npm - @nordbyte/nordrelay - Versions diffs - 0.8.1 → 0.8.3 - Mend

@nordbyte/nordrelay 0.8.1 → 0.8.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (179) hide show

package/dist/peers/peer-discovery.js ADDED Viewed

@@ -0,0 +1,223 @@
+import dns from "node:dns/promises";
+import net from "node:net";
+import os from "node:os";
+import { checkPeerIdentityEndpoint } from "./peer-client.js";
+export async function discoverLanPeers(config, options = {}) {
+    const warnings = [];
+    const targets = await buildDiscoveryTargets(config, options.maxHosts ?? 512, warnings, options.targets ?? []);
+    const candidates = [];
+    const concurrency = Math.max(1, Math.min(options.concurrency ?? 32, 128));
+    let index = 0;
+    let scanned = 0;
+    async function worker() {
+        while (index < targets.length) {
+            if (options.signal?.aborted) {
+                return;
+            }
+            const target = targets[index++];
+            const startedAt = Date.now();
+            const probe = await checkPeerIdentityEndpoint(target.url, { timeoutMs: options.timeoutMs ?? config.peerDiscoveryTimeoutMs });
+            scanned += 1;
+            if (!probe.ok || !probe.identity) {
+                options.onProgress?.({ scanned, total: targets.length, target: target.url });
+                continue;
+            }
+            const candidate = {
+                url: target.url,
+                host: target.host,
+                port: target.port,
+                scheme: target.scheme,
+                nodeId: probe.identity.nodeId,
+                name: probe.identity.name,
+                fingerprint: probe.identity.fingerprint,
+                tlsFingerprint: probe.tlsFingerprint,
+                latencyMs: probe.latencyMs ?? Date.now() - startedAt,
+            };
+            candidates.push(candidate);
+            options.onProgress?.({ scanned, total: targets.length, candidate, target: target.url });
+        }
+    }
+    await Promise.all(Array.from({ length: Math.min(concurrency, targets.length) }, () => worker()));
+    return {
+        scanned,
+        candidates: dedupeCandidates(candidates),
+        warnings: options.signal?.aborted ? [...warnings, "Discovery was cancelled."] : warnings,
+    };
+}
+export async function countDiscoveryTargets(config, options = {}) {
+    return (await buildDiscoveryTargets(config, options.maxHosts ?? 512, [], options.targets ?? [])).length;
+}
+async function buildDiscoveryTargets(config, maxHosts, warnings, requestedTargets) {
+    const schemes = config.peerTlsEnabled ? ["https"] : ["http", "https"];
+    const explicitTargets = await customDiscoveryTargets(requestedTargets, config.peerPort, schemes, maxHosts, warnings);
+    if (explicitTargets.length > 0) {
+        return dedupeTargets(explicitTargets);
+    }
+    const targets = [];
+    const hosts = localSubnetHosts(maxHosts, warnings);
+    const mdnsHosts = await mdnsCandidateHosts(warnings);
+    if (hosts.length === 0 && mdnsHosts.length === 0) {
+        warnings.push("No private IPv4 LAN interface was found for peer discovery.");
+    }
+    for (const host of [...hosts, ...mdnsHosts]) {
+        for (const scheme of schemes) {
+            targets.push({ host, scheme, port: config.peerPort, url: formatDiscoveryUrl(scheme, host, config.peerPort) });
+        }
+    }
+    return dedupeTargets(targets);
+}
+async function customDiscoveryTargets(requested, port, schemes, maxHosts, warnings) {
+    const targets = [];
+    for (const raw of requested.flatMap((value) => value.split(/[\n, ]/)).map((value) => value.trim()).filter(Boolean)) {
+        if (/^https?:\/\//i.test(raw)) {
+            try {
+                const url = new URL(raw);
+                const scheme = url.protocol === "http:" ? "http" : "https";
+                const targetPort = Number(url.port || port);
+                targets.push({ host: url.hostname, scheme, port: targetPort, url: formatDiscoveryUrl(scheme, url.hostname, targetPort) });
+            }
+            catch {
+                warnings.push(`Ignored invalid discovery URL: ${raw}`);
+            }
+            continue;
