npm - @zero-transfer/sdk - Versions diffs - 0.3.1 → 0.4.0 - Mend

@zero-transfer/sdk 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -40,6 +40,7 @@ __export(index_exports, {
   ConnectionError: () => ConnectionError,
   DEFAULT_FAILED_SUBDIR: () => DEFAULT_FAILED_SUBDIR,
   DEFAULT_PROCESSED_SUBDIR: () => DEFAULT_PROCESSED_SUBDIR,
+  DEFAULT_SSH_ALGORITHM_PREFERENCES: () => DEFAULT_SSH_ALGORITHM_PREFERENCES,
   FtpResponseParser: () => FtpResponseParser,
   InMemoryAuditLog: () => InMemoryAuditLog,
   MftScheduler: () => MftScheduler,
@@ -53,6 +54,14 @@ __export(index_exports, {
   REMOTE_MANIFEST_FORMAT_VERSION: () => REMOTE_MANIFEST_FORMAT_VERSION,
   RouteRegistry: () => RouteRegistry,
   ScheduleRegistry: () => ScheduleRegistry,
+  SshAuthSession: () => SshAuthSession,
+  SshConnectionManager: () => SshConnectionManager,
+  SshDataReader: () => SshDataReader,
+  SshDataWriter: () => SshDataWriter,
+  SshDisconnectReason: () => SshDisconnectReason,
+  SshSessionChannel: () => SshSessionChannel,
+  SshTransportConnection: () => SshTransportConnection,
+  SshTransportHandshake: () => SshTransportHandshake,
   TimeoutError: () => TimeoutError,
   TransferClient: () => TransferClient,
   TransferEngine: () => TransferEngine,
@@ -64,6 +73,7 @@ __export(index_exports, {
   ZeroTransferError: () => ZeroTransferError,
   assertSafeFtpArgument: () => assertSafeFtpArgument,
   basenameRemotePath: () => basenameRemotePath,
+  buildPublickeyCredential: () => buildPublickeyCredential,
   buildRemoteBreadcrumbs: () => buildRemoteBreadcrumbs,
   compareRemoteManifests: () => compareRemoteManifests,
   composeAuditLogs: () => composeAuditLogs,
@@ -73,6 +83,7 @@ __export(index_exports, {
   createAzureBlobProviderFactory: () => createAzureBlobProviderFactory,
   createBandwidthThrottle: () => createBandwidthThrottle,
   createDropboxProviderFactory: () => createDropboxProviderFactory,
+  createFileSystemS3MultipartResumeStore: () => createFileSystemS3MultipartResumeStore,
   createFtpProviderFactory: () => createFtpProviderFactory,
   createFtpsProviderFactory: () => createFtpsProviderFactory,
   createGcsProviderFactory: () => createGcsProviderFactory,
@@ -87,6 +98,7 @@ __export(index_exports, {
   createOAuthTokenSecretSource: () => createOAuthTokenSecretSource,
   createOneDriveProviderFactory: () => createOneDriveProviderFactory,
   createOutboxRoute: () => createOutboxRoute,
+  createPooledTransferClient: () => createPooledTransferClient,
   createProgressEvent: () => createProgressEvent,
   createProviderTransferExecutor: () => createProviderTransferExecutor,
   createRemoteBrowser: () => createRemoteBrowser,
@@ -120,6 +132,7 @@ __export(index_exports, {
   joinRemotePath: () => joinRemotePath,
   matchKnownHosts: () => matchKnownHosts,
   matchKnownHostsEntry: () => matchKnownHostsEntry,
+  negotiateSshAlgorithms: () => negotiateSshAlgorithms,
   nextCronFireAt: () => nextCronFireAt,
   nextScheduleFireAt: () => nextScheduleFireAt,
   noopLogger: () => noopLogger,
@@ -1930,6 +1943,186 @@ function summarizeDiagnosticError(error) {
   return { message: String(error) };
 }
+// src/core/ConnectionPool.ts
+var DEFAULT_MAX_IDLE_PER_KEY = 4;
+var DEFAULT_IDLE_TIMEOUT_MS = 6e4;
+function createPooledTransferClient(inner, options = {}) {
+  const maxIdlePerKey = Math.max(1, options.maxIdlePerKey ?? DEFAULT_MAX_IDLE_PER_KEY);
+  const idleTimeoutMs = Math.max(0, options.idleTimeoutMs ?? DEFAULT_IDLE_TIMEOUT_MS);
+  const keyOf = options.keyOf ?? defaultKeyOf;
+  const state = {
+    drained: false,
+    idle: /* @__PURE__ */ new Map()
+  };
+  const release = (key, session, tainted) => {
+    if (tainted || state.drained) {
+      return safelyDisconnect(session);
+    }
+    let bucket = state.idle.get(key);
+    if (bucket === void 0) {
+      bucket = [];
+      state.idle.set(key, bucket);
