@decentnetwork/lan 0.1.0 → 0.1.3

package/dist/cli/commands.d.ts

@@ -104,6 +104,31 @@ export declare function cmdFriendAccept(args: {
 export declare function cmdFriendsList(args: {
     configDir?: string;
 }): Promise<void>;
+/**
+ * List queued friend-requests held by the running daemon (the ones
+ * received while `friends.autoAccept` was false). Goes over IPC —
+ * the daemon must be up.
+ */
+export declare function cmdFriendsPending(args: {
+    configDir?: string;
+}): Promise<void>;
+/**
+ * Accept a queued friend-request by userid. Routes through IPC;
+ * the daemon's own Carrier peer does the actual acceptFriendRequest
+ * call and drops the entry from disk. No daemon shutdown needed.
+ */
+export declare function cmdFriendsAccept(args: {
+    userid: string;
+    configDir?: string;
+}): Promise<void>;
+/**
+ * Drop a queued friend-request without accepting. Sender doesn't
+ * get a notification — they just see no acceptance.
+ */
+export declare function cmdFriendsReject(args: {
+    userid: string;
+    configDir?: string;
+}): Promise<void>;
 /**
  * Show audit log
  */
@@ -198,12 +223,20 @@ export declare function cmdDiag(args: {
     configDir?: string;
 }): Promise<void>;
 /**
- * Enable dora integration and add a dora server's userid to the
- * registry list. Subsequent `agentnet up` runs will register with
- * dora to get a virtual IP and fetch the peer roster automatically.
+ * Enable dora integration. Accepts either `--address` (preferred — the
+ * full Carrier address of the dora server; we derive its userid and
+ * also send the one-time friend-request automatically) or `--userid`
+ * (legacy — expects the operator to have already friended the server).
+ *
+ * The one-shot `--address` path is the right UX: an operator setting
+ * up a fresh node only knows "use this dora server, here's its
+ * address" — they shouldn't have to know that dora is also a Carrier
+ * peer, that they need to friend it first, or what the difference
+ * between userid and address is.
  */
 export declare function cmdDoraEnable(args: {
-    userid: string;
+    address?: string;
+    userid?: string;
     configDir?: string;
 }): Promise<void>;
 /**

