@decentnetwork/lan 0.1.0

package/dist/ipam/ipam.js

@@ -0,0 +1,254 @@
+/**
+ * IPAM - IP Address Management
+ * Maps Carrier IDs to virtual IPs, hostnames, and services
+ */
+import { readFileSync, writeFileSync, mkdirSync } from "fs";
+import { dirname } from "path";
+import { createHash } from "crypto";
+import yaml from "js-yaml";
+import { Logger } from "../utils/logger.js";
+export class Ipam {
+    config;
+    filePath;
+    logger;
+    ipCache = new Map(); // IP -> Record
+    idCache = new Map(); // Carrier ID -> Record
+    nameCache = new Map(); // Name -> Record
+    constructor(config, filePath) {
+        this.config = config;
+        this.filePath = filePath;
+        this.logger = new Logger({ prefix: "IPAM" });
+        this.rebuildCache();
+    }
+    static async load(filePath) {
+        try {
+            const content = readFileSync(filePath, "utf-8");
+            const config = yaml.load(content);
+            return new Ipam(config, filePath);
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes("ENOENT")) {
+                throw new Error(`IPAM file not found: ${filePath}`);
+            }
+            throw error;
+        }
+    }
+    static async loadOrCreate(filePath, namespace = "agentnet-main") {
+        try {
+            return await Ipam.load(filePath);
+        }
+        catch (error) {
+            const logger = new Logger({ prefix: "IPAM" });
+            logger.info(`Creating new IPAM file: ${filePath}`);
+            const config = {
+                namespace,
+                peers: [],
+            };
+            const ipam = new Ipam(config, filePath);
+            await ipam.save();
+            return ipam;
+        }
+    }
+    /**
+     * Resolve hostname to virtual IP
+     */
+    resolveName(name) {
+        const record = this.nameCache.get(name);
+        return record ? record.virtualIp : null;
+    }
+    /**
+     * Resolve virtual IP to IpamRecord
+     */
+    resolveIp(ip) {
+        return this.ipCache.get(ip) || null;
+    }
+    /**
+     * Resolve Carrier ID to IpamRecord
+     */
+    resolveCarrierId(carrierId) {
+        return this.idCache.get(carrierId) || null;
+    }
+    /**
+     * Get all peers
+     */
+    getPeers() {
+        return this.config.peers;
+    }
+    /**
+     * Add or update a peer
+     */
+    assignPeer(record) {
+        // Remove existing peer with same name or ID
+        this.config.peers = this.config.peers.filter((p) => p.name !== record.name && p.carrierId !== record.carrierId);
+        // Add new record
+        this.config.peers.push(record);
+        this.rebuildCache();
+        this.logger.info(`Assigned peer: ${record.name} (${record.virtualIp}) -> ${record.carrierId}`);
+    }
+    /**
+     * Remove a peer by name or Carrier ID
+     */
+    removePeer(identifier) {
+        const initialLength = this.config.peers.length;
+        this.config.peers = this.config.peers.filter((p) => p.name !== identifier && p.carrierId !== identifier);
+        if (this.config.peers.length < initialLength) {
+            this.rebuildCache();
+            this.logger.info(`Removed peer: ${identifier}`);
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Check if IP is allocated
+     */
+    isIpAllocated(ip) {
+        return this.ipCache.has(ip);
+    }
+    /**
+     * Find next available IP in subnet
+     * Assumes subnet like "10.86.0.0/16"
+     */
+    findNextAvailableIp(subnet, start = "10.86.1.0") {
+        const allocated = new Set(Array.from(this.ipCache.keys()));
+        // Parse start IP
+        const parts = start.split(".");
+        let octet4 = parseInt(parts[3], 10);
+        let octet3 = parseInt(parts[2], 10);
+        while (octet3 < 255) {
+            while (octet4 < 255) {
+                octet4++;
+                const candidate = `${parts[0]}.${parts[1]}.${octet3}.${octet4}`;
+                if (!allocated.has(candidate)) {
+                    return candidate;
+                }
+            }
+            octet3++;
+            octet4 = 0;
+        }
+        throw new Error(`No available IPs in subnet ${subnet}`);
+    }
+    /**
+     * Get service port for peer
+     */
+    getServicePort(peerName, serviceName) {
+        const record = this.nameCache.get(peerName);
+        if (!record) {
+            return null;
+        }
