fix: rewrite HNS resolver to use wire-format DoH (RFC 8484)

The default HDNS gateway (query.hdns.io) only supports wire-format DoH
(?dns=<base64url>), not the JSON API format (?name=&type=) that the
resolver was using. Encode DNS queries as RFC 1035 wire format, base64url
them, and parse binary responses. Tested live against namebase/ and
handshake/ HNS names.

Also adds multi-transport example script demonstrating the full
onion > hns > https > http fallback chain.

Author: TheCryptoDonkey

examples/multi-transport.ts

@@ -0,0 +1,148 @@
+/**
+ * Multi-transport fallback demo.
+ *
+ * Demonstrates the onion → hns → https → http transport selection
+ * and fallback chain. Run with:
+ *
+ *   npx tsx examples/multi-transport.ts          # mock demo (no network)
+ *   npx tsx examples/multi-transport.ts --live    # also try real HNS + onion resolution
+ */
+
+import { selectTransports } from '402-mcp/fetch/transport'
+import { withTransportFallback } from '402-mcp/fetch/resilient-fetch'
+import { resolveHns } from '402-mcp/fetch/hns-resolve'
+import { TransportUnavailableError } from '402-mcp/fetch/errors'
+
+// ── 1. Transport classification & selection ─────────────────────────
+
+const urls = [
+  'https://api.example.com/weather',               // https (clearnet)
+  'https://api.exampleonion.onion/weather',         // onion (Tor)
+  'https://weather.satoshi/weather',                // hns  (Handshake TLD)
+  'http://api.example.com/weather',                 // http (plain)
+]
+
+const preference = ['onion', 'hns', 'https', 'http']
+
+console.log('=== Transport Selection ===\n')
+console.log('URLs:', urls)
+console.log('Preference:', preference.join(' > '))
+
+// With Tor proxy available - .onion URLs are included
+const withTor = selectTransports(urls, preference, { hasTorProxy: true })
+console.log('\nWith Tor proxy:')
+withTor.forEach((u: string, i: number) => console.log(`  ${i + 1}. ${u}`))
+
+// Without Tor proxy - .onion URLs are filtered out
+const withoutTor = selectTransports(urls, preference, { hasTorProxy: false })
+console.log('\nWithout Tor proxy:')
+withoutTor.forEach((u: string, i: number) => console.log(`  ${i + 1}. ${u}`))
+
+// ── 2. Fallback chain ───────────────────────────────────────────────
+
+console.log('\n=== Fallback Chain ===\n')
+console.log('Simulating: onion fails (no proxy) -> HNS fails (ECONNREFUSED) -> clearnet succeeds\n')
+
+const orderedUrls = [
+  'https://api.exampleonion.onion/weather',    // will fail - no Tor
+  'https://weather.satoshi/weather',            // will fail - ECONNREFUSED
+  'https://api.example.com/weather',            // will succeed
+]
+
+const attempts: string[] = []
+
+const mockFetch = async (url: string | URL): Promise<Response> => {
+  const urlStr = url.toString()
+  attempts.push(urlStr)
+
+  if (urlStr.includes('.onion')) {
+    console.log(`  [FAIL] ${urlStr}`)
+    console.log('         TransportUnavailableError: no Tor proxy')
+    throw new TransportUnavailableError(urlStr, 'no Tor proxy configured')
+  }
+
+  if (urlStr.includes('.satoshi')) {
+    console.log(`  [FAIL] ${urlStr}`)
+    console.log('         ECONNREFUSED: HNS host unreachable')
+    const err = new Error('connect ECONNREFUSED') as NodeJS.ErrnoException
+    err.code = 'ECONNREFUSED'
+    throw err
+  }
+
+  console.log(`  [ OK ] ${urlStr}`)
+  console.log('         200 - {"temp": 18, "unit": "celsius", "city": "London"}')
