termify-agent 1.0.32 → 1.0.34

package/dist/network/key-rotation.d.ts

@@ -0,0 +1,55 @@
+import { EventEmitter } from 'node:events';
+export interface KeyRotationConfig {
+    /** Interval between key rotations in ms (default: 24 hours) */
+    rotationIntervalMs: number;
+    /** Random jitter to prevent thundering herd (default: up to 1 hour) */
+    jitterMs: number;
+}
+/**
+ * Manages periodic key rotation for WireGuard.
+ *
+ * Flow:
+ * 1. Timer fires -> emits 'rotate-needed' event
+ * 2. WireGuardManager generates new keypair
+ * 3. Agent sends agent.wg.rotate.propose to server
+ * 4. Server distributes update to peers
+ * 5. Peers ACK with agent.wg.rotate.applied
+ * 6. Server sends server.wg.rotate.commit to agent
+ * 7. Agent applies the new key on its interface
+ *
+ * Events:
+ * - 'rotate-needed' : time to rotate
+ * - 'rotate-committed' : { keyVersion } -- rotation confirmed by server
+ */
+export declare class KeyRotation extends EventEmitter {
+    private config;
+    private rotationTimer;
+    private _currentVersion;
+    private _pendingVersion;
+    private _isRotating;
+    constructor(config?: Partial<KeyRotationConfig>);
+    get currentVersion(): number;
+    get isRotating(): boolean;
+    /**
+     * Start the rotation timer.
+     */
+    start(): void;
+    /**
+     * Stop the rotation timer.
+     */
+    stop(): void;
+    /**
+     * Called when the agent initiates a rotation (increments version, marks rotating).
+     */
+    proposeRotation(): number;
+    /**
+     * Called when server confirms the rotation is committed.
+     */
+    confirmRotation(keyVersion: number): void;
+    /**
+     * Force an immediate rotation (for security incidents).
+     */
+    forceRotation(): void;
+    private scheduleNextRotation;
+}
+//# sourceMappingURL=key-rotation.d.ts.map

package/dist/network/key-rotation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-rotation.d.ts","sourceRoot":"","sources":["../../src/network/key-rotation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,MAAM,WAAW,iBAAiB;IAChC,+DAA+D;IAC/D,kBAAkB,EAAE,MAAM,CAAC;IAC3B,uEAAuE;IACvE,QAAQ,EAAE,MAAM,CAAC;CAClB;AAOD;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,WAAY,SAAQ,YAAY;IAC3C,OAAO,CAAC,MAAM,CAAoB;IAClC,OAAO,CAAC,aAAa,CAA+B;IACpD,OAAO,CAAC,eAAe,CAAa;IACpC,OAAO,CAAC,eAAe,CAAuB;IAC9C,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC;IAK/C,IAAI,cAAc,IAAI,MAAM,CAE3B;IAED,IAAI,UAAU,IAAI,OAAO,CAExB;IAED;;OAEG;IACH,KAAK,IAAI,IAAI;IAMb;;OAEG;IACH,IAAI,IAAI,IAAI;IASZ;;OAEG;IACH,eAAe,IAAI,MAAM;IAOzB;;OAEG;IACH,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAWzC;;OAEG;IACH,aAAa,IAAI,IAAI;IAQrB,OAAO,CAAC,oBAAoB;CAgB7B"}

