Add private/backend DNS FQDNs and route SDK via HTTPS over WG tunnel

DNS records for encrypted private API access over WireGuard:
- private.<id>.<region>.seip.<domain> → server tunnel IP (client→server HTTPS)
- backend.<id>.<region>.seip.<domain> → server backbone IP (server→server mesh)
- private.<id>.ep.<domain> → client tunnel IP (registered on join)

SDK: after join, stores server_private_fqdn from response and routes
all private API calls (tree, IPAM, mesh, relay, certs) through
HTTPS to the private FQDN over the WG tunnel. Falls back to public
API if tunnel is not available.

Server: registers private + backend DNS A records on startup and
client private DNS on join. Passes dns + server_private_fqdn to
ApiContext for use by request handlers.

Author: Geramy

projects/LemonadeNexus/include/LemonadeNexus/Api/IRequestHandler.hpp

@@ -33,6 +33,7 @@ namespace nexus::acme { class AcmeService; }
 namespace nexus::network {
     class HttpServer;
     class DdnsService;
+    class DnsService;
 }
 namespace nexus::relay {
     class RelayService;
@@ -65,7 +66,9 @@ struct ApiContext {
     core::TrustPolicyService&         trust_policy;
     core::GovernanceService&          governance;
     wireguard::WireGuardService*      wireguard{nullptr};
+    network::DnsService*              dns{nullptr};
     std::string                       server_fqdn;
+    std::string                       server_private_fqdn;  // private.<id>.<region>.seip.<domain>
     std::string                       server_public_ip;
     std::string                       tunnel_bind_ip;
 };

projects/LemonadeNexus/src/Api/TreeApiHandler.cpp

@@ -10,6 +10,7 @@
 #include <LemonadeNexus/Crypto/SodiumCryptoService.hpp>
 #include <LemonadeNexus/Core/ServerConfig.hpp>
 #include <LemonadeNexus/WireGuard/WireGuardService.hpp>
+#include <LemonadeNexus/Network/DnsService.hpp>
 #include <LemonadeNexus/ACL/Permission.hpp>
 
 #include <spdlog/spdlog.h>
@@ -177,20 +178,35 @@ void TreeApiHandler::do_register_routes(httplib::Server& pub, httplib::Server& p
             wg_endpoint = ctx_.server_public_ip + ":" + std::to_string(ctx_.config.udp_port);
         }
 
+        // Register private DNS for this client: private.<node_id>.ep.<domain> -> tunnel IP
+        std::string client_tunnel_ip_bare = alloc.base_network;
+        if (auto slash = client_tunnel_ip_bare.find('/'); slash != std::string::npos) {
+            client_tunnel_ip_bare = client_tunnel_ip_bare.substr(0, slash);
+        }
+        std::string client_private_fqdn;
+        if (ctx_.dns && !client_tunnel_ip_bare.empty()) {
+            client_private_fqdn = "private." + node_id + ".ep." + ctx_.config.dns_base_domain;
+            ctx_.dns->set_record(client_private_fqdn, "A", client_tunnel_ip_bare, 300);
+            spdlog::info("[Join] registered DNS: {} -> {}", client_private_fqdn, client_tunnel_ip_bare);
+        }
+
         nlohmann::json resp = {
             {"token",            auth_result.session_token},
             {"node_id",          node_id},
             {"tunnel_ip",        alloc.base_network},
             {"tunnel_subnet",    "10.64.0.0/10"},
             {"server_tunnel_ip", server_tunnel},
+            {"server_private_fqdn", ctx_.server_private_fqdn},
+            {"client_private_fqdn", client_private_fqdn},
             {"private_api_port", !ctx_.tunnel_bind_ip.empty()
                                      ? ctx_.config.private_http_port
                                      : ctx_.config.http_port},
             {"wg_server_pubkey", wg_server_pubkey},
             {"wg_endpoint",      wg_endpoint},
             {"dns_servers",      nlohmann::json::array({server_tunnel})},
         };
-        spdlog::info("[Join] node={} tunnel_ip={} wg_endpoint={}", node_id, alloc.base_network, wg_endpoint);
+        spdlog::info("[Join] node={} tunnel_ip={} wg_endpoint={} private_fqdn={}",
+                      node_id, alloc.base_network, wg_endpoint, client_private_fqdn);
         json_response(res, resp);
     });
 

