kraki-relay 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Kraki Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/auth.d.ts

@@ -0,0 +1,104 @@
+export interface AuthUser {
+    id: string;
+    login: string;
+    provider: string;
+    email?: string;
+}
+export interface AuthSuccess {
+    ok: true;
+    user: AuthUser;
+}
+export interface AuthFailure {
+    ok: false;
+    message: string;
+}
+export type AuthOutcome = AuthSuccess | AuthFailure;
+/**
+ * Abstract auth provider. Extend this to support different auth methods.
+ * The head calls `authenticate()` with whatever credentials the device sends.
+ */
+export interface AuthProvider {
+    /** Unique provider name (e.g., 'github', 'open', 'apikey') */
+    readonly name: string;
+    /** Validate credentials and return user info */
+    authenticate(credentials: AuthCredentials): Promise<AuthOutcome>;
+}
+/** Credentials a device can send */
+export interface AuthCredentials {
+    token?: string;
+    channelKey?: string;
+    /** GitHub OAuth authorization code (exchanged for access token) */
+    githubCode?: string;
+    /** IP address of the connecting device (set by the server, not the client) */
+    ip?: string;
+}
+/**
+ * GitHub OAuth token provider.
+ * Validates token against api.github.com/user.
+ * Optionally exchanges an OAuth authorization code for an access token.
+ */
+export declare class GitHubAuthProvider implements AuthProvider {
+    readonly name = "github";
+    private fetcher;
+    private clientId?;
+    private clientSecret?;
+    constructor(opts?: {
+        fetcher?: typeof fetch;
+        clientId?: string;
+        clientSecret?: string;
+    });
+    /** Whether OAuth code exchange is configured */
+    get oauthConfigured(): boolean;
+    /** Get the configured OAuth client ID (for auth_info_response) */
+    getClientId(): string | undefined;
+    /**
+     * Exchange a GitHub OAuth authorization code for an access token.
+     * Requires clientId and clientSecret to be configured.
+     */
+    exchangeCode(code: string): Promise<{
+        ok: true;
+        token: string;
+    } | {
+        ok: false;
+        message: string;
+    }>;
+    authenticate(credentials: AuthCredentials): Promise<AuthOutcome>;
+}
+/**
+ * Open provider for self-hosted mode. No validation — all connections accepted.
+ * Optionally accepts a shared key so tentacles, head, and apps can use the same
+ * secret to form a trusted group without full OAuth.
+ *
+ * TODO: Support multi-user on self-hosted without OAuth (e.g., local user registry)
+ */
+export declare class OpenAuthProvider implements AuthProvider {
+    readonly name = "open";
+    private sharedKey?;
+    constructor(sharedKey?: string);
+    authenticate(credentials: AuthCredentials): Promise<AuthOutcome>;
+}
+/**
+ * Static API key provider for self-hosted relays that want basic protection.
+ * Set a key in env/config, devices must send matching key.
+ */
+export declare class ApiKeyAuthProvider implements AuthProvider {
+    readonly name = "apikey";
+    private validKey;
+    constructor(validKey: string);
+    authenticate(credentials: AuthCredentials): Promise<AuthOutcome>;
+}
+/**
+ * Simple per-IP throttle for auth attempts.
+ * Wraps any AuthProvider and rejects after maxAttempts failures within windowMs.
+ */
+export declare class ThrottledAuthProvider implements AuthProvider {
+    get name(): string;
+    private inner;
+    private maxAttempts;
+    private windowMs;
+    private failures;
+    constructor(inner: AuthProvider, maxAttempts?: number, windowMs?: number);
+    authenticate(credentials: AuthCredentials): Promise<AuthOutcome>;
+    /** Remove stale entries to prevent memory growth on long-running servers. */
+    cleanup(): void;
+}

package/dist/auth.js

@@ -0,0 +1,213 @@
+// ------------------------------------------------------------
+// Auth abstraction — extensible for multiple providers
+// ------------------------------------------------------------
+import { timingSafeEqual } from 'crypto';
+import { getLogger } from './logger.js';
+/** Timing-safe string comparison to prevent timing attacks on secrets */
+function safeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+// --- Built-in providers ---
+/**
+ * GitHub OAuth token provider.
+ * Validates token against api.github.com/user.
+ * Optionally exchanges an OAuth authorization code for an access token.
