querysub 0.2.0

package/src/-a-auth/node-forge-ed25519.d.ts

@@ -0,0 +1,17 @@
+
+
+declare module "node-forge" {
+    declare type Ed25519PublicKey = {
+        publicKeyBytes: Buffer;
+    } & Buffer;
+    declare type Ed25519PrivateKey = {
+        privateKeyBytes: Buffer;
+    } & Buffer;
+    class ed25519 {
+        static generateKeyPair(): { publicKey: Ed25519PublicKey, privateKey: Ed25519PrivateKey };
+        static privateKeyToPem(key: Ed25519PrivateKey): string;
+        static privateKeyFromPem(pem: string): Ed25519PrivateKey;
+        static publicKeyToPem(key: Ed25519PublicKey): string;
+        static publicKeyFromPem(pem: string): Ed25519PublicKey;
+    }
+}

package/src/-b-authorities/dnsAuthority.ts

@@ -0,0 +1,203 @@
+import os from "os";
+import * as fs from "fs";
+import { cache, lazy } from "socket-function/src/caching";
+import { isNode } from "socket-function/src/misc";
+import { httpsRequest } from "../https";
+import { getStorageDir } from "../fs";
+import { SocketFunction } from "socket-function/SocketFunction";
+import { delay } from "socket-function/src/batching";
+import debugbreak from "debugbreak";
+import { isClient } from "../config2";
+import { getArchives } from "../-a-archives/archives";
+
+const DNS_TTLSeconds = {
+    "TXT": 60,
+    "A": 60,
+};
+
+export const keys = getArchives("keys");
+
+export const getDNSCreds = lazy(async (): Promise<{ key: string; email: string }> => {
+    let credsJSON = await keys.get("cloudflare.json");
+    if (!credsJSON) throw new Error(`b2:/keys/cloudflare.json is missing. It should contain { "key": "your-key", "email": "your-email" }`);
+    return JSON.parse(credsJSON.toString());
+});
+
+export const hasDNSWritePermissions = lazy(async () => {
+    if (!isNode()) return false;
+    if (isClient()) return false;
+    try {
+        await getDNSCreds();
+        return true;
+    } catch {
+        return false;
+    }
+});
+
+const getZoneId = cache(async (rootDomain: string): Promise<string> => {
+    let zones = await cloudflareGETCall<{ id: string; name: string }[]>("/zones", {});
+    let selected = zones.find(x => x.name === rootDomain);
+    if (!selected) {
+        throw new Error(`Could not find zone for ${rootDomain}. Found ${zones.map(x => x.name).join(", ")}`);
+    }
+    return selected.id;
+});
+
+function getRootDomain(key: string) {
+    if (key.endsWith(".")) {
+        key = key.slice(0, -1);
+    }
+    return key.split(".").slice(-2).join(".");
+}
+
+export async function getRecordsRaw(type: string, key: string) {
+    if (key.endsWith(".")) key = key.slice(0, -1);
+    let zoneId = await getZoneId(getRootDomain(key));
+    let results = await cloudflareGETCall<{ id: string; type: string; name: string; content: string }[]>(`/zones/${zoneId}/dns_records`);
+    return results.filter(x => x.type === type && x.name === key);
+}
+export async function getRecords(type: string, key: string) {
+    if (key.endsWith(".")) key = key.slice(0, -1);
+    let raw = await getRecordsRaw(type, key);
+    return raw.map(x => x.content);
+}
+export async function deleteRecord(type: string, key: string, value: string) {
+    if (key.endsWith(".")) key = key.slice(0, -1);
+    let zoneId = await getZoneId(getRootDomain(key));
+    let prevValues = await getRecordsRaw(type, key);
+    prevValues = prevValues.filter(x => x.content === value);
+    if (prevValues.length === 0) {
+        if (!SocketFunction.silent) {
+            console.log(`No need to delete record, it was not found. ${JSON.stringify(value)} value was not in ${type} for ${key}, values ${JSON.stringify(prevValues.map(x => x.content))}`);
+        }
+        return;
+    }
+
+    console.log(`Removing records of ${type} for ${key}, values ${JSON.stringify(prevValues.map(x => x.content))}`);
+    for (let value of prevValues) {
+        await cloudflareCall(`/zones/${zoneId}/dns_records/${value.id}`, Buffer.from([]), "DELETE");
+    }
+}
+/** Removes all existing records (unless the record is already present) */
+export async function setRecord(type: string, key: string, value: string, proxied?: "proxied") {
+    let stack = new Error();
+    if (key.endsWith(".")) key = key.slice(0, -1);
+    let zoneId = await getZoneId(getRootDomain(key));
+    let prevValues = await getRecordsRaw(type, key);
