paratix 0.0.1 → 0.2.0

package/dist/chunk-G3BMCQKU.js

@@ -0,0 +1,1706 @@
+// src/sshHelpers.ts
+function validateMode(mode) {
+  if (!new RegExp("^[0-7]{3,4}$", "v").test(mode)) {
+    throw new Error(
+      `Invalid file mode '${mode}': expected a 3- or 4-digit octal string (e.g. "644", "0755")`
+    );
+  }
+}
+function shellQuote(s) {
+  return `'${s.replaceAll("'", "'\\''")}'`;
+}
+var CONNECTION_TIMEOUT = 1e4;
+var MAX_OUTPUT_LENGTH = 500;
+function truncateOutput(text) {
+  let count = 0;
+  let sliceEnd = 0;
+  for (const char of text) {
+    if (count >= MAX_OUTPUT_LENGTH) return `${text.slice(0, sliceEnd)}\u2026(truncated)`;
+    sliceEnd += char.length;
+    count++;
+  }
+  return text;
+}
+function codepointLengthExceeds(text, limit) {
+  let count = 0;
+  for (const _char of text) {
+    count++;
+    if (count > limit) return true;
+  }
+  return false;
+}
+var CommandError = class _CommandError extends Error {
+  /** Full, untruncated standard error of the failed command. */
+  fullStderr;
+  /** Full, untruncated standard output of the failed command. */
+  fullStdout;
+  constructor(message, fullStdout, fullStderr) {
+    super(message);
+    this.name = "CommandError";
+    this.fullStdout = fullStdout;
+    this.fullStderr = fullStderr;
+    Error.captureStackTrace(this, _CommandError);
+  }
+};
+var REDACTED = "[REDACTED]";
+function resolveSecret(secret) {
+  return typeof secret === "function" ? secret() : secret;
+}
+function getSecretVariants(secrets) {
+  const variants = /* @__PURE__ */ new Set();
+  for (const source of secrets) {
+    const secret = resolveSecret(source);
+    if (secret.length === 0) continue;
+    if (secret.includes(REDACTED)) {
+      throw new Error(`Secret must not contain the redaction placeholder "${REDACTED}"`);
+    }
+    variants.add(secret);
+    const encoded = encodeURIComponent(secret);
+    if (encoded !== secret) variants.add(encoded);
+    const quoted = shellQuote(secret);
+    if (quoted !== secret) variants.add(quoted);
+  }
+  return [...variants].sort((a, b) => b.length - a.length);
+}
+function createLazyVariantResolver(secrets) {
+  let variants = null;
+  const getVariants = () => {
+    variants ??= getSecretVariants(secrets);
+    return variants;
+  };
+  return {
+    getMaxLength() {
+      return Math.max(0, ...getVariants().map((variant) => variant.length));
+    },
+    mask(text) {
+      let masked = text;
+      for (const variant of getVariants()) {
+        masked = masked.replaceAll(variant, REDACTED);
+      }
+      return masked;
+    }
+  };
+}
+function maskSecrets(text, secrets) {
+  let masked = text;
+  const variants = getSecretVariants(secrets);
+  for (const variant of variants) {
+    masked = masked.replaceAll(variant, REDACTED);
+  }
+  return masked;
+}
+function createStreamMasker(write, secrets) {
+  const resolver = createLazyVariantResolver(secrets);
+  let overlap = null;
+  const getOverlap = () => {
+    overlap ??= Math.max(0, resolver.getMaxLength() - 1);
+    return overlap;
+  };
+  let pending = "";
+  return {
+    flush() {
+      if (pending.length > 0) {
+        write(resolver.mask(pending));
+        pending = "";
+      }
+    },
+    push(chunk) {
+      const currentOverlap = getOverlap();
+      if (currentOverlap === 0) {
+        write(resolver.mask(chunk));
+        return;
+      }
+      pending += chunk;
+      if (pending.length <= currentOverlap) return;
+      const masked = resolver.mask(pending);
+      if (masked.length <= currentOverlap) {
+        pending = masked;
+        return;
+      }
+      write(masked.slice(0, -currentOverlap));
+      pending = masked.slice(-currentOverlap);
+    }
+  };
+}
+function writeStdout(t) {
+  process.stdout.write(t);
+}
+function writeStderr(t) {
+  process.stderr.write(t);
+}
+function normalizeSshCloseCode(code) {
+  return code ?? 0;
+}
+function collectStreamOutput(parameters) {
+  const { command, options, reject, resolve, stream, timer } = parameters;
+  let stdout = "";
+  let stderr = "";
+  const secrets = parameters.secrets ?? [];
+  const stdoutMasker = createStreamMasker((text) => {
+    stdout += text;
+    if (!options.silent) writeStdout(text);
+  }, secrets);
+  const stderrMasker = createStreamMasker((text) => {
+    stderr += text;
+    if (!options.silent) writeStderr(text);
+  }, secrets);
+  stream.on("data", (data) => {
+    stdoutMasker.push(data.toString());
+  });
+  stream.stderr.on("data", (data) => {
+    stderrMasker.push(data.toString());
+  });
+  stream.on("error", (error) => {
+    clearTimeout(timer);
+    stdoutMasker.flush();
+    stderrMasker.flush();
+    reject(error);
+  });
+  stream.on("close", (code) => {
+    clearTimeout(timer);
+    stdoutMasker.flush();
+    stderrMasker.flush();
+    const exitCode = normalizeSshCloseCode(code);
+    if (exitCode !== 0 && options.ignoreExitCode !== true) {
+      const wasTruncated = codepointLengthExceeds(stdout, MAX_OUTPUT_LENGTH) || codepointLengthExceeds(stderr, MAX_OUTPUT_LENGTH);
+      const hint = wasTruncated ? "\n(use --verbose for full output)" : "";
+      reject(
+        new CommandError(
+          `Command failed with exit code ${exitCode}: ${maskSecrets(command, secrets)}
+stdout: ${truncateOutput(stdout)}
+stderr: ${truncateOutput(stderr)}${hint}`,
+          stdout,
+          stderr
+        )
+      );
+      return;
+    }
+    resolve({ code: exitCode, stderr, stdout });
+  });
+}
+function buildConnectConfig(parameters) {
+  const { agent, agentForward, host, hostVerifier, password, port, privateKey, username } = parameters;
+  const connectConfig = {
+    host,
+    port,
+    readyTimeout: CONNECTION_TIMEOUT,
+    username
+  };
+  if (privateKey != null) {
+    connectConfig.privateKey = privateKey;
+  }
+  if (agent != null) {
+    connectConfig.agent = agent;
+  }
+  if (agentForward === true) {
+    connectConfig.agentForward = true;
+  }
+  if (typeof password === "string") {
+    connectConfig.password = password;
+    connectConfig.tryKeyboard = true;
+  }
+  if (hostVerifier != null) {
+    connectConfig.hostVerifier = hostVerifier;
+  }
+  return connectConfig;
+}
+async function tryConnectOnPort(parameters) {
+  const { client, port } = parameters;
+  const connectConfig = buildConnectConfig(parameters);
+  return new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.end();
+      reject(new Error(`Connection timeout on port ${port}`));
+    }, CONNECTION_TIMEOUT);
+    client.on("ready", () => {
+      clearTimeout(timeout);
+      resolve();
+    });
+    client.on("error", (error) => {
+      clearTimeout(timeout);
+      reject(error);
+    });
+    client.connect(connectConfig);
+  });
+}
+
+// src/serverDefinitionValidation.ts
+var STRICT_HOST_KEY_ERROR = `Invalid property 'ssh.strictHostKeyChecking' (expected "accept-new", "no", or "yes")`;
+var MAX_TCP_PORT = 65535;
+function describeType(value) {
+  return value === null ? "null" : typeof value;
+}
+function isHostKeyMode(value) {
+  return value === "accept-new" || value === "no" || value === "yes";
+}
+function isRecord(value) {
+  return Object.getPrototypeOf(value) === Object.prototype || Object.getPrototypeOf(value) === null;
+}
+function collectOptionalBooleanErrors(object, key, errors) {
+  if (!(key in object) || object[key] == null) return;
+  if (typeof object[key] !== "boolean") {
+    errors.push(
+      `Invalid property 'ssh.${key}' (expected boolean, got ${describeType(object[key])})`
+    );
+  }
+}
+function collectOptionalNumberErrors(parameters) {
+  const { errors, key, object, options } = parameters;
+  if (!(key in object) || object[key] == null) return;
+  const value = object[key];
+  const validatedNumber = validateNumberValue(value);
+  if (validatedNumber == null) {
+    errors.push(`Invalid property 'ssh.${key}' (expected number, got ${describeType(value)})`);
+    return;
+  }
+  if (options?.integer === true && !Number.isInteger(validatedNumber)) {
