@decentnetwork/lan 0.1.69 → 0.1.71

package/config/routes.example.yaml

@@ -0,0 +1,34 @@
+# routes.yaml — multi-region domain routing for `agentnet proxy router`.
+#
+# Copy to ~/.agentnet/routes.yaml (or pass --routes <path>) and the router
+# sends each hostname to the right region's exits, load-balancing across the
+# exits in a region for bandwidth and failing over instantly if one drops.
+#
+# This is what beats a single Tailscale-style exit node: Tailscale routes ALL
+# traffic through ONE exit; here .cn rides your China exits, .jp rides Japan,
+# US streaming rides the US exit, and everything else stays DIRECT.
+#
+# Each exit is named by its IPAM peer name (see `agentnet peers`), or written
+# as host[:port] / label=host[:port]. Port defaults to your proxy.port (8888).
+
+regions:
+  - name: china
+    # Several exits → traffic spreads across them for more bandwidth.
+    exits: [cn, node-5123, node-9595]
+    # `domains` omitted → uses the built-in China list (.cn, bilibili, qq, …).
+    # Add your own to extend it:
+    # domains: [".cn", ".bilibili.com", ".some-cn-only-site.com"]
+
+  - name: japan
+    exits: [tokyo]            # the exit node you run in Japan
+    # domains omitted → built-in Japan list (.jp, nicovideo, abema, dmm, …)
+
+  - name: us
+    exits: [sjc]             # the exit node you run in the US
+    # domains omitted → built-in US list (hulu, peacock, max, …)
+
+# Where hosts that match no region go:
+#   direct   — connect straight from this machine (recommended; keeps Google
+#              and other global sites fast and unproxied)
+#   <region> — a region name, to force everything else through that region
+default: direct

package/dist/carrier/peer-manager.d.ts

@@ -11,6 +11,8 @@ export interface PeerManagerOptions {
     keyFile: string;
     bootstrapNodes: BootstrapNode[];
     expressNodes?: BootstrapNode[];
+    /** Use express only for friend-request bootstrap, never for data-plane sendText. */
+    expressControlPlaneOnly?: boolean;
 }
 export declare class PeerManager extends EventEmitter {
     private peer;

package/dist/carrier/peer-manager.js

@@ -30,6 +30,7 @@ export class PeerManager extends EventEmitter {
             compatibilityMode: "legacy",
             bootstrapNodes: opts.bootstrapNodes,
             expressNodes: opts.expressNodes,
+            expressControlPlaneOnly: opts.expressControlPlaneOnly,
         });
         this.setupEventHandlers();
         this.logger.info("Peer instance created (not yet started)");

package/dist/cli/commands.d.ts

@@ -214,23 +214,13 @@ export declare function cmdProxyUse(args: {
     peer: string;
     configDir?: string;
 }): Promise<void>;
-/**
- * Run the multi-exit client router: a local HTTPS (CONNECT) proxy that
- * load-balances / fails over across several exit nodes, sending only China
- * traffic through them and everything else direct. This is the client-side
- * counterpart to `agentnet proxy enable` (which is the per-exit server).
- *
- * Exits come from --exit (repeatable, "host[:port]" or "name=host[:port]").
- * If none are given we auto-discover them from the daemon's live IPAM (every
- * known peer becomes a candidate exit on its proxy port; health checks drop
- * the ones that aren't actually serving a proxy).
- */
 export declare function cmdProxyRouter(args: {
     exit?: string[];
     port?: number;
     listen?: string;
     mode?: string;
     all?: boolean;
+    routes?: string;
     configDir?: string;
 }): Promise<void>;
 /**
@@ -353,6 +343,16 @@ export declare function cmdServiceInstall(args: {
 export declare function cmdServiceStatus(_args: {
     configDir?: string;
 }): Promise<void>;
+/**
+ * Restart the system-service-managed daemon (systemd on Linux, launchd on
+ * macOS). Needs root, same as install. Distinct from the top-level
+ * `agentnet restart`, which re-execs an already-running daemon over IPC with
+ * no sudo — use that for picking up an upgrade; use this when the service
+ * itself is wedged/stopped and you want launchd/systemd to bring it back.
+ */
+export declare function cmdServiceRestart(_args: {
+    configDir?: string;
+}): Promise<void>;
 /**
  * Ask the running daemon to re-exec itself. Used after
  * `npm install -g @decentnetwork/lan@<new>` so the daemon picks up

