@abndnce/pulsar-client 0.0.10 → 0.0.12

package/dist/index.d.mts

@@ -22,21 +22,6 @@ interface PulsarClientConnection {
 declare function connectDirect(host: string, port: number): Promise<PulsarClientConnection>;
 //#endregion
 //#region lib/connection/nostr.d.ts
-/**
- * Establish a Pulsar tunnel via Nostr relay signaling.
- *
- * 1. Connects to a Nostr relay (tries nostr.data.haus first,
- *    then kotukonostr.onrender.com)
- * 2. Looks up the tunnel's discovery event (Kind 38000, d="pulsar-tunnel").
- *    If `tunnelCode` is given (e.g. "a3f2"), filters to the tunnel
- *    whose pubkey begins with those 4 hex characters.
- * 3. Generates an ephemeral client keypair
- * 4. Creates a WebRTC offer
- * 5. Encrypts the offer and sends via a Kind 28000 ephemeral event
- * 6. Waits for the encrypted answer
- * 7. Sets the answer as remote description
- * 8. Returns the connected PulsarClientConnection
- */
 declare function connectNostr(tunnelCode?: string): Promise<PulsarClientConnection>;
 //#endregion
 //#region lib/socket-channel.d.ts

package/dist/index.mjs

@@ -1,12 +1,164 @@
 import { schnorr, secp256k1 } from "@noble/curves/secp256k1";
 //#region ../core/constants.ts
+const SOCKET_PREFIX = "socket/";
+const KEEPALIVE_LABEL = "keepalive";
 const PULSAR_UFRAG = "pulsar";
 const PULSAR_PWD = "pulsarpulsarpulsarpuls";
 const PULSAR_FINGERPRINT = "F1:85:10:8F:36:FF:58:D8:D0:4B:52:D7:ED:DC:5C:28:AE:7D:DB:54:0E:2A:DD:C7:C3:94:EA:A1:27:D0:4E:78";
-/** Label prefix for socket tunnel data channels. */
-const SOCKET_PREFIX = "socket/";
-/** Label for the mandatory keepalive data channel. */
-const KEEPALIVE_LABEL = "keepalive";
+//#endregion
+//#region ../core/webrtc.ts
+const DEFAULT_ICE_SERVERS = [{ urls: "stun:stun.l.google.com:19302" }, { urls: "stun:global.stun.twilio.com:3478" }];
+const ICE_GATHER_TIMEOUT_MS = 3e3;
+const CONNECTION_TIMEOUT_MS = 3e4;
+async function waitForIceGathering(pc, timeoutMs = ICE_GATHER_TIMEOUT_MS) {
+	if (pc.iceGatheringState === "complete") return;
+	if (pc.connectionState === "failed" || pc.connectionState === "closed") throw new Error(`Peer connection ${pc.connectionState}`);
+	await new Promise((resolve, reject) => {
+		const cleanup = () => {
+			clearTimeout(timeout);
+			pc.removeEventListener("icegatheringstatechange", onStateChange);
+			pc.removeEventListener("icecandidate", onCandidate);
+			pc.removeEventListener("connectionstatechange", onConnectionStateChange);
+		};
+		const timeout = setTimeout(() => {
+			cleanup();
+			resolve();
+		}, timeoutMs);
+		const onStateChange = () => {
+			if (pc.iceGatheringState === "complete") {
+				cleanup();
+				resolve();
+			}
+		};
+		const onCandidate = (event) => {
+			if (!("candidate" in event) || !event.candidate) {
+				cleanup();
+				resolve();
+			}
+		};
+		const onConnectionStateChange = () => {
+			if (pc.connectionState === "failed" || pc.connectionState === "closed") {
+				cleanup();
+				reject(/* @__PURE__ */ new Error(`Peer connection ${pc.connectionState}`));
+			}
+		};
+		pc.addEventListener("icegatheringstatechange", onStateChange);
+		pc.addEventListener("icecandidate", onCandidate);
+		pc.addEventListener("connectionstatechange", onConnectionStateChange);
+	});
+}
+async function waitForPeerConnectionConnected(pc, timeoutMs = CONNECTION_TIMEOUT_MS) {
+	if (pc.connectionState === "connected") return;
+	if (pc.connectionState === "failed" || pc.connectionState === "disconnected" || pc.connectionState === "closed") throw new Error(`Connection failed: ${pc.connectionState}`);
+	await new Promise((resolve, reject) => {
+		const cleanup = () => {
+			clearTimeout(timeout);
+			pc.removeEventListener("connectionstatechange", onStateChange);
+		};
+		const timeout = setTimeout(() => {
+			cleanup();
+			reject(/* @__PURE__ */ new Error(`WebRTC connection timed out after ${timeoutMs}ms`));
+		}, timeoutMs);
+		const onStateChange = () => {
+			if (pc.connectionState === "connected") {
+				cleanup();
+				resolve();
+			} else if (pc.connectionState === "failed" || pc.connectionState === "disconnected" || pc.connectionState === "closed") {
+				cleanup();
+				reject(/* @__PURE__ */ new Error(`Connection failed: ${pc.connectionState}`));
+			}
+		};
+		pc.addEventListener("connectionstatechange", onStateChange);
+	});
+}
+//#endregion
+//#region ../core/socket.ts
+function socketChannelLabel(hostname, port) {
+	return `${SOCKET_PREFIX}${formatSocketDestination(hostname, port)}`;
+}
+function formatSocketDestination(hostname, port) {
+	return `${hostname.includes(":") && !hostname.startsWith("[") ? `[${hostname}]` : hostname}:${port}`;
+}
+//#endregion
+//#region lib/socket-channel.ts
+/**
+* Shared utilities for opening Pulsar socket tunnel data channels.
