@aria-cli/wireguard 1.0.38 → 1.0.39

package/dist/index.js

@@ -0,0 +1,100 @@
+"use strict";
+/**
+ * @aria/wireguard — WireGuard native addon for ARIA secure networking.
+ *
+ * Wraps Cloudflare's boringtun (BSD-3) via napi-rs for userspace
+ * encrypted tunnels. Three hot-path functions: encrypt, decrypt, tick.
+ *
+ * @packageDocumentation
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DerpRelay = exports.PeerDiscoveryService = exports.ensureSecureNetwork = exports.decodeInviteToken = exports.createInviteToken = exports.generateSigningKeypair = exports.generateKeyPair = exports.PeerRegistry = exports.NetworkManager = exports.detectNatType = exports.discoverEndpoint = exports.StunClient = exports.ResilientTunnel = exports.SecureTunnel = void 0;
+exports.assertNativeAddonAvailable = assertNativeAddonAvailable;
+exports.createTunnel = createTunnel;
+exports.generateKeypair = generateKeypair;
+const path = __importStar(require("node:path"));
+/** Lazy-loaded native addon */
+let _native = null;
+function loadNative() {
+    if (_native)
+        return _native;
+    try {
+        // The package-root napi loader resolves the platform-specific native addon.
+        // The dist/ runtime must not depend on a copied dist/wireguard.node shim.
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        _native = require("../index.js");
+        return _native;
+    }
+    catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        throw new Error(`@aria/wireguard: Failed to load native addon via ${path.join(__dirname, "../index.js")} (${process.platform}-${process.arch}). ${reason}`);
+    }
+}
+/** Validate that the native addon can be loaded in the current runtime. */
+function assertNativeAddonAvailable() {
+    loadNative();
+}
+/** Create a new WireGuard tunnel */
+function createTunnel(options) {
+    const native = loadNative();
+    return new native.WireGuardTunnel(options.privateKey, options.peerPublicKey, options.presharedKey ?? null, options.keepalive ?? 0, options.index ?? null);
+}
+/** Generate a new X25519 keypair for WireGuard */
+function generateKeypair() {
+    const native = loadNative();
+    return native.generateKeypair();
+}
+var tunnel_js_1 = require("./tunnel.js");
+Object.defineProperty(exports, "SecureTunnel", { enumerable: true, get: function () { return tunnel_js_1.SecureTunnel; } });
+var resilient_tunnel_js_1 = require("./resilient-tunnel.js");
+Object.defineProperty(exports, "ResilientTunnel", { enumerable: true, get: function () { return resilient_tunnel_js_1.ResilientTunnel; } });
+var nat_js_1 = require("./nat.js");
+Object.defineProperty(exports, "StunClient", { enumerable: true, get: function () { return nat_js_1.StunClient; } });
+Object.defineProperty(exports, "discoverEndpoint", { enumerable: true, get: function () { return nat_js_1.discoverEndpoint; } });
+Object.defineProperty(exports, "detectNatType", { enumerable: true, get: function () { return nat_js_1.detectNatType; } });
+var network_js_1 = require("./network.js");
+Object.defineProperty(exports, "NetworkManager", { enumerable: true, get: function () { return network_js_1.NetworkManager; } });
+Object.defineProperty(exports, "PeerRegistry", { enumerable: true, get: function () { return network_js_1.PeerRegistry; } });
+Object.defineProperty(exports, "generateKeyPair", { enumerable: true, get: function () { return network_js_1.generateKeyPair; } });
+Object.defineProperty(exports, "generateSigningKeypair", { enumerable: true, get: function () { return network_js_1.generateSigningKeypair; } });
+Object.defineProperty(exports, "createInviteToken", { enumerable: true, get: function () { return network_js_1.createInviteToken; } });
+Object.defineProperty(exports, "decodeInviteToken", { enumerable: true, get: function () { return network_js_1.decodeInviteToken; } });
+Object.defineProperty(exports, "ensureSecureNetwork", { enumerable: true, get: function () { return network_js_1.ensureSecureNetwork; } });
+var peer_discovery_js_1 = require("./peer-discovery.js");
+Object.defineProperty(exports, "PeerDiscoveryService", { enumerable: true, get: function () { return peer_discovery_js_1.PeerDiscoveryService; } });
+var derp_relay_js_1 = require("./derp-relay.js");
+Object.defineProperty(exports, "DerpRelay", { enumerable: true, get: function () { return derp_relay_js_1.DerpRelay; } });
+//# sourceMappingURL=index.js.map

package/dist/nat.d.ts

@@ -0,0 +1,84 @@
+/**
+ * STUN client + NAT traversal for ARIA secure networking.