+        const service = record.services.find((s) => s.name === serviceName);
+        return service ? service.port : null;
+    }
+    /**
+     * Get all services for peer
+     */
+    getServices(peerName) {
+        const record = this.nameCache.get(peerName);
+        return record ? record.services : [];
+    }
+    /**
+     * Save IPAM config to file
+     */
+    async save() {
+        try {
+            const dir = dirname(this.filePath);
+            mkdirSync(dir, { recursive: true });
+            const content = yaml.dump(this.config, { lineWidth: -1 });
+            writeFileSync(this.filePath, content, "utf-8");
+            this.logger.info(`IPAM saved to ${this.filePath}`);
+        }
+        catch (error) {
+            this.logger.error(`Failed to save IPAM: ${error}`);
+            throw error;
+        }
+    }
+    /**
+     * Check if peer is expired
+     */
+    isExpired(peerName) {
+        const record = this.nameCache.get(peerName);
+        if (!record || !record.expiresAt) {
+            return false;
+        }
+        return Date.now() > record.expiresAt;
+    }
+    /**
+     * Deterministically derive a virtual IP from a Carrier userid, in the
+     * same style as ARP/DHCP-by-MAC: every peer computes the same IP for the
+     * same userid, so the network is consistent without manual coordination.
+     *
+     * Hash(userid)[0..1] → last two octets of 10.86.X.Y. Avoids x.0 and x.255.
+     * Returns the IP regardless of whether it's already in the IPAM.
+     */
+    static deterministicIpForUserid(userid) {
+        const hash = createHash("sha256").update(userid).digest();
+        // Avoid the .0 and .255 endpoints in each octet.
+        const octet3 = (hash[0] % 254) + 1; // 1..254
+        const octet4 = (hash[1] % 254) + 1; // 1..254
+        return `10.86.${octet3}.${octet4}`;
+    }
+    /**
+     * Ensure each friend has an IPAM record. Returns the number of new
+     * records added. Existing entries (manual or previously auto-assigned)
+     * are preserved.
+     *
+     * On collision (different userid hashes to an already-taken IP), walks
+     * the 4th octet until a free slot is found.
+     */
+    autoAssignFriends(friends, selfUserid) {
+        let added = 0;
+        for (const friend of friends) {
+            if (friend.pubkey === selfUserid)
+                continue; // skip ourselves
+            if (this.idCache.has(friend.pubkey))
+                continue; // already in IPAM
+            const baseIp = Ipam.deterministicIpForUserid(friend.pubkey);
+            let ip = baseIp;
+            const [, , o3str] = baseIp.split(".");
+            const o3 = parseInt(o3str, 10);
+            for (let attempt = 0; attempt < 254 && this.ipCache.has(ip); attempt++) {
+                const o4 = ((parseInt(baseIp.split(".")[3], 10) - 1 + attempt + 1) % 254) + 1;
+                ip = `10.86.${o3}.${o4}`;
+            }
+            this.config.peers.push({
+                // Use the short userid prefix as a stable, human-recognizable name.
+                // The operator can rename later via ipam assign.
+                name: friend.name && friend.name.trim() ? friend.name : `peer-${friend.pubkey.slice(0, 8)}`,
+                carrierId: friend.pubkey,
+                virtualIp: ip,
+                services: [],
+            });
+            added += 1;
+            this.logger.info(`Auto-assigned ${friend.pubkey.slice(0, 16)}... -> ${ip}`);
+        }
+        if (added > 0)
+            this.rebuildCache();
+        return added;
+    }
+    /**
+     * Get config
+     */
+    getConfig() {
+        return this.config;
+    }
+    /**
+     * Get namespace
+     */
+    getNamespace() {
+        return this.config.namespace;
+    }
+    rebuildCache() {
+        this.ipCache.clear();
+        this.idCache.clear();
+        this.nameCache.clear();
+        for (const peer of this.config.peers) {
+            // Skip expired peers
+            if (peer.expiresAt && Date.now() > peer.expiresAt) {
+                continue;
+            }
+            this.ipCache.set(peer.virtualIp, peer);
+            this.idCache.set(peer.carrierId, peer);
+            this.nameCache.set(peer.name, peer);
+        }
+        this.logger.debug(`IPAM cache rebuilt: ${this.config.peers.length} peers`);
+    }
+}

