@decentnetwork/lan 0.1.0

package/dist/cli/index.d.ts

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+/**
+ * CLI entry point — yargs setup.
+ * EventEmitter.defaultMaxListeners is raised in src/index.ts BEFORE any
+ * imports here, so it's already in effect by the time the SDK loads.
+ */
+export {};

package/dist/cli/index.js

@@ -0,0 +1,196 @@
+#!/usr/bin/env node
+/**
+ * CLI entry point — yargs setup.
+ * EventEmitter.defaultMaxListeners is raised in src/index.ts BEFORE any
+ * imports here, so it's already in effect by the time the SDK loads.
+ */
+import { EventEmitter } from "events";
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+// Belt-and-braces — also raise it here in case the CLI is run directly
+// (e.g. `node dist/cli/index.js` rather than via dist/index.js).
+EventEmitter.defaultMaxListeners = 100;
+import { cmdInit, cmdIdentityShow, cmdPeersList, cmdIpamAssign, cmdGrant, cmdRevoke, cmdResolve, cmdStatus, cmdUp, cmdAuditLog, cmdFriendRequest, cmdFriendAccept, cmdFriendsList, cmdProxyEnable, cmdProxyDisable, cmdProxyStatus, cmdProxyAllowHost, cmdProxyRevokeHost, cmdProxyListHosts, cmdProxyUse, cmdDoraEnable, cmdDoraDisable, cmdDoraStatus, cmdDiag, cmdDnsInstall, cmdDnsHosts, } from "./commands.js";
+async function main() {
+    await yargs(hideBin(process.argv))
+        .scriptName("agentnet")
+        .usage("Usage: $0 <command> [options]")
+        .command("init", "Initialize ~/.agentnet directory", (y) => y
+        .option("name", { type: "string", describe: "Node name" })
+        .option("config-dir", { type: "string", describe: "Config directory" }), async (argv) => {
+        await cmdInit({ name: argv.name, configDir: argv["config-dir"] });
+    })
+        .command("identity show", "Display Carrier identity", (y) => y.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdIdentityShow({ configDir: argv["config-dir"] });
+    })
+        .command("peers list", "List configured peers", (y) => y.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdPeersList({ configDir: argv["config-dir"] });
+    })
+        .command("ipam assign", "Register peer with virtual IP", (y) => y
+        .option("peer", { type: "string", demandOption: true, describe: "Carrier ID" })
+        .option("ip", { type: "string", describe: "Virtual IP (auto if omitted)" })
+        .option("name", { type: "string", demandOption: true, describe: "Hostname" })
+        .option("service", {
+        type: "array",
+        string: true,
+        describe: "Service spec (name:proto:port)",
+    })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdIpamAssign({
+            peer: argv.peer,
+            ip: argv.ip,
+            name: argv.name,
+            services: argv.service,
+            configDir: argv["config-dir"],
+        });
+    })
+        .command("grant", "Grant access to a peer", (y) => y
+        .option("peer", { type: "string", demandOption: true })
+        .option("tcp", { type: "array", number: true, describe: "TCP ports" })
+        .option("udp", { type: "array", number: true, describe: "UDP ports" })
+        .option("expires", { type: "string", describe: "Duration (1h, 24h, 7d)" })
+        .option("purpose", { type: "string" })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdGrant({
+            peer: argv.peer,
+            tcp: argv.tcp,
+            udp: argv.udp,
+            expires: argv.expires,
+            purpose: argv.purpose,
+            configDir: argv["config-dir"],
+        });
+    })
+        .command("revoke", "Revoke access from a peer", (y) => y
+        .option("peer", { type: "string", demandOption: true })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdRevoke({ peer: argv.peer, configDir: argv["config-dir"] });
+    })
+        .command("resolve <name>", "Resolve hostname to virtual IP", (y) => y
+        .positional("name", { type: "string", demandOption: true })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdResolve({ name: argv.name, configDir: argv["config-dir"] });
+    })
+        .command("status", "Show daemon status", (y) => y.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdStatus({ configDir: argv["config-dir"] });
+    })
+        .command("diag", "Query the running daemon over IPC for a JSON snapshot of its runtime state (stats, friends, IPAM)", (y) => y.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdDiag({ configDir: argv["config-dir"] });
+    })
+        .command("dns", "Manage OS-side DNS resolver wiring for the .decent zone", (y) => y
+        .command("install", "Route .decent queries to the local daemon (writes /etc/resolver on macOS or resolvectl on Linux)", (yy) => yy
+        .option("uninstall", { type: "boolean", default: false, describe: "Remove the resolver config" })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdDnsInstall({ uninstall: argv.uninstall, configDir: argv["config-dir"] });
+    })
+        .command("hosts", "Print /etc/hosts-format entries for the current peer roster", (yy) => yy.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdDnsHosts({ configDir: argv["config-dir"] });
+    })
+        .demandCommand(1, "Specify a dns subcommand (run 'agentnet dns --help')"), () => {
+        // parent handler — never invoked because demandCommand
+    })
+        .command("up", "Start the daemon", (y) => y
+        .option("name", { type: "string" })
+        .option("real-tun", {
+        type: "boolean",
+        default: false,
+        describe: "Use real TUN (needs root)",
+    })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdUp({
