@ruvector/edge-net 0.4.1 → 0.4.3

package/firebase-signaling.js

@@ -4,9 +4,15 @@
  * Uses Google Firebase as bootstrap infrastructure for WebRTC signaling
  * with migration path to full P2P DHT network.
  *
+ * Security Model (WASM-based, no Firebase Auth needed):
+ * 1. Each node generates cryptographic identity in WASM (PiKey)
+ * 2. All messages are signed with Ed25519 keys
+ * 3. Peers verify signatures before accepting connections
+ * 4. AdaptiveSecurity provides self-learning attack detection
+ *
  * Architecture:
  * 1. Firebase Firestore for signaling (offer/answer/ICE)
- * 2. Firebase Realtime DB for presence (who's online)
+ * 2. WASM cryptographic identity (no Firebase Auth)
  * 3. Gradual migration to DHT as network grows
  *
  * @module @ruvector/edge-net/firebase-signaling
@@ -19,23 +25,32 @@ import { EventEmitter } from 'events';
 // ============================================
 
 /**
- * Get Firebase config from environment variables or saved config
+ * Edge-Net Public Firebase Configuration
  *
- * Configuration sources (in order of priority):
- * 1. Environment variables: FIREBASE_API_KEY, FIREBASE_PROJECT_ID
- * 2. Saved config from: ~/.edge-net/firebase.json (via firebase-setup.js)
- * 3. Application Default Credentials (for server-side via gcloud)
+ * This is the PUBLIC Firebase project for edge-net P2P network.
+ * API keys for Firebase web apps are designed to be public - security is via:
+ * 1. Firestore Security Rules (only authenticated users can write)
+ * 2. Anonymous Authentication (anyone can join, tracked by UID)
+ * 3. API restrictions in Google Cloud Console
  *
- * SECURITY:
- * - Never hardcode API keys
- * - Use `gcloud auth application-default login` for server-side
- * - Restrict API keys by domain in Google Cloud Console for browser-side
+ * Contributors automatically join the network - no setup required!
+ */
+export const EDGE_NET_FIREBASE_CONFIG = {
+    apiKey: "AIzaSyAZAJhathdnKZGzBQ8iDBFG8_OQsvb2QvA",
+    projectId: "ruv-dev",
+    authDomain: "ruv-dev.firebaseapp.com",
+    storageBucket: "ruv-dev.appspot.com",
+};
+
+/**
+ * Get Firebase config
  *
- * Setup:
- *   npx edge-net-firebase-setup --project YOUR_PROJECT_ID
+ * Priority:
+ * 1. Environment variables (for custom Firebase projects)
+ * 2. Built-in edge-net public config (no setup required)
  */
 export function getFirebaseConfig() {
-    // Try environment variables first (highest priority)
+    // Allow override via environment variables for custom projects
     const apiKey = process.env.FIREBASE_API_KEY;
     const projectId = process.env.FIREBASE_PROJECT_ID;
 
@@ -44,13 +59,12 @@ export function getFirebaseConfig() {
             apiKey,
             projectId,
             authDomain: process.env.FIREBASE_AUTH_DOMAIN || `${projectId}.firebaseapp.com`,
-            databaseURL: process.env.FIREBASE_DATABASE_URL || `https://${projectId}-default-rtdb.firebaseio.com`,
             storageBucket: process.env.FIREBASE_STORAGE_BUCKET || `${projectId}.appspot.com`,
         };
     }
 
-    // Sync version only uses env vars - use getFirebaseConfigAsync for file config
-    return null;
+    // Use built-in public edge-net config (no setup required!)
+    return EDGE_NET_FIREBASE_CONFIG;
 }
 
 /**
@@ -137,6 +151,11 @@ export class FirebaseSignaling extends EventEmitter {
         this.db = null;
         this.rtdb = null;
 
