@aria-cli/wireguard 1.0.37 → 1.0.39

package/dist/bootstrap-authority.d.ts

@@ -0,0 +1,2 @@
+export declare function loadStoredBootstrapCaCert(ariaDir: string): string | undefined;
+//# sourceMappingURL=bootstrap-authority.d.ts.map

package/dist/bootstrap-tls.d.ts

@@ -0,0 +1,14 @@
+export interface BootstrapTlsRequestOptions {
+    method?: string;
+    body?: string;
+    headers?: Record<string, string>;
+    timeoutMs?: number;
+    caCert: string;
+    expectedTlsIdentity: string;
+}
+export interface BootstrapTlsResponse {
+    status: number;
+    body: string;
+}
+export declare function bootstrapTlsRequest(url: string, options: BootstrapTlsRequestOptions): Promise<BootstrapTlsResponse>;
+//# sourceMappingURL=bootstrap-tls.d.ts.map

package/dist/db-owner-fencing.d.ts

@@ -0,0 +1,10 @@
+import type Database from "better-sqlite3";
+export declare class StaleOwnerError extends Error {
+    readonly kind: "StaleOwnerError";
+    readonly claimedGeneration: number;
+    readonly currentGeneration: number;
+    constructor(claimed: number, current: number);
+}
+export declare function ensureOwnerEpochTable(db: Database.Database): void;
+export declare function claimDbOwnerEpoch(db: Database.Database, generation: number): void;
+//# sourceMappingURL=db-owner-fencing.d.ts.map

package/dist/derp-relay.d.ts

@@ -0,0 +1,75 @@
+/**
+ * DerpRelay — DERP relay client for NAT traversal.
+ *
+ * When both peers are behind symmetric NAT, direct WireGuard tunnels fail.
+ * DerpRelay connects to a relay server via WebSocket and forwards encrypted
+ * WireGuard packets through it. The relay CANNOT read the content (WireGuard
+ * encryption is end-to-end).
+ *
+ * Implements the same { send(data: Buffer): void } interface as tunnel transports,
+ * so it plugs into Mailbox.registerTunnel() transparently.
+ *
+ * Authentication: Ed25519 signature challenge on connect to prevent impersonation.
+ * Auto-reconnect: Exponential backoff, matching ResilientTunnel's pattern.
+ */
+import { EventEmitter } from "node:events";
+import { type NodeId } from "@aria-cli/tools";
+export interface DerpRelayOptions {
+    /** Relay server URL (e.g., wss://relay.example.com/api/v1/relay) */
+    relayUrl: string;
+    /** Our durable node identity for relay auth */
+    nodeId: NodeId;
+    /** Optional display snapshot for local logs/debug output */
+    displayNameSnapshot?: string;
+    /** Ed25519 private key (base64 PKCS#8 DER) for authentication */
+    signingPrivateKey: string;
+    /** Ed25519 public key (base64 SPKI DER) for identification */
+    signingPublicKey: string;
+    /** Target node identity to communicate with */
+    targetNodeId: NodeId;
+    /** AbortSignal for clean shutdown */
+    signal?: AbortSignal;
+}
+export type DerpRelayState = "disconnected" | "connecting" | "authenticating" | "connected" | "dead";
+/**
+ * DERP relay client.
+ *
+ * Emits: "plaintext" (data: Buffer, fromNodeId: NodeId, displayNameSnapshot?: string), "connected", "disconnected",
+ *        "dead", "error" (Error), "stateChange" (newState, prevState)
+ */
+export declare class DerpRelay extends EventEmitter {
+    private ws;
+    private _state;
+    private reconnectAttempts;
+    private reconnectTimer;
+    private stopped;
+    private closing;
+    private readonly relayUrl;
+    private readonly nodeId;
+    private readonly displayNameSnapshot?;
+    private readonly signingPrivateKey;
+    private readonly signingPublicKey;
+    private readonly targetNodeId;
+    private readonly signal?;
+    /** Queued messages while not connected */
+    private queue;
+    private static readonly MAX_QUEUE;
+    constructor(options: DerpRelayOptions);
+    /** Connect to the relay server */
+    connect(): Promise<void>;
+    /** Send data through the relay to the target peer */
+    send(data: Buffer): void;
+    /** Disconnect from the relay server */
+    disconnect(): void;
+    /** Get current relay state */
+    getState(): DerpRelayState;
+    /** Whether the relay is actively connected */
+    get isConnected(): boolean;
+    private setState;
+    private signChallenge;
+    private attemptReconnect;
+    private clearReconnectTimer;
+    private enqueue;
+    private flushQueue;
+}
+//# sourceMappingURL=derp-relay.d.ts.map

