@aria-cli/wireguard 0.1.0

package/dist/derp-relay.js

@@ -0,0 +1,311 @@
+"use strict";
+/**
+ * DerpRelay — DERP relay client for NAT traversal.
+ *
+ * When both peers are behind symmetric NAT, direct WireGuard tunnels fail.
+ * DerpRelay connects to a relay server via WebSocket and forwards encrypted
+ * WireGuard packets through it. The relay CANNOT read the content (WireGuard
+ * encryption is end-to-end).
+ *
+ * Implements the same { send(data: Buffer): void } interface as tunnel transports,
+ * so it plugs into Mailbox.registerTunnel() transparently.
+ *
+ * Authentication: Ed25519 signature challenge on connect to prevent impersonation.
+ * Auto-reconnect: Exponential backoff, matching ResilientTunnel's pattern.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DerpRelay = void 0;
+const node_events_1 = require("node:events");
+const crypto = __importStar(require("node:crypto"));
+const ws_1 = __importDefault(require("ws"));
+const tools_1 = require("@aria/tools");
+/** Max payload size matching WireGuard MTU */
+const MAX_PAYLOAD_BYTES = 65535;
+/** Max reconnection attempts before declaring dead */
+const MAX_RECONNECT_ATTEMPTS = 10;
+/** Base backoff interval */
+const BASE_BACKOFF_MS = 1_000;
+/** Max backoff interval */
+const MAX_BACKOFF_MS = 60_000;
+/**
+ * DERP relay client.
+ *
+ * Emits: "plaintext" (data: Buffer, fromNodeId: NodeId, displayNameSnapshot?: string), "connected", "disconnected",
+ *        "dead", "error" (Error), "stateChange" (newState, prevState)
+ */
+class DerpRelay extends node_events_1.EventEmitter {
+    ws = null;
+    _state = "disconnected";
+    reconnectAttempts = 0;
+    reconnectTimer = null;
+    stopped = false;
+    closing = false;
+    relayUrl;
+    nodeId;
+    displayNameSnapshot;
+    signingPrivateKey;
+    signingPublicKey;
+    targetNodeId;
+    signal;
+    /** Queued messages while not connected */
+    queue = [];
+    static MAX_QUEUE = 200;
+    constructor(options) {
+        super();
+        this.relayUrl = options.relayUrl;
+        this.nodeId = options.nodeId;
+        this.displayNameSnapshot = options.displayNameSnapshot;
+        this.signingPrivateKey = options.signingPrivateKey;
+        this.signingPublicKey = options.signingPublicKey;
+        this.targetNodeId = options.targetNodeId;
+        this.signal = options.signal;
+        if (this.signal) {
+            this.signal.addEventListener("abort", () => this.disconnect(), { once: true });
+        }
+    }
+    /** Connect to the relay server */
+    async connect() {
+        if (this.stopped || this._state === "connected" || this._state === "connecting")
+            return;
+        this.closing = false;
+        this.setState("connecting");
+        return new Promise((resolve, reject) => {
+            try {
+                const ws = new ws_1.default(this.relayUrl);
+                this.ws = ws;
+                const timeout = setTimeout(() => {
+                    ws.close();
+                    reject(new Error("Relay connection timeout"));
+                }, 15_000);
+                ws.on("open", () => {
+                    clearTimeout(timeout);
+                    if (this.closing) {
+                        ws.close();
+                        reject(new Error("Relay connection aborted: disconnect() called during connect"));
+                        return;
+                    }
+                    this.setState("authenticating");
+                    // Send auth message with our identity
+                    ws.send(JSON.stringify({
+                        type: "auth",
+                        nodeId: this.nodeId,
+                        signingPublicKey: this.signingPublicKey,
+                    }));
+                });
+                ws.on("message", (rawData) => {
+                    try {
+                        const data = typeof rawData === "string" ? rawData : rawData.toString();
+                        const msg = JSON.parse(data);
+                        if (msg.type === "challenge" && this._state === "authenticating") {
+                            // Sign the challenge to prove identity
+                            const signature = this.signChallenge(msg.nonce);
+                            ws.send(JSON.stringify({ type: "challenge_response", signature }));
+                        }
+                        else if (msg.type === "auth_ok") {
+                            if (this.closing) {
+                                ws.close();
+                                reject(new Error("Relay connection aborted: disconnect() called during auth"));
+                                return;
+                            }
+                            this.setState("connected");
+                            this.reconnectAttempts = 0;