package/dist/cli/commands.js

@@ -11,6 +11,7 @@ import { Ipam } from "../ipam/ipam.js";
 import { Policy } from "../acl/policy.js";
 import { AclEngine } from "../acl/acl-engine.js";
 import { AuditLog } from "../acl/audit.js";
+import yaml from "js-yaml";
 import { startMultiExitRouter } from "../proxy/multi-exit-router.js";
 /**
  * Refuse to open a second Carrier peer with this identity if the
@@ -1029,55 +1030,106 @@ export async function cmdProxyUse(args) {
     console.log(`#   agentnet proxy enable`);
     console.log(`#   agentnet grant --peer <your-userid> --tcp ${port}`);
 }
-/**
- * Run the multi-exit client router: a local HTTPS (CONNECT) proxy that
- * load-balances / fails over across several exit nodes, sending only China
- * traffic through them and everything else direct. This is the client-side
- * counterpart to `agentnet proxy enable` (which is the per-exit server).
- *
- * Exits come from --exit (repeatable, "host[:port]" or "name=host[:port]").
- * If none are given we auto-discover them from the daemon's live IPAM (every
- * known peer becomes a candidate exit on its proxy port; health checks drop
- * the ones that aren't actually serving a proxy).
- */
 export async function cmdProxyRouter(args) {
     const dir = args.configDir || ConfigLoader.defaultConfigDir();
     const config = await ConfigLoader.load(resolve(dir, "config.yaml"));
     const defaultExitPort = config.proxy?.port ?? 8888;
-    const parseExit = (spec) => {
-        let name;
-        let rest = spec;
-        const eq = spec.indexOf("=");
+    // Resolve a live name→IP map so routes.yaml / --exit can name exits by their
+    // IPAM peer name instead of hard-coding virtual IPs.
+    const { peers, source } = await fetchLiveIpam(config);
+    const ipamByName = new Map(peers.filter((p) => p.virtualIp).map((p) => [p.name, p.virtualIp]));
+    // Turn one exit token into an ExitTarget. A token is either an IPAM peer
+    // name ("cn"), a host[:port] ("10.86.1.15:8888"), or "label=host[:port]".
+    // IPAM names win, so "15-MacBook-Pro.local" resolves as a name, not a host.
+    const resolveExit = (token, region) => {
+        let label;
+        let rest = token.trim();
+        const eq = rest.indexOf("=");
         if (eq !== -1) {
-            name = spec.slice(0, eq);
-            rest = spec.slice(eq + 1);
+            label = rest.slice(0, eq);
+            rest = rest.slice(eq + 1);
+        }
+        if (ipamByName.has(rest)) {
+            return { name: label || rest, host: ipamByName.get(rest), port: defaultExitPort, region };
         }
         const [host, portStr] = rest.split(":");
-        return { name: name || host, host, port: Number(portStr) || defaultExitPort };
+        if (!host)
+            return null;
+        return { name: label || host, host, port: Number(portStr) || defaultExitPort, region };
     };
-    let exits = (args.exit ?? []).map(parseExit);
-    if (exits.length === 0) {
-        // Auto-discover from the daemon's live IPAM.
-        const { peers, source } = await fetchLiveIpam(config);
-        exits = peers
+    const mode = args.mode === "failover" ? "failover" : "loadbalance";
+    const exits = [];
+    const regions = [];
+    let defaultRegion = "direct";
+    const cliExits = args.exit ?? [];
+    const routesPath = args.routes ?? resolve(dir, "routes.yaml");
+    const routesFile = existsSync(routesPath) ? (yaml.load(readFileSync(routesPath, "utf-8")) ?? null) : null;
+    if (cliExits.length > 0) {
+        // ---- CLI-driven: --exit name=host:port@region (region optional) --------
+        // Bare exits (no @region) default to the "china" region, preserving the
+        // original China-split behavior. --all overrides: one "all" region that
+        // every host falls into.
+        const seenRegions = new Set();
+        for (const tok of cliExits) {
+            const at = tok.lastIndexOf("@");
+            const region = args.all ? "all" : at !== -1 ? tok.slice(at + 1) : "china";
+            const spec = at !== -1 ? tok.slice(0, at) : tok;
+            const ex = resolveExit(spec, region);
+            if (!ex) {
+                console.error(`Could not resolve exit '${tok}' (not an IPAM name and not host[:port])`);
+                process.exit(1);
+            }
+            exits.push(ex);
+            seenRegions.add(region);
+        }
+        // Empty domains → the router fills in BUILTIN_REGION_DOMAINS for known
+        // region names (china/japan/us); "all" stays empty and is the default.
+        for (const name of seenRegions)
+            regions.push({ name, domains: [] });
+        defaultRegion = args.all ? "all" : "direct";
+    }
+    else if (routesFile?.regions?.length) {
+        // ---- File-driven: routes.yaml -----------------------------------------
+        for (const r of routesFile.regions) {
+            regions.push({ name: r.name, domains: r.domains ?? [] });
+            for (const tok of r.exits ?? []) {
+                const ex = resolveExit(tok, r.name);
+                if (!ex) {
+                    console.error(`routes.yaml region '${r.name}': could not resolve exit '${tok}'`);
+                    process.exit(1);
+                }
+                exits.push(ex);
+            }
+        }
+        defaultRegion = routesFile.default ?? "direct";
+        console.log(`Loaded ${regions.length} region(s) from ${routesPath}`);
+    }
+    else {
+        // ---- Legacy auto-discovery: all IPAM peers as China exits -------------
+        const discovered = peers
             .filter((p) => p.virtualIp)
-            .map((p) => ({ name: p.name || p.virtualIp, host: p.virtualIp, port: defaultExitPort }));
-        if (exits.length === 0) {
+            .map((p) => resolveExit(p.name || p.virtualIp, args.all ? "all" : "china"))
+            .filter(Boolean);
+        if (discovered.length === 0) {
             console.error(`No exits given and none discovered from IPAM (${source}).`);
             console.error(`Pass exits explicitly, e.g.:`);
-            console.error(`  agentnet proxy router --exit 10.86.1.15 --exit 10.86.1.16 --exit 10.86.1.17`);
+            console.error(`  agentnet proxy router --exit cn --exit node-5123`);
+            console.error(`Or define regions in ${routesPath} (see docs/INSTALL-NODES.md).`);
             process.exit(1);
         }
