gitspace 0.2.0-rc.1

package/src/web/src/lib/crypto/identity.ts

@@ -0,0 +1,128 @@
+/**
+ * Browser-compatible identity generation using noble-curves
+ */
+
+import { ed25519, x25519 } from "@noble/curves/ed25519.js";
+import type { Identity, StoredIdentity, SigningKeypair, KeyExchangeKeypair } from "../../types/identity";
+
+const IDENTITY_ID_LENGTH = 16;
+
+/**
+ * Generate a new Ed25519 signing keypair
+ */
+export function generateSigningKeypair(): SigningKeypair {
+  const privateKey = ed25519.utils.randomSecretKey();
+  const publicKey = ed25519.getPublicKey(privateKey);
+
+  // Ed25519 convention: secretKey = privateKey (32 bytes) + publicKey (32 bytes)
+  const secretKey = new Uint8Array(64);
+  secretKey.set(privateKey, 0);
+  secretKey.set(publicKey, 32);
+
+  return { publicKey, secretKey };
+}
+
+/**
+ * Generate a new X25519 key exchange keypair
+ */
+export function generateKeyExchangeKeypair(): KeyExchangeKeypair {
+  const privateKey = x25519.utils.randomSecretKey();
+  const publicKey = x25519.getPublicKey(privateKey);
+
+  return { publicKey, privateKey };
+}
+
+/**
+ * Derive identity ID from signing public key
+ */
+export function deriveIdentityId(signingPublicKey: Uint8Array): string {
+  // Use base64url encoding
+  const base64 = btoa(String.fromCharCode(...signingPublicKey))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=/g, "");
+  return base64.slice(0, IDENTITY_ID_LENGTH);
+}
+
+/**
+ * Generate a complete identity
+ */
+export function generateIdentity(label?: string): Identity {
+  const signing = generateSigningKeypair();
+  const keyExchange = generateKeyExchangeKeypair();
+  const id = deriveIdentityId(signing.publicKey);
+
+  return {
+    id,
+    signing,
+    keyExchange,
+    label,
+    createdAt: Date.now(),
+  };
+}
+
+/**
+ * Sign a message using Ed25519
+ */
+export function sign(message: Uint8Array, secretKey: Uint8Array): Uint8Array {
+  const privateKey = secretKey.slice(0, 32);
+  return ed25519.sign(message, privateKey);
+}
+
+/**
+ * Verify an Ed25519 signature
+ */
+export function verify(
+  message: Uint8Array,
+  signature: Uint8Array,
+  publicKey: Uint8Array
+): boolean {
+  try {
+    return ed25519.verify(signature, message, publicKey);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Export identity as a public key string for use with `gssh access add`
+ * Format: gssh-pub:SIGNING_KEY:KEYEXCHANGE_KEY (base64)
+ */
+export function exportPublicKey(identity: Identity): string {
+  const signingKey = btoa(String.fromCharCode(...identity.signing.publicKey));
+  const keyExchangeKey = btoa(String.fromCharCode(...identity.keyExchange.publicKey));
+  return `gssh-pub:${signingKey}:${keyExchangeKey}`;
+}
+
+/**
+ * Serialize identity for storage
+ */
+export function serializeIdentity(identity: Identity): StoredIdentity {
+  return {
+    id: identity.id,
+    signingPublicKey: btoa(String.fromCharCode(...identity.signing.publicKey)),
+    signingSecretKey: btoa(String.fromCharCode(...identity.signing.secretKey)),
+    keyExchangePublicKey: btoa(String.fromCharCode(...identity.keyExchange.publicKey)),
+    keyExchangePrivateKey: btoa(String.fromCharCode(...identity.keyExchange.privateKey)),
+    label: identity.label,
+    createdAt: identity.createdAt,
+  };
+}
+
+/**
+ * Deserialize identity from storage
+ */
+export function deserializeIdentity(stored: StoredIdentity): Identity {
+  const signingPublicKey = Uint8Array.from(atob(stored.signingPublicKey), c => c.charCodeAt(0));
+  const signingSecretKey = Uint8Array.from(atob(stored.signingSecretKey), c => c.charCodeAt(0));
+  const keyExchangePublicKey = Uint8Array.from(atob(stored.keyExchangePublicKey), c => c.charCodeAt(0));
+  const keyExchangePrivateKey = Uint8Array.from(atob(stored.keyExchangePrivateKey), c => c.charCodeAt(0));
+
+  return {
+    id: stored.id,
+    signing: { publicKey: signingPublicKey, secretKey: signingSecretKey },
+    keyExchange: { publicKey: keyExchangePublicKey, privateKey: keyExchangePrivateKey },
+    label: stored.label,
+    createdAt: stored.createdAt,
+  };
+}

