@vantaloom/runtime-win32-x64 0.3.0 → 0.5.0

package/cli/src/cli.mjs

@@ -1,5 +1,6 @@
 import { execFileSync, spawnSync } from "node:child_process"
 import {
+  appendFileSync,
   chmodSync,
   existsSync,
   mkdirSync,
@@ -10,21 +11,61 @@ import {
   writeFileSync,
 } from "node:fs"
 import { cp, writeFile } from "node:fs/promises"
+import { createHash } from "node:crypto"
 import os from "node:os"
 import path from "node:path"
 import { fileURLToPath } from "node:url"
 
+// The mesh binaries the privileged service holds open while running. On Windows
+// a file copy can't overwrite them in place, so the lock-safe `apply` path swaps
+// them after stopping the service.
+const WINDOWS_MESH_BINARIES = ["easytier-core.exe", "easytier-cli.exe", "wintun.dll", "Packet.dll", "WinDivert64.sys", "vantaloom-mesh.exe"]
+
 const cliRoot = path.resolve(fileURLToPath(import.meta.url), "..", "..")
 const repoCandidate = path.resolve(cliRoot, "..", "..")
 const installedConfigPath = path.join(cliRoot, "config.json")
 const defaultReleaseTag = "runtime-latest"
 const defaultRepo = "Timefiles404/Vantaloom-next"
 const defaultNpmRegistry = "https://registry.npmjs.org"
+const fallbackNpmRegistries = [
+  "https://registry.npmmirror.com",
+]
+
+// Inherit strict-ssl=false from npm/npx config, or respect NODE_TLS_REJECT_UNAUTHORIZED.
+// When npm runs us via npx with strict-ssl disabled, it sets npm_config_strict_ssl="false".
+// Also check user .npmrc for strict-ssl=false (common in China behind proxies).
+function shouldDisableTLS() {
+  if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === "0") return true
+  if (process.env.npm_config_strict_ssl === "false") return true
+  if (process.env.npm_config_strict_ssl === "") return true
+  try {
+    const npmrcPath = path.join(os.homedir(), ".npmrc")
+    if (existsSync(npmrcPath)) {
+      const content = readFileSync(npmrcPath, "utf8")
+      if (/^\s*strict-ssl\s*=\s*false/m.test(content)) return true
+    }
+  } catch {}
+  return false
+}
+if (shouldDisableTLS()) {
+  process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"
+}
+
+const cliVersion = readJSONIfExists(path.join(cliRoot, "package.json")).version ?? "unknown"
 
 export async function main(argv) {
   const command = argv[0] ?? "help"
   const options = parseOptions(argv.slice(1))
 
+  // --no-strict-ssl flag disables TLS certificate verification for fetch calls
+  if (options.noStrictSsl) {
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"
+  }
+
+  if (command === "install" || command === "update") {
+    console.log(`vantaloom-cli v${cliVersion} (${platformId()})`)
+  }
+
   switch (command) {
     case "install":
       if (options.package) {
@@ -64,6 +105,9 @@ export async function main(argv) {
     case "path":
       printPaths(options)
       return
+    case "uninstall":
+      await uninstallRuntime(options)
+      return
     case "help":
     case "-h":
     case "--help":
@@ -87,10 +131,13 @@ async function installFromSource(options) {
     noStart: options.noStart,
     sourceRoot,
     update: options.update,
+    withMesh: options.withMesh,
+    skipMesh: options.skipMesh,
   })
 
   console.log(`${options.update ? "updated" : "installed"} Vantaloom: ${prefix}`)
   console.log(`version: ${version}`)
+  ensureInPath(prefix)
   console.log(`run: ${displayCommand(prefix)} status`)
 }
 
@@ -100,10 +147,13 @@ async function installFromPackage(options) {
   const version = await applyPackage(packageRoot, prefix, {
     noStart: options.noStart,
     update: options.update,
+    withMesh: options.withMesh,
+    skipMesh: options.skipMesh,
   })
 
   console.log(`${options.update ? "updated" : "installed"} Vantaloom: ${prefix}`)
   console.log(`version: ${version}`)
+  ensureInPath(prefix)
   console.log(`run: ${displayCommand(prefix)} status`)
 }
 
@@ -152,6 +202,9 @@ async function buildRuntimePackage(sourceRoot, packageRoot, options) {
   buildGo(sourceRoot, buildBin, "vantaloom-api", platform)
   buildGo(sourceRoot, buildBin, "vantaloom-agent", platform)
   buildGo(sourceRoot, buildBin, "vantaloomctl", platform)
+  // Privileged EasyTier sidecar (runs the mesh node as a service on Windows/macOS).
+  // Pure-Go (no CGO), so it cross-compiles cleanly for every target.
+  buildGo(sourceRoot, buildBin, "vantaloom-mesh", platform)
   // Tray app requires CGO (systray), only buildable natively on Windows.
   if (platform.startsWith("win32") && process.platform === "win32") {
     try {
@@ -159,6 +212,9 @@ async function buildRuntimePackage(sourceRoot, packageRoot, options) {
     } catch { /* optional: skip if systray build fails */ }
   }
 
+  // Bundle the EasyTier mesh binaries (P2P virtual network) for the target platform.
+  await copyEasyTier(sourceRoot, buildBin, platform)
+
   if (options.buildWeb) {
     runPnpm(["--filter", "vantaloom-app", "build"], { cwd: sourceRoot })
   }
@@ -170,6 +226,45 @@ async function buildRuntimePackage(sourceRoot, packageRoot, options) {
   return { platform, version }
 }
 
