From 8b3d93ba9f69ec700da5a6dc1af0ad7c7a758f5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9Cramfox=E2=80=9D?= <“kasey@n0.computer”>
Date: Wed, 10 Dec 2025 00:46:28 -0500
Subject: [PATCH 1/2] refactor(iroh)!: make net-report private

we no longer use net-report in `iroh-doctor`, so we can make this private now
---
 iroh/src/endpoint.rs           | 8 ++++----
 iroh/src/lib.rs                | 3 ++-
 iroh/src/net_report/options.rs | 2 ++
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/iroh/src/endpoint.rs b/iroh/src/endpoint.rs
index 54b622b694e..15e8006c3f1 100644
--- a/iroh/src/endpoint.rs
+++ b/iroh/src/endpoint.rs
@@ -33,11 +33,11 @@ use crate::discovery::pkarr::PkarrResolver;
 #[cfg(not(wasm_browser))]
 use crate::dns::DnsResolver;
 use crate::{
+    NetReport,
     discovery::{ConcurrentDiscovery, DiscoveryError, DynIntoDiscovery, IntoDiscovery, UserData},
     endpoint::presets::Preset,
     magicsock::{self, Handle, RemoteStateActorStoppedError, mapped_addrs::MappedAddr},
     metrics::EndpointMetrics,
-    net_report::Report,
     tls::{self, DEFAULT_MAX_TLS_TICKETS},
 };
 
@@ -867,8 +867,8 @@ impl Endpoint {
     ///
     /// This has no timeout, so if that is needed, you need to wrap it in a
     /// timeout. We recommend using a timeout close to
-    /// [`crate::net_report::TIMEOUT`], so you can be sure that at least one
-    /// [`crate::net_report::Report`] has been attempted.
+    /// [`crate::NET_REPORT_TIMEOUT`]s, so you can be sure that at least one
+    /// [`crate::NetReport`] has been attempted.
     ///
     /// To understand if the endpoint has gone back "offline",
     /// you must use the [`Endpoint::watch_addr`] method, to
@@ -906,7 +906,7 @@ impl Endpoint {
     /// # });
     /// ```
     #[doc(hidden)]
-    pub fn net_report(&self) -> impl Watcher<Value = Option<Report>> + use<> {
+    pub fn net_report(&self) -> impl Watcher<Value = Option<NetReport>> + use<> {
         self.msock.net_report()
     }
 
diff --git a/iroh/src/lib.rs b/iroh/src/lib.rs
index a2be352d20b..20524c898fb 100644
--- a/iroh/src/lib.rs
+++ b/iroh/src/lib.rs
@@ -266,7 +266,7 @@ pub mod discovery;
 pub mod dns;
 pub mod endpoint;
 pub mod metrics;
-pub mod net_report;
+mod net_report;
 pub mod protocol;
 
 pub use endpoint::{Endpoint, RelayMode};
@@ -276,6 +276,7 @@ pub use iroh_base::{
 };
 pub use iroh_relay::{RelayConfig, RelayMap, endpoint_info};
 pub use n0_watcher::Watcher;
+pub use net_report::{Report as NetReport, TIMEOUT as NET_REPORT_TIMEOUT};
 
 #[cfg(any(test, feature = "test-utils"))]
 pub mod test_utils;
diff --git a/iroh/src/net_report/options.rs b/iroh/src/net_report/options.rs
index db1ef221b19..336bedd45e9 100644
--- a/iroh/src/net_report/options.rs
+++ b/iroh/src/net_report/options.rs
@@ -41,6 +41,7 @@ mod imp {
 
     impl Options {
         /// Create an [`Options`] that disables all probes
+        #[allow(dead_code)]
         pub fn disabled() -> Self {
             Self {
                 quic_config: None,
@@ -57,6 +58,7 @@ mod imp {
         }
 
         /// Enable or disable https probe
+        #[allow(dead_code)]
         pub fn https(mut self, enable: bool) -> Self {
             self.https = enable;
             self

From 56115f7559468194468fa3eeefdf82cdf1a7ed13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9Cramfox=E2=80=9D?= <“kasey@n0.computer”>
Date: Wed, 10 Dec 2025 20:19:15 -0500
Subject: [PATCH 2/2] refactor: restrict visibility within the `net_report`
 crate itself

---
 iroh/src/net_report.rs           |  3 +--
 iroh/src/net_report/options.rs   | 34 ++++++++------------------------
 iroh/src/net_report/reportgen.rs | 24 +++++++++++-----------
 3 files changed, 21 insertions(+), 40 deletions(-)

diff --git a/iroh/src/net_report.rs b/iroh/src/net_report.rs
index a6eb05cd4e7..d10dc191acc 100644
--- a/iroh/src/net_report.rs
+++ b/iroh/src/net_report.rs
@@ -99,11 +99,10 @@ enum QadProbeError {
 use self::reportgen::SocketState;
 pub use self::{
     metrics::Metrics,
-    options::Options,
     probes::Probe,
     report::{RelayLatencies, Report},
-    reportgen::QuicConfig,
 };
+pub(crate) use self::{options::Options, reportgen::QuicConfig};
 
 const FULL_REPORT_INTERVAL: Duration = Duration::from_secs(5 * 60);
 const ENOUGH_ENDPOINTS: usize = 3;
diff --git a/iroh/src/net_report/options.rs b/iroh/src/net_report/options.rs
index 336bedd45e9..f299849429b 100644
--- a/iroh/src/net_report/options.rs
+++ b/iroh/src/net_report/options.rs
@@ -1,6 +1,6 @@
 //! Options for creating a report gen client.
 
