@decentnetwork/lan 0.1.0

package/dist/cli/commands.js

@@ -0,0 +1,932 @@
+/**
+ * CLI command handlers
+ */
+import { resolve, dirname } from "path";
+import { existsSync, mkdirSync, readFileSync } from "fs";
+import { createConnection } from "net";
+import { ConfigLoader } from "../config/loader.js";
+import { ipcSocketPath } from "../daemon/ipc.js";
+import { DaemonServer } from "../daemon/server.js";
+import { Ipam } from "../ipam/ipam.js";
+import { Policy } from "../acl/policy.js";
+import { AclEngine } from "../acl/acl-engine.js";
+import { AuditLog } from "../acl/audit.js";
+import { DnsResolver } from "../dns/resolver.js";
+/**
+ * Refuse to open a second Carrier peer with this identity if the
+ * daemon is already running with the same keypair. Two peers sharing
+ * a keyfile race on session establishment, scramble each other's
+ * cookie/handshake state, and produce a stream of "Replacing stale
+ * session" log lines — the equivalent of two processes binding the
+ * same TCP port. Daemon-side commands (friend-request, friend-accept,
+ * friends-list) all must call this before importing the SDK.
+ */
+/** Returns the live daemon's PID if one is running for this config,
+ *  or null when the pidfile is missing/stale. Used by both the
+ *  "refuse second peer" guard and the IPC-routing path. */
+function daemonPid(config) {
+    const pidFile = resolve(config.carrier.dataDir, "daemon.pid");
+    if (!existsSync(pidFile))
+        return null;
+    let pid;
+    try {
+        pid = parseInt(readFileSync(pidFile, "utf-8").trim(), 10);
+    }
+    catch {
+        return null;
+    }
+    if (!pid || pid === process.pid)
+        return null;
+    // process.kill(pid, 0) throws with .code === "ESRCH" if the process
+    // is gone, OR "EPERM" if it's alive but owned by another user
+    // (e.g. daemon started via sudo, CLI run as the operator's user).
+    // EPERM means ALIVE — the earlier version caught both ESRCH and
+    // EPERM as "stale", which let CLI commands sneak past the guard
+    // and open a second Carrier peer with the same identity.
+    try {
+        process.kill(pid, 0);
+        return pid;
+    }
+    catch (err) {
+        const code = err.code;
+        if (code === "EPERM")
+            return pid;
+        return null;
+    }
+}
+function assertDaemonNotRunning(config, commandName) {
+    const pid = daemonPid(config);
+    if (pid === null)
+        return;
+    throw new Error(`'agentnet ${commandName}' would open a second Carrier peer using the same identity ` +
+        `as the running daemon (pid ${pid}). That stomps on the daemon's Carrier session. ` +
+        `Stop the daemon first, or use the IPC-routed equivalent (e.g. 'agentnet friend-request' ` +
+        `now talks to the running daemon when it's up).`);
+}
+/**
+ * Send a single IPC request to the running daemon and await its
+ * response. Throws with the daemon's error message on failure, or
+ * if the socket isn't there / hangs up.
+ */
+async function ipcCall(config, req, timeoutMs = 30_000) {
+    const sockPath = ipcSocketPath(config.carrier.dataDir);
+    if (!existsSync(sockPath)) {
+        throw new Error(`Daemon socket not found at ${sockPath} — is the daemon running?`);
+    }
+    return new Promise((resolve, reject) => {
+        const sock = createConnection(sockPath);
+        let buf = "";
+        const timer = setTimeout(() => {
+            sock.destroy();
+            reject(new Error(`IPC timed out after ${timeoutMs}ms`));
+        }, timeoutMs);
+        sock.on("connect", () => {
+            sock.write(JSON.stringify(req) + "\n");
+        });
+        sock.on("data", (chunk) => {
+            buf += chunk.toString("utf-8");
+            const nl = buf.indexOf("\n");
+            if (nl < 0)
+                return;
+            clearTimeout(timer);
+            sock.end();
+            try {
+                const res = JSON.parse(buf.slice(0, nl));
+                resolve(res);
+            }
+            catch (err) {
+                reject(new Error(`malformed IPC response: ${err.message}`));
+            }
+        });
+        sock.on("error", (err) => {
+            clearTimeout(timer);
+            reject(err);
+        });
+    });
+}
+/**
+ * Initialize ~/.agentnet directory and config
+ */
+export async function cmdInit(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const nodeName = args.name || `node-${Math.floor(Math.random() * 10000)}`;
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+        console.log(`Created config directory: ${dir}`);
+    }
+    const configPath = resolve(dir, "config.yaml");
+    if (existsSync(configPath)) {
+        console.log(`Config already exists: ${configPath}`);
+        return;
+    }
+    const config = ConfigLoader.createDefault(nodeName, dir);
+    await ConfigLoader.save(config, configPath);
+    console.log(`Created config: ${configPath}`);
+    // Create empty IPAM and policy files
+    await Ipam.loadOrCreate(config.paths.ipamFile, config.node.namespace);
+    await Policy.loadOrCreate(config.paths.policyFile);
+    console.log(`\nDecent AgentNet initialized:`);
+    console.log(`  Node name: ${nodeName}`);
+    console.log(`  Config dir: ${dir}`);
+    console.log(`  Subnet: ${config.network.subnet}`);
+    console.log(`  Interface: ${config.network.interface}`);
+    console.log(`\nNext: agentnet up --name ${nodeName}`);
+}
+/**
+ * Show identity information.