-        console.log(`Auto-discovered ${exits.length} exit(s) from IPAM (${source}): ${exits.map((e) => e.name).join(", ")}`);
+        exits.push(...discovered);
+        regions.push({ name: args.all ? "all" : "china", domains: [] });
+        defaultRegion = args.all ? "all" : "direct";
+        console.log(`Auto-discovered ${discovered.length} exit(s) from IPAM (${source}): ${discovered.map((e) => e.name).join(", ")}`);
         console.log(`(health checks will drop any that aren't actually running a proxy)\n`);
     }
-    const mode = args.mode === "failover" ? "failover" : "loadbalance";
     startMultiExitRouter({
         exits,
+        regions,
+        defaultRegion,
         listenHost: args.listen ?? "127.0.0.1",
         listenPort: args.port ?? 8889,
         mode,
-        routeAll: args.all ?? false,
     });
     // Keep the process alive; the router runs until Ctrl-C / signal.
     await new Promise(() => { });
@@ -1557,8 +1609,10 @@ export async function cmdServiceInstall(args) {
     else if (process.env.SUDO_USER && process.env.SUDO_USER !== "root") {
         const { execSync } = await import("child_process");
         try {
-            const sudoHome = execSync(`getent passwd ${process.env.SUDO_USER} | cut -d: -f6`, { encoding: "utf-8" }).trim();
-            dir = sudoHome
+            // Resolve SUDO_USER's home without getent (absent on macOS). `echo ~user`
+            // tilde-expands to the home dir in sh on both Linux and macOS.
+            const sudoHome = execSync(`echo ~${process.env.SUDO_USER}`, { encoding: "utf-8", shell: "/bin/sh" }).trim();
+            dir = sudoHome && sudoHome.startsWith("/") && !sudoHome.startsWith("~")
                 ? `${sudoHome}/.agentnet`
                 : ConfigLoader.defaultConfigDir();
             console.log(`[service install] sudo detected — using ${dir} (override with --config-dir)`);
@@ -1571,6 +1625,16 @@ export async function cmdServiceInstall(args) {
         dir = ConfigLoader.defaultConfigDir();
     }
     const { spawnSync, execSync } = await import("child_process");
+    // System services (systemd/launchd) run with a minimal PATH that does NOT
+    // include a node installed via nvm/homebrew/an unofficial build. Relying on
+    // the `agentnet` shebang (#!/usr/bin/env node) then fails with
+    // "env: node: No such file or directory" and the daemon never starts.
+    // Invoke node by ABSOLUTE path — process.execPath is the node running this
+    // very install, so it's guaranteed to exist — and add its dir to the
+    // service's PATH for any child tools (ifconfig/route/etc.).
+    const nodeBin = process.execPath;
+    const nodeDir = dirname(nodeBin);
+    const servicePath = `${nodeDir}:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin`;
     if (process.platform === "linux") {
         const unitPath = "/etc/systemd/system/agentnet.service";
         if (args.uninstall) {
@@ -1609,7 +1673,8 @@ Wants=network-online.target
 [Service]
 Type=simple
 User=root
-ExecStart=${agentnetBin} up --real-tun --config-dir ${dir}
+Environment=PATH=${servicePath}
+ExecStart=${nodeBin} ${agentnetBin} up --real-tun --config-dir ${dir}
 Restart=on-failure
 RestartSec=5
 # Log to the journal so the intuitive 'journalctl -u agentnet -f' just works.
@@ -1667,12 +1732,16 @@ WantedBy=multi-user.target
   <key>Label</key><string>com.decentlan.agentnet</string>
   <key>UserName</key><string>root</string>
   <key>ProgramArguments</key><array>
+    <string>${nodeBin}</string>
     <string>${agentnetBin}</string>
     <string>up</string>
     <string>--real-tun</string>
     <string>--config-dir</string>
     <string>${dir}</string>
   </array>
+  <key>EnvironmentVariables</key><dict>
+    <key>PATH</key><string>${servicePath}</string>
+  </dict>
   <key>RunAtLoad</key><true/>
   <key>KeepAlive</key><true/>
   <key>StandardOutPath</key><string>/var/log/agentnet.log</string>
@@ -1719,6 +1788,47 @@ export async function cmdServiceStatus(_args) {
     }
     console.log(`'service status' isn't wired up for ${process.platform}.`);
 }
+/**
+ * Restart the system-service-managed daemon (systemd on Linux, launchd on
+ * macOS). Needs root, same as install. Distinct from the top-level
+ * `agentnet restart`, which re-execs an already-running daemon over IPC with
+ * no sudo — use that for picking up an upgrade; use this when the service
+ * itself is wedged/stopped and you want launchd/systemd to bring it back.
+ */
+export async function cmdServiceRestart(_args) {
+    const { spawnSync } = await import("child_process");
+    if (process.platform === "linux") {
+        const r = spawnSync("systemctl", ["restart", "agentnet"], { stdio: "inherit" });
+        if ((r.status ?? 0) !== 0) {
+            throw new Error(`'systemctl restart agentnet' failed (need root? try 'sudo agentnet service restart'). ` +
+                `If the service isn't installed, run 'sudo agentnet service install' first.`);
+        }
+        console.log("Restarted agentnet.service. Logs: journalctl -u agentnet -f");
+        return;
+    }
+    if (process.platform === "darwin") {
+        const label = "com.decentlan.agentnet";
+        // kickstart -k restarts the (loaded) daemon in one call. Falls back to
+        // unload+load if kickstart isn't available (older launchctl).
+        const kick = spawnSync("launchctl", ["kickstart", "-k", `system/${label}`], { stdio: "inherit" });
+        if ((kick.status ?? 0) === 0) {
+            console.log(`Restarted ${label}. Logs: tail -f /var/log/agentnet.log`);
+            return;
+        }
+        const plistPath = "/Library/LaunchDaemons/com.decentlan.agentnet.plist";
+        if (!existsSync(plistPath)) {
+            throw new Error(`${plistPath} not found — run 'sudo agentnet service install' first.`);
+        }
+        spawnSync("launchctl", ["unload", plistPath], { stdio: "inherit" });
+        const load = spawnSync("launchctl", ["load", plistPath], { stdio: "inherit" });
+        if ((load.status ?? 0) !== 0) {
+            throw new Error(`launchctl reload failed (need root? try 'sudo agentnet service restart').`);
+        }
+        console.log(`Restarted ${label}. Logs: tail -f /var/log/agentnet.log`);
+        return;
+    }
+    throw new Error(`'service restart' isn't wired up for ${process.platform}.`);
+}
 /**
  * Ask the running daemon to re-exec itself. Used after
  * `npm install -g @decentnetwork/lan@<new>` so the daemon picks up

