@ruvector/edge-net 0.4.1 → 0.4.2

package/firebase-signaling.js

@@ -4,9 +4,15 @@
  * Uses Google Firebase as bootstrap infrastructure for WebRTC signaling
  * with migration path to full P2P DHT network.
  *
+ * Security Model (WASM-based, no Firebase Auth needed):
+ * 1. Each node generates cryptographic identity in WASM (PiKey)
+ * 2. All messages are signed with Ed25519 keys
+ * 3. Peers verify signatures before accepting connections
+ * 4. AdaptiveSecurity provides self-learning attack detection
+ *
  * Architecture:
  * 1. Firebase Firestore for signaling (offer/answer/ICE)
- * 2. Firebase Realtime DB for presence (who's online)
+ * 2. WASM cryptographic identity (no Firebase Auth)
  * 3. Gradual migration to DHT as network grows
  *
  * @module @ruvector/edge-net/firebase-signaling
@@ -19,23 +25,32 @@ import { EventEmitter } from 'events';
 // ============================================
 
 /**
- * Get Firebase config from environment variables or saved config
+ * Edge-Net Public Firebase Configuration
  *
- * Configuration sources (in order of priority):
- * 1. Environment variables: FIREBASE_API_KEY, FIREBASE_PROJECT_ID
- * 2. Saved config from: ~/.edge-net/firebase.json (via firebase-setup.js)
- * 3. Application Default Credentials (for server-side via gcloud)
+ * This is the PUBLIC Firebase project for edge-net P2P network.
+ * API keys for Firebase web apps are designed to be public - security is via:
+ * 1. Firestore Security Rules (only authenticated users can write)
+ * 2. Anonymous Authentication (anyone can join, tracked by UID)
+ * 3. API restrictions in Google Cloud Console
  *
- * SECURITY:
- * - Never hardcode API keys
- * - Use `gcloud auth application-default login` for server-side
- * - Restrict API keys by domain in Google Cloud Console for browser-side
+ * Contributors automatically join the network - no setup required!
+ */
+export const EDGE_NET_FIREBASE_CONFIG = {
+    apiKey: "AIzaSyAZAJhathdnKZGzBQ8iDBFG8_OQsvb2QvA",
+    projectId: "ruv-dev",
+    authDomain: "ruv-dev.firebaseapp.com",
+    storageBucket: "ruv-dev.appspot.com",
+};
+
+/**
+ * Get Firebase config
  *
- * Setup:
- *   npx edge-net-firebase-setup --project YOUR_PROJECT_ID
+ * Priority:
+ * 1. Environment variables (for custom Firebase projects)
+ * 2. Built-in edge-net public config (no setup required)
  */
 export function getFirebaseConfig() {
-    // Try environment variables first (highest priority)
+    // Allow override via environment variables for custom projects
     const apiKey = process.env.FIREBASE_API_KEY;
     const projectId = process.env.FIREBASE_PROJECT_ID;
 
@@ -44,13 +59,12 @@ export function getFirebaseConfig() {
             apiKey,
             projectId,
             authDomain: process.env.FIREBASE_AUTH_DOMAIN || `${projectId}.firebaseapp.com`,
-            databaseURL: process.env.FIREBASE_DATABASE_URL || `https://${projectId}-default-rtdb.firebaseio.com`,
             storageBucket: process.env.FIREBASE_STORAGE_BUCKET || `${projectId}.appspot.com`,
         };
     }
 
-    // Sync version only uses env vars - use getFirebaseConfigAsync for file config
-    return null;
+    // Use built-in public edge-net config (no setup required!)
+    return EDGE_NET_FIREBASE_CONFIG;
 }
 
 /**
@@ -137,6 +151,11 @@ export class FirebaseSignaling extends EventEmitter {
         this.db = null;
         this.rtdb = null;
 
+        // WASM Security (replaces Firebase Auth)
+        /** @type {import('./secure-access.js').SecureAccessManager|null} */
+        this.secureAccess = options.secureAccess || null;
+        this.verifySignatures = options.verifySignatures !== false;
+
         // State
         this.isConnected = false;
         this.peers = new Map();
@@ -150,27 +169,49 @@ export class FirebaseSignaling extends EventEmitter {
             firebaseSignals: 0,
             dhtSignals: 0,
             p2pSignals: 0,
+            verifiedSignals: 0,
+            rejectedSignals: 0,
         };
     }
 