+            name: argv.name,
+            realTun: argv["real-tun"],
+            configDir: argv["config-dir"],
+        });
+    })
+        .command("friend-request", "Send a friend request (run while daemon is down)", (y) => y
+        .option("address", { type: "string", demandOption: true, describe: "Recipient Carrier address" })
+        .option("hello", { type: "string", describe: "Greeting message" })
+        .option("wait-ms", { type: "number", default: 8000, describe: "Wait time for relay delivery" })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdFriendRequest({
+            address: argv.address,
+            hello: argv.hello,
+            waitMs: argv["wait-ms"],
+            configDir: argv["config-dir"],
+        });
+    })
+        .command("friend-accept", "Accept a friend request (run while daemon is down)", (y) => y
+        .option("pubkey", { type: "string", describe: "Sender pubkey (omit with --wait to receive interactively)" })
+        .option("wait", { type: "boolean", default: false, describe: "Wait for incoming request" })
+        .option("wait-ms", { type: "number", default: 120000, describe: "Time to wait for request (ms)" })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdFriendAccept({
+            pubkey: argv.pubkey,
+            waitForRequest: argv.wait,
+            waitMs: argv["wait-ms"],
+            configDir: argv["config-dir"],
+        });
+    })
+        .command("friends list", "List Carrier friends", (y) => y.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdFriendsList({ configDir: argv["config-dir"] });
+    })
+        .command("audit log", "View audit log", (y) => y.option("tail", { type: "number", default: 50 }).option("config-dir", { type: "string" }), async (argv) => {
+        await cmdAuditLog({ tail: argv.tail, configDir: argv["config-dir"] });
+    })
+        // Proxy commands — nested under a single `proxy` command so yargs
+        // builds a proper subcommand tree. Without nesting, the dotted form
+        // "proxy enable" / "proxy use" collides and the last-registered
+        // subcommand swallows the others.
+        .command("proxy", "Manage the built-in CONNECT proxy (run 'agentnet proxy --help')", (y) => y
+        .command("enable", "Enable the built-in CONNECT proxy on this node", (yy) => yy
+        .option("port", { type: "number", default: 8888, describe: "Listener TCP port" })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdProxyEnable({ port: argv.port, configDir: argv["config-dir"] });
+    })
+        .command("disable", "Disable the built-in CONNECT proxy on this node", (yy) => yy.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdProxyDisable({ configDir: argv["config-dir"] });
+    })
+        .command("status", "Show proxy configuration", (yy) => yy.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdProxyStatus({ configDir: argv["config-dir"] });
+    })
+        .command("allow-host <host>", "Add a host glob to the CONNECT allowlist (e.g. '*.binance.com')", (yy) => yy
+        .positional("host", { type: "string", demandOption: true })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdProxyAllowHost({ host: argv.host, configDir: argv["config-dir"] });
+    })
+        .command("revoke-host <host>", "Remove a host glob from the CONNECT allowlist", (yy) => yy
+        .positional("host", { type: "string", demandOption: true })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdProxyRevokeHost({ host: argv.host, configDir: argv["config-dir"] });
+    })
+        .command("list-hosts", "List the CONNECT host allowlist", (yy) => yy.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdProxyListHosts({ configDir: argv["config-dir"] });
+    })
+        .command("use", "Print env vars to route HTTPS via a peer's proxy node", (yy) => yy
+        .option("peer", { type: "string", demandOption: true, describe: "Peer name or carrier ID" })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdProxyUse({ peer: argv.peer, configDir: argv["config-dir"] });
+    })
+        .demandCommand(1, "Specify a proxy subcommand (run 'agentnet proxy --help')"), () => {
+        // parent handler — never invoked because demandCommand above
+    })
+        .command("dora", "Manage the dora (DHCP-style) registry integration (run 'agentnet dora --help')", (y) => y
+        .command("enable", "Enable dora and register a server's Carrier userid", (yy) => yy
+        .option("userid", { type: "string", demandOption: true, describe: "Dora server's Carrier userid" })
+        .option("config-dir", { type: "string" }), async (argv) => {
+        await cmdDoraEnable({ userid: argv.userid, configDir: argv["config-dir"] });
+    })
+        .command("disable", "Disable dora integration (keep configured server list)", (yy) => yy.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdDoraDisable({ configDir: argv["config-dir"] });
+    })
+        .command("status", "Show dora configuration", (yy) => yy.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdDoraStatus({ configDir: argv["config-dir"] });
+    })
+        .demandCommand(1, "Specify a dora subcommand (run 'agentnet dora --help')"), () => {
+        // parent handler — never invoked because demandCommand above
+    })
+        .demandCommand(1, "Please specify a command. Run with --help for usage.")
+        .help()
+        .alias("help", "h")
+        .strict()
+        .parse();
+}
+main().catch((error) => {
+    console.error("Error:", error.message);
+    process.exit(1);
+});

