chore: auto-commit (1 archivos)

- build/ Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merge branch 'issue/room-history-endpoint'
2026-06-14 23:55:18 +02:00 · 2026-06-14 19:47:05 +02:00 · 2026-06-14 19:46:56 +02:00 · 2026-06-14 19:46:56 +02:00 · 2026-06-14 19:46:45 +02:00 · 2026-06-14 16:05:06 +02:00
31188 changed files with 2032027 additions and 3701 deletions
@@ -2,7 +2,7 @@
 name: unibus
 lang: go
 domain: infra
-version: 0.10.0
+version: 0.16.0
 description: "Bus de mensajería unificado sobre NATS+JetStream con cifrado E2E por room (megolm/olm reducido): service de membresía/claves, librería cliente y peers demo."
 tags: [service, messaging, nats, e2e]
 uses_functions:
@@ -158,6 +158,62 @@ Para apuntar a un NATS externo en producción: `--nats-url nats://host:4222` en
  `cybersecurity` del registry compila limpio con `CGO_ENABLED=0`. NO requiere
  `fts5` ni `gcc`.
 ## Directorio de nombres (endpoint → handle)
 Cada frame del bus lleva el **endpoint id** del remitente
 (`base64url(sha256(signPub))`, sin padding — `frame.EndpointID`), no un nombre
 legible. Para que un cliente muestre nombres en vez de hashes, el control-plane
 expone la ruta del directorio. La SPA la llama como `GET /api/directory`, pero
 Caddy hace `handle_path /api/*` y **stripea `/api`** antes de reenviar a
 `membershipd`, así que el servidor la registra (como todas las rutas del
 control-plane) SIN el prefijo: `GET /directory`:
 - **Auth:** el mismo middleware de firma que el resto del control-plane
  (cabeceras `X-Unibus-Pub/Ts/Nonce/Sig` sobre `CanonicalRequest`). NO es
  admin-only: cualquier usuario activo del bus (member o admin) puede leerlo. En
  modo `enforce`, una request sin firmar recibe 401 antes de llegar al handler.
 - **Respuesta** `{ "members": [ { "sign_pub", "endpoint", "handle", "role" } ] }`,
  solo usuarios `status=active`. El `endpoint` lo computa el servidor desde el
  `sign_pub` con la misma derivación que el bus, así que casa byte a byte con el
  sender id que el cliente ya tiene en cada mensaje.
 - CORS: cubierto por la allowlist `--cors-origins` existente (mismas cabeceras
  que el resto de rutas, sin caso especial).
 ## Provisioning de bots / unibots
 Dar de alta una identidad para un proceso automatizado es **un solo comando**.
 Antes había que derivar un keypair a mano y pasar el `sign_pub` a `user add`;
 ahora `bot add` lo hace todo: mintea una identidad de bus fresca (Ed25519 +
 X25519, la misma derivación `cs.GenerateIdentity` que usan `worker`/`chat`),
 registra su `sign_pub` en el allowlist con `handle` y `role`, y escribe las
 credenciales a un fichero 0600 que el proceso lee para conectar.
 ```bash
 # 1. Provisionar el bot (store sqlite local; usa --store kv contra un cluster vivo).
 membershipd bot add --handle notifier --out ./local_files/notifier.id
 #   provisioned bot "notifier" role=member
 #     sign_pub:    97d5a903...b1d4
 #     endpoint:    HU85l2onjrK4EoTLoBfJVkGEXMw9LAjNEjPWiDS8YwM
 #     credentials: ./local_files/notifier.id (0600)
 # 2. El proceso arranca como ese usuario leyendo el --out (formato canónico
 #    pkg/client.LoadIdentity, sin conversión): el worker demo lo consume directo.
 worker --id-file ./local_files/notifier.id --nats-url nats://127.0.0.1:4250 \
       --ctrl-url http://127.0.0.1:8470
 # 3. (opcional) Verlo en el directorio / en user list.
 membershipd user list
 ```
 Las credenciales (`--out`) quedan en el fichero indicado, con permisos 0600. Es
 el secreto del bot: contiene las claves privadas, trátalo como una clave SSH
 (ver Gotcha "Identidad = secreto crítico"). `bot add` rehúsa sobrescribir un
 `--out` existente, y registra al usuario ANTES de escribir el fichero, de modo
 que un fallo nunca deja un bot a medias.
 Flags: `--handle` y `--out` obligatorios; `--role admin|member` (default member);
 `--store sqlite|kv` y el resto de flags de conexión idénticos a `user add`.
 ## Convención de subjects
 ```
@@ -169,6 +225,82 @@ agent.<nombre>.{in,out}   inbox/outbox de agente LLM (agent.scout.in)
 ## Capability growth log
 - v0.16.0 (2026-06-14) — feat: el server asegura el stream JetStream de las rooms
  persist + `GET /rooms/{id}/history` para que clientes sin JetStream (uniweb) lean
  el histórico. (1) `handleCreateRoom` crea (idempotente, `CreateOrUpdateStream`) el
  stream durable `UNIBUS_<roomID>` de una room persist ANTES de responder, así su
  subject se captura desde el minuto cero venga el mensaje de un cliente Go o de un
  cliente browser que solo habla core NATS (antes el stream lo creaba solo el cliente
  Go, así que los mensajes de uniweb se perdían). (2) Nuevo endpoint member-only
  `GET /rooms/{id}/history?limit=N` (default 200, cap 1000): lee el stream
  server-side y devuelve `{messages:[<base64-std del frame marshalado>]}` en orden
  oldest→newest; el server jamás descifra (relay del ciphertext E2E). Backfill de
  rooms persist existentes: lazy-ensure del stream en el endpoint (empiezan a
  capturar desde ahora; los mensajes previos al stream no son recuperables). El
  control plane abre ahora su propio contexto JetStream también en single-node
  embebido. Todo aditivo; build/vet/test verdes.
 - v0.15.1 (2026-06-14) — fix: la ruta del directorio se registraba con prefijo /api y Caddy lo stripeaba (404 en prod); corregida a /directory.
 - v0.15.0 (2026-06-14) — nombres legibles + provisioning de bots de un comando.
  (1) Nuevo `GET /api/directory` en el control-plane: cualquier usuario activo del
  bus (member o admin), autenticado con la misma firma Ed25519 que el resto de
  rutas, resuelve endpoint id → handle. Devuelve `{members:[{sign_pub, endpoint,
  handle, role}]}` solo de usuarios activos; el endpoint lo deriva el servidor con
  `frame.EndpointID`, casando byte a byte con el sender id de cada frame (paridad
  verificada contra el vector de `cmd/busvectors`). (2) Nuevo `membershipd bot add
  --handle <name> --out <path> [--role] [--store]`: mintea identidad, la registra en
  el allowlist y escribe credenciales 0600 en formato `client.LoadIdentity`, de modo
  que un proceso (worker/clientcheck) conecta como ese usuario sin pasos manuales.
  Nuevo helper exportado `pkg/client.WriteNewIdentity` (no sobrescribe ficheros
  existentes). Todo aditivo; build/vet/test verdes.
 - v0.14.0 (2026-06-13) — prep para el cliente browser-nativo `uniweb` (issue
  uniweb/0001, Fase 0), todo aditivo y opt-in: (1) el nats-server embebido puede
  exponer un listener WebSocket (`WebsocketConfig`) para que un navegador hable el
  protocolo NATS via `nats.ws`, igual que los peers TCP nativos; el authenticator
  nkey aplica también al WebSocket. (2) El control-plane (`membershipd`) gana una
  allowlist CORS opt-in (`--cors-origins`) para aceptar llamadas cross-origin del
  navegador; vacía = CORS off, sin cambios para clientes nativos. (3) `cmd/busvectors`
  genera vectores de test deterministas (endpoint id, firma Ed25519, AEAD
  ChaCha20-Poly1305, sealed-box, wire del Frame) como contrato de paridad para el
  port TypeScript. Peers Go/Kotlin existentes sin cambios; build/vet/test verdes.
 - v0.13.0 (2026-06-13) — el frontend web se separa a su propia app `uniweb`
  (`projects/message_bus/apps/uniweb`, sub-repo Gitea propio). unibus deja de
  contener la SPA (`web/`) y el gateway web (`cmd/webgw`): ahora es estrictamente
  el plano del bus (membresía/claves, librería cliente y peers demo). `uniweb`
  consume unibus como módulo Go via `replace github.com/enmanuel/unibus =>
  ../unibus`, importando `pkg/{busauth,client,frame,room}`, y mantiene su propio
  `replace fn-registry` para las primitivas de cybersecurity. Movimiento sin
  pérdida de capacidad: la misma SPA y el mismo gateway, solo que en su carpeta
  de servicio propia. unibus build/vet/test verdes tras la extracción.
 - v0.12.0 (2026-06-13) — frontend web wallet por usuario integrado a master. La
  SPA gana un onboarding criptográfico: cada usuario deriva su identidad de forma
  determinista desde una mnemónica BIP39 de 12 palabras (esquema HKDF →
  Ed25519/X25519), cifrada at-rest en el dispositivo con AES-256-GCM, con caminos
  join (invitación) / login (passphrase local) / recover (re-derivación en
  dispositivo nuevo, sin admin). El gateway `cmd/webgw` (REST + SSE) pasa de
  identidad única de operador a sesiones wallet por usuario con registro por
  token de invitación. Integra `quick/web-join` sobre el master 0.11.0
  (auto-merge de `embeddednats.go` sin conflictos; Go build/vet/test y
  `pnpm build` verdes).
 - v0.11.0 (2026-06-07) — flag dedicado `UNIBUS_NATS_MONITOR` que abre el endpoint
  de monitoring HTTP del nats-server embebido (`127.0.0.1:8222`, loopback only) de
  forma DESACOPLADA del debug-log. Antes el monitoring solo se abría con
  `UNIBUS_NATS_DEBUG=1`, que además encendía el log verboso del nats-server
  (rutas/RAFT/subjects a journald en claro) — incompatible con el endurecimiento
  del issue 0007. El cómputo de los toggles se extrae a una función pura
  `natsLogOpts(debugEnv, monitorEnv) (noLog, debug, trace, monitor)`: `MONITOR=1`
  abre el endpoint dejando el log en silencio (`NoLog` true / `Debug` false), y se
  mantiene el acoplamiento inverso por compatibilidad (`DEBUG` sigue implicando
  `MONITOR`). El bind loopback `127.0.0.1` queda hardcoded — el monitoring NUNCA es
  público y no lleva auth; lo lee un scraper local que empuja a VictoriaMetrics
  (dashboard `unibus-nats` en `fleet_monitoring`). Se versiona el cableado de
  deploy: drop-in systemd aditivo `membershipd-cluster.service.d/nats-monitor.conf`
  (`Environment=UNIBUS_NATS_MONITOR=1`) + sección "NATS server metrics" en el
  README del cluster con el runbook de activación rolling (magnus→homer→datardos)
  y gate de reconvergencia R3 (`followers 2/2`) entre nodos. Tests nuevos: tabla
  pura del desacoplamiento (monitor on ⇒ log NO debug; debug ⇒ monitor; default
  cerrado) + server real con `MONITOR=1` que confirma `/varz` 200 en loopback:8222
  y server sin flag con el endpoint cerrado. Cambios 100% aditivos: sin el flag el
  comportamiento es idéntico; build/test verdes.
 - v0.10.0 (2026-06-07) — API HTTP admin-only de gestión de usuarios, cerrando la
  última asimetría del control plane: las rooms tenían superficie HTTP firmada
  (`POST /rooms`, etc.) pero los users solo se gestionaban por CLI local o acceso
@@ -0,0 +1,281 @@
 // Command busvectors emits deterministic cross-language test vectors for the bus
 // protocol and its end-to-end crypto. The browser-native client (uniweb) ports the
 // protocol to TypeScript; these vectors are the contract that proves the port is
 // byte-for-byte compatible with this Go reference implementation (issue
 // uniweb/0001, Phase 0).
 //
 // Every input is fixed (hardcoded key material and messages) so the output is
 // stable across runs and can be committed as a golden file. The crypto primitives
 // are the SAME registry functions the bus uses (functions/cybersecurity), so the
 // vectors exercise the real path, not a test-only reimplementation.
 //
 // Coverage:
 //   - endpoint_id : EndpointID(signPub) = base64url(sha256(signPub))
 //   - sign        : Ed25519 signature over a fixed message (deterministic)
 //   - aead        : ChaCha20-Poly1305 seal with a FIXED nonce (deterministic, so
 //                   the TS port must reproduce the same ciphertext AND open it)
 //   - keybox      : sealed-box (X25519) of a room key for a recipient; the TS port
 //                   must OPEN it (the ephemeral sender key is random, so only the
 //                   open direction is a stable vector — the TS->Go seal direction
 //                   is covered by the live E2E test in Phase 3)
 //   - frame       : canonical JSON wire bytes of a Frame, and its SigningBytes
 //
 // Usage:
 //
 //	go run ./cmd/busvectors > ../uniweb/web/src/bus/testdata/vectors.json
 package main
 import (
 	"crypto/ed25519"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"os"
 	cs "fn-registry/functions/cybersecurity"
 	"github.com/enmanuel/unibus/pkg/busauth"
 	"github.com/enmanuel/unibus/pkg/frame"
 	"github.com/enmanuel/unibus/pkg/membership"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/curve25519"
 )
 // Fixed key material. The bytes are arbitrary but stable: the point is a golden
 // file, not secrecy (these are test vectors, never real identities).
 var (
 	signSeed         = mustHex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
 	kexPriv          = mustHex("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f")
 	recipientKexPriv = mustHex("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f")
 	aeadKey          = mustHex("606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f")
 	aeadNonce        = mustHex("808182838485868788898a8b") // 12 bytes (ChaCha20-Poly1305 IETF)
 	roomKey          = mustHex("a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf")
 	signMessage      = []byte("unibus parity vector message")
 	aeadAAD          = []byte("unibus-room-42")
 	aeadPlaintext    = []byte("hello from the bus")
 )
 // vectors is the JSON document consumed by the TypeScript parity tests. Every field
 // is hex except the frame wire bytes, which are base64 (the frame is JSON, so the
 // TS side compares the exact UTF-8 bytes).
 type vectors struct {
 	Note     string             `json:"note"`
 	Endpoint endpointVector     `json:"endpoint_id"`
 	Nkey     nkeyVector         `json:"nkey"`
 	Sign     signVector         `json:"sign"`
 	AEAD     aeadVector         `json:"aead"`
 	KeyBox   keyboxVector       `json:"keybox"`
 	Frame    frameVector        `json:"frame"`
 	CtrlReq  controlReqVector   `json:"control_request"`
 }
 type endpointVector struct {
 	SignPubHex string `json:"sign_pub_hex"`
 	EndpointID string `json:"endpoint_id"` // base64url(sha256(sign_pub)), unpadded
 }
 type nkeyVector struct {
 	SignPubHex string `json:"sign_pub_hex"`
 	NkeyPublic string `json:"nkey_public"` // NATS user nkey ("U...") from the Ed25519 pubkey
 }
 type controlReqVector struct {
 	Method       string `json:"method"`
 	Path         string `json:"path"`
 	Ts           string `json:"ts"`
 	Nonce        string `json:"nonce"`
 	BodyHex      string `json:"body_hex"`       // raw request body (empty for GET)
 	CanonicalHex string `json:"canonical_hex"`  // bytes that get signed
 	SigHex       string `json:"sig_hex"`        // Ed25519 over canonical, by the signer below
 	SignPrivHex  string `json:"sign_priv_hex"`
 }
 type signVector struct {
 	SignPrivHex string `json:"sign_priv_hex"`
 	SignPubHex  string `json:"sign_pub_hex"`
 	MessageHex  string `json:"message_hex"`
 	SigHex      string `json:"sig_hex"`
 }
 type aeadVector struct {
 	KeyHex        string `json:"key_hex"`
 	NonceHex      string `json:"nonce_hex"`
 	AADHex        string `json:"aad_hex"`
 	PlaintextHex  string `json:"plaintext_hex"`
 	CiphertextHex string `json:"ciphertext_hex"` // includes the 16-byte Poly1305 tag
 }
 type keyboxVector struct {
 	RecipientKexPubHex  string `json:"recipient_kex_pub_hex"`
 	RecipientKexPrivHex string `json:"recipient_kex_priv_hex"`
 	SecretHex           string `json:"secret_hex"`
 	SealedHex           string `json:"sealed_hex"`
 }
 type frameVector struct {
 	// The source fields, so the TS side can build the same Frame and compare.
 	Type         int    `json:"type"`
 	Subject      string `json:"subject"`
 	Sender       string `json:"sender"`
 	MsgID        string `json:"msg_id"`
 	Epoch        int    `json:"epoch"`
 	NonceHex     string `json:"nonce_hex"`
 	PayloadHex   string `json:"payload_hex"`
 	WireB64      string `json:"wire_b64"`         // base64(Marshal()) — full frame incl. sig
 	SigningB64   string `json:"signing_bytes_b64"` // base64(SigningBytes()) — what gets signed
 	SigHex       string `json:"sig_hex"`           // Ed25519 over SigningBytes
 }
 func main() {
 	if err := run(os.Stdout); err != nil {
 		fmt.Fprintln(os.Stderr, "busvectors:", err)
 		os.Exit(1)
 	}
 }
 func run(out *os.File) error {
 	// Identity from the fixed seed: Go's ed25519 private key layout is seed||pub, the
 	// same 64-byte layout cs.Identity and the TS wallet use.
 	signPriv := ed25519.NewKeyFromSeed(signSeed)
 	signPub := signPriv.Public().(ed25519.PublicKey)
 	// X25519 public keys from the fixed private scalars (curve25519 clamps internally,
 	// matching @noble/curves x25519.getPublicKey).
 	kexPub, err := curve25519.X25519(kexPriv, curve25519.Basepoint)
 	if err != nil {
 		return fmt.Errorf("kex pub: %w", err)
 	}
 	recipientKexPub, err := curve25519.X25519(recipientKexPriv, curve25519.Basepoint)
 	if err != nil {
 		return fmt.Errorf("recipient kex pub: %w", err)
 	}
 	// AEAD with a FIXED nonce so the vector is deterministic. This is the same cipher
 	// (ChaCha20-Poly1305 IETF, 12-byte nonce) that cs.SealAEAD uses; we set the nonce
 	// explicitly only to make the vector reproducible. OpenAEAD verifies round-trip.
 	aead, err := chacha20poly1305.New(aeadKey)
 	if err != nil {
 		return fmt.Errorf("aead cipher: %w", err)
 	}
 	ciphertext := aead.Seal(nil, aeadNonce, aeadPlaintext, aeadAAD)
 	if _, err := cs.OpenAEAD(aeadKey, aeadNonce, ciphertext, aeadAAD); err != nil {
 		return fmt.Errorf("aead self-check: %w", err)
 	}
 	// Sealed box of the room key for the recipient. The sender's ephemeral key is
 	// random (anonymous sealed box), so SealedHex changes per run; the stable, useful
 	// assertion for the TS port is that OpenKeyBox recovers the secret, which we
 	// self-check here. The TS test opens SealedHex and compares to SecretHex.
 	sealed, err := cs.SealKeyBox(recipientKexPub, roomKey)
 	if err != nil {
 		return fmt.Errorf("seal keybox: %w", err)
 	}
 	if got, err := cs.OpenKeyBox(recipientKexPub, recipientKexPriv, sealed); err != nil || hex.EncodeToString(got) != hex.EncodeToString(roomKey) {
 		return fmt.Errorf("keybox self-check failed: %v", err)
 	}
 	// A representative encrypted-room frame, signed end-to-end.
 	f := frame.Frame{
 		Type:    frame.PUB,
 		Subject: "room.parity",
 		Sender:  frame.EndpointID(signPub),
 		MsgID:   "01HZY0VECTORFIXEDULID0001",
 		Epoch:   1,
 		Nonce:   aeadNonce,
 		Payload: ciphertext,
 	}
 	f.Sig = ed25519.Sign(signPriv, f.SigningBytes())
 	wire, err := f.Marshal()
 	if err != nil {
 		return fmt.Errorf("marshal frame: %w", err)
 	}
 	// NATS user nkey derived from the Ed25519 public key (the browser must produce
 	// the same "U..." string to authenticate on the data plane).
 	nkeyPub, err := busauth.NkeyPublicFromSignPub(signPub)
 	if err != nil {
 		return fmt.Errorf("nkey public: %w", err)
 	}
 	// A signed control-plane request vector: the browser signs CanonicalRequest the
 	// same way to authenticate every HTTP call to membershipd. A POST with a body
 	// exercises the sha256(body) term.
 	const ctrlMethod = "POST"
 	const ctrlPath = "/rooms"
 	const ctrlTs = "1700000000"
 	const ctrlNonce = "Zm9vYmFyMTIzNDU2Nzg5MA=="
 	ctrlBody := []byte(`{"subject":"room.parity"}`)
 	canonical := membership.CanonicalRequest(ctrlMethod, ctrlPath, ctrlTs, ctrlNonce, ctrlBody)
 	ctrlSig := ed25519.Sign(signPriv, canonical)
 	v := vectors{
 		Note: "Deterministic cross-language vectors for the unibus protocol. Generated by " +
 			"cmd/busvectors in the unibus repo; regenerate with `go run ./cmd/busvectors`. " +
 			"sealed_hex varies per run (anonymous sealed box); assert via OpenKeyBox.",
 		Endpoint: endpointVector{
 			SignPubHex: hex.EncodeToString(signPub),
 			EndpointID: frame.EndpointID(signPub),
 		},
 		Nkey: nkeyVector{
 			SignPubHex: hex.EncodeToString(signPub),
 			NkeyPublic: nkeyPub,
 		},
 		Sign: signVector{
 			SignPrivHex: hex.EncodeToString(signPriv),
 			SignPubHex:  hex.EncodeToString(signPub),
 			MessageHex:  hex.EncodeToString(signMessage),
 			SigHex:      hex.EncodeToString(ed25519.Sign(signPriv, signMessage)),
 		},
 		AEAD: aeadVector{
 			KeyHex:        hex.EncodeToString(aeadKey),
 			NonceHex:      hex.EncodeToString(aeadNonce),
 			AADHex:        hex.EncodeToString(aeadAAD),
 			PlaintextHex:  hex.EncodeToString(aeadPlaintext),
 			CiphertextHex: hex.EncodeToString(ciphertext),
 		},
 		KeyBox: keyboxVector{
 			RecipientKexPubHex:  hex.EncodeToString(recipientKexPub),
 			RecipientKexPrivHex: hex.EncodeToString(recipientKexPriv),
 			SecretHex:           hex.EncodeToString(roomKey),
 			SealedHex:           hex.EncodeToString(sealed),
 		},
 		Frame: frameVector{
 			Type:       int(f.Type),
 			Subject:    f.Subject,
 			Sender:     f.Sender,
 			MsgID:      f.MsgID,
 			Epoch:      f.Epoch,
 			NonceHex:   hex.EncodeToString(f.Nonce),
 			PayloadHex: hex.EncodeToString(f.Payload),
 			WireB64:    base64.StdEncoding.EncodeToString(wire),
 			SigningB64: base64.StdEncoding.EncodeToString(f.SigningBytes()),
 			SigHex:     hex.EncodeToString(f.Sig),
 		},
 		CtrlReq: controlReqVector{
 			Method:       ctrlMethod,
 			Path:         ctrlPath,
 			Ts:           ctrlTs,
 			Nonce:        ctrlNonce,
 			BodyHex:      hex.EncodeToString(ctrlBody),
 			CanonicalHex: hex.EncodeToString(canonical),
 			SigHex:       hex.EncodeToString(ctrlSig),
 			SignPrivHex:  hex.EncodeToString(signPriv),
 		},
 		// kexPub is unused in a vector field today but derived above to validate the
 		// scalar; reference it so the intent is documented.
 	}
 	_ = kexPub
 	enc := json.NewEncoder(out)
 	enc.SetIndent("", "  ")
 	return enc.Encode(v)
 }
 func mustHex(s string) []byte {
 	b, err := hex.DecodeString(s)
 	if err != nil {
 		panic("busvectors: bad fixed hex: " + s)
 	}
 	return b
 }
@@ -0,0 +1,159 @@
 package main
 import (
 	"encoding/hex"
 	"errors"
 	"flag"
 	"fmt"
 	"os"
 	cs "fn-registry/functions/cybersecurity"
 	"github.com/enmanuel/unibus/pkg/client"
 	"github.com/enmanuel/unibus/pkg/frame"
 	"github.com/enmanuel/unibus/pkg/membership"
 )
 // runBotCLI implements `membershipd bot add ...`, one-command provisioning of a
 // bus identity for an automated process. Where `user add` requires the operator
 // to derive a keypair by hand and pass the public key, `bot add` mints the
 // identity, registers its signing key in the allowlist, AND writes the bot's
 // credentials to a 0600 file the process reads to connect — no manual key
 // derivation, no second step. It shares the SQLite/KV store plumbing with the
 // user CLI, so `--store kv` provisions against a live cluster the same way.
 //
 // Like the user CLI it never returns: it exits non-zero on error so it composes
 // in shell scripts and systemd ExecStartPre hooks.
 func runBotCLI(args []string) {
 	if len(args) == 0 {
 		botUsage()
 		os.Exit(2)
 	}
 	sub, rest := args[0], args[1:]
 	switch sub {
 	case "add":
 		botAdd(rest)
 	case "-h", "--help", "help":
 		botUsage()
 		os.Exit(0)
 	default:
 		fmt.Fprintf(os.Stderr, "membershipd bot: unknown subcommand %q\n\n", sub)
 		botUsage()
 		os.Exit(2)
 	}
 }
 func botUsage() {
 	fmt.Fprint(os.Stderr, `usage: membershipd bot add [flags]
 Provision a bus identity for an automated process (a "unibot") in one command:
 mint a fresh Ed25519+X25519 identity, register its signing key in the allowlist,
 and write the credentials to a 0600 file the process loads to connect.
 required flags:
  --handle <name>   human-readable name for the bot (shown in the directory)
  --out <path>      where to write the bot credentials (refused if it exists)
 optional flags:
  --role <role>     admin or member (default member)
  --store <kind>    sqlite (local DB, default) | kv (the live cluster's allowlist)
  --db <path>       SQLite database path (--store sqlite; default ./local_files/unibus.db)
 --store kv flags (defaults assume an on-node invocation):
  --nats-url <url>           cluster NATS (default nats://127.0.0.1:4250)
  --internal-id-file <path>  persisted internal service identity (default /opt/unibus/secrets/internal.id)
  --ca <path>                CA cert pinning the data-plane TLS (default /opt/unibus/tls/ca.crt)
  --kv-replicas <n>          KV replication factor, match the cluster (default 3)
 examples:
  membershipd bot add --handle notifier --out ./local_files/notifier.id
  membershipd bot add --store kv --handle relay --role member --out /opt/unibus/secrets/relay.id
 The --out file is the canonical identity format read by the worker/clientcheck
 clients (pkg/client.LoadIdentity), so the provisioned bot connects with no extra
 conversion: point the process at it (e.g. worker --id-file <path>) and it joins
 the bus as this user.
 `)
 }
 func botAdd(args []string) {
 	fs := flag.NewFlagSet("bot add", flag.ExitOnError)
 	handle := fs.String("handle", "", "human-readable bot name (required)")
 	role := fs.String("role", membership.RoleMember, "role: admin or member")
 	out := fs.String("out", "", "path to write the bot credentials, 0600 (required)")
 	dbPath := fs.String("db", defaultDBPath, "SQLite database path")
 	kf := registerKVFlags(fs)
 	_ = fs.Parse(args)
 	if *handle == "" || *out == "" {
 		fmt.Fprintln(os.Stderr, "membershipd bot add: --handle and --out are required")
 		os.Exit(2)
 	}
 	store, kv, closeStore := resolveStore("bot add", kf, *dbPath)
 	defer closeStore()
 	signPubHex, endpoint, err := provisionBot(store, *handle, *role, *out)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "membershipd bot add: %v\n", err)
 		os.Exit(1)
 	}
 	fmt.Printf("provisioned bot %q role=%s\n", *handle, *role)
 	fmt.Printf("  sign_pub:    %s\n", signPubHex)
 	fmt.Printf("  endpoint:    %s\n", endpoint)
 	fmt.Printf("  credentials: %s (0600)\n", *out)
 	if kv != nil {
 		reportKVReplication(kv.js)
 	}
 }
 // provisionBot mints a fresh bus identity and provisions it. It is the generating
 // half; provisionBotWithIdentity does the registration + persistence so a test can
 // inject a known identity (e.g. to exercise the already-registered error path).
 func provisionBot(store membership.Store, handle, role, out string) (signPubHex, endpoint string, err error) {
 	id, err := cs.GenerateIdentity()
 	if err != nil {
 		return "", "", fmt.Errorf("generate bot identity: %w", err)
 	}
 	return provisionBotWithIdentity(store, id, handle, role, out)
 }
 // provisionBotWithIdentity registers id's signing key under handle/role and writes
 // id's credentials to out. It returns the lowercase-hex signing key and the
 // derived endpoint id.
 //
 // Ordering is deliberate so a failure never leaves a half-provisioned bot:
 //  1. refuse if out already exists, BEFORE the store is touched (no orphan user);
 //  2. register the user — an already-registered key is a clear error, not a panic;
 //  3. only then write the 0600 credentials file.
 //
 // A write failure after a successful register is reported with the registered key
 // so the operator can revoke it; this is the one residual non-atomic seam (a
 // local admin command, acceptable per KISS).
 func provisionBotWithIdentity(store membership.Store, id cs.Identity, handle, role, out string) (signPubHex, endpoint string, err error) {
 	if handle == "" || out == "" {
 		return "", "", fmt.Errorf("handle and out are required")
 	}
 	if role == "" {
 		role = membership.RoleMember
 	}
 	if _, statErr := os.Stat(out); statErr == nil {
 		return "", "", fmt.Errorf("out file %q already exists; refusing to overwrite bot credentials", out)
 	} else if !os.IsNotExist(statErr) {
 		return "", "", fmt.Errorf("stat out %q: %w", out, statErr)
 	}
 	signPubHex = hex.EncodeToString(id.SignPub)
 	endpoint = frame.EndpointID(id.SignPub)
 	if err := store.AddUser(signPubHex, handle, role); err != nil {
 		if errors.Is(err, membership.ErrUserExists) {
 			return "", "", fmt.Errorf("sign_pub %s already registered; revoke it first to replace", signPubHex)
 		}
 		return "", "", fmt.Errorf("register bot user: %w", err)
 	}
 	if err := client.WriteNewIdentity(out, id); err != nil {
 		return "", "", fmt.Errorf("write bot credentials to %q (user %s WAS registered — revoke it to retry): %w", out, signPubHex, err)
 	}
 	return signPubHex, endpoint, nil
 }
@@ -0,0 +1,149 @@
 package main
 import (
 	"encoding/hex"
 	"os"
 	"path/filepath"
 	"testing"
 	cs "fn-registry/functions/cybersecurity"
 	"github.com/enmanuel/unibus/pkg/client"
 	"github.com/enmanuel/unibus/pkg/frame"
 	"github.com/enmanuel/unibus/pkg/membership"
 )
 // openTestStore opens a fresh SQLite membership store in a temp dir.
 func openTestStore(t *testing.T) membership.Store {
 	t.Helper()
 	store, err := membership.Open(filepath.Join(t.TempDir(), "unibus.db"))
 	if err != nil {
 		t.Fatalf("open store: %v", err)
 	}
 	t.Cleanup(func() { store.Close() })
 	return store
 }
 // TestProvisionBotGolden is the happy path: provisioning a bot registers it in the
 // allowlist with the right handle and role, AND writes a 0600 credentials file
 // that LoadIdentity reconstructs into the same identity — so a worker/clientcheck
 // binary pointed at the file connects as exactly this user with no extra step.
 func TestProvisionBotGolden(t *testing.T) {
 	store := openTestStore(t)
 	out := filepath.Join(t.TempDir(), "notifier.id")
 	signPubHex, endpoint, err := provisionBot(store, "notifier", membership.RoleMember, out)
 	if err != nil {
 		t.Fatalf("provisionBot: %v", err)
 	}
 	// Registered in the allowlist with the right handle/role/status.
 	u, err := store.GetUser(signPubHex)
 	if err != nil {
 		t.Fatalf("get provisioned user: %v", err)
 	}
 	if u.Handle != "notifier" || u.Role != membership.RoleMember || u.Status != membership.StatusActive {
 		t.Fatalf("provisioned user row wrong: %+v", u)
 	}
 	// And it shows up in user list (the `user list` surface).
 	users, err := store.ListUsers()
 	if err != nil {
 		t.Fatalf("list users: %v", err)
 	}
 	found := false
 	for _, x := range users {
 		if x.SignPub == signPubHex {
 			found = true
 		}
 	}
 	if !found {
 		t.Fatalf("provisioned bot missing from user list: %+v", users)
 	}
 	// Credentials file exists, is 0600, and round-trips through LoadIdentity to the
 	// same signing key + endpoint (no-friction contract).
 	info, err := os.Stat(out)
 	if err != nil {
 		t.Fatalf("stat out file: %v", err)
 	}
 	if perm := info.Mode().Perm(); perm != 0o600 {
 		t.Fatalf("out file perms = %o, want 600", perm)
 	}
 	id, err := client.LoadIdentity(out)
 	if err != nil {
 		t.Fatalf("LoadIdentity(out): %v", err)
 	}
 	if got := hex.EncodeToString(id.SignPub); got != signPubHex {
 		t.Fatalf("loaded sign_pub %q != provisioned %q", got, signPubHex)
 	}
 	if got := frame.EndpointID(id.SignPub); got != endpoint {
 		t.Fatalf("loaded endpoint %q != reported %q", got, endpoint)
 	}
 }
 // TestProvisionBotDefaultRole: an empty role defaults to member.
 func TestProvisionBotDefaultRole(t *testing.T) {
 	store := openTestStore(t)
 	out := filepath.Join(t.TempDir(), "bot.id")
 	signPubHex, _, err := provisionBot(store, "defrole", "", out)
 	if err != nil {
 		t.Fatalf("provisionBot: %v", err)
 	}
 	u, err := store.GetUser(signPubHex)
 	if err != nil {
 		t.Fatalf("get user: %v", err)
 	}
 	if u.Role != membership.RoleMember {
 		t.Fatalf("empty role should default to member, got %q", u.Role)
 	}
 }
 // TestProvisionBotSignPubAlreadyRegistered is the error path: provisioning an
 // identity whose signing key is already in the allowlist fails with a clear error
 // (not a panic) AND does not write a credentials file (no half-provisioned bot).
 func TestProvisionBotSignPubAlreadyRegistered(t *testing.T) {
 	store := openTestStore(t)
 	// Pre-register a key, then try to provision a bot with that SAME identity.
 	id, err := cs.GenerateIdentity()
 	if err != nil {
 		t.Fatalf("generate identity: %v", err)
 	}
 	signPubHex := hex.EncodeToString(id.SignPub)
 	if err := store.AddUser(signPubHex, "preexisting", membership.RoleMember); err != nil {
 		t.Fatalf("pre-register: %v", err)
 	}
 	out := filepath.Join(t.TempDir(), "dup.id")
 	_, _, err = provisionBotWithIdentity(store, id, "dupbot", membership.RoleMember, out)
 	if err == nil {
 		t.Fatalf("provisioning an already-registered key should error")
 	}
 	if _, statErr := os.Stat(out); !os.IsNotExist(statErr) {
 		t.Fatalf("credentials file must NOT be written on a duplicate-key failure (stat err = %v)", statErr)
 	}
 }
 // TestProvisionBotOutExists is the other error path: an existing --out file is
 // refused BEFORE the store is mutated, so the run leaves no orphan user behind.
 func TestProvisionBotOutExists(t *testing.T) {
 	store := openTestStore(t)
 	out := filepath.Join(t.TempDir(), "taken.id")
 	if err := os.WriteFile(out, []byte("preexisting credentials"), 0o600); err != nil {
 		t.Fatalf("seed out file: %v", err)
 	}
 	_, _, err := provisionBot(store, "clobber", membership.RoleMember, out)
 	if err == nil {
 		t.Fatalf("provisioning over an existing out file should error")
 	}
 	// The store must be untouched: no user was registered.
 	users, err := store.ListUsers()
 	if err != nil {
 		t.Fatalf("list users: %v", err)
 	}
 	if len(users) != 0 {
 		t.Fatalf("no user should be registered when out exists, got %+v", users)
 	}
 }
@@ -13,6 +13,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
 	"strings"
 	"syscall"
 	"time"
@@ -46,6 +47,14 @@ func main() {
 		runMigrateCLI(os.Args[2:])
 		return
 	}
 	// `membershipd bot add ...` provisions a bus identity for an automated process
 	// in one command (mint identity + register + write 0600 credentials). It shares
 	// the same trusted-host model and store plumbing as the user CLI, so it is
 	// dispatched here before the server flag set parses os.Args.
 	if len(os.Args) > 1 && os.Args[1] == "bot" {
 		runBotCLI(os.Args[2:])
 		return
 	}
 	var (
 		bind      = flag.String("bind", "127.0.0.1", "network interface to bind the HTTP API and the embedded NATS to; use 0.0.0.0 to accept LAN/remote peers")
@@ -54,8 +63,11 @@ func main() {
 		dbPath    = flag.String("db", "./local_files/unibus.db", "SQLite database path")
 		storeDir  = flag.String("store-dir", "./local_files/blobs", "blob store directory")
 		natsPort  = flag.Int("nats-port", 4250, "embedded NATS listen port (when --nats-url empty)")
 		wsPort    = flag.Int("ws-port", 0, "WebSocket listen port for browser clients (nats.ws); 0 = disabled. Enables the browser-native uniweb client (issue uniweb/0001)")
 		natsStore = flag.String("nats-store", "./local_files/jetstream", "embedded JetStream store dir")
 		busAuth   = flag.String("bus-auth", "off", "control-plane auth rollout: off|soft|enforce (feature flag bus-auth)")
 		corsOrigins = flag.String("cors-origins", "", "comma-separated CORS allowlist of browser origins permitted to call the control plane (e.g. http://localhost:5173,https://chat.example.com); empty = CORS off. Enables the browser-native uniweb client (issue uniweb/0001)")
 		trustedProxies = flag.String("trusted-proxies", "", "comma-separated IPs/CIDRs of reverse proxies whose X-Forwarded-For/X-Real-IP is trusted for the per-IP rate limit; empty = trust the direct connection only. Set to the same-origin proxy's address (e.g. the Caddy node) so the rate limit stays per-client behind the proxy")
 		tlsCert   = flag.String("tls-cert", "", "PATH to the NATS server certificate (deploy/tls/server.crt); enables TLS on the embedded data plane")
 		tlsKey    = flag.String("tls-key", "", "path to the NATS server private key (deploy/tls/server.key); required with --tls-cert")
 		// Cluster (issue 0003a): empty --cluster-name keeps the server standalone.
@@ -138,6 +150,16 @@ func main() {
 	decentralized := *storeBackend == "kv"
 	needJS := clustered || decentralized
 	enforce := authMode == membership.AuthEnforce
 	embedded := *natsURL == ""
 	// The control plane also needs a privileged JetStream client to OWN the durable
 	// per-room streams of persisted rooms (ensure the stream on room creation so the
 	// subject is captured from the first message — even from a JetStream-less browser
 	// client — and read it back for GET /rooms/{id}/history). The embedded NATS
 	// always ships JetStream, so open the client whenever we run embedded, even for a
 	// standalone SQLite node. For an EXTERNAL NATS we only reach for JetStream when a
 	// cluster/KV feature explicitly requires it (unchanged), so an operator-managed
 	// external deployment without those features behaves exactly as before.
 	openJS := needJS || embedded
 	// Internal service identity (issue 0006a): when the embedded data plane enforces
 	// auth, membershipd must still connect to its OWN server to manage JetStream.
@@ -147,7 +169,7 @@ func main() {
 	// the server is embedded), so a standalone or non-enforce node is unchanged.
 	var internalID cs.Identity
 	var internalPubHex string
-	if needJS && enforce && *natsURL == "" {
+	if openJS && enforce && embedded {
 		if *internalIDFile != "" {
 			// Persisted identity: load it, generating + writing it (0600) on first
 			// start. A stable internal key is what `user add --store kv` presents to
@@ -267,6 +289,24 @@ func main() {
 			cfg.TLS = tlsCfg
 			log.Printf("NATS TLS: ON (%s)", *tlsCert)
 		}
 		if *wsPort > 0 {
 			// Expose a WebSocket listener so browser clients (uniweb via nats.ws) reach
 			// the data plane directly. It reuses the data-plane TLS (wss:// when TLS is
 			// on, ws:// for a loopback dev stack) and the same browser-origin allowlist
 			// as the control-plane CORS, so opening the data plane to the browser and
 			// opening the control plane to it are governed by one --cors-origins list.
 			scheme := "ws"
 			if cfg.TLS != nil {
 				scheme = "wss"
 			}
 			cfg.Websocket = &embeddednats.WebsocketConfig{
 				Host:           *bind,
 				Port:           *wsPort,
 				TLS:            cfg.TLS,
 				AllowedOrigins: splitRoutes(*corsOrigins),
 			}
 			log.Printf("NATS WebSocket: ON (%s://%s:%d)", scheme, *bind, *wsPort)
 		}
 		ns, err = embeddednats.StartServer(cfg)
 		if err != nil {
 			log.Fatalf("start embedded nats: %v", err)
@@ -286,9 +326,9 @@ func main() {
 	// only client that can connect in this window (the holder still denies everyone
 	// else; the internal identity bypasses the store).
 	var js jetstream.JetStream
-	if needJS {
+	if openJS {
 		var internalNC *nats.Conn
-		if *natsURL == "" {
+		if embedded {
 			internalNC, js, err = connectInternalJS(ns, internalID, enforce)
 		} else {
 			internalNC, js, err = connectExternalJS(natsClientURL, *caFile)
@@ -310,6 +350,14 @@ func main() {
 	}
 	srv := membership.NewServer(store, blobs, authMode)
 	// Wire the privileged JetStream context so the control plane owns persisted
 	// rooms' durable streams (ensure on create + serve GET /rooms/{id}/history). The
 	// stream replication factor matches the control-plane KV replication so a room's
 	// history is as available as its metadata. js is nil only for an external NATS
 	// without a cluster/KV feature, where history degrades to empty (see openJS).
 	if js != nil {
 		srv.SetJetStream(js, *kvReplicas)
 	}
 	// On a public (non-loopback) bind, disable cleartext rooms: the embedded NATS
 	// has no per-subject ACL, so cleartext content would be readable by any
 	// registered peer. Forcing E2E keeps message content confidential regardless
@@ -329,6 +377,24 @@ func main() {
 		Cluster: clustered,
 		Store:   *storeBackend,
 	}
 	// CORS allowlist for the browser-native client (uniweb). splitRoutes is reused
 	// as a generic comma-list parser (trim + drop empties). Empty flag => empty
 	// slice => CORS stays off, identical to the pre-flag behavior.
 	if origins := splitRoutes(*corsOrigins); len(origins) > 0 {
 		srv.AllowedOrigins = origins
 		log.Printf("CORS: allowing %d browser origin(s): %s", len(origins), strings.Join(origins, ", "))
 	}
 	// Trusted reverse proxies for the per-IP rate limit. Behind the same-origin
 	// Caddy proxy every request arrives with the proxy's IP, which would collapse
 	// the per-IP rate limit into one bucket for the whole world; naming the proxy
 	// here lets the limiter believe its X-Forwarded-For and key on the real client
 	// instead. Empty flag => trust the direct connection only (unchanged behavior).
 	if proxies := splitRoutes(*trustedProxies); len(proxies) > 0 {
 		if err := srv.SetTrustedProxies(proxies); err != nil {
 			log.Fatalf("invalid --trusted-proxies: %v", err)
 		}
 		log.Printf("rate limit: trusting forwarded client IP from proxies: %s", strings.Join(proxies, ", "))
 	}
 	// Replicated anti-replay (issue 0006a, audit 0008 N3): a clustered node MUST
 	// share its nonce store across the cluster, or a request accepted on one node
@@ -1,246 +0,0 @@
 package main
 import (
 	"encoding/hex"
 	"fmt"
 	"strings"
 	"sync"
 	cs "fn-registry/functions/cybersecurity"
 	"github.com/enmanuel/unibus/pkg/busauth"
 	"github.com/enmanuel/unibus/pkg/client"
 	"github.com/enmanuel/unibus/pkg/frame"
 	"github.com/enmanuel/unibus/pkg/room"
 )
 // gateway is the live web gateway: it owns the operator's identity and a single
 // connected unibus client, and turns the bus's crypto-bearing API into the plain
 // REST/SSE surface the browser consumes. The browser never signs, never speaks
 // NATS, and never sees a private key — the gateway is the legitimate room member
 // that seals/opens payloads on the browser's behalf.
