npm - @decentnetwork/lan - Versions diffs - 0.1.43 → 0.1.45 - Mend

@decentnetwork/lan 0.1.43 → 0.1.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/config/default-doras.yaml +35 -0
package/dist/acl/audit.d.ts +14 -1
package/dist/acl/audit.js +60 -3
package/dist/config/loader.d.ts +10 -5
package/dist/config/loader.js +18 -16
package/dist/daemon/server.js +13 -6
package/dist/types.d.ts +1 -0
package/package.json +2 -1

package/config/default-doras.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+# Default dora registries shipped with @decentnetwork/lan.
+#
+# `agentnet init` seeds these into a new client's ~/.agentnet/config.yaml
+# (dora.userids) and sends each a one-time friend-request, so a fresh
+# install auto-joins the shared network with zero extra commands.
+#
+# They are FEDERATED with NON-OVERLAPPING IP segments: the client merges
+# every roster, and any single registry staying up is enough to get an IP
+# allocation — redundancy against any one dora being down.
+#
+# To add/replace a registry, edit this file (data, not code) and republish,
+# or override locally with `agentnet dora enable --userid <id> --address <addr>`.
+#
+# Each entry needs:
+#   userid   — to talk to the registry over Carrier (goes into dora.userids)
+#   address  — so `agentnet init` can send the one-time friend-request
+#   name     — label only (logs / comments)
+#   segment  — informational: the IP band this registry allocates from
+doras:
+  - name: dora-mac
+    userid: 98rsHv17h8G6AP9RagyrBiT1kmw4cn8MFPEembS6ZVjv
+    address: Jt7w1pKkyLT5GVue9h6ZPkjg1EeuuTbD6JVSLycXLsdm6nvBGSUd
+    segment: 10.86.1.10-10.86.63.254
+  - name: dora-beagle
+    userid: AxKFEZFLDi23EmnJFNP6gjUM4CaNMPfWUvbFR9ixtMBN
+    address: NsuN81dZdEoyvwEFgWaHkT8SPJB6UWeRmdYcCGFV5CdbbPXoK2RM
+    segment: 10.86.64.10-10.86.127.254
+  - name: dora-sh
+    userid: GMEMLmCWLMBK6BJiMkbLPNkEjF4S2xRf1SqR9hM8fWV3
+    address: ajg1ZMBw86UyujmEJzqKSCbi3wwEtg6tdGFTdESakyqujyxmqJZK
+    segment: 10.86.128.10-10.86.191.254
+  - name: dora-tokyo
+    userid: AB6BZfbrTFWw9eUoVpHdJqhhRnY8bTttp4CHTZ2Xfzxi
+    address: MAW2eBqBuQ6SmaXTrnZRRayQjAj3aLatwPy4xmBp7spnJeV569op
+    segment: 10.86.192.10-10.86.254.254

package/dist/acl/audit.d.ts CHANGED Viewed

@@ -8,7 +8,13 @@ export declare class AuditLog {
     private logger;
     private buffer;
     private bufferLimit;
-    constructor(filePath: string);
+    private maxBytes;
+    private keepFiles;
+    private curBytes;
+    constructor(filePath: string, opts?: {
+        maxBytes?: number;
+        keepFiles?: number;
+    });
     /**
      * Log an access attempt (allowed or denied)
      */
@@ -67,4 +73,11 @@ export declare class AuditLog {
      */
     readSince(timestamp: number): AuditEntry[];
     private write;
+    /**
+     * Size-based rotation: audit.log -> audit.log.1 -> ... -> audit.log.N,
+     * dropping the oldest. Bounds total on-disk audit data to
+     * maxBytes * (keepFiles + 1). Best-effort — a failure here must never
+     * break the daemon, so errors are logged and writing continues.
+     */
+    private rotate;
 }

