perplexity-user-mcp 0.8.36

package/dist/daemon/server.d.ts

@@ -0,0 +1,159 @@
+import { RequestLike } from 'express';
+import { PerplexityClient } from '../client.js';
+import { readAuditTail } from './audit.js';
+import { DaemonTokenRecord } from './token.js';
+import '../config.js';
+import 'patchright';
+
+/**
+ * OAuth consent cache — remembers per-(clientId, redirectUri, resource)
+ * consents so the user isn't prompted every time Claude Desktop / Cursor /
+ * Cline refreshes an access token (which happens on a ~1h cycle).
+ *
+ * Storage: <configDir>/oauth-consent.json, 0600.
+ * Entries carry an absolute `expiresAt` (ms since epoch). On each check
+ * we lazily prune expired entries. Deleting a record is synchronous and
+ * best-effort (if the file is locked we lose the mutation; next write
+ * will overwrite it).
+ *
+ * Key structure: `(clientId, redirectUri, resource)`. After Phase 8.2 H12
+ * the OAuth `resource` parameter (RFC 8707) is part of the audience binding,
+ * so a consent granted for `https://tunnel-a.example/mcp` must NOT
+ * auto-approve a new authorize request for `https://tunnel-b.example/mcp`
+ * even though the clientId + redirectUri match. `resource === undefined` is
+ * a distinct key from any bound resource string — unbound consents (legacy
+ * / loopback clients that don't send the `resource` param) don't
+ * auto-approve bound-resource consents and vice-versa.
+ *
+ * Revoking a consent entry does NOT invalidate already-issued access
+ * tokens — those live 1h anyway; revoking the CLIENT (see
+ * oauth-provider.revokeClient) is the way to invalidate outstanding
+ * tokens. Phase 8.2's dashboard panel composes these two.
+ */
+interface ConsentEntry {
+    clientId: string;
+    redirectUri: string;
+    approvedAt: string;
+    expiresAt: number;
+    /**
+     * RFC 8707 resource binding. `undefined` = unbound (legacy / loopback
+     * clients that don't send the `resource` param at /authorize). Two entries
+     * with the same (clientId, redirectUri) but different `resource` values
+     * (including undefined-vs-string) are DISTINCT cache keys.
+     */
+    resource?: string;
+}
+
+/**
+ * OAuth 2.1 authorization-server provider for the Perplexity MCP daemon.
+ *
+ * Implements the MCP SDK's `OAuthServerProvider` interface. Plugs into
+ * `mcpAuthRouter()` to expose `/authorize`, `/token`, `/register`, `/revoke`
+ * and the `/.well-known/*` metadata endpoints.
+ *
+ * Design:
+ *   - Clients are persisted in `<configDir>/oauth-clients.json` (0600).
+ *   - Authorization codes are in-memory, 2-min TTL, single-use.
+ *   - Access tokens are in-memory, 1-hour TTL.
+ *   - Refresh tokens rotate on each exchange.
+ *   - `verifyAccessToken` accepts either a valid OAuth access token OR the
+ *     daemon's static bearer, so existing loopback callers (extension host
+ *     + CLI) keep working with no changes.
+ *   - `authorize()` defers to a caller-supplied `requestConsent` callback
+ *     which the daemon wires to the VS Code extension's modal. Until the
+ *     user approves or the 2-min timeout elapses, the HTTP response is
+ *     held open.
+ */
+
+interface AuthorizedClientSummary {
+    clientId: string;
+    clientName?: string;
+    registeredAt: number;
+    lastUsedAt?: string;
+    consentLastApprovedAt?: string;
+    activeTokens: number;
+}
+
+type EventPayload = Record<string, unknown>;
+interface DaemonTunnelHealth {
+    status: "disabled" | "starting" | "enabled" | "crashed";