+ * Loads (or creates) keypair without joining network — fast and offline.
+ */
+export async function cmdIdentityShow(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const { Peer } = await import("@decentnetwork/peer");
+    const keyFile = resolve(config.carrier.dataDir, "keypair.json");
+    // Ensure carrier data dir exists (Peer.create won't create parent dirs)
+    mkdirSync(dirname(keyFile), { recursive: true });
+    const wasExisting = existsSync(keyFile);
+    const peer = await Peer.create({
+        keyFile,
+        compatibilityMode: "legacy",
+        bootstrapNodes: config.carrier.bootstrapNodes,
+        expressNodes: config.carrier.expressNodes,
+    });
+    await peer.start();
+    if (!wasExisting) {
+        console.log(`(generated new identity at ${keyFile})`);
+    }
+    console.log(`Address:    ${peer.address()}`);
+    console.log(`Public Key: ${peer.pubkey()}`);
+    console.log(`User ID:    ${peer.userid()}`);
+    await peer.stop();
+}
+/**
+ * List peers from IPAM
+ */
+export async function cmdPeersList(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const ipam = await Ipam.loadOrCreate(config.paths.ipamFile, config.node.namespace);
+    const peers = ipam.getPeers();
+    if (peers.length === 0) {
+        console.log("No peers configured. Use 'agentnet ipam assign' to add peers.");
+        return;
+    }
+    console.log(`Peers (${peers.length}):`);
+    console.log("");
+    for (const peer of peers) {
+        const expires = peer.expiresAt
+            ? ` (expires ${new Date(peer.expiresAt).toISOString()})`
+            : "";
+        console.log(`  ${peer.name}.${config.network.dnsDomain}`);
+        console.log(`    Virtual IP: ${peer.virtualIp}`);
+        console.log(`    Carrier ID: ${peer.carrierId.slice(0, 32)}...`);
+        if (peer.services.length > 0) {
+            console.log(`    Services: ${peer.services.map((s) => `${s.name}:${s.port}`).join(", ")}`);
+        }
+        if (expires)
+            console.log(`    ${expires.trim()}`);
+        console.log("");
+    }
+}
+/**
+ * Assign a virtual IP to a Carrier ID
+ */
+export async function cmdIpamAssign(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const ipam = await Ipam.loadOrCreate(config.paths.ipamFile, config.node.namespace);
+    // Auto-allocate IP if not provided
+    const virtualIp = args.ip || ipam.findNextAvailableIp(config.network.subnet);
+    // Parse services (format: "name:proto:port", e.g. "ssh:tcp:22")
+    const services = args.services?.map((s) => {
+        const parts = s.split(":");
+        return {
+            name: parts[0],
+            proto: (parts[1] || "tcp"),
+            port: parseInt(parts[2] || "0", 10),
+        };
+    }) || [];
+    ipam.assignPeer({
+        name: args.name,
+        carrierId: args.peer,
+        virtualIp,
+        services,
+    });
+    await ipam.save();
+    console.log(`Assigned: ${args.name}.${config.network.dnsDomain} -> ${virtualIp}`);
+    console.log(`Carrier ID: ${args.peer}`);
+    if (services.length > 0) {
+        console.log(`Services: ${services.map((s) => `${s.name}:${s.port}`).join(", ")}`);
+    }
+}
+/**
+ * Grant access to a peer.
+ * Default direction is "both" so TCP return packets are allowed.
