cocoon-sdk 0.1.0

package/dist/index.cjs

@@ -0,0 +1,2634 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  APIError: () => APIError,
+  AuthenticationError: () => AuthenticationError,
+  Cocoon: () => Cocoon,
+  CocoonError: () => CocoonError,
+  ConnectionError: () => ConnectionError,
+  FileAttestationProvider: () => FileAttestationProvider,
+  ProtocolError: () => ProtocolError,
+  StaticAttestationProvider: () => StaticAttestationProvider,
+  Stream: () => Stream,
+  TimeoutError: () => TimeoutError
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/core/protocol/session.ts
+var import_node_crypto3 = __toESM(require("crypto"), 1);
+var import_node_events2 = require("events");
+
+// src/core/protocol/connection.ts
+var net = __toESM(require("net"), 1);
+var tls = __toESM(require("tls"), 1);
+var import_node_events = require("events");
+
+// src/core/error.ts
+var CocoonError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CocoonError";
+  }
+};
+var ConnectionError = class extends CocoonError {
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+    this.name = "ConnectionError";
+  }
+};
+var ProtocolError = class extends CocoonError {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "ProtocolError";
+  }
+};
+var APIError = class extends CocoonError {
+  constructor(message, statusCode, errorBody) {
+    super(message);
+    this.statusCode = statusCode;
+    this.errorBody = errorBody;
+    this.name = "APIError";
+  }
+};
+var AuthenticationError = class extends CocoonError {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "AuthenticationError";
+  }
+};
+var TimeoutError = class extends CocoonError {
+  constructor(message = "Request timed out") {
+    super(message);
+    this.name = "TimeoutError";
+  }
+};
+
+// src/core/protocol/pow.ts
+var import_node_crypto = __toESM(require("crypto"), 1);
+var POW_CHALLENGE_MAGIC = 1099829905;
+var POW_RESPONSE_MAGIC = 25326361;
+var POW_CHALLENGE_SIZE = 24;
+var POW_RESPONSE_SIZE = 12;
+var MAX_DIFFICULTY = 32;
+function parsePowChallenge(data) {
+  if (data.length < POW_CHALLENGE_SIZE) {
+    throw new Error(
+      `PoW challenge too short: ${data.length} bytes, expected ${POW_CHALLENGE_SIZE}`
+    );
+  }
+  const magic = data.readUInt32LE(0);
+  if (magic !== POW_CHALLENGE_MAGIC) {
+    throw new Error(
+      `Invalid PoW magic: 0x${magic.toString(16)}, expected 0x${POW_CHALLENGE_MAGIC.toString(16)}`
+    );
+  }
+  const difficultyBits = data.readInt32LE(4);
+  if (difficultyBits < 0 || difficultyBits > MAX_DIFFICULTY) {
+    throw new Error(`PoW difficulty out of range: ${difficultyBits}`);
+  }
+  const salt = Buffer.alloc(16);
+  data.copy(salt, 0, 8, 24);
+  return { difficultyBits, salt };
+}
+function checkPow(hash, difficultyBits) {
+  let remaining = difficultyBits;
+  for (let i = 7; i >= 0 && remaining > 0; i--) {
+    const byte = hash[i];
+    if (remaining >= 8) {
+      if (byte !== 0) return false;
+      remaining -= 8;
+    } else {
+      const mask = 255 << 8 - remaining;
+      if ((byte & mask) !== 0) return false;
+      remaining = 0;
+    }
+  }
+  return true;
+}
+function solvePow(challenge) {
+  const { difficultyBits, salt } = challenge;
+  if (difficultyBits === 0) return 0n;
+  const input = Buffer.alloc(24);
+  salt.copy(input, 0);
+  for (let nonce = 0n; ; nonce++) {
+    input.writeBigUInt64LE(nonce, 16);
+    const hash = import_node_crypto.default.createHash("sha256").update(input).digest();
+    if (checkPow(hash, difficultyBits)) {
+      return nonce;
+    }
+  }
+}
+function buildPowResponse(nonce) {
+  const buf = Buffer.alloc(POW_RESPONSE_SIZE);
+  buf.writeUInt32LE(POW_RESPONSE_MAGIC, 0);
+  buf.writeBigUInt64LE(nonce, 4);
+  return buf;
+}
+
+// src/core/protocol/connection.ts
+var CocoonConnection = class extends import_node_events.EventEmitter {
+  socket = null;
+  rawSocket = null;
+  outSeqno = 0;
+  inSeqno = 0;
+  readBuffer = Buffer.alloc(0);
+  connected = false;
+  destroyed = false;
+  host;
+  port;
+  useTls;
+  timeout;
+  tlsCert;
+  tlsKey;
+  constructor(options) {
+    super();
+    this.host = options.host;
+    this.port = options.port;
+    this.useTls = options.useTls ?? true;
+    this.timeout = options.timeout ?? 12e4;
+    this.tlsCert = options.tlsCert;
+    this.tlsKey = options.tlsKey;
+  }
+  async connect() {
+    if (this.connected) return;
+    if (this.useTls) {
+      await this.connectWithPowAndTls();
+    } else {
+      await this.connectPlainTcp();
+    }
+  }
+  /**
+   * Connect with PoW challenge + TLS upgrade (default for Cocoon proxies).
+   */
+  async connectWithPowAndTls() {
+    const rawSocket = await this.rawTcpConnect();
+    this.rawSocket = rawSocket;
+    try {
+      await this.handlePow(rawSocket);
+      this.socket = await this.upgradeTls(rawSocket);
+    } catch (err) {
+      rawSocket.destroy();
+      this.rawSocket = null;
+      throw err;
+    }
+    this.connected = true;
+    this.setupSocketHandlers(this.socket);
+    this.emit("ready");
+  }
+  /**
+   * Connect with plain TCP (no PoW, no TLS).
+   */
+  async connectPlainTcp() {
+    return new Promise((resolve, reject) => {
+      const onConnect = () => {
+        this.connected = true;
+        this.setupSocketHandlers(this.socket);
+        this.emit("ready");
+        resolve();
+      };
+      const onError = (err) => {
+        reject(
+          new ConnectionError(
+            `Failed to connect to ${this.host}:${this.port}: ${err.message}`,
+            err
+          )
+        );
+      };
+      this.socket = net.connect({ host: this.host, port: this.port }, onConnect);
+      this.socket.setTimeout(this.timeout);
+      this.socket.once("error", onError);
+    });
+  }
+  rawTcpConnect() {
+    return new Promise((resolve, reject) => {
+      const sock = net.connect({ host: this.host, port: this.port }, () => {
+        sock.removeListener("error", onError);
+        resolve(sock);
+      });
+      sock.setTimeout(this.timeout);
+      const onError = (err) => {
+        reject(
+          new ConnectionError(
+            `Failed to connect to ${this.host}:${this.port}: ${err.message}`,
+            err
+          )
+        );
+      };
+      sock.once("error", onError);
+    });
+  }
+  handlePow(sock) {
+    return new Promise((resolve, reject) => {
+      let powBuffer = Buffer.alloc(0);
+      const timer = setTimeout(() => {
+        sock.removeListener("data", onData);
+        reject(new ConnectionError("Timeout waiting for PoW challenge"));
+      }, 3e4);
+      const onData = (chunk) => {
+        powBuffer = Buffer.concat([powBuffer, chunk]);
+        if (powBuffer.length >= 4) {
+          const magic = powBuffer.readUInt32LE(0);
+          if (magic !== POW_CHALLENGE_MAGIC) {
+            clearTimeout(timer);
+            sock.removeListener("data", onData);
+            reject(
+              new ConnectionError(
+                `Unexpected data from proxy (expected PoW challenge): 0x${magic.toString(16)}`
+              )
+            );
+            return;
+          }
+        }
+        if (powBuffer.length >= POW_CHALLENGE_SIZE) {
+          clearTimeout(timer);
+          sock.removeListener("data", onData);
+          try {
+            const challenge = parsePowChallenge(powBuffer);
+            const nonce = solvePow(challenge);
+            const response = buildPowResponse(nonce);
+            sock.write(response, (err) => {
+              if (err) {
+                reject(new ConnectionError(`Failed to send PoW response: ${err.message}`, err));
+              } else {
+                resolve();
+              }
+            });
+          } catch (err) {
+            reject(
+              new ConnectionError(
+                `PoW failed: ${err instanceof Error ? err.message : err}`,
+                err instanceof Error ? err : void 0
+              )
+            );
+          }
+        }
+      };
+      sock.on("data", onData);
+    });
+  }
+  upgradeTls(rawSocket) {
+    return new Promise((resolve, reject) => {
+      const tlsOptions = {
+        socket: rawSocket,
+        rejectUnauthorized: false
+        // Cocoon uses custom TDX attestation, not standard CA
+      };
+      if (this.tlsCert) tlsOptions.cert = this.tlsCert;
+      if (this.tlsKey) tlsOptions.key = this.tlsKey;
+      const tlsSocket = tls.connect(tlsOptions);
+      const timer = setTimeout(() => {
+        cleanup(() => reject(new ConnectionError("TLS handshake timeout")));
+      }, this.timeout);
+      const cleanup = (next) => {
+        clearTimeout(timer);
+        tlsSocket.removeListener("secureConnect", onSecureConnect);
+        tlsSocket.removeListener("error", onError);
+        tlsSocket.removeListener("close", onClose);
+        if (next) next();
+      };
+      const onSecureConnect = () => {
+        cleanup(() => resolve(tlsSocket));
+      };
+      const onError = (err) => {
+        cleanup(() => reject(new ConnectionError(`TLS handshake failed: ${err.message}`, err)));
+      };
+      const onClose = () => {
+        cleanup(() => reject(new ConnectionError("TLS socket closed before handshake completed")));
+      };
+      tlsSocket.once("secureConnect", onSecureConnect);
+      tlsSocket.once("error", onError);
+      tlsSocket.once("close", onClose);
+    });
+  }
+  setupSocketHandlers(sock) {
+    sock.setTimeout(this.timeout);
+    sock.on("data", (data) => this.onData(data));
+    sock.on("close", () => this.onClose());
+    sock.on("timeout", () => {
+      this.destroy(new ConnectionError("Connection timed out"));
+    });
+    sock.on("error", (err) => {
+      if (this.connected) {
+        this.destroy(new ConnectionError(`Socket error: ${err.message}`, err));
+      }
+    });
+  }
+  /**
+   * Send a framed packet: [4b size][4b seqno][payload]
+   */
+  send(payload) {
+    if (!this.socket || this.destroyed) {
+      throw new ConnectionError("Not connected");
+    }
+    const frame = Buffer.alloc(8 + payload.length);
+    frame.writeUInt32LE(payload.length, 0);
+    frame.writeInt32LE(this.outSeqno, 4);
+    payload.copy(frame, 8);
+    this.outSeqno++;
+    this.socket.write(frame);
+  }
+  destroy(error) {
+    if (this.destroyed) return;
+    this.destroyed = true;
+    this.connected = false;
+    if (this.socket) {
+      this.socket.destroy();
+      this.socket = null;
+    }
+    if (this.rawSocket) {
+      this.rawSocket.destroy();
+      this.rawSocket = null;
+    }
+    this.emit("close", error);
+  }
+  get isConnected() {
+    return this.connected && !this.destroyed;
+  }
+  onData(chunk) {
+    this.readBuffer = Buffer.concat([this.readBuffer, chunk]);
+    this.processFrames();
+  }
+  processFrames() {
+    while (this.readBuffer.length >= 8) {
+      const size = this.readBuffer.readUInt32LE(0);
+      if (size > 1 << 24 || size < 0) {
+        this.destroy(new ConnectionError(`Invalid frame size: ${size}`));
+        return;
+      }
+      const totalFrameSize = 8 + size;
+      if (this.readBuffer.length < totalFrameSize) {
+        break;
+      }
+      const seqno = this.readBuffer.readInt32LE(4);
+      if (seqno !== this.inSeqno) {
+        this.destroy(