+    url: string | null;
+    pid?: number | null;
+    error?: string | null;
+}
+interface StartDaemonServerOptions {
+    host?: string;
+    port?: number;
+    uuid?: string;
+    version?: string;
+    bearerToken?: string;
+    configDir?: string;
+    createClient?: () => PerplexityClient;
+    onShutdown?: () => Promise<void> | void;
+    onTokenRotated?: (token: DaemonTokenRecord) => Promise<void> | void;
+    getTunnelState?: () => DaemonTunnelHealth;
+    onEnableTunnel?: () => Promise<void> | void;
+    onDisableTunnel?: () => Promise<void> | void;
+    onTunnelAutoDisable?: (info: {
+        failures: number;
+        windowMs: number;
+    }) => Promise<void> | void;
+    /**
+     * Called when an MCP client hits `/authorize` and we need the local user
+     * to approve the consent. Host (the VS Code extension) resolves true to
+     * approve, false to deny. Called with a fresh consent id that the host
+     * posts back to `/daemon/oauth-consent` with its decision.
+     */
+    onOAuthConsentRequest?: (info: {
+        consentId: string;
+        clientId: string;
+        clientName: string;
+        redirectUri: string;
+        /**
+         * RFC 8707 resource the authorize request is targeting. `undefined` when
+         * the client did not include a `resource` param (legacy / loopback).
+         * The extension-host modal MUST display this when present so users can
+         * spot cross-resource replay attempts at consent time.
+         */
+        resource?: string;
+    }) => Promise<void> | void;
+    /** When tunnel is enabled we advertise this as the OAuth issuer. */
+    getTunnelUrl?: () => string | null;
+}
+interface StartedDaemonServer {
+    host: string;
+    port: number;
+    url: string;
+    bearerToken: string;
+    auditPath: string;
+    tokenPath: string;
+    close: () => Promise<void>;
+    publishEvent: (event: string, payload: EventPayload) => void;
+    getHealth: () => Record<string, unknown>;
+    readAuditTail: (limit?: number) => ReturnType<typeof readAuditTail>;
+    /** Returns registered OAuth clients with their current token counts. */
+    listOAuthClients: () => AuthorizedClientSummary[];
+    /** Deletes an OAuth client and all its outstanding tokens. */
+    revokeOAuthClient: (clientId: string) => boolean;
+    /** Deletes every registered OAuth client and invalidates all outstanding tokens. */
+    revokeAllOAuthClients: () => number;
+    /** Extension host resolves a pending /authorize consent. */
+    resolveOAuthConsent: (consentId: string, approved: boolean) => boolean;
+    /** Live non-expired cached consents. */
+    listOAuthConsents: () => ConsentEntry[];
+    /** Revoke cached consents. No args → revoke all. */
+    revokeOAuthConsents: (filter?: {
+        clientId?: string;
+        redirectUri?: string;
+    }) => number;
+}
+declare function startDaemonServer(options?: StartDaemonServerOptions): Promise<StartedDaemonServer>;
+/**
+ * Canonicalize the expected resource identifier (RFC 8707) for this
+ * request. Returns `<scheme>://<host>/mcp` with no trailing slash so the
+ * PRM endpoint, the /authorize→/token binding, and verifyAccessToken's
+ * expectedResource all agree on a single form.
+ */
+declare function resolveRequestResource(req: RequestLike, fallback?: URL): string;
+
+export { type DaemonTunnelHealth, type StartDaemonServerOptions, type StartedDaemonServer, resolveRequestResource, startDaemonServer };

