@decentnetwork/lan 0.1.0

package/dist/daemon/server.js

@@ -0,0 +1,510 @@
+/**
+ * Daemon Server — wires together all components
+ */
+import { resolve } from "path";
+import { existsSync, readFileSync, writeFileSync, unlinkSync } from "fs";
+import { PeerManager } from "../carrier/peer-manager.js";
+import { TunDevice } from "../tun/tun-device.js";
+import { RouteManager } from "../tun/route-manager.js";
+import { Ipam } from "../ipam/ipam.js";
+import { DnsResolver } from "../dns/resolver.js";
+import { Policy } from "../acl/policy.js";
+import { AuditLog } from "../acl/audit.js";
+import { AclEngine } from "../acl/acl-engine.js";
+import { PacketRouter } from "../router/packet-router.js";
+import { ConnectProxy } from "../proxy/connect-proxy.js";
+import { DoraIntegration } from "../dora/dora-integration.js";
+import { DnsServer } from "../dns/server.js";
+import { IpcServer, ipcSocketPath } from "./ipc.js";
+import { Logger } from "../utils/logger.js";
+export class DaemonServer {
+    config;
+    useMockTun;
+    logger;
+    // Components
+    peerManager;
+    tunDevice;
+    routeManager;
+    ipam;
+    dnsResolver;
+    policy;
+    auditLog;
+    aclEngine;
+    packetRouter;
+    connectProxy;
+    doraIntegration;
+    ipcServer;
+    dnsServer;
+    startedAt = 0;
+    isRunning = false;
+    pidFile;
+    constructor(opts) {
+        this.config = opts.config;
+        this.useMockTun = opts.useMockTun ?? true; // Default to mock; override for production
+        this.logger = new Logger({ prefix: "Daemon" });
+    }
+    async start() {
+        if (this.isRunning) {
+            throw new Error("Daemon already running");
+        }
+        // Reject a second instance for the same identity. Two daemons using
+        // the same keypair race on Carrier session establishment, fight over
+        // the TUN interface, and produce a stream of "Replacing stale session"
+        // messages with no useful outcome. Use a pidfile next to the keypair
+        // so the check is keyed by identity, not by config dir.
+        this.pidFile = resolve(this.config.carrier.dataDir, "daemon.pid");
+        if (existsSync(this.pidFile)) {
+            const oldPid = parseInt(readFileSync(this.pidFile, "utf-8").trim(), 10);
+            if (oldPid && oldPid !== process.pid && isProcessAlive(oldPid)) {
+                throw new Error(`Another decentlan daemon (pid ${oldPid}) is already running for this identity ` +
+                    `(${this.pidFile}). Stop it first, or remove the pidfile if you're sure it's stale.`);
+            }
+            // Stale pidfile (process gone) — clear it.
+        }
+        try {
+            writeFileSync(this.pidFile, String(process.pid), "utf-8");
+        }
+        catch (err) {
+            this.logger.warn(`Could not write pidfile ${this.pidFile}: ${err}`);
+        }
+        this.logger.info(`Starting daemon (node: ${this.config.node.name})`);
+        this.startedAt = Date.now();
+        try {
+            // 1. Load IPAM
+            this.ipam = await Ipam.loadOrCreate(this.config.paths.ipamFile, this.config.node.namespace);
+            this.logger.info(`IPAM loaded: ${this.ipam.getPeers().length} peers`);
+            // 2. Load DNS resolver
+            this.dnsResolver = new DnsResolver(this.ipam, this.config.network.dnsDomain);
+            // 3. Load policy + audit
+            this.policy = await Policy.loadOrCreate(this.config.paths.policyFile);
+            this.auditLog = new AuditLog(this.config.paths.auditLog);
+            // 4. ACL engine
+            this.aclEngine = new AclEngine({
+                policy: this.policy,
+                ipam: this.ipam,
+                auditLog: this.auditLog,
+            });
+            // 5. Carrier peer manager — started BEFORE TUN so that an
+            // optional dora registration can decide our IP.
+            const keyFile = resolve(this.config.carrier.dataDir, "keypair.json");
+            this.peerManager = new PeerManager();
+            // Daemon does NOT use express nodes. Express is the offline-message
+            // store-and-forward relay — appropriate for friend-request delivery
+            // (peer might be offline) but not for live packet forwarding (peer
+            // must be online; we drop packets via SessionManager.isFriendOnline).