package/dist/proxy/connect-proxy.d.ts

@@ -0,0 +1,78 @@
+/**
+ * HTTP CONNECT proxy server.
+ *
+ * Folded into the decentlan daemon so a peer can act as an egress proxy for
+ * other peers without depending on tinyproxy + Homebrew + launchd. Listens on
+ * the daemon's virtual IP (or any address the caller provides), accepts only
+ * the CONNECT method, and pipes bytes between client and upstream.
+ *
+ * What this is NOT:
+ *  - Not a forward proxy for plain HTTP. CONNECT only — TLS is end-to-end past
+ *    the proxy, which keeps us out of the request-rewriting / cert-bumping
+ *    business.
+ *  - Not authenticated at the HTTP layer. Auth is "you reached the listener,
+ *    so the decentlan ACL already let you through."
+ *  - Not load-balanced or HA. One proxy node, one upstream connection per
+ *    CONNECT.
+ *
+ * Audit and host-allowlist live here; ACL gating happens upstream in
+ * PacketRouter (the TCP connection cannot even reach this listener unless the
+ * peer is granted port 8888).
+ */
+export interface ConnectProxyOptions {
+    /** IP to bind on. Pass the daemon's virtual IP (e.g. "10.86.1.20"). */
+    bindIp: string;
+    /** TCP port to bind. */
+    port: number;
+    /**
+     * Globs allowed as CONNECT targets. `*` matches any segment. Empty list
+     * means "allow any host." Examples: `["*.binance.com", "api.coingecko.com"]`.
+     */
+    allowHosts?: string[];
+    /** TCP ports the proxy will dial upstream. Defaults to [443, 80]. */
+    allowConnectPorts?: number[];
+    /** Hook for resolving a source IP to a friendly peer name (audit/log). */
+    resolvePeerName?: (sourceIp: string) => string | undefined;
+    /** Called when a tunnel opens. */
+    onTunnelOpen?: (info: {
+        src: string;
+        srcName?: string;
+        target: string;
+    }) => void;
+    /** Called when a tunnel closes. */
+    onTunnelClose?: (info: {
+        src: string;
+        srcName?: string;
+        target: string;
+        bytesTransferred: number;
+    }) => void;
+}
+export interface ConnectProxyStats {
+    bindIp: string;
+    port: number;
+    startedAt: number;
+    active: number;
+    totalOpened: number;
+    totalRefused: number;
+    bytesTransferred: number;
+}
+export declare class ConnectProxy {
+    private opts;
+    private server;
+    private logger;
+    private stats;
+    constructor(opts: ConnectProxyOptions);
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    getStats(): ConnectProxyStats;
+    private handleConnect;
+    private refuse;
+}
+/**
+ * Glob match where `*` matches any sequence of characters (including dots).
+ * `*.binance.com` matches `api.binance.com` and `data-api.binance.com` but
+ * NOT `binance.com` (literal — must include the leading subdomain). To allow
+ * the bare domain too, use a second glob `binance.com`.
+ */
+export declare function matchesGlob(glob: string, host: string): boolean;
+export declare function matchesAnyGlob(globs: string[], host: string): boolean;

