@zero-transfer/ssh 0.4.0 → 0.4.6

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 import { EventEmitter } from 'node:events';
 import { SecureVersion, PeerCertificate } from 'node:tls';
 import { Readable } from 'node:stream';
-import { Buffer } from 'node:buffer';
+import { Buffer as Buffer$1 } from 'node:buffer';
 import { Socket } from 'node:net';
 import { KeyObject } from 'node:crypto';
 
@@ -183,7 +183,7 @@ interface CapabilitySet {
  */
 
 /** Resolved secret value accepted by profile credential fields. */
-type SecretValue = string | Buffer;
+type SecretValue = string | Buffer$1;
 /** Callback source used by applications to integrate vaults or credential brokers. */
 type SecretProvider = () => SecretValue | Promise<SecretValue>;
 /** Inline secret descriptor. Prefer env, path, or callback sources for real applications. */
@@ -215,7 +215,7 @@ interface ResolveSecretOptions {
     /** Environment source. Defaults to `process.env`. */
     env?: NodeJS.ProcessEnv;
     /** File reader. Defaults to `fs.promises.readFile`. */
-    readFile?: (path: string) => Promise<Buffer> | Buffer;
+    readFile?: (path: string) => Promise<Buffer$1> | Buffer$1;
 }
 /**
  * Resolves a secret source into a string or Buffer without logging the value.
@@ -396,7 +396,7 @@ interface TlsProfile {
      * hex form with or without colons. When present, the TLS handshake additionally requires the
      * leaf certificate's SHA-256 fingerprint to match one of these values.
      *
-     * Not required for normal CA-trusted endpoints — public CAs and `ca` bundles already gate
+     * Not required for normal CA-trusted endpoints - public CAs and `ca` bundles already gate
      * trust via `rejectUnauthorized`. Pinning is **recommended for production** when you control
      * the server and want defence-in-depth against rogue certificates issued by trusted CAs.
      *
@@ -835,7 +835,41 @@ interface TransferEngineOptions {
     /** Clock used for receipts and progress events. Defaults to `new Date()`. */
     now?: () => Date;
 }
-/** Executes transfer jobs and produces audit-friendly receipts. */
+/**
+ * Executes transfer jobs and produces audit-friendly receipts.
+ *
+ * The engine is the lowest-level entry point in the transfer stack: it owns
+ * retry policy, attempt history, abort propagation, progress event
+ * normalization, and receipt construction. Most callers reach the engine
+ * indirectly through {@link runRoute}, {@link uploadFile}, {@link downloadFile},
+ * {@link copyBetween}, or {@link TransferQueue}; instantiate it directly when
+ * you need full control over execution semantics.
+ *
+ * @example Execute a single job with a custom executor
+ * ```ts
+ * import { TransferEngine, type TransferExecutor, type TransferJob } from "@zero-transfer/sdk";
+ *
+ * const engine = new TransferEngine();
+ *
+ * const executor: TransferExecutor = async ({ job, signal, onProgress }) => {
+ *   onProgress?.({ jobId: job.id, bytesTransferred: 0 });
+ *   // … perform the bytes here, honoring `signal` …
+ *   return { jobId: job.id, bytesTransferred: 1234, completedAt: new Date() };
+ * };
+ *
+ * const job: TransferJob = {
+ *   id: "manual-1",
+ *   operation: "upload",
+ *   source: { profile: localProfile, path: "./data.bin" },
+ *   destination: { profile: s3Profile, path: "/data/data.bin" },
+ * };
+ *
+ * const receipt = await engine.execute(job, executor, {
+ *   retry: { maxAttempts: 3, baseDelayMs: 250 },
+ * });
+ * console.log(receipt.attempts.length); // 1 on success
+ * ```
+ */
 declare class TransferEngine {
     private readonly now;
     /**
@@ -1586,8 +1620,20 @@ interface ClientDiagnostics {
 /**
  * Returns a redaction-safe snapshot of the providers registered with a client.
  *
+ * Use this when rendering a setup screen, generating a support bundle, or
+ * asserting in tests that the expected provider factories were registered.
+ *
  * @param client - Transfer client to inspect.
  * @returns Provider id and capability snapshot tuples.
+ *
+ * @example List registered providers
+ * ```ts
+ * import { summarizeClientDiagnostics } from "@zero-transfer/sdk";
+ *
+ * for (const { id, capabilities } of summarizeClientDiagnostics(client).providers) {
+ *   console.log(`${id}: streaming=${capabilities.readStream} resume=${capabilities.resumeDownload}`);
+ * }
+ * ```
  */
 declare function summarizeClientDiagnostics(client: TransferClient): ClientDiagnostics;
 /** Per-step duration measurements collected by {@link runConnectionDiagnostics}. */
@@ -1640,8 +1686,36 @@ interface RunConnectionDiagnosticsOptions {
 /**
  * Connects to a profile, captures capability and listing samples, and returns a redaction-safe report.
  *
+ * Useful for connectivity "ping" pages, smoke tests, and bug reports. Secrets
+ * in the profile are redacted via {@link redactConnectionProfile} before being
+ * returned. The session is always disconnected before the function returns,
+ * including when probes throw.
+ *
  * @param options - Diagnostic probe options.
  * @returns Diagnostic report including timings and any captured error.
