@decentnetwork/lan 0.1.71 → 0.1.73

package/config/default-exits.yaml

@@ -0,0 +1,55 @@
+# Official exit / infrastructure nodes shipped with @decentnetwork/lan.
+#
+# A fresh install auto-friends ONLY the dora registries (config/default-doras.yaml)
+# and the exits listed here — NOT every machine that happens to be in the dora
+# roster. This keeps a new client's friend list to infrastructure (doras + exits)
+# instead of filling up with other people's personal/compute boxes.
+#
+# Each exit carries a `region`, so `agentnet proxy router` (with no routes.yaml)
+# auto-builds the routing table: China sites → china exits, Japan/Binance →
+# japan exit, Google/YouTube/GitHub/etc → us exits, everything else direct.
+#
+# Mechanism: these userids (plus the dora userids) become the default
+# `dora.autoFriend` whitelist for a freshly-initialised config. The client
+# still LEARNS every roster entry into IPAM (so names/IPs resolve), but only
+# proactively friends infrastructure. Exits still serve arbitrary clients
+# because the daemon auto-ACCEPTS incoming friend-requests — so hub-and-spoke
+# works without meshing every personal machine.
+#
+# To run a full mesh instead (friend everyone in the roster):
+#   agentnet dora autofriend all
+# To add/replace an exit: edit this file (data, not code) and republish, or
+# locally: agentnet dora autofriend allow <name|userid> ...
+#
+# `region` is one of: china | japan | us  (matches the router's built-in
+# domain lists; see BUILTIN_REGION_DOMAINS in src/proxy/multi-exit-router.ts).
+exits:
+  # --- China (China-only / GFW-blocked-from-outside sites) ---
+  - name: cn
+    userid: 5Aj6uQMd1cNRb9cGT4AwHCN4RdVZjfaGLtgKGhdP1LzN
+    virtual_ip: 10.86.1.15
+    region: china
+  - name: sh
+    userid: 6D1PLSVqbSpcxnDMAd8ZXLWycYveeP2hU4g3igDQEqA7
+    virtual_ip: 10.86.1.16
+    region: china
+  - name: callpass
+    userid: DZN2L9RV1YkHjqGHMTA6juZhskKA65AD2RyPt4umZVc7
+    virtual_ip: 10.86.1.17
+    region: china
+  # --- Japan (host "lico", dora name node-91) — Binance routes here ---
+  - name: tokyo
+    userid: 4uNnLnAQHVJ7td657MDaz4UnEuhnTW9sRAPSVeAEEQe4
+    virtual_ip: 10.86.68.90
+    region: japan
+  # --- US (Google, YouTube, GitHub, X/Twitter, LinkedIn, OpenAI) ---
+  - name: gojipower
+    userid: 2wErj1XreXt1UchE3FGhuvkZ4GoBpo8JGMn8X49nm2ec
+    virtual_ip: 10.86.166.16
+    region: us
+  # snoopy has NO public IP (LAN 10.0.0.115) — proves a NAT'd node can serve
+  # as an exit purely over the Carrier tunnel.
+  - name: snoopy
+    userid: BeMbuKf1poh3U4rjw3eeUAKZsbN2qBSjVZdPSvehmHsw
+    virtual_ip: 10.86.156.164
+    region: us