+            // Passing empty array prevents the SDK from falling back to express.
+            await this.peerManager.create({
+                keyFile,
+                bootstrapNodes: this.config.carrier.bootstrapNodes,
+                expressNodes: [],
+            });
+            await this.peerManager.start();
+            this.logger.info(`Identity: ${this.peerManager.getAddress()}`);
+            // Start IPC as soon as the peer is up. The CLI uses it to drive
+            // operations that need the daemon's Carrier identity (e.g.
+            // friend-request) without spawning a competing Peer instance.
+            this.ipcServer = new IpcServer(ipcSocketPath(this.config.carrier.dataDir), {
+                friendRequest: async (address, hello) => {
+                    await this.peerManager.sendFriendRequest(address, hello);
+                },
+                diag: async () => {
+                    // Snapshot of everything an operator needs to debug why
+                    // packets aren't moving: forwarding counters, friend
+                    // connectivity, IPAM-resolved peers, dora-allocated IP.
+                    const router = this.packetRouter;
+                    const stats = router ? router.getStats() : null;
+                    const peers = this.peerManager?.getFriends() ?? [];
+                    const ipamPeers = (this.ipam?.getPeers() ?? []).map((p) => ({
+                        name: p.name,
+                        virtualIp: p.virtualIp,
+                        carrierId: p.carrierId,
+                    }));
+                    return {
+                        identity: this.peerManager?.getIdentity(),
+                        tun: this.tunDevice?.getConfig(),
+                        allocatedIp: this.doraIntegration?.getAllocatedIp() ?? this.config.network.ip,
+                        dns: this.dnsServer
+                            ? { domain: this.dnsServer.getDomain(), port: this.dnsServer.getBoundPort() }
+                            : null,
+                        stats,
+                        friends: peers.map((f) => ({
+                            pubkey: f.pubkey,
+                            carrierId: f.carrierId,
+                            name: f.name,
+                            status: f.status,
+                        })),
+                        ipam: ipamPeers,
+                    };
+                },
+            });
+            await this.ipcServer.start();
+            // 6. Optional dora (DHCP-style) registration. When enabled and the
+            // server is reachable, dora hands us a virtual IP and tells us
+            // who else is on the network — eliminating the manual ipam.yaml
+            // sync between operators. On any failure we fall through to the
+            // IP already loaded from config + ipam.yaml.
+            let tunIp = this.config.network.ip;
+            if (this.config.dora?.enabled && (this.config.dora.userids?.length ?? 0) > 0) {
+                // Need to be on the Carrier network before dora can talk to its
+                // server. Wait synchronously here — without joinNetwork the
+                // first sendText will fail with "no transport".
+                await this.peerManager.joinNetwork();
+                await this.peerManager.announceSelf(15000).catch((err) => {
+                    this.logger.warn(`announceSelf during dora bootstrap failed: ${err}`);
+                });
+                this.doraIntegration = new DoraIntegration({
+                    config: this.config.dora,
+                    peerManager: this.peerManager,
+                    ipam: this.ipam,
+                    nodeName: this.config.node.name,
+                    preferredIp: this.config.network.ip,
+                });
+                const doraIp = await this.doraIntegration.bootstrap();
+                if (doraIp && doraIp !== tunIp) {
+                    this.logger.info(`Dora-allocated IP ${doraIp} (was ${tunIp})`);
+                    tunIp = doraIp;
+                }
+            }
+            // 7. Setup TUN device + routing using the (possibly dora-allocated) IP.
+            this.routeManager = new RouteManager();
+            this.tunDevice = new TunDevice({
+                config: {
+                    name: this.config.network.interface,
+                    ip: tunIp,
+                    subnet: this.config.network.subnet,
+                },
+                mockMode: this.useMockTun,
+            });
+            // In real mode: helper creates the TUN, then we configure IP + route on it.
+            // In mock mode: just open the mock device.
+            await this.tunDevice.open();
+            if (!this.useMockTun) {
+                // Use the actual device name from the helper (e.g. utun12 on macOS,
+                // agentnet0 on Linux) — different from the configured name.
