yakmesh 2.9.0 → 3.0.0

package/mesh/sherpa-discovery.js

@@ -22,6 +22,7 @@
 import { sha3_256 } from '@noble/hashes/sha3.js';
 import { bytesToHex, randomBytes, utf8ToBytes } from '@noble/hashes/utils.js';
 import { EventEmitter } from 'events';
+const peerTag = (id) => id?.split('-pq-').pop() || id?.slice?.(-8) || String(id);
 
 // v2.7.0 Ternary Math Integration (TRIBHUJ)
 import { Trit, TritState, calculatePathBalance, POSITIVE, NEUTRAL, NEGATIVE } from '../oracle/tribhuj.js';
@@ -257,6 +258,11 @@ class BeaconMessage {
     this.timestamp = options.timestamp || Date.now();
     this.ttl = options.ttl || 3600;  // 1 hour default TTL
     
+    // Explicit reachable endpoints (override auto-constructed from ports)
+    // These let nodes behind firewalls/NAT advertise their actual connectable URLs
+    this.wsEndpoint = options.wsEndpoint || null;       // e.g., "wss://mesh.yakmesh.dev"
+    this.relayEndpoint = options.relayEndpoint || null;  // e.g., "https://yakmesh.dev/mesh/relay"
+
     // Node capabilities
     this.capabilities = {
       wsPort: options.wsPort || null,
@@ -336,6 +342,7 @@ class BeaconMessage {
       nodeId: peerInfo.nodeId,
       endpoint: peerInfo.endpoint,        // e.g., "https://example.com"
       wsEndpoint: peerInfo.wsEndpoint,    // e.g., "wss://example.com:9001"
+      relayEndpoint: peerInfo.relayEndpoint || null,  // e.g., "https://example.com/mesh/relay"
       lastSeen: peerInfo.lastSeen || Date.now(),
       score: peerInfo.score || 1.0,
       networkName: peerInfo.networkName,
@@ -363,7 +370,7 @@ class BeaconMessage {
    * Serialize beacon for HTTP response
    */
   serialize() {
-    return {
+    const data = {
       version: this.version,
       nodeId: this.nodeId,
       networkName: this.networkName,
@@ -376,6 +383,12 @@ class BeaconMessage {
       publicKey: this.publicKey,
       signature: this.signature,
     };
+
+    // Include explicit endpoints if configured (firewall/NAT traversal)
+    if (this.wsEndpoint) data.wsEndpoint = this.wsEndpoint;
+    if (this.relayEndpoint) data.relayEndpoint = this.relayEndpoint;
+
+    return data;
   }
 
   /**
@@ -390,6 +403,9 @@ class BeaconMessage {
       capabilities: this.capabilities,
       geo: this.geo,          // v2.5.0 include geo in signature
       namche: this.namche,    // Include NAMCHE in signature
+      // Include endpoints in signature to prevent tampering
+      wsEndpoint: this.wsEndpoint || undefined,
+      relayEndpoint: this.relayEndpoint || undefined,
     });
   }
 
