# Changelog

All notable changes to PeerNet are documented here. The format is
based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and
this project follows [Semantic Versioning](https://semver.org/) once
it reaches `1.0.0`.

## [Unreleased]

### Added

- **Credo** added as a dev/test dependency with `--strict` cleanliness.
  Configuration in `.credo.exs` (default + a few project-specific
  refinements). All current source passes `mix credo --strict` with
  zero issues.

### Added

- **`PeerNet.NetworkMonitor`** behaviour + **`Polling`** default
  implementation. Notices when local IP set changes (e.g. WiFi
  switch) and notifies subscribers. Wires into Registry so a
  network change triggers immediate teardown of all live connections
  — much faster than waiting for TCP keepalive or app-level
  Liveness to time out the dead links.
- **Noise XX handshake** — full
  `Noise_XX_25519_ChaChaPoly_SHA256` implementation in pure Elixir
  on `:crypto`. SymmetricState, CipherState, HandshakeState, all
  message-pattern processing per the Noise spec.
- **`PeerNet.Channel`** — post-handshake AEAD wrapper. ChaCha20-
  Poly1305 with the Noise nonce format, per-direction
  CipherStates, counter-exhaustion protection.
- **`PeerNet.BeamDist`** — convenience module for asymmetric-trust
  RPC. The "phone controlling Nerves" use case in 5 lines on each
  side.
- **`PeerNet.Discovery.UDP`** — LAN broadcast discovery. Compact
  39-byte announce frame, configurable cadence and listen port,
  pluggable transport for testability.
- **Auto-reconnect** — Registry redials trusted peers with
  exponential backoff (500ms → 1s → 2s → ... → 30s cap) when their
  connection drops.
- **`PeerNet.Liveness`** — app-level heartbeat. Per-ping check
  timers detect dead peers in seconds rather than waiting for TCP
  keepalive.
- **`PeerNet.Discovery`** behaviour with **`Manual`** and **`UDP`**
  reference implementations.
- **`PeerNet.Registry`** — pubkey-keyed peer state with auto-
  connect on discovery and reconnect on disconnect.
- **`PeerNet.Frame.encode_raw/1` and `decode_raw/1`** — bypass ETF
  for already-encoded bytes (used by Channel for AEAD ciphertexts).

### Changed

- **`PeerNet.Identity` migrated from Ed25519 to X25519** — Noise's
  DH primitive is X25519. The keyfile magic bumped from `0x01` →
  `0x02`; old keyfiles return `{:error, :invalid_keyfile}` on load
  rather than silently misbehaving. Apps must regenerate identities
  after upgrading.

### Removed

- `PeerNet.PeerIndex` — replaced by `PeerNet.Registry`, which
  subsumes its responsibilities and adds discovery / reconnect.
- `PeerNet.Identity.sign/2` and `verify/3` — Noise XX cryptographic-
  ally binds peer identity into the transcript hash; explicit
  per-message signatures are no longer used. Apps that need long-
  term-key sigs for app-level data should layer that themselves.

### Security

- The wire is now end-to-end AEAD-encrypted. Previous milestones
  (M2 POC) shipped plaintext over TCP — never use a v0.0 build for
  anything beyond local-network testing.
- Frame and Channel both use `:erlang.binary_to_term/2` with
  `:safe` to defend against atom-table exhaustion from malformed
  or hostile peers.

## [0.0.1] — 2026-05-05 (POC)

Initial walkable POC. Identity, Trust, Frame, Handlers (pure layer);
Connection, Acceptor, Handshake (transport layer with plaintext +
Ed25519 challenge-response). Not released to Hex.