package/dist/cli/commands.js

@@ -405,8 +405,15 @@ export async function cmdFriendRequest(args) {
     const waitMs = args.waitMs ?? 30000;
     console.log(`Waiting ${waitMs}ms for relay delivery...`);
     await new Promise((r) => setTimeout(r, waitMs));
+    const myPubkey = peer.pubkey();
+    const myUserid = peer.userid();
     await peer.stop();
-    console.log(`Friend request sent. The recipient must run 'agentnet friend-accept --pubkey ${peer.pubkey()}'.`);
+    console.log(`Friend request sent.`);
+    console.log(`If the recipient's daemon is running with friends.autoAccept (the default), it has already accepted —`);
+    console.log(`no action needed on their side. They can confirm with 'agentnet diag' and look for userid ${myUserid}.`);
+    console.log(`If their daemon was offline, the request is queued via the express relay; their daemon will`);
+    console.log(`pick it up on next start (and still auto-accept). Only run 'agentnet friend-accept --pubkey ${myPubkey}'`);
+    console.log(`manually if their daemon is down AND they've disabled autoAccept.`);
 }
 /**
  * Accept a pending friend request.
@@ -500,10 +507,10 @@ export async function cmdFriendsList(args) {
     for (const friend of friends) {
         console.log(``);
         console.log(`  ${friend.name || "(unnamed)"}  status=${friend.status}`);
-        console.log(`    pubkey:  ${friend.pubkey}`);
-        if (friend.userid && friend.userid !== friend.pubkey) {
-            console.log(`    userid:  ${friend.userid}`);
-        }
+        // userid is Carrier's first-class identifier; show that, hide
+        // the raw hex pubkey unless someone explicitly needs it.
+        const userid = friend.userid && friend.userid !== friend.pubkey ? friend.userid : friend.pubkey;
+        console.log(`    userid:  ${userid}`);
         if (friend.address)
             console.log(`    address: ${friend.address}`);
         if (friend.acceptedAt)
@@ -511,6 +518,69 @@ export async function cmdFriendsList(args) {
     }
     await peer.stop();
 }
+/**
+ * List queued friend-requests held by the running daemon (the ones
+ * received while `friends.autoAccept` was false). Goes over IPC —
+ * the daemon must be up.
+ */
+export async function cmdFriendsPending(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    if (daemonPid(config) === null) {
+        throw new Error("Daemon not running — pending friend-requests are held by the daemon. Start it with 'agentnet up' first.");
+    }
+    const res = await ipcCall(config, { op: "friends-pending" });
+    if (!res.ok)
+        throw new Error(`Daemon refused: ${res.error}`);
+    const list = res.data?.pending ?? [];
+    if (list.length === 0) {
+        console.log("No pending friend-requests.");
+        return;
+    }
+    console.log(`Pending friend-requests (${list.length}):`);
+    for (const e of list) {
+        console.log("");
+        console.log(`  ${e.name || "(unnamed)"}`);
+        console.log(`    userid:  ${e.userid}`);
+        if (e.hello)
+            console.log(`    hello:   ${e.hello}`);
+        console.log(`    arrived: ${e.arrivedAt}`);
+    }
+    console.log("");
+    console.log("Accept with:  agentnet friends accept --userid <USERID>");
+    console.log("Reject with:  agentnet friends reject --userid <USERID>");
+}
+/**
+ * Accept a queued friend-request by userid. Routes through IPC;
+ * the daemon's own Carrier peer does the actual acceptFriendRequest
+ * call and drops the entry from disk. No daemon shutdown needed.
+ */
+export async function cmdFriendsAccept(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    if (daemonPid(config) === null) {
+        throw new Error("Daemon not running. Start it with 'agentnet up' first — pending friend-requests are managed by the live daemon.");
+    }
+    const res = await ipcCall(config, { op: "friends-accept", userid: args.userid });
+    if (!res.ok)
+        throw new Error(`Daemon refused: ${res.error}`);
+    console.log(`Accepted ${args.userid}.`);
+}
+/**
+ * Drop a queued friend-request without accepting. Sender doesn't
+ * get a notification — they just see no acceptance.
+ */
+export async function cmdFriendsReject(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    if (daemonPid(config) === null) {
+        throw new Error("Daemon not running. Start it with 'agentnet up' first.");
+    }