+    if (prevValues.some(x => x.content === value)) return;
+
+    console.log(`Removing previous records of ${type} for ${key} ${JSON.stringify(prevValues.map(x => x.content))}`);
+    let didDeletions = false;
+    for (let value of prevValues) {
+        didDeletions = true;
+        await cloudflareCall(`/zones/${zoneId}/dns_records/${value.id}`, Buffer.from([]), "DELETE");
+    }
+
+    console.log(`Setting ${type} record for ${key} to ${value} (previously had ${JSON.stringify(prevValues.map(x => x.content))})`);
+    const ttl = DNS_TTLSeconds[type as "A"] || 60;
+    await cloudflarePOSTCall(`/zones/${zoneId}/dns_records`, {
+        type: type,
+        name: key,
+        content: value,
+        ttl,
+        proxied: proxied === "proxied",
+    });
+    // NOTE: Apparently... even if the record didn't exist, we still have to wait...
+    console.log(`Waiting ${ttl} seconds for DNS to propagate...`);
+    await delay(ttl * 1000);
+    console.log(`Done waiting for DNS to update.`);
+
+}
+/** Keeps existing records */
+export async function addRecord(type: string, key: string, value: string, proxied?: "proxied") {
+    if (key.endsWith(".")) key = key.slice(0, -1);
+    let zoneId = await getZoneId(getRootDomain(key));
+    let prevValues = await getRecords(type, key);
+    if (prevValues.includes(value)) return;
+    console.log(`Adding ${type} record for ${key} to ${value} (previously had ${JSON.stringify(prevValues)})`);
+    const ttl = DNS_TTLSeconds[type as "A"] || 60;
+    await cloudflarePOSTCall(`/zones/${zoneId}/dns_records`, {
+        type: type,
+        name: key,
+        content: value,
+        ttl,
+        proxied: proxied === "proxied",
+    });
+    console.log(`Waiting ${ttl} seconds for DNS to propagate...`);
+    await delay(ttl * 1000);
+    console.log(`Done waiting for DNS to update.`);
+}
+
+
+async function cloudflareGETCall<T>(path: string, params?: { [key: string]: string }): Promise<T> {
+    let url = new URL(`https://api.cloudflare.com/client/v4` + path);
+    for (let key in params) {
+        url.searchParams.set(key, params[key]);
+    }
+    let creds = await getDNSCreds();
+    let result = await httpsRequest(url.toString(), [], "GET", undefined, {
+        headers: {
+            "Content-Type": "application/json",
+            "X-Auth-Email": creds.email,
+            "X-Auth-User-Service-Key": creds.key,
+            "X-Auth-Key": creds.key,
+        }
+    });
+    let result2 = JSON.parse(result.toString()) as { result: unknown; success: boolean; errors: { code: number; message: string }[] };
+    if (!result2.success) {
+        throw new Error(`Cloudflare call failed: ${result2.errors.map(x => x.message).join(", ")}`);
+    }
+    return result2.result as T;
+}
+async function cloudflarePOSTCall<T>(path: string, params: { [key: string]: unknown }): Promise<T> {
+    return await cloudflareCall(path, Buffer.from(JSON.stringify(params)), "POST");
+}
+async function cloudflareCall<T>(path: string, payload: Buffer, method: string): Promise<T> {
+    let url = new URL(`https://api.cloudflare.com/client/v4` + path);
+    let creds = await getDNSCreds();
+    let result = await httpsRequest(url.toString(), payload, method, undefined, {
+        headers: {
+            "Content-Type": "application/json",
+            "X-Auth-Email": creds.email,
+            "X-Auth-User-Service-Key": creds.key,
+            "X-Auth-Key": creds.key,
+        }
+    });
+    let result2 = JSON.parse(result.toString()) as { result: unknown; success: boolean; errors: { code: number; message: string }[] };
+    if (!result2.success) {
+        throw new Error(`Cloudflare call failed: ${result2.errors.map(x => x.message).join(", ")}`);
+    }
+    return result2.result as T;
+}
+
+
+/*
+async function setRecord(googleDns: googleCloud.DNS, zone: googleCloud.Zone, type: string, key: string, value: unknown) {
+    let recordsResponse = await zone.getRecords();
+    let prevValue = recordsResponse[0].filter(x => x.metadata.name === key && x.type === type);
+
+    // NOTE: It seems like the data is ALWAYS an array, even if we set a value? So... just assume it is an array,
+    //  and take the first entry. If we ever need to actually support arrays this will change, but... I don't
+    //  think we will...
