Integrate BACKBEAT SDK and resolve KACHING license validation

Major integrations and fixes: - Added BACKBEAT SDK integration for P2P operation timing - Implemented beat-aware status tracking for distributed operations - Added Docker secrets support for secure license management - Resolved KACHING license validation via HTTPS/TLS - Updated docker-compose configuration for clean stack deployment - Disabled rollback policies to prevent deployment failures - Added license credential storage (CHORUS-DEV-MULTI-001) Technical improvements: - BACKBEAT P2P operation tracking with phase management - Enhanced configuration system with file-based secrets - Improved error handling for license validation - Clean separation of KACHING and CHORUS deployment stacks 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-06 07:56:26 +10:00
parent 543ab216f9
commit 9bdcbe0447
4730 changed files with 1480093 additions and 1916 deletions
--- a/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/LICENSE-APACHE
+++ b/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/LICENSE-APACHE
@@ -0,0 +1,5 @@
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
--- a/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/LICENSE-MIT
+++ b/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/LICENSE-MIT
@@ -0,0 +1,19 @@
+The MIT License (MIT)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
--- a/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/addrs.go
+++ b/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/addrs.go
@@ -0,0 +1,175 @@
+package websocket
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"strconv"
+
+	ma "github.com/multiformats/go-multiaddr"
+	manet "github.com/multiformats/go-multiaddr/net"
+)
+
+// Addr is an implementation of net.Addr for WebSocket.
+type Addr struct {
+	*url.URL
+}
+
+var _ net.Addr = (*Addr)(nil)
+
+// Network returns the network type for a WebSocket, "websocket".
+func (addr *Addr) Network() string {
+	return "websocket"
+}
+
+// NewAddr creates an Addr with `ws` scheme (insecure).
+//
+// Deprecated. Use NewAddrWithScheme.
+func NewAddr(host string) *Addr {
+	// Older versions of the transport only supported insecure connections (i.e.
+	// WS instead of WSS). Assume that is the case here.
+	return NewAddrWithScheme(host, false)
+}
+
+// NewAddrWithScheme creates a new Addr using the given host string. isSecure
+// should be true for WSS connections and false for WS.
+func NewAddrWithScheme(host string, isSecure bool) *Addr {
+	scheme := "ws"
+	if isSecure {
+		scheme = "wss"
+	}
+	return &Addr{
+		URL: &url.URL{
+			Scheme: scheme,
+			Host:   host,
+		},
+	}
+}
+
+func ConvertWebsocketMultiaddrToNetAddr(maddr ma.Multiaddr) (net.Addr, error) {
+	url, err := parseMultiaddr(maddr)
+	if err != nil {
+		return nil, err
+	}
+	return &Addr{URL: url}, nil
+}
+
+func ParseWebsocketNetAddr(a net.Addr) (ma.Multiaddr, error) {
+	wsa, ok := a.(*Addr)
+	if !ok {
+		return nil, fmt.Errorf("not a websocket address")
+	}
+
+	var (
+		tcpma ma.Multiaddr
+		err   error
+		port  int
+		host  = wsa.Hostname()
+	)
+
+	// Get the port
+	if portStr := wsa.Port(); portStr != "" {
+		port, err = strconv.Atoi(portStr)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse port '%q': %s", portStr, err)
+		}
+	} else {
+		return nil, fmt.Errorf("invalid port in url: '%q'", wsa.URL)
+	}
+
+	// NOTE: Ignoring IPv6 zones...