+    }
+    const entry = { session };
+    if (idleTimeoutMs > 0) {
+      entry.idleTimer = setTimeout(() => {
+        evictEntry(state, key, entry);
+      }, idleTimeoutMs);
+      const timer = entry.idleTimer;
+      if (timer !== void 0 && typeof timer.unref === "function") {
+        timer.unref();
+      }
+    }
+    bucket.push(entry);
+    while (bucket.length > maxIdlePerKey) {
+      const dropped = bucket.shift();
+      if (dropped !== void 0) {
+        clearEntryTimer(dropped);
+        void safelyDisconnect(dropped.session);
+      }
+    }
+    return Promise.resolve();
+  };
+  const acquire = async (profile) => {
+    const key = keyOf(profile);
+    const bucket = state.idle.get(key);
+    if (bucket !== void 0 && bucket.length > 0) {
+      const entry = bucket.pop();
+      if (entry !== void 0) {
+        clearEntryTimer(entry);
+        if (bucket.length === 0) state.idle.delete(key);
+        return { key, session: entry.session };
+      }
+    }
+    const session = await inner.connect(profile);
+    return { key, session };
+  };
+  return {
+    connect: async (profile) => {
+      const { key, session } = await acquire(profile);
+      return wrapPooledSession(session, key, release);
+    },
+    drainPool: async () => {
+      state.drained = true;
+      const entries = [];
+      for (const bucket of state.idle.values()) {
+        for (const entry of bucket) {
+          clearEntryTimer(entry);
+          entries.push(entry);
+        }
+      }
+      state.idle.clear();
+      await Promise.all(entries.map((entry) => safelyDisconnect(entry.session)));
+    },
+    getCapabilities: ((providerId) => {
+      if (providerId === void 0) return inner.getCapabilities();
+      return inner.getCapabilities(providerId);
+    }),
+    hasProvider: (providerId) => inner.hasProvider(providerId),
+    poolSize: () => {
+      let total = 0;
+      for (const bucket of state.idle.values()) total += bucket.length;
+      return total;
+    }
+  };
+}
+function defaultKeyOf(profile) {
+  const provider = profile.provider ?? profile.protocol ?? "unknown";
+  const host = profile.host ?? "";
+  const port = profile.port ?? "";
+  const username = typeof profile.username === "string" ? profile.username : "";
+  return `${provider}|${host}|${String(port)}|${username}`;
+}
+function evictEntry(state, key, entry) {
+  const bucket = state.idle.get(key);
+  if (bucket === void 0) return;
+  const index = bucket.indexOf(entry);
+  if (index < 0) return;
+  bucket.splice(index, 1);
+  if (bucket.length === 0) state.idle.delete(key);
+  clearEntryTimer(entry);
+  void safelyDisconnect(entry.session);
+}
+function clearEntryTimer(entry) {
+  if (entry.idleTimer !== void 0) {
+    clearTimeout(entry.idleTimer);
+    delete entry.idleTimer;
+  }
+}
+async function safelyDisconnect(session) {
+  try {
+    await session.disconnect();
+  } catch {
+  }
+}
+function isTaintingError(error) {
+  return error instanceof ConnectionError || error instanceof TimeoutError || error instanceof ProtocolError;
+}
+function wrapPooledSession(session, key, release) {
+  let tainted = false;
+  let released = false;
+  const guard = (fn) => {
+    let promise;
+    try {
+      promise = fn();
+    } catch (error) {
+      if (isTaintingError(error)) tainted = true;
+      return Promise.reject(error instanceof Error ? error : new Error(String(error)));
+    }
+    return promise.catch((error) => {
+      if (isTaintingError(error)) tainted = true;
+      throw error;
+    });
+  };
+  const fs = wrapFs(session.fs, guard);
+  const transfers = session.transfers === void 0 ? void 0 : wrapTransfers(session.transfers, guard);
+  const wrapped = {
+    capabilities: session.capabilities,
+    disconnect: async () => {
+      if (released) return;
+      released = true;