+ *
+ * @example Probe an SFTP connection
+ * ```ts
+ * import { runConnectionDiagnostics } from "@zero-transfer/sdk";
+ *
+ * const report = await runConnectionDiagnostics({
+ *   client,
+ *   profile: {
+ *     host: "sftp.example.com",
+ *     provider: "sftp",
+ *     username: "deploy",
+ *     ssh: { privateKey: { path: "./keys/id_ed25519" } },
+ *   },
+ *   listPath: "/uploads",
+ * });
+ *
+ * if (!report.ok) {
+ *   console.error("connection failed:", report.error);
+ * } else {
+ *   console.log(`connect=${report.timings.connectMs}ms list=${report.timings.listMs}ms`);
+ *   console.log(report.sample); // up to 5 entries from /uploads
+ * }
+ * ```
  */
 declare function runConnectionDiagnostics(options: RunConnectionDiagnosticsOptions): Promise<ConnectionDiagnosticsResult>;
 
@@ -1650,7 +1724,7 @@ interface ConnectionPoolOptions {
     /**
      * Maximum number of *idle* sessions retained per pool key.
      *
-     * Active leases are not counted against this limit — the cap only applies
+     * Active leases are not counted against this limit - the cap only applies
      * to sessions waiting in the pool. When more than `maxIdlePerKey` sessions
      * become idle simultaneously, the oldest ones are disconnected. Defaults
      * to `4`.
@@ -1748,8 +1822,29 @@ interface MemoryProviderOptions {
 /**
  * Creates a provider factory backed by deterministic in-memory fixture entries.
  *
+ * Useful for tests and examples where you want a real `TransferSession` without
+ * touching disk or the network. Entries are pre-seeded; mutations made through
+ * the session are visible to subsequent operations on the same provider.
+ *
  * @param options - Optional fixture entries to expose through the memory provider.
  * @returns Provider factory suitable for `createTransferClient({ providers: [...] })`.
+ *
+ * @example Seed entries and read them back
+ * ```ts
+ * import { createMemoryProviderFactory, createTransferClient } from "@zero-transfer/sdk";
+ *
+ * const client = createTransferClient({
+ *   providers: [createMemoryProviderFactory({
+ *     entries: [
+ *       { path: "/fixtures/hello.txt", content: "hello world" },
+ *       { path: "/fixtures/data.bin", content: new Uint8Array([1, 2, 3]) },
+ *     ],
+ *   })],
+ * });
+ *
+ * const session = await client.connect({ host: "fixtures", provider: "memory" });
+ * console.log(await session.fs.list("/fixtures"));
+ * ```
  */
 declare function createMemoryProviderFactory(options?: MemoryProviderOptions): ProviderFactory;
 
@@ -2487,9 +2582,47 @@ interface TransferPlanSummary {
     /** Counts grouped by action. */
     actions: Record<string, number>;
 }
-/** Creates a transfer plan from dry-run planning input. */
+/**
+ * Creates a transfer plan from dry-run planning input.
+ *
+ * Plans are immutable, structured descriptions of intended work. Pair with
+ * {@link createSyncPlan} or {@link createAtomicDeployPlan} for end-to-end
+ * planning, or build steps by hand when you need full control. Pass the plan
+ * to {@link createTransferJobsFromPlan} to materialize executable jobs.
+ *
+ * @example Build a plan with two upload steps and inspect it
+ * ```ts
+ * import { createTransferPlan, summarizeTransferPlan } from "@zero-transfer/sdk";
+ *
+ * const plan = createTransferPlan({
+ *   id: "manual-batch",
+ *   steps: [
+ *     { action: "upload", source: "./a.bin", destination: "/lake/a.bin", expectedBytes: 1024 },
+ *     { action: "upload", source: "./b.bin", destination: "/lake/b.bin", expectedBytes: 2048 },
+ *   ],
+ * });
+ *
+ * console.table(summarizeTransferPlan(plan));
+ * ```
+ */
 declare function createTransferPlan(input: TransferPlanInput): TransferPlan;
-/** Summarizes a transfer plan for diagnostics, previews, and tests. */
+/**
+ * Summarizes a transfer plan for diagnostics, previews, and tests.
+ *
+ * Returns aggregate counts (total / executable / skipped / destructive),
+ * total expected bytes, and a per-action histogram. Useful for printing a
+ * one-line plan summary before executing or for asserting plan shape in
+ * tests.
+ *
+ * @example Print a plan preview
+ * ```ts
+ * import { summarizeTransferPlan } from "@zero-transfer/sdk";
+ *
+ * const summary = summarizeTransferPlan(plan);
+ * console.log(`${summary.executableSteps} steps, ${summary.totalExpectedBytes} bytes total`);
+ * console.log("Actions:", summary.actions);
+ * ```
+ */
 declare function summarizeTransferPlan(plan: TransferPlan): TransferPlanSummary;
 /** Converts executable plan steps into transfer jobs while preserving order. */
 declare function createTransferJobsFromPlan(plan: TransferPlan): TransferJob[];
@@ -2566,7 +2699,41 @@ interface TransferQueueSummary {
     /** Failed queue items in queue order. */
     failures: TransferQueueItem[];
 }
-/** Minimal transfer queue with concurrency, pause/resume, cancellation, and drain summaries. */
+/**
+ * Minimal transfer queue with concurrency, pause/resume, cancellation, and drain summaries.
