@abndnce/pulsar-client 0.0.9 → 0.0.11

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/index.d.mts

@@ -22,13 +22,7 @@ interface PulsarClientConnection {
 declare function connectDirect(host: string, port: number): Promise<PulsarClientConnection>;
 //#endregion
 //#region lib/connection/nostr.d.ts
-/**
- * Connect via a Nostr relay (placeholder).
- *
- * In the future, this will implement a Nostr-based signaling layer for
- * establishing peer connections through a Nostr relay.
- */
-declare function connectNostr(_relay: string, _pubkey: string): Promise<PulsarClientConnection>;
+declare function connectNostr(tunnelCode?: string): Promise<PulsarClientConnection>;
 //#endregion
 //#region lib/socket-channel.d.ts
 /**
@@ -105,14 +99,13 @@ declare class DataChannelSocket extends EventTarget {
  * import { connectDirect, libcurlTransport } from '@abndnce/pulsar-client';
  * import { libcurl } from 'libcurl.js';
  *
- * const tunnel = await connectDirect('216.250.119.217', 42069);
+ * const tunnel = await connectDirect('1.2.3.4', 1234);
  * libcurl.transport = libcurlTransport(tunnel.pc);
  * libcurl.set_websocket('wss://pulsar-tunnel.local/');
  * ```
  *
  * libcurl.js calls the factory with URLs like:
  *   `wss://pulsar-tunnel.local/example.com:80`
- *   `wss://pulsar-tunnel.local/216.250.119.217:443`
  *
  * The factory parses `<hostname>:<port>` from the URL path, opens a
  * Pulsar socket data channel, and returns a WebSocket-like adapter.

package/dist/index.mjs

@@ -1,85 +1,83 @@
+import { schnorr, secp256k1 } from "@noble/curves/secp256k1";
 //#region ../core/constants.ts
+const SOCKET_PREFIX = "socket/";
+const KEEPALIVE_LABEL = "keepalive";
 const PULSAR_UFRAG = "pulsar";
 const PULSAR_PWD = "pulsarpulsarpulsarpuls";
 const PULSAR_FINGERPRINT = "F1:85:10:8F:36:FF:58:D8:D0:4B:52:D7:ED:DC:5C:28:AE:7D:DB:54:0E:2A:DD:C7:C3:94:EA:A1:27:D0:4E:78";
-/** Label prefix for socket tunnel data channels. */
-const SOCKET_PREFIX = "socket/";
-/** Label for the mandatory keepalive data channel. */
-const KEEPALIVE_LABEL = "keepalive";
 //#endregion
-//#region lib/connection/direct.ts
-/**
-* Connect to a remote Pulsar server in direct mode.
-*
-* Designed for browsers, using the native `RTCPeerConnection` API.
-*
-* @param host  Server IP address
-* @param port  Server UDP port
-* @returns A connected PulsarClientConnection with an open keepalive channel
-*          and a `connect()` helper for opening socket tunnels.