+      await release(key, session, tainted);
+    },
+    fs,
+    provider: session.provider,
+    ...transfers !== void 0 ? { transfers } : {}
+  };
+  if (typeof session.raw === "function") {
+    const rawFn = session.raw.bind(session);
+    wrapped.raw = () => rawFn();
+  }
+  return wrapped;
+}
+function wrapFs(fs, guard) {
+  const wrapped = {
+    list: (path2, options) => guard(() => options !== void 0 ? fs.list(path2, options) : fs.list(path2)),
+    stat: (path2, options) => guard(() => options !== void 0 ? fs.stat(path2, options) : fs.stat(path2))
+  };
+  if (typeof fs.remove === "function") {
+    const remove = fs.remove.bind(fs);
+    wrapped.remove = (path2, options) => guard(() => options !== void 0 ? remove(path2, options) : remove(path2));
+  }
+  if (typeof fs.rename === "function") {
+    const rename2 = fs.rename.bind(fs);
+    wrapped.rename = (from, to, options) => guard(() => options !== void 0 ? rename2(from, to, options) : rename2(from, to));
+  }
+  if (typeof fs.mkdir === "function") {
+    const mkdir2 = fs.mkdir.bind(fs);
+    wrapped.mkdir = (path2, options) => guard(() => options !== void 0 ? mkdir2(path2, options) : mkdir2(path2));
+  }
+  if (typeof fs.rmdir === "function") {
+    const rmdir = fs.rmdir.bind(fs);
+    wrapped.rmdir = (path2, options) => guard(() => options !== void 0 ? rmdir(path2, options) : rmdir(path2));
+  }
+  return wrapped;
+}
+function wrapTransfers(transfers, guard) {
+  return {
+    read: (request) => guard(() => Promise.resolve(transfers.read(request))),
+    write: (request) => guard(() => Promise.resolve(transfers.write(request)))
+  };
+}
 // src/providers/classic/ftp/FtpProvider.ts
 var import_node_buffer3 = require("buffer");
 var import_node_net = require("net");
@@ -3814,7 +4007,7 @@ var SshDataWriter = class {
   length = 0;
   writeByte(value) {
     this.assertByte(value, "byte");
-    const chunk = import_node_buffer5.Buffer.allocUnsafe(1);
+    const chunk = import_node_buffer5.Buffer.alloc(1);
     chunk.writeUInt8(value, 0);
     return this.push(chunk);
   }
@@ -3832,7 +4025,7 @@ var SshDataWriter = class {
         retryable: false
       });
     }
-    const chunk = import_node_buffer5.Buffer.allocUnsafe(4);
+    const chunk = import_node_buffer5.Buffer.alloc(4);
     chunk.writeUInt32BE(value, 0);
     return this.push(chunk);
   }
@@ -3844,7 +4037,7 @@ var SshDataWriter = class {
         retryable: false
       });
     }
-    const chunk = import_node_buffer5.Buffer.allocUnsafe(8);
+    const chunk = import_node_buffer5.Buffer.alloc(8);
     chunk.writeBigUInt64BE(value, 0);
     return this.push(chunk);
   }
@@ -5400,7 +5593,7 @@ function encodeSshTransportPacket(payload, options = {}) {
   }
   const padding = options.randomPadding === false ? import_node_buffer12.Buffer.alloc(paddingLength) : (0, import_node_crypto6.randomBytes)(paddingLength);
   const packetLength = 1 + body.length + paddingLength;
-  const frame = import_node_buffer12.Buffer.allocUnsafe(4 + packetLength);
+  const frame = import_node_buffer12.Buffer.alloc(4 + packetLength);
   frame.writeUInt32BE(packetLength, 0);
   frame.writeUInt8(paddingLength, 4);
   body.copy(frame, 5);
@@ -6276,7 +6469,7 @@ function computeMac(macAlgorithm, macKey, sequence, packet, macLength) {
     return import_node_buffer15.Buffer.alloc(0);
   }
   const hashName = macAlgorithm === "hmac-sha2-512" ? "sha512" : "sha256";
-  const sequenceBuffer = import_node_buffer15.Buffer.allocUnsafe(4);
+  const sequenceBuffer = import_node_buffer15.Buffer.alloc(4);
   sequenceBuffer.writeUInt32BE(sequence >>> 0, 0);
   return (0, import_node_crypto8.createHmac)(hashName, macKey).update(sequenceBuffer).update(packet).digest().subarray(0, macLength);
 }
@@ -7228,7 +7421,7 @@ var SftpSession = class {
    * serializes concurrent calls so byte ordering is preserved.