+    const res = await ipcCall(config, { op: "friends-reject", userid: args.userid });
+    if (!res.ok)
+        throw new Error(`Daemon refused: ${res.error}`);
+    console.log(`Rejected ${args.userid}.`);
+}
 /**
  * Show audit log
  */
@@ -861,27 +931,75 @@ export async function cmdDiag(args) {
     console.log(JSON.stringify(res.data, null, 2));
 }
 /**
- * Enable dora integration and add a dora server's userid to the
- * registry list. Subsequent `agentnet up` runs will register with
- * dora to get a virtual IP and fetch the peer roster automatically.
+ * Enable dora integration. Accepts either `--address` (preferred — the
+ * full Carrier address of the dora server; we derive its userid and
+ * also send the one-time friend-request automatically) or `--userid`
+ * (legacy — expects the operator to have already friended the server).
+ *
+ * The one-shot `--address` path is the right UX: an operator setting
+ * up a fresh node only knows "use this dora server, here's its
+ * address" — they shouldn't have to know that dora is also a Carrier
+ * peer, that they need to friend it first, or what the difference
+ * between userid and address is.
  */
 export async function cmdDoraEnable(args) {
+    if (!args.address && !args.userid) {
+        throw new Error("Need one of --address (preferred) or --userid");
+    }
+    // Derive userid from address when given an address. Address format:
+    // base58(pubkey || nospam || checksum); userid: base58(pubkey).
+    let userid = args.userid;
+    if (args.address) {
+        const { carrierIdFromAddress } = await import("@decentnetwork/peer");
+        try {
+            userid = carrierIdFromAddress(args.address);
+        }
+        catch (err) {
+            throw new Error(`--address didn't parse as a Carrier address: ${err instanceof Error ? err.message : err}`);
+        }
+    }
     const dir = args.configDir || ConfigLoader.defaultConfigDir();
     const configPath = resolve(dir, "config.yaml");
     const config = await ConfigLoader.load(configPath);
+    // Send the friend-request first when we have an address. We route
+    // it via the daemon's IPC if it's running, or fall back to a
+    // standalone short-lived Peer when it isn't (same logic as
+    // cmdFriendRequest).
+    if (args.address) {
+        console.log(`Friending dora server at ${args.address.slice(0, 24)}...`);
+        try {
+            await cmdFriendRequest({
+                address: args.address,
+                hello: "decentlan: enable dora",
+                waitMs: 8000,
+                configDir: args.configDir,
+            });
+        }
+        catch (err) {
+            // If the SDK already knows this address as an accepted friend
+            // it short-circuits — treat that as success, not failure.
+            const msg = err instanceof Error ? err.message : String(err);
+            if (!/already (accepted|a friend|friend)/i.test(msg)) {
+                console.warn(`(friend-request had a warning: ${msg})`);
+                console.warn(`Proceeding with config update anyway — re-run 'agentnet friend-request' later if you see "friend offline" in the daemon log.`);
+            }
+        }
+    }
     const existing = config.dora ?? { enabled: false, userids: [], refreshIntervalMs: 60_000 };
     const userids = new Set(existing.userids ?? []);
-    userids.add(args.userid);
+    userids.add(userid);
     config.dora = {
         enabled: true,
         userids: [...userids],
         refreshIntervalMs: existing.refreshIntervalMs ?? 60_000,
     };
     await ConfigLoader.save(config, configPath);
-    console.log(`Dora enabled. Server userid added: ${args.userid}`);
+    console.log(`Dora enabled. Server userid added: ${userid}`);
     console.log(`Total dora servers configured: ${config.dora.userids?.length}`);
-    console.log(`The dora server must be a Carrier friend — add it with 'agentnet friend-request' if you haven't.`);
-    console.log(`Restart the daemon to take effect.`);
+    if (!args.address) {
+        console.log(`Heads-up: passed --userid only; if you haven't friended the dora server, run 'agentnet friend-request --address <ADDRESS>' before starting the daemon.`);
+    }
+    console.log(`Restart the daemon (or just 'agentnet up') to take effect.`);
 }
 /**
  * Disable dora integration without losing the configured server list.