+// copyEasyTier bundles the vendored EasyTier binaries (easytier-core/easytier-cli,
+// plus wintun.dll on Windows) for the target platform into the package bin/ dir.
+async function copyEasyTier(sourceRoot, buildBin, platform) {
+  const vendorMap = {
+    "win32-x64": "windows-x86_64",
+    "darwin-arm64": "macos-aarch64",
+    "linux-x64": "linux-x86_64",
+  }
+  const vendorName = vendorMap[platform]
+  if (!vendorName) {
+    console.warn(`  warning: no EasyTier mapping for ${platform}; mesh disabled for this platform`)
+    return
+  }
+  const srcDir = path.join(sourceRoot, "vendor", "easytier", vendorName, `easytier-${vendorName}`)
+  if (!existsSync(srcDir)) {
+    console.warn(`  warning: EasyTier binaries not found at ${srcDir}; run vendor download first`)
+    return
+  }
+  const isWin = platform.startsWith("win32")
+  // Packet.dll + WinDivert64.sys are REQUIRED: easytier-core.exe statically
+  // imports Packet.dll, so without it the process dies at launch with
+  // STATUS_DLL_NOT_FOUND (0xC0000135) before writing any log. wintun.dll is the
+  // TUN backend. easytier-cli.exe does not need Packet.dll (it still launches).
+  const files = isWin
+    ? ["easytier-core.exe", "easytier-cli.exe", "wintun.dll", "Packet.dll", "WinDivert64.sys"]
+    : ["easytier-core", "easytier-cli"]
+  let copied = 0
+  for (const f of files) {
+    const src = path.join(srcDir, f)
+    if (!existsSync(src)) {
+      console.warn(`  warning: EasyTier file missing: ${f}`)
+      continue
+    }
+    await cp(src, path.join(buildBin, f), { force: true })
+    copied++
+  }
+  console.log(`  bundled EasyTier ${vendorName} (${copied} files)`)
+}
+
 async function applyPackage(packageRoot, prefix, options) {
   assertRuntimePackage(packageRoot)
 
@@ -186,15 +281,82 @@ async function applyPackage(packageRoot, prefix, options) {
     spawnSync(existingCtl, ["stop", "--prefix", prefix], { stdio: "inherit" })
   }
 
+  // Kill lingering tray process that may hold locks on bin/ (older versions
+  // don't write tray.pid, so vantaloomctl stop won't find them).
+  killTrayProcess(prefix)
+
+  // On Windows the privileged mesh service holds its binaries open, so we can't
+  // wipe or overwrite them with a plain copy. Detect that up front: if the
+  // service is running, skip those files in the bin/ copy (the elevated `apply`
+  // swaps them after stopping the service).
+  const meshLocked =
+    process.platform === "win32" &&
+    meshServiceRunning(path.join(packageRoot, "bin"), "win32")
+
+  // Copy package contents to install prefix
   for (const name of ["bin", "web", "cli"]) {
-    removeKnownPath(path.join(prefix, name), prefix)
-    await cp(path.join(packageRoot, name), path.join(prefix, name), {
-      recursive: true,
-      force: true,
-      dereference: false,
+    const src = path.join(packageRoot, name)
+    const dst = path.join(prefix, name)
+    if (!existsSync(src)) {
+      console.error(`  warning: package missing ${name}/ directory`)
+      continue
+    }
+    const copyOpts = { recursive: true, force: true, dereference: false }
+    if (name === "bin" && meshLocked) {
+      // Overwrite in place (don't wipe — that would fail on the locked files) and
+      // skip the mesh binaries the running service holds open.
+      copyOpts.filter = (s) => !WINDOWS_MESH_BINARIES.includes(path.basename(s))
+    } else {
+      removeKnownPath(dst, prefix)
+    }
+    await cp(src, dst, copyOpts)
+  }
+
+  // Ensure binaries are executable on Unix (cross-compiled from Windows they lose +x)
+  const binDir = path.join(prefix, "bin")
+  if (process.platform !== "win32" && existsSync(binDir)) {
+    for (const entry of readdirSync(binDir)) {
+      const binPath = path.join(binDir, entry)
+      try { chmodSync(binPath, 0o755) } catch {}
+    }
+  }
+
+  // Linux: grant easytier-core the TUN capability so the unprivileged runtime can
+  // bring up the mesh virtual network. This is the one privileged step of the
+  // install (a single sudo); the app itself stays unprivileged.
+  ensureLinuxMeshCapabilities(binDir)
+
+  // Windows/macOS: register (or lock-safely update) the privileged mesh service
+  // that runs easytier-core. This is the one elevation of the install on those
+  // platforms. Skipped for --no-start and gated to avoid prompting on every
+  // source rebuild (see ensureMeshService).
+  if (!options.noStart) {
+    ensureMeshService(packageRoot, prefix, {
+      sourceInstall: Boolean(options.sourceRoot),
+      withMesh: Boolean(options.withMesh),
+      skipMesh: Boolean(options.skipMesh),
     })
   }
 
+  // Make the runtime start at login/boot (per-user, no elevation). Idempotent.
+  if (!options.noStart && !options.skipAutostart) {
+    enableRuntimeAutostart(prefix)
+  }
+
+  // Verify vantaloomctl binary exists before trying to run it
+  const ctlBin = path.join(prefix, "bin", binaryName("vantaloomctl"))
+  if (!existsSync(ctlBin)) {
+    const binContents = existsSync(binDir) ? readdirSync(binDir) : []
+    const srcBinContents = existsSync(path.join(packageRoot, "bin")) ? readdirSync(path.join(packageRoot, "bin")) : []
+    throw new Error(
+      `vantaloomctl binary not found at ${ctlBin}\n` +
+      `  installed bin/: [${binContents.join(", ")}]\n` +
+      `  package bin/:   [${srcBinContents.join(", ")}]\n` +
+      `  platform: ${platformId()}\n` +
+      `  This may indicate a corrupt download. Try again or install from source.`
+    )
+  }
+
   await writeLauncher(prefix)
   await writeText(path.join(prefix, "cli", "config.json"), `${JSON.stringify(mergedConfig, null, 2)}\n`)
   await writeText(path.join(prefix, "VERSION"), `${version}\n`)
@@ -202,7 +364,7 @@ async function applyPackage(packageRoot, prefix, options) {
     force: true,
   })
 