projects/LemonadeNexus/src/main.cpp

@@ -432,12 +432,17 @@ int main(int argc, char* argv[]) {
 
     // Publish SEIP records: <id>.<region>.seip.<domain> for geo-aware discovery
     dns.set_server_region(config.region);
+    std::string server_private_fqdn;
     {
         auto seip_id = nexus::core::resolve_server_node_id(storage);
         if (!seip_id.empty() && !config.region.empty() && !server_public_ip.empty()) {
             dns.publish_seip_records(seip_id, config.region, server_public_ip);
             spdlog::info("SEIP: published {}.{}.seip.{} -> {}",
                           seip_id, config.region, config.dns_base_domain, server_public_ip);
+
+            // Register private FQDN for HTTPS over WG tunnel
+            server_private_fqdn = "private." + seip_id + "." + config.region +
+                                  ".seip." + config.dns_base_domain;
         }
     }
 
@@ -582,6 +587,32 @@ int main(int argc, char* argv[]) {
         spdlog::warn("Backbone: skipping (no server node ID or WG key)");
     }
 
+    // ========================================================================
+    // Private DNS records: private/backend FQDNs → tunnel/backbone IPs
+    // ========================================================================
+    {
+        auto seip_id = nexus::core::resolve_server_node_id(storage);
+        if (!seip_id.empty() && !config.region.empty()) {
+            // private.<id>.<region>.seip.<domain> → server tunnel IP (for client HTTPS)
+            if (!tunnel_bind_ip.empty()) {
+                server_private_fqdn = "private." + seip_id + "." + config.region +
+                                      ".seip." + config.dns_base_domain;
+                dns.set_record(server_private_fqdn, "A", tunnel_bind_ip, 300);
+                spdlog::info("DNS: private {} -> {}", server_private_fqdn, tunnel_bind_ip);
+            }
+
+            // backend.<id>.<region>.seip.<domain> → server backbone IP (for server-to-server)
+            auto slash = backbone_ip.find('/');
+            auto bb_bare = (slash != std::string::npos) ? backbone_ip.substr(0, slash) : backbone_ip;
+            if (!bb_bare.empty()) {
+                auto backend_fqdn = "backend." + seip_id + "." + config.region +
+                                    ".seip." + config.dns_base_domain;
+                dns.set_record(backend_fqdn, "A", bb_bare, 300);
+                spdlog::info("DNS: backend {} -> {}", backend_fqdn, bb_bare);
+            }
+        }
+    }
+
     // ========================================================================
     // HTTP Control Plane -- Dual-server architecture
     // ========================================================================
@@ -642,7 +673,9 @@ int main(int argc, char* argv[]) {
         .trust_policy     = trust_policy,
         .governance       = governance,
         .wireguard        = &wireguard_service,
+        .dns              = &dns,
         .server_fqdn      = server_fqdn,
+        .server_private_fqdn = server_private_fqdn,
         .server_public_ip = server_public_ip,
         .tunnel_bind_ip   = tunnel_bind_ip,
     };

projects/LemonadeNexusSDK/src/LemonadeNexusClient.cpp

@@ -23,6 +23,8 @@ struct LemonadeNexusClient::Impl {
     Identity     identity;
     std::string  session_token;
     std::string  node_id;
+    std::string  server_private_fqdn;  // e.g. "private.<id>.<region>.seip.lemonade-nexus.io"
+    uint16_t     private_port{9101};
     mutable std::mutex mutex;
 
     // Server pool with health state
@@ -221,6 +223,65 @@ struct LemonadeNexusClient::Impl {
         return std::nullopt;
     }
 
