@decentnetwork/lan 0.1.105 → 0.1.107

package/dist/carrier/peer-manager.d.ts

@@ -53,6 +53,10 @@ export declare class PeerManager extends EventEmitter {
         name?: string;
         description?: string;
     }): void;
+    /** Sign a message with this identity's private key (XEdDSA over the X25519
+     *  Carrier key). The signature verifies against the userid. Used by "Sign in
+     *  with Decent" to prove key possession to a website. Returns 64-byte sig. */
+    sign(message: Uint8Array): Uint8Array;
     /** Offer a file to a friend (toxcore-standard transfer). Returns the fileId. */
     sendFile(userid: string, data: Uint8Array, name: string): string | null;
     /** Accept an incoming file offer. */

package/dist/carrier/peer-manager.js

@@ -106,6 +106,14 @@ export class PeerManager extends EventEmitter {
         this.peer.setUserInfo(info);
         this.logger.info(`Profile updated (name="${info.name ?? "(unchanged)"}")`);
     }
+    /** Sign a message with this identity's private key (XEdDSA over the X25519
+     *  Carrier key). The signature verifies against the userid. Used by "Sign in
+     *  with Decent" to prove key possession to a website. Returns 64-byte sig. */
+    sign(message) {
+        if (!this.peer)
+            throw new Error("Peer not created. Call create() first.");
+        return this.peer.sign(message);
+    }
     /** Offer a file to a friend (toxcore-standard transfer). Returns the fileId. */
     sendFile(userid, data, name) {
         if (!this.peer)

package/dist/daemon/ipc.d.ts

@@ -56,6 +56,14 @@ export interface IpcHandlers {
         name?: string;
         description?: string;
     }) => Promise<void>;
+    /** Sign `text` (UTF-8) with this node's Carrier identity key and return the
+     *  detached signature (hex) plus our userid. Backs "Sign in with Decent":
+     *  the UI server's local-only /connect flow calls this on Approve. Reachable
+     *  ONLY over this Unix socket — never exposed on a TCP interface. */
+    sign: (text: string) => Promise<{
+        sig: string;
+        userid: string;
+    }>;
     /** Subscribe to daemon push events (chat / presence / friend-request). The
      *  IPC server keeps the connection open and calls `emit` for each event;
      *  the returned function unsubscribes (called on socket close). Optional —
@@ -82,7 +90,7 @@ export interface IpcHandlers {
     selfRestart: () => Promise<Record<string, unknown>>;
 }
 export interface IpcRequest {
-    op: "friend-request" | "ping" | "diag" | "friends-pending" | "friends-accept" | "friends-reject" | "chat-send" | "chat-history" | "friends-list" | "friend-remove" | "friend-set-alias" | "set-profile" | "file-send" | "chat-mark-read" | "subscribe" | "proxy-reload" | "self-restart";
+    op: "friend-request" | "ping" | "diag" | "friends-pending" | "friends-accept" | "friends-reject" | "chat-send" | "chat-history" | "friends-list" | "friend-remove" | "friend-set-alias" | "set-profile" | "file-send" | "chat-mark-read" | "subscribe" | "sign" | "proxy-reload" | "self-restart";
     address?: string;
     hello?: string;
     userid?: string;

package/dist/daemon/ipc.js

@@ -221,6 +221,11 @@ export class IpcServer {
                 await this.handlers.chatMarkRead(req.userid, req.ts);
                 return;
             }
+            case "sign": {
+                if (typeof req.text !== "string")
+                    throw new Error("text is required");
+                return await this.handlers.sign(req.text);
+            }
             case "proxy-reload":
                 return await this.handlers.proxyReload();
             case "self-restart":

package/dist/daemon/server.js

@@ -320,6 +320,13 @@ export class DaemonServer {
                     this.ipcEvents.on("event", onEvent);
                     return () => this.ipcEvents.off("event", onEvent);
                 },
+                sign: async (text) => {
+                    const sig = this.peerManager.sign(new TextEncoder().encode(text));
+                    return {
+                        sig: Buffer.from(sig).toString("hex"),
+                        userid: this.peerManager.getIdentity().userid,
+                    };
+                },
                 proxyReload: async () => {
                     // Re-read the proxy allowlist from disk and push it into the
                     // running proxy without a daemon restart (which would drop