+                            this.flushQueue();
+                            this.emit("connected");
+                            resolve();
+                        }
+                        else if (msg.type === "auth_error") {
+                            ws.close();
+                            reject(new Error(`Relay auth failed: ${msg.error}`));
+                        }
+                        else if (msg.type === "relay" && this._state === "connected") {
+                            // Incoming relayed data from another peer
+                            const fromNodeId = tools_1.NodeIdSchema.parse(msg.fromNodeId);
+                            const payload = Buffer.from(msg.data, "base64");
+                            this.emit("plaintext", payload, fromNodeId, msg.displayNameSnapshot);
+                        }
+                        else if (msg.type === "peer_offline") {
+                            // Target peer is not connected to relay
+                            const peerLabel = typeof msg.displayNameSnapshot === "string" && msg.displayNameSnapshot.length > 0
+                                ? msg.displayNameSnapshot
+                                : typeof msg.nodeId === "string" && msg.nodeId.length > 0
+                                    ? msg.nodeId
+                                    : this.targetNodeId;
+                            this.emit("error", new Error(`Peer ${peerLabel} is offline on relay`));
+                        }
+                    }
+                    catch (err) {
+                        this.emit("error", err instanceof Error ? err : new Error(String(err)));
+                    }
+                });
+                ws.on("close", () => {
+                    clearTimeout(timeout);
+                    const wasConnecting = this._state === "connecting" || this._state === "authenticating";
+                    this.setState("disconnected");
+                    if (this.stopped || this.closing) {
+                        // Reject the pending connect promise so callers don't hang
+                        if (wasConnecting) {
+                            reject(new Error("Relay connection closed during setup"));
+                        }
+                    }
+                    else {
+                        this.emit("disconnected");
+                        this.attemptReconnect();
+                    }
+                });
+                ws.on("error", (err) => {
+                    clearTimeout(timeout);
+                    this.emit("error", err);
+                    if (this._state === "connecting" || this._state === "authenticating") {
+                        reject(err);
+                    }
+                });
+            }
+            catch (err) {
+                this.setState("disconnected");
+                reject(err);
+            }
+        });
+    }
+    /** Send data through the relay to the target peer */
+    send(data) {
+        if (this.stopped)
+            throw new Error("Relay is stopped");
+        if (data.length > MAX_PAYLOAD_BYTES) {
+            throw new Error(`Payload exceeds max size (${data.length} > ${MAX_PAYLOAD_BYTES})`);
+        }
+        if (this._state !== "connected" || !this.ws) {
+            this.enqueue(data);
+            return;
+        }
+        this.ws.send(JSON.stringify({
+            type: "relay",
+            toNodeId: this.targetNodeId,
+            data: data.toString("base64"),
+        }));
+    }
+    /** Disconnect from the relay server */
+    disconnect() {
+        this.closing = true;
+        this.stopped = true;
+        this.clearReconnectTimer();
+        if (this.ws) {
+            try {
+                this.ws.close();
+            }
+            catch {
+                // ignore close errors
+            }
+            this.ws = null;
+        }
+        this.queue = [];
+        this.setState("disconnected");
+    }
+    /** Get current relay state */
+    getState() {
+        return this._state;
+    }
+    /** Whether the relay is actively connected */
+    get isConnected() {
+        return this._state === "connected";
+    }
+    // ── Internal ─────────────────────────────────────────────────────
+    setState(newState) {
+        const prev = this._state;
+        if (prev === newState)
+            return;
+        this._state = newState;
+        this.emit("stateChange", newState, prev);
+    }
+    signChallenge(nonce) {
+        const keyDer = Buffer.from(this.signingPrivateKey, "base64");
+        const privateKey = crypto.createPrivateKey({
+            key: keyDer,
+            format: "der",
+            type: "pkcs8",
+        });
+        const signature = crypto.sign(null, Buffer.from(nonce), privateKey);
+        return signature.toString("base64");
+    }