+          new ConnectionError(`Sequence number mismatch: expected ${this.inSeqno}, got ${seqno}`)
+        );
+        return;
+      }
+      const payload = Buffer.alloc(size);
+      this.readBuffer.copy(payload, 0, 8, totalFrameSize);
+      this.readBuffer = this.readBuffer.subarray(totalFrameSize);
+      this.inSeqno++;
+      this.emit("frame", payload);
+    }
+  }
+  onClose() {
+    if (!this.destroyed) {
+      this.destroy();
+    }
+  }
+};
+
+// src/core/tl/schema.ts
+var crc32Table = new Uint32Array(256);
+for (let i = 0; i < 256; i++) {
+  let c = i;
+  for (let j = 0; j < 8; j++) {
+    if (c & 1) {
+      c = 3988292384 ^ c >>> 1;
+    } else {
+      c = c >>> 1;
+    }
+  }
+  crc32Table[i] = c;
+}
+function crc32(str) {
+  const bytes = Buffer.from(str, "utf-8");
+  let crc = 4294967295;
+  for (let i = 0; i < bytes.length; i++) {
+    crc = crc32Table[(crc ^ bytes[i]) & 255] ^ crc >>> 8;
+  }
+  return (crc ^ 4294967295) >>> 0;
+}
+function tlId(definition) {
+  return crc32(definition.trim());
+}
+var TL_SCHEMA = {
+  // --- TCP Layer ---
+  "tcp.ping": {
+    id: tlId("tcp.ping id:long = tcp.Packet"),
+    fields: [{ name: "id", type: "long" }]
+  },
+  "tcp.pong": {
+    id: tlId("tcp.pong id:long = tcp.Packet"),
+    fields: [{ name: "id", type: "long" }]
+  },
+  "tcp.packet": {
+    id: tlId("tcp.packet data:bytes = tcp.Packet"),
+    fields: [{ name: "data", type: "bytes" }]
+  },
+  "tcp.queryAnswer": {
+    id: tlId("tcp.queryAnswer id:long data:bytes = tcp.Packet"),
+    fields: [
+      { name: "id", type: "long" },
+      { name: "data", type: "bytes" }
+    ]
+  },
+  "tcp.queryError": {
+    id: tlId("tcp.queryError id:long code:int message:string = tcp.Packet"),
+    fields: [
+      { name: "id", type: "long" },
+      { name: "code", type: "int" },
+      { name: "message", type: "string" }
+    ]
+  },
+  "tcp.query": {
+    id: tlId("tcp.query id:long data:bytes = tcp.Packet"),
+    fields: [
+      { name: "id", type: "long" },
+      { name: "data", type: "bytes" }
+    ]
+  },
+  "tcp.connected": {
+    id: tlId("tcp.connected id:long = tcp.Packet"),
+    fields: [{ name: "id", type: "long" }]
+  },
+  "tcp.connect": {
+    id: tlId("tcp.connect id:long = tcp.Packet"),
+    fields: [{ name: "id", type: "long" }]
+  },
+  // --- Tokens ---
+  tokensUsed: {
+    id: tlId(
+      "tokensUsed prompt_tokens_used:long cached_tokens_used:long completion_tokens_used:long reasoning_tokens_used:long total_tokens_used:long = TokensUsed"
+    ),
+    fields: [
+      { name: "promptTokensUsed", type: "long" },
+      { name: "cachedTokensUsed", type: "long" },
+      { name: "completionTokensUsed", type: "long" },
+      { name: "reasoningTokensUsed", type: "long" },
+      { name: "totalTokensUsed", type: "long" }
+    ]
+  },
+  // --- Client/Proxy Params ---
+  // worker.params has explicit ID: #869c73ed
+  "worker.params": {
+    id: 2258400237,
+    fields: [
+      { name: "flags", type: "int" },
+      { name: "workerOwnerAddress", type: "string" },
+      { name: "model", type: "string" },
+      { name: "coefficient", type: "int" },
+      { name: "isTest", type: "Bool", flag: { field: "flags", bit: 0 } },
+      { name: "proxyCnt", type: "int", flag: { field: "flags", bit: 0 } },
+      { name: "maxActiveRequests", type: "int", flag: { field: "flags", bit: 0 } },
+      { name: "minProtoVersion", type: "int", flag: { field: "flags", bit: 1 } },
+      { name: "maxProtoVersion", type: "int", flag: { field: "flags", bit: 1 } }
+    ]
+  },
+  // proxy.params has explicit ID: #d5c5609f
+  "proxy.params": {
+    id: 3586482335,
+    fields: [
+      { name: "flags", type: "int" },
+      { name: "proxyPublicKey", type: "int256" },
+      { name: "proxyOwnerAddress", type: "string" },
+      { name: "proxyScAddress", type: "string" },
+      { name: "isTest", type: "Bool", flag: { field: "flags", bit: 0 } },
+      { name: "protoVersion", type: "int", flag: { field: "flags", bit: 1 } }
+    ]
+  },
+  // client.params has explicit ID: #40fdca64
+  "client.params": {
+    id: 1090374244,
+    fields: [
+      { name: "flags", type: "int" },
+      { name: "clientOwnerAddress", type: "string" },
+      { name: "isTest", type: "Bool", flag: { field: "flags", bit: 0 } },
+      { name: "minProtoVersion", type: "int", flag: { field: "flags", bit: 1 } },
+      { name: "maxProtoVersion", type: "int", flag: { field: "flags", bit: 1 } }
+    ]
+  },
+  // --- Auth ---
+  "client.proxyConnectionAuthShort": {
+    id: tlId(
+      "client.proxyConnectionAuthShort secret_hash:int256 nonce:long = client.ProxyConnectionAuth"
+    ),
+    fields: [
+      { name: "secretHash", type: "int256" },
+      { name: "nonce", type: "long" }
+    ]
+  },
+  "client.proxyConnectionAuthLong": {
+    id: tlId("client.proxyConnectionAuthLong nonce:long = client.ProxyConnectionAuth"),
+    fields: [{ name: "nonce", type: "long" }]
+  },
+  // --- Signed Payment ---
+  "proxy.signedPayment": {
+    id: tlId("proxy.signedPayment data:bytes = proxy.SignedPayment"),
+    fields: [{ name: "data", type: "bytes" }]
+  },
+  "proxy.signedPaymentEmpty": {
+    id: tlId("proxy.signedPaymentEmpty = proxy.SignedPayment"),
+    fields: []
+  },
+  // --- Connected To Proxy ---
+  "client.connectedToProxy": {
+    id: tlId(
+      "client.connectedToProxy params:proxy.params client_sc_address:string auth:client.ProxyConnectionAuth signed_payment:proxy.SignedPayment = client.ConnectedToProxy"
+    ),
+    fields: [
+      { name: "params", type: { ref: "proxy.params" } },
+      { name: "clientScAddress", type: "string" },
+      { name: "auth", type: { ref: "client.ProxyConnectionAuth" } },
+      { name: "signedPayment", type: { ref: "proxy.SignedPayment" } }
+    ]
+  },
+  // --- Auth Responses ---
+  "client.authorizationWithProxySuccess": {
+    id: tlId(
+      "client.authorizationWithProxySuccess signed_payment:proxy.SignedPayment tokens_committed_to_db:long max_tokens:long = client.AuthorizationWithProxy"
+    ),
+    fields: [
+      { name: "signedPayment", type: { ref: "proxy.SignedPayment" } },
+      { name: "tokensCommittedToDb", type: "long" },
+      { name: "maxTokens", type: "long" }
+    ]
+  },
+  "client.authorizationWithProxyFailed": {
+    id: tlId(
+      "client.authorizationWithProxyFailed error_code:int error:string = client.AuthorizationWithProxy"
+    ),
+    fields: [
+      { name: "errorCode", type: "int" },
+      { name: "error", type: "string" }
+    ]
+  },
+  // --- Query Final Info ---
+  "client.queryFinalInfo": {
+    id: tlId(
+      "client.queryFinalInfo flags:# tokens_used:tokensUsed worker_debug:flags.0?string proxy_debug:flags.0?string proxy_start_time:flags.1?double proxy_end_time:flags.1?double worker_start_time:flags.1?double worker_end_time:flags.1?double = client.QueryFinalInfo"
+    ),
+    fields: [
+      { name: "flags", type: "int" },
+      { name: "tokensUsed", type: { ref: "tokensUsed" } },
+      { name: "workerDebug", type: "string", flag: { field: "flags", bit: 0 } },
+      { name: "proxyDebug", type: "string", flag: { field: "flags", bit: 0 } },
+      { name: "proxyStartTime", type: "double", flag: { field: "flags", bit: 1 } },
+      { name: "proxyEndTime", type: "double", flag: { field: "flags", bit: 1 } },
+      { name: "workerStartTime", type: "double", flag: { field: "flags", bit: 1 } },
+      { name: "workerEndTime", type: "double", flag: { field: "flags", bit: 1 } }
+    ]
+  },
+  // --- Query Answer Ex variants ---
+  // Legacy variants (still sent by some proxy paths):
+  "client.queryAnswer": {
+    id: tlId(
+      "client.queryAnswer answer:bytes is_completed:Bool request_id:int256 request_tokens_used:tokensUsed = client.QueryAnswer"
+    ),
+    fields: [
+      { name: "answer", type: "bytes" },
+      { name: "isCompleted", type: "Bool" },
+      { name: "requestId", type: "int256" },
+      { name: "requestTokensUsed", type: { ref: "tokensUsed" } }
+    ]
+  },
+  "client.queryAnswerError": {
+    id: tlId(
+      "client.queryAnswerError error_code:int error:string request_id:int256 request_tokens_used:tokensUsed = client.QueryAnswer"
+    ),
+    fields: [
+      { name: "errorCode", type: "int" },
+      { name: "error", type: "string" },
+      { name: "requestId", type: "int256" },
+      { name: "requestTokensUsed", type: { ref: "tokensUsed" } }
+    ]
+  },
+  "client.queryAnswerPart": {
+    id: tlId(
+      "client.queryAnswerPart answer:bytes is_completed:Bool request_id:int256 request_tokens_used:tokensUsed = client.QueryAnswerPart"
+    ),
+    fields: [
+      { name: "answer", type: "bytes" },
+      { name: "isCompleted", type: "Bool" },
+      { name: "requestId", type: "int256" },
+      { name: "requestTokensUsed", type: { ref: "tokensUsed" } }
+    ]
+  },
+  "client.queryAnswerPartError": {
+    id: tlId(
+      "client.queryAnswerPartError error_code:int error:string request_id:int256 request_tokens_used:tokensUsed = client.QueryAnswerPart"
+    ),
+    fields: [
+      { name: "errorCode", type: "int" },
+      { name: "error", type: "string" },
+      { name: "requestId", type: "int256" },
+      { name: "requestTokensUsed", type: { ref: "tokensUsed" } }
+    ]
+  },
+  "client.queryAnswerEx": {
+    id: tlId(
+      "client.queryAnswerEx request_id:int256 answer:bytes flags:# final_info:flags.0?client.queryFinalInfo = client.QueryAnswerEx"
+    ),
+    fields: [
+      { name: "requestId", type: "int256" },
+      { name: "answer", type: "bytes" },
+      { name: "flags", type: "int" },
+      {
+        name: "finalInfo",
+        type: { ref: "client.queryFinalInfo" },
+        flag: { field: "flags", bit: 0 }
+      }
+    ]
+  },
+  "client.queryAnswerErrorEx": {
+    id: tlId(
+      "client.queryAnswerErrorEx request_id:int256 error_code:int error:string flags:# final_info:flags.0?client.queryFinalInfo = client.QueryAnswerEx"
+    ),
+    fields: [
+      { name: "requestId", type: "int256" },
+      { name: "errorCode", type: "int" },
+      { name: "error", type: "string" },
+      { name: "flags", type: "int" },
+      {
+        name: "finalInfo",
+        type: { ref: "client.queryFinalInfo" },
+        flag: { field: "flags", bit: 0 }
+      }
+    ]
+  },
+  "client.queryAnswerPartEx": {
+    id: tlId(
+      "client.queryAnswerPartEx request_id:int256 answer:bytes flags:# final_info:flags.0?client.queryFinalInfo = client.QueryAnswerEx"
+    ),
+    fields: [
+      { name: "requestId", type: "int256" },
+      { name: "answer", type: "bytes" },
+      { name: "flags", type: "int" },
+      {
+        name: "finalInfo",
+        type: { ref: "client.queryFinalInfo" },
+        flag: { field: "flags", bit: 0 }
+      }
+    ]
+  },
+  // --- Worker Types V2 ---
+  // client.workerInstanceV2 has explicit ID: #3ea93d00
+  "client.workerInstanceV2": {
+    id: 1051278592,
+    fields: [
+      { name: "flags", type: "int" },
+      { name: "coefficient", type: "int" },
+      { name: "activeRequests", type: "int" },
+      { name: "maxActiveRequests", type: "int" }
+    ]
+  },
+  "client.workerTypeV2": {
+    // NOTE: Telegram TL canonical CRC for vector fields uses "vector T" syntax.
