ssh2web 1.0.0

package/dist/crypto/cipher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cipher.d.ts","sourceRoot":"","sources":["../../crypto/cipher.ts"],"names":[],"mappings":"AAiBA,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,SAAS,EACd,EAAE,EAAE,UAAU,EACd,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC;IAAE,UAAU,EAAE,UAAU,CAAC;IAAC,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC,CAiBzD;AAED,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,SAAS,EACd,EAAE,EAAE,UAAU,EACd,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC;IAAE,SAAS,EAAE,UAAU,CAAC;IAAC,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC,CAiBxD"}

package/dist/crypto/cipher.js

@@ -0,0 +1,43 @@
+/**
+ * AES-128-CTR encryption and decryption.
+ * Single responsibility: AES-CTR mode operations.
+ */
+import { AES_BLOCK_SIZE } from "../domain/constants";
+function incrementCounter(iv, count = 1) {
+    const result = new Uint8Array(iv);
+    let carry = count;
+    for (let i = 15; i >= 0 && carry > 0; i--) {
+        const sum = result[i] + carry;
+        result[i] = sum & 0xff;
+        carry = sum >> 8;
+    }
+    return result;
+}
+export async function encryptAES128CTR(key, iv, plaintext) {
+    const ciphertext = new Uint8Array(plaintext.length);
+    const blocks = Math.ceil(plaintext.length / AES_BLOCK_SIZE);
+    let offset = 0;
+    let ivCopy = new Uint8Array(iv);
+    for (let i = 0; i < blocks; i++) {
+        const blockLen = Math.min(AES_BLOCK_SIZE, plaintext.length - offset);
+        const enc = await crypto.subtle.encrypt({ name: "AES-CTR", counter: ivCopy, length: 128 }, key, plaintext.subarray(offset, offset + blockLen));
+        ciphertext.set(new Uint8Array(enc), offset);
+        offset += blockLen;
+        ivCopy = incrementCounter(ivCopy, 1);
+    }
+    return { ciphertext, nextIv: ivCopy };
+}
+export async function decryptAES128CTR(key, iv, ciphertext) {
+    const plaintext = new Uint8Array(ciphertext.length);
+    const blocks = Math.ceil(ciphertext.length / AES_BLOCK_SIZE);
+    let offset = 0;
+    let ivCopy = new Uint8Array(iv);
+    for (let i = 0; i < blocks; i++) {
+        const blockLen = Math.min(AES_BLOCK_SIZE, ciphertext.length - offset);
+        const dec = await crypto.subtle.decrypt({ name: "AES-CTR", counter: ivCopy, length: 128 }, key, ciphertext.subarray(offset, offset + blockLen));
+        plaintext.set(new Uint8Array(dec), offset);
+        offset += blockLen;
+        ivCopy = incrementCounter(ivCopy, 1);
+    }
+    return { plaintext, nextIv: ivCopy };
+}

package/dist/crypto/digest.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Cryptographic hashing operations.
+ * Single responsibility: SHA256 hashing via Web Crypto API.
+ */
+export declare function computeSHA256(data: Uint8Array): Promise<Uint8Array>;
+//# sourceMappingURL=digest.d.ts.map

package/dist/crypto/digest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"digest.d.ts","sourceRoot":"","sources":["../../crypto/digest.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,wBAAsB,aAAa,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAKzE"}

package/dist/crypto/digest.js

@@ -0,0 +1,10 @@
+/**
+ * Cryptographic hashing operations.
+ * Single responsibility: SHA256 hashing via Web Crypto API.
+ */
+export async function computeSHA256(data) {
+    const buffer = data.byteOffset === 0 && data.byteLength === data.buffer.byteLength
+        ? data.buffer
+        : data.slice().buffer;
+    return new Uint8Array(await crypto.subtle.digest("SHA-256", buffer));
+}

package/dist/crypto/keyexchange.d.ts

@@ -0,0 +1,11 @@
+export declare function generateDHPrivate(): Promise<{
+    x: bigint;
+    e: bigint;
+}>;
+export declare function computeDHSharedSecret(f: bigint, x: bigint): bigint;
+export declare function generateX25519KeyPair(): Promise<{
+    publicKey: Uint8Array;
+    privateKey: CryptoKey;
+}>;
+export declare function computeX25519SharedSecret(privateKey: CryptoKey, publicKey: Uint8Array): Promise<Uint8Array>;
+//# sourceMappingURL=keyexchange.d.ts.map