+    errors.push(`Property 'ssh.${key}' must be an integer`);
+    return;
+  }
+  if (options?.positive === true && validatedNumber <= 0) {
+    errors.push(`Property 'ssh.${key}' must be greater than 0`);
+  }
+}
+function validateNumberValue(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : null;
+}
+function isValidTcpPort(value) {
+  return typeof value === "number" && Number.isInteger(value) && value >= 1 && value <= MAX_TCP_PORT;
+}
+function collectOptionalStringErrors(object, key, errors) {
+  if (!(key in object) || object[key] == null) return;
+  if (typeof object[key] !== "string") {
+    errors.push(`Invalid property 'ssh.${key}' (expected string, got ${describeType(object[key])})`);
+    return;
+  }
+  if (object[key].length === 0) {
+    errors.push(`Property 'ssh.${key}' must not be an empty string`);
+  }
+}
+function collectPortsErrors(ssh, errors) {
+  if (!("ports" in ssh)) {
+    errors.push("Missing property 'ssh.ports' (expected array)");
+    return;
+  }
+  if (!Array.isArray(ssh.ports)) {
+    errors.push(`Invalid property 'ssh.ports' (expected array, got ${describeType(ssh.ports)})`);
+    return;
+  }
+  if (ssh.ports.length === 0) {
+    errors.push("Property 'ssh.ports' must not be empty");
+    return;
+  }
+  for (const [index, port] of ssh.ports.entries()) {
+    if (!isValidTcpPort(port)) {
+      errors.push(`Property 'ssh.ports[${index}]' must be an integer between 1 and 65535`);
+    }
+  }
+}
+function collectRequiredUserErrors(ssh, errors) {
+  if (!("user" in ssh)) {
+    errors.push("Missing property 'ssh.user' (expected string)");
+    return;
+  }
+  if (typeof ssh.user !== "string") {
+    errors.push(`Invalid property 'ssh.user' (expected string, got ${describeType(ssh.user)})`);
+    return;
+  }
+  if (ssh.user.length === 0) {
+    errors.push("Property 'ssh.user' must not be an empty string");
+  }
+}
+function collectStrictHostKeyCheckingErrors(ssh, errors) {
+  if (!("strictHostKeyChecking" in ssh) || ssh.strictHostKeyChecking == null) return;
+  if (typeof ssh.strictHostKeyChecking !== "string" || !isHostKeyMode(ssh.strictHostKeyChecking)) {
+    errors.push(STRICT_HOST_KEY_ERROR);
+  }
+}
+function collectOptionalSshFieldErrors(ssh, errors) {
+  collectOptionalStringErrors(ssh, "privateKey", errors);
+  collectOptionalStringErrors(ssh, "expectedHostFingerprint", errors);
+  collectOptionalStringErrors(ssh, "expectedHostPublicKey", errors);
+  collectOptionalBooleanErrors(ssh, "agentForward", errors);
+  collectOptionalBooleanErrors(ssh, "passwordFallback", errors);
+  collectOptionalNumberErrors({
+    errors,
+    key: "reconnectTimeout",
+    object: ssh,
+    options: { positive: true }
+  });
+  collectOptionalNumberErrors({
+    errors,
+    key: "maxReconnectAttempts",
+    object: ssh,
+    options: { integer: true, positive: true }
+  });
+  collectStrictHostKeyCheckingErrors(ssh, errors);
+}
+function collectSshConfigErrors(value) {
+  const errors = [];
+  if (value === null) {
+    errors.push("Invalid property 'ssh' (expected object, got null)");
+    return errors;
+  }
+  if (typeof value !== "object") {
+    errors.push(`Invalid property 'ssh' (expected object, got ${describeType(value)})`);
+    return errors;
+  }
+  if (!isRecord(value)) {
+    errors.push("Invalid property 'ssh' (expected object, got object)");
+    return errors;
+  }
+  const ssh = value;
+  collectPortsErrors(ssh, errors);
+  collectRequiredUserErrors(ssh, errors);
+  collectOptionalSshFieldErrors(ssh, errors);
+  return errors;
+}
+function normalizeServerDefinitionSshError(error) {
+  const mappedErrors = {
+    "Missing property 'ssh.user' (expected string)": "ssh.user is required",
+    "Property 'ssh.expectedHostFingerprint' must not be an empty string": "ssh.expectedHostFingerprint must not be an empty string",
+    "Property 'ssh.expectedHostPublicKey' must not be an empty string": "ssh.expectedHostPublicKey must not be an empty string",
+    "Property 'ssh.ports' must not be empty": "ssh.ports must not be empty",
+    "Property 'ssh.privateKey' must not be an empty string": "ssh.privateKey must not be an empty string",
+    "Property 'ssh.user' must not be an empty string": "ssh.user is required",
+    [STRICT_HOST_KEY_ERROR]: "ssh.strictHostKeyChecking must be one of accept-new, no, yes"
+  };
+  return mappedErrors[error] ?? error;
+}
+function validateSshConfig(ssh) {
+  const errors = collectSshConfigErrors(ssh);
+  if (errors.length === 0) return;
+  throw new Error(`ServerDefinition: ${normalizeServerDefinitionSshError(errors[0])}`);
+}
+
+// src/meta.ts
+var SYSTEM_HOST_KIND = "system.host";
+var SYSTEM_REBOOT_KIND = "system.reboot";
+function hasValidMetaName(name) {
+  return typeof name === "string" && name.length > 0;
+}
+function inferMetaValueType(value, explicitValueType) {
+  if (explicitValueType != null) return explicitValueType;
+  if (typeof value === "boolean") return "boolean";
+  if (typeof value === "number") return "number";
+  return "string";
+}
+function normalizeMetaValueResolver(value) {
+  if (typeof value === "function") {
+    return async () => {
+      await Promise.resolve();
+      return value();
+    };
+  }
+  return async () => {
+    await Promise.resolve();
+    return value;
+  };
+}
+function isRecord2(value) {
+  return typeof value === "object" && value !== null;
+}
+function assertValidEnvironmentMetaEntry(candidate) {
+  if (!hasValidMetaName(candidate.name)) {
+    throw new TypeError("Invalid env meta entry: name must be a non-empty string");
+  }
+  if (typeof candidate.resolve !== "function") {
+    throw new TypeError("Invalid env meta entry: resolve must be a function returning a Promise");
+  }
+  if (candidate.valueType !== "boolean" && candidate.valueType !== "number" && candidate.valueType !== "string") {
+    throw new TypeError("Invalid env meta entry: valueType must be boolean, number, or string");
+  }
+}
+function assertValidSshdPortMetaEntry(candidate) {
+  if (!isValidTcpPort(candidate.port)) {
+    throw new TypeError("Invalid sshd.port meta entry: port must be an integer between 1 and 65535");
+  }
+}
+function assertValidSystemHostMetaEntry(candidate) {
+  if (typeof candidate.host !== "string" || candidate.host.length === 0) {
+    throw new TypeError("Invalid system.host meta entry: host must be a non-empty string");
+  }
+}
+function environmentMeta(name, value, valueType) {
+  if (!hasValidMetaName(name)) {
+    throw new TypeError("Meta env entry name must be a non-empty string");
+  }
+  return {
+    kind: "env",
+    name,
+    resolve: normalizeMetaValueResolver(value),
+    valueType: inferMetaValueType(value, valueType)
+  };
+}
+function sshdPortMeta(port) {
+  if (!isValidTcpPort(port)) {
+    throw new TypeError("Meta entry sshd.port requires an integer port between 1 and 65535");
+  }
+  return { kind: "sshd.port", port };
+}
+function systemHostMeta(host) {
+  if (host.length === 0) {
+    throw new TypeError("Meta entry system.host requires a non-empty host");
+  }
+  return { host, kind: SYSTEM_HOST_KIND };
+}
+function systemRebootMeta() {
+  return { kind: SYSTEM_REBOOT_KIND };
+}
+var meta = {
+  env: environmentMeta,
+  sshdPort: sshdPortMeta,
+  systemHost: systemHostMeta,
+  systemReboot: systemRebootMeta
+};
+function isEnvironmentMetaEntry(entry) {
+  return entry.kind === "env";
+}
+function isStringEnvironmentMetaEntry(entry) {
+  return isEnvironmentMetaEntry(entry) && entry.valueType === "string";
+}
+function isNumberEnvironmentMetaEntry(entry) {
+  return isEnvironmentMetaEntry(entry) && entry.valueType === "number";
+}
+function isBooleanEnvironmentMetaEntry(entry) {
+  return isEnvironmentMetaEntry(entry) && entry.valueType === "boolean";
+}
+function isLazyEnvironmentMetaEntry(entry) {
+  return isEnvironmentMetaEntry(entry);
+}
+function isSshdPortMetaEntry(entry) {
+  return entry.kind === "sshd.port";
+}
