@nordbyte/nordrelay 0.8.0 → 0.8.1

package/README.md

@@ -378,6 +378,15 @@ nordrelay peer invite --name workstation --scopes inspect,sessions.read,sessions
 nordrelay peer add https://workstation.example:31979 --code one-time-code
 ```
 
+If the controlling host should also be reachable by the remote peer, enable its peer server and set
+`NORDRELAY_PEER_PUBLIC_URL` before running `peer add`, or pass it explicitly:
+
+```bash
+nordrelay peer add https://workstation.example:31979 --code one-time-code --public-url https://controller.example:31979
+```
+
+NordRelay validates the advertised public URL against the peer identity endpoint during pairing and stores the current TLS certificate fingerprint for later reachability probes.
+
 7. Confirm the connection:
 
 ```bash

package/dist/peer-client.js

@@ -35,6 +35,42 @@ export async function checkPeerEndpoint(url, options = {}) {
         };
     }
 }
+export async function checkPeerIdentityEndpoint(url, options = {}) {
+    const target = joinPeerUrl(url, "/peer/identity");
+    const startedAt = Date.now();
+    try {
+        const result = await requestJson({
+            url: target,
+            method: "GET",
+            expectedTlsFingerprint: options.expectedTlsFingerprint,
+            allowSelfSigned: true,
+            timeoutMs: options.timeoutMs ?? 4_000,
+        });
+        const identity = parsePeerIdentity(result.data?.identity);
+        const protocolVersion = result.data?.protocolVersion;
+        return {
+            ok: Boolean(identity) && protocolVersion === PEER_PROTOCOL_VERSION,
+            status: "reachable",
+            url: target,
+            latencyMs: Date.now() - startedAt,
+            statusCode: result.statusCode,
+            tlsFingerprint: result.tlsFingerprint,
+            identity,
+            detail: identity && protocolVersion === PEER_PROTOCOL_VERSION
+                ? "Peer identity endpoint is reachable."
+                : "Endpoint responded, but did not return the expected peer identity payload.",
+        };
+    }
+    catch (error) {
+        return {
+            ok: false,
+            status: "unreachable",
+            url: target,
+            latencyMs: Date.now() - startedAt,
+            detail: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
 export async function pairPeer(options, identity, store = new PeerStore()) {
     const timestamp = new Date().toISOString();
     const payload = createPairingSignaturePayload(identity.public.nodeId, timestamp, options.code);
@@ -65,7 +101,7 @@ export async function pairPeer(options, identity, store = new PeerStore()) {
         nodeId: result.data.identity.nodeId,
         publicKey: result.data.identity.publicKey,
         fingerprint: result.data.identity.fingerprint,
-        tlsFingerprint: result.tlsFingerprint,
+        tlsFingerprint: result.tlsFingerprint ?? null,
         secret: result.data.secret,
         enabled: true,
         direction: "outbound",
@@ -286,3 +322,23 @@ function normalizePeerUrl(value) {
 function normalizeFingerprint(value) {
     return value?.trim().toLowerCase();
 }
+function parsePeerIdentity(value) {
+    if (!value || typeof value !== "object") {
+        return undefined;
+    }
+    const record = value;
+    if (typeof record.nodeId !== "string" ||
+        typeof record.name !== "string" ||
+        typeof record.publicKey !== "string" ||
+        typeof record.fingerprint !== "string" ||
+        typeof record.createdAt !== "string") {
+        return undefined;
+    }
+    return {
+        nodeId: record.nodeId,
+        name: record.name,
+        publicKey: record.publicKey,
+        fingerprint: record.fingerprint,
+        createdAt: record.createdAt,
+    };
+}

package/dist/peer-server.js

@@ -4,6 +4,7 @@ import { URL } from "node:url";
 import { friendlyErrorText } from "./error-messages.js";
 import { createPairingSignaturePayload, createSharedSecret, ensurePeerTlsFiles, fingerprintForPublicKey, loadOrCreatePeerIdentity, verifyPeerPayload, } from "./peer-identity.js";
 import { header, PeerNonceCache, verifyPeerRequest } from "./peer-auth.js";
+import { checkPeerIdentityEndpoint } from "./peer-client.js";
 import { peerRuntimeContextKey } from "./peer-context.js";
 import { PeerStore } from "./peer-store.js";
 import { PeerRuntimeService, peerError } from "./peer-runtime-service.js";
@@ -78,7 +79,7 @@ export async function startPeerServer(options) {
             if (req.method === "POST" && url.pathname === "/peer/pair") {
                 const bodyText = await readBody(req, 128 * 1024);
                 const body = parseJson(bodyText);
-                const response = handlePair(body);
+                const response = await handlePair(body);
                 sendJson(res, 201, response);
                 return;
             }
@@ -123,7 +124,7 @@ export async function startPeerServer(options) {
             sendJson(res, status, { error: friendlyErrorText(error) });
         }
     }
-    function handlePair(body) {
+    async function handlePair(body) {
         if (!body?.identity?.nodeId || !body.identity.publicKey || !body.code || !body.signature || !body.timestamp) {
             throw new Error("Invalid peer pairing request.");
         }
@@ -140,17 +141,20 @@ export async function startPeerServer(options) {
         if (!verifyPeerPayload(body.identity.publicKey, signaturePayload, body.signature)) {
             throw new Error("Invalid peer pairing signature.");
         }
+        const publicUrl = body.publicUrl?.trim() || undefined;
+        const publicUrlTlsFingerprint = publicUrl ? await verifyPairingPublicUrl(publicUrl, body.identity) : undefined;
         const invitation = store.consumeInvitation(body.code, body.identity.nodeId);
         const secret = createSharedSecret();
         const peer = store.upsertPeer({
             name: body.name?.trim() || body.identity.name || invitation.name,
-            url: body.publicUrl,
+            url: publicUrl,
             nodeId: body.identity.nodeId,
             publicKey: body.identity.publicKey,
             fingerprint: body.identity.fingerprint,
+            tlsFingerprint: publicUrl ? publicUrlTlsFingerprint ?? null : undefined,
             secret,
             enabled: true,
-            direction: body.publicUrl ? "bidirectional" : "inbound",
+            direction: publicUrl ? "bidirectional" : "inbound",
             scopes: invitation.scopes,
             allowedAgents: invitation.allowedAgents,
             allowedWorkspaceRoots: invitation.allowedWorkspaceRoots,
@@ -167,6 +171,18 @@ export async function startPeerServer(options) {
             workspaceAliases: peer.workspaceAliases,
         };
     }
+    async function verifyPairingPublicUrl(publicUrl, expectedIdentity) {
+        const probe = await checkPeerIdentityEndpoint(publicUrl, { timeoutMs: 4_000 });
+        if (!probe.ok || !probe.identity) {
+            throw new Error(`Peer public URL is not reachable or does not expose a valid NordRelay identity: ${probe.detail}`);
+        }
+        if (probe.identity.nodeId !== expectedIdentity.nodeId ||
+            probe.identity.publicKey !== expectedIdentity.publicKey ||
+            probe.identity.fingerprint !== expectedIdentity.fingerprint) {
+            throw new Error("Peer public URL identity does not match the pairing identity.");
+        }
+        return probe.tlsFingerprint;
+    }
     function authenticate(req, method, pathname, body) {
         const peerId = header(req, "x-nordrelay-peer-id");
         const peer = peerId ? store.get(peerId) : null;