package/dist/config/loader.d.ts

@@ -0,0 +1,10 @@
+import type { DecentAgentNetConfig } from "../types.js";
+export declare class ConfigLoader {
+    static defaultConfigPath(): string;
+    static defaultConfigDir(): string;
+    static load(filePath?: string): Promise<DecentAgentNetConfig>;
+    static loadOrCreateDefault(nodeName: string, configDir?: string): Promise<DecentAgentNetConfig>;
+    static createDefault(nodeName: string, configDir?: string): DecentAgentNetConfig;
+    static save(config: DecentAgentNetConfig, filePath?: string): Promise<void>;
+    private static normalizeConfig;
+}

package/dist/config/loader.js

@@ -0,0 +1,152 @@
+import { readFileSync } from "fs";
+import { resolve, dirname } from "path";
+import { mkdirSync } from "fs";
+import { homedir } from "os";
+import yaml from "js-yaml";
+const DEFAULT_CONFIG_DIR = resolve(homedir(), ".agentnet");
+const DEFAULT_CONFIG_FILE = resolve(DEFAULT_CONFIG_DIR, "config.yaml");
+// Production bootstrap nodes (Carrier Native SDK 1.8.x compatible)
+// Mirrored from peer SDK's legacy-bootstraps.mjs
+// 45.207.220.155 omitted — observed timing out repeatedly during testing,
+// causing relay#2 to flap which knocks the friend connection offline.
+const DEFAULT_BOOTSTRAP_NODES = [
+    { host: "47.100.103.201", port: 33445, pk: "CX1XH419p4xJ5SV4KvDxBeKYSRdMJW9QpdWJY8owUxHd" },
+    { host: "154.64.235.176", port: 33445, pk: "GdNtV2N74fZnLjhH7NhQ18nGdxb1k8jRM9dQaK7WnxmL" },
+    { host: "52.83.171.135", port: 443, pk: "5tuHgK1Q4CYf4K5PutsEPK5E3Z7cbtEBdx7LwmdzqXHL" },
+    { host: "52.83.191.228", port: 33445, pk: "3khtxZo89SBScAMaHhTvD68pPHiKxgZT6hTCSZZVgNEm" },
+    { host: "13.58.208.50", port: 33445, pk: "89vny8MrKdDKs7Uta9RdVmspPjnRMdwMmaiEW27pZ7gh" },
+    { host: "18.216.102.47", port: 33445, pk: "G5z8MqiNDFTadFUPfMdYsYtkUDbX5mNCMVHMZtsCnFeb" },
+    { host: "18.216.6.197", port: 33445, pk: "H8sqhRrQuJZ6iLtP2wanxt4LzdNrN2NNFnpPdq1uJ9n2" },
+    { host: "54.193.141.205", port: 33445, pk: "7TfZWZNV8vnBxxWzJXuvKgX2QyKkLpg2oXx3LQ5tg8LW" },
+    { host: "52.74.215.181", port: 33445, pk: "Xv6d34WaUw9bPn7YihzVAFw7D2igbQJZ3jwmzzfYVFV" },
+];
+const DEFAULT_EXPRESS_NODES = [
+    { host: "lens.beagle.chat", port: 443, pk: "ECbs4GxwGzxGerNkmqDJFibEmevu8jAXqAZtikccvD95" },
+];
+export class ConfigLoader {
+    static defaultConfigPath() {
+        return DEFAULT_CONFIG_FILE;
+    }
+    static defaultConfigDir() {
+        return DEFAULT_CONFIG_DIR;
+    }
+    static async load(filePath) {
+        const path = filePath || DEFAULT_CONFIG_FILE;
+        try {
+            const content = readFileSync(path, "utf-8");
+            const config = yaml.load(content);
+            return this.normalizeConfig(config);
+        }
+        catch (error) {
+            if (error instanceof Error &&
+                error.message.includes("ENOENT")) {
+                throw new Error(`Config file not found: ${path}. Run 'agentnet init' first.`);
+            }
+            throw error;
+        }
+    }
+    static async loadOrCreateDefault(nodeName, configDir) {
+        const dir = configDir || DEFAULT_CONFIG_DIR;
+        const filePath = resolve(dir, "config.yaml");
+        try {
+            return await this.load(filePath);
+        }
+        catch {
+            return this.createDefault(nodeName, dir);
+        }
+    }
+    static createDefault(nodeName, configDir) {
+        const dir = configDir || DEFAULT_CONFIG_DIR;
+        return {
+            node: {
+                name: nodeName,
+                namespace: "agentnet-main",
+            },
+            carrier: {
+                // Isolated from other Carrier-using apps (Beagle, OpenClaw, etc.)
+                // by default. User can point at a shared identity by editing the config.
+                dataDir: resolve(dir, "carrier"),
+                bootstrapNodes: DEFAULT_BOOTSTRAP_NODES,