     /**
-     * Initialize Firebase connection
+     * Initialize Firebase connection with WASM cryptographic security
      */
     async connect() {
-        // SECURITY: Require valid config
+        // Use built-in config if not provided
+        if (!this.config) {
+            this.config = getFirebaseConfig();
+        }
+
         if (!this.config || !this.config.apiKey || !this.config.projectId) {
-            console.log('   ⚠️  Firebase not configured (no credentials)');
-            console.log('   💡 Set environment variables: FIREBASE_API_KEY, FIREBASE_PROJECT_ID');
+            console.log('   ⚠️  Firebase not configured');
             this.emit('not-configured');
             return false;
         }
 
         try {
+            // Initialize WASM security if not provided
+            if (!this.secureAccess) {
+                try {
+                    const { createSecureAccess } = await import('./secure-access.js');
+                    this.secureAccess = await createSecureAccess({
+                        siteId: this.room,
+                        persistIdentity: true
+                    });
+                    // Use WASM-generated node ID if peerId not set
+                    if (!this.peerId) {
+                        this.peerId = this.secureAccess.getShortId();
+                    }
+                } catch (err) {
+                    console.log('   ⚠️  WASM security unavailable, using basic mode');
+                }
+            }
+
             // Dynamic import Firebase (tree-shakeable)
             const { initializeApp, getApps } = await import('firebase/app');
             const { getFirestore, collection, doc, setDoc, onSnapshot, deleteDoc, query, where, orderBy, limit, serverTimestamp } = await import('firebase/firestore');
 
-            // Store Firebase methods for later use (Firestore only - no RTDB)
+            // Store Firebase methods for later use
             this.firebase = {
                 collection, doc, setDoc, onSnapshot, deleteDoc, query, where, orderBy, limit, serverTimestamp
             };
@@ -179,9 +220,19 @@ export class FirebaseSignaling extends EventEmitter {
             const apps = getApps();
             this.app = apps.length ? apps[0] : initializeApp(this.config);
 
-            // Initialize Firestore (for signaling AND presence - no RTDB needed)
+            // Initialize Firestore
             this.db = getFirestore(this.app);
 
+            // WASM cryptographic identity (replaces Firebase Auth)
+            if (this.secureAccess) {
+                this.uid = this.secureAccess.getNodeId();
+                console.log(`   🔐 WASM crypto identity: ${this.secureAccess.getShortId()}`);
+                console.log(`   📦 Public key: ${this.secureAccess.getPublicKeyHex().slice(0, 16)}...`);
+            } else {
+                this.uid = this.peerId;
+                console.log(`   ⚠️  No WASM security, using peerId: ${this.peerId?.slice(0, 8)}...`);
+            }
+
             // Register presence in Firestore
             await this.registerPresence();
 
@@ -192,7 +243,7 @@ export class FirebaseSignaling extends EventEmitter {
             this.subscribeToSignals();
 
             this.isConnected = true;
-            console.log('   ✅ Firebase signaling connected (Firestore)');
+            console.log('   ✅ Firebase connected with WASM security');
 
             this.emit('connected');
             return true;
@@ -205,32 +256,54 @@ export class FirebaseSignaling extends EventEmitter {
     }
 
     /**
-     * Register this peer's presence in Firestore
+     * Register this peer's presence in Firestore with WASM-signed data
      */
     async registerPresence() {
         const { doc, setDoc, serverTimestamp } = this.firebase;
 
         const presenceRef = doc(this.db, SIGNALING_PATHS.peers, this.peerId);
 
-        // Set online status in Firestore
-        await setDoc(presenceRef, {
+        // Build presence data
+        const presenceData = {
             peerId: this.peerId,
             room: this.room,
             online: true,
             lastSeen: serverTimestamp(),
             capabilities: ['compute', 'storage', 'verify'],
-        }, { merge: true });
+        };
+
+        // Add WASM cryptographic identity if available
+        if (this.secureAccess) {
+            presenceData.publicKey = this.secureAccess.getPublicKeyHex();
+            // Sign the presence announcement
+            const signed = this.secureAccess.signMessage({
+                peerId: this.peerId,
+                room: this.room,
+                capabilities: presenceData.capabilities
+            });
+            presenceData.signature = signed.signature;
+            presenceData.signedAt = signed.timestamp;
+        }
+
+        // Set online status in Firestore
+        await setDoc(presenceRef, presenceData, { merge: true });
 
         // Set up heartbeat to maintain presence (Firestore doesn't have onDisconnect)
         this._heartbeatInterval = setInterval(async () => {
             try {
-                await setDoc(presenceRef, { lastSeen: serverTimestamp() }, { merge: true });
+                const heartbeat = { lastSeen: serverTimestamp() };
+                // Sign heartbeat if security available
+                if (this.secureAccess) {
+                    const signed = this.secureAccess.signMessage({ heartbeat: Date.now() });
+                    heartbeat.heartbeatSig = signed.signature;
+                }
+                await setDoc(presenceRef, heartbeat, { merge: true });
             } catch (e) {
                 // Ignore heartbeat errors
             }
         }, 30000);
 
-        console.log(`   📡 Registered presence: ${this.peerId.slice(0, 8)}...`);
+        console.log(`   📡 Registered presence: ${this.peerId.slice(0, 8)}... (WASM-signed)`);
     }
 
     /**
@@ -303,7 +376,7 @@ export class FirebaseSignaling extends EventEmitter {
     }
 
     /**
-     * Handle incoming signal
+     * Handle incoming signal with WASM signature verification
      */
     async handleSignal(signal, docId) {
         this.stats.firebaseSignals++;
@@ -312,19 +385,46 @@ export class FirebaseSignaling extends EventEmitter {
         const { doc, deleteDoc } = this.firebase;
         await deleteDoc(doc(this.db, SIGNALING_PATHS.signals, docId));
 