package/dist/network/key-rotation.js

@@ -0,0 +1,105 @@
+import { EventEmitter } from 'node:events';
+import { logger } from '../utils/logger.js';
+const DEFAULT_CONFIG = {
+    rotationIntervalMs: 24 * 60 * 60 * 1000, // 24 hours
+    jitterMs: 60 * 60 * 1000, // 1 hour jitter
+};
+/**
+ * Manages periodic key rotation for WireGuard.
+ *
+ * Flow:
+ * 1. Timer fires -> emits 'rotate-needed' event
+ * 2. WireGuardManager generates new keypair
+ * 3. Agent sends agent.wg.rotate.propose to server
+ * 4. Server distributes update to peers
+ * 5. Peers ACK with agent.wg.rotate.applied
+ * 6. Server sends server.wg.rotate.commit to agent
+ * 7. Agent applies the new key on its interface
+ *
+ * Events:
+ * - 'rotate-needed' : time to rotate
+ * - 'rotate-committed' : { keyVersion } -- rotation confirmed by server
+ */
+export class KeyRotation extends EventEmitter {
+    config;
+    rotationTimer = null;
+    _currentVersion = 0;
+    _pendingVersion = null;
+    _isRotating = false;
+    constructor(config) {
+        super();
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    get currentVersion() {
+        return this._currentVersion;
+    }
+    get isRotating() {
+        return this._isRotating;
+    }
+    /**
+     * Start the rotation timer.
+     */
+    start() {
+        if (this.rotationTimer)
+            return;
+        this.scheduleNextRotation();
+        logger.info(`[KeyRotation] Started with interval=${this.config.rotationIntervalMs}ms, jitter=${this.config.jitterMs}ms`);
+    }
+    /**
+     * Stop the rotation timer.
+     */
+    stop() {
+        if (this.rotationTimer) {
+            clearTimeout(this.rotationTimer);
+            this.rotationTimer = null;
+        }
+        this._isRotating = false;
+        this._pendingVersion = null;
+    }
+    /**
+     * Called when the agent initiates a rotation (increments version, marks rotating).
+     */
+    proposeRotation() {
+        this._currentVersion++;
+        this._pendingVersion = this._currentVersion;
+        this._isRotating = true;
+        return this._currentVersion;
+    }
+    /**
+     * Called when server confirms the rotation is committed.
+     */
+    confirmRotation(keyVersion) {
+        if (this._pendingVersion === keyVersion) {
+            this._isRotating = false;
+            this._pendingVersion = null;
+            this.emit('rotate-committed', { keyVersion });
+            logger.info(`[KeyRotation] Rotation committed: v${keyVersion}`);
+            // Schedule next rotation
+            this.scheduleNextRotation();
+        }
+    }
+    /**
+     * Force an immediate rotation (for security incidents).
+     */
+    forceRotation() {
+        if (this._isRotating) {
+            logger.warn('[KeyRotation] Already rotating, ignoring force');
+            return;
+        }
+        this.emit('rotate-needed');
+    }
+    scheduleNextRotation() {
+        if (this.rotationTimer) {
+            clearTimeout(this.rotationTimer);
+        }
+        const jitter = Math.floor(Math.random() * this.config.jitterMs);
+        const delay = this.config.rotationIntervalMs + jitter;
+        this.rotationTimer = setTimeout(() => {
+            if (!this._isRotating) {
+                this.emit('rotate-needed');
+            }
+        }, delay);
+        logger.debug(`[KeyRotation] Next rotation in ${Math.round(delay / 1000 / 60)} minutes`);
+    }
+}
+//# sourceMappingURL=key-rotation.js.map

package/dist/network/key-rotation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-rotation.js","sourceRoot":"","sources":["../../src/network/key-rotation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAS5C,MAAM,cAAc,GAAsB;IACxC,kBAAkB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,WAAW;IACpD,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAkB,gBAAgB;CAC3D,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,OAAO,WAAY,SAAQ,YAAY;IACnC,MAAM,CAAoB;IAC1B,aAAa,GAA0B,IAAI,CAAC;IAC5C,eAAe,GAAW,CAAC,CAAC;IAC5B,eAAe,GAAkB,IAAI,CAAC;IACtC,WAAW,GAAY,KAAK,CAAC;IAErC,YAAY,MAAmC;QAC7C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,EAAE,CAAC;IACjD,CAAC;IAED,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,IAAI,CAAC,aAAa;YAAE,OAAO;QAC/B,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,uCAAuC,IAAI,CAAC,MAAM,CAAC,kBAAkB,cAAc,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC;IAC3H,CAAC;IAED;;OAEG;IACH,IAAI;QACF,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YACjC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;QACzB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,eAAe;QACb,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;QAC5C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,UAAkB;QAChC,IAAI,IAAI,CAAC,eAAe,KAAK,UAAU,EAAE,CAAC;YACxC,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;YACzB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC;YAC9C,MAAM,CAAC,IAAI,CAAC,sCAAsC,UAAU,EAAE,CAAC,CAAC;YAChE,yBAAyB;YACzB,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC9B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,aAAa;QACX,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC7B,CAAC;IAEO,oBAAoB;QAC1B,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChE,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,kBAAkB,GAAG,MAAM,CAAC;QAEtD,IAAI,CAAC,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YACnC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACtB,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC,EAAE,KAAK,CAAC,CAAC;QAEV,MAAM,CAAC,KAAK,CAAC,kCAAkC,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC;IAC1F,CAAC;CACF"}

