ssh-mcp-pro 1.0.0

package/dist/transfer.js

@@ -0,0 +1,363 @@
+import * as fs from "fs";
+import * as path from "path";
+import { createHash } from "node:crypto";
+import { createFilesystemError } from "./errors.js";
+import { logger } from "./logging.js";
+import { SSHMCPError } from "./types.js";
+function sha256(data) {
+    return createHash("sha256").update(data).digest("hex");
+}
+function validateLocalPathInput(localPath) {
+    if (localPath.trim().length === 0) {
+        throw createFilesystemError("Local path must not be empty");
+    }
+    if (localPath.includes("\0")) {
+        throw createFilesystemError("Local path contains NUL byte");
+    }
+}
+function resolveAbsoluteLocalPath(localPath) {
+    validateLocalPathInput(localPath);
+    return path.resolve(localPath);
+}
+function isMissingPathError(error) {
+    return error?.code === "ENOENT";
+}
+async function resolveLocalReadPath(localPath) {
+    const absolutePath = resolveAbsoluteLocalPath(localPath);
+    try {
+        return await fs.promises.realpath(absolutePath);
+    }
+    catch (error) {
+        throw createFilesystemError(`Local path ${localPath} could not be resolved for reading`, error instanceof Error ? error.message : undefined);
+    }
+}
+async function resolveLocalWritePath(localPath) {
+    const absolutePath = resolveAbsoluteLocalPath(localPath);
+    const parentPath = path.dirname(absolutePath);
+    let parentCanonicalPath;
+    try {
+        parentCanonicalPath = await fs.promises.realpath(parentPath);
+    }
+    catch (error) {
+        throw createFilesystemError(`Local parent directory ${parentPath} could not be resolved for writing`, error instanceof Error ? error.message : undefined);
+    }
+    try {
+        const targetCanonicalPath = await fs.promises.realpath(absolutePath);
+        return {
+            absolutePath,
+            canonicalPath: targetCanonicalPath,
+            parentCanonicalPath,
+            action: "transfer.local.overwrite",
+        };
+    }
+    catch (error) {
+        if (!isMissingPathError(error)) {
+            throw createFilesystemError(`Local path ${localPath} could not be resolved for writing`, error instanceof Error ? error.message : undefined);
+        }
+    }
+    return {
+        absolutePath,
+        canonicalPath: path.join(parentCanonicalPath, path.basename(absolutePath)),
+        parentCanonicalPath,
+        action: "transfer.local.create",
+    };
+}
+async function authorizeLocalReadPath(localPath, mode, policy) {
+    const canonicalPath = await resolveLocalReadPath(localPath);
+    policy.assertAllowed({
+        action: "transfer.local.read",
+        path: canonicalPath,
+        mode,
+    });
+    return canonicalPath;
+}
+async function readStableLocalFile(canonicalLocalPath, maxTransferBytes) {
+    const noFollowFlag = fs.constants.O_NOFOLLOW ?? 0;
+    const flags = fs.constants.O_RDONLY | noFollowFlag;
+    let handle;
+    try {
+        handle = await fs.promises.open(canonicalLocalPath, flags);
+        const stats = await handle.stat();
+        if (!stats.isFile()) {
+            throw createFilesystemError(`Local path ${canonicalLocalPath} is not a regular file`);
+        }
+        if (stats.size > maxTransferBytes) {
+            throw createFilesystemError(`Transfer exceeds maxTransferBytes (${maxTransferBytes})`, "Use a smaller file or raise SSH_MCP_MAX_TRANSFER_BYTES intentionally.");
+        }
+        const content = await handle.readFile();
+        if (content.length !== stats.size) {
+            throw createFilesystemError(`Local file ${canonicalLocalPath} changed while it was read`, "Retry the upload after the file is stable.");
+        }
+        return { content, size: stats.size };
+    }
+    catch (error) {
+        if (error instanceof SSHMCPError) {
+            throw error;
+        }
+        throw createFilesystemError(`Local path ${canonicalLocalPath} could not be read for upload`, error instanceof Error ? error.message : undefined);
+    }
+    finally {
+        await handle?.close();
+    }
+}
+async function authorizeLocalWritePath(localPath, mode, policy) {
+    const resolved = await resolveLocalWritePath(localPath);
+    policy.assertAllowed({
+        action: resolved.action,
+        path: resolved.canonicalPath,
+        secondaryPath: resolved.parentCanonicalPath,
+        mode,
+    });
+    return resolved;
+}
+function sftpWriteFile(sftp, remotePath, data) {
+    return new Promise((resolve, reject) => {
+        sftp.writeFile(remotePath, data, {}, (err) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve();
+        });
+    });
+}
+function sftpReadFile(sftp, remotePath) {
+    return new Promise((resolve, reject) => {
+        sftp.readFile(remotePath, (err, data) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve(data);
+        });
+    });
+}
+function sftpStat(sftp, remotePath) {
+    return new Promise((resolve, reject) => {
+        sftp.stat(remotePath, (err, stats) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve(stats);
+        });
+    });
+}
+export function createTransferService({ sessionManager, metrics, policy, config, }) {
+    async function uploadFileWithProgress(localPath, remotePath, options) {
+        const { sessionId, onProgress } = options;