+        // Verify signature if WASM security is enabled
+        if (this.verifySignatures && this.secureAccess && signal.signature && signal.publicKey) {
+            const isValid = this.secureAccess.verifyMessage({
+                payload: JSON.stringify({
+                    from: signal.from,
+                    to: signal.to,
+                    type: signal.type,
+                    data: typeof signal.data === 'object' ? JSON.stringify(signal.data) : signal.data,
+                    timestamp: signal.timestamp
+                }),
+                signature: signal.signature,
+                publicKey: signal.publicKey,
+                timestamp: signal.timestamp
+            });
+
+            if (!isValid) {
+                console.warn(`   ⚠️  Invalid signature from ${signal.from?.slice(0, 8)}...`);
+                this.stats.rejectedSignals++;
+                this.emit('invalid-signature', { from: signal.from, type: signal.type });
+                return; // Reject the signal
+            }
+
+            // Register verified peer
+            this.secureAccess.registerPeer(signal.from, signal.publicKey);
+            this.stats.verifiedSignals++;
+        }
+
         // Emit appropriate event
         switch (signal.type) {
             case 'offer':
-                this.emit('offer', { from: signal.from, offer: signal.data });
+                this.emit('offer', { from: signal.from, offer: signal.data, verified: !!signal.signature });
                 break;
             case 'answer':
-                this.emit('answer', { from: signal.from, answer: signal.data });
+                this.emit('answer', { from: signal.from, answer: signal.data, verified: !!signal.signature });
                 break;
             case 'ice-candidate':
-                this.emit('ice-candidate', { from: signal.from, candidate: signal.data });
+                this.emit('ice-candidate', { from: signal.from, candidate: signal.data, verified: !!signal.signature });
                 break;
             default:
-                this.emit('signal', signal);
+                this.emit('signal', { ...signal, verified: !!signal.signature });
         }
     }
 
@@ -350,7 +450,7 @@ export class FirebaseSignaling extends EventEmitter {
     }
 
     /**
-     * Send signal via Firebase
+     * Send signal via Firebase with WASM signature
      */
     async sendSignal(toPeerId, type, data) {
         if (!this.isConnected) {
@@ -362,14 +462,30 @@ export class FirebaseSignaling extends EventEmitter {
         const signalId = `${this.peerId}-${toPeerId}-${Date.now()}`;
         const signalRef = doc(this.db, SIGNALING_PATHS.signals, signalId);
 
-        await setDoc(signalRef, {
+        const timestamp = Date.now();
+        const signalData = {
             from: this.peerId,
             to: toPeerId,
             type,
             data,
-            timestamp: Date.now(),
+            timestamp,
             room: this.room,
-        });
+        };
+
+        // Sign the signal with WASM cryptography
+        if (this.secureAccess) {
+            const signed = this.secureAccess.signMessage({
+                from: this.peerId,
+                to: toPeerId,
+                type,
+                data: typeof data === 'object' ? JSON.stringify(data) : data,
+                timestamp
+            });
+            signalData.signature = signed.signature;
+            signalData.publicKey = signed.publicKey;
+        }
+
+        await setDoc(signalRef, signalData);
 
         return true;
     }
@@ -597,6 +713,10 @@ export class HybridBootstrap extends EventEmitter {
         this.peerId = options.peerId;
         this.config = options.firebaseConfig || DEFAULT_FIREBASE_CONFIG;
 
+        // WASM Security
+        /** @type {import('./secure-access.js').SecureAccessManager|null} */
+        this.secureAccess = options.secureAccess || null;
+
         // Components
         this.firebase = null;
         this.dht = null;
@@ -614,25 +734,63 @@ export class HybridBootstrap extends EventEmitter {
             directConnections: 0,
             firebaseSignals: 0,
             p2pSignals: 0,
+            verifiedPeers: 0,
         };
     }
 
     /**
-     * Start hybrid bootstrap
+     * Start hybrid bootstrap with WASM security
      */
     async start(webrtc, dht) {
         this.webrtc = webrtc;
         this.dht = dht;
 
-        // Start with Firebase
+        // Initialize WASM security if not provided
+        if (!this.secureAccess) {
+            try {
+                const { createSecureAccess } = await import('./secure-access.js');
+                this.secureAccess = await createSecureAccess({
+                    siteId: 'edge-net',
+                    persistIdentity: true
+                });
+                // Use WASM node ID if peerId not set
+                if (!this.peerId) {
+                    this.peerId = this.secureAccess.getShortId();
+                }
+            } catch (err) {
+                console.log('   ⚠️  WASM security unavailable for bootstrap');
+            }
+        }
+
+        // Start with Firebase, passing WASM security
         this.firebase = new FirebaseSignaling({
             peerId: this.peerId,
             firebaseConfig: this.config,
+            secureAccess: this.secureAccess,
         });
 
         // Wire up events
         this.setupFirebaseEvents();
 