package/dist/cli/index.js

@@ -10,7 +10,7 @@ import { hideBin } from "yargs/helpers";
 // Belt-and-braces — also raise it here in case the CLI is run directly
 // (e.g. `node dist/cli/index.js` rather than via dist/index.js).
 EventEmitter.defaultMaxListeners = 100;
-import { cmdInit, cmdIdentityShow, cmdPeersList, cmdIpamAssign, cmdGrant, cmdRevoke, cmdResolve, cmdStatus, cmdUp, cmdAuditLog, cmdFriendRequest, cmdFriendAccept, cmdFriendsList, cmdProxyEnable, cmdProxyDisable, cmdProxyStatus, cmdProxyAllowHost, cmdProxyRevokeHost, cmdProxyListHosts, cmdProxyUse, cmdDoraEnable, cmdDoraDisable, cmdDoraStatus, cmdDiag, cmdDnsInstall, cmdDnsHosts, } from "./commands.js";
+import { cmdInit, cmdIdentityShow, cmdPeersList, cmdIpamAssign, cmdGrant, cmdRevoke, cmdResolve, cmdStatus, cmdUp, cmdAuditLog, cmdFriendRequest, cmdFriendAccept, cmdFriendsList, cmdFriendsPending, cmdFriendsAccept, cmdFriendsReject, cmdProxyEnable, cmdProxyDisable, cmdProxyStatus, cmdProxyAllowHost, cmdProxyRevokeHost, cmdProxyListHosts, cmdProxyUse, cmdDoraEnable, cmdDoraDisable, cmdDoraStatus, cmdDiag, cmdDnsInstall, cmdDnsHosts, } from "./commands.js";
 async function main() {
     await yargs(hideBin(process.argv))
         .scriptName("agentnet")
@@ -126,8 +126,21 @@ async function main() {
             configDir: argv["config-dir"],
         });
     })
-        .command("friends list", "List Carrier friends", (y) => y.option("config-dir", { type: "string" }), async (argv) => {
+        .command("friends list", "List Carrier friends (daemon must be down)", (y) => y.option("config-dir", { type: "string" }), async (argv) => {
         await cmdFriendsList({ configDir: argv["config-dir"] });
+    })
+        .command("friends pending", "List queued friend-requests (over IPC; daemon must be up)", (y) => y.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdFriendsPending({ configDir: argv["config-dir"] });
+    })
+        .command("friends accept", "Accept a queued friend-request by userid (over IPC; daemon stays up)", (y) => y
+        .option("userid", { type: "string", demandOption: true, describe: "Sender's Carrier userid (base58)" })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdFriendsAccept({ userid: argv.userid, configDir: argv["config-dir"] });
+    })
+        .command("friends reject", "Drop a queued friend-request by userid (over IPC; daemon stays up)", (y) => y
+        .option("userid", { type: "string", demandOption: true })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdFriendsReject({ userid: argv.userid, configDir: argv["config-dir"] });
     })
         .command("audit log", "View audit log", (y) => y.option("tail", { type: "number", default: 50 }).option("config-dir", { type: "string" }), async (argv) => {
         await cmdAuditLog({ tail: argv.tail, configDir: argv["config-dir"] });
@@ -170,10 +183,21 @@ async function main() {
         // parent handler — never invoked because demandCommand above
     })
         .command("dora", "Manage the dora (DHCP-style) registry integration (run 'agentnet dora --help')", (y) => y
-        .command("enable", "Enable dora and register a server's Carrier userid", (yy) => yy
-        .option("userid", { type: "string", demandOption: true, describe: "Dora server's Carrier userid" })
-        .option("config-dir", { type: "string" }), async (argv) => {
-        await cmdDoraEnable({ userid: argv.userid, configDir: argv["config-dir"] });
+        .command("enable", "Enable dora — preferred: --address <addr> (we friend + derive userid); legacy: --userid <id>", (yy) => yy
+        .option("address", { type: "string", describe: "Dora server's full Carrier address — friends it and derives the userid for you" })
+        .option("userid", { type: "string", describe: "Legacy: server's userid; only use if you've already friended it separately" })
+        .option("config-dir", { type: "string" })
+        .check((argv) => {
+        if (!argv.address && !argv.userid) {
+            throw new Error("Need one of --address (preferred) or --userid");
+        }
+        return true;
+    }), async (argv) => {
+        await cmdDoraEnable({
+            address: argv.address,
+            userid: argv.userid,
+            configDir: argv["config-dir"],
+        });
     })
         .command("disable", "Disable dora integration (keep configured server list)", (yy) => yy.option("config-dir", { type: "string" }), async (argv) => {
         await cmdDoraDisable({ configDir: argv["config-dir"] });

package/dist/daemon/ipc.d.ts

@@ -29,11 +29,22 @@ export interface IpcHandlers {
      *  Used by `agentnet diag` to inspect a live daemon without
      *  restarting it with AGENTNET_LOG_LEVEL=debug. */
     diag: () => Promise<Record<string, unknown>>;
+    /** List queued friend-requests that arrived while autoAccept was
+     *  off. Returns an array of {userid, name, hello, arrivedAt}. */
+    friendsPending: () => Promise<Record<string, unknown>>;
+    /** Accept a queued friend-request by userid. Drops it from the
+     *  queue and calls peer.acceptFriendRequest. Idempotent — no-op
+     *  if userid isn't in the queue. */
+    friendsAccept: (userid: string) => Promise<void>;
+    /** Reject (drop) a queued friend-request by userid. Doesn't
+     *  notify the sender — they'll just see no acceptance. */
+    friendsReject: (userid: string) => Promise<void>;
 }
 export interface IpcRequest {
-    op: "friend-request" | "ping" | "diag";
+    op: "friend-request" | "ping" | "diag" | "friends-pending" | "friends-accept" | "friends-reject";
     address?: string;
     hello?: string;
+    userid?: string;
 }
 export interface IpcResponseOk {
     ok: true;