+	// Detect if host is IP address or DNS
+	if ip := net.ParseIP(host); ip != nil {
+		// Assume IP address
+		tcpma, err = manet.FromNetAddr(&net.TCPAddr{
+			IP:   ip,
+			Port: port,
+		})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// Assume DNS name
+		tcpma, err = ma.NewMultiaddr(fmt.Sprintf("/dns/%s/tcp/%d", host, port))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	wsma, err := ma.NewMultiaddr("/" + wsa.Scheme)
+	if err != nil {
+		return nil, err
+	}
+
+	return tcpma.Encapsulate(wsma), nil
+}
+
+func parseMultiaddr(maddr ma.Multiaddr) (*url.URL, error) {
+	parsed, err := parseWebsocketMultiaddr(maddr)
+	if err != nil {
+		return nil, err
+	}
+
+	scheme := "ws"
+	if parsed.isWSS {
+		scheme = "wss"
+	}
+
+	network, host, err := manet.DialArgs(parsed.restMultiaddr)
+	if err != nil {
+		return nil, err
+	}
+	switch network {
+	case "tcp", "tcp4", "tcp6":
+	default:
+		return nil, fmt.Errorf("unsupported websocket network %s", network)
+	}
+	return &url.URL{
+		Scheme: scheme,
+		Host:   host,
+	}, nil
+}
+
+type parsedWebsocketMultiaddr struct {
+	isWSS bool
+	// sni is the SNI value for the TLS handshake, and for setting HTTP Host header
+	sni *ma.Component
+	// the rest of the multiaddr before the /tls/sni/example.com/ws or /ws or /wss
+	restMultiaddr ma.Multiaddr
+}
+
+func parseWebsocketMultiaddr(a ma.Multiaddr) (parsedWebsocketMultiaddr, error) {
+	out := parsedWebsocketMultiaddr{}
+	// First check if we have a WSS component. If so we'll canonicalize it into a /tls/ws
+	withoutWss := a.Decapsulate(wssComponent)
+	if !withoutWss.Equal(a) {
+		a = withoutWss.Encapsulate(tlsWsComponent)
+	}
+
+	// Remove the ws component
+	withoutWs := a.Decapsulate(wsComponent)
+	if withoutWs.Equal(a) {
+		return out, fmt.Errorf("not a websocket multiaddr")
+	}
+
+	rest := withoutWs
+	// If this is not a wss then withoutWs is the rest of the multiaddr
+	out.restMultiaddr = withoutWs
+	for {
+		var head *ma.Component
+		rest, head = ma.SplitLast(rest)
+		if head == nil || rest == nil {
+			break
+		}
+
+		if head.Protocol().Code == ma.P_SNI {
+			out.sni = head
+		} else if head.Protocol().Code == ma.P_TLS {
+			out.isWSS = true
+			out.restMultiaddr = rest
+			break
+		}
+	}
+
+	return out, nil
+}
--- a/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/conn.go
+++ b/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/conn.go
@@ -0,0 +1,164 @@
+package websocket
+
+import (
+	"io"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/libp2p/go-libp2p/core/network"
+	"github.com/libp2p/go-libp2p/core/transport"
+
+	ws "github.com/gorilla/websocket"
+)
+
+// GracefulCloseTimeout is the time to wait trying to gracefully close a
+// connection before simply cutting it.
+var GracefulCloseTimeout = 100 * time.Millisecond
+
+// Conn implements net.Conn interface for gorilla/websocket.
+type Conn struct {
+	*ws.Conn
+	secure             bool
+	DefaultMessageType int
+	reader             io.Reader
+	closeOnce          sync.Once
+
+	readLock, writeLock sync.Mutex
+}
+
+var _ net.Conn = (*Conn)(nil)
+
+// NewConn creates a Conn given a regular gorilla/websocket Conn.
