@aria-cli/wireguard 1.0.38 → 1.0.40

package/dist/network.d.ts

@@ -0,0 +1,590 @@
+/**
+ * Network manager — auto-setup, peer management, and invite flow for ARIA.
+ *
+ * Creates a secure WireGuard network on first run with zero user configuration.
+ * Manages peer lifecycle (invite, revoke, list) through the manage_network tool.
+ * Persists peer registry in Memoria DB (network_peers table).
+ *
+ * Architecture:
+ *   NetworkManager owns a SecureTunnel per peer. On startup it loads peers from
+ *   the DB, creates tunnels, and starts them. New peers join via invite tokens
+ *   that encode the leader's public key + endpoint + PSK.
+ */
+import type Database from "better-sqlite3";
+import { type NetworkPeerRepairFailureRef, type NetworkPeerRepairResultRef, type NetworkPeerRevocationFailureRef, type NetworkPeerRevocationResultRef, type NetworkPeerRegistrationFailureRef, type NetworkPeerRegistrationResultRef, type NodeId, type ControlEndpointAdvertisement, type DeliveryAck, type LegacyPeerRegistryStatus, type TlsCaFingerprint, type TransportInviteToken, type PrincipalFingerprint, type PeerTransportId, type TransportEndpointAdvertisement } from "@aria-cli/tools";
+import { ResilientTunnel } from "./resilient-tunnel.js";
+/** Network configuration persisted to disk */
+export interface NetworkConfig {
+    /** Durable node identity for this local peer */
+    nodeId: NodeId;
+    /** X25519 public key (base64) */
+    publicKey: PeerTransportId;
+    /** X25519 private key (base64) — stored only in config, never transmitted */
+    privateKey: string;
+    /** Ed25519 public key for message signing (base64 SPKI DER) */
+    signingPublicKey: string;
+    /** Ed25519 private key for message signing (base64 PKCS#8 DER) — stored only in config, never transmitted */
+    signingPrivateKey: string;
+    /** UDP listen port for WireGuard */
+    listenPort: number;
+    /** External endpoint discovered via STUN */
+    externalEndpoint?: {
+        address: string;
+        port: number;
+    };
+    /** Monotonic revision for the published external endpoint advertisement. */
+    endpointRevision?: number;
+    /** When the network was created */
+    createdAt: number;
+    /** Coordination server URL for peer discovery and endpoint propagation */
+    coordinationUrl?: string;
+    /** DERP relay server URL for symmetric NAT fallback */
+    relayUrl?: string;
+    /** Public display snapshot used by bootstrap/publication surfaces. */
+    localDisplayNameSnapshot?: string;
+}
+/** Peer information from the database */
+export interface PeerInfo {
+    publicKey: PeerTransportId;
+    nodeId: NodeId | null;
+    name: string;
+    endpointHost: string | null;
+    endpointPort: number | null;
+    endpointRevision: number;
+    controlEndpointHost: string | null;
+    controlEndpointPort: number | null;
+    controlTlsCaFingerprint: TlsCaFingerprint | null;
+    controlEndpoint: {
+        host: string | null;
+        port: number | null;
+        tlsCaFingerprint?: TlsCaFingerprint | null;
+        tlsServerIdentity?: PrincipalFingerprint | null;
+        protocolVersion: number;
+        endpointRevision?: number;
+    } | null;
+    status: LegacyPeerRegistryStatus;
+    membershipStatus?: LegacyPeerRegistryStatus;
+    routeOwnership?: "current" | "superseded";
+    routeOwnerNodeId?: NodeId | null;
+    sessionState?: "none" | "handshaking" | "connected" | "reconnecting" | "dead";
+    deliveryReadiness?: "cannot_address" | "can_queue_only" | "can_send_now";
+    lastHandshake: number | null;
+    createdAt: number;
+    updatedAt: number | null;
+    /** Ed25519 signing public key (base64 SPKI DER) */
+    signingPublicKey?: string | null;
+}
+/** Decoded invite token */
+export type InviteToken = TransportInviteToken;
+/**
+ * Peer registry — wraps the network_peers table.