package/dist/daemon/ipc.js

@@ -130,6 +130,20 @@ export class IpcServer {
             }
             case "diag":
                 return await this.handlers.diag();
+            case "friends-pending":
+                return await this.handlers.friendsPending();
+            case "friends-accept": {
+                if (!req.userid)
+                    throw new Error("userid is required");
+                await this.handlers.friendsAccept(req.userid);
+                return;
+            }
+            case "friends-reject": {
+                if (!req.userid)
+                    throw new Error("userid is required");
+                await this.handlers.friendsReject(req.userid);
+                return;
+            }
             default:
                 throw new Error(`unknown op: ${req.op}`);
         }

package/dist/daemon/pending-friends.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Pending-friend-request store.
+ *
+ * When `friends.autoAccept` is false (or for any other reason the
+ * operator wants to gate inbound friend requests), the daemon must
+ * NOT block the running session waiting for a CLI dance. It buffers
+ * each incoming request to disk and exposes IPC ops so an operator
+ * can list / accept / reject them on their own time, without
+ * stopping the daemon. Lost-on-restart pending requests would be
+ * frustrating, so the queue is persisted.
+ *
+ * File format: a single JSON array under
+ * `<configDir>/pending-friends.json`. Each entry is the same shape
+ * the SDK emits in the friend-request event, plus an arrivedAt
+ * timestamp.
+ */
+export interface PendingFriendEntry {
+    /** Carrier userid (base58, same 32 pubkey bytes as the hex form
+     *  the SDK emits — we store the userid form because that's what
+     *  every user-facing surface uses). */
+    userid: string;
+    /** Hex pubkey, kept for compatibility with SDK calls that expect
+     *  that form (acceptFriendRequest takes the pubkey/userid string
+     *  the original event carried). */
+    pubkey: string;
+    name?: string;
+    hello?: string;
+    /** ISO 8601 timestamp; helps operators triage queues of pending
+     *  requests. */
+    arrivedAt: string;
+}
+export declare class PendingFriendsStore {
+    private filePath;
+    private logger;
+    private entries;
+    constructor(filePath: string);
+    private load;
+    private save;
+    list(): PendingFriendEntry[];
+    /**
+     * Add (or replace) a pending request. The same userid arriving
+     * twice replaces the older entry — operators see the latest
+     * `hello` / `name` / `arrivedAt`, never a stale duplicate.
+     */
+    add(entry: PendingFriendEntry): void;
+    /**
+     * Drop an entry by userid. Returns the removed entry (so the
+     * caller has the original pubkey to pass to the SDK's
+     * acceptFriendRequest), or null if not present.
+     */
+    remove(userid: string): PendingFriendEntry | null;
+}

package/dist/daemon/pending-friends.js

@@ -0,0 +1,80 @@
+/**
+ * Pending-friend-request store.
+ *
+ * When `friends.autoAccept` is false (or for any other reason the
+ * operator wants to gate inbound friend requests), the daemon must
+ * NOT block the running session waiting for a CLI dance. It buffers
+ * each incoming request to disk and exposes IPC ops so an operator
+ * can list / accept / reject them on their own time, without
+ * stopping the daemon. Lost-on-restart pending requests would be
+ * frustrating, so the queue is persisted.
+ *
+ * File format: a single JSON array under
+ * `<configDir>/pending-friends.json`. Each entry is the same shape
+ * the SDK emits in the friend-request event, plus an arrivedAt
+ * timestamp.
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { dirname } from "path";
+import { Logger } from "../utils/logger.js";
+export class PendingFriendsStore {
+    filePath;
+    logger;
+    entries = [];
+    constructor(filePath) {
+        this.filePath = filePath;
+        this.logger = new Logger({ prefix: "PendingFriends" });
+        this.load();
+    }
+    load() {
+        if (!existsSync(this.filePath))
+            return;
+        try {
+            const raw = readFileSync(this.filePath, "utf-8");
+            const parsed = JSON.parse(raw);
+            if (Array.isArray(parsed)) {
+                this.entries = parsed.filter((e) => typeof e === "object" &&
+                    e !== null &&
+                    typeof e.userid === "string");
+            }
+        }
+        catch (err) {
+            this.logger.warn(`Could not parse ${this.filePath}: ${err}`);
+        }
+    }
+    save() {
+        try {
+            mkdirSync(dirname(this.filePath), { recursive: true });
+            writeFileSync(this.filePath, JSON.stringify(this.entries, null, 2), "utf-8");
+        }
+        catch (err) {
+            this.logger.warn(`Could not write ${this.filePath}: ${err}`);
+        }
+    }
+    list() {
+        return [...this.entries];
+    }
+    /**
+     * Add (or replace) a pending request. The same userid arriving
+     * twice replaces the older entry — operators see the latest
+     * `hello` / `name` / `arrivedAt`, never a stale duplicate.
+     */
+    add(entry) {
+        this.entries = this.entries.filter((e) => e.userid !== entry.userid);
+        this.entries.push(entry);
+        this.save();
+    }
+    /**
+     * Drop an entry by userid. Returns the removed entry (so the
+     * caller has the original pubkey to pass to the SDK's
+     * acceptFriendRequest), or null if not present.
+     */
+    remove(userid) {
+        const idx = this.entries.findIndex((e) => e.userid === userid);
+        if (idx < 0)
+            return null;
+        const [removed] = this.entries.splice(idx, 1);
+        this.save();
+        return removed;
+    }
+}

