datum-cloud
diff --git a/‎Cargo.lock‎
Lines changed: 54 additions & 2 deletions b/‎Cargo.lock‎
Lines changed: 54 additions & 2 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 148 additions & 0 deletions b/‎README.md‎
Lines changed: 148 additions & 0 deletions
diff --git a/‎cli/Cargo.toml‎
Lines changed: 8 additions & 0 deletions b/‎cli/Cargo.toml‎
Lines changed: 8 additions & 0 deletions
@@ -24,6 +24,7 @@ iroh-base = { version = "0.95" }
 iroh-tickets = "0.2"
 iroh-metrics = "0.38"
 iroh-n0des = { version = "0.8", features = ["tickets"] }
+iroh-relay = { version = "0.95" }
 log = "0.4"
 open = "5"
 openidconnect = "4.0.1"
 
@@ -17,6 +17,154 @@ cd cli
 cargo run -- --help
 ```
 
+### Local forward-proxy demo (no GUI)
+This exercises the CONNECT-based gateway flow that Envoy will use in staging/prod.
+
+#### 1) Start a local DNS dev server (out-of-band)
+Use a non-`.local` origin (e.g. `datumconnect.test`):
+
+```
+cargo run -p datum-connect -- dns-dev serve \
+  --origin datumconnect.test \
+  --bind 127.0.0.1:53535 \
+  --data ./dns-dev.yml
+```
+
+#### 2) Start the listen node (connector side)
+This prints the endpoint id and the iroh UDP bound sockets you must publish:
+
+```
+cargo run -p datum-connect -- serve
+```
+
+Copy the printed `dns-dev upsert` example, but run it via `cargo run -p datum-connect -- ...`
+and make sure the origin matches `datumconnect.test`. Quote IPv6 addresses like `"[::]:1234"`.
+
+#### 3) Verify TXT resolution
+Get the z-base-32 endpoint id:
+
+```
+python - <<'PY'
+import binascii
+ALPH = "ybndrfg8ejkmcpqxot1uwisza345h769"
+def zbase32(data):
+    bits = 0
+    value = 0
+    out = []
+    for b in data:
+        value = (value << 8) | b
+        bits += 8
+        while bits >= 5:
+            out.append(ALPH[(value >> (bits - 5)) & 31])
+            bits -= 5
+    if bits:
+        out.append(ALPH[(value << (5 - bits)) & 31])
+    return "".join(out)
+endpoint="REPLACE_WITH_ENDPOINT_ID"
+print(zbase32(binascii.unhexlify(endpoint)))
+PY
+```
+
+Then query the TXT record:
+
+```
+dig +norecurse @127.0.0.1 -p 53535 TXT _iroh.<z32>.datumconnect.test
+```
+
+#### 4) Start the gateway in forward mode
+
+```
+cargo run -p datum-connect -- gateway \
+  --port 18080 \
+  --mode forward \
+  --discovery dns \
+  --dns-origin datumconnect.test \
+  --dns-resolver 127.0.0.1:53535
+```
+
+#### 5) Send a CONNECT request
+If your target TCP service is on `127.0.0.1:5173`:
+
+```
+printf "CONNECT 127.0.0.1:5173 HTTP/1.1\r\nHost: 127.0.0.1:5173\r\nx-datum-node-id: REPLACE_WITH_ENDPOINT_ID\r\nx-datum-target-protocol: tcp\r\n\r\n" | nc 127.0.0.1 8080
+```
+
+### GUI demo (browser tunnel)
+This mirrors the same flow, but uses the GUI to create the proxy entry.
+
+If you want a one-shot experience, run:
+
+```
+./scripts/try-ui-demo.sh
+```
+
+It starts dns-dev, an HTTPS origin, the gateway, and the GUI, and waits for you to
+create a TCP proxy in the UI before visiting `https://localhost:5173` in the browser.
+
+#### 1) Start `dns-dev`
+```
+cargo run -p datum-connect -- dns-dev serve \
+  --origin datumconnect.test \
+  --bind 127.0.0.1:53535 \
+  --data ./dns-dev.yml
+```
+
+#### 2) Start a local HTTPS origin (so the browser uses CONNECT)
+```
+openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
+  -keyout /tmp/iroh-dev.key -out /tmp/iroh-dev.crt \
+  -subj "/CN=localhost"
+openssl s_server -accept 5173 -cert /tmp/iroh-dev.crt -key /tmp/iroh-dev.key -www
+```
+
+#### 3) Run the GUI (share the repo with CLI)
+```
+export DATUM_CONNECT_REPO=$(pwd)/.datum-connect-dev
+cd ui
+dx serve --platform desktop
+```
+
+#### 4) Create a proxy in the GUI
+Add a TCP proxy for `127.0.0.1:5173`.
+
+#### 5) Start the listen node (uses the same repo)
+```
+cd ..
+export DATUM_CONNECT_REPO=$(pwd)/.datum-connect-dev
+cargo run -p datum-connect -- serve
+```
+Copy the printed `dns-dev upsert` example, but change the origin to `datumconnect.test`
+and run it via `cargo run -p datum-connect -- ...` (quote IPv6 addresses).
+
+#### 6) Start the gateway in forward mode
+```
+export DATUM_CONNECT_REPO=$(pwd)/.datum-connect-dev
+cargo run -p datum-connect -- gateway \
+  --port 18080 \
+  --mode forward \
+  --discovery dns \
+  --dns-origin datumconnect.test \
+  --dns-resolver 127.0.0.1:53535
+```
+
+#### 7) Start a local entrypoint that always tunnels through the gateway
+This avoids any browser proxy configuration. It listens on `127.0.0.1:8888` and
+uses CONNECT under the hood to reach the target:
+```
+cargo run -p datum-connect -- tunnel-dev \
+  --gateway 127.0.0.1:8080 \
+  --node-id REPLACE_WITH_ENDPOINT_ID \
+  --target-host 127.0.0.1 \
+  --target-port 5173
+```
+Now visit:
+```
+https://localhost:8888
+```
+You should see the `openssl s_server` status page (cipher list + handshake info).
+That output is expected and means the CONNECT request tunneled through the gateway
+to the local origin.
+
 ### Running the UI:
 
 to run the UI, make sure you have rust, cargo, and dioxus installed:
 
@@ -12,3 +12,11 @@ tracing-subscriber.workspace = true
 clap = { version = "4.5.50", features = ["derive", "env"] }
 tracing.workspace = true
 tokio-util.workspace = true
+async-trait = "0.1.89"
+humantime = "2.1.0"
+serde.workspace = true
+serde_yml.workspace = true
+hickory-server = "0.25.2"
+hickory-proto = "0.25.2"
+iroh-base.workspace = true
+z32 = "1.0.3"