+                expressNodes: DEFAULT_EXPRESS_NODES,
+            },
+            network: {
+                interface: "agentnet0",
+                ip: "10.86.1.10",
+                subnet: "10.86.0.0/16",
+                // .decent is the canonical TLD for the Decent Network's
+                // private virtual LAN. Existing configs with `dnsDomain:
+                // agentnet` keep working since `ConfigLoader.load` preserves
+                // whatever's on disk — only new `agentnet init` runs pick
+                // this up.
+                dnsDomain: "decent",
+                // 5353 is the mDNS convention and collides with avahi /
+                // mDNSResponder / openclaw-gateway on a lot of boxes. 5354
+                // is adjacent and routinely free.
+                dnsPort: 5354,
+            },
+            paths: {
+                ipamFile: resolve(dir, "ipam.yaml"),
+                policyFile: resolve(dir, "policy.yaml"),
+                auditLog: resolve(dir, "audit.log"),
+            },
+            // Proxy is opt-in. Off by default; `agentnet proxy enable` flips it on.
+            proxy: {
+                enabled: false,
+                port: 8888,
+            },
+            // Auto-accept incoming friend requests by default. The Carrier
+            // network is already a friend network — if you don't want a peer,
+            // don't share your address with them. Disable with
+            // `friends.autoAccept: false` for stricter control.
+            friends: {
+                autoAccept: true,
+            },
+            // Dora integration is opt-in. Leave userids empty to fall back to
+            // manual ipam.yaml mode. Once a dora server's userid is added,
+            // the daemon registers itself on startup and pulls the roster.
+            dora: {
+                enabled: false,
+                userids: [],
+                refreshIntervalMs: 60_000,
+            },
+        };
+    }
+    static async save(config, filePath) {
+        const path = filePath || DEFAULT_CONFIG_FILE;
+        const dir = dirname(path);
+        // Create directory if it doesn't exist
+        mkdirSync(dir, { recursive: true });
+        const content = yaml.dump(config, { lineWidth: -1 });
+        const fs = await import("fs/promises");
+        await fs.writeFile(path, content, "utf-8");
+    }
+    static normalizeConfig(config) {
+        const defaults = this.createDefault("unnamed-node");
+        return {
+            node: {
+                name: config.node?.name || defaults.node.name,
+                namespace: config.node?.namespace || defaults.node.namespace,
+            },
+            carrier: {
+                dataDir: config.carrier?.dataDir || defaults.carrier.dataDir,
+                bootstrapNodes: config.carrier?.bootstrapNodes || defaults.carrier.bootstrapNodes,
+                expressNodes: config.carrier?.expressNodes || defaults.carrier.expressNodes,
+            },
+            network: {
+                interface: config.network?.interface || defaults.network.interface,
+                ip: config.network?.ip || defaults.network.ip,
+                subnet: config.network?.subnet || defaults.network.subnet,
+                dnsDomain: config.network?.dnsDomain || defaults.network.dnsDomain,
+                dnsPort: config.network?.dnsPort || defaults.network.dnsPort,
+            },
+            paths: {
+                ipamFile: config.paths?.ipamFile || defaults.paths.ipamFile,
+                policyFile: config.paths?.policyFile || defaults.paths.policyFile,
+                auditLog: config.paths?.auditLog || defaults.paths.auditLog,
+            },
+            proxy: config.proxy ?? defaults.proxy,
+            friends: config.friends ?? defaults.friends,
+            dora: config.dora ?? defaults.dora,
+        };
+    }
+}

