Files
punktfunk/sdk/src/config.ts
T
enricobuehler 87114ab186
apple / swift (push) Successful in 1m15s
apple / screenshots (push) Successful in 4m21s
ci / web (push) Successful in 52s
ci / docs-site (push) Successful in 1m0s
android / android (push) Has been cancelled
arch / build-publish (push) Has been cancelled
ci / rust (push) Has been cancelled
ci / bench (push) Has been cancelled
deb / build-publish (push) Has been cancelled
decky / build-publish (push) Has been cancelled
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 18s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 15s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 14s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 16s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 13s
rpm / build-publish (44, fedora-44, punktfunk-fedora44-rpm) (push) Successful in 14m56s
rpm / build-publish (43, bazzite, punktfunk-fedora-rpm) (push) Successful in 19m42s
docker / deploy-docs (push) Successful in 26s
feat(sdk): @punktfunk/host — the Effect TypeScript SDK (M3)
New top-level sdk/ package (RFC §7): a typed management-API client plus
the lifecycle event stream, built on Effect, two surfaces over one core:

- @punktfunk/host — the Promise facade front door: connect() resolves
  URL/token/TLS pin from the host's own files (zero config on the box),
  fails fast on bad credentials, pf.events.on() with typed callbacks
  (exact kinds, domain.* prefixes, "*", "dropped", "unknown"),
  pf.request() for the REST surface. Effect never required.
- @punktfunk/host/effect — the PunktfunkHost service + PunktfunkHostLive
  layer, Stream-based events()/eventsRaw(), typed errors
  (AuthError | ApiError | TransportError | VersionSkew — a 2xx that
  fails its schema is a typed skew, not undefined later), and every
  wire shape as an effect/Schema: REST generated via orval
  client:'effect' from api/openapi.json (S3 spike: works well; the
  text/event-stream payload is out of its reach), events hand-mirrored
  from the host's snapshot-tested wire format as a kind-discriminated
  union.

One reconnecting SSE core under both surfaces: spec-shaped parser,
exponential+jittered backoff (capped, resets after a healthy
connection), Last-Event-ID resume, 401 terminal. Default is LIVE tail
only — a fresh notify script must not re-fire on the host's replayed
ring (since: 0 opts into full replay).

TLS: the pin trusts exactly the host's self-signed identity cert
(chain-verified; hostname check waived — the cert is deliberately
CN-only for fingerprint pinning). Bun via fetch tls, Node via an undici
dispatcher (optionalDependency).

definePlugin() accepts both main shapes (async fn | Effect requiring
PunktfunkHost). Examples in both styles; README carries the compat
contract + systemd/Task Scheduler templates.

11 bun tests green (wire decode against the Rust snapshot strings,
SSE parser/reconnect/Last-Event-ID/401, both surfaces vs a mock host).
Live-verified against a real host on Bun AND Node through the pinned
loopback hop: connect → REST mutate → live event received → resume
cursor advanced; a wrong CA is rejected. npm publish + CI wiring
deferred (npm org = RFC open question 1).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-17 00:14:39 +02:00