+        // Set up WebRTC to use Firebase for signaling
+        if (this.webrtc) {
+            this.webrtc.setExternalSignaling(async (type, toPeerId, data) => {
+                // Route signaling through Firebase
+                switch (type) {
+                    case 'offer':
+                        await this.firebase.sendOffer(toPeerId, data);
+                        break;
+                    case 'answer':
+                        await this.firebase.sendAnswer(toPeerId, data);
+                        break;
+                    case 'ice-candidate':
+                        await this.firebase.sendIceCandidate(toPeerId, data);
+                        break;
+                }
+                this.stats.firebaseSignals++;
+            });
+        }
+
         // Connect to Firebase
         const connected = await this.firebase.connect();
 
@@ -693,18 +851,10 @@ export class HybridBootstrap extends EventEmitter {
         if (!this.webrtc) return;
 
         try {
-            // Create offer
-            const offer = await this.webrtc.createOffer(peerId);
-
-            // Try P2P signaling first (if peer is directly connected)
-            if (this.mode === 'p2p' && this.webrtc.isConnected(peerId)) {
-                this.webrtc.sendToPeer(peerId, { type: 'offer', offer });
-                this.stats.p2pSignals++;
-            } else {
-                // Fall back to Firebase
-                await this.firebase.sendOffer(peerId, offer);
-                this.stats.firebaseSignals++;
-            }
+            // Use WebRTCPeerManager's connectToPeer method
+            // This handles offer creation and signaling internally
+            await this.webrtc.connectToPeer(peerId);
+            this.stats.directConnections++;
 
         } catch (error) {
             console.warn(`[HybridBootstrap] Connect to ${peerId.slice(0, 8)} failed:`, error.message);

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@ruvector/edge-net",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "type": "module",
-  "description": "Distributed compute intelligence network with AI agents and workers - contribute browser compute, spawn distributed AI agents, earn credits. Features Time Crystal coordination, Neural DAG attention, P2P swarm intelligence, ONNX inference, WebRTC signaling, CRDT ledger, and multi-agent workflows.",
+  "description": "Distributed compute intelligence network with WASM cryptographic security - contribute browser compute, spawn distributed AI agents, earn credits. Features Ed25519 signing, PiKey identity, Time Crystal coordination, Neural DAG attention, P2P swarm intelligence, ONNX inference, WebRTC signaling, CRDT ledger, and multi-agent workflows.",
   "main": "ruvector_edge_net.js",
   "module": "ruvector_edge_net.js",
   "types": "ruvector_edge_net.d.ts",
@@ -55,7 +55,11 @@
     "firebase",
     "gcloud",
     "firestore",
-    "realtime-database"
+    "realtime-database",
+    "ed25519",
+    "wasm-cryptography",
+    "pikey",
+    "secure-access"
   ],
   "author": "RuVector Team <team@ruvector.dev>",
   "license": "MIT",
@@ -96,6 +100,7 @@
     "p2p.js",
     "firebase-signaling.js",
     "firebase-setup.js",
+    "secure-access.js",
     "README.md",
     "LICENSE"
   ],
@@ -160,6 +165,9 @@
     },
     "./firebase-setup": {
       "import": "./firebase-setup.js"
+    },
+    "./secure-access": {
+      "import": "./secure-access.js"
     }
   },
   "sideEffects": [
@@ -190,6 +198,7 @@
     "@ruvector/ruvllm": "^0.2.3",
     "@xenova/transformers": "^2.17.2",
     "firebase": "^10.14.1",
+    "wrtc": "^0.4.7",
     "ws": "^8.18.3"
   }
 }

