@aria-cli/wireguard 1.0.38 → 1.0.40

package/dist/bootstrap-authority.d.ts

@@ -0,0 +1,2 @@
+export declare function loadStoredBootstrapCaCert(ariaDir: string): string | undefined;
+//# sourceMappingURL=bootstrap-authority.d.ts.map

package/dist/bootstrap-authority.js

@@ -0,0 +1,47 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadStoredBootstrapCaCert = loadStoredBootstrapCaCert;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+function loadStoredBootstrapCaCert(ariaDir) {
+    const caPath = path.join(ariaDir, "network", "tls", "ca.pem");
+    if (!fs.existsSync(caPath)) {
+        return undefined;
+    }
+    const caCert = fs.readFileSync(caPath, "utf8").trim();
+    return caCert.length > 0 ? caCert : undefined;
+}
+//# sourceMappingURL=bootstrap-authority.js.map

package/dist/bootstrap-tls.d.ts

@@ -0,0 +1,14 @@
+export interface BootstrapTlsRequestOptions {
+    method?: string;
+    body?: string;
+    headers?: Record<string, string>;
+    timeoutMs?: number;
+    caCert: string;
+    expectedTlsIdentity: string;
+}
+export interface BootstrapTlsResponse {
+    status: number;
+    body: string;
+}
+export declare function bootstrapTlsRequest(url: string, options: BootstrapTlsRequestOptions): Promise<BootstrapTlsResponse>;
+//# sourceMappingURL=bootstrap-tls.d.ts.map

package/dist/bootstrap-tls.js

@@ -0,0 +1,69 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bootstrapTlsRequest = bootstrapTlsRequest;
+const https = __importStar(require("node:https"));
+const tls = __importStar(require("node:tls"));
+function bootstrapTlsRequest(url, options) {
+    return new Promise((resolve, reject) => {
+        const parsed = new URL(url);
+        const req = https.request({
+            hostname: parsed.hostname,
+            port: parsed.port,
+            path: parsed.pathname + parsed.search,
+            method: options.method ?? "GET",
+            headers: options.headers,
+            ca: options.caCert,
+            rejectUnauthorized: true,
+            checkServerIdentity: (_hostname, cert) => tls.checkServerIdentity(options.expectedTlsIdentity, cert),
+            timeout: options.timeoutMs ?? 5_000,
+        }, (res) => {
+            let data = "";
+            res.on("data", (chunk) => {
+                data += chunk.toString();
+            });
+            res.on("end", () => resolve({ status: res.statusCode ?? 0, body: data }));
+        });
+        req.on("error", reject);
+        req.on("timeout", () => {
+            req.destroy();
+            reject(new Error("Request timeout"));
+        });
+        if (options.body)
+            req.write(options.body);
+        req.end();
+    });
+}
+//# sourceMappingURL=bootstrap-tls.js.map

package/dist/db-owner-fencing.d.ts

@@ -0,0 +1,10 @@
+import type Database from "better-sqlite3";
+export declare class StaleOwnerError extends Error {
+    readonly kind: "StaleOwnerError";
+    readonly claimedGeneration: number;
+    readonly currentGeneration: number;
+    constructor(claimed: number, current: number);
+}
+export declare function ensureOwnerEpochTable(db: Database.Database): void;
+export declare function claimDbOwnerEpoch(db: Database.Database, generation: number): void;
+//# sourceMappingURL=db-owner-fencing.d.ts.map

