tslocal 0.1.0

package/dist/index.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.mts","names":[],"sources":["../ts/src/transport.ts","../ts/src/types.ts","../ts/src/client.ts","../ts/src/errors.ts"],"mappings":";;;UASiB,gBAAA;EACf,UAAA;EACA,aAAA;AAAA;;;;;;;;;;;cCgDW,gBAAA,EAAgB,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KA2HjB,UAAA,GAAa,CAAA,CAAE,KAAA,QAAa,gBAAA;;cAc3B,mBAAA,EAAmB,CAAA,CAAA,SAAA;;;;;KAkBpB,aAAA,GAAgB,CAAA,CAAE,KAAA,QAAa,mBAAA;;;;;;cAO9B,iBAAA,EAAiB,CAAA,CAAA,SAAA;;;;;;KAQlB,WAAA,GAAc,CAAA,CAAE,KAAA,QAAa,iBAAA;;;;;;;cAQ5B,mBAAA,EAAmB,CAAA,CAAA,SAAA;;;;;;;;KA8BpB,aAAA,GAAgB,CAAA,CAAE,KAAA,QAAa,mBAAA;;cAG9B,YAAA,EAAY,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAiEb,MAAA,GAAS,CAAA,CAAE,KAAA,QAAa,YAAA;;;;;cAmmBvB,iBAAA,EAAiB,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KA+BlB,WAAA,GAAc,CAAA,CAAE,KAAA,QAAa,iBAAA;;;;;;;EAOvC,IAAA;AAAA;;;;;cAOW,mBAAA,EAAmB,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KASpB,aAAA,GAAgB,CAAA,CAAE,KAAA,QAAa,mBAAA;;cAG9B,oBAAA,EAAoB,CAAA,CAAA,SAAA;;;;;KAKrB,cAAA,GAAiB,CAAA,CAAE,KAAA,QAAa,oBAAA;;;;ADv+B5C;;;;cEgBa,WAAA;EAAA,iBACM,SAAA;cAEL,IAAA,GAAM,gBAAA;EAAA,QAIJ,SAAA;EAAA,QAiBA,aAAA;EAAA,QAmBA,MAAA;EAAA,QAIA,OAAA;;EAOR,MAAA,CAAA,GAAU,OAAA,CAAQ,MAAA;;EAMlB,kBAAA,CAAA,GAAsB,OAAA,CAAQ,MAAA;EAAA,QAOtB,OAAA;;EAkBR,KAAA,CAAM,UAAA,WAAqB,OAAA,CAAQ,aAAA;;EAKnC,YAAA,CAAa,OAAA,WAAkB,OAAA,CAAQ,aAAA;;EAKvC,UAAA,CAAW,KAAA,UAAe,UAAA,WAAqB,OAAA,CAAQ,aAAA;;EAOvD,QAAA,CAAS,MAAA,WAAiB,OAAA;IAAU,IAAA,EAAM,MAAA;IAAQ,GAAA,EAAK,MAAA;EAAA;;EAKvD,oBAAA,CACJ,MAAA,UACA,eAAA,WACC,OAAA;IAAU,IAAA,EAAM,MAAA;IAAQ,GAAA,EAAK,MAAA;EAAA;;;;;;;EAwB1B,cAAA,CAAA,GAAkB,OAAA,CAAQ,WAAA;;;;;;;EAoB1B,cAAA,CAAe,MAAA,EAAQ,WAAA,GAAc,OAAA;;EAQ3C,OAAA,CAAA;AAAA;;;;cC1LW,cAAA,SAAuB,KAAA;cACtB,OAAA;AAAA;;cAOD,iBAAA,SAA0B,cAAA;cACzB,OAAA;AAAA;;cAOD,wBAAA,SAAiC,cAAA;cAChC,OAAA;AAAA;;cAOD,iBAAA,SAA0B,cAAA;cACzB,OAAA;AAAA;;cAOD,eAAA,SAAwB,cAAA;cACvB,OAAA;AAAA;;cAOD,qBAAA,SAA8B,eAAA;cAC7B,OAAA;AAAA;;cAOD,SAAA,SAAkB,cAAA;EAAA,SACb,MAAA;cAEJ,MAAA,UAAgB,OAAA;AAAA"}

package/dist/index.mjs

@@ -0,0 +1,651 @@
+import * as http from "node:http";
+import { execFile } from "node:child_process";
+import { readFile, readlink } from "node:fs/promises";
+import { platform } from "node:os";
+import { join } from "node:path";
+import { promisify } from "node:util";
+import { z } from "zod";
+
+//#region ts/src/json.ts
+/** JSON reviver that converts large integers to BigInt to avoid precision loss. */
+const jsonReviver = (_key, value, context) => {
+	if (typeof value === "number" && context?.source && !Number.isSafeInteger(value) && /^-?\d+$/.test(context.source)) return BigInt(context.source);
+	return value;
+};
+/** Parse a JSON string using {@link jsonReviver} for BigInt-safe integer handling. */
+const parseJSON = (str) => JSON.parse(str, jsonReviver);
+/** JSON replacer that serializes BigInt values as raw JSON numbers. */
+const jsonReplacer = (_key, value) => typeof value === "bigint" ? JSON.rawJSON(value.toString()) : value;
+
+//#endregion
+//#region ts/src/errors.ts
+/** Base error for all Tailscale Local API errors. */
+var TailscaleError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "TailscaleError";
+	}
+};
+/** Raised when the server returns HTTP 403. */
+var AccessDeniedError = class extends TailscaleError {
+	constructor(message) {
+		super(`Access denied: ${message}`);