+    if (prevValue.some(x => JSON.stringify((x.data as any)?.[0]) === JSON.stringify(value))) {
+        console.log(`Record already set, (${type} ${zone.metadata.dnsName}) ${key} === ${JSON.stringify(value)}`);
+        return;
+    }
+
+    for (let record of prevValue) {
+        console.log(`Deleting record (${type} ${zone.metadata.dnsName}) ${key} = ${JSON.stringify(record.data)}`);
+        await record.delete();
+    }
+
+    console.log((`Setting record (${type} in ${zone.metadata.dnsName}) ${key} = ${JSON.stringify(value)}`));
+    const TTL = DNS_TTLSeconds[type as "A"] || 60;
+    await zone.addRecords(zone.record(type, {
+        name: key,
+        data: value as any,
+        ttl: TTL,
+    }));
+
+    // Wait for the record to propagate
+    await delay(TTL * 1000 * 2);
+}
+*/

package/src/-b-authorities/emailAuthority.ts

@@ -0,0 +1,57 @@
+import fs from "fs";
+import os from "os";
+import { lazy } from "socket-function/src/caching";
+import { isNode } from "socket-function/src/misc";
+import sendGrid from "@sendgrid/mail";
+import { addRecord } from "./dnsAuthority";
+import debugbreak from "debugbreak";
+import { getStorageDir } from "../fs";
+import { red } from "socket-function/src/formatting/logColors";
+
+let sendGridPath = lazy(() => {
+    return getStorageDir() + "sendgrid.txt";
+});
+
+export const hasEmailSendPermissions = lazy(() => {
+    if (!isNode()) return undefined;
+    let path = sendGridPath();
+    if (!fs.existsSync(path)) return undefined;
+    let sendGridKey = fs.readFileSync(path, "utf8");
+    sendGrid.setApiKey(sendGridKey);
+    return sendGrid;
+});
+
+export async function sendEmail(config: {
+    from: string;
+    to: string[];
+    subject: string;
+    html: string;
+}) {
+    console.log(red(`!!! Sending email to ${config.to.join(", ")}, from ${config.from}, subject: ${JSON.stringify(config.subject)}`));
+    const sendGrid = hasEmailSendPermissions();
+    if (!sendGrid) {
+        throw new Error(`Sendgrid get not found at ${sendGridPath()}`);
+    }
+    await sendGrid.send(config);
+}
+
+// NOTE: Sending SMTP yourself is actually easy, but... the port will be blocked by all ISPs, and many
+//  hosting providing, including digital ocean. So... we're just going to have to use a service to do it...
+// SPF
+//  - Just adding a DNS entry for our IP?
+//  Ah, so... add a TXT record to point to a subdomain
+//  - Ex: "v=spf1 redirect=_spf.google.com"
+//      - With the subdomain record looking like: "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 -all"
+//          - Maybe ~all, but, -all seems safer?