package/dist/cli/index.js

@@ -10,7 +10,7 @@ import { hideBin } from "yargs/helpers";
 // Belt-and-braces — also raise it here in case the CLI is run directly
 // (e.g. `node dist/cli/index.js` rather than via dist/index.js).
 EventEmitter.defaultMaxListeners = 100;
-import { cmdInit, cmdIdentityShow, cmdPeersList, cmdIpamAssign, cmdGrant, cmdRevoke, cmdResolve, cmdStatus, cmdUp, cmdAuditLog, cmdFriendRequest, cmdFriendAccept, cmdFriendsList, cmdFriendsPending, cmdFriendsAccept, cmdFriendsReject, cmdProxyEnable, cmdProxyDisable, cmdProxyStatus, cmdProxyAllowHost, cmdProxyRevokeHost, cmdProxyListHosts, cmdProxyUse, cmdProxyRouter, cmdDoraEnable, cmdDoraDisable, cmdDoraStatus, cmdDoraAutofriend, cmdDiag, cmdDoctor, cmdDnsInstall, cmdDnsHosts, cmdServiceInstall, cmdRestart, cmdServiceStatus, } from "./commands.js";
+import { cmdInit, cmdIdentityShow, cmdPeersList, cmdIpamAssign, cmdGrant, cmdRevoke, cmdResolve, cmdStatus, cmdUp, cmdAuditLog, cmdFriendRequest, cmdFriendAccept, cmdFriendsList, cmdFriendsPending, cmdFriendsAccept, cmdFriendsReject, cmdProxyEnable, cmdProxyDisable, cmdProxyStatus, cmdProxyAllowHost, cmdProxyRevokeHost, cmdProxyListHosts, cmdProxyUse, cmdProxyRouter, cmdDoraEnable, cmdDoraDisable, cmdDoraStatus, cmdDoraAutofriend, cmdDiag, cmdDoctor, cmdDnsInstall, cmdDnsHosts, cmdServiceInstall, cmdRestart, cmdServiceStatus, cmdServiceRestart, } from "./commands.js";
 async function main() {
     await yargs(hideBin(process.argv))
         .scriptName("agentnet")
@@ -118,6 +118,9 @@ async function main() {
     })
         .command("status", "Show service status (systemctl status / launchctl list)", (yy) => yy.option("config-dir", { type: "string" }), async (argv) => {
         await cmdServiceStatus({ configDir: argv["config-dir"] });
+    })
+        .command("restart", "Restart the service via systemd/launchd (needs sudo)", (yy) => yy.option("config-dir", { type: "string" }), async (argv) => {
+        await cmdServiceRestart({ configDir: argv["config-dir"] });
     })
         .demandCommand(1, "Specify a service subcommand (run 'agentnet service --help')"), () => {
         // parent handler — never invoked because demandCommand above
@@ -266,8 +269,9 @@ async function main() {
         .option("exit", {
         type: "string",
         array: true,
-        describe: "Exit as 'host[:port]' or 'name=host[:port]' (repeatable). Default: auto-discover from IPAM",
+        describe: "Exit as 'name', 'host[:port]', or 'label=host[:port]', optionally '...@region' (repeatable). Default: auto-discover from IPAM",
     })
+        .option("routes", { type: "string", describe: "Path to a routes.yaml (domain→region table). Default: ~/.agentnet/routes.yaml if present" })
         .option("port", { type: "number", default: 8889, describe: "Local listen port" })
         .option("listen", { type: "string", default: "127.0.0.1", describe: "Listen host (use 0.0.0.0 to reach from Windows → WSL)" })
         .option("mode", { choices: ["loadbalance", "failover"], default: "loadbalance" })
@@ -275,6 +279,7 @@ async function main() {
         .option("config-dir", { type: "string" }), async (argv) => {
         await cmdProxyRouter({
             exit: argv.exit,
+            routes: argv.routes,
             port: argv.port,
             listen: argv.listen,
             mode: argv.mode,