package/secure-access.js

@@ -0,0 +1,595 @@
+/**
+ * @ruvector/edge-net Secure Access Layer
+ *
+ * Uses WASM cryptographic primitives for secure network access.
+ * No external authentication needed - cryptographic proof of identity.
+ *
+ * Security Model:
+ * 1. Each node generates a PiKey (Ed25519-based) in WASM
+ * 2. All messages are signed with the node's private key
+ * 3. Other nodes verify signatures with public keys
+ * 4. AdaptiveSecurity provides self-learning attack detection
+ *
+ * @module @ruvector/edge-net/secure-access
+ */
+
+import { EventEmitter } from 'events';
+
+/**
+ * Secure Access Manager
+ *
+ * Provides WASM-based cryptographic identity and message signing
+ * for secure P2P network access without external auth providers.
+ */
+export class SecureAccessManager extends EventEmitter {
+    constructor(options = {}) {
+        super();
+
+        /** @type {import('./ruvector_edge_net').PiKey|null} */
+        this.piKey = null;
+
+        /** @type {import('./ruvector_edge_net').SessionKey|null} */
+        this.sessionKey = null;
+
+        /** @type {import('./ruvector_edge_net').WasmNodeIdentity|null} */
+        this.nodeIdentity = null;
+
+        /** @type {import('./ruvector_edge_net').AdaptiveSecurity|null} */
+        this.security = null;
+
+        /** @type {Map<string, Uint8Array>} Known peer public keys */
+        this.knownPeers = new Map();
+
+        /** @type {Map<string, number>} Peer reputation scores */
+        this.peerReputation = new Map();
+
+        this.options = {
+            siteId: options.siteId || 'edge-net',
+            sessionTTL: options.sessionTTL || 3600, // 1 hour
+            backupPassword: options.backupPassword || null,
+            persistIdentity: options.persistIdentity !== false,
+            ...options
+        };
+
+        this.wasm = null;
+        this.initialized = false;
+    }
+
+    /**
+     * Initialize secure access with WASM cryptography
+     */
+    async initialize() {
+        if (this.initialized) return this;
+
+        console.log('🔐 Initializing WASM Secure Access...');
+
+        // Load WASM module
+        try {
+            // For Node.js, use the node-specific CJS module which auto-loads WASM
+            const isNode = typeof process !== 'undefined' && process.versions?.node;
+            if (isNode) {
+                // Node.js: CJS module loads WASM synchronously on import
+                this.wasm = await import('./node/ruvector_edge_net.cjs');
+            } else {
+                // Browser: Use ES module with WASM init
+                const wasmModule = await import('./ruvector_edge_net.js');
+                // Call default init to load WASM binary
+                if (wasmModule.default && typeof wasmModule.default === 'function') {
+                    await wasmModule.default();
+                }
+                this.wasm = wasmModule;
+            }
+        } catch (err) {
+            console.error('   ❌ WASM load error:', err.message);
+            throw err;
+        }
+
+        // Try to restore existing identity
+        const restored = await this._tryRestoreIdentity();
+
+        if (!restored) {
+            // Generate new cryptographic identity
+            await this._generateIdentity();
+        }
+
+        // Initialize adaptive security
+        this.security = new this.wasm.AdaptiveSecurity();
+
+        // Create session key for encrypted communications
+        this.sessionKey = new this.wasm.SessionKey(this.piKey, this.options.sessionTTL);
+
+        this.initialized = true;
+
+        console.log(`   🔑 Node ID: ${this.getShortId()}`);
+        console.log(`   📦 Public Key: ${this.getPublicKeyHex().slice(0, 16)}...`);
+        console.log(`   ⏱️  Session expires: ${new Date(Date.now() + this.options.sessionTTL * 1000).toISOString()}`);
+
+        this.emit('initialized', {
+            nodeId: this.getNodeId(),
+            publicKey: this.getPublicKeyHex()
+        });
+
+        return this;
+    }
+
+    /**
+     * Try to restore identity from localStorage or backup
+     */
+    async _tryRestoreIdentity() {
+        if (!this.options.persistIdentity) return false;
+
+        try {
+            // Check localStorage (browser) or file (Node.js)
+            let stored = null;
+
+            if (typeof localStorage !== 'undefined') {
+                stored = localStorage.getItem('edge-net-identity');
+            } else if (typeof process !== 'undefined') {
+                const fs = await import('fs');
+                const path = await import('path');
+                const identityPath = path.join(process.cwd(), '.edge-net-identity');
+                if (fs.existsSync(identityPath)) {
+                    stored = fs.readFileSync(identityPath, 'utf8');
+                }
+            }
+
+            if (stored) {
+                const data = JSON.parse(stored);
+                const encrypted = new Uint8Array(data.encrypted);
+
+                // Use default password if none provided
+                const password = this.options.backupPassword || 'edge-net-default-key';
+
+                this.piKey = this.wasm.PiKey.restoreFromBackup(encrypted, password);
+                this.nodeIdentity = this.wasm.WasmNodeIdentity.fromSecretKey(
+                    encrypted, // Same key derivation
+                    this.options.siteId
+                );
+
+                console.log('   ♻️  Restored existing identity');
+                return true;
+            }
+        } catch (err) {
+            console.log('   ⚡ Creating new identity (no backup found)');
+        }
+
+        return false;
+    }
+
+    /**
+     * Generate new cryptographic identity
+     */
+    async _generateIdentity() {
+        // Generate Pi-Key (Ed25519-based with Pi magic)
+        // Constructor takes optional genesis_seed (Uint8Array or null)
+        const genesisSeed = this.options.genesisSeed || null;
+        this.piKey = new this.wasm.PiKey(genesisSeed);
+
+        // Create node identity from same site
+        this.nodeIdentity = new this.wasm.WasmNodeIdentity(this.options.siteId);
+
+        // Persist identity if enabled
+        if (this.options.persistIdentity) {
+            await this._persistIdentity();
+        }
+
+        console.log('   ✨ Generated new cryptographic identity');
+    }
+
+    /**
+     * Persist identity to storage
+     */
+    async _persistIdentity() {
+        const password = this.options.backupPassword || 'edge-net-default-key';
+        const backup = this.piKey.createEncryptedBackup(password);
+        const data = JSON.stringify({
+            encrypted: Array.from(backup),
+            created: Date.now(),
+            siteId: this.options.siteId