package/dist/daemon/server.mjs

@@ -0,0 +1,20 @@
+import {
+  resolveRequestResource,
+  startDaemonServer
+} from "../chunk-S5VD7WTU.mjs";
+import "../chunk-PE23RMXY.mjs";
+import "../chunk-HTUAQRKH.mjs";
+import "../chunk-Q2VY4R5F.mjs";
+import "../chunk-H4BUAPPO.mjs";
+import "../chunk-Z7DAACGZ.mjs";
+import "../chunk-OF4DMAPJ.mjs";
+import "../chunk-LZPLNZ5U.mjs";
+import "../chunk-LKJMLGFP.mjs";
+import "../chunk-TQLCLE4L.mjs";
+import "../chunk-MTDFKNXX.mjs";
+import "../chunk-XKSWCEGI.mjs";
+import "../chunk-4UEJOM6W.mjs";
+export {
+  resolveRequestResource,
+  startDaemonServer
+};

package/dist/daemon/token.d.ts

@@ -0,0 +1,17 @@
+interface DaemonTokenRecord {
+    bearerToken: string;
+    version: number;
+    createdAt: string;
+    rotatedAt: string;
+}
+interface TokenOptions {
+    tokenPath?: string;
+    now?: () => string;
+}
+declare function getTokenPath(configDir?: string): string;
+declare function generateBearerToken(): string;
+declare function readToken(options?: TokenOptions): DaemonTokenRecord | null;
+declare function ensureToken(options?: TokenOptions): DaemonTokenRecord;
+declare function rotateToken(options?: TokenOptions): DaemonTokenRecord;
+
+export { type DaemonTokenRecord, type TokenOptions, ensureToken, generateBearerToken, getTokenPath, readToken, rotateToken };

package/dist/daemon/token.mjs

@@ -0,0 +1,17 @@
+import {
+  ensureToken,
+  generateBearerToken,
+  getTokenPath,
+  readToken,
+  rotateToken
+} from "../chunk-HTUAQRKH.mjs";
+import "../chunk-MTDFKNXX.mjs";
+import "../chunk-XKSWCEGI.mjs";
+import "../chunk-4UEJOM6W.mjs";
+export {
+  ensureToken,
+  generateBearerToken,
+  getTokenPath,
+  readToken,
+  rotateToken
+};

