yakmesh 2.8.2 → 3.0.0

package/mesh/sherpa-discovery.js

@@ -22,6 +22,7 @@
 import { sha3_256 } from '@noble/hashes/sha3.js';
 import { bytesToHex, randomBytes, utf8ToBytes } from '@noble/hashes/utils.js';
 import { EventEmitter } from 'events';
+const peerTag = (id) => id?.split('-pq-').pop() || id?.slice?.(-8) || String(id);
 
 // v2.7.0 Ternary Math Integration (TRIBHUJ)
 import { Trit, TritState, calculatePathBalance, POSITIVE, NEUTRAL, NEGATIVE } from '../oracle/tribhuj.js';
@@ -257,6 +258,11 @@ class BeaconMessage {
     this.timestamp = options.timestamp || Date.now();
     this.ttl = options.ttl || 3600;  // 1 hour default TTL
     
+    // Explicit reachable endpoints (override auto-constructed from ports)
+    // These let nodes behind firewalls/NAT advertise their actual connectable URLs
+    this.wsEndpoint = options.wsEndpoint || null;       // e.g., "wss://mesh.yakmesh.dev"
+    this.relayEndpoint = options.relayEndpoint || null;  // e.g., "https://yakmesh.dev/mesh/relay"
+
     // Node capabilities
     this.capabilities = {
       wsPort: options.wsPort || null,
@@ -336,6 +342,7 @@ class BeaconMessage {
       nodeId: peerInfo.nodeId,
       endpoint: peerInfo.endpoint,        // e.g., "https://example.com"
       wsEndpoint: peerInfo.wsEndpoint,    // e.g., "wss://example.com:9001"
+      relayEndpoint: peerInfo.relayEndpoint || null,  // e.g., "https://example.com/mesh/relay"
       lastSeen: peerInfo.lastSeen || Date.now(),
       score: peerInfo.score || 1.0,
       networkName: peerInfo.networkName,
@@ -363,7 +370,7 @@ class BeaconMessage {
    * Serialize beacon for HTTP response
    */
   serialize() {
-    return {
+    const data = {
       version: this.version,
       nodeId: this.nodeId,
       networkName: this.networkName,
@@ -376,6 +383,12 @@ class BeaconMessage {
       publicKey: this.publicKey,
       signature: this.signature,
     };
+
+    // Include explicit endpoints if configured (firewall/NAT traversal)
+    if (this.wsEndpoint) data.wsEndpoint = this.wsEndpoint;
+    if (this.relayEndpoint) data.relayEndpoint = this.relayEndpoint;
+
+    return data;
   }
 
   /**
@@ -390,6 +403,9 @@ class BeaconMessage {
       capabilities: this.capabilities,
       geo: this.geo,          // v2.5.0 include geo in signature
       namche: this.namche,    // Include NAMCHE in signature
+      // Include endpoints in signature to prevent tampering
+      wsEndpoint: this.wsEndpoint || undefined,
+      relayEndpoint: this.relayEndpoint || undefined,
     });
   }
 
@@ -402,6 +418,9 @@ class BeaconMessage {
       networkName: data.networkName,
       timestamp: data.timestamp,
       ttl: data.ttl,
+      // Explicit reachable endpoints (must match what was signed)
+      wsEndpoint: data.wsEndpoint || null,
+      relayEndpoint: data.relayEndpoint || null,
       wsPort: data.capabilities?.wsPort,
       httpPort: data.capabilities?.httpPort,
       supportsAnnex: data.capabilities?.supportsAnnex,
@@ -466,6 +485,8 @@ class PeerRegistry {
       // Update existing peer
       existing.endpoint = peerInfo.endpoint || existing.endpoint;
       existing.wsEndpoint = peerInfo.wsEndpoint || existing.wsEndpoint;
+      existing.relayEndpoint = peerInfo.relayEndpoint || existing.relayEndpoint;
+      existing.publicKey = peerInfo.publicKey || existing.publicKey;
       existing.lastSeen = Math.max(existing.lastSeen, peerInfo.lastSeen || Date.now());
       existing.score = Math.min(1.0, existing.score + SHERPA_CONFIG.successBonus);
       existing.capabilities = peerInfo.capabilities || existing.capabilities;
@@ -479,6 +500,8 @@ class PeerRegistry {
         nodeId: peerInfo.nodeId,
         endpoint: peerInfo.endpoint,
         wsEndpoint: peerInfo.wsEndpoint,
+        relayEndpoint: peerInfo.relayEndpoint || null,
+        publicKey: peerInfo.publicKey || null,
         lastSeen: peerInfo.lastSeen || Date.now(),
         score: peerInfo.score || 1.0,
         networkName: peerInfo.networkName,
@@ -595,6 +618,7 @@ class SherpaDiscovery extends EventEmitter {
     // Our own endpoint info
     this.selfEndpoint = options.selfEndpoint || null;  // e.g., "https://mynode.com"
     this.wsEndpoint = options.wsEndpoint || null;
+    this.relayEndpoint = options.relayEndpoint || null;  // e.g., "https://mynode.com/mesh/relay"
     this.capabilities = options.capabilities || {};
     