package/dist/acl/audit.js CHANGED Viewed

@@ -2,20 +2,40 @@
  * Audit logger for ACL decisions and connection events
  * Append-only JSONL file format
  */
-import { appendFileSync, readFileSync, mkdirSync, existsSync } from "fs";
+import { appendFileSync, readFileSync, mkdirSync, existsSync, statSync, renameSync, rmSync, } from "fs";
 import { dirname } from "path";
 import { Logger } from "../utils/logger.js";
+// Defaults chosen so a busy exit (proxy_open/proxy_close per CONNECT — can
+// be hundreds/sec for HLS video) can never fill the disk: at most
+// maxBytes * (keepFiles + 1) on disk (~200 MB by default), oldest dropped.
+const DEFAULT_MAX_BYTES = 50 * 1024 * 1024; // rotate when the live file passes 50 MB
+const DEFAULT_KEEP_FILES = 3; // audit.log.1 .. audit.log.3
 export class AuditLog {
     filePath;
     logger;
     buffer = [];
     bufferLimit = 100; // Keep last N entries in memory for fast reads
-    constructor(filePath) {
+    maxBytes;
+    keepFiles;
+    curBytes = 0; // running size of the live file (avoids stat() per write)
+    constructor(filePath, opts) {
         this.filePath = filePath;
         this.logger = new Logger({ prefix: "AuditLog" });
+        this.maxBytes = opts?.maxBytes ?? DEFAULT_MAX_BYTES;
+        this.keepFiles = opts?.keepFiles ?? DEFAULT_KEEP_FILES;
         // Ensure parent dir exists
         const dir = dirname(filePath);
         mkdirSync(dir, { recursive: true });
+        // Seed the byte counter from any existing file so a daemon that
+        // restarts onto an already-large log rotates promptly instead of
+        // letting it grow further.
+        try {
+            if (existsSync(this.filePath))
+                this.curBytes = statSync(this.filePath).size;
+        }
+        catch {
+            this.curBytes = 0;
+        }
     }
     /**
      * Log an access attempt (allowed or denied)
@@ -134,11 +154,48 @@ export class AuditLog {
             this.buffer = this.buffer.slice(-this.bufferLimit);
         }
         // Append to file (JSONL)
+        const line = JSON.stringify(entry) + "\n";
         try {
-            appendFileSync(this.filePath, JSON.stringify(entry) + "\n", "utf-8");
+            // Rotate BEFORE the write that would push us over the cap, so the
+            // live file never exceeds maxBytes by more than one line.
+            if (this.curBytes + Buffer.byteLength(line) > this.maxBytes) {
+                this.rotate();
+            }
+            appendFileSync(this.filePath, line, "utf-8");
+            this.curBytes += Buffer.byteLength(line);
         }
         catch (error) {
             this.logger.error(`Failed to write audit entry: ${error}`);
         }
     }
+    /**
+     * Size-based rotation: audit.log -> audit.log.1 -> ... -> audit.log.N,
+     * dropping the oldest. Bounds total on-disk audit data to
+     * maxBytes * (keepFiles + 1). Best-effort — a failure here must never
+     * break the daemon, so errors are logged and writing continues.
+     */
+    rotate() {
+        try {
+            // Drop the oldest, then shift each backup up by one.
+            const oldest = `${this.filePath}.${this.keepFiles}`;
+            if (existsSync(oldest))
+                rmSync(oldest, { force: true });
+            for (let i = this.keepFiles - 1; i >= 1; i--) {
+                const src = `${this.filePath}.${i}`;
+                if (existsSync(src))
+                    renameSync(src, `${this.filePath}.${i + 1}`);
+            }
+            if (existsSync(this.filePath))
+                renameSync(this.filePath, `${this.filePath}.1`);
+            this.curBytes = 0;
+            this.logger.info(`Rotated audit log (cap ${Math.round(this.maxBytes / 1048576)} MB, keep ${this.keepFiles})`);
+        }
+        catch (error) {
+            // Couldn't rotate (permissions, races). Don't let the file grow
+            // unbounded: reset the counter so we retry on the next write, but
+            // keep the daemon running.
+            this.logger.error(`Audit log rotation failed: ${error}`);
+            this.curBytes = 0;
+        }
+    }
 }

package/dist/config/loader.d.ts CHANGED Viewed

@@ -10,15 +10,20 @@ import type { DecentAgentNetConfig } from "../types.js";
  * merges all their rosters and any one staying up is enough to get an
  * IP allocation — redundancy against any single registry being down.
  *
- * Both fields are required per entry: the daemon needs `userid` to talk
- * to the server over Carrier, and `address` so `agentnet init` can send
- * the one-time friend-request that establishes the Carrier session.
+ * The list is loaded from the data file `config/default-doras.yaml` that
+ * ships in the npm package (servers are config, not code — edit that file
+ * and republish to change the default network). The hardcoded array below
+ * is only a last-resort fallback if the data file is missing/unreadable.
+ *
+ * Each entry needs `userid` (to talk to the server over Carrier) and
+ * `address` (so `agentnet init` can send the one-time friend-request).
  */
-export declare const DEFAULT_DORAS: {
+export interface DefaultDora {
     name: string;
     userid: string;
     address: string;
-}[];
+}
+export declare const DEFAULT_DORAS: DefaultDora[];
 export declare const DEFAULT_DORA_USERID: string;
 export declare const DEFAULT_DORA_ADDRESS: string;
 export declare class ConfigLoader {