 //
 // TRUST MODEL: content stays end-to-end encrypted on the wire. The gateway can
 // read plaintext because it acts AS the operator's client — a real member of
 // each room, holding the room key K like any peer. It is the same trust a native
 // desktop client has. In the wallet phase (per-browser WebCrypto identity) the
 // decryption can move into the browser; today, for the single-operator MVP, the
 // gateway decrypts server-side and pushes cleartext over a loopback/authenticated
 // SSE channel.
 type gateway struct {
 	id         cs.Identity
 	endpoint   string
 	cli        *client.Client
 	refreshACL bool // call RefreshSession after a membership change (needed under a per-subject ACL bus)
 	mu   sync.Mutex
 	hubs map[string]*roomHub // roomID -> live fan-out of decrypted frames to SSE clients
 }
 // gatewayConfig wires a live gateway.
 type gatewayConfig struct {
 	Identity cs.Identity
 	NatsURL  string
 	CtrlURL  string
 	CtrlURLs []string
 	NatsURLs []string
 	CAPath   string // bus CA; empty => plaintext dev connection (matches a loopback membershipd)
 }
 // newGateway connects the unibus client with the operator identity following the
 // same posture seam every peer uses: a non-empty CA path means TLS + nkey, empty
 // means plaintext dev. When a CA is configured the bus is assumed to enforce a
 // per-subject ACL, so membership changes trigger a session refresh.
 func newGateway(cfg gatewayConfig) (*gateway, error) {
 	opts := client.Options{
 		CtrlURLs:    cfg.CtrlURLs,
 		NatsServers: cfg.NatsURLs,
 	}
 	if cfg.CAPath != "" {
 		tlsCfg, err := busauth.LoadCATLSConfig(cfg.CAPath)
 		if err != nil {
 			return nil, fmt.Errorf("webgw: load bus CA %q: %w", cfg.CAPath, err)
 		}
 		opts.UseNkey = true
 		opts.TLS = tlsCfg
 		opts.CtrlTLS = tlsCfg
 	}
 	cli, err := client.NewWithOptions(cfg.NatsURL, cfg.CtrlURL, cfg.Identity, opts)
 	if err != nil {
 		return nil, fmt.Errorf("webgw: connect bus client: %w", err)
 	}
 	return &gateway{
 		id:         cfg.Identity,
 		endpoint:   frame.EndpointID(cfg.Identity.SignPub),
 		cli:        cli,
 		refreshACL: cfg.CAPath != "",
 		hubs:       map[string]*roomHub{},
 	}, nil
 }
 // Close stops every hub and releases the bus client connection.
 func (g *gateway) Close() error {
 	g.mu.Lock()
 	for _, h := range g.hubs {
 		h.stop()
 	}
 	g.hubs = map[string]*roomHub{}
 	g.mu.Unlock()
 	if g.cli != nil {
 		return g.cli.Close()
 	}
 	return nil
 }
 // ---- wire types (browser-facing JSON) ------------------------------------
 // meInfo is what GET /api/me returns: the operator identity the gateway acts as.
 type meInfo struct {
 	Endpoint string `json:"endpoint"`
 	SignPub  string `json:"sign_pub"`
 }
 // roomWire is the browser view of a room. It deliberately omits messages: those
 // stream over SSE (GET /api/rooms/{id}/stream), not in the room list.
 type roomWire struct {
 	ID       string `json:"id"`
 	Subject  string `json:"subject"`
 	Name     string `json:"name"`
 	Epoch    int    `json:"epoch"`
 	Encrypt  bool   `json:"encrypt"`
 	Persist  bool   `json:"persist"`
 	SignMsgs bool   `json:"sign_msgs"`
 	Role     string `json:"role"`
 }
 // createRoomReq is the POST /api/rooms body. Encrypt/Persist/SignMsgs are
 // pointers so an omitted field falls back to the chat default rather than to the
 // Go zero value (false). The common case — the browser sending only {subject,
 // encrypted} — maps encrypted onto all three (the Matrix-like chat policy).
 type createRoomReq struct {
 	Subject   string `json:"subject"`
 	Encrypted *bool  `json:"encrypted,omitempty"`
 	Encrypt   *bool  `json:"encrypt,omitempty"`
 	Persist   *bool  `json:"persist,omitempty"`
 	SignMsgs  *bool  `json:"sign_msgs,omitempty"`
 }
 // policy resolves the requested policy. A bare {subject} defaults to the
 // Matrix-like chat room (encrypted + persisted + signed) so a created room keeps
 // durable, end-to-end-encrypted, authored history. Callers can override any leg.
 func (r createRoomReq) policy() room.Policy {
 	enc, per, sig := true, true, true
 	if r.Encrypted != nil {
 		enc, per, sig = *r.Encrypted, *r.Encrypted, *r.Encrypted
 	}
 	if r.Encrypt != nil {
 		enc = *r.Encrypt
 	}
 	if r.Persist != nil {
 		per = *r.Persist
 	}
 	if r.SignMsgs != nil {
 		sig = *r.SignMsgs
 	}
 	return room.Policy{Encrypt: enc, Persist: per, SignMsgs: sig}
 }
 // sendReq is the POST /api/rooms/{id}/send body.
 type sendReq struct {
 	Body string `json:"body"`
 }
 // msgWire is one decrypted message pushed over SSE.
 type msgWire struct {
 	ID     string `json:"id"`
 	Sender string `json:"sender"`
 	Body   string `json:"body"`
 	TS     int64  `json:"ts"` // epoch ms (decoded from the frame's ULID id)
 	Mine   bool   `json:"mine"`
 }
 // ---- operations -----------------------------------------------------------
 func (g *gateway) me() meInfo {
 	return meInfo{Endpoint: g.endpoint, SignPub: hex.EncodeToString(g.id.SignPub)}
 }
 // subjectName derives a short, human-friendly room name from its bus subject by
 // dropping the leading namespace segment (room., test., proc., agent.). It is a
 // display nicety only; the canonical identity stays the subject/room id.
 func subjectName(subject string) string {
 	for _, p := range []string{"room.", "test.", "proc.", "agent.", "rpc."} {
 		if strings.HasPrefix(subject, p) {
 			return strings.TrimPrefix(subject, p)
 		}
 	}
 	return subject
 }
 func (g *gateway) listRooms() ([]roomWire, error) {
 	rooms, err := g.cli.ListMyRooms()
 	if err != nil {
 		return nil, err
 	}
 	out := make([]roomWire, 0, len(rooms))
 	for _, rm := range rooms {
 		out = append(out, roomWire{
 			ID:       rm.RoomID,
 			Subject:  rm.Subject,
 			Name:     subjectName(rm.Subject),
 			Epoch:    rm.Epoch,
 			Encrypt:  rm.Policy.Encrypt,
 			Persist:  rm.Policy.Persist,
 			SignMsgs: rm.Policy.SignMsgs,
 			Role:     rm.Role,
 		})
 	}
 	return out, nil
 }
 func (g *gateway) createRoom(req createRoomReq) (roomWire, error) {
 	subject := strings.TrimSpace(req.Subject)
 	if subject == "" {
 		return roomWire{}, fmt.Errorf("webgw: subject required")
 	}
 	p := req.policy()
 	roomID, err := g.cli.CreateRoom(subject, p)
 	if err != nil {
 		return roomWire{}, err
 	}
 	// Under a per-subject ACL the operator's frozen NATS permissions do not yet
 	// cover the new room's subject; refresh so subsequent data-plane use works. On
 	// a plaintext/non-ACL dev bus this is unnecessary and would needlessly drop any
 	// live SSE subscriptions, so it is gated on the secured posture.
 	if g.refreshACL {
 		_ = g.cli.RefreshSession()
 	}
 	return roomWire{
 		ID:       roomID,
 		Subject:  subject,
 		Name:     subjectName(subject),
 		Epoch:    1,
 		Encrypt:  p.Encrypt,
 		Persist:  p.Persist,
 		SignMsgs: p.SignMsgs,
 		Role:     "owner",
 	}, nil
 }
 // join resolves room metadata and (for encrypted rooms) fetches the room key so
 // the gateway can later open payloads. Idempotent.
 func (g *gateway) join(roomID string) error {
 	if err := g.cli.Join(roomID); err != nil {
 		return err
 	}
 	if g.refreshACL {
 		_ = g.cli.RefreshSession()
 	}
 	return nil
 }
 // send publishes plaintext to a room. The unibus client seals it with the room
 // key (encrypted rooms) and signs it (signed rooms) before it leaves the process.
 func (g *gateway) send(roomID, body string) error {
 	return g.cli.Publish(roomID, []byte(body))
 }
@@ -1,140 +0,0 @@
 package main
 import (
 	"sync"
 	"github.com/enmanuel/unibus/pkg/client"
 	"github.com/enmanuel/unibus/pkg/frame"
 	"github.com/oklog/ulid/v2"
 )
 // roomHub multiplexes ONE unibus room subscription to MANY SSE clients. The
 // unibus client derives a per-(room, endpoint) durable consumer name, so a
 // second Subscribe for the same room from the same operator would contend for
 // the same durable (load-balanced delivery) rather than each browser receiving
 // every message. The hub holds a single subscription per room and fans each
 // decrypted frame out to every connected browser, which also means the gateway
 // opens at most one bus subscription per room regardless of how many tabs watch
 // it.
 type roomHub struct {
 	roomID     string
 	myEndpoint string
 	sub        *client.Sub
 	mu      sync.Mutex
 	clients map[chan msgWire]struct{}
 }
 // frameTS decodes the millisecond timestamp embedded in a frame's ULID id. A
 // malformed id (should not happen for bus-produced frames) yields 0, which the
 // browser renders without crashing.
 func frameTS(msgID string) int64 {
 	id, err := ulid.Parse(msgID)
 	if err != nil {
 		return 0
 	}
 	return int64(id.Time())
 }
 // newRoomHub opens the single bus subscription for roomID and starts fanning
 // decrypted frames out to registered clients. The room must already be joined
 // (so the gateway holds the room key) before this is called.
 func newRoomHub(cli *client.Client, roomID, myEndpoint string) (*roomHub, error) {
 	h := &roomHub{
 		roomID:     roomID,
 		myEndpoint: myEndpoint,
 		clients:    map[chan msgWire]struct{}{},
 	}
 	sub, err := cli.Subscribe(roomID, func(f frame.Frame, plaintext []byte) {
 		m := msgWire{
 			ID:     f.MsgID,
 			Sender: f.Sender,
 			Body:   string(plaintext),
 			TS:     frameTS(f.MsgID),
 			Mine:   f.Sender == myEndpoint,
 		}
 		h.broadcast(m)
 	})
 	if err != nil {
 		return nil, err
 	}
 	h.sub = sub
 	return h, nil
 }
 // broadcast delivers a message to every registered client without blocking the
 // NATS delivery goroutine: a client whose buffer is full (a stalled browser)
 // drops this frame rather than stalling the whole room.
 func (h *roomHub) broadcast(m msgWire) {
 	h.mu.Lock()
 	defer h.mu.Unlock()
 	for ch := range h.clients {
 		select {
 		case ch <- m:
 		default:
 		}
 	}
 }
 // add registers a new SSE client channel.
 func (h *roomHub) add(ch chan msgWire) {
 	h.mu.Lock()
 	defer h.mu.Unlock()
 	h.clients[ch] = struct{}{}
 }
 // stop unsubscribes from the bus. Local delivery ends; for a persisted room the
 // durable consumer's ack position stays on the server, so a later subscription
 // with the same operator resumes from where it left off.
 func (h *roomHub) stop() {
 	if h.sub != nil {
 		_ = h.sub.Unsubscribe()
 	}
 }
 // openStream joins the room (idempotent; fetches the room key for encrypted
 // rooms), attaches an SSE client to the room's hub (creating it on first watcher),
 // and returns the client's message channel plus a cleanup func. The cleanup
 // detaches the client and, when it was the last watcher, tears down the room's
 // single bus subscription.
 func (g *gateway) openStream(roomID string) (chan msgWire, func(), error) {
 	if err := g.join(roomID); err != nil {
 		return nil, nil, err
 	}
 	g.mu.Lock()
 	h := g.hubs[roomID]
 	if h == nil {
 		var err error
 		h, err = newRoomHub(g.cli, roomID, g.endpoint)
 		if err != nil {
 			g.mu.Unlock()
 			return nil, nil, err
 		}
 		g.hubs[roomID] = h
 	}
 	g.mu.Unlock()
 	// Buffer so a brief render hitch in the browser does not drop live frames; a
 	// sustained stall still drops (broadcast is non-blocking) rather than wedging
 	// the room.
 	ch := make(chan msgWire, 64)
 	h.add(ch)
 	// cleanup takes g.mu before h.mu (the single, consistent lock order) so a
 	// concurrent openStream that re-creates the hub cannot race the teardown.
 	cleanup := func() {
 		g.mu.Lock()
 		defer g.mu.Unlock()
 		h.mu.Lock()
 		delete(h.clients, ch)
 		empty := len(h.clients) == 0
 		h.mu.Unlock()
 		if empty {
 			if cur := g.hubs[roomID]; cur == h {
 				delete(g.hubs, roomID)
 				h.stop()
 			}
 		}
 	}
 	return ch, cleanup, nil
 }
@@ -1,98 +0,0 @@
 package main
 import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
 	"os/exec"
 	cs "fn-registry/functions/cybersecurity"
 )
 // identityJSON mirrors the on-disk / pass-stored identity format shared across
 // the unibus tooling: the four keypair halves, each std-base64. It is the SAME
 // shape the bus client persists (pkg/client identity file) and the operator's
 // `pass` entry unibus/operator-identity, so the web gateway loads the operator's
 // identity without a divergent serialization. Kept in lockstep with
 // unibus_admin/internal/admin/identity.go.
 type identityJSON struct {
 	SignPub  string `json:"sign_pub"`
 	SignPriv string `json:"sign_priv"`
 	KexPub   string `json:"kex_pub"`
 	KexPriv  string `json:"kex_priv"`
 }
 // decodeIdentity turns the JSON identity bytes into a cs.Identity. The private
 // halves stay only in memory; this never writes them anywhere.
 func decodeIdentity(raw []byte) (cs.Identity, error) {
 	var f identityJSON
 	if err := json.Unmarshal(raw, &f); err != nil {
 		return cs.Identity{}, fmt.Errorf("webgw: parse identity json: %w", err)
 	}
 	dec := base64.StdEncoding.DecodeString
 	signPub, err := dec(f.SignPub)
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("webgw: decode sign_pub: %w", err)
 	}
 	signPriv, err := dec(f.SignPriv)
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("webgw: decode sign_priv: %w", err)
 	}
 	kexPub, err := dec(f.KexPub)
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("webgw: decode kex_pub: %w", err)
 	}
 	kexPriv, err := dec(f.KexPriv)
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("webgw: decode kex_priv: %w", err)
 	}
 	if len(signPub) != 32 || len(signPriv) != 64 || len(kexPub) != 32 || len(kexPriv) != 32 {
 		return cs.Identity{}, fmt.Errorf("webgw: identity has wrong key sizes (sign_pub=%d sign_priv=%d kex_pub=%d kex_priv=%d)",
 			len(signPub), len(signPriv), len(kexPub), len(kexPriv))
 	}
 	return cs.Identity{SignPub: signPub, SignPriv: signPriv, KexPub: kexPub, KexPriv: kexPriv}, nil
 }
 // loadIdentityFromFile reads a 0600 identity JSON file (the same format the bus
 // client writes) and decodes it. Used on a deploy host where `pass` is not
 // available and the operator identity is delivered as a protected file.
 func loadIdentityFromFile(path string) (cs.Identity, error) {
 	raw, err := os.ReadFile(path)
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("webgw: read identity file %q: %w", path, err)
 	}
 	return decodeIdentity(raw)
 }
 // loadIdentityFromPass shells out to `pass show <entry>` and decodes the JSON
 // identity it returns. The secret is held only in memory; this process never
 // writes it to disk or argv. Used in local operator workflows where the GNU
 // password store holds unibus/operator-identity.
 func loadIdentityFromPass(entry string) (cs.Identity, error) {
 	out, err := exec.Command("pass", "show", entry).Output()
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("webgw: pass show %q: %w", entry, err)
 	}
 	return decodeIdentity(out)
 }
 // loadPassValue returns the first line of a `pass show <entry>` for non-identity
 // secrets (e.g. the unlock passphrase). Empty entry yields an empty string and
 // no error, so callers can treat "no pass entry configured" as "not set".
 func loadPassValue(entry string) (string, error) {
 	if entry == "" {
 		return "", nil
 	}
 	out, err := exec.Command("pass", "show", entry).Output()
 	if err != nil {
 		return "", fmt.Errorf("webgw: pass show %q: %w", entry, err)
 	}
 	s := string(out)
 	for i := 0; i < len(s); i++ {
 		if s[i] == '\n' || s[i] == '\r' {
 			return s[:i], nil
 		}
 	}
 	return s, nil
 }
@@ -1,199 +0,0 @@
 // Command webgw is the web gateway for the unibus chat SPA. It is a single Go
 // binary that holds the operator's bus identity, connects to the bus as a real
 // authenticated peer (pkg/client), and exposes a small REST + SSE API the
 // browser consumes. The browser never signs, never speaks NATS, and never sees a
 // private key: it authenticates to the gateway with a passphrase and thereafter
 // holds only an opaque session cookie.
 //
 // TRUST MODEL (MVP, single operator): room content stays end-to-end encrypted on
 // the bus. The gateway can read plaintext because it acts AS the operator's
 // client — a legitimate member of each room holding the room key. Decryption
 // happens server-side in this process; cleartext then crosses an authenticated
 // (loopback or TLS-fronted) SSE channel to the browser. The wallet phase (issue:
 // per-browser WebCrypto identity) can move decryption into the browser; see the
 // report for the FASE 2 plan.
 //
 //	# local dev against a loopback membershipd (plaintext), operator from pass:
 //	webgw --identity-pass unibus/operator-identity \
 //	  --ctrl-url http://127.0.0.1:8470 --nats-url nats://127.0.0.1:4250
 //
 //	# secured cluster (TLS + nkey on both planes), identity from a 0600 file:
 //	webgw --ca ca.crt --identity-file operator.id \
 //	  --ctrl-url https://node-a:8470 --nats-url nats://node-a:4250 \
 //	  --ctrl-urls https://node-b:8470,https://node-c:8470 \
 //	  --nats-urls nats://node-b:4250,nats://node-c:4250
 package main
 import (
 	"context"
 	"flag"
 	"log"
 	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"strings"
 	"syscall"
 	"time"
 	cs "fn-registry/functions/cybersecurity"
 )
 func main() {
 	var (
 		bind         = flag.String("bind", "127.0.0.1", "interface to bind the gateway HTTP server to (loopback by default)")
 		port         = flag.String("port", "8481", "gateway HTTP port")
 		ctrlURL      = flag.String("ctrl-url", "http://127.0.0.1:8470", "primary unibus control-plane base URL")
 		ctrlURLs     = flag.String("ctrl-urls", "", "comma-separated ADDITIONAL control-plane base URLs (cluster failover)")
 		natsURL      = flag.String("nats-url", "nats://127.0.0.1:4250", "primary NATS URL")
 		natsURLs     = flag.String("nats-urls", "", "comma-separated ADDITIONAL NATS seed URLs (cluster failover)")
 		caPath       = flag.String("ca", "", "bus CA cert path; set to talk TLS+nkey to a secured bus (empty = plaintext dev)")
 		identityFile = flag.String("identity-file", "", "path to the operator identity JSON file (0600). Mutually exclusive with --identity-pass")
 		identityPass = flag.String("identity-pass", "", "pass(1) entry holding the operator identity JSON, e.g. unibus/operator-identity")
 		unlockPass   = flag.String("unlock-pass", "", "literal passphrase the browser must send to unlock a LEGACY operator session (dev). Prefer --unlock-pass-entry")
 		unlockEntry  = flag.String("unlock-pass-entry", "unibus/admin-panel-password", "pass(1) entry holding the operator unlock passphrase (used when --unlock-pass is empty)")
 		registerURL  = flag.String("register-url", "", "bus POST /register URL for wallet onboarding. Empty = derive from --ctrl-url (<ctrl-url>/register)")
 		mockTokens   = flag.String("mock-tokens", "", "DEV ONLY: comma-separated one-shot invite tokens for local testing, 'token=handle:role'. Empty in production (real invites come from the bus). Example: demo=demo:member")
 		webDir       = flag.String("web-dir", "", "OPTIONAL path to the built SPA (web/dist) to serve. Empty = API only (use vite dev server)")
 	)
 	flag.Parse()
 	log.SetFlags(log.LstdFlags | log.Lmsgprefix)
 	log.SetPrefix("[webgw] ")
 	id, err := loadIdentity(*identityFile, *identityPass)
 	if err != nil {
 		log.Fatalf("%v", err)
 	}
 	unlock := *unlockPass
 	if unlock == "" {
 		unlock, err = loadPassValue(*unlockEntry)
 		if err != nil {
 			log.Fatalf("resolve unlock passphrase: %v", err)
 		}
 	}
 	if unlock == "" {
 		log.Fatalf("an unlock passphrase is required: set --unlock-pass or a non-empty --unlock-pass-entry (default unibus/admin-panel-password)")
 	}
 	resolvedWebDir := resolveWebDir(*webDir)
 	// busTemplate is the connection config every bus client uses. The operator
 	// gateway uses it as-is; each wallet session clones it and overrides Identity
 	// with the logged-in user's keypair.
 	busTemplate := gatewayConfig{
 		Identity: id,
 		NatsURL:  *natsURL,
 		CtrlURL:  *ctrlURL,
 		CtrlURLs: splitCSV(*ctrlURLs),
 		NatsURLs: splitCSV(*natsURLs),
 		CAPath:   *caPath,
 	}
 	gw, err := newGateway(busTemplate)
 	if err != nil {
 		log.Fatalf("%v", err)
 	}
 	defer gw.Close()
 	// Wallet onboarding backend: POST /api/register targets the bus's /register
 	// (added by the user-accounts work). When --register-url is empty we derive it
 	// from --ctrl-url; --mock-tokens supplies one-shot invites for local testing
 	// before that endpoint is deployed.
 	regURL := *registerURL
 	if regURL == "" {
 		regURL = strings.TrimRight(*ctrlURL, "/") + "/register"
 	}
 	registrar := newRegistrar(regURL, *mockTokens)
 	log.Printf("operator endpoint: %s", gw.endpoint)
 	log.Printf("control plane: %s (+%d failover)", *ctrlURL, len(splitCSV(*ctrlURLs)))
 	tls := "OFF (plaintext dev)"
 	if *caPath != "" {
 		tls = "ON (CA " + *caPath + ")"
 	}
 	log.Printf("bus TLS+nkey: %s", tls)
 	if resolvedWebDir != "" {
 		log.Printf("serving SPA from: %s", resolvedWebDir)
 	} else {
 		log.Printf("API only (no --web-dir): use the vite dev server with a /api+stream proxy")
 	}
 	log.Printf("wallet register: %s (mock tokens: %d)", regURL, mockTokenCount(*mockTokens))
 	srv := newServer(gw, busTemplate, registrar, unlock, resolvedWebDir)
 	addr := *bind + ":" + *port
 	httpSrv := &http.Server{
 		Addr:    addr,
 		Handler: srv,
 		// No global write timeout: SSE streams are long-lived. Header timeout still
 		// bounds slowloris on the request line/headers.
 		ReadHeaderTimeout: 10 * time.Second,
 	}
 	go func() {
 		log.Printf("web gateway: http://%s", addr)
 		if err := httpSrv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 			log.Fatalf("http server: %v", err)
 		}
 	}()
 	stop := make(chan os.Signal, 1)
 	signal.Notify(stop, syscall.SIGINT, syscall.SIGTERM)
 	<-stop
 	log.Printf("shutting down...")
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	_ = httpSrv.Shutdown(ctx)
 	log.Printf("bye")
 }
 // loadIdentity resolves the operator identity from exactly one of --identity-file
 // or --identity-pass.
 func loadIdentity(file, passEntry string) (cs.Identity, error) {
 	switch {
 	case file != "" && passEntry != "":
 		return cs.Identity{}, errFlag("set only one of --identity-file or --identity-pass")
 	case file != "":
 		return loadIdentityFromFile(file)
 	case passEntry != "":
 		return loadIdentityFromPass(passEntry)
 	default:
 		return cs.Identity{}, errFlag("an identity is required: pass --identity-file <path> or --identity-pass <entry>")
 	}
 }
 // resolveWebDir validates the --web-dir flag. An empty flag means API-only. A
 // non-empty dir is kept only if it actually holds an index.html, so a typo logs
 // "API only" rather than serving 404s.
 func resolveWebDir(dir string) string {
 	if dir == "" {
 		return ""
 	}
 	abs, err := filepath.Abs(dir)
 	if err != nil {
 		log.Printf("WARN --web-dir %q: %v; serving API only", dir, err)
 		return ""
 	}
 	if !statFile(filepath.Join(abs, "index.html")) {
 		log.Printf("WARN --web-dir %q has no index.html; serving API only", abs)
 		return ""
 	}
 	return abs
 }
 type flagErr string
 func (e flagErr) Error() string { return string(e) }
 func errFlag(s string) error    { return flagErr("webgw: " + s) }
 func splitCSV(s string) []string {
 	var out []string
 	for _, p := range strings.Split(s, ",") {
 		if p = strings.TrimSpace(p); p != "" {
 			out = append(out, p)
 		}
 	}
 	return out
 }
@@ -1,193 +0,0 @@
 package main
 import (
 	"bytes"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 	"sync"
 	"time"
 )
 // registerReq is the POST /api/register body. It mirrors the bus contract exactly
 // (token + the two PUBLIC key halves, each 64 hex chars). The private key never
 // appears here — registration only publishes the public identity. The handle and
 // role are NOT accepted from the client; they are fixed by the invite the token
 // belongs to (no privilege escalation).
 type registerReq struct {
 	Token   string `json:"token"`
 	SignPub string `json:"sign_pub"`
 	KexPub  string `json:"kex_pub"`
 }
 // registerResp is what we return to the browser on success. The bus's /register
 // (issue: user-accounts) decides handle/role from the invite; in mock mode the
 // gateway echoes the configured pair so the SPA can greet the new user.
 type registerResp struct {
 	Handle string `json:"handle"`
 	Role   string `json:"role"`
 }
 // registrar fulfils POST /api/register. It targets the bus's POST /register
 // endpoint (added by the user-accounts work, bus >= 0.12.0). Until that endpoint
 // is rolled out, a built-in mock validates against a configured set of one-shot
 // tokens so the whole wallet flow is testable locally. Mock tokens are checked
 // first; anything else is proxied to the real bus when --register-url is set.
 type registrar struct {
 	mu sync.Mutex
 	registerURL string                // bus POST /register; empty => mock-only
 	httpc       *http.Client          // for proxying to the bus
 	mockTokens  map[string]*mockToken // configured one-shot invites for local testing
 }
 // mockToken is a local stand-in for a bus invite: a token that maps to a fixed
 // handle+role and can be consumed exactly once.
 type mockToken struct {
 	handle string
 	role   string
 	used   bool
 }
 // newRegistrar parses the --mock-tokens spec ("tok=handle:role,tok2=h2:role2")
 // and configures the optional proxy target.
 func newRegistrar(registerURL, mockSpec string) *registrar {
 	r := &registrar{
 		registerURL: strings.TrimSpace(registerURL),
 		httpc:       &http.Client{Timeout: 10 * time.Second},
 		mockTokens:  map[string]*mockToken{},
 	}
 	for _, part := range strings.Split(mockSpec, ",") {
 		part = strings.TrimSpace(part)
 		if part == "" {
 			continue
 		}
 		// tok=handle:role  (role optional, defaults to member)
 		eq := strings.IndexByte(part, '=')
 		if eq < 0 {
 			continue
 		}
 		tok := strings.TrimSpace(part[:eq])
 		hr := strings.TrimSpace(part[eq+1:])
 		handle, role := hr, "member"
 		if c := strings.IndexByte(hr, ':'); c >= 0 {
 			handle, role = strings.TrimSpace(hr[:c]), strings.TrimSpace(hr[c+1:])
 		}
 		if tok != "" && handle != "" {
 			r.mockTokens[tok] = &mockToken{handle: handle, role: role}
 		}
 	}
 	return r
 }
 // mockTokenCount counts configured mock tokens in a --mock-tokens spec (for the
 // startup log line).
 func mockTokenCount(spec string) int {
 	n := 0
 	for _, part := range strings.Split(spec, ",") {
 		if p := strings.TrimSpace(part); p != "" && strings.ContainsRune(p, '=') {
 			n++
 		}
 	}
 	return n
 }
 // validHexKey reports whether s is exactly 64 lowercase/uppercase hex chars (a
 // 32-byte key). Both sign_pub and kex_pub are 32-byte keys.
 func validHexKey(s string) bool {
 	if len(s) != 64 {
 		return false
 	}
 	_, err := hex.DecodeString(s)
 	return err == nil
 }
 // handleRegister validates the keys and consumes the token. Order of resolution:
 //  1. strict validation of the public keys (defends both mock and proxy paths);
 //  2. mock token (one-shot) if configured;
 //  3. proxy to the bus /register if --register-url is set;
 //  4. otherwise reject with a clear error.
 func (s *server) handleRegister(w http.ResponseWriter, r *http.Request) {
 	var req registerReq
 	if !decode(w, r, &req) {
 		return
 	}
 	req.Token = strings.TrimSpace(req.Token)
 	if req.Token == "" {
 		writeErr(w, http.StatusBadRequest, "token required")
 		return
 	}
 	if !validHexKey(req.SignPub) {
 		writeErr(w, http.StatusBadRequest, "sign_pub must be 64 hex chars (32 bytes)")
 		return
 	}
 	if !validHexKey(req.KexPub) {
 		writeErr(w, http.StatusBadRequest, "kex_pub must be 64 hex chars (32 bytes)")
 		return
 	}
 	reg := s.registrar
 	// 2) mock one-shot token.
 	reg.mu.Lock()
 	mt, isMock := reg.mockTokens[req.Token]
 	if isMock {
 		if mt.used {
 			reg.mu.Unlock()
 			writeErr(w, http.StatusConflict, "invite already used")
 			return
 		}
 		mt.used = true
 		handle, role := mt.handle, mt.role
 		reg.mu.Unlock()
 		writeJSON(w, http.StatusCreated, registerResp{Handle: handle, Role: role})
 		return
 	}
 	reg.mu.Unlock()
 	// 3) proxy to the real bus /register when configured.
 	if reg.registerURL != "" {
 		s.proxyRegister(w, req)
 		return
 	}
 	// 4) no mock match, no proxy target.
 	writeErr(w, http.StatusBadRequest, "invalid or unknown token (and no bus /register configured)")
 }
 // proxyRegister forwards the registration to the bus's POST /register. The bus
 // validates the invite (existence, not-used, not-expired) and adds the public
 // identity to the allowlist with the invite's handle+role. This is unsigned by
 // design: the TOKEN authorizes the call, not an admin signature.
 func (s *server) proxyRegister(w http.ResponseWriter, req registerReq) {
 	body, _ := json.Marshal(req)
 	resp, err := s.registrar.httpc.Post(
 		s.registrar.registerURL,
 		"application/json",
 		bytes.NewReader(body),
 	)
 	if err != nil {
 		writeErr(w, http.StatusBadGateway, "bus register unreachable: "+err.Error())
 		return
 	}
 	defer resp.Body.Close()
 	raw, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
 	// On success, try to pass through the bus's handle/role if it returned them;
 	// otherwise a bare 201 is still success.
 	if resp.StatusCode == http.StatusCreated || resp.StatusCode == http.StatusOK {
 		var rr registerResp
 		_ = json.Unmarshal(raw, &rr)
 		writeJSON(w, http.StatusCreated, rr)
 		return
 	}
 	// Forward the bus's error verbatim where possible.
 	msg := strings.TrimSpace(string(raw))
 	if msg == "" {
 		msg = fmt.Sprintf("bus register failed (HTTP %d)", resp.StatusCode)
 	}
 	writeErr(w, resp.StatusCode, msg)
 }
@@ -1,327 +0,0 @@
 package main
 import (
 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/hex"
 	"encoding/json"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 )
 // sessionCookie is the name of the gateway's session cookie. The browser sends
 // it automatically on same-origin fetches AND on EventSource (SSE) connections —
 // EventSource cannot set custom headers, so a cookie is the only way to
 // authenticate the stream. It is HttpOnly so page JS can never read the token.
 const sessionCookie = "unibus_session"
 // server is the gateway's HTTP surface: a small REST/SSE API under /api plus an
 // optional static file server for the built SPA.
 //
 // Two ways to get a session:
 //   - POST /api/session — the WALLET model. The browser hands its own bus
 //     identity (unlocked from its local encrypted key) and the gateway connects a
 //     dedicated bus client AS that user. Per-user, the primary path.
 //   - POST /api/login — the legacy operator passphrase. Binds the session to the
 //     single shared operator gateway. Kept for backward compatibility.
 //   - POST /api/register — the WALLET onboarding. Unauthenticated (the invite
 //     token authorizes), it consumes a token and publishes the new user's PUBLIC
 //     identity to the bus allowlist.
 type server struct {
 	operatorGW  *gateway      // shared operator client (legacy passphrase login)
 	busTemplate gatewayConfig // bus connection config; Identity is overridden per user session
 	registrar   *registrar    // POST /api/register backend (mock + proxy)
 	unlock      string        // passphrase that unlocks an operator session (constant-time compare)
 	webDir      string        // optional path to the built SPA (web/dist); empty = API only
 	mux         *http.ServeMux
 	sessions    *sessionStore
 }
 func newServer(operatorGW *gateway, busTemplate gatewayConfig, registrar *registrar, unlock, webDir string) *server {
 	s := &server{
 		operatorGW:  operatorGW,
 		busTemplate: busTemplate,
 		registrar:   registrar,
 		unlock:      unlock,
 		webDir:      webDir,
 		mux:         http.NewServeMux(),
 		sessions:    newSessionStore(),
 	}
 	s.routes()
 	return s
 }
 func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) { s.mux.ServeHTTP(w, r) }
 func (s *server) routes() {
 	// Liveness, unauthenticated (systemd / deploy smoke).
 	s.mux.HandleFunc("GET /healthz", func(w http.ResponseWriter, _ *http.Request) {
 		writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
 	})
 	// Unauthenticated onboarding / auth routes.
 	s.mux.HandleFunc("POST /api/register", s.handleRegister) // invite token authorizes
 	s.mux.HandleFunc("POST /api/session", s.handleSession)   // wallet: per-user identity
 	s.mux.HandleFunc("POST /api/login", s.handleLogin)       // legacy operator passphrase
 	// Session-gated routes.
 	s.mux.HandleFunc("POST /api/logout", s.auth(s.handleLogout))
 	s.mux.HandleFunc("GET /api/me", s.auth(s.handleMe))
 	s.mux.HandleFunc("GET /api/rooms", s.auth(s.handleListRooms))
 	s.mux.HandleFunc("POST /api/rooms", s.auth(s.handleCreateRoom))
 	s.mux.HandleFunc("POST /api/rooms/{id}/join", s.auth(s.handleJoin))
 	s.mux.HandleFunc("POST /api/rooms/{id}/send", s.auth(s.handleSend))
 	s.mux.HandleFunc("GET /api/rooms/{id}/stream", s.auth(s.handleStream))
 	// Everything else is the SPA (when --web-dir is set). Registered last.
 	if s.webDir != "" {
 		s.mux.Handle("/", s.spaHandler())
 	}
 }
 // meResp is the identity view returned by /api/session, /api/login and /api/me:
 // the bus endpoint the session acts as, its signing public key, and the display
 // handle.
 type meResp struct {
 	Endpoint string `json:"endpoint"`
 	SignPub  string `json:"sign_pub"`
 	Handle   string `json:"handle"`
 }
 // ---- auth -----------------------------------------------------------------
 // auth wraps a handler so it runs only with a valid session cookie, resolving the
 // session (and thus the per-user gateway) it belongs to. A missing or unknown
 // token yields 401, which the SPA treats as "show the login screen".
 func (s *server) auth(next func(http.ResponseWriter, *http.Request, *session)) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		c, err := r.Cookie(sessionCookie)
 		if err != nil {
 			writeErr(w, http.StatusUnauthorized, "not authenticated")
 			return
 		}
 		sess, ok := s.sessions.get(c.Value)
 		if !ok {
 			writeErr(w, http.StatusUnauthorized, "not authenticated")
 			return
 		}
 		next(w, r, sess)
 	}
 }
 // handleLogin is the legacy operator passphrase login: it unlocks a session bound
 // to the shared operator gateway. The wallet path (POST /api/session) is
 // preferred; this remains for backward compatibility with the single-operator MVP.
 func (s *server) handleLogin(w http.ResponseWriter, r *http.Request) {
 	var req struct {
 		Passphrase string `json:"passphrase"`
 	}
 	if !decode(w, r, &req) {
 		return
 	}
 	// Constant-time compare so a wrong passphrase cannot be timed character by
 	// character. An empty configured passphrase never matches.
 	if s.unlock == "" || subtle.ConstantTimeCompare([]byte(req.Passphrase), []byte(s.unlock)) != 1 {
 		writeErr(w, http.StatusUnauthorized, "wrong passphrase")
 		return
 	}
 	tok := newToken()
 	handle := s.operatorGW.endpoint
 	if len(handle) > 8 {
 		handle = handle[:8]
 	}
 	s.sessions.put(tok, &session{gw: s.operatorGW, owned: false, handle: handle, issuedAt: time.Now()})
 	http.SetCookie(w, &http.Cookie{
 		Name:     sessionCookie,
 		Value:    tok,
 		Path:     "/",
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	})
 	writeJSON(w, http.StatusOK, meResp{Endpoint: s.operatorGW.endpoint, SignPub: hex.EncodeToString(s.operatorGW.id.SignPub), Handle: handle})
 }
 func (s *server) handleLogout(w http.ResponseWriter, r *http.Request, _ *session) {
 	if c, err := r.Cookie(sessionCookie); err == nil {
 		if sess, ok := s.sessions.drop(c.Value); ok && sess.owned && sess.gw != nil {
 			// Per-user session: tear down its bus client so the private key and the
 			// NATS connection do not outlive the session.
 			_ = sess.gw.Close()
 		}
 	}
 	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
 	writeJSON(w, http.StatusOK, map[string]string{"status": "logged_out"})
 }
 func (s *server) handleMe(w http.ResponseWriter, _ *http.Request, sess *session) {
 	writeJSON(w, http.StatusOK, meResp{
 		Endpoint: sess.gw.endpoint,
 		SignPub:  hex.EncodeToString(sess.gw.id.SignPub),
 		Handle:   sess.handle,
 	})
 }
 // ---- rooms ----------------------------------------------------------------
 func (s *server) handleListRooms(w http.ResponseWriter, _ *http.Request, sess *session) {
 	rooms, err := sess.gw.listRooms()
 	if err != nil {
 		writeErr(w, http.StatusBadGateway, err.Error())
 		return
 	}
 	writeJSON(w, http.StatusOK, rooms)
 }
 func (s *server) handleCreateRoom(w http.ResponseWriter, r *http.Request, sess *session) {
 	var req createRoomReq
 	if !decode(w, r, &req) {
 		return
 	}
 	rv, err := sess.gw.createRoom(req)
 	if err != nil {
 		writeErr(w, http.StatusBadGateway, err.Error())
 		return
 	}
 	writeJSON(w, http.StatusCreated, rv)
 }
 func (s *server) handleJoin(w http.ResponseWriter, r *http.Request, sess *session) {
 	if err := sess.gw.join(r.PathValue("id")); err != nil {
 		writeErr(w, http.StatusBadGateway, err.Error())
 		return
 	}
 	writeJSON(w, http.StatusOK, map[string]string{"status": "joined"})
 }
 func (s *server) handleSend(w http.ResponseWriter, r *http.Request, sess *session) {
 	var req sendReq
 	if !decode(w, r, &req) {
 		return
 	}
 	if strings.TrimSpace(req.Body) == "" {
 		writeErr(w, http.StatusBadRequest, "body required")
 		return
 	}
 	if err := sess.gw.send(r.PathValue("id"), req.Body); err != nil {
 		writeErr(w, http.StatusBadGateway, err.Error())
 		return
 	}
 	writeJSON(w, http.StatusOK, map[string]string{"status": "sent"})
 }
 // handleStream is the SSE endpoint: it joins the room, attaches to the session's
 // fan-out hub, and streams each decrypted message as a `data:` event. For a
 // persisted room the hub's underlying subscription delivers history first
 // (scrollback) and then live messages; for an ephemeral room only live messages
 // flow. The stream ends when the browser disconnects (ctx cancelled).
 func (s *server) handleStream(w http.ResponseWriter, r *http.Request, sess *session) {
 	flusher, ok := w.(http.Flusher)
 	if !ok {
 		writeErr(w, http.StatusInternalServerError, "streaming unsupported")
 		return
 	}
 	ch, cleanup, err := sess.gw.openStream(r.PathValue("id"))
 	if err != nil {
 		writeErr(w, http.StatusBadGateway, err.Error())
 		return
 	}
 	defer cleanup()
 	w.Header().Set("Content-Type", "text/event-stream")
 	w.Header().Set("Cache-Control", "no-cache")
 	w.Header().Set("Connection", "keep-alive")
 	w.Header().Set("X-Accel-Buffering", "no") // disable proxy buffering (nginx/caddy)
 	w.WriteHeader(http.StatusOK)
 	// An initial comment opens the stream immediately so the browser's
 	// EventSource fires `onopen` without waiting for the first message.
 	_, _ = w.Write([]byte(": connected\n\n"))
 	flusher.Flush()
 	ctx := r.Context()
 	ping := time.NewTicker(25 * time.Second)
 	defer ping.Stop()
 	for {
 		select {
 		case <-ctx.Done():
 			return
 		case <-ping.C:
 			// Comment line keeps idle proxies from closing the connection.
 			if _, err := w.Write([]byte(": ping\n\n")); err != nil {
 				return
 			}
 			flusher.Flush()
 		case m := <-ch:
 			b, err := json.Marshal(m)
 			if err != nil {
 				continue
 			}
 			if _, err := w.Write([]byte("data: " + string(b) + "\n\n")); err != nil {
 				return
 			}
 			flusher.Flush()
 		}
 	}
 }
 // ---- SPA serving (optional) -----------------------------------------------
 // spaHandler serves the built SPA from s.webDir. A request for an existing asset
 // is served directly; any other path (a client-side route) falls back to
 // index.html so the SPA router can take over. /api and /healthz are matched first.
 func (s *server) spaHandler() http.Handler {
 	root := http.Dir(s.webDir)
 	fileServer := http.FileServer(root)
 	index := filepath.Join(s.webDir, "index.html")
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		p := strings.TrimPrefix(r.URL.Path, "/")
 		if p == "" {
 			http.ServeFile(w, r, index)
 			return
 		}
 		if f, err := root.Open(p); err == nil {
 			_ = f.Close()
 			fileServer.ServeHTTP(w, r)
 			return
 		}
 		http.ServeFile(w, r, index) // unknown path -> SPA client-side routing
 	})
 }
 // ---- helpers --------------------------------------------------------------
 func newToken() string {
 	b := make([]byte, 32)
 	_, _ = rand.Read(b)
 	return hex.EncodeToString(b)
 }
 func writeJSON(w http.ResponseWriter, code int, v any) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(code)
 	_ = json.NewEncoder(w).Encode(v)
 }
 func writeErr(w http.ResponseWriter, code int, msg string) {
 	writeJSON(w, code, map[string]string{"error": msg})
 }
 // decode reads a JSON body into v, writing a 400 and returning false on failure.
 func decode(w http.ResponseWriter, r *http.Request, v any) bool {
 	defer r.Body.Close()
 	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(v); err != nil {
 		writeErr(w, http.StatusBadRequest, "bad json: "+err.Error())
 		return false
 	}
 	return true
 }
 // statFile reports whether path exists and is a regular file (used to validate
 // --web-dir at startup so a typo surfaces as a clear log line, not 404s later).
 func statFile(path string) bool {
 	fi, err := os.Stat(path)
 	return err == nil && !fi.IsDir()
 }
@@ -1,146 +0,0 @@
 package main
 import (
 	"encoding/hex"
 	"fmt"
 	"net/http"
 	"sync"
 	"time"
 	cs "fn-registry/functions/cybersecurity"
 )
 // session is one logged-in browser. In the wallet model each session carries the
 // user's OWN bus identity: the browser unlocks its locally-encrypted private key
 // and hands the full keypair to the gateway over TLS, and the gateway spins up a
 // dedicated bus client (a *gateway) that acts AS that user. The private key lives
 // only in this process's memory for the life of the session — it is never written
 // to disk and is dropped when the session ends.