+*
+* These work with any RTCPeerConnection, regardless of how it was
+* established (direct, nostr, etc.).
+*/
+/**
+* Wait for an RTCDataChannel to enter the "open" state.
+*
+* Also monitors the RTCPeerConnection for failure/closure, and
+* accepts an optional AbortSignal for cancellation.
+*
+* Rejects if the channel closes, the peer connection fails, or
+* the timeout elapses before the channel opens.
+*/
+function waitForDataChannelOpen(channel, pc, timeoutMs = 1e4, signal) {
+	return new Promise((resolve, reject) => {
+		if (signal?.aborted) {
+			reject(new DOMException("The operation was aborted.", "AbortError"));
+			return;
+		}
+		if (channel.readyState === "open") {
+			resolve();
+			return;
+		}
+		const timeout = setTimeout(() => {
+			cleanup();
+			reject(/* @__PURE__ */ new Error(`DataChannel open timed out after ${timeoutMs}ms`));
+		}, timeoutMs);
+		const cleanup = () => {
+			clearTimeout(timeout);
+			channel.removeEventListener("open", onOpen);
+			channel.removeEventListener("close", onClose);
+			channel.removeEventListener("error", onError);
+			pc.removeEventListener("connectionstatechange", onStateChange);
+			signal?.removeEventListener("abort", onAbort);
+		};
+		const onOpen = () => {
+			cleanup();
+			resolve();
+		};
+		const onClose = () => {
+			cleanup();
+			reject(/* @__PURE__ */ new Error("DataChannel closed before opening"));
+		};
+		const onError = () => {
+			cleanup();
+			reject(/* @__PURE__ */ new Error("DataChannel error before opening"));
+		};
+		const onStateChange = () => {
+			if (pc.connectionState === "failed" || pc.connectionState === "closed") {
+				cleanup();
+				reject(/* @__PURE__ */ new Error(`Peer connection ${pc.connectionState}`));
+			}
+		};
+		const onAbort = () => {
+			cleanup();
+			reject(new DOMException("The operation was aborted.", "AbortError"));
+		};
+		channel.addEventListener("open", onOpen, { once: true });
+		channel.addEventListener("close", onClose, { once: true });
+		channel.addEventListener("error", onError, { once: true });
+		pc.addEventListener("connectionstatechange", onStateChange);
+		signal?.addEventListener("abort", onAbort, { once: true });
+	});
+}
+/**
+* Create a data channel on the given `pc` with the Pulsar socket label
+* convention (`socket/<hostname>:<port>`) and wait for it to open.
+*
+* This is the low-level primitive used by `connect()` and
+* `libcurlTransport()`.
+*/
+function openSocketChannel(pc, hostname, port, timeoutMs, signal) {
+	const label = socketChannelLabel(hostname, port);
+	const channel = pc.createDataChannel(label, { ordered: true });
+	return waitForDataChannelOpen(channel, pc, timeoutMs, signal).then(() => channel);
+}
 //#endregion
 //#region lib/connection/direct.ts
 /**
@@ -48,20 +200,8 @@ async function connectDirect(host, port) {
 		sdpMid: "0",
 		sdpMLineIndex: 0
 	});
-	await new Promise((resolve, reject) => {
-		const timeout = setTimeout(() => {
-			reject(/* @__PURE__ */ new Error("Connection timed out after 30s"));
-		}, 3e4);
-		pc.onconnectionstatechange = () => {
-			if (pc.connectionState === "connected") {
-				clearTimeout(timeout);
-				resolve();
-			} else if (pc.connectionState === "failed" || pc.connectionState === "disconnected") {
-				clearTimeout(timeout);
-				reject(/* @__PURE__ */ new Error(`Connection failed: ${pc.connectionState}`));
-			}
-		};
-	});
+	await waitForPeerConnectionConnected(pc);
+	await waitForDataChannelOpen(keepalive, pc);
 	return {
 		keepalive,
 		pc,
@@ -74,115 +214,189 @@ async function connectDirect(host, port) {
 //#endregion
 //#region ../core/nostr.ts
 const NOSTR_RELAYS = ["wss://nostr.data.haus", "wss://kotukonostr.onrender.com"];
-/** Ephemeral event kind used for encrypted WebRTC signaling. */
-const SIGNALING_KIND = 28e3;
-/** Parameterized replaceable event kind used for server discovery. */
-const DISCOVERY_KIND = 38e3;
-/** The `d` tag identifier for the Pulsar tunnel discovery event. */
+const SIGNALING_KIND = 24393;
+const DISCOVERY_KIND = 34393;
 const D_TAG_ID = "pulsar-tunnel";
-//#endregion
-//#region lib/connection/nostr.ts
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+function nowSeconds() {
