ant_quic/

nat_traversal_api.rs

//! High-level NAT Traversal API for Autonomi P2P Networks
//!
//! This module provides a simple, high-level interface for establishing
//! QUIC connections through NATs using sophisticated hole punching and
//! coordination protocols.

use std::{
    collections::HashMap,
    fmt,
    net::SocketAddr,
    sync::Arc,
    time::Duration,
};

use tracing::{debug, info, warn};

#[cfg(feature = "production-ready")]
use std::sync::atomic::{AtomicBool, Ordering};

#[cfg(feature = "production-ready")]
use tokio::{
    net::UdpSocket,
    sync::mpsc,
    time::{sleep, timeout},
};

#[cfg(feature = "runtime-tokio")]
use crate::quinn_high_level::TokioRuntime;

use crate::{
    candidate_discovery::{CandidateDiscoveryManager, DiscoveryConfig, DiscoveryEvent},
    connection::nat_traversal::{CandidateSource, CandidateState, NatTraversalRole},
    VarInt,
};

#[cfg(feature = "production-ready")]
use crate::{
    quinn_high_level::{Endpoint as QuinnEndpoint, Connection as QuinnConnection},
    EndpointConfig,
    ServerConfig,
    ClientConfig,
    ConnectionError,
    TransportConfig,
    crypto::rustls::QuicServerConfig,
    crypto::rustls::QuicClientConfig,
};


#[cfg(feature = "production-ready")]
use crate::config::validation::{ConfigValidator, ValidationResult};

#[cfg(feature = "production-ready")]
use crate::crypto::certificate_manager::{CertificateManager, CertificateConfig};

/// High-level NAT traversal endpoint for Autonomi P2P networks
pub struct NatTraversalEndpoint {
    /// Underlying Quinn endpoint
    #[cfg(feature = "production-ready")]
    quinn_endpoint: Option<QuinnEndpoint>,
    /// Fallback internal endpoint for non-production builds
    #[cfg(not(feature = "production-ready"))]
    internal_endpoint: Endpoint,
    /// NAT traversal configuration
    config: NatTraversalConfig,
    /// Known bootstrap/coordinator nodes
    bootstrap_nodes: Arc<std::sync::RwLock<Vec<BootstrapNode>>>,
    /// Active NAT traversal sessions
    active_sessions: Arc<std::sync::RwLock<HashMap<PeerId, NatTraversalSession>>>,
    /// Candidate discovery manager
    discovery_manager: Arc<std::sync::Mutex<CandidateDiscoveryManager>>,
    /// Event callback for coordination (simplified without async channels)
    event_callback: Option<Box<dyn Fn(NatTraversalEvent) + Send + Sync>>,
    /// Shutdown flag for async operations
    #[cfg(feature = "production-ready")]
    shutdown: Arc<AtomicBool>,
    /// Channel for internal communication
    #[cfg(feature = "production-ready")]
    event_tx: Option<mpsc::UnboundedSender<NatTraversalEvent>>,
    /// Active connections by peer ID
    #[cfg(feature = "production-ready")]
    connections: Arc<std::sync::RwLock<HashMap<PeerId, QuinnConnection>>>,
    /// Local peer ID
    local_peer_id: PeerId,
}

/// Configuration for NAT traversal behavior
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct NatTraversalConfig {
    /// Role of this endpoint in the network
    pub role: EndpointRole,
    /// Bootstrap nodes for coordination and candidate discovery
    pub bootstrap_nodes: Vec<SocketAddr>,
    /// Maximum number of address candidates to maintain
    pub max_candidates: usize,
    /// Timeout for coordination rounds
    pub coordination_timeout: Duration,
    /// Enable symmetric NAT prediction algorithms
    pub enable_symmetric_nat: bool,
    /// Enable automatic relay fallback
    pub enable_relay_fallback: bool,
    /// Maximum concurrent NAT traversal attempts
    pub max_concurrent_attempts: usize,
}

/// Role of an endpoint in the Autonomi network
#[derive(Debug, Clone, Copy, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
pub enum EndpointRole {
    /// Regular client node (most common)
    Client,
    /// Server node (always reachable, can coordinate)
    Server { can_coordinate: bool },
    /// Bootstrap node (public, coordinates NAT traversal)
    Bootstrap,
}

impl EndpointRole {
    /// Get a string representation of the role for use in certificate common names
    pub fn name(&self) -> &'static str {
        match self {
            EndpointRole::Client => "client",
            EndpointRole::Server { .. } => "server",
            EndpointRole::Bootstrap => "bootstrap",
        }
    }
}

/// Unique identifier for a peer in the network
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord, serde::Serialize, serde::Deserialize)]
pub struct PeerId(pub [u8; 32]);

/// Information about a bootstrap/coordinator node
#[derive(Debug, Clone)]
pub struct BootstrapNode {
    /// Network address of the bootstrap node
    pub address: SocketAddr,
    /// Last successful contact time
    pub last_seen: std::time::Instant,
    /// Whether this node can coordinate NAT traversal
    pub can_coordinate: bool,
    /// RTT to this bootstrap node
    pub rtt: Option<Duration>,
    /// Number of successful coordinations via this node
    pub coordination_count: u32,
}

impl BootstrapNode {
    /// Create a new bootstrap node
    pub fn new(address: SocketAddr) -> Self {
        Self {
            address,
            last_seen: std::time::Instant::now(),
            can_coordinate: true,
            rtt: None,
            coordination_count: 0,
        }
    }
}

/// A candidate pair for hole punching (ICE-like)
#[derive(Debug, Clone)]
pub struct CandidatePair {
    /// Local candidate address
    pub local_candidate: CandidateAddress,
    /// Remote candidate address
    pub remote_candidate: CandidateAddress,
    /// Combined priority for this pair
    pub priority: u64,
    /// Current state of this candidate pair
    pub state: CandidatePairState,
}

/// State of a candidate pair during hole punching
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CandidatePairState {
    /// Waiting to be checked
    Waiting,
    /// Currently being checked
    InProgress,
    /// Check succeeded
    Succeeded,
    /// Check failed
    Failed,
    /// Cancelled due to higher priority success
    Cancelled,
}

/// Active NAT traversal session state
#[derive(Debug)]
struct NatTraversalSession {
    /// Target peer we're trying to connect to
    peer_id: PeerId,
    /// Coordinator being used for this session
    coordinator: SocketAddr,
    /// Current attempt number
    attempt: u32,
    /// Session start time
    started_at: std::time::Instant,
    /// Current phase of traversal
    phase: TraversalPhase,
    /// Discovered candidate addresses
    candidates: Vec<CandidateAddress>,
}

/// Phases of NAT traversal process
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum TraversalPhase {
    /// Discovering local candidates
    Discovery,
    /// Requesting coordination from bootstrap
    Coordination,
    /// Waiting for peer coordination
    Synchronization,
    /// Active hole punching
    Punching,
    /// Validating established paths
    Validation,
    /// Successfully connected
    Connected,
    /// Failed, may retry or fallback
    Failed,
}

/// Address candidate discovered during NAT traversal
#[derive(Debug, Clone)]
pub struct CandidateAddress {
    /// The candidate address
    pub address: SocketAddr,
    /// Priority for ICE-like selection
    pub priority: u32,
    /// How this candidate was discovered
    pub source: CandidateSource,
    /// Current validation state
    pub state: CandidateState,
}


/// Events generated during NAT traversal process
#[derive(Debug, Clone)]
pub enum NatTraversalEvent {
    /// New candidate address discovered
    CandidateDiscovered {
        peer_id: PeerId,
        candidate: CandidateAddress,
    },
    /// Coordination request sent to bootstrap
    CoordinationRequested {
        peer_id: PeerId,
        coordinator: SocketAddr,
    },
    /// Peer coordination synchronized
    CoordinationSynchronized {
        peer_id: PeerId,
        round_id: VarInt,
    },
    /// Hole punching started
    HolePunchingStarted {
        peer_id: PeerId,
        targets: Vec<SocketAddr>,
    },
    /// Path validated successfully
    PathValidated {
        peer_id: PeerId,
        address: SocketAddr,
        rtt: Duration,
    },
    /// Candidate validated successfully
    CandidateValidated {
        peer_id: PeerId,
        candidate_address: SocketAddr,
    },
    /// NAT traversal completed successfully
    TraversalSucceeded {
        peer_id: PeerId,
        final_address: SocketAddr,
        total_time: Duration,
    },
    /// Connection established after NAT traversal
    ConnectionEstablished {
        peer_id: PeerId,
        /// The socket address where the connection was established
        remote_address: SocketAddr,
    },
    /// NAT traversal failed
    TraversalFailed {
        peer_id: PeerId,
        error: NatTraversalError,
        fallback_available: bool,
    },
    /// Connection lost
    ConnectionLost {
        peer_id: PeerId,
        reason: String,
    },
}

/// Errors that can occur during NAT traversal
#[derive(Debug, Clone)]
pub enum NatTraversalError {
    /// No bootstrap nodes available
    NoBootstrapNodes,
    /// Failed to discover any candidates
    NoCandidatesFound,
    /// Candidate discovery failed
    CandidateDiscoveryFailed(String),
    /// Coordination with bootstrap failed
    CoordinationFailed(String),
    /// All hole punching attempts failed
    HolePunchingFailed,
    /// Connection validation timed out
    ValidationTimeout,
    /// Network error during traversal
    NetworkError(String),
    /// Configuration error
    ConfigError(String),
    /// Internal protocol error
    ProtocolError(String),
    /// NAT traversal timed out
    Timeout,
    /// Connection failed after successful traversal
    ConnectionFailed(String),
    /// General traversal failure
    TraversalFailed(String),
    /// Peer not connected
    PeerNotConnected,
}

impl Default for NatTraversalConfig {
    fn default() -> Self {
        Self {
            role: EndpointRole::Client,
            bootstrap_nodes: Vec::new(),
            max_candidates: 8,
            coordination_timeout: Duration::from_secs(10),
            enable_symmetric_nat: true,
            enable_relay_fallback: true,
            max_concurrent_attempts: 3,
        }
    }
}

#[cfg(feature = "production-ready")]
impl ConfigValidator for NatTraversalConfig {
    fn validate(&self) -> ValidationResult<()> {
        use crate::config::validation::*;
        
        // Validate role-specific requirements
        match self.role {
            EndpointRole::Client => {
                if self.bootstrap_nodes.is_empty() {
                    return Err(ConfigValidationError::InvalidRole(
                        "Client endpoints require at least one bootstrap node".to_string()
                    ));
                }
            }
            EndpointRole::Server { can_coordinate } => {
                if can_coordinate && self.bootstrap_nodes.is_empty() {
                    return Err(ConfigValidationError::InvalidRole(
                        "Server endpoints with coordination capability require bootstrap nodes".to_string()
                    ));
                }
            }
            EndpointRole::Bootstrap => {
                // Bootstrap nodes don't need other bootstrap nodes
            }
        }
        
        // Validate bootstrap nodes
        if !self.bootstrap_nodes.is_empty() {
            validate_bootstrap_nodes(&self.bootstrap_nodes)?;
        }
        
        // Validate candidate limits
        validate_range(
            self.max_candidates,
            1,
            256,
            "max_candidates"
        )?;
        
        // Validate coordination timeout
        validate_duration(
            self.coordination_timeout,
            Duration::from_millis(100),
            Duration::from_secs(300),
            "coordination_timeout"
        )?;
        