+    attemptReconnect() {
+        if (this.stopped)
+            return;
+        if (this.reconnectAttempts >= MAX_RECONNECT_ATTEMPTS) {
+            this.setState("dead");
+            this.emit("dead");
+            return;
+        }
+        const backoff = Math.min(BASE_BACKOFF_MS * Math.pow(2, this.reconnectAttempts), MAX_BACKOFF_MS);
+        this.reconnectAttempts++;
+        this.reconnectTimer = setTimeout(() => {
+            if (this.stopped)
+                return;
+            void this.connect().catch((err) => {
+                this.emit("error", err instanceof Error ? err : new Error(String(err)));
+            });
+        }, backoff);
+    }
+    clearReconnectTimer() {
+        if (this.reconnectTimer) {
+            clearTimeout(this.reconnectTimer);
+            this.reconnectTimer = null;
+        }
+    }
+    enqueue(data) {
+        if (this.queue.length >= DerpRelay.MAX_QUEUE) {
+            // Drop oldest to make room
+            this.queue.shift();
+        }
+        this.queue.push(data);
+    }
+    flushQueue() {
+        if (this._state !== "connected" || !this.ws)
+            return;
+        const pending = this.queue.splice(0);
+        for (const data of pending) {
+            try {
+                this.send(data);
+            }
+            catch {
+                // Drop on failure during flush
+            }
+        }
+    }
+}
+exports.DerpRelay = DerpRelay;
+//# sourceMappingURL=derp-relay.js.map

package/dist/derp-relay.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"derp-relay.js","sourceRoot":"","sources":["../derp-relay.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,6CAA2C;AAC3C,oDAAsC;AACtC,4CAA2B;AAC3B,uCAAwD;AA0BxD,8CAA8C;AAC9C,MAAM,iBAAiB,GAAG,KAAK,CAAC;AAChC,sDAAsD;AACtD,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAClC,4BAA4B;AAC5B,MAAM,eAAe,GAAG,KAAK,CAAC;AAC9B,2BAA2B;AAC3B,MAAM,cAAc,GAAG,MAAM,CAAC;AAE9B;;;;;GAKG;AACH,MAAa,SAAU,SAAQ,0BAAY;IACjC,EAAE,GAAqB,IAAI,CAAC;IAC5B,MAAM,GAAmB,cAAc,CAAC;IACxC,iBAAiB,GAAG,CAAC,CAAC;IACtB,cAAc,GAAyC,IAAI,CAAC;IAC5D,OAAO,GAAG,KAAK,CAAC;IAChB,OAAO,GAAG,KAAK,CAAC;IACP,QAAQ,CAAS;IACjB,MAAM,CAAS;IACf,mBAAmB,CAAU;IAC7B,iBAAiB,CAAS;IAC1B,gBAAgB,CAAS;IACzB,YAAY,CAAS;IACrB,MAAM,CAAe;IACtC,0CAA0C;IAClC,KAAK,GAAa,EAAE,CAAC;IACrB,MAAM,CAAU,SAAS,GAAG,GAAG,CAAC;IAExC,YAAY,OAAyB;QACnC,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC;QACvD,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC;QACnD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACjD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACzC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE7B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,KAAK,CAAC,OAAO;QACX,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,IAAI,CAAC,MAAM,KAAK,YAAY;YAAE,OAAO;QACxF,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QAE5B,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC3C,IAAI,CAAC;gBACH,MAAM,EAAE,GAAG,IAAI,YAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACxC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;gBAEb,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;oBAC9B,EAAE,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,CAAC,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAC;gBAChD,CAAC,EAAE,MAAM,CAAC,CAAC;gBAEX,EAAE,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;oBACjB,YAAY,CAAC,OAAO,CAAC,CAAC;oBACtB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;wBACjB,EAAE,CAAC,KAAK,EAAE,CAAC;wBACX,MAAM,CAAC,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC,CAAC;wBAClF,OAAO;oBACT,CAAC;oBACD,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;oBAChC,sCAAsC;oBACtC,EAAE,CAAC,IAAI,CACL,IAAI,CAAC,SAAS,CAAC;wBACb,IAAI,EAAE,MAAM;wBACZ,MAAM,EAAE,IAAI,CAAC,MAAM;wBACnB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;qBACxC,CAAC,CACH,CAAC;gBACJ,CAAC,CAAC,CAAC;gBAEH,EAAE,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,OAAwB,EAAE,EAAE;oBAC5C,IAAI,CAAC;wBACH,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;wBACxE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBAE7B,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,IAAI,IAAI,CAAC,MAAM,KAAK,gBAAgB,EAAE,CAAC;4BACjE,uCAAuC;4BACvC,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;4BAChD,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,oBAAoB,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;wBACrE,CAAC;6BAAM,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;4BAClC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gCACjB,EAAE,CAAC,KAAK,EAAE,CAAC;gCACX,MAAM,CAAC,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC,CAAC;gCAC/E,OAAO;4BACT,CAAC;4BACD,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;4BAC3B,IAAI,CAAC,iBAAiB,GAAG,CAAC,CAAC;4BAC3B,IAAI,CAAC,UAAU,EAAE,CAAC;4BAClB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;4BACvB,OAAO,EAAE,CAAC;wBACZ,CAAC;6BAAM,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;4BACrC,EAAE,CAAC,KAAK,EAAE,CAAC;4BACX,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;wBACvD,CAAC;6BAAM,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;4BAC/D,0CAA0C;4BAC1C,MAAM,UAAU,GAAG,oBAAY,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;4BACtD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;4BAChD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,mBAAmB,CAAC,CAAC;wBACvE,CAAC;6BAAM,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;4BACvC,wCAAwC;4BACxC,MAAM,SAAS,GACb,OAAO,GAAG,CAAC,mBAAmB,KAAK,QAAQ,IAAI,GAAG,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC;gCAC/E,CAAC,CAAC,GAAG,CAAC,mBAAmB;gCACzB,CAAC,CAAC,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;oCACvD,CAAC,CAAC,GAAG,CAAC,MAAM;oCACZ,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;4BAC1B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,KAAK,CAAC,QAAQ,SAAS,sBAAsB,CAAC,CAAC,CAAC;wBACzE,CAAC;oBACH,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;oBAC1E,CAAC;gBACH,CAAC,CAAC,CAAC;gBAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;oBAClB,YAAY,CAAC,OAAO,CAAC,CAAC;oBACtB,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,KAAK,YAAY,IAAI,IAAI,CAAC,MAAM,KAAK,gBAAgB,CAAC;oBACvF,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;oBAC9B,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;wBACjC,2DAA2D;wBAC3D,IAAI,aAAa,EAAE,CAAC;4BAClB,MAAM,CAAC,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC,CAAC;wBAC5D,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;wBAC1B,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBAC1B,CAAC;gBACH,CAAC,CAAC,CAAC;gBAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;oBAC5B,YAAY,CAAC,OAAO,CAAC,CAAC;oBACtB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;oBACxB,IAAI,IAAI,CAAC,MAAM,KAAK,YAAY,IAAI,IAAI,CAAC,MAAM,KAAK,gBAAgB,EAAE,CAAC;wBACrE,MAAM,CAAC,GAAG,CAAC,CAAC;oBACd,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;gBAC9B,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,qDAAqD;IACrD,IAAI,CAAC,IAAY;QACf,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAEtD,IAAI,IAAI,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC;QACtF,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YAC5C,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;YACb,IAAI,EAAE,OAAO;YACb,QAAQ,EAAE,IAAI,CAAC,YAAY;YAC3B,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;SAC9B,CAAC,CACH,CAAC;IACJ,CAAC;IAED,uCAAuC;IACvC,UAAU;QACR,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClB,CAAC;YAAC,MAAM,CAAC;gBACP,sBAAsB;YACxB,CAAC;YACD,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC;QACjB,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QAChB,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IAChC,CAAC;IAED,8BAA8B;IAC9B,QAAQ;QACN,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,8CAA8C;IAC9C,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,MAAM,KAAK,WAAW,CAAC;IACrC,CAAC;IAED,oEAAoE;IAE5D,QAAQ,CAAC,QAAwB;QACvC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC;QACzB,IAAI,IAAI,KAAK,QAAQ;YAAE,OAAO;QAC9B,IAAI,CAAC,MAAM,GAAG,QAAQ,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC3C,CAAC;IAEO,aAAa,CAAC,KAAa;QACjC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,QAAQ,CAAC,CAAC;QAC7D,MAAM,UAAU,GAAG,MAAM,CAAC,gBAAgB,CAAC;YACzC,GAAG,EAAE,MAAM;YACX,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,UAAU,CAAC,CAAC;QACpE,OAAO,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAEO,gBAAgB;QACtB,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QAEzB,IAAI,IAAI,CAAC,iBAAiB,IAAI,sBAAsB,EAAE,CAAC;YACrD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACtB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAClB,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,iBAAiB,CAAC,EAAE,cAAc,CAAC,CAAC;QAChG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,IAAI,CAAC,cAAc,GAAG,UAAU,CAAC,GAAG,EAAE;YACpC,IAAI,IAAI,CAAC,OAAO;gBAAE,OAAO;YACzB,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBAChC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC1E,CAAC,CAAC,CAAC;QACL,CAAC,EAAE,OAAO,CAAC,CAAC;IACd,CAAC;IAEO,mBAAmB;QACzB,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,YAAY,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAClC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;IACH,CAAC;IAEO,OAAO,CAAC,IAAY;QAC1B,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC;YAC7C,2BAA2B;YAC3B,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;IAEO,UAAU;QAChB,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,OAAO;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,CAAC;YAAC,MAAM,CAAC;gBACP,+BAA+B;YACjC,CAAC;QACH,CAAC;IACH,CAAC;;AA7PH,8BA8PC"}

package/dist/index.d.ts

@@ -0,0 +1,53 @@
+/**
+ * @aria/wireguard — WireGuard native addon for ARIA secure networking.
