fix(transport): dual-route key-exchange for dual-NAT convergence

When two peers are both behind NAT (e.g. Mac home-NAT ↔ GCP VM stateful
conntrack), the direct PILA key-exchange frame never lands, and the
tunnel only reconverges after slow blackhole detection flips the peer to
relay mode — measured 28s–3min on the canonical Mac↔VM rig, far longer
than the dial/send timeouts, so send-file/send-message time out and the
crypto state desyncs.

sendKeyExchangeToNode now ALSO pushes the key-exchange via the beacon
relay whenever the peer is not yet relay-flagged and a beacon is
available. The relay copy converges in ~1 RTT. It is a no-op once the
peer is relay-flagged (the primary send already went via relay), and
relayProbeLoop keeps probing direct so a genuine direct path still
upgrades the peer out of relay. Best-effort: a failed relay copy falls
back to the existing slow path.

Adds routing.SendRelayFrame (forced-relay send primitive, ignores the
per-peer relay flag and blackhole heuristic) and the ClearRekeyGaveUp /
ClearLastRekeyReq rekey-state shims.

Verified on the canonical Mac↔VM dual-NAT rig:
- G2 liveness: idle 5min (and 90min) then small msg arrives, no reset.
- Small msg ACK in ~0.42s (was 28s–3min).
- 64KB send-file byte-perfect (sha256 match), incl. from a cold daemon
  restart (fresh in-memory peer table) — tunnel re-converges in ~12s.
- No regressions: 0 panics, 0 relay-copy failures on either end.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: teovl

pkg/daemon/routing/writeframe.go

@@ -82,3 +82,33 @@ func (m *Manager) WriteFrame(nodeID uint32, addr *net.UDPAddr, frame []byte, cou
 	_, _ = m.HandleSendError(nodeID, err)
 	return SendOutcome{}, err
 }
+
+// SendRelayFrame sends a frame to a peer via the beacon relay path
+// unconditionally — ignoring the per-peer relay flag and the blackhole
+// heuristic. Used by the key-exchange convergence path to guarantee a
+// dual-NAT peer receives the PILA via relay even before its relay flag
+// has been set. Without this, two peers both behind NAT only reconverge
+// after slow blackhole detection flips the direct path to relay
+// (measured 28s–3min on the Mac↔GCP-VM rig). Returns ErrNoAddress if no
+// beacon is configured. Does not bump the per-peer outbound-send
+// timestamp (this is an out-of-band copy, not the primary path).
+func (m *Manager) SendRelayFrame(nodeID uint32, frame []byte) error {
+	m.mu.RLock()
+	bAddr := m.beaconAddr
+	sock := m.sock
+	m.mu.RUnlock()
+	if bAddr == nil {
+		return ErrNoAddress
+	}
+	if sock == nil {
+		return fmt.Errorf("routing: socket not set")
+	}
+	// MsgRelay: [0x05][senderNodeID(4)][destNodeID(4)][frame...]
+	msg := make([]byte, 1+4+4+len(frame))
+	msg[0] = protocol.BeaconMsgRelay
+	binary.BigEndian.PutUint32(msg[1:5], m.localNodeID())
+	binary.BigEndian.PutUint32(msg[5:9], nodeID)
+	copy(msg[9:], frame)
+	_, err := sock.Send(msg, bAddr)
+	return err
+}

pkg/daemon/tunnel.go

@@ -407,6 +407,25 @@ func (tm *TunnelManager) pruneRekeyBudgetLocked(now time.Time) bool {
 	return len(tm.lastRekeyReq) < maxRekeyRequesters
 }
 
+// ClearRekeyGaveUp lifts the per-peer give-up cooldown so a fresh rekey
+// cycle can start immediately. Thin shim over keyexchange.Manager so the
+// IPC layer (pkg/daemon/ipc.go handlePreferDirect) can reach it without
+// importing the keyexchange package directly.
+func (tm *TunnelManager) ClearRekeyGaveUp(peerNodeID uint32) {
+	tm.kx.ClearRekeyGaveUp(peerNodeID)
+}
+
+// ClearLastRekeyReq drops the per-peer rate-limit timestamp recorded by
+// maybeRequestRekey. After a forced reset (pilotctl prefer-direct) the
+// next "encrypted packet but no key" event must be allowed to fire a
+// fresh PILA immediately — without this, the 3-second gate can silently
+// swallow the first packet that would otherwise re-establish the tunnel.
+func (tm *TunnelManager) ClearLastRekeyReq(peerNodeID uint32) {
+	tm.rekeyMu.Lock()
+	delete(tm.lastRekeyReq, peerNodeID)
+	tm.rekeyMu.Unlock()
+}
+
 // maybeRequestRekey conditionally sends a key-exchange to a peer that sent us
 // an encrypted packet we can't decrypt. Rate-limited per peer. Returns true if
 // we actually sent one.
@@ -1419,6 +1438,33 @@ func (tm *TunnelManager) deriveSecret(peerPubKeyBytes []byte) (*peerCrypto, erro
 // BOOTSTRAP-EXCEPTION marker — moved with the function).
 func (tm *TunnelManager) sendKeyExchangeToNode(peerNodeID uint32) {
 	tm.kx.SendKeyExchangeToNode(peerNodeID)
+
+	// Dual-NAT convergence fix: when a peer is not (yet) relay-flagged but
+	// a beacon is available, ALSO push the key-exchange via relay. For two
+	// peers both behind NAT the direct PILA never lands, and the tunnel
+	// only reconverges after slow blackhole detection flips the path to
+	// relay — measured 28s–3min on the Mac↔GCP-VM rig, far longer than the
+	// dial/send timeouts. The relay copy converges in ~1 RTT. This is a
+	// no-op once the peer is relay-flagged (the primary send already went
+	// via relay), and relayProbeLoop keeps probing direct so a genuine
+	// direct path still upgrades the peer out of relay. Best-effort: a
+	// failed relay copy just falls back to the existing slow path.
+	if tm.routing.IsRelayPeer(peerNodeID) || tm.routing.BeaconAddr() == nil {
+		return
+	}
+	var frame []byte
+	if tm.kx.HasIdentity() {
+		frame = tm.kx.BuildAuthFrame()
+	}
+	if frame == nil {
+		frame = tm.kx.BuildUnauthFrame()
+	}
+	if frame == nil {
+		return
+	}
+	if err := tm.routing.SendRelayFrame(peerNodeID, frame); err != nil {
+		slog.Debug("kx relay-copy send failed", "peer_node_id", peerNodeID, "error", err)
+	}
 }
 
 // markPendingRekey is the legacy shim for keyexchange.Manager.MarkPendingRekey.