        // Validate concurrent attempts
        validate_range(
            self.max_concurrent_attempts,
            1,
            16,
            "max_concurrent_attempts"
        )?;
        
        // Validate configuration compatibility
        if self.max_concurrent_attempts > self.max_candidates {
            return Err(ConfigValidationError::IncompatibleConfiguration(
                "max_concurrent_attempts cannot exceed max_candidates".to_string()
            ));
        }
        
        if self.role == EndpointRole::Bootstrap && self.enable_relay_fallback {
            return Err(ConfigValidationError::IncompatibleConfiguration(
                "Bootstrap nodes should not enable relay fallback".to_string()
            ));
        }
        
        Ok(())
    }
}

impl NatTraversalEndpoint {
    /// Create a new NAT traversal endpoint with optional event callback
    pub async fn new(
        config: NatTraversalConfig,
        event_callback: Option<Box<dyn Fn(NatTraversalEvent) + Send + Sync>>,
    ) -> Result<Self, NatTraversalError> {
        #[cfg(feature = "production-ready")]
        {
            Self::new_impl(config, event_callback).await
        }
        #[cfg(not(feature = "production-ready"))]
        {
            // For non-production builds, we wrap the sync version in async
            Ok(Self::new_fallback(config, event_callback)?)
        }
    }
    
    /// Internal async implementation for production builds
    #[cfg(feature = "production-ready")]
    async fn new_impl(
        config: NatTraversalConfig,
        event_callback: Option<Box<dyn Fn(NatTraversalEvent) + Send + Sync>>,
    ) -> Result<Self, NatTraversalError> {
        Self::new_common(config, event_callback).await
    }
    
    /// Internal fallback implementation for non-production builds
    #[cfg(not(feature = "production-ready"))]
    fn new_fallback(
        config: NatTraversalConfig,
        event_callback: Option<Box<dyn Fn(NatTraversalEvent) + Send + Sync>>,
    ) -> Result<Self, NatTraversalError> {
        Self::new_common_sync(config, event_callback)
    }
    
    /// Common implementation for both async and sync versions
    #[cfg(feature = "production-ready")]
    async fn new_common(
        config: NatTraversalConfig,
        event_callback: Option<Box<dyn Fn(NatTraversalEvent) + Send + Sync>>,
    ) -> Result<Self, NatTraversalError> {
        // Existing implementation with async support
        Self::new_shared_logic(config, event_callback).await
    }
    
    /// Common implementation for sync versions
    #[cfg(not(feature = "production-ready"))]
    fn new_common_sync(
        config: NatTraversalConfig,
        event_callback: Option<Box<dyn Fn(NatTraversalEvent) + Send + Sync>>,
    ) -> Result<Self, NatTraversalError> {
        // Existing implementation without async support
        Self::new_shared_logic_sync(config, event_callback)
    }
    
    /// Shared logic for endpoint creation (async version)
    #[cfg(feature = "production-ready")]
    async fn new_shared_logic(
        config: NatTraversalConfig,
        event_callback: Option<Box<dyn Fn(NatTraversalEvent) + Send + Sync>>,
    ) -> Result<Self, NatTraversalError> {
        // Validate configuration using production-ready validation
        #[cfg(feature = "production-ready")]
        {
            config.validate()
                .map_err(|e| NatTraversalError::ConfigError(e.to_string()))?;
        }
        
        // Fallback validation for non-production builds
        #[cfg(not(feature = "production-ready"))]
        {
            if config.bootstrap_nodes.is_empty() && config.role != EndpointRole::Bootstrap {
                return Err(NatTraversalError::ConfigError(
                    "At least one bootstrap node required for non-bootstrap endpoints".to_string(),
                ));
            }
        }

        // Initialize bootstrap nodes
        let bootstrap_nodes = Arc::new(std::sync::RwLock::new(
            config
                .bootstrap_nodes
                .iter()
                .map(|&address| BootstrapNode {
                    address,
                    last_seen: std::time::Instant::now(),
                    can_coordinate: true, // Assume true initially
                    rtt: None,
                    coordination_count: 0,
                })
                .collect(),
        ));

        // Create candidate discovery manager
        let discovery_config = DiscoveryConfig {
            total_timeout: config.coordination_timeout,
            max_candidates: config.max_candidates,
            enable_symmetric_prediction: config.enable_symmetric_nat,
            ..DiscoveryConfig::default()
        };

        let nat_traversal_role = match config.role {
            EndpointRole::Client => NatTraversalRole::Client,
            EndpointRole::Server { can_coordinate } => NatTraversalRole::Server { can_relay: can_coordinate },
            EndpointRole::Bootstrap => NatTraversalRole::Bootstrap,
        };

        let discovery_manager = Arc::new(std::sync::Mutex::new(
            CandidateDiscoveryManager::new(discovery_config, nat_traversal_role)
        ));

        // Create QUIC endpoint with NAT traversal enabled
        // Create QUIC endpoint with NAT traversal enabled
        let (quinn_endpoint, event_tx) = Self::create_quinn_endpoint(&config, nat_traversal_role).await?;

        Ok(Self {
            quinn_endpoint: Some(quinn_endpoint),
            config,
            bootstrap_nodes,
            active_sessions: Arc::new(std::sync::RwLock::new(HashMap::new())),
            discovery_manager,
            event_callback,
            shutdown: Arc::new(AtomicBool::new(false)),
            event_tx: Some(event_tx),
            connections: Arc::new(std::sync::RwLock::new(HashMap::new())),
            local_peer_id: Self::generate_local_peer_id(),
        })
    }
    
    /// Shared logic for endpoint creation (sync version)
    #[cfg(not(feature = "production-ready"))]
    fn new_shared_logic_sync(
        config: NatTraversalConfig,
        event_callback: Option<Box<dyn Fn(NatTraversalEvent) + Send + Sync>>,
    ) -> Result<Self, NatTraversalError> {
        // Validate configuration using production-ready validation
        config.validate()
            .map_err(|e| NatTraversalError::ConfigError(e.to_string()))?;
        
        // Initialize bootstrap nodes
        let bootstrap_nodes = Arc::new(std::sync::RwLock::new(
            config
                .bootstrap_nodes
                .iter()
                .map(|&address| BootstrapNode {
                    address,
                    last_seen: std::time::Instant::now(),
                    can_coordinate: true,
                    rtt: None,
                    coordination_count: 0,
                })
                .collect(),
        ));
        
        // Create candidate discovery manager
        let discovery_config = DiscoveryConfig {
            total_timeout: config.coordination_timeout,
            max_candidates: config.max_candidates,
            enable_symmetric_prediction: config.enable_symmetric_nat,
            ..DiscoveryConfig::default()
        };
        
        let nat_traversal_role = match config.role {
            EndpointRole::Client => NatTraversalRole::Client,
            EndpointRole::Server { can_coordinate } => NatTraversalRole::Server { can_relay: can_coordinate },
            EndpointRole::Bootstrap => NatTraversalRole::Bootstrap,
        };
        
        let discovery_manager = Arc::new(std::sync::Mutex::new(
            CandidateDiscoveryManager::new(discovery_config, nat_traversal_role)
        ));
        
        // Create fallback endpoint
        let internal_endpoint = Self::create_fallback_endpoint(&config, nat_traversal_role)?;
        
        Ok(Self {
            internal_endpoint,
            config,
            bootstrap_nodes,
            active_sessions: Arc::new(std::sync::RwLock::new(HashMap::new())),
            discovery_manager,
            event_callback,
            local_peer_id: Self::generate_local_peer_id(),
        })
    }

    /// Initiate NAT traversal to a peer (returns immediately, progress via events)
    pub fn initiate_nat_traversal(
        &self,
        peer_id: PeerId,
        coordinator: SocketAddr,
    ) -> Result<(), NatTraversalError> {
        info!("Starting NAT traversal to peer {:?} via coordinator {}", peer_id, coordinator);

        // Create new session
        let session = NatTraversalSession {
            peer_id,
            coordinator,
            attempt: 1,
            started_at: std::time::Instant::now(),
            phase: TraversalPhase::Discovery,
            candidates: Vec::new(),
        };

        // Store session
        {
            let mut sessions = self.active_sessions.write()
                .map_err(|_| NatTraversalError::ProtocolError("Lock poisoned".to_string()))?;
            sessions.insert(peer_id, session);
        }

        // Start candidate discovery
        let bootstrap_nodes_vec = {
            let bootstrap_nodes = self.bootstrap_nodes.read()
                .map_err(|_| NatTraversalError::ProtocolError("Lock poisoned".to_string()))?;
            bootstrap_nodes.clone()
        };

        {
            let mut discovery = self.discovery_manager.lock()
                .map_err(|_| NatTraversalError::ProtocolError("Discovery manager lock poisoned".to_string()))?;
            
            discovery.start_discovery(peer_id, bootstrap_nodes_vec)
                .map_err(|e| NatTraversalError::CandidateDiscoveryFailed(e.to_string()))?;
        }

        // Emit event
        if let Some(ref callback) = self.event_callback {
            callback(NatTraversalEvent::CoordinationRequested {
                peer_id,
                coordinator,
            });
        }

        // NAT traversal will proceed via poll() calls and state machine updates
        Ok(())
    }

    /// Get current NAT traversal statistics
    pub fn get_statistics(&self) -> Result<NatTraversalStatistics, NatTraversalError> {
        let sessions = self.active_sessions.read()
            .map_err(|_| NatTraversalError::ProtocolError("Lock poisoned".to_string()))?;
        let bootstrap_nodes = self.bootstrap_nodes.read()
            .map_err(|_| NatTraversalError::ProtocolError("Lock poisoned".to_string()))?;

        Ok(NatTraversalStatistics {
            active_sessions: sessions.len(),
            total_bootstrap_nodes: bootstrap_nodes.len(),
            successful_coordinations: bootstrap_nodes.iter().map(|b| b.coordination_count).sum(),
            average_coordination_time: Duration::from_millis(500), // TODO: Calculate real average
        })
    }

    /// Add a new bootstrap node
    pub fn add_bootstrap_node(&self, address: SocketAddr) -> Result<(), NatTraversalError> {
        let mut bootstrap_nodes = self.bootstrap_nodes.write()
            .map_err(|_| NatTraversalError::ProtocolError("Lock poisoned".to_string()))?;
        
        // Check if already exists
        if !bootstrap_nodes.iter().any(|b| b.address == address) {
            bootstrap_nodes.push(BootstrapNode {
                address,
                last_seen: std::time::Instant::now(),
                can_coordinate: true,
                rtt: None,
                coordination_count: 0,
            });
            info!("Added bootstrap node: {}", address);
        }
        Ok(())
    }

    /// Remove a bootstrap node
    pub fn remove_bootstrap_node(&self, address: SocketAddr) -> Result<(), NatTraversalError> {
        let mut bootstrap_nodes = self.bootstrap_nodes.write()
            .map_err(|_| NatTraversalError::ProtocolError("Lock poisoned".to_string()))?;
        bootstrap_nodes.retain(|b| b.address != address);
        info!("Removed bootstrap node: {}", address);
        Ok(())
    }