@@ -402,6 +418,9 @@ class BeaconMessage {
       networkName: data.networkName,
       timestamp: data.timestamp,
       ttl: data.ttl,
+      // Explicit reachable endpoints (must match what was signed)
+      wsEndpoint: data.wsEndpoint || null,
+      relayEndpoint: data.relayEndpoint || null,
       wsPort: data.capabilities?.wsPort,
       httpPort: data.capabilities?.httpPort,
       supportsAnnex: data.capabilities?.supportsAnnex,
@@ -466,6 +485,8 @@ class PeerRegistry {
       // Update existing peer
       existing.endpoint = peerInfo.endpoint || existing.endpoint;
       existing.wsEndpoint = peerInfo.wsEndpoint || existing.wsEndpoint;
+      existing.relayEndpoint = peerInfo.relayEndpoint || existing.relayEndpoint;
+      existing.publicKey = peerInfo.publicKey || existing.publicKey;
       existing.lastSeen = Math.max(existing.lastSeen, peerInfo.lastSeen || Date.now());
       existing.score = Math.min(1.0, existing.score + SHERPA_CONFIG.successBonus);
       existing.capabilities = peerInfo.capabilities || existing.capabilities;
@@ -479,6 +500,8 @@ class PeerRegistry {
         nodeId: peerInfo.nodeId,
         endpoint: peerInfo.endpoint,
         wsEndpoint: peerInfo.wsEndpoint,
+        relayEndpoint: peerInfo.relayEndpoint || null,
+        publicKey: peerInfo.publicKey || null,
         lastSeen: peerInfo.lastSeen || Date.now(),
         score: peerInfo.score || 1.0,
         networkName: peerInfo.networkName,
@@ -595,6 +618,7 @@ class SherpaDiscovery extends EventEmitter {
     // Our own endpoint info
     this.selfEndpoint = options.selfEndpoint || null;  // e.g., "https://mynode.com"
     this.wsEndpoint = options.wsEndpoint || null;
+    this.relayEndpoint = options.relayEndpoint || null;  // e.g., "https://mynode.com/mesh/relay"
     this.capabilities = options.capabilities || {};
     
     // v2.5.0 Geographic proof configuration
@@ -688,6 +712,9 @@ class SherpaDiscovery extends EventEmitter {
       supportsNakpak: this.capabilities.supportsNakpak ?? true,
       supportsGossip: this.capabilities.supportsGossip ?? true,
       publicKey: this.publicKey,
+      // Explicit reachable endpoints (firewall/NAT traversal)
+      wsEndpoint: this.wsEndpoint,
+      relayEndpoint: this.relayEndpoint,
       // v2.5.0 Geographic coordinates (if configured)
       supportsGeoProof: this.geoConfig.enabled,
       geoLat: this.geoConfig.lat,
@@ -745,12 +772,16 @@ class SherpaDiscovery extends EventEmitter {
             
             // Add the beacon source as a peer
             if (beacon.nodeId && beacon.nodeId !== this.nodeId) {
+              // Prefer explicit wsEndpoint from beacon (firewall/NAT aware)
+              // Fall back to auto-constructed from hostname:wsPort
+              const autoWsEndpoint = beacon.capabilities?.wsPort 
+                  ? `wss://${new URL(endpoint).hostname}:${beacon.capabilities.wsPort}`
+                  : null;
               this.registry.upsert({
                 nodeId: beacon.nodeId,
                 endpoint: endpoint,
-                wsEndpoint: beacon.capabilities?.wsPort 
-                  ? `wss://${new URL(endpoint).hostname}:${beacon.capabilities.wsPort}`
-                  : null,
+                wsEndpoint: beacon.wsEndpoint || autoWsEndpoint,
+                relayEndpoint: beacon.relayEndpoint || null,
                 networkName: beacon.networkName,
                 capabilities: beacon.capabilities,
               });
@@ -769,6 +800,7 @@ class SherpaDiscovery extends EventEmitter {
                   nodeId: peer.nodeId,
                   endpoint: peer.endpoint,
                   wsEndpoint: peer.wsEndpoint,
+                  relayEndpoint: peer.relayEndpoint,
                   networkName: peer.networkName,
                   lastSeen: peer.lastSeen,
                 });
@@ -807,7 +839,54 @@ class SherpaDiscovery extends EventEmitter {
    * v2.5.0: Also measures RTT for geographic proof
    */
   async _fetchBeacon(endpoint) {
-    const url = new URL(SHERPA_CONFIG.beaconPath, endpoint).toString();
+    // ── SSRF Protection: Validate endpoint URL before fetching ──
+    // Peer-supplied endpoints could target internal services, cloud metadata,
+    // or private networks. Block anything that isn't public HTTP(S).
+    let parsedUrl;
+    try {
+      parsedUrl = new URL(SHERPA_CONFIG.beaconPath, endpoint);
+    } catch {
+      throw new Error(`Invalid beacon endpoint URL: ${endpoint}`);
+    }
+
+    // Only allow HTTP and HTTPS schemes
+    if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+      throw new Error(`Blocked beacon fetch: disallowed scheme ${parsedUrl.protocol}`);
+    }
+
+    // Block private/reserved IP ranges and cloud metadata endpoints
+    const hostname = parsedUrl.hostname.toLowerCase();
+    const BLOCKED_HOSTS = [
+      'localhost', '127.0.0.1', '::1', '[::1]', '0.0.0.0',
+      '169.254.169.254',       // AWS/GCP/Azure metadata
+      'metadata.google.internal',
+      'metadata.google',
+    ];
+    if (BLOCKED_HOSTS.includes(hostname)) {
+      throw new Error(`Blocked beacon fetch: reserved host ${hostname}`);
+    }
+
+    // Block private IP ranges: 10.x, 172.16-31.x, 192.168.x, fc00::/7, fe80::/10
+    const ipv4Match = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+    if (ipv4Match) {
+      const [, a, b] = ipv4Match.map(Number);
+      if (a === 10 ||                           // 10.0.0.0/8
+          (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
+          (a === 192 && b === 168) ||            // 192.168.0.0/16
+          a === 127 ||                           // 127.0.0.0/8
+          a === 0 ||                             // 0.0.0.0/8
+          (a === 169 && b === 254)) {            // 169.254.0.0/16 (link-local)
+        throw new Error(`Blocked beacon fetch: private IP ${hostname}`);
+      }
+    }
+
+    // Block IPv6 private: starts with fc, fd, or fe80
+    const bareV6 = hostname.replace(/^\[|\]$/g, '');
+    if (bareV6.startsWith('fc') || bareV6.startsWith('fd') || bareV6.startsWith('fe80')) {
+      throw new Error(`Blocked beacon fetch: private IPv6 ${hostname}`);
+    }
+
+    const url = parsedUrl.toString();
     