 //
 // A session may instead point at the shared operator gateway (the legacy
 // passphrase login); `owned` distinguishes the two so logout only closes the bus
 // client it created.
 type session struct {
 	gw       *gateway
 	owned    bool // true => gw was built for this session and must be Closed on logout
 	handle   string
 	issuedAt time.Time
 }
 // sessionStore is the gateway's set of live browser sessions, keyed by the opaque
 // cookie token. It is independent of any single bus identity.
 type sessionStore struct {
 	mu sync.Mutex
 	m  map[string]*session
 }
 func newSessionStore() *sessionStore { return &sessionStore{m: map[string]*session{}} }
 func (st *sessionStore) put(token string, s *session) {
 	st.mu.Lock()
 	st.m[token] = s
 	st.mu.Unlock()
 }
 func (st *sessionStore) get(token string) (*session, bool) {
 	st.mu.Lock()
 	defer st.mu.Unlock()
 	s, ok := st.m[token]
 	return s, ok
 }
 // drop removes a session and returns it so the caller can close an owned gateway.
 func (st *sessionStore) drop(token string) (*session, bool) {
 	st.mu.Lock()
 	defer st.mu.Unlock()
 	s, ok := st.m[token]
 	if ok {
 		delete(st.m, token)
 	}
 	return s, ok
 }
 // closeAll closes every owned per-user gateway (used at shutdown). The shared
 // operator gateway is owned by main and closed separately.
 func (st *sessionStore) closeAll() {
 	st.mu.Lock()
 	defer st.mu.Unlock()
 	for tok, s := range st.m {
 		if s.owned && s.gw != nil {
 			_ = s.gw.Close()
 		}
 		delete(st.m, tok)
 	}
 }
 // identityFromHex builds a cs.Identity from the four hex halves the browser sends
 // on POST /api/session. It enforces the exact key sizes (sign_pub 32, sign_priv
 // 64, kex_pub 32, kex_priv 32) so a malformed body cannot produce a half-built
 // identity that fails opaquely deep in the bus client.
 func identityFromHex(signPub, signPriv, kexPub, kexPriv string) (cs.Identity, error) {
 	sp, err := hex.DecodeString(signPub)
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("sign_pub: %w", err)
 	}
 	spriv, err := hex.DecodeString(signPriv)
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("sign_priv: %w", err)
 	}
 	kp, err := hex.DecodeString(kexPub)
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("kex_pub: %w", err)
 	}
 	kpriv, err := hex.DecodeString(kexPriv)
 	if err != nil {
 		return cs.Identity{}, fmt.Errorf("kex_priv: %w", err)
 	}
 	if len(sp) != 32 || len(spriv) != 64 || len(kp) != 32 || len(kpriv) != 32 {
 		return cs.Identity{}, fmt.Errorf("wrong key sizes (sign_pub=%d sign_priv=%d kex_pub=%d kex_priv=%d; want 32/64/32/32)",
 			len(sp), len(spriv), len(kp), len(kpriv))
 	}
 	return cs.Identity{SignPub: sp, SignPriv: spriv, KexPub: kp, KexPriv: kpriv}, nil
 }
 // sessionReq is the POST /api/session body: the user's full wallet identity (hex)
 // plus a display handle. The private halves arrive only over TLS and are held in
 // memory for the session; they are never persisted server-side.
 type sessionReq struct {
 	Handle   string `json:"handle"`
 	SignPub  string `json:"sign_pub"`
 	SignPriv string `json:"sign_priv"`
 	KexPub   string `json:"kex_pub"`
 	KexPriv  string `json:"kex_priv"`
 }
 // handleSession opens a per-user session. It builds the user's bus identity from
 // the posted keypair, connects a dedicated bus client as that user, and issues a
 // session cookie bound to it. This is the wallet-model replacement for the
 // operator passphrase login.
 func (s *server) handleSession(w http.ResponseWriter, r *http.Request) {
 	var req sessionReq
 	if !decode(w, r, &req) {
 		return
 	}
 	id, err := identityFromHex(req.SignPub, req.SignPriv, req.KexPub, req.KexPriv)
 	if err != nil {
 		writeErr(w, http.StatusBadRequest, "bad identity: "+err.Error())
 		return
 	}
 	cfg := s.busTemplate
 	cfg.Identity = id
 	gw, err := newGateway(cfg)
 	if err != nil {
 		writeErr(w, http.StatusBadGateway, "connect bus as user: "+err.Error())
 		return
 	}
 	tok := newToken()
 	s.sessions.put(tok, &session{gw: gw, owned: true, handle: req.Handle, issuedAt: time.Now()})
 	http.SetCookie(w, &http.Cookie{
 		Name:     sessionCookie,
 		Value:    tok,
 		Path:     "/",
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	})
 	writeJSON(w, http.StatusOK, meResp{Endpoint: gw.endpoint, SignPub: req.SignPub, Handle: req.Handle})
 }
@@ -1,114 +0,0 @@
 package main
 import (
 	"encoding/json"
 	"net/http/httptest"
 	"strings"
 	"testing"
 )
 // fixed wallet vector derived in the browser from the mnemonic
 // "legal winner thank year wave sausage worth useful legal winner thank yellow"
 // using the unibus-sign-v1 / unibus-kex-v1 HKDF scheme. Used to assert the Go
 // side accepts the browser-derived key sizes.
 const (
 	fixSignPub  = "3d594317212e53a3685b305539f6789eb8c538579e350ca795278b180ebb53db"
 	fixSignPriv = "94485d66ac958e23546be2e3b7575a47e1264bdf082e09abb7ad02ab32fcd55e3d594317212e53a3685b305539f6789eb8c538579e350ca795278b180ebb53db"
 	fixKexPub   = "f3561ca116e4444b8880b8c0a35f2c9e85804d8628006facd84b1a6146208257"
 	fixKexPriv  = "f6ffdf15e5ee2af0494897ff43e61a06d632af425a0372cb53a7c3e0f84c2bb2"
 )
 func TestIdentityFromHex(t *testing.T) {
 	id, err := identityFromHex(fixSignPub, fixSignPriv, fixKexPub, fixKexPriv)
 	if err != nil {
 		t.Fatalf("identityFromHex valid vector: %v", err)
 	}
 	if len(id.SignPub) != 32 || len(id.SignPriv) != 64 || len(id.KexPub) != 32 || len(id.KexPriv) != 32 {
 		t.Fatalf("wrong sizes: %d/%d/%d/%d", len(id.SignPub), len(id.SignPriv), len(id.KexPub), len(id.KexPriv))
 	}
 	// Wrong sign_priv size (32 instead of 64) must be rejected.
 	if _, err := identityFromHex(fixSignPub, fixSignPub, fixKexPub, fixKexPriv); err == nil {
 		t.Fatalf("expected error for short sign_priv")
 	}
 	// Non-hex must be rejected.
 	if _, err := identityFromHex("zz", fixSignPriv, fixKexPub, fixKexPriv); err == nil {
 		t.Fatalf("expected error for non-hex sign_pub")
 	}
 }
 func TestValidHexKey(t *testing.T) {
 	if !validHexKey(fixSignPub) {
 		t.Fatalf("fixSignPub should be a valid 32-byte hex key")
 	}
 	if validHexKey("abcd") {
 		t.Fatalf("short key should be invalid")
 	}
 	if validHexKey(strings.Repeat("z", 64)) {
 		t.Fatalf("non-hex key should be invalid")
 	}
 }
 func TestNewRegistrarParsesMockTokens(t *testing.T) {
 	r := newRegistrar("", "demo=demo:member, bob=bob, alice=alice:admin")
 	if len(r.mockTokens) != 3 {
 		t.Fatalf("want 3 mock tokens, got %d", len(r.mockTokens))
 	}
 	if r.mockTokens["demo"].role != "member" || r.mockTokens["demo"].handle != "demo" {
 		t.Fatalf("demo token parsed wrong: %+v", r.mockTokens["demo"])
 	}
 	if r.mockTokens["bob"].role != "member" {
 		t.Fatalf("bob should default to role member, got %q", r.mockTokens["bob"].role)
 	}
 	if r.mockTokens["alice"].role != "admin" {
 		t.Fatalf("alice should be admin, got %q", r.mockTokens["alice"].role)
 	}
 }
 // post builds a server with only a registrar (the register path does not touch a
 // gateway) and runs one POST /api/register, returning status + decoded body.
 func postRegister(t *testing.T, s *server, body string) (int, map[string]string) {
 	t.Helper()
 	req := httptest.NewRequest("POST", "/api/register", strings.NewReader(body))
 	w := httptest.NewRecorder()
 	s.handleRegister(w, req)
 	var m map[string]string
 	_ = json.Unmarshal(w.Body.Bytes(), &m)
 	return w.Code, m
 }
 func TestHandleRegisterMockSingleUse(t *testing.T) {
 	s := &server{registrar: newRegistrar("", "demo=demo:member")}
 	// 1) valid token + valid keys => 201 with the invite's handle/role.
 	code, body := postRegister(t, s, `{"token":"demo","sign_pub":"`+fixSignPub+`","kex_pub":"`+fixKexPub+`"}`)
 	if code != 201 {
 		t.Fatalf("first register: want 201, got %d (%v)", code, body)
 	}
 	if body["handle"] != "demo" || body["role"] != "member" {
 		t.Fatalf("first register body: %v", body)
 	}
 	// 2) same token again => 409 (single-use consumed).
 	code, _ = postRegister(t, s, `{"token":"demo","sign_pub":"`+fixSignPub+`","kex_pub":"`+fixKexPub+`"}`)
 	if code != 409 {
 		t.Fatalf("reused token: want 409, got %d", code)
 	}
 }
 func TestHandleRegisterValidation(t *testing.T) {
 	s := &server{registrar: newRegistrar("", "demo=demo:member")}
 	// bad sign_pub (too short) => 400
 	if code, _ := postRegister(t, s, `{"token":"demo","sign_pub":"abcd","kex_pub":"`+fixKexPub+`"}`); code != 400 {
 		t.Fatalf("short sign_pub: want 400, got %d", code)
 	}
 	// missing token => 400
 	if code, _ := postRegister(t, s, `{"sign_pub":"`+fixSignPub+`","kex_pub":"`+fixKexPub+`"}`); code != 400 {
 		t.Fatalf("missing token: want 400, got %d", code)
 	}
 	// unknown token with no mock match and no register-url => 400
 	if code, _ := postRegister(t, s, `{"token":"nope","sign_pub":"`+fixSignPub+`","kex_pub":"`+fixKexPub+`"}`); code != 400 {
 		t.Fatalf("unknown token: want 400, got %d", code)
 	}
 }
@@ -0,0 +1,84 @@
 # Same-origin reverse proxy for the browser-native uniweb chat client.
 #
 # This is the self-contained fragment that exposes uniweb on magnus
 # (organic-machine.com). It is merged into magnus's /etc/caddy/Caddyfile, which
 # also hosts unrelated services; only this service's blocks are versioned here
 # (the other vhosts carry basic-auth secrets that do not belong in git). The live
 # file imports the shared (security_headers) snippet that is duplicated below so
 # this fragment validates on its own.
 #
 # One origin fronts the whole app so the SPA and the bus share an origin: no CORS,
 # and the unibus cluster node IPs stay hidden behind this proxy. Caddy obtains and
 # renews the Let's Encrypt certificate automatically (the *.organic-machine.com
 # wildcard A record points here).
 #
 #   /        -> the static SPA (uniweb web/dist) with a single-page-app fallback
 #   /api/*   -> the signed HTTPS control plane (membershipd :8470), prefix stripped
 #   /nats    -> the NATS-over-WebSocket data plane (:8485 magnus / :8480 peers)
 #
 # Upstreams speak TLS with the bus's own self-signed CA, so Caddy skips upstream
 # verification (the hop is still encrypted). The control plane signs requests over
 # the UNPREFIXED path, so /api MUST be stripped (handle_path) or signatures fail.
 #
 # The membershipd nodes must run with the same-origin host in --cors-origins (so
 # the NATS WebSocket Origin check accepts it) and with --trusted-proxies naming
 # this Caddy node (127.0.0.1,::1,135.125.201.30) so the per-IP rate limit keys on
 # the real client behind the proxy instead of collapsing to the proxy's one IP.
 (security_headers) {
 	header {
 		Strict-Transport-Security "max-age=31536000"
 		X-Content-Type-Options "nosniff"
 		X-Frame-Options "DENY"
 		Referrer-Policy "no-referrer"
 		-Server
 	}
 }
 chat-c200aa64c3125ce8b5f068e0.organic-machine.com {
 	import security_headers
 	# Control plane: strip /api so /api/rooms reaches membershipd as /rooms (the
 	# path the client signs). Prefer the local node; lb_try_duration retries the
 	# next node within the request on a dial error (safe: a refused connection sent
 	# no bytes, so even a POST cannot double-apply), and fail_duration plus the
 	# active /healthz check take a down node out of rotation.
 	handle_path /api/* {
 		reverse_proxy https://127.0.0.1:8470 https://141.94.69.66:8470 https://51.91.100.142:8470 {
 			transport http {
 				tls_insecure_skip_verify
 			}
 			lb_policy first
 			lb_try_duration 5s
 			lb_try_interval 250ms
 			fail_duration 10s
 			health_uri /healthz
 			health_interval 10s
 			health_timeout 5s
 		}
 	}
 	# Data plane: NATS over WebSocket. Strip /nats so the upgrade reaches the ws
 	# listener at its root. Caddy proxies the WebSocket upgrade natively. The ws
 	# listener speaks TLS on :8485 (magnus; :8480 is taken by unibus_admin there)
 	# and :8480 on the peers. Passive failover only (an HTTP health probe would be
 	# rejected by the NATS ws endpoint).
 	handle_path /nats* {
 		reverse_proxy https://127.0.0.1:8485 https://141.94.69.66:8480 https://51.91.100.142:8480 {
 			transport http {
 				tls_insecure_skip_verify
 			}
 			lb_policy first
 			lb_try_duration 5s
 			lb_try_interval 250ms
 			fail_duration 30s
 		}
 	}
 	# SPA: static files with a client-side-routing fallback to index.html.
 	handle {
 		root * /opt/uniweb/dist
 		try_files {path} /index.html
 		file_server
 	}
 }
@@ -283,3 +283,61 @@ ssh dd 'sudo systemctl start membershipd-cluster'   # rejoins, catches up
 the unit and start it without `--store kv`/`--cluster-name`; the KV buckets remain
 for a later retry. To rotate the cluster CA, re-run `generate-cluster-certs.sh
 --force` and re-stage (every node must get the new `cluster-ca.crt` together).
 ## NATS server metrics (loopback monitoring — optional)
 The embedded NATS server can expose its own monitoring HTTP endpoint so a local
 scraper reads server-level metrics that `/healthz` does not surface: msgs/s,
 connections, slow consumers, memory, KV bucket message counts, the RAFT leader per
 stream and per-stream restarts. This feeds the `unibus-nats` dashboard in
 `fleet_monitoring` (the scraper hits `127.0.0.1:8222/varz|/connz|/jsz` over
 loopback and pushes to VictoriaMetrics).
 The endpoint is opened by the **dedicated** environment toggle `UNIBUS_NATS_MONITOR=1`
 (0.11.0+ binary). It is **decoupled** from `UNIBUS_NATS_DEBUG`: it opens the
 monitoring endpoint WITHOUT enabling the verbose nats-server debug log, so no room
 subjects or routing metadata leak to journald (keeps the hardened posture, issue
 0007). The endpoint binds `127.0.0.1:8222` **only** — the binary hardcodes the
 loopback bind, so it is never reachable from the network and needs no auth. Never
 use `UNIBUS_NATS_DEBUG` in production just to get the endpoint.
 ### Enable it (HUMAN — requires the 0.11.0+ binary on the node)
 The clean way is the additive systemd drop-in in this directory:
 ```bash
 # On each node, AFTER the 0.11.0+ binary is in /opt/unibus/membershipd:
 ssh <node> 'sudo mkdir -p /etc/systemd/system/membershipd-cluster.service.d'
 scp membershipd-cluster.service.d/nats-monitor.conf <node>:/tmp/nats-monitor.conf
 ssh <node> 'sudo cp /tmp/nats-monitor.conf /etc/systemd/system/membershipd-cluster.service.d/ \
  && sudo systemctl daemon-reload && sudo systemctl restart membershipd-cluster'
 ```
 (Equivalently, add `UNIBUS_NATS_MONITOR=1` to `/opt/unibus/cluster.env`, which the
 unit already sources via `EnvironmentFile`; the drop-in is preferred because it is
 self-documenting and does not edit the generated env file.)
 ### Rolling restart with the R3 reconvergence gate (CRITICAL)
 `systemctl restart membershipd-cluster` restarts that node's JetStream RAFT member.
 **Never restart two nodes at once** — that would drop the cluster below quorum
 (2/3) and fail the control plane closed. Roll **one node at a time**, in the order
 `magnus → homer → datardos`, and between each node wait until the cluster has
 reconverged to R3 (every control-plane bucket back to `followers_current=2/2`):
 ```bash
 # After restarting ONE node, gate on R3 reconvergence before touching the next:
 ssh root@magnus 'for s in KV_UNIBUS_users KV_UNIBUS_rooms KV_UNIBUS_members \
  KV_UNIBUS_room_keys KV_UNIBUS_rooms_by_member KV_UNIBUS_nonces; do
    nats --server nats://127.0.0.1:4250 stream info "$s" -j \
      | jq -r --arg s "$s" \"\\($s): replicas=\\(.cluster.replicas|length) leader=\\(.cluster.leader)\"
  done'
 # Proceed to the next node ONLY when all six show 3 replicas with a leader
 # (i.e. 2/2 followers current). Also confirm healthz is green on the just-restarted
 # node first:
 ssh <node> 'curl -fsS https://127.0.0.1:8470/healthz --cacert /opt/unibus/tls/ca.crt'
 ```
 This restart is normally **not** done as a standalone step: the 0.11.0 binary that
 carries the flag is rolled to the three nodes in the consolidated rollout, and the
 drop-in is installed during that same rolling restart.
@@ -69,6 +69,12 @@ routes_for() {
 echo "==> [2/3] stage each node (REMOTE_DIR=$REMOTE_DIR)"
 for row in "${CLUSTER_NODES[@]}"; do
  read -r name ssh _pub _wg <<<"$row"
  # Rolling deploy: DEPLOY_ONLY=<name> stages just that node, so a new binary can be
  # rolled out one node at a time (the other nodes keep the cluster quorum). Empty =
  # stage every node (the original behavior).
  if [[ -n "${DEPLOY_ONLY:-}" && "$name" != "$DEPLOY_ONLY" ]]; then
    continue
  fi
  target="${SSH_USER}@${ssh}"
  nodedir="out/${name}"
  if [[ ! -d "$nodedir" ]]; then
@@ -79,6 +85,13 @@ for row in "${CLUSTER_NODES[@]}"; do
  echo "-- node ${name} (ssh ${ssh}) routes=${routes}"
  # Resolve this node's WebSocket port. magnus runs unibus_admin on 127.0.0.1:8480,
  # so the bus WS cannot bind 0.0.0.0:8480 there (it crash-loops). A per-node
  # override (WS_PORT_<NAME> in nodes.env) lets magnus use a free port while the
  # rest share the default — keeping the deploy reproducible (issue uniweb/0001).
  node_ws_var="WS_PORT_${name^^}"
  node_ws="${!node_ws_var:-$WS_PORT}"
  # Generate this node's cluster.env locally, then ship it.
  envfile="build/cluster-${name}.env"
  mkdir -p build
@@ -90,6 +103,8 @@ KV_REPLICAS=${KV_REPLICAS}
 HTTP_PORT=${HTTP_PORT}
 NATS_CLIENT_PORT=${NATS_CLIENT_PORT}
 NATS_ROUTE_PORT=${NATS_ROUTE_PORT}
 WS_PORT=${node_ws}
 CORS_ORIGINS=${CORS_ORIGINS}
 ROUTES=${routes}
 CLUSTER_PASS_FILE=${REMOTE_DIR}/secrets/cluster.pass
 TLS_CERT=${REMOTE_DIR}/tls/server-${name}.crt
@@ -35,7 +35,9 @@ ExecStart=/opt/unibus/membershipd \
  --route-tls-ca ${ROUTE_TLS_CA} \
  --internal-id-file ${INTERNAL_ID_FILE} \
  --store kv \
-  --kv-replicas ${KV_REPLICAS}
+  --kv-replicas ${KV_REPLICAS} \
  --ws-port ${WS_PORT} \
  --cors-origins ${CORS_ORIGINS}
 # Restart=always (NOT on-failure): a clean SIGTERM exits success, and on-failure
 # would then NOT restart, leaving the node silently dead (see function_tags.md).
 Restart=always
@@ -0,0 +1,27 @@
 # Drop-in: enable the embedded NATS server monitoring HTTP endpoint so a local
 # metrics scraper can read /varz, /connz and /jsz for server-level metrics
 # (msgs/s, connections, KV bucket msgs, RAFT leader per stream, restarts).
 #
 # ADDITIVE and minimal: it only sets one environment variable; the base unit
 # (membershipd-cluster.service) is otherwise unchanged.
 #
 # UNIBUS_NATS_MONITOR is DECOUPLED from UNIBUS_NATS_DEBUG: it opens the monitoring
 # endpoint WITHOUT enabling the verbose nats-server debug log, so no room subjects
 # or routing metadata are written to journald (keeps the hardened posture, issue
 # 0007). Do NOT use UNIBUS_NATS_DEBUG in production just to get the endpoint.
 #
 # The endpoint binds 127.0.0.1:8222 ONLY — the binary hardcodes the loopback bind,
 # so it is never reachable from the network and needs no auth. The scraper runs on
 # the same host and reads it over loopback.
 #
 # Requires the 0.11.0+ membershipd binary (the one that honors UNIBUS_NATS_MONITOR).
 # Install on a node:
 #   sudo mkdir -p /etc/systemd/system/membershipd-cluster.service.d
 #   sudo cp nats-monitor.conf /etc/systemd/system/membershipd-cluster.service.d/
 #   sudo systemctl daemon-reload && sudo systemctl restart membershipd-cluster
 #
 # Restarting a node restarts its JetStream RAFT member, so roll ONE node at a time
 # and wait for R3 reconvergence (followers 2/2) before touching the next. See the
 # "NATS server metrics" section of this directory's README for the full runbook.
 [Service]
 Environment=UNIBUS_NATS_MONITOR=1
@@ -23,6 +23,19 @@ NATS_CLIENT_PORT=4250
 NATS_ROUTE_PORT=6250
 HTTP_PORT=8470
 # Browser data-plane: WebSocket listener so the browser-native uniweb client
 # (nats.ws) reaches NATS, and the CORS allowlist for its calls to the control
 # plane. WS reuses the data-plane TLS, so it serves wss:// (the cluster runs with
 # TLS). CORS_ORIGINS is a comma-separated list of allowed browser origins (no
 # spaces). Issue uniweb/0001. The node's firewall must allow WS_PORT.
 WS_PORT=8480
 # Per-node WS port override (WS_PORT_<NAME>). magnus runs unibus_admin on
 # 127.0.0.1:8480, so the bus WebSocket cannot bind 0.0.0.0:8480 there — it would
 # crash-loop. magnus therefore serves the browser WS on 8485; homer and datardos
 # keep 8480 (no admin panel). Verified during the 2026-06-13 rollout.
 WS_PORT_MAGNUS=8485
 CORS_ORIGINS="http://localhost:5173"
 # Remote install layout and SSH login user.
 REMOTE_DIR="/opt/unibus"
 SSH_USER="root"
@@ -75,6 +75,22 @@ func LoadOrCreateIdentity(path string) (cs.Identity, error) {
 	return id, nil
 }
 // WriteNewIdentity writes id to path in the canonical identity-file format read
 // by LoadIdentity, but REFUSES to overwrite an existing file: provisioning a new
 // identity must never silently clobber another process's private keys. The file
 // is created 0600 (it holds private keys). It is the write half of one-command
 // bot provisioning (`membershipd bot add --out <path>`): the freshly minted
 // identity it writes is exactly what LoadIdentity reconstructs, so a bot binary
 // (worker/clientcheck) consumes the credentials with no extra conversion step.
 func WriteNewIdentity(path string, id cs.Identity) error {
 	if _, err := os.Stat(path); err == nil {
 		return fmt.Errorf("client: identity file %q already exists; refusing to overwrite", path)
 	} else if !os.IsNotExist(err) {
 		return fmt.Errorf("client: stat identity %q: %w", path, err)
 	}
 	return saveIdentity(path, id)
 }
 func saveIdentity(path string, id cs.Identity) error {
 	if dir := filepath.Dir(path); dir != "" {
 		if err := os.MkdirAll(dir, 0o755); err != nil {
@@ -79,6 +79,42 @@ type ServerConfig struct {
 	// availability (issue 0003a). Nil keeps the server standalone (the legacy
 	// single-node behavior).
 	Cluster *ClusterConfig
 	// Websocket, when non-nil, opens an ADDITIONAL WebSocket listener on the
 	// embedded nats-server so browser clients (nats.ws) can reach the data plane
 	// directly, the same way native TCP peers (Go, Kotlin) do (issue uniweb/0001).
 	// Native TCP clients are unaffected: the WebSocket listener is a separate port
 	// layered on top of the existing TCP listener, and the client authenticator
 	// (Auth) applies to both. Nil keeps the server TCP-only (legacy behavior).
 	Websocket *WebsocketConfig
 }
 // WebsocketConfig configures the embedded nats-server's WebSocket listener so a
 // browser can speak the NATS protocol over ws://. A browser cannot open a raw TCP
 // socket, so this is the only way the SPA reaches the data plane without a Go
 // gateway in between.
 //
 // Security: off loopback a browser requires wss:// (TLS) — set TLS with a
 // certificate the browser trusts. NoTLS plain ws:// is acceptable only for a
 // loopback dev stack. The WebSocket upgrade also enforces an Origin allowlist
 // (browser same-origin policy); AllowedOrigins must list the SPA's origins or the
 // browser handshake is refused.
 type WebsocketConfig struct {
 	// Host is the bind interface for the WebSocket listener; "" lets nats-server
 	// pick its default. Use "127.0.0.1" to keep it loopback-only in dev.
 	Host string
 	// Port is the WebSocket listen port (e.g. 8480). Required (non-zero) for the
 	// listener to open.
 	Port int
 	// NoTLS serves plain ws:// instead of wss://. Loopback/dev only: browsers refuse
 	// ws:// to a non-loopback origin. Ignored when TLS is set (TLS implies wss://).
 	NoTLS bool
 	// TLS, when set, serves wss:// with this certificate. Required for any browser
 	// origin that is not loopback.
 	TLS *tls.Config
 	// AllowedOrigins is the allowlist of browser Origin headers permitted to upgrade
 	// the WebSocket. Empty = same-origin only (nats-server SameOrigin). Never use a
 	// wildcard in production; list the exact SPA origins.
 	AllowedOrigins []string
 }
 // Start is a thin backward-compatible wrapper: embedded JetStream server on the
@@ -103,17 +139,38 @@ func StartHostAuth(storeDir, host string, port int, auth server.Authentication)
 	return StartServer(ServerConfig{StoreDir: storeDir, Host: host, Port: port, Auth: auth})
 }
 // natsLogOpts maps the two independent environment toggles to the embedded
 // nats-server logging and monitoring flags. It is a pure function (no I/O) so the
 // decoupling between the two toggles can be unit-tested directly.
 //
 //   - UNIBUS_NATS_DEBUG="1" enables the nats-server logger (route/RAFT/JetStream
 //     errors); "2" additionally enables protocol tracing. Off by default so the
 //     server stays silent (NoLog) and production behavior is unchanged.
 //   - UNIBUS_NATS_MONITOR="1" opens the monitoring HTTP endpoint (loopback only)
 //     for a local metrics scraper to read /varz, /connz and /jsz.
 //
 // The two are DECOUPLED on purpose: enabling the monitoring endpoint must NOT turn
 // on the verbose debug log, which would write room subjects and routing metadata
 // to journald in clear and regress the hardened posture (issue 0007). The reverse
 // coupling is kept for backward compatibility: debug mode still exposes the
 // monitoring endpoint as well (debug implies monitor), so existing debugging
 // workflows are unchanged.
 func natsLogOpts(debugEnv, monitorEnv string) (noLog, debug, trace, monitor bool) {
 	debug = debugEnv == "1" || debugEnv == "2"
 	trace = debugEnv == "2"
 	monitor = monitorEnv == "1" || debug
 	noLog = !debug
 	return noLog, debug, trace, monitor
 }
 // StartServer launches an embedded nats-server with JetStream from cfg. It
 // blocks until the server is ready to accept connections (up to 5s) and returns
 // the running server; the caller must Shutdown it.
 func StartServer(cfg ServerConfig) (*server.Server, error) {
-	// Diagnostic toggle: UNIBUS_NATS_DEBUG=1 enables the embedded nats-server's own
+	// Map the two independent env toggles to the nats-server logging + monitoring
-	// logger (route/RAFT/JetStream errors), which is otherwise silenced. Off by
+	// flags. See natsLogOpts for the decoupling rationale (issue 0007).
-	// default so production behavior is unchanged; only set it when debugging the
+	noLog, debugNATS, traceNATS, monitorNATS := natsLogOpts(
-	// cluster route layer.
+		os.Getenv("UNIBUS_NATS_DEBUG"), os.Getenv("UNIBUS_NATS_MONITOR"))
 	debugLevel := os.Getenv("UNIBUS_NATS_DEBUG")
 	debugNATS := debugLevel == "1" || debugLevel == "2"
 	traceNATS := debugLevel == "2"
 	opts := &server.Options{
 		JetStream:  true,
 		StoreDir:   cfg.StoreDir,
@@ -122,15 +179,17 @@ func StartServer(cfg ServerConfig) (*server.Server, error) {
 		ServerName: cfg.ServerName,
 		DontListen: false,
 		// Keep the embedded server quiet by default; the host app logs the URLs.
-		NoLog:   !debugNATS,
+		NoLog:   noLog,
 		Debug:   debugNATS,
 		Trace:   traceNATS,
 		Logtime: true,
 		NoSigs:  true,
 	}
-	if debugNATS {
+	if monitorNATS {
-		// Expose the nats-server monitoring endpoint (loopback) so the operator can
+		// Expose the nats-server monitoring endpoint on LOOPBACK ONLY (never public):
-		// inspect /jsz, /routez, /varz while debugging the cluster meta-group.
+		// the operator (or a local metrics scraper) inspects /varz, /connz, /jsz,
 		// /routez. The 127.0.0.1 bind is mandatory because this endpoint has no auth;
 		// it must stay unreachable from the network.
 		opts.HTTPHost = "127.0.0.1"
 		opts.HTTPPort = 8222
 	}
@@ -147,6 +206,29 @@ func StartServer(cfg ServerConfig) (*server.Server, error) {
 		opts.TLS = true
 	}
 	if cfg.Websocket != nil {
 		// Layer a WebSocket listener on top of the TCP data plane so browser
 		// clients (nats.ws) can connect. The client authenticator (opts.*Auth above)
 		// applies to WebSocket connections too, so a browser still has to pass the
 		// nkey + allowlist check; this only adds a transport, not a trust bypass.
 		ws := server.WebsocketOpts{
 			Host:           cfg.Websocket.Host,
 			Port:           cfg.Websocket.Port,
 			AllowedOrigins: cfg.Websocket.AllowedOrigins,
 		}
 		if cfg.Websocket.TLS != nil {
 			ws.TLSConfig = cfg.Websocket.TLS
 		} else {
 			// No certificate: plain ws:// (loopback/dev only). Browsers refuse this
 			// off-loopback, which is the intended guard rail.
 			ws.NoTLS = true
 		}
 		// Empty AllowedOrigins means "same-origin only": tell nats-server to enforce
 		// it rather than defaulting to accept-any-origin.
 		ws.SameOrigin = len(cfg.Websocket.AllowedOrigins) == 0
 		opts.Websocket = ws
 	}
 	if cfg.Cluster != nil {
 		if err := applyClusterOpts(opts, cfg.Cluster); err != nil {
 			return nil, err
@@ -0,0 +1,134 @@
 package embeddednats
 import (
 	"io"
 	"net"
 	"net/http"
 	"testing"
 	"time"
 )
 // TestNatsLogOptsDecoupled is the core regression guard for issue 0007: turning
 // on the monitoring endpoint must NEVER turn on the verbose nats-server debug log
 // (which would leak room subjects/routing metadata to journald). It also checks
 // the backward-compatible coupling (debug still implies monitoring) and the quiet
 // default.
 func TestNatsLogOptsDecoupled(t *testing.T) {
 	cases := []struct {
 		name                         string
 		debugEnv, monitorEnv         string
 		noLog, debug, trace, monitor bool
 	}{
 		{"default off — quiet, no monitor", "", "", true, false, false, false},
 		{"monitor only — endpoint on, log stays quiet", "", "1", true, false, false, true},
 		{"debug implies monitor", "1", "", false, true, false, true},
 		{"trace implies debug+monitor", "2", "", false, true, true, true},
 		{"both set", "1", "1", false, true, false, true},
 		{"monitor garbage value ignored", "", "yes", true, false, false, false},
 		{"debug garbage value ignored", "true", "", true, false, false, false},
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
 			noLog, debug, trace, monitor := natsLogOpts(c.debugEnv, c.monitorEnv)
 			if noLog != c.noLog || debug != c.debug || trace != c.trace || monitor != c.monitor {
 				t.Fatalf("natsLogOpts(%q,%q) = (noLog=%v debug=%v trace=%v monitor=%v), want (noLog=%v debug=%v trace=%v monitor=%v)",
 					c.debugEnv, c.monitorEnv, noLog, debug, trace, monitor,
 					c.noLog, c.debug, c.trace, c.monitor)
 			}
 		})
 	}
 	// Explicit golden assertion of the security property: monitor on, log off.
 	noLog, debug, _, monitor := natsLogOpts("", "1")
 	if !monitor {
 		t.Fatal("UNIBUS_NATS_MONITOR=1 must open the monitoring endpoint")
 	}
 	if debug || !noLog {
 		t.Fatalf("UNIBUS_NATS_MONITOR=1 must NOT enable the debug log (got debug=%v noLog=%v)", debug, noLog)
 	}
 }
 // TestMonitorEndpointLoopback boots a real embedded server with
 // UNIBUS_NATS_MONITOR=1 (and DEBUG explicitly off) and proves the monitoring HTTP
 // endpoint answers on loopback only — the exact contract the metrics scraper
 // relies on. The pure decoupling check above already guarantees the log stays out
 // of debug mode for this same env combination.
 func TestMonitorEndpointLoopback(t *testing.T) {
 	t.Setenv("UNIBUS_NATS_DEBUG", "")
 	t.Setenv("UNIBUS_NATS_MONITOR", "1")
 	ns, err := StartServer(ServerConfig{
 		StoreDir: t.TempDir(),
 		Host:     "127.0.0.1",
 		Port:     freeLoopbackPort(t),
 	})
 	if err != nil {
 		t.Fatalf("start server with monitoring: %v", err)
 	}
 	defer func() { ns.Shutdown(); ns.WaitForShutdown() }()
 	addr := ns.MonitorAddr()
 	if addr == nil {
 		t.Fatal("monitoring endpoint not open with UNIBUS_NATS_MONITOR=1 (MonitorAddr is nil)")
 	}
 	if !addr.IP.IsLoopback() {
 		t.Fatalf("monitoring endpoint bound to %s, must be loopback only", addr.IP)
 	}
 	if addr.Port != 8222 {
 		t.Fatalf("monitoring endpoint on port %d, want the fixed loopback port 8222", addr.Port)
 	}
 	// /varz must answer 200 with a non-empty body on loopback.
 	url := "http://" + addr.String() + "/varz"
 	var resp *http.Response
 	deadline := time.Now().Add(3 * time.Second)
 	for time.Now().Before(deadline) {
 		resp, err = http.Get(url) //nolint:gosec // loopback monitoring endpoint, no auth by design
 		if err == nil {
 			break
 		}
 		time.Sleep(50 * time.Millisecond)
 	}
 	if err != nil {
 		t.Fatalf("GET %s: %v", url, err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		t.Fatalf("GET %s -> %d, want 200", url, resp.StatusCode)
 	}
 	body, _ := io.ReadAll(resp.Body)
 	if len(body) == 0 {
 		t.Fatalf("GET %s returned an empty body", url)
 	}
 }
 // TestMonitorDisabledByDefault proves a server started without either toggle does
 // NOT open the monitoring endpoint, so production stays closed unless opted in.
 func TestMonitorDisabledByDefault(t *testing.T) {
 	t.Setenv("UNIBUS_NATS_DEBUG", "")
 	t.Setenv("UNIBUS_NATS_MONITOR", "")
 	ns, err := StartServer(ServerConfig{
 		StoreDir: t.TempDir(),
 		Host:     "127.0.0.1",
 		Port:     freeLoopbackPort(t),
 	})
 	if err != nil {
 		t.Fatalf("start server: %v", err)
 	}
 	defer func() { ns.Shutdown(); ns.WaitForShutdown() }()
 	if addr := ns.MonitorAddr(); addr != nil {
 		t.Fatalf("monitoring endpoint open (%s) without UNIBUS_NATS_MONITOR — must stay closed by default", addr)
 	}
 }
 func freeLoopbackPort(t *testing.T) int {
 	t.Helper()
 	l, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		t.Fatalf("free port: %v", err)
 	}
 	defer l.Close()
 	return l.Addr().(*net.TCPAddr).Port
 }
@@ -0,0 +1,108 @@
 package embeddednats_test
 import (
 	"fmt"
 	"net"
 	"net/http"
 	"strings"
 	"testing"
 	"time"
 	"github.com/enmanuel/unibus/pkg/embeddednats"
 )
 // wsFreePort returns an OS-assigned free TCP port on loopback. Kept local to this
 // file so the WebSocket tests do not depend on the cluster test helpers.
 func wsFreePort(t *testing.T) int {
 	t.Helper()
 	l, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		t.Fatalf("reserve free port: %v", err)
 	}
 	defer l.Close()
 	return l.Addr().(*net.TCPAddr).Port
 }
 // TestWebsocketListenerOpens verifies that when a ServerConfig carries a
 // WebsocketConfig the embedded nats-server opens the additional WebSocket port and
 // accepts a connection there, while the regular TCP client port keeps working. A
 // browser cannot speak raw TCP, so this WebSocket listener is the only path the SPA
 // has to the data plane (issue uniweb/0001).
 func TestWebsocketListenerOpens(t *testing.T) {
 	clientPort := wsFreePort(t)
 	wsPort := wsFreePort(t)
 	ns, err := embeddednats.StartServer(embeddednats.ServerConfig{
 		StoreDir: t.TempDir(),
 		Host:     "127.0.0.1",
 		Port:     clientPort,
 		Websocket: &embeddednats.WebsocketConfig{
 			Host:  "127.0.0.1",
 			Port:  wsPort,
 			NoTLS: true, // loopback dev: plain ws://
 		},
 	})
 	if err != nil {
 		t.Fatalf("StartServer with websocket: %v", err)
 	}
 	t.Cleanup(func() { ns.Shutdown(); ns.WaitForShutdown() })
 	// The WebSocket listener must accept a TCP connection on its dedicated port.
 	addr := fmt.Sprintf("127.0.0.1:%d", wsPort)
 	conn, err := net.DialTimeout("tcp", addr, 2*time.Second)
 	if err != nil {
 		t.Fatalf("websocket port %d not accepting connections: %v", wsPort, err)
 	}
 	conn.Close()
 	// And it must speak the WebSocket upgrade handshake: a GET with the upgrade
 	// headers should get a 101 Switching Protocols (nats-server's ws endpoint),
 	// proving it is a real WebSocket listener, not just an open socket.
 	req, err := http.NewRequest(http.MethodGet, "http://"+addr+"/", nil)
 	if err != nil {
 		t.Fatalf("build upgrade request: %v", err)
 	}
 	req.Header.Set("Upgrade", "websocket")
 	req.Header.Set("Connection", "Upgrade")
 	req.Header.Set("Sec-WebSocket-Version", "13")
 	req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
 	client := &http.Client{Timeout: 2 * time.Second}
 	resp, err := client.Do(req)
 	if err != nil {
 		t.Fatalf("websocket upgrade request: %v", err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusSwitchingProtocols {
 		t.Fatalf("websocket upgrade: got status %d, want 101 Switching Protocols", resp.StatusCode)
 	}
 }
 // TestNoWebsocketByDefault verifies the listener stays TCP-only when WebsocketConfig
 // is nil: opening the browser transport must be an explicit opt-in so existing
 // single-node and cluster deployments are unchanged.
 func TestNoWebsocketByDefault(t *testing.T) {
 	clientPort := wsFreePort(t)
 	// Reserve a port, then free it, so we can assert nothing is listening there.
 	maybeWSPort := wsFreePort(t)
 	ns, err := embeddednats.StartServer(embeddednats.ServerConfig{
 		StoreDir: t.TempDir(),
 		Host:     "127.0.0.1",
 		Port:     clientPort,
 		// Websocket intentionally nil.
 	})
 	if err != nil {
 		t.Fatalf("StartServer: %v", err)
 	}
 	t.Cleanup(func() { ns.Shutdown(); ns.WaitForShutdown() })
 	conn, err := net.DialTimeout("tcp", fmt.Sprintf("127.0.0.1:%d", maybeWSPort), 300*time.Millisecond)
 	if err == nil {
 		conn.Close()
 		t.Fatalf("a listener is unexpectedly open on %d with no WebsocketConfig", maybeWSPort)
 	}
 	if !strings.Contains(err.Error(), "refused") && !strings.Contains(err.Error(), "timeout") {
 		t.Logf("dial error (acceptable, port closed): %v", err)
 	}
 }
@@ -0,0 +1,157 @@
 package membership_test
 import (
 	"net/http"
 	"net/http/httptest"
 	"path/filepath"
 	"strings"
 	"testing"
 	"github.com/enmanuel/unibus/pkg/blobstore"
 	"github.com/enmanuel/unibus/pkg/membership"
 )
 // newCORSServer builds a control-plane server with the given CORS allowlist over a
 // throwaway store, and returns a live httptest server. /healthz is auth-exempt, so
 // the CORS tests can exercise the cross-origin pipeline without signing requests.
 func newCORSServer(t *testing.T, origins ...string) *httptest.Server {
 	t.Helper()
 	dir := t.TempDir()
 	store, err := membership.Open(filepath.Join(dir, "unibus.db"))
 	if err != nil {
 		t.Fatalf("store: %v", err)
 	}
 	t.Cleanup(func() { store.Close() })
 	blobs, _ := blobstore.New(filepath.Join(dir, "blobs"))
 	srv := membership.NewServer(store, blobs, membership.AuthOff)
 	srv.AllowedOrigins = origins
 	ts := httptest.NewServer(srv)
 	t.Cleanup(ts.Close)
 	return ts
 }
 // TestCORSPreflightAllowedOrigin: a preflight (OPTIONS) from an allow-listed origin
 // is answered 204 with the Access-Control headers, and never reaches auth. This is
 // what lets the browser-native uniweb client call the control plane (issue
 // uniweb/0001).
 func TestCORSPreflightAllowedOrigin(t *testing.T) {
 	const origin = "http://localhost:5173"
 	ts := newCORSServer(t, origin)
 	req, _ := http.NewRequest(http.MethodOptions, ts.URL+"/rooms", nil)
 	req.Header.Set("Origin", origin)
 	req.Header.Set("Access-Control-Request-Method", "POST")
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("preflight: %v", err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusNoContent {
 		t.Fatalf("preflight status = %d, want 204", resp.StatusCode)
 	}
 	if got := resp.Header.Get("Access-Control-Allow-Origin"); got != origin {
 		t.Fatalf("Allow-Origin = %q, want %q", got, origin)
 	}
 	if got := resp.Header.Get("Access-Control-Allow-Methods"); got == "" {
 		t.Fatalf("Allow-Methods missing on preflight")
 	}
 	// The control-plane request-auth headers a browser signs every request with must
 	// be allow-listed, or the browser's preflight blocks the real request (the bug a
 	// live browser surfaced: listRooms failed with "Failed to fetch").
 	if got := resp.Header.Get("Access-Control-Allow-Headers"); !strings.Contains(got, "X-Unibus-Sig") {
 		t.Fatalf("Allow-Headers must include the X-Unibus-* auth headers, got %q", got)
 	}
 }
 // TestCORSPreflightDisallowedOrigin: a preflight from an origin NOT in the allowlist
 // gets 403 and no Access-Control headers, so the browser blocks the real request.
 func TestCORSPreflightDisallowedOrigin(t *testing.T) {
 	ts := newCORSServer(t, "http://localhost:5173")
 	req, _ := http.NewRequest(http.MethodOptions, ts.URL+"/rooms", nil)
 	req.Header.Set("Origin", "https://evil.example.com")
 	req.Header.Set("Access-Control-Request-Method", "POST")
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("preflight: %v", err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusForbidden {
 		t.Fatalf("disallowed preflight status = %d, want 403", resp.StatusCode)
 	}
 	if got := resp.Header.Get("Access-Control-Allow-Origin"); got != "" {
 		t.Fatalf("Allow-Origin leaked for disallowed origin: %q", got)
 	}
 }
 // TestCORSActualRequestCarriesHeader: a real GET from an allow-listed origin is
 // served normally AND carries the Allow-Origin header so the browser accepts the
 // response.
 func TestCORSActualRequestCarriesHeader(t *testing.T) {
 	const origin = "http://localhost:5173"
 	ts := newCORSServer(t, origin)
 	req, _ := http.NewRequest(http.MethodGet, ts.URL+"/healthz", nil)
 	req.Header.Set("Origin", origin)
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("get: %v", err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		t.Fatalf("healthz status = %d, want 200", resp.StatusCode)
 	}
 	if got := resp.Header.Get("Access-Control-Allow-Origin"); got != origin {
 		t.Fatalf("Allow-Origin = %q, want %q", got, origin)
 	}
 }
 // TestCORSDisabledByDefault: with an empty allowlist no Access-Control header is
 // ever emitted (CORS off) and requests behave exactly as before. This guards the
 // opt-in invariant: untouched deployments are unaffected.
 func TestCORSDisabledByDefault(t *testing.T) {
 	ts := newCORSServer(t) // no origins
 	req, _ := http.NewRequest(http.MethodGet, ts.URL+"/healthz", nil)
 	req.Header.Set("Origin", "http://localhost:5173")
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("get: %v", err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		t.Fatalf("healthz status = %d, want 200", resp.StatusCode)
 	}
 	if got := resp.Header.Get("Access-Control-Allow-Origin"); got != "" {
 		t.Fatalf("Allow-Origin emitted with CORS off: %q", got)
 	}
 }
 // TestCORSNativeClientUnaffected: a request with no Origin header (a native Go/Kotlin
 // client) is processed normally and gets no CORS headers, even when an allowlist is
 // configured.
 func TestCORSNativeClientUnaffected(t *testing.T) {
 	ts := newCORSServer(t, "http://localhost:5173")
 	resp, err := http.Get(ts.URL + "/healthz") // no Origin header
 	if err != nil {
 		t.Fatalf("get: %v", err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		t.Fatalf("healthz status = %d, want 200", resp.StatusCode)
 	}
 	if got := resp.Header.Get("Access-Control-Allow-Origin"); got != "" {
 		t.Fatalf("Allow-Origin set for a no-Origin native client: %q", got)
 	}
 }
@@ -0,0 +1,155 @@
 package membership
 import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"net/http"
 	"testing"
 	cs "fn-registry/functions/cybersecurity"
 	"github.com/enmanuel/unibus/pkg/frame"
 )
 // directory signs a GET /directory as id and decodes the response envelope. The
 // path has no /api prefix: Caddy strips /api before forwarding to membershipd, so
 // the route is registered (and hit here) as /directory, matching production.
 func directory(t *testing.T, h *authHarness, id cs.Identity, n int) (int, directoryResp) {
 	t.Helper()
 	code, body := signedJSON(t, h, "GET", "/directory", nil, id, n)
 	var resp directoryResp
 	if code == http.StatusOK {
 		if err := json.Unmarshal([]byte(body), &resp); err != nil {
 			t.Fatalf("decode directory: %v (%s)", err, body)
 		}
 	}
 	return code, resp
 }
 // findMember returns the directory entry for a signing key (case-insensitive).
 func findMember(members []directoryMember, signPub string) (directoryMember, bool) {
 	want := normalizeSignPub(signPub)
 	for _, m := range members {
 		if normalizeSignPub(m.SignPub) == want {
 			return m, true
 		}
 	}
 	return directoryMember{}, false
 }
 // TestDirectoryGolden is the happy path: an authenticated bus user (here the seed
 // admin alice, plus a registered member bob) reads the directory and gets every
 // active user's handle, role, and an endpoint derived server-side from the
 // sign_pub with the bus's own construction (frame.EndpointID). Two users in ->
 // 200 with both handles and correct endpoints.
 func TestDirectoryGolden(t *testing.T) {
 	h := newAuthHarness(t, AuthEnforce)
 	bob, _ := cs.GenerateIdentity()
 	register(t, h, bob, "bob") // role member
 	bobPub := hex.EncodeToString(bob.SignPub)
 	code, resp := directory(t, h, h.alice, 1)
 	if code != http.StatusOK {
 		t.Fatalf("directory should be 200 for an authenticated user, got %d", code)
 	}
 	aliceRow, ok := findMember(resp.Members, h.alicePub)
 	if !ok {
 		t.Fatalf("seed admin alice missing from directory: %+v", resp.Members)
 	}
 	if aliceRow.Handle != "alice" || aliceRow.Role != RoleAdmin {
 		t.Fatalf("alice row wrong: %+v", aliceRow)
 	}
 	if want := frame.EndpointID(h.alice.SignPub); aliceRow.Endpoint != want {
 		t.Fatalf("alice endpoint = %q, want %q", aliceRow.Endpoint, want)
 	}
 	bobRow, ok := findMember(resp.Members, bobPub)
 	if !ok {
 		t.Fatalf("registered member bob missing from directory: %+v", resp.Members)
 	}
 	if bobRow.Handle != "bob" || bobRow.Role != RoleMember {
 		t.Fatalf("bob row wrong: %+v", bobRow)
 	}
 	if want := frame.EndpointID(bob.SignPub); bobRow.Endpoint != want {
 		t.Fatalf("bob endpoint = %q, want %q", bobRow.Endpoint, want)
 	}
 }
 // TestDirectoryUnauthenticatedRejected is the auth contract: under enforce an
 // unsigned GET /directory is rejected with 401 by the middleware, before the
 // handler ever runs — the directory is not public.
 func TestDirectoryUnauthenticatedRejected(t *testing.T) {
 	h := newAuthHarness(t, AuthEnforce)
 	req, _ := http.NewRequest("GET", h.ts.URL+"/directory", nil)
 	code, _ := do(t, req)
 	if code != http.StatusUnauthorized {
 		t.Fatalf("unsigned directory request under enforce should be 401, got %d", code)
 	}
 }
 // TestDirectoryExcludesRevoked: a revoked user must not appear in the directory
 // (status=active filter), while active users still do.
 func TestDirectoryExcludesRevoked(t *testing.T) {
 	h := newAuthHarness(t, AuthEnforce)
 	gone, _ := cs.GenerateIdentity()
 	register(t, h, gone, "gone")
 	gonePub := hex.EncodeToString(gone.SignPub)
 	if err := h.store.RevokeUser(gonePub); err != nil {
 		t.Fatalf("revoke gone: %v", err)
 	}
 	code, resp := directory(t, h, h.alice, 1)
 	if code != http.StatusOK {
 		t.Fatalf("directory should be 200, got %d", code)
 	}
 	if _, ok := findMember(resp.Members, gonePub); ok {
 		t.Fatalf("revoked user must not appear in directory: %+v", resp.Members)
 	}
 	if _, ok := findMember(resp.Members, h.alicePub); !ok {
 		t.Fatalf("active admin alice should still appear: %+v", resp.Members)
 	}
 }
 // TestDirectoryEndpointParity pins the server-side endpoint derivation to the
 // cross-language parity vector emitted by cmd/busvectors (and consumed by the
 // uniweb crypto.ts endpointID test): for a FIXED sign_pub the directory must
 // return the exact base64url(sha256(signPub)) endpoint, byte-for-byte. The
 // expected value is recomputed here independently of frame.EndpointID so the test
 // fails if the handler ever diverges from the canonical construction.
 func TestDirectoryEndpointParity(t *testing.T) {
 	// Vector from cmd/busvectors (seed 000102..1f -> Ed25519 public key).
 	const vectorSignPub = "03a107bff3ce10be1d70dd18e74bc09967e4d6309ba50d5f1ddc8664125531b8"
 	const vectorEndpoint = "Vkdap1RjR0wChd9dvyvKtz2mUTWIOem3dIGy6rEHcIw"
 	// Independent recomputation: base64url(sha256(raw signPub bytes)), unpadded.
 	raw, err := hex.DecodeString(vectorSignPub)
 	if err != nil {
 		t.Fatalf("decode vector sign_pub: %v", err)
 	}
 	sum := sha256.Sum256(raw)
 	if got := base64.RawURLEncoding.EncodeToString(sum[:]); got != vectorEndpoint {
 		t.Fatalf("vector self-check: recomputed endpoint %q != pinned %q", got, vectorEndpoint)
 	}
 	h := newAuthHarness(t, AuthEnforce)
 	if err := h.store.AddUser(vectorSignPub, "vectorbot", RoleMember); err != nil {
 		t.Fatalf("add vector user: %v", err)
 	}
 	code, resp := directory(t, h, h.alice, 1)
 	if code != http.StatusOK {
 		t.Fatalf("directory should be 200, got %d", code)
 	}
 	row, ok := findMember(resp.Members, vectorSignPub)
 	if !ok {
 		t.Fatalf("vector user missing from directory: %+v", resp.Members)
 	}
 	if row.Endpoint != vectorEndpoint {
 		t.Fatalf("endpoint parity broken: directory returned %q, want %q", row.Endpoint, vectorEndpoint)
 	}
 }
@@ -0,0 +1,198 @@
 package membership
 // Server-side durable history for persisted rooms (room.ModeMatrix / Persist).