+		this.name = "AccessDeniedError";
+	}
+};
+/** Raised when the server returns HTTP 412. */
+var PreconditionsFailedError = class extends TailscaleError {
+	constructor(message) {
+		super(`Preconditions failed: ${message}`);
+		this.name = "PreconditionsFailedError";
+	}
+};
+/** Raised when a WhoIs lookup returns HTTP 404. */
+var PeerNotFoundError = class extends TailscaleError {
+	constructor(message) {
+		super(`Peer not found: ${message}`);
+		this.name = "PeerNotFoundError";
+	}
+};
+/** Raised when the connection to tailscaled fails. */
+var ConnectionError = class extends TailscaleError {
+	constructor(message) {
+		super(message);
+		this.name = "ConnectionError";
+	}
+};
+/** Raised when tailscaled is not running. */
+var DaemonNotRunningError = class extends ConnectionError {
+	constructor(message) {
+		super(message);
+		this.name = "DaemonNotRunningError";
+	}
+};
+/** Raised for unexpected HTTP status codes. */
+var HttpError = class extends TailscaleError {
+	status;
+	constructor(status, message) {
+		super(`HTTP ${status}: ${message}`);
+		this.name = "HttpError";
+		this.status = status;
+	}
+};
+/** Extract error message from a JSON body like Go's errorMessageFromBody. */
+function errorMessageFromBody(body) {
+	try {
+		return JSON.parse(body)?.error;
+	} catch {
+		return;
+	}
+}
+
+//#endregion
+//#region ts/src/safesocket.ts
+const LOCAL_API_HOST = "local-tailscaled.sock";
+const CURRENT_CAP_VERSION = 131;
+/** Return the default socket path for the current platform. */
+function defaultSocketPath() {
+	if (platform() === "darwin") return "/var/run/tailscaled.socket";
+	return "/var/run/tailscale/tailscaled.sock";
+}
+/** Attempt to discover macOS TCP port and token for tailscaled. */
+async function localTcpPortAndToken() {
+	if (platform() !== "darwin") return;
+	const result = await readMacosSameUserProof();
+	if (result) return result;
+	return readMacsysSameUserProof();
+}
+const execFileP = promisify(execFile);
+async function readMacosSameUserProof() {
+	try {
+		const uid = process.getuid?.();
+		if (uid === void 0) return void 0;
+		const { stdout: output } = await execFileP("lsof", [
+			"-n",
+			"-a",
+			`-u${uid}`,
+			"-c",
+			"IPNExtension",
+			"-F"
+		]);
+		return parseLsofOutput(output);
+	} catch {
+		return;
+	}
+}
+/** Parse lsof -F output looking for sameuserproof-PORT-TOKEN. */
+function parseLsofOutput(output) {
+	const needle = ".tailscale.ipn.macos/sameuserproof-";
+	for (const line of output.split("\n")) {
+		const idx = line.indexOf(needle);
+		if (idx === -1) continue;
+		const rest = line.slice(idx + 35);
+		const dash = rest.indexOf("-");
+		if (dash === -1) continue;
+		const portStr = rest.slice(0, dash);
+		const token = rest.slice(dash + 1);
+		const port = parseInt(portStr, 10);
+		if (!isNaN(port)) return {
+			port,
+			token
+		};
+	}
+}
+async function readMacsysSameUserProof(sharedDir = "/Library/Tailscale") {
+	try {
+		const portStr = await readlink(join(sharedDir, "ipnport"), "utf-8");
+		const port = parseInt(portStr, 10);
+		if (isNaN(port)) return void 0;
+		return {
+			port,
+			token: (await readFile(join(sharedDir, `sameuserproof-${port}`), "utf-8")).trim()
+		};
+	} catch {
+		return;
+	}
+}
+
+//#endregion
+//#region ts/src/transport.ts
+/**
+* Discover TCP port and token for this request.