package/dist/daemon/server.js

@@ -108,26 +108,30 @@ export class DaemonServer {
             // optional dora registration can decide our IP.
             const keyFile = resolve(this.config.carrier.dataDir, "keypair.json");
             this.peerManager = new PeerManager();
-            // Daemon does NOT use express nodes. decentlan is a virtual
-            // LAN — peers must be ONLINE for IP packets to flow. Express
-            // is an offline-message store-and-forward relay for chat-style
-            // apps; if we enable it, sendText silently falls back to a
-            // queue when a friend is offline. That creates the illusion of
-            // connectivity ("the daemon says X is reachable") while
-            // packets actually pile up in HTTPS storage and never get
-            // forwarded in real time. For a VPN-like data plane, that's
-            // wrong — better to fail fast and let the operator see the
-            // peer as offline.
+            // The daemon enables express in CONTROL-PLANE-ONLY mode. Two
+            // distinct concerns were previously conflated:
             //
-            // Friend-request bootstrap is the only thing that benefits
-            // from express; for that case use the standalone CLI
-            // `agentnet friend-request` (which DOES use express via its
-            // own short-lived Peer instance) and accept the request on
-            // both ends before bringing the daemon up.
+            //  - DATA plane (sendText / IP packets): express must NEVER be a
+            //    fallback. decentlan is a virtual LAN — if `sendText` silently
+            //    queued to HTTPS store-and-forward when a friend is offline, the
+            //    daemon would report "reachable" while packets piled up undelivered.
+            //    A VPN-like data plane must fail fast and surface the peer as
+            //    offline. `expressControlPlaneOnly: true` enforces exactly that.
+            //
+            //  - CONTROL plane (friend-request bootstrap): express IS needed. The
+            //    dora-registration friend-request (and the 30s re-send loop in
+            //    dora-integration) runs INSIDE this daemon. With express disabled
+            //    here, a node whose onion announce hasn't propagated — e.g. callpass
+            //    behind a strict NAT — could NEVER deliver its friend-request to the
+            //    dora, so it never registered and never got a virtual IP. Routing
+            //    operators through the standalone `agentnet friend-request` CLI was a
+            //    manual workaround, not a fix. Giving the daemon express for the
+            //    one-time handshake closes that gap without touching the data plane.
             await this.peerManager.create({
                 keyFile,
                 bootstrapNodes: this.config.carrier.bootstrapNodes,
-                expressNodes: [],
+                expressNodes: this.config.carrier.expressNodes ?? [],
+                expressControlPlaneOnly: true,
             });
             await this.peerManager.start();
             this.logger.info(`Identity: ${this.peerManager.getAddress()}`);