+ */
+export async function cmdGrant(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const policy = await Policy.loadOrCreate(config.paths.policyFile);
+    const auditLog = new AuditLog(config.paths.auditLog);
+    const engine = new AclEngine({ policy, auditLog });
+    const expiresMs = args.expires ? parseDuration(args.expires) : undefined;
+    const direction = args.direction || "both";
+    if (args.tcp && args.tcp.length > 0) {
+        engine.grant({
+            peer: args.peer,
+            ports: args.tcp,
+            proto: "tcp",
+            expiresMs,
+            purpose: args.purpose,
+            direction,
+        });
+    }
+    if (args.udp && args.udp.length > 0) {
+        engine.grant({
+            peer: args.peer,
+            ports: args.udp,
+            proto: "udp",
+            expiresMs,
+            purpose: args.purpose,
+            direction,
+        });
+    }
+    await policy.save();
+    const ports = [
+        ...(args.tcp?.map((p) => `tcp:${p}`) || []),
+        ...(args.udp?.map((p) => `udp:${p}`) || []),
+    ].join(", ");
+    console.log(`Granted ${args.peer} (${direction}): ${ports}${expiresMs ? ` (expires in ${args.expires})` : ""}`);
+}
+/**
+ * Revoke access from a peer
+ */
+export async function cmdRevoke(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const policy = await Policy.loadOrCreate(config.paths.policyFile);
+    const auditLog = new AuditLog(config.paths.auditLog);
+    const engine = new AclEngine({ policy, auditLog });
+    const removed = engine.revoke(args.peer);
+    await policy.save();
+    if (removed) {
+        console.log(`Revoked all access for ${args.peer}`);
+    }
+    else {
+        console.log(`No rules found for ${args.peer}`);
+    }
+}
+/**
+ * Resolve a hostname to a virtual IP
+ */
+export async function cmdResolve(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const ipam = await Ipam.loadOrCreate(config.paths.ipamFile, config.node.namespace);
+    const resolver = new DnsResolver(ipam, config.network.dnsDomain);
+    const ip = resolver.resolve(args.name);
+    if (ip) {
+        console.log(`${args.name} -> ${ip}`);
+    }
+    else {
+        console.log(`Cannot resolve: ${args.name}`);
+        process.exit(1);
+    }
+}
+/**
+ * Show daemon status (must be run while daemon is up — placeholder for now)
+ */
+export async function cmdStatus(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    if (!existsSync(configPath)) {
+        console.log("Not initialized. Run 'agentnet init' first.");
+        return;
+    }
+    const config = await ConfigLoader.load(configPath);
+    console.log(`Decent AgentNet`);
+    console.log(`Node: ${config.node.name}`);
+    console.log(`Namespace: ${config.node.namespace}`);
+    console.log(`Subnet: ${config.network.subnet}`);
+    console.log(`Interface: ${config.network.interface}`);
+    console.log(`Virtual IP: ${config.network.ip}`);
+    console.log(`Bootstrap: ${config.carrier.bootstrapNodes.join(", ")}`);
+    // Show IPAM peers count
+    const ipam = await Ipam.loadOrCreate(config.paths.ipamFile, config.node.namespace);
+    console.log(`Peers configured: ${ipam.getPeers().length}`);
+    // Show ACL rules count
+    const policy = await Policy.loadOrCreate(config.paths.policyFile);
+    console.log(`ACL rules: ${policy.getRules().length}`);
+}
+/**
+ * Start the daemon (foreground)
+ */
+export async function cmdUp(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    if (!existsSync(configPath)) {
+        console.log("Not initialized. Run 'agentnet init' first.");
+        process.exit(1);
+    }
+    const config = await ConfigLoader.load(configPath);
+    if (args.name) {
+        config.node.name = args.name;
+    }
+    const daemon = new DaemonServer({
+        config,
+        configDir: dir,
+        useMockTun: !args.realTun,
+    });
+    // Graceful shutdown
+    const shutdown = async () => {
+        console.log("\nShutting down...");
+        await daemon.stop();
+        process.exit(0);
+    };
+    process.on("SIGINT", shutdown);
+    process.on("SIGTERM", shutdown);
+    await daemon.start();
+    const status = daemon.getStatus();
+    console.log(`Daemon started. Identity: ${status.identity?.address}`);
+    console.log(`Press Ctrl+C to stop.`);
+    // Keep alive
+    await new Promise(() => { });
+}
+/**
+ * Send a friend request to another peer's address.
+ * Run while daemon is DOWN — opens a temporary peer, sends request, exits.
+ * The request is delivered via Carrier express relay (HTTP store-and-forward)
+ * AND via onion routing if recipient is announced on the DHT.
+ */
+export async function cmdFriendRequest(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    // If the daemon is running, route through IPC instead of spawning a
+    // second Carrier peer. The daemon's existing Peer instance sends the
+    // request — no session conflict, no second DHT announce, no race.
+    const livePid = daemonPid(config);
+    if (livePid !== null) {
+        console.log(`Daemon is running (pid ${livePid}); routing friend-request via IPC...`);
+        const res = await ipcCall(config, {
+            op: "friend-request",
+            address: args.address,
+            hello: args.hello,
+        });
+        if (!res.ok) {
+            throw new Error(`Daemon refused friend-request: ${res.error}`);
+        }
+        console.log(`Friend request sent via daemon. The recipient (if running decentlan with autoAccept) will accept automatically.`);
+        return;
+    }
+    // Daemon is down — fall through to the standalone-Peer path, which
+    // generates/loads the keypair, announces, sends, and exits.