-*/
-async function connectDirect(host, port) {
-	const pc = new RTCPeerConnection();
-	const keepalive = pc.createDataChannel(KEEPALIVE_LABEL, { ordered: true });
-	const offer = await pc.createOffer();
-	await pc.setLocalDescription(offer);
-	const remoteSdp = [
-		"v=0",
-		"o=- 111 222 IN IP4 0.0.0.0",
-		"s=-",
-		"t=0 0",
-		`m=application ${port} UDP/DTLS/SCTP webrtc-datachannel`,
-		`c=IN IP4 ${host}`,
-		`a=ice-ufrag:${PULSAR_UFRAG}`,
-		`a=ice-pwd:${PULSAR_PWD}`,
-		`a=fingerprint:sha-256 ${PULSAR_FINGERPRINT}`,
-		"a=setup:active",
-		"a=mid:0",
-		"a=sctp-port:5000",
-		""
-	].join("\r\n");
-	await pc.setRemoteDescription({
-		type: "answer",
-		sdp: remoteSdp
-	});
-	await pc.addIceCandidate({
-		candidate: `candidate:1 1 UDP 2130706431 ${host} ${port} typ host`,
-		sdpMid: "0",
-		sdpMLineIndex: 0
+//#region ../core/webrtc.ts
+const DEFAULT_ICE_SERVERS = [{ urls: "stun:stun.l.google.com:19302" }, { urls: "stun:global.stun.twilio.com:3478" }];
+const ICE_GATHER_TIMEOUT_MS = 3e3;
+const CONNECTION_TIMEOUT_MS = 3e4;
+async function waitForIceGathering(pc, timeoutMs = ICE_GATHER_TIMEOUT_MS) {
+	if (pc.iceGatheringState === "complete") return;
+	if (pc.connectionState === "failed" || pc.connectionState === "closed") throw new Error(`Peer connection ${pc.connectionState}`);
+	await new Promise((resolve, reject) => {
+		const cleanup = () => {
+			clearTimeout(timeout);
+			pc.removeEventListener("icegatheringstatechange", onStateChange);
+			pc.removeEventListener("icecandidate", onCandidate);
+			pc.removeEventListener("connectionstatechange", onConnectionStateChange);
+		};
+		const timeout = setTimeout(() => {
+			cleanup();
+			resolve();
+		}, timeoutMs);
+		const onStateChange = () => {
+			if (pc.iceGatheringState === "complete") {
+				cleanup();
+				resolve();
+			}
+		};
+		const onCandidate = (event) => {
+			if (!("candidate" in event) || !event.candidate) {
+				cleanup();
+				resolve();
+			}
+		};
+		const onConnectionStateChange = () => {
+			if (pc.connectionState === "failed" || pc.connectionState === "closed") {
+				cleanup();
+				reject(/* @__PURE__ */ new Error(`Peer connection ${pc.connectionState}`));
+			}
+		};
+		pc.addEventListener("icegatheringstatechange", onStateChange);
+		pc.addEventListener("icecandidate", onCandidate);
+		pc.addEventListener("connectionstatechange", onConnectionStateChange);
 	});
+}
+async function waitForPeerConnectionConnected(pc, timeoutMs = CONNECTION_TIMEOUT_MS) {
+	if (pc.connectionState === "connected") return;
+	if (pc.connectionState === "failed" || pc.connectionState === "disconnected" || pc.connectionState === "closed") throw new Error(`Connection failed: ${pc.connectionState}`);
 	await new Promise((resolve, reject) => {
+		const cleanup = () => {
+			clearTimeout(timeout);
+			pc.removeEventListener("connectionstatechange", onStateChange);
+		};
 		const timeout = setTimeout(() => {
-			reject(/* @__PURE__ */ new Error("Connection timed out after 30s"));
-		}, 3e4);
-		pc.onconnectionstatechange = () => {
+			cleanup();
+			reject(/* @__PURE__ */ new Error(`WebRTC connection timed out after ${timeoutMs}ms`));
+		}, timeoutMs);
+		const onStateChange = () => {
 			if (pc.connectionState === "connected") {
-				clearTimeout(timeout);
+				cleanup();
 				resolve();
-			} else if (pc.connectionState === "failed" || pc.connectionState === "disconnected") {
-				clearTimeout(timeout);
+			} else if (pc.connectionState === "failed" || pc.connectionState === "disconnected" || pc.connectionState === "closed") {
+				cleanup();
 				reject(/* @__PURE__ */ new Error(`Connection failed: ${pc.connectionState}`));
 			}
 		};
+		pc.addEventListener("connectionstatechange", onStateChange);
 	});
-	return {
-		keepalive,
-		pc,
-		async close() {
-			keepalive.close();
-			pc.close();
-		}
-	};
 }
 //#endregion
-//#region lib/connection/nostr.ts
-/**
-* Connect via a Nostr relay (placeholder).