-  run(path.join(prefix, "bin", binaryName("vantaloomctl")), [
+  run(ctlBin, [
     "install",
     "--prefix",
     prefix,
@@ -211,7 +373,7 @@ async function applyPackage(packageRoot, prefix, options) {
   ])
 
   if (!options.noStart) {
-    run(path.join(prefix, "bin", binaryName("vantaloomctl")), [
+    run(ctlBin, [
       "start",
       "--prefix",
       prefix,
@@ -221,12 +383,350 @@ async function applyPackage(packageRoot, prefix, options) {
   return version
 }
 
+// ensureLinuxMeshCapabilities grants easytier-core the network capabilities it
+// needs to create a TUN device, so the unprivileged Vantaloom runtime can bring
+// up the EasyTier mesh without running as root. Re-run on every update because
+// replacing the binary clears file capabilities. Non-fatal: if it can't elevate
+// or setcap is missing, mesh just falls back to the Hub relay.
+function ensureLinuxMeshCapabilities(binDir) {
+  if (process.platform !== "linux") {
+    return
+  }
+  const core = path.join(binDir, "easytier-core")
+  if (!existsSync(core)) {
+    console.warn("  mesh: easytier-core not bundled; skipping TUN capability setup")
+    return
+  }
+  const caps = "cap_net_admin,cap_net_bind_service+ep"
+  const isRoot = typeof process.getuid === "function" && process.getuid() === 0
+  console.log(`  mesh: granting TUN capability to easytier-core${isRoot ? "" : " (sudo)"} ...`)
+  const result = isRoot
+    ? spawnSync("setcap", [caps, core], { stdio: "inherit" })
+    : spawnSync("sudo", ["setcap", caps, core], { stdio: "inherit" })
+  if (result.error || result.status !== 0) {
+    console.warn(
+      "  mesh: could not set capabilities (P2P will fall back to the Hub relay).\n" +
+      `        enable it manually with:  sudo setcap ${caps} ${core}\n` +
+      "        (needs the 'setcap' tool, e.g. apt install libcap2-bin)"
+    )
+  }
+}
+
+// ensureMeshService registers (or lock-safely updates) the privileged EasyTier
+// sidecar service on Windows/macOS — the one elevation of the install on those
+// platforms. Linux uses setcap instead (see ensureLinuxMeshCapabilities).
+//
+// To keep the source/dev rebuild loop frictionless it only elevates when the
+// work is actually needed (service missing, or the mesh binaries changed) and,
+// for source installs, defers to a printed one-liner unless --with-mesh is set.
+function ensureMeshService(packageRoot, prefix, opts) {
+  const platform = process.platform
+  if (platform !== "win32" && platform !== "darwin") return // Linux: setcap path
+  if (opts.skipMesh) return
+
+  const pkgBin = path.join(packageRoot, "bin")
+  const meshExe = path.join(pkgBin, binaryName("vantaloom-mesh"))
+  if (!existsSync(meshExe)) return // sidecar not bundled
+
+  if (!meshServiceNeedsApply(pkgBin, path.join(prefix, "bin"), platform)) {
+    return // installed binaries current and service already managing them
+  }
+
+  if (opts.sourceInstall && !opts.withMesh) {
+    printMeshManualHint(prefix, platform)
+    return
+  }
+
+  if (platform === "win32") {
+    elevateWindowsMeshApply(pkgBin, prefix)
+  } else {
+    elevateDarwinMeshInstall(prefix)
+  }
+}
+
+// meshServiceNeedsApply reports whether the privileged service has to be
+// (re)applied: true if the installed mesh binaries are missing/outdated, or if
+// the service isn't currently up.
+function meshServiceNeedsApply(pkgBin, installBin, platform) {
+  // On Windows compare every lockable mesh file (incl. Packet.dll/WinDivert/wintun)
+  // so a missing or changed support DLL also triggers a (re)apply.
+  const names = platform === "win32"
+    ? WINDOWS_MESH_BINARIES
+    : [binaryName("vantaloom-mesh"), binaryName("easytier-core")]
+  for (const name of names) {
+    const installed = path.join(installBin, name)
+    if (!existsSync(installed)) return true
+    const staged = path.join(pkgBin, name)
+    if (existsSync(staged) && fileSha(staged) !== fileSha(installed)) return true
+  }
+  return !meshServiceRunning(pkgBin, platform)
+}
+
+// meshServiceRunning queries the OS service state via the (unprivileged) mesh
+// `status` command. binDir is where to find the vantaloom-mesh binary to run.
+function meshServiceRunning(binDir, platform) {
+  const exe = path.join(binDir, binaryName("vantaloom-mesh"))
+  if (!existsSync(exe)) return false
+  const r = spawnSync(exe, ["status"], { encoding: "utf8" })
+  if (r.error || typeof r.stdout !== "string") return false
+  const out = r.stdout.toLowerCase()
+  if (platform === "win32") return out.includes("running")
+  return r.status === 0 && !out.includes("not loaded") && !out.includes("not installed")
+}
+
+function fileSha(file) {
+  return createHash("sha256").update(readFileSync(file)).digest("hex")
+}
+
+// elevateWindowsMeshApply runs the lock-safe `apply` elevated (one UAC prompt).
+// It launches from the package copy so it can overwrite the installed binary.
+function elevateWindowsMeshApply(pkgBin, prefix) {
+  const exe = path.join(pkgBin, "vantaloom-mesh.exe")
+  console.log("  mesh: registering privileged P2P service (UAC prompt) ...")
+  const argList = ["apply", "--pkg-bin", pkgBin, "--install-dir", prefix].map(psQuote).join(",")
+  const ps = `$ErrorActionPreference='Stop'; $p = Start-Process -FilePath ${psQuote(exe)} -ArgumentList ${argList} -Verb RunAs -Wait -PassThru; exit $p.ExitCode`
+  const r = spawnSync("powershell", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "inherit" })
+  if (r.error || r.status !== 0) {
+    const installed = path.join(prefix, "bin", "vantaloom-mesh.exe")