package/dist/db-owner-fencing.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StaleOwnerError = void 0;
+exports.ensureOwnerEpochTable = ensureOwnerEpochTable;
+exports.claimDbOwnerEpoch = claimDbOwnerEpoch;
+class StaleOwnerError extends Error {
+    kind = "StaleOwnerError";
+    claimedGeneration;
+    currentGeneration;
+    constructor(claimed, current) {
+        super(`StaleOwnerError: runtime claims generation ${claimed} but store is at generation ${current}. ` +
+            `This runtime has been superseded and must shut down immediately.`);
+        this.name = "StaleOwnerError";
+        this.claimedGeneration = claimed;
+        this.currentGeneration = current;
+    }
+}
+exports.StaleOwnerError = StaleOwnerError;
+function ensureOwnerEpochTable(db) {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS owner_epoch (
+      scope TEXT PRIMARY KEY DEFAULT 'runtime',
+      owner_generation INTEGER NOT NULL
+    )
+  `);
+}
+function claimDbOwnerEpoch(db, generation) {
+    ensureOwnerEpochTable(db);
+    const result = db
+        .prepare(`INSERT INTO owner_epoch (scope, owner_generation) VALUES ('runtime', ?)
+       ON CONFLICT(scope) DO UPDATE SET owner_generation = excluded.owner_generation
+       WHERE excluded.owner_generation > owner_epoch.owner_generation`)
+        .run(generation);
+    if (result.changes === 0) {
+        const row = db
+            .prepare("SELECT owner_generation FROM owner_epoch WHERE scope = 'runtime'")
+            .get();
+        const current = row?.owner_generation ?? 0;
+        if (current > generation) {
+            throw new StaleOwnerError(generation, current);
+        }
+    }
+}
+//# sourceMappingURL=db-owner-fencing.js.map

package/dist/derp-relay.d.ts

@@ -0,0 +1,75 @@
+/**
+ * DerpRelay — DERP relay client for NAT traversal.
+ *
+ * When both peers are behind symmetric NAT, direct WireGuard tunnels fail.
+ * DerpRelay connects to a relay server via WebSocket and forwards encrypted
+ * WireGuard packets through it. The relay CANNOT read the content (WireGuard
+ * encryption is end-to-end).
+ *
+ * Implements the same { send(data: Buffer): void } interface as tunnel transports,
+ * so it plugs into Mailbox.registerTunnel() transparently.
+ *
+ * Authentication: Ed25519 signature challenge on connect to prevent impersonation.
+ * Auto-reconnect: Exponential backoff, matching ResilientTunnel's pattern.
+ */
+import { EventEmitter } from "node:events";
+import { type NodeId } from "@aria-cli/tools";
+export interface DerpRelayOptions {
+    /** Relay server URL (e.g., wss://relay.example.com/api/v1/relay) */
+    relayUrl: string;
+    /** Our durable node identity for relay auth */
+    nodeId: NodeId;
+    /** Optional display snapshot for local logs/debug output */
+    displayNameSnapshot?: string;
+    /** Ed25519 private key (base64 PKCS#8 DER) for authentication */
+    signingPrivateKey: string;
+    /** Ed25519 public key (base64 SPKI DER) for identification */
+    signingPublicKey: string;
+    /** Target node identity to communicate with */
+    targetNodeId: NodeId;
+    /** AbortSignal for clean shutdown */
+    signal?: AbortSignal;
+}
+export type DerpRelayState = "disconnected" | "connecting" | "authenticating" | "connected" | "dead";
+/**
+ * DERP relay client.
+ *
+ * Emits: "plaintext" (data: Buffer, fromNodeId: NodeId, displayNameSnapshot?: string), "connected", "disconnected",
+ *        "dead", "error" (Error), "stateChange" (newState, prevState)
+ */
+export declare class DerpRelay extends EventEmitter {
+    private ws;
+    private _state;
+    private reconnectAttempts;
+    private reconnectTimer;
+    private stopped;
+    private closing;
+    private readonly relayUrl;
+    private readonly nodeId;
+    private readonly displayNameSnapshot?;
+    private readonly signingPrivateKey;
+    private readonly signingPublicKey;
+    private readonly targetNodeId;
+    private readonly signal?;
+    /** Queued messages while not connected */
+    private queue;
+    private static readonly MAX_QUEUE;
+    constructor(options: DerpRelayOptions);
+    /** Connect to the relay server */
+    connect(): Promise<void>;
+    /** Send data through the relay to the target peer */
+    send(data: Buffer): void;
+    /** Disconnect from the relay server */
+    disconnect(): void;
+    /** Get current relay state */
+    getState(): DerpRelayState;
+    /** Whether the relay is actively connected */
+    get isConnected(): boolean;
+    private setState;
+    private signChallenge;
+    private attemptReconnect;
+    private clearReconnectTimer;
+    private enqueue;
+    private flushQueue;
+}
+//# sourceMappingURL=derp-relay.d.ts.map

