@aria-cli/wireguard 1.0.38 → 1.0.40

package/dist/network-state-store.js

@@ -0,0 +1,248 @@
+"use strict";
+/**
+ * NetworkStateStore — canonical, machine-scoped persistence for network control-plane state.
+ *
+ * All network-adjacent durable state (peers, signing keys, revocations, nonces, trust)
+ * lives in ONE canonical store at ARIA_HOME/network/state.db, independent of any
+ * arion-specific Memoria DB. This eliminates the split-brain where peer state could
+ * drift across multiple DB paths.
+ *
+ * PeerRegistry, RevocationStore, and other network stores all use the Database
+ * returned by getDatabase().
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NetworkStateStore = void 0;
+exports.canonicalNetworkStatePath = canonicalNetworkStatePath;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const network_runtime_1 = require("@aria-cli/tools/network-runtime");
+/**
+ * Canonical schema for the network state DB.
+ *
+ * Only creates tables that PeerRegistry depends on (it does NO schema creation).
+ * Other stores (RevocationStore, PeerTrustStore, PeerSigningKeyStore,
+ * InviteConsumeLedger, DurableReplayGuard, etc.) create their own tables
+ * via ensureTable() in their constructors — they're self-managing.
+ */
+const NETWORK_PEERS_TABLE_SQL = `
+CREATE TABLE IF NOT EXISTS network_peers (
+  node_id TEXT PRIMARY KEY,
+  public_key TEXT NOT NULL,
+  name TEXT NOT NULL,
+  endpoint_host TEXT,
+  endpoint_port INTEGER,
+  endpoint_revision INTEGER NOT NULL DEFAULT 0,
+  control_endpoint_host TEXT,
+  control_endpoint_port INTEGER,
+  control_tls_ca_fingerprint TEXT,
+  preshared_key TEXT,
+  allowed_ips TEXT DEFAULT '0.0.0.0/0',
+  invite_token TEXT,
+  status TEXT DEFAULT 'active',
+  last_handshake INTEGER,
+  created_at INTEGER,
+  updated_at INTEGER,
+  signing_public_key TEXT
+);`;
+const NETWORK_PEERS_INDEX_SQL = `
+CREATE INDEX IF NOT EXISTS idx_network_peers_name ON network_peers(name);
+CREATE INDEX IF NOT EXISTS idx_network_peers_status ON network_peers(status);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_network_peers_public_key
+ON network_peers(public_key);
+`;
+const SCHEMA_SQL = `
+-- Peer registry canonical hard-cut schema
+${NETWORK_PEERS_TABLE_SQL}
+
+-- Token replay protection (used by PeerRegistry.claimToken/releaseToken)
+CREATE TABLE IF NOT EXISTS token_claims (
+  nonce TEXT PRIMARY KEY,
+  claimed_at INTEGER NOT NULL
+);
+
+-- Pending tunnel/pair requests (used by PeerRegistry.listByStatus)
+CREATE TABLE IF NOT EXISTS pending_tunnel (
+  id TEXT PRIMARY KEY,
+  peer_name TEXT NOT NULL,
+  peer_public_key TEXT NOT NULL,
+  status TEXT DEFAULT 'pending',
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER
+);
+
+-- Schema version tracking
+CREATE TABLE IF NOT EXISTS network_schema_version (
+  version INTEGER NOT NULL
+);
+`;
+const CURRENT_SCHEMA_VERSION = 6;
+class NetworkStateStore {
+    options;
+    db = null;
+    dbPath;
+    constructor(options) {
+        this.options = options;
+        this.dbPath = options.dbPath ?? path.join(options.ariaHome, "network", "state.db");
+    }
+    /** Canonical path to the network state DB */
+    get path() {
+        return this.dbPath;
+    }
+    /** Whether the store has been opened */
+    get isOpen() {
+        return this.db !== null;
+    }
+    /** Open the database, creating schema if needed */
+    open() {
+        if (this.db)
+            return this.db;
+        // Ensure directory exists
+        const dir = path.dirname(this.dbPath);
+        fs.mkdirSync(dir, { recursive: true });
+        // Dynamic import better-sqlite3 (same pattern as PeerRegistry)
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        const BetterSqlite3 = require("better-sqlite3");
+        this.db = new BetterSqlite3(this.dbPath);
+        try {
+            this.db.pragma("journal_mode = WAL");
+            this.db.pragma("busy_timeout = 5000");
+            // Create schema
+            this.db.exec(SCHEMA_SQL);
+            this.reconcilePeerTableSchema(this.db);
+            this.db.exec(NETWORK_PEERS_INDEX_SQL);
+            // Track schema version
+            const versionRow = this.db
+                .prepare("SELECT version FROM network_schema_version LIMIT 1")
+                .get();
+            if (!versionRow) {
+                this.db
+                    .prepare("INSERT INTO network_schema_version (version) VALUES (?)")