+*/
+async function resolvePortAndToken(useSocketOnly) {
+	if (useSocketOnly) return void 0;
+	return localTcpPortAndToken();
+}
+/**
+* HTTP transport that connects to tailscaled.
+* Reuses connections via Node.js http.Agent keep-alive.
+* Port and token are discovered per-request (matching Go's behavior),
+* so the client adapts to daemon restarts and late starts.
+*/
+var Transport = class {
+	socketPath;
+	useSocketOnly;
+	agent;
+	constructor(opts = {}) {
+		this.socketPath = opts.socketPath ?? defaultSocketPath();
+		this.useSocketOnly = opts.useSocketOnly ?? false;
+		this.agent = new http.Agent({
+			keepAlive: true,
+			keepAliveMsecs: 6e4
+		});
+	}
+	async request(method, path, body, extraHeaders) {
+		const portAndToken = await resolvePortAndToken(this.useSocketOnly);
+		return new Promise((resolve, reject) => {
+			const headers = {
+				Host: LOCAL_API_HOST,
+				"Tailscale-Cap": String(CURRENT_CAP_VERSION),
+				...extraHeaders
+			};
+			if (portAndToken) headers["Authorization"] = `Basic ${Buffer.from(`:${portAndToken.token}`).toString("base64")}`;
+			const options = {
+				method,
+				path,
+				headers,
+				agent: this.agent
+			};
+			if (portAndToken) {
+				options.host = "127.0.0.1";
+				options.port = portAndToken.port;
+			} else options.socketPath = this.socketPath;
+			const req = http.request(options, (res) => {
+				const chunks = [];
+				res.on("data", (chunk) => chunks.push(chunk));
+				res.on("end", () => {
+					resolve({
+						status: res.statusCode ?? 0,
+						body: Buffer.concat(chunks),
+						headers: res.headers
+					});
+				});
+				res.on("error", reject);
+			});
+			req.on("error", reject);
+			if (body !== void 0) req.write(body);
+			req.end();
+		});
+	}
+	destroy() {
+		this.agent.destroy();
+	}
+};
+
+//#endregion
+//#region ts/src/types.ts
+const goSlice = (item) => z.array(item).nullish().transform((v) => v ?? []);
+const goMap = (val) => z.record(z.string(), val).nullish().transform((v) => v ?? {});
+const int64 = z.union([z.number().int(), z.bigint()]).transform((v) => BigInt(v));
+/**
+* Location represents geographical location data about a
+* Tailscale host. Location is optional and only set if
+* explicitly declared by a node.
+*/
+const LocationSchema = z.object({
+	Country: z.string().nullish(),
+	CountryCode: z.string().nullish(),
+	City: z.string().nullish(),
+	CityCode: z.string().nullish(),
+	Latitude: z.number().nullish(),
+	Longitude: z.number().nullish(),
+	Priority: int64.nullish()
+});
+/**
+* PeerStatus describes a peer node and its current state.
+* WARNING: The fields in PeerStatus are merged by the AddPeer method in the StatusBuilder.
+* When adding a new field to PeerStatus, you must update AddPeer to handle merging
+* the new field. The AddPeer function is responsible for combining multiple updates
+* to the same peer, and any new field that is not merged properly may lead to
+* inconsistencies or lost data in the peer status.