+        });
+
+        try {
+            if (typeof localStorage !== 'undefined') {
+                localStorage.setItem('edge-net-identity', data);
+            } else if (typeof process !== 'undefined') {
+                const fs = await import('fs');
+                const path = await import('path');
+                const identityPath = path.join(process.cwd(), '.edge-net-identity');
+                fs.writeFileSync(identityPath, data);
+            }
+        } catch (err) {
+            console.warn('   ⚠️  Could not persist identity:', err.message);
+        }
+    }
+
+    // ============================================
+    // IDENTITY & KEYS
+    // ============================================
+
+    /**
+     * Get node ID (full)
+     */
+    getNodeId() {
+        return this.piKey?.getIdentityHex() || this.nodeIdentity?.getId?.() || 'unknown';
+    }
+
+    /**
+     * Get short node ID for display
+     */
+    getShortId() {
+        return this.piKey?.getShortId() || this.getNodeId().slice(0, 8);
+    }
+
+    /**
+     * Get public key as hex string
+     */
+    getPublicKeyHex() {
+        return Array.from(this.piKey?.getPublicKey() || new Uint8Array(32))
+            .map(b => b.toString(16).padStart(2, '0'))
+            .join('');
+    }
+
+    /**
+     * Get public key as bytes
+     */
+    getPublicKeyBytes() {
+        return this.piKey?.getPublicKey() || new Uint8Array(32);
+    }
+
+    // ============================================
+    // MESSAGE SIGNING & VERIFICATION
+    // ============================================
+
+    /**
+     * Sign a message/object
+     * @param {object|string|Uint8Array} message - Message to sign
+     * @returns {{ payload: string, signature: string, publicKey: string, timestamp: number }}
+     */
+    signMessage(message) {
+        const payload = typeof message === 'string' ? message :
+                        message instanceof Uint8Array ? new TextDecoder().decode(message) :
+                        JSON.stringify(message);
+
+        const timestamp = Date.now();
+        const dataToSign = `${payload}|${timestamp}`;
+        const dataBytes = new TextEncoder().encode(dataToSign);
+
+        const signature = this.piKey.sign(dataBytes);
+
+        return {
+            payload,
+            signature: Array.from(signature).map(b => b.toString(16).padStart(2, '0')).join(''),
+            publicKey: this.getPublicKeyHex(),
+            timestamp,
+            nodeId: this.getShortId()
+        };
+    }
+
+    /**
+     * Verify a signed message
+     * @param {object} signed - Signed message object
+     * @returns {boolean} Whether signature is valid
+     */
+    verifyMessage(signed) {
+        try {
+            const { payload, signature, publicKey, timestamp } = signed;
+
+            // Check timestamp (reject messages older than 5 minutes)
+            const age = Date.now() - timestamp;
+            if (age > 5 * 60 * 1000) {
+                console.warn('⚠️ Message too old:', age, 'ms');
+                return false;
+            }
+
+            // Convert hex strings back to bytes
+            const dataToVerify = `${payload}|${timestamp}`;
+            const dataBytes = new TextEncoder().encode(dataToVerify);
+            const sigBytes = new Uint8Array(signature.match(/.{2}/g).map(h => parseInt(h, 16)));
+            const pubKeyBytes = new Uint8Array(publicKey.match(/.{2}/g).map(h => parseInt(h, 16)));
+
+            // Verify using WASM
+            const valid = this.piKey.verify(dataBytes, sigBytes, pubKeyBytes);
+
+            // Update peer reputation based on verification
+            if (valid) {
+                this._updateReputation(signed.nodeId || publicKey.slice(0, 16), 0.01);
+            } else {
+                this._updateReputation(signed.nodeId || publicKey.slice(0, 16), -0.1);
+                this._recordSuspicious(signed.nodeId, 'invalid_signature');
+            }
+
+            return valid;
+        } catch (err) {
+            console.warn('⚠️ Signature verification error:', err.message);
+            return false;
+        }
+    }
+
+    // ============================================
+    // PEER MANAGEMENT
+    // ============================================
+
+    /**
+     * Register a known peer's public key
+     */
+    registerPeer(peerId, publicKey) {
+        const pubKeyBytes = typeof publicKey === 'string' ?
+            new Uint8Array(publicKey.match(/.{2}/g).map(h => parseInt(h, 16))) :
+            publicKey;
+
+        this.knownPeers.set(peerId, pubKeyBytes);
+        this.peerReputation.set(peerId, this.peerReputation.get(peerId) || 0.5);
+
+        this.emit('peer-registered', { peerId, publicKey: this.getPublicKeyHex() });
+    }
+
+    /**
+     * Get reputation score for a peer (0-1)
+     */
+    getPeerReputation(peerId) {
+        return this.peerReputation.get(peerId) || 0.5;
+    }
+
+    /**
+     * Update peer reputation
+     */
+    _updateReputation(peerId, delta) {
+        const current = this.peerReputation.get(peerId) || 0.5;
+        const newScore = Math.max(0, Math.min(1, current + delta));
+        this.peerReputation.set(peerId, newScore);
+
+        // Emit warning if reputation drops too low
+        if (newScore < 0.2) {
+            this.emit('peer-suspicious', { peerId, reputation: newScore });
+        }
+    }
+
+    /**
+     * Record suspicious activity for learning
+     */
+    _recordSuspicious(peerId, reason) {
+        if (this.security) {
+            // Record for adaptive security learning
+            const features = new Float32Array([
+                Date.now() / 1e12,
+                this.getPeerReputation(peerId),
+                reason === 'invalid_signature' ? 1 : 0,
+                reason === 'replay_attack' ? 1 : 0,
+                0, 0, 0, 0 // Padding
+            ]);
+            this.security.recordAttackPattern(reason, features, 0.5);
+        }
+    }
+
+    // ============================================
+    // ENCRYPTION (SESSION-BASED)
+    // ============================================
+
+    /**
+     * Encrypt data for secure transmission
+     */
+    encrypt(data) {
+        if (!this.sessionKey || this.sessionKey.isExpired()) {
+            // Refresh session key
+            this.sessionKey = new this.wasm.SessionKey(this.piKey, this.options.sessionTTL);
+        }
+
+        const dataBytes = typeof data === 'string' ?
+            new TextEncoder().encode(data) :
+            data instanceof Uint8Array ? data :
+            new TextEncoder().encode(JSON.stringify(data));
+
+        return this.sessionKey.encrypt(dataBytes);
+    }
+
+    /**
+     * Decrypt received data
+     */