+        }
+        for (const host of expandHostPattern(raw, maxHosts, warnings)) {
+            for (const scheme of schemes) {
+                targets.push({ host, scheme, port, url: formatDiscoveryUrl(scheme, host, port) });
+            }
+        }
+    }
+    return targets;
+}
+function expandHostPattern(raw, maxHosts, warnings) {
+    if (raw.includes("/")) {
+        return expandIpv4Cidr(raw, maxHosts, warnings);
+    }
+    const range = raw.match(/^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$/);
+    if (range) {
+        const start = Number(range[2]);
+        const end = Number(range[3]);
+        if (!Number.isInteger(start) || !Number.isInteger(end) || start < 0 || end > 255 || start > end) {
+            warnings.push(`Ignored invalid IPv4 range: ${raw}`);
+            return [];
+        }
+        return Array.from({ length: Math.min(maxHosts, end - start + 1) }, (_, index) => `${range[1]}${start + index}`);
+    }
+    if (net.isIP(raw) || /^[a-z0-9_.-]+$/i.test(raw)) {
+        return [raw];
+    }
+    warnings.push(`Ignored invalid discovery target: ${raw}`);
+    return [];
+}
+function expandIpv4Cidr(raw, maxHosts, warnings) {
+    const [address, prefixText] = raw.split("/");
+    const prefix = Number(prefixText);
+    if (net.isIP(address) !== 4 || !Number.isInteger(prefix) || prefix < 16 || prefix > 32) {
+        warnings.push(`Ignored unsupported discovery CIDR: ${raw}. Use IPv4 /16 through /32.`);
+        return [];
+    }
+    const base = ipv4ToNumber(address);
+    const hostBits = 32 - prefix;
+    const mask = hostBits === 32 ? 0 : (0xffffffff << hostBits) >>> 0;
+    const network = base & mask;
+    const total = prefix === 32 ? 1 : Math.max(0, (2 ** hostBits) - 2);
+    const count = Math.min(total, maxHosts);
+    if (total > maxHosts) {
+        warnings.push(`CIDR ${raw} was limited to ${maxHosts} host candidates.`);
+    }
+    return Array.from({ length: count }, (_, index) => numberToIpv4(network + (prefix === 32 ? index : index + 1)));
+}
+async function mdnsCandidateHosts(warnings) {
+    const names = [`${os.hostname()}.local`, "nordrelay.local"];
+    const found = [];
+    for (const name of names) {
+        try {
+            await withTimeout(dns.lookup(name), 250);
+            found.push(name);
+        }
+        catch {
+            // mDNS support depends on the host resolver; absence is normal.
+        }
+    }
+    return found;
+}
+async function withTimeout(promise, timeoutMs) {
+    let timeout;
+    try {
+        return await Promise.race([
+            promise,
+            new Promise((_, reject) => {
+                timeout = setTimeout(() => reject(new Error("mDNS lookup timed out.")), timeoutMs);
+                timeout.unref?.();
+            }),
+        ]);
+    }
+    finally {
+        if (timeout)
+            clearTimeout(timeout);
+    }
+}
+function formatDiscoveryUrl(scheme, host, port) {
+    const displayHost = net.isIP(host) === 6 && !host.startsWith("[") ? `[${host}]` : host;
+    return `${scheme}://${displayHost}:${port}`;
+}
+function dedupeTargets(targets) {
+    const seen = new Set();
+    return targets.filter((target) => {
+        const key = target.url.toLowerCase();
+        if (seen.has(key))
+            return false;
+        seen.add(key);
+        return true;
+    });
+}
+function localSubnetHosts(maxHosts, warnings) {
+    const interfaces = os.networkInterfaces();
+    const hosts = new Set();
+    for (const items of Object.values(interfaces)) {
+        for (const item of items ?? []) {
+            if (item.family !== "IPv4" || item.internal || !isPrivateIPv4(item.address)) {
+                continue;
+            }
+            const parts = item.address.split(".").map(Number);
+            if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part))) {
+                continue;
+            }
+            const prefix = parts.slice(0, 3).join(".");
+            for (let last = 1; last <= 254; last += 1) {
+                const host = `${prefix}.${last}`;
+                if (host !== item.address) {
+                    hosts.add(host);
+                }