package/dist/proxy/multi-exit-router.d.ts

@@ -2,15 +2,35 @@ export interface ExitTarget {
     name: string;
     host: string;
     port: number;
+    /** Which region this exit serves (matches a RouteRegion.name). Exits with
+     *  the same region pool together for load-balance/failover. Defaults to
+     *  "default" when unset. */
+    region?: string;
+}
+export interface RouteRegion {
+    /** Region name; exits tag themselves with this to join the pool. */
+    name: string;
+    /** Host suffixes that route to this region, e.g. [".cn", ".bilibili.com"].
+     *  A leading dot matches the domain and all subdomains; an entry without a
+     *  leading dot matches that exact host. Empty list = this region is never
+     *  auto-matched by hostname (only reachable as the explicit `defaultRegion`). */
+    domains: string[];
 }
 export interface MultiExitRouterOptions {
     exits: ExitTarget[];
+    /** Ordered domain→region rules. First region whose `domains` match the
+     *  CONNECT host wins. */
+    regions?: RouteRegion[];
+    /** Where hosts that match NO region go. Either "direct" (connect from this
+     *  machine — the safe default so Google/US sites aren't black-holed through
+     *  a foreign exit) or the name of a region to fall back to. */
+    defaultRegion?: string;
     listenHost?: string;
     listenPort?: number;
     mode?: "loadbalance" | "failover";
-    routeAll?: boolean;
     log?: (msg: string) => void;
 }
+export declare const BUILTIN_REGION_DOMAINS: Record<string, string[]>;
 /**
  * Start the multi-exit router. Returns a stop() that closes the listener.
  * Runs until stopped (the CLI command keeps the process alive).