    // Private implementation methods

    /// Create a Quinn endpoint with NAT traversal configured (async version)
    #[cfg(feature = "production-ready")]
    async fn create_quinn_endpoint(
        config: &NatTraversalConfig,
        _nat_role: NatTraversalRole,
    ) -> Result<(QuinnEndpoint, mpsc::UnboundedSender<NatTraversalEvent>), NatTraversalError> {
        use std::sync::Arc;
        
        // Create server config if this is a coordinator/bootstrap node
        let server_config = match config.role {
            EndpointRole::Bootstrap | EndpointRole::Server { .. } => {
                // Production certificate management
                let cert_config = CertificateConfig {
                    common_name: format!("ant-quic-{}", config.role.name()),
                    subject_alt_names: vec![
                        "localhost".to_string(),
                        "ant-quic-node".to_string(),
                    ],
                    self_signed: true, // Use self-signed for P2P networks
                    ..CertificateConfig::default()
                };
                
                let cert_manager = CertificateManager::new(cert_config)
                    .map_err(|e| NatTraversalError::ConfigError(format!("Certificate manager creation failed: {}", e)))?;
                
                let cert_bundle = cert_manager.generate_certificate()
                    .map_err(|e| NatTraversalError::ConfigError(format!("Certificate generation failed: {}", e)))?;
                
                let rustls_config = cert_manager.create_server_config(&cert_bundle)
                    .map_err(|e| NatTraversalError::ConfigError(format!("Server config creation failed: {}", e)))?;
                
                let server_crypto = QuicServerConfig::try_from(rustls_config.as_ref().clone())
                    .map_err(|e| NatTraversalError::ConfigError(e.to_string()))?;
                
                let mut server_config = ServerConfig::with_crypto(Arc::new(server_crypto));
                
                // Configure transport parameters for NAT traversal
                let mut transport_config = TransportConfig::default();
                transport_config.keep_alive_interval(Some(Duration::from_secs(5)));
                transport_config.max_idle_timeout(Some(crate::VarInt::from_u32(30000).into()));
                
                // Enable NAT traversal in transport parameters
                let nat_config = crate::transport_parameters::NatTraversalConfig {
                    role: match config.role {
                        EndpointRole::Bootstrap => crate::transport_parameters::NatTraversalRole::Bootstrap,
                        EndpointRole::Server { can_coordinate } => crate::transport_parameters::NatTraversalRole::Server { can_relay: can_coordinate },
                        EndpointRole::Client => crate::transport_parameters::NatTraversalRole::Client,
                    },
                    max_candidates: VarInt::from_u32(config.max_candidates as u32),
                    coordination_timeout: VarInt::from_u64(config.coordination_timeout.as_millis() as u64).unwrap(),
                    max_concurrent_attempts: VarInt::from_u32(config.max_concurrent_attempts as u32),
                    peer_id: None, // Will be set per connection
                };
                transport_config.nat_traversal_config(Some(nat_config));
                
                server_config.transport_config(Arc::new(transport_config));
                
                Some(server_config)
            }
            _ => None,
        };
        
        // Create client config for outgoing connections
        let client_config = {
            let cert_config = CertificateConfig {
                common_name: format!("ant-quic-{}", config.role.name()),
                subject_alt_names: vec![
                    "localhost".to_string(),
                    "ant-quic-node".to_string(),
                ],
                self_signed: true,
                ..CertificateConfig::default()
            };
            
            let cert_manager = CertificateManager::new(cert_config)
                .map_err(|e| NatTraversalError::ConfigError(format!("Certificate manager creation failed: {}", e)))?;
            
            let _cert_bundle = cert_manager.generate_certificate()
                .map_err(|e| NatTraversalError::ConfigError(format!("Certificate generation failed: {}", e)))?;
            
            let rustls_config = cert_manager.create_client_config()
                .map_err(|e| NatTraversalError::ConfigError(format!("Client config creation failed: {}", e)))?;
            
            let client_crypto = QuicClientConfig::try_from(rustls_config.as_ref().clone())
                .map_err(|e| NatTraversalError::ConfigError(e.to_string()))?;
            
            let mut client_config = ClientConfig::new(Arc::new(client_crypto));
            
            // Configure transport parameters for NAT traversal
            let mut transport_config = TransportConfig::default();
            transport_config.keep_alive_interval(Some(Duration::from_secs(5)));
            transport_config.max_idle_timeout(Some(crate::VarInt::from_u32(30000).into()));
            
            // Enable NAT traversal in transport parameters
            let nat_config = crate::transport_parameters::NatTraversalConfig {
                role: match config.role {
                    EndpointRole::Bootstrap => crate::transport_parameters::NatTraversalRole::Bootstrap,
                    EndpointRole::Server { can_coordinate } => crate::transport_parameters::NatTraversalRole::Server { can_relay: can_coordinate },
                    EndpointRole::Client => crate::transport_parameters::NatTraversalRole::Client,
                },
                max_candidates: VarInt::from_u32(config.max_candidates as u32),
                coordination_timeout: VarInt::from_u64(config.coordination_timeout.as_millis() as u64).unwrap(),
                max_concurrent_attempts: VarInt::from_u32(config.max_concurrent_attempts as u32),
                peer_id: None, // Will be set per connection
            };
            transport_config.nat_traversal_config(Some(nat_config));
            
            client_config.transport_config(Arc::new(transport_config));
            
            client_config
        };
        
        // Create UDP socket
        let socket = UdpSocket::bind("0.0.0.0:0").await
            .map_err(|e| NatTraversalError::NetworkError(format!("Failed to bind UDP socket: {}", e)))?;
        
        // Convert tokio socket to std socket
        let std_socket = socket.into_std()
            .map_err(|e| NatTraversalError::NetworkError(format!("Failed to convert socket: {}", e)))?;
        
        // Create Quinn endpoint
        let mut endpoint = QuinnEndpoint::new(
            EndpointConfig::default(),
            server_config,
            std_socket,
            Arc::new(TokioRuntime),
        ).map_err(|e| NatTraversalError::ConfigError(format!("Failed to create Quinn endpoint: {}", e)))?;
        
        // Set default client config
        endpoint.set_default_client_config(client_config);
        
        // Create event channel
        let (event_tx, _event_rx) = mpsc::unbounded_channel();
        
        Ok((endpoint, event_tx))
    }
    
    /// Create a fallback endpoint for non-production builds
    #[cfg(not(feature = "production-ready"))]
    fn create_fallback_endpoint(
        config: &NatTraversalConfig,
        nat_role: NatTraversalRole,
    ) -> Result<Endpoint, NatTraversalError> {
        use crate::{
            EndpointConfig, TransportConfig,
            transport_parameters::NatTraversalConfig as TPNatConfig,
            transport_parameters::NatTraversalRole as TPRole,
        };
        
        #[cfg(any(feature = "rustls-aws-lc-rs", feature = "rustls-ring"))]
        use crate::crypto::rustls::QuicServerConfig;
        
        // Configure transport with NAT traversal
        let mut transport_config = TransportConfig::default();
        
        // Convert role for transport parameters
        let tp_role = match nat_role {
            NatTraversalRole::Client => TPRole::Client,
            NatTraversalRole::Server { can_relay } => TPRole::Server { can_relay },
            NatTraversalRole::Bootstrap => TPRole::Bootstrap,
        };
        
        // Enable NAT traversal in transport parameters
        transport_config.nat_traversal_config = Some(TPNatConfig {
            role: tp_role,
            max_candidates: VarInt::from_u32(config.max_candidates as u32),
            coordination_timeout: VarInt::from_u32(config.coordination_timeout.as_millis() as u32),
            max_concurrent_attempts: VarInt::from_u32(config.max_concurrent_attempts as u32),
            peer_id: None, // Will be set dynamically when peer ID is determined
        });
        
        // Create endpoint configuration
        let endpoint_config = Arc::new(EndpointConfig::default());
        
        // Create server config if this is a coordinator/bootstrap node
        let server_config = match config.role {
            EndpointRole::Bootstrap | EndpointRole::Server { .. } => {
                #[cfg(feature = "production-ready")]
                {
                    // Production certificate management
                    let cert_config = CertificateConfig {
                        common_name: format!("ant-quic-{}", config.role.name()),
                        subject_alt_names: vec![
                            "localhost".to_string(),
                            "ant-quic-node".to_string(),
                        ],
                        self_signed: true, // Use self-signed for P2P networks
                        ..CertificateConfig::default()
                    };
                    
                    let cert_manager = CertificateManager::new(cert_config)
                        .map_err(|e| NatTraversalError::ConfigError(format!("Certificate manager creation failed: {}", e)))?;
                    
                    let _cert_bundle = cert_manager.generate_certificate()
                        .map_err(|e| NatTraversalError::ConfigError(format!("Certificate generation failed: {}", e)))?;
                    
                    #[cfg(any(feature = "rustls-aws-lc-rs", feature = "rustls-ring"))]
                    {
                        let rustls_config = cert_manager.create_server_config(&cert_bundle)
                            .map_err(|e| NatTraversalError::ConfigError(format!("Server config creation failed: {}", e)))?;
                        
                        let server_config = QuicServerConfig::try_from(rustls_config.as_ref().clone())
                            .map_err(|e| NatTraversalError::ConfigError(e.to_string()))?;
                        
                        Some(Arc::new(crate::ServerConfig::with_crypto(Arc::new(server_config))))
                    }
                    #[cfg(not(any(feature = "rustls-aws-lc-rs", feature = "rustls-ring")))]
                    {
                        None
                    }
                }
                #[cfg(not(feature = "production-ready"))]
                {
                    // Fallback to dummy certificates for development
                    let cert = rustls::pki_types::CertificateDer::from(vec![0; 32]);
                    let key = rustls::pki_types::PrivateKeyDer::try_from(vec![0; 32]).ok();
                    
                    if let Some(key) = key {
                        #[cfg(any(feature = "rustls-aws-lc-rs", feature = "rustls-ring"))]
                        {
                            let server_config = QuicServerConfig::try_from(
                                rustls::ServerConfig::builder()
                                    .with_no_client_auth()
                                    .with_single_cert(vec![cert], key)
                                    .map_err(|e| NatTraversalError::ConfigError(e.to_string()))?
                            ).map_err(|e| NatTraversalError::ConfigError(e.to_string()))?;
                            
                            Some(Arc::new(crate::ServerConfig::with_crypto(Arc::new(server_config))))
                        }
                        #[cfg(not(any(feature = "rustls-aws-lc-rs", feature = "rustls-ring")))]
                        {
                            None
                        }
                    } else {
                        None
                    }
                }
            }
            _ => None,
        };
        
        // Create the endpoint
        let endpoint = Endpoint::new(
            endpoint_config,
            server_config,
            true, // allow_mtud
            None, // rng_seed
        );
        
        // NOTE: Client configuration would need to be set when connecting to peers
        // The Endpoint doesn't have a set_default_client_config method
        
        Ok(endpoint)
    }
    
    /// Start listening for incoming connections (async version)
    #[cfg(feature = "production-ready")]
    pub async fn start_listening(&self, bind_addr: SocketAddr) -> Result<(), NatTraversalError> {
        let endpoint = self.quinn_endpoint.as_ref()
            .ok_or_else(|| NatTraversalError::ConfigError("Quinn endpoint not initialized".to_string()))?;
        
        // Rebind the endpoint to the specified address
        let _socket = UdpSocket::bind(bind_addr).await
            .map_err(|e| NatTraversalError::NetworkError(format!("Failed to bind to {}: {}", bind_addr, e)))?;
        
        info!("Started listening on {}", bind_addr);
        