+ *
+ * Wrap a {@link TransferEngine} with a queue when you need to run many transfers
+ * concurrently with bounded parallelism, observe per-job progress, or drive
+ * a UI from a single source of truth. Items are FIFO; failures and successes
+ * are surfaced via observers and in the final {@link TransferQueueSummary}.
+ *
+ * @example Run a batch of uploads with concurrency=4
+ * ```ts
+ * import {
+ *   TransferQueue,
+ *   createProviderTransferExecutor,
+ * } from "@zero-transfer/sdk";
+ *
+ * const queue = new TransferQueue({
+ *   concurrency: 4,
+ *   executor: createProviderTransferExecutor({ client }),
+ *   onProgress: (e) => console.log(`${e.jobId}: ${e.bytesTransferred}`),
+ *   onError: (item, err) => console.error(`${item.job.id} failed`, err),
+ * });
+ *
+ * for (const file of files) {
+ *   queue.enqueue({
+ *     id: file.name,
+ *     operation: "upload",
+ *     source: { profile: localProfile, path: file.path },
+ *     destination: { profile: s3Profile, path: `/lake/${file.name}` },
+ *   });
+ * }
+ *
+ * const summary = await queue.drain();
+ * console.log(`Completed ${summary.completed} / ${summary.total}`);
+ * ```
+ */
 declare class TransferQueue {
     private readonly engine;
     private readonly items;
@@ -2837,7 +3004,7 @@ interface DiffRemoteTreesOptions {
  * Compares two remote subtrees and produces an entry-level diff.
  *
  * Source and destination paths are walked independently; entries are then aligned by
- * the relative path from each tree root. Directory equality is structural — directories
+ * the relative path from each tree root. Directory equality is structural - directories
  * are equal when their relative paths match and the entry types agree.
  *
  * @param source - Source-side remote file system.
@@ -2846,6 +3013,26 @@ interface DiffRemoteTreesOptions {
  * @param destinationPath - Destination-side root path being compared.
  * @param options - Optional comparison controls.
  * @returns Diff result containing entries and a summary.
+ *
+ * @example Diff two SFTP subtrees and feed the result into createSyncPlan
+ * ```ts
+ * import { createSyncPlan, diffRemoteTrees } from "@zero-transfer/sdk";
+ *
+ * const diff = await diffRemoteTrees(
+ *   srcSession.fs, "/exports",
+ *   dstSession.fs, "/exports",
+ *   { compareUniqueId: true },
+ * );
+ *
+ * console.log(diff.summary); // { added, removed, changed, unchanged }
+ *
+ * const plan = createSyncPlan({
+ *   id: "exports-sync",
+ *   diff,
+ *   source: { provider: "sftp", rootPath: "/exports" },
+ *   destination: { provider: "sftp", rootPath: "/exports" },
+ * });
+ * ```
  */
 declare function diffRemoteTrees(source: RemoteFileSystem, sourcePath: string, destination: RemoteFileSystem, destinationPath: string, options?: DiffRemoteTreesOptions): Promise<RemoteTreeDiff>;
 
@@ -2917,6 +3104,31 @@ interface CreateSyncPlanOptions {
  * @param options - Inputs and policies that shape the plan.
  * @returns Transfer plan ready for `createTransferJobsFromPlan` or queue execution.
  * @throws {@link ConfigurationError} When `conflictPolicy: "error"` encounters a conflict.
+ *
+ * @example Mirror SFTP → S3 with deletes
+ * ```ts
+ * import {
+ *   createSyncPlan,
+ *   diffRemoteTrees,
+ *   summarizeTransferPlan,
+ * } from "@zero-transfer/sdk";
+ *
+ * const diff = await diffRemoteTrees(
+ *   srcSession.fs, "/dist",
+ *   dstSession.fs, "/releases/current",
+ * );
+ *
+ * const plan = createSyncPlan({
+ *   id: "release-mirror",
+ *   diff,
+ *   source: { provider: "sftp", rootPath: "/dist" },
+ *   destination: { provider: "s3", rootPath: "/releases/current" },
+ *   deletePolicy: "mirror",
+ *   conflictPolicy: "overwrite",
+ * });
+ *
+ * console.table(summarizeTransferPlan(plan));
+ * ```
  */
 declare function createSyncPlan(options: CreateSyncPlanOptions): TransferPlan;
 
@@ -3032,9 +3244,39 @@ interface CreateAtomicDeployPlanOptions {
 /**
  * Builds an {@link AtomicDeployPlan} that stages a release, swaps it live, and prunes old releases.
  *
+ * The plan describes a blue/green-style deploy:
+ *  1. Upload to a timestamped staging directory under `<destination>/.releases/`.
+ *  2. Atomically swap the `current` symlink/rename to point at the new release.
+ *  3. Optionally prune old releases beyond `retain`.
+ *
+ * No I/O is performed - the host executes the plan steps. Pair with
+ * {@link createTransferPlan} or {@link createTransferJobsFromPlan} to execute.
+ *
  * @param options - Inputs and policies that shape the deploy.
  * @returns Structured deploy plan ready for execution by the calling host.
  * @throws {@link ConfigurationError} When `retain` is less than `1` or the destination root is empty.