+//  - This just makes it easier to update the record, as the redirect will be constant,
+//      and then the subdomain value can be clobbered every time (as it will only have 1 TXT record)
+// DKIM
+//  - Public key published in DNS
+//      - Under [selector]._domainkey.[domain]
+//          - Where selector is specified in the email
+//      - And then we sign the email, and pass the signature with it (somehow)
+// DMARC
+//  - A DNS entry specifying that we are using SPF and DKIM
+//      - Fairly simple, even constant, but I'm not sure why I can't see it in gmail.com or perspectanalytics.com
+//          TXT records. Oh well, we can probably just publish it ourselves
+//      - https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/

package/src/-c-identity/IdentityController.ts

@@ -0,0 +1,200 @@
+/**
+ *      Allows clients to set their certificate, as long as it meets our strict schema requirements.
+ *      - Our requirements ensure that even though the certificates are self signed, they can't
+ *          be impersonated by other users (because their common name contains their public key).
+ */
+
+import debugbreak from "debugbreak";
+import { SocketFunction } from "socket-function/SocketFunction";
+import { CallerContext } from "socket-function/SocketFunctionTypes";
+import { cache, lazy } from "socket-function/src/caching";
+import { getClientNodeId, getNodeId, getNodeIdDomain, getNodeIdIP, getNodeIdLocation, isClientNodeId } from "socket-function/src/nodeCache";
+import { getCommonName, getIdentityCA, getMachineId, getPublicIdentifier, getThreadKeyCert, parseCert, sign, validateCertificate, verify } from "../-a-auth/certs";
+import { getShortNumber } from "../bits";
+import { measureFnc, measureWrap } from "socket-function/src/profiling/measure";
+import { timeoutToError } from "../errors";
+import { delay } from "socket-function/src/batching";
+
+let callerInfo = new Map<CallerContext, {
+    reconnectNodeId: string | undefined;
+    machineId: string;
+    cert: CertInfo;
+    pubKey: Buffer;
+    pubKeyShort: number;
+}>();
+const callerInfoErrorString = `Internal error, caller did not updated their identity. Is this an HTTPS call (instead of a websocket call)? The caller should import the server controller, which imports this function, which will add a client hook to always update the identity`;
+
+/** Gets the nodeId of the caller suitable for reconnecting (to the same process).
+ *  - Also useful for logs, to identify a node on the network.
+ *  - Is global, so can be passed between nodes (although, the chance of the other process
+ *      staying alive for a long period of time is low).
+*/
+export function IdentityController_getReconnectNodeId(callerContext: CallerContext, allowUndefined?: "allowUndefined"): string | undefined {
+    if (!isClientNodeId(callerContext.nodeId)) {
+        return callerContext.nodeId;
+    }
+    let info = callerInfo.get(callerContext);
+    if (!info) {
+        if (allowUndefined) return undefined;
+        throw new Error(callerInfoErrorString);
+    }
+    return info.reconnectNodeId;
+}
+export function IdentityController_getReconnectNodeIdAssert(callerContext: CallerContext): string {
+    if (!isClientNodeId(callerContext.nodeId)) {
+        return callerContext.nodeId;
+    }
+    let reconnectId = IdentityController_getReconnectNodeId(callerContext);
+    if (!reconnectId) throw new Error(`Caller did not mount before connecting. This call requires the caller to be listening.`);
+    return reconnectId;
+}
+export function IdentityController_getSecureIP(callerContext: CallerContext): string {
+    return getNodeIdIP(callerContext.nodeId);
+}
+export function IdentityController_getCurrentReconnectNodeIdAssert(): string {
+    return IdentityController_getReconnectNodeIdAssert(SocketFunction.getCaller());
+}
+export function IdentityController_getCurrentReconnectNodeId(): string | undefined {
+    return IdentityController_getReconnectNodeId(SocketFunction.getCaller());
+}
+
+export function debugNodeId(nodeId: string) {
+    let info = Array.from(callerInfo.entries()).find(x => x[0].nodeId === nodeId);
+    return info?.[1].reconnectNodeId || nodeId;
+};
+(globalThis as any).debugNodeId = debugNodeId;
+
+/** Gets the nodeId of the machine, which should be consistent. When deciding to trust a node
+ *      this should be used instead of the reconnectId (otherwise you will have to trust
+ *      every single process individually, which will take forever!)