package/dist/network/nat-traversal.d.ts

@@ -0,0 +1,27 @@
+import { EventEmitter } from 'node:events';
+export interface NatProbeConfig {
+    token: string;
+    servers: Array<{
+        host: string;
+        port: number;
+        id: 'a' | 'b';
+    }>;
+}
+/**
+ * Handles NAT traversal probing from the agent side.
+ * Uses the WireGuard listen port to send UDP probes to discovery servers.
+ */
+export declare class NatTraversal extends EventEmitter {
+    private listenPort;
+    private probeSocket;
+    private probeTimeout;
+    setListenPort(port: number): void;
+    /**
+     * Execute a NAT probe: send UDP datagrams to both discovery servers
+     * from the WG listen port. Probe datagram format: "TERMIFY_PROBE:<token>"
+     */
+    probe(config: NatProbeConfig): Promise<void>;
+    cleanup(): void;
+    shutdown(): void;
+}
+//# sourceMappingURL=nat-traversal.d.ts.map

package/dist/network/nat-traversal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nat-traversal.d.ts","sourceRoot":"","sources":["../../src/network/nat-traversal.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,GAAG,GAAG,GAAG,CAAA;KAAE,CAAC,CAAC;CAC/D;AAED;;;GAGG;AACH,qBAAa,YAAa,SAAQ,YAAY;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,YAAY,CAA+B;IAEnD,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAIjC;;;OAGG;IACG,KAAK,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAyClD,OAAO,IAAI,IAAI;IAWf,QAAQ,IAAI,IAAI;CAGjB"}

package/dist/network/nat-traversal.js

@@ -0,0 +1,76 @@
+import { createSocket } from 'node:dgram';
+import { EventEmitter } from 'node:events';
+import { logger } from '../utils/logger.js';
+/**
+ * Handles NAT traversal probing from the agent side.
+ * Uses the WireGuard listen port to send UDP probes to discovery servers.
+ */
+export class NatTraversal extends EventEmitter {
+    listenPort = null;
+    probeSocket = null;
+    probeTimeout = null;
+    setListenPort(port) {
+        this.listenPort = port;
+    }
+    /**
+     * Execute a NAT probe: send UDP datagrams to both discovery servers
+     * from the WG listen port. Probe datagram format: "TERMIFY_PROBE:<token>"
+     */
+    async probe(config) {
+        if (!this.listenPort) {
+            logger.warn('[NAT] Cannot probe: listen port not set');
+            return;
+        }
+        // Create UDP socket, try to bind to WG listen port with SO_REUSEADDR
+        try {
+            this.probeSocket = createSocket({ type: 'udp4', reuseAddr: true });
+            await new Promise((resolve, reject) => {
+                this.probeSocket.bind(this.listenPort, () => resolve());
+                this.probeSocket.once('error', reject);
+            });
+        }
+        catch {
+            // Fallback: ephemeral port (less accurate but still useful)
+            logger.warn('[NAT] Could not bind to WG port, using ephemeral port');
+            this.probeSocket = createSocket({ type: 'udp4' });
+        }
+        const message = Buffer.from(`TERMIFY_PROBE:${config.token}`);
+        for (const server of config.servers) {
+            try {
+                await new Promise((resolve, reject) => {
+                    this.probeSocket.send(message, 0, message.length, server.port, server.host, (err) => {
+                        if (err)
+                            reject(err);
+                        else
+                            resolve();
+                    });
+                });
+                logger.debug(`[NAT] Probe sent to ${server.id} (${server.host}:${server.port})`);
+            }
+            catch (err) {
+                logger.error(`[NAT] Failed to send probe to ${server.id}:`, err);
+            }
+        }
+        // Close socket after packets are sent
+        this.probeTimeout = setTimeout(() => {
+            this.cleanup();
+        }, 2000);
+    }
+    cleanup() {
+        if (this.probeTimeout) {
+            clearTimeout(this.probeTimeout);
+            this.probeTimeout = null;
+        }
+        if (this.probeSocket) {
+            try {
+                this.probeSocket.close();
+            }
+            catch { /* already closed */ }
+            this.probeSocket = null;
+        }
+    }
+    shutdown() {
+        this.cleanup();
+    }
+}
+//# sourceMappingURL=nat-traversal.js.map