+    decrypt(encrypted) {
+        if (!this.sessionKey) {
+            throw new Error('No session key available');
+        }
+
+        return this.sessionKey.decrypt(encrypted);
+    }
+
+    // ============================================
+    // SECURITY ANALYSIS
+    // ============================================
+
+    /**
+     * Analyze request for potential attacks
+     * @returns {number} Threat score (0-1, higher = more suspicious)
+     */
+    analyzeRequest(features) {
+        if (!this.security) return 0;
+
+        const featureArray = features instanceof Float32Array ?
+            features :
+            new Float32Array(Array.isArray(features) ? features : Object.values(features));
+
+        return this.security.detectAttack(featureArray);
+    }
+
+    /**
+     * Get security statistics
+     */
+    getSecurityStats() {
+        if (!this.security) return null;
+
+        return JSON.parse(this.security.getStats());
+    }
+
+    /**
+     * Export security patterns for persistence
+     */
+    exportSecurityPatterns() {
+        if (!this.security) return null;
+        return this.security.exportPatterns();
+    }
+
+    /**
+     * Import previously learned security patterns
+     */
+    importSecurityPatterns(patterns) {
+        if (!this.security) return;
+        this.security.importPatterns(patterns);
+    }
+
+    // ============================================
+    // CHALLENGE-RESPONSE
+    // ============================================
+
+    /**
+     * Create a challenge for peer verification
+     */
+    createChallenge() {
+        const challenge = crypto.getRandomValues(new Uint8Array(32));
+        const timestamp = Date.now();
+
+        return {
+            challenge: Array.from(challenge).map(b => b.toString(16).padStart(2, '0')).join(''),
+            timestamp,
+            issuer: this.getShortId()
+        };
+    }
+
+    /**
+     * Respond to a challenge (proves identity)
+     */
+    respondToChallenge(challengeData) {
+        const challengeBytes = new Uint8Array(
+            challengeData.challenge.match(/.{2}/g).map(h => parseInt(h, 16))
+        );
+
+        const responseData = new Uint8Array([
+            ...challengeBytes,
+            ...new TextEncoder().encode(`|${challengeData.timestamp}|${this.getShortId()}`)
+        ]);
+
+        const signature = this.piKey.sign(responseData);
+
+        return {
+            ...challengeData,
+            response: Array.from(signature).map(b => b.toString(16).padStart(2, '0')).join(''),
+            responder: this.getShortId(),
+            publicKey: this.getPublicKeyHex()
+        };
+    }
+
+    /**
+     * Verify a challenge response
+     */
+    verifyChallengeResponse(response) {
+        try {
+            const challengeBytes = new Uint8Array(
+                response.challenge.match(/.{2}/g).map(h => parseInt(h, 16))
+            );
+
+            const responseData = new Uint8Array([
+                ...challengeBytes,
+                ...new TextEncoder().encode(`|${response.timestamp}|${response.responder}`)
+            ]);
+
+            const sigBytes = new Uint8Array(
+                response.response.match(/.{2}/g).map(h => parseInt(h, 16))
+            );
+            const pubKeyBytes = new Uint8Array(
+                response.publicKey.match(/.{2}/g).map(h => parseInt(h, 16))
+            );
+
+            const valid = this.piKey.verify(responseData, sigBytes, pubKeyBytes);
+
+            if (valid) {
+                // Register this peer as verified
+                this.registerPeer(response.responder, response.publicKey);
+                this._updateReputation(response.responder, 0.05);
+            }
+
+            return valid;
+        } catch (err) {
+            console.warn('Challenge verification failed:', err.message);
+            return false;
+        }
+    }
+
+    /**
+     * Clean up resources
+     */
+    dispose() {
+        try { this.piKey?.free?.(); } catch (e) { /* already freed */ }
+        try { this.sessionKey?.free?.(); } catch (e) { /* already freed */ }
+        try { this.nodeIdentity?.free?.(); } catch (e) { /* already freed */ }
+        try { this.security?.free?.(); } catch (e) { /* already freed */ }
+        this.piKey = null;
+        this.sessionKey = null;
+        this.nodeIdentity = null;
+        this.security = null;
+        this.knownPeers.clear();
+        this.peerReputation.clear();
+        this.initialized = false;
+    }
+}
+
+/**
+ * Create a secure access manager
+ */
+export async function createSecureAccess(options = {}) {
+    const manager = new SecureAccessManager(options);
+    await manager.initialize();
+    return manager;
+}
+
+/**
+ * Wrap Firebase signaling with WASM security
+ */
+export function wrapWithSecurity(firebaseSignaling, secureAccess) {
+    const originalAnnounce = firebaseSignaling.announcePeer?.bind(firebaseSignaling);
+    const originalSendOffer = firebaseSignaling.sendOffer?.bind(firebaseSignaling);
+    const originalSendAnswer = firebaseSignaling.sendAnswer?.bind(firebaseSignaling);
+    const originalSendIceCandidate = firebaseSignaling.sendIceCandidate?.bind(firebaseSignaling);
+
+    // Wrap peer announcement with signature
+    if (originalAnnounce) {
+        firebaseSignaling.announcePeer = async (peerId, metadata = {}) => {
+            const signedMetadata = secureAccess.signMessage({
+                ...metadata,
+                publicKey: secureAccess.getPublicKeyHex()
+            });
+            return originalAnnounce(peerId, signedMetadata);
+        };
+    }
+
+    // Wrap signaling messages with signatures
+    if (originalSendOffer) {
+        firebaseSignaling.sendOffer = async (toPeerId, offer) => {
+            const signed = secureAccess.signMessage({ type: 'offer', offer });
+            return originalSendOffer(toPeerId, signed);
+        };
+    }
+
+    if (originalSendAnswer) {
+        firebaseSignaling.sendAnswer = async (toPeerId, answer) => {
+            const signed = secureAccess.signMessage({ type: 'answer', answer });
+            return originalSendAnswer(toPeerId, signed);
+        };
+    }
+
+    if (originalSendIceCandidate) {
+        firebaseSignaling.sendIceCandidate = async (toPeerId, candidate) => {
+            const signed = secureAccess.signMessage({ type: 'ice', candidate });
+            return originalSendIceCandidate(toPeerId, signed);
+        };
+    }
+
+    // Add verification method
+    firebaseSignaling.verifySignedMessage = (signed) => {
+        return secureAccess.verifyMessage(signed);
+    };
+
+    firebaseSignaling.secureAccess = secureAccess;
+
+    return firebaseSignaling;
+}
+
+export default SecureAccessManager;