package/dist/daemon/server.d.ts

@@ -32,6 +32,7 @@ export declare class DaemonServer {
     private doraIntegration?;
     private ipcServer?;
     private dnsServer?;
+    private pendingFriends?;
     private startedAt;
     private isRunning;
     private pidFile?;

package/dist/daemon/server.js

@@ -16,6 +16,7 @@ import { ConnectProxy } from "../proxy/connect-proxy.js";
 import { DoraIntegration } from "../dora/dora-integration.js";
 import { DnsServer } from "../dns/server.js";
 import { IpcServer, ipcSocketPath } from "./ipc.js";
+import { PendingFriendsStore } from "./pending-friends.js";
 import { Logger } from "../utils/logger.js";
 export class DaemonServer {
     config;
@@ -35,6 +36,7 @@ export class DaemonServer {
     doraIntegration;
     ipcServer;
     dnsServer;
+    pendingFriends;
     startedAt = 0;
     isRunning = false;
     pidFile;
@@ -107,6 +109,31 @@ export class DaemonServer {
                 friendRequest: async (address, hello) => {
                     await this.peerManager.sendFriendRequest(address, hello);
                 },
+                friendsPending: async () => {
+                    const entries = this.pendingFriends?.list() ?? [];
+                    // Hide the legacy hex `pubkey` field from the wire — the
+                    // CLI side only needs userid + metadata to display + accept.
+                    return {
+                        pending: entries.map((e) => ({
+                            userid: e.userid,
+                            name: e.name,
+                            hello: e.hello,
+                            arrivedAt: e.arrivedAt,
+                        })),
+                    };
+                },
+                friendsAccept: async (userid) => {
+                    const entry = this.pendingFriends?.remove(userid);
+                    if (!entry)
+                        throw new Error(`No pending friend-request for userid ${userid}`);
+                    await this.peerManager.acceptFriendRequest(entry.pubkey);
+                },
+                friendsReject: async (userid) => {
+                    const entry = this.pendingFriends?.remove(userid);
+                    if (!entry)
+                        throw new Error(`No pending friend-request for userid ${userid}`);
+                    // No-op at the Carrier level — sender just sees no acceptance.
+                },
                 diag: async () => {
                     // Snapshot of everything an operator needs to debug why
                     // packets aren't moving: forwarding counters, friend
@@ -188,24 +215,49 @@ export class DaemonServer {
                 });
             }
             // Live friend-request handling. The daemon stays up and accepts
-            // (or just logs) incoming requests — no more `friend-accept --wait`
-            // ceremony where the operator has to stop the daemon. Default is
-            // auto-accept; the Carrier friend store IS the trust boundary, and
-            // requests only reach a peer whose address was deliberately shared.
+            // (or queues) every incoming request — no `friend-accept --wait`
+            // ceremony where the operator has to stop the daemon. Default
+            // is auto-accept; the Carrier friend store IS the trust
+            // boundary, and requests only reach a peer whose address was
+            // deliberately shared.
+            //
+            // When autoAccept is off, the request is persisted to
+            // pending-friends.json on disk. The operator inspects/handles
+            // it later via the IPC-routed CLI:
+            //   agentnet friends pending
+            //   agentnet friends accept --userid <userid>
+            //   agentnet friends reject --userid <userid>
+            // Pending requests survive daemon restarts.
             const autoAcceptFriends = this.config.friends?.autoAccept ?? true;
+            const pendingPath = resolve(this.config.carrier.dataDir, "..", "pending-friends.json");
+            this.pendingFriends = new PendingFriendsStore(pendingPath);
+            const pubkeyHexToUserid = async (pubkeyHex) => {
+                const { carrierIdFromPublicKey } = await import("@decentnetwork/peer");
+                const bytes = Buffer.from(pubkeyHex, "hex");
+                return carrierIdFromPublicKey(new Uint8Array(bytes));
+            };
             this.peerManager.on("friend-request", (req) => {
-                const who = `${req.name || "(unnamed)"} ${req.pubkey.slice(0, 16)}...`;
-                const hello = req.hello ? ` hello="${req.hello.slice(0, 60)}"` : "";
-                if (autoAcceptFriends) {
-                    this.logger.info(`Friend request from ${who}${hello} — auto-accepting`);
-                    this.peerManager?.acceptFriendRequest(req.pubkey).catch((err) => {
-                        this.logger.warn(`Auto-accept failed for ${who}: ${err}`);
-                    });
-                }
-                else {
-                    this.logger.info(`Friend request from ${who}${hello} — NOT auto-accepting ` +
-                        `(friends.autoAccept=false; accept manually later)`);
-                }
+                void pubkeyHexToUserid(req.pubkey).then((userid) => {
+                    const who = `${req.name || "(unnamed)"} ${userid}`;
+                    const hello = req.hello ? ` hello="${req.hello.slice(0, 60)}"` : "";
+                    if (autoAcceptFriends) {
+                        this.logger.info(`Friend request from ${who}${hello} — auto-accepting`);
+                        this.peerManager?.acceptFriendRequest(req.pubkey).catch((err) => {
+                            this.logger.warn(`Auto-accept failed for ${who}: ${err}`);
+                        });
+                    }
+                    else {
+                        this.logger.info(`Friend request from ${who}${hello} — queued (friends.autoAccept=false). ` +
+                            `Run 'agentnet friends pending' to triage.`);
+                        this.pendingFriends?.add({
+                            userid,
+                            pubkey: req.pubkey,
+                            name: req.name,
+                            hello: req.hello,
+                            arrivedAt: new Date().toISOString(),
+                        });
+                    }
+                });
             });
             // NOTE: auto-IPAM (hash-derived virtual IP per userid) was tried and
             // reverted — it produced IPs like 10.86.175.35 that conflicted with