package/dist/proxy/multi-exit-router.js

@@ -1,31 +1,56 @@
 //
-// Multi-exit client router — load-balance + failover across several exit
-// proxy nodes, with a China/rest split tunnel. This is the CLIENT-side
-// counterpart to the per-node CONNECT proxy (`agentnet proxy enable`):
-// you run ONE of these on your machine abroad and point your browser at it,
-// and it spreads HTTPS (CONNECT) traffic across all your China exits.
+// Multi-exit client router — region-aware domain routing across several exit
+// proxy nodes, with load-balance + failover WITHIN each region. This is the
+// CLIENT-side counterpart to the per-node CONNECT proxy (`agentnet proxy
+// enable`): you run ONE of these on your machine and point your browser at it,
+// and it sends each hostname to the right region's exits.
+//
+// Why this beats a single Tailscale-style exit node:
+//   * Tailscale gives you ONE exit for ALL traffic (all-or-nothing).
+//   * Here, .cn rides your China exits, .jp rides your Japan exit, US
+//     streaming rides your US exit, and everything else goes DIRECT — by
+//     hostname, automatically.
+//   * Each region can have SEVERAL exits; traffic load-balances across them
+//     for bandwidth, and fails over instantly if one drops.
 //
 // Exposed as `agentnet proxy router` so released users get it without
 // cloning the repo (it used to live in scripts/failover-proxy.mjs).
 //
 import http from "node:http";
 import net from "node:net";
-// Split tunnel: ONLY these hosts go through the exits; everything else
-// (Google, US sites, etc.) connects DIRECT. Critical because China-blocked
-// sites FAIL through a China exit, and US sites are faster direct anyway.
-const CHINA_HOSTS = [
-    ".cn",
-    ".cctv.com", ".cctvpic.com", ".cntv.cn", ".cctv.cn",
-    ".bilibili.com", ".biliapi.net", ".bilivideo.com", ".bilivideo.cn", ".hdslb.com",
-    ".youku.com", ".iqiyi.com", ".iq.com", ".mgtv.com", ".hitv.com",
-    ".miguvideo.com", ".cmvideo.cn", ".migu.cn",
-    ".qq.com", ".qcloud.com", ".myqcloud.com", ".qlivecdn.com", ".qpic.cn",
-    ".volcfcdn.com", ".volccdn.com", ".byteimg.com", ".bytedance.com",
-    ".weibo.com", ".weibocdn.com", ".sinaimg.cn", ".youku.cn",
-];
-function isChinaHost(host) {
+// Built-in domain lists, so a user can reference a region by name in
+// routes.yaml without hand-listing every domain. Override by giving the
+// region its own `domains` list.
+export const BUILTIN_REGION_DOMAINS = {
+    // China-only / China-blocked-from-outside sites — must ride a China exit.
+    china: [
+        ".cn",
+        ".cctv.com", ".cctvpic.com", ".cntv.cn", ".cctv.cn",
+        ".bilibili.com", ".biliapi.net", ".bilivideo.com", ".bilivideo.cn", ".hdslb.com",
+        ".youku.com", ".iqiyi.com", ".iq.com", ".mgtv.com", ".hitv.com",
+        ".miguvideo.com", ".cmvideo.cn", ".migu.cn",
+        ".qq.com", ".qcloud.com", ".myqcloud.com", ".qlivecdn.com", ".qpic.cn",
+        ".volcfcdn.com", ".volccdn.com", ".byteimg.com", ".bytedance.com",
+        ".weibo.com", ".weibocdn.com", ".sinaimg.cn", ".youku.cn",
+    ],
+    // Japan-region sites / services that geo-fence to a JP IP.
+    japan: [
+        ".jp",
+        ".nicovideo.jp", ".nimg.jp", ".dmm.com", ".dmm.co.jp",
+        ".abema.tv", ".abema.io", ".tver.jp", ".unext.jp",
+        ".radiko.jp", ".pixiv.net", ".pximg.net",
+    ],
+    // US-region streaming / services that geo-fence to a US IP.
+    us: [
+        ".hulu.com", ".huluim.com", ".hulustream.com",
+        ".peacocktv.com", ".max.com", ".hbomax.com",
+        ".pluto.tv", ".tubi.tv", ".tubitv.com",
+        ".vudu.com", ".espn.com", ".nbc.com", ".cbs.com", ".fox.com",
+    ],
+};
+function hostMatches(host, suffixes) {
     host = (host || "").toLowerCase();
-    return CHINA_HOSTS.some((s) => host === s.slice(1) || host.endsWith(s));
+    return suffixes.some((s) => host === (s.startsWith(".") ? s.slice(1) : s) || host.endsWith(s));
 }
 const HEALTH_INTERVAL_MS = 1000;
 const HEALTH_TIMEOUT_MS = 1500;
@@ -39,11 +64,17 @@ export function startMultiExitRouter(opts) {
     const listenHost = opts.listenHost ?? "127.0.0.1";
     const listenPort = opts.listenPort ?? 8889;
     const mode = opts.mode === "failover" ? "failover" : "loadbalance";
-    const routeAll = opts.routeAll ?? false;
+    const defaultRegion = opts.defaultRegion ?? "direct";
     const ts = () => new Date().toTimeString().slice(0, 8);
     const log = opts.log ?? ((s) => console.log(`${ts()} ${s}`));
+    // Resolve each region's effective domain list (explicit list, else built-in).
+    const regions = (opts.regions ?? []).map((r) => ({
+        name: r.name,
+        domains: r.domains && r.domains.length > 0 ? r.domains : (BUILTIN_REGION_DOMAINS[r.name] ?? []),
+    }));
     const exits = opts.exits.map((e) => ({
         ...e,
+        region: e.region ?? "default",
         healthy: false,
         fails: 0,
         oks: 0,
@@ -51,10 +82,24 @@ export function startMultiExitRouter(opts) {
         served: 0,
         lastRtt: null,
     }));
+    // Per-host routing decision, logged once on first sight so the user can SEE
+    // why a hostname went DIRECT vs through a region (e.g. a CCTV video CDN that
+    // isn't classified as China and silently leaked direct → geo-blocked).
+    const seenHosts = new Set();
     let directActive = 0;
     let directTotal = 0;
     let lastPool = null;
     let stopped = false;
+    // ---- routing decision -----------------------------------------------------
+    // Returns the region name a host should use, or "direct" for a direct
+    // connection from this machine.
+    function routeFor(host) {
+        for (const r of regions) {
+            if (r.domains.length > 0 && hostMatches(host, r.domains))
+                return r.name;
+        }
+        return defaultRegion;
+    }
     // ---- health checks --------------------------------------------------------
     function probe(exit) {
         return new Promise((resolve) => {
@@ -66,10 +111,22 @@ export function startMultiExitRouter(opts) {
         });
     }
     function printPool() {
-        const healthy = exits.filter((e) => e.healthy).map((e) => `${e.name}(${e.lastRtt}ms)`).join(", ") || "NONE";
-        if (healthy !== lastPool) {
-            log(`pool [${mode}]: ${healthy}`);
-            lastPool = healthy;
+        // Group the healthy pool by region so the operator can see each region's
+        // bandwidth at a glance.
+        const byRegion = new Map();
+        for (const e of exits) {
+            if (!e.healthy)
+                continue;
+            const arr = byRegion.get(e.region) ?? [];
+            arr.push(`${e.name}(${e.lastRtt}ms)`);
+            byRegion.set(e.region, arr);
+        }