+    // Equivalent canonical form:
+    // "client.workerTypeV2 name:string workers:vector client.workerInstanceV2 = client.WorkerTypeV2"
+    id: 2994569623,
+    fields: [
+      { name: "name", type: "string" },
+      { name: "workers", type: { vector: { ref: "client.workerInstanceV2" }, bare: true } }
+    ]
+  },
+  "client.workerTypesV2": {
+    // Canonical form:
+    // "client.workerTypesV2 types:vector client.workerTypeV2 = client.WorkerTypesV2"
+    id: 217111655,
+    fields: [{ name: "types", type: { vector: { ref: "client.workerTypeV2" }, bare: true } }]
+  },
+  // --- Payment ---
+  "client.paymentStatus": {
+    id: tlId(
+      "client.paymentStatus signed_payment:proxy.SignedPayment db_tokens:long max_tokens:long = client.PaymentStatus"
+    ),
+    fields: [
+      { name: "signedPayment", type: { ref: "proxy.SignedPayment" } },
+      { name: "dbTokens", type: "long" },
+      { name: "maxTokens", type: "long" }
+    ]
+  },
+  // Payment request from proxy to client (may be sent during query flow).
+  "proxy.clientRequestPayment": {
+    id: tlId(
+      "proxy.clientRequestPayment request_id:int256 signed_payment:proxy.SignedPayment db_tokens:long max_tokens:long request_tokens:long = proxy.WorkerRequestPayment"
+    ),
+    fields: [
+      { name: "requestId", type: "int256" },
+      { name: "signedPayment", type: { ref: "proxy.SignedPayment" } },
+      { name: "dbTokens", type: "long" },
+      { name: "maxTokens", type: "long" },
+      { name: "requestTokens", type: "long" }
+    ]
+  },
+  "client.refund": {
+    id: tlId("client.refund data:bytes = client.Refund"),
+    fields: [{ name: "data", type: "bytes" }]
+  },
+  "client.refundRejected": {
+    id: tlId("client.refundRejected active_queries:long = client.Refund"),
+    fields: [{ name: "activeQueries", type: "long" }]
+  },
+  // --- HTTP ---
+  "http.header": {
+    id: tlId("http.header name:string value:string = http.Header"),
+    fields: [
+      { name: "name", type: "string" },
+      { name: "value", type: "string" }
+    ]
+  },
+  "http.response": {
+    // Canonical vector form for CRC:
+    // "http.response http_version:string status_code:int reason:string headers:vector http.header payload:bytes = http.Response"
+    id: 483443755,
+    fields: [
+      { name: "httpVersion", type: "string" },
+      { name: "statusCode", type: "int" },
+      { name: "reason", type: "string" },
+      { name: "headers", type: { vector: { ref: "http.header" }, bare: true } },
+      { name: "payload", type: "bytes" }
+    ]
+  },
+  "http.request": {
+    // Canonical vector form for CRC:
+    // "http.request method:string url:string http_version:string headers:vector http.header payload:bytes = http.Response"
+    id: 1195978213,
+    fields: [
+      { name: "method", type: "string" },
+      { name: "url", type: "string" },
+      { name: "httpVersion", type: "string" },
+      { name: "headers", type: { vector: { ref: "http.header" }, bare: true } },
+      { name: "payload", type: "bytes" }
+    ],
+    isFunction: true
+  },
+  // --- Root Config ---
+  "rootConfig.registeredProxy": {
+    id: tlId("rootConfig.registeredProxy seqno:int address:string = rootConfig.RegisteredProxy"),
+    fields: [
+      { name: "seqno", type: "int" },
+      { name: "address", type: "string" }
+    ]
+  },
+  // --- Functions ---
+  "client.connectToProxy": {
+    id: tlId(
+      "client.connectToProxy params:client.params min_config_version:int = client.ConnectedToProxy"
+    ),
+    fields: [
+      { name: "params", type: { ref: "client.params" } },
+      { name: "minConfigVersion", type: "int" }
+    ],
+    isFunction: true
+  },
+  "client.authorizeWithProxyShort": {
+    id: tlId("client.authorizeWithProxyShort data:bytes = client.AuthorizationWithProxy"),
+    fields: [{ name: "data", type: "bytes" }],
+    isFunction: true
+  },
+  "client.authorizeWithProxyLong": {
+    id: tlId("client.authorizeWithProxyLong = client.AuthorizationWithProxy"),
+    fields: [],
+    isFunction: true
+  },
+  "client.runQueryEx": {
+    id: tlId(
+      "client.runQueryEx model_name:string query:bytes max_coefficient:int max_tokens:int timeout:double request_id:int256 min_config_version:int flags:# enable_debug:flags.0?Bool = client.QueryAnswerEx"
+    ),
+    fields: [
+      { name: "modelName", type: "string" },
+      { name: "query", type: "bytes" },
+      { name: "maxCoefficient", type: "int" },
+      { name: "maxTokens", type: "int" },
+      { name: "timeout", type: "double" },
+      { name: "requestId", type: "int256" },
+      { name: "minConfigVersion", type: "int" },
+      { name: "flags", type: "int" },
+      { name: "enableDebug", type: "Bool", flag: { field: "flags", bit: 0 } }
+    ],
+    isFunction: true
+  },
+  "client.getWorkerTypesV2": {
+    id: tlId("client.getWorkerTypesV2 = client.WorkerTypesV2"),
+    fields: [],
+    isFunction: true
+  },
+  "client.updatePaymentStatus": {
+    id: tlId("client.updatePaymentStatus = client.PaymentStatus"),
+    fields: [],
+    isFunction: true
+  },
+  "client.requestRefund": {
+    id: tlId("client.requestRefund = client.Refund"),
+    fields: [],
+    isFunction: true
+  }
+};
+var CONSTRUCTOR_ID_MAP = /* @__PURE__ */ new Map();
+for (const [name, def] of Object.entries(TL_SCHEMA)) {
+  CONSTRUCTOR_ID_MAP.set(def.id, name);
+}
+var POLYMORPHIC_TYPES = {
+  "tcp.Packet": [
+    "tcp.ping",
+    "tcp.pong",
+    "tcp.packet",
+    "tcp.queryAnswer",
+    "tcp.queryError",
+    "tcp.query",
+    "tcp.connected",
+    "tcp.connect"
+  ],
+  "client.ProxyConnectionAuth": [
+    "client.proxyConnectionAuthShort",
+    "client.proxyConnectionAuthLong"
+  ],
+  "proxy.SignedPayment": ["proxy.signedPayment", "proxy.signedPaymentEmpty"],
+  "client.AuthorizationWithProxy": [
+    "client.authorizationWithProxySuccess",
+    "client.authorizationWithProxyFailed"
+  ],
+  "client.QueryAnswerEx": [
+    "client.queryAnswerEx",
+    "client.queryAnswerErrorEx",
+    "client.queryAnswerPartEx"
+  ],
+  "client.Refund": ["client.refund", "client.refundRejected"]
+};
+
+// src/core/tl/serializer.ts
+var VECTOR_ID = 481674261;
+var BOOL_TRUE_ID = 2574415285;
+var BOOL_FALSE_ID = 3162085175;
+var TLSerializer = class {
+  buffers = [];
+  totalLength = 0;
+  writeInt(value) {
+    const buf = Buffer.alloc(4);
+    buf.writeInt32LE(value, 0);
+    this.push(buf);
+  }
+  writeUInt(value) {
+    const buf = Buffer.alloc(4);
+    buf.writeUInt32LE(value, 0);
+    this.push(buf);
+  }
+  writeLong(value) {
+    const buf = Buffer.alloc(8);
+    buf.writeBigInt64LE(value, 0);
+    this.push(buf);
+  }
+  writeDouble(value) {
+    const buf = Buffer.alloc(8);
+    buf.writeDoubleLE(value, 0);
+    this.push(buf);
+  }
+  writeInt128(value) {
+    if (value.length !== 16) throw new Error(`int128 must be 16 bytes, got ${value.length}`);
+    this.push(value);
+  }
+  writeInt256(value) {
+    if (value.length !== 32) throw new Error(`int256 must be 32 bytes, got ${value.length}`);
+    this.push(value);
+  }
+  writeBytes(value) {
+    let headerLen;
+    if (value.length < 254) {
+      const header = Buffer.alloc(1);
+      header[0] = value.length;
+      this.push(header);
+      headerLen = 1;
+    } else {
+      const header = Buffer.alloc(4);
+      header[0] = 254;
+      header[1] = value.length & 255;
+      header[2] = value.length >> 8 & 255;
+      header[3] = value.length >> 16 & 255;
+      this.push(header);
+      headerLen = 4;
+    }
+    this.push(value);
+    const totalLen = headerLen + value.length;
+    const padding = (4 - totalLen % 4) % 4;
+    if (padding > 0) {
+      this.push(Buffer.alloc(padding));
+    }
+  }
+  writeString(value) {
+    this.writeBytes(Buffer.from(value, "utf-8"));
+  }
+  writeBool(value) {
+    this.writeUInt(value ? BOOL_TRUE_ID : BOOL_FALSE_ID);
+  }
+  writeVector(items, itemType, bare = false) {
+    if (!bare) {
+      this.writeUInt(VECTOR_ID);
+    }
+    this.writeInt(items.length);
+    for (const item of items) {
+      this.writeField(item, itemType);
+    }
+  }
+  writeConstructorId(id) {
+    this.writeUInt(id);
+  }
+  /**
+   * Serialize a TL object by its _type, writing constructor ID + fields.
+   * boxed=true writes the constructor ID prefix.