+ */
+export function IdentityController_getMachineId(callerContext: CallerContext, allowEmpty?: "allowEmpty"): string {
+    let location = getNodeIdLocation(callerContext.nodeId);
+    if (location) {
+        return getMachineId(location.address);
+    }
+    let info = callerInfo.get(callerContext);
+    if (!info) {
+        if (allowEmpty) return "";
+        throw new Error(callerInfoErrorString);
+    }
+    return info.machineId;
+}
+
+export type CertInfo = { certPEM: Buffer | string; issuerPEM: Buffer | string; };
+export function IdentityController_getCertInfo(callerContext: CallerContext): CertInfo {
+    let info = callerInfo.get(callerContext);
+    if (!info) throw new Error(callerInfoErrorString);
+    return info.cert;
+}
+
+export function IdentityController_getPubKeyShort(callerContext: CallerContext): number {
+    let info = callerInfo.get(callerContext);
+    if (!info) throw new Error(callerInfoErrorString);
+    return info.pubKeyShort;
+}
+export const IdentityController_getOwnPubKeyShort = lazy((): number => {
+    let cert = getThreadKeyCert();
+    let pubKey = getPublicIdentifier(cert.cert);
+    return getShortNumber(pubKey);
+});
+
+export interface ChangeIdentityPayload {
+    time: number;
+    cert: string;
+    certIssuer: string;
+    serverId: string;
+    mountedPort: number | undefined;
+}
+class IdentityControllerBase {
+    // IMPORTANT! We HAVE to call changeIdentity NOT JUST because we can't use peer certificates in the browser, BUT, also
+    //  because this removes the need to load peer certificates into the trust store. This greatly simplifies
+    //  a lot of the trust system and the trust call order, allowing us to use connections to determine
+    //  if we want to trust a node (instead of having to trust a node before it can connect to us, because
+    //  NodeJS will throw/ignore the peer cert if it isn't trusted).
+    @measureFnc
+    public async changeIdentity(signature: string, payload: ChangeIdentityPayload) {
+        const caller = SocketFunction.getCaller();
+        // Verify it wasn't signed too long ago (to make signature stealing WAY more difficult).
+        const signedThreshold = Date.now() - 1000 * 30;
+        if (payload.time < signedThreshold) {
+            throw new Error(`Signed payload too old, ${payload.time} < ${signedThreshold} from ${caller.localNodeId} (${caller.nodeId})`);
+        }
+
+        // Verify the signature is meant for us, otherwise any other site can hijack the login!
+        //  (We don't have to worry about other servers on the same domain, as all servers
+        //      on the same domain should be the same!)
+        let localNodeId = caller.localNodeId;
+        if (payload.serverId !== localNodeId) {
+            throw new Error(`Identity is for another server! The connection is calling us ${localNodeId}, but signature is for ${payload.serverId}`);
+        }
+
+        // Verify the caller can sign as the cert
+        verify(payload.cert, signature, payload);
+
+        // Verify we even trust the issuer/cert pair
+        validateCertificate(payload.cert, payload.certIssuer);
+
+        let reconnectNodeId: string | undefined;
+        if (payload.mountedPort) {
+            // NOTE: We use the common name, and not getNodeIdIP... because anything connecting will need
+            //  to use HTTPS, so connecting over the IP won't work! (unless they turn off certificate validation,
+            //  which we shouldn't do...)
+            reconnectNodeId = getNodeId(getCommonName(payload.cert), payload.mountedPort);
+        }
+
+        let pubKey = getPublicIdentifier(payload.cert);
+
+        callerInfo.set(caller, {
+            cert: { certPEM: payload.cert, issuerPEM: payload.certIssuer },
+            machineId: getCommonName(payload.certIssuer),
+            reconnectNodeId,
+            pubKey,
+            pubKeyShort: getShortNumber(pubKey),
+        });
+    }
+}
+
+const IdentityController = SocketFunction.register(
+    "IdentityController-4a1b77d7-2825-433e-a27c-e2b8a2e74457",
+    new IdentityControllerBase(),
+    () => ({
+        changeIdentity: {
+            // If we use hooks here, it can cause an infinite loop (which SocketFunction just turns into
+            //  a deadlock). So... we just don't use any hooks for this call.