+        logger.debug("Starting file upload with progress", {
+            sessionId,
+            localPath,
+            remotePath,
+        });
+        const session = sessionManager.getSession(sessionId);
+        if (!session) {
+            throw createFilesystemError("Session not found or expired");
+        }
+        if (!session.sftp) {
+            throw createFilesystemError("SFTP subsystem is unavailable for this session");
+        }
+        const decision = policy.assertAllowed({
+            action: "transfer.upload",
+            path: remotePath,
+            mode: session.info.policyMode,
+        });
+        if (decision.mode === "explain") {
+            return {
+                success: true,
+                filename: path.basename(localPath),
+                size: 0,
+                durationMs: 0,
+                averageSpeed: 0,
+                sha256: "",
+                verified: false,
+            };
+        }
+        const canonicalLocalPath = await authorizeLocalReadPath(localPath, session.info.policyMode, policy);
+        const startTime = Date.now();
+        const filename = path.basename(canonicalLocalPath);
+        try {
+            const { content: fileContent, size: totalSize } = await readStableLocalFile(canonicalLocalPath, config.maxTransferBytes);
+            const localSha256 = sha256(fileContent);
+            await sftpWriteFile(session.sftp, remotePath, fileContent);
+            const remoteContent = await sftpReadFile(session.sftp, remotePath);
+            const remoteSha256 = sha256(remoteContent);
+            const verified = localSha256 === remoteSha256;
+            if (!verified) {
+                throw createFilesystemError(`Transfer verification failed for ${remotePath}`, "Remote SHA-256 does not match the local file after upload");
+            }
+            if (onProgress) {
+                const elapsed = (Date.now() - startTime) / 1000 || 1;
+                onProgress({
+                    filename,
+                    transferred: totalSize,
+                    total: totalSize,
+                    percentage: 100,
+                    bytesPerSecond: totalSize / elapsed,
+                    eta: 0,
+                });
+            }
+            const durationMs = Date.now() - startTime;
+            const averageSpeed = totalSize / ((durationMs || 1) / 1000);
+            logger.info("File upload completed", {
+                sessionId,
+                filename,
+                size: totalSize,
+                durationMs,
+                averageSpeed,
+                sha256: localSha256,
+            });
+            metrics.recordTransfer("upload", totalSize);
+            return {
+                success: true,
+                filename,
+                size: totalSize,
+                durationMs,
+                averageSpeed,
+                sha256: localSha256,
+                verified,
+            };
+        }
+        catch (error) {
+            if (error instanceof SSHMCPError) {
+                throw error;
+            }
+            logger.error("File upload failed", { sessionId, localPath, error });
+            throw createFilesystemError(`Failed to upload ${localPath}: ${error}`);
+        }
+    }
+    async function downloadFileWithProgress(remotePath, localPath, options) {
+        const { sessionId, onProgress } = options;
+        logger.debug("Starting file download with progress", {
+            sessionId,
+            remotePath,
+            localPath,
+        });
+        const session = sessionManager.getSession(sessionId);
+        if (!session) {
+            throw createFilesystemError("Session not found or expired");
+        }
+        if (!session.sftp) {
+            throw createFilesystemError("SFTP subsystem is unavailable for this session");
+        }
+        const decision = policy.assertAllowed({
+            action: "transfer.download",
+            path: remotePath,
+            mode: session.info.policyMode,
+        });
+        if (decision.mode === "explain") {
+            return {
+                success: true,
+                filename: path.basename(remotePath),
+                size: 0,
+                durationMs: 0,
+                averageSpeed: 0,
+                sha256: "",
+                verified: false,
+            };
+        }
+        const startTime = Date.now();
+        const filename = path.basename(remotePath);
+        try {
+            const targetPath = await authorizeLocalWritePath(localPath, session.info.policyMode, policy);
+            const stats = await sftpStat(session.sftp, remotePath);
+            const totalSize = stats.size ?? 0;
+            if (totalSize > config.maxTransferBytes) {
+                throw createFilesystemError(`Transfer exceeds maxTransferBytes (${config.maxTransferBytes})`, "Use a smaller file or raise SSH_MCP_MAX_TRANSFER_BYTES intentionally.");
+            }
+            const data = await sftpReadFile(session.sftp, remotePath);
+            const remoteSha256 = sha256(data);
+            const tempLocalPath = `${targetPath.absolutePath}.tmp.${Date.now()}`;
+            const tempPath = await authorizeLocalWritePath(tempLocalPath, session.info.policyMode, policy);