+    // --- Private API (HTTPS over WG tunnel via private FQDN) ---
+
+    std::string private_base_url() const {
+        if (!server_private_fqdn.empty()) {
+            return "https://" + server_private_fqdn + ":" + std::to_string(private_port);
+        }
+        return current_base_url();
+    }
+
+    std::optional<json> private_http_get(const std::string& path, int& status_out) {
+        if (server_private_fqdn.empty()) {
+            return http_get(path, status_out);
+        }
+        try {
+            httplib::Client cli(private_base_url());
+            cli.set_connection_timeout(config.connect_timeout_sec);
+            cli.set_read_timeout(config.read_timeout_sec);
+            cli.enable_server_certificate_verification(true);
+            auto res = cli.Get(path, auth_headers());
+            if (!res) {
+                spdlog::debug("[LemonadeNexusClient] private GET {} failed, falling back", path);
+                return http_get(path, status_out);
+            }
+            status_out = res->status;
+            if (res->status < 200 || res->status >= 300) {
+                try { return json::parse(res->body); } catch (...) { return std::nullopt; }
+            }
+            return json::parse(res->body);
+        } catch (...) {
+            return http_get(path, status_out);
+        }
+    }
+
+    std::optional<json> private_http_post(const std::string& path, const json& body, int& status_out) {
+        if (server_private_fqdn.empty()) {
+            return http_post(path, body, status_out);
+        }
+        try {
+            httplib::Client cli(private_base_url());
+            cli.set_connection_timeout(config.connect_timeout_sec);
+            cli.set_read_timeout(config.read_timeout_sec);
+            cli.enable_server_certificate_verification(true);
+            auto res = cli.Post(path, auth_headers(), body.dump(), "application/json");
+            if (!res) {
+                spdlog::debug("[LemonadeNexusClient] private POST {} failed, falling back", path);
+                return http_post(path, body, status_out);
+            }
+            status_out = res->status;
+            if (res->status < 200 || res->status >= 300) {
+                try { return json::parse(res->body); } catch (...) {
+                    json err; err["error"] = "HTTP " + std::to_string(res->status); return err;
+                }
+            }
+            return json::parse(res->body);
+        } catch (...) {
+            return http_post(path, body, status_out);
+        }
+    }
+
     // Discover additional servers via /api/servers
     void discover_servers() {
         if (has_discovered) return;
@@ -767,7 +828,7 @@ Result<AuthResponse> LemonadeNexusClient::register_passkey_credential(const std:
 Result<TreeNode> LemonadeNexusClient::get_tree_node(const std::string& node_id) {
     Result<TreeNode> result;
     int status = 0;
-    auto resp = impl_->http_get("/api/tree/node/" + node_id, status);
+    auto resp = impl_->private_http_get("/api/tree/node/" + node_id, status);
     result.http_status = status;
 
     if (!resp) {
@@ -798,7 +859,7 @@ Result<DeltaResult> LemonadeNexusClient::submit_delta(const TreeDelta& delta) {
     json body = signed_delta;
 
     int status = 0;
-    auto resp = impl_->http_post("/api/tree/delta", body, status);
+    auto resp = impl_->private_http_post("/api/tree/delta", body, status);
     result.http_status = status;
 
     if (!resp) {
@@ -830,7 +891,7 @@ Result<DeltaResult> LemonadeNexusClient::create_child_node(const std::string& pa
     if (!child.hostname.empty()) body["hostname"] = child.hostname;
 
     int status = 0;
-    auto resp = impl_->http_post("/api/tree/node", body, status);
+    auto resp = impl_->private_http_post("/api/tree/node", body, status);
     result.http_status = status;
 
     if (!resp) {
@@ -851,7 +912,7 @@ Result<DeltaResult> LemonadeNexusClient::update_node(const std::string& node_id,
     Result<DeltaResult> result;
 
     int status = 0;
-    auto resp = impl_->http_post("/api/tree/node/update/" + node_id, updates, status);
+    auto resp = impl_->private_http_post("/api/tree/node/update/" + node_id, updates, status);
     result.http_status = status;
 
     if (!resp) {
@@ -872,7 +933,7 @@ Result<DeltaResult> LemonadeNexusClient::delete_node(const std::string& node_id)
 
     int status = 0;
     json body = json::object(); // empty body
-    auto resp = impl_->http_post("/api/tree/node/delete/" + node_id, body, status);
+    auto resp = impl_->private_http_post("/api/tree/node/delete/" + node_id, body, status);
     result.http_status = status;
 