+func NewConn(raw *ws.Conn, secure bool) *Conn {
+	return &Conn{
+		Conn:               raw,
+		secure:             secure,
+		DefaultMessageType: ws.BinaryMessage,
+	}
+}
+
+func (c *Conn) Read(b []byte) (int, error) {
+	c.readLock.Lock()
+	defer c.readLock.Unlock()
+
+	if c.reader == nil {
+		if err := c.prepNextReader(); err != nil {
+			return 0, err
+		}
+	}
+
+	for {
+		n, err := c.reader.Read(b)
+		switch err {
+		case io.EOF:
+			c.reader = nil
+
+			if n > 0 {
+				return n, nil
+			}
+
+			if err := c.prepNextReader(); err != nil {
+				return 0, err
+			}
+
+			// explicitly looping
+		default:
+			return n, err
+		}
+	}
+}
+
+func (c *Conn) prepNextReader() error {
+	t, r, err := c.Conn.NextReader()
+	if err != nil {
+		if wserr, ok := err.(*ws.CloseError); ok {
+			if wserr.Code == 1000 || wserr.Code == 1005 {
+				return io.EOF
+			}
+		}
+		return err
+	}
+
+	if t == ws.CloseMessage {
+		return io.EOF
+	}
+
+	c.reader = r
+	return nil
+}
+
+func (c *Conn) Write(b []byte) (n int, err error) {
+	c.writeLock.Lock()
+	defer c.writeLock.Unlock()
+
+	if err := c.Conn.WriteMessage(c.DefaultMessageType, b); err != nil {
+		return 0, err
+	}
+
+	return len(b), nil
+}
+
+// Close closes the connection. Only the first call to Close will receive the
+// close error, subsequent and concurrent calls will return nil.
+// This method is thread-safe.
+func (c *Conn) Close() error {
+	var err error
+	c.closeOnce.Do(func() {
+		err1 := c.Conn.WriteControl(
+			ws.CloseMessage,
+			ws.FormatCloseMessage(ws.CloseNormalClosure, "closed"),
+			time.Now().Add(GracefulCloseTimeout),
+		)
+		err2 := c.Conn.Close()
+		switch {
+		case err1 != nil:
+			err = err1
+		case err2 != nil:
+			err = err2
+		}
+	})
+	return err
+}
+
+func (c *Conn) LocalAddr() net.Addr {
+	return NewAddrWithScheme(c.Conn.LocalAddr().String(), c.secure)
+}
+
+func (c *Conn) RemoteAddr() net.Addr {
+	return NewAddrWithScheme(c.Conn.RemoteAddr().String(), c.secure)
+}
+
+func (c *Conn) SetDeadline(t time.Time) error {
+	if err := c.SetReadDeadline(t); err != nil {
+		return err
+	}
+
+	return c.SetWriteDeadline(t)
+}
+
+func (c *Conn) SetReadDeadline(t time.Time) error {
+	// Don't lock when setting the read deadline. That would prevent us from
+	// interrupting an in-progress read.
+	return c.Conn.SetReadDeadline(t)
+}
+
+func (c *Conn) SetWriteDeadline(t time.Time) error {
+	// Unlike the read deadline, we need to lock when setting the write
+	// deadline.
+
+	c.writeLock.Lock()
+	defer c.writeLock.Unlock()
+
+	return c.Conn.SetWriteDeadline(t)
+}
+
+type capableConn struct {
+	transport.CapableConn
+}
+
+func (c *capableConn) ConnState() network.ConnectionState {
+	cs := c.CapableConn.ConnState()
+	cs.Transport = "websocket"
+	return cs
+}
--- a/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/listener.go
+++ b/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/listener.go
@@ -0,0 +1,160 @@
+package websocket
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+
+	"github.com/libp2p/go-libp2p/core/transport"
+
+	ma "github.com/multiformats/go-multiaddr"
+	manet "github.com/multiformats/go-multiaddr/net"
+)
+
+type listener struct {
+	nl     net.Listener
+	server http.Server
+	// The Go standard library sets the http.Server.TLSConfig no matter if this is a WS or WSS,
+	// so we can't rely on checking if server.TLSConfig is set.
+	isWss bool
+
+	laddr ma.Multiaddr
+
+	closed   chan struct{}
+	incoming chan *Conn
+}
+
+func (pwma *parsedWebsocketMultiaddr) toMultiaddr() ma.Multiaddr {
+	if !pwma.isWSS {
+		return pwma.restMultiaddr.Encapsulate(wsComponent)
+	}
+
+	if pwma.sni == nil {
+		return pwma.restMultiaddr.Encapsulate(tlsComponent).Encapsulate(wsComponent)
+	}
+
+	return pwma.restMultiaddr.Encapsulate(tlsComponent).Encapsulate(pwma.sni).Encapsulate(wsComponent)
+}
+
+// newListener creates a new listener from a raw net.Listener.