-*
-* In the future, this will implement a Nostr-based signaling layer for
-* establishing peer connections through a Nostr relay.
-*/
-async function connectNostr(_relay, _pubkey) {
-	throw new Error("Nostr mode not yet implemented");
+//#region ../core/socket.ts
+function socketChannelLabel(hostname, port) {
+	return `${SOCKET_PREFIX}${formatSocketDestination(hostname, port)}`;
+}
+function formatSocketDestination(hostname, port) {
+	return `${hostname.includes(":") && !hostname.startsWith("[") ? `[${hostname}]` : hostname}:${port}`;
 }
 //#endregion
 //#region lib/socket-channel.ts
@@ -157,11 +155,423 @@ function waitForDataChannelOpen(channel, pc, timeoutMs = 1e4, signal) {
 * `libcurlTransport()`.
 */
 function openSocketChannel(pc, hostname, port, timeoutMs, signal) {
-	const label = `${SOCKET_PREFIX}${hostname}:${port}`;
+	const label = socketChannelLabel(hostname, port);
 	const channel = pc.createDataChannel(label, { ordered: true });
 	return waitForDataChannelOpen(channel, pc, timeoutMs, signal).then(() => channel);
 }
 //#endregion
+//#region lib/connection/direct.ts
+/**
+* Connect to a remote Pulsar server in direct mode.
+*
+* Designed for browsers, using the native `RTCPeerConnection` API.
+*
+* @param host  Server IP address
+* @param port  Server UDP port
+* @returns A connected PulsarClientConnection with an open keepalive channel
+*          and a `connect()` helper for opening socket tunnels.
+*/
+async function connectDirect(host, port) {
+	const pc = new RTCPeerConnection();
+	const keepalive = pc.createDataChannel(KEEPALIVE_LABEL, { ordered: true });
+	const offer = await pc.createOffer();
+	await pc.setLocalDescription(offer);
+	const remoteSdp = [
+		"v=0",
+		"o=- 111 222 IN IP4 0.0.0.0",
+		"s=-",
+		"t=0 0",
+		`m=application ${port} UDP/DTLS/SCTP webrtc-datachannel`,
+		`c=IN IP4 ${host}`,
+		`a=ice-ufrag:${PULSAR_UFRAG}`,
+		`a=ice-pwd:${PULSAR_PWD}`,
+		`a=fingerprint:sha-256 ${PULSAR_FINGERPRINT}`,
+		"a=setup:active",
+		"a=mid:0",
+		"a=sctp-port:5000",
+		""
+	].join("\r\n");
+	await pc.setRemoteDescription({
+		type: "answer",
+		sdp: remoteSdp
+	});
+	await pc.addIceCandidate({
+		candidate: `candidate:1 1 UDP 2130706431 ${host} ${port} typ host`,
+		sdpMid: "0",
+		sdpMLineIndex: 0
+	});
+	await waitForPeerConnectionConnected(pc);
+	await waitForDataChannelOpen(keepalive, pc);
+	return {
+		keepalive,
+		pc,
+		async close() {
+			keepalive.close();
+			pc.close();
+		}
+	};
+}
+//#endregion
+//#region ../core/nostr.ts
+const NOSTR_RELAYS = ["wss://nostr.data.haus", "wss://kotukonostr.onrender.com"];
+const SIGNALING_KIND = 28e3;
+const DISCOVERY_KIND = 38e3;
+const D_TAG_ID = "pulsar-tunnel";
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+function nowSeconds() {
+	return Math.floor(Date.now() / 1e3);
+}
+function bytesToHex(bytes) {
+	return Array.from(bytes).map((byte) => byte.toString(16).padStart(2, "0")).join("");
+}
+function hexToBytes(hex) {
+	if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) throw new Error("Invalid hex string");
+	const bytes = new Uint8Array(hex.length / 2);