package/dist/network/nat-traversal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nat-traversal.js","sourceRoot":"","sources":["../../src/network/nat-traversal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAe,MAAM,YAAY,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAO5C;;;GAGG;AACH,MAAM,OAAO,YAAa,SAAQ,YAAY;IACpC,UAAU,GAAkB,IAAI,CAAC;IACjC,WAAW,GAAkB,IAAI,CAAC;IAClC,YAAY,GAA0B,IAAI,CAAC;IAEnD,aAAa,CAAC,IAAY;QACxB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IACzB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,KAAK,CAAC,MAAsB;QAChC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,IAAI,CAAC;YACH,IAAI,CAAC,WAAW,GAAG,YAAY,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACnE,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC1C,IAAI,CAAC,WAAY,CAAC,IAAI,CAAC,IAAI,CAAC,UAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC1D,IAAI,CAAC,WAAY,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC1C,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,4DAA4D;YAC5D,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;YACrE,IAAI,CAAC,WAAW,GAAG,YAAY,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QAE7D,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBAC1C,IAAI,CAAC,WAAY,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE;wBACnF,IAAI,GAAG;4BAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;4BAChB,OAAO,EAAE,CAAC;oBACjB,CAAC,CAAC,CAAC;gBACL,CAAC,CAAC,CAAC;gBACH,MAAM,CAAC,KAAK,CAAC,uBAAuB,MAAM,CAAC,EAAE,KAAK,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC;YACnF,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,iCAAiC,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,IAAI,CAAC,YAAY,GAAG,UAAU,CAAC,GAAG,EAAE;YAClC,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC,EAAE,IAAI,CAAC,CAAC;IACX,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAChC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,IAAI,CAAC;gBAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,CAAC;YAChE,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,QAAQ;QACN,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF"}

package/dist/network/uapi-client.d.ts

@@ -0,0 +1,50 @@
+/**
+ * WireGuard UAPI (Userspace API) client.
+ *
+ * Communicates with wireguard-go via its Unix domain socket at
+ * /var/run/wireguard/<iface>.sock using the UAPI text protocol.
+ *
+ * This eliminates the need for the `wg` CLI tool when using wireguard-go,
+ * enabling a fully self-contained agent (same model as Tailscale).
+ *
+ * Protocol spec: https://www.wireguard.com/xplatform/#configuration-protocol
+ */
+import type { WgHealthSnapshot } from './wireguard-backend.js';
+/**
+ * Convert a WireGuard base64 key to hex (UAPI requires hex-encoded keys).
+ */
+export declare function wgKeyToHex(base64Key: string): string;
+/**
+ * Convert a hex-encoded key back to WireGuard base64 format.
+ */
+export declare function hexToWgKey(hexKey: string): string;
+/**
+ * Configure the WireGuard interface (private key + listen port).
+ * Equivalent to: wg set <iface> private-key <path> listen-port <port>
+ */
+export declare function uapiSetInterface(iface: string, privateKeyBase64: string, listenPort: number): Promise<void>;
+/**
+ * Add or update a peer.
+ * Equivalent to: wg set <iface> peer <pubkey> allowed-ips <ips> endpoint <ep> persistent-keepalive <ka>
+ */
+export declare function uapiAddPeer(iface: string, publicKeyBase64: string, allowedIps: string, persistentKeepalive: number, endpoint?: string): Promise<void>;
+/**
+ * Remove a peer by its public key.
+ * Equivalent to: wg set <iface> peer <pubkey> remove
+ */
+export declare function uapiRemovePeer(iface: string, publicKeyBase64: string): Promise<void>;
+/**
+ * Update only the endpoint of an existing peer.
+ * Equivalent to: wg set <iface> peer <pubkey> endpoint <ep>
+ */
+export declare function uapiUpdatePeerEndpoint(iface: string, publicKeyBase64: string, endpoint: string): Promise<void>;
+/**
+ * Get the full interface status (self + all peers).
+ * Equivalent to: wg show <iface> dump
+ *
+ * Note: UAPI GET response contains private_key and listen_port for the
+ * interface section, then each peer starts with a public_key line.
+ * The interface's own public key is derived from the private key.
+ */
+export declare function uapiGetStatus(iface: string): Promise<WgHealthSnapshot>;
+//# sourceMappingURL=uapi-client.d.ts.map