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), SHERPA_CONFIG.crawlTimeout);
@@ -877,14 +956,16 @@ class SherpaDiscovery extends EventEmitter {
   }
 
   /**
-   * Get connection candidates for mesh networking
+   * Get connection candidates for mesh networking.
+   * Returns peers that have either a wsEndpoint or relayEndpoint.
    */
   getConnectionCandidates(count = 5) {
     return this.registry.getBestPeers(count)
-      .filter(p => p.wsEndpoint)
+      .filter(p => p.wsEndpoint || p.relayEndpoint)
       .map(p => ({
         nodeId: p.nodeId,
         wsEndpoint: p.wsEndpoint,
+        relayEndpoint: p.relayEndpoint || null,
         score: p.score,
       }));
   }
@@ -979,7 +1060,7 @@ class SherpaDiscovery extends EventEmitter {
           beacon.geo.lat,
           beacon.geo.lon,
           {
-            name: beacon.geo.name || `SHERPA Beacon ${beacon.nodeId.slice(0, 8)}`,
+            name: beacon.geo.name || `SHERPA Beacon ${peerTag(beacon.nodeId)}`,
             endpoint: beacon._endpoint,
             timeTier: beacon.geo.timeTier,
             accuracyKm: beacon.geo.accuracyKm,

package/mesh/sybil-defense.js

@@ -1,11 +1,20 @@
 /**
  * Sybil Attack Protection Module
+ * 
+ * Uses TRIBHUJ balanced ternary for connection evaluation:
+ *   POSITIVE (+1): Accept — node is trusted or verified
+ *   NEUTRAL  ( 0): Challenge — node must prove itself (NAVR required)
+ *   NEGATIVE (-1): Reject — node is banned or subnet saturated
+ * 
  * @module mesh/sybil-defense.js
  */
 
 import { sha3_256 } from '@noble/hashes/sha3.js';
 import { bytesToHex, utf8ToBytes } from '@noble/hashes/utils.js';
 
+// ═══ TRIBHUJ — Balanced ternary for connection decisions ═══
+import { POSITIVE, NEUTRAL, NEGATIVE } from '../oracle/tribhuj.js';
+
 export class NAVR {
   constructor(options = {}) {
     this.difficulty = options.difficulty || 16;
@@ -125,16 +134,21 @@ export class SybilDefense {
     this.diversity = new SubnetDiversity(options.diversity || {});
   }
 