+ */
+export declare class PeerRegistry {
+    private db;
+    constructor(db: Database.Database);
+    private reconcileSchema;
+    /** Add or update a peer */
+    upsert(peer: {
+        publicKey: string;
+        nodeId?: NodeId;
+        name: string;
+        endpointHost?: string;
+        endpointPort?: number;
+        endpointRevision?: number;
+        controlEndpointHost?: string;
+        controlEndpointPort?: number;
+        controlTlsCaFingerprint?: TlsCaFingerprint;
+        presharedKey?: string;
+        allowedIps?: string;
+        inviteToken?: string;
+        status?: string;
+        signingPublicKey?: string;
+    }): void;
+    /** Get all active peers */
+    listActive(): PeerInfo[];
+    /** Get all peers (any status) */
+    listAll(): PeerInfo[];
+    /** List peers by display name. Display names are not unique principals. */
+    listByName(name: string): PeerInfo[];
+    /** Get a peer by name */
+    getByName(name: string): PeerInfo | undefined;
+    /** Get a peer by durable node identity */
+    getByNodeId(nodeId: NodeId): PeerInfo | undefined;
+    /** Get a peer by durable transport identity */
+    getByPublicKey(publicKey: string): PeerInfo | undefined;
+    /** Update peer signing key by durable peer identity */
+    setSigningKeyByPublicKey(publicKey: string, signingPublicKey: string): void;
+    /** Revoke a peer by durable node identity. */
+    revokeByNodeId(nodeId: NodeId): void;
+    /** Revoke a peer's access while preserving durable audit state for restart and introspection. */
+    revoke(publicKey: string): void;
+    /** Delete a superseded transport binding by its public key. */
+    delete(publicKey: string): void;
+    /** Check if a token nonce was already consumed */
+    isTokenConsumed(nonce: string): boolean;
+    /**
+     * P0-3: Atomically claim a token nonce. Returns true if this call claimed it
+     * (first use), false if already claimed. Uses a SQLite transaction to eliminate
+     * the race window between check and mark in acceptInvite.
+     */
+    claimToken(nonce: string): boolean;
+    /** Release a previously claimed token (on error rollback). */
+    releaseToken(nonce: string): void;
+    /** Remove stale token claims older than maxAge (default 24h). Returns count of removed claims. */
+    cleanupStaleClaims(maxAgeMs?: number): number;
+    /**
+     * Delete disposable invite stubs that can never become active again.
+     * Revoked peers stay durable so restart reconciliation, audits, and operator
+     * surfaces can still explain why a peer disappeared from active routing.
+     * Returns count of removed rows.
+     */
+    pruneTerminalPeers(): number;
+    /** Update last handshake timestamp */
+    updateHandshake(publicKey: string): void;
+    /** Update last handshake timestamp by durable node identity. */
+    updateHandshakeByNodeId(nodeId: NodeId): void;
+    /** Get peers by status */
+    listByStatus(status: LegacyPeerRegistryStatus): PeerInfo[];
+    /** Get a pending peer by invite token nonce */
+    getPendingByInviteToken(inviteTokenNonce: string): PeerInfo | undefined;
+    /** Count active peers */
+    activeCount(): number;
+    /** Get a peer by public key with PSK for tunnel reconstruction */
+    getWithPsk(publicKey: string): {
+        publicKey: string;
+        nodeId: NodeId | null;
+        name: string;
+        presharedKey: string | null;
+        inviteToken: string | null;
+        endpointHost: string | null;
+        endpointPort: number | null;
+        endpointRevision: number;
+        status: LegacyPeerRegistryStatus;
+        signingPublicKey: string | null;
+    } | undefined;
+}
+/**
+ * Generate an Ed25519 keypair for message signing.
+ * Returns base64-encoded SPKI DER (public) and PKCS#8 DER (private).
+ */
+export declare function generateSigningKeypair(): {
+    publicKey: string;
+    privateKey: string;
+};
+/**
+ * Generate a new X25519 keypair using node:crypto.
+ */
+export declare function generateKeyPair(): {
+    publicKey: string;
+    privateKey: string;
+};
+/**
+ * Create an invite token for a new peer.
+ * Encodes: leader's public key + endpoint + PSK + display snapshots.
+ *
+ * Token format: aria-net-v4-<base64url(JSON{payload,signature})>
+ * The payload is always signed with Ed25519.
+ */
+export declare function createInviteToken(params: {
+    leaderPublicKey: string;
+    nodeId: NodeId;
+    audienceNodeId?: NodeId;
+    leaderDisplayNameSnapshot?: string;
+    host: string;
+    port: number;
+    controlEndpoint: ControlEndpointAdvertisement;
+    displayNameSnapshot?: string;
+    durationMs?: number;
+    signingPublicKey?: string;
+    caCert?: string;
+    coordinationUrl?: string;
+    networkId?: string;
+    /** Ed25519 private key (base64 PKCS#8 DER) — required for signed v4 token */
+    signingPrivateKey?: string;
+}): {
+    token: string;
+    psk: string;
+};
+/**
+ * Decode an invite token.