+   */
+  writeObject(obj, boxed = true) {
+    const typeName = obj["_type"];
+    if (!typeName) throw new Error("TL object must have _type field");
+    const schema = TL_SCHEMA[typeName];
+    if (!schema) throw new Error(`Unknown TL type: ${typeName}`);
+    if (boxed) {
+      this.writeConstructorId(schema.id);
+    }
+    this.writeFields(obj, schema);
+  }
+  writeFields(obj, schema) {
+    const flagValues = {};
+    for (const field of schema.fields) {
+      if (field.type === "int" && field.name.toLowerCase().includes("flag")) {
+        const isFlags = schema.fields.some((f) => f.flag?.field === field.name);
+        if (isFlags) {
+          let flags = 0;
+          for (const f of schema.fields) {
+            if (f.flag?.field === field.name && obj[f.name] !== void 0 && obj[f.name] !== null) {
+              flags |= 1 << f.flag.bit;
+            }
+          }
+          flagValues[field.name] = flags;
+        }
+      }
+    }
+    for (const field of schema.fields) {
+      if (field.name in flagValues) {
+        this.writeInt(flagValues[field.name]);
+        continue;
+      }
+      if (field.flag) {
+        const flagVal = flagValues[field.flag.field] ?? obj[field.flag.field] ?? 0;
+        if (!(flagVal & 1 << field.flag.bit)) {
+          continue;
+        }
+      }
+      const value = obj[field.name];
+      this.writeField(value, field.type);
+    }
+  }
+  writeField(value, type) {
+    if (typeof type === "string") {
+      switch (type) {
+        case "int":
+          this.writeInt(value);
+          break;
+        case "long":
+          this.writeLong(value);
+          break;
+        case "double":
+          this.writeDouble(value);
+          break;
+        case "int128":
+          this.writeInt128(value);
+          break;
+        case "int256":
+          this.writeInt256(value);
+          break;
+        case "string":
+          this.writeString(value);
+          break;
+        case "bytes":
+          this.writeBytes(value);
+          break;
+        case "Bool":
+          this.writeBool(value);
+          break;
+        case "true":
+          break;
+        default:
+          throw new Error(`Unknown primitive type: ${type}`);
+      }
+    } else if ("vector" in type) {
+      this.writeVector(value, type.vector, Boolean(type.bare));
+    } else if ("ref" in type) {
+      const isPolymorphicRef = type.ref in POLYMORPHIC_TYPES;
+      if (isPolymorphicRef) {
+        this.writeObject(value, true);
+        return;
+      }
+      if (!(type.ref in TL_SCHEMA)) {
+        throw new Error(`Unknown TL ref type: ${type.ref}`);
+      }
+      const obj = value;
+      const nestedType = obj["_type"];
+      if (nestedType && nestedType !== type.ref) {
+        throw new Error(`Expected nested type ${type.ref}, got ${nestedType}`);
+      }
+      this.writeObject(nestedType ? obj : { ...obj, _type: type.ref }, false);
+    }
+  }
+  push(buf) {
+    this.buffers.push(buf);
+    this.totalLength += buf.length;
+  }
+  toBuffer() {
+    return Buffer.concat(this.buffers, this.totalLength);
+  }
+};
+function serializeTLObject(obj, boxed = true) {
+  const s = new TLSerializer();
+  s.writeObject(obj, boxed);
+  return s.toBuffer();
+}
+
+// src/core/tl/deserializer.ts
+var VECTOR_ID2 = 481674261;
+var BOOL_TRUE_ID2 = 2574415285;
+var BOOL_FALSE_ID2 = 3162085175;
+var TLDeserializer = class {
+  buffer;
+  offset;
+  constructor(buffer) {
+    this.buffer = buffer;
+    this.offset = 0;
+  }
+  get remaining() {
+    return this.buffer.length - this.offset;
+  }
+  readInt() {
+    this.checkRemaining(4);
+    const value = this.buffer.readInt32LE(this.offset);
+    this.offset += 4;
+    return value;
+  }
+  readUInt() {
+    this.checkRemaining(4);
+    const value = this.buffer.readUInt32LE(this.offset);
+    this.offset += 4;
+    return value;
+  }
+  readLong() {
+    this.checkRemaining(8);
+    const value = this.buffer.readBigInt64LE(this.offset);
+    this.offset += 8;
+    return value;
+  }
+  readDouble() {
+    this.checkRemaining(8);
+    const value = this.buffer.readDoubleLE(this.offset);
+    this.offset += 8;
+    return value;
+  }
+  readInt128() {
+    this.checkRemaining(16);
+    const value = Buffer.alloc(16);
+    this.buffer.copy(value, 0, this.offset, this.offset + 16);
+    this.offset += 16;
+    return value;
+  }
+  readInt256() {
+    this.checkRemaining(32);
+    const value = Buffer.alloc(32);
+    this.buffer.copy(value, 0, this.offset, this.offset + 32);
+    this.offset += 32;
+    return value;
+  }
+  readBytes() {
+    this.checkRemaining(1);
+    let length;
+    let headerLen;
+    const firstByte = this.buffer[this.offset];
+    if (firstByte < 254) {
+      length = firstByte;
+      headerLen = 1;
+      this.offset += 1;
+    } else {
+      this.checkRemaining(4);
+      length = this.buffer[this.offset + 1] | this.buffer[this.offset + 2] << 8 | this.buffer[this.offset + 3] << 16;
+      headerLen = 4;
+      this.offset += 4;
+    }
+    this.checkRemaining(length);
+    const value = Buffer.alloc(length);
+    this.buffer.copy(value, 0, this.offset, this.offset + length);
+    this.offset += length;
+    const totalLen = headerLen + length;
+    const padding = (4 - totalLen % 4) % 4;
+    this.offset += padding;
+    return value;
+  }
+  readString() {
+    return this.readBytes().toString("utf-8");
+  }
+  readBool() {
+    const id = this.readUInt();
+    if (id === BOOL_TRUE_ID2) return true;
+    if (id === BOOL_FALSE_ID2) return false;
+    throw new Error(`Invalid Bool constructor ID: 0x${id.toString(16)}`);
+  }
+  readVector(itemType, bare = false) {
+    if (!bare) {
+      const id = this.readUInt();
+      if (id !== VECTOR_ID2) {
+        throw new Error(
+          `Expected vector constructor ID 0x${VECTOR_ID2.toString(16)}, got 0x${id.toString(16)}`
+        );
+      }
+    }
+    const count = this.readInt();
+    const items = [];
+    for (let i = 0; i < count; i++) {
+      items.push(this.readField(itemType));
+    }
+    return items;
+  }
+  /**
+   * Read a boxed TL object: reads constructor ID, looks up schema, reads fields.
+   */
+  readObject() {
+    const constructorId = this.readUInt();
+    const typeName = CONSTRUCTOR_ID_MAP.get(constructorId);
+    if (!typeName) {
+      throw new Error(
+        `Unknown TL constructor ID: 0x${constructorId.toString(16).padStart(8, "0")}`
+      );
+    }
+    const schema = TL_SCHEMA[typeName];
+    return this.readFields(typeName, schema);
+  }
+  /**
+   * Read fields of a known TL type (without reading constructor ID).
+   */
+  readObjectBare(typeName) {
+    const schema = TL_SCHEMA[typeName];
+    if (!schema) throw new Error(`Unknown TL type: ${typeName}`);
+    return this.readFields(typeName, schema);
+  }
+  readFields(typeName, schema) {
+    const result = { _type: typeName };
+    const flagValues = {};
+    for (const field of schema.fields) {
+      if (field.flag) {
+        const flagVal = flagValues[field.flag.field] ?? 0;
+        if (!(flagVal & 1 << field.flag.bit)) {
+          continue;
+        }
+      }
+      const value = this.readField(field.type);
+      result[field.name] = value;
+      if (field.type === "int" && schema.fields.some((f) => f.flag?.field === field.name)) {
+        flagValues[field.name] = value;
+      }
+    }
+    return result;
+  }
+  readField(type) {
+    if (typeof type === "string") {
+      switch (type) {
+        case "int":
+          return this.readInt();
+        case "long":
+          return this.readLong();
+        case "double":
+          return this.readDouble();
+        case "int128":
+          return this.readInt128();
+        case "int256":
+          return this.readInt256();
+        case "string":
+          return this.readString();
+        case "bytes":
+          return this.readBytes();
+        case "Bool":
+          return this.readBool();
+        case "true":
+          return true;
+        // Bare true is present by virtue of the flag being set
+        default:
+          throw new Error(`Unknown primitive type: ${type}`);
+      }
+    } else if ("vector" in type) {
+      return this.readVector(type.vector, Boolean(type.bare));
+    } else if ("ref" in type) {
+      if (type.ref in POLYMORPHIC_TYPES) {
+        return this.readObject();
+      }
+      if (type.ref in TL_SCHEMA) {
+        return this.readObjectBare(type.ref);
+      }
+      throw new Error(`Unknown TL ref type: ${type.ref}`);
+    }
+    throw new Error(`Unhandled field type: ${JSON.stringify(type)}`);
+  }
+  checkRemaining(needed) {
+    if (this.offset + needed > this.buffer.length) {
+      throw new Error(
+        `Buffer underflow: need ${needed} bytes at offset ${this.offset}, but only ${this.buffer.length - this.offset} remain`
+      );
+    }
+  }
+};
+function deserializeTLObject(buffer) {
+  const d = new TLDeserializer(buffer);
+  return d.readObject();
+}
+
+// src/core/protocol/handshake.ts
+var import_node_crypto2 = __toESM(require("crypto"), 1);
+async function performHandshake(conn, ownerAddress, secretString, configVersion, onLongAuthRequired) {
+  const tcpId = import_node_crypto2.default.randomBytes(8).readBigInt64LE();
+  const tcpConnect = { _type: "tcp.connect", id: tcpId };
+  conn.send(serializeTLObject(tcpConnect));
+  const tcpResponse = await waitForFrame(conn, 3e4);
+  const tcpConnected = deserializeTLObject(tcpResponse);
+  if (tcpConnected._type !== "tcp.connected") {
+    throw new ProtocolError(`Expected tcp.connected, got ${tcpConnected._type}`);
+  }
+  const clientParams = {
+    _type: "client.params",
+    flags: 3,
+    // bit 0 (isTest) + bit 1 (proto versions)
+    clientOwnerAddress: ownerAddress,
+    isTest: false,
+    minProtoVersion: 0,
+    maxProtoVersion: 1
+  };
+  const connectReq = {
+    _type: "client.connectToProxy",
+    params: clientParams,
+    minConfigVersion: configVersion
+  };
+  const queryId = import_node_crypto2.default.randomBytes(8).readBigInt64LE();
+  sendQuery(conn, queryId, serializeTLObject(connectReq));
+  const connectResponseData = await waitForQueryAnswer(
+    conn,
+    queryId,
+    3e4,
+    "connectToProxy response"
+  );
+  const connected = deserializeTLObject(connectResponseData);
+  if (connected._type !== "client.connectedToProxy") {
+    throw new ProtocolError(`Expected client.connectedToProxy, got ${connected._type}`);
+  }
+  const protoVersion = connected.params.protoVersion ?? 0;
+  const auth = connected.auth;
+  let authResult;
+  if (auth._type === "client.proxyConnectionAuthShort") {
+    const ourSecretHash = Buffer.from(import_node_crypto2.default.createHash("sha256").update(secretString).digest());
+    if (ourSecretHash.equals(auth.secretHash)) {
+      const authReq = {
+        _type: "client.authorizeWithProxyShort",
+        data: Buffer.from(secretString, "utf-8")
+      };
+      const authQueryId = import_node_crypto2.default.randomBytes(8).readBigInt64LE();
+      sendQuery(
+        conn,
+        authQueryId,
+        serializeTLObject(authReq)
+      );
+      const authResponseData = await waitForQueryAnswer(
+        conn,
+        authQueryId,
+        3e5,
+        "short auth response"
+      );
+      authResult = deserializeTLObject(authResponseData);
+    } else {
+      authResult = await performLongAuth(
+        conn,
+        connected,
+        auth.nonce,
+        onLongAuthRequired,
+        "Proxy requested long auth because provided SECRET does not match on-chain secret hash"
+      );
+    }
+  } else {
+    authResult = await performLongAuth(
+      conn,
+      connected,
+      auth.nonce,
+      onLongAuthRequired,
+      "Proxy requires long auth (wallet is not registered for this proxy or SECRET is unavailable)"
+    );
+  }
+  if (authResult._type === "client.authorizationWithProxyFailed") {
+    throw new AuthenticationError(`Proxy auth failed: ${authResult.error}`, authResult.errorCode);
+  }
+  if (authResult._type !== "client.authorizationWithProxySuccess") {
+    throw new ProtocolError(
+      `Unexpected auth response type: ${authResult._type}`
+    );
+  }
+  return {
+    proxyParams: connected.params,
+    clientScAddress: connected.clientScAddress,
+    signedPayment: authResult.signedPayment,
+    tokensCommittedToDb: authResult.tokensCommittedToDb,
+    maxTokens: authResult.maxTokens,
+    protoVersion
+  };
+}
+function buildHandshakeCloseError(stage, error) {
+  const suffix = " This usually means RA-TLS/mTLS client credentials were rejected by the proxy.";
+  return new ConnectionError(