+ *
+ * @example Plan a release with rollback path
+ * ```ts
+ * import { createAtomicDeployPlan } from "@zero-transfer/sdk";
+ *
+ * const plan = createAtomicDeployPlan({
+ *   id: "web-2026-04-28",
+ *   source: { rootPath: "./dist" },
+ *   destination: {
+ *     profile: { host: "web1.example.com", provider: "sftp", username: "deploy" },
+ *     rootPath: "/srv/www",
+ *   },
+ *   retain: 5,
+ *   existingReleases: [
+ *     "/srv/www/.releases/2026-04-21T00-00-00Z",
+ *     "/srv/www/.releases/2026-04-14T00-00-00Z",
+ *   ],
+ * });
+ *
+ * console.log(plan.swap);   // staging → current rename
+ * console.log(plan.prune);  // releases scheduled for removal
+ * ```
  */
 declare function createAtomicDeployPlan(options: CreateAtomicDeployPlanOptions): AtomicDeployPlan;
 
@@ -3227,6 +3469,12 @@ declare function joinRemotePath(...segments: string[]): string;
  */
 declare function basenameRemotePath(input: string): string;
 
+/**
+ * Returns `true` when the file containing `import.meta.url` is the entry point
+ * of the current Node.js process. Returns `false` outside Node.
+ */
+declare function isMainModule(importMetaUrl: string): boolean;
+
 /** Algorithm lists exchanged during SSH KEXINIT negotiation. */
 interface SshAlgorithmPreferences {
     compressionClientToServer: readonly string[];
@@ -3272,7 +3520,7 @@ interface SshIdentification {
 
 /** Parsed SSH_MSG_KEXINIT payload. */
 interface SshKexInitMessage extends SshAlgorithmPreferences {
-    cookie: Buffer;
+    cookie: Buffer$1;
     firstKexPacketFollows: boolean;
     messageType: number;
     reserved: number;
@@ -3280,31 +3528,31 @@ interface SshKexInitMessage extends SshAlgorithmPreferences {
 
 /** Directional key material used after SSH NEWKEYS. */
 interface SshTransportDirectionKeys {
-    encryptionKey: Buffer;
-    iv: Buffer;
-    macKey: Buffer;
+    encryptionKey: Buffer$1;
+    iv: Buffer$1;
+    macKey: Buffer$1;
 }
 /** Session key bundle derived from K, H, and session id. */
 interface SshDerivedSessionKeys {
     clientToServer: SshTransportDirectionKeys;
-    exchangeHash: Buffer;
+    exchangeHash: Buffer$1;
     serverToClient: SshTransportDirectionKeys;
-    sessionId: Buffer;
+    sessionId: Buffer$1;
 }
 
 /** Initial client-side handshake state before key exchange math starts. */
 interface SshTransportHandshakeResult {
     keyExchange: {
         algorithm: string;
-        clientKexInitPayload: Buffer;
-        clientPublicKey: Buffer;
-        exchangeHash: Buffer;
-        serverHostKey: Buffer;
-        serverKexInitPayload: Buffer;
-        serverPublicKey: Buffer;
-        serverSignature: Buffer;
-        sessionId: Buffer;
-        sharedSecret: Buffer;
+        clientKexInitPayload: Buffer$1;
+        clientPublicKey: Buffer$1;
+        exchangeHash: Buffer$1;
+        serverHostKey: Buffer$1;
+        serverKexInitPayload: Buffer$1;
+        serverPublicKey: Buffer$1;
+        serverSignature: Buffer$1;
+        sessionId: Buffer$1;
+        sharedSecret: Buffer$1;
         transportKeys: {
             clientToServer: SshDerivedSessionKeys["clientToServer"];
             serverToClient: SshDerivedSessionKeys["serverToClient"];
@@ -3357,18 +3605,18 @@ declare class SshTransportHandshake {
          * to enforce known_hosts or pinned-fingerprint policies.
          */
         verifyHostKey?: (input: {
-            hostKeyBlob: Buffer;
-            hostKeySha256: Buffer;
+            hostKeyBlob: Buffer$1;
+            hostKeySha256: Buffer$1;
             algorithmName: string;
         }) => void | Promise<void>;
     });
     /** Creates the first outbound bytes (client identification line). */
-    createInitialClientBytes(): Buffer;
+    createInitialClientBytes(): Buffer$1;
     /**
      * Feeds raw server bytes into the handshake state machine.
      */
     pushServerBytes(chunk: Uint8Array): {
-        outbound: Buffer[];
+        outbound: Buffer$1[];
         result?: SshTransportHandshakeResult;
     };
     getServerBannerLines(): readonly string[];
@@ -3378,7 +3626,7 @@ declare class SshTransportHandshake {
      * Call this once after `pushServerBytes` returns a result to drain bytes that belong to the
      * post-NEWKEYS encrypted phase but arrived in the same TCP segment as NEWKEYS.
      */
-    takeRemainingBytes(): Buffer;
+    takeRemainingBytes(): Buffer$1;
     private pushServerBytesWithPhase;
 }
 
@@ -3426,8 +3674,8 @@ interface SshTransportConnectionOptions {
      * exchange hash is verified. Throw to reject the server's identity.
      */
     verifyHostKey?: (input: {
-        hostKeyBlob: Buffer;
-        hostKeySha256: Buffer;
+        hostKeyBlob: Buffer$1;
+        hostKeySha256: Buffer$1;
         algorithmName: string;
     }) => void;
 }
@@ -3474,7 +3722,7 @@ declare class SshTransportConnection {
      * Sends an SSH payload over the encrypted transport.