+ *
+ * Accepts v4 (aria-net-v4-, Ed25519 signed) format only.
+ */
+export declare function decodeInviteToken(token: string): InviteToken;
+/**
+ * Ensure a secure network exists — auto-creates on first run.
+ *
+ * This is the zero-configuration entry point. Called during ARIA startup.
+ * If no network config exists, generates keypair, picks a random port,
+ * discovers external endpoint via STUN, and saves the config.
+ */
+export declare function ensureSecureNetwork(ariaDir: string, arionName?: string, options?: {
+    nodeId?: NodeId;
+}): Promise<NetworkConfig>;
+/**
+ * NetworkManager — manages the lifecycle of all peer tunnels.
+ *
+ * Loads peers from DB on start, creates/destroys tunnels on demand,
+ * handles invite acceptance, and provides status queries.
+ */
+export declare class NetworkManager {
+    private static readonly MAX_PEERS;
+    /** Interval for attempting direct connection upgrade when using relay */
+    private static readonly RELAY_UPGRADE_INTERVAL_MS;
+    private config;
+    private tunnels;
+    /** In-flight tunnel startups keyed by peer public key. */
+    private pendingTunnelStarts;
+    /** Pending starts that must self-cancel before publishing an active tunnel. */
+    private canceledTunnelStarts;
+    /** Relay transports for peers behind symmetric NAT (publicKey -> relay) */
+    private relayTransports;
+    /** Periodic timers for attempting direct connection upgrade from relay */
+    private relayUpgradeTimers;
+    /** Known peer Ed25519 signing public keys keyed by display-name snapshot. */
+    private _peerSigningKeys;
+    /** Public display snapshot surfaced through runtime/publication boundaries. */
+    private _localDisplayNameSnapshot;
+    /** Our durable local node identity projected from the runtime authority. */
+    private _localNodeId;
+    /** Runtime-published local control endpoint advertisement for invite/join flows. */
+    private _localControlEndpoint;
+    /** Cached bootstrap CA authority used to mint pinned invite tokens. */
+    private _localBootstrapCaCert;
+    /** Consecutive failed upgrade attempts per relay (for exponential backoff) */
+    private relayUpgradeAttempts;
+    private appendDiagnostic;
+    /** Callback for relay data received through DERP relay.
+     *  Set by daemon to wire relay-received messages into the EventQueue. */
+    onRelayDataReceived?: (data: Buffer, from: string) => void;
+    private _transportListeners;
+    private _messageListeners;
+    private _deliveryAckListeners;
+    private _peerActivationListeners;
+    /** Subscribe to transport events (tunnel/relay up/down). Returns unsubscribe fn. */
+    addTransportListener(listener: {
+        onTransportUp?: (displayNameSnapshot: string, transport: {
+            sendPlaintext(data: Buffer): void;
+        }, nodeId: NodeId) => void;
+        onRouteBootstrapAvailable?: (displayNameSnapshot: string, transport: {
+            sendPlaintext(data: Buffer): void;
+            routeBootstrapOnly?: boolean;
+        }, nodeId: NodeId) => void;
+        onTransportDown?: (displayNameSnapshot: string, nodeId: NodeId) => void;
+    }): () => void;
+    /** Subscribe to incoming messages. Returns unsubscribe fn. */
+    addMessageListener(listener: (message: unknown) => boolean | void): () => void;
+    /** Subscribe to delivery acknowledgements. Returns unsubscribe fn. */
+    addDeliveryAckListener(listener: (ack: DeliveryAck) => void): () => void;
+    /** Subscribe to verified peer activation events. Returns unsubscribe fn. */
+    addPeerActivationListener(listener: (input: {
+        nodeId: NodeId;
+        displayNameSnapshot: string;
+        signingPublicKey: string;
+    }) => void): () => void;
+    /** Get a snapshot of currently active transports (for late-bind mailbox scenarios). */
+    getActiveTransports(): Array<{
+        type: "tunnel" | "relay";
+        nodeId: NodeId;
+        displayNameSnapshot: string;
+        transport: {
+            sendPlaintext(data: Buffer): void;
+            routeBootstrapOnly?: boolean;
+        };
+    }>;
+    /** Shared UDP socket for all WG tunnels (single-port model like real WireGuard).