+            await fs.promises.writeFile(tempPath.absolutePath, data, { flag: "wx" });
+            const tempReadPath = await authorizeLocalReadPath(tempPath.absolutePath, session.info.policyMode, policy);
+            const localData = await fs.promises.readFile(tempReadPath);
+            const localSha256 = sha256(localData);
+            const verified = remoteSha256 === localSha256;
+            if (!verified) {
+                await fs.promises.rm(tempPath.absolutePath, { force: true });
+                throw createFilesystemError(`Transfer verification failed for ${remotePath}`, "Local SHA-256 does not match the remote file after download");
+            }
+            const finalTargetPath = await authorizeLocalWritePath(localPath, session.info.policyMode, policy);
+            await fs.promises.rename(tempPath.absolutePath, finalTargetPath.absolutePath);
+            if (onProgress) {
+                const elapsed = (Date.now() - startTime) / 1000 || 1;
+                onProgress({
+                    filename,
+                    transferred: totalSize,
+                    total: totalSize,
+                    percentage: 100,
+                    bytesPerSecond: totalSize / elapsed,
+                    eta: 0,
+                });
+            }
+            const durationMs = Date.now() - startTime;
+            const averageSpeed = totalSize / ((durationMs || 1) / 1000);
+            logger.info("File download completed", {
+                sessionId,
+                filename,
+                size: totalSize,
+                durationMs,
+                averageSpeed,
+                sha256: remoteSha256,
+            });
+            metrics.recordTransfer("download", totalSize);
+            return {
+                success: true,
+                filename,
+                size: totalSize,
+                durationMs,
+                averageSpeed,
+                sha256: remoteSha256,
+                verified,
+            };
+        }
+        catch (error) {
+            if (error instanceof SSHMCPError) {
+                throw error;
+            }
+            logger.error("File download failed", { sessionId, remotePath, error });
+            throw createFilesystemError(`Failed to download ${remotePath}: ${error}`);
+        }
+    }
+    return {
+        uploadFileWithProgress,
+        downloadFileWithProgress,
+    };
+}
+export function formatSpeed(bytesPerSecond) {
+    if (bytesPerSecond >= 1024 * 1024) {
+        return `${(bytesPerSecond / (1024 * 1024)).toFixed(2)} MB/s`;
+    }
+    if (bytesPerSecond >= 1024) {
+        return `${(bytesPerSecond / 1024).toFixed(2)} KB/s`;
+    }
+    return `${bytesPerSecond.toFixed(0)} B/s`;
+}
+export function formatSize(bytes) {
+    if (bytes >= 1024 * 1024 * 1024) {
+        return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
+    }
+    if (bytes >= 1024 * 1024) {
+        return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
+    }
+    if (bytes >= 1024) {
+        return `${(bytes / 1024).toFixed(2)} KB`;
+    }
+    return `${bytes} B`;
+}
+export function formatETA(seconds) {
+    if (seconds < 60) {
+        return `${Math.ceil(seconds)}s`;
+    }
+    if (seconds < 3600) {
+        const mins = Math.floor(seconds / 60);
+        const secs = Math.ceil(seconds % 60);
+        return `${mins}m ${secs}s`;
+    }
+    const hours = Math.floor(seconds / 3600);
+    const mins = Math.floor((seconds % 3600) / 60);
+    return `${hours}h ${mins}m`;
+}
+//# sourceMappingURL=transfer.js.map

package/dist/transfer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"transfer.js","sourceRoot":"","sources":["../src/transfer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAKtC,OAAO,EAAE,WAAW,EAAmB,MAAM,YAAY,CAAC;AA0D1D,SAAS,MAAM,CAAC,IAAY;IAC1B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,sBAAsB,CAAC,SAAiB;IAC/C,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,MAAM,qBAAqB,CAAC,8BAA8B,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,qBAAqB,CAAC,8BAA8B,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED,SAAS,wBAAwB,CAAC,SAAiB;IACjD,sBAAsB,CAAC,SAAS,CAAC,CAAC;IAClC,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAc;IACxC,OAAQ,KAA2C,EAAE,IAAI,KAAK,QAAQ,CAAC;AACzE,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,SAAiB;IACnD,MAAM,YAAY,GAAG,wBAAwB,CAAC,SAAS,CAAC,CAAC;IACzD,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,qBAAqB,CACzB,cAAc,SAAS,oCAAoC,EAC3D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CACnD,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,SAAiB;IACpD,MAAM,YAAY,GAAG,wBAAwB,CAAC,SAAS,CAAC,CAAC;IACzD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9C,IAAI,mBAA2B,CAAC;IAEhC,IAAI,CAAC;QACH,mBAAmB,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC/D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,qBAAqB,CACzB,0BAA0B,UAAU,oCAAoC,EACxE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CACnD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,mBAAmB,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QACrE,OAAO;YACL,YAAY;YACZ,aAAa,EAAE,mBAAmB;YAClC,mBAAmB;YACnB,MAAM,EAAE,0BAA0B;SACnC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,MAAM,qBAAqB,CACzB,cAAc,SAAS,oCAAoC,EAC3D