+	return Math.floor(Date.now() / 1e3);
+}
+function bytesToHex(bytes) {
+	return Array.from(bytes).map((byte) => byte.toString(16).padStart(2, "0")).join("");
+}
 function hexToBytes(hex) {
+	if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) throw new Error("Invalid hex string");
 	const bytes = new Uint8Array(hex.length / 2);
-	for (let i = 0; i < hex.length; i += 2) bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+	for (let i = 0; i < hex.length; i += 2) bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
 	return bytes;
 }
-function bytesToHex(bytes) {
-	return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function generateKeypair() {
+function generateNostrKeypair() {
 	const seckey = secp256k1.utils.randomPrivateKey();
-	const pubkey = secp256k1.getPublicKey(seckey, true).slice(1);
 	return {
 		seckey: bytesToHex(seckey),
-		pubkey: bytesToHex(pubkey)
+		pubkey: bytesToHex(schnorr.getPublicKey(seckey))
 	};
 }
-/**
-* Derive a shared ECDH secret between a private key and a peer's
-* 32-byte x-only public key (Nostr format).
-*
-* Schnorr public keys always have even y, so we reconstruct the
-* full point via ProjectivePoint and do scalar multiplication.
-*/
-function getSharedXOnly(seckey, pubkeyXOnly) {
-	const compressed = new Uint8Array(33);
-	compressed[0] = 2;
-	compressed.set(pubkeyXOnly, 1);
-	const pubPoint = secp256k1.ProjectivePoint.fromHex(compressed);
-	const scalar = bytesToBigInt(seckey);
-	const shared = pubPoint.multiply(scalar);
-	return new Uint8Array(shared.toRawBytes(false).slice(1, 33));
+function hasTag(event, name, value) {
+	return event.tags.some((tag) => tag[0] === name && tag[1] === value);
 }
-function bytesToBigInt(bytes) {
-	let hex = "";
-	for (const b of bytes) hex += b.toString(16).padStart(2, "0");
-	return BigInt("0x" + hex);
+function isAddressedTo(event, pubkey) {
+	return hasTag(event, "p", pubkey);
 }
-async function getConversationKey(seckeyBytes, pubkeyBytes) {
-	const sharedSecret = getSharedXOnly(seckeyBytes, pubkeyBytes);
-	const hkdfKey = await crypto.subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveBits", "deriveKey"]);
-	return crypto.subtle.deriveKey({
-		name: "HKDF",
-		hash: "SHA-256",
-		salt: new Uint8Array(0),
-		info: new TextEncoder().encode("nip44-v2")
-	}, hkdfKey, {
-		name: "AES-GCM",
-		length: 256
-	}, false, ["encrypt", "decrypt"]);
+function serializeEvent(event) {
+	return JSON.stringify([
+		0,
+		event.pubkey,
+		event.created_at,
+		event.kind,
+		event.tags,
+		event.content
+	]);
+}
+async function computeEventId(event) {
+	const hash = await crypto.subtle.digest("SHA-256", textEncoder.encode(serializeEvent(event)));
+	return bytesToHex(new Uint8Array(hash));
+}
+async function signNostrEvent(event, seckeyHex) {
+	const id = await computeEventId(event);
+	const sig = schnorr.sign(hexToBytes(id), hexToBytes(seckeyHex));
+	return {
+		...event,
+		id,
+		sig: bytesToHex(sig)
+	};
+}
+async function verifyNostrEvent(event) {
+	try {
+		if (event.id !== await computeEventId(event)) return false;
+		return schnorr.verify(hexToBytes(event.sig), hexToBytes(event.id), hexToBytes(event.pubkey));
+	} catch {
+		return false;
+	}
+}
+function makeSignalEvent(pubkey, peerPubkey, content) {
+	return {
+		pubkey,
+		created_at: nowSeconds(),
+		kind: SIGNALING_KIND,
+		tags: [["p", peerPubkey]],
+		content
+	};
+}
+function makeSignalingFilter(pubkey) {
+	return {
+		kinds: [SIGNALING_KIND],
+		"#p": [pubkey],
+		since: nowSeconds() - 5
+	};
+}
+function makeDiscoveryFilter() {
+	return {
+		kinds: [DISCOVERY_KIND],
+		"#d": [D_TAG_ID],
+		limit: 20
+	};
+}
+function sendNostrEvent(ws, event) {
+	const msg = ["EVENT", event];
+	ws.send(JSON.stringify(msg));
+}
+function sendNostrReq(ws, subId, filter) {
+	const msg = [
+		"REQ",
+		subId,
+		filter
+	];
+	ws.send(JSON.stringify(msg));
 }
-async function nip44Encrypt(plaintext, seckeyHex, pubkeyHex) {
-	const convKey = await getConversationKey(hexToBytes(seckeyHex), hexToBytes(pubkeyHex));
+function closeNostrReq(ws, subId) {
+	const msg = ["CLOSE", subId];
+	try {
+		ws.send(JSON.stringify(msg));
+	} catch {}
+}
+function parseNostrMessage(data) {
+	if (typeof data !== "string") return null;