package/dist/daemon/tunnel-providers/index.d.ts

@@ -0,0 +1,330 @@
+import { spawn } from 'node:child_process';
+import { TunnelState, StartedTunnel } from '../tunnel.js';
+
+type TunnelProviderId = "cf-quick" | "ngrok" | "cf-named";
+interface TunnelProviderStartOptions {
+    port: number;
+    configDir: string;
+    onStateChange: (state: TunnelState) => void;
+}
+interface SetupCheck {
+    ready: boolean;
+    /** User-facing reason the provider isn't ready (e.g. "ngrok authtoken not set"). */
+    reason?: string;
+    /** Optional action hint the dashboard can surface.
+     *
+     * Kinds:
+     *   - "open-url": UI opens `url` in the default browser.
+     *   - "input-authtoken": UI surfaces a text input and posts
+     *     `daemon:set-ngrok-authtoken` back.
+     *   - "install-binary": UI runs the known install-binary flow
+     *     (`daemon:install-cloudflared` for cf-named / cf-quick today).
+     *   - "run-command": UI dispatches the webview message type identified
+     *     by `command` (e.g. `"cf-named-login"` → `daemon:cf-named-login`).
+     *     Preferred over "open-url" when the action has no URL and needs
+     *     a modal-confirmed host-side handler.
+     */
+    action?: {
+        label: string;
+        kind: "open-url" | "input-authtoken" | "install-binary" | "run-command";
+        url?: string;
+        /** Opaque identifier for the command to run (used with kind: "run-command"). */
+        command?: string;
+    };
+}
+interface TunnelProvider {
+    readonly id: TunnelProviderId;
+    readonly displayName: string;
+    /** Brief description surfaced next to the provider in the dashboard picker. */
+    readonly description: string;
+    /**
+     * Returns whether the provider has everything it needs to start a tunnel.
+     * Called before start(); the dashboard also calls this to render a setup widget.
+     */
+    isSetupComplete(configDir: string): Promise<SetupCheck>;
+    /**
+     * Start the tunnel. Must resolve once the public URL is known OR reject if
+     * setup is missing / start fails. onStateChange fires on every state
+     * transition including "starting" and "enabled".
+     */
+    start(options: TunnelProviderStartOptions): Promise<StartedTunnel>;
+}
+interface TunnelProviderStatus {
+    id: TunnelProviderId;
+    displayName: string;
+    description: string;
+    setup: SetupCheck;
+    isActive: boolean;
+}
+
+/**
+ * Cloudflared named-tunnel provider.
+ *
+ * Runs a persistent Cloudflare tunnel that routes a user-owned hostname
+ * (e.g. https://mcp.example.com) to the local daemon HTTP port. Unlike
+ * cloudflared-quick, the URL is stable across restarts.
+ *
+ * Setup (one-time, handled by 8.4.3 UI + 8.4.4 CLI) produces:
+ *   - ~/.cloudflared/cert.pem              (origin cert from `cloudflared login`)
+ *   - ~/.cloudflared/<uuid>.json           (tunnel credentials, written by create)
+ *   - <configDir>/cloudflared-named.yml    (managed ingress config we serialize)
+ *
+ * Port-drift rewrite (load-bearing): the managed YAML embeds the daemon's
+ * loopback port. The daemon picks a fresh OS-assigned port on most restarts,
+ * so the persisted port is almost always stale by the time start() runs. We
+ * rewrite the managed YAML with the current port on every start() — idempotent
+ * atomic writes are cheap, forgetting the rewrite routes cloudflared to a
+ * dead port.
+ *
+ * The managed YAML is treated as provider-owned — hand-edits to add extra
+ * ingress rules WILL be silently dropped on the next start() because we
+ * serialize only the four canonical keys (tunnel / credentials-file /
+ * hostname / service). Warning on drift is deferred to 8.4.3.
+ */
+
+type SpawnFn$1 = typeof spawn;
+interface ProviderDependencies {
+    spawn?: SpawnFn$1;
+    homedir?: () => string;
+}
+/**
+ * Build a provider bound to a specific dependency set. The exported
+ * singleton uses node defaults; tests construct a one-off via
+ * createCloudflaredNamedProvider({ dependencies: { spawn: fakeSpawn } }).
+ */
+declare function createCloudflaredNamedProvider(options?: {
+    dependencies?: ProviderDependencies;
+}): TunnelProvider;
+
+/**
+ * ngrok tunnel provider.
+ *
+ * Uses the official `@ngrok/ngrok` NAPI binding — the tunnel runs in-process
+ * so there's no binary to download and no child process to manage. The ngrok
+ * account authtoken and (optional) reserved domain live in <configDir>/ngrok.json.
+ *
+ * Free-tier ngrok includes one reserved static domain (yourname.ngrok-free.app)
+ * which persists across daemon restarts; callers who leave `domain` unset get