    */
   sendRaw(encodedMessage, requestId) {
-    const frame = import_node_buffer18.Buffer.allocUnsafe(4 + encodedMessage.length);
+    const frame = import_node_buffer18.Buffer.alloc(4 + encodedMessage.length);
     frame.writeUInt32BE(encodedMessage.length, 0);
     encodedMessage.copy(frame, 4);
     this.channel.sendData(frame).catch((err) => {
@@ -7346,44 +7539,54 @@ var NATIVE_SFTP_ALGORITHM_PREFERENCES = {
     "rsa-sha2-256"
   ]
 };
-var NATIVE_SFTP_PROVIDER_CAPABILITIES = {
-  provider: NATIVE_SFTP_PROVIDER_ID,
-  authentication: ["password", "keyboard-interactive", "publickey"],
-  list: true,
-  stat: true,
-  readStream: true,
-  writeStream: true,
-  serverSideCopy: false,
-  serverSideMove: false,
-  resumeDownload: true,
-  resumeUpload: true,
-  checksum: [],
-  atomicRename: false,
-  chmod: false,
-  chown: false,
-  symlink: true,
-  metadata: ["accessedAt", "group", "modifiedAt", "owner", "permissions"],
-  maxConcurrency: 8,
-  notes: [
-    "Native SSH/SFTP provider using the project's own protocol stack (Waves 1\u20133).",
-    "Supports password and keyboard-interactive authentication."
-  ]
-};
+var NATIVE_SFTP_DEFAULT_MAX_CONCURRENCY = 8;
+function buildNativeSftpCapabilities(maxConcurrency) {
+  return {
+    provider: NATIVE_SFTP_PROVIDER_ID,
+    authentication: ["password", "keyboard-interactive", "publickey"],
+    list: true,
+    stat: true,
+    readStream: true,
+    writeStream: true,
+    serverSideCopy: false,
+    serverSideMove: false,
+    resumeDownload: true,
+    resumeUpload: true,
+    checksum: [],
+    atomicRename: false,
+    chmod: false,
+    chown: false,
+    symlink: true,
+    metadata: ["accessedAt", "group", "modifiedAt", "owner", "permissions"],
+    maxConcurrency,
+    notes: [
+      "Native SSH/SFTP provider using the project's own protocol stack (Waves 1\u20133).",
+      "Supports password, keyboard-interactive, and public-key (Ed25519/RSA) authentication."