+function isSystemHostMetaEntry(entry) {
+  return entry.kind === SYSTEM_HOST_KIND;
+}
+function isSystemRebootMetaEntry(entry) {
+  return entry.kind === SYSTEM_REBOOT_KIND;
+}
+function assertValidModuleMetaEntry(entry) {
+  if (!isRecord2(entry)) {
+    throw new TypeError(`Invalid meta entry: expected object, got ${typeof entry}`);
+  }
+  switch (entry.kind) {
+    case "env": {
+      assertValidEnvironmentMetaEntry(entry);
+      return;
+    }
+    case "sshd.port": {
+      assertValidSshdPortMetaEntry(entry);
+      return;
+    }
+    case SYSTEM_HOST_KIND: {
+      assertValidSystemHostMetaEntry(entry);
+      return;
+    }
+    case SYSTEM_REBOOT_KIND: {
+      return;
+    }
+    default: {
+      throw new TypeError(`Invalid meta entry kind: ${String(entry.kind)}`);
+    }
+  }
+}
+function assertValidModuleMetaEntries(entries) {
+  if (entries == null) return;
+  for (const entry of entries) {
+    assertValidModuleMetaEntry(entry);
+  }
+}
+async function mergeEnvironmentFromMeta(environment, entries) {
+  if (entries == null || entries.length === 0) {
+    await Promise.resolve();
+    return environment;
+  }
+  const nextEnvironment = { ...environment };
+  for (const entry of entries) {
+    if (!isEnvironmentMetaEntry(entry)) continue;
+    nextEnvironment[entry.name] = async () => entry.resolve();
+  }
+  await Promise.resolve();
+  return nextEnvironment;
+}
+function environmentToMetaEntries(environment) {
+  return Object.entries(environment).map(([name, value]) => environmentMeta(name, value));
+}
+function diffEnvironmentToMetaEntries(original, current) {
+  const entries = [];
+  for (const key of Object.keys(current)) {
+    if (!(key in original) || current[key] !== original[key]) {
+      entries.push(environmentMeta(key, current[key]));
+    }
+  }
+  return entries.length === 0 ? void 0 : entries;
+}
+
+// src/ssh.ts
+import { randomUUID as randomUUID2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { unlinkSync as unlinkSync2, writeFileSync } from "fs";
+import { readFile, stat } from "fs/promises";
+import { homedir as homedir2, tmpdir } from "os";
+import { join as join3, posix } from "path";
+import { Client } from "ssh2";
+
+// src/knownHosts.ts
+import { createHash, createHmac, timingSafeEqual } from "crypto";
+import { readFileSync } from "fs";
+import { appendFile, mkdir } from "fs/promises";
+import { homedir } from "os";
+import { join } from "path";
+var HostKeyVerificationError = class _HostKeyVerificationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "HostKeyVerificationError";
+    Error.captureStackTrace(this, _HostKeyVerificationError);
+  }
+};
+var MIN_KNOWN_HOSTS_FIELDS = 3;
+var DEFAULT_SSH_PORT = 22;
+var UINT32_SIZE = 4;
+var HASHED_HOST_PARTS = 4;
+var inMemoryHostKeys = /* @__PURE__ */ new Map();
+function parseKnownHostsLine(line) {
+  const parts = line.split(new RegExp("\\s+", "v"));
+  const offset = parts[0]?.startsWith("@") ? 1 : 0;
+  if (parts.length < MIN_KNOWN_HOSTS_FIELDS + offset) return [];
+  const marker = offset === 1 ? parts[0] : void 0;
+  const hostsPart = parts[offset];
+  const algo = parts[offset + 1];
+  const base64Key = parts[offset + 2];
+  const key = Buffer.from(base64Key, "base64");
+  return hostsPart.split(",").map((host) => ({ algo, host, key, marker }));
+}
+function parseKnownHosts(content) {
+  const entries = [];
+  for (const raw of content.split("\n")) {
+    const line = raw.trim();
+    if (line.length === 0 || line.startsWith("#")) continue;
+    entries.push(...parseKnownHostsLine(line));
+  }
+  return entries;
+}
+function formatHostNeedle(host, port) {
+  return port === DEFAULT_SSH_PORT ? host : `[${host}]:${port}`;
+}
+function matchesHashedHost(pattern, needle) {
+  if (!pattern.startsWith("|1|")) return false;
+  const parts = pattern.split("|");
+  if (parts.length !== HASHED_HOST_PARTS || parts[1] !== "1") return false;
+  const salt = Buffer.from(parts[2] ?? "", "base64");
+  const expectedHash = Buffer.from(parts[3] ?? "", "base64");
+  if (salt.length === 0 || expectedHash.length === 0) return false;
+  const actualHash = createHmac("sha1", salt).update(needle).digest();
+  return actualHash.length === expectedHash.length && timingSafeEqual(actualHash, expectedHash);
+}
+function findMatchingEntries(entries, host, port) {
+  const needle = formatHostNeedle(host, port);
+  return entries.filter((entry) => entry.host === needle || matchesHashedHost(entry.host, needle));
+}
+function findRevokedEntry(entries, key) {
+  return entries.find(
+    (entry) => entry.marker === "@revoked" && entry.key.length === key.length && timingSafeEqual(entry.key, key)
+  );
+}
+function throwHostKeyMismatch(host, presentedKey, existingKey) {
+  const presentedAlgo = extractAlgoFromKey(presentedKey);
+  const knownHostsDetails = existingKey == null ? "remote host key does not match the key in known_hosts. " : `remote host key (${presentedAlgo}) does not match the key in known_hosts (${extractAlgoFromKey(existingKey)}). `;
+  throw new HostKeyVerificationError(
+    `HOST KEY VERIFICATION FAILED for ${host}: ${knownHostsDetails}This could indicate a man-in-the-middle attack.`
+  );
+}
+function verifyHostKeyAgainstKnownEntries(parameters) {
+  const { cachedKey, fileEntries, host, key } = parameters;
+  const revokedKey = findRevokedEntry(fileEntries, key);
+  if (revokedKey != null) {
+    throw new HostKeyVerificationError(
+      `HOST KEY VERIFICATION FAILED for ${host}: remote host key (${extractAlgoFromKey(revokedKey.key)}) is marked as revoked in known_hosts.`
+    );
+  }
+  const nonRevokedEntries = fileEntries.filter((entry) => entry.marker !== "@revoked");
+  const matchingEntry = nonRevokedEntries.find(
+    (entry) => entry.key.length === key.length && timingSafeEqual(entry.key, key)
+  );
+  if (matchingEntry != null) return true;
+  if (cachedKey?.length === key.length && timingSafeEqual(cachedKey, key)) {
+    return true;
+  }
+  const firstNonRevokedKey = nonRevokedEntries.at(0)?.key;
+  if (firstNonRevokedKey != null) throwHostKeyMismatch(host, key, firstNonRevokedKey);
+  if (cachedKey != null) throwHostKeyMismatch(host, key, cachedKey);
+  return false;
+}
+function extractAlgoFromKey(keyBuffer) {
+  if (keyBuffer.length < UINT32_SIZE) {
+    throw new Error("Invalid SSH key buffer: too short to contain algorithm length");
+  }
+  const algoLength = keyBuffer.readUInt32BE(0);
+  if (algoLength === 0 || UINT32_SIZE + algoLength > keyBuffer.length) {
+    throw new Error("Invalid SSH key buffer: algorithm length exceeds buffer size");
+  }
+  return keyBuffer.subarray(UINT32_SIZE, UINT32_SIZE + algoLength).toString("ascii");
+}
+function computeFingerprint(key) {
+  const hash = createHash("sha256").update(key).digest("base64");
+  return `SHA256:${hash.replaceAll("=", "")}`;
+}
+async function appendHostKey(host, port, keyBuffer) {
+  const hostLabel = formatHostNeedle(host, port);
+  const algo = extractAlgoFromKey(keyBuffer);
+  const base64Key = keyBuffer.toString("base64");
+  const line = `${hostLabel} ${algo} ${base64Key}
+`;
+  const sshDirectory = join(homedir(), ".ssh");
+  const filePath = join(sshDirectory, "known_hosts");
+  await mkdir(sshDirectory, { mode: 448, recursive: true });
+  await appendFile(filePath, line, { mode: 420 });
+}
+function loadKnownHostEntries() {
+  const filePath = join(homedir(), ".ssh", "known_hosts");
+  let content = "";
+  try {
+    content = readFileSync(filePath, "utf8");
+  } catch {
+  }
+  return parseKnownHosts(content);
+}
+async function acceptAndPersistHostKey(host, port, key) {
+  try {
+    const algo = extractAlgoFromKey(key);
+    const fingerprint = computeFingerprint(key);
+    process.stderr.write(
+      `WARNING: Permanently added '${host}' (${algo}) to the list of known hosts. Fingerprint: ${fingerprint}
+`
+    );
+  } catch {
+    process.stderr.write(`WARNING: Permanently added '${host}' to the list of known hosts.