     // v2.5.0 Geographic proof configuration
@@ -688,6 +712,9 @@ class SherpaDiscovery extends EventEmitter {
       supportsNakpak: this.capabilities.supportsNakpak ?? true,
       supportsGossip: this.capabilities.supportsGossip ?? true,
       publicKey: this.publicKey,
+      // Explicit reachable endpoints (firewall/NAT traversal)
+      wsEndpoint: this.wsEndpoint,
+      relayEndpoint: this.relayEndpoint,
       // v2.5.0 Geographic coordinates (if configured)
       supportsGeoProof: this.geoConfig.enabled,
       geoLat: this.geoConfig.lat,
@@ -745,12 +772,16 @@ class SherpaDiscovery extends EventEmitter {
             
             // Add the beacon source as a peer
             if (beacon.nodeId && beacon.nodeId !== this.nodeId) {
+              // Prefer explicit wsEndpoint from beacon (firewall/NAT aware)
+              // Fall back to auto-constructed from hostname:wsPort
+              const autoWsEndpoint = beacon.capabilities?.wsPort 
+                  ? `wss://${new URL(endpoint).hostname}:${beacon.capabilities.wsPort}`
+                  : null;
               this.registry.upsert({
                 nodeId: beacon.nodeId,
                 endpoint: endpoint,
-                wsEndpoint: beacon.capabilities?.wsPort 
-                  ? `wss://${new URL(endpoint).hostname}:${beacon.capabilities.wsPort}`
-                  : null,
+                wsEndpoint: beacon.wsEndpoint || autoWsEndpoint,
+                relayEndpoint: beacon.relayEndpoint || null,
                 networkName: beacon.networkName,
                 capabilities: beacon.capabilities,
               });
@@ -769,6 +800,7 @@ class SherpaDiscovery extends EventEmitter {
                   nodeId: peer.nodeId,
                   endpoint: peer.endpoint,
                   wsEndpoint: peer.wsEndpoint,
+                  relayEndpoint: peer.relayEndpoint,
                   networkName: peer.networkName,
                   lastSeen: peer.lastSeen,
                 });
@@ -807,7 +839,54 @@ class SherpaDiscovery extends EventEmitter {
    * v2.5.0: Also measures RTT for geographic proof
    */
   async _fetchBeacon(endpoint) {
-    const url = new URL(SHERPA_CONFIG.beaconPath, endpoint).toString();
+    // ── SSRF Protection: Validate endpoint URL before fetching ──
+    // Peer-supplied endpoints could target internal services, cloud metadata,
+    // or private networks. Block anything that isn't public HTTP(S).
+    let parsedUrl;
+    try {
+      parsedUrl = new URL(SHERPA_CONFIG.beaconPath, endpoint);
+    } catch {
+      throw new Error(`Invalid beacon endpoint URL: ${endpoint}`);
+    }
+
+    // Only allow HTTP and HTTPS schemes
+    if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+      throw new Error(`Blocked beacon fetch: disallowed scheme ${parsedUrl.protocol}`);
+    }
+
+    // Block private/reserved IP ranges and cloud metadata endpoints
+    const hostname = parsedUrl.hostname.toLowerCase();
+    const BLOCKED_HOSTS = [
+      'localhost', '127.0.0.1', '::1', '[::1]', '0.0.0.0',
+      '169.254.169.254',       // AWS/GCP/Azure metadata
+      'metadata.google.internal',
+      'metadata.google',
+    ];
+    if (BLOCKED_HOSTS.includes(hostname)) {
+      throw new Error(`Blocked beacon fetch: reserved host ${hostname}`);
+    }
+
+    // Block private IP ranges: 10.x, 172.16-31.x, 192.168.x, fc00::/7, fe80::/10
+    const ipv4Match = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+    if (ipv4Match) {
+      const [, a, b] = ipv4Match.map(Number);
+      if (a === 10 ||                           // 10.0.0.0/8
+          (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
+          (a === 192 && b === 168) ||            // 192.168.0.0/16
+          a === 127 ||                           // 127.0.0.0/8
+          a === 0 ||                             // 0.0.0.0/8
+          (a === 169 && b === 254)) {            // 169.254.0.0/16 (link-local)
+        throw new Error(`Blocked beacon fetch: private IP ${hostname}`);
+      }
+    }
+
+    // Block IPv6 private: starts with fc, fd, or fe80
+    const bareV6 = hostname.replace(/^\[|\]$/g, '');
+    if (bareV6.startsWith('fc') || bareV6.startsWith('fd') || bareV6.startsWith('fe80')) {
+      throw new Error(`Blocked beacon fetch: private IPv6 ${hostname}`);
+    }
+
+    const url = parsedUrl.toString();
     
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), SHERPA_CONFIG.crawlTimeout);
@@ -877,14 +956,16 @@ class SherpaDiscovery extends EventEmitter {
   }
 