        // Start accepting connections in a background task
        let endpoint_clone = endpoint.clone();
        let shutdown_clone = self.shutdown.clone();
        let event_tx = self.event_tx.as_ref().unwrap().clone();
        
        tokio::spawn(async move {
            Self::accept_connections(endpoint_clone, shutdown_clone, event_tx).await;
        });
        
        Ok(())
    }
    
    /// Accept incoming connections
    #[cfg(feature = "production-ready")]
    async fn accept_connections(
        endpoint: QuinnEndpoint,
        shutdown: Arc<AtomicBool>,
        event_tx: mpsc::UnboundedSender<NatTraversalEvent>,
    ) {
        while !shutdown.load(Ordering::Relaxed) {
            match endpoint.accept().await {
                Some(connecting) => {
                    let event_tx = event_tx.clone();
                    tokio::spawn(async move {
                        match connecting.await {
                            Ok(connection) => {
                                info!("Accepted connection from {}", connection.remote_address());
                                
                                // Generate peer ID from connection address
                                let peer_id = Self::generate_peer_id_from_address(connection.remote_address());
                                
                                let _ = event_tx.send(NatTraversalEvent::ConnectionEstablished {
                                    peer_id,
                                    remote_address: connection.remote_address(),
                                });
                                
                                // Handle connection streams
                                Self::handle_connection(connection, event_tx).await;
                            }
                            Err(e) => {
                                debug!("Connection failed: {}", e);
                            }
                        }
                    });
                }
                None => {
                    // Endpoint closed
                    break;
                }
            }
        }
    }
    
    /// Handle an established connection
    #[cfg(feature = "production-ready")]
    async fn handle_connection(
        _connection: QuinnConnection,
        _event_tx: mpsc::UnboundedSender<NatTraversalEvent>,
    ) {
        // TODO: This function needs to be rewritten to work with low-level Quinn API
        // The high-level accept_bi() and accept_uni() methods are not available
        
        /* Original code that uses high-level API:
        let peer_id = Self::generate_peer_id_from_address(connection.remote_address());
        let remote_address = connection.remote_address();
        
        debug!("Handling connection from peer {:?} at {}", peer_id, remote_address);
        // Handle bidirectional and unidirectional streams
        loop {
            tokio::select! {
                stream = connection.accept_bi() => {
                    match stream {
                        Ok((send, recv)) => {
                            tokio::spawn(async move {
                                Self::handle_bi_stream(send, recv).await;
                            });
                        }
                        Err(e) => {
                            debug!("Error accepting bidirectional stream: {}", e);
                            let _ = event_tx.send(NatTraversalEvent::ConnectionLost {
                                peer_id,
                                reason: format!("Stream error: {}", e),
                            });
                            break;
                        }
                    }
                }
                stream = connection.accept_uni() => {
                    match stream {
                        Ok(recv) => {
                            tokio::spawn(async move {
                                Self::handle_uni_stream(recv).await;
                            });
                        }
                        Err(e) => {
                            debug!("Error accepting unidirectional stream: {}", e);
                            let _ = event_tx.send(NatTraversalEvent::ConnectionLost {
                                peer_id,
                                reason: format!("Stream error: {}", e),
                            });
                            break;
                        }
                    }
                }
            }
        }
        */
    }
    
    /// Handle a bidirectional stream
    #[cfg(feature = "production-ready")]
    async fn handle_bi_stream(
        _send: crate::quinn_high_level::SendStream,
        _recv: crate::quinn_high_level::RecvStream,
    ) {
        // TODO: This function needs to be rewritten to work with low-level Quinn API
        // The high-level read() and write_all() methods are not available
        
        /* Original code that uses high-level API:
        let mut buffer = vec![0u8; 1024];
        
        loop {
            match recv.read(&mut buffer).await {
                Ok(Some(size)) => {
                    debug!("Received {} bytes on bidirectional stream", size);
                    
                    // Echo back the data for now
                    if let Err(e) = send.write_all(&buffer[..size]).await {
                        debug!("Failed to write to stream: {}", e);
                        break;
                    }
                }
                Ok(None) => {
                    debug!("Bidirectional stream closed by peer");
                    break;
                }
                Err(e) => {
                    debug!("Error reading from bidirectional stream: {}", e);
                    break;
                }
            }
        }
        */
    }
    
    /// Handle a unidirectional stream
    #[cfg(feature = "production-ready")]
    async fn handle_uni_stream(mut recv: crate::quinn_high_level::RecvStream) {
        let mut buffer = vec![0u8; 1024];
        
        loop {
            match recv.read(&mut buffer).await {
                Ok(Some(size)) => {
                    debug!("Received {} bytes on unidirectional stream", size);
                    // Process the data
                }
                Ok(None) => {
                    debug!("Unidirectional stream closed by peer");
                    break;
                }
                Err(e) => {
                    debug!("Error reading from unidirectional stream: {}", e);
                    break;
                }
            }
        }
    }
    
    /// Connect to a peer using NAT traversal
    #[cfg(feature = "production-ready")]
    pub async fn connect_to_peer(
        &self,
        peer_id: PeerId,
        server_name: &str,
        remote_addr: SocketAddr,
    ) -> Result<QuinnConnection, NatTraversalError> {
        let endpoint = self.quinn_endpoint.as_ref()
            .ok_or_else(|| NatTraversalError::ConfigError("Quinn endpoint not initialized".to_string()))?;
        
        info!("Connecting to peer {:?} at {}", peer_id, remote_addr);
        
        // Attempt connection with timeout
        let connecting = endpoint.connect(remote_addr, server_name)
            .map_err(|e| NatTraversalError::ConnectionFailed(format!("Failed to initiate connection: {}", e)))?;
        
        let connection = timeout(Duration::from_secs(10), connecting)
            .await
            .map_err(|_| NatTraversalError::Timeout)?
            .map_err(|e| NatTraversalError::ConnectionFailed(format!("Connection failed: {}", e)))?;
        
        info!("Successfully connected to peer {:?} at {}", peer_id, remote_addr);
        
        // Send event notification
        if let Some(ref event_tx) = self.event_tx {
            let _ = event_tx.send(NatTraversalEvent::ConnectionEstablished {
                peer_id,
                remote_address: remote_addr,
            });
        }
        
        Ok(connection)
    }
    
    /// Accept incoming connections on the endpoint
    #[cfg(feature = "production-ready")]
    pub async fn accept_connection(&self) -> Result<(PeerId, QuinnConnection), NatTraversalError> {
        let endpoint = self.quinn_endpoint.as_ref()
            .ok_or_else(|| NatTraversalError::ConfigError("Quinn endpoint not initialized".to_string()))?;
        
        // Accept incoming connection
        let incoming = endpoint.accept().await
            .ok_or_else(|| NatTraversalError::NetworkError("Endpoint closed".to_string()))?;
        
        let remote_addr = incoming.remote_address();
        info!("Accepting connection from {}", remote_addr);
        
        // Accept the connection
        let connection = incoming.await
            .map_err(|e| NatTraversalError::ConnectionFailed(format!("Failed to accept connection: {}", e)))?;
        
        // Generate or extract peer ID from connection
        let peer_id = self.extract_peer_id_from_connection(&connection).await
            .unwrap_or_else(|| Self::generate_peer_id_from_address(remote_addr));
        
        // Store the connection
        {
            let mut connections = self.connections.write()
                .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;
            connections.insert(peer_id, connection.clone());
        }
        
        info!("Connection accepted from peer {:?} at {}", peer_id, remote_addr);
        
        // Send event notification
        if let Some(ref event_tx) = self.event_tx {
            let _ = event_tx.send(NatTraversalEvent::ConnectionEstablished {
                peer_id,
                remote_address: remote_addr,
            });
        }
        
        Ok((peer_id, connection))
    }
    
    /// Get the local peer ID
    pub fn local_peer_id(&self) -> PeerId {
        self.local_peer_id
    }
    
    /// Get an active connection by peer ID
    #[cfg(feature = "production-ready")]
    pub fn get_connection(&self, peer_id: &PeerId) -> Result<Option<QuinnConnection>, NatTraversalError> {
        let connections = self.connections.read()
            .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;
        Ok(connections.get(peer_id).cloned())
    }
    
    /// Accept incoming connections on the endpoint (stub for non-production builds)
    #[cfg(not(feature = "production-ready"))]
    pub async fn accept_connection(&self) -> Result<(PeerId, crate::quinn_high_level::Connection), NatTraversalError> {
        Err(NatTraversalError::ConfigError("accept_connection requires production-ready feature".to_string()))
    }
    
    /// Get an active connection by peer ID (stub for non-production builds)
    #[cfg(not(feature = "production-ready"))]
    pub fn get_connection(&self, _peer_id: &PeerId) -> Result<Option<crate::quinn_high_level::Connection>, NatTraversalError> {
        Err(NatTraversalError::ConfigError("get_connection requires production-ready feature".to_string()))
    }
    
    /// Remove a connection by peer ID
    #[cfg(feature = "production-ready")]
    pub fn remove_connection(&self, peer_id: &PeerId) -> Result<Option<QuinnConnection>, NatTraversalError> {
        let mut connections = self.connections.write()
            .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;
        Ok(connections.remove(peer_id))
    }
    
    /// List all active connections
    #[cfg(feature = "production-ready")]
    pub fn list_connections(&self) -> Result<Vec<(PeerId, SocketAddr)>, NatTraversalError> {
        let connections = self.connections.read()
            .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;
        let mut result = Vec::new();
        for (peer_id, connection) in connections.iter() {
            result.push((*peer_id, connection.remote_address()));
        }
        Ok(result)
    }
    
    /// Handle incoming data from a connection
    #[cfg(feature = "production-ready")]
    pub async fn handle_connection_data(
        &self,
        peer_id: PeerId,
        connection: &QuinnConnection,
    ) -> Result<(), NatTraversalError> {
        info!("Handling connection data from peer {:?}", peer_id);
        
        // Spawn task to handle bidirectional streams
        let connection_clone = connection.clone();
        let peer_id_clone = peer_id;
        tokio::spawn(async move {
            loop {
                match connection_clone.accept_bi().await {
                    Ok((send, recv)) => {
                        debug!("Accepted bidirectional stream from peer {:?}", peer_id_clone);
                        tokio::spawn(Self::handle_bi_stream(send, recv));
                    }
                    Err(ConnectionError::ApplicationClosed(_)) => {
                        debug!("Connection closed by peer {:?}", peer_id_clone);
                        break;
                    }
                    Err(e) => {
                        debug!("Error accepting bidirectional stream from peer {:?}: {}", peer_id_clone, e);
                        break;
                    }
                }
            }
        });
        
        // Spawn task to handle unidirectional streams
        let connection_clone = connection.clone();
        let peer_id_clone = peer_id;
        tokio::spawn(async move {
            loop {
                match connection_clone.accept_uni().await {
                    Ok(recv) => {
                        debug!("Accepted unidirectional stream from peer {:?}", peer_id_clone);
                        tokio::spawn(Self::handle_uni_stream(recv));
                    }
                    Err(ConnectionError::ApplicationClosed(_)) => {
                        debug!("Connection closed by peer {:?}", peer_id_clone);
                        break;
                    }
                    Err(e) => {
                        debug!("Error accepting unidirectional stream from peer {:?}: {}", peer_id_clone, e);
                        break;
                    }
                }
            }
        });
        