+	try {
+		const msg = JSON.parse(data);
+		if (!Array.isArray(msg) || typeof msg[0] !== "string") return null;
+		return msg;
+	} catch {
+		return null;
+	}
+}
+async function encryptSignal(plaintext, seckeyHex, pubkeyHex) {
+	const key = await getSignalKey(hexToBytes(seckeyHex), hexToBytes(pubkeyHex));
 	const nonce = crypto.getRandomValues(new Uint8Array(12));
-	const encoded = new TextEncoder().encode(plaintext);
 	const encrypted = await crypto.subtle.encrypt({
 		name: "AES-GCM",
 		iv: nonce,
 		tagLength: 128
-	}, convKey, encoded);
-	const result = new Uint8Array(13 + encrypted.byteLength);
-	result[0] = 2;
-	result.set(nonce, 1);
-	result.set(new Uint8Array(encrypted), 13);
-	return btoa(String.fromCharCode(...result));
-}
-async function nip44Decrypt(ciphertextB64, seckeyHex, pubkeyHex) {
-	const convKey = await getConversationKey(hexToBytes(seckeyHex), hexToBytes(pubkeyHex));
-	const raw = Uint8Array.from(atob(ciphertextB64), (c) => c.charCodeAt(0));
+	}, key, toArrayBuffer(textEncoder.encode(plaintext)));
+	const bytes = new Uint8Array(1 + nonce.byteLength + encrypted.byteLength);
+	bytes[0] = 1;
+	bytes.set(nonce, 1);
+	bytes.set(new Uint8Array(encrypted), 1 + nonce.byteLength);
+	return bytesToBase64(bytes);
+}
+async function decryptSignal(ciphertextB64, seckeyHex, pubkeyHex) {
+	const raw = base64ToBytes(ciphertextB64);
 	if (raw.length < 13) throw new Error("Ciphertext too short");
+	if (raw[0] !== 1) throw new Error(`Unsupported signal encryption version ${raw[0]}`);
+	const key = await getSignalKey(hexToBytes(seckeyHex), hexToBytes(pubkeyHex));
 	const nonce = raw.slice(1, 13);
 	const ciphertext = raw.slice(13);
 	const decrypted = await crypto.subtle.decrypt({
 		name: "AES-GCM",
 		iv: nonce,
 		tagLength: 128
-	}, convKey, ciphertext);
-	return new TextDecoder().decode(decrypted);
+	}, key, toArrayBuffer(ciphertext));
+	return textDecoder.decode(decrypted);
 }
-function serializeEvent(ev) {
-	return JSON.stringify([
-		0,
-		ev.pubkey,
-		ev.created_at,
-		ev.kind,
-		ev.tags,
-		ev.content
-	]);
+function getSharedXOnly(seckey, pubkeyXOnly) {
+	const compressed = new Uint8Array(33);
+	compressed[0] = 2;
+	compressed.set(pubkeyXOnly, 1);
+	const sharedPoint = secp256k1.ProjectivePoint.fromHex(compressed).multiply(bytesToBigInt(seckey));
+	return new Uint8Array(sharedPoint.toRawBytes(false).slice(1, 33));
 }
-async function computeEventId(ev) {
-	const hash = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(serializeEvent(ev)));
-	return bytesToHex(new Uint8Array(hash));
+async function getSignalKey(seckeyBytes, pubkeyBytes) {
+	const hkdfKey = await crypto.subtle.importKey("raw", toArrayBuffer(getSharedXOnly(seckeyBytes, pubkeyBytes)), "HKDF", false, ["deriveKey"]);
+	return crypto.subtle.deriveKey({
+		name: "HKDF",
+		hash: "SHA-256",
+		salt: /* @__PURE__ */ new ArrayBuffer(0),
+		info: toArrayBuffer(textEncoder.encode("pulsar-nostr-signal-v1"))
+	}, hkdfKey, {
+		name: "AES-GCM",
+		length: 256
+	}, false, ["encrypt", "decrypt"]);
 }
-async function signEvent(ev, seckey) {
-	const id = await computeEventId(ev);
-	const sig = schnorr.sign(hexToBytes(id), seckey);
-	return {
-		...ev,
-		id,
-		sig: bytesToHex(sig)
-	};
+function bytesToBigInt(bytes) {
+	let hex = "";
+	for (const byte of bytes) hex += byte.toString(16).padStart(2, "0");
+	return BigInt(`0x${hex}`);
+}
+function toArrayBuffer(bytes) {
+	const buffer = new ArrayBuffer(bytes.byteLength);
+	new Uint8Array(buffer).set(bytes);
+	return buffer;
+}
+function bytesToBase64(bytes) {
+	let binary = "";
+	const chunkSize = 32768;
+	for (let i = 0; i < bytes.length; i += chunkSize) binary += String.fromCharCode(...bytes.subarray(i, i + chunkSize));
+	return btoa(binary);
 }
+function base64ToBytes(base64) {
+	const binary = atob(base64);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+//#endregion
+//#region lib/connection/nostr.ts
 function connectRelay(url, timeoutMs = 1e4) {
 	return new Promise((resolve, reject) => {
 		const ws = new WebSocket(url);
@@ -200,69 +414,101 @@ function connectRelay(url, timeoutMs = 1e4) {
 		});
 	});
 }
-/**
-* Try each relay in order until one connects successfully.