   /**
-   * Get connection candidates for mesh networking
+   * Get connection candidates for mesh networking.
+   * Returns peers that have either a wsEndpoint or relayEndpoint.
    */
   getConnectionCandidates(count = 5) {
     return this.registry.getBestPeers(count)
-      .filter(p => p.wsEndpoint)
+      .filter(p => p.wsEndpoint || p.relayEndpoint)
       .map(p => ({
         nodeId: p.nodeId,
         wsEndpoint: p.wsEndpoint,
+        relayEndpoint: p.relayEndpoint || null,
         score: p.score,
       }));
   }
@@ -979,7 +1060,7 @@ class SherpaDiscovery extends EventEmitter {
           beacon.geo.lat,
           beacon.geo.lon,
           {
-            name: beacon.geo.name || `SHERPA Beacon ${beacon.nodeId.slice(0, 8)}`,
+            name: beacon.geo.name || `SHERPA Beacon ${peerTag(beacon.nodeId)}`,
             endpoint: beacon._endpoint,
             timeTier: beacon.geo.timeTier,
             accuracyKm: beacon.geo.accuracyKm,

package/mesh/sybil-defense.js

@@ -1,11 +1,20 @@
 /**
  * Sybil Attack Protection Module
+ * 
+ * Uses TRIBHUJ balanced ternary for connection evaluation:
+ *   POSITIVE (+1): Accept — node is trusted or verified
+ *   NEUTRAL  ( 0): Challenge — node must prove itself (NAVR required)
+ *   NEGATIVE (-1): Reject — node is banned or subnet saturated
+ * 
  * @module mesh/sybil-defense.js
  */
 
 import { sha3_256 } from '@noble/hashes/sha3.js';
 import { bytesToHex, utf8ToBytes } from '@noble/hashes/utils.js';
 
+// ═══ TRIBHUJ — Balanced ternary for connection decisions ═══
+import { POSITIVE, NEUTRAL, NEGATIVE } from '../oracle/tribhuj.js';
+
 export class NAVR {
   constructor(options = {}) {
     this.difficulty = options.difficulty || 16;
@@ -125,16 +134,21 @@ export class SybilDefense {
     this.diversity = new SubnetDiversity(options.diversity || {});
   }
 
+  /**
+   * Evaluate a connection request.
+   * Returns `allowed` boolean (backward compat) plus `verdict` trit:
+   *   POSITIVE: accept, NEUTRAL: challenge required, NEGATIVE: reject
+   */
   evaluateConnection(ip, nodeId, NAVRSolution = null) {
     const divCheck = this.diversity.allowConnection(ip);
-    if (!divCheck.allowed) return { allowed: false, reason: divCheck.reason };
+    if (!divCheck.allowed) return { allowed: false, verdict: NEGATIVE, reason: divCheck.reason };
     let record = this.reputation.nodes.get(nodeId);
     if (!record) record = this.reputation.registerNode(nodeId, NAVRSolution);
     const trustLevel = this.reputation.getTrustLevel(nodeId);
-    if (trustLevel === 'banned') return { allowed: false, reason: 'Node is banned' };
-    if (trustLevel === 'unknown' && !NAVRSolution) return { allowed: false, reason: 'NAVR required', challenge: this.NAVR.createChallenge(nodeId) };
+    if (trustLevel === 'banned') return { allowed: false, verdict: NEGATIVE, reason: 'Node is banned' };
+    if (trustLevel === 'unknown' && !NAVRSolution) return { allowed: false, verdict: NEUTRAL, reason: 'NAVR required', challenge: this.NAVR.createChallenge(nodeId) };
     this.diversity.addConnection(ip, nodeId);
-    return { allowed: true, trustLevel, reputation: record.reputation };
+    return { allowed: true, verdict: POSITIVE, trustLevel, reputation: record.reputation };
   }
 
   reportMessage(nodeId, valid) {
@@ -148,4 +162,4 @@ export class SybilDefense {
 }
 
 export default SybilDefense;
-
+

package/mesh/temporal-encoder.js

@@ -20,7 +20,8 @@
  * @copyright 2026 YAKMESH™ Contributors
  */
 
-import { randomBytes, createHash } from 'crypto';
+import { createHash } from 'crypto';
+import { ternaryId } from '../utils/ternary-id.js';
 
 const TME_CONFIG = {
   defaultSliceIntervalNs: 50_000_000,
@@ -112,7 +113,7 @@ class TemporalStream {
   }
 
   _generateStreamId() {
-    return randomBytes(16).toString('hex');
+    return ternaryId(16);
   }
 
   encode(message, meshPosition = [0, 0, 0]) {
@@ -287,7 +288,7 @@ class TemporalReconstructor {
 
 class TemporalMeshEncoder {
   constructor(options = {}) {
-    this.nodeId = options.nodeId || randomBytes(16).toString('hex');
+    this.nodeId = options.nodeId || ternaryId(16);
     this.meshPosition = options.meshPosition || [0, 0, 0];
     this.reconstructor = new TemporalReconstructor();
     this.outboundStreams = new Map();