        Ok(())
    }
    
    /// Generate a local peer ID
    fn generate_local_peer_id() -> PeerId {
        use std::time::SystemTime;
        use std::collections::hash_map::DefaultHasher;
        use std::hash::{Hash, Hasher};
        
        let mut hasher = DefaultHasher::new();
        SystemTime::now().hash(&mut hasher);
        std::process::id().hash(&mut hasher);
        
        let hash = hasher.finish();
        let mut peer_id = [0u8; 32];
        peer_id[0..8].copy_from_slice(&hash.to_be_bytes());
        
        // Add some randomness
        for i in 8..32 {
            peer_id[i] = rand::random();
        }
        
        PeerId(peer_id)
    }
    
    /// Generate a peer ID from a socket address
    /// 
    /// WARNING: This is a fallback method that should only be used when
    /// we cannot extract the peer's actual ID from their Ed25519 public key.
    /// This generates a non-persistent ID that will change on each connection.
    fn generate_peer_id_from_address(addr: SocketAddr) -> PeerId {
        use std::collections::hash_map::DefaultHasher;
        use std::hash::{Hash, Hasher};
        
        let mut hasher = DefaultHasher::new();
        addr.hash(&mut hasher);
        
        let hash = hasher.finish();
        let mut peer_id = [0u8; 32];
        peer_id[0..8].copy_from_slice(&hash.to_be_bytes());
        
        // Add some randomness to avoid collisions
        // NOTE: This makes the peer ID non-persistent across connections
        for i in 8..32 {
            peer_id[i] = rand::random();
        }
        
        warn!("Generated temporary peer ID from address {}. This ID is not persistent!", addr);
        PeerId(peer_id)
    }
    
    /// Extract peer ID from connection by deriving it from the peer's public key
    #[cfg(feature = "production-ready")]
    async fn extract_peer_id_from_connection(&self, connection: &QuinnConnection) -> Option<PeerId> {
        // Get the peer's identity from the TLS handshake
        if let Some(identity) = connection.peer_identity() {
            // Check if we have an Ed25519 public key from raw public key authentication
            if let Some(public_key_bytes) = identity.downcast_ref::<[u8; 32]>() {
                // Derive peer ID from the public key
                match crate::derive_peer_id_from_key_bytes(public_key_bytes) {
                    Ok(peer_id) => {
                        debug!("Derived peer ID from Ed25519 public key");
                        return Some(peer_id);
                    }
                    Err(e) => {
                        warn!("Failed to derive peer ID from public key: {}", e);
                    }
                }
            }
            // TODO: Handle X.509 certificate case if needed
        }
        
        None
    }
    
    /// Shutdown the endpoint
    #[cfg(feature = "production-ready")]
    pub async fn shutdown(&self) -> Result<(), NatTraversalError> {
        // Set shutdown flag
        self.shutdown.store(true, Ordering::Relaxed);
        
        // Close all active connections
        {
            let mut connections = self.connections.write()
                .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;
            for (peer_id, connection) in connections.drain() {
                info!("Closing connection to peer {:?}", peer_id);
                connection.close(crate::VarInt::from_u32(0), b"Shutdown");
            }
        }
        
        // Wait for connection to be closed
        if let Some(ref endpoint) = self.quinn_endpoint {
            endpoint.wait_idle().await;
        }
        
        info!("NAT traversal endpoint shutdown completed");
        Ok(())
    }

    /// Discover address candidates for a peer
    #[cfg(feature = "production-ready")]
    pub async fn discover_candidates(&self, peer_id: PeerId) -> Result<Vec<CandidateAddress>, NatTraversalError> {
        debug!("Discovering address candidates for peer {:?}", peer_id);
        
        let mut candidates = Vec::new();
        
        // Get bootstrap nodes
        let bootstrap_nodes = {
            let nodes = self.bootstrap_nodes.read()
                .map_err(|_| NatTraversalError::ProtocolError("Lock poisoned".to_string()))?;
            nodes.clone()
        };
        
        // Start discovery process
        {
            let mut discovery = self.discovery_manager.lock()
                .map_err(|_| NatTraversalError::ProtocolError("Discovery manager lock poisoned".to_string()))?;
            
            discovery.start_discovery(peer_id, bootstrap_nodes)
                .map_err(|e| NatTraversalError::CandidateDiscoveryFailed(e.to_string()))?;
        }
        
        // Poll for discovery results with timeout
        let timeout_duration = self.config.coordination_timeout;
        let start_time = std::time::Instant::now();
        
        while start_time.elapsed() < timeout_duration {
            let discovery_events = {
                let mut discovery = self.discovery_manager.lock()
                    .map_err(|_| NatTraversalError::ProtocolError("Discovery manager lock poisoned".to_string()))?;
                discovery.poll(std::time::Instant::now())
            };
            
            for event in discovery_events {
                match event {
                    DiscoveryEvent::LocalCandidateDiscovered { candidate } => {
                        candidates.push(candidate.clone());
                        
                        // Send ADD_ADDRESS frame to advertise this candidate to the peer
                        self.send_candidate_advertisement(peer_id, &candidate).await
                            .unwrap_or_else(|e| debug!("Failed to send candidate advertisement: {}", e));
                    }
                    DiscoveryEvent::ServerReflexiveCandidateDiscovered { candidate, .. } => {
                        candidates.push(candidate.clone());
                        
                        // Send ADD_ADDRESS frame to advertise this candidate to the peer
                        self.send_candidate_advertisement(peer_id, &candidate).await
                            .unwrap_or_else(|e| debug!("Failed to send candidate advertisement: {}", e));
                    }
                    DiscoveryEvent::PredictedCandidateGenerated { candidate, .. } => {
                        candidates.push(candidate.clone());
                        
                        // Send ADD_ADDRESS frame to advertise this candidate to the peer
                        self.send_candidate_advertisement(peer_id, &candidate).await
                            .unwrap_or_else(|e| debug!("Failed to send candidate advertisement: {}", e));
                    }
                    DiscoveryEvent::DiscoveryCompleted { .. } => {
                        // Discovery complete, return candidates
                        return Ok(candidates);
                    }
                    DiscoveryEvent::DiscoveryFailed { error, partial_results } => {
                        // Use partial results if available
                        candidates.extend(partial_results);
                        if candidates.is_empty() {
                            return Err(NatTraversalError::CandidateDiscoveryFailed(error.to_string()));
                        }
                        return Ok(candidates);
                    }
                    _ => {}
                }
            }
            
            // Brief delay before next poll
            sleep(Duration::from_millis(10)).await;
        }
        
        if candidates.is_empty() {
            Err(NatTraversalError::NoCandidatesFound)
        } else {
            Ok(candidates)
        }
    }
    
    /// Fallback candidate discovery for non-production builds
    #[cfg(not(feature = "production-ready"))]
    fn discover_candidates(&self, peer_id: PeerId) -> Result<Vec<CandidateAddress>, NatTraversalError> {
        debug!("Discovering address candidates for peer {:?}", peer_id);
        
        let mut candidates = Vec::new();
        
        // Get bootstrap nodes
        let bootstrap_nodes = {
            let nodes = self.bootstrap_nodes.read()
                .map_err(|_| NatTraversalError::ProtocolError("Lock poisoned".to_string()))?;
            nodes.clone()
        };
        
        // Start discovery process using the discovery manager
        {
            let mut discovery = self.discovery_manager.lock()
                .map_err(|_| NatTraversalError::ProtocolError("Discovery manager lock poisoned".to_string()))?;
            
            discovery.start_discovery(peer_id, bootstrap_nodes)
                .map_err(|e| NatTraversalError::CandidateDiscoveryFailed(e.to_string()))?;
        }
        
        // Poll for discovery results with timeout
        let timeout_duration = self.config.coordination_timeout;
        let start_time = std::time::Instant::now();
        
        while start_time.elapsed() < timeout_duration {
            let discovery_events = {
                let mut discovery = self.discovery_manager.lock()
                    .map_err(|_| NatTraversalError::ProtocolError("Discovery manager lock poisoned".to_string()))?;
                discovery.poll(std::time::Instant::now())
            };
            
            for event in discovery_events {
                match event {
                    DiscoveryEvent::LocalCandidateDiscovered { candidate } => {
                        candidates.push(candidate.clone());
                        debug!("Discovered local candidate: {}", candidate.address);
                    }
                    DiscoveryEvent::ServerReflexiveCandidateDiscovered { candidate, .. } => {
                        candidates.push(candidate.clone());
                        debug!("Discovered server-reflexive candidate: {}", candidate.address);
                    }
                    DiscoveryEvent::PredictedCandidateGenerated { candidate, .. } => {
                        candidates.push(candidate.clone());
                        debug!("Generated predicted candidate: {}", candidate.address);
                    }
                    DiscoveryEvent::DiscoveryCompleted { .. } => {
                        info!("Candidate discovery completed for peer {:?}, found {} candidates", 
                              peer_id, candidates.len());
                        return Ok(candidates);
                    }
                    DiscoveryEvent::DiscoveryFailed { error, partial_results } => {
                        warn!("Candidate discovery failed for peer {:?}: {}", peer_id, error);
                        candidates.extend(partial_results);
                        if candidates.is_empty() {
                            return Err(NatTraversalError::CandidateDiscoveryFailed(error.to_string()));
                        }
                        return Ok(candidates);
                    }
                    _ => {}
                }
            }
            
            // Brief delay before next poll
            std::thread::sleep(Duration::from_millis(10));
        }
        
        if candidates.is_empty() {
            Err(NatTraversalError::NoCandidatesFound)
        } else {
            info!("Candidate discovery timed out for peer {:?}, returning {} partial candidates", 
                  peer_id, candidates.len());
            Ok(candidates)
        }
    }

    #[cfg(feature = "production-ready")]
    async fn coordinate_with_bootstrap_async(
        &self,
        peer_id: PeerId,
        coordinator: SocketAddr,
    ) -> Result<(), NatTraversalError> {
        debug!("Coordinating with bootstrap {} for peer {:?}", coordinator, peer_id);
        
        let endpoint = self.quinn_endpoint.as_ref()
            .ok_or_else(|| NatTraversalError::ConfigError("Quinn endpoint not initialized".to_string()))?;
        
        // Connect to coordinator bootstrap node
        let server_name = "bootstrap-coordinator";
        let connecting = endpoint.connect(coordinator, server_name)
            .map_err(|e| NatTraversalError::ConnectionFailed(format!("Failed to connect to coordinator: {}", e)))?;
        
        let connection = tokio::time::timeout(Duration::from_secs(5), connecting)
            .await
            .map_err(|_| NatTraversalError::Timeout)?
            .map_err(|e| NatTraversalError::ConnectionFailed(format!("Coordinator connection failed: {}", e)))?;
        
        // Send coordination request
        let mut send_stream = connection.open_uni()
            .await
            .map_err(|e| NatTraversalError::NetworkError(format!("Failed to open stream: {}", e)))?;
        
        // Create PUNCH_ME_NOW message (NAT traversal extension frame)
        let coordination_msg = self.create_punch_me_now_frame(peer_id)?;
        
        send_stream.write_all(&coordination_msg)
            .await
            .map_err(|e| NatTraversalError::NetworkError(format!("Failed to send coordination: {}", e)))?;
        
        send_stream.finish();
        // Note: finish() is not async in Quinn, it returns Result immediately
        
        info!("Coordination request sent to bootstrap {} for peer {:?}", coordinator, peer_id);
        