      * The payload must start with the SSH message type byte.
      */
-    sendPayload(payload: Buffer | Uint8Array): void;
+    sendPayload(payload: Buffer$1 | Uint8Array): void;
     /**
      * Async generator that yields inbound SSH payloads (post-NEWKEYS).
      *
@@ -3483,7 +3731,7 @@ declare class SshTransportConnection {
      * - SSH_MSG_DISCONNECT (1) from the server throws a `ConnectionError`.
      * - Socket error or close terminates the generator.
      */
-    receivePayloads(): AsyncGenerator<Buffer>;
+    receivePayloads(): AsyncGenerator<Buffer$1>;
     /**
      * Sends SSH_MSG_DISCONNECT and ends the socket.
      * Safe to call multiple times; subsequent calls are no-ops.
@@ -3533,7 +3781,7 @@ interface SshKeyboardInteractiveCredential {
 type SshCredential = SshPasswordCredential | SshPublickeyCredential | SshKeyboardInteractiveCredential;
 interface SshAuthOptions {
     credential: SshCredential;
-    /** SSH session id (exchange hash) from key exchange — required for publickey signing. */
+    /** SSH session id (exchange hash) from key exchange - required for publickey signing. */
     sessionId: Uint8Array;
     /** Maximum number of USERAUTH_FAILURE retries before giving up. Defaults to 4. */
     maxAttempts?: number;
@@ -3650,7 +3898,7 @@ declare class SshSessionChannel {
      * Async generator that yields raw data buffers from the channel.
      * Returns (done) when the channel receives EOF or CLOSE.
      */
-    receiveData(): AsyncGenerator<Buffer, void, undefined>;
+    receiveData(): AsyncGenerator<Buffer$1, void, undefined>;
     /**
      * Sends EOF and CLOSE.  Should be called when the client is done sending.
      */
@@ -3659,7 +3907,7 @@ declare class SshSessionChannel {
      * Feed an inbound transport payload to this channel.
      * Called by the channel multiplexer (`SshConnectionManager`).
      */
-    dispatch(payload: Buffer): void;
+    dispatch(payload: Buffer$1): void;
     dispatchError(error: Error): void;
     private consumeLocalWindow;
     private enqueueInbound;
@@ -3699,7 +3947,7 @@ declare class SshConnectionManager {
      * Channel setup happens sequentially before `start()` begins pumping, so we
      * pull directly from the transport iterator here.
      */
-    nextSetupPayload(): Promise<Buffer>;
+    nextSetupPayload(): Promise<Buffer$1>;
     /**
      * Opens a session channel and starts the SFTP subsystem on it.
      * Must be called before `start()`.
@@ -3740,10 +3988,10 @@ declare class SshDataReader {
     hasMore(): boolean;
     readByte(): number;
     readBoolean(): boolean;
-    readBytes(length: number): Buffer;
+    readBytes(length: number): Buffer$1;
     readUint32(): number;
     readUint64(): bigint;
-    readString(): Buffer;
+    readString(): Buffer$1;
     readUtf8String(): string;
     readNameList(): string[];
     /**
@@ -3751,7 +3999,7 @@ declare class SshDataReader {
      * big-endian integer. Returns the raw magnitude bytes (non-negative integers
      * may have a leading 0x00 byte preserved by the caller as needed).
      */
-    readMpint(): Buffer;
+    readMpint(): Buffer$1;
     assertFinished(): void;
     private ensureAvailable;
 }
@@ -3770,9 +4018,74 @@ declare class SshDataWriter {
     writeString(value: string | Uint8Array, encoding?: BufferEncoding): this;
     writeMpint(value: Uint8Array): this;
     writeNameList(values: readonly string[]): this;
-    toBuffer(): Buffer;
+    toBuffer(): Buffer$1;
     private push;
     private assertByte;
 }
 
-export { AbortError, type AtomicDeployActivateOperation, type AtomicDeployActivateStep, type AtomicDeployPlan, type AtomicDeployPruneStep, type AtomicDeployStrategy, type AuthenticationCapability, AuthenticationError, AuthorizationError, type BandwidthSleep, type BandwidthThrottle, type BandwidthThrottleOptions, type Base64EnvSecretSource, type BuiltInProviderId, CLASSIC_PROVIDER_IDS, type CapabilitySet, type ChecksumCapability, type ClassicProviderId, type ClientDiagnostics, type CompareRemoteManifestsOptions, ConfigurationError, type ConnectionDiagnosticTimings, type ConnectionDiagnosticsResult, ConnectionError, type ConnectionPoolOptions, type ConnectionProfile, type CopyBetweenOptions, type CreateAtomicDeployPlanOptions, type CreateRemoteBrowserOptions, type CreateRemoteManifestOptions, type CreateSyncPlanOptions, DEFAULT_SSH_ALGORITHM_PREFERENCES, type DiffRemoteTreesOptions, type DownloadFileOptions, type EnvSecretSource, type FileSecretSource, type FileZillaSite, type FriendlyTransferOptions, type FtpReplyErrorInput, type ImportFileZillaSitesResult, type ImportOpenSshConfigOptions, type ImportOpenSshConfigResult, type ImportWinScpSessionsResult, type KnownHostsEntry, type KnownHostsMarker, type ListOptions, type LocalProviderOptions, type LogLevel, type LogRecord, type LogRecordInput, type LoggerMethod, type MemoryProviderEntry, type MemoryProviderOptions, type MetadataCapability, type MkdirOptions, type NegotiatedSshAlgorithms, type OAuthAccessToken, type OAuthRefreshCallback, type OAuthTokenSecretSourceOptions, type