package/dist/crypto/keyexchange.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyexchange.d.ts","sourceRoot":"","sources":["../../crypto/keyexchange.ts"],"names":[],"mappings":"AAOA,wBAAsB,iBAAiB,IAAI,OAAO,CAAC;IAAE,CAAC,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAW3E;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAElE;AAED,wBAAsB,qBAAqB,IAAI,OAAO,CAAC;IAAE,SAAS,EAAE,UAAU,CAAC;IAAC,UAAU,EAAE,SAAS,CAAA;CAAE,CAAC,CAQvG;AAED,wBAAsB,yBAAyB,CAAC,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAOjH"}

package/dist/crypto/keyexchange.js

@@ -0,0 +1,35 @@
+/**
+ * Diffie-Hellman key exchange operations.
+ * Single responsibility: DH parameter generation and shared secret computation.
+ */
+import { modPow } from "./arithmetic";
+import { DH_GENERATOR, DH_PRIME } from "../domain/constants";
+export async function generateDHPrivate() {
+    let x;
+    let e;
+    do {
+        const xBytes = crypto.getRandomValues(new Uint8Array(32));
+        x = 0n;
+        for (let i = 0; i < xBytes.length; i++)
+            x = (x << 8n) | BigInt(xBytes[i]);
+        x = x % (DH_PRIME - 2n) + 2n;
+        e = modPow(DH_GENERATOR, x, DH_PRIME);
+    } while (e <= 1n || e >= DH_PRIME - 1n);
+    return { x, e };
+}
+export function computeDHSharedSecret(f, x) {
+    return modPow(f, x, DH_PRIME);
+}
+export async function generateX25519KeyPair() {
+    const keyPair = (await crypto.subtle.generateKey({ name: "X25519" }, true, ["deriveBits"]));
+    const pub = await crypto.subtle.exportKey("raw", keyPair.publicKey);
+    return { publicKey: new Uint8Array(pub), privateKey: keyPair.privateKey };
+}
+export async function computeX25519SharedSecret(privateKey, publicKey) {
+    const buffer = publicKey.byteOffset === 0 && publicKey.byteLength === publicKey.buffer.byteLength
+        ? publicKey.buffer
+        : publicKey.slice().buffer;
+    const pub = await crypto.subtle.importKey("raw", buffer, { name: "X25519" }, false, []);
+    const bits = await crypto.subtle.deriveBits({ name: "X25519", public: pub }, privateKey, 256);
+    return new Uint8Array(bits);
+}

package/dist/crypto/keys.d.ts

@@ -0,0 +1,11 @@
+interface DerivedKeys {
+    ivC: Uint8Array;
+    keyC: Uint8Array;
+    macC: Uint8Array;
+    ivS: Uint8Array;
+    keyS: Uint8Array;
+    macS: Uint8Array;
+}
+export declare function deriveKeys(sharedSecret: Uint8Array, exchangeHash: Uint8Array, sessionId: Uint8Array): Promise<DerivedKeys>;
+export {};
+//# sourceMappingURL=keys.d.ts.map

package/dist/crypto/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../crypto/keys.ts"],"names":[],"mappings":"AAMA,UAAU,WAAW;IACnB,GAAG,EAAE,UAAU,CAAC;IAChB,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,EAAE,UAAU,CAAC;IACjB,GAAG,EAAE,UAAU,CAAC;IAChB,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,EAAE,UAAU,CAAC;CAClB;AAED,wBAAsB,UAAU,CAC9B,YAAY,EAAE,UAAU,EACxB,YAAY,EAAE,UAAU,EACxB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,WAAW,CAAC,CAWtB"}

package/dist/crypto/keys.js

@@ -0,0 +1,27 @@
+/**
+ * Key derivation from shared secret to session keys.
+ * RFC 4253: derives IVs, encryption keys, and MAC keys.
+ */
+import { computeSHA256 } from "./digest";
+export async function deriveKeys(sharedSecret, exchangeHash, sessionId) {
+    const deriveKey = async (id) => {
+        return computeSHA256(concat(sharedSecret, exchangeHash, new Uint8Array([id]), sessionId));
+    };
+    const ivC = (await deriveKey(0x41)).subarray(0, 16);
+    const ivS = (await deriveKey(0x42)).subarray(0, 16);
+    const keyC = (await deriveKey(0x43)).subarray(0, 16);
+    const keyS = (await deriveKey(0x44)).subarray(0, 16);
+    const macC = (await deriveKey(0x45)).subarray(0, 32);
+    const macS = (await deriveKey(0x46)).subarray(0, 32);
+    return { ivC, keyC, macC, ivS, keyS, macS };
+}
+function concat(...arr) {
+    const len = arr.reduce((a, b) => a + b.length, 0);
+    const out = new Uint8Array(len);
+    let off = 0;
+    for (const a of arr) {
+        out.set(a, off);
+        off += a.length;
+    }
+    return out;
+}