+`);
+  }
+  inMemoryHostKeys.set(formatHostNeedle(host, port), key);
+  try {
+    await appendHostKey(host, port, key);
+  } catch (error) {
+    const keyscanArguments = port === DEFAULT_SSH_PORT ? shellQuote(host) : `-p ${port} ${shellQuote(host)}`;
+    process.stderr.write(
+      `WARNING: Could not persist host key for ${host} \u2014 the key is cached in memory for this session. To persist it, ensure ~/.ssh/ is writable or run: ssh-keyscan ${keyscanArguments} >> ~/.ssh/known_hosts. ${String(error)}
+`
+    );
+  }
+}
+function normalizePinnedPublicKey(publicKey) {
+  const parts = publicKey.trim().split(new RegExp("\\s+", "v"));
+  if (parts.length < 2) {
+    throw new Error("Expected host public key must use the format '<algorithm> <base64>'");
+  }
+  const [algorithm, key] = parts;
+  return `${algorithm} ${key}`;
+}
+function formatPresentedPublicKey(key) {
+  return `${extractAlgoFromKey(key)} ${key.toString("base64")}`;
+}
+function hasPinnedHostTrustAnchor(options) {
+  return options?.expectedHostFingerprint != null || options?.expectedHostPublicKey != null;
+}
+function verifyPinnedHostKey(host, key, options) {
+  const normalizedExpectedPublicKey = options.expectedHostPublicKey == null ? null : normalizePinnedPublicKey(options.expectedHostPublicKey);
+  const expectedFingerprint = options.expectedHostFingerprint ?? null;
+  const presentedPublicKey = formatPresentedPublicKey(key);
+  const presentedFingerprint = computeFingerprint(key);
+  if (normalizedExpectedPublicKey === presentedPublicKey || expectedFingerprint === presentedFingerprint) {
+    return;
+  }
+  throw new HostKeyVerificationError(
+    `HOST KEY VERIFICATION FAILED for ${host}: the remote host key does not match the configured trust anchor.`
+  );
+}
+function buildHostVerifier(mode, location, options = {}) {
+  const { host, port } = location;
+  if (mode === "no" && !hasPinnedHostTrustAnchor(options)) return {};
+  const entries = loadKnownHostEntries();
+  const fileEntries = findMatchingEntries(entries, host, port);
+  const cachedKey = inMemoryHostKeys.get(formatHostNeedle(host, port)) ?? null;
+  const result = {
+    hostVerifier(key) {
+      if (mode !== "no" && verifyHostKeyAgainstKnownEntries({ cachedKey, fileEntries, host, key })) {
+        if (hasPinnedHostTrustAnchor(options)) verifyPinnedHostKey(host, key, options);
+        return true;
+      }
+      if (hasPinnedHostTrustAnchor(options)) {
+        verifyPinnedHostKey(host, key, options);
+        return true;
+      }
+      if (mode === "yes") {
+        throw new HostKeyVerificationError(
+          `Host key for ${host} not found in known_hosts. Set strictHostKeyChecking to "accept-new" for explicit TOFU or configure ssh.expectedHostFingerprint / ssh.expectedHostPublicKey.`
+        );
+      }
+      if (mode === "no") return true;
+      result.pendingPersist = acceptAndPersistHostKey(host, port, key);
+      return true;
+    }
+  };
+  return result;
+}
+
+// src/sftp.ts
+import { randomUUID } from "crypto";
+import { createReadStream, createWriteStream, renameSync, unlinkSync } from "fs";
+import { dirname, join as join2 } from "path";
+var SFTP_TIMEOUT = 12e4;
+function wireStreams(options) {
+  const { readStream, reject, resolve, sftp, timeout, timeoutMessage, writeStream } = options;
+  let settled = false;
+  const timer = setTimeout(() => {
+    if (settled) return;
+    settled = true;
+    readStream.destroy();
+    writeStream.destroy();
+    sftp.end();
+    reject(new Error(timeoutMessage));
+  }, timeout);
+  writeStream.on("close", () => {
+    clearTimeout(timer);
+    if (settled) return;
+    settled = true;
+    sftp.end();
+    resolve();
+  });
+  writeStream.on("error", (writeError) => {
+    clearTimeout(timer);
+    if (settled) return;
+    settled = true;
+    readStream.destroy();
+    if (typeof writeStream.destroy === "function") writeStream.destroy();
+    sftp.end();
+    reject(writeError);
+  });
+  readStream.on("error", (readError) => {
+    clearTimeout(timer);
+    if (settled) return;
+    settled = true;
+    if (typeof readStream.destroy === "function") readStream.destroy();
+    if (typeof writeStream.destroy === "function") writeStream.destroy();
+    sftp.end();
+    reject(readError);
+  });
+  readStream.pipe(writeStream);
+}
+async function sftpDownload(client, remotePath, localPath, timeout = SFTP_TIMEOUT) {
+  return new Promise((resolve, reject) => {
+    const temporaryPath = join2(dirname(localPath), `.paratix-download-${randomUUID()}.tmp`);
+    let shouldCleanupTemporaryFile = false;
+    const rejectWithCleanup = (reason) => {
+      if (shouldCleanupTemporaryFile) {
+        try {
+          unlinkSync(temporaryPath);
+        } catch {
+        }
+      }
+      reject(reason);
+    };
+    client.sftp((error, sftp) => {
+      if (error) {
+        rejectWithCleanup(error);
+        return;
+      }
+      const readStream = sftp.createReadStream(remotePath);
+      const writeStream = createWriteStream(temporaryPath, { mode: 384 });
+      shouldCleanupTemporaryFile = true;
+      wireStreams({
+        readStream,
+        reject: rejectWithCleanup,
+        resolve: () => {
+          try {
+            renameSync(temporaryPath, localPath);
+            resolve();
+          } catch (finalizeError) {
+            rejectWithCleanup(
+              finalizeError instanceof Error ? finalizeError : new Error(`Failed to finalize SFTP download: ${String(finalizeError)}`)
+            );
+          }
+        },
+        sftp,
+        timeout,
+        timeoutMessage: `SFTP download timed out after ${timeout}ms: ${remotePath}`,
+        writeStream
+      });
+    });
+  });
+}
+async function sftpUpload(client, localPath, remotePath, timeout = SFTP_TIMEOUT) {
+  return new Promise((resolve, reject) => {
+    client.sftp((error, sftp) => {
+      if (error) {
+        reject(error);
+        return;
+      }
+      const readStream = createReadStream(localPath);
+      const writeStream = sftp.createWriteStream(remotePath, { mode: 384 });
+      wireStreams({
+        readStream,
+        reject,
+        resolve,
+        sftp,
+        timeout,
+        timeoutMessage: `SFTP upload timed out after ${timeout}ms: ${remotePath}`,
+        writeStream
+      });
+    });
+  });
+}
+
+// src/terminal.ts
+import { createInterface } from "readline";
+function normalizePromptAbortReason(reason) {
+  return reason instanceof Error ? reason : new Error(String(reason));
+}
+function installHiddenPromptOutput(rl, question) {
+  const rlInternal = rl;
+  rlInternal._writeToOutput = (text) => {
+    if (text.includes(question)) {
+      rlInternal.output.write(text);
+    }
+  };
+}
+function createPromptAbortHandler(parameters) {
+  return () => {
+    if (parameters.settled()) return;
+    parameters.setSettled();
+    parameters.cleanup();
+    parameters.rl.close();
+    if (parameters.hidden) process.stderr.write("\n");
+    parameters.reject(