+*/
+const PeerStatusSchema = z.object({
+	ID: z.string().default(""),
+	PublicKey: z.string().default(""),
+	HostName: z.string().default(""),
+	DNSName: z.string().default(""),
+	OS: z.string().default(""),
+	UserID: int64.default(0n),
+	AltSharerUserID: int64.nullish(),
+	TailscaleIPs: goSlice(z.string()),
+	AllowedIPs: goSlice(z.string()),
+	Tags: goSlice(z.string()),
+	PrimaryRoutes: goSlice(z.string()),
+	Addrs: goSlice(z.string()),
+	CurAddr: z.string().default(""),
+	Relay: z.string().default(""),
+	PeerRelay: z.string().default(""),
+	RxBytes: int64.default(0n),
+	TxBytes: int64.default(0n),
+	Created: z.string().default(""),
+	LastWrite: z.string().default(""),
+	LastSeen: z.string().default(""),
+	LastHandshake: z.string().default(""),
+	Online: z.boolean().default(false),
+	ExitNode: z.boolean().default(false),
+	ExitNodeOption: z.boolean().default(false),
+	Active: z.boolean().default(false),
+	PeerAPIURL: goSlice(z.string()),
+	TaildropTarget: int64.default(0n),
+	NoFileSharingReason: z.string().default(""),
+	Capabilities: goSlice(z.string()),
+	CapMap: goMap(goSlice(z.unknown())),
+	sshHostKeys: goSlice(z.string()),
+	ShareeNode: z.boolean().nullish(),
+	InNetworkMap: z.boolean().default(false),
+	InMagicSock: z.boolean().default(false),
+	InEngine: z.boolean().default(false),
+	Expired: z.boolean().nullish(),
+	KeyExpiry: z.string().nullish(),
+	Location: LocationSchema.nullish()
+});
+/** ExitNodeStatus describes the current exit node. */
+const ExitNodeStatusSchema = z.object({
+	ID: z.string().default(""),
+	Online: z.boolean().default(false),
+	TailscaleIPs: goSlice(z.string())
+});
+/** TailnetStatus is information about a Tailscale network ("tailnet"). */
+const TailnetStatusSchema = z.object({
+	Name: z.string().default(""),
+	MagicDNSSuffix: z.string().default(""),
+	MagicDNSEnabled: z.boolean().default(false)
+});
+/**
+* A UserProfile is display-friendly data for a [User].
+* It includes the LoginName for display purposes but *not* the Provider.
+* It also includes derived data from one of the user's logins.
+*/
+const UserProfileSchema = z.object({
+	ID: int64.default(0n),
+	LoginName: z.string().default(""),
+	DisplayName: z.string().default(""),
+	ProfilePicURL: z.string().nullish()
+});
+/**
+* ClientVersion is information about the latest client version that's available
+* for the client (and whether they're already running it).
+* 
+* It does not include a URL to download the client, as that varies by platform.
+*/
+const ClientVersionSchema = z.object({
+	RunningLatest: z.boolean().nullish(),
+	LatestVersion: z.string().nullish(),
+	UrgentSecurityUpdate: z.boolean().nullish(),
+	Notify: z.boolean().nullish(),
+	NotifyURL: z.string().nullish(),
+	NotifyText: z.string().nullish()
+});
+/** Status represents the entire state of the IPN network. */
+const StatusSchema = z.object({
+	Version: z.string().default(""),
+	TUN: z.boolean().default(false),
+	BackendState: z.string().default(""),
+	HaveNodeKey: z.boolean().nullish(),
+	AuthURL: z.string().default(""),
+	TailscaleIPs: goSlice(z.string()),
+	Self: PeerStatusSchema.nullish(),
+	ExitNodeStatus: ExitNodeStatusSchema.nullish(),
+	Health: goSlice(z.string()),
+	MagicDNSSuffix: z.string().default(""),
+	CurrentTailnet: TailnetStatusSchema.nullish(),
+	CertDomains: goSlice(z.string()),
+	Peer: goMap(PeerStatusSchema),
+	User: goMap(UserProfileSchema),
+	ClientVersion: ClientVersionSchema.nullish()
+});
+/** Service represents a service running on a node. */
+const ServiceSchema = z.object({
+	Proto: z.string().default(""),
+	Port: z.number().default(0),
+	Description: z.string().nullish()
+});
+/** NetInfo contains information about the host's network state. */
+const NetInfoSchema = z.object({
+	MappingVariesByDestIP: z.boolean().nullish(),
+	WorkingIPv6: z.boolean().nullish(),
+	OSHasIPv6: z.boolean().nullish(),
+	WorkingUDP: z.boolean().nullish(),
+	WorkingICMPv4: z.boolean().nullish(),
+	HavePortMap: z.boolean().nullish(),
+	UPnP: z.boolean().nullish(),
+	PMP: z.boolean().nullish(),
+	PCP: z.boolean().nullish(),
+	PreferredDERP: int64.nullish(),
+	LinkType: z.string().nullish(),
+	DERPLatency: goMap(z.number()),
+	FirewallMode: z.string().nullish()
+});
+/**
+* TPMInfo contains information about a TPM 2.0 device present on a node.