+                if (hosts.size >= maxHosts) {
+                    warnings.push(`LAN discovery was limited to ${maxHosts} host candidates.`);
+                    return [...hosts];
+                }
+            }
+        }
+    }
+    return [...hosts];
+}
+function isPrivateIPv4(address) {
+    const [a, b] = address.split(".").map(Number);
+    return a === 10 ||
+        (a === 172 && b >= 16 && b <= 31) ||
+        (a === 192 && b === 168) ||
+        (a === 169 && b === 254);
+}
+function ipv4ToNumber(address) {
+    return address.split(".").map(Number).reduce((sum, part) => ((sum << 8) + part) >>> 0, 0);
+}
+function numberToIpv4(value) {
+    return [24, 16, 8, 0].map((shift) => (value >>> shift) & 255).join(".");
+}
+function dedupeCandidates(candidates) {
+    const byNode = new Map();
+    for (const candidate of candidates) {
+        const existing = byNode.get(candidate.nodeId);
+        if (!existing || (candidate.latencyMs ?? Number.MAX_SAFE_INTEGER) < (existing.latencyMs ?? Number.MAX_SAFE_INTEGER)) {
+            byNode.set(candidate.nodeId, candidate);
+        }
+    }
+    return [...byNode.values()].sort((a, b) => (a.name || a.host).localeCompare(b.name || b.host));
+}

package/dist/peers/peer-health-monitor.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { RemoteRelayClient } from "./peer-client.js";
+import { PeerStore } from "./peer-store.js";
+export function startPeerHealthMonitor(options) {
+    const store = new PeerStore(options.home);
+    const client = new RemoteRelayClient(store);
+    let running = false;
+    let timer;
+    async function checkNow() {
+        if (running) {
+            return;
+        }
+        running = true;
+        try {
+            const peers = store.list().filter((peer) => peer.enabled && peer.url);
+            await Promise.all(peers.map(async (peer) => {
+                try {
+                    const startedAt = Date.now();
+                    const result = await client.rpc(peer.id, "peer.ping");
+                    const record = result && typeof result === "object" ? result : {};
+                    store.markSeen(peer.id, {
+                        latencyMs: Date.now() - startedAt,
+                        remoteVersion: typeof record.version === "string" ? record.version : undefined,
+                        remoteStatus: typeof record.status === "string" ? record.status : "online",
+                    });
+                }
+                catch (error) {
+                    store.markError(peer.id, error instanceof Error ? error.message : String(error));
+                }
+            }));
+        }
+        finally {
+            running = false;
+        }
+    }
+    if (options.config.peerHealthCheckMs > 0) {
+        timer = setInterval(() => void checkNow().catch(() => { }), options.config.peerHealthCheckMs);
+        timer.unref?.();
+        setTimeout(() => void checkNow().catch(() => { }), 2_000).unref?.();
+    }
+    return {
+        checkNow,
+        close() {
+            if (timer) {
+                clearInterval(timer);
+                timer = undefined;
+            }
+        },
+    };
+}

package/dist/{peer-identity.js → peers/peer-identity.js} RENAMED Viewed

@@ -3,7 +3,7 @@ import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import selfsigned from "selfsigned";
-import { readJsonFileWithBackup, writeJsonFileAtomic, writeTextFileAtomic } from "./persistence.js";
+import { readJsonFileWithBackup, writeJsonFileAtomic, writeTextFileAtomic } from "../state/persistence.js";
 const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
 export function loadOrCreatePeerIdentity(home = process.env.NORDRELAY_HOME || DEFAULT_HOME, name) {
     const filePath = path.join(home, "identity.json");
@@ -48,6 +48,55 @@ export function loadOrCreatePeerIdentity(home = process.env.NORDRELAY_HOME || DE
         privateKey: identity.privateKey,
     };
 }
+export function exportPeerIdentityBackup(home = process.env.NORDRELAY_HOME || DEFAULT_HOME, name) {
+    const identity = loadOrCreatePeerIdentity(home, name);
+    const tls = existsSync(path.join(home, "tls", "peer.crt"))