+    `Connection closed while waiting for ${stage}.${suffix}`,
+    error
+  );
+}
+async function performLongAuth(conn, connected, nonce, onLongAuthRequired, missingHandlerMessage) {
+  if (!onLongAuthRequired) {
+    throw new AuthenticationError(
+      `${missingHandlerMessage}. Provide SECRET for short auth, or keep automatic long-auth registration enabled`
+    );
+  }
+  await onLongAuthRequired({
+    nonce,
+    clientScAddress: connected.clientScAddress,
+    proxyParams: connected.params
+  });
+  const authQueryId = import_node_crypto2.default.randomBytes(8).readBigInt64LE();
+  const authReq = { _type: "client.authorizeWithProxyLong" };
+  sendQuery(conn, authQueryId, serializeTLObject(authReq));
+  const authResponseData = await waitForQueryAnswer(
+    conn,
+    authQueryId,
+    3e5,
+    "long auth response"
+  );
+  return deserializeTLObject(authResponseData);
+}
+function sendQuery(conn, queryId, data) {
+  const queryObj = {
+    _type: "tcp.query",
+    id: queryId,
+    data
+  };
+  conn.send(serializeTLObject(queryObj));
+}
+function waitForFrame(conn, timeoutMs) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => cleanup(() => reject(new ConnectionError("Timeout waiting for frame"))), timeoutMs);
+    const cleanup = (next) => {
+      clearTimeout(timer);
+      conn.removeListener("frame", onFrame);
+      conn.removeListener("close", onClose);
+      if (next) next();
+    };
+    const onFrame = (data) => {
+      cleanup(() => resolve(data));
+    };
+    const onClose = (error) => {
+      cleanup(() => reject(buildHandshakeCloseError("handshake frame", error)));
+    };
+    conn.once("frame", onFrame);
+    conn.once("close", onClose);
+  });
+}
+function waitForQueryAnswer(conn, queryId, timeoutMs, stage = "query answer") {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(
+      () => cleanup(() => reject(new ConnectionError(`Timeout waiting for ${stage}`))),
+      timeoutMs
+    );
+    const cleanup = (next) => {
+      clearTimeout(timer);
+      conn.removeListener("frame", onFrame);
+      conn.removeListener("close", onClose);
+      if (next) next();
+    };
+    const onClose = (error) => {
+      cleanup(() => reject(buildHandshakeCloseError(stage, error)));
+    };
+    const onFrame = (data) => {
+      let obj;
+      try {
+        obj = deserializeTLObject(data);
+      } catch (err) {
+        cleanup(
+          () => reject(new ProtocolError(`Failed to deserialize handshake frame: ${String(err)}`))
+        );
+        return;
+      }
+      if (obj["_type"] === "tcp.queryAnswer") {
+        const answerId = obj["id"];
+        if (answerId === queryId) {
+          cleanup(() => resolve(obj["data"]));
+          return;
+        }
+      } else if (obj["_type"] === "tcp.queryError") {
+        const errorId = obj["id"];
+        if (errorId === queryId) {
+          cleanup(
+            () => reject(new ProtocolError(`Query error: ${obj["message"]}`, obj["code"]))
+          );
+          return;
+        }
+      }
+    };
+    conn.on("frame", onFrame);
+    conn.once("close", onClose);
+  });
+}
+
+// src/core/protocol/session.ts
+var CocoonSession = class extends import_node_events2.EventEmitter {
+  conn = null;
+  handshakeResult = null;
+  pendingQueries = /* @__PURE__ */ new Map();
+  keepaliveTimer = null;
+  _connected = false;
+  options;
+  constructor(options) {
+    super();
+    this.options = options;
+  }
+  get connected() {
+    return this._connected;
+  }
+  get protoVersion() {
+    return this.handshakeResult?.protoVersion ?? 0;
+  }
+  async connect() {
+    if (this._connected) return;
+    this.conn = new CocoonConnection(this.options);
+    await this.conn.connect();
+    this.handshakeResult = await performHandshake(
+      this.conn,
+      this.options.ownerAddress,
+      this.options.secretString,
+      this.options.configVersion ?? 0,
+      this.options.onLongAuthRequired
+    );
+    this._connected = true;
+    this.conn.on("frame", (data) => this.handleFrame(data));
+    this.conn.on("close", (error) => {
+      this._connected = false;
+      this.cleanup();
+      this.emit("close", error);
+    });
+    this.startKeepalive();
+  }
+  /**
+   * Send a query and wait for the complete answer.
+   */
+  async sendQuery(modelName, httpRequest, options = {}) {
+    if (!this.conn || !this._connected) {
+      throw new ConnectionError("Not connected");
+    }
+    const requestId = import_node_crypto3.default.randomBytes(32);
+    const timeout = options.timeout ?? this.options.timeout ?? 12e4;
+    const queryPayload = serializeTLObject(httpRequest, true);
+    const runQuery = {
+      _type: "client.runQueryEx",
+      modelName,
+      query: queryPayload,
+      maxCoefficient: options.maxCoefficient ?? 4e3,
+      maxTokens: options.maxTokens ?? 1e3,
+      timeout: timeout / 1e3 * 0.95,
+      requestId,
+      minConfigVersion: this.options.configVersion ?? 0,
+      flags: options.enableDebug ? 1 : 0,
+      enableDebug: options.enableDebug
+    };
+    const tlData = serializeTLObject(runQuery, true);
+    const tcpPacket = {
+      _type: "tcp.packet",
+      data: tlData
+    };
+    this.conn.send(serializeTLObject(tcpPacket));
+    return new Promise((resolve, reject) => {
+      const requestIdHex = requestId.toString("hex");
+      const timer = setTimeout(() => {
+        this.pendingQueries.delete(requestIdHex);
+        reject(new TimeoutError(`Query timed out after ${timeout}ms`));
+      }, timeout);
+      this.pendingQueries.set(requestIdHex, {
+        resolve,
+        reject,
+        onPart: options.onPart,
+        timer
+      });
+    });
+  }
+  /**
+   * Send a raw TL function (for getWorkerTypesV2, etc.)
+   */
+  async sendRpcQuery(tlObject, timeoutMs = 3e4) {
+    if (!this.conn || !this._connected) {
+      throw new ConnectionError("Not connected");
+    }
+    const queryId = import_node_crypto3.default.randomBytes(8).readBigInt64LE();
+    const data = serializeTLObject(tlObject, true);
+    const tcpQuery = {
+      _type: "tcp.query",
+      id: queryId,
+      data
+    };
+    this.conn.send(serializeTLObject(tcpQuery));
+    return new Promise((resolve, reject) => {
+      const timer = setTimeout(() => {
+        this.removeListener(`queryAnswer:${queryId}`, onAnswer);
+        reject(new TimeoutError(`RPC query timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
+      const onAnswer = (result) => {
+        clearTimeout(timer);
+        if (result.error) {
+          reject(new ProtocolError(result.error.message, result.error.code));
+        } else if (result.data) {
+          resolve(deserializeTLObject(result.data));
+        }
+      };
+      this.once(`queryAnswer:${queryId}`, onAnswer);
+    });
+  }
+  async disconnect() {
+    this.cleanup();
+    this.conn?.destroy();
+    this.conn = null;
+    this._connected = false;
+  }
+  handleFrame(data) {
+    if (data.length === 0) {
+      return;
+    }
+    let obj;
+    try {
+      obj = deserializeTLObject(data);
+    } catch (e) {
+      this.emit("error", new ProtocolError(`Failed to deserialize frame: ${e}`));
+      return;
+    }
+    const type = obj["_type"];
+    switch (type) {
+      case "tcp.pong":
+        break;
+      case "tcp.ping": {
+        if (this.conn) {
+          const pong = { _type: "tcp.pong", id: obj["id"] };
+          this.conn.send(serializeTLObject(pong));
+        }
+        break;
+      }
+      case "tcp.queryAnswer": {
+        const queryId = obj["id"];
+        this.emit(`queryAnswer:${queryId}`, { data: obj["data"] });
+        break;
+      }
+      case "tcp.queryError": {
+        const queryId = obj["id"];
+        this.emit(`queryAnswer:${queryId}`, {
+          error: { code: obj["code"], message: obj["message"] }
+        });
+        break;
+      }
+      case "tcp.packet": {
+        const innerData = obj["data"];
+        if (innerData.length === 0) break;
+        let innerObj;
+        try {
+          innerObj = deserializeTLObject(innerData);
+        } catch (e) {
+          this.emit("error", new ProtocolError(`Failed to deserialize inner packet: ${e}`));
+          return;
+        }
+        this.handleInnerPacket(innerObj);
+        break;
+      }
+      default:
+        this.emit("error", new ProtocolError(`Unexpected frame type: ${type}`));
+    }
+  }
+  handleInnerPacket(obj) {
+    const type = obj["_type"];
+    let normalized = obj;
+    if (type === "client.queryAnswer") {
+      normalized = {
+        ...obj,
+        _type: "client.queryAnswerEx"
+      };
+    } else if (type === "client.queryAnswerPart") {
+      normalized = {
+        ...obj,
+        _type: "client.queryAnswerPartEx"
+      };
+    } else if (type === "client.queryAnswerError" || type === "client.queryAnswerPartError") {
+      normalized = {
+        ...obj,
+        _type: "client.queryAnswerErrorEx"
+      };
+    }
+    const normalizedType = normalized["_type"];
+    if (normalizedType === "client.queryAnswerEx" || normalizedType === "client.queryAnswerErrorEx" || normalizedType === "client.queryAnswerPartEx") {
+      const requestId = normalized["requestId"].toString("hex");
+      const pending = this.pendingQueries.get(requestId);
+      if (!pending) {
+        return;
+      }
+      const answer = normalized;
+      if (normalizedType === "client.queryAnswerErrorEx") {
+        clearTimeout(pending.timer);
+        this.pendingQueries.delete(requestId);
+        pending.resolve(answer);
+        return;
+      }
+      pending.onPart?.(answer);
+      if (this.isTerminalQueryAnswer(answer)) {
+        clearTimeout(pending.timer);
+        this.pendingQueries.delete(requestId);
+        pending.resolve(answer);
+      }
+    }
+  }
+  isTerminalQueryAnswer(answer) {
+    if (answer._type === "client.queryAnswerErrorEx") {
+      return true;
+    }
+    const legacyIsCompleted = answer.isCompleted;
+    if (typeof legacyIsCompleted === "boolean") {
+      return legacyIsCompleted;
+    }
+    if ("finalInfo" in answer && answer.finalInfo) {
+      return true;
+    }
+    if ("flags" in answer && typeof answer.flags === "number" && (answer.flags & 1) !== 0) {
+      return true;
+    }
+    if ("answer" in answer && answer.answer) {
+      try {
+        const envelope = deserializeTLObject(answer.answer);
+        if (envelope._type === "http.response") {
+          const transferEncoding = envelope.headers?.find(
+            (h) => h.name.toLowerCase() === "transfer-encoding"
+          )?.value;
+          if (transferEncoding && transferEncoding.toLowerCase().includes("chunked")) {
+            return false;
+          }
+          return true;
+        }
+      } catch {
+      }
+    }
+    if (answer._type === "client.queryAnswerPartEx") {
+      return false;
+    }
+    return true;
+  }
+  startKeepalive() {
+    this.keepaliveTimer = setInterval(() => {
+      if (this.conn?.isConnected) {
+        const pingId = import_node_crypto3.default.randomBytes(8).readBigInt64LE();
+        const ping = { _type: "tcp.ping", id: pingId };
+        try {
+          this.conn.send(serializeTLObject(ping));
+        } catch {
+        }
+      }
+    }, 1e4);
+  }
+  cleanup() {
+    if (this.keepaliveTimer) {
+      clearInterval(this.keepaliveTimer);
+      this.keepaliveTimer = null;
+    }
+    for (const [, pending] of this.pendingQueries) {
+      clearTimeout(pending.timer);
+      pending.reject(new ConnectionError("Connection closed"));
+    }
+    this.pendingQueries.clear();
+  }
+};
+function buildHttpRequest(method, url, body, extraHeaders = []) {
+  const hasHeader = (name) => extraHeaders.some((h) => h.name.toLowerCase() === name.toLowerCase());
+  const headers = [...extraHeaders];
+  if (!hasHeader("Content-Type")) {
+    headers.unshift({ _type: "http.header", name: "Content-Type", value: "application/json" });
+  }
+  if (!hasHeader("Content-Length")) {
+    headers.push({ _type: "http.header", name: "Content-Length", value: body.length.toString() });
+  }
+  if (!hasHeader("Host")) {
+    headers.push({ _type: "http.header", name: "Host", value: "api.openai.com" });
+  }
+  return {
+    _type: "http.request",
+    method,
+    url,
+    httpVersion: "HTTP/1.1",
+    headers,
+    payload: body
+  };
+}
+
+// src/core/streaming.ts
+var Stream = class {
+  controller = null;
+  stream;
+  _done = false;
+  constructor() {
+    this.stream = new ReadableStream({
+      start: (controller) => {
+        this.controller = controller;
+      }
+    });
+  }
+  /**
+   * Push a chunk into the stream.