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CACnD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,YAAY;QACZ,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QAC1E,mBAAmB;QACnB,MAAM,EAAE,uBAAuB;KAChC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,SAAiB,EACjB,IAAgB,EAChB,MAA2C;IAE3C,MAAM,aAAa,GAAG,MAAM,oBAAoB,CAAC,SAAS,CAAC,CAAC;IAC5D,MAAM,CAAC,aAAa,CAAC;QACnB,MAAM,EAAE,qBAAqB;QAC7B,IAAI,EAAE,aAAa;QACnB,IAAI;KACL,CAAC,CAAC;IACH,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,kBAA0B,EAC1B,gBAAwB;IAExB,MAAM,YAAY,GACf,EAAE,CAAC,SAA2D,CAAC,UAAU,IAAI,CAAC,CAAC;IAClF,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,GAAG,YAAY,CAAC;IACnD,IAAI,MAAgE,CAAC;IAErE,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;QAC3D,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QAClC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACpB,MAAM,qBAAqB,CAAC,cAAc,kBAAkB,wBAAwB,CAAC,CAAC;QACxF,CAAC;QACD,IAAI,KAAK,CAAC,IAAI,GAAG,gBAAgB,EAAE,CAAC;YAClC,MAAM,qBAAqB,CACzB,sCAAsC,gBAAgB,GAAG,EACzD,uEAAuE,CACxE,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,qBAAqB,CACzB,cAAc,kBAAkB,4BAA4B,EAC5D,4CAA4C,CAC7C,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;IACvC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;YACjC,MAAM,KAAK,CAAC;QACd,CAAC;QACD,MAAM,qBAAqB,CACzB,cAAc,kBAAkB,+BAA+B,EAC/D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CACnD,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,MAAM,EAAE,KAAK,EAAE,CAAC;IACxB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,SAAiB,EACjB,IAAgB,EAChB,MAA2C;IAE3C,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACxD,MAAM,CAAC,aAAa,CAAC;QACnB,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,IAAI,EAAE,QAAQ,CAAC,aAAa;QAC5B,aAAa,EAAE,QAAQ,CAAC,mBAAmB;QAC3C,IAAI;KACL,CAAC,CAAC;IACH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,aAAa,CAAC,IAAiB,EAAE,UAAkB,EAAE,IAAY;IACxE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,GAA6B,EAAE,EAAE;YACrE,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,GAAG,CAAC,CAAC;gBACZ,OAAO;YACT,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,YAAY,CAAC,IAAiB,EAAE,UAAkB;IACzD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC,GAA6B,EAAE,IAAY,EAAE,EAAE;YACxE,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,GAAG,CAAC,CAAC;gBACZ,OAAO;YACT,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,IAAiB,EAAE,UAAkB;IACrD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,GAA6B,EAAE,KAAY,EAAE,EAAE;YACpE,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,GAAG,CAAC,CAAC;gBACZ,OAAO;YACT,CAAC;YACD,OAAO,CAAC,KAAK,CAAC,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,EACpC,cAAc,EACd,OAAO,EACP,MAAM,EACN,MAAM,GACc;IACpB,KAAK,UAAU,sBAAsB,CACnC,SAAiB,EACjB,UAAkB,EAClB,OAAwB;QAExB,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;QAE1C,MAAM,CAAC,KAAK,CAAC,oCAAoC,EAAE;YACjD,SAAS;YACT,SAAS;YACT,UAAU;SACX,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,cAAc,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,qBAAqB,CAAC,8BAA8B,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,MAAM,qBAAqB,CAAC,gDAAgD,CAAC,CAAC;QAChF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,aAAa,CAAC;YACpC,MAAM,EAAE,iBAAiB;YACzB,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU;SAC9B,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAClC,IAAI,EAAE,CAAC;gBACP,UAAU,EAAE,CAAC;gBACb,YAAY,EAAE,CAAC;gBACf,MAAM,EAAE,EAAE;gBACV,QAAQ,EAAE,KAAK;aAChB,CAAC;QACJ,CAAC;QAED,MAAM,kBAAkB,GAAG,MAAM,sBAAsB,CACrD,SAAS,EACT,OAAO,CAAC,IAAI,CAAC,UAAU,EACvB,MAAM,CACP,CAAC;QACF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,mBAAmB,CACzE,kBAAkB,EAClB,MAAM,CAAC,gBAAgB,CACxB,CAAC;YACF,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;YAExC,MAAM,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;YAC3D,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YACnE,MAAM,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC;YAC3C,MAAM,QAAQ,GAAG,WAAW,KAAK,YAAY,CAAC;YAC9C,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,qBAAqB,CACzB,oCAAoC,UAAU,EAAE,EAChD,2DAA2D,CAC5D,CAAC;YACJ,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC;gBACrD,UAAU,CAAC;oBACT,QAAQ;oBACR,WAAW,EAAE,SAAS;oBACtB,KAAK,EAAE,SAAS;oBAChB,UAAU,EAAE,GAAG;oBACf,cAAc,EAAE,SAAS,GAAG,OAAO;oBACnC,GAAG,EAAE,CAAC;iBACP,CAAC,CAAC;YACL,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC1C,MAAM,YAAY,GAAG,SAAS,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAE5D,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE;gBACnC,SAAS;gBACT,QAAQ;gBACR,IAAI,EAAE,SAAS;gBACf,UAAU;gBACV,YAAY;gBACZ,MAAM,EAAE,WAAW;aACpB,CAAC,CAAC;YACH,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;YAE5C,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,QAAQ;gBACR,IAAI,EAAE,SAAS;gBACf,UAAU;gBACV,YAAY;gBACZ,MAAM,EAAE,WAAW;gBACnB,QAAQ;aACT,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;YACpE,MAAM,qBAAqB,CAAC,oBAAoB,SAAS,KAAK,KAAK,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,KAAK,UAAU,wBAAwB,CACrC,UAAkB,EAClB,SAAiB,EACjB,OAAwB;QAExB,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;QAE1C,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;YACnD,SAAS;YACT,UAAU;YACV,SAAS;SACV,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,cAAc,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,qBAAqB,CAAC,8BAA8B,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