@aria-cli/wireguard 1.0.36 → 1.0.38

package/dist/db-owner-fencing.js

@@ -1,44 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.StaleOwnerError = void 0;
-exports.ensureOwnerEpochTable = ensureOwnerEpochTable;
-exports.claimDbOwnerEpoch = claimDbOwnerEpoch;
-class StaleOwnerError extends Error {
-    kind = "StaleOwnerError";
-    claimedGeneration;
-    currentGeneration;
-    constructor(claimed, current) {
-        super(`StaleOwnerError: runtime claims generation ${claimed} but store is at generation ${current}. ` +
-            `This runtime has been superseded and must shut down immediately.`);
-        this.name = "StaleOwnerError";
-        this.claimedGeneration = claimed;
-        this.currentGeneration = current;
-    }
-}
-exports.StaleOwnerError = StaleOwnerError;
-function ensureOwnerEpochTable(db) {
-    db.exec(`
-    CREATE TABLE IF NOT EXISTS owner_epoch (
-      scope TEXT PRIMARY KEY DEFAULT 'runtime',
-      owner_generation INTEGER NOT NULL
-    )
-  `);
-}
-function claimDbOwnerEpoch(db, generation) {
-    ensureOwnerEpochTable(db);
-    const result = db
-        .prepare(`INSERT INTO owner_epoch (scope, owner_generation) VALUES ('runtime', ?)
-       ON CONFLICT(scope) DO UPDATE SET owner_generation = excluded.owner_generation
-       WHERE excluded.owner_generation > owner_epoch.owner_generation`)
-        .run(generation);
-    if (result.changes === 0) {
-        const row = db
-            .prepare("SELECT owner_generation FROM owner_epoch WHERE scope = 'runtime'")
-            .get();
-        const current = row?.owner_generation ?? 0;
-        if (current > generation) {
-            throw new StaleOwnerError(generation, current);
-        }
-    }
-}
-//# sourceMappingURL=db-owner-fencing.js.map

package/dist/derp-relay.js

@@ -1,311 +0,0 @@
-"use strict";
-/**
- * DerpRelay — DERP relay client for NAT traversal.
- *
- * When both peers are behind symmetric NAT, direct WireGuard tunnels fail.
- * DerpRelay connects to a relay server via WebSocket and forwards encrypted
- * WireGuard packets through it. The relay CANNOT read the content (WireGuard
- * encryption is end-to-end).
- *
- * Implements the same { send(data: Buffer): void } interface as tunnel transports,
- * so it plugs into Mailbox.registerTunnel() transparently.
- *
- * Authentication: Ed25519 signature challenge on connect to prevent impersonation.
- * Auto-reconnect: Exponential backoff, matching ResilientTunnel's pattern.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DerpRelay = void 0;
-const node_events_1 = require("node:events");
-const crypto = __importStar(require("node:crypto"));
-const ws_1 = __importDefault(require("ws"));
-const tools_1 = require("@aria-cli/tools");
-/** Max payload size matching WireGuard MTU */
-const MAX_PAYLOAD_BYTES = 65535;
-/** Max reconnection attempts before declaring dead */
-const MAX_RECONNECT_ATTEMPTS = 10;
-/** Base backoff interval */
-const BASE_BACKOFF_MS = 1_000;
-/** Max backoff interval */
-const MAX_BACKOFF_MS = 60_000;
-/**
- * DERP relay client.