package/docs/INSTALL.md

@@ -41,17 +41,20 @@ agentnet --help
 # 1. Generate this machine's Carrier identity + default config
 agentnet init --name my-laptop
 
-# 2. (Once per network) friend the dora name server.
-#    Get the address from whoever runs dora.
-agentnet friend-request --address Jt7w1pKkyLT5GVue9h6ZPkjg1EeuuTbD6JVSLycXLsdm6nvBGSUd
+# 2. Point at the dora name server. Pass the FULL ADDRESS (whoever
+#    runs dora publishes it). This one command friends dora,
+#    derives its userid, and writes the config — no separate
+#    friend-request step needed.
+agentnet dora enable --address <dora's Carrier address>
 
-# 3. Tell decentlan to use that dora server
-agentnet dora enable --userid 98rsHv17h8G6AP9RagyrBiT1kmw4cn8MFPEembS6ZVjv
-
-# 4. Start the daemon (needs sudo for the TUN device)
+# 3. Start the daemon (needs sudo for the TUN device)
 sudo $(which agentnet) up --real-tun
 ```
 
+Three commands, no "userid vs address" gymnastics. The daemon will
+register with dora, pull the roster, and auto-friend every other
+peer in the network.
+
 The daemon will:
 
 1. Open a Carrier connection

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decentnetwork/lan",
-  "version": "0.1.0",
+  "version": "0.1.3",
   "description": "Private virtual LAN for self-hosted services and AI agents, built on Elastos Carrier. NAT-traversal, name service, ACL, all over a peer-to-peer mesh — no public IP required.",
   "type": "module",
   "main": "./dist/index.js",