+ */
+export class GitHubAuthProvider {
+    name = 'github';
+    fetcher;
+    clientId;
+    clientSecret;
+    constructor(opts) {
+        this.fetcher = opts?.fetcher ?? globalThis.fetch;
+        this.clientId = opts?.clientId;
+        this.clientSecret = opts?.clientSecret;
+    }
+    /** Whether OAuth code exchange is configured */
+    get oauthConfigured() {
+        return !!(this.clientId && this.clientSecret);
+    }
+    /** Get the configured OAuth client ID (for auth_info_response) */
+    getClientId() {
+        return this.clientId;
+    }
+    /**
+     * Exchange a GitHub OAuth authorization code for an access token.
+     * Requires clientId and clientSecret to be configured.
+     */
+    async exchangeCode(code) {
+        if (!this.clientId || !this.clientSecret) {
+            return { ok: false, message: 'GitHub OAuth not configured (missing client_id/client_secret)' };
+        }
+        try {
+            const res = await this.fetcher('https://github.com/login/oauth/access_token', {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    Accept: 'application/json',
+                },
+                body: JSON.stringify({
+                    client_id: this.clientId,
+                    client_secret: this.clientSecret,
+                    code,
+                }),
+            });
+            if (!res.ok) {
+                return { ok: false, message: `GitHub OAuth token exchange returned ${res.status}` };
+            }
+            const data = await res.json();
+            if (data.error) {
+                return { ok: false, message: `GitHub OAuth error: ${data.error_description || data.error}` };
+            }
+            if (typeof data.access_token !== 'string') {
+                return { ok: false, message: 'GitHub OAuth response missing access_token' };
+            }
+            return { ok: true, token: data.access_token };
+        }
+        catch (err) {
+            return { ok: false, message: `GitHub OAuth exchange failed: ${err.message}` };
+        }
+    }
+    async authenticate(credentials) {
+        let token = credentials.token;
+        // If a GitHub OAuth code is provided, exchange it for an access token first
+        if (!token && credentials.githubCode) {
+            const exchange = await this.exchangeCode(credentials.githubCode);
+            if (!exchange.ok) {
+                return { ok: false, message: exchange.message };
+            }
+            token = exchange.token;
+        }
+        if (!token) {
+            return { ok: false, message: 'Token required for GitHub auth' };
+        }
+        try {
+            const res = await this.fetcher('https://api.github.com/user', {
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                    Accept: 'application/vnd.github+json',
+                    'User-Agent': 'kraki-head',
+                },
+            });
+            if (!res.ok) {
+                getLogger().warn('GitHub auth failed', { status: res.status, ip: credentials.ip });
+                return { ok: false, message: `GitHub API returned ${res.status}` };
+            }
+            const data = await res.json();
+            if (!data.id || !data.login) {
+                return { ok: false, message: 'Unexpected GitHub API response' };
+            }
+            return {
+                ok: true,
+                user: { id: String(data.id), login: String(data.login), provider: 'github', email: typeof data.email === 'string' ? data.email : undefined },
+            };
+        }
+        catch (err) {
+            return { ok: false, message: `GitHub API request failed: ${err.message}` };
+        }
+    }
+}
+/**
+ * Open provider for self-hosted mode. No validation — all connections accepted.
+ * Optionally accepts a shared key so tentacles, head, and apps can use the same
+ * secret to form a trusted group without full OAuth.
+ *
+ * TODO: Support multi-user on self-hosted without OAuth (e.g., local user registry)
+ */
+export class OpenAuthProvider {
+    name = 'open';
+    sharedKey;
+    constructor(sharedKey) {
+        this.sharedKey = sharedKey;
+    }
+    async authenticate(credentials) {
+        if (this.sharedKey) {
+            if (!credentials.token || !safeEqual(credentials.token, this.sharedKey)) {
+                getLogger().warn('Open auth failed: invalid shared key', { ip: credentials.ip });
+                return { ok: false, message: 'Invalid shared key' };
+            }
+        }
+        return {
+            ok: true,
+            user: { id: 'local', login: 'local', provider: 'open' },
+        };
+    }
+}
+/**
+ * Static API key provider for self-hosted relays that want basic protection.
+ * Set a key in env/config, devices must send matching key.