package/dist/dora/dora-integration.js

@@ -119,16 +119,26 @@ export class DoraIntegration {
                 record = await this.tryRegister(myUserid, myAddress, this.opts.preferredIp);
             }
             catch (err) {
-                // Common case: the preferred IP from config.yaml collides
-                // with another peer's reservation (every fresh `agentnet
-                // init` defaults to 10.86.1.10, so the second peer to
-                // register always loses the race). Retry once without
-                // requestedIp so dora picks any free slot. Errors that
-                // aren't IP-collision flavored fall through to the outer
-                // catch and trigger the fallback path.
+                // Two recoverable cases, both fixed by retrying without a preferred
+                // IP so dora assigns any free in-segment slot:
+                //  1. Collision — the preferred IP from config.yaml is already taken
+                //     (every fresh `agentnet init` defaults to 10.86.1.10, so the
+                //     second peer to register loses the race).
+                //  2. Out-of-range — the preferred IP belongs to a federated
+                //     registry's segment whose dora is currently DOWN, so only
+                //     sibling registries answered and they reject the IP. The dora
+                //     client already walks siblings to find the owning registry when
+                //     it IS up (keeping our stable IP); this branch only triggers
+                //     when the owner is unreachable. Without it we'd fall back to the
+                //     UNREGISTERED config IP and drop every packet to peers we never
+                //     learned from the roster (the observed CCTV outage). A temp
+                //     in-segment IP that's actually registered beats a stable IP
+                //     that isn't.
+                // Anything else (e.g. malformed request) falls through to the outer
+                // catch and the config-IP fallback.
                 const msg = err instanceof Error ? err.message : String(err);
-                const looksLikeIpCollision = /held by|in use|already taken|already in use/i.test(msg);
-                if (!looksLikeIpCollision)
+                const retryWithoutPreferredIp = /held by|in use|already taken|already in use|out of range/i.test(msg);
+                if (!retryWithoutPreferredIp)
                     throw err;
                 this.logger.warn(`Preferred IP ${this.opts.preferredIp} not available (${msg}) — requesting any free IP`);
                 record = await this.tryRegister(myUserid, myAddress);