+      normalizePromptAbortReason(
+        parameters.abortSignal?.reason ?? new Error("Terminal prompt aborted")
+      )
+    );
+  };
+}
+async function promptTerminal(question, hidden = false, options) {
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  const abortSignal = options?.abortSignal;
+  if (hidden) installHiddenPromptOutput(rl, question);
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const cleanup = () => {
+      abortSignal?.removeEventListener("abort", rejectPrompt);
+    };
+    const resolvePrompt = (answer) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      rl.close();
+      if (hidden) process.stderr.write("\n");
+      resolve(answer);
+    };
+    const rejectPrompt = createPromptAbortHandler({
+      abortSignal,
+      cleanup,
+      hidden,
+      reject,
+      rl,
+      setSettled: () => {
+        settled = true;
+      },
+      settled: () => settled
+    });
+    if (abortSignal?.aborted === true) {
+      rejectPrompt();
+      return;
+    }
+    abortSignal?.addEventListener("abort", rejectPrompt, { once: true });
+    rl.question(question, (answer) => {
+      resolvePrompt(answer);
+    });
+  });
+}
+
+// src/ssh.ts
+function validateMktempPath(directory, path, prefix) {
+  const normalizedDirectory = directory === "/" ? "" : directory;
+  const expectedPrefix = `${normalizedDirectory}/${prefix}.`;
+  if (!path.startsWith(expectedPrefix) || path.includes("\n") || path.endsWith("/")) {
+    throw new Error(`Unexpected mktemp output: ${path}`);
+  }
+  return path;
+}
+function expandHomePath(path) {
+  if (path === "~") return homedir2();
+  if (path.startsWith("~/")) return join3(homedir2(), path.slice(2));
+  return path;
+}
+function resolveWriteFileMode(remotePath, options) {
+  if (options?.mode == null) {
+    throw new Error(
+      `[ssh.writeFile: ${remotePath}] missing options.mode; pass { mode: "0644" } or another explicit file mode`
+    );
+  }
+  try {
+    validateMode(options.mode);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error);
+    throw new Error(
+      `[ssh.writeFile: ${remotePath}] invalid options.mode "${options.mode}": ${reason}`,
+      { cause: error }
+    );
+  }
+  return options.mode;
+}
+var COMMAND_TIMEOUT = 12e4;
+var DEFAULT_MAX_RECONNECT_ATTEMPTS = 10;
+var DEFAULT_RECONNECT_TIMEOUT = 12e4;
+var JITTER_BASE = 0.75;
+var JITTER_RANGE = 0.5;
+var RECONNECT_BASE_DELAY = 1e3;
+var RECONNECT_MAX_DELAY = 3e4;
+var SshConnectionImpl = class {
+  agentSocket = null;
+  authMethod = null;
+  /**
+   * Cached sudo password stored as a Buffer so it can be actively zeroed
+   * after use via `buffer.fill(0)`.
+   *
+   * **Limitations:** Buffer zeroing in JavaScript/V8 only reduces the window
+   * for potential memory leaks — it cannot eliminate them entirely. The GC may
+   * create internal copies. The masking pipeline only materializes a string
+   * from this buffer on actual output/error paths. This is a best-effort
+   * mitigation, not a guarantee.
+   */
+  cachedSudoPassword = null;
+  client = null;
+  config;
+  connectedPort = 0;
+  pendingRejects = /* @__PURE__ */ new Set();
+  pinnedHostKey = null;
+  promptAbortSignal;
+  runtime;
+  sudoProbePromise = null;
+  sudoReady = false;
+  verifiedHostKey = null;
+  constructor(host, config) {
+    this.runtime = {
+      host,
+      ports: [...config.ports]
+    };
+    this.config = {
+      ...config,
+      ports: [...config.ports]
+    };
+    if (config.sudoPassword != null && (config.sudoPassword.includes("\n") || config.sudoPassword.includes("\r"))) {
+      throw new Error("Sudo password must not contain newline characters");
+    }
+    this.cachedSudoPassword = config.sudoPassword == null ? null : Buffer.from(config.sudoPassword);
+  }
+  addPort(port) {
+    if (!this.runtime.ports.includes(port)) this.runtime.ports.push(port);
+  }
+  /**
+   * Establish the SSH connection using the configured credentials.
+   *
+   * Authentication strategy (in order):
+   * 1. If `privateKey` is set: connect with the key, optionally falling back to
+   *    password authentication when `passwordFallback` is enabled.
+   * 2. If `privateKey` is omitted: connect via the SSH agent identified by
+   *    `SSH_AUTH_SOCK`, optionally falling back to password authentication
+   *    when `passwordFallback` is enabled. Throws if the environment variable
+   *    is not set.
+   *
+   * @param options - Optional prompt behavior for interactive password fallback.
+   * @throws {Error} When no port in `config.ports` accepts the connection.
+   */
+  async connect(options) {
+    this.promptAbortSignal = options?.abortSignal;
+    if (this.config.privateKey == null) {
+      await this.connectViaAgent(options);
+      return;
+    }
+    await this.connectViaPrivateKey(options);
+  }
+  disconnect() {
+    this.clearCachedPassword();
+    this.disconnectTransport();
+  }
+  async downloadFile(remotePath, localPath) {
+    const client = this.ensureClient();
+    let sourcePath = remotePath;
+    try {
+      if (this.config.user !== "root") {
+        sourcePath = await this.createRemoteTempPath(
+          "mktemp /tmp/paratix-download.XXXXXX",
+          "paratix-download"
+        );
+        await this.exec(`cat ${shellQuote(remotePath)} > ${shellQuote(sourcePath)}`, {
+          silent: true
+        });
+      }
+      await sftpDownload(client, sourcePath, localPath);
+    } finally {
+      if (sourcePath !== remotePath) {
+        try {
+          await this.cleanupRemoteTempFile(sourcePath);
+        } catch (cleanupError) {
+          process.stderr.write(
+            `Warning: failed to remove temp file ${sourcePath}: ${maskSecrets(String(cleanupError), this.buildSecrets())}
+`
+          );
+        }
+      }
+    }
+  }
+  async exec(command, options = {}) {
+    await this.ensureSudoReady();
+    return this.execPrepared(command, options);
+  }
+  async exists(remotePath) {
+    return this.test(`[ -e ${shellQuote(remotePath)} ]`);
+  }
+  getConnectionInfo() {
+    return {
+      agentSocket: this.authMethod === "agent" ? this.agentSocket ?? void 0 : void 0,
+      authMethod: this.authMethod ?? void 0,
+      host: this.runtime.host,
+      port: this.connectedPort,
+      privateKeyPath: this.authMethod === "privateKey" && this.config.privateKey != null ? expandHomePath(this.config.privateKey) : void 0,
+      user: this.config.user,
+      verifiedHostPublicKey: this.verifiedHostKey == null ? void 0 : `${extractAlgoFromKey(this.verifiedHostKey)} ${this.verifiedHostKey.toString("base64")}`
+    };
+  }
+  async lines(command) {
+    const out = await this.output(command);
+    return out === "" ? [] : out.split("\n");
+  }
+  async output(command) {
+    const result = await this.exec(command, { silent: true });
+    return result.stdout.trim();
+  }
+  /**
+   * Probe whether passwordless sudo is available. If not, prompt the user
+   * for a password and cache it for the remainder of the run.