+ */
+export class ApiKeyAuthProvider {
+    name = 'apikey';
+    validKey;
+    constructor(validKey) {
+        this.validKey = validKey;
+    }
+    async authenticate(credentials) {
+        if (!credentials.token || !safeEqual(credentials.token, this.validKey)) {
+            getLogger().warn('API key auth failed', { ip: credentials.ip });
+            return { ok: false, message: 'Invalid API key' };
+        }
+        return {
+            ok: true,
+            user: { id: 'apikey-user', login: 'apikey-user', provider: 'apikey' },
+        };
+    }
+}
+// --- Auth throttle ---
+/**
+ * Simple per-IP throttle for auth attempts.
+ * Wraps any AuthProvider and rejects after maxAttempts failures within windowMs.
+ */
+export class ThrottledAuthProvider {
+    get name() { return this.inner.name; }
+    inner;
+    maxAttempts;
+    windowMs;
+    failures = new Map();
+    constructor(inner, maxAttempts = 5, windowMs = 60_000) {
+        this.inner = inner;
+        this.maxAttempts = maxAttempts;
+        this.windowMs = windowMs;
+    }
+    async authenticate(credentials) {
+        const ip = credentials.ip ?? 'unknown';
+        const now = Date.now();
+        const record = this.failures.get(ip);
+        if (record) {
+            if (now - record.firstAt > this.windowMs) {
+                this.failures.delete(ip);
+            }
+            else if (record.count >= this.maxAttempts) {
+                getLogger().warn('Auth throttled', { ip, attempts: record.count });
+                return { ok: false, message: 'Too many auth attempts. Try again later.' };
+            }
+        }
+        const result = await this.inner.authenticate(credentials);
+        if (!result.ok) {
+            const existing = this.failures.get(ip);
+            if (existing) {
+                existing.count++;
+            }
+            else {
+                this.failures.set(ip, { count: 1, firstAt: now });
+            }
+        }
+        else {
+            this.failures.delete(ip);
+        }
+        return result;
+    }
+    /** Remove stale entries to prevent memory growth on long-running servers. */
+    cleanup() {
+        const now = Date.now();
+        for (const [ip, record] of this.failures) {
+            if (now - record.firstAt > this.windowMs) {
+                this.failures.delete(ip);
+            }
+        }
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,uDAAuD;AACvD,+DAA+D;AAE/D,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,yEAAyE;AACzE,SAAS,SAAS,CAAC,CAAS,EAAE,CAAS;IACrC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AACzD,CAAC;AA0CD,6BAA6B;AAE7B;;;;GAIG;AACH,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,QAAQ,CAAC;IACjB,OAAO,CAAe;IACtB,QAAQ,CAAU;IAClB,YAAY,CAAU;IAE9B,YAAY,IAA2E;QACrF,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC;QACjD,IAAI,CAAC,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAC/B,IAAI,CAAC,YAAY,GAAG,IAAI,EAAE,YAAY,CAAC;IACzC,CAAC;IAED,gDAAgD;IAChD,IAAI,eAAe;QACjB,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC;IAChD,CAAC;IAED,kEAAkE;IAClE,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,IAAY;QAC7B,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,+DAA+D,EAAE,CAAC;QACjG,CAAC;QAED,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,6CAA6C,EAAE;gBAC5E,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,MAAM,EAAE,kBAAkB;iBAC3B;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,IAAI,CAAC,QAAQ;oBACxB,aAAa,EAAE,IAAI,CAAC,YAAY;oBAChC,IAAI;iBACL,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,wCAAwC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;YACtF,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAC;YACzD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACf,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,uBAAuB,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;YAC/F,CAAC;YACD,IAAI,OAAO,IAAI,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;gBAC1C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,4CAA4C,EAAE,CAAC;YAC9E,CAAC;YAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,iCAAkC,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QAC3F,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,WAA4B;QAC7C,IAAI,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC;QAE9B,4EAA4E;QAC5E,IAAI,CAAC,KAAK,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;YACrC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;YACjE,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,CAAC;YAClD,CAAC;YACD,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QACzB,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC;QAClE,CAAC;QAED,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,6BAA6B,EAAE;gBAC5D,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,KAAK,EAAE;oBAChC,MAAM,EAAE,6BAA6B;oBACrC,YAAY,EAAE,YAAY;iBAC3B;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,SAAS,EAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC;gBACnF,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,uBAAuB,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