+        ? ensurePeerTlsFiles(home, identity.public)
+        : undefined;
+    return {
+        version: 1,
+        exportedAt: new Date().toISOString(),
+        identity: identity.public,
+        privateKey: identity.privateKey,
+        tlsFingerprint: tls?.fingerprint,
+    };
+}
+export function restorePeerIdentityBackup(backup, home = process.env.NORDRELAY_HOME || DEFAULT_HOME) {
+    if (!backup || backup.version !== 1 || !backup.identity?.publicKey || !backup.privateKey) {
+        throw new Error("Invalid peer identity backup.");
+    }
+    const fingerprint = fingerprintForPublicKey(backup.identity.publicKey);
+    if (fingerprint !== backup.identity.fingerprint) {
+        throw new Error("Peer identity backup fingerprint does not match the public key.");
+    }
+    const probe = `nordrelay-identity-restore:${Date.now()}`;
+    const signature = signPeerPayload(backup.privateKey, probe);
+    if (!verifyPeerPayload(backup.identity.publicKey, probe, signature)) {
+        throw new Error("Peer identity backup private key does not match the public key.");
+    }
+    const payload = {
+        nodeId: backup.identity.nodeId,
+        name: backup.identity.name || defaultNodeName(),
+        publicKey: backup.identity.publicKey,
+        privateKey: backup.privateKey,
+        fingerprint,
+        createdAt: backup.identity.createdAt || new Date().toISOString(),
+    };
+    const filePath = path.join(home, "identity.json");
+    mkdirSync(path.dirname(filePath), { recursive: true });
+    writeJsonFileAtomic(filePath, payload);
+    chmodSync(filePath, 0o600);
+    return {
+        public: {
+            nodeId: payload.nodeId,
+            name: payload.name,
+            publicKey: payload.publicKey,
+            fingerprint: payload.fingerprint,
+            createdAt: payload.createdAt,
+        },
+        privateKey: payload.privateKey,
+    };
+}
 export function ensurePeerTlsFiles(home = process.env.NORDRELAY_HOME || DEFAULT_HOME, identity) {
     const certDir = path.join(home, "tls");
     const certPath = path.join(certDir, "peer.crt");

package/dist/{peer-runtime-service.js → peers/peer-runtime-service.js} RENAMED Viewed

@@ -1,11 +1,12 @@
 import { readFileSync } from "node:fs";
-import { enabledAgents } from "./agent-factory.js";
-import { listAgentAdapterDescriptors } from "./agent-adapter.js";
-import { isAgentId } from "./agent.js";
-import { permissionForWebRequest } from "./access-control.js";
-import { listChannelDescriptors } from "./channel-adapter.js";
-import { friendlyErrorText } from "./error-messages.js";
-import { getPackageVersion } from "./operations.js";
+import { enabledAgents } from "../agents/shared/agent-factory.js";
+import { listAgentAdapterDescriptors } from "../agents/shared/agent-adapter.js";
+import { buildAdapterConformanceMatrix } from "../agents/shared/adapter-conformance.js";
+import { isAgentId } from "../agents/shared/agent.js";
+import { permissionForWebRequest } from "../access/access-control.js";
+import { listChannelDescriptors } from "../channels/shared/channel-adapter.js";
+import { friendlyErrorText } from "../core/error-messages.js";
+import { getPackageVersion } from "../support/operations.js";
 import { checkPeerEndpoint } from "./peer-client.js";
 export class PeerRuntimeService {
     config;
@@ -147,6 +148,12 @@ export class PeerRuntimeService {
         if (method === "GET" && path === "/api/adapters/health") {
             return { adapters: (await runtime.adapterHealth()).filter((adapter) => this.canUseAgent(peer, adapter.id)) };
         }
+        if (method === "GET" && path === "/api/adapters/conformance") {
+            return buildAdapterConformanceMatrix({
+                agents: listAgentAdapterDescriptors().filter((adapter) => this.canUseAgent(peer, adapter.id)),
+                channels: listChannelDescriptors(),
+            });
+        }
         if (method === "GET" && path === "/api/diagnostics")
             return this.scopedDiagnostics(peer, await runtime.diagnostics());
         if (method === "GET" && path === "/api/diagnostics/bundle") {
@@ -163,6 +170,13 @@ export class PeerRuntimeService {