+ *
+ * Wraps Cloudflare's boringtun (BSD-3) via napi-rs for userspace
+ * encrypted tunnels. Three hot-path functions: encrypt, decrypt, tick.
+ *
+ * @packageDocumentation
+ */
+export interface WireGuardResult {
+    /** "done" | "write_to_network" | "write_to_tunnel" | "error" */
+    op: string;
+    /** Output data (if any) */
+    data?: Buffer;
+}
+export interface KeyPair {
+    publicKey: string;
+    privateKey: string;
+}
+export interface WireGuardTunnelOptions {
+    /** Base64-encoded X25519 private key */
+    privateKey: string;
+    /** Base64-encoded X25519 peer public key */
+    peerPublicKey: string;
+    /** Optional base64-encoded preshared key */
+    presharedKey?: string;
+    /** Persistent keepalive interval in seconds (0 = disabled) */
+    keepalive?: number;
+    /** Tunnel index for session disambiguation (random if not provided) */
+    index?: number;
+}
+/** Validate that the native addon can be loaded in the current runtime. */
+export declare function assertNativeAddonAvailable(): void;
+/** Create a new WireGuard tunnel */
+export declare function createTunnel(options: WireGuardTunnelOptions): {
+    encrypt(src: Buffer): WireGuardResult;
+    decrypt(src: Buffer, srcAddr?: string | undefined | null): WireGuardResult;
+    tick(): WireGuardResult;
+};
+/** Generate a new X25519 keypair for WireGuard */
+export declare function generateKeypair(): KeyPair;
+export { SecureTunnel } from "./tunnel.js";
+export type { SecureTunnelOptions, TunnelStats } from "./tunnel.js";
+export { ResilientTunnel } from "./resilient-tunnel.js";
+export type { TunnelState, ResilientTunnelStats } from "./resilient-tunnel.js";
+export { StunClient, discoverEndpoint, detectNatType } from "./nat.js";
+export type { StunResult, NatType } from "./nat.js";
+export { NetworkManager, PeerRegistry, generateKeyPair, generateSigningKeypair, createInviteToken, decodeInviteToken, ensureSecureNetwork, } from "./network.js";
+export type { NetworkConfig, PeerInfo, InviteToken } from "./network.js";
+export { PeerDiscoveryService } from "./peer-discovery.js";
+export type { PeerDiscoveryOptions, DiscoveredPeer, PeerDiscoveryNetworkManager, } from "./peer-discovery.js";
+export { DerpRelay } from "./derp-relay.js";
+export type { DerpRelayOptions, DerpRelayState } from "./derp-relay.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,MAAM,WAAW,eAAe;IAC9B,gEAAgE;IAChE,EAAE,EAAE,MAAM,CAAC;IACX,2BAA2B;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,OAAO;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,wCAAwC;IACxC,UAAU,EAAE,MAAM,CAAC;IACnB,4CAA4C;IAC5C,aAAa,EAAE,MAAM,CAAC;IACtB,4CAA4C;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uEAAuE;IACvE,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAkCD,2EAA2E;AAC3E,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD;AAED,oCAAoC;AACpC,wBAAgB,YAAY,CAAC,OAAO,EAAE,sBAAsB;iBA7B3C,MAAM,GAAG,eAAe;iBACxB,MAAM,YAAY,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,eAAe;YAClE,eAAe;EAoC1B;AAED,kDAAkD;AAClD,wBAAgB,eAAe,IAAI,OAAO,CAGzC;AAED,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,YAAY,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC/E,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACvE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AACpD,OAAO,EACL,cAAc,EACd,YAAY,EACZ,eAAe,EACf,sBAAsB,EACtB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,YAAY,EACV,oBAAoB,EACpB,cAAc,EACd,2BAA2B,GAC5B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -0,0 +1,100 @@
+"use strict";
+/**
+ * @aria/wireguard — WireGuard native addon for ARIA secure networking.