package/dist/network/uapi-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"uapi-client.d.ts","sourceRoot":"","sources":["../../src/network/uapi-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,KAAK,EAAE,gBAAgB,EAAgB,MAAM,wBAAwB,CAAC;AAM7E;;GAEG;AACH,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEpD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEjD;AA+DD;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE,MAAM,EAClB,mBAAmB,EAAE,MAAM,EAC3B,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC,CAqBf;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,EACb,eAAe,EAAE,MAAM,EACvB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA+H5E"}

package/dist/network/uapi-client.js

@@ -0,0 +1,260 @@
+/**
+ * WireGuard UAPI (Userspace API) client.
+ *
+ * Communicates with wireguard-go via its Unix domain socket at
+ * /var/run/wireguard/<iface>.sock using the UAPI text protocol.
+ *
+ * This eliminates the need for the `wg` CLI tool when using wireguard-go,
+ * enabling a fully self-contained agent (same model as Tailscale).
+ *
+ * Protocol spec: https://www.wireguard.com/xplatform/#configuration-protocol
+ */
+import { createConnection } from 'node:net';
+import { logger } from '../utils/logger.js';
+// ---------------------------------------------------------------------------
+// Key encoding helpers
+// ---------------------------------------------------------------------------
+/**
+ * Convert a WireGuard base64 key to hex (UAPI requires hex-encoded keys).
+ */
+export function wgKeyToHex(base64Key) {
+    return Buffer.from(base64Key, 'base64').toString('hex');
+}
+/**
+ * Convert a hex-encoded key back to WireGuard base64 format.
+ */
+export function hexToWgKey(hexKey) {
+    return Buffer.from(hexKey, 'hex').toString('base64');
+}
+// ---------------------------------------------------------------------------
+// Socket communication
+// ---------------------------------------------------------------------------
+const SOCKET_DIR = '/var/run/wireguard';
+function socketPath(iface) {
+    return `${SOCKET_DIR}/${iface}.sock`;
+}
+/**
+ * Send a UAPI request and read the full response.
+ * Returns the raw response string.
+ */
+async function uapiRequest(iface, request) {
+    return new Promise((resolve, reject) => {
+        const sock = createConnection(socketPath(iface));
+        let response = '';
+        sock.on('connect', () => {
+            sock.write(request);
+        });
+        sock.on('data', (data) => {
+            response += data.toString();
+        });
+        sock.on('end', () => {
+            resolve(response);
+        });
+        sock.on('error', (err) => {
+            reject(new Error(`UAPI socket error (${iface}): ${err.message}`));
+        });
+        // Safety timeout
+        sock.setTimeout(5000, () => {
+            sock.destroy();
+            reject(new Error(`UAPI socket timeout (${iface})`));
+        });
+    });
+}
+/**
+ * Parse errno from UAPI response. Returns 0 on success, throws on error.
+ */
+function checkErrno(response, operation) {
+    const match = /^errno=(\d+)$/m.exec(response);
+    if (!match) {
+        throw new Error(`UAPI ${operation}: no errno in response`);
+    }
+    const errno = parseInt(match[1], 10);
+    if (errno !== 0) {
+        throw new Error(`UAPI ${operation} failed: errno=${errno}`);
+    }
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Configure the WireGuard interface (private key + listen port).
+ * Equivalent to: wg set <iface> private-key <path> listen-port <port>
+ */
+export async function uapiSetInterface(iface, privateKeyBase64, listenPort) {
+    const request = `set=1\n` +
+        `private_key=${wgKeyToHex(privateKeyBase64)}\n` +
+        `listen_port=${listenPort}\n` +
+        `\n`;
+    const response = await uapiRequest(iface, request);
+    checkErrno(response, 'setInterface');
+    logger.debug('[UAPI] Interface configured: port=' + listenPort);
+}
+/**
+ * Add or update a peer.
+ * Equivalent to: wg set <iface> peer <pubkey> allowed-ips <ips> endpoint <ep> persistent-keepalive <ka>
+ */
+export async function uapiAddPeer(iface, publicKeyBase64, allowedIps, persistentKeepalive, endpoint) {
+    let request = `set=1\n` +
+        `public_key=${wgKeyToHex(publicKeyBase64)}\n`;
+    if (endpoint) {
+        request += `endpoint=${endpoint}\n`;
+    }
+    // allowed_ips: each CIDR on its own line
+    const ips = allowedIps.split(',').map((s) => s.trim());
+    for (const ip of ips) {
+        request += `allowed_ip=${ip}\n`;
+    }
+    request += `persistent_keepalive_interval=${persistentKeepalive}\n`;
+    request += `\n`;
+    const response = await uapiRequest(iface, request);
+    checkErrno(response, 'addPeer');
+    logger.debug('[UAPI] Peer added: ' + publicKeyBase64.slice(0, 8) + '...');
+}
+/**
+ * Remove a peer by its public key.
+ * Equivalent to: wg set <iface> peer <pubkey> remove
+ */
+export async function uapiRemovePeer(iface, publicKeyBase64) {
+    const request = `set=1\n` +
+        `public_key=${wgKeyToHex(publicKeyBase64)}\n` +