OpenSshConfigEntry, ParseError, PathAlreadyExistsError, PathNotFoundError, PermissionDeniedError, type PooledTransferClient, type ProgressEventInput, ProtocolError, type AuthenticationCapability as ProviderAuthenticationCapability, type CapabilitySet as ProviderCapabilities, type ChecksumCapability as ProviderChecksumCapability, type ProviderFactory, type ProviderId, type MetadataCapability as ProviderMetadataCapability, ProviderRegistry, type ProviderSelection, type ProviderTransferEndpointRole, type ProviderTransferExecutorOptions, type ProviderTransferOperations, type ProviderTransferReadRequest, type ProviderTransferReadResult, type ProviderTransferRequest, type ProviderTransferSessionResolver, type ProviderTransferSessionResolverInput, type ProviderTransferWriteRequest, type ProviderTransferWriteResult, REDACTED, REMOTE_MANIFEST_FORMAT_VERSION, type RemoteBreadcrumb, type RemoteBrowser, type RemoteBrowserFilter, type RemoteBrowserSnapshot, type RemoteEntry, type RemoteEntrySortKey, type RemoteEntrySortOrder, type RemoteEntryType, type RemoteFileAdapter, type RemoteFileEndpoint, type RemoteFileSystem, type RemoteManifest, type RemoteManifestEntry, type RemotePermissions, type RemoteProtocol, type RemoteStat, type RemoteTreeDiff, type RemoteTreeDiffEntry, type RemoteTreeDiffReason, type RemoteTreeDiffStatus, type RemoteTreeDiffSummary, type RemoteTreeEntry, type RemoteTreeFilter, type RemoveOptions, type RenameOptions, type ResolveSecretOptions, type ResolvedConnectionProfile, type ResolvedOpenSshHost, type ResolvedSshProfile, type ResolvedTlsProfile, type RmdirOptions, type RunConnectionDiagnosticsOptions, type SecretProvider, type SecretSource, type SecretValue, type SpecializedErrorDetails, type SshAgentSource, type SshAlgorithmPreferences, type SshAlgorithms, SshAuthSession, SshConnectionManager, SshDataReader, SshDataWriter, SshDisconnectReason, type SshKeyboardInteractiveChallenge, type SshKeyboardInteractiveCredential, type SshKeyboardInteractiveHandler, type SshKeyboardInteractivePrompt, type SshKnownHostsSource, type SshPasswordCredential, type SshProfile, type SshPublickeyCredential, SshSessionChannel, type SshSocketFactory, type SshSocketFactoryContext, SshTransportConnection, type SshTransportConnectionOptions, SshTransportHandshake, type SshTransportHandshakeResult, type StatOptions, type SyncConflictPolicy, type SyncDeletePolicy, type SyncDirection, type SyncEndpointInput, TimeoutError, type TlsProfile, type TlsSecretSource, type TransferAttempt, type TransferAttemptError, type TransferBandwidthLimit, type TransferByteRange, TransferClient, type TransferClientOptions, type TransferDataChunk, type TransferDataSource, type TransferEndpoint, TransferEngine, type TransferEngineExecuteOptions, type TransferEngineOptions, TransferError, type TransferExecutionContext, type TransferExecutionResult, type TransferExecutor, type TransferJob, type TransferOperation, type TransferPlan, type TransferPlanAction, type TransferPlanInput, type TransferPlanStep, type TransferPlanSummary, type TransferProgressEvent, type TransferProvider, TransferQueue, type TransferQueueExecutorResolver, type TransferQueueItem, type TransferQueueItemStatus, type TransferQueueOptions, type TransferQueueRunOptions, type TransferQueueSummary, type TransferReceipt, type TransferResult, type TransferResultInput, type TransferRetryDecisionInput, type TransferRetryPolicy, type TransferSession, type TransferTimeoutPolicy, type TransferVerificationResult, UnsupportedFeatureError, type UploadFileOptions, type ValueSecretSource, VerificationError, type WalkRemoteTreeOptions, type WinScpSession, ZeroTransfer, type ZeroTransferCapabilities, ZeroTransferError, type ZeroTransferErrorDetails, type ZeroTransferLogger, type ZeroTransferOptions, assertSafeFtpArgument, basenameRemotePath, buildPublickeyCredential, buildRemoteBreadcrumbs, compareRemoteManifests, copyBetween, createAtomicDeployPlan, createBandwidthThrottle, createLocalProviderFactory, createMemoryProviderFactory, createOAuthTokenSecretSource, createPooledTransferClient, createProgressEvent, createProviderTransferExecutor, createRemoteBrowser, createRemoteManifest, createSyncPlan, createTransferClient, createTransferJobsFromPlan, createTransferPlan, createTransferResult, diffRemoteTrees, downloadFile, emitLog, errorFromFtpReply, filterRemoteEntries, importFileZillaSites, importOpenSshConfig, importWinScpSessions, isClassicProviderId, isSensitiveKey, joinRemotePath, matchKnownHosts, matchKnownHostsEntry, negotiateSshAlgorithms, noopLogger, normalizeRemotePath, parentRemotePath, parseKnownHosts, parseOpenSshConfig, parseRemoteManifest, redactCommand, redactConnectionProfile, redactObject, redactSecretSource, redactValue, resolveConnectionProfileSecrets, resolveOpenSshHost, resolveProviderId, resolveSecret, runConnectionDiagnostics, serializeRemoteManifest, sortRemoteEntries, summarizeClientDiagnostics, summarizeTransferPlan, throttleByteIterable, uploadFile, validateConnectionProfile, walkRemoteTree };
+/**
+ * Options for {@link runSshCommand}.