-*/
-async function connectToAnyRelay() {
+async function connectToServerRelay(pubkeyPrefix) {
 	const errors = [];
-	for (const relayUrl of NOSTR_RELAYS) try {
-		const ws = await connectRelay(relayUrl);
-		console.log(`[nostr] Connected to ${relayUrl}`);
-		return ws;
-	} catch (err) {
-		const msg = err instanceof Error ? err.message : String(err);
-		errors.push(msg);
-		console.warn(`[nostr] ${relayUrl}: ${msg}`);
+	for (const relayUrl of NOSTR_RELAYS) {
+		let ws;
+		try {
+			ws = await connectRelay(relayUrl);
+			console.log(`[nostr] Connected to ${relayUrl}`);
+			const serverPubkey = await findServer(ws, pubkeyPrefix);
+			return {
+				ws,
+				serverPubkey
+			};
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			errors.push(`${relayUrl}: ${message}`);
+			console.warn(`[nostr] ${relayUrl}: ${message}`);
+			try {
+				ws?.close();
+			} catch {}
+		}
 	}
-	throw new Error(`Failed to connect to any Nostr relay: ${errors.join("; ")}`);
+	throw new Error(`Failed to find a Pulsar server: ${errors.join("; ")}`);
 }
-/**
-* Wait for a single event matching a filter, with timeout.
-*/
-function waitForEvent(ws, subId, filter, timeoutMs = 15e3) {
+function makeSubId(prefix) {
+	return `${prefix}-${typeof crypto.randomUUID === "function" ? crypto.randomUUID() : Math.random().toString(16).slice(2)}`;
+}
+async function findServer(ws, pubkeyPrefix, timeoutMs = 15e3) {
+	const subId = makeSubId("pulsar-discover");
 	return new Promise((resolve, reject) => {
+		let done = false;
+		const finish = (fn) => {
+			if (done) return;
+			done = true;
+			clearTimeout(timeout);
+			ws.removeEventListener("message", onMessage);
+			closeNostrReq(ws, subId);
+			fn();
+		};
 		const timeout = setTimeout(() => {
-			ws.send(JSON.stringify(["CLOSE", subId]));
-			reject(/* @__PURE__ */ new Error("Timed out waiting for Nostr event"));
+			finish(() => {
+				reject(/* @__PURE__ */ new Error(pubkeyPrefix ? `No Pulsar server with tunnel code "pulsar${pubkeyPrefix}" found` : "No Pulsar server found on Nostr relay"));
+			});
 		}, timeoutMs);
-		ws.send(JSON.stringify([
-			"REQ",
-			subId,
-			filter
-		]));
 		const onMessage = (event) => {
-			let msg;
-			try {
-				msg = JSON.parse(event.data);
-			} catch {
-				return;
-			}
-			if (msg[0] === "EVENT" && msg[1] === subId) {
-				clearTimeout(timeout);
-				ws.removeEventListener("message", onMessage);
-				ws.send(JSON.stringify(["CLOSE", subId]));
-				resolve(msg[2]);
-			}
+			const msg = parseNostrMessage(event.data);
+			if (!msg || msg[0] !== "EVENT" || msg[1] !== subId) return;
+			(async () => {
+				const relayEvent = msg[2];
+				if (!await verifyNostrEvent(relayEvent)) return;
+				if (pubkeyPrefix && !relayEvent.pubkey.startsWith(pubkeyPrefix)) return;
+				finish(() => resolve(relayEvent.pubkey));
+			})().catch(() => {});
 		};
 		ws.addEventListener("message", onMessage);
+		sendNostrReq(ws, subId, makeDiscoveryFilter());
+	});
+}
+function waitForSignalEvent(ws, recipientPubkey, expectedSenderPubkey, timeoutMs = 3e4) {
+	const subId = makeSubId("pulsar-answer");
+	return new Promise((resolve, reject) => {
+		let done = false;
+		const finish = (fn) => {
+			if (done) return;
+			done = true;
+			clearTimeout(timeout);
+			ws.removeEventListener("message", onMessage);
+			closeNostrReq(ws, subId);
+			fn();
+		};
+		const timeout = setTimeout(() => {
+			finish(() => reject(/* @__PURE__ */ new Error("Timed out waiting for Nostr answer")));
+		}, timeoutMs);
+		const onMessage = (event) => {
+			const msg = parseNostrMessage(event.data);
+			if (!msg || msg[0] !== "EVENT" || msg[1] !== subId) return;
+			(async () => {
+				const relayEvent = msg[2];
+				if (relayEvent.pubkey !== expectedSenderPubkey) return;
+				if (!isAddressedTo(relayEvent, recipientPubkey)) return;
+				if (!await verifyNostrEvent(relayEvent)) return;
+				finish(() => resolve(relayEvent));
+			})().catch(() => {});
+		};
+		ws.addEventListener("message", onMessage);
+		sendNostrReq(ws, subId, makeSignalingFilter(recipientPubkey));
 	});
 }
-const defaultIceServers = [{ urls: "stun:stun.l.google.com:19302" }, { urls: "stun:global.stun.twilio.com:3478" }];
-/**
-* Represents a Pulsar tunnel connection established via Nostr signaling.