+    const { Peer } = await import("@decentnetwork/peer");
+    const keyFile = resolve(config.carrier.dataDir, "keypair.json");
+    console.log(`Opening peer with identity at ${keyFile}...`);
+    const peer = await Peer.create({
+        keyFile,
+        compatibilityMode: "legacy",
+        bootstrapNodes: config.carrier.bootstrapNodes,
+        expressNodes: config.carrier.expressNodes,
+    });
+    await peer.start();
+    console.log(`My address: ${peer.address()}`);
+    console.log(`My pubkey: ${peer.pubkey()}`);
+    console.log(`Joining Carrier network...`);
+    const joinResult = await peer.joinNetwork();
+    console.log(`Joined via ${joinResult.respondingNode.host}:${joinResult.respondingNode.port}`);
+    // Brief self-announce so the recipient's reply (via onion) can reach us
+    console.log(`Announcing self (15s)...`);
+    await peer.announceSelf(15000).catch((err) => {
+        console.warn(`Self-announce failed: ${err.message}`);
+    });
+    console.log(`Sending friend request to ${args.address}...`);
+    await peer.sendFriendRequest(args.address, args.hello || "Decent AgentNet friend request");
+    const waitMs = args.waitMs ?? 30000;
+    console.log(`Waiting ${waitMs}ms for relay delivery...`);
+    await new Promise((r) => setTimeout(r, waitMs));
+    await peer.stop();
+    console.log(`Friend request sent. The recipient must run 'agentnet friend-accept --pubkey ${peer.pubkey()}'.`);
+}
+/**
+ * Accept a pending friend request.
+ * Run while daemon is DOWN — opens a temporary peer, accepts, exits.
+ *
+ * IMPORTANT: This must be running for the friend request to be delivered
+ * via onion routing. The peer must announce itself on the DHT first
+ * (this takes ~45s), then wait for the request to arrive.
+ */
+export async function cmdFriendAccept(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    assertDaemonNotRunning(config, "friend-accept");
+    const { Peer } = await import("@decentnetwork/peer");
+    const keyFile = resolve(config.carrier.dataDir, "keypair.json");
+    console.log(`Opening peer with identity at ${keyFile}...`);
+    const peer = await Peer.create({
+        keyFile,
+        compatibilityMode: "legacy",
+        bootstrapNodes: config.carrier.bootstrapNodes,
+        expressNodes: config.carrier.expressNodes,
+    });
+    await peer.start();
+    console.log(`My address: ${peer.address()}`);
+    console.log(`My pubkey: ${peer.pubkey()}`);
+    const joinResult = await peer.joinNetwork();
+    console.log(`Joined via ${joinResult.respondingNode.host}:${joinResult.respondingNode.port}`);
+    // Critical: announce self so requests routed via onion can find us.
+    // Retry up to 3 rounds of 45s each, like the SDK demo script.
+    console.log(`Announcing self (this may take up to 2 minutes)...`);
+    let stored = [];
+    for (let round = 1; round <= 3 && stored.length === 0; round++) {
+        console.log(`  announce round ${round}/3 (45s)...`);
+        stored = await peer.announceSelf(45000).catch(() => []);
+        console.log(`  stored on ${stored.length} nodes`);
+    }
+    if (stored.length === 0) {
+        console.warn(`Self-announce got 0 storage nodes — request may still arrive via express relay`);
+    }
+    let pubkey = args.pubkey;
+    const wait = args.waitForRequest;
+    if (!pubkey || wait) {
+        const waitMs = args.waitMs ?? 120000;
+        console.log(`Waiting up to ${waitMs / 1000}s for incoming friend request...`);
+        try {
+            const request = await peer.waitForFriendRequest(waitMs);
+            pubkey = request.pubkey;
+            console.log(`Got request from ${pubkey} (name: ${request.name || "—"}): "${request.hello || ""}"`);
+        }
+        catch (err) {
+            if (!pubkey)
+                throw err;
+            console.warn(`No incoming request — will try acceptance with provided pubkey ${pubkey}`);
+        }
+    }
+    console.log(`Accepting friend request from ${pubkey}...`);
+    await peer.acceptFriendRequest(pubkey);
+    console.log(`Waiting 10s to flush state...`);
+    await new Promise((r) => setTimeout(r, 10000));
+    await peer.stop();
+    console.log(`Friend accepted: ${pubkey}`);
+}
+/**
+ * List friends in the friend store.