             this.assertAgentScope(peer, agentId);
             return this.scopedControlOptions(peer, await runtime.controlOptions(agentId));
         }
+        if (method === "GET" && path === "/api/locks")
+            return { locks: runtime.locks() };
+        if (method === "POST" && path === "/api/locks") {
+            return { lock: runtime.lockWebSession(stringValue(body.ownerName) || `Peer ${peer.name}`, remoteActor), locks: runtime.locks() };
+        }
+        if (method === "DELETE" && path === "/api/locks")
+            return runtime.unlockWebSession(remoteActor);
         if (method === "GET" && path === "/api/auth/status") {
             const agentId = parseAgentId(query.agent);
             this.assertAgentScope(peer, agentId);
@@ -281,6 +295,14 @@ export class PeerRuntimeService {
             await this.assertCurrentSessionScope(peer, runtime);
             return { messages: await runtime.chatHistory(numberValue(query.limit, 200)) };
         }
+        if (method === "GET" && path === "/api/chat/mirror") {
+            await this.assertCurrentSessionScope(peer, runtime);
+            return runtime.webMirrorPreference("");
+        }
+        if (method === "POST" && path === "/api/chat/mirror") {
+            await this.assertCurrentSessionScope(peer, runtime);
+            return runtime.webMirrorPreference(stringValue(body.argument) || stringValue(body.mode) || "", remoteActor);
+        }
         if (method === "DELETE" && path === "/api/chat/history") {
             await this.assertCurrentSessionScope(peer, runtime);
             return runtime.clearChatHistory(remoteActor);

package/dist/{peer-server.js → peers/peer-server.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 import { createServer as createHttpServer } from "node:http";
 import { createServer as createHttpsServer } from "node:https";
 import { URL } from "node:url";
-import { friendlyErrorText } from "./error-messages.js";
+import { friendlyErrorText } from "../core/error-messages.js";
 import { createPairingSignaturePayload, createSharedSecret, ensurePeerTlsFiles, fingerprintForPublicKey, loadOrCreatePeerIdentity, verifyPeerPayload, } from "./peer-identity.js";
 import { header, PeerNonceCache, verifyPeerRequest } from "./peer-auth.js";
 import { checkPeerIdentityEndpoint } from "./peer-client.js";
@@ -9,7 +9,7 @@ import { peerRuntimeContextKey } from "./peer-context.js";
 import { PeerStore } from "./peer-store.js";
 import { PeerRuntimeService, peerError } from "./peer-runtime-service.js";
 import { PEER_PROTOCOL_VERSION, } from "./peer-types.js";
-import { RelayRuntime } from "./relay-runtime.js";
+import { RelayRuntime } from "../runtime/relay-runtime.js";
 export async function startPeerServer(options) {
     const { config, runtime } = options;
     if (!config.peerEnabled) {
@@ -147,6 +147,7 @@ export async function startPeerServer(options) {
         const secret = createSharedSecret();
         const peer = store.upsertPeer({
             name: body.name?.trim() || body.identity.name || invitation.name,
+            group: invitation.group,
             url: publicUrl,
             nodeId: body.identity.nodeId,
             publicKey: body.identity.publicKey,

package/dist/{peer-store.js → peers/peer-store.js} RENAMED Viewed

@@ -2,13 +2,14 @@ import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypt
 import { mkdirSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { ALL_PERMISSIONS } from "./access-control.js";
-import { AGENT_IDS, isAgentId } from "./agent.js";
-import { readJsonFileWithBackup, writeJsonFileAtomic } from "./persistence.js";
+import { ALL_PERMISSIONS } from "../access/access-control.js";
+import { AGENT_IDS, isAgentId } from "../agents/shared/agent.js";
+import { readJsonFileWithBackup, writeJsonFileAtomic } from "../state/persistence.js";
 import { DEFAULT_PEER_SCOPES, publicInvitation, publicPeer, } from "./peer-types.js";
 const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
 const INVITE_CODE_BYTES = 18;
 const MAX_INVITATION_TTL_MS = 24 * 60 * 60 * 1000;
+const MAX_HEALTH_HISTORY = 20;
 export class PeerStore {
     filePath;