+    ]
+  };
+}
+var NATIVE_SFTP_PROVIDER_CAPABILITIES = buildNativeSftpCapabilities(
+  NATIVE_SFTP_DEFAULT_MAX_CONCURRENCY
+);
 function createNativeSftpProviderFactory(options = {}) {
   validateNativeSftpOptions(options);
+  const capabilities = buildNativeSftpCapabilities(
+    options.maxConcurrency ?? NATIVE_SFTP_DEFAULT_MAX_CONCURRENCY
+  );
   return {
-    capabilities: NATIVE_SFTP_PROVIDER_CAPABILITIES,
-    create: () => new NativeSftpProvider(options),
+    capabilities,
+    create: () => new NativeSftpProvider(options, capabilities),
     id: NATIVE_SFTP_PROVIDER_ID
   };
 }
 var NativeSftpProvider = class {
-  constructor(options) {
+  constructor(options, capabilities = NATIVE_SFTP_PROVIDER_CAPABILITIES) {
     this.options = options;
+    this.capabilities = capabilities;
   }
   options;
   id = NATIVE_SFTP_PROVIDER_ID;
-  capabilities = NATIVE_SFTP_PROVIDER_CAPABILITIES;
+  capabilities;
   async connect(profile) {
     const resolved = await resolveConnectionProfileSecrets(profile);
     const username = requireNativeSftpUsername(resolved);
@@ -8012,6 +8215,14 @@ function validateNativeSftpOptions(options) {
       retryable: false
     });
   }
+  if (options.maxConcurrency !== void 0 && (!Number.isInteger(options.maxConcurrency) || options.maxConcurrency <= 0)) {
+    throw new ConfigurationError({
+      details: { maxConcurrency: options.maxConcurrency },
+      message: "Native SFTP provider maxConcurrency must be a positive integer",
+      protocol: "sftp",
+      retryable: false
+    });
+  }
 }
 // src/providers/web/httpInternals.ts
@@ -8549,6 +8760,7 @@ async function collectChunks(source) {
 // src/providers/cloud/GoogleDriveProvider.ts
 var import_node_buffer21 = require("buffer");
+var import_node_crypto10 = require("crypto");
 var GDRIVE_API_BASE = "https://www.googleapis.com/drive/v3";
 var GDRIVE_UPLOAD_BASE = "https://www.googleapis.com/upload/drive/v3";
 var GDRIVE_FOLDER_MIME = "application/vnd.google-apps.folder";
@@ -8833,7 +9045,7 @@ var GoogleDriveTransferOperations = class {
     const existing = await this.findExisting(parentId, name);
     const metadata = { name };
     if (existing === void 0) metadata["parents"] = [parentId];
-    const boundary = `----zt-boundary-${Math.random().toString(36).slice(2)}-${Date.now().toString(36)}`;
+    const boundary = `----zt-boundary-${(0, import_node_crypto10.randomBytes)(16).toString("hex")}`;
     const bodyParts = [];
     const enc = new TextEncoder();
     bodyParts.push(
@@ -11356,12 +11568,14 @@ function createWebDavProviderFactory(options = {}) {
   const secure = options.secure ?? false;
   const basePath = options.basePath ?? "";
   const fetchImpl = options.fetch ?? globalThis.fetch;
+  const uploadStreaming = options.uploadStreaming ?? "when-known-size";
   if (typeof fetchImpl !== "function") {
     throw new ConfigurationError({
       message: "Global fetch is unavailable; supply WebDavProviderOptions.fetch explicitly",
       retryable: false
     });
   }
+  const streamingNote = uploadStreaming === "always" ? "PUT bodies are always streamed (chunked when size is unknown)." : uploadStreaming === "never" ? "PUT bodies are buffered in memory (uploadStreaming: 'never')." : "PUT bodies stream when totalBytes is known; otherwise buffered in memory.";
   const capabilities = {
     atomicRename: false,
     authentication: ["anonymous", "password", "token"],
@@ -11371,7 +11585,7 @@ function createWebDavProviderFactory(options = {}) {
     list: true,
     maxConcurrency: 8,
     metadata: ["modifiedAt", "mimeType", "uniqueId"],
-    notes: ["WebDAV provider buffers PUT bodies in memory; chunked uploads are not yet supported."],
+    notes: [streamingNote],
     provider: id,
     readStream: true,
     resumeDownload: true,
@@ -11390,7 +11604,8 @@ function createWebDavProviderFactory(options = {}) {
       defaultHeaders: { ...options.defaultHeaders ?? {} },
       fetch: fetchImpl,
       id,
-      secure
+      secure,
+      uploadStreaming
     }),
     id
   };
@@ -11424,7 +11639,8 @@ var WebDavProvider = class {
       capabilities: this.internals.capabilities,