+ *
+ * Wraps Cloudflare's boringtun (BSD-3) via napi-rs for userspace
+ * encrypted tunnels. Three hot-path functions: encrypt, decrypt, tick.
+ *
+ * @packageDocumentation
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DerpRelay = exports.PeerDiscoveryService = exports.ensureSecureNetwork = exports.decodeInviteToken = exports.createInviteToken = exports.generateSigningKeypair = exports.generateKeyPair = exports.PeerRegistry = exports.NetworkManager = exports.detectNatType = exports.discoverEndpoint = exports.StunClient = exports.ResilientTunnel = exports.SecureTunnel = void 0;
+exports.assertNativeAddonAvailable = assertNativeAddonAvailable;
+exports.createTunnel = createTunnel;
+exports.generateKeypair = generateKeypair;
+const path = __importStar(require("node:path"));
+/** Lazy-loaded native addon */
+let _native = null;
+function loadNative() {
+    if (_native)
+        return _native;
+    try {
+        // The package-root napi loader resolves the platform-specific native addon.
+        // The dist/ runtime must not depend on a copied dist/wireguard.node shim.
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        _native = require("../index.js");
+        return _native;
+    }
+    catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        throw new Error(`@aria/wireguard: Failed to load native addon via ${path.join(__dirname, "../index.js")} (${process.platform}-${process.arch}). ${reason}`);
+    }
+}
+/** Validate that the native addon can be loaded in the current runtime. */
+function assertNativeAddonAvailable() {
+    loadNative();
+}
+/** Create a new WireGuard tunnel */
+function createTunnel(options) {
+    const native = loadNative();
+    return new native.WireGuardTunnel(options.privateKey, options.peerPublicKey, options.presharedKey ?? null, options.keepalive ?? 0, options.index ?? null);
+}
+/** Generate a new X25519 keypair for WireGuard */
+function generateKeypair() {
+    const native = loadNative();
+    return native.generateKeypair();
+}
+var tunnel_js_1 = require("./tunnel.js");
+Object.defineProperty(exports, "SecureTunnel", { enumerable: true, get: function () { return tunnel_js_1.SecureTunnel; } });
+var resilient_tunnel_js_1 = require("./resilient-tunnel.js");
+Object.defineProperty(exports, "ResilientTunnel", { enumerable: true, get: function () { return resilient_tunnel_js_1.ResilientTunnel; } });
+var nat_js_1 = require("./nat.js");
+Object.defineProperty(exports, "StunClient", { enumerable: true, get: function () { return nat_js_1.StunClient; } });
+Object.defineProperty(exports, "discoverEndpoint", { enumerable: true, get: function () { return nat_js_1.discoverEndpoint; } });
+Object.defineProperty(exports, "detectNatType", { enumerable: true, get: function () { return nat_js_1.detectNatType; } });
+var network_js_1 = require("./network.js");
+Object.defineProperty(exports, "NetworkManager", { enumerable: true, get: function () { return network_js_1.NetworkManager; } });
+Object.defineProperty(exports, "PeerRegistry", { enumerable: true, get: function () { return network_js_1.PeerRegistry; } });
+Object.defineProperty(exports, "generateKeyPair", { enumerable: true, get: function () { return network_js_1.generateKeyPair; } });