+  return new Response(
+    JSON.stringify({ temp: 18, unit: 'celsius', city: 'London' }),
+    { status: 200, headers: { 'Content-Type': 'application/json' } },
+  )
+}
+
+const response = await withTransportFallback(orderedUrls, {}, mockFetch)
+const body = await response.json()
+
+console.log(`\nResult: ${response.status} OK`)
+console.log('Body:', body)
+console.log(`Attempts: ${attempts.length} (${attempts.length - 1} transport failures before success)`)
+
+// ── 3. Credential keying by pubkey ──────────────────────────────────
+
+console.log('\n=== Credential Keying ===\n')
+
+const servicePubkey = 'abcd1234'.repeat(8) // 64-char hex pubkey
+const origins = orderedUrls.map(u => new URL(u).origin)
+
+console.log('Service pubkey:', servicePubkey.slice(0, 16) + '...')
+console.log('Transport origins:')
+origins.forEach(o => console.log(`  - ${o}`))
+console.log('\nAll three origins are different, but credentials are keyed by')
+console.log('pubkey - so a macaroon obtained via onion works over clearnet.')
+
+// ── 4. Live resolution (optional) ───────────────────────────────────
+
+if (process.argv.includes('--live')) {
+  // ── 4a. HNS resolution via HDNS gateway ─────────────────────────
+  console.log('\n=== Live HNS Resolution (query.hdns.io) ===\n')
+
+  const hnsNames = ['namebase', 'handshake', 'forever']
+  const gateway = 'https://query.hdns.io/'
+
+  for (const name of hnsNames) {
+    try {
+      const resolved = await resolveHns(name, gateway, 5000)
+      console.log(`  ${name}/ -> ${resolved.address} (IPv${resolved.family})`)
+    } catch (err) {
+      console.log(`  ${name}/ -> ${(err as Error).message}`)
+    }
+  }
+
+  // ── 4b. Onion connectivity check ─────────────────────────────────
+  console.log('\n=== Onion Transport Check ===\n')
+
+  const torProxy = process.env.TOR_PROXY || process.env.SOCKS_PROXY
+  if (torProxy) {
+    console.log(`  Tor SOCKS proxy configured: ${torProxy}`)
+    console.log('  .onion URLs will be routed through the proxy.')
+
+    // Test connectivity to Tor network via a known onion service
+    const testOnion = 'http://2gzyxa5ihm7nsber64sieskb3r4zgbz2uho0vwqqmdxpcokbaurxuca.onion/'
+    console.log(`\n  Testing: ${testOnion}`)
+    try {
+      const ctrl = new AbortController()
+      setTimeout(() => ctrl.abort(), 10_000)
+      const resp = await fetch(testOnion, { signal: ctrl.signal })
+      console.log(`  Result: ${resp.status} ${resp.statusText}`)
+    } catch (err) {
+      console.log(`  Result: ${(err as Error).message}`)
+      console.log('  (This is expected without a SOCKS-aware fetch implementation)')
+    }
+  } else {
+    console.log('  No TOR_PROXY or SOCKS_PROXY configured.')
+    console.log('  .onion URLs will be filtered out by selectTransports().')
+    console.log('\n  To enable onion transport:')
+    console.log('    1. Install Tor:  brew install tor && brew services start tor')
+    console.log('    2. Set proxy:    export TOR_PROXY=socks5://127.0.0.1:9050')
+    console.log('    3. Re-run:       npx tsx examples/multi-transport.ts --live')
+  }
+} else {
+  console.log('\nRun with --live to test real HNS resolution and onion transport.')
+}

src/fetch/hns-resolve.ts

@@ -22,37 +22,162 @@ function isValidIpFormat(address: string, family: 4 | 6): boolean {
   return IPV6_RE.test(address) && address.includes(':')
 }
 