+     *  Created in initialize(), bound to config.listenPort. All tunnels send/receive
+     *  through this one socket. Incoming packets are offered to registered tunnel
+     *  handlers until one claims ownership. */
+    private sharedSocket;
+    /** Packet handlers registered by tunnels using the shared socket.
+     *  Each handler returns a disposition object indicating whether it handled the packet. */
+    private sharedSocketHandlers;
+    /** ExternalSocket interface exposed to SecureTunnels */
+    private get externalSocketInterface();
+    private readonly ariaDir;
+    private readonly arionName;
+    private readonly peerRegistry?;
+    constructor(ariaDir: string, arionNameOrPeerRegistry?: string | PeerRegistry, peerRegistry?: PeerRegistry);
+    private isLocalIdentityCandidate;
+    /**
+     * Remote peers and the local machine identity must never share the same registry.
+     * This guard makes the invalid state unrepresentable for all peer-registration paths.
+     */
+    assertRemotePeerIdentity(candidate: {
+        publicKey?: string | null;
+        signingPublicKey?: string | null;
+        name?: string | null;
+    }, context?: string): void;
+    private quarantineCorruptedLocalPeerRows;
+    private resolveUniqueLivePeerPublicKeyByNodeId;
+    private getDirectRouteOwnershipSnapshot;
+    private getDirectRouteOwnershipForPublicKey;
+    private resolveCurrentDirectRoutePeerPublicKeyByNodeId;
+    private ensureCurrentDirectRouteOwner;
+    private reconcileDirectRouteOwnership;
+    private resolvePeerByNodeId;
+    private listSupersededPrincipalRows;
+    private cleanupSupersededPrincipalRows;
+    private getCachedOrDurablePeerSigningKey;
+    ensureNativeRuntimeAvailable(): Promise<void>;
+    private refreshExternalEndpointFromSharedSocket;
+    /**
+     * Resolve a unique peer name — disambiguates if the proposed name collides
+     * with our own identity or an existing peer with a different signing key.
+     * Returns the original name if no collision, or "name-<8hex>" if collision.
+     */
+    resolveUniquePeerName(proposedName: string, signingPublicKey: string): string;
+    private _disambiguateName;
+    private matchesPeerNodeIdClaim;
+    private matchesDeliveryAckNodeId;
+    /** Stage signing-key material through the runtime-owned peer identity boundary. */
+    stagePendingPeerSigningKey(input: {
+        nodeId: NodeId;
+        peerPublicKey: PeerTransportId;
+        displayNameSnapshot: string;
+        signingPublicKey: string;
+    }): void;
+    /** Stage a direct-pair peer through the runtime-owned pending_verification transition. */
+    applyDirectPairActivation(input: {
+        nodeId: NodeId;
+        displayNameSnapshot: string;
+        peerPublicKey: PeerTransportId;
+        signingPublicKey: string;
+        transportEndpoint: TransportEndpointAdvertisement;
+        controlEndpoint: ControlEndpointAdvertisement;
+        presharedKey: string;
+    }): Promise<void>;
+    /** Get all known peer signing keys keyed by durable peer principal id. */
+    getAllPeerSigningKeysByPrincipal(): Map<NodeId, string>;
+    /**
+     * Activate a peer that is in pending_verification status.
+     *
+     * Called after the first successfully verified signed message from the peer.
+     * Updates the peer's status to "active" in PeerRegistry and invokes the
+     * onPeerActivated callback so the runtime can durably persist the peer's
+     * verified signing identity.
+     *
+     * Idempotent: no-op if the peer is already active.
+     */
+    activatePendingPeer(nodeId: NodeId): void;
+    /** Initialize the network — ensure config exists, load peers */
+    initialize(): Promise<NetworkConfig>;
+    /** Get the current network config */
+    getConfig(): NetworkConfig | null;
+    get localNodeId(): NodeId | undefined;
+    get localControlEndpoint(): ControlEndpointAdvertisement | undefined;
+    /** Get our own local display snapshot through the runtime boundary. */
+    getLocalDisplayNameSnapshot(): string | undefined;
+    setLocalDisplayNameSnapshot(name: string): void;
+    setLocalNodeId(nodeId: NodeId): void;
+    setLocalControlEndpoint(controlEndpoint: ControlEndpointAdvertisement | undefined): void;
+    /**
+     * Update the external endpoint (called when STUN refresh detects a change).