 //
 // A persisted room's messages ride a file-backed JetStream stream named
 // "UNIBUS_<roomID>" (roomStreamName, identical to pkg/client.streamName). Until
 // now that stream was created only by the Go client's first publish/subscribe; a
 // client that speaks only core NATS (the browser client uniweb, which has no
 // JetStream) therefore never created it, so its messages were captured nowhere and
 // vanished on reload. This file moves stream ownership to the server: the control
 // plane ensures the stream when a persisted room is created (so capture starts at
 // minute zero whoever publishes) and exposes GET /rooms/{id}/history so a
 // JetStream-less client can read the backlog over plain HTTP.
 //
 // The server never decrypts: each stored message is the E2E frame exactly as it
 // was published (ciphertext for an encrypted room). The history endpoint returns
 // those bytes verbatim (base64-encoded for JSON safety), so end-to-end encryption
 // is preserved — the server only relays the bytes it already holds.
 import (
 	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/http"
 	"strconv"
 	"time"
 	"github.com/nats-io/nats.go/jetstream"
 )
 const (
 	// defaultHistoryLimit is the number of most-recent messages returned when the
 	// caller does not specify ?limit.
 	defaultHistoryLimit = 200
 	// maxHistoryLimit is the hard ceiling on a single history response, so a caller
 	// cannot ask the server to buffer an unbounded backlog into one JSON payload.
 	maxHistoryLimit = 1000
 	// historyOpTimeout bounds each JetStream operation the history path performs
 	// (stream lookup/ensure, info, per-message get) so a stalled data plane cannot
 	// hang a control-plane request indefinitely.
 	historyOpTimeout = 5 * time.Second
 )
 // historyResp is the GET /rooms/{id}/history response envelope. messages is the
 // ordered (oldest→newest) list of the room's most recent frames, each the base64
 // (standard encoding) of the marshaled, still-encrypted frame as it was published.
 // The key is a stable contract consumed by the browser client; do not rename it.
 type historyResp struct {
 	Messages []string `json:"messages"`
 }
 // streamConfigForRoom builds the JetStream stream config for a persisted room.
 //
 // It MUST stay byte-for-byte compatible with pkg/client/persist.go's ensureStream
 // (the original owner of this format): same name derivation (roomStreamName ==
 // pkg/client.streamName), same single subject, LimitsPolicy retention, file
 // storage. pkg/client is the source of truth for the format; we copy it here
 // rather than import it because pkg/client imports pkg/membership and importing it
 // back would be a cycle. The only addition is Replicas, matched to the cluster's
 // control-plane replication so a persisted room's history is as available as its
 // metadata (1 standalone, up to 3 in an HA cluster). CreateOrUpdateStream treats a
 // matching config as a no-op, so the client's later ensureStream is harmless.
 func streamConfigForRoom(roomID, subject string, replicas int) jetstream.StreamConfig {
 	if replicas < 1 {
 		replicas = 1
 	}
 	return jetstream.StreamConfig{
 		Name:      roomStreamName(roomID),
 		Subjects:  []string{subject},
 		Retention: jetstream.LimitsPolicy,
 		Storage:   jetstream.FileStorage,
 		Replicas:  replicas,
 	}
 }
 // ensureRoomStream idempotently creates (or no-ops on) the durable stream that
 // captures a persisted room's subject. CreateOrUpdateStream returns the existing
 // stream unchanged when the config matches, so this is safe to call on every room
 // creation and on every history read (lazy backfill of pre-existing rooms).
 func ensureRoomStream(ctx context.Context, js jetstream.JetStream, roomID, subject string, replicas int) error {
 	if _, err := js.CreateOrUpdateStream(ctx, streamConfigForRoom(roomID, subject, replicas)); err != nil {
 		return fmt.Errorf("membership: ensure stream for room %s: %w", roomID, err)
 	}
 	return nil
 }
 // readRoomHistory returns the last `limit` messages of a room's durable stream in
 // chronological order (oldest→newest), each base64-encoded (standard encoding). A
 // stream that does not exist yet, or that holds no messages, yields an empty slice
 // (not an error): a freshly created or never-used room simply has no history. It
 // reads by sequence via the stream MSG.GET API rather than binding a consumer, so
 // it has no side effects on any peer's durable ack position. A gap in the sequence
 // range (a purged/deleted message) is skipped rather than failing the whole read,
 // so the result length is bounded by `limit` but may be smaller.
 func readRoomHistory(ctx context.Context, js jetstream.JetStream, roomID string, limit int) ([]string, error) {
 	out := []string{}
 	stream, err := js.Stream(ctx, roomStreamName(roomID))
 	if err != nil {
 		if errors.Is(err, jetstream.ErrStreamNotFound) {
 			return out, nil
 		}
 		return nil, fmt.Errorf("membership: lookup stream for room %s: %w", roomID, err)
 	}
 	si, err := stream.Info(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("membership: stream info for room %s: %w", roomID, err)
 	}
 	first, last := si.State.FirstSeq, si.State.LastSeq
 	if si.State.Msgs == 0 || last == 0 {
 		return out, nil
 	}
 	// Window of the last `limit` sequence numbers, clamped to the first stored seq.
 	// last >= limit guards the unsigned subtraction against underflow.
 	start := first
 	if last >= uint64(limit) {
 		if cand := last - uint64(limit) + 1; cand > start {
 			start = cand
 		}
 	}
 	for seq := start; seq <= last; seq++ {
 		raw, err := stream.GetMsg(ctx, seq)
 		if err != nil {
 			// A purged/deleted sequence leaves a gap; skip it rather than abort.
 			continue
 		}
 		out = append(out, base64.StdEncoding.EncodeToString(raw.Data))
 	}
 	return out, nil
 }
 // parseHistoryLimit reads the ?limit query value, applying the default when it is
 // absent and clamping out-of-range / malformed values to [1, maxHistoryLimit].
 func parseHistoryLimit(q string) int {
 	if q == "" {
 		return defaultHistoryLimit
 	}
 	n, err := strconv.Atoi(q)
 	if err != nil || n <= 0 {
 		return defaultHistoryLimit
 	}
 	if n > maxHistoryLimit {
 		return maxHistoryLimit
 	}
 	return n
 }
 // handleRoomHistory serves GET /rooms/{id}/history: the last ?limit (default 200,
 // hard cap 1000) messages of a persisted room, oldest→newest, each the base64 of
 // the still-encrypted frame as published. The server never decrypts — it relays
 // the ciphertext bytes the stream already holds, preserving E2E.
 //
 // Authorization mirrors the sibling room reads (/key, /members): the request must
 // be a member of the room (requireMember; allowed under AuthOff/dev where no signer
 // is verified). A missing room is 404; a non-member is 403; an unsigned request
 // under enforce is rejected with 401 by the auth middleware before this runs.
 //
 // For a persisted room the stream is ensured first (lazy backfill): a room created
 // before the server managed streams begins capturing from now on. Messages sent
 // before the stream existed were never captured and are unrecoverable — only
 // messages from stream creation onward appear here.
 func (s *Server) handleRoomHistory(w http.ResponseWriter, r *http.Request) {
 	roomID := r.PathValue("id")
 	// Existence first so a missing room is a clean 404 (the documented contract),
 	// distinct from a 403 for an existing room the caller is not a member of.
 	info, err := s.store.GetRoom(roomID)
 	if err != nil {
 		writeErr(w, http.StatusNotFound, "room not found")
 		return
 	}
 	if _, ok := s.requireMember(w, r, roomID); !ok {
 		return
 	}
 	limit := parseHistoryLimit(r.URL.Query().Get("limit"))
 	// No JetStream wired (e.g. an external-NATS deployment without a cluster/KV
 	// feature): there is no durable stream to read, so report an empty history
 	// rather than 500 — a client degrades to "no backlog" gracefully.
 	if s.js == nil {
 		writeJSON(w, http.StatusOK, historyResp{Messages: []string{}})
 		return
 	}
 	ctx, cancel := context.WithTimeout(r.Context(), historyOpTimeout)
 	defer cancel()
 	if info.Persist {
 		if err := ensureRoomStream(ctx, s.js, roomID, info.Subject, s.streamReplicas); err != nil {
 			writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
 			return
 		}
 	}
 	msgs, err := readRoomHistory(ctx, s.js, roomID, limit)
 	if err != nil {
 		writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
 		return
 	}
 	writeJSON(w, http.StatusOK, historyResp{Messages: msgs})
 }
@@ -0,0 +1,400 @@
 package membership
 import (
 	"context"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"path/filepath"
 	"testing"
 	"time"
 	cs "fn-registry/functions/cybersecurity"
 	"github.com/enmanuel/unibus/pkg/blobstore"
 	"github.com/enmanuel/unibus/pkg/embeddednats"
 	"github.com/enmanuel/unibus/pkg/frame"
 	"github.com/nats-io/nats.go"
 	"github.com/nats-io/nats.go/jetstream"
 )
 // historyHarness is an enforce-mode control plane wired to a real embedded NATS
 // JetStream, so the history path exercises the production code: the server ensures
 // and reads actual durable streams. alice is a seeded admin (and any room's owner),
 // bob is a registered user added as a room member, and carol is a registered user
 // that is NOT a member of the test room (to exercise the 403 path).
 type historyHarness struct {
 	ts    *httptest.Server
 	store Store
 	js    jetstream.JetStream
 	nc    *nats.Conn
 	alice cs.Identity // admin + room owner
 	bob   cs.Identity // room member
 	carol cs.Identity // registered, non-member
 }
 func newHistoryHarness(t *testing.T) *historyHarness {
 	t.Helper()
 	dir := t.TempDir()
 	ns, err := embeddednats.StartServer(embeddednats.ServerConfig{
 		StoreDir: filepath.Join(dir, "jetstream"),
 		Host:     "127.0.0.1",
 		Port:     kvFreePort(t),
 	})
 	if err != nil {
 		t.Fatalf("embedded nats: %v", err)
 	}
 	nc, err := nats.Connect(ns.ClientURL())
 	if err != nil {
 		ns.Shutdown()
 		t.Fatalf("nats connect: %v", err)
 	}
 	js, err := jetstream.New(nc)
 	if err != nil {
 		nc.Close()
 		ns.Shutdown()
 		t.Fatalf("jetstream: %v", err)
 	}
 	store, err := Open(filepath.Join(dir, "unibus.db"))
 	if err != nil {
 		nc.Close()
 		ns.Shutdown()
 		t.Fatalf("open store: %v", err)
 	}
 	blobs, err := blobstore.New(filepath.Join(dir, "blobs"))
 	if err != nil {
 		store.Close()
 		nc.Close()
 		ns.Shutdown()
 		t.Fatalf("open blobs: %v", err)
 	}
 	mustID := func(name string) cs.Identity {
 		id, err := cs.GenerateIdentity()
 		if err != nil {
 			t.Fatalf("identity %s: %v", name, err)
 		}
 		return id
 	}
 	alice, bob, carol := mustID("alice"), mustID("bob"), mustID("carol")
 	if err := store.AddUser(hex.EncodeToString(alice.SignPub), "alice", RoleAdmin); err != nil {
 		t.Fatalf("seed admin: %v", err)
 	}
 	for _, u := range []struct {
 		id     cs.Identity
 		handle string
 	}{{bob, "bob"}, {carol, "carol"}} {
 		if err := store.AddUser(hex.EncodeToString(u.id.SignPub), u.handle, RoleMember); err != nil {
 			t.Fatalf("register %s: %v", u.handle, err)
 		}
 	}
 	srv := NewServer(store, blobs, AuthEnforce)
 	srv.SetJetStream(js, 1)
 	ts := httptest.NewServer(srv)
 	t.Cleanup(func() {
 		ts.Close()
 		store.Close()
 		nc.Close()
 		ns.Shutdown()
 		ns.WaitForShutdown()
 	})
 	return &historyHarness{ts: ts, store: store, js: js, nc: nc, alice: alice, bob: bob, carol: carol}
 }
 // seedPersistRoom creates a persisted (Matrix-policy) room directly in the store
 // with alice as owner and bob as a member, returning its id and subject. It does
 // NOT create the stream — that is left to the code under test (handleCreateRoom or
 // the lazy ensure in the history endpoint), which is exactly what we want to verify.
 func (h *historyHarness) seedPersistRoom(t *testing.T) (roomID, subject string) {
 	t.Helper()
 	roomID = newULID()
 	subject = "unibus.room." + roomID
 	aliceEp := frame.EndpointID(h.alice.SignPub)
 	info := RoomInfo{RoomID: roomID, Subject: subject, OwnerEndpoint: aliceEp, Encrypt: true, Persist: true}
 	if err := h.store.CreateRoom(info, h.alice.SignPub, h.alice.KexPub, []byte("alice-sealed")); err != nil {
 		t.Fatalf("seed room: %v", err)
 	}
 	bobEp := frame.EndpointID(h.bob.SignPub)
 	bobM := Member{Endpoint: bobEp, Role: RoleMember, SignPub: h.bob.SignPub, KexPub: h.bob.KexPub}
 	if err := h.store.AddMember(roomID, bobM, 0, []byte("bob-sealed")); err != nil {
 		t.Fatalf("add member bob: %v", err)
 	}
 	return roomID, subject
 }
 // makeFrame builds a marshaled PUB frame whose payload identifies it, so a test can
 // assert exact bytes and ordering after a round trip through the stream + endpoint.
 func makeFrame(t *testing.T, subject, sender string, i int) []byte {
 	t.Helper()
 	f := frame.Frame{
 		Type:    frame.PUB,
 		Subject: subject,
 		Sender:  sender,
 		MsgID:   fmt.Sprintf("msg-%02d", i),
 		Payload: []byte(fmt.Sprintf("ciphertext-%02d", i)),
 	}
 	b, err := f.Marshal()
 	if err != nil {
 		t.Fatalf("marshal frame %d: %v", i, err)
 	}
 	return b
 }
 // getHistory signs a GET /rooms/{id}/history request as id and returns the status,
 // the raw body, and the decoded envelope. query is the raw query string (e.g.
 // "limit=2") or "". The signed path includes the query because the server verifies
 // the signature over r.URL.RequestURI(), which carries it.
 func (h *historyHarness) getHistory(t *testing.T, id cs.Identity, roomID, query string, n int) (int, string, historyResp) {
 	t.Helper()
 	path := "/rooms/" + roomID + "/history"
 	if query != "" {
 		path += "?" + query
 	}
 	req := signedReq(t, h.ts.URL, "GET", path, nil, id, time.Now().Unix(), nonceN(n))
 	code, body := do(t, req)
 	var out historyResp
 	if code == 200 {
 		if err := json.Unmarshal([]byte(body), &out); err != nil {
 			t.Fatalf("decode history: %v (%s)", err, body)
 		}
 	}
 	return code, body, out
 }
 // TestCreateRoomEnsuresStream verifies handleCreateRoom creates the durable stream
 // for a persisted room before responding, so capture starts at room creation.
 func TestCreateRoomEnsuresStream(t *testing.T) {
 	h := newHistoryHarness(t)
 	aliceEp := frame.EndpointID(h.alice.SignPub)
 	reqBody := createRoomReq{
 		Subject:       "unibus.room.created",
 		Policy:        policyJSON{Encrypt: true, Persist: true},
 		Owner:         endpointJSON{Endpoint: aliceEp, SignPub: h.alice.SignPub, KexPub: h.alice.KexPub},
 		SealedKeySelf: []byte("alice-sealed"),
 	}
 	body, _ := json.Marshal(reqBody)
 	req := signedReq(t, h.ts.URL, "POST", "/rooms", body, h.alice, time.Now().Unix(), nonceN(1))
 	code, respBody := do(t, req)
 	if code != 201 {
 		t.Fatalf("create room: want 201, got %d (%s)", code, respBody)
 	}
 	var cr createRoomResp
 	if err := json.Unmarshal([]byte(respBody), &cr); err != nil {
 		t.Fatalf("decode create resp: %v (%s)", err, respBody)
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 	defer cancel()
 	if _, err := h.js.Stream(ctx, roomStreamName(cr.RoomID)); err != nil {
 		t.Fatalf("stream for created persist room should exist: %v", err)
 	}
 }
 // TestRoomHistoryGolden is the golden path: three frames published to a persisted
 // room's stream come back from the endpoint base64-encoded, in chronological order,
 // and decode to the exact frames that were published.
 func TestRoomHistoryGolden(t *testing.T) {
 	h := newHistoryHarness(t)
 	roomID, subject := h.seedPersistRoom(t)
 	bobEp := frame.EndpointID(h.bob.SignPub)
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	if err := ensureRoomStream(ctx, h.js, roomID, subject, 1); err != nil {
 		t.Fatalf("ensure stream: %v", err)
 	}
 	want := make([][]byte, 3)
 	for i := 0; i < 3; i++ {
 		want[i] = makeFrame(t, subject, bobEp, i)
 		// js.Publish waits for the stream ack, so the message is durably stored before
 		// the next iteration — no sleeps, deterministic ordering.
 		if _, err := h.js.Publish(ctx, subject, want[i]); err != nil {
 			t.Fatalf("publish %d: %v", i, err)
 		}
 	}
 	code, raw, hr := h.getHistory(t, h.bob, roomID, "", 10)
 	if code != 200 {
 		t.Fatalf("history: want 200, got %d (%s)", code, raw)
 	}
 	if len(hr.Messages) != 3 {
 		t.Fatalf("want 3 messages, got %d (%s)", len(hr.Messages), raw)
 	}
 	for i, m := range hr.Messages {
 		decoded, err := base64.StdEncoding.DecodeString(m)
 		if err != nil {
 			t.Fatalf("message %d not valid base64: %v", i, err)
 		}
 		if string(decoded) != string(want[i]) {
 			t.Fatalf("message %d bytes mismatch (order or content)", i)
 		}
 		f, err := frame.Unmarshal(decoded)
 		if err != nil {
 			t.Fatalf("message %d does not decode to a frame: %v", i, err)
 		}
 		if f.MsgID != fmt.Sprintf("msg-%02d", i) {
 			t.Fatalf("message %d: want MsgID msg-%02d, got %q", i, i, f.MsgID)
 		}
 	}
 }
 // TestRoomHistoryCapturesCoreNATSPublish proves the central fix: a message
 // published over PLAIN core NATS (as the JetStream-less browser client uniweb does)
 // is captured by the server-owned stream and served by the endpoint. Without the
 // server ensuring the stream, this message would be captured nowhere.
 func TestRoomHistoryCapturesCoreNATSPublish(t *testing.T) {
 	h := newHistoryHarness(t)
 	roomID, subject := h.seedPersistRoom(t)
 	bobEp := frame.EndpointID(h.bob.SignPub)
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	if err := ensureRoomStream(ctx, h.js, roomID, subject, 1); err != nil {
 		t.Fatalf("ensure stream: %v", err)
 	}
 	sent := makeFrame(t, subject, bobEp, 7)
 	if err := h.nc.Publish(subject, sent); err != nil {
 		t.Fatalf("core publish: %v", err)
 	}
 	if err := h.nc.Flush(); err != nil {
 		t.Fatalf("flush: %v", err)
 	}
 	// Core NATS publish has no stream ack; poll the stream until the message lands.
 	h.waitMsgs(t, roomID, 1)
 	code, raw, hr := h.getHistory(t, h.bob, roomID, "", 11)
 	if code != 200 {
 		t.Fatalf("history: want 200, got %d (%s)", code, raw)
 	}
 	if len(hr.Messages) != 1 {
 		t.Fatalf("want 1 captured message, got %d (%s)", len(hr.Messages), raw)
 	}
 	decoded, err := base64.StdEncoding.DecodeString(hr.Messages[0])
 	if err != nil || string(decoded) != string(sent) {
 		t.Fatalf("captured core-NATS message round-trip mismatch (err=%v)", err)
 	}
 }
 // TestRoomHistoryLimit verifies ?limit caps the response to the most recent N
 // messages, oldest→newest within the window.
 func TestRoomHistoryLimit(t *testing.T) {
 	h := newHistoryHarness(t)
 	roomID, subject := h.seedPersistRoom(t)
 	bobEp := frame.EndpointID(h.bob.SignPub)
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	if err := ensureRoomStream(ctx, h.js, roomID, subject, 1); err != nil {
 		t.Fatalf("ensure stream: %v", err)
 	}
 	for i := 0; i < 5; i++ {
 		if _, err := h.js.Publish(ctx, subject, makeFrame(t, subject, bobEp, i)); err != nil {
 			t.Fatalf("publish %d: %v", i, err)
 		}
 	}
 	code, raw, hr := h.getHistory(t, h.bob, roomID, "limit=2", 12)
 	if code != 200 {
 		t.Fatalf("history: want 200, got %d (%s)", code, raw)
 	}
 	if len(hr.Messages) != 2 {
 		t.Fatalf("limit=2 over 5 messages: want 2, got %d", len(hr.Messages))
 	}
 	// The window is the last two messages (indices 3 and 4), in order.
 	for off, m := range hr.Messages {
 		decoded, _ := base64.StdEncoding.DecodeString(m)
 		f, err := frame.Unmarshal(decoded)
 		if err != nil {
 			t.Fatalf("limited message %d does not decode: %v", off, err)
 		}
 		want := fmt.Sprintf("msg-%02d", off+3)
 		if f.MsgID != want {
 			t.Fatalf("limited message %d: want MsgID %s, got %q", off, want, f.MsgID)
 		}
 	}
 }
 // TestRoomHistoryEmptyRoom verifies a persisted room with no messages returns an
 // empty (non-null) array, lazily ensuring the stream on the way.
 func TestRoomHistoryEmptyRoom(t *testing.T) {
 	h := newHistoryHarness(t)
 	roomID, _ := h.seedPersistRoom(t)
 	code, raw, hr := h.getHistory(t, h.bob, roomID, "", 13)
 	if code != 200 {
 		t.Fatalf("history: want 200, got %d (%s)", code, raw)
 	}
 	if hr.Messages == nil {
 		t.Fatalf("empty room must return [] not null (%s)", raw)
 	}
 	if len(hr.Messages) != 0 {
 		t.Fatalf("empty room: want 0 messages, got %d", len(hr.Messages))
 	}
 	// The lazy ensure should have created the stream even though no message exists.
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 	defer cancel()
 	if _, err := h.js.Stream(ctx, roomStreamName(roomID)); err != nil {
 		t.Fatalf("lazy ensure should have created the stream: %v", err)
 	}
 }
 // TestRoomHistoryUnauthenticated verifies an unsigned request is rejected with 401
 // under enforce, before the handler runs.
 func TestRoomHistoryUnauthenticated(t *testing.T) {
 	h := newHistoryHarness(t)
 	roomID, _ := h.seedPersistRoom(t)
 	// No signing headers: plain GET against the enforce-mode control plane.
 	req, err := http.NewRequest("GET", h.ts.URL+"/rooms/"+roomID+"/history", nil)
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
 	code, body := do(t, req)
 	if code != 401 {
 		t.Fatalf("unauthenticated history: want 401, got %d (%s)", code, body)
 	}
 }
 // TestRoomHistoryNonMember verifies a registered user who is NOT a member of the
 // room is rejected with 403.
 func TestRoomHistoryNonMember(t *testing.T) {
 	h := newHistoryHarness(t)
 	roomID, _ := h.seedPersistRoom(t)
 	code, body, _ := h.getHistory(t, h.carol, roomID, "", 14)
 	if code != 403 {
 		t.Fatalf("non-member history: want 403, got %d (%s)", code, body)
 	}
 }
 // TestRoomHistoryRoomNotFound verifies a request for a non-existent room is a 404,
 // distinct from the 403 a non-member of an existing room gets.
 func TestRoomHistoryRoomNotFound(t *testing.T) {
 	h := newHistoryHarness(t)
 	code, body, _ := h.getHistory(t, h.alice, newULID(), "", 15)
 	if code != 404 {
 		t.Fatalf("missing room history: want 404, got %d (%s)", code, body)
 	}
 }
 // waitMsgs polls the room's stream until it holds at least want messages or a short
 // deadline elapses, so a core-NATS publish (which carries no stream ack) is observed
 // deterministically without a fixed sleep.
 func (h *historyHarness) waitMsgs(t *testing.T, roomID string, want uint64) {
 	t.Helper()
 	deadline := time.Now().Add(3 * time.Second)
 	for time.Now().Before(deadline) {
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 		st, err := h.js.Stream(ctx, roomStreamName(roomID))
 		if err == nil {
 			si, ierr := st.Info(ctx)
 			if ierr == nil && si.State.Msgs >= want {
 				cancel()
 				return
 			}
 		}
 		cancel()
 		time.Sleep(20 * time.Millisecond)
 	}
 	t.Fatalf("stream for room %s never reached %d message(s)", roomID, want)
 }
@@ -1,8 +1,10 @@
 package membership
 import (
 	"fmt"
 	"net"
 	"net/http"
 	"strings"
 	"sync"
 	"time"
@@ -78,16 +80,117 @@ func (l *ipRateLimiter) reapLocked(now time.Time) {
 	}
 }
-// clientIP extracts the source IP of an HTTP request, stripping the port. It
+// clientIP extracts the rate-limit key for a request: the source IP, with the
-// trusts the transport's RemoteAddr only (no X-Forwarded-For parsing): a public
+// port stripped. By default it trusts the transport's RemoteAddr ONLY (no
-// deployment terminates TLS at this process or behind a proxy that the operator
+// X-Forwarded-For parsing): honoring an attacker-supplied header would let a
-// controls, and honoring an attacker-supplied header would let a single IP fan
+// single IP fan its quota across forged identities. When the operator runs the
-// its quota across forged identities. If parsing fails the whole RemoteAddr is
+// control plane behind a reverse proxy they control (the same-origin Caddy
-// used as the key (still a stable per-connection bucket).
+// deployment), SetTrustedProxies names that proxy's address(es); only then, and
-func clientIP(r *http.Request) string {
+// only when the immediate peer is one of them, is the forwarded client IP
 // believed. This keeps the per-IP rate limit meaningful behind the proxy, where
 // every request would otherwise share the proxy's single IP. If parsing fails the
 // whole RemoteAddr is used as the key (still a stable per-connection bucket).
 func (s *Server) clientIP(r *http.Request) string {
 	host, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err != nil {
-		return r.RemoteAddr
+		host = r.RemoteAddr
 	}
 	if !s.trustedProxies.has(host) {
 		return host
 	}
 	if fwd := forwardedClientIP(r, s.trustedProxies); fwd != "" {
 		return fwd
 	}
 	return host
 }
 // forwardedClientIP returns the real client IP a trusted proxy reported, or "" if
 // none is present. X-Forwarded-For is read RIGHT-TO-LEFT: the rightmost entry is
 // the one our immediate (trusted) proxy appended and therefore cannot be spoofed
 // by the client, which can only prepend entries to the left. Trusted-proxy hops
 // are skipped so a chain of proxies we own resolves to the first address none of
 // them owns — the actual external client. X-Real-IP is a single-value fallback for
 // proxies that set it instead. A non-trusted immediate peer never reaches here, so
 // a direct attacker's forged header is ignored entirely.
 func forwardedClientIP(r *http.Request, trusted trustedProxyMatcher) string {
 	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
 		parts := strings.Split(xff, ",")
 		for i := len(parts) - 1; i >= 0; i-- {
 			ip := strings.TrimSpace(parts[i])
 			if ip == "" || trusted.has(ip) {
 				continue
 			}
 			if net.ParseIP(ip) != nil {
 				return ip
 			}
 		}
 	}
 	if xrip := strings.TrimSpace(r.Header.Get("X-Real-IP")); xrip != "" {
 		if net.ParseIP(xrip) != nil {
 			return xrip
 		}
 	}
 	return ""
 }
 // trustedProxyMatcher is the set of reverse-proxy addresses whose forwarding
 // headers may be honored. The zero value (nil) matches nothing, so the default
 // behavior is RemoteAddr-only.
 type trustedProxyMatcher []*net.IPNet
 // SetTrustedProxies configures the proxies whose X-Forwarded-For / X-Real-IP this
 // server trusts for the per-IP rate limit. Each entry is an IP (treated as a /32
 // or /128) or a CIDR. It returns an error on the first unparseable entry and
 // leaves the previous configuration unchanged. Passing no entries clears the set.
 func (s *Server) SetTrustedProxies(entries []string) error {
 	m, err := parseTrustedProxies(entries)
 	if err != nil {
 		return err
 	}
 	s.trustedProxies = m
 	return nil
 }
 // parseTrustedProxies turns a list of IPs/CIDRs into a matcher. A bare IP becomes
 // a host route (/32 for IPv4, /128 for IPv6); blanks are skipped.
 func parseTrustedProxies(entries []string) (trustedProxyMatcher, error) {
 	var m trustedProxyMatcher
 	for _, e := range entries {
 		e = strings.TrimSpace(e)
 		if e == "" {
 			continue
 		}
 		if _, ipnet, err := net.ParseCIDR(e); err == nil {
 			m = append(m, ipnet)
 			continue
 		}
 		ip := net.ParseIP(e)
 		if ip == nil {
 			return nil, fmt.Errorf("trusted proxy %q is not an IP or CIDR", e)
 		}
 		bits := 32
 		if ip.To4() == nil {
 			bits = 128
 		}
 		m = append(m, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
 	}
 	return m, nil
 }
 // has reports whether host (an IP string with no port) falls inside any trusted
 // range. A nil matcher and an unparseable host both report false.
 func (m trustedProxyMatcher) has(host string) bool {
 	if len(m) == 0 {
 		return false
 	}
 	ip := net.ParseIP(host)
 	if ip == nil {
 		return false
 	}
 	for _, n := range m {
 		if n.Contains(ip) {
 			return true
 		}
 	}
 	return false
 }
@@ -0,0 +1,113 @@
 package membership
 import (
 	"net/http"
 	"testing"
 )
 // TestClientIPTrustedProxy covers the rate-limit key extraction behind a reverse
 // proxy: forwarding headers are believed ONLY when the immediate peer is a
 // configured trusted proxy, and never otherwise. This is what keeps the per-IP
 // rate limit per-client once the control plane runs behind the same-origin Caddy
 // proxy, without opening a quota-fanning hole for a direct attacker.
 func TestClientIPTrustedProxy(t *testing.T) {
 	const caddy = "135.125.201.30"
 	cases := []struct {
 		name    string
 		proxies []string
 		remote  string
 		xff     string
 		xRealIP string
 		want    string
 	}{
 		{
 			name:   "no trusted proxies ignores XFF",
 			remote: "203.0.113.7:5000",
 			xff:    "1.2.3.4",
 			want:   "203.0.113.7",
 		},
 		{
 			name:    "trusted proxy honors XFF client",
 			proxies: []string{caddy},
 			remote:  caddy + ":4451",
 			xff:     "198.51.100.23",
 			want:    "198.51.100.23",
 		},
 		{
 			name:    "loopback proxy honors XFF (magnus-local hop)",
 			proxies: []string{"127.0.0.1/32", "::1/128"},
 			remote:  "127.0.0.1:33344",
 			xff:     "198.51.100.99",
 			want:    "198.51.100.99",
 		},
 		{
 			name:    "untrusted peer cannot spoof XFF",
 			proxies: []string{caddy},
 			remote:  "203.0.113.7:5000",
 			xff:     "10.0.0.1",
 			want:    "203.0.113.7",
 		},
 		{
 			name:    "XFF read right-to-left, trusted hops skipped",
 			proxies: []string{caddy},
 			remote:  caddy + ":4451",
 			xff:     "198.51.100.23, " + caddy,
 			want:    "198.51.100.23",
 		},
 		{
 			name:    "client-prepended forgery is skipped, real appended wins",
 			proxies: []string{caddy},
 			remote:  caddy + ":4451",
 			xff:     "9.9.9.9, 198.51.100.23",
 			want:    "198.51.100.23",
 		},
 		{
 			name:    "X-Real-IP fallback when no XFF",
 			proxies: []string{caddy},
 			remote:  caddy + ":4451",
 			xRealIP: "198.51.100.77",
 			want:    "198.51.100.77",
 		},
 		{
 			name:    "trusted peer but no forwarding header falls back to peer",
 			proxies: []string{caddy},
 			remote:  caddy + ":4451",
 			want:    caddy,
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			s := &Server{}
 			if len(tc.proxies) > 0 {
 				if err := s.SetTrustedProxies(tc.proxies); err != nil {
 					t.Fatalf("SetTrustedProxies(%v): %v", tc.proxies, err)
 				}
 			}
 			r, _ := http.NewRequest(http.MethodGet, "/rooms", nil)
 			r.RemoteAddr = tc.remote
 			if tc.xff != "" {
 				r.Header.Set("X-Forwarded-For", tc.xff)
 			}
 			if tc.xRealIP != "" {
 				r.Header.Set("X-Real-IP", tc.xRealIP)
 			}
 			if got := s.clientIP(r); got != tc.want {
 				t.Fatalf("clientIP = %q, want %q", got, tc.want)
 			}
 		})
 	}
 }
 // TestParseTrustedProxiesRejectsGarbage proves a malformed entry is a hard error
 // (the command turns it into a startup failure) rather than a silently ignored
 // misconfiguration that would leave the rate limit collapsed behind the proxy.
 func TestParseTrustedProxiesRejectsGarbage(t *testing.T) {
 	if _, err := parseTrustedProxies([]string{"not-an-ip"}); err == nil {
 		t.Fatal("expected error for non-IP/CIDR entry, got nil")
 	}
 	if _, err := parseTrustedProxies([]string{"10.0.0.0/8", "127.0.0.1"}); err != nil {
 		t.Fatalf("valid entries rejected: %v", err)
 	}
 }
@@ -3,6 +3,7 @@ package membership
 import (
 	"bytes"
 	"context"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -87,6 +88,42 @@ type Server struct {
 	// posture a secure cluster requires (audit 0008 N1). It is set by the command;
 	// the zero value (all false) reflects an unsecured dev node.
 	Posture Posture
 	// AllowedOrigins is the CORS allowlist of browser Origin headers permitted to
 	// call the control plane cross-origin. It exists so a browser-native client
 	// (uniweb) can talk to membershipd directly, the way the Go/Kotlin clients
 	// already do over a non-browser transport (issue uniweb/0001). Native clients
 	// send no Origin header and are unaffected. The zero value (empty) keeps CORS
 	// OFF — no Access-Control headers are emitted and the server behaves exactly as
 	// before — so this is opt-in per deployment. Entries are matched exactly (scheme
 	// + host + port); never use "*" with credentials. Set by the command from a flag.
 	AllowedOrigins []string
 	// trustedProxies names the reverse proxies whose forwarding headers
 	// (X-Forwarded-For / X-Real-IP) the rate limiter is allowed to believe. It
 	// exists for the same-origin deployment where a single proxy (Caddy) fronts
 	// the control plane: without it every proxied request would share the proxy's
 	// one IP and collapse the per-IP rate limit into a single bucket for the whole
 	// world. Only when the immediate peer is one of these addresses is the
 	// forwarded client IP trusted; the zero value (nil) trusts nobody, preserving
 	// the RemoteAddr-only behavior that predates the flag. Set by the command via
 	// SetTrustedProxies. See clientIP.
 	trustedProxies trustedProxyMatcher
 	// js is the privileged JetStream context the server uses to own the durable
 	// per-room streams of persisted rooms: it ensures a room's stream on creation
 	// so the room's subject is captured from the first message — even from a
 	// JetStream-less browser client (uniweb) that speaks only core NATS — and reads
 	// it back for GET /rooms/{id}/history. It is wired by the command via
 	// SetJetStream whenever a JetStream-capable data plane is available (always for
 	// the embedded server). nil leaves history empty and stream-ensure a no-op,
 	// preserving the pre-feature behavior for a deployment without JetStream.
 	js jetstream.JetStream
 	// streamReplicas is the replication factor for the room streams the server
 	// creates, matched to the cluster's control-plane (KV) replication — 1 for a
 	// standalone node, up to 3 in an HA cluster — so a persisted room's history is
 	// as available as its metadata. Used only when js != nil. See SetJetStream.
 	streamReplicas int
 }
 // Posture describes the security posture a membershipd node runs with. It is
@@ -121,6 +158,19 @@ func NewServer(store Store, blobs blobstore.Store, authMode AuthMode) *Server {
 	return s
 }
 // SetJetStream wires the privileged JetStream context (and the room-stream
 // replication factor) the server uses to ensure and read the durable streams of
 // persisted rooms. replicas below 1 is clamped to 1. It must be called once at
 // startup, before the server begins serving; leaving it unset keeps history empty
 // and stream-ensure a no-op, the behavior for a deployment without JetStream.
 func (s *Server) SetJetStream(js jetstream.JetStream, replicas int) {
 	if replicas < 1 {
 		replicas = 1
 	}
 	s.js = js
 	s.streamReplicas = replicas
 }
 // UseReplicatedNonces switches the server's anti-replay store from the
 // per-process in-memory cache to a JetStream KV bucket shared across the cluster
 // (issue 0003e). It MUST be called on every node of a multi-node deployment:
@@ -143,10 +193,19 @@ func (s *Server) UseReplicatedNonces(js jetstream.JetStream, replicas int) error
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	now := time.Now()
 	// CORS runs before everything else so a browser preflight never pays the rate
 	// limit or auth cost. When the request carries an allowed Origin we echo the
 	// Access-Control headers; a preflight (OPTIONS) is answered here and short-
 	// circuits the pipeline. With an empty allowlist this is a no-op, so non-browser
 	// clients and untouched deployments behave exactly as before (issue uniweb/0001).
 	if s.applyCORS(w, r) {
 		return // preflight handled
 	}
 	// Per-IP rate limit runs first, ahead of auth and body reads, so a flood is
 	// shed at the cheapest possible point. The health probe is exempt so liveness
 	// checks are never throttled.
-	if !isAuthExempt(r) && !s.limiter.allow(clientIP(r), now) {
+	if !isAuthExempt(r) && !s.limiter.allow(s.clientIP(r), now) {
 		writeErr(w, http.StatusTooManyRequests, "rate limit exceeded")
 		return
 	}
@@ -221,6 +280,57 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.mux.ServeHTTP(w, r.WithContext(withSigner(r.Context(), res.endpoint, res.pubHex)))
 }
 // applyCORS handles cross-origin requests for the control plane. When the request
 // carries an Origin in the allowlist it sets the Access-Control-Allow-* response
 // headers so the browser accepts the eventual response; when the request is a CORS
 // preflight (OPTIONS) it writes the preflight reply and returns true so ServeHTTP
 // short-circuits before the rate limiter and auth ever run. It returns false for
 // every non-preflight request — including same-origin and native clients that send
 // no Origin header — leaving the normal pipeline to run unchanged. With an empty
 // AllowedOrigins it never sets a header (CORS is off): the opt-in default.
 func (s *Server) applyCORS(w http.ResponseWriter, r *http.Request) (preflight bool) {
 	origin := r.Header.Get("Origin")
 	allowed := origin != "" && s.originAllowed(origin)
 	if allowed {
 		h := w.Header()
 		h.Set("Access-Control-Allow-Origin", origin)
 		// Vary: Origin so a cache never serves an allow-listed response to another
 		// origin. Add (not Set) to preserve any Vary the handler may add later.
 		h.Add("Vary", "Origin")
 		h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
 		// Allow the control-plane request-auth headers a browser client signs every
 		// request with (busauth.signedHeaders), or the browser's CORS preflight blocks
 		// the real request. Content-Type/Authorization stay for JSON bodies.
 		h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Unibus-Pub, X-Unibus-Ts, X-Unibus-Nonce, X-Unibus-Sig")
 		h.Set("Access-Control-Max-Age", "600")
 	}
 	if r.Method == http.MethodOptions {
 		// Answer the preflight here so it never reaches the rate limiter or auth. An
 		// allowed origin gets 204 with the headers above; a disallowed or missing
 		// origin gets 403 with no Access-Control headers, so the browser blocks the
 		// real cross-origin request.
 		if allowed {
 			w.WriteHeader(http.StatusNoContent)
 		} else {
 			w.WriteHeader(http.StatusForbidden)
 		}
 		return true
 	}
 	return false
 }
 // originAllowed reports whether origin is in the CORS allowlist. Matching is exact
 // (scheme + host + port): a browser Origin is an opaque string, so an exact compare
 // is both correct and the safest policy (no wildcard, no suffix tricks).
 func (s *Server) originAllowed(origin string) bool {
 	for _, o := range s.AllowedOrigins {
 		if o == origin {
 			return true
 		}
 	}
 	return false
 }
 // isBodyTooLarge reports whether err is the sentinel returned by MaxBytesReader
 // when the body exceeds its limit, so the middleware can map it to 413.
 func isBodyTooLarge(err error) bool {
@@ -321,6 +431,13 @@ func (s *Server) routes() {
 	s.mux.HandleFunc("POST /rooms/{id}/invite", s.handleInvite)
 	s.mux.HandleFunc("GET /rooms/{id}/key", s.handleGetKey)
 	s.mux.HandleFunc("GET /rooms/{id}/members", s.handleListMembers)
 	// Durable message history for a persisted room, read server-side from the room's
 	// JetStream stream so a client without JetStream (the browser client uniweb) can
 	// load the backlog over plain HTTP. Member-only, like /key and /members.