-interface DnsAnswer {
+// ── DNS wire format helpers (RFC 1035 / RFC 8484) ───────────────────
+
+const DNS_HEADER_SIZE = 12
+const DNS_TYPE_A = 1
+const DNS_TYPE_AAAA = 28
+const DNS_CLASS_IN = 1
+const DNS_POINTER_MASK = 0xc0
+
+/** Encode a hostname as DNS wire-format labels (length-prefixed, null-terminated). */
+function encodeLabels(hostname: string): Uint8Array {
+  const labels = hostname.split('.')
+  let totalLen = 1 // null terminator
+  for (const label of labels) totalLen += 1 + label.length
+
+  const buf = new Uint8Array(totalLen)
+  let offset = 0
+  for (const label of labels) {
+    buf[offset++] = label.length
+    for (let i = 0; i < label.length; i++) {
+      buf[offset++] = label.charCodeAt(i)
+    }
+  }
+  buf[offset] = 0 // root label
+  return buf
+}
+
+/** Build a minimal DNS query packet for the given hostname and record type. */
+function buildQuery(hostname: string, qtype: number): Uint8Array {
+  const labels = encodeLabels(hostname)
+  const packet = new Uint8Array(DNS_HEADER_SIZE + labels.length + 4)
+  const view = new DataView(packet.buffer)
+
+  // Header: ID=0, flags=0x0100 (RD=1), QDCOUNT=1
+  view.setUint16(0, 0)       // ID
+  view.setUint16(2, 0x0100)  // Flags: recursion desired
+  view.setUint16(4, 1)       // QDCOUNT
+  view.setUint16(6, 0)       // ANCOUNT
+  view.setUint16(8, 0)       // NSCOUNT
+  view.setUint16(10, 0)      // ARCOUNT
+
+  // Question section
+  packet.set(labels, DNS_HEADER_SIZE)
+  const typeOffset = DNS_HEADER_SIZE + labels.length
+  view.setUint16(typeOffset, qtype)
+  view.setUint16(typeOffset + 2, DNS_CLASS_IN)
+
+  return packet
+}
+
+/** Skip a DNS name in wire format (handles compression pointers). */
+function skipName(data: Uint8Array, offset: number): number {
+  while (offset < data.length) {
+    const len = data[offset]
+    if (len === 0) return offset + 1
+    if ((len & DNS_POINTER_MASK) === DNS_POINTER_MASK) return offset + 2
+    offset += len + 1
+  }
+  throw new Error('Malformed DNS name')
+}
+
+interface ParsedRecord {
   type: number
   data: string
 }
 
-interface DnsResponse {
-  Answer?: DnsAnswer[]
+/** Parse a wire-format DNS response, extracting A and AAAA records. */
+function parseResponse(data: Uint8Array): ParsedRecord[] {
+  if (data.length < DNS_HEADER_SIZE) throw new Error('DNS response too short')
+
+  const view = new DataView(data.buffer, data.byteOffset, data.byteLength)
+  const flags = view.getUint16(2)
+  const rcode = flags & 0xf
+
+  if (rcode !== 0) {
+    const label = rcode === 3 ? 'NXDOMAIN' : rcode === 2 ? 'SERVFAIL' : `RCODE_${rcode}`
+    throw new Error(`DNS resolution failed: ${label}`)
+  }
+
+  const ancount = view.getUint16(6)
+  if (ancount === 0) return []
+
+  // Skip question section
+  let offset = DNS_HEADER_SIZE
+  const qdcount = view.getUint16(4)
+  for (let i = 0; i < qdcount; i++) {
+    offset = skipName(data, offset)
+    offset += 4 // QTYPE + QCLASS
+  }
+
+  // Parse answer section
+  const records: ParsedRecord[] = []
+  for (let i = 0; i < ancount && offset < data.length; i++) {
+    offset = skipName(data, offset)
+    if (offset + 10 > data.length) break
+
+    const rtype = view.getUint16(offset)
+    offset += 4 // TYPE + CLASS
+    offset += 4 // TTL
+    const rdlen = view.getUint16(offset)
+    offset += 2
+
+    if (offset + rdlen > data.length) break
+
+    if (rtype === DNS_TYPE_A && rdlen === 4) {
+      const ip = `${data[offset]}.${data[offset + 1]}.${data[offset + 2]}.${data[offset + 3]}`
+      records.push({ type: DNS_TYPE_A, data: ip })
+    } else if (rtype === DNS_TYPE_AAAA && rdlen === 16) {
+      const groups: string[] = []
+      for (let g = 0; g < 16; g += 2) {
+        groups.push(view.getUint16(offset + g).toString(16))
+      }
+      records.push({ type: DNS_TYPE_AAAA, data: groups.join(':') })
+    }
+
+    offset += rdlen
+  }
+
+  return records
+}
+
+// ── Base64url encoding ──────────────────────────────────────────────
+
+function toBase64url(data: Uint8Array): string {
+  const base64 = Buffer.from(data).toString('base64')
+  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
 }
 