-pub use imp::Options;
+pub(crate) use imp::Options;
 
 #[cfg(not(wasm_browser))]
 mod imp {
@@ -14,7 +14,7 @@ mod imp {
     ///
     /// Use [`Options::quic_config`] to enable  QUIC address discovery.
     #[derive(Debug, Clone)]
-    pub struct Options {
+    pub(crate) struct Options {
         /// The configuration needed to launch QUIC address discovery probes.
         ///
         /// If not provided, will not run QUIC address discovery.
@@ -40,39 +40,21 @@ mod imp {
     }
 
     impl Options {
-        /// Create an [`Options`] that disables all probes
-        #[allow(dead_code)]
-        pub fn disabled() -> Self {
-            Self {
-                quic_config: None,
-                https: false,
-                #[cfg(any(test, feature = "test-utils"))]
-                insecure_skip_relay_cert_verify: false,
-            }
-        }
-
         /// Enable quic probes
-        pub fn quic_config(mut self, quic_config: Option<QuicConfig>) -> Self {
+        pub(crate) fn quic_config(mut self, quic_config: Option<QuicConfig>) -> Self {
             self.quic_config = quic_config;
             self
         }
 
-        /// Enable or disable https probe
-        #[allow(dead_code)]
-        pub fn https(mut self, enable: bool) -> Self {
-            self.https = enable;
-            self
-        }
-
         /// Skip cert verification
         #[cfg(any(test, feature = "test-utils"))]
-        pub fn insecure_skip_relay_cert_verify(mut self, skip: bool) -> Self {
+        pub(crate) fn insecure_skip_relay_cert_verify(mut self, skip: bool) -> Self {
             self.insecure_skip_relay_cert_verify = skip;
             self
         }
 
         /// Turn the options into set of valid protocols
-        pub fn as_protocols(&self) -> BTreeSet<Probe> {
+        pub(crate) fn as_protocols(&self) -> BTreeSet<Probe> {
             let mut protocols = BTreeSet::new();
             if let Some(ref quic) = self.quic_config {
                 if quic.ipv4 {
@@ -101,7 +83,7 @@ mod imp {
     /// Only HTTPS probes are supported in browsers.
     /// These are run by default.
     #[derive(Debug, Clone)]
-    pub struct Options {
+    pub(crate) struct Options {
         /// Enable https probes
         ///
         /// On by default
@@ -116,12 +98,12 @@ mod imp {
 
     impl Options {
         /// Create an [`Options`] that disables all probes
-        pub fn disabled() -> Self {
+        pub(crate) fn disabled() -> Self {
             Self { https: false }
         }
 
         /// Enable or disable https probe
-        pub fn https(mut self, enable: bool) -> Self {
+        pub(crate) fn https(mut self, enable: bool) -> Self {
             self.https = enable;
             self
         }
diff --git a/iroh/src/net_report/reportgen.rs b/iroh/src/net_report/reportgen.rs
index 60f7436f1fe..0507d5e86a6 100644
--- a/iroh/src/net_report/reportgen.rs
+++ b/iroh/src/net_report/reportgen.rs
@@ -76,9 +76,9 @@ pub(super) struct Client {
 #[derive(Debug, Clone, Default)]
 pub(crate) struct IfStateDetails {
     /// Do we have IPv4 capbilities
-    pub have_v4: bool,
+    pub(crate) have_v4: bool,
     /// Do we have IPv6 capbilities
-    pub have_v6: bool,
+    pub(crate) have_v6: bool,
 }
 
 impl IfStateDetails {
@@ -105,11 +105,11 @@ impl From<netwatch::netmon::State> for IfStateDetails {
 /// Factored out so it can be disabled easily in browsers.
 #[cfg(not(wasm_browser))]
 #[derive(Debug, Clone)]
-pub(crate) struct SocketState {
+pub(super) struct SocketState {
     /// QUIC client to do QUIC address Discovery
-    pub(crate) quic_client: Option<QuicClient>,
+    pub(super) quic_client: Option<QuicClient>,
     /// The DNS resolver to use for probes that need to resolve DNS records.
-    pub(crate) dns_resolver: DnsResolver,
+    pub(super) dns_resolver: DnsResolver,
 }
 
 impl Client {
@@ -468,16 +468,16 @@ pub(super) enum QuicError {
 
 /// Pieces needed to do QUIC address discovery.
 #[derive(derive_more::Debug, Clone)]
-pub struct QuicConfig {
+pub(crate) struct QuicConfig {
     /// A QUIC Endpoint
     #[debug("quinn::Endpoint")]
-    pub ep: quinn::Endpoint,
+    pub(crate) ep: quinn::Endpoint,
     /// A client config.
-    pub client_config: rustls::ClientConfig,
+    pub(crate) client_config: rustls::ClientConfig,
     /// Enable ipv4 QUIC address discovery probes
-    pub ipv4: bool,
+    pub(crate) ipv4: bool,
     /// Enable ipv6 QUIC address discovery probes
-    pub ipv6: bool,
+    pub(crate) ipv6: bool,
 }
 
 impl Probe {
@@ -638,7 +638,7 @@ fn get_quic_port(relay: &RelayConfig) -> Option<u16> {
 #[cfg(not(wasm_browser))]
 #[stack_error(derive, add_meta)]
 #[non_exhaustive]
-pub enum GetRelayAddrError {
+pub(super) enum GetRelayAddrError {
     #[error("No valid hostname in the relay URL")]
     InvalidHostname,
     #[error("No suitable relay address found for {url} ({addr_type})")]
@@ -758,7 +758,7 @@ async fn relay_lookup_ipv6_staggered(
 
 #[stack_error(derive, add_meta)]
 #[non_exhaustive]
-pub enum MeasureHttpsLatencyError {
+pub(super) enum MeasureHttpsLatencyError {
     #[error(transparent)]
     InvalidUrl {
         #[error(std_err, from)]