+        const summary = byRegion.size === 0
+            ? "NONE"
+            : [...byRegion.entries()].map(([r, ms]) => `${r}: ${ms.join(", ")}`).join("  |  ");
+        if (summary !== lastPool) {
+            log(`pool [${mode}]: ${summary}`);
+            lastPool = summary;
         }
     }
     async function healthLoop() {
@@ -81,7 +138,7 @@ export function startMultiExitRouter(opts) {
                     exit.fails = 0;
                     if (!exit.healthy) {
                         exit.healthy = true;
-                        log(`✓ ${exit.name} UP (${exit.lastRtt}ms)`);
+                        log(`✓ ${exit.name} [${exit.region}] UP (${exit.lastRtt}ms)`);
                         printPool();
                     }
                 }
@@ -90,7 +147,7 @@ export function startMultiExitRouter(opts) {
                     exit.oks = 0;
                     if (exit.healthy && exit.fails >= DOWN_AFTER_FAILS) {
                         exit.healthy = false;
-                        log(`✗ ${exit.name} DOWN`);
+                        log(`✗ ${exit.name} [${exit.region}] DOWN`);
                         printPool();
                     }
                 }
@@ -98,15 +155,20 @@ export function startMultiExitRouter(opts) {
             await new Promise((r) => setTimeout(r, HEALTH_INTERVAL_MS));
         }
     }
-    // ---- exit selection -------------------------------------------------------
-    function pickOrder() {
-        const healthy = exits.filter((e) => e.healthy);
+    // ---- exit selection (scoped to one region) --------------------------------
+    function pickOrder(region) {
+        const healthy = exits.filter((e) => e.healthy && e.region === region);
         if (healthy.length === 0)
             return [];
         if (mode === "failover")
             return healthy; // priority order (input order)
         return [...healthy].sort((a, b) => a.active - b.active || a.served - b.served);
     }
+    // Whether ANY exit is configured for a region (healthy or not). Lets us tell
+    // "region has no exits at all → fall through" from "exits all down → 503".
+    function regionHasExits(region) {
+        return exits.some((e) => e.region === region);
+    }
     // ---- CONNECT through an exit ----------------------------------------------
     function forward(exit, target, client, head, onFail) {
         const up = net.connect(exit.port, exit.host);
@@ -154,8 +216,8 @@ export function startMultiExitRouter(opts) {
         up.on("data", onData);
         up.on("error", () => fail("conn error"));
     }
-    // Direct connection from THIS machine — for non-China hosts so Google etc.
-    // aren't black-holed through a China exit.
+    // Direct connection from THIS machine — for hosts that match no region so
+    // Google etc. aren't black-holed through a foreign exit.
     function directConnect(target, client, head) {
         const [host, portStr] = target.split(":");
         const up = net.connect(Number(portStr) || 443, host);
@@ -181,13 +243,26 @@ export function startMultiExitRouter(opts) {
         const target = req.url || "";
         const host = (target.split(":")[0] || "").toLowerCase();
         client.on("error", () => { });
-        if (!routeAll && !isChinaHost(host)) {
+        let region = routeFor(host);
+        // If the chosen region has no exits configured, fall back to direct rather
+        // than 503 (a misconfigured default shouldn't black-hole everything).
+        if (region !== "direct" && !regionHasExits(region))
+            region = "direct";
+        if (!seenHosts.has(host)) {
+            seenHosts.add(host);
+            log(`route ${host} → ${region === "direct" ? "DIRECT" : `region [${region}]`}`);
+        }
+        if (region === "direct") {
             directConnect(target, client, head);
             return;
         }
-        const order = pickOrder();
+        const order = pickOrder(region);
         if (order.length === 0) {
-            client.end("HTTP/1.1 503 No healthy exit\r\n\r\n");
+            // Region matched but every exit in it is down. Do NOT silently leak to
+            // direct — a .cn host would just fail from abroad, and the operator
+            // should see the region is down.
+            log(`  ${target}: region [${region}] has no healthy exit`);
+            client.end("HTTP/1.1 503 No healthy exit for region\r\n\r\n");
             return;
         }
         let i = 0;
@@ -204,16 +279,20 @@ export function startMultiExitRouter(opts) {
     });
     server.listen(listenPort, listenHost, () => {
         log(`Multi-exit router [${mode}] on http://${listenHost}:${listenPort}`);
-        log(`Exits: ${exits.map((e) => `${e.name}@${e.host}:${e.port}`).join(", ")}`);
-        log(routeAll
-            ? `Routing: ALL hosts through the exits (--all)`
-            : `Routing: China hosts → exits, everything else → DIRECT (so Google/US sites work)`);
+        // One line per region: which exits serve it.
+        for (const r of regions) {
+            if (!regionHasExits(r.name))
+                continue;
+            const members = exits.filter((e) => e.region === r.name).map((e) => `${e.name}@${e.host}:${e.port}`);
+            log(`  region [${r.name}] → ${members.join(", ")}`);
+        }
+        log(`  default (unmatched hosts) → ${defaultRegion === "direct" ? "DIRECT" : `region [${defaultRegion}]`}`);
         log(`Point your browser's HTTPS proxy at ${listenHost}:${listenPort}`);
         void healthLoop();
     });
     if (mode === "loadbalance") {
         const reporter = setInterval(() => {
-            const parts = exits.filter((e) => e.healthy).map((e) => `${e.name}: ${e.active} active / ${e.served} total`);
+            const parts = exits.filter((e) => e.healthy).map((e) => `${e.name}[${e.region}]: ${e.active} active / ${e.served} total`);
             parts.push(`direct: ${directActive} active / ${directTotal} total`);
             log(`load — ${parts.join("  |  ")}`);
         }, 15000);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decentnetwork/lan",
-  "version": "0.1.69",
+  "version": "0.1.71",
   "description": "Private virtual LAN for self-hosted services and AI agents, built on Elastos Carrier. NAT-traversal, name service, ACL, all over a peer-to-peer mesh — no public IP required.",
   "type": "module",
   "main": "./dist/index.js",
@@ -19,6 +19,7 @@
     "dist",
     "bin",
     "config/default-doras.yaml",
+    "config/routes.example.yaml",
     "README.md",
     "LICENSE",
     "docs/INSTALL.md",
@@ -75,7 +76,7 @@
   },
   "dependencies": {
     "@decentnetwork/dora": "^0.1.6",
-    "@decentnetwork/peer": "^0.1.31",
+    "@decentnetwork/peer": "^0.1.32",
     "js-yaml": "^4.1.0",
     "yargs": "^17.7.2"
   },