package/dist/derp-relay.js

@@ -0,0 +1,311 @@
+"use strict";
+/**
+ * DerpRelay — DERP relay client for NAT traversal.
+ *
+ * When both peers are behind symmetric NAT, direct WireGuard tunnels fail.
+ * DerpRelay connects to a relay server via WebSocket and forwards encrypted
+ * WireGuard packets through it. The relay CANNOT read the content (WireGuard
+ * encryption is end-to-end).
+ *
+ * Implements the same { send(data: Buffer): void } interface as tunnel transports,
+ * so it plugs into Mailbox.registerTunnel() transparently.
+ *
+ * Authentication: Ed25519 signature challenge on connect to prevent impersonation.
+ * Auto-reconnect: Exponential backoff, matching ResilientTunnel's pattern.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DerpRelay = void 0;
+const node_events_1 = require("node:events");
+const crypto = __importStar(require("node:crypto"));
+const ws_1 = __importDefault(require("ws"));
+const tools_1 = require("@aria-cli/tools");
+/** Max payload size matching WireGuard MTU */
+const MAX_PAYLOAD_BYTES = 65535;
+/** Max reconnection attempts before declaring dead */
+const MAX_RECONNECT_ATTEMPTS = 10;
+/** Base backoff interval */
+const BASE_BACKOFF_MS = 1_000;
+/** Max backoff interval */
+const MAX_BACKOFF_MS = 60_000;
+/**
+ * DERP relay client.
+ *
+ * Emits: "plaintext" (data: Buffer, fromNodeId: NodeId, displayNameSnapshot?: string), "connected", "disconnected",
+ *        "dead", "error" (Error), "stateChange" (newState, prevState)
+ */
+class DerpRelay extends node_events_1.EventEmitter {
+    ws = null;
+    _state = "disconnected";
+    reconnectAttempts = 0;
+    reconnectTimer = null;
+    stopped = false;
+    closing = false;
+    relayUrl;
+    nodeId;
+    displayNameSnapshot;
+    signingPrivateKey;
+    signingPublicKey;
+    targetNodeId;
+    signal;
+    /** Queued messages while not connected */
+    queue = [];
+    static MAX_QUEUE = 200;
+    constructor(options) {
+        super();
+        this.relayUrl = options.relayUrl;
+        this.nodeId = options.nodeId;
+        this.displayNameSnapshot = options.displayNameSnapshot;
+        this.signingPrivateKey = options.signingPrivateKey;
+        this.signingPublicKey = options.signingPublicKey;
+        this.targetNodeId = options.targetNodeId;
+        this.signal = options.signal;
+        if (this.signal) {
+            this.signal.addEventListener("abort", () => this.disconnect(), { once: true });
+        }
+    }
+    /** Connect to the relay server */
+    async connect() {
+        if (this.stopped || this._state === "connected" || this._state === "connecting")
+            return;
+        this.closing = false;
+        this.setState("connecting");
+        return new Promise((resolve, reject) => {
+            try {
+                const ws = new ws_1.default(this.relayUrl);
+                this.ws = ws;
+                const timeout = setTimeout(() => {
+                    ws.close();
+                    reject(new Error("Relay connection timeout"));
+                }, 15_000);
+                ws.on("open", () => {
+                    clearTimeout(timeout);
+                    if (this.closing) {
+                        ws.close();
+                        reject(new Error("Relay connection aborted: disconnect() called during connect"));
+                        return;
+                    }
+                    this.setState("authenticating");
+                    // Send auth message with our identity
+                    ws.send(JSON.stringify({
+                        type: "auth",
+                        nodeId: this.nodeId,
+                        signingPublicKey: this.signingPublicKey,
+                    }));
+                });
+                ws.on("message", (rawData) => {
+                    try {
+                        const data = typeof rawData === "string" ? rawData : rawData.toString();
+                        const msg = JSON.parse(data);
+                        if (msg.type === "challenge" && this._state === "authenticating") {
+                            // Sign the challenge to prove identity
+                            const signature = this.signChallenge(msg.nonce);
+                            ws.send(JSON.stringify({ type: "challenge_response", signature }));
+                        }
+                        else if (msg.type === "auth_ok") {
+                            if (this.closing) {
+                                ws.close();
+                                reject(new Error("Relay connection aborted: disconnect() called during auth"));
+                                return;
+                            }
+                            this.setState("connected");
+                            this.reconnectAttempts = 0;
+                            this.flushQueue();
+                            this.emit("connected");
+                            resolve();
+                        }
+                        else if (msg.type === "auth_error") {
+                            ws.close();
+                            reject(new Error(`Relay auth failed: ${msg.error}`));
+                        }
+                        else if (msg.type === "relay" && this._state === "connected") {
+                            // Incoming relayed data from another peer
+                            const fromNodeId = tools_1.NodeIdSchema.parse(msg.fromNodeId);
+                            const payload = Buffer.from(msg.data, "base64");