+// tlsConf may be nil (for unencrypted websockets).
+func newListener(a ma.Multiaddr, tlsConf *tls.Config) (*listener, error) {
+	parsed, err := parseWebsocketMultiaddr(a)
+	if err != nil {
+		return nil, err
+	}
+
+	if parsed.isWSS && tlsConf == nil {
+		return nil, fmt.Errorf("cannot listen on wss address %s without a tls.Config", a)
+	}
+
+	lnet, lnaddr, err := manet.DialArgs(parsed.restMultiaddr)
+	if err != nil {
+		return nil, err
+	}
+	nl, err := net.Listen(lnet, lnaddr)
+	if err != nil {
+		return nil, err
+	}
+
+	laddr, err := manet.FromNetAddr(nl.Addr())
+	if err != nil {
+		return nil, err
+	}
+	first, _ := ma.SplitFirst(a)
+	// Don't resolve dns addresses.
+	// We want to be able to announce domain names, so the peer can validate the TLS certificate.
+	if c := first.Protocol().Code; c == ma.P_DNS || c == ma.P_DNS4 || c == ma.P_DNS6 || c == ma.P_DNSADDR {
+		_, last := ma.SplitFirst(laddr)
+		laddr = first.Encapsulate(last)
+	}
+	parsed.restMultiaddr = laddr
+
+	ln := &listener{
+		nl:       nl,
+		laddr:    parsed.toMultiaddr(),
+		incoming: make(chan *Conn),
+		closed:   make(chan struct{}),
+	}
+	ln.server = http.Server{Handler: ln}
+	if parsed.isWSS {
+		ln.isWss = true
+		ln.server.TLSConfig = tlsConf
+	}
+	return ln, nil
+}
+
+func (l *listener) serve() {
+	defer close(l.closed)
+	if !l.isWss {
+		l.server.Serve(l.nl)
+	} else {
+		l.server.ServeTLS(l.nl, "", "")
+	}
+}
+
+func (l *listener) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	c, err := upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		// The upgrader writes a response for us.
+		return
+	}
+
+	select {
+	case l.incoming <- NewConn(c, l.isWss):
+	case <-l.closed:
+		c.Close()
+	}
+	// The connection has been hijacked, it's safe to return.
+}
+
+func (l *listener) Accept() (manet.Conn, error) {
+	select {
+	case c, ok := <-l.incoming:
+		if !ok {
+			return nil, transport.ErrListenerClosed
+		}
+
+		mnc, err := manet.WrapNetConn(c)
+		if err != nil {
+			c.Close()
+			return nil, err
+		}
+
+		return mnc, nil
+	case <-l.closed:
+		return nil, transport.ErrListenerClosed
+	}
+}
+
+func (l *listener) Addr() net.Addr {
+	return l.nl.Addr()
+}
+
+func (l *listener) Close() error {
+	l.server.Close()
+	err := l.nl.Close()
+	<-l.closed
+	if strings.Contains(err.Error(), "use of closed network connection") {
+		return transport.ErrListenerClosed
+	}
+	return err
+}
+
+func (l *listener) Multiaddr() ma.Multiaddr {
+	return l.laddr
+}
+
+type transportListener struct {
+	transport.Listener
+}
+
+func (l *transportListener) Accept() (transport.CapableConn, error) {
+	conn, err := l.Listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+	return &capableConn{CapableConn: conn}, nil
+}
--- a/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/websocket.go
+++ b/vendor/github.com/libp2p/go-libp2p/p2p/transport/websocket/websocket.go
@@ -0,0 +1,246 @@
+// Package websocket implements a websocket based transport for go-libp2p.