package/src/web/src/lib/crypto/keyexchange.ts

@@ -0,0 +1,246 @@
+/**
+ * Browser-compatible X25519 key exchange and HKDF key derivation
+ */
+
+import { x25519 } from "@noble/curves/ed25519.js";
+import { hkdf } from "@noble/hashes/hkdf.js";
+import { sha256 } from "@noble/hashes/sha2.js";
+import type { KeyExchangeKeypair, SessionKeys } from "../../types/identity";
+
+// Constants
+export const X25519_KEY_LENGTH = 32;
+export const SESSION_KEY_LENGTH = 32;
+const HKDF_SALT_LENGTH = 32;
+
+const INFO_SEND = "spaces-v1-send";
+const INFO_RECEIVE = "spaces-v1-receive";
+const INFO_SESSION_ID = "spaces-v1-session-id";
+
+/**
+ * Generate random bytes using Web Crypto API
+ */
+export function randomBytes(length: number): Uint8Array {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return bytes;
+}
+
+/**
+ * Compute X25519 ECDH shared secret
+ */
+export function x25519SharedSecret(
+  ourPrivateKey: Uint8Array,
+  theirPublicKey: Uint8Array
+): Uint8Array {
+  if (ourPrivateKey.length !== X25519_KEY_LENGTH) {
+    throw new Error(`Invalid private key length: expected ${X25519_KEY_LENGTH}, got ${ourPrivateKey.length}`);
+  }
+  if (theirPublicKey.length !== X25519_KEY_LENGTH) {
+    throw new Error(`Invalid public key length: expected ${X25519_KEY_LENGTH}, got ${theirPublicKey.length}`);
+  }
+
+  try {
+    return x25519.getSharedSecret(ourPrivateKey, theirPublicKey);
+  } catch (error) {
+    throw new Error(`X25519 shared secret computation failed: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+
+/**
+ * Generate a random X25519 ephemeral keypair
+ */
+export function generateEphemeralKeypair(): KeyExchangeKeypair {
+  const privateKey = randomBytes(X25519_KEY_LENGTH);
+  const publicKey = x25519.getPublicKey(privateKey);
+  return { privateKey, publicKey };
+}
+
+/**
+ * All 8 known X25519 low-order points (little-endian representation)
+ *
+ * These points have small order (dividing 8) and can cause security issues:
+ * - DH with these points produces predictable outputs
+ * - Can enable small-subgroup attacks
+ *
+ * Security: All of these must be rejected as public keys
+ */
+const LOW_ORDER_POINTS: Uint8Array[] = [
+  // 0 - the identity point
+  new Uint8Array(32).fill(0),
+
+  // 1 - point (1, *)
+  new Uint8Array([1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
+
+  // 0xecffffff...7f = p - 1 (2^255 - 19 - 1)
+  new Uint8Array([0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]),
+
+  // Point with high bit set: 0x0000...80
+  new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x80]),
+
+  // 1 with high bit set: 0x0100...80
+  new Uint8Array([1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x80]),
+
+  // p - 1 with high bit set
+  new Uint8Array([0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff]),
+
+  // Additional dangerous point: 325606250916557431795983626356110631294008115727848805560023387167927233504
+  new Uint8Array([0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0xeb, 0x80, 0xf9, 0x3f, 0x81]),
+
+  // 5f9c95bca3508c24b1d0b15b72633f78f59b2ab008637a1405f5bf5c20c9b010
+  new Uint8Array([0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x5b, 0x72, 0x63, 0x3f, 0x78, 0xf5, 0x9b, 0x2a, 0xb0, 0x08, 0x63, 0x7a, 0x14, 0x05, 0xf5, 0xbf, 0x5c, 0x20, 0xc9, 0xb0, 0x10]),
+];
+
+/**
+ * Compare two Uint8Arrays in constant time
+ * Security: Prevents timing attacks when comparing keys
+ */
+function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a[i] ^ b[i];
+  }
+  return result === 0;
+}
+
+/**
+ * Check if a public key is a known low-order point
+ * Security: Returns true if the key is dangerous and should be rejected
+ */
+function isLowOrderPoint(publicKey: Uint8Array): boolean {
+  for (const lowOrderPoint of LOW_ORDER_POINTS) {
+    if (constantTimeEqual(publicKey, lowOrderPoint)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Validate an X25519 public key
