fix(ui,ops): TransportPrefsCard import path + fleet unpair script

- TransportPrefsCard.vue: import from '@/api/rpc-client' (not '@/api/rpc') so vue-tsc resolves the module during build. - scripts/fleet-fips-unpair.sh: companion to the fleet-pair script — rewrites each node's fips.yaml to anchor-only (fips.v0l.io) so we can prove the general-case deployment works without the LAN fast-path. Prints per-node peer counts + DHT AAAA resolution for every cross-node pair after the change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 02:08:32 -04:00 · 2026-04-19 02:08:32 -04:00 · 2f327183eb
commit 2f327183eb
parent 6ddce90e45
2 changed files with 136 additions and 1 deletions
--- a/neode-ui/src/views/settings/TransportPrefsCard.vue
+++ b/neode-ui/src/views/settings/TransportPrefsCard.vue
@ -44,7 +44,7 @@

 <script setup lang="ts">
 import { onMounted, ref } from 'vue'
-import { rpcClient } from '@/api/rpc'
+import { rpcClient } from '@/api/rpc-client'

 type Pref = 'auto' | 'fips' | 'tor'
 type Service = 'federation' | 'peers' | 'peer_files' | 'messaging' | 'mesh_file_sharing'
--- a/scripts/fleet-fips-unpair.sh
+++ b/scripts/fleet-fips-unpair.sh
@ -0,0 +1,135 @@
+#!/bin/bash
+# Strip the LAN fast-path peers from all 4 fleet nodes' fips.yaml,
+# leaving only the public anchor (fips.v0l.io). Restart fips.service
+# on each node.
+#
+# Purpose: verify that the general-case deployment (nodes anywhere in
+# the world, no LAN between them) actually works — i.e. that two
+# paired archipelago peers can reach each other purely through the
+# FIPS DHT bootstrapped from the anchor.
+#
+# After running this, test with:
+#   scripts/fleet-fips-pair.sh --verify        (peer state per node)
+#   for ip in 116 198 228 253; do
+#     ssh archipelago@192.168.1.$ip "dig @127.0.0.1 -p 5354 +short \
+#       <other-node-npub>.fips AAAA"
+#   done
+#
+# To restore the LAN fast-path: re-run scripts/fleet-fips-pair.sh.
+#
+# Usage: scripts/fleet-fips-unpair.sh
+
+set -eo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+. "$SCRIPT_DIR/lib/common.sh"
+
+# Roster — only need NIC names to preserve them in the yaml.
+NODES=(
+  "116 enp0s25"
+  "198 enp2s0"
+  "228 enp2s0"
+  "253 enx9cbf0d0129f9"
+)
+
+TMP_ROOT=$(mktemp -d)
+trap 'rm -rf "$TMP_ROOT"' EXIT
+
+for row in "${NODES[@]}"; do
+    read -r node nic <<< "$row"
+    out="$TMP_ROOT/fips.yaml.$node"
+    cat > "$out" <<YAML
+# FIPS Node Configuration — anchor-only (managed by fleet-fips-unpair.sh)
+# This is the shape a general archipelago install ships with: fleet
+# nodes are NOT pre-paired; discovery happens via the anchor DHT.
+
+node:
+  identity:
+    persistent: true
+
+tun:
+  enabled: true
+  name: fips0
+  mtu: 1280
+
+dns:
+  enabled: true
+  bind_addr: "127.0.0.1"
+  port: 5354
+
+transports:
+  udp:
+    bind_addr: "0.0.0.0:2121"
+  tcp:
+    bind_addr: "0.0.0.0:8443"
+
+ethernet:
+  interface: "$nic"
+  discovery: true
+  announce: true
+  auto_connect: true
+  accept_connections: true
+
+peers:
+  - npub: "npub1zv58cn7v83mxvttl70w5fwjwuclfmntv9cnmv5wmz2nzz88u5urqvdx96n"
+    alias: "fips.v0l.io"
+    addresses:
+      - transport: tcp
+        addr: "fips.v0l.io:8443"
+      - transport: udp
+        addr: "fips.v0l.io:2121"
+    connect_policy: auto_connect
+YAML
+
+    ip="192.168.1.$node"
+    log_info "[.${node}] uploading anchor-only fips.yaml"
+    scp_cmd "$out" "archipelago@${ip}:/tmp/fips.yaml.new"
+    log_info "[.${node}] installing + restarting fips.service"
+    ssh_cmd "$ip" '
+        set -e
+        sudo install -o root -g root -m 0600 /tmp/fips.yaml.new /etc/fips/fips.yaml
+        rm -f /tmp/fips.yaml.new
+        sudo systemctl restart fips.service
+        for i in $(seq 1 10); do
+            if sudo systemctl is-active fips.service >/dev/null 2>&1; then break; fi
+            sleep 0.5
+        done
+        sudo systemctl is-active fips.service
+    '
+done
+
+echo
+log_info "Waiting 20s for anchor handshake + DHT propagation…"
+sleep 20
+
+echo
+log_info "Post-unpair state (should show only fips.v0l.io as an authenticated peer):"
+for row in "${NODES[@]}"; do
+    read -r node _nic <<< "$row"
+    ip="192.168.1.$node"
+    count=$(ssh_cmd "$ip" "sudo fipsctl show peers 2>/dev/null | grep -c '\"npub\"' || echo 0")
+    log_info "  .$node: $count authenticated peers"
+done
+
+echo
+log_info "DHT resolution test — each node resolves the other 3 by npub:"
+declare -A NPUBS=(
+  [116]="npub1mxavs6scfgl056k6lm4mk73ddnrhjewg78zlyzfn2lmr0rfyrs5qhcr03g"
+  [198]="npub13cy4lml94cj4rdu8runrr945z2muszuvr5tql8mr9m063d7xzpqqu3k8se"
+  [228]="npub1a0xxcqce2tsv8ulwastep23jtf3h4wvvry8r8nklnl36jtrdnefqh5qn6h"
+  [253]="npub1dl0m0yfzfw6467c3z6q63s7ggzd77yg97j90ptfrheprxeypt3msj0mq4g"
+)
+for row in "${NODES[@]}"; do
+    read -r self_node _ <<< "$row"
+    ip="192.168.1.$self_node"
+    echo ".${self_node}:"
+    for other in 116 198 228 253; do
+        [ "$other" = "$self_node" ] && continue
+        r=$(ssh_cmd "$ip" "dig @127.0.0.1 -p 5354 +short +time=3 +tries=1 ${NPUBS[$other]}.fips AAAA" 2>&1)
+        if [ -z "$r" ]; then
+            echo "  .${other} → unresolved (DHT route not found)"
+        else
+            echo "  .${other} → $r"
+        fi
+    done
+done