+ */
+interface RunSshCommandOptions {
+    /** Hostname or IP of the SSH server. */
+    host: string;
+    /** TCP port. Defaults to `22`. */
+    port?: number;
+    /** Command to execute on the remote shell. */
+    command: string;
+    /**
+     * Authentication credential. Use one of:
+     *
+     * - `{ type: "password", username, password }`
+     * - `{ type: "publickey", username, algorithmName, publicKeyBlob, sign }`
+     *   (build one from a private-key file with `buildPublickeyCredential`)
+     * - `{ type: "keyboard-interactive", username, respond }`
+     */
+    auth: SshCredential;
+    /**
+     * Forwarded to {@link SshTransportConnection}; covers host-key pinning,
+     * algorithm overrides, and handshake timeout. The default
+     * `handshakeTimeoutMs` is 10 seconds.
+     */
+    transport?: SshTransportConnectionOptions;
+    /** TCP connect timeout in milliseconds. Defaults to 10 000. */
+    connectTimeoutMs?: number;
+    /** Maximum total bytes captured from stdout. Defaults to 16 MiB. */
+    maxOutputBytes?: number;
+}
+/**
+ * Result of {@link runSshCommand}. The full captured stdout is provided as
+ * both a `Buffer` (for binary output) and as a UTF-8 decoded `string`.
+ *
+ * Note: stderr (CHANNEL_EXTENDED_DATA) and exit-status are not currently
+ * surfaced - drop down to {@link SshConnectionManager}/{@link SshSessionChannel}
+ * directly if you need them.
+ */
+interface RunSshCommandResult {
+    /** Captured stdout as raw bytes. */
+    stdout: Buffer;
+    /** Captured stdout decoded as UTF-8. */
+    stdoutText: string;
+    /** Bytes received before the channel closed. */
+    bytesReceived: number;
+}
+/**
+ * Connects, authenticates, runs `command` on a fresh exec channel, drains
+ * stdout, and disconnects. The TCP socket, transport, auth session, and
+ * channel are all owned by this helper and torn down before it returns.
+ *
+ * @example Run `uname -a` with a password credential
+ * ```ts
+ * import { runSshCommand } from "@zero-transfer/ssh";
+ *
+ * const { stdoutText } = await runSshCommand({
+ *   host: "ssh.example.com",
+ *   auth: { type: "password", username: "deploy", password: process.env.SSH_PASSWORD! },
+ *   command: "uname -a",
+ * });
+ * console.log(stdoutText);
+ * ```
+ */
+declare function runSshCommand(options: RunSshCommandOptions): Promise<RunSshCommandResult>;
+
+export { AbortError, type AtomicDeployActivateOperation, type AtomicDeployActivateStep, type AtomicDeployPlan, type AtomicDeployPruneStep, type AtomicDeployStrategy, type AuthenticationCapability, AuthenticationError, AuthorizationError, type BandwidthSleep, type BandwidthThrottle, type BandwidthThrottleOptions, type Base64EnvSecretSource, type BuiltInProviderId, CLASSIC_PROVIDER_IDS, type CapabilitySet, type ChecksumCapability, type ClassicProviderId, type ClientDiagnostics, type CompareRemoteManifestsOptions, ConfigurationError, type ConnectionDiagnosticTimings, type ConnectionDiagnosticsResult, ConnectionError, type ConnectionPoolOptions, type ConnectionProfile, type CopyBetweenOptions, type CreateAtomicDeployPlanOptions, type CreateRemoteBrowserOptions, type CreateRemoteManifestOptions, type CreateSyncPlanOptions, DEFAULT_SSH_ALGORITHM_PREFERENCES, type DiffRemoteTreesOptions, type DownloadFileOptions, type EnvSecretSource, type FileSecretSource, type FileZillaSite, type FriendlyTransferOptions, type FtpReplyErrorInput, type ImportFileZillaSitesResult, type ImportOpenSshConfigOptions, type ImportOpenSshConfigResult, type ImportWinScpSessionsResult, type KnownHostsEntry, type KnownHostsMarker, type ListOptions, type LocalProviderOptions, type LogLevel, type LogRecord, type LogRecordInput, type LoggerMethod, type MemoryProviderEntry, type MemoryProviderOptions, type MetadataCapability, type MkdirOptions, type NegotiatedSshAlgorithms, type OAuthAccessToken, type OAuthRefreshCallback, type OAuthTokenSecretSourceOptions, type OpenSshConfigEntry, ParseError, PathAlreadyExistsError, PathNotFoundError, PermissionDeniedError, type PooledTransferClient, type ProgressEventInput, ProtocolError, type AuthenticationCapability as ProviderAuthenticationCapability, type CapabilitySet as ProviderCapabilities, type ChecksumCapability as ProviderChecksumCapability, type ProviderFactory, type ProviderId, type MetadataCapability as ProviderMetadataCapability, ProviderRegistry, type ProviderSelection, type ProviderTransferEndpointRole, type ProviderTransferExecutorOptions, type ProviderTransferOperations, type