 	// Registered without the /api prefix like every other control-plane route: Caddy
 	// strips /api via handle_path /api/* before forwarding, so the SPA's
 	// GET /api/rooms/{id}/history arrives here as GET /rooms/{id}/history.
 	s.mux.HandleFunc("GET /rooms/{id}/history", s.handleRoomHistory)
 	s.mux.HandleFunc("GET /members/{endpoint}/rooms", s.handleListMemberRooms)
 	s.mux.HandleFunc("POST /rooms/{id}/rekey", s.handleRekey)
 	s.mux.HandleFunc("GET /rooms/{id}", s.handleGetRoom)
@@ -333,6 +450,15 @@ func (s *Server) routes() {
 	s.mux.HandleFunc("GET /users", s.handleListUsers)
 	s.mux.HandleFunc("POST /users", s.handleAddUser)
 	s.mux.HandleFunc("POST /users/{signpub}/revoke", s.handleRevokeUser)
 	// Member directory — any authenticated bus user (member or admin) may map an
 	// endpoint id back to its human handle, so clients can render readable sender
 	// names instead of raw endpoint hashes. Unlike /users it is NOT admin-only and
 	// returns only active users; under enforce the auth middleware already rejects
 	// an unauthenticated caller with 401 before this handler runs (uniweb/0002).
 	// Registered without the /api prefix like every other control-plane route:
 	// Caddy strips /api via handle_path /api/* before forwarding to membershipd,
 	// so the SPA's GET /api/directory arrives here as GET /directory.
 	s.mux.HandleFunc("GET /directory", s.handleDirectory)
 }
 // ---- wire types -----------------------------------------------------------
@@ -431,6 +557,24 @@ type addUserReq struct {
 	Role    string `json:"role"`
 }
 // directoryMember is one entry of the GET /directory response: enough for a
 // client to map a message's endpoint id (which the bus stamps on every frame)
 // back to a readable handle. endpoint is derived server-side from sign_pub with
 // the SAME construction the bus uses (frame.EndpointID = base64url(sha256(signPub)),
 // unpadded), so it matches the sender id a client already has byte-for-byte.
 type directoryMember struct {
 	SignPub  string `json:"sign_pub"`
 	Endpoint string `json:"endpoint"`
 	Handle   string `json:"handle"`
 	Role     string `json:"role"`
 }
 // directoryResp is the GET /directory response envelope. The members key is a
 // stable contract consumed by the browser client; do not rename it.
 type directoryResp struct {
 	Members []directoryMember `json:"members"`
 }
 // ---- helpers --------------------------------------------------------------
 func writeJSON(w http.ResponseWriter, code int, v any) {
@@ -523,6 +667,21 @@ func (s *Server) handleCreateRoom(w http.ResponseWriter, r *http.Request) {
 		SignMsgs:      req.Policy.SignMsgs,
 		OwnerEndpoint: req.Owner.Endpoint,
 	}
 	// Own the durable stream for a persisted room (issue room-history): ensure it
 	// BEFORE the room row is written so the subject is captured from the very first
 	// message whoever publishes it — a Go client OR a JetStream-less browser client.
 	// Done first so a stream failure aborts cleanly with no orphan room row (the
 	// rare orphan empty stream it can leave is harmless and idempotently reused).
 	// Skipped when no JetStream is wired: the room still works, just without history.
 	if info.Persist && s.js != nil {
 		ctx, cancel := context.WithTimeout(r.Context(), historyOpTimeout)
 		err := ensureRoomStream(ctx, s.js, roomID, info.Subject, s.streamReplicas)
 		cancel()
 		if err != nil {
 			writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
 			return
 		}
 	}
 	if err := s.store.CreateRoom(info, req.Owner.SignPub, req.Owner.KexPub, req.SealedKeySelf); err != nil {
 		writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
 		return
@@ -776,6 +935,41 @@ func (s *Server) handleListUsers(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, out)
 }
 // handleDirectory returns the active bus user directory so a client can resolve a
 // sender's endpoint id to a readable handle. Unlike handleListUsers it is NOT
 // admin-only: every authenticated bus user may read it (the auth middleware has
 // already verified the caller is an active user under enforce, and rejected an
 // unauthenticated one with 401). Only active users are listed, and each endpoint
 // is computed server-side from the user's sign_pub with frame.EndpointID — the
 // exact derivation the bus stamps on every frame, so the returned endpoint matches
 // the sender id a client already holds. A user with a malformed sign_pub (which
 // the add path rejects, so this is defensive) is skipped rather than failing the
 // whole listing.
 func (s *Server) handleDirectory(w http.ResponseWriter, r *http.Request) {
 	users, err := s.store.ListUsers()
 	if err != nil {
 		writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
 		return
 	}
 	out := make([]directoryMember, 0, len(users))
 	for _, u := range users {
 		if u.Status != StatusActive {
 			continue
 		}
 		signPub, err := hex.DecodeString(u.SignPub)
 		if err != nil || len(signPub) != 32 {
 			continue
 		}
 		out = append(out, directoryMember{
 			SignPub:  u.SignPub,
 			Endpoint: frame.EndpointID(signPub),
 			Handle:   u.Handle,
 			Role:     u.Role,
 		})
 	}
 	writeJSON(w, http.StatusOK, directoryResp{Members: out})
 }
 // handleAddUser registers a new bus user from an admin-supplied Ed25519 signing
 // key. It mirrors the `membershipd user add` CLI: the key must be 64-hex, the
 // role must be admin or member (empty defaults to member), and re-adding an
@@ -1,5 +0,0 @@
 node_modules/
 dist/
 *.local
 .vite/
 *.tsbuildinfo
@@ -0,0 +1,13 @@
 <!doctype html>
 <html lang="es">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>unibus</title>
    <script type="module" crossorigin src="/assets/index-Mo3n05uO.js"></script>
    <link rel="stylesheet" crossorigin href="/assets/index-BNbOx14c.css">
  </head>
  <body>
    <div id="root"></div>
  </body>
 </html>
@@ -1,12 +0,0 @@
 <!doctype html>
 <html lang="es">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>unibus</title>
  </head>
  <body>
    <div id="root"></div>
    <script type="module" src="/src/main.tsx"></script>
  </body>
 </html>
@@ -0,0 +1,22 @@
 #!/bin/sh
 basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")
 case `uname` in
    *CYGWIN*|*MINGW*|*MSYS*)
        if command -v cygpath > /dev/null 2>&1; then
            basedir=`cygpath -w "$basedir"`
        fi
    ;;
 esac
 if [ -z "$NODE_PATH" ]; then
  export NODE_PATH="/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/browserslist@4.28.2/node_modules/browserslist/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/browserslist@4.28.2/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/node_modules"
 else
  export NODE_PATH="/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/browserslist@4.28.2/node_modules/browserslist/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/browserslist@4.28.2/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
  exec "$basedir/node"  "$basedir/../.pnpm/browserslist@4.28.2/node_modules/browserslist/cli.js" "$@"
 else
  exec node  "$basedir/../.pnpm/browserslist@4.28.2/node_modules/browserslist/cli.js" "$@"
 fi
 # cmd-shim-target=/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/browserslist@4.28.2/node_modules/browserslist/cli.js
@@ -0,0 +1,22 @@
 #!/bin/sh
 basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")
 case `uname` in
    *CYGWIN*|*MINGW*|*MSYS*)
        if command -v cygpath > /dev/null 2>&1; then
            basedir=`cygpath -w "$basedir"`
        fi
    ;;
 esac
 if [ -z "$NODE_PATH" ]; then
  export NODE_PATH="/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/typescript@5.6.3/node_modules/typescript/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/typescript@5.6.3/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/node_modules"
 else
  export NODE_PATH="/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/typescript@5.6.3/node_modules/typescript/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/typescript@5.6.3/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
  exec "$basedir/node"  "$basedir/../typescript/bin/tsc" "$@"
 else
  exec node  "$basedir/../typescript/bin/tsc" "$@"
 fi
 # cmd-shim-target=/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/typescript/bin/tsc
@@ -0,0 +1,22 @@
 #!/bin/sh
 basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")
 case `uname` in
    *CYGWIN*|*MINGW*|*MSYS*)
        if command -v cygpath > /dev/null 2>&1; then
            basedir=`cygpath -w "$basedir"`
        fi
    ;;
 esac
 if [ -z "$NODE_PATH" ]; then
  export NODE_PATH="/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/typescript@5.6.3/node_modules/typescript/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/typescript@5.6.3/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/node_modules"
 else
  export NODE_PATH="/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/typescript@5.6.3/node_modules/typescript/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/typescript@5.6.3/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
  exec "$basedir/node"  "$basedir/../typescript/bin/tsserver" "$@"
 else
  exec node  "$basedir/../typescript/bin/tsserver" "$@"
 fi
 # cmd-shim-target=/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/typescript/bin/tsserver
@@ -0,0 +1,22 @@
 #!/bin/sh
 basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")
 case `uname` in
    *CYGWIN*|*MINGW*|*MSYS*)
        if command -v cygpath > /dev/null 2>&1; then
            basedir=`cygpath -w "$basedir"`
        fi
    ;;
 esac
 if [ -z "$NODE_PATH" ]; then
  export NODE_PATH="/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/vite@6.4.3_sugarss@5.0.1_postcss@8.5.15_/node_modules/vite/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/vite@6.4.3_sugarss@5.0.1_postcss@8.5.15_/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/node_modules"
 else
  export NODE_PATH="/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/vite@6.4.3_sugarss@5.0.1_postcss@8.5.15_/node_modules/vite/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/vite@6.4.3_sugarss@5.0.1_postcss@8.5.15_/node_modules:/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
  exec "$basedir/node"  "$basedir/../vite/bin/vite.js" "$@"
 else
  exec node  "$basedir/../vite/bin/vite.js" "$@"
 fi
 # cmd-shim-target=/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web/node_modules/vite/bin/vite.js
@@ -0,0 +1,345 @@
 {
  "hoistedDependencies": {
    "@floating-ui/react@0.27.19(react-dom@19.2.7(react@19.2.7))(react@19.2.7)": {
      "@floating-ui/react": "private"
    },
    "clsx@2.1.1": {
      "clsx": "private"
    },
    "react-number-format@5.4.5(react-dom@19.2.7(react@19.2.7))(react@19.2.7)": {
      "react-number-format": "private"
    },
    "react-remove-scroll@2.7.2(@types/react@19.2.17)(react@19.2.7)": {
      "react-remove-scroll": "private"
    },
    "type-fest@5.7.0": {
      "type-fest": "private"
    },
    "@tabler/icons@3.44.0": {
      "@tabler/icons": "private"
    },
    "csstype@3.2.3": {
      "csstype": "private"
    },
    "@babel/core@7.29.7": {
      "@babel/core": "private"
    },
    "react-refresh@0.17.0": {
      "react-refresh": "private"
    },
    "@types/babel__core@7.20.5": {
      "@types/babel__core": "private"
    },
    "@rolldown/pluginutils@1.0.0-beta.27": {
      "@rolldown/pluginutils": "private"
    },
    "@babel/plugin-transform-react-jsx-self@7.29.7(@babel/core@7.29.7)": {
      "@babel/plugin-transform-react-jsx-self": "private"
    },
    "@babel/plugin-transform-react-jsx-source@7.29.7(@babel/core@7.29.7)": {
      "@babel/plugin-transform-react-jsx-source": "private"
    },
    "postcss-mixins@12.1.2(postcss@8.5.15)": {
      "postcss-mixins": "private"
    },
    "postcss-nested@7.0.2(postcss@8.5.15)": {
      "postcss-nested": "private"
    },
    "nanoid@3.3.12": {
      "nanoid": "private"
    },
    "picocolors@1.1.1": {
      "picocolors": "private"
    },
    "source-map-js@1.2.1": {
      "source-map-js": "private"
    },
    "scheduler@0.27.0": {
      "scheduler": "private"
    },
    "esbuild@0.25.12": {
      "esbuild": "private"
    },
    "fdir@6.5.0(picomatch@4.0.4)": {
      "fdir": "private"
    },
    "picomatch@4.0.4": {
      "picomatch": "private"
    },
    "rollup@4.61.1": {
      "rollup": "private"
    },
    "tinyglobby@0.2.17": {
      "tinyglobby": "private"
    },
    "sugarss@5.0.1(postcss@8.5.15)": {
      "sugarss": "private"
    },
    "@babel/code-frame@7.29.7": {
      "@babel/code-frame": "private"
    },
    "@babel/generator@7.29.7": {
      "@babel/generator": "private"
    },
    "@babel/helper-compilation-targets@7.29.7": {
      "@babel/helper-compilation-targets": "private"
    },
    "@babel/helper-module-transforms@7.29.7(@babel/core@7.29.7)": {
      "@babel/helper-module-transforms": "private"
    },
    "@babel/helpers@7.29.7": {
      "@babel/helpers": "private"
    },
    "@babel/parser@7.29.7": {
      "@babel/parser": "private"
    },
    "@babel/template@7.29.7": {
      "@babel/template": "private"
    },
    "@babel/traverse@7.29.7": {
      "@babel/traverse": "private"
    },
    "@babel/types@7.29.7": {
      "@babel/types": "private"
    },
    "@jridgewell/remapping@2.3.5": {
      "@jridgewell/remapping": "private"
    },
    "convert-source-map@2.0.0": {
      "convert-source-map": "private"
    },
    "debug@4.4.3": {
      "debug": "private"
    },
    "gensync@1.0.0-beta.2": {
      "gensync": "private"
    },
    "json5@2.2.3": {
      "json5": "private"
    },
    "semver@6.3.1": {
      "semver": "private"
    },
    "@babel/helper-plugin-utils@7.29.7": {
      "@babel/helper-plugin-utils": "private"
    },
    "tabbable@6.4.0": {
      "tabbable": "private"
    },
    "@floating-ui/react-dom@2.1.8(react-dom@19.2.7(react@19.2.7))(react@19.2.7)": {
      "@floating-ui/react-dom": "private"
    },
    "@floating-ui/utils@0.2.11": {
      "@floating-ui/utils": "private"
    },
    "@types/babel__template@7.4.4": {
      "@types/babel__template": "private"
    },
    "@types/babel__traverse@7.28.0": {
      "@types/babel__traverse": "private"
    },
    "@types/babel__generator@7.27.0": {
      "@types/babel__generator": "private"
    },
    "@esbuild/linux-x64@0.25.12": {
      "@esbuild/linux-x64": "private"
    },
    "postcss-js@4.1.0(postcss@8.5.15)": {
      "postcss-js": "private"
    },
    "postcss-selector-parser@7.1.1": {
      "postcss-selector-parser": "private"
    },
    "react-remove-scroll-bar@2.3.8(@types/react@19.2.17)(react@19.2.7)": {
      "react-remove-scroll-bar": "private"
    },
    "react-style-singleton@2.2.3(@types/react@19.2.17)(react@19.2.7)": {
      "react-style-singleton": "private"
    },
    "tslib@2.8.1": {
      "tslib": "private"
    },
    "use-callback-ref@1.3.3(@types/react@19.2.17)(react@19.2.7)": {
      "use-callback-ref": "private"
    },
    "use-sidecar@1.1.3(@types/react@19.2.17)(react@19.2.7)": {
      "use-sidecar": "private"
    },
    "@rollup/rollup-linux-x64-gnu@4.61.1": {
      "@rollup/rollup-linux-x64-gnu": "private"
    },
    "@types/estree@1.0.9": {
      "@types/estree": "private"
    },
    "tagged-tag@1.0.0": {
      "tagged-tag": "private"
    },
    "@babel/helper-validator-identifier@7.29.7": {
      "@babel/helper-validator-identifier": "private"
    },
    "js-tokens@4.0.0": {
      "js-tokens": "private"
    },
    "@jridgewell/gen-mapping@0.3.13": {
      "@jridgewell/gen-mapping": "private"
    },
    "@jridgewell/trace-mapping@0.3.31": {
      "@jridgewell/trace-mapping": "private"
    },
    "jsesc@3.1.0": {
      "jsesc": "private"
    },
    "@babel/compat-data@7.29.7": {
      "@babel/compat-data": "private"
    },
    "@babel/helper-validator-option@7.29.7": {
      "@babel/helper-validator-option": "private"
    },
    "browserslist@4.28.2": {
      "browserslist": "private"
    },
    "lru-cache@5.1.1": {
      "lru-cache": "private"
    },
    "@babel/helper-module-imports@7.29.7": {
      "@babel/helper-module-imports": "private"
    },
    "@babel/helper-globals@7.29.7": {
      "@babel/helper-globals": "private"
    },
    "@babel/helper-string-parser@7.29.7": {
      "@babel/helper-string-parser": "private"
    },
    "@floating-ui/dom@1.7.6": {
      "@floating-ui/dom": "private"
    },
    "ms@2.1.3": {
      "ms": "private"
    },
    "camelcase-css@2.0.1": {
      "camelcase-css": "private"
    },
    "cssesc@3.0.0": {
      "cssesc": "private"
    },
    "util-deprecate@1.0.2": {
      "util-deprecate": "private"
    },
    "get-nonce@1.0.1": {
      "get-nonce": "private"
    },
    "detect-node-es@1.1.0": {
      "detect-node-es": "private"
    },
    "@floating-ui/core@1.7.5": {
      "@floating-ui/core": "private"
    },
    "@jridgewell/sourcemap-codec@1.5.5": {
      "@jridgewell/sourcemap-codec": "private"
    },
    "@jridgewell/resolve-uri@3.1.2": {
      "@jridgewell/resolve-uri": "private"
    },
    "baseline-browser-mapping@2.10.34": {
      "baseline-browser-mapping": "private"
    },
    "caniuse-lite@1.0.30001797": {
      "caniuse-lite": "private"
    },
    "electron-to-chromium@1.5.368": {
      "electron-to-chromium": "private"
    },
    "node-releases@2.0.47": {
      "node-releases": "private"
    },
    "update-browserslist-db@1.2.3(browserslist@4.28.2)": {
      "update-browserslist-db": "private"
    },
    "yallist@3.1.1": {
      "yallist": "private"
    },
    "escalade@3.2.0": {
      "escalade": "private"
    },
    "@scure/base@2.2.0": {
      "@scure/base": "private"
    }
  },
  "hoistPattern": [
    "*"
  ],
  "included": {
    "dependencies": true,
    "devDependencies": true,
    "optionalDependencies": true
  },
  "injectedDeps": {},
  "layoutVersion": 5,
  "nodeLinker": "isolated",
  "packageManager": "pnpm@11.5.0",
  "pendingBuilds": [],
  "publicHoistPattern": [],
  "prunedAt": "Sun, 07 Jun 2026 15:50:34 GMT",
  "registries": {
    "default": "https://registry.npmjs.org/",
    "@jsr": "https://npm.jsr.io/"
  },
  "skipped": [
    "@esbuild/aix-ppc64@0.25.12",
    "@esbuild/android-arm64@0.25.12",
    "@esbuild/android-arm@0.25.12",
    "@esbuild/android-x64@0.25.12",
    "@esbuild/darwin-arm64@0.25.12",
    "@esbuild/darwin-x64@0.25.12",
    "@esbuild/freebsd-arm64@0.25.12",
    "@esbuild/freebsd-x64@0.25.12",
    "@esbuild/linux-arm64@0.25.12",
    "@esbuild/linux-arm@0.25.12",
    "@esbuild/linux-ia32@0.25.12",
    "@esbuild/linux-loong64@0.25.12",
    "@esbuild/linux-mips64el@0.25.12",
    "@esbuild/linux-ppc64@0.25.12",
    "@esbuild/linux-riscv64@0.25.12",
    "@esbuild/linux-s390x@0.25.12",
    "@esbuild/netbsd-arm64@0.25.12",
    "@esbuild/netbsd-x64@0.25.12",
    "@esbuild/openbsd-arm64@0.25.12",
    "@esbuild/openbsd-x64@0.25.12",
    "@esbuild/openharmony-arm64@0.25.12",
    "@esbuild/sunos-x64@0.25.12",
    "@esbuild/win32-arm64@0.25.12",
    "@esbuild/win32-ia32@0.25.12",
    "@esbuild/win32-x64@0.25.12",
    "@rollup/rollup-android-arm-eabi@4.61.1",
    "@rollup/rollup-android-arm64@4.61.1",
    "@rollup/rollup-darwin-arm64@4.61.1",
    "@rollup/rollup-darwin-x64@4.61.1",
    "@rollup/rollup-freebsd-arm64@4.61.1",
    "@rollup/rollup-freebsd-x64@4.61.1",
    "@rollup/rollup-linux-arm-gnueabihf@4.61.1",
    "@rollup/rollup-linux-arm-musleabihf@4.61.1",
    "@rollup/rollup-linux-arm64-gnu@4.61.1",
    "@rollup/rollup-linux-arm64-musl@4.61.1",
    "@rollup/rollup-linux-loong64-gnu@4.61.1",
    "@rollup/rollup-linux-loong64-musl@4.61.1",
    "@rollup/rollup-linux-ppc64-gnu@4.61.1",
    "@rollup/rollup-linux-ppc64-musl@4.61.1",
    "@rollup/rollup-linux-riscv64-gnu@4.61.1",
    "@rollup/rollup-linux-riscv64-musl@4.61.1",
    "@rollup/rollup-linux-s390x-gnu@4.61.1",
    "@rollup/rollup-linux-x64-musl@4.61.1",
    "@rollup/rollup-openbsd-x64@4.61.1",
    "@rollup/rollup-openharmony-arm64@4.61.1",
    "@rollup/rollup-win32-arm64-msvc@4.61.1",
    "@rollup/rollup-win32-ia32-msvc@4.61.1",
    "@rollup/rollup-win32-x64-gnu@4.61.1",
    "@rollup/rollup-win32-x64-msvc@4.61.1",
    "fsevents@2.3.3"
  ],
  "storeDir": "/home/enmanuel/.local/share/pnpm/store/v11",
  "virtualStoreDir": ".pnpm",
  "virtualStoreDirMaxLength": 120,
  "allowBuilds": {
    "esbuild": true
  }
 }
@@ -0,0 +1,41 @@
 {
  "lastValidatedTimestamp": 1781378216062,
  "projects": {
    "/home/enmanuel/fn_registry/projects/message_bus/apps/unibus/web": {
      "name": "unibus-web",
      "version": "0.1.0"
    }
  },
  "pnpmfiles": [],
  "settings": {
    "allowBuilds": {
      "esbuild": true
    },
    "autoInstallPeers": true,
    "catalogs": {},
    "dedupeDirectDeps": false,
    "dedupeInjectedDeps": true,
    "dedupePeerDependents": true,
    "dedupePeers": false,
    "dev": true,
    "excludeLinksFromLockfile": false,
    "hoistPattern": [
      "*"
    ],
    "hoistWorkspacePackages": true,
    "injectWorkspacePackages": false,
    "linkWorkspacePackages": false,
    "minimumReleaseAge": 1440,
    "minimumReleaseAgeIgnoreMissingTime": true,
    "nodeLinker": "isolated",
    "optional": true,
    "peersSuffixMaxLength": 1000,
    "preferWorkspacePackages": false,
    "production": true,
    "publicHoistPattern": [],
    "workspacePackagePatterns": [
      "."
    ]
  },
  "filteredInstall": false
 }
@@ -0,0 +1,22 @@
 MIT License
 Copyright (c) 2014-present Sebastian McKenzie and other contributors
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
 "Software"), to deal in the Software without restriction, including
 without limitation the rights to use, copy, modify, merge, publish,
 distribute, sublicense, and/or sell copies of the Software, and to
 permit persons to whom the Software is furnished to do so, subject to
 the following conditions:
 The above copyright notice and this permission notice shall be
 included in all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,19 @@
 # @babel/code-frame
 > Generate errors that contain a code frame that point to source locations.
 See our website [@babel/code-frame](https://babeljs.io/docs/babel-code-frame) for more information.
 ## Install
 Using npm:
 ```sh
 npm install --save-dev @babel/code-frame
 ```
 or using yarn:
 ```sh
 yarn add @babel/code-frame --dev
 ```
@@ -0,0 +1,217 @@
 'use strict';
 Object.defineProperty(exports, '__esModule', { value: true });
 var picocolors = require('picocolors');
 var jsTokens = require('js-tokens');
 var helperValidatorIdentifier = require('@babel/helper-validator-identifier');
 function isColorSupported() {
  return (typeof process === "object" && (process.env.FORCE_COLOR === "0" || process.env.FORCE_COLOR === "false") ? false : picocolors.isColorSupported
  );
 }
 const compose = (f, g) => v => f(g(v));
 function buildDefs(colors) {
  return {
    keyword: colors.cyan,
    capitalized: colors.yellow,
    jsxIdentifier: colors.yellow,
    punctuator: colors.yellow,
    number: colors.magenta,
    string: colors.green,
    regex: colors.magenta,
    comment: colors.gray,
    invalid: compose(compose(colors.white, colors.bgRed), colors.bold),
    gutter: colors.gray,
    marker: compose(colors.red, colors.bold),
    message: compose(colors.red, colors.bold),
    reset: colors.reset
  };
 }
 const defsOn = buildDefs(picocolors.createColors(true));
 const defsOff = buildDefs(picocolors.createColors(false));
 function getDefs(enabled) {
  return enabled ? defsOn : defsOff;
 }
 const sometimesKeywords = new Set(["as", "async", "from", "get", "of", "set"]);
 const NEWLINE$1 = /\r\n|[\n\r\u2028\u2029]/;
 const BRACKET = /^[()[\]{}]$/;
 let tokenize;
 const JSX_TAG = /^[a-z][\w-]*$/i;
 const getTokenType = function (token, offset, text) {
  if (token.type === "name") {
    const tokenValue = token.value;
    if (helperValidatorIdentifier.isKeyword(tokenValue) || helperValidatorIdentifier.isStrictReservedWord(tokenValue, true) || sometimesKeywords.has(tokenValue)) {
      return "keyword";
    }
    if (JSX_TAG.test(tokenValue) && (text[offset - 1] === "<" || text.slice(offset - 2, offset) === "</")) {
      return "jsxIdentifier";
    }
    const firstChar = String.fromCodePoint(tokenValue.codePointAt(0));
    if (firstChar !== firstChar.toLowerCase()) {
      return "capitalized";
    }
  }
  if (token.type === "punctuator" && BRACKET.test(token.value)) {
    return "bracket";
  }
  if (token.type === "invalid" && (token.value === "@" || token.value === "#")) {
    return "punctuator";
  }
  return token.type;
 };
 tokenize = function* (text) {
  let match;
  while (match = jsTokens.default.exec(text)) {
    const token = jsTokens.matchToToken(match);
    yield {
      type: getTokenType(token, match.index, text),
      value: token.value
    };
  }
 };
 function highlight(text) {
  if (text === "") return "";
  const defs = getDefs(true);
  let highlighted = "";
  for (const {
    type,
    value
  } of tokenize(text)) {
    if (type in defs) {
      highlighted += value.split(NEWLINE$1).map(str => defs[type](str)).join("\n");
    } else {
      highlighted += value;
    }
  }
  return highlighted;
 }
 let deprecationWarningShown = false;
 const NEWLINE = /\r\n|[\n\r\u2028\u2029]/;
 function getMarkerLines(loc, source, opts, startLineBaseZero) {
  const startLoc = Object.assign({
    column: 0,
    line: -1
  }, loc.start);
  const endLoc = Object.assign({}, startLoc, loc.end);
  const {
    linesAbove = 2,
    linesBelow = 3
  } = opts || {};
  const startLine = startLoc.line - startLineBaseZero;
  const startColumn = startLoc.column;
  const endLine = endLoc.line - startLineBaseZero;
  const endColumn = endLoc.column;
  let start = Math.max(startLine - (linesAbove + 1), 0);
  let end = Math.min(source.length, endLine + linesBelow);
  if (startLine === -1) {
    start = 0;
  }
  if (endLine === -1) {
    end = source.length;
  }
  const lineDiff = endLine - startLine;
  const markerLines = {};
  if (lineDiff) {
    for (let i = 0; i <= lineDiff; i++) {
      const lineNumber = i + startLine;
      if (!startColumn) {
        markerLines[lineNumber] = true;
      } else if (i === 0) {
        const sourceLength = source[lineNumber - 1].length;
        markerLines[lineNumber] = [startColumn, sourceLength - startColumn + 1];
      } else if (i === lineDiff) {
        markerLines[lineNumber] = [0, endColumn];
      } else {
        const sourceLength = source[lineNumber - i].length;
        markerLines[lineNumber] = [0, sourceLength];
      }
    }
  } else {
    if (startColumn === endColumn) {
      if (startColumn) {
        markerLines[startLine] = [startColumn, 0];
      } else {
        markerLines[startLine] = true;
      }
    } else {
      markerLines[startLine] = [startColumn, endColumn - startColumn];
    }
  }
  return {
    start,
    end,
    markerLines
  };
 }
 function codeFrameColumns(rawLines, loc, opts = {}) {
  const shouldHighlight = opts.forceColor || isColorSupported() && opts.highlightCode;
  const startLineBaseZero = (opts.startLine || 1) - 1;
  const defs = getDefs(shouldHighlight);
  const lines = rawLines.split(NEWLINE);
  const {
    start,
    end,
    markerLines
  } = getMarkerLines(loc, lines, opts, startLineBaseZero);
  const hasColumns = loc.start && typeof loc.start.column === "number";
  const numberMaxWidth = String(end + startLineBaseZero).length;
  const highlightedLines = shouldHighlight ? highlight(rawLines) : rawLines;
  let frame = highlightedLines.split(NEWLINE, end).slice(start, end).map((line, index) => {
    const number = start + 1 + index;
    const paddedNumber = ` ${number + startLineBaseZero}`.slice(-numberMaxWidth);
    const gutter = ` ${paddedNumber} |`;
    const hasMarker = markerLines[number];
    const lastMarkerLine = !markerLines[number + 1];
    if (hasMarker) {
      let markerLine = "";
      if (Array.isArray(hasMarker)) {
        const markerSpacing = line.slice(0, Math.max(hasMarker[0] - 1, 0)).replace(/[^\t]/g, " ");
        const numberOfMarkers = hasMarker[1] || 1;
        markerLine = ["\n ", defs.gutter(gutter.replace(/\d/g, " ")), " ", markerSpacing, defs.marker("^").repeat(numberOfMarkers)].join("");
        if (lastMarkerLine && opts.message) {
          markerLine += " " + defs.message(opts.message);
        }
      }
      return [defs.marker(">"), defs.gutter(gutter), line.length > 0 ? ` ${line}` : "", markerLine].join("");
    } else {
      return ` ${defs.gutter(gutter)}${line.length > 0 ? ` ${line}` : ""}`;
    }
  }).join("\n");
  if (opts.message && !hasColumns) {
    frame = `${" ".repeat(numberMaxWidth + 1)}${opts.message}\n${frame}`;
  }
  if (shouldHighlight) {
    return defs.reset(frame);
  } else {
    return frame;
  }
 }
 function index (rawLines, lineNumber, colNumber, opts = {}) {
  if (!deprecationWarningShown) {
    deprecationWarningShown = true;
    const message = "Passing lineNumber and colNumber is deprecated to @babel/code-frame. Please use `codeFrameColumns`.";
    if (process.emitWarning) {
      process.emitWarning(message, "DeprecationWarning");
    } else {
      const deprecationError = new Error(message);
      deprecationError.name = "DeprecationWarning";
      console.warn(new Error(message));
    }
  }
  colNumber = Math.max(colNumber, 0);
  const location = {
    start: {
      column: colNumber,
      line: lineNumber
    }
  };
  return codeFrameColumns(rawLines, location, opts);
 }
 exports.codeFrameColumns = codeFrameColumns;
 exports.default = index;
 exports.highlight = highlight;
 //# sourceMappingURL=index.js.map
@@ -0,0 +1,32 @@
 {
  "name": "@babel/code-frame",
  "version": "7.29.7",
  "description": "Generate errors that contain a code frame that point to source locations.",
  "author": "The Babel Team (https://babel.dev/team)",
  "homepage": "https://babel.dev/docs/en/next/babel-code-frame",
  "bugs": "https://github.com/babel/babel/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen",
  "license": "MIT",
  "publishConfig": {
    "access": "public"
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/babel/babel.git",
    "directory": "packages/babel-code-frame"
  },
  "main": "./lib/index.js",
  "dependencies": {
    "@babel/helper-validator-identifier": "^7.29.7",
    "js-tokens": "^4.0.0",
    "picocolors": "^1.1.1"
  },
  "devDependencies": {
    "charcodes": "^0.2.0",
    "import-meta-resolve": "^4.1.0",
    "strip-ansi": "^4.0.0"
  },
  "engines": {
    "node": ">=6.9.0"
  },
  "type": "commonjs"
 }
@@ -0,0 +1 @@
 ../../../@babel+helper-validator-identifier@7.29.7/node_modules/@babel/helper-validator-identifier
@@ -0,0 +1 @@
 ../../js-tokens@4.0.0/node_modules/js-tokens
@@ -0,0 +1 @@
 ../../picocolors@1.1.1/node_modules/picocolors
@@ -0,0 +1,22 @@
 MIT License
 Copyright (c) 2014-present Sebastian McKenzie and other contributors
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
 "Software"), to deal in the Software without restriction, including
 without limitation the rights to use, copy, modify, merge, publish,
 distribute, sublicense, and/or sell copies of the Software, and to
 permit persons to whom the Software is furnished to do so, subject to
 the following conditions:
 The above copyright notice and this permission notice shall be
 included in all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,19 @@
 # @babel/compat-data
 > The compat-data to determine required Babel plugins
 See our website [@babel/compat-data](https://babeljs.io/docs/babel-compat-data) for more information.