,MAAM,qBAAqB,CAAC,gDAAgD,CAAC,CAAC;QAChF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,aAAa,CAAC;YACpC,MAAM,EAAE,mBAAmB;YAC3B,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU;SAC9B,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;gBACnC,IAAI,EAAE,CAAC;gBACP,UAAU,EAAE,CAAC;gBACb,YAAY,EAAE,CAAC;gBACf,MAAM,EAAE,EAAE;gBACV,QAAQ,EAAE,KAAK;aAChB,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YAC7F,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YACvD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;YAClC,IAAI,SAAS,GAAG,MAAM,CAAC,gBAAgB,EAAE,CAAC;gBACxC,MAAM,qBAAqB,CACzB,sCAAsC,MAAM,CAAC,gBAAgB,GAAG,EAChE,uEAAuE,CACxE,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,aAAa,GAAG,GAAG,UAAU,CAAC,YAAY,QAAQ,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACrE,MAAM,QAAQ,GAAG,MAAM,uBAAuB,CAC5C,aAAa,EACb,OAAO,CAAC,IAAI,CAAC,UAAU,EACvB,MAAM,CACP,CAAC;YACF,MAAM,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YACzE,MAAM,YAAY,GAAG,MAAM,sBAAsB,CAC/C,QAAQ,CAAC,YAAY,EACrB,OAAO,CAAC,IAAI,CAAC,UAAU,EACvB,MAAM,CACP,CAAC;YACF,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAC3D,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;YACtC,MAAM,QAAQ,GAAG,YAAY,KAAK,WAAW,CAAC;YAC9C,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,QAAQ,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC7D,MAAM,qBAAqB,CACzB,oCAAoC,UAAU,EAAE,EAChD,6DAA6D,CAC9D,CAAC;YACJ,CAAC;YACD,MAAM,eAAe,GAAG,MAAM,uBAAuB,CACnD,SAAS,EACT,OAAO,CAAC,IAAI,CAAC,UAAU,EACvB,MAAM,CACP,CAAC;YACF,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,eAAe,CAAC,YAAY,CAAC,CAAC;YAE9E,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC;gBACrD,UAAU,CAAC;oBACT,QAAQ;oBACR,WAAW,EAAE,SAAS;oBACtB,KAAK,EAAE,SAAS;oBAChB,UAAU,EAAE,GAAG;oBACf,cAAc,EAAE,SAAS,GAAG,OAAO;oBACnC,GAAG,EAAE,CAAC;iBACP,CAAC,CAAC;YACL,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC1C,MAAM,YAAY,GAAG,SAAS,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAE5D,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE;gBACrC,SAAS;gBACT,QAAQ;gBACR,IAAI,EAAE,SAAS;gBACf,UAAU;gBACV,YAAY;gBACZ,MAAM,EAAE,YAAY;aACrB,CAAC,CAAC;YACH,OAAO,CAAC,cAAc,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YAE9C,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,QAAQ;gBACR,IAAI,EAAE,SAAS;gBACf,UAAU;gBACV,YAAY;gBACZ,MAAM,EAAE,YAAY;gBACpB,QAAQ;aACT,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC;YACvE,MAAM,qBAAqB,CAAC,sBAAsB,UAAU,KAAK,KAAK,EAAE,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAED,OAAO;QACL,sBAAsB;QACtB,wBAAwB;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,cAAsB;IAChD,IAAI,cAAc,IAAI,IAAI,GAAG,IAAI,EAAE,CAAC;QAClC,OAAO,GAAG,CAAC,cAAc,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAC/D,CAAC;IACD,IAAI,cAAc,IAAI,IAAI,EAAE,CAAC;QAC3B,OAAO,GAAG,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IACtD,CAAC;IACD,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,IAAI,KAAK,IAAI,IAAI,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;QAChC,OAAO,GAAG,CAAC,KAAK,GAAG,CAAC,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IAC3D,CAAC;IACD,IAAI,KAAK,IAAI,IAAI,GAAG,IAAI,EAAE,CAAC;QACzB,OAAO,GAAG,CAAC,KAAK,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IACpD,CAAC;IACD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IAC3C,CAAC;IACD,OAAO,GAAG,KAAK,IAAI,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,OAAe;IACvC,IAAI,OAAO,GAAG,EAAE,EAAE,CAAC;QACjB,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;IAClC,CAAC;IACD,IAAI,OAAO,GAAG,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;QACtC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;QACrC,OAAO,GAAG,IAAI,KAAK,IAAI,GAAG,CAAC;IAC7B,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC/C,OAAO,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC;AAC9B,CAAC"}

package/dist/tunnel.d.ts

@@ -0,0 +1,37 @@
+import type { MetricsCollector } from "./metrics.js";
+import type { PolicyEngine } from "./policy.js";
+import type { SessionManager } from "./session.js";
+export type TunnelType = "local" | "remote" | "dynamic";
+export interface TunnelConfig {
+    sessionId: string;
+    type: TunnelType;
+    localHost?: string;
+    localPort: number;
+    remoteHost?: string;
+    remotePort?: number;
+}
+export interface TunnelInfo {
+    id: string;
+    sessionId: string;
+    type: TunnelType;
+    localHost: string;
+    localPort: number;
+    remoteHost: string;
+    remotePort: number;
+    createdAt: number;
+    active: boolean;
+}
+export interface TunnelService {
+    createLocalForward(sessionId: string, localPort: number, remoteHost: string, remotePort: number): Promise<TunnelInfo>;
+    createRemoteForward(sessionId: string, remotePort: number, localHost: string, localPort: number): Promise<TunnelInfo>;
+    closeTunnel(tunnelId: string): Promise<boolean>;
+    listTunnels(sessionId?: string): TunnelInfo[];
+    closeSessionTunnels(sessionId: string): Promise<number>;
+}
+export interface TunnelServiceDeps {
+    sessionManager: Pick<SessionManager, "getSession">;
+    metrics: Pick<MetricsCollector, "recordTunnelOpened" | "recordTunnelClosed" | "recordTunnelError">;
+    policy: Pick<PolicyEngine, "assertAllowed">;
+}
+export declare function createTunnelService({ sessionManager, metrics, policy, }: TunnelServiceDeps): TunnelService;