+ *
+ * Discovers external IP:port via STUN (RFC 5389), enabling WireGuard
+ * peers to find each other through NAT. Falls back to a UDP relay
+ * when symmetric NAT prevents direct connectivity.
+ *
+ * No external dependencies — implements STUN binding request/response
+ * directly using node:dgram.
+ */
+import * as dgram from "node:dgram";
+/** Result of STUN endpoint discovery */
+export interface StunResult {
+    /** External (public) IP address */
+    address: string;
+    /** External (public) port */
+    port: number;
+    /** STUN server used for discovery */
+    server: string;
+}
+/**
+ * Discover our external endpoint by sending a STUN Binding Request.
+ *
+ * Tries multiple STUN servers in parallel, returns the first successful response.
+ * Timeout: 3 seconds per server, 5 second total.
+ */
+/**
+ * Discover external endpoint via STUN.
+ *
+ * @param server STUN server hostname:port (or undefined to try defaults)
+ * @param timeoutMs Timeout in milliseconds
+ * @param existingSocket Optional: use this socket for STUN instead of creating
+ *   ephemeral ones. This is critical for the shared-socket WG model — STUN must
+ *   discover the NAT mapping of the ACTUAL listening socket, not a throwaway one.
+ *   When provided, the socket is NOT closed after discovery.
+ */
+export declare function discoverEndpoint(server?: string, timeoutMs?: number, existingSocket?: dgram.Socket): Promise<StunResult>;
+/**
+ * NAT type classification.
+ *
+ * Detected by comparing mapped ports from two different STUN servers:
+ * - Same port from both servers → Full Cone or Restricted Cone (direct tunnel works)
+ * - Different port from each server → Symmetric NAT (needs relay)
+ */
+export type NatType = "full_cone" | "restricted" | "symmetric" | "unknown";
+/**
+ * Detect NAT type by querying two STUN servers and comparing mapped ports.
+ *
+ * Symmetric NAT allocates a new external port for each destination,
+ * so mapped ports will differ across STUN servers. Cone NATs reuse
+ * the same external port, so mapped ports will match.
+ *
+ * Returns "unknown" if fewer than 2 STUN servers respond.
+ */
+export declare function detectNatType(servers?: string[], timeoutMs?: number): Promise<{
+    natType: NatType;
+    results: StunResult[];
+}>;
+/**
+ * STUN client for periodic endpoint discovery.
+ *
+ * Use for ongoing NAT traversal — discovers and tracks endpoint changes.
+ */
+export declare class StunClient {
+    private servers;
+    private pollIntervalMs;
+    private interval;
+    private lastResult;
+    private _natType;
+    /** Number of consecutive discovery failures (reset to 0 on success) */
+    consecutiveFailures: number;
+    constructor(servers?: string[], pollIntervalMs?: number);
+    /** Get the detected NAT type (null if not yet detected) */
+    getNatType(): NatType | null;
+    /** Get the last discovered endpoint */
+    getEndpoint(): StunResult | null;
+    /** Discover endpoint once — uses first configured server (or defaults) */
+    discover(): Promise<StunResult>;
+    /** Start periodic endpoint discovery. Detects NAT type on first call. */
+    start(onUpdate?: (result: StunResult) => void): void;
+    /** Stop periodic discovery */
+    stop(): void;
+}
+//# sourceMappingURL=nat.d.ts.map

package/dist/nat.js

@@ -0,0 +1,397 @@
+"use strict";
+/**
+ * STUN client + NAT traversal for ARIA secure networking.