+ * an ephemeral URL that changes on each start.
+ *
+ * NOTE ON LAZY NATIVE LOADING (0.8.6):
+ * `@ngrok/ngrok` ships platform-specific NAPI subpackages
+ * (`@ngrok/ngrok-linux-x64-gnu`, `@ngrok/ngrok-win32-x64-msvc`, …) that are
+ * resolved at module-load time. If the VSIX was packaged on a different OS
+ * than the one activating the extension, the required subpackage may be
+ * missing and `require("@ngrok/ngrok")` throws MODULE_NOT_FOUND. That used to
+ * crash extension activation because the provider registry statically
+ * imported this file. We now defer loading the NAPI binding until a caller
+ * actually needs it (start / kill), and surface a domain-specific
+ * `NgrokNativeMissingError` so the dashboard can show a useful message.
+ */
+
+/**
+ * Error thrown when the `@ngrok/ngrok` native subpackage for the current
+ * platform/arch isn't installed. Callers (dashboard / CLI) should surface the
+ * message to the user instead of letting a raw MODULE_NOT_FOUND propagate.
+ */
+declare class NgrokNativeMissingError extends Error {
+    readonly platform: string;
+    readonly arch: string;
+    readonly cause?: unknown;
+    constructor(cause: unknown);
+}
+interface NgrokModule {
+    forward: (options: Record<string, unknown>) => Promise<NgrokListener>;
+    kill?: () => Promise<void> | void;
+}
+interface NgrokListener {
+    url: () => string | undefined | null;
+    close: () => Promise<void> | void;
+}
+/**
+ * Lazily import `@ngrok/ngrok`. Cached on first success. On
+ * MODULE_NOT_FOUND for either the umbrella package or its platform subpackage,
+ * throws `NgrokNativeMissingError`; every other error propagates as-is so we
+ * don't swallow genuine bugs.
+ */
+declare function loadNgrokNative(): Promise<NgrokModule>;
+/**
+ * Probe whether the native binding would load on this platform, without
+ * actually keeping it cached. Used by `listTunnelProviderStatuses` so we can
+ * surface a `native-missing` setup reason without crashing.
+ */
+declare function isNgrokNativeAvailable(): Promise<{
+    available: true;
+} | {
+    available: false;
+    error: NgrokNativeMissingError;
+}>;
+
+/**
+ * Persistence for ngrok credentials.
+ *
+ * Stored at `<configDir>/ngrok.json` with file mode 0600 (POSIX) or
+ * user-only ACL (Windows). Mirrors the token.ts safety pattern.
+ */
+interface NgrokSettings {
+    authtoken: string;
+    domain?: string;
+    updatedAt: string;
+}
+declare function getNgrokConfigPath(configDir: string): string;
+declare function readNgrokSettings(configDir: string): NgrokSettings | null;
+declare function writeNgrokSettings(configDir: string, next: {
+    authtoken?: string;
+    domain?: string | null;
+}): NgrokSettings;
+declare function clearNgrokSettings(configDir: string): void;
+
+/**
+ * Cloudflared named-tunnel setup helpers.
+ *
+ * Wraps the `cloudflared` CLI to drive a persistent (named) tunnel. Named
+ * tunnels require an origin cert (`~/.cloudflared/cert.pem`), a tunnel UUID
+ * + credentials file, and a YAML config that maps a hostname -> local port.
+ *
+ * This module ships the setup primitives only; provider registration lives in
+ * cloudflared-named.ts (Phase 8.4.2). The dashboard/CLI call these helpers
+ * during the one-time setup flow.
+ */
+
+/**
+ * Minimal spawn signature we rely on — matches the three-arg overload of
+ * `node:child_process.spawn` used for piping stdio and collecting output.
+ * Declared as a type alias so tests can inject a fake implementation.
+ */
+type SpawnFn = typeof spawn;
+interface CloudflaredLoginResult {
+    ok: boolean;
+    certPath: string;
+    stderr?: string;
+}
+interface NamedTunnelSummary {
+    /** cloudflared's tunnel UUID. */
+    uuid: string;
+    /** Human-readable name. */
+    name: string;
+    createdAt?: string;
+    connections?: number;
+}
+interface CreatedTunnel extends NamedTunnelSummary {
+    /** Path to the credentials JSON cloudflared wrote. */
+    credentialsPath: string;
+}
+interface NamedTunnelConfig {
+    uuid: string;
+    /** e.g. "mcp.example.com" */
+    hostname: string;
+    /** Local daemon HTTP port. */
+    port: number;
+    /** Full path to the written .yml. */
+    configPath: string;
+    credentialsPath: string;
+}
+interface DeletedNamedTunnel {
+    uuid: string;
+}
+type DeleteNamedTunnelFailureReason = "active-connections" | "unknown";
+declare class DeleteNamedTunnelError extends Error {
+    readonly reason: DeleteNamedTunnelFailureReason;
+    constructor(message: string, reason: DeleteNamedTunnelFailureReason);
+}
+/**
+ * Runs `cloudflared tunnel login`. Opens a browser. Blocks until the cert