+//# sourceMappingURL=tunnel.d.ts.map

package/dist/tunnel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tunnel.d.ts","sourceRoot":"","sources":["../src/tunnel.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,CAAC;AAExD,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,UAAU,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,UAAU,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,kBAAkB,CAChB,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,UAAU,CAAC,CAAC;IACvB,mBAAmB,CACjB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,UAAU,CAAC,CAAC;IACvB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChD,WAAW,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,UAAU,EAAE,CAAC;IAC9C,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACzD;AAED,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;IACnD,OAAO,EAAE,IAAI,CACX,gBAAgB,EAChB,oBAAoB,GAAG,oBAAoB,GAAG,mBAAmB,CAClE,CAAC;IACF,MAAM,EAAE,IAAI,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;CAC7C;AA0OD,wBAAgB,mBAAmB,CAAC,EAClC,cAAc,EACd,OAAO,EACP,MAAM,GACP,EAAE,iBAAiB,GAAG,aAAa,CA2CnC"}

package/dist/tunnel.js

@@ -0,0 +1,234 @@
+import net from "node:net";
+import { createConnectionError } from "./errors.js";
+import { logger } from "./logging.js";
+class TunnelManager {
+    sessionManager;
+    metrics;
+    policy;
+    tunnels = new Map();
+    handles = new Map();
+    tunnelCounter = 0;
+    constructor(sessionManager, metrics, policy) {
+        this.sessionManager = sessionManager;
+        this.metrics = metrics;
+        this.policy = policy;
+    }
+    async createLocalTunnel(config) {
+        const { sessionId, localPort, remoteHost = "localhost", remotePort } = config;
+        const localHost = config.localHost ?? "localhost";
+        logger.debug("Creating local tunnel", {
+            sessionId,
+            localPort,
+            remoteHost,
+            remotePort,
+        });
+        const session = this.sessionManager.getSession(sessionId);
+        if (!session) {
+            throw createConnectionError("Session not found or expired");
+        }
+        const decision = this.policy.assertAllowed({
+            action: "tunnel.local",
+            host: remoteHost,
+            localBindHost: localHost,
+            localPort,
+            remoteHost,
+            remotePort: remotePort ?? localPort,
+            mode: session.info.policyMode,
+        });
+        if (decision.mode === "explain") {
+            return {
+                id: `tunnel-explain-${Date.now()}`,
+                sessionId,
+                type: "local",
+                localHost,
+                localPort,
+                remoteHost,
+                remotePort: remotePort ?? localPort,
+                createdAt: Date.now(),
+                active: false,
+            };
+        }
+        const tunnelId = `tunnel-${Date.now()}-${++this.tunnelCounter}`;
+        const targetPort = remotePort ?? localPort;
+        const server = net.createServer((socket) => {
+            void session.ssh
+                .forwardOut(socket.remoteAddress ?? localHost, socket.remotePort ?? 0, remoteHost, targetPort)
+                .then((channel) => {
+                socket.pipe(channel).pipe(socket);
+            })
+                .catch((error) => {
+                this.metrics.recordTunnelError();
+                logger.error("Local tunnel forwarding failed", { tunnelId, error });
+                socket.destroy();
+            });
+        });
+        await new Promise((resolve, reject) => {
+            server.once("error", reject);
+            server.listen(localPort, localHost, () => {
+                server.off("error", reject);
+                resolve();
+            });
+        });
+        const tunnelInfo = {
+            id: tunnelId,
+            sessionId,
+            type: "local",
+            localHost,
+            localPort,
+            remoteHost,
+            remotePort: targetPort,
+            createdAt: Date.now(),
+            active: true,
+        };
+        this.tunnels.set(tunnelId, tunnelInfo);
+        this.handles.set(tunnelId, {
+            close: () => new Promise((resolve, reject) => {
+                server.close((error) => (error ? reject(error) : resolve()));
+            }),
+        });
+        this.metrics.recordTunnelOpened();
+        logger.info("Local tunnel created", {
+            tunnelId,
+            localPort,
+            remoteHost,
+            remotePort: targetPort,
+        });
+        return tunnelInfo;
+    }
+    async createRemoteTunnel(config) {
+        const { sessionId, localPort, remoteHost = "localhost", remotePort } = config;
+        const localHost = config.localHost ?? "localhost";
+        logger.debug("Creating remote tunnel", {
+            sessionId,
+            localPort,
+            remoteHost,
+            remotePort,
+        });
+        const session = this.sessionManager.getSession(sessionId);
+        if (!session) {
+            throw createConnectionError("Session not found or expired");
+        }
+        const decision = this.policy.assertAllowed({
+            action: "tunnel.remote",
+            host: remoteHost,
+            localBindHost: localHost,
+            localPort,