+ *
+ * Discovers external IP:port via STUN (RFC 5389), enabling WireGuard
+ * peers to find each other through NAT. Falls back to a UDP relay
+ * when symmetric NAT prevents direct connectivity.
+ *
+ * No external dependencies — implements STUN binding request/response
+ * directly using node:dgram.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StunClient = void 0;
+exports.discoverEndpoint = discoverEndpoint;
+exports.detectNatType = detectNatType;
+const dgram = __importStar(require("node:dgram"));
+const crypto = __importStar(require("node:crypto"));
+const os = __importStar(require("node:os"));
+// STUN message types (RFC 5389)
+const STUN_BINDING_REQUEST = 0x0001;
+const STUN_BINDING_RESPONSE = 0x0101;
+const STUN_MAGIC_COOKIE = 0x2112a442;
+const STUN_ATTR_XOR_MAPPED_ADDRESS = 0x0020;
+const STUN_ATTR_MAPPED_ADDRESS = 0x0001;
+/**
+ * Detect whether the route to a STUN server exits through a tunnel/VPN
+ * interface. If so, STUN results reflect the tunnel exit IP — not the
+ * machine's real public IP — and should be discarded.
+ *
+ * Detection: uses a connected UDP socket to discover the OS-selected source
+ * address, then checks if that address belongs to an interface with a
+ * zero MAC address (00:00:00:00:00:00). Tunnel/VPN interfaces (WireGuard,
+ * OpenVPN, Tailscale, IPSec, ZeroTier, etc.) have no hardware address.
+ * Physical interfaces (Ethernet, WiFi) always have a real MAC.
+ */
+function routeExitsThroughTunnel(host, port) {
+    return new Promise((resolve) => {
+        const probe = dgram.createSocket("udp4");
+        const timer = setTimeout(() => {
+            probe.close();
+            resolve(false);
+        }, 2000);
+        probe.connect(port, host, () => {
+            clearTimeout(timer);
+            try {
+                const sourceAddr = probe.address().address;
+                const ifaces = os.networkInterfaces();
+                for (const addrs of Object.values(ifaces)) {
+                    for (const a of addrs ?? []) {
+                        if (a.address === sourceAddr && a.mac === "00:00:00:00:00:00") {
+                            probe.close();
+                            resolve(true);
+                            return;
+                        }
+                    }
+                }
+            }
+            catch {
+                // ignore
+            }
+            probe.close();
+            resolve(false);
+        });
+        probe.on("error", () => {
+            clearTimeout(timer);
+            probe.close();
+            resolve(false);
+        });
+    });
+}
+// Well-known public STUN servers (no authentication required)
+const DEFAULT_STUN_SERVERS = [
+    "stun.l.google.com:19302",
+    "stun1.l.google.com:19302",
+    "stun.cloudflare.com:3478",
+];
+/**
+ * Build a STUN Binding Request message (RFC 5389).
+ * Header: type (2) + length (2) + magic cookie (4) + transaction ID (12) = 20 bytes.
+ */
+function buildBindingRequest() {
+    const msg = Buffer.alloc(20);
+    msg.writeUInt16BE(STUN_BINDING_REQUEST, 0); // Message type
+    msg.writeUInt16BE(0, 2); // Message length (no attributes)
+    msg.writeUInt32BE(STUN_MAGIC_COOKIE, 4); // Magic cookie
+    const txId = crypto.randomBytes(12);
+    txId.copy(msg, 8); // Transaction ID
+    return { message: msg, transactionId: txId };
+}
+/**
+ * Parse a STUN Binding Response to extract the mapped address.
+ * Handles both XOR-MAPPED-ADDRESS (preferred) and MAPPED-ADDRESS (fallback).