+Object.defineProperty(exports, "generateSigningKeypair", { enumerable: true, get: function () { return network_js_1.generateSigningKeypair; } });
+Object.defineProperty(exports, "createInviteToken", { enumerable: true, get: function () { return network_js_1.createInviteToken; } });
+Object.defineProperty(exports, "decodeInviteToken", { enumerable: true, get: function () { return network_js_1.decodeInviteToken; } });
+Object.defineProperty(exports, "ensureSecureNetwork", { enumerable: true, get: function () { return network_js_1.ensureSecureNetwork; } });
+var peer_discovery_js_1 = require("./peer-discovery.js");
+Object.defineProperty(exports, "PeerDiscoveryService", { enumerable: true, get: function () { return peer_discovery_js_1.PeerDiscoveryService; } });
+var derp_relay_js_1 = require("./derp-relay.js");
+Object.defineProperty(exports, "DerpRelay", { enumerable: true, get: function () { return derp_relay_js_1.DerpRelay; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+DH,gEAEC;AAGD,oCASC;AAGD,0CAGC;AAjFD,gDAAkC;AA4BlC,+BAA+B;AAC/B,IAAI,OAAO,GAaA,IAAI,CAAC;AAEhB,SAAS,UAAU;IACjB,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,IAAI,CAAC;QACH,4EAA4E;QAC5E,0EAA0E;QAC1E,iEAAiE;QACjE,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;QACjC,OAAO,OAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,IAAI,KAAK,CACb,oDAAoD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,KAAK,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,MAAM,MAAM,EAAE,CAC3I,CAAC;IACJ,CAAC;AACH,CAAC;AAED,2EAA2E;AAC3E,SAAgB,0BAA0B;IACxC,UAAU,EAAE,CAAC;AACf,CAAC;AAED,oCAAoC;AACpC,SAAgB,YAAY,CAAC,OAA+B;IAC1D,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,OAAO,IAAI,MAAM,CAAC,eAAe,CAC/B,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,aAAa,EACrB,OAAO,CAAC,YAAY,IAAI,IAAI,EAC5B,OAAO,CAAC,SAAS,IAAI,CAAC,EACtB,OAAO,CAAC,KAAK,IAAI,IAAI,CACtB,CAAC;AACJ,CAAC;AAED,kDAAkD;AAClD,SAAgB,eAAe;IAC7B,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,OAAO,MAAM,CAAC,eAAe,EAAE,CAAC;AAClC,CAAC;AAED,yCAA2C;AAAlC,yGAAA,YAAY,OAAA;AAErB,6DAAwD;AAA/C,sHAAA,eAAe,OAAA;AAExB,mCAAuE;AAA9D,oGAAA,UAAU,OAAA;AAAE,0GAAA,gBAAgB,OAAA;AAAE,uGAAA,aAAa,OAAA;AAEpD,2CAQsB;AAPpB,4GAAA,cAAc,OAAA;AACd,0GAAA,YAAY,OAAA;AACZ,6GAAA,eAAe,OAAA;AACf,oHAAA,sBAAsB,OAAA;AACtB,+GAAA,iBAAiB,OAAA;AACjB,+GAAA,iBAAiB,OAAA;AACjB,iHAAA,mBAAmB,OAAA;AAGrB,yDAA2D;AAAlD,yHAAA,oBAAoB,OAAA;AAM7B,iDAA4C;AAAnC,0GAAA,SAAS,OAAA"}

package/dist/nat.d.ts

@@ -0,0 +1,84 @@
+/**
+ * STUN client + NAT traversal for ARIA secure networking.
+ *
+ * Discovers external IP:port via STUN (RFC 5389), enabling WireGuard
+ * peers to find each other through NAT. Falls back to a UDP relay
+ * when symmetric NAT prevents direct connectivity.
+ *
+ * No external dependencies — implements STUN binding request/response
+ * directly using node:dgram.
+ */
+import * as dgram from "node:dgram";
+/** Result of STUN endpoint discovery */
+export interface StunResult {
+    /** External (public) IP address */
+    address: string;
+    /** External (public) port */
+    port: number;
+    /** STUN server used for discovery */
+    server: string;
+}
+/**
+ * Discover our external endpoint by sending a STUN Binding Request.
+ *
+ * Tries multiple STUN servers in parallel, returns the first successful response.
+ * Timeout: 3 seconds per server, 5 second total.
+ */
+/**
+ * Discover external endpoint via STUN.