package/webrtc.js

@@ -408,6 +408,15 @@ export class WebRTCPeerManager extends EventEmitter {
             failedConnections: 0,
             messagesRouted: 0,
         };
+        // External signaling callback (e.g., Firebase)
+        this.externalSignaling = null;
+    }
+
+    /**
+     * Set external signaling callback for Firebase or other signaling
+     */
+    setExternalSignaling(callback) {
+        this.externalSignaling = callback;
     }
 
     /**
@@ -639,13 +648,23 @@ export class WebRTCPeerManager extends EventEmitter {
 
             const offer = await peerConnection.createOffer();
 
-            // Send offer via signaling
-            this.signalingSocket.send(JSON.stringify({
+            // Send offer via available signaling method
+            const signalData = {
                 type: 'offer',
                 to: peerId,
                 from: this.localIdentity.piKey,
                 offer,
-            }));
+            };
+
+            if (this.signalingSocket?.readyState === 1) {
+                // WebSocket signaling
+                this.signalingSocket.send(JSON.stringify(signalData));
+            } else if (this.externalSignaling) {
+                // External signaling (Firebase, etc.)
+                await this.externalSignaling('offer', peerId, offer);
+            } else {
+                throw new Error('No signaling method available');
+            }
 
             this.peers.set(peerId, peerConnection);
             this.emit('peers-updated', this.getPeerList());
@@ -653,6 +672,7 @@ export class WebRTCPeerManager extends EventEmitter {
         } catch (err) {
             this.stats.failedConnections++;
             console.error(`Failed to connect to ${peerId}:`, err.message);
+            throw err;
         }
     }
 
@@ -678,13 +698,17 @@ export class WebRTCPeerManager extends EventEmitter {
 
             const answer = await peerConnection.handleOffer(offer);
 
-            // Send answer via signaling
-            this.signalingSocket.send(JSON.stringify({
-                type: 'answer',
-                to: from,
-                from: this.localIdentity.piKey,
-                answer,
-            }));
+            // Send answer via available signaling method
+            if (this.signalingSocket?.readyState === 1) {
+                this.signalingSocket.send(JSON.stringify({
+                    type: 'answer',
+                    to: from,
+                    from: this.localIdentity.piKey,
+                    answer,
+                }));
+            } else if (this.externalSignaling) {
+                await this.externalSignaling('answer', from, answer);
+            }
 
             this.peers.set(from, peerConnection);
             this.emit('peers-updated', this.getPeerList());