package/dist/crypto/mac.d.ts

@@ -0,0 +1,7 @@
+/**
+ * HMAC-SHA256 message authentication.
+ * Single responsibility: HMAC computation and constant-time comparison.
+ */
+export declare function computeHMACSHA256(key: Uint8Array, data: Uint8Array): Promise<Uint8Array>;
+export declare function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean;
+//# sourceMappingURL=mac.d.ts.map

package/dist/crypto/mac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mac.d.ts","sourceRoot":"","sources":["../../crypto/mac.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAU9F;AAED,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAKvE"}

package/dist/crypto/mac.js

@@ -0,0 +1,17 @@
+/**
+ * HMAC-SHA256 message authentication.
+ * Single responsibility: HMAC computation and constant-time comparison.
+ */
+export async function computeHMACSHA256(key, data) {
+    const cryptoKey = await crypto.subtle.importKey("raw", key, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const sig = await crypto.subtle.sign("HMAC", cryptoKey, data);
+    return new Uint8Array(sig);
+}
+export function constantTimeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+}

package/dist/debug.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Debug logging utility.
+ * Controlled by localStorage.ssh_debug flag.
+ */
+export declare function log(...args: unknown[]): void;
+export declare function logDebug(...args: unknown[]): void;
+export declare function logError(...args: unknown[]): void;
+export declare function logWarn(...args: unknown[]): void;
+//# sourceMappingURL=debug.d.ts.map

package/dist/debug.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"debug.d.ts","sourceRoot":"","sources":["../debug.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,wBAAgB,GAAG,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAE5C;AAED,wBAAgB,QAAQ,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAEjD;AAED,wBAAgB,QAAQ,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAEjD;AAED,wBAAgB,OAAO,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAEhD"}

package/dist/debug.js

@@ -0,0 +1,19 @@
+/**
+ * Debug logging utility.
+ * Controlled by localStorage.ssh_debug flag.
+ */
+const DEBUG = typeof window === "undefined" || localStorage.getItem("ssh_debug") !== "0";
+export function log(...args) {
+    if (DEBUG)
+        console.log("[SSH]", ...args);
+}
+export function logDebug(...args) {
+    if (DEBUG)
+        console.log("[SSH_DEBUG]", ...args);
+}
+export function logError(...args) {
+    console.error("[SSH_ERROR]", ...args);
+}
+export function logWarn(...args) {
+    console.warn("[SSH_WARN]", ...args);
+}