+                            this.emit("plaintext", payload, fromNodeId, msg.displayNameSnapshot);
+                        }
+                        else if (msg.type === "peer_offline") {
+                            // Target peer is not connected to relay
+                            const peerLabel = typeof msg.displayNameSnapshot === "string" && msg.displayNameSnapshot.length > 0
+                                ? msg.displayNameSnapshot
+                                : typeof msg.nodeId === "string" && msg.nodeId.length > 0
+                                    ? msg.nodeId
+                                    : this.targetNodeId;
+                            this.emit("error", new Error(`Peer ${peerLabel} is offline on relay`));
+                        }
+                    }
+                    catch (err) {
+                        this.emit("error", err instanceof Error ? err : new Error(String(err)));
+                    }
+                });
+                ws.on("close", () => {
+                    clearTimeout(timeout);
+                    const wasConnecting = this._state === "connecting" || this._state === "authenticating";
+                    this.setState("disconnected");
+                    if (this.stopped || this.closing) {
+                        // Reject the pending connect promise so callers don't hang
+                        if (wasConnecting) {
+                            reject(new Error("Relay connection closed during setup"));
+                        }
+                    }
+                    else {
+                        this.emit("disconnected");
+                        this.attemptReconnect();
+                    }
+                });
+                ws.on("error", (err) => {
+                    clearTimeout(timeout);
+                    this.emit("error", err);
+                    if (this._state === "connecting" || this._state === "authenticating") {
+                        reject(err);
+                    }
+                });
+            }
+            catch (err) {
+                this.setState("disconnected");
+                reject(err);
+            }
+        });
+    }
+    /** Send data through the relay to the target peer */
+    send(data) {
+        if (this.stopped)
+            throw new Error("Relay is stopped");
+        if (data.length > MAX_PAYLOAD_BYTES) {
+            throw new Error(`Payload exceeds max size (${data.length} > ${MAX_PAYLOAD_BYTES})`);
+        }
+        if (this._state !== "connected" || !this.ws) {
+            this.enqueue(data);
+            return;
+        }
+        this.ws.send(JSON.stringify({
+            type: "relay",
+            toNodeId: this.targetNodeId,
+            data: data.toString("base64"),
+        }));
+    }
+    /** Disconnect from the relay server */
+    disconnect() {
+        this.closing = true;
+        this.stopped = true;
+        this.clearReconnectTimer();
+        if (this.ws) {
+            try {
+                this.ws.close();
+            }
+            catch {
+                // ignore close errors
+            }
+            this.ws = null;
+        }
+        this.queue = [];
+        this.setState("disconnected");
+    }
+    /** Get current relay state */
+    getState() {
+        return this._state;
+    }
+    /** Whether the relay is actively connected */
+    get isConnected() {
+        return this._state === "connected";
+    }
+    // ── Internal ─────────────────────────────────────────────────────
+    setState(newState) {
+        const prev = this._state;
+        if (prev === newState)
+            return;
+        this._state = newState;
+        this.emit("stateChange", newState, prev);
+    }
+    signChallenge(nonce) {
+        const keyDer = Buffer.from(this.signingPrivateKey, "base64");
+        const privateKey = crypto.createPrivateKey({
+            key: keyDer,
+            format: "der",
+            type: "pkcs8",
+        });
+        const signature = crypto.sign(null, Buffer.from(nonce), privateKey);
+        return signature.toString("base64");
+    }
+    attemptReconnect() {
+        if (this.stopped)
+            return;
+        if (this.reconnectAttempts >= MAX_RECONNECT_ATTEMPTS) {
+            this.setState("dead");
+            this.emit("dead");
+            return;
+        }
+        const backoff = Math.min(BASE_BACKOFF_MS * Math.pow(2, this.reconnectAttempts), MAX_BACKOFF_MS);
+        this.reconnectAttempts++;
+        this.reconnectTimer = setTimeout(() => {
+            if (this.stopped)
+                return;
+            void this.connect().catch((err) => {
+                this.emit("error", err instanceof Error ? err : new Error(String(err)));
+            });
+        }, backoff);
+    }
+    clearReconnectTimer() {
+        if (this.reconnectTimer) {
+            clearTimeout(this.reconnectTimer);
+            this.reconnectTimer = null;
+        }
+    }
+    enqueue(data) {
+        if (this.queue.length >= DerpRelay.MAX_QUEUE) {
+            // Drop oldest to make room
+            this.queue.shift();
+        }
+        this.queue.push(data);
+    }
+    flushQueue() {
+        if (this._state !== "connected" || !this.ws)
+            return;
+        const pending = this.queue.splice(0);
+        for (const data of pending) {
+            try {
+                this.send(data);
+            }
+            catch {
+                // Drop on failure during flush
+            }
+        }
+    }
+}
+exports.DerpRelay = DerpRelay;
+//# sourceMappingURL=derp-relay.js.map