+   *
+   * @param options - Optional prompt behavior for the interactive sudo password prompt.
+   */
+  async probeSudo(options) {
+    this.promptAbortSignal = options?.abortSignal ?? this.promptAbortSignal;
+    if (this.isSudoReadyWithoutProbe()) {
+      this.sudoReady = true;
+      return;
+    }
+    await this.ensureSudoInstalled();
+    if (await this.hasPasswordlessSudo()) {
+      this.sudoReady = true;
+      return;
+    }
+    await this.promptAndCacheSudoPassword();
+  }
+  async readFile(remotePath) {
+    return this.output(`cat ${shellQuote(remotePath)}`);
+  }
+  async reconnect() {
+    const timeout = this.config.reconnectTimeout ?? DEFAULT_RECONNECT_TIMEOUT;
+    const maxAttempts = this.config.maxReconnectAttempts ?? DEFAULT_MAX_RECONNECT_ATTEMPTS;
+    const deadline = Date.now() + timeout;
+    let attempt = 0;
+    while (Date.now() < deadline && attempt < maxAttempts) {
+      try {
+        this.disconnectTransport();
+        await this.connect();
+        return;
+      } catch (error) {
+        if (error instanceof HostKeyVerificationError || error instanceof Error && error.message === "SSH connection closed")
+          throw error;
+        const jitter = Math.min(RECONNECT_BASE_DELAY * 2 ** attempt, RECONNECT_MAX_DELAY) * (JITTER_BASE + Math.random() * JITTER_RANGE);
+        const delay = Math.min(jitter, Math.max(0, deadline - Date.now()));
+        await new Promise((resolve) => {
+          setTimeout(resolve, delay);
+        });
+        attempt++;
+      }
+    }
+    throw new Error(
+      `Failed to reconnect to ${this.runtime.host} after ${attempt} attempts (timeout: ${timeout}ms)`
+    );
+  }
+  removePort(port) {
+    this.runtime.ports = this.runtime.ports.filter((candidate) => candidate !== port);
+  }
+  async sha256(remotePath) {
+    const exists = await this.test(`[ -f ${shellQuote(remotePath)} ]`);
+    if (!exists) return null;
+    const out = await this.output(`sha256sum ${shellQuote(remotePath)}`);
+    return out.split(new RegExp("\\s+", "v"))[0] ?? null;
+  }
+  async test(command) {
+    try {
+      const result = await this.exec(command, { ignoreExitCode: true, silent: true });
+      return result.code === 0;
+    } catch {
+      return false;
+    }
+  }
+  updateHost(host) {
+    this.runtime.host = host;
+  }
+  async uploadFile(localPath, remotePath, options) {
+    const client = this.ensureClient();
+    const temporaryPath = await this.createRemoteWritableTempPath(remotePath, "paratix-upload");
+    const temporaryMode = options?.mode ?? "0600";
+    try {
+      await sftpUpload(client, localPath, temporaryPath);
+      await this.setRemoteTempMode(temporaryPath, temporaryMode);
+      await this.finalizeRemoteTempFile(temporaryPath, remotePath, temporaryMode);
+    } finally {
+      try {
+        await this.cleanupRemoteTempFile(temporaryPath);
+      } catch (cleanupError) {
+        process.stderr.write(
+          `Warning: failed to remove temp file ${temporaryPath}: ${maskSecrets(String(cleanupError), this.buildSecrets())}
+`
+        );
+      }
+    }
+  }
+  /**
+   * Write a string to a remote file atomically via write-to-temp + mv.
+   *
+   * The content is first written to a local temporary file, uploaded via SFTP
+   * to a remote temporary file, then moved to the final destination with `mv`.
+   * This ensures the target file is never left in a half-written state.
+   *
+   * @param remotePath - Destination path on the remote host.
+   * @param content - The string content to write.
+   * @param options - Settings for the remote write.
+   * @param options.mode - File mode to set via `chmod` on the temp file before moving (e.g. `"0644"`).
+   */
+  async writeFile(remotePath, content, options) {
+    const client = this.ensureClient();
+    const localTemporary = join3(tmpdir(), `paratix-write-${randomUUID2()}`);
+    const remoteTemporary = await this.createRemoteWritableTempPath(remotePath, "paratix-write");
+    const temporaryMode = resolveWriteFileMode(
+      remotePath,
+      options
+    );
+    try {
+      writeFileSync(localTemporary, content, { mode: 384 });
+      await sftpUpload(client, localTemporary, remoteTemporary);
+      await this.setRemoteTempMode(remoteTemporary, temporaryMode);
+      await this.finalizeRemoteTempFile(remoteTemporary, remotePath, temporaryMode);
+    } finally {
+      try {
+        unlinkSync2(localTemporary);
+      } catch {
+      }
+      try {
+        await this.cleanupRemoteTempFile(remoteTemporary);
+      } catch (cleanupError) {
+        process.stderr.write(
+          `Warning: failed to remove temp file ${remoteTemporary}: ${maskSecrets(String(cleanupError), this.buildSecrets())}
+`
+        );
+      }
+    }
+  }
+  buildEnvPrefix(environment) {
+    if (environment == null) return "";
+    for (const key of Object.keys(environment)) {
+      if (!new RegExp("^[A-Za-z_]\\w*$", "v").test(key)) {
+        throw new Error(`Invalid environment variable name: ${key}`);
+      }
+    }
+    const pairs = Object.entries(environment).map(([k, v]) => `${k}=${shellQuote(v)}`);
+    return `${pairs.join(" ")} `;
+  }
+  buildSecrets(extra) {
+    const cachedPasswordSecret = this.cachedSudoPassword == null ? [] : [() => this.cachedSudoPassword?.toString("utf8") ?? ""];
+    return [...cachedPasswordSecret, ...extra ?? []];
+  }
+  async cacheAndValidateSudoPassword(password) {
+    if (password.includes("\n") || password.includes("\r")) {
+      throw new Error("Sudo password must not contain newline characters");
+    }
+    this.cachedSudoPassword = Buffer.from(password);
+    try {
+      await this.execPrepared("true", { silent: true, timeout: 1e4 });
+      this.sudoReady = true;
+    } catch (error) {
+      const masked = maskSecrets(String(error), [password]);
+      this.clearCachedPassword();
+      throw new Error(`Sudo authentication failed: ${masked}`, { cause: error });
+    }
+  }
+  async cleanupRemoteTempFile(remotePath) {
+    const cleanup = this.config.user === "root" ? this.exec(`rm -f ${shellQuote(remotePath)}`, { silent: true }) : this.execWithoutSudo(`rm -f ${shellQuote(remotePath)}`);
+    await cleanup;
+  }
+  clearCachedPassword() {
+    if (this.cachedSudoPassword != null) {
+      this.cachedSudoPassword.fill(0);
+      this.cachedSudoPassword = null;
+    }
+  }
+  async connectViaAgent(options) {
+    const agent = process.env.SSH_AUTH_SOCK;
+    if (agent == null || agent.length === 0) {
+      if (await this.tryPasswordFallback(options)) return;
+      if (this.config.passwordFallback) {
+        throw new Error(
+          `Failed to connect to ${this.runtime.host} on ports: ${this.runtime.ports.join(", ")}`
+        );
+      }
+      throw new Error("No privateKey configured and SSH_AUTH_SOCK is not set");
+    }
+    try {
+      await stat(agent);
+    } catch {
+      throw new Error(`SSH_AUTH_SOCK points to non-existent path: ${agent}`);
+    }
+    if (await this.tryConnectOnPorts(void 0, void 0, agent)) {
+      this.agentSocket = agent;
+      this.authMethod = "agent";
+      return;
+    }
+    if (await this.tryPasswordFallback(options, agent)) return;
+    throw new Error(
+      `Could not connect to ${this.runtime.host} via SSH agent on ports ${this.runtime.ports.join(", ")}`
+    );
+  }
+  async connectViaPrivateKey(options) {
+    const privateKeyPath = this.config.privateKey;
+    if (privateKeyPath == null) {
+      throw new Error("connectViaPrivateKey requires config.privateKey");
+    }
+    const privateKey = await readFile(expandHomePath(privateKeyPath));
+    try {
+      if (await this.tryConnectOnPorts(privateKey)) {
+        this.authMethod = "privateKey";
+        return;
+      }
+      if (this.config.passwordFallback) {
+        const password = await promptTerminal(
+          `Password for ${this.config.user}@${this.runtime.host}: `,
+          true,
+          options
+        );
+        if (await this.tryConnectOnPorts(privateKey, password)) {