+                    .run(CURRENT_SCHEMA_VERSION);
+            }
+            else if (versionRow.version < CURRENT_SCHEMA_VERSION) {
+                this.db
+                    .prepare("UPDATE network_schema_version SET version = ?")
+                    .run(CURRENT_SCHEMA_VERSION);
+            }
+        }
+        catch (error) {
+            this.db.close();
+            this.db = null;
+            throw error;
+        }
+        return this.db;
+    }
+    reconcilePeerTableSchema(db) {
+        const tableRow = db
+            .prepare("SELECT sql FROM sqlite_master WHERE type='table' AND name='network_peers'")
+            .get();
+        if (!tableRow?.sql)
+            return;
+        const tableSql = tableRow.sql.toLowerCase();
+        const hasLegacyStatusCheck = tableSql.includes("check") && !tableSql.includes("pending_verification");
+        const columns = db.prepare("PRAGMA table_info(network_peers)").all();
+        const columnNames = new Set(columns.map((column) => column.name));
+        const primaryKey = columns.find((column) => column.pk === 1)?.name;
+        const requiredColumns = [
+            "public_key",
+            "node_id",
+            "name",
+            "endpoint_host",
+            "endpoint_port",
+            "endpoint_revision",
+            "control_endpoint_host",
+            "control_endpoint_port",
+            "control_tls_ca_fingerprint",
+            "preshared_key",
+            "allowed_ips",
+            "invite_token",
+            "status",
+            "last_handshake",
+            "created_at",
+            "updated_at",
+            "signing_public_key",
+        ];
+        const missingColumns = requiredColumns.filter((column) => !columnNames.has(column));
+        const legacySchemaProblems = [];
+        if (hasLegacyStatusCheck) {
+            legacySchemaProblems.push("legacy status check");
+        }
+        if (columnNames.has("message_port")) {
+            legacySchemaProblems.push("message_port column");
+        }
+        if (columnNames.has("peer_id")) {
+            legacySchemaProblems.push("legacy peer_id column");
+        }
+        if (primaryKey !== "node_id") {
+            legacySchemaProblems.push(`primary key is ${primaryKey ?? "missing"}`);
+        }
+        if (missingColumns.length > 0) {
+            legacySchemaProblems.push(`missing columns: ${missingColumns.join(", ")}`);
+        }
+        if (legacySchemaProblems.length === 0) {
+            return;
+        }
+        throw new Error(`Legacy network_peers schema requires hard reset: ${legacySchemaProblems.join(", ")}`);
+    }
+    /** Get the underlying Database handle (opens if needed) */
+    getDatabase() {
+        return this.open();
+    }
+    /**
+     * Claim the owner epoch for this runtime on the shared network state DB.
+     * Must be called after open() and before any durable writes.
+     * Throws StaleOwnerError if a newer generation already owns the DB.
+     */
+    claimOwnerEpoch(generation) {
+        const db = this.open();
+        (0, network_runtime_1.claimDbOwnerEpoch)(db, generation);
+    }
+    /** Close the database */
+    close() {
+        if (this.db) {
+            this.db.close();
+            this.db = null;
+        }
+    }
+}
+exports.NetworkStateStore = NetworkStateStore;
+/**
+ * Resolve the canonical network state DB path for a given ARIA home.
+ */
+function canonicalNetworkStatePath(ariaHome) {
+    return path.join(ariaHome, "network", "state.db");
+}
+//# sourceMappingURL=network-state-store.js.map