+    console.warn("  mesh: service registration was cancelled or failed; P2P falls back to the Hub relay.")
+    console.warn(`        enable it later (as Administrator):  "${installed}" install --install-dir "${prefix}"`)
+  } else {
+    console.log("  mesh: privileged P2P service active")
+  }
+}
+
+// elevateDarwinMeshInstall registers the LaunchDaemon via sudo (one prompt). The
+// runtime already copied the fresh binary into place; install reloads the daemon.
+function elevateDarwinMeshInstall(prefix) {
+  const exe = path.join(prefix, "bin", "vantaloom-mesh")
+  console.log("  mesh: registering privileged P2P service (sudo) ...")
+  const r = spawnSync("sudo", [exe, "install", "--install-dir", prefix], { stdio: "inherit" })
+  if (r.error || r.status !== 0) {
+    console.warn("  mesh: LaunchDaemon registration failed; P2P falls back to the Hub relay.")
+    console.warn(`        enable it later:  sudo "${exe}" install --install-dir "${prefix}"`)
+  } else {
+    console.log("  mesh: privileged P2P service active")
+  }
+}
+
+function printMeshManualHint(prefix, platform) {
+  console.log("  mesh: P2P service not auto-registered for source installs.")
+  if (platform === "win32") {
+    const exe = path.join(prefix, "bin", "vantaloom-mesh.exe")
+    console.log(`        enable it once (as Administrator):  "${exe}" install --install-dir "${prefix}"`)
+    console.log("        or re-run install/update with --with-mesh")
+  } else {
+    const exe = path.join(prefix, "bin", "vantaloom-mesh")
+    console.log(`        enable it once:  sudo "${exe}" install --install-dir "${prefix}"`)
+    console.log("        or re-run install/update with --with-mesh")
+  }
+}
+
+// psQuote wraps a value as a PowerShell single-quoted string literal.
+function psQuote(value) {
+  return "'" + String(value).replace(/'/g, "''") + "'"
+}
+
+// uninstallRuntime tears down a local install: stop the runtime, remove the
+// privileged mesh service (elevated), then delete the install directory.
+async function uninstallRuntime(options) {
+  const prefix = safeDirectory(options.prefix ?? defaultPrefix())
+  if (!existsSync(prefix)) {
+    console.log(`Vantaloom is not installed at ${prefix}`)
+    return
+  }
+  console.log(`Uninstalling Vantaloom from ${prefix} ...`)
+
+  // 1. Stop the runtime (api/agent/web/tray). Best-effort.
+  const ctlBin = path.join(prefix, "bin", binaryName("vantaloomctl"))
+  if (existsSync(ctlBin)) {
+    spawnSync(ctlBin, ["stop", "--prefix", prefix], { stdio: "inherit" })
+  }
+  killTrayProcess(prefix)
+
+  // 2. Remove the privileged mesh service (releases TUN adapter + file locks).
+  removeMeshService(prefix, options)
+
+  // 2b. Remove the login-autostart entry (lives outside the install dir).
+  disableRuntimeAutostart()
+
+  // 3. Delete the install directory.
+  try {
+    const parent = path.dirname(prefix)
+    removeKnownPath(prefix, parent)
+    console.log(`removed ${prefix}`)
+  } catch (error) {
+    console.warn(`  could not remove ${prefix}: ${error.message}`)
+    console.warn("  some files may still be locked; re-run after closing Vantaloom processes.")
+  }
+
+  console.log("Vantaloom uninstalled.")
+  console.log("note: the install dir was left out of PATH edits; remove the bin/ entry from your shell profile if you added it.")
+}
+
+function removeMeshService(prefix, options) {
+  const platform = process.platform
+  if (platform !== "win32" && platform !== "darwin") return // Linux: nothing registered
+  const exe = path.join(prefix, "bin", binaryName("vantaloom-mesh"))
+  if (!existsSync(exe)) return
+  if (options.skipMesh) return
+
+  if (platform === "win32") {
+    if (!meshServiceRunningOrInstalled(path.join(prefix, "bin"))) return
+    console.log("  mesh: removing privileged P2P service (UAC prompt) ...")
+    const ps = `$ErrorActionPreference='Stop'; $p = Start-Process -FilePath ${psQuote(exe)} -ArgumentList 'uninstall' -Verb RunAs -Wait -PassThru; exit $p.ExitCode`
+    const r = spawnSync("powershell", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "inherit" })
+    if (r.error || r.status !== 0) {
+      console.warn(`  mesh: could not remove service; run manually (as Administrator):  "${exe}" uninstall`)
+    }
+  } else {
+    console.log("  mesh: removing privileged P2P service (sudo) ...")
+    const r = spawnSync("sudo", [exe, "uninstall"], { stdio: "inherit" })
+    if (r.error || r.status !== 0) {
+      console.warn(`  mesh: could not remove service; run manually:  sudo "${exe}" uninstall`)
+    }
+  }
+}
+
+// meshServiceRunningOrInstalled reports whether the Windows service exists at
+// all (running or stopped), so uninstall only prompts for elevation when there
+// is actually something to remove.
+function meshServiceRunningOrInstalled(binDir) {
+  const exe = path.join(binDir, "vantaloom-mesh.exe")
+  if (!existsSync(exe)) return false
+  const r = spawnSync(exe, ["status"], { encoding: "utf8" })
+  if (r.error || typeof r.stdout !== "string") return false
+  return !r.stdout.toLowerCase().includes("not installed")
+}
+
+// ── Runtime login-autostart (no elevation) ──
+// Start the local runtime (api/agent/web/tray) at login/boot using only
+// per-user mechanisms — no UAC/sudo. This is separate from the privileged mesh
+// service: the mesh sidecar autostarts via the OS service manager; this brings
+// up the unprivileged runtime that joins the mesh and serves the local API.
+
+const AUTOSTART_LABEL = "online.timefiles.vantaloom.runtime"