+  /**
+   * Evaluate a connection request.
+   * Returns `allowed` boolean (backward compat) plus `verdict` trit:
+   *   POSITIVE: accept, NEUTRAL: challenge required, NEGATIVE: reject
+   */
   evaluateConnection(ip, nodeId, NAVRSolution = null) {
     const divCheck = this.diversity.allowConnection(ip);
-    if (!divCheck.allowed) return { allowed: false, reason: divCheck.reason };
+    if (!divCheck.allowed) return { allowed: false, verdict: NEGATIVE, reason: divCheck.reason };
     let record = this.reputation.nodes.get(nodeId);
     if (!record) record = this.reputation.registerNode(nodeId, NAVRSolution);
     const trustLevel = this.reputation.getTrustLevel(nodeId);
-    if (trustLevel === 'banned') return { allowed: false, reason: 'Node is banned' };
-    if (trustLevel === 'unknown' && !NAVRSolution) return { allowed: false, reason: 'NAVR required', challenge: this.NAVR.createChallenge(nodeId) };
+    if (trustLevel === 'banned') return { allowed: false, verdict: NEGATIVE, reason: 'Node is banned' };
+    if (trustLevel === 'unknown' && !NAVRSolution) return { allowed: false, verdict: NEUTRAL, reason: 'NAVR required', challenge: this.NAVR.createChallenge(nodeId) };
     this.diversity.addConnection(ip, nodeId);
-    return { allowed: true, trustLevel, reputation: record.reputation };
+    return { allowed: true, verdict: POSITIVE, trustLevel, reputation: record.reputation };
   }
 
   reportMessage(nodeId, valid) {
@@ -148,4 +162,4 @@ export class SybilDefense {
 }
 
 export default SybilDefense;
-
+

package/mesh/temporal-encoder.js

@@ -20,7 +20,8 @@
  * @copyright 2026 YAKMESH™ Contributors
  */
 
-import { randomBytes, createHash } from 'crypto';
+import { createHash } from 'crypto';
+import { ternaryId } from '../utils/ternary-id.js';
 
 const TME_CONFIG = {
   defaultSliceIntervalNs: 50_000_000,
@@ -112,7 +113,7 @@ class TemporalStream {
   }
 
   _generateStreamId() {
-    return randomBytes(16).toString('hex');
+    return ternaryId(16);
   }
 
   encode(message, meshPosition = [0, 0, 0]) {
@@ -287,7 +288,7 @@ class TemporalReconstructor {
 
 class TemporalMeshEncoder {
   constructor(options = {}) {
-    this.nodeId = options.nodeId || randomBytes(16).toString('hex');
+    this.nodeId = options.nodeId || ternaryId(16);
     this.meshPosition = options.meshPosition || [0, 0, 0];
     this.reconstructor = new TemporalReconstructor();
     this.outboundStreams = new Map();

package/mesh/yurt.js

@@ -42,9 +42,11 @@
  */
 
 import { randomBytes, createHash } from 'crypto';
-import { sha3_256 } from '@noble/hashes/sha3.js';
+import { sha3_256 as _nobleSha3 } from '@noble/hashes/sha3.js';
 import { bytesToHex, hexToBytes, utf8ToBytes } from '@noble/hashes/utils.js';
 import { ml_dsa65 } from '@noble/post-quantum/ml-dsa.js';
+// ACCEL: Hardware-accelerated crypto
+import { sha3_256, mlDsa65Sign, mlDsa65Verify } from '../utils/accel.js';
 import { createLogger } from '../utils/logger.js';
 import EventEmitter from 'events';
 
@@ -203,7 +205,8 @@ export class YurtEntry {
    */
   sign(secretKey) {
     const payload = utf8ToBytes(this.getSignablePayload());
-    const signature = ml_dsa65.sign(payload, secretKey);
+    const keyBytes = typeof secretKey === 'string' ? hexToBytes(secretKey) : secretKey;
+    const signature = mlDsa65Sign(payload, keyBytes);
     this.signature = bytesToHex(signature);
     return this;
   }
@@ -221,7 +224,7 @@ export class YurtEntry {
         ? hexToBytes(publicKey) 
         : publicKey;
       