 ## Install
 Using npm:
 ```sh
 npm install --save @babel/compat-data
 ```
 or using yarn:
 ```sh
 yarn add @babel/compat-data
 ```
@@ -0,0 +1,2 @@
 // Todo (Babel 8): remove this file as Babel 8 drop support of core-js 2
 module.exports = require("./data/corejs2-built-ins.json");
@@ -0,0 +1,2 @@
 // Todo (Babel 8): remove this file now that it is included in babel-plugin-polyfill-corejs3
 module.exports = require("./data/corejs3-shipped-proposals.json");
@@ -0,0 +1,5 @@
 [
  "esnext.promise.all-settled",
  "esnext.string.match-all",
  "esnext.global-this"
 ]
@@ -0,0 +1,18 @@
 {
  "es6.module": {
    "chrome": "61",
    "and_chr": "61",
    "edge": "16",
    "firefox": "60",
    "and_ff": "60",
    "node": "13.2.0",
    "opera": "48",
    "op_mob": "45",
    "safari": "10.1",
    "ios": "10.3",
    "samsung": "8.2",
    "android": "61",
    "electron": "2.0",
    "ios_saf": "10.3"
  }
 }
@@ -0,0 +1,38 @@
 {
  "transform-async-to-generator": [
    "bugfix/transform-async-arrows-in-class"
  ],
  "transform-parameters": [
    "bugfix/transform-edge-default-parameters",
    "bugfix/transform-safari-id-destructuring-collision-in-function-expression"
  ],
  "transform-function-name": [
    "bugfix/transform-edge-function-name"
  ],
  "transform-block-scoping": [
    "bugfix/transform-safari-block-shadowing",
    "bugfix/transform-safari-for-shadowing"
  ],
  "transform-destructuring": [
    "bugfix/transform-safari-rest-destructuring-rhs-array"
  ],
  "transform-template-literals": [
    "bugfix/transform-tagged-template-caching"
  ],
  "transform-optional-chaining": [
    "bugfix/transform-v8-spread-parameters-in-optional-chaining"
  ],
  "proposal-optional-chaining": [
    "bugfix/transform-v8-spread-parameters-in-optional-chaining"
  ],
  "transform-class-properties": [
    "bugfix/transform-v8-static-class-fields-redefine-readonly",
    "bugfix/transform-firefox-class-in-computed-class-key",
    "bugfix/transform-safari-class-field-initializer-scope"
  ],
  "proposal-class-properties": [
    "bugfix/transform-v8-static-class-fields-redefine-readonly",
    "bugfix/transform-firefox-class-in-computed-class-key",
    "bugfix/transform-safari-class-field-initializer-scope"
  ]
 }
@@ -0,0 +1,231 @@
 {
  "bugfix/transform-async-arrows-in-class": {
    "chrome": "55",
    "opera": "42",
    "edge": "15",
    "firefox": "52",
    "safari": "11",
    "node": "7.6",
    "deno": "1",
    "ios": "11",
    "samsung": "6",
    "opera_mobile": "42",
    "electron": "1.6"
  },
  "bugfix/transform-edge-default-parameters": {
    "chrome": "49",
    "opera": "36",
    "edge": "18",
    "firefox": "52",
    "safari": "10",
    "node": "6",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "36",
    "electron": "0.37"
  },
  "bugfix/transform-edge-function-name": {
    "chrome": "51",
    "opera": "38",
    "edge": "79",
    "firefox": "53",
    "safari": "10",
    "node": "6.5",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "rhino": "1.9",
    "opera_mobile": "41",
    "electron": "1.2"
  },
  "bugfix/transform-safari-block-shadowing": {
    "chrome": "49",
    "opera": "36",
    "edge": "12",
    "firefox": "44",
    "safari": "11",
    "node": "6",
    "deno": "1",
    "ie": "11",
    "ios": "11",
    "samsung": "5",
    "opera_mobile": "36",
    "electron": "0.37"
  },
  "bugfix/transform-safari-for-shadowing": {
    "chrome": "49",
    "opera": "36",
    "edge": "12",
    "firefox": "4",
    "safari": "11",
    "node": "6",
    "deno": "1",
    "ie": "11",
    "ios": "11",
    "samsung": "5",
    "rhino": "1.7.13",
    "opera_mobile": "36",
    "electron": "0.37"
  },
  "bugfix/transform-safari-id-destructuring-collision-in-function-expression": {
    "chrome": "49",
    "opera": "36",
    "edge": "14",
    "firefox": "2",
    "safari": "16.3",
    "node": "6",
    "deno": "1",
    "ios": "16.3",
    "samsung": "5",
    "opera_mobile": "36",
    "electron": "0.37"
  },
  "bugfix/transform-safari-rest-destructuring-rhs-array": {
    "chrome": "49",
    "opera": "36",
    "edge": "14",
    "firefox": "34",
    "safari": "14.1",
    "node": "6",
    "deno": "1",
    "ios": "14.5",
    "samsung": "5",
    "opera_mobile": "36",
    "electron": "0.37"
  },
  "bugfix/transform-tagged-template-caching": {
    "chrome": "41",
    "opera": "28",
    "edge": "12",
    "firefox": "34",
    "safari": "13",
    "node": "4",
    "deno": "1",
    "ios": "13",
    "samsung": "3.4",
    "rhino": "1.7.14",
    "opera_mobile": "28",
    "electron": "0.21"
  },
  "bugfix/transform-v8-spread-parameters-in-optional-chaining": {
    "chrome": "91",
    "opera": "77",
    "edge": "91",
    "firefox": "74",
    "safari": "13.1",
    "node": "16.9",
    "deno": "1.9",
    "ios": "13.4",
    "samsung": "16",
    "opera_mobile": "64",
    "electron": "13.0"
  },
  "transform-optional-chaining": {
    "chrome": "80",
    "opera": "67",
    "edge": "80",
    "firefox": "74",
    "safari": "13.1",
    "node": "14",
    "deno": "1",
    "ios": "13.4",
    "samsung": "13",
    "rhino": "1.8",
    "opera_mobile": "57",
    "electron": "8.0"
  },
  "proposal-optional-chaining": {
    "chrome": "80",
    "opera": "67",
    "edge": "80",
    "firefox": "74",
    "safari": "13.1",
    "node": "14",
    "deno": "1",
    "ios": "13.4",
    "samsung": "13",
    "rhino": "1.8",
    "opera_mobile": "57",
    "electron": "8.0"
  },
  "transform-parameters": {
    "chrome": "49",
    "opera": "36",
    "edge": "15",
    "firefox": "52",
    "safari": "10",
    "node": "6",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "36",
    "electron": "0.37"
  },
  "transform-async-to-generator": {
    "chrome": "55",
    "opera": "42",
    "edge": "15",
    "firefox": "52",
    "safari": "10.1",
    "node": "7.6",
    "deno": "1",
    "ios": "10.3",
    "samsung": "6",
    "opera_mobile": "42",
    "electron": "1.6"
  },
  "transform-template-literals": {
    "chrome": "41",
    "opera": "28",
    "edge": "13",
    "firefox": "34",
    "safari": "9",
    "node": "4",
    "deno": "1",
    "ios": "9",
    "samsung": "3.4",
    "rhino": "1.9",
    "opera_mobile": "28",
    "electron": "0.21"
  },
  "transform-function-name": {
    "chrome": "51",
    "opera": "38",
    "edge": "14",
    "firefox": "53",
    "safari": "10",
    "node": "6.5",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "41",
    "electron": "1.2"
  },
  "transform-destructuring": {
    "chrome": "51",
    "opera": "38",
    "edge": "15",
    "firefox": "53",
    "safari": "10",
    "node": "6.5",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "41",
    "electron": "1.2"
  },
  "transform-block-scoping": {
    "chrome": "50",
    "opera": "37",
    "edge": "14",
    "firefox": "53",
    "safari": "10",
    "node": "6",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "37",
    "electron": "1.1"
  }
 }
@@ -0,0 +1,843 @@
 {
  "transform-explicit-resource-management": {
    "chrome": "141",
    "edge": "141",
    "firefox": "141",
    "node": "25",
    "electron": "39.0"
  },
  "transform-duplicate-named-capturing-groups-regex": {
    "chrome": "126",
    "opera": "112",
    "edge": "126",
    "firefox": "129",
    "safari": "17.4",
    "node": "23",
    "ios": "17.4",
    "rhino": "1.9",
    "electron": "31.0"
  },
  "transform-regexp-modifiers": {
    "chrome": "125",
    "opera": "111",
    "edge": "125",
    "firefox": "132",
    "node": "23",
    "samsung": "27",
    "electron": "31.0"
  },
  "transform-unicode-sets-regex": {
    "chrome": "112",
    "opera": "98",
    "edge": "112",
    "firefox": "116",
    "safari": "17",
    "node": "20",
    "deno": "1.32",
    "ios": "17",
    "samsung": "23",
    "opera_mobile": "75",
    "electron": "24.0"
  },
  "bugfix/transform-v8-static-class-fields-redefine-readonly": {
    "chrome": "98",
    "opera": "84",
    "edge": "98",
    "firefox": "75",
    "safari": "15",
    "node": "12",
    "deno": "1.18",
    "ios": "15",
    "samsung": "11",
    "opera_mobile": "52",
    "electron": "17.0"
  },
  "bugfix/transform-firefox-class-in-computed-class-key": {
    "chrome": "74",
    "opera": "62",
    "edge": "79",
    "firefox": "126",
    "safari": "16",
    "node": "12",
    "deno": "1",
    "ios": "16",
    "samsung": "11",
    "opera_mobile": "53",
    "electron": "6.0"
  },
  "bugfix/transform-safari-class-field-initializer-scope": {
    "chrome": "74",
    "opera": "62",
    "edge": "79",
    "firefox": "69",
    "safari": "16",
    "node": "12",
    "deno": "1",
    "ios": "16",
    "samsung": "11",
    "opera_mobile": "53",
    "electron": "6.0"
  },
  "transform-class-static-block": {
    "chrome": "94",
    "opera": "80",
    "edge": "94",
    "firefox": "93",
    "safari": "16.4",
    "node": "16.11",
    "deno": "1.14",
    "ios": "16.4",
    "samsung": "17",
    "opera_mobile": "66",
    "electron": "15.0"
  },
  "proposal-class-static-block": {
    "chrome": "94",
    "opera": "80",
    "edge": "94",
    "firefox": "93",
    "safari": "16.4",
    "node": "16.11",
    "deno": "1.14",
    "ios": "16.4",
    "samsung": "17",
    "opera_mobile": "66",
    "electron": "15.0"
  },
  "transform-private-property-in-object": {
    "chrome": "91",
    "opera": "77",
    "edge": "91",
    "firefox": "90",
    "safari": "15",
    "node": "16.9",
    "deno": "1.9",
    "ios": "15",
    "samsung": "16",
    "opera_mobile": "64",
    "electron": "13.0"
  },
  "proposal-private-property-in-object": {
    "chrome": "91",
    "opera": "77",
    "edge": "91",
    "firefox": "90",
    "safari": "15",
    "node": "16.9",
    "deno": "1.9",
    "ios": "15",
    "samsung": "16",
    "opera_mobile": "64",
    "electron": "13.0"
  },
  "transform-class-properties": {
    "chrome": "74",
    "opera": "62",
    "edge": "79",
    "firefox": "90",
    "safari": "14.1",
    "node": "12",
    "deno": "1",
    "ios": "14.5",
    "samsung": "11",
    "opera_mobile": "53",
    "electron": "6.0"
  },
  "proposal-class-properties": {
    "chrome": "74",
    "opera": "62",
    "edge": "79",
    "firefox": "90",
    "safari": "14.1",
    "node": "12",
    "deno": "1",
    "ios": "14.5",
    "samsung": "11",
    "opera_mobile": "53",
    "electron": "6.0"
  },
  "transform-private-methods": {
    "chrome": "84",
    "opera": "70",
    "edge": "84",
    "firefox": "90",
    "safari": "15",
    "node": "14.6",
    "deno": "1",
    "ios": "15",
    "samsung": "14",
    "opera_mobile": "60",
    "electron": "10.0"
  },
  "proposal-private-methods": {
    "chrome": "84",
    "opera": "70",
    "edge": "84",
    "firefox": "90",
    "safari": "15",
    "node": "14.6",
    "deno": "1",
    "ios": "15",
    "samsung": "14",
    "opera_mobile": "60",
    "electron": "10.0"
  },
  "transform-numeric-separator": {
    "chrome": "75",
    "opera": "62",
    "edge": "79",
    "firefox": "70",
    "safari": "13",
    "node": "12.5",
    "deno": "1",
    "ios": "13",
    "samsung": "11",
    "rhino": "1.7.14",
    "opera_mobile": "54",
    "electron": "6.0"
  },
  "proposal-numeric-separator": {
    "chrome": "75",
    "opera": "62",
    "edge": "79",
    "firefox": "70",
    "safari": "13",
    "node": "12.5",
    "deno": "1",
    "ios": "13",
    "samsung": "11",
    "rhino": "1.7.14",
    "opera_mobile": "54",
    "electron": "6.0"
  },
  "transform-logical-assignment-operators": {
    "chrome": "85",
    "opera": "71",
    "edge": "85",
    "firefox": "79",
    "safari": "14",
    "node": "15",
    "deno": "1.2",
    "ios": "14",
    "samsung": "14",
    "opera_mobile": "60",
    "electron": "10.0"
  },
  "proposal-logical-assignment-operators": {
    "chrome": "85",
    "opera": "71",
    "edge": "85",
    "firefox": "79",
    "safari": "14",
    "node": "15",
    "deno": "1.2",
    "ios": "14",
    "samsung": "14",
    "opera_mobile": "60",
    "electron": "10.0"
  },
  "transform-nullish-coalescing-operator": {
    "chrome": "80",
    "opera": "67",
    "edge": "80",
    "firefox": "72",
    "safari": "13.1",
    "node": "14",
    "deno": "1",
    "ios": "13.4",
    "samsung": "13",
    "rhino": "1.8",
    "opera_mobile": "57",
    "electron": "8.0"
  },
  "proposal-nullish-coalescing-operator": {
    "chrome": "80",
    "opera": "67",
    "edge": "80",
    "firefox": "72",
    "safari": "13.1",
    "node": "14",
    "deno": "1",
    "ios": "13.4",
    "samsung": "13",
    "rhino": "1.8",
    "opera_mobile": "57",
    "electron": "8.0"
  },
  "transform-optional-chaining": {
    "chrome": "91",
    "opera": "77",
    "edge": "91",
    "firefox": "74",
    "safari": "13.1",
    "node": "16.9",
    "deno": "1.9",
    "ios": "13.4",
    "samsung": "16",
    "opera_mobile": "64",
    "electron": "13.0"
  },
  "proposal-optional-chaining": {
    "chrome": "91",
    "opera": "77",
    "edge": "91",
    "firefox": "74",
    "safari": "13.1",
    "node": "16.9",
    "deno": "1.9",
    "ios": "13.4",
    "samsung": "16",
    "opera_mobile": "64",
    "electron": "13.0"
  },
  "transform-json-strings": {
    "chrome": "66",
    "opera": "53",
    "edge": "79",
    "firefox": "62",
    "safari": "12",
    "node": "10",
    "deno": "1",
    "ios": "12",
    "samsung": "9",
    "rhino": "1.7.14",
    "opera_mobile": "47",
    "electron": "3.0"
  },
  "proposal-json-strings": {
    "chrome": "66",
    "opera": "53",
    "edge": "79",
    "firefox": "62",
    "safari": "12",
    "node": "10",
    "deno": "1",
    "ios": "12",
    "samsung": "9",
    "rhino": "1.7.14",
    "opera_mobile": "47",
    "electron": "3.0"
  },
  "transform-optional-catch-binding": {
    "chrome": "66",
    "opera": "53",
    "edge": "79",
    "firefox": "58",
    "safari": "11.1",
    "node": "10",
    "deno": "1",
    "ios": "11.3",
    "samsung": "9",
    "opera_mobile": "47",
    "electron": "3.0"
  },
  "proposal-optional-catch-binding": {
    "chrome": "66",
    "opera": "53",
    "edge": "79",
    "firefox": "58",
    "safari": "11.1",
    "node": "10",
    "deno": "1",
    "ios": "11.3",
    "samsung": "9",
    "opera_mobile": "47",
    "electron": "3.0"
  },
  "transform-parameters": {
    "chrome": "49",
    "opera": "36",
    "edge": "18",
    "firefox": "52",
    "safari": "16.3",
    "node": "6",
    "deno": "1",
    "ios": "16.3",
    "samsung": "5",
    "opera_mobile": "36",
    "electron": "0.37"
  },
  "transform-async-generator-functions": {
    "chrome": "63",
    "opera": "50",
    "edge": "79",
    "firefox": "57",
    "safari": "12",
    "node": "10",
    "deno": "1",
    "ios": "12",
    "samsung": "8",
    "opera_mobile": "46",
    "electron": "3.0"
  },
  "proposal-async-generator-functions": {
    "chrome": "63",
    "opera": "50",
    "edge": "79",
    "firefox": "57",
    "safari": "12",
    "node": "10",
    "deno": "1",
    "ios": "12",
    "samsung": "8",
    "opera_mobile": "46",
    "electron": "3.0"
  },
  "transform-object-rest-spread": {
    "chrome": "60",
    "opera": "47",
    "edge": "79",
    "firefox": "55",
    "safari": "11.1",
    "node": "8.3",
    "deno": "1",
    "ios": "11.3",
    "samsung": "8",
    "opera_mobile": "44",
    "electron": "2.0"
  },
  "proposal-object-rest-spread": {
    "chrome": "60",
    "opera": "47",
    "edge": "79",
    "firefox": "55",
    "safari": "11.1",
    "node": "8.3",
    "deno": "1",
    "ios": "11.3",
    "samsung": "8",
    "opera_mobile": "44",
    "electron": "2.0"
  },
  "transform-dotall-regex": {
    "chrome": "62",
    "opera": "49",
    "edge": "79",
    "firefox": "78",
    "safari": "11.1",
    "node": "8.10",
    "deno": "1",
    "ios": "11.3",
    "samsung": "8",
    "rhino": "1.7.15",
    "opera_mobile": "46",
    "electron": "3.0"
  },
  "transform-unicode-property-regex": {
    "chrome": "64",
    "opera": "51",
    "edge": "79",
    "firefox": "78",
    "safari": "11.1",
    "node": "10",
    "deno": "1",
    "ios": "11.3",
    "samsung": "9",
    "rhino": "1.9",
    "opera_mobile": "47",
    "electron": "3.0"
  },
  "proposal-unicode-property-regex": {
    "chrome": "64",
    "opera": "51",
    "edge": "79",
    "firefox": "78",
    "safari": "11.1",
    "node": "10",
    "deno": "1",
    "ios": "11.3",
    "samsung": "9",
    "rhino": "1.9",
    "opera_mobile": "47",
    "electron": "3.0"
  },
  "transform-named-capturing-groups-regex": {
    "chrome": "64",
    "opera": "51",
    "edge": "79",
    "firefox": "78",
    "safari": "11.1",
    "node": "10",
    "deno": "1",
    "ios": "11.3",
    "samsung": "9",
    "rhino": "1.9",
    "opera_mobile": "47",
    "electron": "3.0"
  },
  "transform-async-to-generator": {
    "chrome": "55",
    "opera": "42",
    "edge": "15",
    "firefox": "52",
    "safari": "11",
    "node": "7.6",
    "deno": "1",
    "ios": "11",
    "samsung": "6",
    "opera_mobile": "42",
    "electron": "1.6"
  },
  "transform-exponentiation-operator": {
    "chrome": "52",
    "opera": "39",
    "edge": "14",
    "firefox": "52",
    "safari": "10.1",
    "node": "7",
    "deno": "1",
    "ios": "10.3",
    "samsung": "6",
    "rhino": "1.7.14",
    "opera_mobile": "41",
    "electron": "1.3"
  },
  "transform-template-literals": {
    "chrome": "41",
    "opera": "28",
    "edge": "13",
    "firefox": "34",
    "safari": "13",
    "node": "4",
    "deno": "1",
    "ios": "13",
    "samsung": "3.4",
    "rhino": "1.9",
    "opera_mobile": "28",
    "electron": "0.21"
  },
  "transform-literals": {
    "chrome": "44",
    "opera": "31",
    "edge": "12",
    "firefox": "53",
    "safari": "9",
    "node": "4",
    "deno": "1",
    "ios": "9",
    "samsung": "4",
    "rhino": "1.7.15",
    "opera_mobile": "32",
    "electron": "0.30"
  },
  "transform-function-name": {
    "chrome": "51",
    "opera": "38",
    "edge": "79",
    "firefox": "53",
    "safari": "10",
    "node": "6.5",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "41",
    "electron": "1.2"
  },
  "transform-arrow-functions": {
    "chrome": "47",
    "opera": "34",
    "edge": "13",
    "firefox": "43",
    "safari": "10",
    "node": "6",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "rhino": "1.7.13",
    "opera_mobile": "34",
    "electron": "0.36"
  },
  "transform-block-scoped-functions": {
    "chrome": "41",
    "opera": "28",
    "edge": "12",
    "firefox": "46",
    "safari": "10",
    "node": "4",
    "deno": "1",
    "ie": "11",
    "ios": "10",
    "samsung": "3.4",
    "opera_mobile": "28",
    "electron": "0.21"
  },
  "transform-classes": {
    "chrome": "46",
    "opera": "33",
    "edge": "13",
    "firefox": "45",
    "safari": "10",
    "node": "5",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "33",
    "electron": "0.36"
  },
  "transform-object-super": {
    "chrome": "46",
    "opera": "33",
    "edge": "13",
    "firefox": "45",
    "safari": "10",
    "node": "5",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "33",
    "electron": "0.36"
  },
  "transform-shorthand-properties": {
    "chrome": "43",
    "opera": "30",
    "edge": "12",
    "firefox": "33",
    "safari": "9",
    "node": "4",
    "deno": "1",
    "ios": "9",
    "samsung": "4",
    "rhino": "1.7.14",
    "opera_mobile": "30",
    "electron": "0.27"
  },
  "transform-duplicate-keys": {
    "chrome": "42",
    "opera": "29",
    "edge": "12",
    "firefox": "34",
    "safari": "9",
    "node": "4",
    "deno": "1",
    "ios": "9",
    "samsung": "3.4",
    "opera_mobile": "29",
    "electron": "0.25"
  },
  "transform-computed-properties": {
    "chrome": "44",
    "opera": "31",
    "edge": "12",
    "firefox": "34",
    "safari": "7.1",
    "node": "4",
    "deno": "1",
    "ios": "8",
    "samsung": "4",
    "rhino": "1.8",
    "opera_mobile": "32",
    "electron": "0.30"
  },
  "transform-for-of": {
    "chrome": "51",
    "opera": "38",
    "edge": "15",
    "firefox": "53",
    "safari": "10",
    "node": "6.5",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "41",
    "electron": "1.2"
  },
  "transform-sticky-regex": {
    "chrome": "49",
    "opera": "36",
    "edge": "13",
    "firefox": "3",
    "safari": "10",
    "node": "6",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "rhino": "1.7.15",
    "opera_mobile": "36",
    "electron": "0.37"
  },
  "transform-unicode-escapes": {
    "chrome": "44",
    "opera": "31",
    "edge": "12",
    "firefox": "53",
    "safari": "9",
    "node": "4",
    "deno": "1",
    "ios": "9",
    "samsung": "4",
    "rhino": "1.7.15",
    "opera_mobile": "32",
    "electron": "0.30"
  },
  "transform-unicode-regex": {
    "chrome": "50",
    "opera": "37",
    "edge": "13",
    "firefox": "46",
    "safari": "12",
    "node": "6",
    "deno": "1",
    "ios": "12",
    "samsung": "5",
    "opera_mobile": "37",
    "electron": "1.1"
  },
  "transform-spread": {
    "chrome": "46",
    "opera": "33",
    "edge": "13",
    "firefox": "45",
    "safari": "10",
    "node": "5",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "33",
    "electron": "0.36"
  },
  "transform-destructuring": {
    "chrome": "51",
    "opera": "38",
    "edge": "15",
    "firefox": "53",
    "safari": "14.1",
    "node": "6.5",
    "deno": "1",
    "ios": "14.5",
    "samsung": "5",
    "opera_mobile": "41",
    "electron": "1.2"
  },
  "transform-block-scoping": {
    "chrome": "50",
    "opera": "37",
    "edge": "14",
    "firefox": "53",
    "safari": "11",
    "node": "6",
    "deno": "1",
    "ios": "11",
    "samsung": "5",
    "opera_mobile": "37",
    "electron": "1.1"
  },
  "transform-typeof-symbol": {
    "chrome": "48",
    "opera": "35",
    "edge": "12",
    "firefox": "36",
    "safari": "9",
    "node": "6",
    "deno": "1",
    "ios": "9",
    "samsung": "5",
    "rhino": "1.8",
    "opera_mobile": "35",
    "electron": "0.37"
  },
  "transform-new-target": {
    "chrome": "46",
    "opera": "33",
    "edge": "14",
    "firefox": "41",
    "safari": "10",
    "node": "5",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "33",
    "electron": "0.36"
  },
  "transform-regenerator": {
    "chrome": "50",
    "opera": "37",
    "edge": "13",
    "firefox": "53",
    "safari": "10",
    "node": "6",
    "deno": "1",
    "ios": "10",
    "samsung": "5",
    "opera_mobile": "37",
    "electron": "1.1"
  },
  "transform-member-expression-literals": {
    "chrome": "7",
    "opera": "12",
    "edge": "12",
    "firefox": "2",
    "safari": "5.1",
    "node": "0.4",
    "deno": "1",
    "ie": "9",
    "android": "4",
    "ios": "6",
    "phantom": "1.9",
    "samsung": "1",
    "rhino": "1.7.13",
    "opera_mobile": "12",
    "electron": "0.20"
  },
  "transform-property-literals": {
    "chrome": "7",
    "opera": "12",
    "edge": "12",
    "firefox": "2",
    "safari": "5.1",
    "node": "0.4",
    "deno": "1",
    "ie": "9",
    "android": "4",
    "ios": "6",
    "phantom": "1.9",
    "samsung": "1",
    "rhino": "1.7.13",
    "opera_mobile": "12",
    "electron": "0.20"
  },
  "transform-reserved-words": {
    "chrome": "13",
    "opera": "10.50",
    "edge": "12",
    "firefox": "2",
    "safari": "3.1",
    "node": "0.6",
    "deno": "1",
    "ie": "9",
    "android": "4.4",
    "ios": "6",
    "phantom": "1.9",
    "samsung": "1",
    "rhino": "1.7.13",
    "opera_mobile": "10.1",
    "electron": "0.20"
  },
  "transform-export-namespace-from": {
    "chrome": "72",
    "deno": "1.0",
    "edge": "79",
    "firefox": "80",
    "node": "13.2.0",
    "opera": "60",
    "opera_mobile": "51",
    "safari": "14.1",
    "ios": "14.5",
    "samsung": "11.0",
    "android": "72",
    "electron": "5.0"
  },
  "proposal-export-namespace-from": {
    "chrome": "72",
    "deno": "1.0",
    "edge": "79",
    "firefox": "80",
    "node": "13.2.0",
    "opera": "60",
    "opera_mobile": "51",
    "safari": "14.1",
    "ios": "14.5",
    "samsung": "11.0",
    "android": "72",
    "electron": "5.0"
  }
 }
@@ -0,0 +1,2 @@
 // Todo (Babel 8): remove this file, in Babel 8 users import the .json directly
 module.exports = require("./data/native-modules.json");
@@ -0,0 +1,2 @@
 // Todo (Babel 8): remove this file, in Babel 8 users import the .json directly
 module.exports = require("./data/overlapping-plugins.json");
@@ -0,0 +1,40 @@
 {
  "name": "@babel/compat-data",
  "version": "7.29.7",
  "author": "The Babel Team (https://babel.dev/team)",
  "license": "MIT",
  "description": "The compat-data to determine required Babel plugins",
  "repository": {
    "type": "git",
    "url": "https://github.com/babel/babel.git",
    "directory": "packages/babel-compat-data"
  },
  "publishConfig": {
    "access": "public"
  },
  "exports": {
    "./plugins": "./plugins.js",
    "./native-modules": "./native-modules.js",
    "./corejs2-built-ins": "./corejs2-built-ins.js",
    "./corejs3-shipped-proposals": "./corejs3-shipped-proposals.js",
    "./overlapping-plugins": "./overlapping-plugins.js",
    "./plugin-bugfixes": "./plugin-bugfixes.js"
  },
  "scripts": {
    "build-data": "./scripts/download-compat-table.sh && node ./scripts/build-data.mjs && node ./scripts/build-modules-support.mjs && node ./scripts/build-bugfixes-targets.mjs"
  },
  "keywords": [
    "babel",
    "compat-table",
    "compat-data"
  ],
  "devDependencies": {
    "@mdn/browser-compat-data": "^6.0.8",
    "core-js-compat": "^3.48.0",
    "electron-to-chromium": "^1.5.278"
  },
  "engines": {
    "node": ">=6.9.0"
  },
  "type": "commonjs"
 }
@@ -0,0 +1,2 @@
 // Todo (Babel 8): remove this file, in Babel 8 users import the .json directly
 module.exports = require("./data/plugin-bugfixes.json");
@@ -0,0 +1,2 @@
 // Todo (Babel 8): remove this file, in Babel 8 users import the .json directly
 module.exports = require("./data/plugins.json");
@@ -0,0 +1 @@
 ../../../@babel+code-frame@7.29.7/node_modules/@babel/code-frame
@@ -0,0 +1,22 @@
 MIT License
 Copyright (c) 2014-present Sebastian McKenzie and other contributors
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
 "Software"), to deal in the Software without restriction, including
 without limitation the rights to use, copy, modify, merge, publish,
 distribute, sublicense, and/or sell copies of the Software, and to
 permit persons to whom the Software is furnished to do so, subject to
 the following conditions:
 The above copyright notice and this permission notice shall be
 included in all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,19 @@
 # @babel/core
 > Babel compiler core.
 See our website [@babel/core](https://babeljs.io/docs/babel-core) for more information or the [issues](https://github.com/babel/babel/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3A%22pkg%3A%20core%22+is%3Aopen) associated with this package.
 ## Install
 Using npm:
 ```sh
 npm install --save-dev @babel/core
 ```
 or using yarn:
 ```sh
 yarn add @babel/core --dev
 ```
@@ -0,0 +1,5 @@
 "use strict";
 0 && 0;
 //# sourceMappingURL=cache-contexts.js.map
@@ -0,0 +1 @@
 {"version":3,"names":[],"sources":["../../src/config/cache-contexts.ts"],"sourcesContent":["import type { ConfigContext } from \"./config-chain.ts\";\nimport type {\n  CallerMetadata,\n  TargetsListOrObject,\n} from \"./validation/options.ts\";\n\nexport type { ConfigContext as FullConfig };\n\nexport type FullPreset = {\n  targets: TargetsListOrObject;\n} & ConfigContext;\nexport type FullPlugin = {\n  assumptions: Record<string, boolean>;\n} & FullPreset;\n\n// Context not including filename since it is used in places that cannot\n// process 'ignore'/'only' and other filename-based logic.\nexport type SimpleConfig = {\n  envName: string;\n  caller: CallerMetadata | undefined;\n};\nexport type SimplePreset = {\n  targets: TargetsListOrObject;\n} & SimpleConfig;\nexport type SimplePlugin = {\n  assumptions: Record<string, boolean>;\n} & SimplePreset;\n"],"mappings":"","ignoreList":[]}
@@ -0,0 +1,261 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.assertSimpleType = assertSimpleType;
 exports.makeStrongCache = makeStrongCache;
 exports.makeStrongCacheSync = makeStrongCacheSync;
 exports.makeWeakCache = makeWeakCache;
 exports.makeWeakCacheSync = makeWeakCacheSync;
 function _gensync() {
  const data = require("gensync");
  _gensync = function () {
    return data;
  };
  return data;
 }
 var _async = require("../gensync-utils/async.js");
 var _util = require("./util.js");
 const synchronize = gen => {
  return _gensync()(gen).sync;
 };
 function* genTrue() {
  return true;
 }
 function makeWeakCache(handler) {
  return makeCachedFunction(WeakMap, handler);
 }
 function makeWeakCacheSync(handler) {
  return synchronize(makeWeakCache(handler));
 }
 function makeStrongCache(handler) {
  return makeCachedFunction(Map, handler);
 }
 function makeStrongCacheSync(handler) {
  return synchronize(makeStrongCache(handler));
 }
 function makeCachedFunction(CallCache, handler) {
  const callCacheSync = new CallCache();
  const callCacheAsync = new CallCache();
  const futureCache = new CallCache();
  return function* cachedFunction(arg, data) {
    const asyncContext = yield* (0, _async.isAsync)();
    const callCache = asyncContext ? callCacheAsync : callCacheSync;
    const cached = yield* getCachedValueOrWait(asyncContext, callCache, futureCache, arg, data);
    if (cached.valid) return cached.value;
    const cache = new CacheConfigurator(data);
    const handlerResult = handler(arg, cache);
    let finishLock;
    let value;
    if ((0, _util.isIterableIterator)(handlerResult)) {
      value = yield* (0, _async.onFirstPause)(handlerResult, () => {
        finishLock = setupAsyncLocks(cache, futureCache, arg);
      });
    } else {
      value = handlerResult;
    }
    updateFunctionCache(callCache, cache, arg, value);
    if (finishLock) {
      futureCache.delete(arg);
      finishLock.release(value);
    }
    return value;
  };
 }
 function* getCachedValue(cache, arg, data) {
  const cachedValue = cache.get(arg);
  if (cachedValue) {
    for (const {
      value,
      valid
    } of cachedValue) {
      if (yield* valid(data)) return {
        valid: true,
        value
      };
    }
  }
  return {
    valid: false,
    value: null
  };
 }
 function* getCachedValueOrWait(asyncContext, callCache, futureCache, arg, data) {
  const cached = yield* getCachedValue(callCache, arg, data);
  if (cached.valid) {
    return cached;
  }
  if (asyncContext) {
    const cached = yield* getCachedValue(futureCache, arg, data);
    if (cached.valid) {
      const value = yield* (0, _async.waitFor)(cached.value.promise);
      return {
        valid: true,
        value
      };
    }
  }
  return {
    valid: false,
    value: null
  };
 }
 function setupAsyncLocks(config, futureCache, arg) {
  const finishLock = new Lock();
  updateFunctionCache(futureCache, config, arg, finishLock);
  return finishLock;
 }
 function updateFunctionCache(cache, config, arg, value) {
  if (!config.configured()) config.forever();
  let cachedValue = cache.get(arg);
  config.deactivate();
  switch (config.mode()) {
    case "forever":
      cachedValue = [{
        value,
        valid: genTrue
      }];
      cache.set(arg, cachedValue);
      break;
    case "invalidate":
      cachedValue = [{
        value,
        valid: config.validator()
      }];
      cache.set(arg, cachedValue);
      break;
    case "valid":
      if (cachedValue) {
        cachedValue.push({
          value,
          valid: config.validator()
        });
      } else {
        cachedValue = [{
          value,
          valid: config.validator()
        }];
        cache.set(arg, cachedValue);
      }
  }
 }
 class CacheConfigurator {
  constructor(data) {
    this._active = true;
    this._never = false;
    this._forever = false;
    this._invalidate = false;
    this._configured = false;
    this._pairs = [];
    this._data = void 0;
    this._data = data;
  }
  simple() {
    return makeSimpleConfigurator(this);
  }
  mode() {
    if (this._never) return "never";
    if (this._forever) return "forever";
    if (this._invalidate) return "invalidate";
    return "valid";
  }
  forever() {
    if (!this._active) {
      throw new Error("Cannot change caching after evaluation has completed.");
    }
    if (this._never) {
      throw new Error("Caching has already been configured with .never()");
    }
    this._forever = true;
    this._configured = true;
  }
  never() {
    if (!this._active) {
      throw new Error("Cannot change caching after evaluation has completed.");
    }
    if (this._forever) {
      throw new Error("Caching has already been configured with .forever()");
    }
    this._never = true;
    this._configured = true;
  }
  using(handler) {
    if (!this._active) {
      throw new Error("Cannot change caching after evaluation has completed.");
    }
    if (this._never || this._forever) {
      throw new Error("Caching has already been configured with .never or .forever()");
    }
    this._configured = true;
    const key = handler(this._data);
    const fn = (0, _async.maybeAsync)(handler, `You appear to be using an async cache handler, but Babel has been called synchronously`);
    if ((0, _async.isThenable)(key)) {
      return key.then(key => {
        this._pairs.push([key, fn]);
        return key;
      });
    }
    this._pairs.push([key, fn]);
    return key;
  }
  invalidate(handler) {
    this._invalidate = true;
    return this.using(handler);
  }
  validator() {
    const pairs = this._pairs;
    return function* (data) {
      for (const [key, fn] of pairs) {
        if (key !== (yield* fn(data))) return false;
      }
      return true;
    };
  }
  deactivate() {
    this._active = false;
  }
  configured() {
    return this._configured;
  }
 }
 function makeSimpleConfigurator(cache) {
  function cacheFn(val) {
    if (typeof val === "boolean") {
      if (val) cache.forever();else cache.never();
      return;
    }
    return cache.using(() => assertSimpleType(val()));
  }
  cacheFn.forever = () => cache.forever();
  cacheFn.never = () => cache.never();
  cacheFn.using = cb => cache.using(() => assertSimpleType(cb()));
  cacheFn.invalidate = cb => cache.invalidate(() => assertSimpleType(cb()));
  return cacheFn;
 }
 function assertSimpleType(value) {
  if ((0, _async.isThenable)(value)) {
    throw new Error(`You appear to be using an async cache handler, ` + `which your current version of Babel does not support. ` + `We may add support for this in the future, ` + `but if you're on the most recent version of @babel/core and still ` + `seeing this error, then you'll need to synchronously handle your caching logic.`);
  }
  if (value != null && typeof value !== "string" && typeof value !== "boolean" && typeof value !== "number") {
    throw new Error("Cache keys must be either string, boolean, number, null, or undefined.");
  }
  return value;
 }
 class Lock {
  constructor() {
    this.released = false;
    this.promise = void 0;
    this._resolve = void 0;
    this.promise = new Promise(resolve => {
      this._resolve = resolve;
    });
  }
  release(value) {
    this.released = true;
    this._resolve(value);
  }
 }
 0 && 0;
 //# sourceMappingURL=caching.js.map
@@ -0,0 +1,469 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.buildPresetChain = buildPresetChain;
 exports.buildPresetChainWalker = void 0;
 exports.buildRootChain = buildRootChain;
 function _path() {
  const data = require("path");
  _path = function () {
    return data;
  };
  return data;
 }
 function _debug() {
  const data = require("debug");
  _debug = function () {
    return data;
  };
  return data;
 }
 var _options = require("./validation/options.js");
 var _patternToRegex = require("./pattern-to-regex.js");
 var _printer = require("./printer.js");
 var _rewriteStackTrace = require("../errors/rewrite-stack-trace.js");
 var _configError = require("../errors/config-error.js");
 var _index = require("./files/index.js");
 var _caching = require("./caching.js");
 var _configDescriptors = require("./config-descriptors.js");
 const debug = _debug()("babel:config:config-chain");
 function* buildPresetChain(arg, context) {
  const chain = yield* buildPresetChainWalker(arg, context);
  if (!chain) return null;
  return {
    plugins: dedupDescriptors(chain.plugins),
    presets: dedupDescriptors(chain.presets),
    options: chain.options.map(o => createConfigChainOptions(o)),
    files: new Set()
  };
 }
 const buildPresetChainWalker = exports.buildPresetChainWalker = makeChainWalker({
  root: preset => loadPresetDescriptors(preset),
  env: (preset, envName) => loadPresetEnvDescriptors(preset)(envName),
  overrides: (preset, index) => loadPresetOverridesDescriptors(preset)(index),
  overridesEnv: (preset, index, envName) => loadPresetOverridesEnvDescriptors(preset)(index)(envName),
  createLogger: () => () => {}
 });
 const loadPresetDescriptors = (0, _caching.makeWeakCacheSync)(preset => buildRootDescriptors(preset, preset.alias, _configDescriptors.createUncachedDescriptors));
 const loadPresetEnvDescriptors = (0, _caching.makeWeakCacheSync)(preset => (0, _caching.makeStrongCacheSync)(envName => buildEnvDescriptors(preset, preset.alias, _configDescriptors.createUncachedDescriptors, envName)));
 const loadPresetOverridesDescriptors = (0, _caching.makeWeakCacheSync)(preset => (0, _caching.makeStrongCacheSync)(index => buildOverrideDescriptors(preset, preset.alias, _configDescriptors.createUncachedDescriptors, index)));
 const loadPresetOverridesEnvDescriptors = (0, _caching.makeWeakCacheSync)(preset => (0, _caching.makeStrongCacheSync)(index => (0, _caching.makeStrongCacheSync)(envName => buildOverrideEnvDescriptors(preset, preset.alias, _configDescriptors.createUncachedDescriptors, index, envName))));
 function* buildRootChain(opts, context) {
  let configReport, babelRcReport;
  const programmaticLogger = new _printer.ConfigPrinter();
  const programmaticChain = yield* loadProgrammaticChain({
    options: opts,
    dirname: context.cwd
  }, context, undefined, programmaticLogger);
  if (!programmaticChain) return null;
  const programmaticReport = yield* programmaticLogger.output();
  let configFile;
  if (typeof opts.configFile === "string") {
    configFile = yield* (0, _index.loadConfig)(opts.configFile, context.cwd, context.envName, context.caller);
  } else if (opts.configFile !== false) {
    configFile = yield* (0, _index.findRootConfig)(context.root, context.envName, context.caller);
  }
  let {
    babelrc,
    babelrcRoots
  } = opts;
  let babelrcRootsDirectory = context.cwd;
  const configFileChain = emptyChain();
  const configFileLogger = new _printer.ConfigPrinter();
  if (configFile) {
    const validatedFile = validateConfigFile(configFile);
    const result = yield* loadFileChain(validatedFile, context, undefined, configFileLogger);
    if (!result) return null;
    configReport = yield* configFileLogger.output();
    if (babelrc === undefined) {
      babelrc = validatedFile.options.babelrc;
    }
    if (babelrcRoots === undefined) {
      babelrcRootsDirectory = validatedFile.dirname;
      babelrcRoots = validatedFile.options.babelrcRoots;
    }
    mergeChain(configFileChain, result);
  }
  let ignoreFile, babelrcFile;
  let isIgnored = false;
  const fileChain = emptyChain();
  if ((babelrc === true || babelrc === undefined) && typeof context.filename === "string") {
    const pkgData = yield* (0, _index.findPackageData)(context.filename);
    if (pkgData && babelrcLoadEnabled(context, pkgData, babelrcRoots, babelrcRootsDirectory)) {
      ({
        ignore: ignoreFile,
        config: babelrcFile
      } = yield* (0, _index.findRelativeConfig)(pkgData, context.envName, context.caller));
      if (ignoreFile) {
        fileChain.files.add(ignoreFile.filepath);
      }
      if (ignoreFile && shouldIgnore(context, ignoreFile.ignore, null, ignoreFile.dirname)) {
        isIgnored = true;
      }
      if (babelrcFile && !isIgnored) {
        const validatedFile = validateBabelrcFile(babelrcFile);
        const babelrcLogger = new _printer.ConfigPrinter();
        const result = yield* loadFileChain(validatedFile, context, undefined, babelrcLogger);
        if (!result) {
          isIgnored = true;
        } else {
          babelRcReport = yield* babelrcLogger.output();
          mergeChain(fileChain, result);
        }
      }
      if (babelrcFile && isIgnored) {
        fileChain.files.add(babelrcFile.filepath);
      }
    }
  }
  if (context.showConfig) {
    console.log(`Babel configs on "${context.filename}" (ascending priority):\n` + [configReport, babelRcReport, programmaticReport].filter(x => !!x).join("\n\n") + "\n-----End Babel configs-----");
  }
  const chain = mergeChain(mergeChain(mergeChain(emptyChain(), configFileChain), fileChain), programmaticChain);
  return {
    plugins: isIgnored ? [] : dedupDescriptors(chain.plugins),
    presets: isIgnored ? [] : dedupDescriptors(chain.presets),
    options: isIgnored ? [] : chain.options.map(o => createConfigChainOptions(o)),
    fileHandling: isIgnored ? "ignored" : "transpile",
    ignore: ignoreFile || undefined,
    babelrc: babelrcFile || undefined,
    config: configFile || undefined,
    files: chain.files
  };
 }
 function babelrcLoadEnabled(context, pkgData, babelrcRoots, babelrcRootsDirectory) {
  if (typeof babelrcRoots === "boolean") return babelrcRoots;
  const absoluteRoot = context.root;
  if (babelrcRoots === undefined) {
    return pkgData.directories.includes(absoluteRoot);
  }
  let babelrcPatterns = babelrcRoots;
  if (!Array.isArray(babelrcPatterns)) {
    babelrcPatterns = [babelrcPatterns];
  }
  babelrcPatterns = babelrcPatterns.map(pat => {
    return typeof pat === "string" ? _path().resolve(babelrcRootsDirectory, pat) : pat;
  });
  if (babelrcPatterns.length === 1 && babelrcPatterns[0] === absoluteRoot) {
    return pkgData.directories.includes(absoluteRoot);
  }
  return babelrcPatterns.some(pat => {
    if (typeof pat === "string") {
      pat = (0, _patternToRegex.default)(pat, babelrcRootsDirectory);
    }
    return pkgData.directories.some(directory => {
      return matchPattern(pat, babelrcRootsDirectory, directory, context);
    });
  });
 }
 const validateConfigFile = (0, _caching.makeWeakCacheSync)(file => ({
  filepath: file.filepath,
  dirname: file.dirname,
  options: (0, _options.validate)("configfile", file.options, file.filepath)
 }));
 const validateBabelrcFile = (0, _caching.makeWeakCacheSync)(file => ({
  filepath: file.filepath,
  dirname: file.dirname,
  options: (0, _options.validate)("babelrcfile", file.options, file.filepath)
 }));
 const validateExtendFile = (0, _caching.makeWeakCacheSync)(file => ({
  filepath: file.filepath,
  dirname: file.dirname,
  options: (0, _options.validate)("extendsfile", file.options, file.filepath)
 }));
 const loadProgrammaticChain = makeChainWalker({
  root: input => buildRootDescriptors(input, "base", _configDescriptors.createCachedDescriptors),
  env: (input, envName) => buildEnvDescriptors(input, "base", _configDescriptors.createCachedDescriptors, envName),
  overrides: (input, index) => buildOverrideDescriptors(input, "base", _configDescriptors.createCachedDescriptors, index),
  overridesEnv: (input, index, envName) => buildOverrideEnvDescriptors(input, "base", _configDescriptors.createCachedDescriptors, index, envName),
  createLogger: (input, context, baseLogger) => buildProgrammaticLogger(input, context, baseLogger)
 });
 const loadFileChainWalker = makeChainWalker({
  root: file => loadFileDescriptors(file),
  env: (file, envName) => loadFileEnvDescriptors(file)(envName),
  overrides: (file, index) => loadFileOverridesDescriptors(file)(index),
  overridesEnv: (file, index, envName) => loadFileOverridesEnvDescriptors(file)(index)(envName),
  createLogger: (file, context, baseLogger) => buildFileLogger(file.filepath, context, baseLogger)
 });
 function* loadFileChain(input, context, files, baseLogger) {
  const chain = yield* loadFileChainWalker(input, context, files, baseLogger);
  chain == null || chain.files.add(input.filepath);
  return chain;
 }
 const loadFileDescriptors = (0, _caching.makeWeakCacheSync)(file => buildRootDescriptors(file, file.filepath, _configDescriptors.createUncachedDescriptors));
 const loadFileEnvDescriptors = (0, _caching.makeWeakCacheSync)(file => (0, _caching.makeStrongCacheSync)(envName => buildEnvDescriptors(file, file.filepath, _configDescriptors.createUncachedDescriptors, envName)));
 const loadFileOverridesDescriptors = (0, _caching.makeWeakCacheSync)(file => (0, _caching.makeStrongCacheSync)(index => buildOverrideDescriptors(file, file.filepath, _configDescriptors.createUncachedDescriptors, index)));
 const loadFileOverridesEnvDescriptors = (0, _caching.makeWeakCacheSync)(file => (0, _caching.makeStrongCacheSync)(index => (0, _caching.makeStrongCacheSync)(envName => buildOverrideEnvDescriptors(file, file.filepath, _configDescriptors.createUncachedDescriptors, index, envName))));
 function buildFileLogger(filepath, context, baseLogger) {
  if (!baseLogger) {
    return () => {};
  }
  return baseLogger.configure(context.showConfig, _printer.ChainFormatter.Config, {
    filepath
  });
 }
 function buildRootDescriptors({
  dirname,
  options
 }, alias, descriptors) {
  return descriptors(dirname, options, alias);
 }
 function buildProgrammaticLogger(_, context, baseLogger) {
  var _context$caller;
  if (!baseLogger) {
    return () => {};
  }
  return baseLogger.configure(context.showConfig, _printer.ChainFormatter.Programmatic, {
    callerName: (_context$caller = context.caller) == null ? void 0 : _context$caller.name
  });
 }
 function buildEnvDescriptors({
  dirname,
  options
 }, alias, descriptors, envName) {
  var _options$env;
  const opts = (_options$env = options.env) == null ? void 0 : _options$env[envName];
  return opts ? descriptors(dirname, opts, `${alias}.env["${envName}"]`) : null;
 }
 function buildOverrideDescriptors({
  dirname,
  options
 }, alias, descriptors, index) {
  var _options$overrides;
  const opts = (_options$overrides = options.overrides) == null ? void 0 : _options$overrides[index];
  if (!opts) throw new Error("Assertion failure - missing override");
  return descriptors(dirname, opts, `${alias}.overrides[${index}]`);
 }
 function buildOverrideEnvDescriptors({
  dirname,
  options
 }, alias, descriptors, index, envName) {
  var _options$overrides2, _override$env;
  const override = (_options$overrides2 = options.overrides) == null ? void 0 : _options$overrides2[index];
  if (!override) throw new Error("Assertion failure - missing override");
  const opts = (_override$env = override.env) == null ? void 0 : _override$env[envName];
  return opts ? descriptors(dirname, opts, `${alias}.overrides[${index}].env["${envName}"]`) : null;
 }
 function makeChainWalker({
  root,
  env,
  overrides,
  overridesEnv,
  createLogger
 }) {
  return function* chainWalker(input, context, files = new Set(), baseLogger) {
    const {
      dirname
    } = input;
    const flattenedConfigs = [];
    const rootOpts = root(input);
    if (configIsApplicable(rootOpts, dirname, context, input.filepath)) {
      flattenedConfigs.push({
        config: rootOpts,
        envName: undefined,
        index: undefined
      });
      const envOpts = env(input, context.envName);
      if (envOpts && configIsApplicable(envOpts, dirname, context, input.filepath)) {
        flattenedConfigs.push({
          config: envOpts,
          envName: context.envName,
          index: undefined
        });
      }
      (rootOpts.options.overrides || []).forEach((_, index) => {
        const overrideOps = overrides(input, index);
        if (configIsApplicable(overrideOps, dirname, context, input.filepath)) {
          flattenedConfigs.push({
            config: overrideOps,
            index,
            envName: undefined
          });
          const overrideEnvOpts = overridesEnv(input, index, context.envName);
          if (overrideEnvOpts && configIsApplicable(overrideEnvOpts, dirname, context, input.filepath)) {
            flattenedConfigs.push({
              config: overrideEnvOpts,
              index,
              envName: context.envName
            });
          }
        }
      });
    }
    if (flattenedConfigs.some(({
      config: {
        options: {
          ignore,
          only
        }
      }
    }) => shouldIgnore(context, ignore, only, dirname))) {
      return null;
    }
    const chain = emptyChain();
    const logger = createLogger(input, context, baseLogger);
    for (const {
      config,
      index,
      envName
    } of flattenedConfigs) {
      if (!(yield* mergeExtendsChain(chain, config.options, dirname, context, files, baseLogger))) {
        return null;
      }
      logger(config, index, envName);
      yield* mergeChainOpts(chain, config);
    }
    return chain;
  };
 }
 function* mergeExtendsChain(chain, opts, dirname, context, files, baseLogger) {
  if (opts.extends === undefined) return true;
  const file = yield* (0, _index.loadConfig)(opts.extends, dirname, context.envName, context.caller);
  if (files.has(file)) {