+        // WASM Security (replaces Firebase Auth)
+        /** @type {import('./secure-access.js').SecureAccessManager|null} */
+        this.secureAccess = options.secureAccess || null;
+        this.verifySignatures = options.verifySignatures !== false;
+
         // State
         this.isConnected = false;
         this.peers = new Map();
@@ -150,27 +169,49 @@ export class FirebaseSignaling extends EventEmitter {
             firebaseSignals: 0,
             dhtSignals: 0,
             p2pSignals: 0,
+            verifiedSignals: 0,
+            rejectedSignals: 0,
         };
     }
 
     /**
-     * Initialize Firebase connection
+     * Initialize Firebase connection with WASM cryptographic security
      */
     async connect() {
-        // SECURITY: Require valid config
+        // Use built-in config if not provided
+        if (!this.config) {
+            this.config = getFirebaseConfig();
+        }
+
         if (!this.config || !this.config.apiKey || !this.config.projectId) {
-            console.log('   ⚠️  Firebase not configured (no credentials)');
-            console.log('   💡 Set environment variables: FIREBASE_API_KEY, FIREBASE_PROJECT_ID');
+            console.log('   ⚠️  Firebase not configured');
             this.emit('not-configured');
             return false;
         }
 
         try {
+            // Initialize WASM security if not provided
+            if (!this.secureAccess) {
+                try {
+                    const { createSecureAccess } = await import('./secure-access.js');
+                    this.secureAccess = await createSecureAccess({
+                        siteId: this.room,
+                        persistIdentity: true
+                    });
+                    // Use WASM-generated node ID if peerId not set
+                    if (!this.peerId) {
+                        this.peerId = this.secureAccess.getShortId();
+                    }
+                } catch (err) {
+                    console.log('   ⚠️  WASM security unavailable, using basic mode');
+                }
+            }
+
             // Dynamic import Firebase (tree-shakeable)
             const { initializeApp, getApps } = await import('firebase/app');
             const { getFirestore, collection, doc, setDoc, onSnapshot, deleteDoc, query, where, orderBy, limit, serverTimestamp } = await import('firebase/firestore');
 
-            // Store Firebase methods for later use (Firestore only - no RTDB)
+            // Store Firebase methods for later use
             this.firebase = {
                 collection, doc, setDoc, onSnapshot, deleteDoc, query, where, orderBy, limit, serverTimestamp
             };
@@ -179,9 +220,19 @@ export class FirebaseSignaling extends EventEmitter {
             const apps = getApps();
             this.app = apps.length ? apps[0] : initializeApp(this.config);
 
-            // Initialize Firestore (for signaling AND presence - no RTDB needed)
+            // Initialize Firestore
             this.db = getFirestore(this.app);
 
+            // WASM cryptographic identity (replaces Firebase Auth)
+            if (this.secureAccess) {
+                this.uid = this.secureAccess.getNodeId();
+                console.log(`   🔐 WASM crypto identity: ${this.secureAccess.getShortId()}`);
+                console.log(`   📦 Public key: ${this.secureAccess.getPublicKeyHex().slice(0, 16)}...`);
+            } else {
+                this.uid = this.peerId;
+                console.log(`   ⚠️  No WASM security, using peerId: ${this.peerId?.slice(0, 8)}...`);
+            }
+
             // Register presence in Firestore
             await this.registerPresence();
 
@@ -192,7 +243,7 @@ export class FirebaseSignaling extends EventEmitter {
             this.subscribeToSignals();
 
             this.isConnected = true;
-            console.log('   ✅ Firebase signaling connected (Firestore)');
+            console.log('   ✅ Firebase connected with WASM security');
 
             this.emit('connected');
             return true;
@@ -205,32 +256,54 @@ export class FirebaseSignaling extends EventEmitter {
     }
 
     /**
-     * Register this peer's presence in Firestore
+     * Register this peer's presence in Firestore with WASM-signed data
      */
     async registerPresence() {
         const { doc, setDoc, serverTimestamp } = this.firebase;
 
         const presenceRef = doc(this.db, SIGNALING_PATHS.peers, this.peerId);
 