+ */
+export async function cmdFriendsList(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    assertDaemonNotRunning(config, "friends list");
+    const { Peer } = await import("@decentnetwork/peer");
+    const keyFile = resolve(config.carrier.dataDir, "keypair.json");
+    if (!existsSync(keyFile)) {
+        console.log("No identity yet. Start the daemon at least once to generate one.");
+        return;
+    }
+    // Open peer and start (start() loads friends from disk)
+    const peer = await Peer.create({
+        keyFile,
+        compatibilityMode: "legacy",
+        bootstrapNodes: config.carrier.bootstrapNodes,
+        expressNodes: config.carrier.expressNodes,
+    });
+    await peer.start();
+    const friends = peer.friends();
+    if (friends.length === 0) {
+        console.log("No friends. Use 'agentnet friend-request --address <addr>' to add one.");
+        await peer.stop();
+        return;
+    }
+    console.log(`Friends (${friends.length}):`);
+    for (const friend of friends) {
+        console.log(``);
+        console.log(`  ${friend.name || "(unnamed)"}  status=${friend.status}`);
+        console.log(`    pubkey:  ${friend.pubkey}`);
+        if (friend.userid && friend.userid !== friend.pubkey) {
+            console.log(`    userid:  ${friend.userid}`);
+        }
+        if (friend.address)
+            console.log(`    address: ${friend.address}`);
+        if (friend.acceptedAt)
+            console.log(`    accepted: ${new Date(friend.acceptedAt).toISOString()}`);
+    }
+    await peer.stop();
+}
+/**
+ * Show audit log
+ */
+export async function cmdAuditLog(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const auditLog = new AuditLog(config.paths.auditLog);
+    const entries = auditLog.readRecent(args.tail || 50);
+    if (entries.length === 0) {
+        console.log("No audit entries.");
+        return;
+    }
+    for (const entry of entries) {
+        const time = new Date(entry.timestamp).toISOString();
+        const status = entry.allowed === true ? "ALLOW" : entry.allowed === false ? "DENY " : "INFO ";
+        const peer = entry.srcName || entry.srcPubkey?.slice(0, 16) || "—";
+        const dest = entry.dstIp ? `${entry.dstIp}:${entry.dstPort}/${entry.proto}` : "—";
+        const reason = entry.reason || "";
+        console.log(`${time} ${status} ${entry.type.padEnd(10)} ${peer.padEnd(20)} ${dest.padEnd(30)} ${reason}`);
+    }
+}
+/**
+ * Enable the built-in CONNECT proxy.
+ * Persists `proxy.enabled = true` in config.yaml. Takes effect on next
+ * `agentnet up`. If port is provided, updates the listener port.
+ */
+export async function cmdProxyEnable(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    const config = await ConfigLoader.load(configPath);
+    config.proxy = {
+        enabled: true,
+        port: args.port ?? config.proxy?.port ?? 8888,
+        allowHosts: config.proxy?.allowHosts ?? [],
+        allowConnectPorts: config.proxy?.allowConnectPorts,
+    };
+    await ConfigLoader.save(config, configPath);
+    console.log(`Proxy enabled on port ${config.proxy.port}.`);
+    console.log(`Listener will bind to ${config.network.ip}:${config.proxy.port} on next 'agentnet up'.`);
+    if ((config.proxy.allowHosts ?? []).length === 0) {
+        console.log(`(No host allowlist set — any host will be accepted as a CONNECT target.)`);
+        console.log(`To restrict: agentnet proxy allow-host '*.binance.com'`);
+    }
+}
+/**
+ * Disable the built-in CONNECT proxy.
+ * Sets `proxy.enabled = false`. Existing tunnels are torn down on next
+ * daemon restart.
+ */
+export async function cmdProxyDisable(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    const config = await ConfigLoader.load(configPath);
+    config.proxy = {
+        enabled: false,
+        port: config.proxy?.port ?? 8888,
+        allowHosts: config.proxy?.allowHosts ?? [],
+        allowConnectPorts: config.proxy?.allowConnectPorts,
+    };
+    await ConfigLoader.save(config, configPath);
+    console.log(`Proxy disabled. Restart the daemon to take effect.`);
+}
+/**
+ * Show proxy status from config.yaml.
+ */
+export async function cmdProxyStatus(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    const config = await ConfigLoader.load(configPath);
+    const proxy = config.proxy;
+    if (!proxy || !proxy.enabled) {
+        console.log("Proxy: disabled");
+        console.log("Enable with: agentnet proxy enable");
+        return;
+    }
+    console.log("Proxy: enabled");
+    console.log(`  listen:        ${config.network.ip}:${proxy.port}`);
+    console.log(`  protocol:      HTTP CONNECT`);
+    const allowHosts = proxy.allowHosts ?? [];
+    if (allowHosts.length === 0) {
+        console.log(`  allow_hosts:   (any) — recommend running 'agentnet proxy allow-host'`);
+    }
+    else {
+        console.log(`  allow_hosts:`);
+        for (const h of allowHosts)
+            console.log(`    - ${h}`);
+    }
+    const allowPorts = proxy.allowConnectPorts ?? [443, 80];
+    console.log(`  allow_ports:   ${allowPorts.join(", ")}`);
+    console.log(``);
+    console.log(`Note: live counters require querying a running daemon — not yet wired.`);
+}
+/**
+ * Add a host glob to the proxy allowlist.