     constructor(home = process.env.NORDRELAY_HOME || DEFAULT_HOME) {
@@ -22,6 +23,7 @@ export class PeerStore {
             listenUrl: options.listenUrl,
             requireTls: options.requireTls,
             readiness: options.readiness,
+            groups: listGroups(payload),
             peers: payload.peers.map(publicPeer),
             invitations: payload.invitations.map(publicInvitation),
         };
@@ -44,6 +46,7 @@ export class PeerStore {
         const invitation = {
             id: randomUUID().replace(/-/g, "").slice(0, 12),
             name: options.name?.trim() || "NordRelay peer",
+            group: normalizeGroup(options.group),
             codeHash: hashSecret(code),
             createdAt: now.toISOString(),
             expiresAt: expiresAt.toISOString(),
@@ -58,6 +61,22 @@ export class PeerStore {
         });
         return { invitation: publicInvitation(invitation), code };
     }
+    createRotationInvitation(id, options = {}) {
+        const peer = this.get(id);
+        if (!peer) {
+            throw new Error("Peer not found.");
+        }
+        const created = this.createInvitation({
+            name: `${peer.name} rotation`,
+            group: peer.group,
+            expiresInMs: options.expiresInMs,
+            scopes: peer.scopes,
+            allowedAgents: peer.allowedAgents,
+            allowedWorkspaceRoots: peer.allowedWorkspaceRoots,
+            workspaceAliases: peer.workspaceAliases,
+        });
+        return { peer: publicPeer(peer), ...created };
+    }
     consumeInvitation(code, usedByNodeId) {
         const trimmed = code.trim();
         if (!trimmed) {
@@ -88,6 +107,7 @@ export class PeerStore {
             const existing = payload.peers.find((peer) => peer.nodeId === input.nodeId || (input.id && peer.id === input.id));
             if (existing) {
                 existing.name = input.name.trim() || existing.name;
+                existing.group = normalizeGroup(input.group) ?? existing.group;
                 existing.url = input.url ?? existing.url;
                 existing.publicKey = input.publicKey;
                 existing.fingerprint = input.fingerprint;
@@ -109,6 +129,7 @@ export class PeerStore {
             const record = {
                 id: input.id ?? randomUUID().replace(/-/g, "").slice(0, 12),
                 name: input.name.trim() || "NordRelay peer",
+                group: normalizeGroup(input.group),
                 url: input.url,
                 nodeId: input.nodeId,
                 publicKey: input.publicKey,
@@ -123,6 +144,7 @@ export class PeerStore {
                 workspaceAliases: normalizeWorkspaceAliases(input.workspaceAliases ?? {}),
                 createdAt: now,
                 updatedAt: now,
+                healthHistory: [],
             };
             payload.peers.push(record);
             next = clonePeer(record);
@@ -141,6 +163,8 @@ export class PeerStore {
             }
             if (patch.name !== undefined)
                 peer.name = patch.name.trim() || peer.name;
+            if (patch.group !== undefined)
+                peer.group = normalizeGroup(patch.group);
             if (patch.url !== undefined)
                 peer.url = patch.url.trim() || undefined;
             if (patch.enabled !== undefined)
@@ -161,18 +185,53 @@ export class PeerStore {
         }
         return next;
     }
+    updatePeerTlsFingerprint(id, tlsFingerprint) {
+        let next = null;
+        this.mutatePayload((payload) => {
+            const peer = payload.peers.find((candidate) => candidate.id === id || candidate.nodeId === id);
+            if (!peer) {
+                throw new Error("Peer not found.");
+            }
+            peer.tlsFingerprint = tlsFingerprint || undefined;
+            peer.updatedAt = new Date().toISOString();
+            next = clonePeer(peer);
+        });
+        if (!next) {
+            throw new Error("Peer not found.");
+        }
+        return next;
+    }
     markSeen(id, patch = {}) {
-        this.patchPeer(id, {
-            lastSeenAt: new Date().toISOString(),
-            lastCheckedAt: new Date().toISOString(),