package/dist/proxy/connect-proxy.js

@@ -0,0 +1,204 @@
+/**
+ * HTTP CONNECT proxy server.
+ *
+ * Folded into the decentlan daemon so a peer can act as an egress proxy for
+ * other peers without depending on tinyproxy + Homebrew + launchd. Listens on
+ * the daemon's virtual IP (or any address the caller provides), accepts only
+ * the CONNECT method, and pipes bytes between client and upstream.
+ *
+ * What this is NOT:
+ *  - Not a forward proxy for plain HTTP. CONNECT only — TLS is end-to-end past
+ *    the proxy, which keeps us out of the request-rewriting / cert-bumping
+ *    business.
+ *  - Not authenticated at the HTTP layer. Auth is "you reached the listener,
+ *    so the decentlan ACL already let you through."
+ *  - Not load-balanced or HA. One proxy node, one upstream connection per
+ *    CONNECT.
+ *
+ * Audit and host-allowlist live here; ACL gating happens upstream in
+ * PacketRouter (the TCP connection cannot even reach this listener unless the
+ * peer is granted port 8888).
+ */
+import http from "http";
+import net from "net";
+import { Logger } from "../utils/logger.js";
+export class ConnectProxy {
+    opts;
+    server = null;
+    logger;
+    stats;
+    constructor(opts) {
+        this.opts = opts;
+        this.logger = new Logger({ prefix: "ConnectProxy" });
+        this.stats = {
+            bindIp: opts.bindIp,
+            port: opts.port,
+            startedAt: 0,
+            active: 0,
+            totalOpened: 0,
+            totalRefused: 0,
+            bytesTransferred: 0,
+        };
+    }
+    async start() {
+        if (this.server) {
+            throw new Error("ConnectProxy already started");
+        }
+        this.server = http.createServer();
+        this.server.on("connect", (req, clientSocket, head) => {
+            this.handleConnect(req, clientSocket, head);
+        });
+        // Reject anything that isn't CONNECT — we don't forward HTTP/1.1.
+        this.server.on("request", (_req, res) => {
+            res.writeHead(405, { Allow: "CONNECT", "Content-Type": "text/plain" });
+            res.end("Only HTTP CONNECT is supported.\n");
+        });
+        this.server.on("clientError", (err, socket) => {
+            this.logger.debug(`clientError: ${err.message}`);
+            try {
+                socket.end("HTTP/1.1 400 Bad Request\r\n\r\n");
+            }
+            catch {
+                // socket already gone
+            }
+        });
+        await new Promise((res, rej) => {
+            const onErr = (err) => rej(err);
+            this.server.once("error", onErr);
+            this.server.listen(this.opts.port, this.opts.bindIp, () => {
+                this.server.removeListener("error", onErr);
+                res();
+            });
+        });
+        this.stats.startedAt = Date.now();
+        this.logger.info(`Listening on ${this.opts.bindIp}:${this.opts.port}`);
+    }
+    async stop() {
+        if (!this.server)
+            return;
+        const srv = this.server;
+        this.server = null;
+        await new Promise((res) => {
+            srv.close(() => res());
+        });
+        this.logger.info("Stopped");
+    }
+    getStats() {
+        return { ...this.stats };
+    }
+    handleConnect(req, clientSocket, head) {
+        const src = clientSocket.remoteAddress ?? "?";
+        const srcName = this.opts.resolvePeerName?.(src);
+        const targetSpec = req.url ?? "";
+        const m = targetSpec.match(/^([^:]+):(\d+)$/);
+        if (!m) {
+            this.refuse(clientSocket, src, srcName, targetSpec, 400, "malformed CONNECT target");
+            return;
+        }
+        const host = m[1];
+        const port = Number(m[2]);
+        const allowedPorts = this.opts.allowConnectPorts ?? [443, 80];
+        if (!allowedPorts.includes(port)) {
+            this.refuse(clientSocket, src, srcName, `${host}:${port}`, 403, `port ${port} not in allowConnectPorts`);
+            return;
+        }
+        const allowHosts = this.opts.allowHosts ?? [];
+        if (allowHosts.length > 0 && !matchesAnyGlob(allowHosts, host)) {
+            this.refuse(clientSocket, src, srcName, `${host}:${port}`, 403, "host not in allowHosts");
+            return;
+        }
+        let bytes = 0;
+        let closed = false;
+        const upstream = net.connect(port, host);
+        const tearDown = (reason) => {
+            if (closed)
+                return;
+            closed = true;
+            upstream.destroy();
+            clientSocket.destroy();
+            this.stats.active = Math.max(0, this.stats.active - 1);
+            this.stats.bytesTransferred += bytes;
+            this.opts.onTunnelClose?.({
+                src,
+                srcName,
+                target: `${host}:${port}`,
+                bytesTransferred: bytes,
+            });
+            this.logger.debug(`tunnel closed ${src} -> ${host}:${port} bytes=${bytes} (${reason})`);
+        };
+        upstream.on("connect", () => {
+            try {
+                clientSocket.write("HTTP/1.1 200 Connection Established\r\nProxy-Agent: decentlan\r\n\r\n");
+                if (head.length > 0)
+                    upstream.write(head);
+                clientSocket.pipe(upstream);
+                upstream.pipe(clientSocket);
+            }
+            catch (err) {
+                tearDown(`pipe-setup failed: ${err.message}`);
+                return;
+            }
+            this.stats.active += 1;
+            this.stats.totalOpened += 1;
+            this.opts.onTunnelOpen?.({ src, srcName, target: `${host}:${port}` });
+            this.logger.info(`tunnel open  ${src}${srcName ? ` (${srcName})` : ""} -> ${host}:${port}`);
+        });
+        const onData = (chunk) => {
+            bytes += chunk.length;
+        };
+        upstream.on("data", onData);
+        clientSocket.on("data", onData);
+        upstream.on("error", (err) => {
+            // Pre-tunnel: send an HTTP error back so the client gets a useful message.
+            // Post-tunnel: just tear down silently.
+            if (!closed && !clientSocket.destroyed) {
+                try {
+                    clientSocket.write(`HTTP/1.1 502 Bad Gateway\r\nProxy-Agent: decentlan\r\n\r\nupstream error: ${err.message}\n`);
+                }
+                catch {
+                    // ignore
+                }
+            }
+            tearDown(`upstream error: ${err.message}`);
+        });
+        upstream.on("end", () => tearDown("upstream end"));
+        clientSocket.on("error", (err) => tearDown(`client error: ${err.message}`));
+        clientSocket.on("end", () => tearDown("client end"));
+    }
+    refuse(clientSocket, src, srcName, target, code, reason) {
+        this.stats.totalRefused += 1;
+        this.logger.info(`tunnel refused ${src}${srcName ? ` (${srcName})` : ""} -> ${target}: ${reason}`);
+        try {
+            const statusText = code === 400 ? "Bad Request" : "Forbidden";
+            clientSocket.write(`HTTP/1.1 ${code} ${statusText}\r\nProxy-Agent: decentlan\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n${reason}\n`);
+        }
+        catch {
+            // ignore
+        }
+        clientSocket.end();
+    }
+}
+/**
+ * Glob match where `*` matches any sequence of characters (including dots).
+ * `*.binance.com` matches `api.binance.com` and `data-api.binance.com` but
+ * NOT `binance.com` (literal — must include the leading subdomain). To allow
+ * the bare domain too, use a second glob `binance.com`.
+ */
+export function matchesGlob(glob, host) {
+    const re = new RegExp("^" +
+        glob
+            .split("")
+            .map((ch) => {
+            if (ch === "*")
+                return ".*";
+            if (/[.+?^${}()|[\]\\]/.test(ch))
+                return "\\" + ch;
+            return ch;
+        })
+            .join("") +
+        "$", "i");
+    return re.test(host);
+}
+export function matchesAnyGlob(globs, host) {
+    return globs.some((g) => matchesGlob(g, host));
+}