        // In a complete implementation, we would wait for coordination confirmation
        // For now, we assume coordination succeeds
        
        Ok(())
    }
    
    /// Fallback coordination for non-production builds
    #[cfg(not(feature = "production-ready"))]
    fn coordinate_with_bootstrap(
        &self,
        peer_id: PeerId,
        coordinator: SocketAddr,
    ) -> Result<(), NatTraversalError> {
        debug!("Coordinating with bootstrap {} for peer {:?}", coordinator, peer_id);
        
        #[cfg(feature = "production-ready")]
        {
            let endpoint = self.quinn_endpoint.as_ref()
                .ok_or_else(|| NatTraversalError::ConfigError("Quinn endpoint not initialized".to_string()))?;
            
            // Connect to coordinator bootstrap node
            let server_name = format!("bootstrap-{}", coordinator.ip());
            let connection = endpoint.connect(coordinator, &server_name)
                .map_err(|e| NatTraversalError::CoordinationFailed(format!("Failed to connect to bootstrap: {}", e)))?;
            
            // Wait for connection to be established (with timeout)
            let connection = match timeout(Duration::from_secs(5), connection).await {
                Ok(Ok(conn)) => conn,
                Ok(Err(e)) => return Err(NatTraversalError::CoordinationFailed(format!("Connection failed: {}", e))),
                Err(_) => return Err(NatTraversalError::CoordinationFailed("Connection timeout".to_string())),
            };
            
            // Open a bidirectional stream for coordination
            let (mut send_stream, _recv_stream) = connection.open_bi().await
                .map_err(|e| NatTraversalError::CoordinationFailed(format!("Failed to open stream: {}", e)))?;
            
            // Send coordination request (simplified protocol)
            let coordination_request = format!("COORDINATE_NAT_TRAVERSAL peer_id={:?}", peer_id);
            send_stream.write_all(coordination_request.as_bytes()).await
                .map_err(|e| NatTraversalError::CoordinationFailed(format!("Failed to send request: {}", e)))?;
            
            send_stream.finish();
            // Note: finish() is not async in Quinn, it returns Result immediately
            
            info!("Coordination request sent to bootstrap {} for peer {:?}", coordinator, peer_id);
        }
        
        #[cfg(not(feature = "production-ready"))]
        {
            // Fallback coordination for non-production builds
            info!("Coordinating with bootstrap {} for peer {:?} (fallback mode)", coordinator, peer_id);
            
            // In fallback mode, we simulate the coordination but still try to validate connectivity
            debug!("Validating bootstrap connectivity to {}", coordinator);
            
            // Simple connectivity check (this could be enhanced with actual UDP probes)
            if coordinator.port() == 0 {
                return Err(NatTraversalError::CoordinationFailed("Invalid bootstrap address".to_string()));
            }
            
            info!("Bootstrap coordination completed for peer {:?}", peer_id);
        }
        
        Ok(())
    }
    
    /// Create PUNCH_ME_NOW extension frame for NAT traversal coordination
    fn create_punch_me_now_frame(&self, peer_id: PeerId) -> Result<Vec<u8>, NatTraversalError> {
        // PUNCH_ME_NOW frame format (IETF QUIC NAT Traversal draft):
        // Frame Type: 0x41 (PUNCH_ME_NOW)
        // Length: Variable
        // Peer ID: 32 bytes
        // Timestamp: 8 bytes
        // Coordination Token: 16 bytes
        
        let mut frame = Vec::new();
        
        // Frame type
        frame.push(0x41);
        
        // Peer ID (32 bytes)
        frame.extend_from_slice(&peer_id.0);
        
        // Timestamp (8 bytes, current time as milliseconds since epoch)
        let timestamp = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap_or_default()
            .as_millis() as u64;
        frame.extend_from_slice(&timestamp.to_be_bytes());
        
        // Coordination token (16 random bytes for this session)
        let mut token = [0u8; 16];
        for byte in &mut token {
            *byte = rand::random();
        }
        frame.extend_from_slice(&token);
        
        Ok(frame)
    }

    fn attempt_hole_punching(&self, peer_id: PeerId) -> Result<(), NatTraversalError> {
        debug!("Attempting hole punching for peer {:?}", peer_id);
        
        // Get candidate pairs for this peer
        let candidate_pairs = self.get_candidate_pairs_for_peer(peer_id)?;
        
        if candidate_pairs.is_empty() {
            return Err(NatTraversalError::NoCandidatesFound);
        }
        
        info!("Generated {} candidate pairs for hole punching with peer {:?}", 
              candidate_pairs.len(), peer_id);
        
        // Attempt hole punching with each candidate pair
        #[cfg(feature = "production-ready")]
        {
            self.attempt_quinn_hole_punching(peer_id, candidate_pairs)
        }
        
        #[cfg(not(feature = "production-ready"))]
        {
            self.simulate_hole_punching(peer_id, candidate_pairs)
        }
    }
    
    /// Generate candidate pairs for hole punching based on ICE-like algorithm
    fn get_candidate_pairs_for_peer(&self, peer_id: PeerId) -> Result<Vec<CandidatePair>, NatTraversalError> {
        // Get discovered candidates from the discovery manager
        let discovery_candidates = {
            let discovery = self.discovery_manager.lock()
                .map_err(|_| NatTraversalError::ProtocolError("Discovery manager lock poisoned".to_string()))?;
            
            discovery.get_candidates_for_peer(peer_id)
        };
        
        if discovery_candidates.is_empty() {
            return Err(NatTraversalError::NoCandidatesFound);
        }
        
        // Create candidate pairs with priorities (ICE-like pairing)
        let mut candidate_pairs = Vec::new();
        let local_candidates = discovery_candidates.iter()
            .filter(|c| matches!(c.source, CandidateSource::Local))
            .collect::<Vec<_>>();
        let remote_candidates = discovery_candidates.iter()
            .filter(|c| !matches!(c.source, CandidateSource::Local))
            .collect::<Vec<_>>();
        
        // Pair each local candidate with each remote candidate
        for local in &local_candidates {
            for remote in &remote_candidates {
                let pair_priority = self.calculate_candidate_pair_priority(local, remote);
                candidate_pairs.push(CandidatePair {
                    local_candidate: (*local).clone(),
                    remote_candidate: (*remote).clone(),
                    priority: pair_priority,
                    state: CandidatePairState::Waiting,
                });
            }
        }
        
        // Sort by priority (highest first)
        candidate_pairs.sort_by(|a, b| b.priority.cmp(&a.priority));
        
        // Limit to reasonable number for initial attempts
        candidate_pairs.truncate(8);
        
        Ok(candidate_pairs)
    }
    
    /// Calculate candidate pair priority using ICE algorithm
    fn calculate_candidate_pair_priority(&self, local: &CandidateAddress, remote: &CandidateAddress) -> u64 {
        // ICE candidate pair priority formula: min(G,D) * 2^32 + max(G,D) * 2 + (G>D ? 1 : 0)
        // Where G is controlling agent priority, D is controlled agent priority
        
        let local_type_preference = match local.source {
            CandidateSource::Local => 126,
            CandidateSource::Observed { .. } => 100,
            CandidateSource::Predicted => 75,
            CandidateSource::Peer => 50,
        };
        
        let remote_type_preference = match remote.source {
            CandidateSource::Local => 126,
            CandidateSource::Observed { .. } => 100,
            CandidateSource::Predicted => 75,
            CandidateSource::Peer => 50,
        };
        
        // Simplified priority calculation
        let local_priority = (local_type_preference as u64) << 8 | local.priority as u64;
        let remote_priority = (remote_type_preference as u64) << 8 | remote.priority as u64;
        
        let min_priority = local_priority.min(remote_priority);
        let max_priority = local_priority.max(remote_priority);
        
        (min_priority << 32) | (max_priority << 1) | if local_priority > remote_priority { 1 } else { 0 }
    }
    
    /// Real Quinn-based hole punching implementation
    #[cfg(feature = "production-ready")]
    fn attempt_quinn_hole_punching(&self, peer_id: PeerId, candidate_pairs: Vec<CandidatePair>) -> Result<(), NatTraversalError> {
        
        let _endpoint = self.quinn_endpoint.as_ref()
            .ok_or_else(|| NatTraversalError::ConfigError("Quinn endpoint not initialized".to_string()))?;
        
        for pair in candidate_pairs {
            debug!("Attempting hole punch with candidate pair: {} -> {}", 
                   pair.local_candidate.address, pair.remote_candidate.address);
            
            // Create PATH_CHALLENGE frame data (8 random bytes)
            let mut challenge_data = [0u8; 8];
            for byte in &mut challenge_data {
                *byte = rand::random();
            }
            
            // Create a raw UDP socket bound to the local candidate address
            let local_socket = std::net::UdpSocket::bind(pair.local_candidate.address)
                .map_err(|e| NatTraversalError::NetworkError(format!("Failed to bind to local candidate: {}", e)))?;
            
            // Craft a minimal QUIC packet with PATH_CHALLENGE frame
            let path_challenge_packet = self.create_path_challenge_packet(challenge_data)?;
            
            // Send the packet to the remote candidate address
            match local_socket.send_to(&path_challenge_packet, pair.remote_candidate.address) {
                Ok(bytes_sent) => {
                    debug!("Sent {} bytes for hole punch from {} to {}", 
                           bytes_sent, pair.local_candidate.address, pair.remote_candidate.address);
                    
                    // Set a short timeout for response
                    local_socket.set_read_timeout(Some(Duration::from_millis(100)))
                        .map_err(|e| NatTraversalError::NetworkError(format!("Failed to set timeout: {}", e)))?;
                    
                    // Try to receive a response
                    let mut response_buffer = [0u8; 1024];
                    match local_socket.recv_from(&mut response_buffer) {
                        Ok((_bytes_received, response_addr)) => {
                            if response_addr == pair.remote_candidate.address {
                                info!("Hole punch succeeded for peer {:?}: {} <-> {}", 
                                      peer_id, pair.local_candidate.address, pair.remote_candidate.address);
                                
                                // Store successful candidate pair for connection establishment
                                self.store_successful_candidate_pair(peer_id, pair)?;
                                return Ok(());
                            } else {
                                debug!("Received response from unexpected address: {}", response_addr);
                            }
                        }
                        Err(e) if e.kind() == std::io::ErrorKind::WouldBlock || e.kind() == std::io::ErrorKind::TimedOut => {
                            debug!("No response received for hole punch attempt");
                        }
                        Err(e) => {
                            debug!("Error receiving hole punch response: {}", e);
                        }
                    }
                }
                Err(e) => {
                    debug!("Failed to send hole punch packet: {}", e);
                }
            }
        }
        
        // If we get here, all hole punch attempts failed
        Err(NatTraversalError::HolePunchingFailed)
    }

    /// Create a minimal QUIC packet with PATH_CHALLENGE frame for hole punching
    fn create_path_challenge_packet(&self, challenge_data: [u8; 8]) -> Result<Vec<u8>, NatTraversalError> {
        // Create a minimal QUIC packet structure
        // This is a simplified implementation - in production, you'd use proper QUIC packet construction
        let mut packet = Vec::new();
        