+ *
+ * @param server STUN server hostname:port (or undefined to try defaults)
+ * @param timeoutMs Timeout in milliseconds
+ * @param existingSocket Optional: use this socket for STUN instead of creating
+ *   ephemeral ones. This is critical for the shared-socket WG model — STUN must
+ *   discover the NAT mapping of the ACTUAL listening socket, not a throwaway one.
+ *   When provided, the socket is NOT closed after discovery.
+ */
+export declare function discoverEndpoint(server?: string, timeoutMs?: number, existingSocket?: dgram.Socket): Promise<StunResult>;
+/**
+ * NAT type classification.
+ *
+ * Detected by comparing mapped ports from two different STUN servers:
+ * - Same port from both servers → Full Cone or Restricted Cone (direct tunnel works)
+ * - Different port from each server → Symmetric NAT (needs relay)
+ */
+export type NatType = "full_cone" | "restricted" | "symmetric" | "unknown";
+/**
+ * Detect NAT type by querying two STUN servers and comparing mapped ports.
+ *
+ * Symmetric NAT allocates a new external port for each destination,
+ * so mapped ports will differ across STUN servers. Cone NATs reuse
+ * the same external port, so mapped ports will match.
+ *
+ * Returns "unknown" if fewer than 2 STUN servers respond.
+ */
+export declare function detectNatType(servers?: string[], timeoutMs?: number): Promise<{
+    natType: NatType;
+    results: StunResult[];
+}>;
+/**
+ * STUN client for periodic endpoint discovery.
+ *
+ * Use for ongoing NAT traversal — discovers and tracks endpoint changes.
+ */
+export declare class StunClient {
+    private servers;
+    private pollIntervalMs;
+    private interval;
+    private lastResult;
+    private _natType;
+    /** Number of consecutive discovery failures (reset to 0 on success) */
+    consecutiveFailures: number;
+    constructor(servers?: string[], pollIntervalMs?: number);
+    /** Get the detected NAT type (null if not yet detected) */
+    getNatType(): NatType | null;
+    /** Get the last discovered endpoint */
+    getEndpoint(): StunResult | null;
+    /** Discover endpoint once — uses first configured server (or defaults) */
+    discover(): Promise<StunResult>;
+    /** Start periodic endpoint discovery. Detects NAT type on first call. */
+    start(onUpdate?: (result: StunResult) => void): void;
+    /** Stop periodic discovery */
+    stop(): void;
+}
+//# sourceMappingURL=nat.d.ts.map

package/dist/nat.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nat.d.ts","sourceRoot":"","sources":["../nat.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AAIpC,wCAAwC;AACxC,MAAM,WAAW,UAAU;IACzB,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,6BAA6B;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAC;CAChB;AA6ID;;;;;GAKG;AACH;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,CAAC,EAAE,MAAM,EACf,SAAS,SAAO,EAChB,cAAc,CAAC,EAAE,KAAK,CAAC,MAAM,GAC5B,OAAO,CAAC,UAAU,CAAC,CA2ErB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,OAAO,GAAG,WAAW,GAAG,YAAY,GAAG,WAAW,GAAG,SAAS,CAAC;AAE3E;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CACjC,OAAO,GAAE,MAAM,EAAyB,EACxC,SAAS,SAAO,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,UAAU,EAAE,CAAA;CAAE,CAAC,CA8BtD;AAED;;;;GAIG;AACH,qBAAa,UAAU;IAQnB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,cAAc;IARxB,OAAO,CAAC,QAAQ,CAA+C;IAC/D,OAAO,CAAC,UAAU,CAA2B;IAC7C,OAAO,CAAC,QAAQ,CAAwB;IACxC,uEAAuE;IACvE,mBAAmB,SAAK;gBAGd,OAAO,GAAE,MAAM,EAAyB,EACxC,cAAc,SAAS;IAGjC,2DAA2D;IAC3D,UAAU,IAAI,OAAO,GAAG,IAAI;IAI5B,uCAAuC;IACvC,WAAW,IAAI,UAAU,GAAG,IAAI;IAIhC,0EAA0E;IACpE,QAAQ,IAAI,OAAO,CAAC,UAAU,CAAC;IAMrC,yEAAyE;IACzE,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,UAAU,KAAK,IAAI,GAAG,IAAI;IA4DpD,8BAA8B;IAC9B,IAAI,IAAI,IAAI;CAMb"}