-        // Set online status in Firestore
-        await setDoc(presenceRef, {
+        // Build presence data
+        const presenceData = {
             peerId: this.peerId,
             room: this.room,
             online: true,
             lastSeen: serverTimestamp(),
             capabilities: ['compute', 'storage', 'verify'],
-        }, { merge: true });
+        };
+
+        // Add WASM cryptographic identity if available
+        if (this.secureAccess) {
+            presenceData.publicKey = this.secureAccess.getPublicKeyHex();
+            // Sign the presence announcement
+            const signed = this.secureAccess.signMessage({
+                peerId: this.peerId,
+                room: this.room,
+                capabilities: presenceData.capabilities
+            });
+            presenceData.signature = signed.signature;
+            presenceData.signedAt = signed.timestamp;
+        }
+
+        // Set online status in Firestore
+        await setDoc(presenceRef, presenceData, { merge: true });
 
         // Set up heartbeat to maintain presence (Firestore doesn't have onDisconnect)
         this._heartbeatInterval = setInterval(async () => {
             try {
-                await setDoc(presenceRef, { lastSeen: serverTimestamp() }, { merge: true });
+                const heartbeat = { lastSeen: serverTimestamp() };
+                // Sign heartbeat if security available
+                if (this.secureAccess) {
+                    const signed = this.secureAccess.signMessage({ heartbeat: Date.now() });
+                    heartbeat.heartbeatSig = signed.signature;
+                }
+                await setDoc(presenceRef, heartbeat, { merge: true });
             } catch (e) {
                 // Ignore heartbeat errors
             }
         }, 30000);
 
-        console.log(`   📡 Registered presence: ${this.peerId.slice(0, 8)}...`);
+        console.log(`   📡 Registered presence: ${this.peerId.slice(0, 8)}... (WASM-signed)`);
     }
 
     /**
@@ -303,7 +376,7 @@ export class FirebaseSignaling extends EventEmitter {
     }
 
     /**
-     * Handle incoming signal
+     * Handle incoming signal with WASM signature verification
      */
     async handleSignal(signal, docId) {
         this.stats.firebaseSignals++;
@@ -312,19 +385,46 @@ export class FirebaseSignaling extends EventEmitter {
         const { doc, deleteDoc } = this.firebase;
         await deleteDoc(doc(this.db, SIGNALING_PATHS.signals, docId));
 
+        // Verify signature if WASM security is enabled
+        if (this.verifySignatures && this.secureAccess && signal.signature && signal.publicKey) {
+            const isValid = this.secureAccess.verifyMessage({
+                payload: JSON.stringify({
+                    from: signal.from,
+                    to: signal.to,
+                    type: signal.type,
+                    data: typeof signal.data === 'object' ? JSON.stringify(signal.data) : signal.data,
+                    timestamp: signal.timestamp
+                }),
+                signature: signal.signature,
+                publicKey: signal.publicKey,
+                timestamp: signal.timestamp
+            });
+
+            if (!isValid) {
+                console.warn(`   ⚠️  Invalid signature from ${signal.from?.slice(0, 8)}...`);
+                this.stats.rejectedSignals++;
+                this.emit('invalid-signature', { from: signal.from, type: signal.type });
+                return; // Reject the signal
+            }
+
+            // Register verified peer
+            this.secureAccess.registerPeer(signal.from, signal.publicKey);
+            this.stats.verifiedSignals++;
+        }
+
         // Emit appropriate event
         switch (signal.type) {
             case 'offer':
-                this.emit('offer', { from: signal.from, offer: signal.data });
+                this.emit('offer', { from: signal.from, offer: signal.data, verified: !!signal.signature });
                 break;
             case 'answer':
-                this.emit('answer', { from: signal.from, answer: signal.data });
+                this.emit('answer', { from: signal.from, answer: signal.data, verified: !!signal.signature });
                 break;
             case 'ice-candidate':
-                this.emit('ice-candidate', { from: signal.from, candidate: signal.data });
+                this.emit('ice-candidate', { from: signal.from, candidate: signal.data, verified: !!signal.signature });
                 break;
             default:
-                this.emit('signal', signal);
+                this.emit('signal', { ...signal, verified: !!signal.signature });
         }
     }
 