- *
- * Emits: "plaintext" (data: Buffer, fromNodeId: NodeId, displayNameSnapshot?: string), "connected", "disconnected",
- *        "dead", "error" (Error), "stateChange" (newState, prevState)
- */
-class DerpRelay extends node_events_1.EventEmitter {
-    ws = null;
-    _state = "disconnected";
-    reconnectAttempts = 0;
-    reconnectTimer = null;
-    stopped = false;
-    closing = false;
-    relayUrl;
-    nodeId;
-    displayNameSnapshot;
-    signingPrivateKey;
-    signingPublicKey;
-    targetNodeId;
-    signal;
-    /** Queued messages while not connected */
-    queue = [];
-    static MAX_QUEUE = 200;
-    constructor(options) {
-        super();
-        this.relayUrl = options.relayUrl;
-        this.nodeId = options.nodeId;
-        this.displayNameSnapshot = options.displayNameSnapshot;
-        this.signingPrivateKey = options.signingPrivateKey;
-        this.signingPublicKey = options.signingPublicKey;
-        this.targetNodeId = options.targetNodeId;
-        this.signal = options.signal;
-        if (this.signal) {
-            this.signal.addEventListener("abort", () => this.disconnect(), { once: true });
-        }
-    }
-    /** Connect to the relay server */
-    async connect() {
-        if (this.stopped || this._state === "connected" || this._state === "connecting")
-            return;
-        this.closing = false;
-        this.setState("connecting");
-        return new Promise((resolve, reject) => {
-            try {
-                const ws = new ws_1.default(this.relayUrl);
-                this.ws = ws;
-                const timeout = setTimeout(() => {
-                    ws.close();
-                    reject(new Error("Relay connection timeout"));
-                }, 15_000);
-                ws.on("open", () => {
-                    clearTimeout(timeout);
-                    if (this.closing) {
-                        ws.close();
-                        reject(new Error("Relay connection aborted: disconnect() called during connect"));
-                        return;
-                    }
-                    this.setState("authenticating");
-                    // Send auth message with our identity
-                    ws.send(JSON.stringify({
-                        type: "auth",
-                        nodeId: this.nodeId,
-                        signingPublicKey: this.signingPublicKey,
-                    }));
-                });
-                ws.on("message", (rawData) => {
-                    try {
-                        const data = typeof rawData === "string" ? rawData : rawData.toString();
-                        const msg = JSON.parse(data);
-                        if (msg.type === "challenge" && this._state === "authenticating") {
-                            // Sign the challenge to prove identity
-                            const signature = this.signChallenge(msg.nonce);
-                            ws.send(JSON.stringify({ type: "challenge_response", signature }));
-                        }
-                        else if (msg.type === "auth_ok") {
-                            if (this.closing) {
-                                ws.close();
-                                reject(new Error("Relay connection aborted: disconnect() called during auth"));
-                                return;
-                            }
-                            this.setState("connected");
-                            this.reconnectAttempts = 0;
-                            this.flushQueue();
-                            this.emit("connected");
-                            resolve();
-                        }
-                        else if (msg.type === "auth_error") {
-                            ws.close();
-                            reject(new Error(`Relay auth failed: ${msg.error}`));
-                        }
-                        else if (msg.type === "relay" && this._state === "connected") {
-                            // Incoming relayed data from another peer
-                            const fromNodeId = tools_1.NodeIdSchema.parse(msg.fromNodeId);
-                            const payload = Buffer.from(msg.data, "base64");
-                            this.emit("plaintext", payload, fromNodeId, msg.displayNameSnapshot);
-                        }
-                        else if (msg.type === "peer_offline") {
-                            // Target peer is not connected to relay
-                            const peerLabel = typeof msg.displayNameSnapshot === "string" && msg.displayNameSnapshot.length > 0
-                                ? msg.displayNameSnapshot
-                                : typeof msg.nodeId === "string" && msg.nodeId.length > 0
-                                    ? msg.nodeId
-                                    : this.targetNodeId;
-                            this.emit("error", new Error(`Peer ${peerLabel} is offline on relay`));
-                        }
-                    }
-                    catch (err) {