-*/
 var NostrClientConnection = class {
 	keepalive;
 	pc;
-	_ws;
-	_seckey;
-	_serverPubkey;
-	constructor(keepalive, pc, _ws, _seckey, _serverPubkey) {
+	ws;
+	constructor(keepalive, pc, ws) {
 		this.keepalive = keepalive;
 		this.pc = pc;
-		this._ws = _ws;
-		this._seckey = _seckey;
-		this._serverPubkey = _serverPubkey;
+		this.ws = ws;
 	}
 	async close() {
 		try {
@@ -272,229 +518,58 @@ var NostrClientConnection = class {
 			this.pc.close();
 		} catch {}
 		try {
-			this._ws.close();
+			this.ws.close();
 		} catch {}
 	}
 };
-/**
-* Find a Pulsar server via discovery events.
-*
-* If `pubkeyPrefix` is given (4 hex chars), returns the first server
-* whose pubkey starts with that prefix. Otherwise returns any server.
-*/
-async function findServer(ws, pubkeyPrefix, timeoutMs = 15e3) {
-	return new Promise((resolve, reject) => {
-		const timeout = setTimeout(() => {
-			ws.send(JSON.stringify(["CLOSE", "pulsar-discover"]));
-			reject(/* @__PURE__ */ new Error(pubkeyPrefix ? `No Pulsar server with tunnel code "pulsar${pubkeyPrefix}" found` : "No Pulsar server found on Nostr relay"));
-		}, timeoutMs);
-		const subId = "pulsar-discover";
-		ws.send(JSON.stringify([
-			"REQ",
-			subId,
-			{
-				kinds: [DISCOVERY_KIND],
-				"#d": [D_TAG_ID],
-				limit: 0
-			}
-		]));
-		const onMessage = (event) => {
-			let msg;
-			try {
-				msg = JSON.parse(event.data);
-			} catch {
-				return;
-			}
-			if (msg[0] === "EVENT" && msg[1] === subId) {
-				const ev = msg[2];
-				if (pubkeyPrefix) {
-					if (ev.pubkey.startsWith(pubkeyPrefix)) {
-						clearTimeout(timeout);
-						ws.removeEventListener("message", onMessage);
-						ws.send(JSON.stringify(["CLOSE", subId]));
-						resolve(ev.pubkey);
-					}
-				} else {
-					clearTimeout(timeout);
-					ws.removeEventListener("message", onMessage);
-					ws.send(JSON.stringify(["CLOSE", subId]));
-					resolve(ev.pubkey);
-				}
-			}
-		};
-		ws.addEventListener("message", onMessage);
-	});
-}
-/**
-* Establish a Pulsar tunnel via Nostr relay signaling.
-*
-* 1. Connects to a Nostr relay (tries nostr.data.haus first,
-*    then kotukonostr.onrender.com)
-* 2. Looks up the tunnel's discovery event (Kind 38000, d="pulsar-tunnel").
-*    If `tunnelCode` is given (e.g. "a3f2"), filters to the tunnel
-*    whose pubkey begins with those 4 hex characters.