+ */
+export async function cmdProxyAllowHost(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    const config = await ConfigLoader.load(configPath);
+    const proxy = config.proxy ?? { enabled: false, port: 8888 };
+    const allowHosts = new Set(proxy.allowHosts ?? []);
+    allowHosts.add(args.host);
+    config.proxy = { ...proxy, allowHosts: [...allowHosts] };
+    await ConfigLoader.save(config, configPath);
+    console.log(`Added '${args.host}' to proxy allow-hosts.`);
+    console.log(`Restart the daemon to take effect.`);
+}
+/**
+ * Remove a host glob from the proxy allowlist.
+ */
+export async function cmdProxyRevokeHost(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    const config = await ConfigLoader.load(configPath);
+    const proxy = config.proxy ?? { enabled: false, port: 8888 };
+    const before = (proxy.allowHosts ?? []).length;
+    const filtered = (proxy.allowHosts ?? []).filter((h) => h !== args.host);
+    config.proxy = { ...proxy, allowHosts: filtered };
+    await ConfigLoader.save(config, configPath);
+    if (filtered.length < before) {
+        console.log(`Removed '${args.host}' from proxy allow-hosts.`);
+    }
+    else {
+        console.log(`No exact match for '${args.host}' in allow-hosts.`);
+    }
+}
+/**
+ * List proxy allow-host globs.
+ */
+export async function cmdProxyListHosts(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const allowHosts = config.proxy?.allowHosts ?? [];
+    if (allowHosts.length === 0) {
+        console.log("No host allowlist set. Proxy will accept any CONNECT target.");
+        return;
+    }
+    console.log(`Proxy allow-hosts (${allowHosts.length}):`);
+    for (const h of allowHosts)
+        console.log(`  ${h}`);
+}
+/**
+ * Print the env-var line for a peer to use this node's proxy.
+ */
+export async function cmdProxyUse(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const ipam = await Ipam.loadOrCreate(config.paths.ipamFile, config.node.namespace);
+    const record = ipam.resolveCarrierId(args.peer) || ipam.getPeers().find((p) => p.name === args.peer);
+    if (!record) {
+        console.error(`Unknown peer: ${args.peer}. Add it first via 'agentnet ipam assign'.`);
+        process.exit(1);
+    }
+    const port = config.proxy?.port ?? 8888;
+    const proxyUrl = `http://${record.virtualIp}:${port}`;
+    console.log(`# Use these env vars to route HTTPS through ${record.name}:`);
+    console.log(`HTTPS_PROXY=${proxyUrl}`);
+    console.log(`HTTP_PROXY=${proxyUrl}`);
+    console.log(`NO_PROXY=localhost,127.0.0.1,*.local,10.0.0.0/8,172.16.0.0/12`);
+    console.log(``);
+    console.log(`# On the proxy node (${record.name}), make sure the operator has run:`);
+    console.log(`#   agentnet proxy enable`);
+    console.log(`#   agentnet grant --peer <your-userid> --tcp ${port}`);
+}
+/**
+ * Parse duration string like "1h", "24h", "30m"
+ */
+function parseDuration(input) {
+    const match = input.match(/^(\d+)([smhd])$/);
+    if (!match) {
+        throw new Error(`Invalid duration: ${input}. Use format like 1h, 30m, 7d`);
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    const multipliers = {
+        s: 1000,
+        m: 60 * 1000,
+        h: 60 * 60 * 1000,
+        d: 24 * 60 * 60 * 1000,
+    };
+    return value * multipliers[unit];
+}
+export { parseDuration };
+/**
+ * Install (or remove) OS-side resolver config so `<name>.<dnsDomain>`
+ * queries get routed to the daemon's DNS server on
+ * 127.0.0.1:<dnsPort>. macOS uses /etc/resolver/<domain>; Linux uses
+ * systemd-resolved's per-link config via `resolvectl`. Idempotent;
+ * `--uninstall` reverses it.
+ *
+ * Requires root on both platforms (file write to /etc, or root-only
+ * resolvectl). The shipped error tells the operator if so.
+ */
+export async function cmdDnsInstall(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const domain = config.network.dnsDomain;
+    const port = config.network.dnsPort;
+    const iface = config.network.interface;
+    // The OS resolver runs locally and the daemon binds DNS on
+    // 0.0.0.0, so the right nameserver for /etc/resolver is just
+    // 127.0.0.1 — guaranteed to loopback through lo0 to the socket.