+package websocket
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/libp2p/go-libp2p/core/network"
+	"github.com/libp2p/go-libp2p/core/peer"
+	"github.com/libp2p/go-libp2p/core/transport"
+
+	ma "github.com/multiformats/go-multiaddr"
+	mafmt "github.com/multiformats/go-multiaddr-fmt"
+	manet "github.com/multiformats/go-multiaddr/net"
+
+	ws "github.com/gorilla/websocket"
+)
+
+// WsFmt is multiaddr formatter for WsProtocol
+var WsFmt = mafmt.And(mafmt.TCP, mafmt.Base(ma.P_WS))
+
+var dialMatcher = mafmt.And(
+	mafmt.Or(mafmt.IP, mafmt.DNS),
+	mafmt.Base(ma.P_TCP),
+	mafmt.Or(
+		mafmt.Base(ma.P_WS),
+		mafmt.And(
+			mafmt.Or(
+				mafmt.And(
+					mafmt.Base(ma.P_TLS),
+					mafmt.Base(ma.P_SNI)),
+				mafmt.Base(ma.P_TLS),
+			),
+			mafmt.Base(ma.P_WS)),
+		mafmt.Base(ma.P_WSS)))
+
+var (
+	wssComponent   = ma.StringCast("/wss")
+	tlsWsComponent = ma.StringCast("/tls/ws")
+	tlsComponent   = ma.StringCast("/tls")
+	wsComponent    = ma.StringCast("/ws")
+)
+
+func init() {
+	manet.RegisterFromNetAddr(ParseWebsocketNetAddr, "websocket")
+	manet.RegisterToNetAddr(ConvertWebsocketMultiaddrToNetAddr, "ws")
+	manet.RegisterToNetAddr(ConvertWebsocketMultiaddrToNetAddr, "wss")
+}
+
+// Default gorilla upgrader
+var upgrader = ws.Upgrader{
+	// Allow requests from *all* origins.
+	CheckOrigin: func(r *http.Request) bool {
+		return true
+	},
+}
+
+type Option func(*WebsocketTransport) error
+
+// WithTLSClientConfig sets a TLS client configuration on the WebSocket Dialer. Only
+// relevant for non-browser usages.
+//
+// Some useful use cases include setting InsecureSkipVerify to `true`, or
+// setting user-defined trusted CA certificates.
+func WithTLSClientConfig(c *tls.Config) Option {
+	return func(t *WebsocketTransport) error {
+		t.tlsClientConf = c
+		return nil
+	}
+}
+
+// WithTLSConfig sets a TLS configuration for the WebSocket listener.
+func WithTLSConfig(conf *tls.Config) Option {
+	return func(t *WebsocketTransport) error {
+		t.tlsConf = conf
+		return nil
+	}
+}
+
+// WebsocketTransport is the actual go-libp2p transport
+type WebsocketTransport struct {
+	upgrader transport.Upgrader
+	rcmgr    network.ResourceManager
+
+	tlsClientConf *tls.Config
+	tlsConf       *tls.Config
+}
+
+var _ transport.Transport = (*WebsocketTransport)(nil)
+
+func New(u transport.Upgrader, rcmgr network.ResourceManager, opts ...Option) (*WebsocketTransport, error) {
+	if rcmgr == nil {
+		rcmgr = &network.NullResourceManager{}
+	}
+	t := &WebsocketTransport{
+		upgrader:      u,
+		rcmgr:         rcmgr,
+		tlsClientConf: &tls.Config{},
+	}
+	for _, opt := range opts {
+		if err := opt(t); err != nil {
+			return nil, err
+		}
+	}
+	return t, nil
+}
+
+func (t *WebsocketTransport) CanDial(a ma.Multiaddr) bool {
+	return dialMatcher.Matches(a)
+}
+
+func (t *WebsocketTransport) Protocols() []int {
+	return []int{ma.P_WS, ma.P_WSS}
+}
+
+func (t *WebsocketTransport) Proxy() bool {
+	return false
+}
+
+func (t *WebsocketTransport) Resolve(_ context.Context, maddr ma.Multiaddr) ([]ma.Multiaddr, error) {
+	parsed, err := parseWebsocketMultiaddr(maddr)
+	if err != nil {
+		return nil, err
+	}
+
+	if !parsed.isWSS {
+		// No /tls/ws component, this isn't a secure websocket multiaddr. We can just return it here
+		return []ma.Multiaddr{maddr}, nil
+	}
+
+	if parsed.sni == nil {
+		var err error
+		// We don't have an sni component, we'll use dns/dnsaddr
+		ma.ForEach(parsed.restMultiaddr, func(c ma.Component) bool {
+			switch c.Protocol().Code {
+			case ma.P_DNS, ma.P_DNS4, ma.P_DNS6:
+				// err shouldn't happen since this means we couldn't parse a dns hostname for an sni value.