+     * Persists to disk so the new endpoint survives restarts.
+     */
+    updateExternalEndpoint(address: string, port: number): void;
+    /**
+     * Set the coordination server URL (persisted to disk).
+     */
+    setCoordinationUrl(url: string): void;
+    /**
+     * Set the DERP relay server URL (persisted to disk).
+     */
+    setRelayUrl(url: string): void;
+    /** Persist current config to disk */
+    private persistConfig;
+    /**
+     * Compute deterministic complementary tunnel IPs from key ordering.
+     *
+     * Both peers must agree on who is .1 and who is .2. We use lexicographic
+     * ordering of public keys: the smaller key gets 10.0.0.1, the larger gets
+     * 10.0.0.2. This ensures Alice.selfIp === Bob.peerIp and vice versa,
+     * making the tunnel functional in both directions.
+     */
+    private computePeerIps;
+    /** Start a SecureTunnel for a registered peer by durable node identity. */
+    startTunnel(nodeId: NodeId): Promise<void>;
+    /** Transport-internal tunnel startup by transport key. */
+    private startTunnelByTransportKey;
+    /** Stop and remove a tunnel for a peer by durable node identity. */
+    stopTunnel(nodeId: NodeId): void;
+    /** Transport-internal tunnel shutdown by transport key. */
+    private stopTunnelByTransportKey;
+    /** Compatibility surface for the typed network manager ref: revoke by durable peer principal. */
+    revokePeer(nodeId: NodeId): boolean;
+    /** Get a tunnel by durable peer identity (for testing/inspection). */
+    getTunnel(nodeId: NodeId): ResilientTunnel | undefined;
+    /** Get the number of active tunnels */
+    get activeTunnelCount(): number;
+    /** Generate an invite token for a new peer */
+    protected resolveLocalInviteEndpoint(): {
+        address: string;
+        port: number;
+    } | null;
+    invite(displayNameSnapshot?: string, options?: number | {
+        durationMs?: number;
+        controlEndpoint: ControlEndpointAdvertisement;
+        nodeId?: NodeId;
+        caCert?: string;
+        transportHostOverride?: string;
+    }): {
+        token: string;
+        psk: string;
+    };
+    /** Accept an invite from another ARIA instance */
+    acceptInvite(token: string, options?: string | {
+        nodeId?: NodeId;
+        displayNameSnapshot?: string;
+        controlEndpoint?: ControlEndpointAdvertisement;
+    }): Promise<PeerInfo>;
+    /**
+     * Complete the join process — upgrade a pending peer to active with real credentials.
+     *
+     * Called by the leader when a peer POSTs its credentials back after accepting an invite.
+     * Removes the pending placeholder entry and registers the real peer with its actual
+     * WireGuard public key, signing key, and endpoint.
+     */
+    completeJoin(params: {
+        nodeId: NodeId;
+        principalFingerprint: PrincipalFingerprint;
+        peerPublicKey: PeerTransportId;
+        peerSigningKey: string;
+        peerTransportEndpoint: TransportEndpointAdvertisement;
+        peerControlEndpoint: ControlEndpointAdvertisement;
+        displayNameSnapshot?: string;
+        inviteTokenNonce: string;
+    }): Promise<{
+        effectiveName: string;
+    }>;
+    /** Record a heartbeat from a peer principal (updates last_handshake timestamp) */
+    heartbeat(nodeId: NodeId): boolean;
+    /**
+     * Apply a register/reconcile mutation by durable peer identity.
+     *
+     * This centralizes the peer-state checks that used to be reimplemented
+     * route-by-route using mutable display names.
+     */
+    applyPeerRegistration(input: {
+        nodeId: NodeId;
+        endpointHost?: string;
+        endpointPort?: number;
+        endpointRevision?: number;
+    }): NetworkPeerRegistrationResultRef | NetworkPeerRegistrationFailureRef;
+    /** Revoke a peer's access */
+    revoke(nodeId: NodeId): boolean;
+    applyPeerRevocation(input: {
+        nodeId: NodeId;
+        fingerprint?: PrincipalFingerprint;
+    }): NetworkPeerRevocationResultRef | NetworkPeerRevocationFailureRef;
+    /** List all peers */
+    listPeers(): PeerInfo[];
+    listPendingInvites(): Array<{
+        inviteId: string;
+        inviteLabel?: string;
+        createdAt: number;
+        expiresAt: number | null;
+    }>;
+    cancelInvite(inviteId: string): boolean;
+    /**
+     * Update a peer's endpoint in the registry by durable peer identity.