+    //
+    // Using the TUN IP (e.g. 10.86.1.11) seems intuitive but breaks:
+    // macOS routes the local TUN IP through utun10 itself, so the
+    // UDP query arrives at the packet-router as an IP datagram
+    // instead of hitting the DNS UDP socket. dig @127.0.0.1 works;
+    // dig @<tun-ip> from the same host doesn't.
+    //
+    // We still need the live bound PORT from diag because the
+    // daemon's port-fallback may have nudged us off the configured
+    // value (mDNSResponder / Bonjour hold :5353 on macOS).
+    const nameserverIp = "127.0.0.1";
+    let nameserverPort = port;
+    const pid = daemonPid(config);
+    if (pid !== null) {
+        try {
+            const res = await ipcCall(config, { op: "diag" });
+            if (res.ok) {
+                const data = res.data;
+                if (data.dns?.port)
+                    nameserverPort = data.dns.port;
+            }
+        }
+        catch {
+            // diag failed — stick with config port
+        }
+    }
+    if (process.platform === "darwin") {
+        const file = `/etc/resolver/${domain}`;
+        if (args.uninstall) {
+            const { existsSync, unlinkSync } = await import("fs");
+            if (!existsSync(file)) {
+                console.log(`Nothing to remove — ${file} doesn't exist.`);
+                return;
+            }
+            try {
+                unlinkSync(file);
+                console.log(`Removed ${file}.`);
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                throw new Error(`Could not remove ${file} (need root?): ${msg}`);
+            }
+            return;
+        }
+        const body = `# Routes *.${domain} queries to the decentlan daemon.\n# Generated by 'agentnet dns install'.\nnameserver ${nameserverIp}\nport ${nameserverPort}\n`;
+        try {
+            const fs = await import("fs/promises");
+            await fs.mkdir("/etc/resolver", { recursive: true });
+            await fs.writeFile(file, body, "utf-8");
+            console.log(`Wrote ${file}.`);
+            console.log(`Test with: dscacheutil -q host -a name <peer>.${domain}`);
+            console.log(`Or just: ping <peer>.${domain}`);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            throw new Error(`Could not write ${file} (need root? try 'sudo'): ${msg}`);
+        }
+        return;
+    }
+    if (process.platform === "linux") {
+        const { spawnSync } = await import("child_process");
+        if (args.uninstall) {
+            const r = spawnSync("resolvectl", ["revert", iface], { encoding: "utf-8" });
+            if (r.error || r.status !== 0) {
+                throw new Error(`resolvectl revert failed: ${r.stderr || r.error?.message || `exit ${r.status}`}. Try 'sudo'.`);
+            }
+            console.log(`Reverted resolver config on ${iface}.`);
+            return;
+        }
+        // The daemon binds DNS on the TUN IP (avoids the 5353 / mDNS
+        // collision). systemd-resolved sends DNS queries on UDP 53 and
+        // doesn't support a per-link port override, so we'd need a
+        // port-forward of some kind. For now we tell the operator the
+        // limitation and suggest dnsmasq or /etc/hosts as a stopgap.
+        if (nameserverPort !== 53) {
+            console.log("[linux warning] systemd-resolved only talks to upstreams on port 53;");
+            console.log(`  the daemon is on ${nameserverIp}:${nameserverPort}. To bridge, either:`);
+            console.log(`    1) re-init with dnsPort: 53 (needs daemon to run as root)`);
+            console.log(`    2) install dnsmasq + the helper config printed below`);
+            console.log(`    3) use 'agentnet dns hosts | sudo tee -a /etc/hosts'`);
+            console.log(``);
+            console.log(`# dnsmasq snippet (write to /etc/dnsmasq.d/${domain}.conf):`);
+            console.log(`server=/${domain}/${nameserverIp}#${nameserverPort}`);
+            console.log(`# then: sudo systemctl restart dnsmasq`);
+            return;
+        }
+        // dnsPort === 53 path:
+        const set = spawnSync("resolvectl", ["dns", iface, nameserverIp, "domain", iface, `~${domain}`], { encoding: "utf-8" });
+        if (set.error || set.status !== 0) {
+            throw new Error(`resolvectl failed: ${set.stderr || set.error?.message || `exit ${set.status}`}. Try 'sudo'.`);
+        }
+        console.log(`Configured systemd-resolved on ${iface} for *.${domain} -> 127.0.0.1.`);
+        return;
+    }
+    throw new Error(`'dns install' not supported on ${process.platform}. Use /etc/hosts manually.`);
+}
+/**
+ * Print /etc/hosts entries for the current IPAM contents. Stopgap
+ * for OSes / setups where the resolver wiring is awkward — pipe to
+ * `sudo tee -a /etc/hosts`.