package/dist/cli/commands.js

@@ -4,7 +4,7 @@
 import { resolve, dirname } from "path";
 import { existsSync, mkdirSync, readFileSync } from "fs";
 import { createConnection } from "net";
-import { ConfigLoader, DEFAULT_DORAS } from "../config/loader.js";
+import { ConfigLoader, DEFAULT_DORAS, DEFAULT_EXITS } from "../config/loader.js";
 import { ipcSocketPath } from "../daemon/ipc.js";
 import { DaemonServer } from "../daemon/server.js";
 import { Ipam } from "../ipam/ipam.js";
@@ -1104,24 +1104,63 @@ export async function cmdProxyRouter(args) {
         defaultRegion = routesFile.default ?? "direct";
         console.log(`Loaded ${regions.length} region(s) from ${routesPath}`);
     }
-    else {
-        // ---- Legacy auto-discovery: all IPAM peers as China exits -------------
-        const discovered = peers
-            .filter((p) => p.virtualIp)
-            .map((p) => resolveExit(p.name || p.virtualIp, args.all ? "all" : "china"))
-            .filter(Boolean);
-        if (discovered.length === 0) {
-            console.error(`No exits given and none discovered from IPAM (${source}).`);
-            console.error(`Pass exits explicitly, e.g.:`);
-            console.error(`  agentnet proxy router --exit cn --exit node-5123`);
-            console.error(`Or define regions in ${routesPath} (see docs/INSTALL-NODES.md).`);
+    else if (args.all) {
+        // ---- --all: every discovered peer through exits, single region --------
+        const discovered = peers.filter((p) => p.virtualIp);
+        for (const p of discovered) {
+            exits.push({ name: p.name || p.virtualIp, host: p.virtualIp, port: defaultExitPort, region: "all" });
+        }
+        if (exits.length === 0) {
+            console.error(`No exits discovered from IPAM (${source}). Is the daemon up?`);
             process.exit(1);
         }
-        exits.push(...discovered);
-        regions.push({ name: args.all ? "all" : "china", domains: [] });
-        defaultRegion = args.all ? "all" : "direct";
-        console.log(`Auto-discovered ${discovered.length} exit(s) from IPAM (${source}): ${discovered.map((e) => e.name).join(", ")}`);
-        console.log(`(health checks will drop any that aren't actually running a proxy)\n`);
+        regions.push({ name: "all", domains: [] });
+        defaultRegion = "all";
+        console.log(`Auto-discovered ${exits.length} exit(s) from IPAM (${source}); routing ALL hosts through them.\n`);
+    }
+    else {
+        // ---- Auto-discovery: curated exits, each in its OWN region -----------
+        // Match live IPAM peers against the shipped exit list (by userid, then
+        // name) and assign each its region (china/japan/us). Non-exit peers
+        // (personal machines) are skipped, so the router never sends traffic
+        // through someone's laptop.
+        const exitByUserid = new Map(DEFAULT_EXITS.map((e) => [e.userid, e]));
+        const exitByName = new Map(DEFAULT_EXITS.map((e) => [e.name, e]));
+        const regionsSeen = new Set();
+        for (const p of peers) {
+            if (!p.virtualIp)
+                continue;
+            const curated = exitByUserid.get(p.carrierId) ?? exitByName.get(p.name);
+            if (!curated)
+                continue;
+            const region = curated.region ?? "china";
+            exits.push({ name: curated.name, host: p.virtualIp, port: defaultExitPort, region });
+            regionsSeen.add(region);
+        }
+        if (exits.length > 0) {
+            for (const r of regionsSeen)
+                regions.push({ name: r, domains: [] });
+            console.log(`Auto-discovered ${exits.length} curated exit(s) from IPAM (${source}): ` +
+                [...regionsSeen].map((r) => `${r}=[${exits.filter((e) => e.region === r).map((e) => e.name).join(",")}]`).join(" "));
+            console.log(`(China→china exits, Japan/Binance→japan, Google/YouTube/etc→us, rest→direct)\n`);
+        }
+        else {
+            // No curated exits in this roster (a different/private network) — fall
+            // back to treating every discovered peer as a China exit.
+            const discovered = peers
+                .filter((p) => p.virtualIp)
+                .map((p) => ({ name: p.name || p.virtualIp, host: p.virtualIp, port: defaultExitPort, region: "china" }));
+            if (discovered.length === 0) {
+                console.error(`No exits given and none discovered from IPAM (${source}).`);
+                console.error(`Pass exits explicitly, e.g.:  agentnet proxy router --exit cn --exit sh`);
+                console.error(`Or define regions in ${routesPath} (see docs/INSTALL-NODES.md).`);
+                process.exit(1);
+            }
+            exits.push(...discovered);
+            regions.push({ name: "china", domains: [] });
+            console.log(`Auto-discovered ${discovered.length} exit(s) from IPAM (${source}); none curated, routing China-split.\n`);
+        }
+        defaultRegion = "direct";
     }
     startMultiExitRouter({
         exits,

package/dist/config/loader.d.ts

@@ -26,6 +26,28 @@ export interface DefaultDora {
 export declare const DEFAULT_DORAS: DefaultDora[];
 export declare const DEFAULT_DORA_USERID: string;
 export declare const DEFAULT_DORA_ADDRESS: string;
+/**
+ * Official exit / infrastructure nodes (config/default-exits.yaml). These,
+ * together with the dora userids, form the default `autoFriend` whitelist so
+ * a fresh install only friends infrastructure — not every personal/compute
+ * box that shows up in the dora roster. Editable data, not code.
+ */
+export interface DefaultExit {
+    name: string;
+    userid: string;
+    virtual_ip?: string;
+    /** Routing region: china | japan | us. Used by `agentnet proxy router` to
+     *  auto-build the domain→region table with zero config. */
+    region?: string;
+}
+export declare const DEFAULT_EXITS: DefaultExit[];
+/**
+ * The default `dora.autoFriend` whitelist for a fresh config: every dora plus
+ * every official exit, by userid. A new client friends only these (the dora
+ * roster is still fully learned into IPAM for name/IP resolution). Override
+ * with `agentnet dora autofriend all` for a full mesh.
+ */
+export declare const DEFAULT_AUTOFRIEND: string[];
 export declare class ConfigLoader {
     static defaultConfigPath(): string;
     static defaultConfigDir(): string;