;YACrE,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAC;YACzD,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC5B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC;YAClE,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,EAAE;aAC7I,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,8BAA+B,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QACxF,CAAC;IACH,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,MAAM,CAAC;IACf,SAAS,CAAU;IAE3B,YAAY,SAAkB;QAC5B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,WAA4B;QAC7C,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBACxE,SAAS,EAAE,CAAC,IAAI,CAAC,sCAAsC,EAAE,EAAE,EAAE,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC;gBACjF,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,CAAC;YACtD,CAAC;QACH,CAAC;QACD,OAAO;YACL,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE;SACxD,CAAC;IACJ,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,QAAQ,CAAC;IACjB,QAAQ,CAAS;IAEzB,YAAY,QAAgB;QAC1B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,WAA4B;QAC7C,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvE,SAAS,EAAE,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,EAAE,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC;YAChE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;QACnD,CAAC;QACD,OAAO;YACL,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE;SACtE,CAAC;IACJ,CAAC;CACF;AAED,wBAAwB;AAExB;;;GAGG;AACH,MAAM,OAAO,qBAAqB;IAChC,IAAI,IAAI,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9B,KAAK,CAAe;IACpB,WAAW,CAAS;IACpB,QAAQ,CAAS;IACjB,QAAQ,GAAG,IAAI,GAAG,EAA8C,CAAC;IAEzE,YAAY,KAAmB,EAAE,WAAW,GAAG,CAAC,EAAE,QAAQ,GAAG,MAAM;QACjE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,WAA4B;QAC7C,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,IAAI,SAAS,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAErC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,GAAG,GAAG,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACzC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC3B,CAAC;iBAAM,IAAI,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC5C,SAAS,EAAE,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;gBACnE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAE1D,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACvC,IAAI,QAAQ,EAAE,CAAC;gBACb,QAAQ,CAAC,KAAK,EAAE,CAAC;YACnB,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC3B,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,6EAA6E;IAC7E,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzC,IAAI,GAAG,GAAG,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACzC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/channel-manager.d.ts

@@ -0,0 +1,92 @@
+import type { DeviceSummary, SessionSummary, DeviceRole, DeviceKind, DeviceCapabilities } from '@kraki/protocol';
+import type { AuthUser } from './auth.js';
+import { Storage } from './storage.js';
+export interface ConnectedDevice {
+    deviceId: string;
+    channelId: string;
+    name: string;
+    role: DeviceRole;
+    kind?: DeviceKind;
+    publicKey?: string;
+    encryptionKey?: string;
+    capabilities?: DeviceCapabilities;
+    send: (data: string) => void;
+}
+export interface RegisterDeviceInput {
+    channelId: string;
+    name: string;
+    role: DeviceRole;
+    send: (data: string) => void;
+    kind?: DeviceKind;
+    publicKey?: string;
+    encryptionKey?: string;
+    capabilities?: DeviceCapabilities;
+    /** Client-provided stable device ID for reconnection. If omitted, a new one is generated. */
+    clientDeviceId?: string;
+}
+export interface SessionMeta {
+    agent: string;
+    model?: string;
+}
+export declare class ChannelManager {
+    private storage;
+    /** In-memory map of connected devices by deviceId */
+    private connections;
+    /** Session tracking: sessionId → SessionRecord */
+    private sessions;
+    /** Reverse index: deviceId → Set of sessionIds (for fast cleanup) */
+    private deviceSessions;
+    /** Per-channel seq counter */
+    private seqCounters;
+    constructor(storage: Storage);
+    /**
+     * Get or create a channel for a user. Returns the channel ID.
+     */
+    getOrCreateChannel(user: AuthUser): string;
+    /**
+     * Register a device connection. Returns the assigned deviceId.
+     * If clientDeviceId is provided and matches an existing device, reuses it (no ghost).
+     */
+    registerDevice(input: RegisterDeviceInput): string;
+    /**
+     * Remove a device connection (on disconnect).
+     */
+    disconnectDevice(deviceId: string): ConnectedDevice | undefined;
+    /**
+     * Register that a tentacle owns a session, with metadata.
+     */
+    registerSession(sessionId: string, deviceId: string, meta: SessionMeta): void;
+    /**
+     * Get the tentacle deviceId that owns a session.
+     * Checks in-memory first, then falls back to persistent storage.
+     */
+    getSessionOwner(sessionId: string): string | undefined;
+    /**
+     * Get the next seq number for a channel (monotonically increasing).