    throw new Error(`Configuration cycle detected loading ${file.filepath}.\n` + `File already loaded following the config chain:\n` + Array.from(files, file => ` - ${file.filepath}`).join("\n"));
  }
  files.add(file);
  const fileChain = yield* loadFileChain(validateExtendFile(file), context, files, baseLogger);
  files.delete(file);
  if (!fileChain) return false;
  mergeChain(chain, fileChain);
  return true;
 }
 function mergeChain(target, source) {
  target.options.push(...source.options);
  target.plugins.push(...source.plugins);
  target.presets.push(...source.presets);
  for (const file of source.files) {
    target.files.add(file);
  }
  return target;
 }
 function* mergeChainOpts(target, {
  options,
  plugins,
  presets
 }) {
  target.options.push(options);
  target.plugins.push(...(yield* plugins()));
  target.presets.push(...(yield* presets()));
  return target;
 }
 function emptyChain() {
  return {
    options: [],
    presets: [],
    plugins: [],
    files: new Set()
  };
 }
 function createConfigChainOptions(opts) {
  const options = Object.assign({}, opts);
  delete options.extends;
  delete options.env;
  delete options.overrides;
  delete options.plugins;
  delete options.presets;
  delete options.passPerPreset;
  delete options.ignore;
  delete options.only;
  delete options.test;
  delete options.include;
  delete options.exclude;
  if (hasOwnProperty.call(options, "sourceMap")) {
    options.sourceMaps = options.sourceMap;
    delete options.sourceMap;
  }
  return options;
 }
 function dedupDescriptors(items) {
  const map = new Map();
  const descriptors = [];
  for (const item of items) {
    if (typeof item.value === "function") {
      const fnKey = item.value;
      let nameMap = map.get(fnKey);
      if (!nameMap) {
        nameMap = new Map();
        map.set(fnKey, nameMap);
      }
      let desc = nameMap.get(item.name);
      if (!desc) {
        desc = {
          value: item
        };
        descriptors.push(desc);
        if (!item.ownPass) nameMap.set(item.name, desc);
      } else {
        desc.value = item;
      }
    } else {
      descriptors.push({
        value: item
      });
    }
  }
  return descriptors.reduce((acc, desc) => {
    acc.push(desc.value);
    return acc;
  }, []);
 }
 function configIsApplicable({
  options
 }, dirname, context, configName) {
  return (options.test === undefined || configFieldIsApplicable(context, options.test, dirname, configName)) && (options.include === undefined || configFieldIsApplicable(context, options.include, dirname, configName)) && (options.exclude === undefined || !configFieldIsApplicable(context, options.exclude, dirname, configName));
 }
 function configFieldIsApplicable(context, test, dirname, configName) {
  const patterns = Array.isArray(test) ? test : [test];
  return matchesPatterns(context, patterns, dirname, configName);
 }
 function ignoreListReplacer(_key, value) {
  if (value instanceof RegExp) {
    return String(value);
  }
  return value;
 }
 function shouldIgnore(context, ignore, only, dirname) {
  if (ignore && matchesPatterns(context, ignore, dirname)) {
    var _context$filename;
    const message = `No config is applied to "${(_context$filename = context.filename) != null ? _context$filename : "(unknown)"}" because it matches one of \`ignore: ${JSON.stringify(ignore, ignoreListReplacer)}\` from "${dirname}"`;
    debug(message);
    if (context.showConfig) {
      console.log(message);
    }
    return true;
  }
  if (only && !matchesPatterns(context, only, dirname)) {
    var _context$filename2;
    const message = `No config is applied to "${(_context$filename2 = context.filename) != null ? _context$filename2 : "(unknown)"}" because it fails to match one of \`only: ${JSON.stringify(only, ignoreListReplacer)}\` from "${dirname}"`;
    debug(message);
    if (context.showConfig) {
      console.log(message);
    }
    return true;
  }
  return false;
 }
 function matchesPatterns(context, patterns, dirname, configName) {
  return patterns.some(pattern => matchPattern(pattern, dirname, context.filename, context, configName));
 }
 function matchPattern(pattern, dirname, pathToTest, context, configName) {
  if (typeof pattern === "function") {
    return !!(0, _rewriteStackTrace.endHiddenCallStack)(pattern)(pathToTest, {
      dirname,
      envName: context.envName,
      caller: context.caller
    });
  }
  if (typeof pathToTest !== "string") {
    throw new _configError.default(`Configuration contains string/RegExp pattern, but no filename was passed to Babel`, configName);
  }
  if (typeof pattern === "string") {
    pattern = (0, _patternToRegex.default)(pattern, dirname);
  }
  return pattern.test(pathToTest);
 }
 0 && 0;
 //# sourceMappingURL=config-chain.js.map
@@ -0,0 +1,190 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.createCachedDescriptors = createCachedDescriptors;
 exports.createDescriptor = createDescriptor;
 exports.createUncachedDescriptors = createUncachedDescriptors;
 function _gensync() {
  const data = require("gensync");
  _gensync = function () {
    return data;
  };
  return data;
 }
 var _functional = require("../gensync-utils/functional.js");
 var _index = require("./files/index.js");
 var _item = require("./item.js");
 var _caching = require("./caching.js");
 var _resolveTargets = require("./resolve-targets.js");
 function isEqualDescriptor(a, b) {
  var _a$file, _b$file, _a$file2, _b$file2;
  return a.name === b.name && a.value === b.value && a.options === b.options && a.dirname === b.dirname && a.alias === b.alias && a.ownPass === b.ownPass && ((_a$file = a.file) == null ? void 0 : _a$file.request) === ((_b$file = b.file) == null ? void 0 : _b$file.request) && ((_a$file2 = a.file) == null ? void 0 : _a$file2.resolved) === ((_b$file2 = b.file) == null ? void 0 : _b$file2.resolved);
 }
 function* handlerOf(value) {
  return value;
 }
 function optionsWithResolvedBrowserslistConfigFile(options, dirname) {
  if (typeof options.browserslistConfigFile === "string") {
    options.browserslistConfigFile = (0, _resolveTargets.resolveBrowserslistConfigFile)(options.browserslistConfigFile, dirname);
  }
  return options;
 }
 function createCachedDescriptors(dirname, options, alias) {
  const {
    plugins,
    presets,
    passPerPreset
  } = options;
  return {
    options: optionsWithResolvedBrowserslistConfigFile(options, dirname),
    plugins: plugins ? () => createCachedPluginDescriptors(plugins, dirname)(alias) : () => handlerOf([]),
    presets: presets ? () => createCachedPresetDescriptors(presets, dirname)(alias)(!!passPerPreset) : () => handlerOf([])
  };
 }
 function createUncachedDescriptors(dirname, options, alias) {
  return {
    options: optionsWithResolvedBrowserslistConfigFile(options, dirname),
    plugins: (0, _functional.once)(() => createPluginDescriptors(options.plugins || [], dirname, alias)),
    presets: (0, _functional.once)(() => createPresetDescriptors(options.presets || [], dirname, alias, !!options.passPerPreset))
  };
 }
 const PRESET_DESCRIPTOR_CACHE = new WeakMap();
 const createCachedPresetDescriptors = (0, _caching.makeWeakCacheSync)((items, cache) => {
  const dirname = cache.using(dir => dir);
  return (0, _caching.makeStrongCacheSync)(alias => (0, _caching.makeStrongCache)(function* (passPerPreset) {
    const descriptors = yield* createPresetDescriptors(items, dirname, alias, passPerPreset);
    return descriptors.map(desc => loadCachedDescriptor(PRESET_DESCRIPTOR_CACHE, desc));
  }));
 });
 const PLUGIN_DESCRIPTOR_CACHE = new WeakMap();
 const createCachedPluginDescriptors = (0, _caching.makeWeakCacheSync)((items, cache) => {
  const dirname = cache.using(dir => dir);
  return (0, _caching.makeStrongCache)(function* (alias) {
    const descriptors = yield* createPluginDescriptors(items, dirname, alias);
    return descriptors.map(desc => loadCachedDescriptor(PLUGIN_DESCRIPTOR_CACHE, desc));
  });
 });
 const DEFAULT_OPTIONS = {};
 function loadCachedDescriptor(cache, desc) {
  const {
    value,
    options = DEFAULT_OPTIONS
  } = desc;
  if (options === false) return desc;
  let cacheByOptions = cache.get(value);
  if (!cacheByOptions) {
    cacheByOptions = new WeakMap();
    cache.set(value, cacheByOptions);
  }
  let possibilities = cacheByOptions.get(options);
  if (!possibilities) {
    possibilities = [];
    cacheByOptions.set(options, possibilities);
  }
  if (!possibilities.includes(desc)) {
    const matches = possibilities.filter(possibility => isEqualDescriptor(possibility, desc));
    if (matches.length > 0) {
      return matches[0];
    }
    possibilities.push(desc);
  }
  return desc;
 }
 function* createPresetDescriptors(items, dirname, alias, passPerPreset) {
  return yield* createDescriptors("preset", items, dirname, alias, passPerPreset);
 }
 function* createPluginDescriptors(items, dirname, alias) {
  return yield* createDescriptors("plugin", items, dirname, alias);
 }
 function* createDescriptors(type, items, dirname, alias, ownPass) {
  const descriptors = yield* _gensync().all(items.map((item, index) => createDescriptor(item, dirname, {
    type,
    alias: `${alias}$${index}`,
    ownPass: !!ownPass
  })));
  assertNoDuplicates(descriptors);
  return descriptors;
 }
 function* createDescriptor(pair, dirname, {
  type,
  alias,
  ownPass
 }) {
  const desc = (0, _item.getItemDescriptor)(pair);
  if (desc) {
    return desc;
  }
  let name;
  let options;
  let value = pair;
  if (Array.isArray(value)) {
    if (value.length === 3) {
      [value, options, name] = value;
    } else {
      [value, options] = value;
    }
  }
  let file = undefined;
  let filepath = null;
  if (typeof value === "string") {
    if (typeof type !== "string") {
      throw new Error("To resolve a string-based item, the type of item must be given");
    }
    const resolver = type === "plugin" ? _index.loadPlugin : _index.loadPreset;
    const request = value;
    ({
      filepath,
      value
    } = yield* resolver(value, dirname));
    file = {
      request,
      resolved: filepath
    };
  }
  if (!value) {
    throw new Error(`Unexpected falsy value: ${String(value)}`);
  }
  if (typeof value === "object" && value.__esModule) {
    if (value.default) {
      value = value.default;
    } else {
      throw new Error("Must export a default export when using ES6 modules.");
    }
  }
  if (typeof value !== "object" && typeof value !== "function") {
    throw new Error(`Unsupported format: ${typeof value}. Expected an object or a function.`);
  }
  if (filepath !== null && typeof value === "object" && value) {
    throw new Error(`Plugin/Preset files are not allowed to export objects, only functions. In ${filepath}`);
  }
  return {
    name,
    alias: filepath || alias,
    value,
    options,
    dirname,
    ownPass,
    file
  };
 }
 function assertNoDuplicates(items) {
  const map = new Map();
  for (const item of items) {
    if (typeof item.value !== "function") continue;
    let nameMap = map.get(item.value);
    if (!nameMap) {
      nameMap = new Set();
      map.set(item.value, nameMap);
    }
    if (nameMap.has(item.name)) {
      const conflicts = items.filter(i => i.value === item.value);
      throw new Error([`Duplicate plugin/preset detected.`, `If you'd like to use two separate instances of a plugin,`, `they need separate names, e.g.`, ``, `  plugins: [`, `    ['some-plugin', {}],`, `    ['some-plugin', {}, 'some unique name'],`, `  ]`, ``, `Duplicates detected are:`, `${JSON.stringify(conflicts, null, 2)}`].join("\n"));
    }
    nameMap.add(item.name);
  }
 }
 0 && 0;
 //# sourceMappingURL=config-descriptors.js.map
@@ -0,0 +1,290 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.ROOT_CONFIG_FILENAMES = void 0;
 exports.findConfigUpwards = findConfigUpwards;
 exports.findRelativeConfig = findRelativeConfig;
 exports.findRootConfig = findRootConfig;
 exports.loadConfig = loadConfig;
 exports.resolveShowConfigPath = resolveShowConfigPath;
 function _debug() {
  const data = require("debug");
  _debug = function () {
    return data;
  };
  return data;
 }
 function _fs() {
  const data = require("fs");
  _fs = function () {
    return data;
  };
  return data;
 }
 function _path() {
  const data = require("path");
  _path = function () {
    return data;
  };
  return data;
 }
 function _json() {
  const data = require("json5");
  _json = function () {
    return data;
  };
  return data;
 }
 function _gensync() {
  const data = require("gensync");
  _gensync = function () {
    return data;
  };
  return data;
 }
 var _caching = require("../caching.js");
 var _configApi = require("../helpers/config-api.js");
 var _utils = require("./utils.js");
 var _moduleTypes = require("./module-types.js");
 var _patternToRegex = require("../pattern-to-regex.js");
 var _configError = require("../../errors/config-error.js");
 var fs = require("../../gensync-utils/fs.js");
 require("module");
 var _rewriteStackTrace = require("../../errors/rewrite-stack-trace.js");
 var _async = require("../../gensync-utils/async.js");
 const debug = _debug()("babel:config:loading:files:configuration");
 const ROOT_CONFIG_FILENAMES = exports.ROOT_CONFIG_FILENAMES = ["babel.config.js", "babel.config.cjs", "babel.config.mjs", "babel.config.json", "babel.config.cts", "babel.config.ts", "babel.config.mts"];
 const RELATIVE_CONFIG_FILENAMES = [".babelrc", ".babelrc.js", ".babelrc.cjs", ".babelrc.mjs", ".babelrc.json", ".babelrc.cts"];
 const BABELIGNORE_FILENAME = ".babelignore";
 const runConfig = (0, _caching.makeWeakCache)(function* runConfig(options, cache) {
  yield* [];
  return {
    options: (0, _rewriteStackTrace.endHiddenCallStack)(options)((0, _configApi.makeConfigAPI)(cache)),
    cacheNeedsConfiguration: !cache.configured()
  };
 });
 function* readConfigCode(filepath, data) {
  if (!_fs().existsSync(filepath)) return null;
  let options = yield* (0, _moduleTypes.default)(filepath, (yield* (0, _async.isAsync)()) ? "auto" : "require", "You appear to be using a native ECMAScript module configuration " + "file, which is only supported when running Babel asynchronously " + "or when using the Node.js `--experimental-require-module` flag.", "You appear to be using a configuration file that contains top-level " + "await, which is only supported when running Babel asynchronously.");
  let cacheNeedsConfiguration = false;
  if (typeof options === "function") {
    ({
      options,
      cacheNeedsConfiguration
    } = yield* runConfig(options, data));
  }
  if (!options || typeof options !== "object" || Array.isArray(options)) {
    throw new _configError.default(`Configuration should be an exported JavaScript object.`, filepath);
  }
  if (typeof options.then === "function") {
    options.catch == null || options.catch(() => {});
    throw new _configError.default(`You appear to be using an async configuration, ` + `which your current version of Babel does not support. ` + `We may add support for this in the future, ` + `but if you're on the most recent version of @babel/core and still ` + `seeing this error, then you'll need to synchronously return your config.`, filepath);
  }
  if (cacheNeedsConfiguration) throwConfigError(filepath);
  return buildConfigFileObject(options, filepath);
 }
 const cfboaf = new WeakMap();
 function buildConfigFileObject(options, filepath) {
  let configFilesByFilepath = cfboaf.get(options);
  if (!configFilesByFilepath) {
    cfboaf.set(options, configFilesByFilepath = new Map());
  }
  let configFile = configFilesByFilepath.get(filepath);
  if (!configFile) {
    configFile = {
      filepath,
      dirname: _path().dirname(filepath),
      options
    };
    configFilesByFilepath.set(filepath, configFile);
  }
  return configFile;
 }
 const packageToBabelConfig = (0, _caching.makeWeakCacheSync)(file => {
  const babel = file.options.babel;
  if (babel === undefined) return null;
  if (typeof babel !== "object" || Array.isArray(babel) || babel === null) {
    throw new _configError.default(`.babel property must be an object`, file.filepath);
  }
  return {
    filepath: file.filepath,
    dirname: file.dirname,
    options: babel
  };
 });
 const readConfigJSON5 = (0, _utils.makeStaticFileCache)((filepath, content) => {
  let options;
  try {
    options = _json().parse(content);
  } catch (err) {
    throw new _configError.default(`Error while parsing config - ${err.message}`, filepath);
  }
  if (!options) throw new _configError.default(`No config detected`, filepath);
  if (typeof options !== "object") {
    throw new _configError.default(`Config returned typeof ${typeof options}`, filepath);
  }
  if (Array.isArray(options)) {
    throw new _configError.default(`Expected config object but found array`, filepath);
  }
  delete options.$schema;
  return {
    filepath,
    dirname: _path().dirname(filepath),
    options
  };
 });
 const readIgnoreConfig = (0, _utils.makeStaticFileCache)((filepath, content) => {
  const ignoreDir = _path().dirname(filepath);
  const ignorePatterns = content.split("\n").map(line => line.replace(/#.*$/, "").trim()).filter(Boolean);
  for (const pattern of ignorePatterns) {
    if (pattern.startsWith("!")) {
      throw new _configError.default(`Negation of file paths is not supported.`, filepath);
    }
  }
  return {
    filepath,
    dirname: _path().dirname(filepath),
    ignore: ignorePatterns.map(pattern => (0, _patternToRegex.default)(pattern, ignoreDir))
  };
 });
 function findConfigUpwards(rootDir) {
  let dirname = rootDir;
  for (;;) {
    for (const filename of ROOT_CONFIG_FILENAMES) {
      if (_fs().existsSync(_path().join(dirname, filename))) {
        return dirname;
      }
    }
    const nextDir = _path().dirname(dirname);
    if (dirname === nextDir) break;
    dirname = nextDir;
  }
  return null;
 }
 function* findRelativeConfig(packageData, envName, caller) {
  let config = null;
  let ignore = null;
  const dirname = _path().dirname(packageData.filepath);
  for (const loc of packageData.directories) {
    if (!config) {
      var _packageData$pkg;
      config = yield* loadOneConfig(RELATIVE_CONFIG_FILENAMES, loc, envName, caller, ((_packageData$pkg = packageData.pkg) == null ? void 0 : _packageData$pkg.dirname) === loc ? packageToBabelConfig(packageData.pkg) : null);
    }
    if (!ignore) {
      const ignoreLoc = _path().join(loc, BABELIGNORE_FILENAME);
      ignore = yield* readIgnoreConfig(ignoreLoc);
      if (ignore) {
        debug("Found ignore %o from %o.", ignore.filepath, dirname);
      }
    }
  }
  return {
    config,
    ignore
  };
 }
 function findRootConfig(dirname, envName, caller) {
  return loadOneConfig(ROOT_CONFIG_FILENAMES, dirname, envName, caller);
 }
 function* loadOneConfig(names, dirname, envName, caller, previousConfig = null) {
  const configs = yield* _gensync().all(names.map(filename => readConfig(_path().join(dirname, filename), envName, caller)));
  const config = configs.reduce((previousConfig, config) => {
    if (config && previousConfig) {
      throw new _configError.default(`Multiple configuration files found. Please remove one:\n` + ` - ${_path().basename(previousConfig.filepath)}\n` + ` - ${config.filepath}\n` + `from ${dirname}`);
    }
    return config || previousConfig;
  }, previousConfig);
  if (config) {
    debug("Found configuration %o from %o.", config.filepath, dirname);
  }
  return config;
 }
 function* loadConfig(name, dirname, envName, caller) {
  const filepath = (((v, w) => (v = v.split("."), w = w.split("."), +v[0] > +w[0] || v[0] == w[0] && +v[1] >= +w[1]))(process.versions.node, "8.9") ? require.resolve : (r, {
    paths: [b]
  }, M = require("module")) => {
    let f = M._findPath(r, M._nodeModulePaths(b).concat(b));
    if (f) return f;
    f = new Error(`Cannot resolve module '${r}'`);
    f.code = "MODULE_NOT_FOUND";
    throw f;
  })(name, {
    paths: [dirname]
  });
  const conf = yield* readConfig(filepath, envName, caller);
  if (!conf) {
    throw new _configError.default(`Config file contains no configuration data`, filepath);
  }
  debug("Loaded config %o from %o.", name, dirname);
  return conf;
 }
 function readConfig(filepath, envName, caller) {
  const ext = _path().extname(filepath);
  switch (ext) {
    case ".js":
    case ".cjs":
    case ".mjs":
    case ".ts":
    case ".cts":
    case ".mts":
      return readConfigCode(filepath, {
        envName,
        caller
      });
    default:
      return readConfigJSON5(filepath);
  }
 }
 function* resolveShowConfigPath(dirname) {
  const targetPath = process.env.BABEL_SHOW_CONFIG_FOR;
  if (targetPath != null) {
    const absolutePath = _path().resolve(dirname, targetPath);
    const stats = yield* fs.stat(absolutePath);
    if (!stats.isFile()) {
      throw new Error(`${absolutePath}: BABEL_SHOW_CONFIG_FOR must refer to a regular file, directories are not supported.`);
    }
    return absolutePath;
  }
  return null;
 }
 function throwConfigError(filepath) {
  throw new _configError.default(`\
 Caching was left unconfigured. Babel's plugins, presets, and .babelrc.js files can be configured
 for various types of caching, using the first param of their handler functions:
 module.exports = function(api) {
  // The API exposes the following:
  // Cache the returned value forever and don't call this function again.
  api.cache(true);
  // Don't cache at all. Not recommended because it will be very slow.
  api.cache(false);
  // Cached based on the value of some function. If this function returns a value different from
  // a previously-encountered value, the plugins will re-evaluate.
  var env = api.cache(() => process.env.NODE_ENV);
  // If testing for a specific env, we recommend specifics to avoid instantiating a plugin for
  // any possible NODE_ENV value that might come up during plugin execution.
  var isProd = api.cache(() => process.env.NODE_ENV === "production");
  // .cache(fn) will perform a linear search though instances to find the matching plugin based
  // based on previous instantiated plugins. If you want to recreate the plugin and discard the
  // previous instance whenever something changes, you may use:
  var isProd = api.cache.invalidate(() => process.env.NODE_ENV === "production");
  // Note, we also expose the following more-verbose versions of the above examples:
  api.cache.forever(); // api.cache(true)
  api.cache.never();   // api.cache(false)
  api.cache.using(fn); // api.cache(fn)
  // Return the value that will be cached.
  return { };
 };`, filepath);
 }
 0 && 0;
 //# sourceMappingURL=configuration.js.map
@@ -0,0 +1,6 @@
 module.exports = function import_(filepath) {
  return import(filepath);
 };
 0 && 0;
 //# sourceMappingURL=import.cjs.map
@@ -0,0 +1 @@
 {"version":3,"names":["module","exports","import_","filepath"],"sources":["../../../src/config/files/import.cjs"],"sourcesContent":["// We keep this in a separate file so that in older node versions, where\n// import() isn't supported, we can try/catch around the require() call\n// when loading this file.\n\nmodule.exports = function import_(filepath) {\n  return import(filepath);\n};\n"],"mappings":"AAIAA,MAAM,CAACC,OAAO,GAAG,SAASC,OAAOA,CAACC,QAAQ,EAAE;EAC1C,OAAO,OAAOA,QAAQ,CAAC;AACzB,CAAC;AAAC","ignoreList":[]}
@@ -0,0 +1,58 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.ROOT_CONFIG_FILENAMES = void 0;
 exports.findConfigUpwards = findConfigUpwards;
 exports.findPackageData = findPackageData;
 exports.findRelativeConfig = findRelativeConfig;
 exports.findRootConfig = findRootConfig;
 exports.loadConfig = loadConfig;
 exports.loadPlugin = loadPlugin;
 exports.loadPreset = loadPreset;
 exports.resolvePlugin = resolvePlugin;
 exports.resolvePreset = resolvePreset;
 exports.resolveShowConfigPath = resolveShowConfigPath;
 function findConfigUpwards(rootDir) {
  return null;
 }
 function* findPackageData(filepath) {
  return {
    filepath,
    directories: [],
    pkg: null,
    isPackage: false
  };
 }
 function* findRelativeConfig(pkgData, envName, caller) {
  return {
    config: null,
    ignore: null
  };
 }
 function* findRootConfig(dirname, envName, caller) {
  return null;
 }
 function* loadConfig(name, dirname, envName, caller) {
  throw new Error(`Cannot load ${name} relative to ${dirname} in a browser`);
 }
 function* resolveShowConfigPath(dirname) {
  return null;
 }
 const ROOT_CONFIG_FILENAMES = exports.ROOT_CONFIG_FILENAMES = [];
 function resolvePlugin(name, dirname) {
  return null;
 }
 function resolvePreset(name, dirname) {
  return null;
 }
 function loadPlugin(name, dirname) {
  throw new Error(`Cannot load plugin ${name} relative to ${dirname} in a browser`);
 }
 function loadPreset(name, dirname) {
  throw new Error(`Cannot load preset ${name} relative to ${dirname} in a browser`);
 }
 0 && 0;
 //# sourceMappingURL=index-browser.js.map
@@ -0,0 +1 @@
 {"version":3,"names":["findConfigUpwards","rootDir","findPackageData","filepath","directories","pkg","isPackage","findRelativeConfig","pkgData","envName","caller","config","ignore","findRootConfig","dirname","loadConfig","name","Error","resolveShowConfigPath","ROOT_CONFIG_FILENAMES","exports","resolvePlugin","resolvePreset","loadPlugin","loadPreset"],"sources":["../../../src/config/files/index-browser.ts"],"sourcesContent":["/* c8 ignore start */\n\nimport type { Handler } from \"gensync\";\n\nimport type {\n  ConfigFile,\n  IgnoreFile,\n  RelativeConfig,\n  FilePackageData,\n} from \"./types.ts\";\n\nimport type { CallerMetadata } from \"../validation/options.ts\";\n\nexport type { ConfigFile, IgnoreFile, RelativeConfig, FilePackageData };\n\nexport function findConfigUpwards(\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  rootDir: string,\n): string | null {\n  return null;\n}\n\n// eslint-disable-next-line require-yield\nexport function* findPackageData(filepath: string): Handler<FilePackageData> {\n  return {\n    filepath,\n    directories: [],\n    pkg: null,\n    isPackage: false,\n  };\n}\n\n// eslint-disable-next-line require-yield\nexport function* findRelativeConfig(\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  pkgData: FilePackageData,\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  envName: string,\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  caller: CallerMetadata | undefined,\n): Handler<RelativeConfig> {\n  return { config: null, ignore: null };\n}\n\n// eslint-disable-next-line require-yield\nexport function* findRootConfig(\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  dirname: string,\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  envName: string,\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  caller: CallerMetadata | undefined,\n): Handler<ConfigFile | null> {\n  return null;\n}\n\n// eslint-disable-next-line require-yield\nexport function* loadConfig(\n  name: string,\n  dirname: string,\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  envName: string,\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  caller: CallerMetadata | undefined,\n): Handler<ConfigFile> {\n  throw new Error(`Cannot load ${name} relative to ${dirname} in a browser`);\n}\n\n// eslint-disable-next-line require-yield\nexport function* resolveShowConfigPath(\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  dirname: string,\n): Handler<string | null> {\n  return null;\n}\n\nexport const ROOT_CONFIG_FILENAMES: string[] = [];\n\ntype Resolved =\n  | { loader: \"require\"; filepath: string }\n  | { loader: \"import\"; filepath: string };\n\n// eslint-disable-next-line @typescript-eslint/no-unused-vars\nexport function resolvePlugin(name: string, dirname: string): Resolved | null {\n  return null;\n}\n\n// eslint-disable-next-line @typescript-eslint/no-unused-vars\nexport function resolvePreset(name: string, dirname: string): Resolved | null {\n  return null;\n}\n\nexport function loadPlugin(\n  name: string,\n  dirname: string,\n): Handler<{\n  filepath: string;\n  value: unknown;\n}> {\n  throw new Error(\n    `Cannot load plugin ${name} relative to ${dirname} in a browser`,\n  );\n}\n\nexport function loadPreset(\n  name: string,\n  dirname: string,\n): Handler<{\n  filepath: string;\n  value: unknown;\n}> {\n  throw new Error(\n    `Cannot load preset ${name} relative to ${dirname} in a browser`,\n  );\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAeO,SAASA,iBAAiBA,CAE/BC,OAAe,EACA;EACf,OAAO,IAAI;AACb;AAGO,UAAUC,eAAeA,CAACC,QAAgB,EAA4B;EAC3E,OAAO;IACLA,QAAQ;IACRC,WAAW,EAAE,EAAE;IACfC,GAAG,EAAE,IAAI;IACTC,SAAS,EAAE;EACb,CAAC;AACH;AAGO,UAAUC,kBAAkBA,CAEjCC,OAAwB,EAExBC,OAAe,EAEfC,MAAkC,EACT;EACzB,OAAO;IAAEC,MAAM,EAAE,IAAI;IAAEC,MAAM,EAAE;EAAK,CAAC;AACvC;AAGO,UAAUC,cAAcA,CAE7BC,OAAe,EAEfL,OAAe,EAEfC,MAAkC,EACN;EAC5B,OAAO,IAAI;AACb;AAGO,UAAUK,UAAUA,CACzBC,IAAY,EACZF,OAAe,EAEfL,OAAe,EAEfC,MAAkC,EACb;EACrB,MAAM,IAAIO,KAAK,CAAC,eAAeD,IAAI,gBAAgBF,OAAO,eAAe,CAAC;AAC5E;AAGO,UAAUI,qBAAqBA,CAEpCJ,OAAe,EACS;EACxB,OAAO,IAAI;AACb;AAEO,MAAMK,qBAA+B,GAAAC,OAAA,CAAAD,qBAAA,GAAG,EAAE;AAO1C,SAASE,aAAaA,CAACL,IAAY,EAAEF,OAAe,EAAmB;EAC5E,OAAO,IAAI;AACb;AAGO,SAASQ,aAAaA,CAACN,IAAY,EAAEF,OAAe,EAAmB;EAC5E,OAAO,IAAI;AACb;AAEO,SAASS,UAAUA,CACxBP,IAAY,EACZF,OAAe,EAId;EACD,MAAM,IAAIG,KAAK,CACb,sBAAsBD,IAAI,gBAAgBF,OAAO,eACnD,CAAC;AACH;AAEO,SAASU,UAAUA,CACxBR,IAAY,EACZF,OAAe,EAId;EACD,MAAM,IAAIG,KAAK,CACb,sBAAsBD,IAAI,gBAAgBF,OAAO,eACnD,CAAC;AACH;AAAC","ignoreList":[]}
@@ -0,0 +1,78 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 Object.defineProperty(exports, "ROOT_CONFIG_FILENAMES", {
  enumerable: true,
  get: function () {
    return _configuration.ROOT_CONFIG_FILENAMES;
  }
 });
 Object.defineProperty(exports, "findConfigUpwards", {
  enumerable: true,
  get: function () {
    return _configuration.findConfigUpwards;
  }
 });
 Object.defineProperty(exports, "findPackageData", {
  enumerable: true,
  get: function () {
    return _package.findPackageData;
  }
 });
 Object.defineProperty(exports, "findRelativeConfig", {
  enumerable: true,
  get: function () {
    return _configuration.findRelativeConfig;
  }
 });
 Object.defineProperty(exports, "findRootConfig", {
  enumerable: true,
  get: function () {
    return _configuration.findRootConfig;
  }
 });
 Object.defineProperty(exports, "loadConfig", {
  enumerable: true,
  get: function () {
    return _configuration.loadConfig;
  }
 });
 Object.defineProperty(exports, "loadPlugin", {
  enumerable: true,
  get: function () {
    return _plugins.loadPlugin;
  }
 });
 Object.defineProperty(exports, "loadPreset", {
  enumerable: true,
  get: function () {
    return _plugins.loadPreset;
  }
 });
 Object.defineProperty(exports, "resolvePlugin", {
  enumerable: true,
  get: function () {
    return _plugins.resolvePlugin;
  }
 });
 Object.defineProperty(exports, "resolvePreset", {
  enumerable: true,
  get: function () {
    return _plugins.resolvePreset;
  }
 });
 Object.defineProperty(exports, "resolveShowConfigPath", {
  enumerable: true,
  get: function () {
    return _configuration.resolveShowConfigPath;
  }
 });
 var _package = require("./package.js");
 var _configuration = require("./configuration.js");
 var _plugins = require("./plugins.js");
 ({});
 0 && 0;
 //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
 {"version":3,"names":["_package","require","_configuration","_plugins"],"sources":["../../../src/config/files/index.ts"],"sourcesContent":["type indexBrowserType = typeof import(\"./index-browser\");\ntype indexType = typeof import(\"./index\");\n\n// Kind of gross, but essentially asserting that the exports of this module are the same as the\n// exports of index-browser, since this file may be replaced at bundle time with index-browser.\n// eslint-disable-next-line @typescript-eslint/no-unused-expressions\n({}) as any as indexBrowserType as indexType;\n\nexport { findPackageData } from \"./package.ts\";\n\nexport {\n  findConfigUpwards,\n  findRelativeConfig,\n  findRootConfig,\n  loadConfig,\n  resolveShowConfigPath,\n  ROOT_CONFIG_FILENAMES,\n} from \"./configuration.ts\";\nexport type {\n  ConfigFile,\n  IgnoreFile,\n  RelativeConfig,\n  FilePackageData,\n} from \"./types.ts\";\nexport {\n  loadPlugin,\n  loadPreset,\n  resolvePlugin,\n  resolvePreset,\n} from \"./plugins.ts\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAQA,IAAAA,QAAA,GAAAC,OAAA;AAEA,IAAAC,cAAA,GAAAD,OAAA;AAcA,IAAAE,QAAA,GAAAF,OAAA;AAlBA,CAAC,CAAC,CAAC;AAA0C","ignoreList":[]}
@@ -0,0 +1,203 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.default = loadCodeDefault;
 exports.supportsESM = void 0;
 var _async = require("../../gensync-utils/async.js");
 function _path() {
  const data = require("path");
  _path = function () {
    return data;
  };
  return data;
 }
 function _url() {
  const data = require("url");
  _url = function () {
    return data;
  };
  return data;
 }
 require("module");
 function _semver() {
  const data = require("semver");
  _semver = function () {
    return data;
  };
  return data;
 }
 function _debug() {
  const data = require("debug");
  _debug = function () {
    return data;
  };
  return data;
 }
 var _rewriteStackTrace = require("../../errors/rewrite-stack-trace.js");
 var _configError = require("../../errors/config-error.js");
 var _transformFile = require("../../transform-file.js");
 function asyncGeneratorStep(n, t, e, r, o, a, c) { try { var i = n[a](c), u = i.value; } catch (n) { return void e(n); } i.done ? t(u) : Promise.resolve(u).then(r, o); }
 function _asyncToGenerator(n) { return function () { var t = this, e = arguments; return new Promise(function (r, o) { var a = n.apply(t, e); function _next(n) { asyncGeneratorStep(a, r, o, _next, _throw, "next", n); } function _throw(n) { asyncGeneratorStep(a, r, o, _next, _throw, "throw", n); } _next(void 0); }); }; }
 const debug = _debug()("babel:config:loading:files:module-types");
 try {
  var import_ = require("./import.cjs");
 } catch (_unused) {}
 const supportsESM = exports.supportsESM = _semver().satisfies(process.versions.node, "^12.17 || >=13.2");
 const LOADING_CJS_FILES = new Set();
 function loadCjsDefault(filepath) {
  if (LOADING_CJS_FILES.has(filepath)) {
    debug("Auto-ignoring usage of config %o.", filepath);
    return {};
  }
  let module;
  try {
    LOADING_CJS_FILES.add(filepath);
    module = (0, _rewriteStackTrace.endHiddenCallStack)(require)(filepath);
  } finally {
    LOADING_CJS_FILES.delete(filepath);
  }
  return module != null && (module.__esModule || module[Symbol.toStringTag] === "Module") ? module.default || (arguments[1] ? module : undefined) : module;
 }
 const loadMjsFromPath = (0, _rewriteStackTrace.endHiddenCallStack)(function () {
  var _loadMjsFromPath = _asyncToGenerator(function* (filepath) {
    const url = (0, _url().pathToFileURL)(filepath).toString() + "?import";
    if (!import_) {
      throw new _configError.default("Internal error: Native ECMAScript modules aren't supported by this platform.\n", filepath);
    }
    return yield import_(url);
  });
  function loadMjsFromPath(_x) {
    return _loadMjsFromPath.apply(this, arguments);
  }
  return loadMjsFromPath;
 }());
 const tsNotSupportedError = ext => `\
 You are using a ${ext} config file, but Babel only supports transpiling .cts configs. Either:
 - Use a .cts config file
 - Update to Node.js 23.6.0, which has native TypeScript support
 - Install tsx to transpile ${ext} files on the fly\
 `;
 const SUPPORTED_EXTENSIONS = {
  ".js": "unknown",
  ".mjs": "esm",
  ".cjs": "cjs",
  ".ts": "unknown",
  ".mts": "esm",
  ".cts": "cjs"
 };
 const asyncModules = new Set();
 function* loadCodeDefault(filepath, loader, esmError, tlaError) {
  let async;
  const ext = _path().extname(filepath);
  const isTS = ext === ".ts" || ext === ".cts" || ext === ".mts";
  const type = SUPPORTED_EXTENSIONS[hasOwnProperty.call(SUPPORTED_EXTENSIONS, ext) ? ext : ".js"];
  const pattern = `${loader} ${type}`;
  switch (pattern) {
    case "require cjs":
    case "auto cjs":
      if (isTS) {
        return ensureTsSupport(filepath, ext, () => loadCjsDefault(filepath));
      } else {
        return loadCjsDefault(filepath, arguments[2]);
      }
    case "auto unknown":
    case "require unknown":
    case "require esm":
      try {
        if (isTS) {
          return ensureTsSupport(filepath, ext, () => loadCjsDefault(filepath));
        } else {
          return loadCjsDefault(filepath, arguments[2]);
        }
      } catch (e) {
        if (e.code === "ERR_REQUIRE_ASYNC_MODULE" || e.code === "ERR_REQUIRE_CYCLE_MODULE" && asyncModules.has(filepath)) {
          asyncModules.add(filepath);
          if (!(async != null ? async : async = yield* (0, _async.isAsync)())) {
            throw new _configError.default(tlaError, filepath);
          }
        } else if (e.code === "ERR_REQUIRE_ESM" || type === "esm") {} else {
          throw e;
        }
      }
    case "auto esm":
      if (async != null ? async : async = yield* (0, _async.isAsync)()) {
        const promise = isTS ? ensureTsSupport(filepath, ext, () => loadMjsFromPath(filepath)) : loadMjsFromPath(filepath);
        return (yield* (0, _async.waitFor)(promise)).default;
      }
      if (isTS) {
        throw new _configError.default(tsNotSupportedError(ext), filepath);
      } else {
        throw new _configError.default(esmError, filepath);
      }
    default:
      throw new Error("Internal Babel error: unreachable code.");
  }
 }
 function ensureTsSupport(filepath, ext, callback) {
  if (process.features.typescript || require.extensions[".ts"] || require.extensions[".cts"] || require.extensions[".mts"]) {
    return callback();
  }
  if (ext !== ".cts") {
    throw new _configError.default(tsNotSupportedError(ext), filepath);
  }
  const opts = {
    babelrc: false,
    configFile: false,
    sourceType: "unambiguous",
    sourceMaps: "inline",
    sourceFileName: _path().basename(filepath),
    presets: [[getTSPreset(filepath), Object.assign({
      onlyRemoveTypeImports: true,
      optimizeConstEnums: true
    }, {
      allowDeclareFields: true
    })]]
  };
  let handler = function (m, filename) {
    if (handler && filename.endsWith(".cts")) {
      try {
        return m._compile((0, _transformFile.transformFileSync)(filename, Object.assign({}, opts, {
          filename
        })).code, filename);
      } catch (error) {
        const packageJson = require("@babel/preset-typescript/package.json");
        if (_semver().lt(packageJson.version, "7.21.4")) {
          console.error("`.cts` configuration file failed to load, please try to update `@babel/preset-typescript`.");
        }
        throw error;
      }
    }
    return require.extensions[".js"](m, filename);
  };
  require.extensions[ext] = handler;
  try {
    return callback();
  } finally {
    if (require.extensions[ext] === handler) delete require.extensions[ext];
    handler = undefined;
  }
 }
 function getTSPreset(filepath) {
  try {
    return require("@babel/preset-typescript");
  } catch (error) {
    if (error.code !== "MODULE_NOT_FOUND") throw error;
    let message = "You appear to be using a .cts file as Babel configuration, but the `@babel/preset-typescript` package was not found: please install it!";
    if (process.versions.pnp) {
      message += `
 If you are using Yarn Plug'n'Play, you may also need to add the following configuration to your .yarnrc.yml file:
 packageExtensions:
 \t"@babel/core@*":
 \t\tpeerDependencies:
 \t\t\t"@babel/preset-typescript": "*"
 `;
    }
    throw new _configError.default(message, filepath);
  }
 }
 0 && 0;
 //# sourceMappingURL=module-types.js.map
@@ -0,0 +1,61 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.findPackageData = findPackageData;
 function _path() {
  const data = require("path");
  _path = function () {
    return data;
  };
  return data;
 }
 var _utils = require("./utils.js");
 var _configError = require("../../errors/config-error.js");
 const PACKAGE_FILENAME = "package.json";
 const readConfigPackage = (0, _utils.makeStaticFileCache)((filepath, content) => {
  let options;
  try {
    options = JSON.parse(content);
  } catch (err) {
    throw new _configError.default(`Error while parsing JSON - ${err.message}`, filepath);
  }
  if (!options) throw new Error(`${filepath}: No config detected`);
  if (typeof options !== "object") {
    throw new _configError.default(`Config returned typeof ${typeof options}`, filepath);
  }
  if (Array.isArray(options)) {
    throw new _configError.default(`Expected config object but found array`, filepath);
  }
  return {
    filepath,
    dirname: _path().dirname(filepath),
    options
  };
 });
 function* findPackageData(filepath) {
  let pkg = null;
  const directories = [];
  let isPackage = true;
  let dirname = _path().dirname(filepath);
  while (!pkg && _path().basename(dirname) !== "node_modules") {
    directories.push(dirname);
    pkg = yield* readConfigPackage(_path().join(dirname, PACKAGE_FILENAME));
    const nextLoc = _path().dirname(dirname);
    if (dirname === nextLoc) {
      isPackage = false;
      break;
    }
    dirname = nextLoc;
  }
  return {
    filepath,
    directories,
    pkg,
    isPackage
  };
 }
 0 && 0;
 //# sourceMappingURL=package.js.map
@@ -0,0 +1 @@
 {"version":3,"names":["_path","data","require","_utils","_configError","PACKAGE_FILENAME","readConfigPackage","makeStaticFileCache","filepath","content","options","JSON","parse","err","ConfigError","message","Error","Array","isArray","dirname","path","findPackageData","pkg","directories","isPackage","basename","push","join","nextLoc"],"sources":["../../../src/config/files/package.ts"],"sourcesContent":["import path from \"node:path\";\nimport type { Handler } from \"gensync\";\nimport { makeStaticFileCache } from \"./utils.ts\";\n\nimport type { ConfigFile, FilePackageData } from \"./types.ts\";\n\nimport ConfigError from \"../../errors/config-error.ts\";\n\nconst PACKAGE_FILENAME = \"package.json\";\n\nconst readConfigPackage = makeStaticFileCache(\n  (filepath, content): ConfigFile => {\n    let options;\n    try {\n      options = JSON.parse(content) as unknown;\n    } catch (err) {\n      throw new ConfigError(\n        `Error while parsing JSON - ${err.message}`,\n        filepath,\n      );\n    }\n\n    if (!options) throw new Error(`${filepath}: No config detected`);\n\n    if (typeof options !== \"object\") {\n      throw new ConfigError(\n        `Config returned typeof ${typeof options}`,\n        filepath,\n      );\n    }\n    if (Array.isArray(options)) {\n      throw new ConfigError(`Expected config object but found array`, filepath);\n    }\n\n    return {\n      filepath,\n      dirname: path.dirname(filepath),\n      options,\n    };\n  },\n);\n\n/**\n * Find metadata about the package that this file is inside of. Resolution\n * of Babel's config requires general package information to decide when to\n * search for .babelrc files\n */\nexport function* findPackageData(filepath: string): Handler<FilePackageData> {\n  let pkg = null;\n  const directories = [];\n  let isPackage = true;\n\n  let dirname = path.dirname(filepath);\n  while (!pkg && path.basename(dirname) !== \"node_modules\") {\n    directories.push(dirname);\n\n    pkg = yield* readConfigPackage(path.join(dirname, PACKAGE_FILENAME));\n\n    const nextLoc = path.dirname(dirname);\n    if (dirname === nextLoc) {\n      isPackage = false;\n      break;\n    }\n    dirname = nextLoc;\n  }\n\n  return { filepath, directories, pkg, isPackage };\n}\n"],"mappings":";;;;;;AAAA,SAAAA,MAAA;EAAA,MAAAC,IAAA,GAAAC,OAAA;EAAAF,KAAA,YAAAA,CAAA;IAAA,OAAAC,IAAA;EAAA;EAAA,OAAAA,IAAA;AAAA;AAEA,IAAAE,MAAA,GAAAD,OAAA;AAIA,IAAAE,YAAA,GAAAF,OAAA;AAEA,MAAMG,gBAAgB,GAAG,cAAc;AAEvC,MAAMC,iBAAiB,GAAG,IAAAC,0BAAmB,EAC3C,CAACC,QAAQ,EAAEC,OAAO,KAAiB;EACjC,IAAIC,OAAO;EACX,IAAI;IACFA,OAAO,GAAGC,IAAI,CAACC,KAAK,CAACH,OAAO,CAAY;EAC1C,CAAC,CAAC,OAAOI,GAAG,EAAE;IACZ,MAAM,IAAIC,oBAAW,CACnB,8BAA8BD,GAAG,CAACE,OAAO,EAAE,EAC3CP,QACF,CAAC;EACH;EAEA,IAAI,CAACE,OAAO,EAAE,MAAM,IAAIM,KAAK,CAAC,GAAGR,QAAQ,sBAAsB,CAAC;EAEhE,IAAI,OAAOE,OAAO,KAAK,QAAQ,EAAE;IAC/B,MAAM,IAAII,oBAAW,CACnB,0BAA0B,OAAOJ,OAAO,EAAE,EAC1CF,QACF,CAAC;EACH;EACA,IAAIS,KAAK,CAACC,OAAO,CAACR,OAAO,CAAC,EAAE;IAC1B,MAAM,IAAII,oBAAW,CAAC,wCAAwC,EAAEN,QAAQ,CAAC;EAC3E;EAEA,OAAO;IACLA,QAAQ;IACRW,OAAO,EAAEC,MAAGA,CAAC,CAACD,OAAO,CAACX,QAAQ,CAAC;IAC/BE;EACF,CAAC;AACH,CACF,CAAC;AAOM,UAAUW,eAAeA,CAACb,QAAgB,EAA4B;EAC3E,IAAIc,GAAG,GAAG,IAAI;EACd,MAAMC,WAAW,GAAG,EAAE;EACtB,IAAIC,SAAS,GAAG,IAAI;EAEpB,IAAIL,OAAO,GAAGC,MAAGA,CAAC,CAACD,OAAO,CAACX,QAAQ,CAAC;EACpC,OAAO,CAACc,GAAG,IAAIF,MAAGA,CAAC,CAACK,QAAQ,CAACN,OAAO,CAAC,KAAK,cAAc,EAAE;IACxDI,WAAW,CAACG,IAAI,CAACP,OAAO,CAAC;IAEzBG,GAAG,GAAG,OAAOhB,iBAAiB,CAACc,MAAGA,CAAC,CAACO,IAAI,CAACR,OAAO,EAAEd,gBAAgB,CAAC,CAAC;IAEpE,MAAMuB,OAAO,GAAGR,MAAGA,CAAC,CAACD,OAAO,CAACA,OAAO,CAAC;IACrC,IAAIA,OAAO,KAAKS,OAAO,EAAE;MACvBJ,SAAS,GAAG,KAAK;MACjB;IACF;IACAL,OAAO,GAAGS,OAAO;EACnB;EAEA,OAAO;IAAEpB,QAAQ;IAAEe,WAAW;IAAED,GAAG;IAAEE;EAAU,CAAC;AAClD;AAAC","ignoreList":[]}
@@ -0,0 +1,220 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.loadPlugin = loadPlugin;
 exports.loadPreset = loadPreset;
 exports.resolvePreset = exports.resolvePlugin = void 0;
 function _debug() {
  const data = require("debug");
  _debug = function () {
    return data;
  };
  return data;
 }
 function _path() {
  const data = require("path");
  _path = function () {
    return data;
  };
  return data;
 }
 var _async = require("../../gensync-utils/async.js");
 var _moduleTypes = require("./module-types.js");
 function _url() {
  const data = require("url");
  _url = function () {
    return data;
  };
  return data;
 }
 var _importMetaResolve = require("../../vendor/import-meta-resolve.js");
 require("module");
 function _fs() {
  const data = require("fs");
  _fs = function () {
    return data;
  };
  return data;
 }
 const debug = _debug()("babel:config:loading:files:plugins");
 const EXACT_RE = /^module:/;
 const BABEL_PLUGIN_PREFIX_RE = /^(?!@|module:|[^/]+\/|babel-plugin-)/;
 const BABEL_PRESET_PREFIX_RE = /^(?!@|module:|[^/]+\/|babel-preset-)/;
 const BABEL_PLUGIN_ORG_RE = /^(@babel\/)(?!plugin-|[^/]+\/)/;
 const BABEL_PRESET_ORG_RE = /^(@babel\/)(?!preset-|[^/]+\/)/;
 const OTHER_PLUGIN_ORG_RE = /^(@(?!babel\/)[^/]+\/)(?![^/]*babel-plugin(?:-|\/|$)|[^/]+\/)/;
 const OTHER_PRESET_ORG_RE = /^(@(?!babel\/)[^/]+\/)(?![^/]*babel-preset(?:-|\/|$)|[^/]+\/)/;
 const OTHER_ORG_DEFAULT_RE = /^(@(?!babel$)[^/]+)$/;
 const resolvePlugin = exports.resolvePlugin = resolveStandardizedName.bind(null, "plugin");
 const resolvePreset = exports.resolvePreset = resolveStandardizedName.bind(null, "preset");
 function* loadPlugin(name, dirname) {
  const {
    filepath,
    loader
  } = resolvePlugin(name, dirname, yield* (0, _async.isAsync)());
  const value = yield* requireModule("plugin", loader, filepath);
  debug("Loaded plugin %o from %o.", name, dirname);
  return {
    filepath,
    value
  };
 }
 function* loadPreset(name, dirname) {
  const {
    filepath,
    loader
  } = resolvePreset(name, dirname, yield* (0, _async.isAsync)());
  const value = yield* requireModule("preset", loader, filepath);
  debug("Loaded preset %o from %o.", name, dirname);
  return {
    filepath,
    value
  };
 }
 function standardizeName(type, name) {
  if (_path().isAbsolute(name)) return name;
  const isPreset = type === "preset";
  return name.replace(isPreset ? BABEL_PRESET_PREFIX_RE : BABEL_PLUGIN_PREFIX_RE, `babel-${type}-`).replace(isPreset ? BABEL_PRESET_ORG_RE : BABEL_PLUGIN_ORG_RE, `$1${type}-`).replace(isPreset ? OTHER_PRESET_ORG_RE : OTHER_PLUGIN_ORG_RE, `$1babel-${type}-`).replace(OTHER_ORG_DEFAULT_RE, `$1/babel-${type}`).replace(EXACT_RE, "");
 }
 function* resolveAlternativesHelper(type, name) {
  const standardizedName = standardizeName(type, name);
  const {
    error,
    value
  } = yield standardizedName;
  if (!error) return value;
  if (error.code !== "MODULE_NOT_FOUND") throw error;
  if (standardizedName !== name && !(yield name).error) {
    error.message += `\n- If you want to resolve "${name}", use "module:${name}"`;
  }
  if (!(yield standardizeName(type, "@babel/" + name)).error) {
    error.message += `\n- Did you mean "@babel/${name}"?`;
  }
  const oppositeType = type === "preset" ? "plugin" : "preset";
  if (!(yield standardizeName(oppositeType, name)).error) {
    error.message += `\n- Did you accidentally pass a ${oppositeType} as a ${type}?`;
  }
  if (type === "plugin") {
    const transformName = standardizedName.replace("-proposal-", "-transform-");
    if (transformName !== standardizedName && !(yield transformName).error) {
      error.message += `\n- Did you mean "${transformName}"?`;
    }
  }
  error.message += `\n
 Make sure that all the Babel plugins and presets you are using
 are defined as dependencies or devDependencies in your package.json
 file. It's possible that the missing plugin is loaded by a preset
 you are using that forgot to add the plugin to its dependencies: you
 can workaround this problem by explicitly adding the missing package
 to your top-level package.json.