+// PowerShell HKCU: drive path. Set-ItemProperty handles values with spaces and
+// embedded quotes cleanly (reg.exe's /d escaping is brittle), and the Run key is
+// not blocked by Controlled Folder Access the way the Startup folder is.
+const WINDOWS_RUN_KEY = "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+const WINDOWS_RUN_VALUE = "Vantaloom"
+
+function enableRuntimeAutostart(prefix) {
+  try {
+    if (process.platform === "win32") {
+      // A .vbs launches the runtime with a hidden window (no console flash); the
+      // HKCU Run key runs it at login without elevation.
+      const launcher = path.join(prefix, "vantaloom.cmd")
+      const vbsPath = path.join(prefix, "autostart.vbs")
+      const vbs = `' Vantaloom runtime autostart (hidden)\r\nCreateObject("WScript.Shell").Run """${launcher}"" start", 0, False\r\n`
+      writeFileSync(vbsPath, vbs)
+      const result = spawnSync(
+        "powershell",
+        [
+          "-NoProfile",
+          "-NonInteractive",
+          "-Command",
+          `Set-ItemProperty -Path '${WINDOWS_RUN_KEY}' -Name '${WINDOWS_RUN_VALUE}' -Value 'wscript.exe "${vbsPath}"'`,
+        ],
+        { stdio: "ignore" }
+      )
+      if (result.error || result.status !== 0) {
+        console.warn("  autostart: could not register login entry (HKCU Run)")
+      } else {
+        console.log("  autostart: enabled (login Run key)")
+      }
+      return
+    }
+    if (process.platform === "darwin") {
+      const launcher = path.join(prefix, "vantaloom")
+      const dir = path.join(os.homedir(), "Library", "LaunchAgents")
+      mkdirSync(dir, { recursive: true })
+      const plistPath = path.join(dir, `${AUTOSTART_LABEL}.plist`)
+      // RunAtLoad only (no KeepAlive): `vantaloom start` spawns detached and exits.
+      const plist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0"><dict>
+  <key>Label</key><string>${AUTOSTART_LABEL}</string>
+  <key>ProgramArguments</key><array><string>${launcher}</string><string>start</string></array>
+  <key>RunAtLoad</key><true/>
+</dict></plist>
+`
+      writeFileSync(plistPath, plist)
+      spawnSync("launchctl", ["unload", plistPath], { stdio: "ignore" })
+      spawnSync("launchctl", ["load", "-w", plistPath], { stdio: "ignore" })
+      console.log("  autostart: enabled (LaunchAgent)")
+      return
+    }
+    // Linux: user systemd unit + linger (no root).
+    const launcher = path.join(prefix, "vantaloom")
+    const dir = path.join(os.homedir(), ".config", "systemd", "user")
+    mkdirSync(dir, { recursive: true })
+    const unit = `[Unit]
+Description=Vantaloom local runtime
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=${launcher} start
+ExecStop=${launcher} stop
+
+[Install]
+WantedBy=default.target
+`
+    writeFileSync(path.join(dir, "vantaloom-runtime.service"), unit)
+    spawnSync("loginctl", ["enable-linger"], { stdio: "ignore" })
+    spawnSync("systemctl", ["--user", "daemon-reload"], { stdio: "ignore" })
+    spawnSync("systemctl", ["--user", "enable", "vantaloom-runtime.service"], { stdio: "ignore" })
+    console.log("  autostart: enabled (systemd user unit)")
+  } catch (error) {
+    console.warn(`  autostart: could not enable (${error.message})`)
+  }
+}
+
+function disableRuntimeAutostart() {
+  try {
+    if (process.platform === "win32") {
+      // Remove the Run-key entry; the autostart.vbs lives in the install dir and
+      // is deleted with it.
+      spawnSync(
+        "powershell",
+        ["-NoProfile", "-NonInteractive", "-Command", `Remove-ItemProperty -Path '${WINDOWS_RUN_KEY}' -Name '${WINDOWS_RUN_VALUE}' -ErrorAction SilentlyContinue`],
+        { stdio: "ignore" }
+      )
+      return
+    }
+    if (process.platform === "darwin") {
+      const plistPath = path.join(os.homedir(), "Library", "LaunchAgents", `${AUTOSTART_LABEL}.plist`)
+      if (existsSync(plistPath)) {
+        spawnSync("launchctl", ["unload", "-w", plistPath], { stdio: "ignore" })
+        rmSync(plistPath, { force: true })
+      }
+      return
+    }
+    const unit = path.join(os.homedir(), ".config", "systemd", "user", "vantaloom-runtime.service")
+    if (existsSync(unit)) {
+      spawnSync("systemctl", ["--user", "disable", "vantaloom-runtime.service"], { stdio: "ignore" })
+      rmSync(unit, { force: true })
+      spawnSync("systemctl", ["--user", "daemon-reload"], { stdio: "ignore" })
+    }
+  } catch (error) {
+    console.warn(`  autostart: could not disable (${error.message})`)
+  }
+}
+
 async function syncFromNpmRegistry(options, action) {
   const prefix = safeDirectory(options.prefix ?? defaultPrefix())
   const installedConfig = readInstalledConfig(prefix)
-  const runtimePackage = options.runtimePackage || installedConfig.runtimePackage || runtimePackageName(platformId())
+  // Always derive runtimePackage from current platform — never trust stale config
+  // from a different platform (e.g. win32 config baked into a darwin package).
+  // Only explicit --runtime-package flag can override.
+  const runtimePackage = options.runtimePackage || runtimePackageName(platformId())
   const runtimeVersion = options.runtimeVersion || installedConfig.runtimeVersion || "latest"
-  const registry = normalizeRegistry(options.npmRegistry || installedConfig.npmRegistry || defaultNpmRegistry)
+  const explicitRegistry = options.npmRegistry || installedConfig.npmRegistry
+  const registry = normalizeRegistry(explicitRegistry || detectNpmRegistry() || defaultNpmRegistry)
   const tempRoot = mkdtempSync(path.join(os.tmpdir(), "vantaloom-npm-"))
 