@@ -350,7 +450,43 @@ export class FirebaseSignaling extends EventEmitter {
     }
 
     /**
-     * Send signal via Firebase
+     * Serialize WebRTC objects to plain JSON for Firebase storage
+     * RTCIceCandidate and RTCSessionDescription are not directly storable
+     */
+    _serializeWebRTCData(data) {
+        if (!data || typeof data !== 'object') {
+            return data;
+        }
+
+        // Handle RTCIceCandidate
+        if (data.candidate !== undefined && data.sdpMid !== undefined) {
+            return {
+                candidate: data.candidate,
+                sdpMid: data.sdpMid,
+                sdpMLineIndex: data.sdpMLineIndex,
+                usernameFragment: data.usernameFragment || null,
+            };
+        }
+
+        // Handle RTCSessionDescription (offer/answer)
+        if (data.type !== undefined && data.sdp !== undefined) {
+            return {
+                type: data.type,
+                sdp: data.sdp,
+            };
+        }
+
+        // Try to convert any object with toJSON method
+        if (typeof data.toJSON === 'function') {
+            return data.toJSON();
+        }
+
+        // Return as-is if already plain object
+        return data;
+    }
+
+    /**
+     * Send signal via Firebase with WASM signature
      */
     async sendSignal(toPeerId, type, data) {
         if (!this.isConnected) {
@@ -362,14 +498,33 @@ export class FirebaseSignaling extends EventEmitter {
         const signalId = `${this.peerId}-${toPeerId}-${Date.now()}`;
         const signalRef = doc(this.db, SIGNALING_PATHS.signals, signalId);
 
-        await setDoc(signalRef, {
+        // Serialize WebRTC objects to plain JSON
+        const serializedData = this._serializeWebRTCData(data);
+
+        const timestamp = Date.now();
+        const signalData = {
             from: this.peerId,
             to: toPeerId,
             type,
-            data,
-            timestamp: Date.now(),
+            data: serializedData,
+            timestamp,
             room: this.room,
-        });
+        };
+
+        // Sign the signal with WASM cryptography
+        if (this.secureAccess) {
+            const signed = this.secureAccess.signMessage({
+                from: this.peerId,
+                to: toPeerId,
+                type,
+                data: typeof serializedData === 'object' ? JSON.stringify(serializedData) : serializedData,
+                timestamp
+            });
+            signalData.signature = signed.signature;
+            signalData.publicKey = signed.publicKey;
+        }
+
+        await setDoc(signalRef, signalData);
 
         return true;
     }
@@ -597,6 +752,10 @@ export class HybridBootstrap extends EventEmitter {
         this.peerId = options.peerId;
         this.config = options.firebaseConfig || DEFAULT_FIREBASE_CONFIG;
 
+        // WASM Security
+        /** @type {import('./secure-access.js').SecureAccessManager|null} */
+        this.secureAccess = options.secureAccess || null;
+
         // Components
         this.firebase = null;
         this.dht = null;
@@ -614,25 +773,63 @@ export class HybridBootstrap extends EventEmitter {
             directConnections: 0,
             firebaseSignals: 0,
             p2pSignals: 0,
+            verifiedPeers: 0,
         };
     }
 
     /**
-     * Start hybrid bootstrap
+     * Start hybrid bootstrap with WASM security
      */
     async start(webrtc, dht) {
         this.webrtc = webrtc;
         this.dht = dht;
 
