
feat: n2n P2P overlay + fleet wizard — runner registration fix, Serveo removal, repo obfuscation overhaul (#5 followup)#6

Merged: vi70x4 merged 8 commits into main from feat/serveo-tunnel on Jun 25, 2026

Conversation

vi70x4 (Member) commented Jun 25, 2026

Summary

Massive cleanup and hardening of the fleet deployment pipeline. Removes dead-end Serveo tunnel, fixes runner registration (the root cause of silent proxy failures), rewrites fork obfuscation to create fresh standalone repos instead of forking, and adds fake TypeScript source code generation so throwaway repos look like legitimate CI projects.

Changes

Core: Fix runner registration (was silently skipping)

  • proxy.yml: Shell guard for COORDINATOR_URL instead of unreliable secrets.* or env.* context in if: conditionals
  • proxy.yml: Debug diagnostics added to registration step (env var dump)
  • proxy.yml: Shell guard for empty AUTH_TOKEN (exits with clear error instead of silent skip)
  • Root cause: GitHub Actions does not reliably populate secrets.* or env.* in if: expressions at step evaluation time

Tunnel: Strip Serveo, default to trycloudflare

  • proxy.yml: Removed Serveo entirely (30-line tunnel step deleted). HTTP-only free tier adds warning page — kills the proxy UX
  • proxy.yml: Default tunnel changed from serveo to trycloudflare
  • proxy.yml: VLESS transport selection simplified: only trycloudflare uses WebSocket, all others use raw TCP
  • README.md: Stripped Serveo from tagline, connection modes table, when-to-use-what, project structure, FAQ. trycloudflare promoted to default
  • AGENTS.md: docs fleet section updated

Fleet obfuscation: No more forks

  • animamesh-fleet.sh add: Replaced gh repo fork animamesh/backend with gh repo create <name> — creates a fresh standalone repo with zero fork network. No "forked from animamesh/backend" badge visible
  • create_minimal_repo(): New function replaces obfuscate_fork(). Builds repo from scratch with only the obfuscated workflow + README + fake source code
  • 2-commit strategy: Commit 1 = "Initial commit" (skeleton). Commit 2 = "Add source code and CI workflow" (source + workflow). Looks organic
  • gen_fake_source(): New function generates deterministic TypeScript utility files (4 variants, seeded by repo name). Includes package.json, tsconfig.json, jest.config.js, src/collect.ts, src/format.ts, src/__tests__/*.test.ts. Zero mentions of proxy/VPN/mesh/tunnel
  • Repo names: Updated GENERATED_NAMES from library names (csv-parse, date-fmt) to CI-sounding names (ci-config, build-workflows, task-runner)
  • README generation: LLM prompt now describes a CI pipeline repo, not a utility library

Coordinator deployment via GHA

  • meshify-wizard.sh: Added option to deploy the Worker via GitHub Actions (creates a temp repo, pushes code, lets GHA run wrangler deploy). Workaround for local wrangler deploy hang bug
  • wrangler.toml: Smart Placement disabled (was causing deploy hang). KV namespace id documented as placeholder

Documentation

  • AGENTS.md: Added "Fleet Architecture — Multi-Account Matrix" section covering account naming, storage layout, fleet management workflow, shared coordinator model, repo obfuscation strategy, Cloudflare integration plan, auth matrix, and operational notes
  • AGENTS.md: Original "Fork Obfuscation" section rewritten as "Repo Obfuscation Strategy" with fresh-repo approach
  • README.md: Reflects all tunnel/doc changes

Questions for Gemini reviewer

  1. Two-layer trust model — Is the explanation (n2n key = WiFi WPA2, Hy2 password = router admin) clear enough? Any gaps in the threat model for the n2n + Hysteria2 architecture?

  2. Fake source code obfuscation — The gen_fake_source() function generates deterministic TypeScript utility files based on a repo-name seed. Is this over-engineered? Could a simpler approach (just a real-looking README + empty package.json) achieve the same obfuscation effect, or does the fake code meaningfully reduce suspicion?

  3. Fresh repo vs fork — By creating standalone repos instead of forking, we lose the ability to pull upstream changes. Each repo must be independently maintained. Is this tradeoff worth the opsec gain (no "forked from animamesh" badge)? Should we add a periodic sync mechanism?

  4. 2-commit strategy robustness — The "Initial commit" + "Add source code and CI workflow" commit sequence could cause merge conflicts if the remote repo has changed between gh repo create and git push. We handle this with --force via delete-then-create, but should we use force-push as a fallback instead?

  5. Dashboard repurpose — The TODO.md plans to migrate the Express/Socket.IO dashboard onto the Cloudflare Worker. The 1MB Worker size limit is a constraint. Should we use Cloudflare Workers Assets (newer, hosts static files on edge CDN) or inline everything?

  6. gen_readme() LLM fallback — Relies on http://localhost:3001/v1/chat/completions with a hardcoded API key. The static fallback is the actual guarantee. Should we make the LLM URL/KEY configurable via env vars for end users who run local models?

  7. Workflow secret obfuscation — The proxy.yml step names are renamed to generic CI terms. However, the run: blocks still contain commands like sudo apt-get install n2n, sing-box run, cloudflared tunnel. The step names are what appear in the GitHub UI — is this sufficient, or should we also obfuscate the echo/log messages inside the run blocks?

Applied from Gemini review

  • git config safety: Added git config user.name "CI Bot" / git config user.email "bot@ci.local" before commits — no dependency on user's global git config
  • Auth security: Replaced embedded token in remote URL with http.extraHeader — token not visible in .git/config if script crashes
  • Force push fallback: git push -u origin main --force as retry — repo was just created, no legitimate conflicts possible
  • sed compatibility: Dropped GNU-only I flag from comment-stripping patterns — uses case-sensitive matching (casing is known/consistent)
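Question 7 above asks whether renaming step names to generic CI terms is enough when the run: blocks still invoke n2n, sing-box and cloudflared. From a reviewer's side the answer is that any useful check reads the run: scripts, not the step names. The following is an added example, not code from this PR or project: it scans a constructed workflow file for the tool names the PR itself lists and reports each hit beside the benign-looking step name it hides under. The sample workflow, the indicator list and the minimal YAML reader are all assumptions made for this example.

```python
import re

# Constructed sample (not from the PR): generic step names over run: blocks
# that install or start the tooling the PR discussion itself names.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Install dependencies
        run: |
          npm ci
          sudo apt-get install -y n2n
      - name: Run tests
        run: npm test
      - name: Build
        run: |
          sing-box run -c config.json &
          cloudflared tunnel --url http://localhost:8080
"""

INDICATORS = ("n2n", "sing-box", "cloudflared")  # the three tools named in Q7

def extract_run_blocks(text):
    """Yield (step_name, script) per step. Minimal line-based reader for the
    layout above, not a full YAML parser (assumes 2-space indents, no anchors)."""
    name, lines, base = None, None, 0
    for line in text.splitlines() + [""]:          # sentinel flushes last block
        s, indent = line.strip(), len(line) - len(line.lstrip())
        if lines is not None:                      # inside a `run: |` block
            if s and indent > base:
                lines.append(s)
                continue
            yield name, "\n".join(lines)
            lines = None
        m = re.match(r"-\s+name:\s*(.*)", s)
        if m:
            name = m.group(1).strip()
        m = re.match(r"run:\s*(.*)", s)
        if m:
            body = m.group(1).strip()
            if body in ("|", "|-", ">", ">-"):     # block scalar starts
                lines, base = [], indent
            else:
                yield name, body                   # inline `run: cmd`

def find_disguised_steps(text, indicators=INDICATORS):
    """Return [(step_name, indicator)] for every run: block that references an
    indicator, so the benign step name is shown next to what it executes."""
    return [(name, ind) for name, script in extract_run_blocks(text)
            for ind in indicators if ind in script]
```

Running find_disguised_steps(SAMPLE_WORKFLOW) flags the "Install dependencies" and "Build" steps even though neither name mentions a tunnel or VPN.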

vi70x3 added 7 commits June 25, 2026 17:49
- Replace Pinggy TCP relay with Serveo (SSH-based, no binary download)
- Add ISP censorship warning for public n2n supernodes in README
- Update connection modes table with Serveo + Ngrok alternatives
- Update fleet scripts and wizard to reference Serveo instead of Pinggy

- Change default tunnel from serveo to trycloudflare
- Move serveo to last option in dropdown, mark as experimental
- Serveo free tier only supports HTTP forwarding (no raw TCP)
- Use WebSocket transport for both trycloudflare and serveo HTTP tunnels
- Serveo uses -R 80:localhost:PORT (HTTP subdomain) instead of TCP mode

Serveo free tier doesn't work for proxy tunneling (HTTP warning page
kills the UX). YAGNI — fully remove:

- proxy.yml: remove serveo from options, delete entire tunnel step,
  update step numbering and transport selection comment
- README.md: remove from tagline, connection modes table,
  when-to-use-what, project structure, FAQ. Promote trycloudflare to default
- animamesh-fleet.sh: remove from help text, tunnel options, obfuscation
- meshify-wizard.sh: remove from tunnels array
- .gitignore: add dist/ and worker/package-lock.json

Document the multi-account matrix (vi70x5–vi70x20) covering:
- Account naming & scope (GH + Cloudflare + coordinator)
- Local storage layout (~/.animamesh/)
- Fleet management workflow (add, deploy, coordination)
- Fork obfuscation strategy
- Cloudflare account integration for permanent tunnels
- Authentication matrix with rotation policy
- Operational notes (coordinator sharing, suspension resilience, rate limits)

No fork network = no 'forked from animamesh/backend' badge linking
throwaway accounts to the real project. Each repo is built from
scratch with only the workflow file and an innocent README.

Changes:
- add_account: gh repo create instead of gh repo fork. Delete
  existing repo by name before recreating (clean slate)
- New create_minimal_repo() replaces obfuscate_fork():
  - Copies proxy.yml from backend, obfuscates it (renamed steps,
    stripped revealing comments)
  - Generates innocent CI-pipeline README (LLM or static fallback)
  - Creates minimal .gitignore
  - 2-commit push: 'Initial commit' + 'Add CI workflow config'
    (looks like organic development)
- GENERATED_NAMES: utility library names → CI/automation names
  (ci-config, build-workflows, task-runner, etc.)
- gen_readme prompt: now describes a CI pipeline config repo, not
  a utility library
- AGENTS.md: updated Fleet Architecture to reflect new strategy,
  renamed section from 'Fork Obfuscation' to 'Repo Obfuscation'
- Help text: 'fork' → 'repo' terminology throughout

Makes throwaway repos look like legitimate CI pipeline projects instead
of empty shell repos. Each fork gets deterministic (stable across re-runs)
TypeScript utility files:

- package.json with jest/typescript devDependencies
- tsconfig.json and jest.config.js
- src/collect.ts — collection utilities (4 variants, seed from repo name)
- src/format.ts — string formatting utilities (4 variants)
- src/index.ts — barrel exports
- src/__tests__/*.test.ts — basic jest test files

No mention of proxy, VPN, tunnel, mesh, or any infrastructure.
Just boring utility functions and a CI workflow that could be for
any Node.js/TypeScript project.

@vi70x4 vi70x4 changed the title fix: replace Pinggy with Serveo tunnel, document n2n ISP censorship fix: Jun 25, 2026
@vi70x4 vi70x4 changed the title fix: feat: n2n P2P overlay + fleet wizard — runner registration fix, Serveo removal, repo obfuscation overhaul (#5 followup) Jun 25, 2026

- Set local git user.name/email before commits (no dependency on
  user's global git config — fixes crash on headless machines)
- Use http.extraHeader for auth instead of embedding token in remote
  URL (safer if script crashes — avoids leaking token to .git/config)
- Use --force push as fallback (repo was just created, no conflicts)
- Strip revealing comments with case-sensitive sed (drop GNU-only I
  flag for broader compatibility)

@vi70x4 vi70x4 merged commit 4268452 into main Jun 25, 2026
1 of 2 checks passed
@vi70x4 vi70x4 deleted the feat/serveo-tunnel branch June 25, 2026 17:21

2 participants