        // QUIC packet header (simplified)
        packet.push(0x40); // Short header, fixed bit set
        packet.extend_from_slice(&[0, 0, 0, 1]); // Connection ID (simplified)
        
        // PATH_CHALLENGE frame
        packet.push(0x1a); // PATH_CHALLENGE frame type
        packet.extend_from_slice(&challenge_data); // 8-byte challenge data
        
        Ok(packet)
    }

    /// Store successful candidate pair for later connection establishment
    fn store_successful_candidate_pair(&self, peer_id: PeerId, pair: CandidatePair) -> Result<(), NatTraversalError> {
        debug!("Storing successful candidate pair for peer {:?}: {} <-> {}", 
               peer_id, pair.local_candidate.address, pair.remote_candidate.address);
        
        // In a complete implementation, this would store the successful pair
        // for use in establishing the actual QUIC connection
        // For now, we'll emit an event to notify the application
        
        if let Some(ref callback) = self.event_callback {
            callback(NatTraversalEvent::PathValidated {
                peer_id,
                address: pair.remote_candidate.address,
                rtt: Duration::from_millis(50), // Estimated RTT
            });
            
            callback(NatTraversalEvent::TraversalSucceeded {
                peer_id,
                final_address: pair.remote_candidate.address,
                total_time: Duration::from_secs(1), // Estimated total time
            });
        }
        
        Ok(())
    }
    

    
    /// Fallback simulation for non-production builds
    #[cfg(not(feature = "production-ready"))]
    fn simulate_hole_punching(&self, peer_id: PeerId, candidate_pairs: Vec<CandidatePair>) -> Result<(), NatTraversalError> {
        debug!("Attempting hole punching for peer {:?} with {} candidate pairs", 
               peer_id, candidate_pairs.len());
        
        // Try to establish connection with highest priority candidate
        if let Some(best_pair) = candidate_pairs.first() {
            info!("Attempting hole punch for peer {:?} using {}", 
                  peer_id, best_pair.remote_candidate.address);
            
            // In non-production mode, we still try to make a real connection attempt
            // but with simplified logic
            match self.attempt_connection_to_candidate(peer_id, &best_pair.remote_candidate) {
                Ok(_) => {
                    info!("Hole punch succeeded for peer {:?} using {}", 
                          peer_id, best_pair.remote_candidate.address);
                    return Ok(());
                }
                Err(e) => {
                    debug!("Hole punch failed for peer {:?}: {}", peer_id, e);
                }
            }
        }
        
        Err(NatTraversalError::HolePunchingFailed)
    }

    /// Attempt connection to a specific candidate address
    fn attempt_connection_to_candidate(
        &self,
        peer_id: PeerId,
        candidate: &CandidateAddress,
    ) -> Result<(), NatTraversalError> {
        #[cfg(feature = "production-ready")]
        {
            let _endpoint = self.quinn_endpoint.as_ref()
                .ok_or_else(|| NatTraversalError::ConfigError("Quinn endpoint not initialized".to_string()))?;
            
            // Create server name for the connection
            let _server_name = format!("peer-{:x}", peer_id.0[0] as u32);
            
            // Attempt connection (this would be async in real implementation)
            debug!("Attempting Quinn connection to candidate {} for peer {:?}", 
                   candidate.address, peer_id);
            
            // For now, we'll initiate the connection and return success
            // In a full async implementation, this would be handled differently
            info!("Connection attempt initiated to {} for peer {:?}", 
                  candidate.address, peer_id);
            
            Ok(())
        }
        #[cfg(not(feature = "production-ready"))]
        {
            // Fallback: attempt basic connectivity check
            debug!("Checking connectivity to candidate {} for peer {:?}", 
                   candidate.address, peer_id);
            
            // In a real implementation, this might do a basic UDP probe
            // For now, we'll assume success for valid addresses
            if candidate.address.port() > 0 {
                info!("Connectivity check passed for candidate {} (peer {:?})", 
                      candidate.address, peer_id);
                Ok(())
            } else {
                Err(NatTraversalError::NetworkError("Invalid candidate address".to_string()))
            }
        }
    }

    /// Poll for NAT traversal progress and state machine updates
    pub fn poll(&self, now: std::time::Instant) -> Result<Vec<NatTraversalEvent>, NatTraversalError> {
        let mut events = Vec::new();
        
        // Poll candidate discovery manager
        {
            let mut discovery = self.discovery_manager.lock()
                .map_err(|_| NatTraversalError::ProtocolError("Discovery manager lock poisoned".to_string()))?;
            
            let discovery_events = discovery.poll(now);
            
            // Convert discovery events to NAT traversal events
            for discovery_event in discovery_events {
                if let Some(nat_event) = self.convert_discovery_event(discovery_event) {
                    events.push(nat_event.clone());
                    
                    // Emit via callback
                    if let Some(ref callback) = self.event_callback {
                        callback(nat_event);
                    }
                }
            }
        }
        
        // Check active sessions for timeouts and state updates
        let mut sessions = self.active_sessions.write()
            .map_err(|_| NatTraversalError::ProtocolError("Lock poisoned".to_string()))?;
        
        for (_peer_id, session) in sessions.iter_mut() {
            // TODO: Implement session state machine polling
            // 1. Check timeouts
            // 2. Advance state machine
            // 3. Generate events
            let _elapsed = now.duration_since(session.started_at);
        }
        
        Ok(events)
    }

    /// Convert discovery events to NAT traversal events with proper peer ID resolution
    fn convert_discovery_event(&self, discovery_event: DiscoveryEvent) -> Option<NatTraversalEvent> {
        // Get the current active peer ID from sessions
        let current_peer_id = self.get_current_discovery_peer_id();
        
        match discovery_event {
            DiscoveryEvent::LocalCandidateDiscovered { candidate } => {
                Some(NatTraversalEvent::CandidateDiscovered {
                    peer_id: current_peer_id,
                    candidate,
                })
            },
            DiscoveryEvent::ServerReflexiveCandidateDiscovered { candidate, bootstrap_node: _ } => {
                Some(NatTraversalEvent::CandidateDiscovered {
                    peer_id: current_peer_id,
                    candidate,
                })
            },
            DiscoveryEvent::PredictedCandidateGenerated { candidate, confidence: _ } => {
                Some(NatTraversalEvent::CandidateDiscovered {
                    peer_id: current_peer_id,
                    candidate,
                })
            },
            DiscoveryEvent::DiscoveryCompleted { candidate_count: _, total_duration: _, success_rate: _ } => {
                // This could trigger the coordination phase
                None // For now, don't emit specific event
            },
            DiscoveryEvent::DiscoveryFailed { error, partial_results } => {
                Some(NatTraversalEvent::TraversalFailed {
                    peer_id: current_peer_id,
                    error: NatTraversalError::CandidateDiscoveryFailed(error.to_string()),
                    fallback_available: !partial_results.is_empty(),
                })
            },
            _ => None, // Other events don't need to be converted
        }
    }

    /// Get the peer ID for the current discovery session
    fn get_current_discovery_peer_id(&self) -> PeerId {
        // Try to get the peer ID from the most recent active session
        if let Ok(sessions) = self.active_sessions.read() {
            if let Some((peer_id, _session)) = sessions.iter()
                .filter(|(_, s)| matches!(s.phase, TraversalPhase::Discovery))
                .next() {
                return *peer_id;
            }
            
            // If no discovery phase session, get any active session
            if let Some((peer_id, _)) = sessions.iter().next() {
                return *peer_id;
            }
        }
        
        // Fallback: generate a deterministic peer ID based on local endpoint
        self.local_peer_id
    }
    
    /// Handle endpoint events from connection-level NAT traversal state machine
    #[cfg(feature = "production-ready")]
    pub(crate) async fn handle_endpoint_event(&self, event: crate::shared::EndpointEventInner) -> Result<(), NatTraversalError> {
        match event {
            crate::shared::EndpointEventInner::NatCandidateValidated { address, challenge } => {
                info!("NAT candidate validation succeeded for {} with challenge {:016x}", address, challenge);
                
                // Update the active session with validated candidate
                let mut sessions = self.active_sessions.write()
                    .map_err(|_| NatTraversalError::ProtocolError("Sessions lock poisoned".to_string()))?;
                
                // Find the session that had this candidate
                for (peer_id, session) in sessions.iter_mut() {
                    if session.candidates.iter().any(|c| c.address == address) {
                        // Update session phase to indicate successful validation
                        session.phase = TraversalPhase::Connected;
                        
                        // Trigger event callback
                        if let Some(ref callback) = self.event_callback {
                            callback(NatTraversalEvent::CandidateValidated {
                                peer_id: *peer_id,
                                candidate_address: address,
                            });
                        }
                        
                        // Attempt to establish connection using this validated candidate
                        return self.establish_connection_to_validated_candidate(*peer_id, address).await;
                    }
                }
                
                debug!("Validated candidate {} not found in active sessions", address);
                Ok(())
            }
            
            crate::shared::EndpointEventInner::RelayPunchMeNow(target_peer_id, punch_frame) => {
                info!("Relaying PUNCH_ME_NOW to peer {:?}", target_peer_id);
                
                // Convert target_peer_id to PeerId
                let target_peer = PeerId(target_peer_id);
                
                // Find the connection to the target peer and send the coordination frame
                let connections = self.connections.read()
                    .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;
                
                if let Some(connection) = connections.get(&target_peer) {
                    // Send the PUNCH_ME_NOW frame via a unidirectional stream
                    let mut send_stream = connection.open_uni().await
                        .map_err(|e| NatTraversalError::NetworkError(format!("Failed to open stream: {}", e)))?;
                    
                    // Encode the frame data
                    let mut frame_data = Vec::new();
                    punch_frame.encode(&mut frame_data);
                    
                    send_stream.write_all(&frame_data).await
                        .map_err(|e| NatTraversalError::NetworkError(format!("Failed to send frame: {}", e)))?;
                    
                    send_stream.finish();
                    
                    debug!("Successfully relayed PUNCH_ME_NOW frame to peer {:?}", target_peer);
                    Ok(())
                } else {
                    warn!("No connection found for target peer {:?}", target_peer);
                    Err(NatTraversalError::PeerNotConnected)
                }
            }
            
            crate::shared::EndpointEventInner::SendAddressFrame(add_address_frame) => {
                info!("Sending AddAddress frame for address {}", add_address_frame.address);
                
                // Find all active connections and send the AddAddress frame
                let connections = self.connections.read()
                    .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;
                
                for (peer_id, connection) in connections.iter() {
                    // Send AddAddress frame via unidirectional stream
                    let mut send_stream = connection.open_uni().await
                        .map_err(|e| NatTraversalError::NetworkError(format!("Failed to open stream: {}", e)))?;
                    
                    // Encode the frame data
                    let mut frame_data = Vec::new();
                    add_address_frame.encode(&mut frame_data);
                    
                    send_stream.write_all(&frame_data).await
                        .map_err(|e| NatTraversalError::NetworkError(format!("Failed to send frame: {}", e)))?;
                    
                    send_stream.finish();
                    
                    debug!("Sent AddAddress frame to peer {:?}", peer_id);
                }
                
                Ok(())
            }
            
            _ => {
                // Other endpoint events not related to NAT traversal
                debug!("Ignoring non-NAT traversal endpoint event: {:?}", event);
                Ok(())
            }
        }
    }
    