package/dist/daemon/index.d.ts

@@ -0,0 +1 @@
+export { DaemonServer, type DaemonOptions } from "./server.js";

package/dist/daemon/index.js

@@ -0,0 +1 @@
+export { DaemonServer } from "./server.js";

package/dist/daemon/ipc.d.ts

@@ -0,0 +1,60 @@
+/**
+ * IPC server — Unix-domain-socket bridge so the CLI can drive the
+ * running daemon's Carrier identity without spawning a second Peer.
+ *
+ * Why: the daemon owns the keypair while it's up. A `node dist/cli
+ * friend-request` call from the same user previously opened its own
+ * Peer with the same keyfile, which stomped on the daemon's Carrier
+ * session (racy session-establishment, duplicate handshake bursts,
+ * and "Replacing stale session" cascades). The CLI guard now
+ * refuses, but that leaves the operator with no way to ask the
+ * running daemon "please send a friend-request to <address>" — this
+ * IPC closes that loop.
+ *
+ * Protocol: newline-delimited JSON. One request per connection, one
+ * response, then both sides close. Keeping it one-shot avoids
+ * dealing with multiplexing or reconnect logic for v0.1.
+ *
+ * Socket location: <dataDir>/daemon.sock — same directory as the
+ * pidfile. Permissions are loosened to 0666 so the user's CLI can
+ * connect when the daemon ran via sudo (otherwise the socket is
+ * root-owned). That's acceptable for a single-user box; multi-user
+ * hardening can come later via SO_PEERCRED filtering.
+ */
+export interface IpcHandlers {
+    /** Send a friend-request via the daemon's Carrier peer. Returns
+     *  void on success or throws on failure (CLI surfaces the message). */
+    friendRequest: (address: string, hello?: string) => Promise<void>;
+    /** Return a JSON-friendly snapshot of the daemon's runtime state.
+     *  Used by `agentnet diag` to inspect a live daemon without
+     *  restarting it with AGENTNET_LOG_LEVEL=debug. */
+    diag: () => Promise<Record<string, unknown>>;
+}
+export interface IpcRequest {
+    op: "friend-request" | "ping" | "diag";
+    address?: string;
+    hello?: string;
+}
+export interface IpcResponseOk {
+    ok: true;
+    data?: Record<string, unknown>;
+}
+export interface IpcResponseErr {
+    ok: false;
+    error: string;
+}
+export type IpcResponse = IpcResponseOk | IpcResponseErr;
+export declare class IpcServer {
+    private socketPath;
+    private handlers;
+    private server?;
+    private logger;
+    constructor(socketPath: string, handlers: IpcHandlers);
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    private handleConnection;
+    private dispatch;
+}
+/** Derive the socket path that pairs with a given carrier data dir.
+ *  Kept as a one-liner helper so daemon and client agree. */
+export declare function ipcSocketPath(dataDir: string): string;