+ */
+export async function cmdDnsHosts(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const domain = config.network.dnsDomain;
+    // Use the running daemon if available so we get the live roster.
+    const pid = daemonPid(config);
+    if (pid !== null) {
+        const res = await ipcCall(config, { op: "diag" });
+        if (!res.ok)
+            throw new Error(`Daemon diag failed: ${res.error}`);
+        const data = res.data;
+        console.log(`# decentlan peers — append to /etc/hosts`);
+        for (const r of data.ipam) {
+            console.log(`${r.virtualIp}\t${r.name}\t${r.name}.${domain}`);
+        }
+        return;
+    }
+    // Daemon down — fall back to the on-disk IPAM (likely empty
+    // unless the operator runs with a static ipam.yaml fallback).
+    const { Ipam } = await import("../ipam/ipam.js");
+    const ipam = await Ipam.load(config.paths.ipamFile);
+    console.log(`# decentlan peers (from ${config.paths.ipamFile})`);
+    for (const r of ipam.getPeers()) {
+        console.log(`${r.virtualIp}\t${r.name}\t${r.name}.${domain}`);
+    }
+}
+/**
+ * Query the running daemon for a JSON-formatted snapshot of its state.
+ * Useful when packets aren't moving and you want to see forwarding
+ * counters, friend status, and IPAM contents without restarting the
+ * daemon with AGENTNET_LOG_LEVEL=debug.
+ */
+export async function cmdDiag(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
+    const pid = daemonPid(config);
+    if (pid === null) {
+        console.error("No running daemon found for this config — start it with 'agentnet up'.");
+        process.exit(1);
+    }
+    const res = await ipcCall(config, { op: "diag" });
+    if (!res.ok) {
+        throw new Error(`Daemon diag failed: ${res.error}`);
+    }
+    console.log(JSON.stringify(res.data, null, 2));
+}
+/**
+ * Enable dora integration and add a dora server's userid to the
+ * registry list. Subsequent `agentnet up` runs will register with
+ * dora to get a virtual IP and fetch the peer roster automatically.
+ */
+export async function cmdDoraEnable(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    const config = await ConfigLoader.load(configPath);
+    const existing = config.dora ?? { enabled: false, userids: [], refreshIntervalMs: 60_000 };
+    const userids = new Set(existing.userids ?? []);
+    userids.add(args.userid);
+    config.dora = {
+        enabled: true,
+        userids: [...userids],
+        refreshIntervalMs: existing.refreshIntervalMs ?? 60_000,
+    };
+    await ConfigLoader.save(config, configPath);
+    console.log(`Dora enabled. Server userid added: ${args.userid}`);
+    console.log(`Total dora servers configured: ${config.dora.userids?.length}`);
+    console.log(`The dora server must be a Carrier friend — add it with 'agentnet friend-request' if you haven't.`);
+    console.log(`Restart the daemon to take effect.`);
+}
+/**
+ * Disable dora integration without losing the configured server list.
+ * Daemon falls back to manual ipam.yaml mode.
+ */
+export async function cmdDoraDisable(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    const config = await ConfigLoader.load(configPath);
+    config.dora = {
+        enabled: false,
+        userids: config.dora?.userids ?? [],
+        refreshIntervalMs: config.dora?.refreshIntervalMs ?? 60_000,
+    };
+    await ConfigLoader.save(config, configPath);
+    console.log(`Dora disabled. Restart the daemon to take effect.`);
+    console.log(`(Configured server userids preserved — re-enable with 'agentnet dora enable --userid <id>'.)`);
+}
+/**
+ * Show dora config. Live runtime state (currently-allocated IP,
+ * last roster refresh) would require IPC to the running daemon —
+ * not wired yet.
+ */
+export async function cmdDoraStatus(args) {
+    const dir = args.configDir || ConfigLoader.defaultConfigDir();
+    const configPath = resolve(dir, "config.yaml");
+    const config = await ConfigLoader.load(configPath);
+    const dora = config.dora;
+    if (!dora || !dora.enabled) {
+        console.log("Dora: disabled");
+        console.log("Enable with: agentnet dora enable --userid <server-userid>");
+        return;
+    }
+    console.log("Dora: enabled");
+    const userids = dora.userids ?? [];
+    if (userids.length === 0) {
+        console.log("  servers:       (none configured — add one with 'agentnet dora enable --userid <id>')");
+    }
+    else {
+        console.log("  servers:");
+        for (const id of userids)
+            console.log(`    - ${id}`);
+    }
+    const refresh = dora.refreshIntervalMs ?? 60_000;
+    console.log(`  refresh:       every ${Math.round(refresh / 1000)}s`);
+    console.log("");
+    console.log("Note: live state (allocated IP, last refresh) requires querying a running daemon — not yet wired.");
+}