-        // Start with Firebase
+        // Initialize WASM security if not provided
+        if (!this.secureAccess) {
+            try {
+                const { createSecureAccess } = await import('./secure-access.js');
+                this.secureAccess = await createSecureAccess({
+                    siteId: 'edge-net',
+                    persistIdentity: true
+                });
+                // Use WASM node ID if peerId not set
+                if (!this.peerId) {
+                    this.peerId = this.secureAccess.getShortId();
+                }
+            } catch (err) {
+                console.log('   ⚠️  WASM security unavailable for bootstrap');
+            }
+        }
+
+        // Start with Firebase, passing WASM security
         this.firebase = new FirebaseSignaling({
             peerId: this.peerId,
             firebaseConfig: this.config,
+            secureAccess: this.secureAccess,
         });
 
         // Wire up events
         this.setupFirebaseEvents();
 
+        // Set up WebRTC to use Firebase for signaling
+        if (this.webrtc) {
+            this.webrtc.setExternalSignaling(async (type, toPeerId, data) => {
+                // Route signaling through Firebase
+                switch (type) {
+                    case 'offer':
+                        await this.firebase.sendOffer(toPeerId, data);
+                        break;
+                    case 'answer':
+                        await this.firebase.sendAnswer(toPeerId, data);
+                        break;
+                    case 'ice-candidate':
+                        await this.firebase.sendIceCandidate(toPeerId, data);
+                        break;
+                }
+                this.stats.firebaseSignals++;
+            });
+        }
+
         // Connect to Firebase
         const connected = await this.firebase.connect();
 
@@ -693,18 +890,10 @@ export class HybridBootstrap extends EventEmitter {
         if (!this.webrtc) return;
 
         try {
-            // Create offer
-            const offer = await this.webrtc.createOffer(peerId);
-
-            // Try P2P signaling first (if peer is directly connected)
-            if (this.mode === 'p2p' && this.webrtc.isConnected(peerId)) {
-                this.webrtc.sendToPeer(peerId, { type: 'offer', offer });
-                this.stats.p2pSignals++;
-            } else {
-                // Fall back to Firebase
-                await this.firebase.sendOffer(peerId, offer);
-                this.stats.firebaseSignals++;
-            }
+            // Use WebRTCPeerManager's connectToPeer method
+            // This handles offer creation and signaling internally
+            await this.webrtc.connectToPeer(peerId);
+            this.stats.directConnections++;
 
         } catch (error) {
             console.warn(`[HybridBootstrap] Connect to ${peerId.slice(0, 8)} failed:`, error.message);

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@ruvector/edge-net",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "type": "module",
-  "description": "Distributed compute intelligence network with AI agents and workers - contribute browser compute, spawn distributed AI agents, earn credits. Features Time Crystal coordination, Neural DAG attention, P2P swarm intelligence, ONNX inference, WebRTC signaling, CRDT ledger, and multi-agent workflows.",
+  "description": "Distributed compute intelligence network with WASM cryptographic security - contribute browser compute, spawn distributed AI agents, earn credits. Features Ed25519 signing, PiKey identity, Time Crystal coordination, Neural DAG attention, P2P swarm intelligence, ONNX inference, WebRTC signaling, CRDT ledger, and multi-agent workflows.",
   "main": "ruvector_edge_net.js",
   "module": "ruvector_edge_net.js",
   "types": "ruvector_edge_net.d.ts",
@@ -55,7 +55,11 @@
     "firebase",
     "gcloud",
     "firestore",
-    "realtime-database"
+    "realtime-database",
+    "ed25519",
+    "wasm-cryptography",
+    "pikey",
+    "secure-access"
   ],
   "author": "RuVector Team <team@ruvector.dev>",
   "license": "MIT",
@@ -73,6 +77,8 @@
     "ruvector_edge_net.d.ts",
     "ruvector_edge_net_bg.wasm.d.ts",
     "node/",
+    "deploy/",
+    "tests/",
     "index.js",
     "cli.js",
     "join.js",
@@ -96,6 +102,7 @@
     "p2p.js",
     "firebase-signaling.js",
     "firebase-setup.js",
+    "secure-access.js",
     "README.md",
     "LICENSE"
   ],
@@ -160,6 +167,9 @@
     },
     "./firebase-setup": {
       "import": "./firebase-setup.js"
+    },
+    "./secure-access": {
+      "import": "./secure-access.js"
     }
   },
   "sideEffects": [
@@ -181,6 +191,11 @@
     "signaling": "node -e \"import('./signaling.js').then(m => new m.SignalingServer().start())\"",
     "genesis": "node genesis.js",
     "genesis:start": "node genesis.js --port 8787",
+    "genesis:prod": "NODE_ENV=production node deploy/genesis-prod.js",
+    "genesis:docker": "docker-compose -f deploy/docker-compose.yml up -d",
+    "genesis:docker:logs": "docker-compose -f deploy/docker-compose.yml logs -f genesis",
+    "genesis:docker:stop": "docker-compose -f deploy/docker-compose.yml down",
+    "genesis:docker:build": "docker build -t ruvector/edge-net-genesis:latest -f deploy/Dockerfile .",
     "p2p": "node -e \"import('./p2p.js').then(m => m.createP2PNetwork({ nodeId: 'test' }))\"",
     "monitor": "node -e \"import('./monitor.js').then(m => { const mon = new m.Monitor(); mon.start(); setInterval(() => console.log(JSON.stringify(mon.generateReport(), null, 2)), 5000); })\"",
     "firebase:setup": "node firebase-setup.js",
@@ -190,6 +205,7 @@
     "@ruvector/ruvllm": "^0.2.3",
     "@xenova/transformers": "^2.17.2",
     "firebase": "^10.14.1",
+    "wrtc": "^0.4.7",
     "ws": "^8.18.3"
   }
 }