+ */
+function parseBindingResponse(msg, expectedTxId) {
+    if (msg.length < 20)
+        return null;
+    const msgType = msg.readUInt16BE(0);
+    if (msgType !== STUN_BINDING_RESPONSE)
+        return null;
+    // Verify magic cookie
+    if (msg.readUInt32BE(4) !== STUN_MAGIC_COOKIE)
+        return null;
+    // Verify transaction ID
+    if (!msg.subarray(8, 20).equals(expectedTxId))
+        return null;
+    const attrLength = msg.readUInt16BE(2);
+    let offset = 20;
+    const end = 20 + attrLength;
+    let mappedAddress = null;
+    while (offset + 4 <= end) {
+        const attrType = msg.readUInt16BE(offset);
+        const attrLen = msg.readUInt16BE(offset + 2);
+        const attrStart = offset + 4;
+        if (attrType === STUN_ATTR_XOR_MAPPED_ADDRESS && attrLen >= 8) {
+            const family = msg.readUInt8(attrStart + 1);
+            if (family === 0x01) {
+                // IPv4
+                const xPort = msg.readUInt16BE(attrStart + 2) ^ (STUN_MAGIC_COOKIE >> 16);
+                const xAddr = msg.readUInt32BE(attrStart + 4) ^ STUN_MAGIC_COOKIE;
+                const a = (xAddr >> 24) & 0xff;
+                const b = (xAddr >> 16) & 0xff;
+                const c = (xAddr >> 8) & 0xff;
+                const d = xAddr & 0xff;
+                return { address: `${a}.${b}.${c}.${d}`, port: xPort };
+            }
+        }
+        if (attrType === STUN_ATTR_MAPPED_ADDRESS && attrLen >= 8) {
+            const family = msg.readUInt8(attrStart + 1);
+            if (family === 0x01) {
+                // IPv4 (not XORed)
+                const port = msg.readUInt16BE(attrStart + 2);
+                const addr = msg.readUInt32BE(attrStart + 4);
+                const a = (addr >> 24) & 0xff;
+                const b = (addr >> 16) & 0xff;
+                const c = (addr >> 8) & 0xff;
+                const d = addr & 0xff;
+                mappedAddress = { address: `${a}.${b}.${c}.${d}`, port };
+            }
+        }
+        // Attribute value is padded to 4-byte boundary
+        offset = attrStart + Math.ceil(attrLen / 4) * 4;
+    }
+    return mappedAddress;
+}
+/**
+ * Discover our external endpoint by sending a STUN Binding Request.
+ *
+ * Tries multiple STUN servers in parallel, returns the first successful response.
+ * Timeout: 3 seconds per server, 5 second total.
+ */
+/**
+ * Discover external endpoint via STUN.
+ *
+ * @param server STUN server hostname:port (or undefined to try defaults)
+ * @param timeoutMs Timeout in milliseconds
+ * @param existingSocket Optional: use this socket for STUN instead of creating
+ *   ephemeral ones. This is critical for the shared-socket WG model — STUN must
+ *   discover the NAT mapping of the ACTUAL listening socket, not a throwaway one.
+ *   When provided, the socket is NOT closed after discovery.
+ */
+async function discoverEndpoint(server, timeoutMs = 5000, existingSocket) {
+    const servers = server ? [server] : DEFAULT_STUN_SERVERS;
+    // Pre-check: if the route to the STUN server exits through a tunnel
+    // interface (VPN), the result will be the VPN exit IP — not our real
+    // public IP. Reject early to prevent advertising a wrong endpoint.