    /// Establish connection to a validated candidate address
    #[cfg(feature = "production-ready")]
    async fn establish_connection_to_validated_candidate(
        &self,
        peer_id: PeerId,
        candidate_address: SocketAddr,
    ) -> Result<(), NatTraversalError> {
        info!("Establishing connection to validated candidate {} for peer {:?}", candidate_address, peer_id);
        
        let endpoint = self.quinn_endpoint.as_ref()
            .ok_or_else(|| NatTraversalError::ConfigError("Quinn endpoint not initialized".to_string()))?;
        
        // Attempt connection to the validated address
        let connecting = endpoint.connect(candidate_address, "nat-traversal-peer")
            .map_err(|e| NatTraversalError::ConnectionFailed(format!("Failed to initiate connection: {}", e)))?;
        
        let connection = timeout(Duration::from_secs(10), connecting)
            .await
            .map_err(|_| NatTraversalError::Timeout)?
            .map_err(|e| NatTraversalError::ConnectionFailed(format!("Connection failed: {}", e)))?;
        
        // Store the established connection
        {
            let mut connections = self.connections.write()
                .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;
            connections.insert(peer_id, connection.clone());
        }
        
        // Update session state to completed
        {
            let mut sessions = self.active_sessions.write()
                .map_err(|_| NatTraversalError::ProtocolError("Sessions lock poisoned".to_string()))?;
            if let Some(session) = sessions.get_mut(&peer_id) {
                session.phase = TraversalPhase::Connected;
            }
        }
        
        // Trigger success callback
        if let Some(ref callback) = self.event_callback {
            callback(NatTraversalEvent::ConnectionEstablished {
                peer_id,
                remote_address: candidate_address,
            });
        }
        
        info!("Successfully established connection to peer {:?} at {}", peer_id, candidate_address);
        Ok(())
    }

    /// Send ADD_ADDRESS frame to advertise a candidate to a peer
    ///
    /// This is the bridge between candidate discovery and actual frame transmission.
    /// It finds the connection to the peer and sends an ADD_ADDRESS frame using
    /// the Quinn extension frame API.
    #[cfg(feature = "production-ready")]
    async fn send_candidate_advertisement(
        &self,
        peer_id: PeerId,
        candidate: &CandidateAddress,
    ) -> Result<(), NatTraversalError> {
        debug!("Sending candidate advertisement to peer {:?}: {}", peer_id, candidate.address);

        // Find the connection to this peer
        let connections = self.connections.read()
            .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;

        if let Some(_connection) = connections.get(&peer_id) {
            // Send ADD_ADDRESS frame using the ant-quic Connection's NAT traversal method
            debug!("Found connection to peer {:?}, sending ADD_ADDRESS frame", peer_id);
            
            // Extract connection to get a mutable reference
            // Since we're using the ant-quic Connection directly, we can call the NAT traversal methods
            drop(connections); // Release the read lock
            
            // Get a mutable reference to the connection to send the frame
            let connections = self.connections.write()
                .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;
            
            if let Some(connection) = connections.get(&peer_id) {
                // Send ADD_ADDRESS frame using Quinn's datagram API
                // Frame format: [0x40][sequence][address][priority]
                let mut frame_data = Vec::new();
                frame_data.push(0x40); // ADD_ADDRESS frame type
                
                // Encode sequence number (varint)
                let sequence = candidate.priority as u64; // Use priority as sequence for now
                frame_data.extend_from_slice(&sequence.to_be_bytes());
                
                // Encode address
                match candidate.address {
                    SocketAddr::V4(addr) => {
                        frame_data.push(4); // IPv4 indicator
                        frame_data.extend_from_slice(&addr.ip().octets());
                        frame_data.extend_from_slice(&addr.port().to_be_bytes());
                    }
                    SocketAddr::V6(addr) => {
                        frame_data.push(6); // IPv6 indicator
                        frame_data.extend_from_slice(&addr.ip().octets());
                        frame_data.extend_from_slice(&addr.port().to_be_bytes());
                    }
                }
                
                // Encode priority
                frame_data.extend_from_slice(&candidate.priority.to_be_bytes());
                
                // Send as datagram
                match connection.send_datagram(frame_data.into()) {
                    Ok(()) => {
                        info!("Sent ADD_ADDRESS frame to peer {:?}: addr={}, priority={}", 
                              peer_id, candidate.address, candidate.priority);
                        Ok(())
                    }
                    Err(e) => {
                        warn!("Failed to send ADD_ADDRESS frame to peer {:?}: {}", peer_id, e);
                        Err(NatTraversalError::ProtocolError(format!("Failed to send ADD_ADDRESS frame: {}", e)))
                    }
                }
            } else {
                // Connection disappeared between read and write lock
                debug!("Connection to peer {:?} disappeared during frame sending", peer_id);
                Ok(())
            }
        } else {
            // No connection to this peer yet - this is normal during discovery
            debug!("No connection found for peer {:?} - candidate will be sent when connection is established", peer_id);
            Ok(())
        }
    }

    /// Send PUNCH_ME_NOW frame to coordinate hole punching
    ///
    /// This method sends hole punching coordination frames using the real
    /// Quinn extension frame API instead of application-level streams.
    #[cfg(feature = "production-ready")]
    async fn send_punch_coordination(
        &self,
        peer_id: PeerId,
        target_sequence: u64,
        local_address: SocketAddr,
        round: u32,
    ) -> Result<(), NatTraversalError> {
        debug!("Sending punch coordination to peer {:?}: seq={}, addr={}, round={}", 
               peer_id, target_sequence, local_address, round);

        let connections = self.connections.read()
            .map_err(|_| NatTraversalError::ProtocolError("Connections lock poisoned".to_string()))?;

        if let Some(connection) = connections.get(&peer_id) {
            // Send PUNCH_ME_NOW frame using Quinn's datagram API
            // Frame format: [0x41][round][target_sequence][address]
            let mut frame_data = Vec::new();
            frame_data.push(0x41); // PUNCH_ME_NOW frame type
            
            // Encode round number
            frame_data.extend_from_slice(&round.to_be_bytes());
            
            // Encode target sequence
            frame_data.extend_from_slice(&target_sequence.to_be_bytes());
            
            // Encode local address
            match local_address {
                SocketAddr::V4(addr) => {
                    frame_data.push(4); // IPv4 indicator
                    frame_data.extend_from_slice(&addr.ip().octets());
                    frame_data.extend_from_slice(&addr.port().to_be_bytes());
                }
                SocketAddr::V6(addr) => {
                    frame_data.push(6); // IPv6 indicator
                    frame_data.extend_from_slice(&addr.ip().octets());
                    frame_data.extend_from_slice(&addr.port().to_be_bytes());
                }
            }
            
            // Send as datagram
            match connection.send_datagram(frame_data.into()) {
                Ok(()) => {
                    info!("Sent PUNCH_ME_NOW frame to peer {:?}: target_seq={}, local_addr={}, round={}", 
                          peer_id, target_sequence, local_address, round);
                    Ok(())
                }
                Err(e) => {
                    warn!("Failed to send PUNCH_ME_NOW frame to peer {:?}: {}", peer_id, e);
                    Err(NatTraversalError::ProtocolError(format!("Failed to send PUNCH_ME_NOW frame: {}", e)))
                }
            }
        } else {
            Err(NatTraversalError::PeerNotConnected)
        }
    }
}

impl fmt::Debug for NatTraversalEndpoint {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("NatTraversalEndpoint")
            .field("config", &self.config)
            .field("bootstrap_nodes", &"<RwLock>")
            .field("active_sessions", &"<RwLock>")
            .field("event_callback", &self.event_callback.is_some())
            .finish()
    }
}

/// Statistics about NAT traversal performance
#[derive(Debug, Clone)]
pub struct NatTraversalStatistics {
    /// Number of active NAT traversal sessions
    pub active_sessions: usize,
    /// Total number of known bootstrap nodes
    pub total_bootstrap_nodes: usize,
    /// Total successful coordinations
    pub successful_coordinations: u32,
    /// Average time for coordination
    pub average_coordination_time: Duration,
}

impl fmt::Display for NatTraversalError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::NoBootstrapNodes => write!(f, "no bootstrap nodes available"),
            Self::NoCandidatesFound => write!(f, "no address candidates found"),
            Self::CandidateDiscoveryFailed(msg) => write!(f, "candidate discovery failed: {}", msg),
            Self::CoordinationFailed(msg) => write!(f, "coordination failed: {}", msg),
            Self::HolePunchingFailed => write!(f, "hole punching failed"),
            Self::ValidationTimeout => write!(f, "validation timeout"),
            Self::NetworkError(msg) => write!(f, "network error: {}", msg),
            Self::ConfigError(msg) => write!(f, "configuration error: {}", msg),
            Self::ProtocolError(msg) => write!(f, "protocol error: {}", msg),
            Self::Timeout => write!(f, "operation timed out"),
            Self::ConnectionFailed(msg) => write!(f, "connection failed: {}", msg),
            Self::TraversalFailed(msg) => write!(f, "traversal failed: {}", msg),
            Self::PeerNotConnected => write!(f, "peer not connected"),
        }
    }
}

impl std::error::Error for NatTraversalError {}

impl fmt::Display for PeerId {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Display first 8 bytes as hex (16 characters)
        for byte in &self.0[..8] {
            write!(f, "{:02x}", byte)?;
        }
        Ok(())
    }
}

impl From<[u8; 32]> for PeerId {
    fn from(bytes: [u8; 32]) -> Self {
        Self(bytes)
    }
}

/// Dummy certificate verifier that accepts any certificate
/// WARNING: This is only for testing/demo purposes - use proper verification in production!
#[derive(Debug)]
struct SkipServerVerification;

impl SkipServerVerification {
    #[allow(dead_code)]
    fn new() -> Arc<Self> {
        Arc::new(Self)
    }
}

impl rustls::client::danger::ServerCertVerifier for SkipServerVerification {
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::pki_types::CertificateDer<'_>,
        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
        _server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
        _now: rustls::pki_types::UnixTime,
    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::danger::ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }

    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }

    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
        vec![
            rustls::SignatureScheme::RSA_PKCS1_SHA256,
            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
            rustls::SignatureScheme::ED25519,
        ]
    }
}

/// Default token store that accepts all tokens (for demo purposes)
struct DefaultTokenStore;

impl crate::TokenStore for DefaultTokenStore {
    fn insert(&self, _server_name: &str, _token: bytes::Bytes) {
        // Ignore token storage for demo
    }

    fn take(&self, _server_name: &str) -> Option<bytes::Bytes> {
        None
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_nat_traversal_config_default() {
        let config = NatTraversalConfig::default();
        assert_eq!(config.role, EndpointRole::Client);
        assert_eq!(config.max_candidates, 8);
        assert!(config.enable_symmetric_nat);
        assert!(config.enable_relay_fallback);
    }

    #[test]
    fn test_peer_id_display() {
        let peer_id = PeerId([0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77]);
        assert_eq!(format!("{}", peer_id), "0123456789abcdef");
    }

    #[test]
    fn test_bootstrap_node_management() {
        let _config = NatTraversalConfig::default();
        // Note: This will fail due to ServerConfig requirement in new() - for illustration only
        // let endpoint = NatTraversalEndpoint::new(config, None).unwrap();
    }
}