+   */
+  push(chunk) {
+    if (this._done) return;
+    this.controller?.enqueue(chunk);
+  }
+  /**
+   * Signal that the stream is complete.
+   */
+  end() {
+    if (this._done) return;
+    this._done = true;
+    this.controller?.close();
+  }
+  /**
+   * Signal an error on the stream.
+   */
+  error(err) {
+    if (this._done) return;
+    this._done = true;
+    this.controller?.error(err);
+  }
+  get done() {
+    return this._done;
+  }
+  async *[Symbol.asyncIterator]() {
+    const reader = this.stream.getReader();
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        yield value;
+      }
+    } finally {
+      reader.releaseLock();
+    }
+  }
+};
+
+// src/resources/chat/completions.ts
+var Completions = class {
+  constructor(getSession) {
+    this.getSession = getSession;
+  }
+  extractHttpData(answer) {
+    try {
+      const httpResponse = deserializeTLObject(answer);
+      if (httpResponse._type === "http.response") {
+        return {
+          payload: httpResponse.payload,
+          statusCode: httpResponse.statusCode,
+          reason: httpResponse.reason
+        };
+      }
+    } catch {
+    }
+    return { payload: answer };
+  }
+  parseErrorPayload(payload, fallbackMessage) {
+    if (payload.length === 0) {
+      return { message: fallbackMessage, body: { error: fallbackMessage } };
+    }
+    const text = payload.toString("utf-8");
+    try {
+      const parsed = JSON.parse(text);
+      const message = typeof parsed.message === "string" ? parsed.message : typeof parsed.error === "string" ? parsed.error : fallbackMessage;
+      return { message, body: parsed };
+    } catch {
+      return { message: text || fallbackMessage, body: { error: text || fallbackMessage } };
+    }
+  }
+  async create(params) {
+    const session = await this.getSession();
+    const body = JSON.stringify({
+      model: params.model,
+      messages: params.messages,
+      stream: params.stream ?? false,
+      ...params.temperature !== void 0 && { temperature: params.temperature },
+      ...params.top_p !== void 0 && { top_p: params.top_p },
+      ...params.max_tokens !== void 0 && { max_tokens: params.max_tokens },
+      ...params.max_completion_tokens !== void 0 && {
+        max_completion_tokens: params.max_completion_tokens
+      },
+      ...params.stop !== void 0 && { stop: params.stop },
+      ...params.presence_penalty !== void 0 && { presence_penalty: params.presence_penalty },
+      ...params.frequency_penalty !== void 0 && {
+        frequency_penalty: params.frequency_penalty
+      }
+    });
+    const httpRequest = buildHttpRequest(
+      "POST",
+      "/v1/chat/completions",
+      Buffer.from(body, "utf-8")
+    );
+    if (params.stream) {
+      return this.createStreaming(session, params, httpRequest);
+    }
+    return this.createNonStreaming(session, params, httpRequest);
+  }
+  async createNonStreaming(session, params, httpRequest) {
+    const chunks = [];
+    let sawAnswer = false;
+    let statusCode;
+    let statusReason;
+    const finalAnswer = await session.sendQuery(params.model, httpRequest, {
+      maxCoefficient: params.max_coefficient,
+      maxTokens: params.max_tokens ?? params.max_completion_tokens,
+      timeout: params.timeout,
+      onPart: (part) => {
+        if (!("answer" in part) || !part.answer) {
+          return;
+        }
+        sawAnswer = true;
+        const extracted = this.extractHttpData(part.answer);
+        if (extracted.statusCode !== void 0) {
+          statusCode = extracted.statusCode;
+          statusReason = extracted.reason;
+        }
+        if (extracted.payload.length > 0) {
+          chunks.push(extracted.payload);
+        }
+      }
+    });
+    if (finalAnswer._type === "client.queryAnswerErrorEx") {
+      throw new APIError(finalAnswer.error, 500, {
+        error_code: finalAnswer.errorCode,
+        error: finalAnswer.error
+      });
+    }
+    if (!sawAnswer && "answer" in finalAnswer && finalAnswer.answer) {
+      const extracted = this.extractHttpData(finalAnswer.answer);
+      if (extracted.statusCode !== void 0) {
+        statusCode = extracted.statusCode;
+        statusReason = extracted.reason;
+      }
+      if (extracted.payload.length > 0) {
+        chunks.push(extracted.payload);
+      }
+    }
+    const fullPayload = Buffer.concat(chunks);
+    if (statusCode !== void 0 && statusCode >= 400) {
+      const fallback = statusReason ? `${statusCode} ${statusReason}` : `HTTP ${statusCode}`;
+      const parsed = this.parseErrorPayload(fullPayload, fallback);
+      throw new APIError(parsed.message, statusCode, parsed.body);
+    }
+    if (fullPayload.length === 0) {
+      throw new ProtocolError("Empty response from proxy");
+    }
+    try {
+      return JSON.parse(fullPayload.toString("utf-8"));
+    } catch (error) {
+      throw new ProtocolError(
+        `Failed to parse completion payload as JSON: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+  async createStreaming(session, params, httpRequest) {
+    const stream = new Stream();
+    let sseBuffer = "";
+    let headersParsed = false;
+    let statusCode;
+    let statusReason;
+    const errorChunks = [];
+    session.sendQuery(params.model, httpRequest, {
+      maxCoefficient: params.max_coefficient,
+      maxTokens: params.max_tokens ?? params.max_completion_tokens,
+      timeout: params.timeout,
+      onPart: (part) => {
+        try {
+          let rawData;
+          if ("answer" in part && part.answer) {
+            const answer = part.answer;
+            if (!headersParsed) {
+              try {
+                const httpResponse = deserializeTLObject(answer);
+                if (httpResponse._type === "http.response") {
+                  headersParsed = true;
+                  statusCode = httpResponse.statusCode;
+                  statusReason = httpResponse.reason;
+                  rawData = httpResponse.payload;
+                } else {
+                  rawData = answer;
+                }
+              } catch {
+                rawData = answer;
+                headersParsed = true;
+              }
+            } else {
+              rawData = answer;
+            }
+          }
+          if (rawData && rawData.length > 0) {
+            if (statusCode !== void 0 && statusCode >= 400) {
+              errorChunks.push(rawData);
+              return;
+            }
+            sseBuffer += rawData.toString("utf-8");
+            this.processSSEBuffer(sseBuffer, stream);
+            const lastNewline = sseBuffer.lastIndexOf("\n");
+            if (lastNewline >= 0) {
+              sseBuffer = sseBuffer.substring(lastNewline + 1);
+            }
+          }
+        } catch (e) {
+          stream.error(e instanceof Error ? e : new Error(String(e)));
+        }
+      }
+    }).then(() => {
+      if (statusCode !== void 0 && statusCode >= 400) {
+        const parsed = this.parseErrorPayload(
+          Buffer.concat(errorChunks),
+          statusReason ? `${statusCode} ${statusReason}` : `HTTP ${statusCode}`
+        );
+        stream.error(new APIError(parsed.message, statusCode, parsed.body));
+        return;
+      }
+      if (sseBuffer.trim().length > 0) {
+        this.processSSEBuffer(sseBuffer + "\n", stream);
+      }
+      stream.end();
+    }).catch((err) => {
+      stream.error(err instanceof Error ? err : new Error(String(err)));
+    });
+    return stream;
+  }
+  processSSEBuffer(buffer, stream) {
+    const lines = buffer.split("\n");
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed === "") continue;
+      if (trimmed === "data: [DONE]") continue;
+      if (trimmed.startsWith("data: ")) {
+        const jsonStr = trimmed.substring(6);
+        try {
+          const chunk = JSON.parse(jsonStr);
+          stream.push(chunk);
+        } catch {
+        }
+      }
+    }
+  }
+};
+
+// src/resources/models/models.ts
+var Models = class {
+  constructor(getSession) {
+    this.getSession = getSession;
+  }
+  /**
+   * List all available models on the network.