+                const actualName = this.tunDevice.getInterface();
+                await this.routeManager.configureTun({
+                    ...this.tunDevice.getConfig(),
+                    name: actualName,
+                });
+            }
+            // Live friend-request handling. The daemon stays up and accepts
+            // (or just logs) incoming requests — no more `friend-accept --wait`
+            // ceremony where the operator has to stop the daemon. Default is
+            // auto-accept; the Carrier friend store IS the trust boundary, and
+            // requests only reach a peer whose address was deliberately shared.
+            const autoAcceptFriends = this.config.friends?.autoAccept ?? true;
+            this.peerManager.on("friend-request", (req) => {
+                const who = `${req.name || "(unnamed)"} ${req.pubkey.slice(0, 16)}...`;
+                const hello = req.hello ? ` hello="${req.hello.slice(0, 60)}"` : "";
+                if (autoAcceptFriends) {
+                    this.logger.info(`Friend request from ${who}${hello} — auto-accepting`);
+                    this.peerManager?.acceptFriendRequest(req.pubkey).catch((err) => {
+                        this.logger.warn(`Auto-accept failed for ${who}: ${err}`);
+                    });
+                }
+                else {
+                    this.logger.info(`Friend request from ${who}${hello} — NOT auto-accepting ` +
+                        `(friends.autoAccept=false; accept manually later)`);
+                }
+            });
+            // NOTE: auto-IPAM (hash-derived virtual IP per userid) was tried and
+            // reverted — it produced IPs like 10.86.175.35 that conflicted with
+            // peers' own config.network.ip and silently broke the return path
+            // (the original peer kept routing for its configured IP, not the
+            // hash-derived one). A proper fix needs peers to *announce* their
+            // chosen IP over Carrier; until that's built, IPAM stays manual.
+            // Network bootstrap runs in the background so we don't block startup.
+            // Steps: joinNetwork -> announceSelf -> waitForFriendConnected(...) for
+            // each known IPAM peer. The waitForFriendConnected call is what tells
+            // the SDK to actively pursue UDP holepunching for that friend.
+            //
+            // When dora is enabled, joinNetwork + announceSelf already ran
+            // synchronously during dora bootstrap; skip the duplicate calls.
+            const networkAlreadyJoined = !!this.doraIntegration;
+            (async () => {
+                try {
+                    if (!networkAlreadyJoined) {
+                        await this.peerManager.joinNetwork();
+                        this.logger.info("Announcing self on DHT");
+                        await this.peerManager.announceSelf(15000);
+                        this.logger.info("Self-announce complete");
+                    }
+                    // Trigger friend connection for every known peer in IPAM —
+                    // but skip our own entry (operators ship a single canonical
+                    // IPAM file to every node, so self appears in the list).
+                    // Probing yourself loops forever logging "self is OFFLINE".
+                    const myUserid = this.peerManager.getPubkey();
+                    const peers = this.ipam.getPeers().filter((p) => p.carrierId !== myUserid);
+                    if (peers.length > 0) {
+                        this.logger.info(`Probing ${peers.length} IPAM peer(s) for online status...`);
+                        for (const p of peers) {
+                            this.kickSessionForever(p.carrierId, p.name);
+                            this.probeFriendForever(p.carrierId, p.name, p.virtualIp);
+                        }
+                    }
+                }
+                catch (err) {
+                    this.logger.warn("Network bootstrap failed:", err);
+                }
+            })();
+            // 7. Packet router
+            this.packetRouter = new PacketRouter({
+                tunDevice: this.tunDevice,
+                peerManager: this.peerManager,
+                ipam: this.ipam,
+                acl: this.aclEngine,
+            });
+            await this.packetRouter.start();
+            // 7b. In-process DNS server. Answers A/PTR for *.{dnsDomain}
+            // (default .decent) from the same IPAM dora populates; forwards
+            // everything else to the system upstream.
+            //
+            // Bind address: 0.0.0.0 (all interfaces). A socket bound to a
+            // specific interface IP only sees packets that arrive on that
+            // interface; on macOS the kernel routes 10.86.1.11 → lo0 for
+            // self-queries, so /etc/resolver/<domain> pointed at the TUN
+            // IP would NXDOMAIN locally. Binding on 0.0.0.0 makes the
+            // resolver work both for local queries (via 127.0.0.1 / TUN
+            // IP from the same host) and for peers on the virtual LAN.