+     *
+     * Called when a peer's STUN-discovered IP changes and is reported via
+     * the coordination server's POST /register endpoint.
+     */
+    updatePeerEndpoint(nodeId: NodeId, host: string, port: number, endpointRevision: number): void;
+    /**
+     * Apply a transport-only repair mutation by durable peer identity.
+     *
+     * This is the authoritative mutation boundary for operator-driven endpoint
+     * repair. It shares the same identity-state gate as register/discovery but
+     * does not manufacture a heartbeat side effect.
+     */
+    applyPeerRepair(input: {
+        nodeId: NodeId;
+        endpointHost: string;
+        endpointPort: number;
+        endpointRevision: number;
+    }): NetworkPeerRepairResultRef | NetworkPeerRepairFailureRef;
+    /**
+     * Apply a transport endpoint projection after a NodeId-owned caller has already
+     * resolved the authoritative remote actor. Transport keys stay internal here.
+     */
+    private applyEndpointProjectionByTransportKey;
+    /**
+     * Get the relay transport for a peer (if using DERP relay fallback).
+     * Returns the same { send } interface as tunnel transports for Mailbox compatibility.
+     */
+    getRelayTransport(peerPublicKey: string): {
+        send: (data: Buffer) => void;
+    } | undefined;
+    /**
+     * Set up a DERP relay fallback for a peer.
+     *
+     * Called when a direct tunnel dies (MAX_RECONNECT_ATTEMPTS exhausted).
+     * Creates a DerpRelay connection and registers it as a transport.
+     * Periodically attempts to re-establish the direct tunnel via lightweight probe.
+     */
+    setupRelayFallback(peerPublicKey: string, relay: {
+        send: (data: Buffer) => void;
+        disconnect: () => void;
+    }): Promise<void>;
+    /**
+     * Schedule a lightweight probe to check if direct tunnel is possible.
+     * Uses exponential backoff: 5min → 10min → 20min → cap at 30min.
+     * On success, tears down relay and restores direct tunnel.
+     */
+    private scheduleUpgradeProbe;
+    /**
+     * Lightweight probe: create a temporary SecureTunnel, wait 5s for handshake.
+     * Returns true if peer is directly reachable, false otherwise.
+     * Does NOT create a persistent tunnel — just checks connectivity.
+     */
+    private probeDirectConnection;
+    /** Tear down relay for a peer and notify listeners */
+    private tearDownRelay;
+    /** Reset relay upgrade backoff (call when STUN detects endpoint change) */
+    resetRelayUpgradeBackoff(): void;
+    /** Shut down all tunnels, relays, and clean up resources */
+    shutdown(): Promise<void>;
+    /** Get network status */
+    status(): {
+        configured: boolean;
+        nodeId: NodeId | null;
+        publicKey: PeerTransportId | null;
+        listenPort: number | null;
+        externalEndpoint: {
+            address: string;
+            port: number;
+        } | null;
+        activePeers: number;
+        totalPeers: number;
+        activeTunnels: number;
+        connectedPeers: number;
+        handshakingPeers: number;
+        queueOnlyPeers: number;
+        supersededPeers: number;
+        signingPublicKey: string | null;
+    };
+    /** Handle an incoming control request from a peer through the WG tunnel. */
+    private handleControlRequest;
+    /** Pending peer list responses from control requests we sent, keyed by peer transport identity. */
+    private pendingPeerListCallbacks;
+    /** Handle a control response from a peer (response to our request). */
+    private handleControlResponse;
+    private resolvePeerPrincipalId;
+    private getDurablePeerSigningKey;
+    private getPeerSigningFingerprintByPublicKey;
+    /**
+     * Request the peer list from a remote peer through the WG tunnel.
+     * Returns a promise that resolves with the peer list or rejects on timeout.
+     */
+    requestPeerListViaTunnel(peerPublicKey: string, timeoutMs?: number): Promise<PeerInfo[]>;
+    /**
+     * Send a heartbeat through the WG tunnel to a peer.
+     * This is usually unnecessary — WG handshake timestamps track liveness —
+     * but can be used for application-layer keepalive.
+     */
+    sendHeartbeatViaTunnel(peerPublicKey: string): void;
+}
+//# sourceMappingURL=network.d.ts.map