+     */
+    nextSeq(channelId: string): number;
+    /**
+     * Get all connected devices on a channel.
+     */
+    getConnectedDevices(channelId: string): ConnectedDevice[];
+    /**
+     * Get connected devices filtered by role.
+     */
+    getConnectedByRole(channelId: string, role: DeviceRole): ConnectedDevice[];
+    /**
+     * Get device summaries for a channel (includes offline devices from storage).
+     */
+    getDeviceSummaries(channelId: string): DeviceSummary[];
+    /**
+     * Get session summaries for a channel.
+     */
+    getSessionSummaries(channelId: string): SessionSummary[];
+    /**
+     * Get a specific connected device.
+     */
+    getConnection(deviceId: string): ConnectedDevice | undefined;
+    /**
+     * Get the underlying storage instance.
+     */
+    getStorage(): Storage;
+}

package/dist/channel-manager.js

@@ -0,0 +1,197 @@
+import { v4 as uuid } from 'uuid';
+export class ChannelManager {
+    storage;
+    /** In-memory map of connected devices by deviceId */
+    connections = new Map();
+    /** Session tracking: sessionId → SessionRecord */
+    sessions = new Map();
+    /** Reverse index: deviceId → Set of sessionIds (for fast cleanup) */
+    deviceSessions = new Map();
+    /** Per-channel seq counter */
+    seqCounters = new Map();
+    constructor(storage) {
+        this.storage = storage;
+    }
+    /**
+     * Get or create a channel for a user. Returns the channel ID.
+     */
+    getOrCreateChannel(user) {
+        this.storage.upsertUser(user.id, user.login, user.provider, user.email);
+        const existing = this.storage.getChannelByOwner(user.id);
+        if (existing)
+            return existing.id;
+        const channelId = `ch_${uuid().slice(0, 12)}`;
+        this.storage.createChannel(channelId, user.id);
+        return channelId;
+    }
+    /**
+     * Register a device connection. Returns the assigned deviceId.
+     * If clientDeviceId is provided and matches an existing device, reuses it (no ghost).
+     */
+    registerDevice(input) {
+        const deviceId = input.clientDeviceId ?? `dev_${uuid().slice(0, 12)}`;
+        this.storage.upsertDevice(deviceId, input.channelId, input.name, input.role, input.kind, input.publicKey, input.encryptionKey);
+        this.connections.set(deviceId, {
+            deviceId,
+            channelId: input.channelId,
+            name: input.name,
+            role: input.role,
+            kind: input.kind,
+            publicKey: input.publicKey,
+            encryptionKey: input.encryptionKey,
+            capabilities: input.capabilities,
+            send: input.send,
+        });
+        return deviceId;
+    }
+    /**
+     * Remove a device connection (on disconnect).
+     */
+    disconnectDevice(deviceId) {
+        const device = this.connections.get(deviceId);
+        if (device) {
+            this.connections.delete(deviceId);
+            this.deviceSessions.delete(deviceId);
+        }
+        return device;
+    }
+    /**
+     * Register that a tentacle owns a session, with metadata.
+     */
+    registerSession(sessionId, deviceId, meta) {
+        this.sessions.set(sessionId, { deviceId, meta });
+        if (!this.deviceSessions.has(deviceId)) {
+            this.deviceSessions.set(deviceId, new Set());
+        }
+        this.deviceSessions.get(deviceId).add(sessionId);
+        // Persist to storage for durability across restarts
+        const device = this.connections.get(deviceId);
+        const channelId = device?.channelId ?? this.storage.getDevice(deviceId)?.channelId;
+        if (channelId) {
+            this.storage.upsertSession(sessionId, channelId, deviceId, meta.agent, meta.model);
+        }
+    }
+    /**
+     * Get the tentacle deviceId that owns a session.
+     * Checks in-memory first, then falls back to persistent storage.
+     */
+    getSessionOwner(sessionId) {
+        const inMemory = this.sessions.get(sessionId);
+        if (inMemory)
+            return inMemory.deviceId;
+        // Check persistent storage (session may have survived a head restart)
+        const stored = this.storage.getSessionById(sessionId);
+        if (stored) {
+            // Restore to in-memory map
+            this.sessions.set(sessionId, {
+                deviceId: stored.deviceId,
+                meta: { agent: stored.agent, model: stored.model ?? undefined },
+            });
+            return stored.deviceId;
+        }
+        return undefined;
+    }
+    /**
+     * Get the next seq number for a channel (monotonically increasing).