package/dist/daemon/ipc.js

@@ -0,0 +1,144 @@
+/**
+ * IPC server — Unix-domain-socket bridge so the CLI can drive the
+ * running daemon's Carrier identity without spawning a second Peer.
+ *
+ * Why: the daemon owns the keypair while it's up. A `node dist/cli
+ * friend-request` call from the same user previously opened its own
+ * Peer with the same keyfile, which stomped on the daemon's Carrier
+ * session (racy session-establishment, duplicate handshake bursts,
+ * and "Replacing stale session" cascades). The CLI guard now
+ * refuses, but that leaves the operator with no way to ask the
+ * running daemon "please send a friend-request to <address>" — this
+ * IPC closes that loop.
+ *
+ * Protocol: newline-delimited JSON. One request per connection, one
+ * response, then both sides close. Keeping it one-shot avoids
+ * dealing with multiplexing or reconnect logic for v0.1.
+ *
+ * Socket location: <dataDir>/daemon.sock — same directory as the
+ * pidfile. Permissions are loosened to 0666 so the user's CLI can
+ * connect when the daemon ran via sudo (otherwise the socket is
+ * root-owned). That's acceptable for a single-user box; multi-user
+ * hardening can come later via SO_PEERCRED filtering.
+ */
+import { createServer } from "net";
+import { chmodSync, existsSync, unlinkSync } from "fs";
+import { Logger } from "../utils/logger.js";
+export class IpcServer {
+    socketPath;
+    handlers;
+    server;
+    logger;
+    constructor(socketPath, handlers) {
+        this.socketPath = socketPath;
+        this.handlers = handlers;
+        this.logger = new Logger({ prefix: "IPC" });
+    }
+    async start() {
+        // A stale socket from a previously-crashed daemon will make
+        // listen() throw EADDRINUSE — unlink it first. Pidfile-guard
+        // already ensures no LIVE daemon is running, so deletion is safe.
+        if (existsSync(this.socketPath)) {
+            try {
+                unlinkSync(this.socketPath);
+            }
+            catch (err) {
+                this.logger.warn(`Could not remove stale socket ${this.socketPath}: ${err}`);
+            }
+        }
+        this.server = createServer((sock) => this.handleConnection(sock));
+        await new Promise((resolve, reject) => {
+            this.server.once("error", reject);
+            this.server.listen(this.socketPath, () => {
+                this.server.off("error", reject);
+                resolve();
+            });
+        });
+        // 0666 so non-root CLI can reach a sudo-launched daemon. SO_PEERCRED
+        // / SO_PEEREID would be a tighter filter, but for v0.1 the trust
+        // boundary is "anyone with shell access to this box".
+        try {
+            chmodSync(this.socketPath, 0o666);
+        }
+        catch (err) {
+            this.logger.warn(`chmod ${this.socketPath}: ${err}`);
+        }
+        this.logger.info(`Listening on ${this.socketPath}`);
+    }
+    async stop() {
+        if (!this.server)
+            return;
+        await new Promise((resolve) => {
+            this.server.close(() => resolve());
+        });
+        this.server = undefined;
+        try {
+            if (existsSync(this.socketPath))
+                unlinkSync(this.socketPath);
+        }
+        catch {
+            // best-effort
+        }
+    }
+    handleConnection(sock) {
+        let buf = "";
+        let handled = false;
+        const reply = (res) => {
+            try {
+                sock.write(JSON.stringify(res) + "\n");
+            }
+            catch {
+                // socket may have closed; nothing to do
+            }
+            sock.end();
+        };
+        sock.on("data", (chunk) => {
+            if (handled)
+                return;
+            buf += chunk.toString("utf-8");
+            const nl = buf.indexOf("\n");
+            if (nl < 0)
+                return; // wait for full line
+            handled = true;
+            const line = buf.slice(0, nl);
+            let req;
+            try {
+                req = JSON.parse(line);
+            }
+            catch {
+                reply({ ok: false, error: "malformed request (not JSON)" });
+                return;
+            }
+            void this.dispatch(req)
+                .then((data) => reply({ ok: true, ...(data ? { data } : {}) }))
+                .catch((err) => reply({ ok: false, error: err instanceof Error ? err.message : String(err) }));
+        });
+        sock.on("error", (err) => {
+            // Common during shutdown — log at debug, don't propagate.
+            this.logger.debug(`socket error: ${err.message}`);
+        });
+    }
+    async dispatch(req) {
+        switch (req.op) {
+            case "ping":
+                return { pong: true };
+            case "friend-request": {
+                if (!req.address)
+                    throw new Error("address is required");
+                await this.handlers.friendRequest(req.address, req.hello);
+                return;
+            }
+            case "diag":
+                return await this.handlers.diag();
+            default:
+                throw new Error(`unknown op: ${req.op}`);
+        }
+    }
+}
+/** Derive the socket path that pairs with a given carrier data dir.
+ *  Kept as a one-liner helper so daemon and client agree. */
+export function ipcSocketPath(dataDir) {
+    // Node's net.listen on Unix sockets supports paths up to ~104 bytes
+    // on macOS; <dataDir>/daemon.sock fits comfortably for sane homedirs.
+    return `${dataDir.replace(/\/+$/, "")}/daemon.sock`;
+}

