpsDataProtection, type FtpsMode, type FtpsProviderOptions, type GcsProviderOptions, type GoogleDriveProviderOptions, type HttpFetch, type HttpProviderOptions, type ImportFileZillaSitesResult, type ImportOpenSshConfigOptions, type ImportOpenSshConfigResult, type ImportWinScpSessionsResult, InMemoryAuditLog, type IntervalScheduleTrigger, type JsonlWriter, type KnownHostsEntry, type KnownHostsMarker, type ListOptions, type LocalProviderOptions, type LogLevel, type LogRecord, type LogRecordInput, type LoggerMethod, type MemoryProviderEntry, type MemoryProviderOptions, type MetadataCapability, type MftAuditEntry, type MftAuditEntryType, type MftAuditLog, type MftInboxConvention, type MftOutboxConvention, type MftRoute, type MftRouteEndpoint, type MftRouteFilter, type MftRouteOperation, type MftSchedule, type MftScheduleTrigger, MftScheduler, type MftSchedulerOptions, type MkdirOptions, type NativeSftpProviderOptions, type NativeSftpRawSession, type NegotiatedSshAlgorithms, type OAuthAccessToken, type OAuthRefreshCallback, type OAuthTokenSecretSourceOptions, type OneDriveProviderOptions, type OpenSshConfigEntry, ParseError, PathAlreadyExistsError, PathNotFoundError, PermissionDeniedError, type PooledTransferClient, type ProgressEventInput, ProtocolError, type AuthenticationCapability as ProviderAuthenticationCapability, type CapabilitySet as ProviderCapabilities, type ChecksumCapability as ProviderChecksumCapability, type ProviderFactory, type ProviderId, type MetadataCapability as ProviderMetadataCapability, ProviderRegistry, type ProviderSelection, type ProviderTransferEndpointRole, type ProviderTransferExecutorOptions, type ProviderTransferOperations, type ProviderTransferReadRequest, type ProviderTransferReadResult, type ProviderTransferRequest, type ProviderTransferSessionResolver, type ProviderTransferSessionResolverInput, type ProviderTransferWriteRequest, type ProviderTransferWriteResult, REDACTED, REMOTE_MANIFEST_FORMAT_VERSION, type RemoteBreadcrumb, type RemoteBrowser, type RemoteBrowserFilter, type RemoteBrowserSnapshot, type RemoteEntry, type RemoteEntrySortKey, type RemoteEntrySortOrder, type RemoteEntryType, type RemoteFileAdapter, type RemoteFileEndpoint, type RemoteFileSystem, type RemoteManifest, type RemoteManifestEntry, type RemotePermissions, type RemoteProtocol, type RemoteStat, type RemoteTreeDiff, type RemoteTreeDiffEntry, type RemoteTreeDiffReason, type RemoteTreeDiffStatus, type RemoteTreeDiffSummary, type RemoteTreeEntry, type RemoteTreeFilter, type RemoveOptions, type RenameOptions, type ResolveSecretOptions, type ResolvedConnectionProfile, type ResolvedOpenSshHost, type ResolvedSshProfile, type ResolvedTlsProfile, type RetentionEvaluation, type RetentionPolicy, type RmdirOptions, RouteRegistry, type RunConnectionDiagnosticsOptions, type RunRouteOptions, type S3MultipartCheckpoint, type S3MultipartOptions, type S3MultipartPart, type S3MultipartResumeKey, type S3MultipartResumeStore, type S3ProviderOptions, ScheduleRegistry, type ScheduleRouteRunner, type ScheduleTimerHooks, type SecretProvider, type SecretSource, type SecretValue, type NativeSftpProviderOptions as SftpProviderOptions, type NativeSftpRawSession as SftpRawSession, type SpecializedErrorDetails, type SshAgentSource, type SshAlgorithmPreferences, type SshAlgorithms, SshAuthSession, SshConnectionManager, SshDataReader, SshDataWriter, SshDisconnectReason, type SshKeyboardInteractiveChallenge, type SshKeyboardInteractiveCredential, type SshKeyboardInteractiveHandler, type SshKeyboardInteractivePrompt, type SshKnownHostsSource, type SshPasswordCredential, type SshProfile, type SshPublickeyCredential, SshSessionChannel, type SshSocketFactory, type SshSocketFactoryContext, SshTransportConnection, type SshTransportConnectionOptions, SshTransportHandshake, type