+				parsed.sni, err = ma.NewComponent("sni", c.Value())
+				return false
+			}
+			return true
+		})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if parsed.sni == nil {
+		// we didn't find anything to set the sni with. So we just return the given multiaddr
+		return []ma.Multiaddr{maddr}, nil
+	}
+
+	return []ma.Multiaddr{parsed.toMultiaddr()}, nil
+}
+
+func (t *WebsocketTransport) Dial(ctx context.Context, raddr ma.Multiaddr, p peer.ID) (transport.CapableConn, error) {
+	connScope, err := t.rcmgr.OpenConnection(network.DirOutbound, true, raddr)
+	if err != nil {
+		return nil, err
+	}
+	c, err := t.dialWithScope(ctx, raddr, p, connScope)
+	if err != nil {
+		connScope.Done()
+		return nil, err
+	}
+	return c, nil
+}
+
+func (t *WebsocketTransport) dialWithScope(ctx context.Context, raddr ma.Multiaddr, p peer.ID, connScope network.ConnManagementScope) (transport.CapableConn, error) {
+	macon, err := t.maDial(ctx, raddr)
+	if err != nil {
+		return nil, err
+	}
+	conn, err := t.upgrader.Upgrade(ctx, t, macon, network.DirOutbound, p, connScope)
+	if err != nil {
+		return nil, err
+	}
+	return &capableConn{CapableConn: conn}, nil
+}
+
+func (t *WebsocketTransport) maDial(ctx context.Context, raddr ma.Multiaddr) (manet.Conn, error) {
+	wsurl, err := parseMultiaddr(raddr)
+	if err != nil {
+		return nil, err
+	}
+	isWss := wsurl.Scheme == "wss"
+	dialer := ws.Dialer{HandshakeTimeout: 30 * time.Second}
+	if isWss {
+		sni := ""
+		sni, err = raddr.ValueForProtocol(ma.P_SNI)
+		if err != nil {
+			sni = ""
+		}
+
+		if sni != "" {
+			copytlsClientConf := t.tlsClientConf.Clone()
+			copytlsClientConf.ServerName = sni
+			dialer.TLSClientConfig = copytlsClientConf
+			ipAddr := wsurl.Host
+			// Setting the NetDial because we already have the resolved IP address, so we don't want to do another resolution.
+			// We set the `.Host` to the sni field so that the host header gets properly set.
+			dialer.NetDial = func(network, address string) (net.Conn, error) {
+				tcpAddr, err := net.ResolveTCPAddr(network, ipAddr)
+				if err != nil {
+					return nil, err
+				}
+				return net.DialTCP("tcp", nil, tcpAddr)
+			}
+			wsurl.Host = sni + ":" + wsurl.Port()
+		} else {
+			dialer.TLSClientConfig = t.tlsClientConf
+		}
+	}
+
+	wscon, _, err := dialer.DialContext(ctx, wsurl.String(), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	mnc, err := manet.WrapNetConn(NewConn(wscon, isWss))
+	if err != nil {
+		wscon.Close()
+		return nil, err
+	}
+	return mnc, nil
+}
+
+func (t *WebsocketTransport) maListen(a ma.Multiaddr) (manet.Listener, error) {
+	l, err := newListener(a, t.tlsConf)
+	if err != nil {
+		return nil, err
+	}
+	go l.serve()
+	return l, nil
+}
+
+func (t *WebsocketTransport) Listen(a ma.Multiaddr) (transport.Listener, error) {
+	malist, err := t.maListen(a)
+	if err != nil {
+		return nil, err
+	}
+	return &transportListener{Listener: t.upgrader.UpgradeListener(t, malist)}, nil
+}