+	for (let i = 0; i < hex.length; i += 2) bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
+	return bytes;
+}
+function generateNostrKeypair() {
+	const seckey = secp256k1.utils.randomPrivateKey();
+	return {
+		seckey: bytesToHex(seckey),
+		pubkey: bytesToHex(schnorr.getPublicKey(seckey))
+	};
+}
+function hasTag(event, name, value) {
+	return event.tags.some((tag) => tag[0] === name && tag[1] === value);
+}
+function isAddressedTo(event, pubkey) {
+	return hasTag(event, "p", pubkey);
+}
+function serializeEvent(event) {
+	return JSON.stringify([
+		0,
+		event.pubkey,
+		event.created_at,
+		event.kind,
+		event.tags,
+		event.content
+	]);
+}
+async function computeEventId(event) {
+	const hash = await crypto.subtle.digest("SHA-256", textEncoder.encode(serializeEvent(event)));
+	return bytesToHex(new Uint8Array(hash));
+}
+async function signNostrEvent(event, seckeyHex) {
+	const id = await computeEventId(event);
+	const sig = schnorr.sign(hexToBytes(id), hexToBytes(seckeyHex));
+	return {
+		...event,
+		id,
+		sig: bytesToHex(sig)
+	};
+}
+async function verifyNostrEvent(event) {
+	try {
+		if (event.id !== await computeEventId(event)) return false;
+		return schnorr.verify(hexToBytes(event.sig), hexToBytes(event.id), hexToBytes(event.pubkey));
+	} catch {
+		return false;
+	}
+}
+function makeSignalEvent(pubkey, peerPubkey, content) {
+	return {
+		pubkey,
+		created_at: nowSeconds(),
+		kind: SIGNALING_KIND,
+		tags: [["p", peerPubkey]],
+		content
+	};
+}
+function makeSignalingFilter(pubkey) {
+	return {
+		kinds: [SIGNALING_KIND],
+		"#p": [pubkey],
+		since: nowSeconds() - 5
+	};
+}
+function makeDiscoveryFilter() {
+	return {
+		kinds: [DISCOVERY_KIND],
+		"#d": [D_TAG_ID],
+		limit: 20
+	};
+}
+function sendNostrEvent(ws, event) {
+	const msg = ["EVENT", event];
+	ws.send(JSON.stringify(msg));
+}
+function sendNostrReq(ws, subId, filter) {
+	const msg = [
+		"REQ",
+		subId,
+		filter
+	];
+	ws.send(JSON.stringify(msg));
+}
+function closeNostrReq(ws, subId) {
+	const msg = ["CLOSE", subId];
+	try {
+		ws.send(JSON.stringify(msg));
+	} catch {}
+}
+function parseNostrMessage(data) {
+	if (typeof data !== "string") return null;
+	try {
+		const msg = JSON.parse(data);
+		if (!Array.isArray(msg) || typeof msg[0] !== "string") return null;
+		return msg;
+	} catch {
+		return null;
+	}
+}
+async function encryptSignal(plaintext, seckeyHex, pubkeyHex) {
+	const key = await getSignalKey(hexToBytes(seckeyHex), hexToBytes(pubkeyHex));
+	const nonce = crypto.getRandomValues(new Uint8Array(12));
+	const encrypted = await crypto.subtle.encrypt({
+		name: "AES-GCM",
+		iv: nonce,
+		tagLength: 128
+	}, key, toArrayBuffer(textEncoder.encode(plaintext)));
+	const bytes = new Uint8Array(1 + nonce.byteLength + encrypted.byteLength);
+	bytes[0] = 1;
+	bytes.set(nonce, 1);
+	bytes.set(new Uint8Array(encrypted), 1 + nonce.byteLength);
+	return bytesToBase64(bytes);
+}
+async function decryptSignal(ciphertextB64, seckeyHex, pubkeyHex) {
+	const raw = base64ToBytes(ciphertextB64);
+	if (raw.length < 13) throw new Error("Ciphertext too short");
+	if (raw[0] !== 1) throw new Error(`Unsupported signal encryption version ${raw[0]}`);