+   */
+  async list() {
+    const session = await this.getSession();
+    const result = await session.sendRpcQuery({
+      _type: "client.getWorkerTypesV2"
+    });
+    const workerTypes = result;
+    const models = workerTypes.types.map((wt) => {
+      const totalWorkers = wt.workers.length;
+      const coefficients = wt.workers.map((w) => w.coefficient);
+      const minCoeff = coefficients.length > 0 ? Math.min(...coefficients) : 0;
+      const maxCoeff = coefficients.length > 0 ? Math.max(...coefficients) : 0;
+      return {
+        id: wt.name,
+        object: "model",
+        created: Math.floor(Date.now() / 1e3),
+        owned_by: "cocoon",
+        active_workers: totalWorkers,
+        coefficient_min: minCoeff,
+        coefficient_max: maxCoeff
+      };
+    });
+    return {
+      object: "list",
+      data: models
+    };
+  }
+};
+
+// src/ton/wallet.ts
+var import_crypto = require("@ton/crypto");
+var import_ton = require("@ton/ton");
+var import_node_crypto4 = __toESM(require("crypto"), 1);
+var MnemonicWallet = class {
+  mnemonic;
+  keyPair = null;
+  wallet = null;
+  _address = null;
+  tonClient = null;
+  tonClient4 = null;
+  constructor(mnemonic, network = "mainnet", options) {
+    this.mnemonic = mnemonic.trim().split(/\s+/);
+    if (this.mnemonic.length !== 24) {
+      throw new Error(`Expected 24 mnemonic words, got ${this.mnemonic.length}`);
+    }
+    this.network = network;
+    this.tonEndpoint = options?.tonEndpoint;
+    this.tonV4Endpoint = options?.tonV4Endpoint;
+  }
+  network;
+  tonEndpoint;
+  tonV4Endpoint;
+  async init() {
+    if (this.keyPair) return;
+    this.keyPair = await (0, import_crypto.mnemonicToPrivateKey)(this.mnemonic);
+    this.wallet = import_ton.WalletContractV4.create({
+      workchain: 0,
+      publicKey: this.keyPair.publicKey
+    });
+    this._address = this.wallet.address;
+  }
+  get address() {
+    if (!this._address) throw new Error("Wallet not initialized. Call init() first.");
+    return this._address;
+  }
+  get addressString() {
+    return this.address.toString({ bounceable: true, testOnly: this.network === "testnet" });
+  }
+  get publicKey() {
+    if (!this.keyPair) throw new Error("Wallet not initialized. Call init() first.");
+    return this.keyPair.publicKey;
+  }
+  get secretKey() {
+    if (!this.keyPair) throw new Error("Wallet not initialized. Call init() first.");
+    return this.keyPair.secretKey;
+  }
+  /**
+   * Compute SHA-256 hash of a secret string (for short auth).
+   */
+  secretHash(secret) {
+    return import_node_crypto4.default.createHash("sha256").update(secret).digest();
+  }
+  /**
+   * Get or create a TonClient for blockchain queries.
+   */
+  getTonClient() {
+    if (!this.tonClient) {
+      const endpoint = this.tonEndpoint ?? (this.network === "mainnet" ? "https://toncenter.com/api/v2/jsonRPC" : "https://testnet.toncenter.com/api/v2/jsonRPC");
+      this.tonClient = new import_ton.TonClient({ endpoint });
+    }
+    return this.tonClient;
+  }
+  /**
+   * Get or create a TonClient4 for sending transactions via v4 HTTP API.
+   */
+  getTonClient4() {
+    if (!this.tonClient4) {
+      const endpoint = this.tonV4Endpoint ?? (this.network === "mainnet" ? "https://mainnet-v4.tonhubapi.com" : "https://testnet-v4.tonhubapi.com");
+      this.tonClient4 = new import_ton.TonClient4({ endpoint });
+    }
+    return this.tonClient4;
+  }
+  /**
+   * Create a sender for sending transactions.
+   */
+  async createSender() {
+    if (!this.wallet || !this.keyPair) {
+      throw new Error("Wallet not initialized");
+    }
+    const client = this.getTonClient4();
+    const contract = client.open(this.wallet);
+    return contract.sender(this.keyPair.secretKey);
+  }
+};
+
+// src/ton/discovery.ts
+var import_ton3 = require("@ton/ton");
+
+// src/ton/contracts/root.ts
+var import_ton2 = require("@ton/ton");
+function buildClientParamsCell(params) {
+  const b = (0, import_ton2.beginCell)().storeUint(params.structVersion, 8).storeUint(params.paramsVersion, 32).storeUint(params.uniqueId, 32).storeBit(params.isTest).storeCoins(params.pricePerToken).storeCoins(params.workerFeePerToken);
+  if (params.structVersion >= 2) {
+    if (params.structVersion >= 3) {
+      b.storeUint(params.promptTokensPriceMultiplier, 32);
+    }
+    b.storeUint(params.cachedTokensPriceMultiplier, 32);
+    if (params.structVersion >= 3) {
+      b.storeUint(params.completionTokensPriceMultiplier, 32);
+    }
+    b.storeUint(params.reasoningTokensPriceMultiplier, 32);
+  }
+  b.storeUint(params.proxyDelayBeforeClose, 32);
+  b.storeUint(params.clientDelayBeforeClose, 32);
+  if (params.structVersion >= 1) {
+    b.storeCoins(params.minProxyStake);
+    b.storeCoins(params.minClientStake);
+  }
+  b.storeMaybeRef(null).storeMaybeRef(null).storeMaybeRef(null);
+  return b.endCell();
+}
+function proxyInfoValue() {
+  return {
+    serialize: () => {
+      throw new Error("ProxyInfo serialization not needed for read-only usage");
+    },
+    parse: (src) => {
+      src.loadBit();
+      const strlen = src.loadUint(7);
+      const buf = src.loadBuffer(strlen);
+      return { addr: buf.toString("utf-8") };
+    }
+  };
+}
+var CocoonRoot = class {
+  constructor(client, address) {
+    this.client = client;
+    this.address = address;
+  }
+  /**
+   * Get all parameters by reading the raw contract state and parsing the Cell.
+   * Returns null if the contract is not initialized.
+   */
+  async getAllParams() {
+    const state = await this.client.getContractState(this.address);
+    if (!state.data) {
+      return null;
+    }
+    const cell = import_ton2.Cell.fromBoc(Buffer.from(state.data))[0];
+    const cs = cell.beginParse();
+    const ownerAddress = cs.loadAddress();
+    const version = cs.loadUint(32);
+    const data = cs.loadRef().beginParse();
+    if (data.loadBit()) data.loadRef();
+    const proxiesDict = data.loadDict(
+      import_ton2.Dictionary.Keys.Uint(32),
+      proxyInfoValue()
+    );
+    const lastProxySeqno = data.loadUint(32);
+    if (data.loadBit()) data.loadRef();
+    if (data.loadBit()) data.loadRef();
+    const pcs = cs.loadRef().beginParse();
+    const structVersion = pcs.loadUint(8);
+    const paramsVersion = pcs.loadUint(32);
+    const uniqueId = pcs.loadUint(32);
+    const isTest = pcs.loadBit();
+    const pricePerToken = pcs.loadCoins();
+    const workerFeePerToken = pcs.loadCoins();
+    let promptTokensPriceMultiplier = 1e4;
+    if (structVersion >= 3) {
+      promptTokensPriceMultiplier = pcs.loadUint(32);
+    }
+    let cachedTokensPriceMultiplier = 1e4;
+    if (structVersion >= 2) {
+      cachedTokensPriceMultiplier = pcs.loadUint(32);
+    }
+    let completionTokensPriceMultiplier = 1e4;
+    if (structVersion >= 3) {
+      completionTokensPriceMultiplier = pcs.loadUint(32);
+    }
+    let reasoningTokensPriceMultiplier = 1e4;
+    if (structVersion >= 2) {
+      reasoningTokensPriceMultiplier = pcs.loadUint(32);
+    }
+    const proxyDelayBeforeClose = pcs.loadUint(32);
+    const clientDelayBeforeClose = pcs.loadUint(32);
+    let minProxyStake = 1000000000n;
+    let minClientStake = 1000000000n;
+    if (structVersion >= 1) {
+      minProxyStake = pcs.loadCoins();
+      minClientStake = pcs.loadCoins();
+    }
+    const proxyScCode = pcs.loadMaybeRef();
+    const workerScCode = pcs.loadMaybeRef();
+    const clientScCode = pcs.loadMaybeRef();
+    const registeredProxies = [];
+    if (proxiesDict) {
+      for (const [seqno, info] of proxiesDict) {
+        registeredProxies.push({ seqno, address: info.addr });
+      }
+    }
+    return {
+      ownerAddress,
+      registeredProxies,
+      lastProxySeqno,
+      version,
+      params: {
+        structVersion,
+        paramsVersion,
+        uniqueId,
+        isTest,
+        pricePerToken,
+        workerFeePerToken,
+        promptTokensPriceMultiplier,
+        cachedTokensPriceMultiplier,
+        completionTokensPriceMultiplier,
+        reasoningTokensPriceMultiplier,
+        proxyDelayBeforeClose,
+        clientDelayBeforeClose,
+        minProxyStake,
+        minClientStake
+      },
+      codes: {
+        proxyScCode,
+        workerScCode,
+        clientScCode
+      }
+    };
+  }
+};
+
+// src/ton/discovery.ts
+var ROOT_CONTRACTS = {
+  mainnet: "EQCns7bYSp0igFvS1wpb5wsZjCKCV19MD5AVzI4EyxsnU73k",
+  testnet: "EQBT4hy4vMEZ9uxSCuhw_gBKh9_AwmHXLe7Wo0O4Vh-4kRjJ"
+};
+var ProxyDiscovery = class {
+  tonClient;
+  rootAddress;
+  cachedParams = null;
+  cacheTime = 0;
+  cacheTtl = 6e4;
+  // 1 minute
+  constructor(options) {
+    const endpoint = options.tonApiEndpoint ?? (options.network === "mainnet" ? "https://toncenter.com/api/v2/jsonRPC" : "https://testnet.toncenter.com/api/v2/jsonRPC");
+    this.tonClient = new import_ton3.TonClient({ endpoint });
+    const addr = options.rootContractAddress ?? ROOT_CONTRACTS[options.network];
+    if (!addr) {
+      throw new Error(`No root contract address for network: ${options.network}`);
+    }
+    this.rootAddress = import_ton3.Address.parse(addr);
+  }
+  /**
+   * Get all registered proxies from the root contract.
+   */
+  async getProxies() {
+    const params = await this.getRootParams();
+    return params.registeredProxies;
+  }
+  /**
+   * Get a random proxy for connection.
+   */
+  async getRandomProxy() {
+    const proxies = await this.getProxies();
+    if (proxies.length === 0) {
+      throw new Error("No proxies available in the network");
+    }
+    const idx = Math.floor(Math.random() * proxies.length);
+    return proxies[idx];
+  }
+  /**
+   * Get root contract parameters (cached).
+   */
+  async getRootParams() {
+    const now = Date.now();
+    if (this.cachedParams && now - this.cacheTime < this.cacheTtl) {
+      return this.cachedParams;
+    }
+    const root = new CocoonRoot(this.tonClient, this.rootAddress);
+    const result = await root.getAllParams();
+    if (!result) {
+      throw new Error("Root contract is not initialized");
+    }
+    this.cachedParams = result;
+    this.cacheTime = now;
+    return this.cachedParams;
+  }
+};
+
+// src/ton/contracts/client-contract.ts
+var import_ton4 = require("@ton/ton");
+var OPCODES = {
+  ownerClientRegister: 3294601019,
+  ownerClientChangeSecretHash: 2838851636,
+  extClientTopUp: 4050839234
+};
+var CocoonClientContract = class _CocoonClientContract {
+  constructor(address) {
+    this.address = address;
+  }
+  /**
+   * Create a registration message body for the proxy.