+            remoteHost,
+            remotePort: remotePort ?? localPort,
+            mode: session.info.policyMode,
+        });
+        if (decision.mode === "explain") {
+            return {
+                id: `tunnel-explain-${Date.now()}`,
+                sessionId,
+                type: "remote",
+                localHost,
+                localPort,
+                remoteHost,
+                remotePort: remotePort ?? localPort,
+                createdAt: Date.now(),
+                active: false,
+            };
+        }
+        const tunnelId = `tunnel-${Date.now()}-${++this.tunnelCounter}`;
+        const targetPort = remotePort ?? localPort;
+        const forward = await session.ssh.forwardIn(remoteHost, targetPort, (_details, accept) => {
+            const channel = accept();
+            const localSocket = net.connect(localPort, localHost);
+            channel.pipe(localSocket).pipe(channel);
+            localSocket.on("error", (error) => {
+                this.metrics.recordTunnelError();
+                logger.error("Remote tunnel local socket failed", { tunnelId, error });
+                channel.destroy();
+            });
+        });
+        const tunnelInfo = {
+            id: tunnelId,
+            sessionId,
+            type: "remote",
+            localHost,
+            localPort,
+            remoteHost,
+            remotePort: forward.port,
+            createdAt: Date.now(),
+            active: true,
+        };
+        this.tunnels.set(tunnelId, tunnelInfo);
+        this.handles.set(tunnelId, {
+            close: () => forward.dispose(),
+        });
+        this.metrics.recordTunnelOpened();
+        logger.info("Remote tunnel created", {
+            tunnelId,
+            remotePort: targetPort,
+            localHost,
+            localPort,
+        });
+        return tunnelInfo;
+    }
+    async closeTunnel(tunnelId) {
+        const tunnel = this.tunnels.get(tunnelId);
+        if (!tunnel) {
+            logger.warn("Tunnel not found", { tunnelId });
+            return false;
+        }
+        tunnel.active = false;
+        const handle = this.handles.get(tunnelId);
+        if (handle) {
+            await handle.close();
+            this.handles.delete(tunnelId);
+        }
+        this.tunnels.delete(tunnelId);
+        this.metrics.recordTunnelClosed();
+        logger.info("Tunnel closed", { tunnelId });
+        return true;
+    }
+    listTunnels(sessionId) {
+        const tunnels = Array.from(this.tunnels.values());
+        return sessionId ? tunnels.filter((tunnel) => tunnel.sessionId === sessionId) : tunnels;
+    }
+    async closeSessionTunnels(sessionId) {
+        const sessionTunnels = this.listTunnels(sessionId);
+        let closed = 0;
+        for (const tunnel of sessionTunnels) {
+            if (await this.closeTunnel(tunnel.id)) {
+                closed++;
+            }
+        }
+        return closed;
+    }
+}
+export function createTunnelService({ sessionManager, metrics, policy, }) {
+    const manager = new TunnelManager(sessionManager, metrics, policy);
+    return {
+        createLocalForward(sessionId, localPort, remoteHost, remotePort) {
+            return manager.createLocalTunnel({
+                sessionId,
+                type: "local",
+                localPort,
+                remoteHost,
+                remotePort,
+            });
+        },
+        createRemoteForward(sessionId, remotePort, localHost, localPort) {
+            return manager.createRemoteTunnel({
+                sessionId,
+                type: "remote",
+                localHost,
+                localPort,
+                remoteHost: "localhost",
+                remotePort,
+            });
+        },
+        closeTunnel(tunnelId) {
+            return manager.closeTunnel(tunnelId);
+        },
+        listTunnels(sessionId) {
+            return manager.listTunnels(sessionId);
+        },
+        closeSessionTunnels(sessionId) {
+            return manager.closeSessionTunnels(sessionId);
+        },
+    };
+}
+//# sourceMappingURL=tunnel.js.map

package/dist/tunnel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tunnel.js","sourceRoot":"","sources":["../src/tunnel.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,UAAU,CAAC;AAC3B,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AA2DtC,MAAM,aAAa;IAME;IACA;IAIA;IAVF,OAAO,GAAG,IAAI,GAAG,EAAsB,CAAC;IACxC,OAAO,GAAG,IAAI,GAAG,EAAwB,CAAC;IACnD,aAAa,GAAG,CAAC,CAAC;IAE1B,YACmB,cAAkD,EAClD,OAGhB,EACgB,MAA2C;QAL3C,mBAAc,GAAd,cAAc,CAAoC;QAClD,YAAO,GAAP,OAAO,CAGvB;QACgB,WAAM,GAAN,MAAM,CAAqC;IAC3D,CAAC;IAEJ,KAAK,CAAC,iBAAiB,CAAC,MAAoB;QAC1C,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,GAAG,WAAW,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;QAC9E,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,WAAW,CAAC;QAElD,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE;YACpC,SAAS;YACT,SAAS;YACT,UAAU;YACV,UAAU;SACX,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,qBAAqB,CAAC,8BAA8B,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;YACzC,MAAM,EAAE,cAAc;YACtB,IAAI,EAAE,UAAU;YAChB,aAAa,EAAE,SAAS;YACxB,SAAS;YACT,UAAU;YACV,UAAU,EAAE,UAAU,IAAI,SAAS;YACnC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU;SAC9B,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChC,OAAO;gBACL,EAAE,EAAE,kBAAkB,IAAI,CAAC,GAAG,EAAE,EAAE;gBAClC,SAAS;gBACT,IAAI,EAAE,OAAO;gBACb,SAAS;gBACT,SAAS;gBACT,UAAU;gBACV,UAAU,EAAE,UAAU,IAAI,SAAS;gBACnC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,MAAM,EAAE,KAAK;aACd,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC;QAChE,MAAM,UAAU,GAAG,UAAU,IAAI,SAAS,CAAC;QAC3C,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,EAAE;YACzC,KAAK,OAAO,CAAC,GAAG;iBACb,UAAU,CACT,MAAM,CAAC,aAAa,IAAI,SAAS,EACjC,MAAM,CAAC,UAAU,IAAI,CAAC,EACtB,UAAU,EACV,UAAU,CACX;iBACA,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;gBAChB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACpC,CAAC,CAAC;iBACD,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;gBACf,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,CAAC;gBACjC,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;gBACpE,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7B,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,EAAE,GAAG,EAAE;gBACvC,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gBAC5B,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,UAAU,GAAe;YAC7B,EAAE,EAAE,QAAQ;YACZ,SAAS;YACT,IAAI,EAAE,OAAO;YACb,SAAS;YACT,SAAS;YACT,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,MAAM,EAAE,IAAI;SACb,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE;YACzB,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACpC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC/D,CAAC,CAAC;SACL,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAElC,MAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE;YAClC,QAAQ;YACR,SAAS;YACT,UAAU;YACV,UAAU,EAAE,UAAU;SACvB,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,MAAoB;QAC3C,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,GAAG,WAAW,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;QAC9E,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,WAAW,CAAC;QAElD,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE;YACrC,SAAS;YACT,SAAS;YACT,UAAU;YACV,UAAU;SACX,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,qBAAqB,CAAC,8BAA8B,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;YACzC,MAAM,EAAE,eAAe;YACvB,IAAI,EAAE,UAAU;YAChB,aAAa,EAAE,SAAS;YACxB,SAAS;YACT,UAAU;YACV,UAAU,EAAE,UAAU,IAAI,SAAS;YACnC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU;SAC9B,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChC,OAAO;gBACL,EAAE,EAAE,kBAAkB,IAAI,CAAC,GAAG,EAAE,EAAE;gBAClC,SAAS;gBACT,IAAI,EAAE,QAAQ;gBACd,SAAS;gBACT,SAAS;gBACT,UAAU;gBACV,UAAU,EAAE,UAAU,IAAI,SAAS;gBACnC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,MAAM,EAAE,KAAK;aACd,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC;QAChE,MAAM,UAAU,GAAG,UAAU,IAAI,SAAS,CAAC;QAC3C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE;YACvF,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACxC,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;gBAChC,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,CAAC;gBACjC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;gBACvE,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,UAAU,GAAe;YAC7B,EAAE,EAAE,QAAQ;YACZ,SAAS;YACT,IAAI,EAAE,QAAQ;YACd,SAAS;YACT,SAAS;YACT,UAAU;YACV,UAAU,EAAE,OAAO,CAAC,IAAI;YACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,MAAM,EAAE,IAAI;SACb,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE;YACzB,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE;SAC/B,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAElC,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE;YACnC,QAAQ;YACR,UAAU,EAAE,UAAU;YACtB,SAAS;YACT,SAAS;SACV,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,QAAgB;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC9C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC;QACtB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;YACrB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC9B,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAClC,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,WAAW,CAAC,SAAkB;QAC5B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAClD,OAAO,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC1F,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,SAAiB;QACzC,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;YACpC,IAAI,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;gBACtC,MAAM,EAAE,CAAC;YACX,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,MAAM,UAAU,mBAAmB,CAAC,EAClC,cAAc,EACd,OAAO,EACP,MAAM,GACY;IAClB,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC,cAAc,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAEnE,OAAO;QACL,kBAAkB,CAChB,SAAiB,EACjB,SAAiB,EACjB,UAAkB,EAClB,UAAkB;YAElB,OAAO,OAAO,CAAC,iBAAiB,CAAC;gBAC/B,SAAS;gBACT,IAAI,EAAE,OAAO;gBACb,SAAS;gBACT,UAAU;gBACV,UAAU;aACX,CAAC,CAAC;QACL,CAAC;QACD,mBAAmB,CACjB,SAAiB,EACjB,UAAkB,EAClB,SAAiB,EACjB,SAAiB;YAEjB,OAAO,OAAO,CAAC,kBAAkB,CAAC;gBAChC,SAAS;gBACT,IAAI,EAAE,QAAQ;gBACd,SAAS;gBACT,SAAS;gBACT,UAAU,EAAE,WAAW;gBACvB,UAAU;aACX,CAAC,CAAC;QACL,CAAC;QACD,WAAW,CAAC,QAAgB;YAC1B,OAAO,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QACD,WAAW,CAAC,SAAkB;YAC5B,OAAO,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QACxC,CAAC;QACD,mBAAmB,CAAC,SAAiB;YACnC,OAAO,OAAO,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;QAChD,CAAC;KACF,CAAC;AACJ,CAAC"}