+* All fields are read from TPM_CAP_TPM_PROPERTIES, see Part 2, section 6.13 of
+* https://trustedcomputinggroup.org/resource/tpm-library-specification/.
+*/
+const TPMInfoSchema = z.object({
+	Manufacturer: z.string().nullish(),
+	Vendor: z.string().nullish(),
+	Model: int64.nullish(),
+	FirmwareVersion: int64.nullish(),
+	SpecRevision: int64.nullish(),
+	FamilyIndicator: z.string().nullish()
+});
+/**
+* Hostinfo contains a summary of a Tailscale host.
+* 
+* Because it contains pointers (slices), this type should not be used
+* as a value type.
+*/
+const HostinfoSchema = z.object({
+	IPNVersion: z.string().nullish(),
+	FrontendLogID: z.string().nullish(),
+	BackendLogID: z.string().nullish(),
+	OS: z.string().nullish(),
+	OSVersion: z.string().nullish(),
+	Container: z.boolean().nullish(),
+	Env: z.string().nullish(),
+	Distro: z.string().nullish(),
+	DistroVersion: z.string().nullish(),
+	DistroCodeName: z.string().nullish(),
+	App: z.string().nullish(),
+	Desktop: z.boolean().nullish(),
+	Package: z.string().nullish(),
+	DeviceModel: z.string().nullish(),
+	PushDeviceToken: z.string().nullish(),
+	Hostname: z.string().nullish(),
+	ShieldsUp: z.boolean().nullish(),
+	ShareeNode: z.boolean().nullish(),
+	NoLogsNoSupport: z.boolean().nullish(),
+	WireIngress: z.boolean().nullish(),
+	IngressEnabled: z.boolean().nullish(),
+	AllowsUpdate: z.boolean().nullish(),
+	Machine: z.string().nullish(),
+	GoArch: z.string().nullish(),
+	GoArchVar: z.string().nullish(),
+	GoVersion: z.string().nullish(),
+	RoutableIPs: goSlice(z.string()),
+	RequestTags: goSlice(z.string()),
+	WoLMACs: goSlice(z.string()),
+	Services: goSlice(ServiceSchema),
+	NetInfo: NetInfoSchema.nullish(),
+	sshHostKeys: goSlice(z.string()),
+	Cloud: z.string().nullish(),
+	Userspace: z.boolean().nullish(),
+	UserspaceRouter: z.boolean().nullish(),
+	AppConnector: z.boolean().nullish(),
+	ServicesHash: z.string().nullish(),
+	ExitNodeID: z.string().nullish(),
+	Location: LocationSchema.nullish(),
+	TPM: TPMInfoSchema.nullish(),
+	StateEncrypted: z.boolean().nullish()
+});
+/** Resolver is the configuration for one DNS resolver. */
+const ResolverSchema = z.object({
+	Addr: z.string().nullish(),
+	BootstrapResolution: goSlice(z.string()),
+	UseWithExitNode: z.boolean().nullish()
+});
+/** Node is a Tailscale device in a tailnet. */
+const NodeSchema = z.object({
+	ID: int64.default(0n),
+	StableID: z.string().default(""),
+	Name: z.string().default(""),
+	User: int64.default(0n),
+	Sharer: int64.nullish(),
+	Key: z.string().default(""),
+	KeyExpiry: z.string().nullish(),
+	KeySignature: z.string().nullish(),
+	Machine: z.string().nullish(),
+	DiscoKey: z.string().nullish(),
+	Addresses: goSlice(z.string()),
+	AllowedIPs: goSlice(z.string()),
+	Endpoints: goSlice(z.string()),
+	DERP: z.string().nullish(),
+	HomeDERP: int64.nullish(),
+	Hostinfo: HostinfoSchema.nullish(),
+	Created: z.string().nullish(),
+	Cap: int64.nullish(),
+	Tags: goSlice(z.string()),
+	PrimaryRoutes: goSlice(z.string()),
+	LastSeen: z.string().nullish(),
+	Online: z.boolean().nullish(),
+	MachineAuthorized: z.boolean().nullish(),
+	Capabilities: goSlice(z.string()),
+	CapMap: goMap(goSlice(z.unknown())),
+	UnsignedPeerAPIOnly: z.boolean().nullish(),
+	ComputedName: z.string().nullish(),
+	ComputedNameWithHost: z.string().nullish(),
+	DataPlaneAuditLogID: z.string().nullish(),
+	Expired: z.boolean().nullish(),
+	SelfNodeV4MasqAddrForThisPeer: z.string().nullish(),
+	SelfNodeV6MasqAddrForThisPeer: z.string().nullish(),
+	IsWireGuardOnly: z.boolean().nullish(),
+	IsJailed: z.boolean().nullish(),
+	ExitNodeDNSResolvers: goSlice(ResolverSchema)
+});
+/**
+* TCPPortHandler describes what to do when handling a TCP
+* connection.