+	const key = await getSignalKey(hexToBytes(seckeyHex), hexToBytes(pubkeyHex));
+	const nonce = raw.slice(1, 13);
+	const ciphertext = raw.slice(13);
+	const decrypted = await crypto.subtle.decrypt({
+		name: "AES-GCM",
+		iv: nonce,
+		tagLength: 128
+	}, key, toArrayBuffer(ciphertext));
+	return textDecoder.decode(decrypted);
+}
+function getSharedXOnly(seckey, pubkeyXOnly) {
+	const compressed = new Uint8Array(33);
+	compressed[0] = 2;
+	compressed.set(pubkeyXOnly, 1);
+	const sharedPoint = secp256k1.ProjectivePoint.fromHex(compressed).multiply(bytesToBigInt(seckey));
+	return new Uint8Array(sharedPoint.toRawBytes(false).slice(1, 33));
+}
+async function getSignalKey(seckeyBytes, pubkeyBytes) {
+	const hkdfKey = await crypto.subtle.importKey("raw", toArrayBuffer(getSharedXOnly(seckeyBytes, pubkeyBytes)), "HKDF", false, ["deriveKey"]);
+	return crypto.subtle.deriveKey({
+		name: "HKDF",
+		hash: "SHA-256",
+		salt: /* @__PURE__ */ new ArrayBuffer(0),
+		info: toArrayBuffer(textEncoder.encode("pulsar-nostr-signal-v1"))
+	}, hkdfKey, {
+		name: "AES-GCM",
+		length: 256
+	}, false, ["encrypt", "decrypt"]);
+}
+function bytesToBigInt(bytes) {
+	let hex = "";
+	for (const byte of bytes) hex += byte.toString(16).padStart(2, "0");
+	return BigInt(`0x${hex}`);
+}
+function toArrayBuffer(bytes) {
+	const buffer = new ArrayBuffer(bytes.byteLength);
+	new Uint8Array(buffer).set(bytes);
+	return buffer;
+}
+function bytesToBase64(bytes) {
+	let binary = "";
+	const chunkSize = 32768;
+	for (let i = 0; i < bytes.length; i += chunkSize) binary += String.fromCharCode(...bytes.subarray(i, i + chunkSize));
+	return btoa(binary);
+}
+function base64ToBytes(base64) {
+	const binary = atob(base64);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+//#endregion
+//#region lib/connection/nostr.ts
+function connectRelay(url, timeoutMs = 1e4) {
+	return new Promise((resolve, reject) => {
+		const ws = new WebSocket(url);
+		const timeout = setTimeout(() => {
+			ws.close();
+			reject(/* @__PURE__ */ new Error(`Connection to ${url} timed out`));
+		}, timeoutMs);
+		ws.addEventListener("open", () => {
+			clearTimeout(timeout);
+			resolve(ws);
+		});
+		ws.addEventListener("error", () => {
+			clearTimeout(timeout);
+			reject(/* @__PURE__ */ new Error(`Failed to connect to ${url}`));
+		});
+	});
+}
+async function connectToServerRelay(pubkeyPrefix) {
+	const errors = [];
+	for (const relayUrl of NOSTR_RELAYS) {
+		let ws;
+		try {
+			ws = await connectRelay(relayUrl);
+			console.log(`[nostr] Connected to ${relayUrl}`);
+			const serverPubkey = await findServer(ws, pubkeyPrefix);
+			return {
+				ws,
+				serverPubkey
+			};
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			errors.push(`${relayUrl}: ${message}`);
+			console.warn(`[nostr] ${relayUrl}: ${message}`);
+			try {
+				ws?.close();
+			} catch {}
+		}
+	}
+	throw new Error(`Failed to find a Pulsar server: ${errors.join("; ")}`);
+}
+function makeSubId(prefix) {
+	return `${prefix}-${typeof crypto.randomUUID === "function" ? crypto.randomUUID() : Math.random().toString(16).slice(2)}`;