+          this.authMethod = "password";
+          return;
+        }
+      }
+      throw new Error(
+        `Failed to connect to ${this.runtime.host} on ports: ${this.runtime.ports.join(", ")}`
+      );
+    } finally {
+      privateKey.fill(0);
+    }
+  }
+  async createRemoteTempPath(command, prefix) {
+    const path = this.config.user === "root" ? await this.output(command) : await this.outputWithoutSudo(command);
+    return validateMktempPath("/tmp", path, prefix);
+  }
+  async createRemoteTempPathInDestination(remotePath, prefix) {
+    const directory = posix.dirname(remotePath);
+    const template = `${directory}/${prefix}.XXXXXX`;
+    const command = `mktemp ${shellQuote(template)}`;
+    const path = this.config.user === "root" ? await this.output(command) : await this.outputWithoutSudo(command);
+    return validateMktempPath(directory, path, prefix);
+  }
+  async createRemoteWritableTempPath(remotePath, prefix) {
+    if (this.config.user === "root") {
+      return this.createRemoteTempPathInDestination(remotePath, prefix);
+    }
+    return this.createRemoteTempPath(`mktemp '/tmp/${prefix}.XXXXXX'`, prefix);
+  }
+  createSettledCallbacks(resolve, reject) {
+    let settled = false;
+    const wrappedReject = (reason) => {
+      if (settled) return;
+      settled = true;
+      this.pendingRejects.delete(wrappedReject);
+      reject(reason);
+    };
+    const wrappedResolve = (value) => {
+      if (settled) return;
+      settled = true;
+      this.pendingRejects.delete(wrappedReject);
+      resolve(value);
+    };
+    this.pendingRejects.add(wrappedReject);
+    return { wrappedReject, wrappedResolve };
+  }
+  /** Tear down the SSH transport without touching the cached sudo password. */
+  disconnectTransport() {
+    if (this.client) {
+      this.client.end();
+      this.client = null;
+    }
+    const error = new Error("SSH connection closed");
+    for (const rejectFunction of this.pendingRejects) {
+      rejectFunction(error);
+    }
+    this.pendingRejects.clear();
+  }
+  ensureClient() {
+    if (!this.client) throw new Error("SSH not connected");
+    return this.client;
+  }
+  /** Verify that `sudo` is available on the remote host. */
+  async ensureSudoInstalled() {
+    const result = await this.execRaw("command -v sudo");
+    if (result.exitCode !== 0) {
+      throw new Error("sudo is not installed on the remote host");
+    }
+  }
+  async ensureSudoReady() {
+    if (this.config.user === "root" || this.sudoReady) return;
+    if (this.cachedSudoPassword != null) {
+      this.sudoReady = true;
+      return;
+    }
+    if (this.sudoProbePromise != null) {
+      await this.sudoProbePromise;
+      return;
+    }
+    this.sudoProbePromise = this.probeSudo({ abortSignal: this.promptAbortSignal }).finally(() => {
+      this.sudoProbePromise = null;
+    });
+    await this.sudoProbePromise;
+  }
+  async execPrepared(command, options = {}) {
+    const client = this.ensureClient();
+    const environmentPrefix = this.buildEnvPrefix(options.env);
+    const { command: cmd, needsPassword } = this.sudoCommand(command, environmentPrefix);
+    return new Promise((resolve, reject) => {
+      const { wrappedReject, wrappedResolve } = this.createSettledCallbacks(
+        resolve,
+        reject
+      );
+      const timeout = options.timeout ?? COMMAND_TIMEOUT;
+      const secrets = this.buildSecrets(options.secrets);
+      let activeStream = null;
+      const timer = setTimeout(() => {
+        activeStream?.close();
+        wrappedReject(
+          new Error(`Command timed out after ${timeout}ms: ${maskSecrets(command, secrets)}`)
+        );
+      }, timeout);
+      client.exec(cmd, (error, stream) => {
+        if (error) {
+          clearTimeout(timer);
+          wrappedReject(error);
+          return;
+        }
+        activeStream = stream;
+        collectStreamOutput({
+          command,
+          options,
+          reject: wrappedReject,
+          resolve: wrappedResolve,
+          secrets,
+          stream,
+          timer
+        });
+        if (needsPassword && this.cachedSudoPassword != null) {
+          this.writeSudoPassword(stream);
+        }
+      });
+    });
+  }
+  /**
+   * Execute a command directly over the SSH transport without sudo wrapping.
+   * Used only by {@link probeSudo} to check whether `sudo` is installed.
+   *
+   * @param command - The raw shell command to run.
+   * @returns The exit code and captured stdout.
+   */
+  async execRaw(command) {
+    const client = this.ensureClient();
+    return new Promise((resolve, reject) => {
+      const { wrappedReject, wrappedResolve } = this.createSettledCallbacks(resolve, reject);
+      let activeStream = null;
+      const timer = setTimeout(() => {
+        activeStream?.close();
+        wrappedReject(new Error(`Command timed out after ${COMMAND_TIMEOUT}ms: ${command}`));
+      }, COMMAND_TIMEOUT);
+      client.exec(command, (error, stream) => {
+        if (error) {
+          clearTimeout(timer);
+          wrappedReject(error);
+          return;
+        }
+        activeStream = stream;
+        const chunks = [];
+        stream.on("data", (chunk) => {
+          chunks.push(chunk);
+        });
+        stream.on("close", (code) => {
+          clearTimeout(timer);
+          wrappedResolve({
+            exitCode: normalizeSshCloseCode(code),
+            stdout: Buffer.concat(chunks).toString("utf8")
+          });
+        });
+        stream.stderr.on("data", () => {
+        });
+      });
+    });
+  }
+  async execWithoutSudo(command) {
+    const result = await this.execRaw(command);
+    if (result.exitCode !== 0) {
+      throw new Error(`Command failed (exit code ${result.exitCode}): ${command}`);
+    }
+  }
+  async finalizeRemoteTempFile(temporaryPath, remotePath, mode) {
+    validateMode(mode);
+    if (this.config.user === "root") {
+      await this.exec(`mv ${shellQuote(temporaryPath)} ${shellQuote(remotePath)}`, {
+        silent: true
+      });
+      return;
+    }
+    const directory = posix.dirname(remotePath);
+    const basename = posix.basename(remotePath);
+    const finalTemplate = `${directory}/.${basename}.paratix.XXXXXX`;
+    const finalizeScript = `
+target_owner=$(stat -c '%u:%g' ${shellQuote(remotePath)} 2>/dev/null || printf '0:0')
+target_temp=''
+cleanup() {
+  if [ -n "$target_temp" ]; then
+    rm -f "$target_temp"
+  fi
+}
+trap cleanup EXIT
+target_temp=$(mktemp ${shellQuote(finalTemplate)})
+mv ${shellQuote(temporaryPath)} "$target_temp"
+chmod ${shellQuote(mode)} "$target_temp"
+chown "$target_owner" "$target_temp"
+mv "$target_temp" ${shellQuote(remotePath)}
+trap - EXIT
+`;
+    await this.exec(finalizeScript, { silent: true });
+  }
+  async hasPasswordlessSudo() {
+    try {
+      await this.execPrepared("true", { silent: true, timeout: 1e4 });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  isSudoReadyWithoutProbe() {
+    return this.config.user === "root" || this.cachedSudoPassword != null;
+  }
+  async outputWithoutSudo(command) {
+    const result = await this.execRaw(command);
+    if (result.exitCode !== 0) {
+      throw new Error(`Command failed (exit code ${result.exitCode}): ${command}`);
+    }
+    return result.stdout.trim();
+  }
+  async promptAndCacheSudoPassword() {
+    const password = await promptTerminal(
+      `[sudo] password for ${this.config.user}@${this.runtime.host}: `,
+      true,
+      { abortSignal: this.promptAbortSignal }
+    );
+    await this.cacheAndValidateSudoPassword(password);
+  }
+  async setRemoteTempMode(remotePath, mode) {
+    validateMode(mode);
+    const command = `chmod ${shellQuote(mode)} ${shellQuote(remotePath)}`;
+    if (this.config.user === "root") {
+      await this.exec(command, { silent: true });
+      return;
+    }
+    await this.execWithoutSudo(command);
+  }
+  /**
+   * Build the sudo-wrapped command string for execution.