+ * lands at `~/.cloudflared/cert.pem` (or throws on timeout / abort). The
+ * login subprocess is best-effort terminated on resolve/reject.
+ */
+declare function runCloudflaredLogin(options: {
+    configDir: string;
+    binaryPath?: string;
+    signal?: AbortSignal;
+    timeoutMs?: number;
+    /** Override the cert watch location (defaults to `$HOME/.cloudflared/cert.pem`). */
+    certPath?: string;
+    /**
+     * When true, pipe the cloudflared child's stderr AND stdout to the parent
+     * process's stderr so CLI users see the "open this URL in your browser"
+     * prompt (some cloudflared builds emit it on stdout, others on stderr).
+     * Never forwards to parent stdout — the CLI reserves stdout for --json
+     * machine-readable output. Default false (test hermeticity + dashboard
+     * flow that wraps output in notifications instead).
+     */
+    forwardOutput?: boolean;
+    /** Test-only dependency injection seam. */
+    dependencies?: {
+        spawn?: SpawnFn;
+    };
+}): Promise<CloudflaredLoginResult>;
+/**
+ * Runs `cloudflared tunnel list --output=json` and parses. Returns [] on
+ * "no tunnels" (exit 0 + empty list). Throws on binary/cert problems.
+ */
+declare function listNamedTunnels(options: {
+    configDir: string;
+    binaryPath?: string;
+    dependencies?: {
+        spawn?: SpawnFn;
+    };
+}): Promise<NamedTunnelSummary[]>;
+/**
+ * Runs `cloudflared tunnel create <name>`, parses the UUID + credentials
+ * path out of stdout, then runs `cloudflared tunnel route dns <uuid>
+ * <hostname>` to install the CNAME record.
+ */
+declare function createNamedTunnel(options: {
+    configDir: string;
+    name: string;
+    hostname: string;
+    binaryPath?: string;
+    signal?: AbortSignal;
+    dependencies?: {
+        spawn?: SpawnFn;
+    };
+}): Promise<CreatedTunnel>;
+/**
+ * Deletes a remote Cloudflare named tunnel. This is intentionally separate
+ * from clearNamedTunnelConfig(): remote delete can fail even with --force
+ * when DNS still routes traffic and active connections keep the tunnel alive.
+ */
+declare function deleteNamedTunnel(options: {
+    configDir: string;
+    uuid: string;
+    binaryPath?: string;
+    signal?: AbortSignal;
+    dependencies?: {
+        spawn?: SpawnFn;
+    };
+}): Promise<DeletedNamedTunnel>;
+declare function isActiveConnectionDeleteFailure(output: string): boolean;
+declare function getNamedTunnelConfigPath(configDir: string): string;
+/**
+ * Writes `<configDir>/cloudflared-named.yml` describing the tunnel ->
+ * localhost mapping. Uses the temp-file + rename pattern from ngrok-config.ts
+ * and locks file mode to 0600 (POSIX) / user-only ACL (Windows).
+ */
+declare function writeTunnelConfig(options: {
+    configDir: string;
+    uuid: string;
+    hostname: string;
+    port: number;
+    credentialsPath: string;
+}): NamedTunnelConfig;
+/**
+ * Reads + validates the config written by writeTunnelConfig. Returns null
+ * if absent or malformed.
+ */
+declare function readNamedTunnelConfig(configDir: string): NamedTunnelConfig | null;
+declare function clearNamedTunnelConfig(configDir: string): boolean;
+
+declare function getTunnelProvider(id: TunnelProviderId): TunnelProvider;
+declare function listTunnelProviders(): TunnelProvider[];
+interface TunnelSettings {
+    activeProvider: TunnelProviderId;
+    updatedAt: string;
+}
+declare function getTunnelSettingsPath(configDir: string): string;
+declare function readTunnelSettings(configDir: string): TunnelSettings;
+declare function writeTunnelSettings(configDir: string, patch: Partial<TunnelSettings>): TunnelSettings;
+declare function listTunnelProviderStatuses(configDir: string): Promise<TunnelProviderStatus[]>;
+
+export { type CloudflaredLoginResult, type CreatedTunnel, DeleteNamedTunnelError, type DeleteNamedTunnelFailureReason, type DeletedNamedTunnel, type NamedTunnelConfig, type NamedTunnelSummary, NgrokNativeMissingError, type NgrokSettings, type SetupCheck, type TunnelProvider, type TunnelProviderId, type TunnelProviderStatus, type TunnelSettings, clearNamedTunnelConfig, clearNgrokSettings, createCloudflaredNamedProvider, createNamedTunnel, deleteNamedTunnel, getNamedTunnelConfigPath, getNgrokConfigPath, getTunnelProvider, getTunnelSettingsPath, isActiveConnectionDeleteFailure, isNgrokNativeAvailable, listNamedTunnels, listTunnelProviderStatuses, listTunnelProviders, loadNgrokNative, readNamedTunnelConfig, readNgrokSettings, readTunnelSettings, runCloudflaredLogin, writeNgrokSettings, writeTunnelConfig, writeTunnelSettings };