       fetch: this.internals.fetch,
       headers,
-      id: this.internals.id
+      id: this.internals.id,
+      uploadStreaming: this.internals.uploadStreaming
     };
     if (profile.timeoutMs !== void 0) sessionOptions.timeoutMs = profile.timeoutMs;
     return new WebDavSession(sessionOptions);
@@ -11549,13 +11765,53 @@ var WebDavTransferOperations = class {
     }
     const normalized = normalizeRemotePath(request.endpoint.path);
     const url = resolveUrl(this.options.baseUrl, normalized);
-    const buffered = await collectChunks6(request.content);
+    const totalBytes = request.totalBytes;
+    const policy = this.options.uploadStreaming;
+    const shouldStream = policy === "always" || policy === "when-known-size" && typeof totalBytes === "number" && totalBytes >= 0;
+    if (!shouldStream) {
+      const buffered = await collectChunks6(request.content);
+      const headers2 = {
+        "Content-Length": String(buffered.byteLength),
+        "Content-Type": "application/octet-stream"
+      };
+      const init2 = {
+        body: buffered,
+        headers: headers2,
+        method: "PUT"
+      };
+      if (request.signal !== void 0) init2.signal = request.signal;
+      const response2 = await dispatchRequest(this.options, url, init2);
+      if (!response2.ok) {
+        throw mapResponseError(response2, normalized);
+      }
+      request.reportProgress(buffered.byteLength, buffered.byteLength);
+      const result2 = {
+        bytesTransferred: buffered.byteLength,
+        totalBytes: buffered.byteLength
+      };
+      const etag2 = response2.headers.get("etag");
+      if (etag2 !== null) result2.checksum = etag2;
+      return result2;
+    }
+    let bytesTransferred = 0;
+    const knownTotal = typeof totalBytes === "number" ? totalBytes : void 0;
+    const stream = asyncIterableToReadableStream(request.content, (chunk) => {
+      bytesTransferred += chunk.byteLength;
+      if (knownTotal !== void 0) {
+        request.reportProgress(bytesTransferred, knownTotal);
+      } else {
+        request.reportProgress(bytesTransferred);
+      }
+    });
     const headers = {
-      "Content-Length": String(buffered.byteLength),
       "Content-Type": "application/octet-stream"
     };
+    if (knownTotal !== void 0) {
+      headers["Content-Length"] = String(knownTotal);
+    }
     const init = {
-      body: buffered,
+      body: stream,
+      duplex: "half",
       headers,
       method: "PUT"
     };
@@ -11564,10 +11820,9 @@ var WebDavTransferOperations = class {
     if (!response.ok) {
       throw mapResponseError(response, normalized);
     }
-    request.reportProgress(buffered.byteLength, buffered.byteLength);
     const result = {
-      bytesTransferred: buffered.byteLength,
-      totalBytes: buffered.byteLength
+      bytesTransferred,
+      ...knownTotal !== void 0 ? { totalBytes: knownTotal } : { totalBytes: bytesTransferred }
     };
     const etag = response.headers.get("etag");
     if (etag !== null) result.checksum = etag;
@@ -11589,6 +11844,36 @@ async function collectChunks6(source) {
   }
   return out;
 }
+function asyncIterableToReadableStream(source, onChunk) {
+  const iterator = source[Symbol.asyncIterator]();
+  return new ReadableStream({
+    async pull(controller) {
+      try {
+        const next = await iterator.next();
+        if (next.done === true) {
+          controller.close();
+          return;
+        }
+        const chunk = next.value;
+        if (chunk.byteLength === 0) {
+          return;
+        }
+        controller.enqueue(chunk);
+        onChunk(chunk);
+      } catch (error) {
+        controller.error(error);
+      }
+    },
+    async cancel(reason) {
+      if (typeof iterator.return === "function") {
+        try {
+          await iterator.return(reason);
+        } catch {
+        }
+      }
+    }
+  });
+}
 function parsePropfindResponses(xml, baseUrl) {
   const entries = [];
   const responseRegex = /<(?:[a-zA-Z0-9-]+:)?response\b[^>]*>([\s\S]*?)<\/(?:[a-zA-Z0-9-]+:)?response>/gi;
@@ -11668,8 +11953,13 @@ function parentOf(path2) {