package/dist/index.d.ts

@@ -0,0 +1,53 @@
+/**
+ * @aria/wireguard — WireGuard native addon for ARIA secure networking.
+ *
+ * Wraps Cloudflare's boringtun (BSD-3) via napi-rs for userspace
+ * encrypted tunnels. Three hot-path functions: encrypt, decrypt, tick.
+ *
+ * @packageDocumentation
+ */
+export interface WireGuardResult {
+    /** "done" | "write_to_network" | "write_to_tunnel" | "error" */
+    op: string;
+    /** Output data (if any) */
+    data?: Buffer;
+}
+export interface KeyPair {
+    publicKey: string;
+    privateKey: string;
+}
+export interface WireGuardTunnelOptions {
+    /** Base64-encoded X25519 private key */
+    privateKey: string;
+    /** Base64-encoded X25519 peer public key */
+    peerPublicKey: string;
+    /** Optional base64-encoded preshared key */
+    presharedKey?: string;
+    /** Persistent keepalive interval in seconds (0 = disabled) */
+    keepalive?: number;
+    /** Tunnel index for session disambiguation (random if not provided) */
+    index?: number;
+}
+/** Validate that the native addon can be loaded in the current runtime. */
+export declare function assertNativeAddonAvailable(): void;
+/** Create a new WireGuard tunnel */
+export declare function createTunnel(options: WireGuardTunnelOptions): {
+    encrypt(src: Buffer): WireGuardResult;
+    decrypt(src: Buffer, srcAddr?: string | undefined | null): WireGuardResult;
+    tick(): WireGuardResult;
+};
+/** Generate a new X25519 keypair for WireGuard */
+export declare function generateKeypair(): KeyPair;
+export { SecureTunnel } from "./tunnel.js";
+export type { SecureTunnelOptions, TunnelStats } from "./tunnel.js";
+export { ResilientTunnel } from "./resilient-tunnel.js";
+export type { TunnelState, ResilientTunnelStats } from "./resilient-tunnel.js";
+export { StunClient, discoverEndpoint, detectNatType } from "./nat.js";
+export type { StunResult, NatType } from "./nat.js";
+export { NetworkManager, PeerRegistry, generateKeyPair, generateSigningKeypair, createInviteToken, decodeInviteToken, ensureSecureNetwork, } from "./network.js";
+export type { NetworkConfig, PeerInfo, InviteToken } from "./network.js";
+export { PeerDiscoveryService } from "./peer-discovery.js";
+export type { PeerDiscoveryOptions, DiscoveredPeer, PeerDiscoveryNetworkManager, } from "./peer-discovery.js";
+export { DerpRelay } from "./derp-relay.js";
+export type { DerpRelayOptions, DerpRelayState } from "./derp-relay.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/nat.d.ts