+   * This is sent to the client smart contract to register with a proxy.
+   */
+  static createRegisterBody(nonce, sendExcessesTo, queryId = 0n) {
+    const nonceU64 = BigInt.asUintN(64, nonce);
+    const queryIdU64 = BigInt.asUintN(64, queryId);
+    return (0, import_ton4.beginCell)().storeUint(OPCODES.ownerClientRegister, 32).storeUint(queryIdU64, 64).storeUint(nonceU64, 64).storeAddress(sendExcessesTo).endCell();
+  }
+  /**
+   * Create a message body to change the secret hash.
+   */
+  static createChangeSecretHashBody(secretHash, sendExcessesTo, queryId = 0n) {
+    const queryIdU64 = BigInt.asUintN(64, queryId);
+    return (0, import_ton4.beginCell)().storeUint(OPCODES.ownerClientChangeSecretHash, 32).storeUint(queryIdU64, 64).storeBuffer(secretHash, 32).storeAddress(sendExcessesTo).endCell();
+  }
+  /**
+   * Create a top-up message body.
+   */
+  static createTopUpBody(coins, sendExcessesTo, queryId = 0n) {
+    const queryIdU64 = BigInt.asUintN(64, queryId);
+    return (0, import_ton4.beginCell)().storeUint(OPCODES.extClientTopUp, 32).storeUint(queryIdU64, 64).storeCoins(coins).storeAddress(sendExcessesTo).endCell();
+  }
+  /**
+   * Build client_sc data cell for deployment.
+   * Mirrors ClientContract::init_data_cell in upstream C++ code.
+   */
+  static createDeployDataCell(ownerAddress, proxyScAddress, proxyPublicKey, minClientStake, clientParamsCell) {
+    if (proxyPublicKey.length !== 32) {
+      throw new Error(`proxyPublicKey must be 32 bytes, got ${proxyPublicKey.length}`);
+    }
+    const configDataRef = (0, import_ton4.beginCell)().storeAddress(ownerAddress).storeAddress(proxyScAddress).storeBuffer(proxyPublicKey, 32).endCell();
+    return (0, import_ton4.beginCell)().storeUint(0, 2).storeCoins(0n).storeCoins(minClientStake).storeInt(0n, 64).storeInt(0, 32).storeBuffer(Buffer.alloc(32), 32).storeRef(configDataRef).storeRef(clientParamsCell).endCell();
+  }
+  static createStateInit(clientCode, dataCell) {
+    return {
+      code: clientCode,
+      data: dataCell
+    };
+  }
+  /**
+   * Send a registration transaction to the client contract.
+   */
+  async register(sender, ownerAddress, nonce, amount = (0, import_ton4.toNano)("1"), init) {
+    const body = _CocoonClientContract.createRegisterBody(nonce, ownerAddress);
+    const message = {
+      to: this.address,
+      value: amount,
+      body
+    };
+    if (init) {
+      message.init = init;
+    }
+    await sender.send(message);
+  }
+  /**
+   * Top up the client contract balance.
+   */
+  async topUp(sender, ownerAddress, amount) {
+    const body = _CocoonClientContract.createTopUpBody(amount, ownerAddress);
+    await sender.send({
+      to: this.address,
+      value: amount + (0, import_ton4.toNano)("0.7"),
+      body
+    });
+  }
+  /**
+   * Change the secret hash for short auth.
+   */
+  async changeSecretHash(sender, ownerAddress, secretHash, amount = (0, import_ton4.toNano)("0.7")) {
+    const body = _CocoonClientContract.createChangeSecretHashBody(secretHash, ownerAddress);
+    await sender.send({
+      to: this.address,
+      value: amount,
+      body
+    });
+  }
+};
+
+// src/client.ts
+var import_node_crypto5 = __toESM(require("crypto"), 1);
+var import_ton5 = require("@ton/ton");
+var import_core = require("@ton/core");
+var Cocoon = class {
+  chat;
+  models;
+  mnemonicWallet;
+  discovery;
+  session = null;
+  connecting = null;
+  options;
+  constructor(options) {
+    if (options.tlsCert && !options.tlsKey || !options.tlsCert && options.tlsKey) {
+      throw new ConnectionError(
+        "Both tlsCert and tlsKey must be provided together for mTLS"
+      );
+    }
+    if (options.attestationProvider && (options.tlsCert || options.tlsKey)) {
+      throw new ConnectionError(
+        "Use either attestationProvider or tlsCert/tlsKey, not both"
+      );
+    }
+    this.options = {
+      network: "mainnet",
+      timeout: 12e4,
+      useTls: true,
+      autoRegisterOnLongAuth: true,
+      longAuthRegisterAmountTon: "1",
+      ...options
+    };
+    this.mnemonicWallet = new MnemonicWallet(options.wallet, this.options.network, {
+      tonEndpoint: this.options.tonEndpoint,
+      tonV4Endpoint: this.options.tonV4Endpoint
+    });
+    if (!options.proxyUrl) {
+      this.discovery = new ProxyDiscovery({ network: this.options.network });
+    } else {
+      this.discovery = null;
+    }
+    const getSession = () => this.ensureSession();
+    this.chat = { completions: new Completions(getSession) };
+    this.models = new Models(getSession);
+  }
+  /**
+   * Explicitly connect to a proxy. Called lazily on first API call if not called manually.
+   */
+  async connect() {
+    await this.ensureSession();
+  }
+  /**
+   * Disconnect from the proxy.
+   */
+  async disconnect() {
+    if (this.session) {
+      await this.session.disconnect();
+      this.session = null;
+    }
+    this.connecting = null;
+  }
+  async ensureSession() {
+    if (this.session?.connected) {
+      return this.session;
+    }
+    if (this.connecting) {
+      return this.connecting;
+    }
+    this.connecting = this.createSession();
+    try {
+      this.session = await this.connecting;
+      return this.session;
+    } finally {
+      this.connecting = null;
+    }
+  }
+  async createSession() {
+    await this.mnemonicWallet.init();
+    let host;
+    let port;
+    if (this.options.proxyUrl) {
+      const parts = this.options.proxyUrl.split(":");
+      host = parts.slice(0, -1).join(":");
+      port = parseInt(parts[parts.length - 1], 10);
+      if (!host || isNaN(port)) {
+        throw new ConnectionError(`Invalid proxyUrl: ${this.options.proxyUrl}`);
+      }
+    } else if (this.discovery) {
+      const proxy = await this.discovery.getRandomProxy();
+      const entries = proxy.address.trim().split(/\s+/);
+      const clientEntry = entries.length > 1 ? entries[1] : entries[0];
+      const lastColon = clientEntry.lastIndexOf(":");
+      host = clientEntry.substring(0, lastColon);
+      port = parseInt(clientEntry.substring(lastColon + 1), 10);
+      if (!host || isNaN(port)) {
+        throw new ConnectionError(`Invalid proxy address from discovery: ${proxy.address}`);
+      }
+    } else {
+      throw new ConnectionError("No proxy URL or discovery available");
+    }
+    let tlsCert = this.options.tlsCert;
+    let tlsKey = this.options.tlsKey;
+    if (this.options.attestationProvider) {
+      const context = {
+        host,
+        port,
+        network: this.options.network
+      };
+      const credentials = await this.options.attestationProvider.getClientTlsCredentials(context);
+      tlsCert = credentials.cert;
+      tlsKey = credentials.key;
+    }
+    if (tlsCert && !tlsKey || !tlsCert && tlsKey) {
+      throw new ConnectionError("Attestation provider returned incomplete TLS credentials");
+    }
+    const secretString = this.options.secretString ?? import_node_crypto5.default.randomBytes(32).toString("hex");
+    const onLongAuthRequired = this.options.autoRegisterOnLongAuth ? async (context) => {
+      try {
+        const sender = await this.mnemonicWallet.createSender();
+        const clientScAddress = import_ton5.Address.parse(context.clientScAddress);
+        const clientContract = new CocoonClientContract(clientScAddress);
+        const v4Client = this.mnemonicWallet.getTonClient4();
+        const last = await v4Client.getLastBlock();
+        const account = await v4Client.getAccount(last.last.seqno, clientScAddress);
+        let init;
+        if (account.account.state.type !== "active") {
+          const discovery = this.discovery ?? new ProxyDiscovery({
+            network: this.options.network,
+            tonApiEndpoint: this.options.tonEndpoint
+          });
+          const rootParams = await discovery.getRootParams();
+          const clientCode = rootParams.codes.clientScCode;
+          if (!clientCode) {
+            throw new Error(
+              "Root contract does not contain client_sc_code; cannot deploy client contract"
+            );
+          }
+          const clientParamsCell = buildClientParamsCell(rootParams.params);
+          const dataCell = CocoonClientContract.createDeployDataCell(
+            this.mnemonicWallet.address,
+            import_ton5.Address.parse(context.proxyParams.proxyScAddress),
+            context.proxyParams.proxyPublicKey,
+            rootParams.params.minClientStake,
+            clientParamsCell
+          );
+          init = CocoonClientContract.createStateInit(clientCode, dataCell);
+          const expectedAddress = (0, import_core.contractAddress)(0, init);
+          if (!expectedAddress.equals(clientScAddress)) {
+            throw new Error(
+              `Computed client_sc mismatch: expected ${context.clientScAddress}, got ${expectedAddress.toString({ bounceable: true, testOnly: this.options.network === "testnet" })}`
+            );
+          }
+        }
+        await clientContract.register(
+          sender,
+          this.mnemonicWallet.address,
+          context.nonce,
+          (0, import_ton5.toNano)(this.options.longAuthRegisterAmountTon),
+          init
+        );
+      } catch (err) {
+        throw new ConnectionError(
+          `Auto long-auth registration failed: ${err instanceof Error ? err.message : String(err)}. Configure tonEndpoint / wallet balance or provide a valid SECRET`,
+          err instanceof Error ? err : void 0
+        );
+      }
+    } : void 0;
+    const sessionOptions = {
+      host,
+      port,
+      useTls: this.options.useTls,
+      timeout: this.options.timeout,
+      ownerAddress: this.mnemonicWallet.addressString,
+      secretString,
+      tlsCert,
+      tlsKey,
+      onLongAuthRequired
+    };
+    const session = new CocoonSession(sessionOptions);
+    await session.connect();
+    session.on("close", () => {
+      if (this.session === session) {
+        this.session = null;
+      }
+    });
+    return session;
+  }
+};
+
+// src/core/protocol/attestation.ts
+var import_promises = require("fs/promises");
+var StaticAttestationProvider = class {
+  constructor(credentials) {
+    this.credentials = credentials;
+  }
+  async getClientTlsCredentials() {
+    return this.credentials;
+  }
+};
+var FileAttestationProvider = class {
+  constructor(certPath, keyPath) {
+    this.certPath = certPath;
+    this.keyPath = keyPath;
+  }
+  async getClientTlsCredentials() {
+    const [cert, key] = await Promise.all([
+      (0, import_promises.readFile)(this.certPath),
+      (0, import_promises.readFile)(this.keyPath)
+    ]);
+    return { cert, key };
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  APIError,
+  AuthenticationError,
+  Cocoon,
+  CocoonError,
+  ConnectionError,
+  FileAttestationProvider,
+  ProtocolError,
+  StaticAttestationProvider,
+  Stream,
+  TimeoutError
+});
+//# sourceMappingURL=index.cjs.map