129 lines
4.8 KiB
TypeScript

// Connection resolution (RFC §7): loopback URL + bearer token + the host's self-signed
// identity cert, from the environment with file fallbacks — so `connect()` on the host machine
// needs zero configuration.
//
// PUNKTFUNK_MGMT_URL (default https://127.0.0.1:47990)
// PUNKTFUNK_MGMT_TOKEN (else <config_dir>/mgmt-token)
// PUNKTFUNK_MGMT_CA (path; else <config_dir>/cert.pem when present)
//
// The CA is the host's own identity certificate — trusting exactly it (not the system roots)
// IS the pin for the loopback hop. Per-runtime plumbing differs: Bun takes `tls.ca` on fetch,
// Node (undici) takes a dispatcher with a CA-carrying TLS connector; anything else falls back
// to plain fetch (document PUNKTFUNK_MGMT_CA + NODE_EXTRA_CA_CERTS there).
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
export interface ConnectOptions {
/** Management API base URL (default `https://127.0.0.1:47990`). */
url?: string;
/** Bearer token (default: `PUNKTFUNK_MGMT_TOKEN`, else the host's `mgmt-token` file). */
token?: string;
/** PEM of the CA to trust — the host's identity cert (default: `PUNKTFUNK_MGMT_CA`, else `cert.pem`). */
ca?: string;
}
export interface ResolvedConfig {
url: string;
token: string;
ca?: string;
/** A fetch honoring `ca` on this runtime. */
fetch: typeof fetch;
}
/** The host's config dir — the same resolution the host itself uses. */
export const configDir = (): string => {
const explicit = process.env.PUNKTFUNK_CONFIG_DIR;
if (explicit) return explicit;
if (process.platform === "win32") {
const base = process.env.ProgramData ?? process.env.APPDATA ?? ".";
return path.join(base, "punktfunk");
}
const base =
process.env.XDG_CONFIG_HOME ?? path.join(os.homedir(), ".config");
return path.join(base, "punktfunk");
};
const readIfExists = (p: string): string | undefined => {
try {
return fs.readFileSync(p, "utf8");
} catch {
return undefined;
}
};
/** First token-looking line of the mgmt-token file (tolerates `TOKEN=`-style and blank lines). */
const parseTokenFile = (raw: string): string | undefined => {
for (const line of raw.split(/\r?\n/)) {
const t = line.trim();
if (t.length === 0 || t.startsWith("#")) continue;
return t.includes("=") ? t.slice(t.indexOf("=") + 1).trim() : t;
}
return undefined;
};
export const resolveConfig = async (
options?: ConnectOptions,
): Promise<ResolvedConfig> => {
const url = (
options?.url ??
process.env.PUNKTFUNK_MGMT_URL ??
"https://127.0.0.1:47990"
).replace(/\/+$/, "");
const token =
options?.token ??
process.env.PUNKTFUNK_MGMT_TOKEN ??
parseTokenFile(readIfExists(path.join(configDir(), "mgmt-token")) ?? "");
if (!token) {
throw new Error(
"no management token: set PUNKTFUNK_MGMT_TOKEN, pass { token }, or run where " +
`the host's token file exists (${path.join(configDir(), "mgmt-token")})`,
);
}
const caPath = process.env.PUNKTFUNK_MGMT_CA;
const ca =
options?.ca ??
(caPath ? readIfExists(caPath) : undefined) ??
(url.startsWith("https://")
? readIfExists(path.join(configDir(), "cert.pem"))
: undefined);
return { url, token, ca, fetch: await makeFetch(ca) };
};
/**
* A fetch that PINS `ca` — the host's self-signed identity cert — on this runtime.
*
* The pin is chain verification against exactly that certificate (nothing else can pass),
* with the HOSTNAME check waived: the host identity cert is deliberately CN-only/no-SAN
* (native clients pin its fingerprint; see `web/nitro-entry/bun-https.mjs` for the same
* finding), so standard SAN matching would always fail — and it adds nothing when the chain
* already admits only the one pinned cert.
*/
const makeFetch = async (ca: string | undefined): Promise<typeof fetch> => {
if (!ca) return fetch;
const skipHostname = { checkServerIdentity: () => undefined };
// Bun: fetch takes node-compatible `tls` options.
if (typeof (globalThis as Record<string, unknown>).Bun !== "undefined") {
return ((input: Parameters<typeof fetch>[0], init?: RequestInit) =>
fetch(input, {
...init,
tls: { ca, ...skipHostname },
} as RequestInit)) as typeof fetch;
}
// Node: global fetch is undici — a per-request dispatcher carries the pin.
try {
// Optional dependency — declared in package.json optionalDependencies; absent on
// runtimes that don't need it (the catch below falls back).
const { Agent } = (await import("undici" as string)) as {
Agent: new (opts: unknown) => unknown;
};
const dispatcher = new Agent({ connect: { ca, ...skipHostname } });
return ((input: Parameters<typeof fetch>[0], init?: RequestInit) =>
fetch(input, { ...init, dispatcher } as RequestInit)) as typeof fetch;
} catch {
// Unknown runtime: plain fetch (system trust) — PUNKTFUNK_MGMT_CA via the runtime's
// own CA mechanism (e.g. NODE_EXTRA_CA_CERTS / --cert) is the documented fallback.
return fetch;
}
};