 `;
  throw error;
 }
 function tryRequireResolve(id, dirname) {
  try {
    if (dirname) {
      return {
        error: null,
        value: (((v, w) => (v = v.split("."), w = w.split("."), +v[0] > +w[0] || v[0] == w[0] && +v[1] >= +w[1]))(process.versions.node, "8.9") ? require.resolve : (r, {
          paths: [b]
        }, M = require("module")) => {
          let f = M._findPath(r, M._nodeModulePaths(b).concat(b));
          if (f) return f;
          f = new Error(`Cannot resolve module '${r}'`);
          f.code = "MODULE_NOT_FOUND";
          throw f;
        })(id, {
          paths: [dirname]
        })
      };
    } else {
      return {
        error: null,
        value: require.resolve(id)
      };
    }
  } catch (error) {
    return {
      error,
      value: null
    };
  }
 }
 function tryImportMetaResolve(id, options) {
  try {
    return {
      error: null,
      value: (0, _importMetaResolve.resolve)(id, options)
    };
  } catch (error) {
    return {
      error,
      value: null
    };
  }
 }
 function resolveStandardizedNameForRequire(type, name, dirname) {
  const it = resolveAlternativesHelper(type, name);
  let res = it.next();
  while (!res.done) {
    res = it.next(tryRequireResolve(res.value, dirname));
  }
  return {
    loader: "require",
    filepath: res.value
  };
 }
 function resolveStandardizedNameForImport(type, name, dirname) {
  const parentUrl = (0, _url().pathToFileURL)(_path().join(dirname, "./babel-virtual-resolve-base.js")).href;
  const it = resolveAlternativesHelper(type, name);
  let res = it.next();
  while (!res.done) {
    res = it.next(tryImportMetaResolve(res.value, parentUrl));
  }
  return {
    loader: "auto",
    filepath: (0, _url().fileURLToPath)(res.value)
  };
 }
 function resolveStandardizedName(type, name, dirname, allowAsync) {
  if (!_moduleTypes.supportsESM || !allowAsync) {
    return resolveStandardizedNameForRequire(type, name, dirname);
  }
  try {
    const resolved = resolveStandardizedNameForImport(type, name, dirname);
    if (!(0, _fs().existsSync)(resolved.filepath)) {
      throw Object.assign(new Error(`Could not resolve "${name}" in file ${dirname}.`), {
        type: "MODULE_NOT_FOUND"
      });
    }
    return resolved;
  } catch (e) {
    try {
      return resolveStandardizedNameForRequire(type, name, dirname);
    } catch (e2) {
      if (e.type === "MODULE_NOT_FOUND") throw e;
      if (e2.type === "MODULE_NOT_FOUND") throw e2;
      throw e;
    }
  }
 }
 var LOADING_MODULES = new Set();
 function* requireModule(type, loader, name) {
  if (!(yield* (0, _async.isAsync)()) && LOADING_MODULES.has(name)) {
    throw new Error(`Reentrant ${type} detected trying to load "${name}". This module is not ignored ` + "and is trying to load itself while compiling itself, leading to a dependency cycle. " + 'We recommend adding it to your "ignore" list in your babelrc, or to a .babelignore.');
  }
  try {
    LOADING_MODULES.add(name);
    return yield* (0, _moduleTypes.default)(name, loader, `You appear to be using a native ECMAScript module ${type}, ` + "which is only supported when running Babel asynchronously " + "or when using the Node.js `--experimental-require-module` flag.", `You appear to be using a ${type} that contains top-level await, ` + "which is only supported when running Babel asynchronously.", true);
  } catch (err) {
    err.message = `[BABEL]: ${err.message} (While processing: ${name})`;
    throw err;
  } finally {
    LOADING_MODULES.delete(name);
  }
 }
 0 && 0;
 //# sourceMappingURL=plugins.js.map
@@ -0,0 +1,5 @@
 "use strict";
 0 && 0;
 //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
 {"version":3,"names":[],"sources":["../../../src/config/files/types.ts"],"sourcesContent":["import type { InputOptions } from \"../index.ts\";\n\nexport type ConfigFile = {\n  filepath: string;\n  dirname: string;\n  options: InputOptions & { babel?: unknown };\n};\n\nexport type IgnoreFile = {\n  filepath: string;\n  dirname: string;\n  ignore: RegExp[];\n};\n\nexport type RelativeConfig = {\n  // The actual config, either from package.json#babel, .babelrc, or\n  // .babelrc.js, if there was one.\n  config: ConfigFile | null;\n  // The .babelignore, if there was one.\n  ignore: IgnoreFile | null;\n};\n\nexport type FilePackageData = {\n  // The file in the package.\n  filepath: string;\n  // Any ancestor directories of the file that are within the package.\n  directories: string[];\n  // The contents of the package.json. May not be found if the package just\n  // terminated at a node_modules folder without finding one.\n  pkg: ConfigFile | null;\n  // True if a package.json or node_modules folder was found while traversing\n  // the directory structure.\n  isPackage: boolean;\n};\n"],"mappings":"","ignoreList":[]}
@@ -0,0 +1,36 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.makeStaticFileCache = makeStaticFileCache;
 var _caching = require("../caching.js");
 var fs = require("../../gensync-utils/fs.js");
 function _fs2() {
  const data = require("fs");
  _fs2 = function () {
    return data;
  };
  return data;
 }
 function makeStaticFileCache(fn) {
  return (0, _caching.makeStrongCache)(function* (filepath, cache) {
    const cached = cache.invalidate(() => fileMtime(filepath));
    if (cached === null) {
      return null;
    }
    return fn(filepath, yield* fs.readFile(filepath, "utf8"));
  });
 }
 function fileMtime(filepath) {
  if (!_fs2().existsSync(filepath)) return null;
  try {
    return +_fs2().statSync(filepath).mtime;
  } catch (e) {
    if (e.code !== "ENOENT" && e.code !== "ENOTDIR") throw e;
  }
  return null;
 }
 0 && 0;
 //# sourceMappingURL=utils.js.map
@@ -0,0 +1 @@
 {"version":3,"names":["_caching","require","fs","_fs2","data","makeStaticFileCache","fn","makeStrongCache","filepath","cache","cached","invalidate","fileMtime","readFile","nodeFs","existsSync","statSync","mtime","e","code"],"sources":["../../../src/config/files/utils.ts"],"sourcesContent":["import type { Handler } from \"gensync\";\n\nimport { makeStrongCache } from \"../caching.ts\";\nimport type { CacheConfigurator } from \"../caching.ts\";\nimport * as fs from \"../../gensync-utils/fs.ts\";\nimport nodeFs from \"node:fs\";\n\nexport function makeStaticFileCache<T>(\n  fn: (filepath: string, contents: string) => T,\n) {\n  return makeStrongCache(function* (\n    filepath: string,\n    cache: CacheConfigurator<void>,\n  ): Handler<null | T> {\n    const cached = cache.invalidate(() => fileMtime(filepath));\n\n    if (cached === null) {\n      return null;\n    }\n\n    return fn(filepath, yield* fs.readFile(filepath, \"utf8\"));\n  });\n}\n\nfunction fileMtime(filepath: string): number | null {\n  if (!nodeFs.existsSync(filepath)) return null;\n\n  try {\n    return +nodeFs.statSync(filepath).mtime;\n  } catch (e) {\n    if (e.code !== \"ENOENT\" && e.code !== \"ENOTDIR\") throw e;\n  }\n\n  return null;\n}\n"],"mappings":";;;;;;AAEA,IAAAA,QAAA,GAAAC,OAAA;AAEA,IAAAC,EAAA,GAAAD,OAAA;AACA,SAAAE,KAAA;EAAA,MAAAC,IAAA,GAAAH,OAAA;EAAAE,IAAA,YAAAA,CAAA;IAAA,OAAAC,IAAA;EAAA;EAAA,OAAAA,IAAA;AAAA;AAEO,SAASC,mBAAmBA,CACjCC,EAA6C,EAC7C;EACA,OAAO,IAAAC,wBAAe,EAAC,WACrBC,QAAgB,EAChBC,KAA8B,EACX;IACnB,MAAMC,MAAM,GAAGD,KAAK,CAACE,UAAU,CAAC,MAAMC,SAAS,CAACJ,QAAQ,CAAC,CAAC;IAE1D,IAAIE,MAAM,KAAK,IAAI,EAAE;MACnB,OAAO,IAAI;IACb;IAEA,OAAOJ,EAAE,CAACE,QAAQ,EAAE,OAAON,EAAE,CAACW,QAAQ,CAACL,QAAQ,EAAE,MAAM,CAAC,CAAC;EAC3D,CAAC,CAAC;AACJ;AAEA,SAASI,SAASA,CAACJ,QAAgB,EAAiB;EAClD,IAAI,CAACM,KAAKA,CAAC,CAACC,UAAU,CAACP,QAAQ,CAAC,EAAE,OAAO,IAAI;EAE7C,IAAI;IACF,OAAO,CAACM,KAAKA,CAAC,CAACE,QAAQ,CAACR,QAAQ,CAAC,CAACS,KAAK;EACzC,CAAC,CAAC,OAAOC,CAAC,EAAE;IACV,IAAIA,CAAC,CAACC,IAAI,KAAK,QAAQ,IAAID,CAAC,CAACC,IAAI,KAAK,SAAS,EAAE,MAAMD,CAAC;EAC1D;EAEA,OAAO,IAAI;AACb;AAAC","ignoreList":[]}
@@ -0,0 +1,312 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.default = void 0;
 function _gensync() {
  const data = require("gensync");
  _gensync = function () {
    return data;
  };
  return data;
 }
 var _async = require("../gensync-utils/async.js");
 var _util = require("./util.js");
 var context = require("../index.js");
 var _plugin = require("./plugin.js");
 var _item = require("./item.js");
 var _configChain = require("./config-chain.js");
 var _deepArray = require("./helpers/deep-array.js");
 function _traverse() {
  const data = require("@babel/traverse");
  _traverse = function () {
    return data;
  };
  return data;
 }
 var _caching = require("./caching.js");
 var _options = require("./validation/options.js");
 var _plugins = require("./validation/plugins.js");
 var _configApi = require("./helpers/config-api.js");
 var _partial = require("./partial.js");
 var _configError = require("../errors/config-error.js");
 var _default = exports.default = _gensync()(function* loadFullConfig(inputOpts) {
  var _opts$assumptions;
  const result = yield* (0, _partial.default)(inputOpts);
  if (!result) {
    return null;
  }
  const {
    options,
    context,
    fileHandling
  } = result;
  if (fileHandling === "ignored") {
    return null;
  }
  const optionDefaults = {};
  const {
    plugins,
    presets
  } = options;
  if (!plugins || !presets) {
    throw new Error("Assertion failure - plugins and presets exist");
  }
  const presetContext = Object.assign({}, context, {
    targets: options.targets
  });
  const toDescriptor = item => {
    const desc = (0, _item.getItemDescriptor)(item);
    if (!desc) {
      throw new Error("Assertion failure - must be config item");
    }
    return desc;
  };
  const presetsDescriptors = presets.map(toDescriptor);
  const initialPluginsDescriptors = plugins.map(toDescriptor);
  const pluginDescriptorsByPass = [[]];
  const passes = [];
  const externalDependencies = [];
  const ignored = yield* enhanceError(context, function* recursePresetDescriptors(rawPresets, pluginDescriptorsPass) {
    const presets = [];
    for (let i = 0; i < rawPresets.length; i++) {
      const descriptor = rawPresets[i];
      if (descriptor.options !== false) {
        try {
          var preset = yield* loadPresetDescriptor(descriptor, presetContext);
        } catch (e) {
          if (e.code === "BABEL_UNKNOWN_OPTION") {
            (0, _options.checkNoUnwrappedItemOptionPairs)(rawPresets, i, "preset", e);
          }
          throw e;
        }
        externalDependencies.push(preset.externalDependencies);
        if (descriptor.ownPass) {
          presets.push({
            preset: preset.chain,
            pass: []
          });
        } else {
          presets.unshift({
            preset: preset.chain,
            pass: pluginDescriptorsPass
          });
        }
      }
    }
    if (presets.length > 0) {
      pluginDescriptorsByPass.splice(1, 0, ...presets.map(o => o.pass).filter(p => p !== pluginDescriptorsPass));
      for (const {
        preset,
        pass
      } of presets) {
        if (!preset) return true;
        pass.push(...preset.plugins);
        const ignored = yield* recursePresetDescriptors(preset.presets, pass);
        if (ignored) return true;
        preset.options.forEach(opts => {
          (0, _util.mergeOptions)(optionDefaults, opts);
        });
      }
    }
  })(presetsDescriptors, pluginDescriptorsByPass[0]);
  if (ignored) return null;
  const opts = optionDefaults;
  (0, _util.mergeOptions)(opts, options);
  const pluginContext = Object.assign({}, presetContext, {
    assumptions: (_opts$assumptions = opts.assumptions) != null ? _opts$assumptions : {}
  });
  yield* enhanceError(context, function* loadPluginDescriptors() {
    pluginDescriptorsByPass[0].unshift(...initialPluginsDescriptors);
    for (const descs of pluginDescriptorsByPass) {
      const pass = [];
      passes.push(pass);
      for (let i = 0; i < descs.length; i++) {
        const descriptor = descs[i];
        if (descriptor.options !== false) {
          try {
            var plugin = yield* loadPluginDescriptor(descriptor, pluginContext);
          } catch (e) {
            if (e.code === "BABEL_UNKNOWN_PLUGIN_PROPERTY") {
              (0, _options.checkNoUnwrappedItemOptionPairs)(descs, i, "plugin", e);
            }
            throw e;
          }
          pass.push(plugin);
          externalDependencies.push(plugin.externalDependencies);
        }
      }
    }
  })();
  opts.plugins = passes[0];
  opts.presets = passes.slice(1).filter(plugins => plugins.length > 0).map(plugins => ({
    plugins
  }));
  opts.passPerPreset = opts.presets.length > 0;
  return {
    options: opts,
    passes: passes,
    externalDependencies: (0, _deepArray.finalize)(externalDependencies)
  };
 });
 function enhanceError(context, fn) {
  return function* (arg1, arg2) {
    try {
      return yield* fn(arg1, arg2);
    } catch (e) {
      if (!e.message.startsWith("[BABEL]")) {
        var _context$filename;
        e.message = `[BABEL] ${(_context$filename = context.filename) != null ? _context$filename : "unknown file"}: ${e.message}`;
      }
      throw e;
    }
  };
 }
 const makeDescriptorLoader = apiFactory => (0, _caching.makeWeakCache)(function* ({
  value,
  options,
  dirname,
  alias
 }, cache) {
  if (options === false) throw new Error("Assertion failure");
  options = options || {};
  const externalDependencies = [];
  let item = value;
  if (typeof value === "function") {
    const factory = (0, _async.maybeAsync)(value, `You appear to be using an async plugin/preset, but Babel has been called synchronously`);
    const api = Object.assign({}, context, apiFactory(cache, externalDependencies));
    try {
      item = yield* factory(api, options, dirname);
    } catch (e) {
      if (alias) {
        e.message += ` (While processing: ${JSON.stringify(alias)})`;
      }
      throw e;
    }
  }
  if (!item || typeof item !== "object") {
    throw new Error("Plugin/Preset did not return an object.");
  }
  if ((0, _async.isThenable)(item)) {
    yield* [];
    throw new Error(`You appear to be using a promise as a plugin, ` + `which your current version of Babel does not support. ` + `If you're using a published plugin, ` + `you may need to upgrade your @babel/core version. ` + `As an alternative, you can prefix the promise with "await". ` + `(While processing: ${JSON.stringify(alias)})`);
  }
  if (externalDependencies.length > 0 && (!cache.configured() || cache.mode() === "forever")) {
    let error = `A plugin/preset has external untracked dependencies ` + `(${externalDependencies[0]}), but the cache `;
    if (!cache.configured()) {
      error += `has not been configured to be invalidated when the external dependencies change. `;
    } else {
      error += ` has been configured to never be invalidated. `;
    }
    error += `Plugins/presets should configure their cache to be invalidated when the external ` + `dependencies change, for example using \`api.cache.invalidate(() => ` + `statSync(filepath).mtimeMs)\` or \`api.cache.never()\`\n` + `(While processing: ${JSON.stringify(alias)})`;
    throw new Error(error);
  }
  return {
    value: item,
    options,
    dirname,
    alias,
    externalDependencies: (0, _deepArray.finalize)(externalDependencies)
  };
 });
 const pluginDescriptorLoader = makeDescriptorLoader(_configApi.makePluginAPI);
 const presetDescriptorLoader = makeDescriptorLoader(_configApi.makePresetAPI);
 const instantiatePlugin = (0, _caching.makeWeakCache)(function* ({
  value,
  options,
  dirname,
  alias,
  externalDependencies
 }, cache) {
  const pluginObj = (0, _plugins.validatePluginObject)(value);
  const plugin = Object.assign({}, pluginObj);
  if (plugin.visitor) {
    plugin.visitor = _traverse().default.explode(Object.assign({}, plugin.visitor));
  }
  if (plugin.inherits) {
    const inheritsDescriptor = {
      name: undefined,
      alias: `${alias}$inherits`,
      value: plugin.inherits,
      options,
      dirname
    };
    const inherits = yield* (0, _async.forwardAsync)(loadPluginDescriptor, run => {
      return cache.invalidate(data => run(inheritsDescriptor, data));
    });
    plugin.pre = chainMaybeAsync(inherits.pre, plugin.pre);
    plugin.post = chainMaybeAsync(inherits.post, plugin.post);
    plugin.manipulateOptions = chainMaybeAsync(inherits.manipulateOptions, plugin.manipulateOptions);
    plugin.visitor = _traverse().default.visitors.merge([inherits.visitor || {}, plugin.visitor || {}]);
    if (inherits.externalDependencies.length > 0) {
      if (externalDependencies.length === 0) {
        externalDependencies = inherits.externalDependencies;
      } else {
        externalDependencies = (0, _deepArray.finalize)([externalDependencies, inherits.externalDependencies]);
      }
    }
  }
  return new _plugin.default(plugin, options, alias, externalDependencies);
 });
 function* loadPluginDescriptor(descriptor, context) {
  if (descriptor.value instanceof _plugin.default) {
    if (descriptor.options) {
      throw new Error("Passed options to an existing Plugin instance will not work.");
    }
    return descriptor.value;
  }
  return yield* instantiatePlugin(yield* pluginDescriptorLoader(descriptor, context), context);
 }
 const needsFilename = val => val && typeof val !== "function";
 const validateIfOptionNeedsFilename = (options, descriptor) => {
  if (needsFilename(options.test) || needsFilename(options.include) || needsFilename(options.exclude)) {
    const formattedPresetName = descriptor.name ? `"${descriptor.name}"` : "/* your preset */";
    throw new _configError.default([`Preset ${formattedPresetName} requires a filename to be set when babel is called directly,`, `\`\`\``, `babel.transformSync(code, { filename: 'file.ts', presets: [${formattedPresetName}] });`, `\`\`\``, `See https://babeljs.io/docs/en/options#filename for more information.`].join("\n"));
  }
 };
 const validatePreset = (preset, context, descriptor) => {
  if (!context.filename) {
    var _options$overrides;
    const {
      options
    } = preset;
    validateIfOptionNeedsFilename(options, descriptor);
    (_options$overrides = options.overrides) == null || _options$overrides.forEach(overrideOptions => validateIfOptionNeedsFilename(overrideOptions, descriptor));
  }
 };
 const instantiatePreset = (0, _caching.makeWeakCacheSync)(({
  value,
  dirname,
  alias,
  externalDependencies
 }) => {
  return {
    options: (0, _options.validate)("preset", value),
    alias,
    dirname,
    externalDependencies
  };
 });
 function* loadPresetDescriptor(descriptor, context) {
  const preset = instantiatePreset(yield* presetDescriptorLoader(descriptor, context));
  validatePreset(preset, context, descriptor);
  return {
    chain: yield* (0, _configChain.buildPresetChain)(preset, context),
    externalDependencies: preset.externalDependencies
  };
 }
 function chainMaybeAsync(a, b) {
  if (!a) return b;
  if (!b) return a;
  return function (...args) {
    const res = a.apply(this, args);
    if (res && typeof res.then === "function") {
      return res.then(() => b.apply(this, args));
    }
    return b.apply(this, args);
  };
 }
 0 && 0;
 //# sourceMappingURL=full.js.map
@@ -0,0 +1,85 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.makeConfigAPI = makeConfigAPI;
 exports.makePluginAPI = makePluginAPI;
 exports.makePresetAPI = makePresetAPI;
 function _semver() {
  const data = require("semver");
  _semver = function () {
    return data;
  };
  return data;
 }
 var _index = require("../../index.js");
 var _caching = require("../caching.js");
 function makeConfigAPI(cache) {
  const env = value => cache.using(data => {
    if (value === undefined) return data.envName;
    if (typeof value === "function") {
      return (0, _caching.assertSimpleType)(value(data.envName));
    }
    return (Array.isArray(value) ? value : [value]).some(entry => {
      if (typeof entry !== "string") {
        throw new Error("Unexpected non-string value");
      }
      return entry === data.envName;
    });
  });
  const caller = cb => cache.using(data => (0, _caching.assertSimpleType)(cb(data.caller)));
  return {
    version: _index.version,
    cache: cache.simple(),
    env,
    async: () => false,
    caller,
    assertVersion
  };
 }
 function makePresetAPI(cache, externalDependencies) {
  const targets = () => JSON.parse(cache.using(data => JSON.stringify(data.targets)));
  const addExternalDependency = ref => {
    externalDependencies.push(ref);
  };
  return Object.assign({}, makeConfigAPI(cache), {
    targets,
    addExternalDependency
  });
 }
 function makePluginAPI(cache, externalDependencies) {
  const assumption = name => cache.using(data => data.assumptions[name]);
  return Object.assign({}, makePresetAPI(cache, externalDependencies), {
    assumption
  });
 }
 function assertVersion(range) {
  if (typeof range === "number") {
    if (!Number.isInteger(range)) {
      throw new Error("Expected string or integer value.");
    }
    range = `^${range}.0.0-0`;
  }
  if (typeof range !== "string") {
    throw new Error("Expected string or integer value.");
  }
  if (range === "*" || _semver().satisfies(_index.version, range)) return;
  const message = `Requires Babel "${range}", but was loaded with "${_index.version}". ` + `If you are sure you have a compatible version of @babel/core, ` + `it is likely that something in your build process is loading the ` + `wrong version. Inspect the stack trace of this error to look for ` + `the first entry that doesn't mention "@babel/core" or "babel-core" ` + `to see what is calling Babel.`;
  const limit = Error.stackTraceLimit;
  if (typeof limit === "number" && limit < 25) {
    Error.stackTraceLimit = 25;
  }
  const err = new Error(message);
  if (typeof limit === "number") {
    Error.stackTraceLimit = limit;
  }
  throw Object.assign(err, {
    code: "BABEL_VERSION_UNSUPPORTED",
    version: _index.version,
    range
  });
 }
 0 && 0;
 //# sourceMappingURL=config-api.js.map
@@ -0,0 +1,23 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", {
  value: true
 });
 exports.finalize = finalize;
 exports.flattenToSet = flattenToSet;
 function finalize(deepArr) {
  return Object.freeze(deepArr);
 }
 function flattenToSet(arr) {
  const result = new Set();
  const stack = [arr];
  while (stack.length > 0) {
    for (const el of stack.pop()) {
      if (Array.isArray(el)) stack.push(el);else result.add(el);
    }
  }
  return result;
 }
 0 && 0;
 //# sourceMappingURL=deep-array.js.map
@@ -0,0 +1 @@
 {"version":3,"names":["finalize","deepArr","Object","freeze","flattenToSet","arr","result","Set","stack","length","el","pop","Array","isArray","push","add"],"sources":["../../../src/config/helpers/deep-array.ts"],"sourcesContent":["export type DeepArray<T> = (T | ReadonlyDeepArray<T>)[];\n\n// Just to make sure that DeepArray<T> is not assignable to ReadonlyDeepArray<T>\ndeclare const __marker: unique symbol;\nexport type ReadonlyDeepArray<T> = readonly (T | ReadonlyDeepArray<T>)[] & {\n  [__marker]: true;\n};\n\nexport function finalize<T>(deepArr: DeepArray<T>): ReadonlyDeepArray<T> {\n  return Object.freeze(deepArr) as ReadonlyDeepArray<T>;\n}\n\nexport function flattenToSet<T extends string>(\n  arr: ReadonlyDeepArray<T>,\n): Set<T> {\n  const result = new Set<T>();\n  const stack = [arr];\n  while (stack.length > 0) {\n    for (const el of stack.pop()) {\n      if (Array.isArray(el)) stack.push(el as ReadonlyDeepArray<T>);\n      else result.add(el as T);\n    }\n  }\n  return result;\n}\n"],"mappings":";;;;;;;AAQO,SAASA,QAAQA,CAAIC,OAAqB,EAAwB;EACvE,OAAOC,MAAM,CAACC,MAAM,CAACF,OAAO,CAAC;AAC/B;AAEO,SAASG,YAAYA,CAC1BC,GAAyB,EACjB;EACR,MAAMC,MAAM,GAAG,IAAIC,GAAG,CAAI,CAAC;EAC3B,MAAMC,KAAK,GAAG,CAACH,GAAG,CAAC;EACnB,OAAOG,KAAK,CAACC,MAAM,GAAG,CAAC,EAAE;IACvB,KAAK,MAAMC,EAAE,IAAIF,KAAK,CAACG,GAAG,CAAC,CAAC,EAAE;MAC5B,IAAIC,KAAK,CAACC,OAAO,CAACH,EAAE,CAAC,EAAEF,KAAK,CAACM,IAAI,CAACJ,EAA0B,CAAC,CAAC,KACzDJ,MAAM,CAACS,GAAG,CAACL,EAAO,CAAC;IAC1B;EACF;EACA,OAAOJ,MAAM;AACf;AAAC","ignoreList":[]}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
egutierrez	4dea99a524	chore: auto-commit (1 archivos) - build/ Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-14 23:55:18 +02:00
egutierrez	07978fc697	Merge branch 'issue/room-history-endpoint' Server owns the JetStream stream of persisted rooms + GET /rooms/{id}/history so clients without JetStream (uniweb) can read the backlog over plain HTTP.	2026-06-14 19:47:05 +02:00
egutierrez	bf47511f2a	docs(unibus): bump to 0.16.0; document server stream ownership + history endpoint Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 19:46:56 +02:00
egutierrez	73fd89f0b9	feat(membershipd): open JetStream for the embedded node + wire it into the server The control plane previously opened a privileged JetStream client only when clustered or running --store kv (needJS). It now also opens one for a standalone single-node embedded deployment (openJS = needJS \|\| embedded), because the embedded NATS always ships JetStream and the server needs it to own persisted rooms' durable streams (ensure on create + serve GET /rooms/{id}/history). An external NATS without a cluster/KV feature is unchanged (no JetStream; history degrades to empty). The internal service identity is generated under the same broadened condition so the in-process JetStream connection authenticates under enforce. After NewServer the js context is wired via SetJetStream with the control-plane KV replication factor, so a persisted room's history is as available as its metadata. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 19:46:56 +02:00
egutierrez	e71063b16e	feat(membership): server owns persisted rooms' stream + GET /rooms/{id}/history The durable JetStream stream of a persisted (ModeMatrix) room was created only by the Go client's first publish/subscribe. A client that speaks only core NATS (the browser client uniweb, which has no JetStream) therefore never created it, so its messages were captured nowhere and lost on reload. Move stream ownership to the control plane and expose the backlog over plain HTTP. - handleCreateRoom ensures the room's stream (idempotent CreateOrUpdateStream) BEFORE writing the room row, so the subject is captured from the first message whoever publishes it. Done before the store write so a stream failure leaves no orphan room. Skipped when no JetStream is wired (room still works, no history). - New member-only GET /rooms/{id}/history?limit=N (default 200, hard cap 1000): reads the stream server-side via the modern jetstream API (Stream.Info + GetMsg by sequence, no consumer) and returns the last N frames oldest->newest as {"messages":[<base64-std of the marshaled frame>]}. The server never decrypts — it relays the E2E ciphertext bytes the stream already holds. Existence is checked first (404), then membership (403); enforce rejects an unsigned request with 401 before the handler runs. - Lazy backfill: the history endpoint ensures the stream of a pre-existing persisted room, so it starts capturing from now on. Messages sent before the stream existed were never captured and are unrecoverable. - The stream config (streamConfigForRoom) mirrors pkg/client/persist.go byte-for-byte plus Replicas (matched to the control-plane KV replication). It is copied rather than imported because pkg/client imports pkg/membership and the reverse would be an import cycle; the source of truth is documented in a comment. - Server gains SetJetStream(js, replicas) to wire the privileged JetStream context and the room-stream replication factor. Tests (history_test.go): golden (3 frames round-trip in order, decodable), core-NATS capture (the central fix), handleCreateRoom creates the stream, limit, empty room ([] not null), 401 unsigned, 403 non-member, 404 missing room. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 19:46:45 +02:00
egutierrez	3fdbb54353	Merge branch 'quick/directory-route-path' fix: directory route registered as /directory (Caddy strips /api) — was 404 in prod	2026-06-14 16:05:06 +02:00
egutierrez	8c3ddaa294	fix(membership): register directory route as /directory, not /api/directory Caddy strips /api via `handle_path /api/*` before forwarding to membershipd, so the SPA's GET /api/directory arrives as GET /directory. The route was registered with the /api prefix, so the stripped request hit no route and returned 404 in production: the directory never resolved and uniweb fell back to short ids. Every other control-plane route is registered without the prefix; this aligns directory with them. The unit test passed despite the bug because it requested /api/directory, the same wrong path as the registration. Corrected the request paths to /directory so the test now exercises the real production path (verified: reverting the registration to /api/directory now makes TestDirectoryGolden fail with 404). Bump 0.15.0 -> 0.15.1. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 16:05:00 +02:00
egutierrez	e48b092135	Merge branch 'issue/names-bot-provisioning' Integra GET /api/directory (endpoint->handle resolution) y el provisioning one-command de bots (membershipd bot add).	2026-06-14 15:39:55 +02:00
egutierrez	0b39e86ed6	docs(unibus): bump to 0.15.0; document directory + bot provisioning Add the 'Directorio de nombres (endpoint -> handle)' and 'Provisioning de bots / unibots' sections with an end-to-end snippet, and a capability growth log entry for v0.15.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 15:32:00 +02:00
egutierrez	669bad52af	feat(membershipd): one-command bot provisioning (bot add) Add `membershipd bot add --handle <name> --out <path> [--role] [--store]` to provision a bus identity for an automated process in a single step: mint a fresh Ed25519+X25519 identity (cs.GenerateIdentity, the same derivation worker/chat use), register its signing key in the allowlist, and write the credentials to a 0600 file. The file is the canonical identity format read by client.LoadIdentity, so a worker/clientcheck binary pointed at --out connects as the new user with no extra conversion. Shares the sqlite/kv store plumbing with `user add`. New exported pkg/client.WriteNewIdentity writes an identity in that format but refuses to overwrite an existing file (never silently clobber private keys). provisionBot ordering guarantees no half-provisioned bot: refuse an existing --out before touching the store, register (an already-registered key is a clear error, not a panic), then write credentials. Tests cover the golden path (register + 0600 file + LoadIdentity round-trip), default role, the already-registered error path (no file written), and the out-exists error path (no orphan user). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 15:30:17 +02:00
egutierrez	2ba40701b2	feat(membership): add GET /api/directory for endpoint->handle resolution Authenticated bus users (member or admin) can now map a sender's endpoint id back to a readable handle. The endpoint is derived server-side from each user's sign_pub with frame.EndpointID (base64url(sha256(signPub)), unpadded), matching the bus's own construction byte-for-byte. Only active users are listed; under enforce the existing auth middleware rejects an unauthenticated caller with 401. Tests cover the golden path (two users -> 200 with handles + endpoints), the auth contract (unsigned -> 401), revoked-user exclusion, and endpoint parity against the cross-language vector from cmd/busvectors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 15:27:38 +02:00
egutierrez	363aa97def	Merge branch 'quick/proxy-ready'	2026-06-14 13:49:24 +02:00
egutierrez	e3f40913bc	chore(deploy): version the same-origin Caddy config for uniweb Capture the reverse-proxy vhost that fronts the browser-native uniweb client on magnus (chat-<hash>.organic-machine.com): the SPA at /, the signed control plane under /api (prefix stripped so request signatures verify), and the NATS-over-WebSocket data plane under /nats. One origin means no CORS and keeps the cluster node IPs hidden behind the proxy. Self-contained fragment (includes the shared security_headers snippet) so it validates with `caddy validate` on its own; the other vhosts on magnus carry basic-auth secrets and are intentionally left out of git. Documents the matching membershipd flags this config requires (--cors-origins with the same-origin host, --trusted-proxies naming the Caddy node). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 12:43:15 +02:00
egutierrez	0b96c114b6	feat(membership): trust reverse-proxy forwarded client IP for rate limit The per-IP rate limiter keys on the transport RemoteAddr. Behind the same-origin Caddy proxy that fronts the control plane, every request arrives with the proxy's single IP, which collapses the limiter into one bucket shared by the whole world — a flood from one client throttles all of them. Add an opt-in `--trusted-proxies` flag (comma-separated IPs/CIDRs). When the immediate peer is one of the named proxies, clientIP now believes its X-Forwarded-For (read right-to-left, skipping trusted hops) or X-Real-IP and keys on the real client. A direct, non-trusted peer's forwarding headers are ignored entirely, so this opens no quota-fanning hole: an attacker connecting straight to the public :8470 cannot spoof a key. The zero value (no flag) preserves the prior RemoteAddr-only behavior exactly. Covered by ratelimit_proxy_test.go: trusted vs untrusted peers, XFF right-to-left precedence, client-prepended forgery, X-Real-IP fallback, and rejection of malformed proxy entries. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 12:29:57 +02:00
egutierrez	294905984c	fix(membership): allow X-Unibus-* auth headers in CORS preflight A browser signs every control-plane request with X-Unibus-Pub/Ts/Nonce/Sig (busauth.signedHeaders). The CORS Allow-Headers only listed Content-Type and Authorization, so the browser's preflight rejected the real request and the SPA failed with 'Failed to fetch' on the first authenticated call (listRooms). Add the four X-Unibus-* headers to Access-Control-Allow-Headers. This was invisible to the Node smoke (fetch in Node does no CORS preflight); only a real browser surfaced it. Verified live: enmanuel logs into uniweb against the cluster and lists rooms. Regression test asserts the header is present.	2026-06-14 12:12:20 +02:00
egutierrez	feb917fc6a	feat(cluster): deploy browser WebSocket + CORS to the 3-node cluster Roll the --ws-port + --cors-origins flags (issue uniweb/0001) out to the unibus cluster so the browser-native uniweb client can reach the data plane (nats.ws) and the control plane (CORS) on every node. The WS reuses the data-plane TLS (wss://) and the same origin allowlist. Per-node WS port override (WS_PORT_<NAME>): magnus runs unibus_admin on 127.0.0.1:8480, so the bus WS binds 8485 there to avoid a crash-loop; homer and datardos keep 8480. deploy-cluster.sh also gains DEPLOY_ONLY=<name> for rolling one node at a time. Rolled out and verified 2026-06-13: all three nodes healthy, WS reachable, CORS 204, cluster quorum (R3) intact throughout.	2026-06-13 23:23:52 +02:00
egutierrez	c0216de766	feat(membershipd): --ws-port wires the embedded NATS WebSocket listener Phase 0 left the WebsocketConfig field unwired; add --ws-port so membershipd can actually expose the browser data-plane transport. It reuses the data-plane TLS (wss:// when TLS is on, ws:// for a loopback dev stack) and the same --cors-origins allowlist that gates the control plane, so one flag pair opens both planes to the browser-native uniweb client (issue uniweb/0001).	2026-06-13 23:05:33 +02:00
egutierrez	0088fb946b	feat(busvectors): add nkey + signed control-request vectors Extend the cross-language vectors with the NATS user nkey derived from the Ed25519 public key, and a signed control-plane request (CanonicalRequest + Ed25519 signature). These let the TypeScript busauth port verify it authenticates on both planes exactly like the Go client (issue uniweb/0001, Phase 1).	2026-06-13 22:49:20 +02:00
egutierrez	e058b324f4	Merge branch 'quick/0001-ws-cors-prep'	2026-06-13 22:21:51 +02:00
egutierrez	a5086ecd18	chore: bump unibus to 0.14.0 (browser-native client prep, Phase 0)	2026-06-13 22:21:51 +02:00
egutierrez	8a51c5cc1f	feat(busvectors): deterministic cross-language test vectors Add cmd/busvectors, a generator that emits stable JSON test vectors for the bus protocol and its E2E crypto (endpoint id, Ed25519 sign, ChaCha20-Poly1305 AEAD with a fixed nonce, sealed-box of a room key, and canonical Frame wire bytes + SigningBytes). It uses the same registry crypto (functions/cybersecurity) the bus uses, so the vectors are the contract the TypeScript port must match byte-for-byte (issue uniweb/0001, Phase 0). Regenerate with: go run ./cmd/busvectors > ../uniweb/web/src/bus/testdata/vectors.json	2026-06-13 22:21:32 +02:00
egutierrez	ec8d34aaa1	feat(membership): opt-in CORS allowlist for the browser-native client Add Server.AllowedOrigins and an applyCORS step at the top of ServeHTTP so a browser SPA (uniweb) can call the control plane cross-origin: an allow-listed Origin gets the Access-Control-Allow-* headers, and a preflight (OPTIONS) is answered 204 before the rate limiter and auth ever run. A disallowed or missing origin gets no headers (preflight 403), so the browser blocks the request. Wire it through membershipd's --cors-origins flag (comma list, reusing splitRoutes as a generic parser). Empty allowlist = CORS off, no headers emitted, behavior identical to before: native Go/Kotlin clients send no Origin and are unaffected. Opt-in per deployment (issue uniweb/0001, Phase 0). Tests: preflight allow/deny, header on the real response, CORS-off default, and no-Origin native client unaffected.	2026-06-13 22:17:44 +02:00
egutierrez	36f4ba0eaf	feat(embeddednats): optional WebSocket listener for browser clients Add WebsocketConfig to ServerConfig so the embedded nats-server can expose an additional WebSocket port (nats.ws) alongside the TCP data plane. This lets a browser SPA speak the NATS protocol directly, the way native TCP peers (Go, Kotlin/android) already do — the first enabler for uniweb becoming a browser-native client with no Go gateway (issue uniweb/0001, Phase 0). The client authenticator applies to WebSocket connections too, so this adds a transport, not a trust bypass. Plain ws:// is used only without TLS (loopback dev); a certificate yields wss://. An empty AllowedOrigins enforces same-origin. Nil WebsocketConfig keeps the server TCP-only, so existing single-node and cluster deployments are unchanged. Tests: WebSocket listener opens and completes the upgrade handshake (101); no listener opens when WebsocketConfig is nil.	2026-06-13 22:11:39 +02:00
egutierrez	9661a5ce1f	refactor: split web frontend + gateway out to uniweb app (bump 0.13.0) The SPA (web/) and the web gateway (cmd/webgw) move to a dedicated app projects/message_bus/apps/uniweb (its own Gitea sub-repo). unibus is now strictly the bus plane: membership/keys, the client library and demo peers. uniweb consumes unibus as a Go module via replace => ../unibus. No capability lost; same SPA and gateway, in their own service folder. go build/vet/test green after extraction.	2026-06-13 21:21:08 +02:00
egutierrez	fadee1a7d0	Merge branch 'integrate/web-join-0.12.0'	2026-06-13 21:17:37 +02:00
egutierrez	9567ff4db9	chore: bump unibus to 0.12.0 (web wallet + per-user gateway)	2026-06-13 21:17:37 +02:00
egutierrez	9e01060931	Merge branch 'master' into integrate/web-join-0.12.0	2026-06-13 21:16:25 +02:00
egutierrez	f31580deec	Merge quick/nats-monitor-flag: UNIBUS_NATS_MONITOR loopback monitoring decoupled from debug log (bump 0.11.0)	2026-06-07 21:18:59 +02:00
Egutierrez	1c9325104c	feat(embeddednats): UNIBUS_NATS_MONITOR flag decoupled from debug log Add a dedicated UNIBUS_NATS_MONITOR=1 toggle that opens the embedded nats-server monitoring HTTP endpoint (127.0.0.1:8222, loopback only) so a local metrics scraper can read /varz, /connz and /jsz for server-level metrics (msgs/s, connections, KV bucket msgs, RAFT leader per stream, restarts). Previously the monitoring endpoint was only reachable via UNIBUS_NATS_DEBUG=1, which is coupled to the verbose nats-server debug log: enabling the endpoint also wrote routes/RAFT/room subjects to journald in clear, which regresses the hardened posture (issue 0007). The two concerns are now decoupled. The toggle computation is extracted to a pure function natsLogOpts(debugEnv, monitorEnv) (noLog, debug, trace, monitor): MONITOR=1 opens the endpoint while keeping the log quiet (NoLog true / Debug false). The inverse coupling is preserved for backward compatibility (DEBUG still implies MONITOR). The 127.0.0.1 bind stays hardcoded — the monitoring endpoint has no auth and must never be reachable from the network. Deploy wiring versioned: additive systemd drop-in membershipd-cluster.service.d/nats-monitor.conf (Environment=UNIBUS_NATS_MONITOR=1) plus a "NATS server metrics" section in the cluster README with the rolling activation runbook (magnus -> homer -> datardos) gated on R3 reconvergence (followers 2/2) between nodes. Tests: pure decoupling table (monitor on => log NOT debug; debug => monitor; default closed) + a real embedded server with MONITOR=1 asserting /varz answers 200 on loopback:8222, and a server without the flag with the endpoint closed. 100% additive: behavior is identical without the flag. Bump app.md 0.10.0 -> 0.11.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 20:57:46 +02:00
		`@@ -0,0 +1 @@`
							`../../../@babel+helper-validator-identifier@7.29.7/node_modules/@babel/helper-validator-identifier`
		`@@ -0,0 +1 @@`
							`../../js-tokens@4.0.0/node_modules/js-tokens`
		`@@ -0,0 +1 @@`
							`../../picocolors@1.1.1/node_modules/picocolors`
		`@@ -0,0 +1,2 @@`
							`// Todo (Babel 8): remove this file as Babel 8 drop support of core-js 2`
							`module.exports = require("./data/corejs2-built-ins.json");`
		`@@ -0,0 +1,2 @@`
							`// Todo (Babel 8): remove this file now that it is included in babel-plugin-polyfill-corejs3`
							`module.exports = require("./data/corejs3-shipped-proposals.json");`
		`@@ -0,0 +1,2 @@`
							`// Todo (Babel 8): remove this file, in Babel 8 users import the .json directly`
							`module.exports = require("./data/native-modules.json");`
		`@@ -0,0 +1,2 @@`
							`// Todo (Babel 8): remove this file, in Babel 8 users import the .json directly`
							`module.exports = require("./data/overlapping-plugins.json");`
		`@@ -0,0 +1,2 @@`
							`// Todo (Babel 8): remove this file, in Babel 8 users import the .json directly`
							`module.exports = require("./data/plugin-bugfixes.json");`
		`@@ -0,0 +1 @@`
							`../../../@babel+code-frame@7.29.7/node_modules/@babel/code-frame`