SshTransportHandshakeResult, type StatOptions, type SyncConflictPolicy, type SyncDeletePolicy, type SyncDirection, type SyncEndpointInput, TimeoutError, type TlsProfile, type TlsSecretSource, type TransferAttempt, type TransferAttemptError, type TransferBandwidthLimit, type TransferByteRange, TransferClient, type TransferClientOptions, type TransferDataChunk, type TransferDataSource, type TransferEndpoint, TransferEngine, type TransferEngineExecuteOptions, type TransferEngineOptions, TransferError, type TransferExecutionContext, type TransferExecutionResult, type TransferExecutor, type TransferJob, type TransferOperation, type TransferPlan, type TransferPlanAction, type TransferPlanInput, type TransferPlanStep, type TransferPlanSummary, type TransferProgressEvent, type TransferProvider, TransferQueue, type TransferQueueExecutorResolver, type TransferQueueItem, type TransferQueueItemStatus, type TransferQueueOptions, type TransferQueueRunOptions, type TransferQueueSummary, type TransferReceipt, type TransferResult, type TransferResultInput, type TransferRetryDecisionInput, type TransferRetryPolicy, type TransferSession, type TransferTimeoutPolicy, type TransferVerificationResult, UnsupportedFeatureError, type UploadFileOptions, type ValueSecretSource, VerificationError, type WalkRemoteTreeOptions, type WebDavProviderOptions, type WebhookRetryPolicy, type WebhookSignature, type WebhookTarget, type WinScpSession, ZeroTransfer, type ZeroTransferCapabilities, ZeroTransferError, type ZeroTransferErrorDetails, type ZeroTransferLogger, type ZeroTransferOptions, assertSafeFtpArgument, basenameRemotePath, buildPublickeyCredential, buildRemoteBreadcrumbs, compareRemoteManifests, composeAuditLogs, copyBetween, createApprovalGate, createAtomicDeployPlan, createAzureBlobProviderFactory, createBandwidthThrottle, createDropboxProviderFactory, createFileSystemS3MultipartResumeStore, createFtpProviderFactory, createFtpsProviderFactory, createGcsProviderFactory, createGoogleDriveProviderFactory, createHttpProviderFactory, createInboxRoute, createJsonlAuditLog, createLocalProviderFactory, createMemoryProviderFactory, createMemoryS3MultipartResumeStore, createNativeSftpProviderFactory, createOAuthTokenSecretSource, createOneDriveProviderFactory, createOutboxRoute, createPooledTransferClient, createProgressEvent, createProviderTransferExecutor, createRemoteBrowser, createRemoteManifest, createS3ProviderFactory, createNativeSftpProviderFactory as createSftpProviderFactory, createSyncPlan, createTransferClient, createTransferJobsFromPlan, createTransferPlan, createTransferResult, createWebDavProviderFactory, createWebhookAuditLog, diffRemoteTrees, dispatchWebhook, downloadFile, emitLog, errorFromFtpReply, evaluateRetention, filterRemoteEntries, formatCapabilityMatrixMarkdown, freezeReceipt, getBuiltinCapabilityMatrix, importFileZillaSites, importOpenSshConfig, importWinScpSessions, inboxFailedPath, inboxProcessedPath, isClassicProviderId, isSensitiveKey, joinRemotePath, matchKnownHosts, matchKnownHostsEntry, negotiateSshAlgorithms, nextCronFireAt, nextScheduleFireAt, noopLogger, normalizeRemotePath, parentRemotePath, parseCronExpression, parseFtpFeatures, parseFtpResponseLines, parseKnownHosts, parseMlsdLine, parseMlsdList, parseMlstTimestamp, parseOpenSshConfig, parseRemoteManifest, parseUnixList, parseUnixListLine, redactCommand, redactConnectionProfile, redactObject, redactSecretSource, redactValue, resolveConnectionProfileSecrets, resolveOpenSshHost, resolveProviderId, resolveSecret, runConnectionDiagnostics, runRoute, serializeRemoteManifest, signWebhookPayload, sortRemoteEntries, summarizeClientDiagnostics, summarizeError, summarizeTransferPlan, throttleByteIterable, uploadFile, validateConnectionProfile, validateSchedule, walkRemoteTree };