   try {
@@ -234,7 +734,11 @@ async function syncFromNpmRegistry(options, action) {
     const archive = path.join(tempRoot, `${packageBasename(runtimePackage)}-${runtimeVersion}.tgz`)
     mkdirSync(extractRoot, { recursive: true })
 
-    const resolved = await resolveNpmPackage({ registry, name: runtimePackage, version: runtimeVersion })
+    const resolved = await resolveNpmPackageWithFallback({
+      registries: explicitRegistry ? [registry] : [registry, ...fallbackNpmRegistries.map(normalizeRegistry)],
+      name: runtimePackage,
+      version: runtimeVersion,
+    })
     await downloadNpmTarball({
       tarballUrl: resolved.tarball,
       target: archive,
@@ -248,13 +752,17 @@ async function syncFromNpmRegistry(options, action) {
       noStart: options.noStart,
       runtimePackage,
       runtimeVersion: options.runtimeVersion ? resolved.version : "latest",
-      npmRegistry: registry,
+      npmRegistry: resolved.registry,
       update: action === "update",
+      withMesh: options.withMesh,
+      skipMesh: options.skipMesh,
     })
 
     console.log(`${action === "update" ? "updated" : "installed"} Vantaloom: ${prefix}`)
     console.log(`version: ${version}`)
     console.log(`source: ${runtimePackage}@${resolved.version}`)
+    console.log(`registry: ${resolved.registry}`)
+    ensureInPath(prefix)
     console.log(`run: ${displayCommand(prefix)} status`)
   } finally {
     removeKnownPath(tempRoot, os.tmpdir())
@@ -291,11 +799,14 @@ async function syncFromRelease(options, action) {
       noStart: options.noStart,
       sourceRoot: installedConfig.sourceRoot,
       update: action === "update",
+      withMesh: options.withMesh,
+      skipMesh: options.skipMesh,
     })
 
     console.log(`${action === "update" ? "updated" : "installed"} Vantaloom: ${prefix}`)
     console.log(`version: ${version}`)
     console.log(`source: ${repo}@${releaseTag}`)
+    ensureInPath(prefix)
     console.log(`run: ${displayCommand(prefix)} status`)
   } finally {
     removeKnownPath(tempRoot, os.tmpdir())
@@ -346,14 +857,114 @@ async function downloadReleaseAsset({ repo, releaseTag, assetName, target, token
   await writeFile(target, buffer)
 }
 
+function detectNpmRegistry() {
+  // 1. NPM_CONFIG_REGISTRY env var (highest priority, set by npm/npx when running)
+  if (process.env.NPM_CONFIG_REGISTRY) {
+    return process.env.npm_config_registry || process.env.NPM_CONFIG_REGISTRY
+  }
+  // npm also sets the lowercase variant
+  if (process.env.npm_config_registry) {
+    return process.env.npm_config_registry
+  }
+
+  // 2. Read user .npmrc
+  try {
+    const npmrcPaths = [
+      path.join(os.homedir(), ".npmrc"),
+    ]
+    // Also check project-level .npmrc
+    const localNpmrc = path.resolve(".npmrc")
+    if (localNpmrc !== npmrcPaths[0]) {
+      npmrcPaths.unshift(localNpmrc)
+    }
+    for (const npmrcPath of npmrcPaths) {
+      if (existsSync(npmrcPath)) {
+        const content = readFileSync(npmrcPath, "utf8")
+        const match = content.match(/^\s*registry\s*=\s*(.+)/m)
+        if (match) {
+          return match[1].trim()
+        }
+      }
+    }
+  } catch {
+    // Ignore .npmrc read errors
+  }
+
+  return ""
+}
+
+async function resolveNpmPackageWithFallback({ registries, name, version }) {
+  const errors = []
+  for (const registry of registries) {
+    try {
+      const result = await resolveNpmPackage({ registry, name, version })
+      return { ...result, registry }
+    } catch (error) {
+      const causeCode = error?.cause?.code || ""
+      const isNetworkError = causeCode === "ECONNREFUSED"
+        || causeCode === "ENOTFOUND"
+        || causeCode === "ETIMEDOUT"
+        || causeCode === "ECONNRESET"
+        || causeCode === "UND_ERR_CONNECT_TIMEOUT"
+        || (error instanceof TypeError && error.message === "fetch failed")
+      const isSslError = causeCode === "UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
+        || causeCode === "CERT_HAS_EXPIRED"
+        || causeCode === "DEPTH_ZERO_SELF_SIGNED_CERT"
+        || causeCode === "SELF_SIGNED_CERT_IN_CHAIN"
+        || causeCode === "ERR_TLS_CERT_ALTNAME_INVALID"
+      const isRetryable = isNetworkError || isSslError
+      errors.push({ registry, error, isRetryable, isSslError })
+
+      if (isRetryable && registries.length > 1) {
+        const hint = isSslError ? " (SSL certificate error)" : ""
+        console.error(`vantaloom: ${registry} unreachable${hint}, trying next registry...`)
+        continue
+      }
+      if (isSslError) {
+        throw new Error(
+          `SSL certificate error connecting to ${registry}: ${causeCode}\n` +
+          `  Fix: run with --no-strict-ssl, or set npm config: npm config set strict-ssl false`
+        )
+      }
+      // Non-network error (404, parse error, etc.) — don't try fallbacks
+      throw error
+    }
+  }
+
+  // All registries failed
+  const hasSslError = errors.some((e) => e.isSslError)
+  const tried = errors.map((e) => e.registry).join(", ")
+  const sslHint = hasSslError
+    ? `\n  SSL fix: run with --no-strict-ssl, or set npm config: npm config set strict-ssl false`
+    : ""
+  throw new Error(
+    `all registries unreachable (tried: ${tried}). ` +
+    `Check your network or specify --npm-registry <url>${sslHint}`
+  )
+}
+
 async function resolveNpmPackage({ registry, name, version }) {
   const metadataUrl = `${registry}/${encodeURIComponent(name).replace("%2F", "%2f")}`
-  const response = await fetch(metadataUrl, {
-    headers: {
-      Accept: "application/vnd.npm.install-v1+json",
-      "User-Agent": "vantaloom-cli",
-    },
-  })
+  let response
+  try {
+    response = await fetch(metadataUrl, {
+      headers: {
+        Accept: "application/vnd.npm.install-v1+json",
+        "User-Agent": "vantaloom-cli",
+      },
+      signal: AbortSignal.timeout(15000),
+    })
+  } catch (error) {
+    if (error instanceof TypeError && error.message === "fetch failed") {
+      const causeCode = error.cause?.code || ""
+      const causeMsg = causeCode || error.cause?.message || String(error.cause || "")
+      throw Object.assign(
+        new Error(`cannot reach registry ${registry} (${causeMsg})`),
+        { cause: error.cause }
+      )
+    }
+    throw error
+  }
   if (!response.ok) {
     const detail = await response.text().catch(() => "")
     throw new Error(`failed to inspect npm package ${name}: HTTP ${response.status}${detail ? ` ${detail.slice(0, 200)}` : ""}`)
@@ -373,11 +984,22 @@ async function resolveNpmPackage({ registry, name, version }) {
 }
 