+}
+async function findServer(ws, pubkeyPrefix, timeoutMs = 15e3) {
+	const subId = makeSubId("pulsar-discover");
+	return new Promise((resolve, reject) => {
+		let done = false;
+		const finish = (fn) => {
+			if (done) return;
+			done = true;
+			clearTimeout(timeout);
+			ws.removeEventListener("message", onMessage);
+			closeNostrReq(ws, subId);
+			fn();
+		};
+		const timeout = setTimeout(() => {
+			finish(() => {
+				reject(/* @__PURE__ */ new Error(pubkeyPrefix ? `No Pulsar server with tunnel code "pulsar${pubkeyPrefix}" found` : "No Pulsar server found on Nostr relay"));
+			});
+		}, timeoutMs);
+		const onMessage = (event) => {
+			const msg = parseNostrMessage(event.data);
+			if (!msg || msg[0] !== "EVENT" || msg[1] !== subId) return;
+			(async () => {
+				const relayEvent = msg[2];
+				if (!await verifyNostrEvent(relayEvent)) return;
+				if (pubkeyPrefix && !relayEvent.pubkey.startsWith(pubkeyPrefix)) return;
+				finish(() => resolve(relayEvent.pubkey));
+			})().catch(() => {});
+		};
+		ws.addEventListener("message", onMessage);
+		sendNostrReq(ws, subId, makeDiscoveryFilter());
+	});
+}
+function waitForSignalEvent(ws, recipientPubkey, expectedSenderPubkey, timeoutMs = 3e4) {
+	const subId = makeSubId("pulsar-answer");
+	return new Promise((resolve, reject) => {
+		let done = false;
+		const finish = (fn) => {
+			if (done) return;
+			done = true;
+			clearTimeout(timeout);
+			ws.removeEventListener("message", onMessage);
+			closeNostrReq(ws, subId);
+			fn();
+		};
+		const timeout = setTimeout(() => {
+			finish(() => reject(/* @__PURE__ */ new Error("Timed out waiting for Nostr answer")));
+		}, timeoutMs);
+		const onMessage = (event) => {
+			const msg = parseNostrMessage(event.data);
+			if (!msg || msg[0] !== "EVENT" || msg[1] !== subId) return;
+			(async () => {
+				const relayEvent = msg[2];
+				if (relayEvent.pubkey !== expectedSenderPubkey) return;
+				if (!isAddressedTo(relayEvent, recipientPubkey)) return;
+				if (!await verifyNostrEvent(relayEvent)) return;
+				finish(() => resolve(relayEvent));
+			})().catch(() => {});
+		};
+		ws.addEventListener("message", onMessage);
+		sendNostrReq(ws, subId, makeSignalingFilter(recipientPubkey));
+	});
+}
+var NostrClientConnection = class {
+	keepalive;
+	pc;
+	ws;
+	constructor(keepalive, pc, ws) {
+		this.keepalive = keepalive;
+		this.pc = pc;
+		this.ws = ws;
+	}
+	async close() {
+		try {
+			this.keepalive.close();
+		} catch {}
+		try {
+			this.pc.close();
+		} catch {}
+		try {
+			this.ws.close();
+		} catch {}
+	}
+};
+async function connectNostr(tunnelCode) {
+	const pubkeyPrefix = tunnelCode ? tunnelCode.replace(/^pulsar/, "").slice(0, 4) : void 0;
+	console.log("[nostr] Looking up Pulsar tunnel" + (pubkeyPrefix ? ` (code ${tunnelCode})` : "") + "...");
+	const { ws, serverPubkey } = await connectToServerRelay(pubkeyPrefix);
+	let pc;
+	try {
+		console.log(`[nostr] Found server: ${serverPubkey.slice(0, 16)}...`);
+		const clientKeys = generateNostrKeypair();
+		console.log(`[nostr] Client pubkey: ${clientKeys.pubkey.slice(0, 16)}...`);