package/dist/domain/constants.d.ts

@@ -0,0 +1,47 @@
+/**
+ * SSH protocol message type constants.
+ */
+export declare const SSH_MSG_DISCONNECT = 1;
+export declare const SSH_MSG_IGNORE = 2;
+export declare const SSH_MSG_UNIMPLEMENTED = 3;
+export declare const SSH_MSG_DEBUG = 4;
+export declare const SSH_MSG_SERVICE_REQUEST = 5;
+export declare const SSH_MSG_SERVICE_ACCEPT = 6;
+export declare const SSH_MSG_EXT_INFO = 7;
+export declare const SSH_MSG_KEXINIT = 20;
+export declare const SSH_MSG_NEWKEYS = 21;
+export declare const SSH_MSG_KEX_ECDH_INIT = 30;
+export declare const SSH_MSG_KEX_ECDH_REPLY = 31;
+export declare const SSH_MSG_KEXDH_INIT = 30;
+export declare const SSH_MSG_KEXDH_REPLY = 31;
+export declare const SSH_MSG_USERAUTH_REQUEST = 50;
+export declare const SSH_MSG_USERAUTH_FAILURE = 51;
+export declare const SSH_MSG_USERAUTH_SUCCESS = 52;
+export declare const SSH_MSG_USERAUTH_PK_OK = 60;
+export declare const SSH_MSG_GLOBAL_REQUEST = 80;
+export declare const SSH_MSG_REQUEST_SUCCESS = 81;
+export declare const SSH_MSG_REQUEST_FAILURE = 82;
+export declare const SSH_MSG_CHANNEL_OPEN = 90;
+export declare const SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91;
+export declare const SSH_MSG_CHANNEL_REQUEST = 98;
+export declare const SSH_MSG_CHANNEL_DATA = 94;
+export declare const SSH_MSG_CHANNEL_EXTENDED_DATA = 95;
+export declare const SSH_MSG_CHANNEL_SUCCESS = 99;
+export declare const SSH_MSG_CHANNEL_FAILURE = 100;
+export declare const SSH_MSG_CHANNEL_WINDOW_ADJUST = 93;
+export declare const CLIENT_IDENT = "SSH-2.0-agentripper-ssh";
+export declare const PREFERRED_KEX = "diffie-hellman-group14-sha256,curve25519-sha256,curve25519-sha256@libssh.org";
+export declare const PREFERRED_CIPHER = "aes128-ctr";
+export declare const PREFERRED_MAC = "hmac-sha2-256,hmac-sha2-256-etm@openssh.com";
+export declare const DH_GENERATOR = 2n;
+export declare const DH_PRIME: bigint;
+export declare const AES_BLOCK_SIZE = 16;
+export declare const HMAC_SHA256_SIZE = 32;
+export declare const MIN_PADDING = 4;
+export declare const DEFAULT_TERMINAL_TYPE = "xterm-256color";
+export declare const DEFAULT_TERMINAL_COLS = 80;
+export declare const DEFAULT_TERMINAL_ROWS = 24;
+export declare const KEX_TIMEOUT_MS = 8000;
+export declare const MAX_PACKET_SIZE = 35000;
+export declare const DEFAULT_WINDOW_SIZE = 32768;
+//# sourceMappingURL=constants.d.ts.map

package/dist/domain/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../domain/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,eAAO,MAAM,kBAAkB,IAAI,CAAC;AACpC,eAAO,MAAM,cAAc,IAAI,CAAC;AAChC,eAAO,MAAM,qBAAqB,IAAI,CAAC;AACvC,eAAO,MAAM,aAAa,IAAI,CAAC;AAC/B,eAAO,MAAM,uBAAuB,IAAI,CAAC;AACzC,eAAO,MAAM,sBAAsB,IAAI,CAAC;AACxC,eAAO,MAAM,gBAAgB,IAAI,CAAC;AAElC,eAAO,MAAM,eAAe,KAAK,CAAC;AAClC,eAAO,MAAM,eAAe,KAAK,CAAC;AAElC,eAAO,MAAM,qBAAqB,KAAK,CAAC;AACxC,eAAO,MAAM,sBAAsB,KAAK,CAAC;AACzC,eAAO,MAAM,kBAAkB,KAAK,CAAC;AACrC,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC,eAAO,MAAM,wBAAwB,KAAK,CAAC;AAC3C,eAAO,MAAM,wBAAwB,KAAK,CAAC;AAC3C,eAAO,MAAM,wBAAwB,KAAK,CAAC;AAC3C,eAAO,MAAM,sBAAsB,KAAK,CAAC;AAEzC,eAAO,MAAM,sBAAsB,KAAK,CAAC;AACzC,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAC1C,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,eAAO,MAAM,oBAAoB,KAAK,CAAC;AACvC,eAAO,MAAM,iCAAiC,KAAK,CAAC;AACpD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAC1C,eAAO,MAAM,oBAAoB,KAAK,CAAC;AACvC,eAAO,MAAM,6BAA6B,KAAK,CAAC;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAC1C,eAAO,MAAM,uBAAuB,MAAM,CAAC;AAC3C,eAAO,MAAM,6BAA6B,KAAK,CAAC;AAEhD,eAAO,MAAM,YAAY,4BAA4B,CAAC;AACtD,eAAO,MAAM,aAAa,iFAAiF,CAAC;AAC5G,eAAO,MAAM,gBAAgB,eAAe,CAAC;AAC7C,eAAO,MAAM,aAAa,gDAAgD,CAAC;AAE3E,eAAO,MAAM,YAAY,KAAK,CAAC;AAC/B,eAAO,MAAM,QAAQ,QAA+gB,CAAC;AAEriB,eAAO,MAAM,cAAc,KAAK,CAAC;AACjC,eAAO,MAAM,gBAAgB,KAAK,CAAC;AACnC,eAAO,MAAM,WAAW,IAAI,CAAC;AAC7B,eAAO,MAAM,qBAAqB,mBAAmB,CAAC;AACtD,eAAO,MAAM,qBAAqB,KAAK,CAAC;AACxC,eAAO,MAAM,qBAAqB,KAAK,CAAC;AACxC,eAAO,MAAM,cAAc,OAAO,CAAC;AACnC,eAAO,MAAM,eAAe,QAAQ,CAAC;AACrC,eAAO,MAAM,mBAAmB,QAAS,CAAC"}