package/dist/daemon/server.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Daemon Server — wires together all components
+ */
+import { PeerManager } from "../carrier/peer-manager.js";
+import { Ipam } from "../ipam/ipam.js";
+import { DnsResolver } from "../dns/resolver.js";
+import { AuditLog } from "../acl/audit.js";
+import { AclEngine } from "../acl/acl-engine.js";
+import { PacketRouter } from "../router/packet-router.js";
+import { ConnectProxy } from "../proxy/connect-proxy.js";
+import { DoraIntegration } from "../dora/dora-integration.js";
+import type { DecentAgentNetConfig, DaemonStatus } from "../types.js";
+export interface DaemonOptions {
+    config: DecentAgentNetConfig;
+    configDir?: string;
+    useMockTun?: boolean;
+}
+export declare class DaemonServer {
+    private config;
+    private useMockTun;
+    private logger;
+    private peerManager?;
+    private tunDevice?;
+    private routeManager?;
+    private ipam?;
+    private dnsResolver?;
+    private policy?;
+    private auditLog?;
+    private aclEngine?;
+    private packetRouter?;
+    private connectProxy?;
+    private doraIntegration?;
+    private ipcServer?;
+    private dnsServer?;
+    private startedAt;
+    private isRunning;
+    private pidFile?;
+    constructor(opts: DaemonOptions);
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    getStatus(): DaemonStatus;
+    /**
+     * Periodically poke the SDK to (re-)initiate a session with the friend.
+     * This works around the asymmetric friendOnline issue: without this,
+     * one side may never spontaneously try to talk to the other and the
+     * friend stays perpetually offline.
+     */
+    private kickSessionForever;
+    /**
+     * Repeatedly call waitForFriendConnected for the given peer until the
+     * daemon is stopped. Logs ONLINE/OFFLINE transitions.
+     */
+    private probeFriendForever;
+    getPeerManager(): PeerManager | undefined;
+    getIpam(): Ipam | undefined;
+    getDnsResolver(): DnsResolver | undefined;
+    getAclEngine(): AclEngine | undefined;
+    getAuditLog(): AuditLog | undefined;
+    getPacketRouter(): PacketRouter | undefined;
+    getConnectProxy(): ConnectProxy | undefined;
+    getDoraIntegration(): DoraIntegration | undefined;
+    private cleanup;
+}