package/dist/config/loader.js

@@ -72,6 +72,27 @@ export const DEFAULT_DORAS = loadDefaultDoras();
 // Back-compat single-value exports (first/primary dora).
 export const DEFAULT_DORA_USERID = DEFAULT_DORAS[0].userid;
 export const DEFAULT_DORA_ADDRESS = DEFAULT_DORAS[0].address;
+function loadDefaultExits() {
+    try {
+        const file = resolve(dirname(new URL(import.meta.url).pathname), "../../config/default-exits.yaml");
+        const parsed = yaml.load(readFileSync(file, "utf-8"));
+        return (parsed?.exits ?? []).filter((e) => e && e.userid);
+    }
+    catch {
+        return [];
+    }
+}
+export const DEFAULT_EXITS = loadDefaultExits();
+/**
+ * The default `dora.autoFriend` whitelist for a fresh config: every dora plus
+ * every official exit, by userid. A new client friends only these (the dora
+ * roster is still fully learned into IPAM for name/IP resolution). Override
+ * with `agentnet dora autofriend all` for a full mesh.
+ */
+export const DEFAULT_AUTOFRIEND = [
+    ...DEFAULT_DORAS.map((d) => d.userid),
+    ...DEFAULT_EXITS.map((e) => e.userid),
+];
 export class ConfigLoader {
     static defaultConfigPath() {
         return resolve(this.defaultConfigDir(), "config.yaml");
@@ -174,13 +195,15 @@ export class ConfigLoader {
                 enabled: true,
                 userids: DEFAULT_DORAS.map((d) => d.userid),
                 refreshIntervalMs: 60_000,
-                // Default: auto-friend every peer in the dora roster. Dora
-                // membership IS the trust statement — joining a dora means
-                // "I want to be on this network", and a single-tenant lab is
-                // the common case. Operators on a multi-tenant / public
-                // dora opt out with `agentnet dora autofriend none` or
-                // whitelist via `agentnet dora autofriend allow <peer>...`.
-                autoFriend: "all",
+                // Default: auto-friend ONLY infrastructure — the dora registries and
+                // the official exit nodes (config/default-exits.yaml) — not every
+                // personal/compute box in the roster. Hub-and-spoke: a client connects
+                // to doras + exits; exits still serve arbitrary clients because the
+                // daemon auto-ACCEPTS incoming friend-requests. The full roster is
+                // still learned into IPAM for name/IP resolution. Run a full mesh with
+                // `agentnet dora autofriend all`, lock down with `... none`, or curate
+                // with `agentnet dora autofriend allow <peer>...`.
+                autoFriend: DEFAULT_AUTOFRIEND,
             },
         };
     }

package/dist/proxy/multi-exit-router.js

@@ -33,15 +33,33 @@ export const BUILTIN_REGION_DOMAINS = {
         ".volcfcdn.com", ".volccdn.com", ".byteimg.com", ".bytedance.com",
         ".weibo.com", ".weibocdn.com", ".sinaimg.cn", ".youku.cn",
     ],
-    // Japan-region sites / services that geo-fence to a JP IP.
+    // Japan-region sites / services that geo-fence to a JP IP, plus Binance
+    // (routed through the Japan exit — it's blocked/geo-restricted on many
+    // other paths). .bnbstatic.com is Binance's asset CDN; without it the
+    // site loads blank.
     japan: [
         ".jp",
         ".nicovideo.jp", ".nimg.jp", ".dmm.com", ".dmm.co.jp",
         ".abema.tv", ".abema.io", ".tver.jp", ".unext.jp",
         ".radiko.jp", ".pixiv.net", ".pximg.net",
+        ".binance.com", ".binance.org", ".bnbstatic.com", ".binancecnt.com",
     ],
-    // US-region streaming / services that geo-fence to a US IP.
+    // US region: Western sites commonly blocked/throttled from China (route via
+    // a US exit), plus US-geo-fenced streaming.
     us: [
+        // Google / YouTube
+        ".google.com", ".google.com.hk", ".gstatic.com", ".googleapis.com",
+        ".googleusercontent.com", ".googlevideo.com", ".ggpht.com", ".withgoogle.com", ".goo.gl",
+        ".youtube.com", ".youtu.be", ".ytimg.com",
+        // GitHub
+        ".github.com", ".github.io", ".githubusercontent.com", ".githubassets.com", ".ghcr.io",
+        // X / Twitter
+        ".twitter.com", ".x.com", ".twimg.com", ".t.co",
+        // LinkedIn
+        ".linkedin.com", ".licdn.com",
+        // OpenAI / ChatGPT
+        ".openai.com", ".chatgpt.com", ".oaistatic.com", ".oaiusercontent.com",
+        // US-geo-fenced streaming
         ".hulu.com", ".huluim.com", ".hulustream.com",
         ".peacocktv.com", ".max.com", ".hbomax.com",
         ".pluto.tv", ".tubi.tv", ".tubitv.com",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decentnetwork/lan",
-  "version": "0.1.71",
+  "version": "0.1.73",
   "description": "Private virtual LAN for self-hosted services and AI agents, built on Elastos Carrier. NAT-traversal, name service, ACL, all over a peer-to-peer mesh — no public IP required.",
   "type": "module",
   "main": "./dist/index.js",
@@ -19,6 +19,7 @@
     "dist",
     "bin",
     "config/default-doras.yaml",
+    "config/default-exits.yaml",
     "config/routes.example.yaml",
     "README.md",
     "LICENSE",