package/dist/config/loader.js CHANGED Viewed

@@ -39,27 +39,29 @@ const DEFAULT_BOOTSTRAP_NODES = [
 const DEFAULT_EXPRESS_NODES = [
     { host: "lens.beagle.chat", port: 443, pk: "ECbs4GxwGzxGerNkmqDJFibEmevu8jAXqAZtikccvD95" },
 ];
-/**
- * Public dora servers baked into `agentnet init` so an operator can join
- * the canonical Decent AgentNet without first hunting down a registry
- * address. Override by editing `dora.userids` (and re-running
- * `agentnet dora enable --address <yours>`) — or by running a private
- * dora and pointing your own peers at it.
- *
- * These are FEDERATED with NON-OVERLAPPING IP segments, so the client
- * merges all their rosters and any one staying up is enough to get an
- * IP allocation — redundancy against any single registry being down.
- *
- * Both fields are required per entry: the daemon needs `userid` to talk
- * to the server over Carrier, and `address` so `agentnet init` can send
- * the one-time friend-request that establishes the Carrier session.
- */
-export const DEFAULT_DORAS = [
+const DEFAULT_DORAS_FALLBACK = [
     { name: "dora-mac", userid: "98rsHv17h8G6AP9RagyrBiT1kmw4cn8MFPEembS6ZVjv", address: "Jt7w1pKkyLT5GVue9h6ZPkjg1EeuuTbD6JVSLycXLsdm6nvBGSUd" }, // 10.86.1.10–63.254
     { name: "dora-beagle", userid: "AxKFEZFLDi23EmnJFNP6gjUM4CaNMPfWUvbFR9ixtMBN", address: "NsuN81dZdEoyvwEFgWaHkT8SPJB6UWeRmdYcCGFV5CdbbPXoK2RM" }, // 10.86.64.10–127.254
     { name: "dora-sh", userid: "GMEMLmCWLMBK6BJiMkbLPNkEjF4S2xRf1SqR9hM8fWV3", address: "ajg1ZMBw86UyujmEJzqKSCbi3wwEtg6tdGFTdESakyqujyxmqJZK" }, // 10.86.128.10–191.254
     { name: "dora-tokyo", userid: "AB6BZfbrTFWw9eUoVpHdJqhhRnY8bTttp4CHTZ2Xfzxi", address: "MAW2eBqBuQ6SmaXTrnZRRayQjAj3aLatwPy4xmBp7spnJeV569op" }, // 10.86.192.10–254.254
 ];
+function loadDefaultDoras() {
+    // dist/config/loader.js → package root is two levels up; data file ships
+    // at <pkg>/config/default-doras.yaml. Same path holds when running from
+    // src/ in dev. Fall back to the embedded list if it can't be read.
+    try {
+        const file = resolve(dirname(new URL(import.meta.url).pathname), "../../config/default-doras.yaml");
+        const parsed = yaml.load(readFileSync(file, "utf-8"));
+        const doras = (parsed?.doras ?? []).filter((d) => d && d.userid && d.address);
+        if (doras.length > 0)
+            return doras;
+    }
+    catch {
+        // missing/unreadable/malformed — use the fallback below
+    }
+    return DEFAULT_DORAS_FALLBACK;
+}
+export const DEFAULT_DORAS = loadDefaultDoras();
 // Back-compat single-value exports (first/primary dora).
 export const DEFAULT_DORA_USERID = DEFAULT_DORAS[0].userid;
 export const DEFAULT_DORA_ADDRESS = DEFAULT_DORAS[0].address;

package/dist/daemon/server.js CHANGED Viewed

@@ -551,12 +551,19 @@ export class DaemonServer {
                             allowHosts: this.config.proxy.allowHosts ?? [],
                             allowConnectPorts: this.config.proxy.allowConnectPorts,
                             resolvePeerName: (srcIp) => this.ipam.resolveIp(srcIp)?.name,
-                            onTunnelOpen: ({ src, srcName, target }) => {
-                                this.auditLog.logProxyOpen({ srcIp: src, srcName, target });
-                            },
-                            onTunnelClose: ({ src, srcName, target, bytesTransferred }) => {
-                                this.auditLog.logProxyClose({ srcIp: src, srcName, target, bytesTransferred });
-                            },
+                            // Per-tunnel audit is opt-in: on a busy exit it floods the
+                            // log (the 13 GB audit.log bug). Off by default; ACL and
+                            // connect events are still always audited.
+                            onTunnelOpen: this.config.proxy.auditTunnels
+                                ? ({ src, srcName, target }) => {
+                                    this.auditLog.logProxyOpen({ srcIp: src, srcName, target });
+                                }
+                                : undefined,
+                            onTunnelClose: this.config.proxy.auditTunnels
+                                ? ({ src, srcName, target, bytesTransferred }) => {
+                                    this.auditLog.logProxyClose({ srcIp: src, srcName, target, bytesTransferred });
+                                }
+                                : undefined,
                         });
                         await this.connectProxy.start();
                         this.logger.info(`Proxy listening on ${tunIp}:${this.config.proxy.port}`);

package/dist/types.d.ts CHANGED Viewed

@@ -129,6 +129,7 @@ export interface ProxyConfig {
     port: number;
     allowHosts?: string[];
     allowConnectPorts?: number[];
+    auditTunnels?: boolean;
 }
 export interface FriendsConfig {
     /** When true (default), the running daemon auto-accepts incoming

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@decentnetwork/lan",
-  "version": "0.1.43",
+  "version": "0.1.45",
   "description": "Private virtual LAN for self-hosted services and AI agents, built on Elastos Carrier. NAT-traversal, name service, ACL, all over a peer-to-peer mesh — no public IP required.",
   "type": "module",
   "main": "./dist/index.js",
@@ -18,6 +18,7 @@
   "files": [
     "dist",
     "bin",
+    "config/default-doras.yaml",
     "README.md",
     "LICENSE",
     "docs/INSTALL.md",