+*/
+const TCPPortHandlerSchema = z.object({
+	HTTPS: z.boolean().nullish(),
+	HTTP: z.boolean().nullish(),
+	TCPForward: z.string().nullish(),
+	TerminateTLS: z.string().nullish(),
+	ProxyProtocol: int64.nullish()
+});
+/** HTTPHandler is either a path or a proxy to serve. */
+const HTTPHandlerSchema = z.object({
+	Path: z.string().nullish(),
+	Proxy: z.string().nullish(),
+	Text: z.string().nullish(),
+	AcceptAppCaps: goSlice(z.string()),
+	Redirect: z.string().nullish()
+});
+/** WebServerConfig describes a web server's configuration. */
+const WebServerConfigSchema = z.object({ Handlers: goMap(HTTPHandlerSchema) });
+/**
+* ServiceConfig contains the config information for a single service.
+* it contains a bool to indicate if the service is in Tun mode (L3 forwarding).
+* If the service is not in Tun mode, the service is configured by the L4 forwarding
+* (TCP ports) and/or the L7 forwarding (http handlers) information.
+*/
+const ServiceConfigSchema = z.object({
+	TCP: goMap(TCPPortHandlerSchema),
+	Web: goMap(WebServerConfigSchema),
+	Tun: z.boolean().nullish()
+});
+const _ServeConfigRef = z.lazy(() => ServeConfigSchema);
+/**
+* ServeConfig is the JSON type stored in the StateStore for
+* StateKey "_serve/$PROFILE_ID" as returned by ServeConfigKey.
+*/
+const ServeConfigSchema = z.object({
+	TCP: goMap(TCPPortHandlerSchema),
+	Web: goMap(WebServerConfigSchema),
+	Services: goMap(ServiceConfigSchema),
+	AllowFunnel: goMap(z.boolean()),
+	Foreground: goMap(_ServeConfigRef)
+});
+/**
+* WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
+* In successful whois responses, Node and UserProfile are never nil.
+*/
+const WhoIsResponseSchema = z.object({
+	Node: NodeSchema.nullish(),
+	UserProfile: UserProfileSchema.nullish(),
+	CapMap: goMap(goSlice(z.unknown()))
+});
+/** Alias for TailnetStatus for backward compatibility. */
+const CurrentTailnetSchema = z.object({
+	Name: z.string(),
+	MagicDNSSuffix: z.string(),
+	MagicDNSEnabled: z.boolean()
+});
+
+//#endregion
+//#region ts/src/client.ts
+/**
+* Client for the Tailscale Local API.
+*
+* Connections are reused via HTTP keep-alive.