package/dist/domain/constants.js

@@ -0,0 +1,46 @@
+/**
+ * SSH protocol message type constants.
+ */
+export const SSH_MSG_DISCONNECT = 1;
+export const SSH_MSG_IGNORE = 2;
+export const SSH_MSG_UNIMPLEMENTED = 3;
+export const SSH_MSG_DEBUG = 4;
+export const SSH_MSG_SERVICE_REQUEST = 5;
+export const SSH_MSG_SERVICE_ACCEPT = 6;
+export const SSH_MSG_EXT_INFO = 7;
+export const SSH_MSG_KEXINIT = 20;
+export const SSH_MSG_NEWKEYS = 21;
+export const SSH_MSG_KEX_ECDH_INIT = 30;
+export const SSH_MSG_KEX_ECDH_REPLY = 31;
+export const SSH_MSG_KEXDH_INIT = 30;
+export const SSH_MSG_KEXDH_REPLY = 31;
+export const SSH_MSG_USERAUTH_REQUEST = 50;
+export const SSH_MSG_USERAUTH_FAILURE = 51;
+export const SSH_MSG_USERAUTH_SUCCESS = 52;
+export const SSH_MSG_USERAUTH_PK_OK = 60;
+export const SSH_MSG_GLOBAL_REQUEST = 80;
+export const SSH_MSG_REQUEST_SUCCESS = 81;
+export const SSH_MSG_REQUEST_FAILURE = 82;
+export const SSH_MSG_CHANNEL_OPEN = 90;
+export const SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91;
+export const SSH_MSG_CHANNEL_REQUEST = 98;
+export const SSH_MSG_CHANNEL_DATA = 94;
+export const SSH_MSG_CHANNEL_EXTENDED_DATA = 95;
+export const SSH_MSG_CHANNEL_SUCCESS = 99;
+export const SSH_MSG_CHANNEL_FAILURE = 100;
+export const SSH_MSG_CHANNEL_WINDOW_ADJUST = 93;
+export const CLIENT_IDENT = "SSH-2.0-agentripper-ssh";
+export const PREFERRED_KEX = "diffie-hellman-group14-sha256,curve25519-sha256,curve25519-sha256@libssh.org";
+export const PREFERRED_CIPHER = "aes128-ctr";
+export const PREFERRED_MAC = "hmac-sha2-256,hmac-sha2-256-etm@openssh.com";
+export const DH_GENERATOR = 2n;
+export const DH_PRIME = BigInt("0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF");
+export const AES_BLOCK_SIZE = 16;
+export const HMAC_SHA256_SIZE = 32;
+export const MIN_PADDING = 4;
+export const DEFAULT_TERMINAL_TYPE = "xterm-256color";
+export const DEFAULT_TERMINAL_COLS = 80;
+export const DEFAULT_TERMINAL_ROWS = 24;
+export const KEX_TIMEOUT_MS = 8000;
+export const MAX_PACKET_SIZE = 35000;
+export const DEFAULT_WINDOW_SIZE = 0x8000;

package/dist/domain/errors.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Domain-specific errors and exception handling.
+ */
+export declare class SSHError extends Error {
+    constructor(message: string);
+}
+export declare class KEXError extends SSHError {
+    constructor(message: string);
+}
+export declare class AuthenticationError extends SSHError {
+    constructor(message: string);
+}
+export declare class MacVerificationError extends SSHError {
+    constructor(message: string);
+}
+export declare class ProtocolError extends SSHError {
+    constructor(message: string);
+}
+export declare class ChannelError extends SSHError {
+    constructor(message: string);
+}
+export declare class ParseError extends SSHError {
+    constructor(message: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/domain/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../domain/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,QAAS,SAAQ,QAAQ;gBACxB,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,mBAAoB,SAAQ,QAAQ;gBACnC,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,oBAAqB,SAAQ,QAAQ;gBACpC,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,aAAc,SAAQ,QAAQ;gBAC7B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,YAAa,SAAQ,QAAQ;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,UAAW,SAAQ,QAAQ;gBAC1B,OAAO,EAAE,MAAM;CAI5B"}