+            // Auto-fallback in DnsServer dodges port collisions
+            // (mDNSResponder, Bonjour, openclaw-gateway all hold :5353 on
+            // 0.0.0.0; we land on 5354 in practice).
+            if (!this.useMockTun) {
+                this.dnsServer = new DnsServer({
+                    ipam: this.ipam,
+                    domain: this.config.network.dnsDomain,
+                    port: this.config.network.dnsPort,
+                    bindAddress: "0.0.0.0",
+                });
+                try {
+                    await this.dnsServer.start();
+                }
+                catch (err) {
+                    this.logger.warn(`DNS server failed to start on 0.0.0.0:${this.config.network.dnsPort}: ${err instanceof Error ? err.message : err}`);
+                    this.dnsServer = undefined;
+                }
+            }
+            // 8. Optional CONNECT proxy. Only spawned when the operator has
+            // explicitly enabled it via `agentnet proxy enable`. Binds to the
+            // virtual IP so reach is gated by the existing per-peer ACL — we
+            // don't add a second auth layer at the HTTP level.
+            if (this.config.proxy?.enabled) {
+                if (this.useMockTun) {
+                    this.logger.warn("Proxy enabled but daemon is in mock-TUN mode; skipping proxy listener");
+                }
+                else {
+                    this.connectProxy = new ConnectProxy({
+                        bindIp: this.config.network.ip,
+                        port: this.config.proxy.port,
+                        allowHosts: this.config.proxy.allowHosts ?? [],
+                        allowConnectPorts: this.config.proxy.allowConnectPorts,
+                        resolvePeerName: (srcIp) => this.ipam.resolveIp(srcIp)?.name,
+                        onTunnelOpen: ({ src, srcName, target }) => {
+                            this.auditLog.logProxyOpen({ srcIp: src, srcName, target });
+                        },
+                        onTunnelClose: ({ src, srcName, target, bytesTransferred }) => {
+                            this.auditLog.logProxyClose({ srcIp: src, srcName, target, bytesTransferred });
+                        },
+                    });
+                    await this.connectProxy.start();
+                    this.logger.info(`Proxy listening on ${this.config.network.ip}:${this.config.proxy.port}`);
+                }
+            }
+            this.isRunning = true;
+            this.logger.info("Daemon started successfully");
+        }
+        catch (error) {
+            this.logger.error("Failed to start daemon:", error);
+            await this.cleanup();
+            throw error;
+        }
+    }
+    async stop() {
+        if (!this.isRunning)
+            return;
+        this.logger.info("Stopping daemon");
+        this.isRunning = false;
+        await this.cleanup();
+        this.logger.info("Daemon stopped");
+    }
+    getStatus() {
+        return {
+            isRunning: this.isRunning,
+            uptime: this.isRunning ? Date.now() - this.startedAt : 0,
+            version: "0.1.0",
+            identity: this.peerManager?.getIdentity(),
+            tunInterface: this.tunDevice?.getConfig(),
+            peers: this.peerManager?.getFriends() || [],
+            activeSessions: this.packetRouter?.getStats().activeSessions || 0,
+        };
+    }
+    /**
+     * Periodically poke the SDK to (re-)initiate a session with the friend.
+     * This works around the asymmetric friendOnline issue: without this,
+     * one side may never spontaneously try to talk to the other and the
+     * friend stays perpetually offline.
+     */
+    async kickSessionForever(carrierId, name) {
+        while (this.isRunning) {
+            try {
+                await this.peerManager.kickSessionEstablishment(carrierId);
+            }
+            catch (err) {
+                this.logger.debug(`kickSessionEstablishment ${name}: ${err}`);
+            }
+            // 8s cadence — fast enough to retry across cookie/handshake
+            // round-trips, slow enough to avoid hammering the SDK
+            await new Promise((r) => setTimeout(r, 8000));
+        }
+    }
+    /**
+     * Repeatedly call waitForFriendConnected for the given peer until the
+     * daemon is stopped. Logs ONLINE/OFFLINE transitions.