+        `remove=true\n` +
+        `\n`;
+    const response = await uapiRequest(iface, request);
+    checkErrno(response, 'removePeer');
+    logger.debug('[UAPI] Peer removed: ' + publicKeyBase64.slice(0, 8) + '...');
+}
+/**
+ * Update only the endpoint of an existing peer.
+ * Equivalent to: wg set <iface> peer <pubkey> endpoint <ep>
+ */
+export async function uapiUpdatePeerEndpoint(iface, publicKeyBase64, endpoint) {
+    const request = `set=1\n` +
+        `public_key=${wgKeyToHex(publicKeyBase64)}\n` +
+        `endpoint=${endpoint}\n` +
+        `\n`;
+    const response = await uapiRequest(iface, request);
+    checkErrno(response, 'updatePeerEndpoint');
+    logger.debug('[UAPI] Endpoint updated for peer ' + publicKeyBase64.slice(0, 8) + '...');
+}
+/**
+ * Get the full interface status (self + all peers).
+ * Equivalent to: wg show <iface> dump
+ *
+ * Note: UAPI GET response contains private_key and listen_port for the
+ * interface section, then each peer starts with a public_key line.
+ * The interface's own public key is derived from the private key.
+ */
+export async function uapiGetStatus(iface) {
+    const request = `get=1\n\n`;
+    let response;
+    try {
+        response = await uapiRequest(iface, request);
+    }
+    catch {
+        return {
+            interfaceUp: false,
+            publicKey: '',
+            listenPort: 0,
+            peers: [],
+        };
+    }
+    checkErrno(response, 'getStatus');
+    const lines = response.trim().split('\n');
+    let privateKeyHex = '';
+    let listenPort = 0;
+    const peers = [];
+    let currentPeer = null;
+    for (const line of lines) {
+        if (line.startsWith('errno='))
+            continue;
+        const eqIdx = line.indexOf('=');
+        if (eqIdx === -1)
+            continue;
+        const key = line.substring(0, eqIdx);
+        const value = line.substring(eqIdx + 1);
+        switch (key) {
+            case 'private_key':
+                privateKeyHex = value;
+                break;
+            case 'listen_port':
+                if (!currentPeer) {
+                    listenPort = parseInt(value, 10);
+                }
+                break;
+            case 'public_key':
+                // Every public_key line in UAPI GET marks the start of a new peer
+                if (currentPeer) {
+                    peers.push(currentPeer);
+                }
+                currentPeer = {
+                    publicKey: hexToWgKey(value),
+                    allowedIps: '',
+                    transferRx: 0,
+                    transferTx: 0,
+                };
+                break;
+            case 'endpoint':
+                if (currentPeer && value && value !== '(none)') {
+                    currentPeer.endpoint = value;
+                }
+                break;
+            case 'allowed_ip':
+                if (currentPeer) {
+                    currentPeer.allowedIps = currentPeer.allowedIps
+                        ? currentPeer.allowedIps + ',' + value
+                        : value;
+                }
+                break;
+            case 'last_handshake_time_sec': {
+                if (currentPeer) {
+                    const epoch = parseInt(value, 10);
+                    if (epoch > 0) {
+                        currentPeer.latestHandshake = new Date(epoch * 1000);
+                    }
+                }
+                break;
+            }
+            case 'rx_bytes':
+                if (currentPeer) {
+                    currentPeer.transferRx = parseInt(value, 10);
+                }
+                break;
+            case 'tx_bytes':
+                if (currentPeer) {
+                    currentPeer.transferTx = parseInt(value, 10);
+                }
+                break;
+            default:
+                break;
+        }
+    }
+    // Push last peer
+    if (currentPeer) {
+        peers.push(currentPeer);
+    }
+    // Derive public key from private key using X25519
+    let publicKey = '';
+    if (privateKeyHex) {
+        try {
+            const { createPublicKey, createPrivateKey } = await import('node:crypto');
+            // Build PKCS#8 DER: 16-byte header + 32-byte raw private key
+            const privRaw = Buffer.from(privateKeyHex, 'hex');
+            const pkcs8Header = Buffer.from('302e020100300506032b656e04220420', 'hex');
+            const pkcs8Der = Buffer.concat([pkcs8Header, privRaw]);
+            const privKeyObj = createPrivateKey({ key: pkcs8Der, format: 'der', type: 'pkcs8' });
+            const pubKeyObj = createPublicKey(privKeyObj);
+            const spkiDer = pubKeyObj.export({ type: 'spki', format: 'der' });
+            publicKey = spkiDer.subarray(12).toString('base64');
+        }
+        catch {
+            // If derivation fails, leave empty — caller can fill from state store
+        }
+    }
+    return {
+        interfaceUp: true,
+        publicKey,
+        listenPort,
+        peers,
+    };
+}
+//# sourceMappingURL=uapi-client.js.map