package/dist/domain/errors.js

@@ -0,0 +1,45 @@
+/**
+ * Domain-specific errors and exception handling.
+ */
+export class SSHError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "SSHError";
+    }
+}
+export class KEXError extends SSHError {
+    constructor(message) {
+        super(message);
+        this.name = "KEXError";
+    }
+}
+export class AuthenticationError extends SSHError {
+    constructor(message) {
+        super(message);
+        this.name = "AuthenticationError";
+    }
+}
+export class MacVerificationError extends SSHError {
+    constructor(message) {
+        super(message);
+        this.name = "MacVerificationError";
+    }
+}
+export class ProtocolError extends SSHError {
+    constructor(message) {
+        super(message);
+        this.name = "ProtocolError";
+    }
+}
+export class ChannelError extends SSHError {
+    constructor(message) {
+        super(message);
+        this.name = "ChannelError";
+    }
+}
+export class ParseError extends SSHError {
+    constructor(message) {
+        super(message);
+        this.name = "ParseError";
+    }
+}

package/dist/domain/models.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Domain model value objects and entities.
+ * These represent core SSH protocol concepts.
+ */
+export interface Credentials {
+    username: string;
+    certificate: string;
+    privateKey: string;
+}
+export interface TerminalConfig {
+    cols: number;
+    rows: number;
+    termType: string;
+}
+export interface SessionId extends Readonly<{
+    readonly __brand: unique symbol;
+}> {
+    readonly value: Uint8Array;
+}
+export interface ChannelId extends Readonly<{
+    readonly __brand: unique symbol;
+}> {
+    readonly value: number;
+}
+export interface SequenceNumber extends Readonly<{
+    readonly __brand: unique symbol;
+}> {
+    readonly value: number;
+}
+export interface EncryptionKey extends Readonly<{
+    readonly __brand: unique symbol;
+}> {
+    readonly key: CryptoKey;
+}
+export interface MacKey extends Readonly<{
+    readonly __brand: unique symbol;
+}> {
+    readonly key: Uint8Array;
+}
+export interface InitializationVector extends Readonly<{
+    readonly __brand: unique symbol;
+}> {
+    readonly value: Uint8Array;
+}
+export type KexAlgorithm = "curve25519-sha256" | "curve25519-sha256@libssh.org" | "diffie-hellman-group14-sha256";
+export type CipherAlgorithm = "aes128-ctr";
+export type MacAlgorithm = "hmac-sha2-256" | "hmac-sha2-256-etm@openssh.com";
+export interface AlgorithmNegotiation {
+    kex: KexAlgorithm;
+    cipher: CipherAlgorithm;
+    mac: MacAlgorithm;
+}
+export type SSHMessageType = number;
+export declare const createSessionId: (data: Uint8Array) => SessionId;
+export declare const createChannelId: (value: number) => ChannelId;
+export declare const createSequenceNumber: (value: number) => SequenceNumber;
+export declare const createEncryptionKey: (key: CryptoKey) => EncryptionKey;
+export declare const createMacKey: (key: Uint8Array) => MacKey;
+export declare const createInitializationVector: (value: Uint8Array) => InitializationVector;
+//# sourceMappingURL=models.d.ts.map