@@ -0,0 +1,84 @@
+/**
+ * STUN client + NAT traversal for ARIA secure networking.
+ *
+ * Discovers external IP:port via STUN (RFC 5389), enabling WireGuard
+ * peers to find each other through NAT. Falls back to a UDP relay
+ * when symmetric NAT prevents direct connectivity.
+ *
+ * No external dependencies — implements STUN binding request/response
+ * directly using node:dgram.
+ */
+import * as dgram from "node:dgram";
+/** Result of STUN endpoint discovery */
+export interface StunResult {
+    /** External (public) IP address */
+    address: string;
+    /** External (public) port */
+    port: number;
+    /** STUN server used for discovery */
+    server: string;
+}
+/**
+ * Discover our external endpoint by sending a STUN Binding Request.
+ *
+ * Tries multiple STUN servers in parallel, returns the first successful response.
+ * Timeout: 3 seconds per server, 5 second total.
+ */
+/**
+ * Discover external endpoint via STUN.
+ *
+ * @param server STUN server hostname:port (or undefined to try defaults)
+ * @param timeoutMs Timeout in milliseconds
+ * @param existingSocket Optional: use this socket for STUN instead of creating
+ *   ephemeral ones. This is critical for the shared-socket WG model — STUN must
+ *   discover the NAT mapping of the ACTUAL listening socket, not a throwaway one.
+ *   When provided, the socket is NOT closed after discovery.
+ */
+export declare function discoverEndpoint(server?: string, timeoutMs?: number, existingSocket?: dgram.Socket): Promise<StunResult>;
+/**
+ * NAT type classification.
+ *
+ * Detected by comparing mapped ports from two different STUN servers:
+ * - Same port from both servers → Full Cone or Restricted Cone (direct tunnel works)
+ * - Different port from each server → Symmetric NAT (needs relay)
+ */
+export type NatType = "full_cone" | "restricted" | "symmetric" | "unknown";
+/**
+ * Detect NAT type by querying two STUN servers and comparing mapped ports.
+ *
+ * Symmetric NAT allocates a new external port for each destination,
+ * so mapped ports will differ across STUN servers. Cone NATs reuse
+ * the same external port, so mapped ports will match.
+ *
+ * Returns "unknown" if fewer than 2 STUN servers respond.
+ */
+export declare function detectNatType(servers?: string[], timeoutMs?: number): Promise<{
+    natType: NatType;
+    results: StunResult[];
+}>;
+/**
+ * STUN client for periodic endpoint discovery.
+ *
+ * Use for ongoing NAT traversal — discovers and tracks endpoint changes.
+ */
+export declare class StunClient {
+    private servers;
+    private pollIntervalMs;
+    private interval;
+    private lastResult;
+    private _natType;
+    /** Number of consecutive discovery failures (reset to 0 on success) */
+    consecutiveFailures: number;
+    constructor(servers?: string[], pollIntervalMs?: number);
+    /** Get the detected NAT type (null if not yet detected) */
+    getNatType(): NatType | null;
+    /** Get the last discovered endpoint */
+    getEndpoint(): StunResult | null;
+    /** Discover endpoint once — uses first configured server (or defaults) */
+    discover(): Promise<StunResult>;
+    /** Start periodic endpoint discovery. Detects NAT type on first call. */
+    start(onUpdate?: (result: StunResult) => void): void;
+    /** Stop periodic discovery */
+    stop(): void;
+}
+//# sourceMappingURL=nat.d.ts.map

package/dist/network-state-store.d.ts

@@ -0,0 +1,46 @@
+/**
+ * NetworkStateStore — canonical, machine-scoped persistence for network control-plane state.
+ *
+ * All network-adjacent durable state (peers, signing keys, revocations, nonces, trust)
+ * lives in ONE canonical store at ARIA_HOME/network/state.db, independent of any
+ * arion-specific Memoria DB. This eliminates the split-brain where peer state could
+ * drift across multiple DB paths.
+ *
+ * PeerRegistry, RevocationStore, and other network stores all use the Database
+ * returned by getDatabase().
+ */
+import type Database from "better-sqlite3";
+export interface NetworkStateStoreOptions {
+    /** Base ARIA home directory (e.g., ~/.aria) */
+    ariaHome: string;
+    /** Override DB path (for testing) */
+    dbPath?: string;
+}
+export declare class NetworkStateStore {
+    private readonly options;
+    private db;
+    private readonly dbPath;
+    constructor(options: NetworkStateStoreOptions);
+    /** Canonical path to the network state DB */
+    get path(): string;
+    /** Whether the store has been opened */
+    get isOpen(): boolean;
+    /** Open the database, creating schema if needed */
+    open(): Database.Database;
+    private reconcilePeerTableSchema;
+    /** Get the underlying Database handle (opens if needed) */
+    getDatabase(): Database.Database;
+    /**
+     * Claim the owner epoch for this runtime on the shared network state DB.
+     * Must be called after open() and before any durable writes.
+     * Throws StaleOwnerError if a newer generation already owns the DB.
+     */
+    claimOwnerEpoch(generation: number): void;
+    /** Close the database */
+    close(): void;
+}
+/**
+ * Resolve the canonical network state DB path for a given ARIA home.
+ */
+export declare function canonicalNetworkStatePath(ariaHome: string): string;
+//# sourceMappingURL=network-state-store.d.ts.map