+            // Actually.. I think we were seeing a different issue. And client hooks are required,
+            //  so we can trust the remote cert correctly.
+            // noClientHooks: true,
+            // noDefaultHooks: true,
+        },
+    })
+);
+
+const changeIdentityOnce = cache(measureWrap(async function changeIdentityOnce(connectionId: { nodeId: string }) {
+    let nodeId = connectionId.nodeId;
+    let threadKeyCert = getThreadKeyCert();
+    let issuer = getIdentityCA();
+    let payload: ChangeIdentityPayload = {
+        time: Date.now(),
+        serverId: nodeId,
+        cert: threadKeyCert.cert.toString(),
+        certIssuer: issuer.cert.toString(),
+        mountedPort: getNodeIdLocation(SocketFunction.mountedNodeId)?.port,
+    };
+    let signature = sign(threadKeyCert, payload);
+    await measureWrap(async function callChangeIdentity() {
+        await timeoutToError(
+            10 * 1000,
+            IdentityController.nodes[nodeId].changeIdentity(signature, payload),
+            () => new Error(`Timeout calling changeIdentity for ${nodeId}`)
+        );
+    }, `callChangeIdentity|${nodeId}`)();
+}));
+SocketFunction.addGlobalClientHook(async function identityHook(context) {
+    if (context.call.classGuid === IdentityController._classGuid) return;
+    // If we are talking to a client they should already know who we are (they established the connection!)
+    if (isClientNodeId(context.call.nodeId)) {
+        return;
+    }
+    await changeIdentityOnce(context.connectionId);
+});

package/src/-d-trust/NetworkTrust2.ts

@@ -0,0 +1,150 @@
+import { measureWrap } from "socket-function/src/profiling/measure";
+import { getCommonName, getIdentityCA, getMachineId, getOwnMachineId } from "../-a-auth/certs";
+import { getArchives } from "../-a-archives/archives";
+import { isNode, timeInSecond } from "socket-function/src/misc";
+import { SocketFunctionHook } from "socket-function/SocketFunctionTypes";
+import { SocketFunction } from "socket-function/SocketFunction";
+import { IdentityController_getMachineId } from "../-c-identity/IdentityController";
+import { cache, lazy } from "socket-function/src/caching";
+import { getNodeIdDomainMaybeUndefined, getNodeIdLocation } from "socket-function/src/nodeCache";
+import { trustCertificate } from "socket-function/src/certStore";
+import { isClient, isServer } from "../config2";
+import debugbreak from "debugbreak";
+import { devDebugbreak, getDomain, isDevDebugbreak } from "../config";
+
+// Cache the untrust list, to prevent bugs from causing too many backend reads (while also allowing
+//  bad servers which make request before their trust is verified from staying broken).
+const UNTRUST_CACHE_TIME = 30 * timeInSecond;
+
+const archives = lazy(() => getArchives("trust/"));
+
+export const requiresNetworkTrustHook: SocketFunctionHook = async config => {
+    // HACK: On the clientside we strip the domain process and machine id, so we can no longer determine
+    //  who it is. So... we trust anyone. This isn't so bad, as:
+    //  1) They have to at least have an HTTPS certificate, which... most nodes should have?
+    //  2) We only really talk to nodes we discovery, and only network trusted nodes can register themselves,
+    //      so... they are probably already trusted.
+    //  ALSO, if in NodeJS, but acting as a client, we only connect to remote servers via
+    //      HTTPS, so we know we can trust them, as their certificates are verified.
+    //      - Also, if we are a client we don't really have any privileged data, except
+    //          the data we send servers, which we explicitly connect to.
+    // NOTE: This also exists in isTrusted.
+    if (isClient()) {
+        return;
+    }
+    let machineId = IdentityController_getMachineId(SocketFunction.getCaller());
+    let trusted = await isTrusted(machineId);
+    if (!trusted) {
+        devDebugbreak();
+        throw new Error(`Calling machine is not trusted. Caller ${machineId} is not trusted by ${SocketFunction.mountedNodeId} to make call ${config.call.classGuid}.${config.call.functionName}. To gain trust add backblaze permissions (see hasBackblazePermissions) or set --nonetwork.`);
+    }
+};
+export const assertIsNetworkTrusted = requiresNetworkTrustHook;
+
+
+let trustedCache = new Set<string>();
+let untrustedCache = new Map<string, number>();
+export async function isTrusted(machineId: string) {
+    // See the comment in requiresNetworkTrustHook for why clients have to trust all callers.