package/dist/index.d.ts

@@ -0,0 +1,53 @@
+/**
+ * @aria/wireguard — WireGuard native addon for ARIA secure networking.
+ *
+ * Wraps Cloudflare's boringtun (BSD-3) via napi-rs for userspace
+ * encrypted tunnels. Three hot-path functions: encrypt, decrypt, tick.
+ *
+ * @packageDocumentation
+ */
+export interface WireGuardResult {
+    /** "done" | "write_to_network" | "write_to_tunnel" | "error" */
+    op: string;
+    /** Output data (if any) */
+    data?: Buffer;
+}
+export interface KeyPair {
+    publicKey: string;
+    privateKey: string;
+}
+export interface WireGuardTunnelOptions {
+    /** Base64-encoded X25519 private key */
+    privateKey: string;
+    /** Base64-encoded X25519 peer public key */
+    peerPublicKey: string;
+    /** Optional base64-encoded preshared key */
+    presharedKey?: string;
+    /** Persistent keepalive interval in seconds (0 = disabled) */
+    keepalive?: number;
+    /** Tunnel index for session disambiguation (random if not provided) */
+    index?: number;
+}
+/** Validate that the native addon can be loaded in the current runtime. */
+export declare function assertNativeAddonAvailable(): void;
+/** Create a new WireGuard tunnel */
+export declare function createTunnel(options: WireGuardTunnelOptions): {
+    encrypt(src: Buffer): WireGuardResult;
+    decrypt(src: Buffer, srcAddr?: string | undefined | null): WireGuardResult;
+    tick(): WireGuardResult;
+};
+/** Generate a new X25519 keypair for WireGuard */
+export declare function generateKeypair(): KeyPair;
+export { SecureTunnel } from "./tunnel.js";
+export type { SecureTunnelOptions, TunnelStats } from "./tunnel.js";
+export { ResilientTunnel } from "./resilient-tunnel.js";
+export type { TunnelState, ResilientTunnelStats } from "./resilient-tunnel.js";
+export { StunClient, discoverEndpoint, detectNatType } from "./nat.js";
+export type { StunResult, NatType } from "./nat.js";
+export { NetworkManager, PeerRegistry, generateKeyPair, generateSigningKeypair, createInviteToken, decodeInviteToken, ensureSecureNetwork, } from "./network.js";
+export type { NetworkConfig, PeerInfo, InviteToken } from "./network.js";
+export { PeerDiscoveryService } from "./peer-discovery.js";
+export type { PeerDiscoveryOptions, DiscoveredPeer, PeerDiscoveryNetworkManager, } from "./peer-discovery.js";
+export { DerpRelay } from "./derp-relay.js";
+export type { DerpRelayOptions, DerpRelayState } from "./derp-relay.js";
+//# sourceMappingURL=index.d.ts.map