package/dist/ui/server.js

@@ -21,6 +21,115 @@ import { DEFAULT_EXITS } from "../config/loader.js";
 // Directory holding the built desktop UI bundle (index.html, app.js, vendor/).
 // scripts/build-ui.mjs emits it next to this compiled module at dist/ui/desktop/.
 const DESKTOP_DIR = join(dirname(fileURLToPath(import.meta.url)), "desktop");
+/** True only when the request came from the local machine. Used to gate the
+ *  "Sign in with Decent" routes so binding the UI to a LAN IP can't expose
+ *  identity signing to other hosts. The popup always runs in the local user's
+ *  browser, so it connects over the loopback interface. */
+function isLocalRequest(req) {
+    const a = req.socket.remoteAddress ?? "";
+    return a === "127.0.0.1" || a === "::1" || a === "::ffff:127.0.0.1";
+}
+/** Validate and normalize a website origin (scheme://host[:port], no path).
+ *  Returns the canonical origin string or null if malformed. Only http/https
+ *  are accepted. */
+function validateOrigin(raw) {
+    if (typeof raw !== "string" || raw.length === 0 || raw.length > 256)
+        return null;
+    try {
+        const u = new URL(raw);
+        if (u.protocol !== "http:" && u.protocol !== "https:")
+            return null;
+        // u.origin drops any path/query/hash and lowercases the host.
+        if (u.origin === "null" || !u.origin)
+            return null;
+        return u.origin;
+    }
+    catch {
+        return null;
+    }
+}
+// The "Sign in with Decent" consent popup. Self-contained (no external assets),
+// dark theme matching the desktop UI. Reads origin+nonce from its own query,
+// shows the requesting site and this node's identity, and on Approve calls the
+// local /api/connect-approve to sign, then postMessages the result to the
+// opener at the exact requesting origin. Mandatory explicit consent — never
+// returns identity without an Approve click.
+const CONNECT_PAGE = `<!doctype html>
+<html lang="en"><head><meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Sign in with Decent</title>
+<style>
+  :root{--bg:#0c0d11;--panel:#14161d;--line:#262a35;--text:#e7e9ef;--faint:#8b91a3;
+        --accent:#5b8cff;--good:#46a758;--bad:#e5604d;--mono:ui-monospace,SFMono-Regular,Menlo,monospace}
+  *{box-sizing:border-box}
+  html,body{margin:0;height:100%}
+  body{background:var(--bg);color:var(--text);font:14px/1.5 system-ui,-apple-system,Segoe UI,sans-serif;
+       display:flex;align-items:center;justify-content:center;padding:18px}
+  .card{width:100%;max-width:380px;background:var(--panel);border:1px solid var(--line);
+        border-radius:14px;padding:22px 20px}
+  .brand{font-weight:600;letter-spacing:.2px;color:var(--accent);font-size:13px;display:flex;align-items:center;gap:7px}
+  .brand .d{width:11px;height:11px;background:var(--accent);transform:rotate(45deg);border-radius:2px}
+  h1{font-size:18px;margin:14px 0 6px}
+  .sub{color:var(--faint);margin:0 0 16px}
+  .origin{color:var(--text);font-weight:600;word-break:break-all}
+  .id{background:#0e1016;border:1px solid var(--line);border-radius:10px;padding:11px 12px;margin-bottom:14px}
+  .lbl{font-size:11px;text-transform:uppercase;letter-spacing:.6px;color:var(--faint);margin-bottom:4px}
+  .userid{font-family:var(--mono);font-size:12.5px;color:var(--text);word-break:break-all}
+  .err{background:rgba(229,96,77,.12);border:1px solid rgba(229,96,77,.4);color:#ffb4a8;
+       border-radius:9px;padding:9px 11px;font-size:12.5px;margin-bottom:13px}
+  .row{display:flex;gap:10px;margin-top:4px}
+  .btn{flex:1;border:0;border-radius:9px;padding:11px;font-size:14px;font-weight:600;cursor:pointer}
+  .ghost{background:transparent;border:1px solid var(--line);color:var(--text)}
+  .ghost:hover{border-color:#3a4050}
+  .solid{background:var(--accent);color:#fff}
+  .solid:disabled{opacity:.45;cursor:not-allowed}
+  .note{color:var(--faint);font-size:11.5px;margin:15px 0 0;line-height:1.45}
+</style></head>
+<body>
+  <div class="card">
+    <div class="brand"><span class="d"></span>Decent</div>
+    <h1>Sign in</h1>
+    <p class="sub"><span id="origin" class="origin">…</span> wants to sign you in with your Decent identity.</p>
+    <div class="id"><div class="lbl">Your identity</div><div id="userid" class="userid">loading…</div></div>
+    <div id="err" class="err" hidden></div>
+    <div class="row">
+      <button id="deny" class="btn ghost">Deny</button>
+      <button id="approve" class="btn solid" disabled>Approve</button>
+    </div>
+    <p class="note">Approving sends the site a signature bound to that site, proving you control this identity. Your private key never leaves this device.</p>
+  </div>
+<script>
+(function(){
+  var qs=new URLSearchParams(location.search);
+  var origin=qs.get("origin")||"", nonce=qs.get("nonce")||"";
+  var oEl=document.getElementById("origin"), errEl=document.getElementById("err");
+  var approve=document.getElementById("approve"), deny=document.getElementById("deny");
+  oEl.textContent=origin||"(unknown site)";
+  function fail(m){errEl.textContent=m;errEl.hidden=false;}
+  function reply(data){ if(window.opener&&validOrigin){ window.opener.postMessage(Object.assign({type:"decent-auth",nonce:nonce},data),origin);} }