   return path2.slice(0, idx);
 }
+// src/providers/web/S3Provider.ts
+var import_node_crypto12 = require("crypto");
+var import_promises3 = require("fs/promises");
+var import_node_path3 = require("path");
 // src/providers/web/awsSigv4.ts
-var import_node_crypto10 = require("crypto");
+var import_node_crypto11 = require("crypto");
 function signSigV4(input) {
   const now = input.now ?? /* @__PURE__ */ new Date();
   const amzDate = formatAmzDate(now);
@@ -11739,13 +12029,13 @@ function encodeRfc3986(value) {
   );
 }
 function sha256Hex(data) {
-  return (0, import_node_crypto10.createHash)("sha256").update(data).digest("hex");
+  return (0, import_node_crypto11.createHash)("sha256").update(data).digest("hex");
 }
 function hmac(key, data) {
-  return (0, import_node_crypto10.createHmac)("sha256", key).update(data, "utf8").digest();
+  return (0, import_node_crypto11.createHmac)("sha256", key).update(data, "utf8").digest();
 }
 function hmacHex(key, data) {
-  return (0, import_node_crypto10.createHmac)("sha256", key).update(data, "utf8").digest("hex");
+  return (0, import_node_crypto11.createHmac)("sha256", key).update(data, "utf8").digest("hex");
 }
 // src/providers/web/S3Provider.ts
@@ -11762,6 +12052,48 @@ function createMemoryS3MultipartResumeStore() {
     }
   };
 }
+function createFileSystemS3MultipartResumeStore(options) {
+  const directory = options.directory;
+  if (typeof directory !== "string" || directory.length === 0) {
+    throw new ConfigurationError({
+      message: "createFileSystemS3MultipartResumeStore requires a non-empty directory option",
+      retryable: false
+    });
+  }
+  const fileFor = (key) => {
+    const hash = (0, import_node_crypto12.createHash)("sha256").update(`${key.bucket}\0${key.jobId}\0${key.path}`).digest("hex");
+    return (0, import_node_path3.join)(directory, `${hash}.json`);
+  };
+  return {
+    async clear(key) {
+      try {
+        await (0, import_promises3.unlink)(fileFor(key));
+      } catch (error) {
+        if (error.code !== "ENOENT") throw error;
+      }
+    },
+    async load(key) {
+      try {
+        const text = await (0, import_promises3.readFile)(fileFor(key), "utf8");
+        const parsed = JSON.parse(text);
+        if (typeof parsed !== "object" || parsed === null || typeof parsed.uploadId !== "string" || !Array.isArray(parsed.parts)) {
+          return void 0;
+        }
+        return parsed;
+      } catch (error) {
+        if (error.code === "ENOENT") return void 0;
+        throw error;
+      }
+    },
+    async save(key, checkpoint) {
+      await (0, import_promises3.mkdir)(directory, { recursive: true });
+      const target = fileFor(key);
+      const tmp = `${target}.${String(process.pid)}.${String(Date.now())}.tmp`;
+      await (0, import_promises3.writeFile)(tmp, JSON.stringify(checkpoint), { encoding: "utf8", mode: 384 });
+      await (0, import_promises3.rename)(tmp, target);
+    }
+  };
+}
 var DEFAULT_MULTIPART_PART_SIZE = 8 * 1024 * 1024;
 var DEFAULT_MULTIPART_THRESHOLD = 8 * 1024 * 1024;
 var S3_CHECKSUM_CAPABILITIES = ["etag"];
@@ -11789,7 +12121,7 @@ function createS3ProviderFactory(options = {}) {
       retryable: false
     });
   }
-  const multipartEnabled = options.multipart?.enabled ?? false;
+  const multipartEnabled = options.multipart?.enabled ?? true;
   const multipart = {
     enabled: multipartEnabled,
     partSizeBytes: options.multipart?.partSizeBytes ?? DEFAULT_MULTIPART_PART_SIZE,
@@ -11806,9 +12138,11 @@ function createS3ProviderFactory(options = {}) {
     maxConcurrency: 16,
     metadata: ["modifiedAt", "mimeType", "uniqueId"],
     notes: multipartEnabled ? [
-      `S3 multipart upload enabled (partSize=${String(multipart.partSizeBytes)}B, threshold=${String(multipart.thresholdBytes)}B).`
+      `S3 multipart upload enabled by default (partSize=${String(multipart.partSizeBytes)}B, threshold=${String(multipart.thresholdBytes)}B).`,
+      "Payloads at or below the threshold automatically fall back to single-shot PUT.",
+      "Pass `multipart: { enabled: false }` to force the legacy single-shot behaviour."