+   *
+   * @param command - The raw command to execute.
+   * @param environmentPrefix - Optional env var prefix string.
+   * @returns An object with the final command and whether a password must be written to stdin.
+   */
+  sudoCommand(command, environmentPrefix = "") {
+    if (this.config.user === "root") {
+      return { command: `${environmentPrefix}${command}`, needsPassword: false };
+    }
+    const quoted = shellQuote(`${environmentPrefix}${command}`);
+    if (this.cachedSudoPassword != null) {
+      return { command: `SUDO_PROMPT='' sudo -S bash -c ${quoted}`, needsPassword: true };
+    }
+    return { command: `sudo bash -c ${quoted}`, needsPassword: false };
+  }
+  /**
+   * Iterate over `config.ports` and attempt a connection on each one.
+   *
+   * @param privateKey - PEM-encoded private key content, or `undefined` when using agent auth.
+   * @param password - Optional password for keyboard-interactive fallback.
+   * @param agent - SSH agent socket path (e.g. `SSH_AUTH_SOCK`). Used when `privateKey` is absent.
+   * @returns `true` if a port connected successfully, `false` if all ports failed.
+   */
+  async tryConnectOnPorts(privateKey, password, agent) {
+    const mode = this.config.strictHostKeyChecking ?? "yes";
+    for (const port of this.runtime.ports) {
+      try {
+        const client = new Client();
+        const verifier = buildHostVerifier(
+          mode,
+          { host: this.runtime.host, port },
+          {
+            expectedHostFingerprint: this.config.expectedHostFingerprint,
+            expectedHostPublicKey: this.config.expectedHostPublicKey
+          }
+        );
+        const wrappedVerifier = this.wrapHostVerifier(verifier.hostVerifier);
+        await tryConnectOnPort({
+          agent,
+          agentForward: this.config.agentForward,
+          client,
+          host: this.runtime.host,
+          hostVerifier: wrappedVerifier,
+          password,
+          port,
+          privateKey,
+          username: this.config.user
+        });
+        if (verifier.pendingPersist != null) await verifier.pendingPersist;
+        client.on("close", () => {
+          const error = new Error("SSH connection closed unexpectedly");
+          for (const rejectFunction of this.pendingRejects) {
+            rejectFunction(error);
+          }
+          this.pendingRejects.clear();
+        });
+        this.client = client;
+        this.connectedPort = port;
+        return true;
+      } catch (error) {
+        if (error instanceof HostKeyVerificationError) throw error;
+      }
+    }
+    return false;
+  }
+  async tryPasswordFallback(options, agent) {
+    if (!this.config.passwordFallback) return false;
+    const password = await promptTerminal(
+      `Password for ${this.config.user}@${this.runtime.host}: `,
+      true,
+      options
+    );
+    if (!await this.tryConnectOnPorts(void 0, password, agent)) return false;
+    this.authMethod = "password";
+    return true;
+  }
+  /**
+   * Wrap a host-key verifier to pin the accepted key on first connection and
+   * reject key changes on subsequent connections (reconnects).
+   *
+   * @param original - The original verifier from `buildHostVerifier`, if any.
+   * @returns A verifier that enforces host-key pinning.
+   */
+  wrapHostVerifier(original) {
+    return (key) => {
+      if (this.pinnedHostKey != null && (this.pinnedHostKey.length !== key.length || !timingSafeEqual2(this.pinnedHostKey, key))) {
+        this.clearCachedPassword();
+        throw new HostKeyVerificationError(
+          `HOST KEY CHANGED on reconnect to ${this.runtime.host}: the remote host key does not match the key from the initial connection. This could indicate a man-in-the-middle attack.`
+        );
+      }
+      if (original != null) {
+        const accepted = original(key);
+        if (!accepted) return false;
+        this.verifiedHostKey ??= Buffer.from(key);
+      }
+      this.pinnedHostKey ??= Buffer.from(key);
+      return true;
+    };
+  }
+  /**
+   * Write the cached sudo password followed by a newline to the given stream.
+   *
+   * @param stream - The SSH channel to write the password to.
+   */
+  writeSudoPassword(stream) {
+    stream.write(this.cachedSudoPassword);
+    stream.write("\n");
+  }
+};
+
+// src/environment.ts
+import { readFile as readFile2 } from "fs/promises";
+async function resolveEnvironment(environment, key) {
+  const value = environment[key];
+  if (value === void 0) {
+    throw new Error(`Env key "${key}" is not defined`);
+  }
+  if (typeof value === "function") {
+    return value();
+  }
+  return value;
+}
+async function loadDotEnvironment(filePath) {
+  const content = await readFile2(filePath, "utf8");
+  const environment = {};
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#")) continue;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = trimmed.slice(0, eqIndex).trim();
+    environment[key] = processValue(trimmed.slice(eqIndex + 1).trim());
+  }
+  return environment;
+}
+function processValue(raw) {
+  if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) {
+    return raw.slice(1, -1).replaceAll("\\\\", "\0").replaceAll("\\n", "\n").replaceAll('\\"', '"').replaceAll("\0", "\\");
+  }
+  if (raw.length >= 2 && raw.startsWith("'") && raw.endsWith("'")) {
+    return raw.slice(1, -1);
+  }
+  const commentIndex = raw.search(new RegExp("\\s#", "v"));
+  return commentIndex === -1 ? raw : raw.slice(0, commentIndex).trimEnd();
+}
+function mergeEnvironment(...environments) {
+  const result = {};
+  for (const environment of environments) {
+    if (environment != null) {
+      Object.assign(result, environment);
+    }
+  }
+  return result;
+}
+
+export {
+  validateMode,
+  shellQuote,
+  CommandError,
+  maskSecrets,
+  isValidTcpPort,
+  collectSshConfigErrors,
+  validateSshConfig,
+  environmentMeta,
+  sshdPortMeta,
+  systemHostMeta,
+  systemRebootMeta,
+  meta,
+  isEnvironmentMetaEntry,
+  isStringEnvironmentMetaEntry,
+  isNumberEnvironmentMetaEntry,
+  isBooleanEnvironmentMetaEntry,
+  isLazyEnvironmentMetaEntry,
+  isSshdPortMetaEntry,
+  isSystemHostMetaEntry,
+  isSystemRebootMetaEntry,
+  assertValidModuleMetaEntry,
+  assertValidModuleMetaEntries,
+  mergeEnvironmentFromMeta,
+  environmentToMetaEntries,
+  diffEnvironmentToMetaEntries,
+  resolveEnvironment,
+  loadDotEnvironment,
+  mergeEnvironment,
+  computeFingerprint,
+  SshConnectionImpl
+};
+//# sourceMappingURL=chunk-G3BMCQKU.js.map