 async function downloadNpmTarball({ tarballUrl, target, packageName, version }) {
-  const response = await fetch(tarballUrl, {
-    headers: {
-      "User-Agent": "vantaloom-cli",
-    },
-  })
+  console.log(`  downloading ${packageName}@${version}...`)
+  let response
+  try {
+    response = await fetch(tarballUrl, {
+      headers: {
+        "User-Agent": "vantaloom-cli",
+      },
+      signal: AbortSignal.timeout(120000),
+    })
+  } catch (error) {
+    const causeCode = error?.cause?.code || ""
+    const causeMsg = causeCode || error?.cause?.message || error.message || ""
+    const isSsl = causeCode.includes("CERT") || causeCode === "UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
+    const hint = isSsl ? `\n  Fix: run with --no-strict-ssl` : ""
+    throw new Error(`failed to download ${packageName}@${version} from ${tarballUrl}: ${causeMsg}${hint}`)
+  }
   if (!response.ok) {
     const detail = await response.text().catch(() => "")
     throw new Error(`failed to download ${packageName}@${version}: HTTP ${response.status}${detail ? ` ${detail.slice(0, 200)}` : ""}`)
@@ -385,6 +1007,7 @@ async function downloadNpmTarball({ tarballUrl, target, packageName, version })
 
   const buffer = Buffer.from(await response.arrayBuffer())
   await writeFile(target, buffer)
+  console.log(`  downloaded ${(buffer.length / 1024 / 1024).toFixed(1)} MB`)
 }
 
 function shouldUseSourceInstall(options) {
@@ -448,9 +1071,9 @@ function mergeRuntimeConfig(packageConfig, existingConfig, overrides) {
   if (!merged.releaseTag) {
     merged.releaseTag = defaultReleaseTag
   }
-  if (!merged.runtimePackage) {
-    merged.runtimePackage = runtimePackageName(platformId())
-  }
+  // Always force runtimePackage to match the running platform — a cross-compiled
+  // package may carry a config for a different platform (e.g. win32 inside darwin).
+  merged.runtimePackage = runtimePackageName(platformId())
   if (!merged.runtimeVersion) {
     merged.runtimeVersion = "latest"
   }
@@ -470,7 +1093,7 @@ function runtimeConfigFromSource(sourceRoot) {
     releaseTag: defaultReleaseTag,
     runtimePackage: runtimePackageName(platformId()),
     runtimeVersion: "latest",
-    npmRegistry: defaultNpmRegistry,
+    npmRegistry: detectNpmRegistry() || defaultNpmRegistry,
   }
 }
 
@@ -776,6 +1399,18 @@ function parseOptions(args) {
       case "local":
         options.local = true
         break
+      case "with-mesh":
+        options.withMesh = true
+        break
+      case "skip-mesh":
+        options.skipMesh = true
+        break
+      case "skip-autostart":
+        options.skipAutostart = true
+        break
+      case "no-strict-ssl":
+        options.noStrictSsl = true
+        break
       default:
         throw new Error(`unknown option --${key}`)
     }
@@ -897,21 +1532,113 @@ async function writeText(filePath, content) {
   await writeFile(filePath, content)
 }
 