package/dist/domain/models.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../../domain/models.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,SAAU,SAAQ,QAAQ,CAAC;IAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,MAAM,CAAA;CAAE,CAAC;IAC9E,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;CAC5B;AAED,MAAM,WAAW,SAAU,SAAQ,QAAQ,CAAC;IAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,MAAM,CAAA;CAAE,CAAC;IAC9E,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,cAAe,SAAQ,QAAQ,CAAC;IAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,MAAM,CAAA;CAAE,CAAC;IACnF,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,aAAc,SAAQ,QAAQ,CAAC;IAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,MAAM,CAAA;CAAE,CAAC;IAClF,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;CACzB;AAED,MAAM,WAAW,MAAO,SAAQ,QAAQ,CAAC;IAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,MAAM,CAAA;CAAE,CAAC;IAC3E,QAAQ,CAAC,GAAG,EAAE,UAAU,CAAC;CAC1B;AAED,MAAM,WAAW,oBAAqB,SAAQ,QAAQ,CAAC;IAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,MAAM,CAAA;CAAE,CAAC;IACzF,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;CAC5B;AAED,MAAM,MAAM,YAAY,GAAG,mBAAmB,GAAG,8BAA8B,GAAG,+BAA+B,CAAC;AAClH,MAAM,MAAM,eAAe,GAAG,YAAY,CAAC;AAC3C,MAAM,MAAM,YAAY,GAAG,eAAe,GAAG,+BAA+B,CAAC;AAE7E,MAAM,WAAW,oBAAoB;IACnC,GAAG,EAAE,YAAY,CAAC;IAClB,MAAM,EAAE,eAAe,CAAC;IACxB,GAAG,EAAE,YAAY,CAAC;CACnB;AAED,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC;AAEpC,eAAO,MAAM,eAAe,GAAI,MAAM,UAAU,KAAG,SAA2C,CAAC;AAC/F,eAAO,MAAM,eAAe,GAAI,OAAO,MAAM,KAAG,SAAqC,CAAC;AACtF,eAAO,MAAM,oBAAoB,GAAI,OAAO,MAAM,KAAG,cAA+C,CAAC;AACrG,eAAO,MAAM,mBAAmB,GAAI,KAAK,SAAS,KAAG,aAA2C,CAAC;AACjG,eAAO,MAAM,YAAY,GAAI,KAAK,UAAU,KAAG,MAA6B,CAAC;AAC7E,eAAO,MAAM,0BAA0B,GAAI,OAAO,UAAU,KAAG,oBAA2D,CAAC"}

package/dist/domain/models.js

@@ -0,0 +1,10 @@
+/**
+ * Domain model value objects and entities.
+ * These represent core SSH protocol concepts.
+ */
+export const createSessionId = (data) => ({ value: data });
+export const createChannelId = (value) => ({ value });
+export const createSequenceNumber = (value) => ({ value });
+export const createEncryptionKey = (key) => ({ key });
+export const createMacKey = (key) => ({ key });
+export const createInitializationVector = (value) => ({ value });

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Public API barrel export.
+ * Architecture: domain, crypto, protocol, transport, state machines (kex/auth/channel/connection), connection orchestrator.
+ */
+export { connectSSH } from "./connection/connectSSH";
+export type { SSHConnection, ConnectSSHOptions, SSHCredentials } from "./connection/types";
+export { SSHError, KEXError, AuthenticationError, MacVerificationError, ProtocolError, ChannelError, ParseError } from "./domain/errors";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AACrD,YAAY,EAAE,aAAa,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC3F,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -0,0 +1,6 @@
+/**
+ * Public API barrel export.
+ * Architecture: domain, crypto, protocol, transport, state machines (kex/auth/channel/connection), connection orchestrator.
+ */
+export { connectSSH } from "./connection/connectSSH";
+export { SSHError, KEXError, AuthenticationError, MacVerificationError, ProtocolError, ChannelError, ParseError } from "./domain/errors";

package/dist/kex/builder.d.ts

@@ -0,0 +1,2 @@
+export declare function buildKexInit(): Uint8Array;
+//# sourceMappingURL=builder.d.ts.map

package/dist/kex/builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../kex/builder.ts"],"names":[],"mappings":"AAMA,wBAAgB,YAAY,IAAI,UAAU,CAsBzC"}

package/dist/kex/builder.js

@@ -0,0 +1,22 @@
+/**
+ * Builds KEXINIT payload for client key exchange.
+ */
+import { writeString, writeUint32, concat } from "../protocol/serialization";
+import { SSH_MSG_KEXINIT, PREFERRED_KEX, PREFERRED_CIPHER, PREFERRED_MAC } from "../domain/constants";
+export function buildKexInit() {
+    const cookie = crypto.getRandomValues(new Uint8Array(16));
+    const macList = PREFERRED_MAC.split(",").map((s) => s.trim()).filter(Boolean);
+    const lists = [
+        PREFERRED_KEX,
+        "ssh-ed25519",
+        PREFERRED_CIPHER,
+        PREFERRED_CIPHER,
+        macList.join(","),
+        macList.join(","),
+        "none",
+        "none",
+        "",
+        "",
+    ];
+    return concat(new Uint8Array([SSH_MSG_KEXINIT]), cookie, ...lists.map(writeString), new Uint8Array([0]), writeUint32(0));
+}