+    const [firstHost, firstPortStr] = servers[0].split(":");
+    const isTunnel = await routeExitsThroughTunnel(firstHost, parseInt(firstPortStr ?? "3478", 10));
+    if (isTunnel) {
+        throw new Error("STUN route exits through a tunnel interface — result would be unreliable");
+    }
+    return new Promise((resolve, reject) => {
+        let resolved = false;
+        const ownedSockets = []; // sockets WE created (will be closed)
+        const timer = setTimeout(() => {
+            if (!resolved) {
+                resolved = true;
+                ownedSockets.forEach((s) => {
+                    try {
+                        s.close();
+                    }
+                    catch {
+                        // ignore
+                    }
+                });
+                reject(new Error(`STUN discovery timed out after ${timeoutMs}ms`));
+            }
+        }, timeoutMs);
+        for (const srv of servers) {
+            const [host, portStr] = srv.split(":");
+            const port = parseInt(portStr ?? "3478", 10);
+            // Use existing socket if provided (shared socket model), else create ephemeral
+            const socket = existingSocket ?? dgram.createSocket("udp4");
+            if (!existingSocket)
+                ownedSockets.push(socket);
+            const { message, transactionId } = buildBindingRequest();
+            const handler = (msg) => {
+                if (resolved)
+                    return;
+                const result = parseBindingResponse(msg, transactionId);
+                if (result) {
+                    resolved = true;
+                    clearTimeout(timer);
+                    // Remove our handler from the existing socket (don't close it)
+                    if (existingSocket) {
+                        existingSocket.off("message", handler);
+                    }
+                    ownedSockets.forEach((s) => {
+                        try {
+                            s.close();
+                        }
+                        catch {
+                            // ignore
+                        }
+                    });
+                    resolve({ ...result, server: srv });
+                }
+            };
+            socket.on("message", handler);
+            socket.on("error", () => {
+                // Individual socket errors are non-fatal — other servers may succeed
+                if (!existingSocket) {
+                    try {
+                        socket.close();
+                    }
+                    catch {
+                        /* already closed */
+                    }
+                }
+            });
+            socket.send(message, port, host);
+        }
+    });
+}
+/**
+ * Detect NAT type by querying two STUN servers and comparing mapped ports.
+ *
+ * Symmetric NAT allocates a new external port for each destination,
+ * so mapped ports will differ across STUN servers. Cone NATs reuse
+ * the same external port, so mapped ports will match.
+ *
+ * Returns "unknown" if fewer than 2 STUN servers respond.
+ */
+async function detectNatType(servers = DEFAULT_STUN_SERVERS, timeoutMs = 5000) {
+    const results = [];
+    // Query each server individually (sequential to avoid port reuse confusion)
+    for (const server of servers.slice(0, 3)) {
+        try {
+            const result = await discoverEndpoint(server, timeoutMs);
+            results.push(result);
+            if (results.length >= 2)
+                break; // Only need 2 for comparison
+        }
+        catch {
+            // Server unreachable — try next
+        }
+    }
+    if (results.length < 2) {
+        return { natType: "unknown", results };
+    }
+    // Compare mapped ports: if different → symmetric NAT
+    const port1 = results[0].port;
+    const port2 = results[1].port;
+    if (port1 !== port2) {
+        return { natType: "symmetric", results };
+    }
+    // Same port → cone or restricted (both allow direct connections)
+    // We can't distinguish full cone from restricted cone with STUN alone
+    // (would need a STUN server that sends from a different IP), but both work for us.
+    return { natType: "full_cone", results };
+}
+/**
+ * STUN client for periodic endpoint discovery.
+ *
+ * Use for ongoing NAT traversal — discovers and tracks endpoint changes.
+ */
+class StunClient {
+    servers;
+    pollIntervalMs;
+    interval = null;
+    lastResult = null;
+    _natType = null;
+    /** Number of consecutive discovery failures (reset to 0 on success) */
+    consecutiveFailures = 0;
+    constructor(servers = DEFAULT_STUN_SERVERS, pollIntervalMs = 60_000) {
+        this.servers = servers;
+        this.pollIntervalMs = pollIntervalMs;
+    }
+    /** Get the detected NAT type (null if not yet detected) */
+    getNatType() {
+        return this._natType;
+    }
+    /** Get the last discovered endpoint */
+    getEndpoint() {
+        return this.lastResult;
+    }
+    /** Discover endpoint once — uses first configured server (or defaults) */
+    async discover() {
+        const result = await discoverEndpoint(this.servers[0], 5000);
+        this.lastResult = result;
+        return result;
+    }
+    /** Start periodic endpoint discovery. Detects NAT type on first call. */
+    start(onUpdate) {
+        if (this.interval)
+            return;
+        // Check once if we're behind a VPN. If so, STUN will always return
+        // the wrong IP — skip the entire poll loop instead of spamming errors.