+// ensureInPath adds the Vantaloom install directory to the user's shell PATH
+// on macOS and Linux, so `vantaloom` can be run directly after install.
+// On Windows this is not needed (vantaloom.cmd is run by full path or added via installer).
+function ensureInPath(prefix) {
+  if (process.platform === "win32") return
+
+  // Check if already in PATH
+  const pathDirs = (process.env.PATH || "").split(":")
+  if (pathDirs.includes(prefix)) return
+
+  // Determine shell profile file
+  const home = os.homedir()
+  const shell = process.env.SHELL || ""
+  let profilePath
+  if (shell.endsWith("/zsh") || existsSync(path.join(home, ".zshrc"))) {
+    profilePath = path.join(home, ".zshrc")
+  } else if (shell.endsWith("/bash")) {
+    // On macOS, bash uses .bash_profile; on Linux, .bashrc
+    profilePath = process.platform === "darwin"
+      ? path.join(home, ".bash_profile")
+      : path.join(home, ".bashrc")
+  } else if (existsSync(path.join(home, ".profile"))) {
+    profilePath = path.join(home, ".profile")
+  } else {
+    profilePath = path.join(home, ".profile")
+  }
+
+  // Use $HOME-relative path for portability
+  const homeRelative = prefix.startsWith(home)
+    ? `$HOME${prefix.slice(home.length)}`
+    : prefix
+  const exportLine = `export PATH="${homeRelative}:$PATH"`
+  const marker = "# vantaloom"
+
+  // Check if already added to profile
+  try {
+    if (existsSync(profilePath)) {
+      const content = readFileSync(profilePath, "utf8")
+      if (content.includes("vantaloom") && content.includes("PATH")) return
+    }
+  } catch {}
+
+  // Append to profile
+  try {
+    const entry = `\n${marker}\n${exportLine}\n`
+    appendFileSync(profilePath, entry)
+    console.log(`PATH: added ${prefix} to ${profilePath}`)
+    console.log(`  run: source ${profilePath}  (or open a new terminal)`)
+  } catch (error) {
+    console.log(`PATH: could not update ${profilePath}: ${error.message}`)
+    console.log(`  add manually: ${exportLine}`)
+  }
+}
+
+function killTrayProcess(prefix) {
+  if (process.platform === "win32") {
+    // Try PID file first (new tray versions write runtime/tray.pid).
+    const pidFile = path.join(prefix, "runtime", "tray.pid")
+    if (existsSync(pidFile)) {
+      const pid = readFileSync(pidFile, "utf8").trim()
+      if (pid) {
+        spawnSync("taskkill", ["/PID", pid, "/F"], { stdio: "ignore" })
+        try { rmSync(pidFile, { force: true }) } catch {}
+      }
+    }
+    // Fallback: kill by image name if the binary is inside our prefix.
+    const result = spawnSync("tasklist", ["/FI", "IMAGENAME eq vantaloom-tray.exe", "/FO", "CSV", "/NH"], {
+      encoding: "utf8",
+      windowsHide: true,
+    })
+    if (result.stdout) {
+      for (const line of result.stdout.split("\n")) {
+        const match = line.match(/"vantaloom-tray\.exe","(\d+)"/)
+        if (match) {
+          spawnSync("taskkill", ["/PID", match[1], "/F"], { stdio: "ignore" })
+        }
+      }
+    }
+    // Brief pause to let file handles release.
+    spawnSync("timeout", ["/t", "1", "/nobreak"], { stdio: "ignore", windowsHide: true })
+  } else {
+    // Unix: pkill by name (best-effort).
+    spawnSync("pkill", ["-f", "vantaloom-tray"], { stdio: "ignore" })
+  }
+}
+
 function printHelp() {
   console.log(`Vantaloom CLI
 
 Usage:
-  vantaloom install  [--prefix <dir>] [--runtime-version <version>] [--npm-registry <url>] [--package <dir>] [--no-start]
-  vantaloom install  --local [--prefix <dir>] [--source <repo>] [--build-web] [--no-start]
-  vantaloom update   [--prefix <dir>] [--runtime-version <version>] [--npm-registry <url>] [--no-start]
-  vantaloom update   --local [--prefix <dir>] [--source <repo>] [--build-web] [--no-start]
-  vantaloom package  [--source <repo>] [--output <dir>] [--build-web] [--archive] [--npm-package] [--target <platform>]
-  vantaloom start    [--prefix <dir>] [--component all|api|agent|web]
-  vantaloom stop     [--prefix <dir>] [--component all|api|agent|web]
-  vantaloom restart  [--prefix <dir>] [--component all|api|agent|web]
-  vantaloom status   [--prefix <dir>]
-  vantaloom ports    [--prefix <dir>]
-  vantaloom path     [--prefix <dir>] [--source <repo>]
+  vantaloom install   [--prefix <dir>] [--runtime-version <version>] [--npm-registry <url>] [--package <dir>] [--no-start] [--with-mesh|--skip-mesh]
+  vantaloom install   --local [--prefix <dir>] [--source <repo>] [--build-web] [--no-start] [--with-mesh]
+  vantaloom update    [--prefix <dir>] [--runtime-version <version>] [--npm-registry <url>] [--no-start] [--with-mesh|--skip-mesh]
+  vantaloom update    --local [--prefix <dir>] [--source <repo>] [--build-web] [--no-start] [--with-mesh]
+  vantaloom uninstall [--prefix <dir>] [--skip-mesh]
+  vantaloom package   [--source <repo>] [--output <dir>] [--build-web] [--archive] [--npm-package] [--target <platform>]
+  vantaloom start     [--prefix <dir>] [--component all|api|agent|web]
+  vantaloom stop      [--prefix <dir>] [--component all|api|agent|web]
+  vantaloom restart   [--prefix <dir>] [--component all|api|agent|web]
+  vantaloom status    [--prefix <dir>]
+  vantaloom ports     [--prefix <dir>]
+  vantaloom path      [--prefix <dir>] [--source <repo>]
   vantaloom platform
+
+Mesh (P2P) service:
+  Windows/macOS register a privileged EasyTier service at install (one UAC/sudo prompt).
+  Linux grants TUN capability via setcap instead. Use --skip-mesh to opt out,
+  or --with-mesh to force registration during a --local source install.
 `)
 }