package/dist/peer-store.js

@@ -91,7 +91,9 @@ export class PeerStore {
                 existing.url = input.url ?? existing.url;
                 existing.publicKey = input.publicKey;
                 existing.fingerprint = input.fingerprint;
-                existing.tlsFingerprint = input.tlsFingerprint ?? existing.tlsFingerprint;
+                if (input.tlsFingerprint !== undefined) {
+                    existing.tlsFingerprint = input.tlsFingerprint || undefined;
+                }
                 existing.secret = input.secret;
                 existing.enabled = input.enabled ?? existing.enabled;
                 existing.direction = mergeDirection(existing.direction, input.direction ?? existing.direction);
@@ -111,7 +113,7 @@ export class PeerStore {
                 nodeId: input.nodeId,
                 publicKey: input.publicKey,
                 fingerprint: input.fingerprint,
-                tlsFingerprint: input.tlsFingerprint,
+                tlsFingerprint: input.tlsFingerprint || undefined,
                 secret: input.secret,
                 enabled: input.enabled ?? true,
                 direction: input.direction ?? "outbound",

package/dist/webui-assets/dashboard.js

@@ -2166,7 +2166,8 @@
     applyPermissions();
   }
   function openPeerAddDialog() {
-    adminDialog("Add peer", '<label>Peer URL<input id="dlgPeerAddUrl" placeholder="https://host:31979"></label><label>Pairing code<input id="dlgPeerAddCode"></label><label>Name<input id="dlgPeerAddName" placeholder="optional local label"></label><label>Public URL for this node<input id="dlgPeerAddPublicUrl" placeholder="optional"></label>', async () => {
+    const publicUrl = state.peers?.enabled ? state.peers?.listenUrl || "" : "";
+    adminDialog("Add peer", '<label>Peer URL<input id="dlgPeerAddUrl" placeholder="https://host:31979"></label><label>Pairing code<input id="dlgPeerAddCode"></label><label>Name<input id="dlgPeerAddName" placeholder="optional local label"></label><label>Public URL for this node<input id="dlgPeerAddPublicUrl" placeholder="optional" value="' + attr(publicUrl) + '"></label>', async () => {
       const r = await api("/api/peers/pair", { method: "POST", body: JSON.stringify({ url: val("dlgPeerAddUrl"), code: val("dlgPeerAddCode"), name: val("dlgPeerAddName") || void 0, publicUrl: val("dlgPeerAddPublicUrl") || void 0 }), local: true });
       toast("Added peer " + (r.peer?.name || ""));
       await loadPeers();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nordbyte/nordrelay",
-  "version": "0.8.0",
+  "version": "0.8.1",
   "description": "Remote control plane for coding agents across messaging channels.",
   "type": "module",
   "author": "Ricardo",

package/plugins/nordrelay/scripts/nordrelay.mjs

@@ -915,16 +915,19 @@ async function commandPeer(options) {
   if (flags.subcommand === "add") {
     const url = flags.url || await ask(null, "Peer URL", "");
     const code = flags.code || await ask(null, "Pairing code", "");
+    const configuredPublicUrl = process.env.NORDRELAY_PEER_ENABLED === "true" ? process.env.NORDRELAY_PEER_PUBLIC_URL : undefined;
+    const publicUrl = flags.publicUrl || configuredPublicUrl;
     const result = await clientMod.pairPeer({
       url,
       code,
       name: flags.name,
-      publicUrl: flags.publicUrl,
+      publicUrl,
     }, identity, store);
     console.log(`Added peer ${result.peer.name} (${result.peer.id}).`);
     console.log(`Node: ${result.peer.nodeId}`);
     console.log(`Fingerprint: ${result.peer.fingerprint}`);
     if (result.tlsFingerprint) console.log(`TLS fingerprint: ${result.tlsFingerprint}`);
+    if (publicUrl) console.log(`Shared public URL: ${publicUrl}`);
     return;
   }