+     */
+    async probeFriendForever(carrierId, name, virtualIp) {
+        let lastState = "unknown";
+        while (this.isRunning) {
+            try {
+                const online = await this.peerManager.waitForFriendConnected(carrierId, 60000);
+                const state = online ? "online" : "offline";
+                if (state !== lastState) {
+                    if (online) {
+                        this.logger.info(`Peer ${name} (${virtualIp}) is ONLINE`);
+                    }
+                    else {
+                        this.logger.info(`Peer ${name} (${virtualIp}) is OFFLINE — will keep probing`);
+                    }
+                    lastState = state;
+                }
+                if (!online) {
+                    // Brief pause before re-probing to avoid tight loop
+                    await new Promise((r) => setTimeout(r, 5000));
+                }
+                else {
+                    // Once online, poll status less aggressively
+                    await new Promise((r) => setTimeout(r, 30000));
+                }
+            }
+            catch (err) {
+                this.logger.debug(`probeFriendForever ${name}: ${err}`);
+                await new Promise((r) => setTimeout(r, 5000));
+            }
+        }
+    }
+    // Component accessors for CLI
+    getPeerManager() {
+        return this.peerManager;
+    }
+    getIpam() {
+        return this.ipam;
+    }
+    getDnsResolver() {
+        return this.dnsResolver;
+    }
+    getAclEngine() {
+        return this.aclEngine;
+    }
+    getAuditLog() {
+        return this.auditLog;
+    }
+    getPacketRouter() {
+        return this.packetRouter;
+    }
+    getConnectProxy() {
+        return this.connectProxy;
+    }
+    getDoraIntegration() {
+        return this.doraIntegration;
+    }
+    async cleanup() {
+        try {
+            if (this.dnsServer) {
+                await this.dnsServer.stop();
+            }
+        }
+        catch (e) {
+            this.logger.warn("Error stopping DNS server:", e);
+        }
+        try {
+            if (this.ipcServer) {
+                await this.ipcServer.stop();
+            }
+        }
+        catch (e) {
+            this.logger.warn("Error stopping IPC server:", e);
+        }
+        try {
+            if (this.doraIntegration) {
+                this.doraIntegration.stop();
+            }
+        }
+        catch (e) {
+            this.logger.warn("Error stopping dora integration:", e);
+        }
+        try {
+            if (this.connectProxy) {
+                await this.connectProxy.stop();
+            }
+        }
+        catch (e) {
+            this.logger.warn("Error stopping proxy:", e);
+        }
+        try {
+            if (this.packetRouter) {
+                await this.packetRouter.stop();
+            }
+        }
+        catch (e) {
+            this.logger.warn("Error stopping router:", e);
+        }
+        try {
+            if (this.peerManager) {
+                await this.peerManager.stop();
+            }
+        }
+        catch (e) {
+            this.logger.warn("Error stopping peer:", e);
+        }
+        try {
+            if (this.tunDevice) {
+                await this.tunDevice.close();
+            }
+        }
+        catch (e) {
+            this.logger.warn("Error closing TUN:", e);
+        }
+        try {
+            if (this.routeManager && !this.useMockTun) {
+                // Use the configured name on Linux (where we created the device),
+                // or the actual utun name on macOS (no-op cleanup since helper exit
+                // handles it). Pass the TUN IP so macOS cleanup also removes
+                // the lo0 self-alias.
+                const ifname = this.tunDevice?.getInterface() || this.config.network.interface;
+                const ip = this.doraIntegration?.getAllocatedIp() ?? this.config.network.ip;
+                await this.routeManager.cleanup(ifname, this.config.network.subnet, ip);
+            }
+        }
+        catch (e) {
+            this.logger.warn("Error cleaning routes:", e);
+        }
+        try {
+            if (this.pidFile && existsSync(this.pidFile)) {
+                unlinkSync(this.pidFile);
+            }
+        }
+        catch {
+            // best-effort; a stale pidfile will be detected on next start
+        }
+    }
+}
+function isProcessAlive(pid) {
+    try {
+        // Signal 0 doesn't actually send anything — it only performs the
+        // permission/existence check. Throws ESRCH if the process is gone.
