fix(release): update release config schema, bump dependencies, and refresh runtime documentation

2026-05-12 22:22:14 +00:00
parent f8bdb991c8
commit c520220df2
5 changed files with 2183 additions and 2854 deletions
@@ -26,6 +26,8 @@
      ]
    },
    "release": {
      "targets": {
        "npm": {
          "registries": [
            "https://verdaccio.lossless.digital",
            "https://registry.npmjs.org"
@@ -33,4 +35,8 @@
          "accessLevel": "public"
        }
      }
    },
    "schemaVersion": 2
  },
  "@ship.zone/szci": {}
 }
@@ -1,5 +1,14 @@
 # Changelog
 ## Pending
 ### Fixes
 - update release config schema, bump dependencies, and refresh runtime documentation (release)
  - migrates .smartconfig.json release settings to the targets-based schema with schemaVersion 2
  - bumps runtime and development dependencies including smartnftables and smartrust
  - clarifies README details for custom Rust binaries, transport behavior, runtime events, and protocol frame types
 ## 2026-04-06 - 1.19.2 - fix(server)
 clean up bridge and hybrid shutdown handling
@@ -29,16 +29,16 @@
  ],
  "license": "MIT",
  "dependencies": {
-    "@push.rocks/smartnftables": "1.1.0",
+    "@push.rocks/smartnftables": "1.2.0",
    "@push.rocks/smartpath": "^6.0.0",
-    "@push.rocks/smartrust": "^1.3.2"
+    "@push.rocks/smartrust": "^1.4.0"
  },
  "devDependencies": {
-    "@git.zone/tsbuild": "^4.4.0",
+    "@git.zone/tsbuild": "^4.4.1",
-    "@git.zone/tsrun": "^2.0.2",
+    "@git.zone/tsrun": "^2.0.4",
-    "@git.zone/tsrust": "^1.3.2",
+    "@git.zone/tsrust": "^1.3.4",
-    "@git.zone/tstest": "^3.6.3",
+    "@git.zone/tstest": "^3.6.6",
-    "@types/node": "^25.5.0"
+    "@types/node": "^25.7.0"
  },
  "files": [
    "ts/**/*",
@@ -24,11 +24,9 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 ```bash
 pnpm install @push.rocks/smartvpn
 # or
 npm install @push.rocks/smartvpn
 ```
-The package ships with pre-compiled Rust binaries for **linux/amd64** and **linux/arm64**. No Rust toolchain required at runtime.
+The package ships with pre-compiled Rust binaries for **linux/amd64** and **linux/arm64**. No Rust toolchain is required at runtime. Set `SMARTVPN_RUST_BINARY` if you want the TypeScript bridge to use a custom daemon binary.
 ## Architecture 🏗️
@@ -37,7 +35,7 @@ The package ships with pre-compiled Rust binaries for **linux/amd64** and **linu
 │    TypeScript Control Plane  │ ◄─────────────────────► │     Rust Data Plane Daemon    │
 │                              │   stdio  or  Unix sock  │                               │
 │  VpnServer / VpnClient      │                          │  Noise IK handshake           │
-│  Typed IPC commands          │                          │  XChaCha20-Poly1305           │
+│  Typed IPC commands          │                          │  Noise transport encryption   │
 │  Config validation           │                          │  WS + QUIC + WireGuard        │
 │  Hub: client management      │                          │  TUN device, IP pool, NAT     │
 │  WireGuard .conf generation  │                          │  Rate limiting, ACLs, QoS     │
@@ -45,7 +43,7 @@ The package ships with pre-compiled Rust binaries for **linux/amd64** and **linu
 └──────────────────────────────┘                          └───────────────────────────────┘
 ```
-**Split-plane design** — TypeScript handles orchestration, config, and DX; Rust handles every hot-path byte with zero-copy async I/O (tokio, mimalloc).
+**Split-plane design** — TypeScript handles orchestration, config, and DX; Rust handles the hot path with async I/O, framed packet codecs, and the Noise transport state after authentication.
 ### IPC Transport Modes
@@ -142,7 +140,7 @@ Every client authenticates with a **Noise IK handshake** (`Noise_IK_25519_ChaCha
 | **QUIC** | UDP (via quinn) | Low latency, datagram support for IP packets |
 | **WireGuard** | UDP (via boringtun) | Standard WG clients (iOS, Android, wg-quick) |
-The server runs **all three simultaneously** by default with `transportMode: 'all'`. All transports share the same unified forwarding pipeline (`ForwardingEngine`), IP pool, client registry, and stats — so WireGuard peers get the same userspace NAT, rate limiting, and monitoring as WS/QUIC clients. Clients auto-negotiate with `transport: 'auto'` (tries QUIC first, falls back to WS).
+The server runs with `transportMode: 'all'` by default: WebSocket and QUIC are enabled, and WireGuard joins the same server when `wgPrivateKey` is configured. All server transports share the same forwarding pipeline (`ForwardingEngine`), IP pool, client registry, and statistics, so WireGuard peers can use the same userspace NAT, bridge/hybrid routing, and monitoring model as WS/QUIC clients. Native SmartVPN clients auto-negotiate with `transport: 'auto'` (tries QUIC first, falls back to WS).