+  var validOrigin=false;
+  try{var u=new URL(origin); validOrigin=(u.protocol==="http:"||u.protocol==="https:")&&u.origin===origin;}catch(e){}
+  if(!validOrigin) fail("This sign-in request has an invalid origin and was blocked.");
+  if(nonce.length===0||nonce.length>512){ validOrigin=false; fail("This sign-in request is missing a valid nonce."); }
+  fetch("/api/state").then(function(r){return r.json();}).then(function(s){
+    var uid=(s.me&&s.me.userid)||"";
+    document.getElementById("userid").textContent=uid||"(no identity)";
+    if(uid&&validOrigin) approve.disabled=false;
+    else if(!uid) fail("No local Decent identity found — is the daemon running?");
+  }).catch(function(){ fail("Could not reach the local agentnet daemon."); });
+  deny.onclick=function(){ reply({error:"denied"}); setTimeout(function(){window.close();},60); };
+  approve.onclick=function(){
+    approve.disabled=true; approve.textContent="Signing…";
+    fetch("/api/connect-approve",{method:"POST",headers:{"content-type":"application/json"},
+      body:JSON.stringify({origin:origin,nonce:nonce})})
+      .then(function(r){return r.json();})
+      .then(function(j){ if(!j.ok) throw new Error(j.error||"sign failed");
+        reply({userid:j.userid,sig:j.sig}); setTimeout(function(){window.close();},60); })
+      .catch(function(e){ approve.disabled=false; approve.textContent="Approve"; fail("Signing failed: "+e.message); });
+  };
+})();
+</script>
+</body></html>`;
 // ---- shapes the desktop UI (src/ui/desktop) consumes (DK_* in the design) ----
 const fmtTime = (ts) => {
     if (!ts)
@@ -94,6 +203,53 @@ export function startFriendUi(opts) {
                 res.end("not found");
                 return;
             }
+            // ── Sign in with Decent ────────────────────────────────────────────
+            // A website opens http://localhost:8765/connect?origin=…&nonce=… in a
+            // popup; on Approve we sign "decent-auth\n<origin>\n<nonce>" with this
+            // node's Carrier identity and postMessage {userid,nonce,sig} back to the
+            // site, which verifies the signature against the userid. BOTH routes are
+            // LOCALHOST-ONLY: the popup always runs in the local user's browser
+            // (localhost), so binding the UI to a LAN IP must never let a remote
+            // host request signatures with this identity.
+            if (url === "/connect" || url === "/api/connect-approve") {
+                if (!isLocalRequest(req)) {
+                    res.writeHead(403, { "content-type": "text/plain" });
+                    res.end("Sign in with Decent is available only on this machine (localhost).");
+                    return;
+                }
+            }
+            if (req.method === "GET" && url === "/connect") {
+                res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+                res.end(CONNECT_PAGE);
+                return;
+            }
+            if (req.method === "POST" && url === "/api/connect-approve") {
+                const body = await readBody(req);
+                const origin = validateOrigin(body.origin);
+                const nonce = typeof body.nonce === "string" ? body.nonce : "";
+                if (!origin) {
+                    sendJson(res, 400, { ok: false, error: "invalid origin" });
+                    return;
+                }
+                if (!nonce || nonce.length > 512) {
+                    sendJson(res, 400, { ok: false, error: "invalid nonce" });
+                    return;
+                }
+                // Bind BOTH the origin and the nonce into the signed message so a
+                // signature minted for site A can't be replayed at site B.
+                const message = `decent-auth\n${origin}\n${nonce}`;
+                const r = await opts.call({ op: "sign", text: message });
+                if (!r.ok) {
+                    sendJson(res, 502, { ok: false, error: r.error || "sign failed" });
+                    return;
+                }
+                sendJson(res, 200, {
+                    ok: true,
+                    userid: r.data?.userid ?? "",
+                    sig: r.data?.sig ?? "",
+                });
+                return;
+            }
             if (req.method === "GET" && url === "/api/state") {
                 const [diag, pending] = await Promise.all([
                     opts.call({ op: "diag" }),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decentnetwork/lan",
-  "version": "0.1.105",
+  "version": "0.1.107",
   "description": "Private virtual LAN for self-hosted services and AI agents, built on Elastos Carrier. NAT-traversal, name service, ACL, all over a peer-to-peer mesh — no public IP required.",
   "type": "module",
   "main": "./dist/index.js",
@@ -78,8 +78,8 @@
     "build:console": "node scripts/build-console.mjs"
   },
   "dependencies": {
-    "@decentnetwork/dora": "^0.1.6",
-    "@decentnetwork/peer": "^0.1.46",
+    "@decentnetwork/dora": "^0.1.11",
+    "@decentnetwork/peer": "^0.1.47",
     "ink": "^5.2.1",
     "js-yaml": "^4.1.0",
     "react": "^18.3.1",