-                        this.emit("error", err instanceof Error ? err : new Error(String(err)));
-                    }
-                });
-                ws.on("close", () => {
-                    clearTimeout(timeout);
-                    const wasConnecting = this._state === "connecting" || this._state === "authenticating";
-                    this.setState("disconnected");
-                    if (this.stopped || this.closing) {
-                        // Reject the pending connect promise so callers don't hang
-                        if (wasConnecting) {
-                            reject(new Error("Relay connection closed during setup"));
-                        }
-                    }
-                    else {
-                        this.emit("disconnected");
-                        this.attemptReconnect();
-                    }
-                });
-                ws.on("error", (err) => {
-                    clearTimeout(timeout);
-                    this.emit("error", err);
-                    if (this._state === "connecting" || this._state === "authenticating") {
-                        reject(err);
-                    }
-                });
-            }
-            catch (err) {
-                this.setState("disconnected");
-                reject(err);
-            }
-        });
-    }
-    /** Send data through the relay to the target peer */
-    send(data) {
-        if (this.stopped)
-            throw new Error("Relay is stopped");
-        if (data.length > MAX_PAYLOAD_BYTES) {
-            throw new Error(`Payload exceeds max size (${data.length} > ${MAX_PAYLOAD_BYTES})`);
-        }
-        if (this._state !== "connected" || !this.ws) {
-            this.enqueue(data);
-            return;
-        }
-        this.ws.send(JSON.stringify({
-            type: "relay",
-            toNodeId: this.targetNodeId,
-            data: data.toString("base64"),
-        }));
-    }
-    /** Disconnect from the relay server */
-    disconnect() {
-        this.closing = true;
-        this.stopped = true;
-        this.clearReconnectTimer();
-        if (this.ws) {
-            try {
-                this.ws.close();
-            }
-            catch {
-                // ignore close errors
-            }
-            this.ws = null;
-        }
-        this.queue = [];
-        this.setState("disconnected");
-    }
-    /** Get current relay state */
-    getState() {
-        return this._state;
-    }
-    /** Whether the relay is actively connected */
-    get isConnected() {
-        return this._state === "connected";
-    }
-    // ── Internal ─────────────────────────────────────────────────────
-    setState(newState) {
-        const prev = this._state;
-        if (prev === newState)
-            return;
-        this._state = newState;
-        this.emit("stateChange", newState, prev);
-    }
-    signChallenge(nonce) {
-        const keyDer = Buffer.from(this.signingPrivateKey, "base64");
-        const privateKey = crypto.createPrivateKey({
-            key: keyDer,
-            format: "der",
-            type: "pkcs8",
-        });
-        const signature = crypto.sign(null, Buffer.from(nonce), privateKey);
-        return signature.toString("base64");
-    }
-    attemptReconnect() {
-        if (this.stopped)
-            return;
-        if (this.reconnectAttempts >= MAX_RECONNECT_ATTEMPTS) {
-            this.setState("dead");
-            this.emit("dead");
-            return;
-        }
-        const backoff = Math.min(BASE_BACKOFF_MS * Math.pow(2, this.reconnectAttempts), MAX_BACKOFF_MS);
-        this.reconnectAttempts++;
-        this.reconnectTimer = setTimeout(() => {
-            if (this.stopped)
-                return;
-            void this.connect().catch((err) => {
-                this.emit("error", err instanceof Error ? err : new Error(String(err)));
-            });
-        }, backoff);
-    }
-    clearReconnectTimer() {
-        if (this.reconnectTimer) {
-            clearTimeout(this.reconnectTimer);
-            this.reconnectTimer = null;
-        }
-    }
-    enqueue(data) {
-        if (this.queue.length >= DerpRelay.MAX_QUEUE) {
-            // Drop oldest to make room
-            this.queue.shift();
-        }
-        this.queue.push(data);
-    }
-    flushQueue() {
-        if (this._state !== "connected" || !this.ws)
-            return;
-        const pending = this.queue.splice(0);
-        for (const data of pending) {
-            try {
-                this.send(data);
-            }
-            catch {
-                // Drop on failure during flush
-            }
-        }
-    }
-}
-exports.DerpRelay = DerpRelay;
-//# sourceMappingURL=derp-relay.js.map

package/dist/index.js

@@ -1,100 +0,0 @@
-"use strict";
-/**
- * @aria/wireguard — WireGuard native addon for ARIA secure networking.
- *
- * Wraps Cloudflare's boringtun (BSD-3) via napi-rs for userspace
- * encrypted tunnels. Three hot-path functions: encrypt, decrypt, tick.