+        void (async () => {
+            const [firstHost, firstPortStr] = this.servers[0].split(":");
+            const isTunnel = await routeExitsThroughTunnel(firstHost, parseInt(firstPortStr ?? "3478", 10));
+            if (isTunnel) {
+                if (typeof process !== "undefined" && process.stderr) {
+                    process.stderr.write("[wireguard] STUN skipped — route exits through VPN/tunnel interface\n");
+                }
+                return; // Don't start the poll loop
+            }
+            // Initial discovery + NAT type detection
+            try {
+                if (!this._natType) {
+                    const detection = await detectNatType(this.servers);
+                    this._natType = detection.natType;
+                    if (detection.results.length > 0) {
+                        this.lastResult = detection.results[0];
+                        this.consecutiveFailures = 0;
+                        onUpdate?.(detection.results[0]);
+                    }
+                }
+                if (!this.lastResult) {
+                    const r = await this.discover();
+                    this.consecutiveFailures = 0;
+                    onUpdate?.(r);
+                }
+            }
+            catch {
+                this.consecutiveFailures++;
+            }
+            // Start periodic refresh only after confirming STUN works
+            this.interval = setInterval(async () => {
+                try {
+                    const result = await this.discover();
+                    this.consecutiveFailures = 0;
+                    onUpdate?.(result);
+                }
+                catch {
+                    this.consecutiveFailures++;
+                    if (this.consecutiveFailures >= 3) {
+                        if (typeof process !== "undefined" && process.stderr) {
+                            process.stderr.write(`[wireguard] STUN discovery failed ${this.consecutiveFailures} consecutive times\n`);
+                        }
+                    }
+                }
+            }, this.pollIntervalMs);
+        })();
+    }
+    /** Stop periodic discovery */
+    stop() {
+        if (this.interval) {
+            clearInterval(this.interval);
+            this.interval = null;
+        }
+    }
+}
+exports.StunClient = StunClient;
+//# sourceMappingURL=nat.js.map

package/dist/network-state-store.d.ts

@@ -0,0 +1,46 @@
+/**
+ * NetworkStateStore — canonical, machine-scoped persistence for network control-plane state.
+ *
+ * All network-adjacent durable state (peers, signing keys, revocations, nonces, trust)
+ * lives in ONE canonical store at ARIA_HOME/network/state.db, independent of any
+ * arion-specific Memoria DB. This eliminates the split-brain where peer state could
+ * drift across multiple DB paths.
+ *
+ * PeerRegistry, RevocationStore, and other network stores all use the Database
+ * returned by getDatabase().
+ */
+import type Database from "better-sqlite3";
+export interface NetworkStateStoreOptions {
+    /** Base ARIA home directory (e.g., ~/.aria) */
+    ariaHome: string;
+    /** Override DB path (for testing) */
+    dbPath?: string;
+}
+export declare class NetworkStateStore {
+    private readonly options;
+    private db;
+    private readonly dbPath;
+    constructor(options: NetworkStateStoreOptions);
+    /** Canonical path to the network state DB */
+    get path(): string;
+    /** Whether the store has been opened */
+    get isOpen(): boolean;
+    /** Open the database, creating schema if needed */
+    open(): Database.Database;
+    private reconcilePeerTableSchema;
+    /** Get the underlying Database handle (opens if needed) */
+    getDatabase(): Database.Database;
+    /**
+     * Claim the owner epoch for this runtime on the shared network state DB.
+     * Must be called after open() and before any durable writes.
+     * Throws StaleOwnerError if a newer generation already owns the DB.
+     */
+    claimOwnerEpoch(generation: number): void;
+    /** Close the database */
+    close(): void;
+}
+/**
+ * Resolve the canonical network state DB path for a given ARIA home.
+ */
+export declare function canonicalNetworkStatePath(ariaHome: string): string;
+//# sourceMappingURL=network-state-store.d.ts.map