-* 3. Generates an ephemeral client keypair
-* 4. Creates a WebRTC offer
-* 5. Encrypts the offer and sends via a Kind 28000 ephemeral event
-* 6. Waits for the encrypted answer
-* 7. Sets the answer as remote description
-* 8. Returns the connected PulsarClientConnection
-*/
 async function connectNostr(tunnelCode) {
-	const ws = await connectToAnyRelay();
 	const pubkeyPrefix = tunnelCode ? tunnelCode.replace(/^pulsar/, "").slice(0, 4) : void 0;
 	console.log("[nostr] Looking up Pulsar tunnel" + (pubkeyPrefix ? ` (code ${tunnelCode})` : "") + "...");
-	const serverPubkey = await findServer(ws, pubkeyPrefix);
-	console.log(`[nostr] Found server: ${serverPubkey.slice(0, 16)}...`);
-	const clientKeys = generateKeypair();
-	console.log(`[nostr] Client pubkey: ${clientKeys.pubkey.slice(0, 16)}...`);
-	const pc = new RTCPeerConnection({ iceServers: defaultIceServers });
-	const keepalive = pc.createDataChannel(KEEPALIVE_LABEL, { ordered: true });
-	keepalive.binaryType = "arraybuffer";
-	const offer = await pc.createOffer();
-	await pc.setLocalDescription(offer);
-	await new Promise((resolve) => {
-		const timeout = setTimeout(() => resolve(), 2e3);
-		const onStateChange = () => {
-			if (pc.iceGatheringState === "complete") {
-				clearTimeout(timeout);
-				resolve();
-			}
+	const { ws, serverPubkey } = await connectToServerRelay(pubkeyPrefix);
+	let pc;
+	try {
+		console.log(`[nostr] Found server: ${serverPubkey.slice(0, 16)}...`);
+		const clientKeys = generateNostrKeypair();
+		console.log(`[nostr] Client pubkey: ${clientKeys.pubkey.slice(0, 16)}...`);
+		pc = new RTCPeerConnection({ iceServers: [...DEFAULT_ICE_SERVERS] });
+		const keepalive = pc.createDataChannel(KEEPALIVE_LABEL, { ordered: true });
+		keepalive.binaryType = "arraybuffer";
+		const keepaliveReady = waitForDataChannelOpen(keepalive, pc);
+		const offer = await pc.createOffer();
+		await pc.setLocalDescription(offer);
+		await waitForIceGathering(pc);
+		const localDesc = pc.localDescription;
+		if (!localDesc) throw new Error("Failed to create local offer");
+		const offerPayload = {
+			type: "offer",
+			sdp: localDesc.sdp
 		};
-		const onCandidate = (event) => {
-			if (!event.candidate) {
-				clearTimeout(timeout);
-				resolve();
-			}
-		};
-		pc.addEventListener("icegatheringstatechange", onStateChange);
-		pc.addEventListener("icecandidate", onCandidate);
-	});
-	const localDesc = pc.localDescription;
-	if (!localDesc) throw new Error("Failed to create local offer");
-	const offerPayload = {
-		type: "offer",
-		sdp: localDesc.sdp
-	};
-	const encryptedOffer = await nip44Encrypt(JSON.stringify(offerPayload), clientKeys.seckey, serverPubkey);
-	const offerEvent = await signEvent({
-		pubkey: clientKeys.pubkey,
-		created_at: Math.floor(Date.now() / 1e3),
-		kind: SIGNALING_KIND,
-		tags: [["p", serverPubkey]],
-		content: encryptedOffer
-	}, hexToBytes(clientKeys.seckey));
-	const answerPromise = waitForEvent(ws, "pulsar-answer", {
-		kinds: [SIGNALING_KIND],
-		"#p": [clientKeys.pubkey],
-		limit: 1
-	}, 3e4);
-	ws.send(JSON.stringify(["EVENT", offerEvent]));
-	console.log("[nostr] Sent encrypted offer, waiting for answer...");
-	const answerPlaintext = await nip44Decrypt((await answerPromise).content, clientKeys.seckey, serverPubkey);
-	const answerPayload = JSON.parse(answerPlaintext);
-	if (answerPayload.type !== "answer" || !answerPayload.sdp) throw new Error("Invalid answer from server");
-	console.log("[nostr] Received answer, connecting WebRTC...");
-	await pc.setRemoteDescription({
-		type: "answer",
-		sdp: answerPayload.sdp
-	});
-	await new Promise((resolve, reject) => {
-		const timeout = setTimeout(() => {
-			reject(/* @__PURE__ */ new Error("WebRTC connection timed out after 30s"));
-		}, 3e4);
-		pc.addEventListener("connectionstatechange", () => {
-			if (pc.connectionState === "connected") {
-				clearTimeout(timeout);
-				resolve();
-			} else if (pc.connectionState === "failed" || pc.connectionState === "disconnected") {
-				clearTimeout(timeout);
-				reject(/* @__PURE__ */ new Error(`Connection failed: ${pc.connectionState}`));
-			}
+		const encryptedOffer = await encryptSignal(JSON.stringify(offerPayload), clientKeys.seckey, serverPubkey);
+		const offerEvent = await signNostrEvent(makeSignalEvent(clientKeys.pubkey, serverPubkey, encryptedOffer), clientKeys.seckey);
+		const answerPromise = waitForSignalEvent(ws, clientKeys.pubkey, serverPubkey);
+		sendNostrEvent(ws, offerEvent);
+		console.log("[nostr] Sent encrypted offer, waiting for answer...");
+		const answerPlaintext = await decryptSignal((await answerPromise).content, clientKeys.seckey, serverPubkey);
+		const answerPayload = JSON.parse(answerPlaintext);
+		if (answerPayload.type !== "answer" || !answerPayload.sdp) throw new Error("Invalid answer from server");
+		console.log("[nostr] Received answer, connecting WebRTC...");
+		await pc.setRemoteDescription({
+			type: "answer",
+			sdp: answerPayload.sdp
 		});
-	});
-	console.log("[nostr] WebRTC connected!");
-	return new NostrClientConnection(keepalive, pc, ws, clientKeys.seckey, serverPubkey);
-}
-//#endregion
-//#region lib/socket-channel.ts
-/**
-* Shared utilities for opening Pulsar socket tunnel data channels.