package/dist/kex/kexstate.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Key exchange state machine.
+ * Manages KEX negotiation and algorithm selection.
+ */
+import { AlgorithmNegotiation } from "../domain/models";
+export type KexPhase = "init" | "negotiating" | "exchanging" | "complete";
+export interface KexState {
+    phase: KexPhase;
+    serverKexList: string[];
+    serverHostKeyTypes: string[];
+    negotiated: AlgorithmNegotiation | null;
+    kexInitC: Uint8Array | null;
+    kexInitS: Uint8Array | null;
+}
+export declare function createKexState(): KexState;
+export declare function selectAlgorithm(ourList: string[], serverList: string[]): string | null;
+export declare function negotiateAlgorithms(preferredKex: string[], preferredCipher: string[], preferredMac: string[], serverKex: string[], serverCipher: string[], serverMac: string[]): AlgorithmNegotiation | null;
+export declare function isValidKex(kex: string): boolean;
+export declare function transitionKexPhase(current: KexPhase): KexPhase;
+//# sourceMappingURL=kexstate.d.ts.map

package/dist/kex/kexstate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kexstate.d.ts","sourceRoot":"","sources":["../../kex/kexstate.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAA+C,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAGrG,MAAM,MAAM,QAAQ,GAAG,MAAM,GAAG,aAAa,GAAG,YAAY,GAAG,UAAU,CAAC;AAE1E,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,QAAQ,CAAC;IAChB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,UAAU,EAAE,oBAAoB,GAAG,IAAI,CAAC;IACxC,QAAQ,EAAE,UAAU,GAAG,IAAI,CAAC;IAC5B,QAAQ,EAAE,UAAU,GAAG,IAAI,CAAC;CAC7B;AAED,wBAAgB,cAAc,IAAI,QAAQ,CASzC;AAED,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EAAE,EACjB,UAAU,EAAE,MAAM,EAAE,GACnB,MAAM,GAAG,IAAI,CAEf;AAED,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,MAAM,EAAE,EACtB,eAAe,EAAE,MAAM,EAAE,EACzB,YAAY,EAAE,MAAM,EAAE,EACtB,SAAS,EAAE,MAAM,EAAE,EACnB,YAAY,EAAE,MAAM,EAAE,EACtB,SAAS,EAAE,MAAM,EAAE,GAClB,oBAAoB,GAAG,IAAI,CAM7B;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAI/C;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,QAAQ,GAAG,QAAQ,CAQ9D"}

package/dist/kex/kexstate.js

@@ -0,0 +1,35 @@
+export function createKexState() {
+    return {
+        phase: "init",
+        serverKexList: [],
+        serverHostKeyTypes: [],
+        negotiated: null,
+        kexInitC: null,
+        kexInitS: null,
+    };
+}
+export function selectAlgorithm(ourList, serverList) {
+    return ourList.find((a) => serverList.includes(a)) ?? null;
+}
+export function negotiateAlgorithms(preferredKex, preferredCipher, preferredMac, serverKex, serverCipher, serverMac) {
+    const kex = selectAlgorithm(preferredKex, serverKex);
+    const cipher = selectAlgorithm(preferredCipher, serverCipher);
+    const mac = selectAlgorithm(preferredMac, serverMac);
+    if (!kex || !cipher || !mac)
+        return null;
+    return { kex, cipher, mac };
+}
+export function isValidKex(kex) {
+    return kex === "curve25519-sha256" ||
+        kex === "curve25519-sha256@libssh.org" ||
+        kex === "diffie-hellman-group14-sha256";
+}
+export function transitionKexPhase(current) {
+    const transitions = {
+        "init": "negotiating",
+        "negotiating": "exchanging",
+        "exchanging": "complete",
+        "complete": "complete",
+    };
+    return transitions[current];
+}

package/dist/protocol/codec.d.ts

@@ -0,0 +1,7 @@
+export interface ParsedPacket {
+    payload: Uint8Array;
+    consumed: number;
+}
+export declare function buildPacket(payload: Uint8Array, etm?: boolean): Uint8Array;
+export declare function parsePacket(data: Uint8Array): ParsedPacket | null;
+//# sourceMappingURL=codec.d.ts.map

package/dist/protocol/codec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"codec.d.ts","sourceRoot":"","sources":["../../protocol/codec.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,UAAU,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,UAAQ,GAAG,UAAU,CAUxE;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,YAAY,GAAG,IAAI,CASjE"}