-      return ml_dsa65.verify(signatureBytes, payload, publicKeyBytes);
+      return mlDsa65Verify(signatureBytes, payload, publicKeyBytes);
     } catch (err) {
       log.warn('Signature verification failed', { error: err.message });
       return false;
@@ -718,6 +721,7 @@ export class YurtGossip extends EventEmitter {
     this.directory = directory;
     this.mesh = mesh;
     this.options = options;
+    this.keyResolver = options.keyResolver || null;
     
     // Track what we've sent to avoid duplicate gossip
     this.sentTo = new Map(); // peerId -> { entryId -> timestamp }
@@ -1032,13 +1036,24 @@ export class YurtGossip extends EventEmitter {
   }
   
   /**
-   * Get public key for a node
+   * Get public key for a node — unified resolution cascade
+   *
+   * Resolution order:
+   *   1. Custom publicKeyLookup callback (backwards compat)
+   *   2. KeyResolver (DOKO cache, peers, SHERPA, etc.)
    */
   _getPublicKey(nodeId) {
-    // TODO: Integrate with KHATA
+    // Legacy callback path
     if (this.options.publicKeyLookup) {
-      return this.options.publicKeyLookup(nodeId);
+      const key = this.options.publicKeyLookup(nodeId);
+      if (key) return key;
     }
+    
+    // KeyResolver: unified key resolution
+    if (this.keyResolver) {
+      return this.keyResolver.resolve(nodeId);
+    }
+    
     return null;
   }
   
@@ -1160,6 +1175,8 @@ export class YurtHub extends EventEmitter {
   
   /**
    * Join a room via yak:// link
+   *
+   * Flow: parse URI → resolve host via mesh → request GUMBA session → return access
    */
   async joinViaLink(uri) {
     const parsed = YurtLink.parse(uri);
@@ -1172,15 +1189,42 @@ export class YurtHub extends EventEmitter {
       bundleId: parsed.bundleId,
     });
     
-    // Connect to host and request access
-    // TODO: Integrate with actual mesh connection
-    return {
-      success: true,
-      parsed,
-      endpoint: parsed.endpoint,
-      bundleId: parsed.bundleId,
-      invite: parsed.invite,
-    };
+    // Look up the room in our directory first
+    const entry = this.directory.getByBundle(parsed.bundleId);
+    
+    // Request a GUMBA session on the target bundle
+    try {
+      const session = await this.gumbaHub.requestSession(
+        parsed.bundleId,
+        this.identity.identity.nodeId,
+        { invite: parsed.invite }
+      );
+      
+      if (session?.error) {
+        return {
+          success: false,
+          error: session.error,
+          parsed,
+        };
+      }
+      
+      return {
+        success: true,
+        parsed,
+        endpoint: entry?.hostEndpoint || parsed.endpoint,
+        bundleId: parsed.bundleId,
+        invite: parsed.invite,
+        sessionId: session?.sessionId || null,
+      };
+    } catch (err) {
+      log.warn('joinViaLink failed', { error: err.message, uri });
+      return {
+        success: false,
+        error: 'CONNECTION_FAILED',
+        details: err.message,
+        parsed,
+      };
+    }
   }
   
   /**
@@ -1236,10 +1280,21 @@ export class YurtHub extends EventEmitter {
   
   /**
    * Get our own endpoint
+   *
+   * Priority: explicit option → mesh advertised address → default
    */
   _getOwnEndpoint() {
-    // TODO: Discover actual endpoint
-    return this.options.endpoint || `localhost:${YURT_CONFIG.defaultPort}`;
+    if (this.options.endpoint) {
+      return this.options.endpoint;
+    }
+    
+    // Ask the mesh for our advertised address
+    if (this.mesh?.getAdvertisedAddress) {
+      const addr = this.mesh.getAdvertisedAddress();
+      if (addr) return addr;
+    }
+    
+    return `localhost:${YURT_CONFIG.defaultPort}`;
   }
   