+        const checkedAt = new Date().toISOString();
+        this.patchPeer(id, (peer) => ({
+            lastSeenAt: checkedAt,
+            lastCheckedAt: checkedAt,
             lastLatencyMs: patch.latencyMs,
             remoteVersion: patch.remoteVersion,
             remoteStatus: patch.remoteStatus ?? "online",
             lastError: undefined,
-        });
+            healthHistory: appendHealthSample(peer.healthHistory, {
+                checkedAt,
+                status: "online",
+                latencyMs: patch.latencyMs,
+                remoteVersion: patch.remoteVersion,
+                remoteStatus: patch.remoteStatus ?? "online",
+            }),
+        }));
     }
     markError(id, error) {
-        this.patchPeer(id, { lastError: error, remoteStatus: "offline", lastCheckedAt: new Date().toISOString(), updatedAt: new Date().toISOString() });
+        const checkedAt = new Date().toISOString();
+        this.patchPeer(id, (peer) => ({
+            lastError: error,
+            remoteStatus: "offline",
+            lastCheckedAt: checkedAt,
+            updatedAt: checkedAt,
+            healthHistory: appendHealthSample(peer.healthHistory, {
+                checkedAt,
+                status: "offline",
+                error,
+            }),
+        }));
     }
     revokePeer(id) {
         let removed = false;
@@ -200,7 +259,7 @@ export class PeerStore {
             const peer = payload.peers.find((candidate) => candidate.id === id || candidate.nodeId === id);
             if (!peer)
                 return;
-            Object.assign(peer, patch);
+            Object.assign(peer, typeof patch === "function" ? patch(peer) : patch);
         });
     }
     mutatePayload(mutator) {
@@ -219,13 +278,16 @@ export class PeerStore {
             version: 1,
             peers: payload.peers.filter(isPeerRecord).map((peer) => ({
                 ...peer,
+                group: normalizeGroup(peer.group),
                 scopes: normalizeScopes(peer.scopes),
                 allowedAgents: normalizeAgents(peer.allowedAgents),
                 allowedWorkspaceRoots: normalizeWorkspaceRoots(peer.allowedWorkspaceRoots),
                 workspaceAliases: normalizeWorkspaceAliases(peer.workspaceAliases ?? {}),
+                healthHistory: normalizeHealthHistory(peer.healthHistory),
             })),
             invitations: payload.invitations.filter(isInvitationRecord).map((invitation) => ({
                 ...invitation,
+                group: normalizeGroup(invitation.group),
                 scopes: normalizeScopes(invitation.scopes),
                 allowedAgents: normalizeAgents(invitation.allowedAgents),
                 allowedWorkspaceRoots: normalizeWorkspaceRoots(invitation.allowedWorkspaceRoots),
@@ -272,6 +334,30 @@ function normalizeWorkspaceAliases(value) {
     }
     return aliases;
 }
+function normalizeGroup(value) {
+    const group = typeof value === "string" ? value.trim() : "";
+    return group ? group.slice(0, 80) : undefined;
+}
+function normalizeHealthHistory(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value
+        .filter((item) => {
+        if (!item || typeof item !== "object" || Array.isArray(item))
+            return false;
+        const record = item;
+        return typeof record.checkedAt === "string" && (record.status === "online" || record.status === "offline");
+    })
+        .slice(-MAX_HEALTH_HISTORY)
+        .map((item) => ({ ...item }));
+}
+function appendHealthSample(history, sample) {
+    return [...normalizeHealthHistory(history), sample].slice(-MAX_HEALTH_HISTORY);
+}
+function listGroups(payload) {
+    return [...new Set(payload.peers.map((peer) => normalizeGroup(peer.group)).filter((group) => Boolean(group)))].sort();
+}
 function clonePeer(peer) {
     return {
         ...peer,
@@ -279,6 +365,7 @@ function clonePeer(peer) {
         allowedAgents: [...peer.allowedAgents],
         allowedWorkspaceRoots: [...peer.allowedWorkspaceRoots],
         workspaceAliases: { ...peer.workspaceAliases },
+        healthHistory: normalizeHealthHistory(peer.healthHistory),
     };
 }
 function mergeDirection(left, right) {