package/dist/daemon/tunnel-providers/index.mjs

@@ -0,0 +1,57 @@
+import {
+  DeleteNamedTunnelError,
+  NgrokNativeMissingError,
+  clearNamedTunnelConfig,
+  clearNgrokSettings,
+  createCloudflaredNamedProvider,
+  createNamedTunnel,
+  deleteNamedTunnel,
+  getNamedTunnelConfigPath,
+  getNgrokConfigPath,
+  getTunnelProvider,
+  getTunnelSettingsPath,
+  isActiveConnectionDeleteFailure,
+  isNgrokNativeAvailable,
+  listNamedTunnels,
+  listTunnelProviderStatuses,
+  listTunnelProviders,
+  loadNgrokNative,
+  readNamedTunnelConfig,
+  readNgrokSettings,
+  readTunnelSettings,
+  runCloudflaredLogin,
+  writeNgrokSettings,
+  writeTunnelConfig,
+  writeTunnelSettings
+} from "../../chunk-KCXM2M4B.mjs";
+import "../../chunk-6YMQVLFX.mjs";
+import "../../chunk-3B276PGG.mjs";
+import "../../chunk-MTDFKNXX.mjs";
+import "../../chunk-XKSWCEGI.mjs";
+import "../../chunk-4UEJOM6W.mjs";
+export {
+  DeleteNamedTunnelError,
+  NgrokNativeMissingError,
+  clearNamedTunnelConfig,
+  clearNgrokSettings,
+  createCloudflaredNamedProvider,
+  createNamedTunnel,
+  deleteNamedTunnel,
+  getNamedTunnelConfigPath,
+  getNgrokConfigPath,
+  getTunnelProvider,
+  getTunnelSettingsPath,
+  isActiveConnectionDeleteFailure,
+  isNgrokNativeAvailable,
+  listNamedTunnels,
+  listTunnelProviderStatuses,
+  listTunnelProviders,
+  loadNgrokNative,
+  readNamedTunnelConfig,
+  readNgrokSettings,
+  readTunnelSettings,
+  runCloudflaredLogin,
+  writeNgrokSettings,
+  writeTunnelConfig,
+  writeTunnelSettings
+};

package/dist/daemon/tunnel.d.ts

@@ -0,0 +1,23 @@
+interface TunnelState {
+    status: "starting" | "enabled" | "disabled" | "crashed";
+    url: string | null;
+    pid: number | null;
+    error?: string | null;
+}
+interface StartTunnelOptions {
+    command: string;
+    args?: string[];
+    port: number;
+    env?: NodeJS.ProcessEnv;
+    onStateChange?: (state: TunnelState) => void;
+}
+interface StartedTunnel {
+    pid: number;
+    waitUntilReady: Promise<string>;
+    stop: () => Promise<void>;
+    getState: () => TunnelState;
+}
+declare function startTunnel(options: StartTunnelOptions): StartedTunnel;
+declare function extractTunnelUrl(line: string): string | null;
+
+export { type StartTunnelOptions, type StartedTunnel, type TunnelState, extractTunnelUrl, startTunnel };

package/dist/daemon/tunnel.mjs

@@ -0,0 +1,9 @@
+import {
+  extractTunnelUrl,
+  startTunnel
+} from "../chunk-6YMQVLFX.mjs";
+import "../chunk-4UEJOM6W.mjs";
+export {
+  extractTunnelUrl,
+  startTunnel
+};

package/dist/doctor-report.d.ts

@@ -0,0 +1,24 @@
+import { DoctorReport, DoctorCategory } from './doctor.d-CXmUqOXX.js';
+
+declare function buildIssueBody(input: {
+  report: DoctorReport;
+  stderrTail: string;
+  extVersion: string;
+  nodeVersion: string;
+  os: string;
+  activeTier?: string | null;
+}): string;
+
+declare function redactIssueBody(md: string): string;
+
+declare function decideTransport(input: { bodyBytes: number }): "inline" | "file";
+
+declare function buildIssueUrl(input: {
+  owner: string;
+  repo: string;
+  category: DoctorCategory | string;
+  check: string;
+  body: string;
+}): string;
+
+export { buildIssueBody, buildIssueUrl, decideTransport, redactIssueBody };

package/dist/doctor-report.mjs

@@ -0,0 +1,14 @@
+import {
+  buildIssueBody,
+  buildIssueUrl,
+  decideTransport,
+  redactIssueBody
+} from "./chunk-DPGMKSSA.mjs";
+import "./chunk-HMKLWVXB.mjs";
+import "./chunk-4UEJOM6W.mjs";
+export {
+  buildIssueBody,
+  buildIssueUrl,
+  decideTransport,
+  redactIssueBody
+};