   /**

package/models/manifest.json

@@ -0,0 +1,43 @@
+{
+  "generated": "2026-02-25 18:49:50",
+  "random_seed": 144,
+  "models": {
+    "entropy-sentinel": {
+      "inputs": 32,
+      "hidden": [
+        48,
+        32,
+        16
+      ],
+      "outputs": 1,
+      "activation": "sigmoid",
+      "samples": 8000,
+      "size": 15388
+    },
+    "sakshi-anomaly": {
+      "inputs": 12,
+      "hidden": [
+        24,
+        16
+      ],
+      "outputs": 4,
+      "activation": "sigmoid",
+      "samples": 7200,
+      "size": 3634
+    },
+    "karma-trust": {
+      "inputs": 14,
+      "hidden": [
+        24,
+        16
+      ],
+      "outputs": 4,
+      "activation": "softmax",
+      "samples": 9000,
+      "size": 3807
+    }
+  },
+  "total_size": 22829,
+  "total_samples": 24200,
+  "training_time_seconds": 16.6
+}

package/oracle/code-proof-protocol.js

@@ -23,6 +23,7 @@ import { getOracle, contentHash } from './validation-oracle-hardened.js';
 import { createLogger } from '../utils/logger.js';
 
 const log = createLogger('oracle:code-proof');
+const peerTag = (id) => id?.split('-pq-').pop() || id?.slice?.(-8) || String(id);
 
 // Phase modulation imports
 import {
@@ -116,7 +117,7 @@ export class CodeProofProtocol {
           failedAt: Date.now(),
           reason: 'CHALLENGE_TIMEOUT',
         });
-        log.warn('Code proof challenge timed out', { peerId: peerId.slice(0, 16), reason: 'CHALLENGE_TIMEOUT' });
+        log.warn('Code proof challenge timed out', { peerId: peerTag(peerId), reason: 'CHALLENGE_TIMEOUT' });
       }
     }, this.challengeTimeout);
     
@@ -149,7 +150,7 @@ export class CodeProofProtocol {
     if (epoch !== undefined) {
       const validEpochs = getValidEpochs();
       if (!validEpochs.includes(epoch)) {
-        log.warn('Challenge has expired phase', { challengerNodeId: challengerNodeId.slice(0, 16), phase: formatPhaseId(epoch) });
+        log.warn('Challenge has expired phase', { challengerNodeId: peerTag(challengerNodeId), phase: formatPhaseId(epoch) });
         return {
           type: 'CODE_PROOF_RESPONSE',
           challengeId,
@@ -163,7 +164,7 @@ export class CodeProofProtocol {
       
       // Check expiration
       if (expiresAt && Date.now() > expiresAt) {
-        log.warn('Challenge has expired', { challengerNodeId: challengerNodeId.slice(0, 16), expiresAt });
+        log.warn('Challenge has expired', { challengerNodeId: peerTag(challengerNodeId), expiresAt });
         return {
           type: 'CODE_PROOF_RESPONSE',
           challengeId,
@@ -262,7 +263,7 @@ export class CodeProofProtocol {
       this.failedPeers.delete(responderNodeId);
       
       log.info('Code proof verified', {
-        peerId: responderNodeId.slice(0, 16),
+        peerId: peerTag(responderNodeId),
         phaseEpoch: formatPhaseId(epoch || 0),
       });
       
@@ -284,7 +285,7 @@ export class CodeProofProtocol {
       });
       
       log.warn('Code proof FAILED', {
-        peerId: responderNodeId.slice(0, 16),
+        peerId: peerTag(responderNodeId),
         reason: verification.reason,
       });
       
@@ -440,7 +441,7 @@ export async function mutualVerification(localProtocol, peerConnection) {
     peerConnection.send(challenge);
     
     log.debug('Sent phased challenge', {
-      peerId: peerId.slice(0, 16),
+      peerId: peerTag(peerId),
       phaseEpoch: formatPhaseId(currentEpoch.epoch),
     });