+ *
+ * Security checks:
+ * - Correct length (32 bytes)
+ * - Not any of the 8 known low-order points (prevents small-subgroup attacks)
+ * - Valid for scalar multiplication (library check)
+ */
+export function validateX25519PublicKey(publicKey: Uint8Array): boolean {
+  if (publicKey.length !== X25519_KEY_LENGTH) {
+    return false;
+  }
+
+  // Check not a low-order point (includes all zeros, 1, p-1, and other dangerous points)
+  if (isLowOrderPoint(publicKey)) {
+    return false;
+  }
+
+  // Try to use it in scalar multiplication
+  try {
+    const testPrivate = new Uint8Array(32);
+    testPrivate[0] = 9;
+    const result = x25519.getSharedSecret(testPrivate, publicKey);
+
+    // Security: Check result is not all zeros (indicates small-order point)
+    const isAllZeros = result.every((byte: number) => byte === 0);
+    if (isAllZeros) {
+      return false;
+    }
+
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Base64url encode
+ */
+function toBase64Url(bytes: Uint8Array): string {
+  return btoa(String.fromCharCode(...bytes))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=/g, "");
+}
+
+/**
+ * Derive session keys from a single shared secret using HKDF-SHA256
+ */
+export function deriveSessionKeys(
+  sharedSecret: Uint8Array,
+  salt?: Uint8Array,
+  isInitiator: boolean = true
+): SessionKeys {
+  if (sharedSecret.length !== X25519_KEY_LENGTH) {
+    throw new Error(`Invalid shared secret length: expected ${X25519_KEY_LENGTH}, got ${sharedSecret.length}`);
+  }
+
+  const actualSalt = salt ?? randomBytes(HKDF_SALT_LENGTH);
+
+  if (actualSalt.length === 0) {
+    throw new Error("Salt cannot be empty");
+  }
+
+  // Derive send key
+  const sendKeyInfo = new TextEncoder().encode(INFO_SEND);
+  const sendKey = hkdf(sha256, sharedSecret, actualSalt, sendKeyInfo, SESSION_KEY_LENGTH);
+
+  // Derive receive key
+  const receiveKeyInfo = new TextEncoder().encode(INFO_RECEIVE);
+  const receiveKey = hkdf(sha256, sharedSecret, actualSalt, receiveKeyInfo, SESSION_KEY_LENGTH);
+
+  // Derive session ID
+  const sessionIdInfo = new TextEncoder().encode(INFO_SESSION_ID);
+  const sessionIdBytes = hkdf(sha256, sharedSecret, actualSalt, sessionIdInfo, 16);
+  const sessionId = toBase64Url(sessionIdBytes);
+
+  if (!isInitiator) {
+    return { sendKey: receiveKey, receiveKey: sendKey, sessionId };
+  }
+
+  return { sendKey, receiveKey, sessionId };
+}
+
+/**
+ * Derive session keys from multiple shared secrets (X3DH protocol)
+ */
+export function deriveSessionKeysFromMultiple(
+  sharedSecrets: Uint8Array[],
+  salt?: Uint8Array,
+  isInitiator: boolean = true
+): SessionKeys {
+  if (sharedSecrets.length === 0) {
+    throw new Error("At least one shared secret is required");
+  }
+
+  for (let i = 0; i < sharedSecrets.length; i++) {
+    if (sharedSecrets[i].length !== X25519_KEY_LENGTH) {
+      throw new Error(`Invalid shared secret at index ${i}: expected ${X25519_KEY_LENGTH} bytes, got ${sharedSecrets[i].length}`);
+    }
+  }
+
+  const actualSalt = salt ?? randomBytes(HKDF_SALT_LENGTH);
+
+  if (actualSalt.length === 0) {
+    throw new Error("Salt cannot be empty");
+  }
+
+  // Concatenate all shared secrets
+  const totalLength = sharedSecrets.length * X25519_KEY_LENGTH;
+  const concatenated = new Uint8Array(totalLength);
+  for (let i = 0; i < sharedSecrets.length; i++) {
+    concatenated.set(sharedSecrets[i], i * X25519_KEY_LENGTH);
+  }
+
+  // Derive master secret
+  const masterInfo = new TextEncoder().encode("spaces-v1-master");
+  const masterSecret = hkdf(sha256, concatenated, actualSalt, masterInfo, X25519_KEY_LENGTH);
+
+  return deriveSessionKeys(masterSecret, actualSalt, isInitiator);
+}
+
+/**
+ * Generate a random salt for session key derivation
+ */
+export function generateSessionSalt(): Uint8Array {
+  return randomBytes(HKDF_SALT_LENGTH);
+}