     if (!resp) {
@@ -890,7 +951,7 @@ Result<DeltaResult> LemonadeNexusClient::delete_node(const std::string& node_id)
 Result<std::vector<TreeNode>> LemonadeNexusClient::get_children(const std::string& parent_id) {
     Result<std::vector<TreeNode>> result;
     int status = 0;
-    auto resp = impl_->http_get("/api/tree/children/" + parent_id, status);
+    auto resp = impl_->private_http_get("/api/tree/children/" + parent_id, status);
     result.http_status = status;
 
     if (!resp) {
@@ -930,7 +991,7 @@ Result<AllocationResponse> LemonadeNexusClient::allocate_ip(const AllocationRequ
     }
 
     int status = 0;
-    auto resp = impl_->http_post("/api/ipam/allocate", body, status);
+    auto resp = impl_->private_http_post("/api/ipam/allocate", body, status);
     result.http_status = status;
 
     if (!resp) {
@@ -964,7 +1025,7 @@ Result<std::vector<RelayNodeInfo>> LemonadeNexusClient::list_relays() {
     Result<std::vector<RelayNodeInfo>> result;
 
     int status = 0;
-    auto resp = impl_->http_get("/api/relay/list", status);
+    auto resp = impl_->private_http_get("/api/relay/list", status);
     result.http_status = status;
 
     if (!resp) {
@@ -1001,7 +1062,7 @@ Result<RelayTicket> LemonadeNexusClient::request_relay_ticket(const std::string&
     body["relay_id"] = relay_id;
 
     int status = 0;
-    auto resp = impl_->http_post("/api/relay/ticket", body, status);
+    auto resp = impl_->private_http_post("/api/relay/ticket", body, status);
     result.http_status = status;
 
     if (!resp) {
@@ -1032,7 +1093,7 @@ Result<RelayRegisterResult> LemonadeNexusClient::register_relay(const RelayRegis
     body["supports_relay"]  = reg.supports_relay;
 
     int status = 0;
-    auto resp = impl_->http_post("/api/relay/register", body, status);
+    auto resp = impl_->private_http_post("/api/relay/register", body, status);
     result.http_status = status;
 
     if (!resp) {
@@ -1058,7 +1119,7 @@ Result<CertStatus> LemonadeNexusClient::get_cert_status(const std::string& domai
     Result<CertStatus> result;
 
     int status = 0;
-    auto resp = impl_->http_get("/api/certs/" + domain, status);
+    auto resp = impl_->private_http_get("/api/certs/" + domain, status);
     result.http_status = status;
 
     if (!resp) {
@@ -1340,6 +1401,15 @@ Result<JoinResult> LemonadeNexusClient::join_network(const std::string& username
     {
         std::lock_guard lock(impl_->mutex);
         impl_->node_id = node_id;
+        // Store server private FQDN for HTTPS over WG tunnel
+        auto srv_priv_fqdn = resp->value("server_private_fqdn", std::string{});
+        if (!srv_priv_fqdn.empty()) {
+            impl_->server_private_fqdn = srv_priv_fqdn;
+            impl_->private_port = static_cast<uint16_t>(
+                resp->value("private_api_port", 9101));
+            spdlog::info("[LemonadeNexusClient] private API via HTTPS: {}:{}",
+                          srv_priv_fqdn, impl_->private_port);
+        }
     }
 
     // Step 4: Configure the WireGuard tunnel (bring up if we have a tunnel IP)
@@ -1769,7 +1839,7 @@ void LemonadeNexusClient::set_mesh_callback(MeshStateCallback cb) {
 
 Result<std::vector<MeshPeer>> LemonadeNexusClient::fetch_mesh_peers(const std::string& nid) {
     int status = 0;
-    auto resp = impl_->http_get("/api/mesh/peers/" + nid, status);
+    auto resp = impl_->private_http_get("/api/mesh/peers/" + nid, status);
     if (!resp) {
         return {false, {}, status, "mesh peers request failed"};
     }
@@ -1834,7 +1904,7 @@ StatusResult LemonadeNexusClient::mesh_heartbeat(const std::string& nid,
     body["endpoint"] = endpoint;
 
     int status = 0;
-    auto resp = impl_->http_post("/api/mesh/heartbeat", body, status);
+    auto resp = impl_->private_http_post("/api/mesh/heartbeat", body, status);
     if (!resp) {
         return {false, {}, status, "heartbeat request failed"};
     }