-*
-* These work with any RTCPeerConnection, regardless of how it was
-* established (direct, nostr, etc.).
-*/
-/**
-* Wait for an RTCDataChannel to enter the "open" state.
-*
-* Also monitors the RTCPeerConnection for failure/closure, and
-* accepts an optional AbortSignal for cancellation.
-*
-* Rejects if the channel closes, the peer connection fails, or
-* the timeout elapses before the channel opens.
-*/
-function waitForDataChannelOpen(channel, pc, timeoutMs = 1e4, signal) {
-	return new Promise((resolve, reject) => {
-		if (signal?.aborted) {
-			reject(new DOMException("The operation was aborted.", "AbortError"));
-			return;
-		}
-		if (channel.readyState === "open") {
-			resolve();
-			return;
-		}
-		const timeout = setTimeout(() => {
-			cleanup();
-			reject(/* @__PURE__ */ new Error(`DataChannel open timed out after ${timeoutMs}ms`));
-		}, timeoutMs);
-		const cleanup = () => {
-			clearTimeout(timeout);
-			channel.removeEventListener("open", onOpen);
-			channel.removeEventListener("close", onClose);
-			channel.removeEventListener("error", onError);
-			pc.removeEventListener("connectionstatechange", onStateChange);
-			signal?.removeEventListener("abort", onAbort);
-		};
-		const onOpen = () => {
-			cleanup();
-			resolve();
-		};
-		const onClose = () => {
-			cleanup();
-			reject(/* @__PURE__ */ new Error("DataChannel closed before opening"));
-		};
-		const onError = () => {
-			cleanup();
-			reject(/* @__PURE__ */ new Error("DataChannel error before opening"));
-		};
-		const onStateChange = () => {
-			if (pc.connectionState === "failed" || pc.connectionState === "closed") {
-				cleanup();
-				reject(/* @__PURE__ */ new Error(`Peer connection ${pc.connectionState}`));
-			}
-		};
-		const onAbort = () => {
-			cleanup();
-			reject(new DOMException("The operation was aborted.", "AbortError"));
-		};
-		channel.addEventListener("open", onOpen, { once: true });
-		channel.addEventListener("close", onClose, { once: true });
-		channel.addEventListener("error", onError, { once: true });
-		pc.addEventListener("connectionstatechange", onStateChange);
-		signal?.addEventListener("abort", onAbort, { once: true });
-	});
-}
-/**
-* Create a data channel on the given `pc` with the Pulsar socket label
-* convention (`socket/<hostname>:<port>`) and wait for it to open.
-*
-* This is the low-level primitive used by `connect()` and
-* `libcurlTransport()`.
-*/
-function openSocketChannel(pc, hostname, port, timeoutMs, signal) {
-	const label = `${SOCKET_PREFIX}${hostname}:${port}`;
-	const channel = pc.createDataChannel(label, { ordered: true });
-	return waitForDataChannelOpen(channel, pc, timeoutMs, signal).then(() => channel);
+		await waitForPeerConnectionConnected(pc);
+		await keepaliveReady;
+		console.log("[nostr] WebRTC connected");
+		return new NostrClientConnection(keepalive, pc, ws);
+	} catch (err) {
+		try {
+			pc?.close();
+		} catch {}
+		try {
+			ws.close();
+		} catch {}
+		throw err;
+	}
 }
 //#endregion
 //#region lib/tunnel.ts

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@abndnce/pulsar-client",
   "type": "module",
-  "version": "0.0.10",
+  "version": "0.0.12",
   "homepage": "https://github.com/abndnce/pulsar",
   "license": "MIT",
   "exports": {
@@ -11,17 +11,16 @@
   "files": [
     "dist"
   ],
+  "scripts": {
+    "build": "tsdown",
+    "dev": "tsdown --watch",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "pnpm run build"
+  },
   "dependencies": {
     "@noble/curves": "^1.8.1"
   },
   "devDependencies": {
-    "tsdown": "^0.22.0",
-    "typescript": "^6.0.3"
-  },
-  "scripts": {
-    "build": "tsdown",
-    "dev": "tsdown --watch",
-    "test": "vitest",
-    "typecheck": "tsc --noEmit"
+    "tsdown": "^0.22.0"
   }
-}
+}

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2026
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.