package/src/web/src/lib/crypto/relay-signing.ts

@@ -0,0 +1,53 @@
+/**
+ * Relay message signing utilities (browser)
+ */
+
+import type { Identity } from "../../types/identity";
+import { sign } from "./identity";
+
+export interface SignatureBlock {
+  sig: string;
+  pub: string;
+  ts: number;
+}
+
+function canonicalize(obj: object): string {
+  return JSON.stringify(obj, (key, value) => {
+    if (key === "signature") return undefined;
+    if (value && typeof value === "object" && !Array.isArray(value)) {
+      const sorted: Record<string, unknown> = {};
+      for (const k of Object.keys(value).sort()) {
+        sorted[k] = (value as Record<string, unknown>)[k];
+      }
+      return sorted;
+    }
+    return value;
+  });
+}
+
+function toBase64(bytes: Uint8Array): string {
+  let binary = "";
+  for (const b of bytes) {
+    binary += String.fromCharCode(b);
+  }
+  return btoa(binary);
+}
+
+export function signRelayMessage<T extends object>(
+  message: T,
+  identity: Identity
+): T & { signature: SignatureBlock } {
+  const ts = Date.now();
+  const msgWithTs = { ...message, signature: { ts } };
+  const canonical = canonicalize(msgWithTs);
+  const messageBytes = new TextEncoder().encode(canonical);
+  const signatureBytes = sign(messageBytes, identity.signing.secretKey);
+
+  const signature: SignatureBlock = {
+    sig: toBase64(signatureBytes),
+    pub: toBase64(identity.signing.publicKey),
+    ts,
+  };
+
+  return { ...message, signature };
+}

package/src/web/src/lib/invite.ts

@@ -0,0 +1,58 @@
+/**
+ * Invite token parsing
+ */
+
+export interface ParsedInvite {
+  inviteToken: string;  // Full invite token for X3DH authorization
+  machineId: string;
+  inviteId: string;     // Short hash for relay lookup
+  relayUrl?: string;
+}
+
+/**
+ * Parse invite from URL hash
+ * Format: #invite=base64url(JSON)
+ */
+export async function parseInviteFromHash(hash: string): Promise<ParsedInvite | null> {
+  try {
+    const prefix = "#invite=";
+    if (!hash.startsWith(prefix)) return null;
+
+    const encoded = hash.slice(prefix.length);
+
+    // Decode base64url
+    const base64 = encoded.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = "=".repeat((4 - (base64.length % 4)) % 4);
+    const decoded = atob(base64 + padding);
+
+    const invite = JSON.parse(decoded);
+
+    // Generate invite ID from token (first 16 chars of hash)
+    const inviteId = await generateInviteId(encoded);
+
+    return {
+      inviteToken: encoded,  // Full token for X3DH auth
+      machineId: invite.machineId,
+      inviteId,              // Short hash for relay lookup
+      relayUrl: invite.relayUrl,
+    };
+  } catch (e) {
+    console.error("Failed to parse invite:", e);
+    return null;
+  }
+}
+
+/**
+ * Generate invite ID from token (simple hash)
+ */
+async function generateInviteId(token: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(token);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  const hashBase64 = btoa(String.fromCharCode(...hashArray))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=/g, "");
+  return hashBase64.slice(0, 16);
+}