+		pc = new RTCPeerConnection({ iceServers: [...DEFAULT_ICE_SERVERS] });
+		const keepalive = pc.createDataChannel(KEEPALIVE_LABEL, { ordered: true });
+		keepalive.binaryType = "arraybuffer";
+		const keepaliveReady = waitForDataChannelOpen(keepalive, pc);
+		const offer = await pc.createOffer();
+		await pc.setLocalDescription(offer);
+		await waitForIceGathering(pc);
+		const localDesc = pc.localDescription;
+		if (!localDesc) throw new Error("Failed to create local offer");
+		const offerPayload = {
+			type: "offer",
+			sdp: localDesc.sdp
+		};
+		const encryptedOffer = await encryptSignal(JSON.stringify(offerPayload), clientKeys.seckey, serverPubkey);
+		const offerEvent = await signNostrEvent(makeSignalEvent(clientKeys.pubkey, serverPubkey, encryptedOffer), clientKeys.seckey);
+		const answerPromise = waitForSignalEvent(ws, clientKeys.pubkey, serverPubkey);
+		sendNostrEvent(ws, offerEvent);
+		console.log("[nostr] Sent encrypted offer, waiting for answer...");
+		const answerPlaintext = await decryptSignal((await answerPromise).content, clientKeys.seckey, serverPubkey);
+		const answerPayload = JSON.parse(answerPlaintext);
+		if (answerPayload.type !== "answer" || !answerPayload.sdp) throw new Error("Invalid answer from server");
+		console.log("[nostr] Received answer, connecting WebRTC...");
+		await pc.setRemoteDescription({
+			type: "answer",
+			sdp: answerPayload.sdp
+		});
+		await waitForPeerConnectionConnected(pc);
+		await keepaliveReady;
+		console.log("[nostr] WebRTC connected");
+		return new NostrClientConnection(keepalive, pc, ws);
+	} catch (err) {
+		try {
+			pc?.close();
+		} catch {}
+		try {
+			ws.close();
+		} catch {}
+		throw err;
+	}
+}
+//#endregion
 //#region lib/tunnel.ts
 /**
 * WebSocket-compatible wrapper around an RTCDataChannel.
@@ -272,14 +682,13 @@ var DataChannelSocket = class DataChannelSocket extends EventTarget {
 * import { connectDirect, libcurlTransport } from '@abndnce/pulsar-client';
 * import { libcurl } from 'libcurl.js';
 *
-* const tunnel = await connectDirect('216.250.119.217', 42069);
+* const tunnel = await connectDirect('1.2.3.4', 1234);
 * libcurl.transport = libcurlTransport(tunnel.pc);
 * libcurl.set_websocket('wss://pulsar-tunnel.local/');
 * ```
 *
 * libcurl.js calls the factory with URLs like:
 *   `wss://pulsar-tunnel.local/example.com:80`
-*   `wss://pulsar-tunnel.local/216.250.119.217:443`
 *
 * The factory parses `<hostname>:<port>` from the URL path, opens a
 * Pulsar socket data channel, and returns a WebSocket-like adapter.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@abndnce/pulsar-client",
   "type": "module",
-  "version": "0.0.9",
+  "version": "0.0.11",
   "homepage": "https://github.com/abndnce/pulsar",
   "license": "MIT",
   "exports": {
@@ -11,14 +11,15 @@
   "files": [
     "dist"
   ],
+  "dependencies": {
+    "@noble/curves": "^1.8.1"
+  },
   "devDependencies": {
-    "tsdown": "^0.22.0",
-    "typescript": "^6.0.3"
+    "tsdown": "^0.22.0"
   },
   "scripts": {
     "build": "tsdown",
     "dev": "tsdown --watch",
-    "test": "vitest",
     "typecheck": "tsc --noEmit"
   }
 }