- *
- * @packageDocumentation
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DerpRelay = exports.PeerDiscoveryService = exports.ensureSecureNetwork = exports.decodeInviteToken = exports.createInviteToken = exports.generateSigningKeypair = exports.generateKeyPair = exports.PeerRegistry = exports.NetworkManager = exports.detectNatType = exports.discoverEndpoint = exports.StunClient = exports.ResilientTunnel = exports.SecureTunnel = void 0;
-exports.assertNativeAddonAvailable = assertNativeAddonAvailable;
-exports.createTunnel = createTunnel;
-exports.generateKeypair = generateKeypair;
-const path = __importStar(require("node:path"));
-/** Lazy-loaded native addon */
-let _native = null;
-function loadNative() {
-    if (_native)
-        return _native;
-    try {
-        // The package-root napi loader resolves the platform-specific native addon.
-        // The dist/ runtime must not depend on a copied dist/wireguard.node shim.
-        // eslint-disable-next-line @typescript-eslint/no-require-imports
-        _native = require("../index.js");
-        return _native;
-    }
-    catch (err) {
-        const reason = err instanceof Error ? err.message : String(err);
-        throw new Error(`@aria/wireguard: Failed to load native addon via ${path.join(__dirname, "../index.js")} (${process.platform}-${process.arch}). ${reason}`);
-    }
-}
-/** Validate that the native addon can be loaded in the current runtime. */
-function assertNativeAddonAvailable() {
-    loadNative();
-}
-/** Create a new WireGuard tunnel */
-function createTunnel(options) {
-    const native = loadNative();
-    return new native.WireGuardTunnel(options.privateKey, options.peerPublicKey, options.presharedKey ?? null, options.keepalive ?? 0, options.index ?? null);
-}
-/** Generate a new X25519 keypair for WireGuard */
-function generateKeypair() {
-    const native = loadNative();
-    return native.generateKeypair();
-}
-var tunnel_js_1 = require("./tunnel.js");
-Object.defineProperty(exports, "SecureTunnel", { enumerable: true, get: function () { return tunnel_js_1.SecureTunnel; } });
-var resilient_tunnel_js_1 = require("./resilient-tunnel.js");
-Object.defineProperty(exports, "ResilientTunnel", { enumerable: true, get: function () { return resilient_tunnel_js_1.ResilientTunnel; } });
-var nat_js_1 = require("./nat.js");
-Object.defineProperty(exports, "StunClient", { enumerable: true, get: function () { return nat_js_1.StunClient; } });
-Object.defineProperty(exports, "discoverEndpoint", { enumerable: true, get: function () { return nat_js_1.discoverEndpoint; } });
-Object.defineProperty(exports, "detectNatType", { enumerable: true, get: function () { return nat_js_1.detectNatType; } });
-var network_js_1 = require("./network.js");
-Object.defineProperty(exports, "NetworkManager", { enumerable: true, get: function () { return network_js_1.NetworkManager; } });
-Object.defineProperty(exports, "PeerRegistry", { enumerable: true, get: function () { return network_js_1.PeerRegistry; } });
-Object.defineProperty(exports, "generateKeyPair", { enumerable: true, get: function () { return network_js_1.generateKeyPair; } });
-Object.defineProperty(exports, "generateSigningKeypair", { enumerable: true, get: function () { return network_js_1.generateSigningKeypair; } });
-Object.defineProperty(exports, "createInviteToken", { enumerable: true, get: function () { return network_js_1.createInviteToken; } });
-Object.defineProperty(exports, "decodeInviteToken", { enumerable: true, get: function () { return network_js_1.decodeInviteToken; } });
-Object.defineProperty(exports, "ensureSecureNetwork", { enumerable: true, get: function () { return network_js_1.ensureSecureNetwork; } });
-var peer_discovery_js_1 = require("./peer-discovery.js");
-Object.defineProperty(exports, "PeerDiscoveryService", { enumerable: true, get: function () { return peer_discovery_js_1.PeerDiscoveryService; } });
-var derp_relay_js_1 = require("./derp-relay.js");
-Object.defineProperty(exports, "DerpRelay", { enumerable: true, get: function () { return derp_relay_js_1.DerpRelay; } });
-//# sourceMappingURL=index.js.map