+    if (isClient()) return true;
+
+    if (trustedCache.has(machineId)) {
+        return true;
+    }
+    let untrustedTime = untrustedCache.get(machineId);
+    if (untrustedTime !== undefined && untrustedTime > Date.now()) {
+        return false;
+    }
+
+    // Find is faster than get, and usually we don't need the full certificate
+    let trustedMachineIds = await archives().find("");
+    // Always trust ourself
+    trustedMachineIds.push(getOwnMachineId());
+    // IF developing, trust localhost. This allows us to develop without port forwards,
+    //  on our services, which is INCREASES security, and prevents dev machines from being
+    //  connected to by attackers (as dev machines might reveal unfinished content, or even
+    //  have security vulnerabilities).
+    if (isDevDebugbreak()) {
+        trustedMachineIds.push("127-0-0-1." + getDomain());
+    }
+
+    // NOTE: This should be safe from collisions with existing files, because... while there might be a metadata
+    //  file which exists, it will never also be a valid hash/public key, which machineId will always be.
+    for (let trustedMachineId of trustedMachineIds) {
+        trustedCache.add(trustedMachineId);
+    }
+
+    if (!trustedCache.has(machineId)) {
+        untrustedCache.set(machineId, Date.now() + UNTRUST_CACHE_TIME);
+        return false;
+    } else {
+        return true;
+    }
+}
+
+export async function isNodeTrusted(nodeId: string) {
+    let domainName = getNodeIdDomainMaybeUndefined(nodeId);
+    if (!domainName) return false;
+    let machineId = getMachineId(domainName);
+    return await isTrusted(machineId);
+}
+
+const loadServerCert = cache(async (machineId: string) => {
+    // This cert isn't stored in the archives, but... this is fine?
+    if (machineId === "127-0-0-1." + getDomain()) return;
+    let certFile = await archives().get(machineId);
+    if (!certFile) {
+        console.warn(`Could not find certificate in archives for ${machineId}`);
+        return;
+    }
+    trustCertificate(certFile);
+});
+
+const ensureWeAreTrusted = lazy(measureWrap(async () => {
+    let machineKeyCert = getIdentityCA();
+    let machineId = getCommonName(machineKeyCert.cert);
+    let inArchives = await archives().get(machineId);
+    if (!inArchives) {
+        await archives().set(machineId, machineKeyCert.cert);
+    }
+}));
+
+export const isTrustedByNode = cache(async function isTrustedByNode(nodeId: string) {
+    return await TrustedController.nodes[nodeId].isTrusted();
+});
+
+class IsTrustedControllerBase {
+    public async isTrusted() {
+        return await isTrusted(IdentityController_getMachineId(SocketFunction.getCaller()));
+    }
+}
+
+const TrustedController = SocketFunction.register(
+    "IsTrustedController-5d0b8a77-f5f7-4584-96f4-9cd88ce5d59a",
+    new IsTrustedControllerBase(),
+    () => ({
+        isTrusted: {},
+    })
+);
+
+
+if (isNode()) {
+
+    // We have to be trusted if we make calls to a trusted endpoint, OR our mounting
+    //  (really only if we are mounting a trusted endpoint, but we don't actually know that)
+    requiresNetworkTrustHook.clientHook = async config => {
+        await ensureWeAreTrusted();
+    };
+
+    // Load the remote certificate, in the almost certain case it isn't a real certificate, and is just internal
+    SocketFunction.addGlobalClientHook(async config => {
+        await ensureWeAreTrusted();
+        let location = getNodeIdLocation(config.call.nodeId);
+        if (location) {
+            let machineId = getMachineId(location.address);
+            if (await isTrusted(machineId)) {
+                await loadServerCert(machineId);
+            }
+        }
+    });
+}