package/dist/network/uapi-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"uapi-client.js","sourceRoot":"","sources":["../../src/network/uapi-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,gBAAgB,EAAe,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAG5C,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,SAAiB;IAC1C,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,MAAc;IACvC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACvD,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,MAAM,UAAU,GAAG,oBAAoB,CAAC;AAExC,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,GAAG,UAAU,IAAI,KAAK,OAAO,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,WAAW,CAAC,KAAa,EAAE,OAAe;IACvD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,IAAI,GAAW,gBAAgB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;QACzD,IAAI,QAAQ,GAAG,EAAE,CAAC;QAElB,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACtB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACtB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC/B,QAAQ,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YAClB,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC9B,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,KAAK,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,iBAAiB;QACjB,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE;YACzB,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,KAAK,GAAG,CAAC,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,QAAgB,EAAE,SAAiB;IACrD,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,QAAQ,SAAS,wBAAwB,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,QAAQ,SAAS,kBAAkB,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAa,EACb,gBAAwB,EACxB,UAAkB;IAElB,MAAM,OAAO,GACX,SAAS;QACT,eAAe,UAAU,CAAC,gBAAgB,CAAC,IAAI;QAC/C,eAAe,UAAU,IAAI;QAC7B,IAAI,CAAC;IAEP,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACnD,UAAU,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACrC,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,UAAU,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,eAAuB,EACvB,UAAkB,EAClB,mBAA2B,EAC3B,QAAiB;IAEjB,IAAI,OAAO,GACT,SAAS;QACT,cAAc,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC;IAEhD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,IAAI,YAAY,QAAQ,IAAI,CAAC;IACtC,CAAC;IAED,yCAAyC;IACzC,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACvD,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,OAAO,IAAI,cAAc,EAAE,IAAI,CAAC;IAClC,CAAC;IAED,OAAO,IAAI,iCAAiC,mBAAmB,IAAI,CAAC;IACpE,OAAO,IAAI,IAAI,CAAC;IAEhB,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACnD,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAChC,MAAM,CAAC,KAAK,CAAC,qBAAqB,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;AAC5E,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAa,EACb,eAAuB;IAEvB,MAAM,OAAO,GACX,SAAS;QACT,cAAc,UAAU,CAAC,eAAe,CAAC,IAAI;QAC7C,eAAe;QACf,IAAI,CAAC;IAEP,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACnD,UAAU,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IACnC,MAAM,CAAC,KAAK,CAAC,uBAAuB,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,KAAa,EACb,eAAuB,EACvB,QAAgB;IAEhB,MAAM,OAAO,GACX,SAAS;QACT,cAAc,UAAU,CAAC,eAAe,CAAC,IAAI;QAC7C,YAAY,QAAQ,IAAI;QACxB,IAAI,CAAC;IAEP,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACnD,UAAU,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;IAC3C,MAAM,CAAC,KAAK,CAAC,mCAAmC,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;AAC1F,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAa;IAC/C,MAAM,OAAO,GAAG,WAAW,CAAC;IAE5B,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,WAAW,EAAE,KAAK;YAClB,SAAS,EAAE,EAAE;YACb,UAAU,EAAE,CAAC;YACb,KAAK,EAAE,EAAE;SACV,CAAC;IACJ,CAAC;IAED,UAAU,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAElC,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE1C,IAAI,aAAa,GAAG,EAAE,CAAC;IACvB,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,MAAM,KAAK,GAAmB,EAAE,CAAC;IACjC,IAAI,WAAW,GAAwB,IAAI,CAAC;IAE5C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,SAAS;QAExC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,KAAK,KAAK,CAAC,CAAC;YAAE,SAAS;QAE3B,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAExC,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,aAAa;gBAChB,aAAa,GAAG,KAAK,CAAC;gBACtB,MAAM;YAER,KAAK,aAAa;gBAChB,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACnC,CAAC;gBACD,MAAM;YAER,KAAK,YAAY;gBACf,kEAAkE;gBAClE,IAAI,WAAW,EAAE,CAAC;oBAChB,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBAC1B,CAAC;gBACD,WAAW,GAAG;oBACZ,SAAS,EAAE,UAAU,CAAC,KAAK,CAAC;oBAC5B,UAAU,EAAE,EAAE;oBACd,UAAU,EAAE,CAAC;oBACb,UAAU,EAAE,CAAC;iBACd,CAAC;gBACF,MAAM;YAER,KAAK,UAAU;gBACb,IAAI,WAAW,IAAI,KAAK,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC/C,WAAW,CAAC,QAAQ,GAAG,KAAK,CAAC;gBAC/B,CAAC;gBACD,MAAM;YAER,KAAK,YAAY;gBACf,IAAI,WAAW,EAAE,CAAC;oBAChB,WAAW,CAAC,UAAU,GAAG,WAAW,CAAC,UAAU;wBAC7C,CAAC,CAAC,WAAW,CAAC,UAAU,GAAG,GAAG,GAAG,KAAK;wBACtC,CAAC,CAAC,KAAK,CAAC;gBACZ,CAAC;gBACD,MAAM;YAER,KAAK,yBAAyB,CAAC,CAAC,CAAC;gBAC/B,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBAClC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;wBACd,WAAW,CAAC,eAAe,GAAG,IAAI,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;oBACvD,CAAC;gBACH,CAAC;gBACD,MAAM;YACR,CAAC;YAED,KAAK,UAAU;gBACb,IAAI,WAAW,EAAE,CAAC;oBAChB,WAAW,CAAC,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAC/C,CAAC;gBACD,MAAM;YAER,KAAK,UAAU;gBACb,IAAI,WAAW,EAAE,CAAC;oBAChB,WAAW,CAAC,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAC/C,CAAC;gBACD,MAAM;YAER;gBACE,MAAM;QACV,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC1B,CAAC;IAED,kDAAkD;IAClD,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,eAAe,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YAC1E,6DAA6D;YAC7D,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;YAClD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;YAC3E,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;YACvD,MAAM,UAAU,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACrF,MAAM,SAAS,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YAClE,SAAS,GAAI,OAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,sEAAsE;QACxE,CAAC;IACH,CAAC;IAED,OAAO;QACL,WAAW,EAAE,IAAI;QACjB,SAAS;QACT,UAAU;QACV,KAAK;KACN,CAAC;AACJ,CAAC"}