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/dns/index.d.ts

@@ -0,0 +1 @@
+export { DnsResolver } from "./resolver.js";

package/dist/dns/index.js

@@ -0,0 +1 @@
+export { DnsResolver } from "./resolver.js";

package/dist/dns/resolver.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Local DNS resolver for AgentNet hostnames
+ * Resolves names like "partner-openclaw.agentnet" to virtual IPs
+ */
+import type { Ipam } from "../ipam/ipam.js";
+import type { IpamRecord } from "../types.js";
+export declare class DnsResolver {
+    private ipam;
+    private logger;
+    private domain;
+    constructor(ipam: Ipam, domain?: string);
+    /**
+     * Resolve hostname to IP
+     * Supports:
+     *   - "partner-openclaw.agentnet" -> "10.86.12.34"
+     *   - "10.86.12.34.agentnet" -> "10.86.12.34" (reverse lookup)
+     *   - Carrier ID as hex string
+     */
+    resolve(hostname: string): string | null;
+    /**
+     * Resolve IP to IpamRecord
+     */
+    resolveToRecord(ip: string): IpamRecord | null;
+    /**
+     * Check if hostname is in our domain
+     */
+    isInDomain(hostname: string): boolean;
+    /**
+     * Get all peer entries for listing
+     */
+    getEntries(): Array<{
+        hostname: string;
+        ip: string;
+        carrierId: string;
+    }>;
+    /**
+     * Format a hostname
+     */
+    formatHostname(peerName: string): string;
+    /**
+     * Get domain name
+     */
+    getDomain(): string;
+}

package/dist/dns/resolver.js

@@ -0,0 +1,82 @@
+/**
+ * Local DNS resolver for AgentNet hostnames
+ * Resolves names like "partner-openclaw.agentnet" to virtual IPs
+ */
+import { Logger } from "../utils/logger.js";
+export class DnsResolver {
+    ipam;
+    logger;
+    domain; // e.g., "agentnet"
+    constructor(ipam, domain = "agentnet") {
+        this.ipam = ipam;
+        this.domain = domain;
+        this.logger = new Logger({ prefix: "DnsResolver" });
+    }
+    /**
+     * Resolve hostname to IP
+     * Supports:
+     *   - "partner-openclaw.agentnet" -> "10.86.12.34"
+     *   - "10.86.12.34.agentnet" -> "10.86.12.34" (reverse lookup)
+     *   - Carrier ID as hex string
+     */
+    resolve(hostname) {
+        // Remove .agentnet suffix if present
+        const name = hostname.replace(new RegExp(`\\.${this.domain}$`), "");
+        // Try to resolve by peer name
+        const ipByName = this.ipam.resolveName(name);
+        if (ipByName) {
+            this.logger.debug(`Resolved ${hostname} -> ${ipByName}`);
+            return ipByName;
+        }
+        // Try to resolve by IP directly (reverse lookup)
+        if (/^\d+\.\d+\.\d+\.\d+$/.test(name)) {
+            const record = this.ipam.resolveIp(name);
+            if (record) {
+                this.logger.debug(`Resolved IP ${name} -> ${record.virtualIp}`);
+                return record.virtualIp;
+            }
+        }
+        // Try to resolve by Carrier ID
+        const record = this.ipam.resolveCarrierId(name);
+        if (record) {
+            this.logger.debug(`Resolved Carrier ID ${name} -> ${record.virtualIp}`);
+            return record.virtualIp;
+        }
+        this.logger.debug(`Failed to resolve: ${hostname}`);
+        return null;
+    }
+    /**
+     * Resolve IP to IpamRecord
+     */
+    resolveToRecord(ip) {
+        return this.ipam.resolveIp(ip);
+    }
+    /**
+     * Check if hostname is in our domain
+     */
+    isInDomain(hostname) {
+        return hostname.endsWith(`.${this.domain}`) || !hostname.includes(".");
+    }
+    /**
+     * Get all peer entries for listing
+     */
+    getEntries() {
+        return this.ipam.getPeers().map((peer) => ({
+            hostname: `${peer.name}.${this.domain}`,
+            ip: peer.virtualIp,
+            carrierId: peer.carrierId,
+        }));
+    }
+    /**
+     * Format a hostname
+     */
+    formatHostname(peerName) {
+        return `${peerName}.${this.domain}`;
+    }
+    /**
+     * Get domain name
+     */
+    getDomain() {
+        return this.domain;
+    }
+}