ProviderTransferReadRequest, type ProviderTransferReadResult, type ProviderTransferRequest, type ProviderTransferSessionResolver, type ProviderTransferSessionResolverInput, type ProviderTransferWriteRequest, type ProviderTransferWriteResult, REDACTED, REMOTE_MANIFEST_FORMAT_VERSION, type RemoteBreadcrumb, type RemoteBrowser, type RemoteBrowserFilter, type RemoteBrowserSnapshot, type RemoteEntry, type RemoteEntrySortKey, type RemoteEntrySortOrder, type RemoteEntryType, type RemoteFileAdapter, type RemoteFileEndpoint, type RemoteFileSystem, type RemoteManifest, type RemoteManifestEntry, type RemotePermissions, type RemoteProtocol, type RemoteStat, type RemoteTreeDiff, type RemoteTreeDiffEntry, type RemoteTreeDiffReason, type RemoteTreeDiffStatus, type RemoteTreeDiffSummary, type RemoteTreeEntry, type RemoteTreeFilter, type RemoveOptions, type RenameOptions, type ResolveSecretOptions, type ResolvedConnectionProfile, type ResolvedOpenSshHost, type ResolvedSshProfile, type ResolvedTlsProfile, type RmdirOptions, type RunConnectionDiagnosticsOptions, type RunSshCommandOptions, type RunSshCommandResult, type SecretProvider, type SecretSource, type SecretValue, type SpecializedErrorDetails, type SshAgentSource, type SshAlgorithmPreferences, type SshAlgorithms, SshAuthSession, SshConnectionManager, SshDataReader, SshDataWriter, SshDisconnectReason, type SshKeyboardInteractiveChallenge, type SshKeyboardInteractiveCredential, type SshKeyboardInteractiveHandler, type SshKeyboardInteractivePrompt, type SshKnownHostsSource, type SshPasswordCredential, type SshProfile, type SshPublickeyCredential, SshSessionChannel, type SshSocketFactory, type SshSocketFactoryContext, SshTransportConnection, type SshTransportConnectionOptions, SshTransportHandshake, type SshTransportHandshakeResult, type StatOptions, type SyncConflictPolicy, type SyncDeletePolicy, type SyncDirection, type SyncEndpointInput, TimeoutError, type TlsProfile, type TlsSecretSource, type TransferAttempt, type TransferAttemptError, type TransferBandwidthLimit, type TransferByteRange, TransferClient, type TransferClientOptions, type TransferDataChunk, type TransferDataSource, type TransferEndpoint, TransferEngine, type TransferEngineExecuteOptions, type TransferEngineOptions, TransferError, type TransferExecutionContext, type TransferExecutionResult, type TransferExecutor, type TransferJob, type TransferOperation, type TransferPlan, type TransferPlanAction, type TransferPlanInput, type TransferPlanStep, type TransferPlanSummary, type TransferProgressEvent, type TransferProvider, TransferQueue, type TransferQueueExecutorResolver, type TransferQueueItem, type TransferQueueItemStatus, type TransferQueueOptions, type TransferQueueRunOptions, type TransferQueueSummary, type TransferReceipt, type TransferResult, type TransferResultInput, type TransferRetryDecisionInput, type TransferRetryPolicy, type TransferSession, type TransferTimeoutPolicy, type TransferVerificationResult, UnsupportedFeatureError, type UploadFileOptions, type ValueSecretSource, VerificationError, type WalkRemoteTreeOptions, type WinScpSession, ZeroTransfer, type ZeroTransferCapabilities, ZeroTransferError, type ZeroTransferErrorDetails, type ZeroTransferLogger, type ZeroTransferOptions, assertSafeFtpArgument, basenameRemotePath, buildPublickeyCredential, buildRemoteBreadcrumbs, compareRemoteManifests, copyBetween, createAtomicDeployPlan, createBandwidthThrottle, createLocalProviderFactory, createMemoryProviderFactory, createOAuthTokenSecretSource, createPooledTransferClient, createProgressEvent, createProviderTransferExecutor, createRemoteBrowser, createRemoteManifest, createSyncPlan, createTransferClient, createTransferJobsFromPlan, createTransferPlan, createTransferResult, diffRemoteTrees, downloadFile, emitLog, errorFromFtpReply, filterRemoteEntries, importFileZillaSites, importOpenSshConfig, importWinScpSessions, isClassicProviderId, isMainModule, isSensitiveKey, joinRemotePath, matchKnownHosts, matchKnownHostsEntry, negotiateSshAlgorithms, noopLogger, normalizeRemotePath, parentRemotePath, parseKnownHosts, parseOpenSshConfig, parseRemoteManifest, redactCommand, redactConnectionProfile, redactObject, redactSecretSource, redactValue, resolveConnectionProfileSecrets, resolveOpenSshHost, resolveProviderId, resolveSecret, runConnectionDiagnostics, runSshCommand, serializeRemoteManifest, sortRemoteEntries, summarizeClientDiagnostics, summarizeTransferPlan, throttleByteIterable, uploadFile, validateConnectionProfile, walkRemoteTree };