package/src/web/src/lib/storage/identity-store.ts

@@ -0,0 +1,94 @@
+/**
+ * IndexedDB storage for client identity
+ */
+
+import type { Identity, StoredIdentity } from "../../types/identity";
+import { generateIdentity, serializeIdentity, deserializeIdentity } from "../crypto/identity";
+
+const DB_NAME = "spaces-terminal";
+const STORE_NAME = "identity";
+const IDENTITY_KEY = "client-identity";
+
+/**
+ * Open IndexedDB database
+ */
+function openDB(): Promise<IDBDatabase> {
+  return new Promise((resolve, reject) => {
+    const request = indexedDB.open(DB_NAME, 1);
+
+    request.onerror = () => reject(request.error);
+    request.onsuccess = () => resolve(request.result);
+
+    request.onupgradeneeded = () => {
+      const db = request.result;
+      if (!db.objectStoreNames.contains(STORE_NAME)) {
+        db.createObjectStore(STORE_NAME);
+      }
+    };
+  });
+}
+
+/**
+ * Get stored identity from IndexedDB
+ */
+async function getStoredIdentity(): Promise<StoredIdentity | null> {
+  const db = await openDB();
+
+  return new Promise((resolve, reject) => {
+    const tx = db.transaction(STORE_NAME, "readonly");
+    const store = tx.objectStore(STORE_NAME);
+    const request = store.get(IDENTITY_KEY);
+
+    request.onerror = () => reject(request.error);
+    request.onsuccess = () => resolve(request.result || null);
+  });
+}
+
+/**
+ * Store identity in IndexedDB
+ */
+async function storeIdentity(identity: StoredIdentity): Promise<void> {
+  const db = await openDB();
+
+  return new Promise((resolve, reject) => {
+    const tx = db.transaction(STORE_NAME, "readwrite");
+    const store = tx.objectStore(STORE_NAME);
+    const request = store.put(identity, IDENTITY_KEY);
+
+    request.onerror = () => reject(request.error);
+    request.onsuccess = () => resolve();
+  });
+}
+
+/**
+ * Get or create client identity
+ */
+export async function getOrCreateIdentity(): Promise<Identity> {
+  const stored = await getStoredIdentity();
+
+  if (stored) {
+    return deserializeIdentity(stored);
+  }
+
+  // Generate new identity
+  const identity = generateIdentity("Browser Client");
+  await storeIdentity(serializeIdentity(identity));
+
+  return identity;
+}
+
+/**
+ * Clear stored identity (for logout)
+ */
+export async function clearIdentity(): Promise<void> {
+  const db = await openDB();
+
+  return new Promise((resolve, reject) => {
+    const tx = db.transaction(STORE_NAME, "readwrite");
+    const store = tx.objectStore(STORE_NAME);
+    const request = store.delete(IDENTITY_KEY);
+
+    request.onerror = () => reject(request.error);
+    request.onsuccess = () => resolve();
+  });
+}

package/src/web/src/main.tsx

@@ -0,0 +1,10 @@
+import { StrictMode } from "react";
+import { createRoot } from "react-dom/client";
+import "./index.css";
+import App from "./App";
+
+createRoot(document.getElementById("root")!).render(
+  <StrictMode>
+    <App />
+  </StrictMode>
+);

package/src/web/src/types/identity.ts

@@ -0,0 +1,45 @@
+/** Ed25519 signing keypair */
+export interface SigningKeypair {
+  publicKey: Uint8Array;
+  secretKey: Uint8Array;
+}
+
+/** X25519 key exchange keypair */
+export interface KeyExchangeKeypair {
+  publicKey: Uint8Array;
+  privateKey: Uint8Array;
+}
+
+/** Complete identity */
+export interface Identity {
+  id: string;
+  signing: SigningKeypair;
+  keyExchange: KeyExchangeKeypair;
+  label?: string;
+  createdAt: number;
+}
+
+/** Serializable identity for IndexedDB storage */
+export interface StoredIdentity {
+  id: string;
+  signingPublicKey: string;
+  signingSecretKey: string;
+  keyExchangePublicKey: string;
+  keyExchangePrivateKey: string;
+  label?: string;
+  createdAt: number;
+}
+
+/** Session keys derived from handshake */
+export interface SessionKeys {
+  sendKey: Uint8Array;
+  receiveKey: Uint8Array;
+  sessionId: string;
+}
+
+/** Permissions */
+export interface AccessPermissions {
+  read: boolean;
+  write: boolean;
+  manage: boolean;
+}

package/src/web/tsconfig.app.json

@@ -0,0 +1,28 @@
+{
+  "compilerOptions": {
+    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
+    "target": "ES2022",
+    "useDefineForClassFields": true,
+    "lib": ["ES2022", "DOM", "DOM.Iterable"],
+    "module": "ESNext",
+    "types": ["vite/client", "node"],
+    "skipLibCheck": true,
+
+    /* Bundler mode */
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "moduleDetection": "force",
+    "noEmit": true,
+    "jsx": "react-jsx",
+
+    /* Linting */
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "erasableSyntaxOnly": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedSideEffectImports": true
+  },
+  "include": ["src"]
+}

package/src/web/tsconfig.json

@@ -0,0 +1,7 @@
+{
+  "files": [],
+  "references": [
+    { "path": "./tsconfig.app.json" },
+    { "path": "./tsconfig.node.json" }
+  ]
+}

package/src/web/tsconfig.node.json

@@ -0,0 +1,26 @@
+{
+  "compilerOptions": {
+    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.node.tsbuildinfo",
+    "target": "ES2023",
+    "lib": ["ES2023"],
+    "module": "ESNext",
+    "types": ["node"],
+    "skipLibCheck": true,
+
+    /* Bundler mode */
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "moduleDetection": "force",
+    "noEmit": true,
+
+    /* Linting */
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "erasableSyntaxOnly": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedSideEffectImports": true
+  },
+  "include": ["vite.config.ts"]
+}