feat: introduce 3-tier architecture with relay and exit nodes

BUILD.md

@@ -1,11 +1,12 @@
 # PSK-Proxy-Tunnel Build & Usage Guide
 
-This guide explains how to build single executable binaries and how to run the TLS-PSK tunnel with a local SOCKS5 proxy client (supporting TCP CONNECT and UDP ASSOCIATE).
+This guide explains how to build single executable binaries and how to run the TLS-PSK tunnel with a three-tier architecture: a local SOCKS5 proxy client, a relay node, and an exit node.
 
 Key changes:
-- Local proxy is now SOCKS5 (replaces the previous HTTP proxy).
-- The tunnel supports multiplexed TCP and UDP relaying.
-- Existing frame protocol extended with UDP_* frames for SOCKS5 UDP ASSOCIATE.
+- The architecture is now Client -> Relay -> Exit.
+- `proxy-server.js` is now a relay node (`psk-proxy-relay`).
+- A new `proxy-exit.js` script acts as the exit node (`psk-proxy-exit`).
+- The client connects to the relay, and the relay connects to the exit node.
 
 ## Prerequisites
 
@@ -85,89 +86,119 @@ Executables are created in `dist/`:
 
 ```
 dist/
-├── psk-proxy-server-macos
 ├── psk-proxy-client-macos
-├── psk-proxy-server-linux
+├── psk-proxy-relay-macos
+├── psk-proxy-exit-macos
 ├── psk-proxy-client-linux
-├── psk-proxy-server-windows.exe
-└── psk-proxy-client-windows.exe
+├── psk-proxy-relay-linux
+├── psk-proxy-exit-linux
+├── psk-proxy-client-windows.exe
+├── psk-proxy-relay-windows.exe
+└── psk-proxy-exit-windows.exe
 ```
 
-## Running the Server and Client
+## Running the Servers and Client
 
-The PSK (pre-shared key) file must contain a hex-encoded key string used by both sides. Example (256-bit key):
-```
-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
-```
+The PSK (pre-shared key) file must contain a hex-encoded key string used by all components.
 
-### Server (Out-Node)
+### 1. Exit Node
 
-- Listens for a single TLS-PSK tunnel connection from the client.
+- Listens for a single TLS-PSK tunnel connection from the relay.
 - Performs outbound TCP connects and UDP sends on behalf of the client.
 
 macOS/Linux:
 ```bash
-./dist/psk-proxy-server-macos \
-  --tunnel-port 8443 \
+./dist/psk-proxy-exit-macos \
+  --relay-port 9000 \
   --host 0.0.0.0 \
   --psk-file /path/to/psk.hex
 ```
 
 Windows:
 ```cmd
-.\dist\psk-proxy-server-windows.exe ^
-  --tunnel-port 8443 ^
+.\dist\psk-proxy-exit-windows.exe ^
+  --relay-port 9000 ^
   --host 0.0.0.0 ^
   --psk-file C:\path\to\psk.hex
 ```
 
 Required options:
-- `--tunnel-port <port>`: TLS-PSK tunnel port
-- `--host <host>`: Bind host (e.g., 0.0.0.0)
-- `--psk-file <path>`: File containing hex PSK
+- `--relay-port <port>`: Port for the relay to connect to.
+- `--host <host>`: Bind host (e.g., 0.0.0.0).
+- `--psk-file <path>`: File containing hex PSK.
 
-Optional:
-- `--connect-timeout <ms>`: Outbound TCP connect timeout (default 10000)
+### 2. Relay Node
 
-### Client (Local SOCKS5 Proxy)
+- Listens for the client and connects to the exit node.
+- Relays traffic between the client and the exit node.
 
-- Runs a local SOCKS5 proxy (TCP CONNECT and UDP ASSOCIATE).
-- Multiplexes many local connections over one TLS-PSK tunnel to the server.
+macOS/Linux:
+```bash
+./dist/psk-proxy-relay-macos \
+  --tunnel-port 8443 \
+  --host 0.0.0.0 \
+  --psk-file /path/to/psk.hex \
+  --exit-host exit.node.com \
+  --exit-port 9000 \
+  --exit-identity relay1
+```
+
+Windows:
+```cmd
+.\dist\psk-proxy-relay-windows.exe ^
+  --tunnel-port 8443 ^
+  --host 0.0.0.0 ^
+  --psk-file C:\path\to\psk.hex ^
+  --exit-host exit.node.com ^
+  --exit-port 9000 ^
+  --exit-identity relay1
+```
+
+Required options:
+- `--tunnel-port <port>`: Port for the client to connect to.
+- `--host <host>`: Bind host.
+- `--psk-file <path>`: File containing hex PSK.
+- `--exit-host <host>`: Exit node host.
+- `--exit-port <port>`: Exit node port.
+- `--exit-identity <id>`: Identity for the relay when connecting to the exit node.
+
+### 3. Client (Local SOCKS5 Proxy)
+
+- Runs a local SOCKS5 proxy.
+- Connects to the relay node.
 
 macOS/Linux:
 ```bash
 ./dist/psk-proxy-client-macos \
-  --server-host server.example.com \
+  --server-host relay.node.com \
   --server-port 8443 \
   --psk-file /path/to/psk.hex \
   --identity client1 \
-  --socks-port 1080 \
-  --bind-host 127.0.0.1
+  --socks-port 1080
 ```
 
 Windows:
 ```cmd
 .\dist\psk-proxy-client-windows.exe ^
-  --server-host server.example.com ^
+  --server-host relay.node.com ^
   --server-port 8443 ^
   --psk-file C:\path\to\psk.hex ^
   --identity client1 ^
-  --socks-port 1080 ^
-  --bind-host 127.0.0.1
+  --socks-port 1080
 ```
 
 Required options:
-- `--server-host <host>`: Remote out-node address
-- `--server-port <port>`: Remote out-node port
-- `--psk-file <path>`: File containing hex PSK
-- `--identity <id>`: Identity string (logged on server)
-- `--socks-port <port>`: Local SOCKS5 proxy port
+- `--server-host <host>`: Relay node address.
+- `--server-port <port>`: Relay node port.
+- `--psk-file <path>`: File containing hex PSK.
+- `--identity <id>`: Identity string (logged on relay).
+- `--socks-port <port>`: Local SOCKS5 proxy port.
 
 Optional:
-- `--bind-host <host>`: Local bind host (default `127.0.0.1`)
-- `--connect-timeout <ms>`: Waiting time for OPEN/UDP_OPEN result (default 10000)
-- `--idle-timeout <ms>`: Idle timeout for TCP sockets (default 60000, 0=disabled)
-- `--udp-idle-timeout <ms>`: Idle timeout for UDP association (default 60000, 0=disabled)
+- `--bind-host <host>`: Local bind host (default `127.0.0.1`).
+- `--connect-timeout <ms>`: Timeout for connection setup (default 10000).
+- `--idle-timeout <ms>`: Idle timeout for TCP sockets (default 60000).
+- `--udp-idle-timeout <ms>`: Idle timeout for UDP association (default 60000).
 
 ## Protocol Summary