     ] : [
-      "S3 provider performs single-shot PUT uploads; pass multipart.enabled to stream large objects."
+      "S3 provider performs single-shot PUT uploads; entire object is buffered in memory before transmission."
     ],
     provider: id,
     readStream: true,
@@ -12426,15 +12760,15 @@ function getBuiltinCapabilityMatrix() {
     {
       capabilities: createS3ProviderFactory({ fetch: noopFetch }).capabilities,
       id: "s3",
-      label: "S3-compatible (single-shot uploads)"
+      label: "S3-compatible (multipart uploads, default)"
     },
     {
       capabilities: createS3ProviderFactory({
         fetch: noopFetch,
-        multipart: { enabled: true }
+        multipart: { enabled: false }
       }).capabilities,
-      id: "s3:multipart",
-      label: "S3-compatible (multipart uploads)"
+      id: "s3:single-shot",
+      label: "S3-compatible (single-shot uploads)"
     },
     {
       capabilities: createDropboxProviderFactory({ fetch: noopFetch }).capabilities,
@@ -14522,9 +14856,9 @@ function deepFreeze(value) {
 }
 // src/mft/webhooks.ts
-var import_node_crypto11 = require("crypto");
+var import_node_crypto13 = require("crypto");
 function signWebhookPayload(payload, secret, timestamp = (/* @__PURE__ */ new Date()).toISOString()) {
-  const mac = (0, import_node_crypto11.createHmac)("sha256", secret);
+  const mac = (0, import_node_crypto13.createHmac)("sha256", secret);
   mac.update(`${timestamp}.${payload}`);
   return { digest: mac.digest("hex"), timestamp };
 }
@@ -15115,6 +15449,7 @@ var defaultRunner = ({ client, route, signal }) => {
   ConnectionError,
   DEFAULT_FAILED_SUBDIR,
   DEFAULT_PROCESSED_SUBDIR,
+  DEFAULT_SSH_ALGORITHM_PREFERENCES,
   FtpResponseParser,
   InMemoryAuditLog,
   MftScheduler,
@@ -15128,6 +15463,14 @@ var defaultRunner = ({ client, route, signal }) => {
   REMOTE_MANIFEST_FORMAT_VERSION,
   RouteRegistry,
   ScheduleRegistry,
+  SshAuthSession,
+  SshConnectionManager,
+  SshDataReader,
+  SshDataWriter,
+  SshDisconnectReason,
+  SshSessionChannel,
+  SshTransportConnection,
+  SshTransportHandshake,
   TimeoutError,
   TransferClient,
   TransferEngine,
@@ -15139,6 +15482,7 @@ var defaultRunner = ({ client, route, signal }) => {
   ZeroTransferError,
   assertSafeFtpArgument,
   basenameRemotePath,
+  buildPublickeyCredential,
   buildRemoteBreadcrumbs,
   compareRemoteManifests,
   composeAuditLogs,
@@ -15148,6 +15492,7 @@ var defaultRunner = ({ client, route, signal }) => {
   createAzureBlobProviderFactory,
   createBandwidthThrottle,
   createDropboxProviderFactory,
+  createFileSystemS3MultipartResumeStore,
   createFtpProviderFactory,
   createFtpsProviderFactory,
   createGcsProviderFactory,
@@ -15162,6 +15507,7 @@ var defaultRunner = ({ client, route, signal }) => {
   createOAuthTokenSecretSource,
   createOneDriveProviderFactory,
   createOutboxRoute,
+  createPooledTransferClient,
   createProgressEvent,
   createProviderTransferExecutor,
   createRemoteBrowser,
@@ -15195,6 +15541,7 @@ var defaultRunner = ({ client, route, signal }) => {
   joinRemotePath,
   matchKnownHosts,
   matchKnownHostsEntry,
+  negotiateSshAlgorithms,
   nextCronFireAt,
   nextScheduleFireAt,
   noopLogger,