+     */
+    nextSeq(channelId) {
+        if (!this.seqCounters.has(channelId)) {
+            const maxSeq = this.storage.getMaxSeq(channelId);
+            this.seqCounters.set(channelId, maxSeq);
+        }
+        const next = this.seqCounters.get(channelId) + 1;
+        this.seqCounters.set(channelId, next);
+        return next;
+    }
+    /**
+     * Get all connected devices on a channel.
+     */
+    getConnectedDevices(channelId) {
+        // TODO: Add channelId → Set<deviceId> index if this becomes a bottleneck
+        return Array.from(this.connections.values()).filter(d => d.channelId === channelId);
+    }
+    /**
+     * Get connected devices filtered by role.
+     */
+    getConnectedByRole(channelId, role) {
+        return this.getConnectedDevices(channelId).filter(d => d.role === role);
+    }
+    /**
+     * Get device summaries for a channel (includes offline devices from storage).
+     */
+    getDeviceSummaries(channelId) {
+        const stored = this.storage.getDevicesByChannel(channelId);
+        return stored.map(d => {
+            const conn = this.connections.get(d.id);
+            return {
+                id: d.id,
+                name: d.name,
+                role: d.role,
+                kind: d.kind ?? undefined,
+                publicKey: d.publicKey ?? undefined,
+                encryptionKey: conn?.encryptionKey ?? d.encryptionKey ?? undefined,
+                online: !!conn,
+                capabilities: conn?.capabilities,
+            };
+        });
+    }
+    /**
+     * Get session summaries for a channel.
+     */
+    getSessionSummaries(channelId) {
+        // Merge in-memory sessions with persisted sessions from storage
+        const seen = new Set();
+        const summaries = [];
+        // In-memory sessions first (most up-to-date)
+        for (const [sessionId, record] of this.sessions) {
+            const conn = this.connections.get(record.deviceId);
+            const channelMatch = conn
+                ? conn.channelId === channelId
+                : this.storage.getDevice(record.deviceId)?.channelId === channelId;
+            if (channelMatch) {
+                seen.add(sessionId);
+                let deviceName = conn?.name;
+                if (!deviceName) {
+                    const stored = this.storage.getDevice(record.deviceId);
+                    deviceName = stored?.name ?? record.deviceId;
+                }
+                summaries.push({
+                    id: sessionId,
+                    deviceId: record.deviceId,
+                    deviceName,
+                    agent: record.meta.agent,
+                    model: record.meta.model,
+                    messageCount: 0,
+                });
+            }
+        }
+        // Add persisted sessions not already in memory (survives head restart)
+        for (const stored of this.storage.getSessionsByChannel(channelId)) {
+            if (!seen.has(stored.id)) {
+                const device = this.storage.getDevice(stored.deviceId);
+                summaries.push({
+                    id: stored.id,
+                    deviceId: stored.deviceId,
+                    deviceName: device?.name ?? stored.deviceId,
+                    agent: stored.agent,
+                    model: stored.model ?? undefined,
+                    messageCount: 0,
+                });
+            }
+        }
+        return summaries;
+    }
+    /**
+     * Get a specific connected device.
+     */
+    getConnection(deviceId) {
+        return this.connections.get(deviceId);
+    }
+    /**
+     * Get the underlying storage instance.