package/real-workers.js

@@ -295,6 +295,7 @@ export class RealWorkerPool extends EventEmitter {
                     status: 'idle',
                     tasksCompleted: 0,
                     currentTask: null,
+                    terminated: false,  // Track intentional termination
                 };
 
                 worker.on('message', (msg) => {
@@ -307,13 +308,16 @@ export class RealWorkerPool extends EventEmitter {
                 });
 
                 worker.on('exit', (code) => {
-                    if (code !== 0) {
-                        console.error(`[Worker ${index}] Exited with code ${code}`);
+                    // Only respawn if worker crashed unexpectedly (not terminated intentionally)
+                    if (!workerInfo.terminated && this.status === 'ready') {
+                        console.error(`[Worker ${index}] Exited unexpectedly with code ${code}, respawning...`);
                         // Respawn worker
                         const idx = this.workers.indexOf(workerInfo);
-                        if (idx >= 0 && this.status === 'ready') {
+                        if (idx >= 0) {
                             this.spawnWorker(index).then(w => {
                                 this.workers[idx] = w;
+                            }).catch(err => {
+                                console.error(`[Worker ${index}] Failed to respawn:`, err.message);
                             });
                         }
                     }
@@ -537,8 +541,9 @@ export class RealWorkerPool extends EventEmitter {
             await new Promise(r => setTimeout(r, 100));
         }
 
-        // Terminate workers
+        // Terminate workers (mark as intentionally terminated first)
         for (const workerInfo of this.workers) {
+            workerInfo.terminated = true;
             await workerInfo.worker.terminate();
         }
 

package/scheduler.js

@@ -596,11 +596,15 @@ export class TaskScheduler extends EventEmitter {
         worker.allocate(task);
         this.running.set(task.id, task);
 
-        // Calculate wait time
+        // Calculate wait time using running average
         const waitTime = task.startedAt - task.queuedAt;
-        this.stats.avgWaitTime =
-            (this.stats.avgWaitTime * this.stats.submitted + waitTime) /
-            (this.stats.submitted + 1);
+        const assignedCount = this.stats.completed + this.running.size;
+        if (assignedCount <= 1) {
+            this.stats.avgWaitTime = waitTime;
+        } else {
+            this.stats.avgWaitTime =
+                (this.stats.avgWaitTime * (assignedCount - 1) + waitTime) / assignedCount;
+        }
 
         this.emit('task-assigned', {
             taskId: task.id,