package/dist/router/index.d.ts

@@ -0,0 +1,5 @@
+export { PacketRouter, type PacketRouterOptions } from "./packet-router.js";
+export { SessionManager } from "./session-manager.js";
+export { IpParser } from "./ip-parser.js";
+export type { ParsedPacket, ForwardingStats } from "./types.js";
+export { IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_ICMP } from "./types.js";

package/dist/router/index.js

@@ -0,0 +1,4 @@
+export { PacketRouter } from "./packet-router.js";
+export { SessionManager } from "./session-manager.js";
+export { IpParser } from "./ip-parser.js";
+export { IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_ICMP } from "./types.js";

package/dist/router/ip-parser.d.ts

@@ -0,0 +1,36 @@
+/**
+ * IPv4 packet parser
+ * Extracts source/dest IP, protocol, and (for TCP/UDP) ports
+ */
+import type { ParsedPacket } from "./types.js";
+export declare class IpParser {
+    /**
+     * Parse an IPv4 packet.
+     * Returns null if not a valid IPv4 packet.
+     */
+    static parse(packet: Uint8Array): ParsedPacket | null;
+    /**
+     * Get the protocol name for logging.
+     */
+    static protoName(protocol: number): string;
+    /**
+     * Check if protocol is TCP.
+     */
+    static isTcp(protocol: number): boolean;
+    /**
+     * Check if protocol is UDP.
+     */
+    static isUdp(protocol: number): boolean;
+    /**
+     * Build a minimal IPv4 packet header for testing.
+     * Returns a 20-byte header plus optional payload.
+     */
+    static buildIpv4Header(opts: {
+        srcIp: string;
+        dstIp: string;
+        protocol: number;
+        payload?: Uint8Array;
+        srcPort?: number;
+        dstPort?: number;
+    }): Uint8Array;
+}