+*/
+var LocalClient = class {
+	transport;
+	constructor(opts = {}) {
+		this.transport = new Transport(opts);
+	}
+	async doRequest(method, path, body, headers) {
+		try {
+			return await this.transport.request(method, path, body, headers);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			if (msg.includes("ECONNREFUSED") || msg.includes("ENOENT")) throw new DaemonNotRunningError(msg);
+			throw new ConnectionError(msg);
+		}
+	}
+	async doRequestNice(method, path, body, headers) {
+		const resp = await this.doRequest(method, path, body, headers);
+		if (resp.status >= 200 && resp.status < 300) return resp.body;
+		const bodyStr = resp.body.toString("utf-8");
+		const msg = errorMessageFromBody(bodyStr) ?? bodyStr;
+		if (resp.status === 403) throw new AccessDeniedError(msg);
+		if (resp.status === 412) throw new PreconditionsFailedError(msg);
+		throw new HttpError(resp.status, msg);
+	}
+	async get200(path) {
+		return this.doRequestNice("GET", path);
+	}
+	async post200(path, body) {
+		return this.doRequestNice("POST", path, body);
+	}
+	/** Get the current tailscaled status. */
+	async status() {
+		const data = await this.get200("/localapi/v0/status");
+		return StatusSchema.parse(parseJSON(data.toString("utf-8")));
+	}
+	/** Get the current tailscaled status without peer information. */
+	async statusWithoutPeers() {
+		const data = await this.get200("/localapi/v0/status?peers=false");
+		return StatusSchema.parse(parseJSON(data.toString("utf-8")));
+	}
+	async doWhoIs(params) {
+		const resp = await this.doRequest("GET", `/localapi/v0/whois?${params}`);
+		if (resp.status === 404) throw new PeerNotFoundError(params);
+		if (resp.status !== 200) {
+			const bodyStr = resp.body.toString("utf-8");
+			const msg = errorMessageFromBody(bodyStr) ?? bodyStr;
+			if (resp.status === 403) throw new AccessDeniedError(msg);
+			throw new HttpError(resp.status, msg);
+		}
+		return WhoIsResponseSchema.parse(parseJSON(resp.body.toString("utf-8")));
+	}
+	/** Look up the owner of an IP address or IP:port. */
+	async whoIs(remoteAddr) {
+		return this.doWhoIs(`addr=${encodeURIComponent(remoteAddr)}`);
+	}
+	/** Look up a peer by node key. */
+	async whoIsNodeKey(nodeKey) {
+		return this.whoIs(nodeKey);
+	}
+	/** Look up the owner of an IP address with a specific protocol ("tcp" or "udp"). */
+	async whoIsProto(proto, remoteAddr) {
+		return this.doWhoIs(`proto=${encodeURIComponent(proto)}&addr=${encodeURIComponent(remoteAddr)}`);
+	}
+	/** Get a TLS certificate and private key for the given domain. */
+	async certPair(domain) {
+		return this.certPairWithValidity(domain, 0);
+	}
+	/** Get a TLS certificate with minimum validity duration (in seconds). */
+	async certPairWithValidity(domain, minValiditySecs) {
+		const body = await this.get200(`/localapi/v0/cert/${encodeURIComponent(domain)}?type=pair&min_validity=${minValiditySecs}s`);
+		const delimiter = Buffer.from("--\n--");
+		const pos = body.indexOf(delimiter);
+		if (pos === -1) throw new Error("unexpected cert response: no delimiter");
+		const split = pos + 3;
+		const key = body.subarray(0, split);
+		return {
+			cert: body.subarray(split),
+			key
+		};
+	}
+	/**
+	* Get the current serve configuration.
+	*
+	* The returned ServeConfig has its ETag field populated from the
+	* HTTP Etag response header.
+	*/
+	async getServeConfig() {
+		const resp = await this.doRequest("GET", "/localapi/v0/serve-config");
+		if (resp.status !== 200) {
+			const bodyStr = resp.body.toString("utf-8");
+			const msg = errorMessageFromBody(bodyStr) ?? bodyStr;
+			if (resp.status === 403) throw new AccessDeniedError(msg);
+			if (resp.status === 412) throw new PreconditionsFailedError(msg);
+			throw new HttpError(resp.status, msg);
+		}
+		const config = ServeConfigSchema.parse(parseJSON(resp.body.toString("utf-8")));
+		config.ETag = resp.headers["etag"] ?? "";
+		return config;
+	}
+	/**
+	* Set the serve configuration.
+	*
+	* The ETag field on the config is sent as the If-Match header
+	* for conditional updates.
+	*/
+	async setServeConfig(config) {
+		const headers = {};
+		if (config.ETag) headers["If-Match"] = config.ETag;
+		const body = JSON.stringify(config, jsonReplacer);
+		await this.doRequestNice("POST", "/localapi/v0/serve-config", body, headers);
+	}
+	/** Close the underlying transport and release resources. */
+	destroy() {
+		this.transport.destroy();
+	}
+};
+
+//#endregion
+export { AccessDeniedError, ClientVersionSchema, ConnectionError, CurrentTailnetSchema, DaemonNotRunningError, HttpError, LocalClient, PeerNotFoundError, PeerStatusSchema, PreconditionsFailedError, ServeConfigSchema, StatusSchema, TailnetStatusSchema, TailscaleError, UserProfileSchema, WhoIsResponseSchema };
+//# sourceMappingURL=index.mjs.map