+// ── Public API ──────────────────────────────────────────────────────
+
 async function queryDns(
   hostname: string,
   gatewayUrl: string,
-  type: 'A' | 'AAAA',
+  qtype: number,
   signal: AbortSignal,
-): Promise<DnsAnswer[]> {
-  const url = `${gatewayUrl}dns-query?name=${encodeURIComponent(hostname)}&type=${type}`
+): Promise<ParsedRecord[]> {
+  const wire = buildQuery(hostname, qtype)
+  const encoded = toBase64url(wire)
+  const url = `${gatewayUrl}dns-query?dns=${encoded}`
   const response = await fetch(url, {
-    headers: { Accept: 'application/dns-json' },
+    headers: { Accept: 'application/dns-message' },
     signal,
-    redirect: 'error', // Prevent gateway redirects to internal services
+    redirect: 'error',
   })
   if (!response.ok) {
-    throw new Error(`DNS query failed: HTTP ${response.status} for ${hostname} (${type})`)
+    throw new Error(`DNS query failed: HTTP ${response.status} for ${hostname}`)
   }
-  const data = (await response.json()) as DnsResponse
-  return data.Answer ?? []
+  const buf = await response.arrayBuffer()
+  return parseResponse(new Uint8Array(buf))
 }
 
 /**
  * Resolve a Handshake (HNS) hostname via a DNS-over-HTTPS gateway.
  *
+ * Uses RFC 8484 wire-format DoH (GET with ?dns= parameter), which is
+ * supported by the default HDNS gateway (query.hdns.io).
+ *
  * Tries an A record first; falls back to AAAA if no A records are returned.
  * Throws if neither resolves, the gateway returns an error, or the request
  * times out.
@@ -67,8 +192,8 @@ export async function resolveHns(
 
   try {
     // Try A record first
-    const aAnswers = await queryDns(hostname, gatewayUrl, 'A', controller.signal)
-    const aRecord = aAnswers.find(a => a.type === 1)
+    const aRecords = await queryDns(hostname, gatewayUrl, DNS_TYPE_A, controller.signal)
+    const aRecord = aRecords.find(r => r.type === DNS_TYPE_A)
     if (aRecord) {
       if (!isValidIpFormat(aRecord.data, 4)) {
         throw new Error(`HNS gateway returned invalid IPv4 address for ${hostname}`)
@@ -77,8 +202,8 @@ export async function resolveHns(
     }
 
     // Fall back to AAAA
-    const aaaaAnswers = await queryDns(hostname, gatewayUrl, 'AAAA', controller.signal)
-    const aaaaRecord = aaaaAnswers.find(a => a.type === 28)
+    const aaaaRecords = await queryDns(hostname, gatewayUrl, DNS_TYPE_AAAA, controller.signal)
+    const aaaaRecord = aaaaRecords.find(r => r.type === DNS_TYPE_AAAA)
     if (aaaaRecord) {
       if (!isValidIpFormat(aaaaRecord.data, 6)) {
         throw new Error(`HNS gateway returned invalid IPv6 address for ${hostname}`)