+     */
+    getStorage() {
+        return this.storage;
+    }
+}
+//# sourceMappingURL=channel-manager.js.map

package/dist/channel-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-manager.js","sourceRoot":"","sources":["../src/channel-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,IAAI,IAAI,EAAE,MAAM,MAAM,CAAC;AAwClC,MAAM,OAAO,cAAc;IACjB,OAAO,CAAU;IACzB,qDAAqD;IAC7C,WAAW,GAAG,IAAI,GAAG,EAA2B,CAAC;IACzD,kDAAkD;IAC1C,QAAQ,GAAG,IAAI,GAAG,EAAyB,CAAC;IACpD,qEAAqE;IAC7D,cAAc,GAAG,IAAI,GAAG,EAAuB,CAAC;IACxD,8BAA8B;IACtB,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEhD,YAAY,OAAgB;QAC1B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,IAAc;QAC/B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACxE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzD,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,MAAM,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAC9C,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAC/C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;OAGG;IACH,cAAc,CAAC,KAA0B;QACvC,MAAM,QAAQ,GAAG,KAAK,CAAC,cAAc,IAAI,OAAO,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QACtE,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;QAC/H,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE;YAC7B,QAAQ;YACR,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,IAAI,EAAE,KAAK,CAAC,IAAI;SACjB,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,QAAgB;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAClC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,SAAiB,EAAE,QAAgB,EAAE,IAAiB;QACpE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAClD,oDAAoD;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,MAAM,EAAE,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,SAAS,CAAC;QACnF,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,SAAiB;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC9C,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC,QAAQ,CAAC;QACvC,sEAAsE;QACtE,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;QACtD,IAAI,MAAM,EAAE,CAAC;YACX,2BAA2B;YAC3B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE;gBAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,SAAS,EAAE;aAChE,CAAC,CAAC;YACH,OAAO,MAAM,CAAC,QAAQ,CAAC;QACzB,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,SAAiB;QACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACjD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAE,GAAG,CAAC,CAAC;QAClD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,SAAiB;QACnC,yEAAyE;QACzE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;IACtF,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,SAAiB,EAAE,IAAgB;QACpD,OAAO,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC1E,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,SAAiB;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;QAC3D,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YACpB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACxC,OAAO;gBACL,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,IAAI,EAAE,CAAC,CAAC,IAAkB;gBAC1B,IAAI,EAAG,CAAC,CAAC,IAAmB,IAAI,SAAS;gBACzC,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,SAAS;gBACnC,aAAa,EAAE,IAAI,EAAE,aAAa,IAAI,CAAC,CAAC,aAAa,IAAI,SAAS;gBAClE,MAAM,EAAE,CAAC,CAAC,IAAI;gBACd,YAAY,EAAE,IAAI,EAAE,YAAY;aACjC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,SAAiB;QACnC,gEAAgE;QAChE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,MAAM,SAAS,GAAqB,EAAE,CAAC;QAEvC,6CAA6C;QAC7C,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChD,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACnD,MAAM,YAAY,GAAG,IAAI;gBACvB,CAAC,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS;gBAC9B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,SAAS,KAAK,SAAS,CAAC;YACrE,IAAI,YAAY,EAAE,CAAC;gBACjB,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBACpB,IAAI,UAAU,GAAG,IAAI,EAAE,IAAI,CAAC;gBAC5B,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;oBACvD,UAAU,GAAG,MAAM,EAAE,IAAI,IAAI,MAAM,CAAC,QAAQ,CAAC;gBAC/C,CAAC;gBACD,SAAS,CAAC,IAAI,CAAC;oBACb,EAAE,EAAE,SAAS;oBACb,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,UAAU;oBACV,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;oBACxB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;oBACxB,YAAY,EAAE,CAAC;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,oBAAoB,CAAC,SAAS,CAAC,EAAE,CAAC;YAClE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACvD,SAAS,CAAC,IAAI,CAAC;oBACb,EAAE,EAAE,MAAM,CAAC,EAAE;oBACb,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,UAAU,EAAE,MAAM,EAAE,IAAI,IAAI,MAAM,CAAC,QAAQ;oBAC3C,KAAK,EAAE,MAAM,CAAC,KAAK;oBACnB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,SAAS;oBAChC,YAAY,EAAE,CAAC;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAgB;QAC5B,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;CACF"}

package/dist/cli.d.ts

@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+/**
+ * kraki-relay — CLI entry point for the Kraki relay server.
+ *
+ * Usage:
+ *   npx kraki-relay
+ *   npx kraki-relay --port 8080
+ *   npx kraki-relay --auth github --e2e true
+ *
+ * Environment variables:
+ *   PORT         Server port (default: 4000)
+ *   DB_PATH      SQLite database path (default: kraki-head.db)
+ *   AUTH_MODE    Auth mode: open | github | apikey (default: open)
+ *   E2E_MODE     Enable E2E encryption: true | false (default: false)
+ *   API_KEY               API key for apikey auth mode
+ *   GITHUB_CLIENT_ID      GitHub OAuth App client ID (for web login)
+ *   GITHUB_CLIENT_SECRET  GitHub OAuth App client secret (for web login)
+ *   LOG_LEVEL             Log level: debug | info | warn | error (default: info)
+ *   LOG_PATH     Log file path (optional)
+ */
+export {};