 ### 📊 Per-Transport Metrics
@@ -481,37 +479,23 @@ const unit = VpnInstaller.generateServiceUnit({
 You can also call `generateSystemdUnit()` or `generateLaunchdPlist()` directly for platform-specific options like custom descriptions.
-### 📢 Events
+### 📢 Runtime Events
-Both `VpnServer` and `VpnClient` extend `EventEmitter` and emit typed events:
+`VpnServer` and `VpnClient` extend `EventEmitter`. The high-level wrappers currently forward bridge lifecycle events:
 ```typescript
 server.on('client-connected', (info: IVpnClientInfo) => {
  console.log(`${info.registeredClientId} connected from ${info.remoteAddr} via ${info.transportType}`);
 });
 server.on('client-disconnected', ({ clientId, reason }) => {
  console.log(`${clientId} disconnected: ${reason}`);
 });
 client.on('status', (status: IVpnStatus) => {
  console.log(`State: ${status.state}, IP: ${status.assignedIp}`);
 });
 // Both server and client emit:
 server.on('exit', ({ code, signal }) => { /* daemon process exited */ });
 server.on('reconnected', () => { /* socket transport reconnected */ });
 client.on('exit', ({ code, signal }) => { /* daemon process exited */ });
 ```
 | Event | Emitted By | Payload |
 |-------|-----------|---------|
 | `status` | Both | `IVpnStatus` — connection state changes |
 | `error` | Both | `{ message, code? }` |
 | `client-connected` | Server | `IVpnClientInfo` — full client info including transport type |
 | `client-disconnected` | Server | `{ clientId, reason? }` |
 | `exit` | Both | `{ code, signal }` — daemon process exited |
 | `reconnected` | Both | `void` — socket transport reconnected |
 For connection state and telemetry, use `getStatus()`, `getStatistics()`, `listClients()`, and `getClientTelemetry()`.
 ## API Reference 📖
 ### Classes
@@ -541,7 +525,7 @@ server.on('reconnected', () => { /* socket transport reconnected */ });
 | `IVpnMtuInfo` | TUN MTU, effective MTU, overhead bytes, oversized packet stats |
 | `IVpnKeypair` | Base64-encoded public/private key pair |
 | `IDestinationPolicy` | Destination routing policy (forceTarget / block / allow with allow/block lists) |
-| `IVpnEventMap` | Typed event map for server and client EventEmitter |
+| `IVpnEventMap` | Exported event payload shapes for lifecycle and daemon event integrations |
 ### Server IPC Commands
@@ -600,8 +584,8 @@ All transport modes share the same `forwardingMode` — WireGuard peers can use
 // Explicit QUIC with certificate pinning
 { transport: 'quic', serverUrl: '1.2.3.4:4433', serverCertHash: '<sha256-base64>' }
-// WireGuard
+// WireGuard clients use the standard .conf returned by createClient()
-{ transport: 'wireguard', wgPrivateKey: '...', wgEndpoint: 'vpn.example.com:51820', ... }
+// or generated via WgConfigGenerator.
 ```
 ## Cryptography 🔑
@@ -610,7 +594,7 @@ All transport modes share the same `forwardingMode` — WireGuard peers can use
 |-------|-----------|---------|
 | **Handshake** | Noise IK (X25519 + ChaChaPoly + BLAKE2s) | Mutual authentication + key exchange |
 | **Transport** | Noise transport state (ChaChaPoly) | All post-handshake data encryption |
-| **Additional** | XChaCha20-Poly1305 | Extended nonce space for data-at-rest |
+| **Utility** | XChaCha20-Poly1305 helper | Nonce-safe symmetric encryption helper in the Rust crypto module |
 | **WireGuard** | X25519 + ChaCha20-Poly1305 (via boringtun) | Standard WireGuard crypto |
 ## Binary Protocol 📡
@@ -624,6 +608,9 @@ All frames use `[type:1B][length:4B][payload:NB]` with a 64KB max payload:
 | IpPacket | `0x10` | Bidirectional | Encrypted tunnel data |
 | Keepalive | `0x20` | Client → Server | App-level keepalive (not WS ping) |
 | KeepaliveAck | `0x21` | Server → Client | Keepalive response with RTT payload |
 | SessionResume | `0x30` | Client → Server | Session resume attempt |
 | SessionResumeOk | `0x31` | Server → Client | Session resume accepted |
 | SessionResumeErr | `0x32` | Server → Client | Session resume rejected |
 | Disconnect | `0x3F` | Bidirectional | Graceful disconnect |
 ## Development 🛠️
@@ -674,6 +661,7 @@ smartvpn/
 │       ├── transport_trait.rs  # Transport abstraction (Sink/Stream)
 │       ├── quic_transport.rs   # QUIC transport
 │       ├── wireguard.rs        # WireGuard (boringtun)
 │       ├── bridge.rs           # Linux bridge/TAP integration
 │       ├── codec.rs            # Binary frame protocol
 │       ├── keepalive.rs        # Adaptive keepalives
 │       ├── ratelimit.rs        # Token bucket
@@ -691,7 +679,7 @@ smartvpn/
 ## License and Legal Information
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license.md](./license.md) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.