Add NapiClient.disableVerify() and use NAPI tokio runtime

[kixelated]

Summary

• Add NapiClient.disableVerify() factory method that skips TLS certificate verification, for testing with self-signed certs
• Use napi::within_runtime_if_available for sync methods that need a tokio context (quinn binds UDP sockets to the current runtime)
• Add SessionOptions.serverCertificateDisableVerify to the JS polyfill
• Rename ts/ → src/ in @moq/web-transport
• Fix build script to use --manifest-path + --output-dir

Test plan

• bun run build compiles successfully
• Smoke tested against https://cdn.moq.dev/anon — setup-only and 5/6 interop tests pass (announce-subscribe is a pre-existing timing issue)
• Test with self-signed certs using serverCertificateDisableVerify: true

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@kixelated has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 38 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 13c0085a-fb97-4bb9-b080-e8ef858e4221

📥 Commits

Reviewing files that changed from the base of the PR and between 4ddaf1f and 51265e1.

📒 Files selected for processing (1)

• rs/qmux/src/ws.rs

Walkthrough

Package metadata and build targets were moved from ./ts to ./src (exports, types, files, tsconfig). The napi build command was changed to use an explicit --manifest-path and --output-dir. A new SessionOptions interface (with serverCertificateDisableVerify?: boolean) replaces prior option types in constructors. Rust additions include NapiClient::disable_verify() and multiple client/server/session builder and method paths now executing inside a runtime context via within_runtime_if_available; bind returns a Mutex-wrapped server.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: adding NapiClient.disableVerify() method and implementing NAPI tokio runtime usage, which are the primary objectives of this pull request.
Description check	✅ Passed	The description is directly related to the changeset, providing a clear summary of all major changes including the new disableVerify() method, NAPI runtime changes, SessionOptions updates, and directory restructuring.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch napi-disable-verify

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch napi-disable-verify

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

js/web-transport/src/session.ts (1)

50-50: Update constructor signature to expose SessionOptions in the public API.

The constructor overload uses WebTransportOptions, but the implementation accepts SessionOptions. TypeScript consumers won't see serverCertificateDisableVerify in IDE autocomplete.

♻️ Proposed fix

 	// Construct from URL (client-side polyfill)
-	constructor(url: string | URL, options?: WebTransportOptions);
+	constructor(url: string | URL, options?: SessionOptions);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@js/web-transport/src/session.ts` at line 50, The constructor overload
currently declares (constructor(url: string | URL, options?:
WebTransportOptions)) but the implementation expects SessionOptions, so update
the public constructor signature to accept SessionOptions (e.g.,
constructor(url: string | URL, options?: SessionOptions)) so consumers see
serverCertificateDisableVerify in autocomplete; ensure the exported type
SessionOptions is imported/visible where the constructor is declared and remove
or reconcile any leftover WebTransportOptions overloads to match the
implementation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@js/web-transport/src/session.ts`:
- Line 50: The constructor overload currently declares (constructor(url: string
| URL, options?: WebTransportOptions)) but the implementation expects
SessionOptions, so update the public constructor signature to accept
SessionOptions (e.g., constructor(url: string | URL, options?: SessionOptions))
so consumers see serverCertificateDisableVerify in autocomplete; ensure the
exported type SessionOptions is imported/visible where the constructor is
declared and remove or reconcile any leftover WebTransportOptions overloads to
match the implementation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bcb53745-b223-49b2-840a-8df7eb9ce1ed

📥 Commits

Reviewing files that changed from the base of the PR and between 479f8d0 and 90fb673.

📒 Files selected for processing (6)

• js/web-transport/package.json
• js/web-transport/src/datagrams.ts
• js/web-transport/src/index.ts
• js/web-transport/src/session.ts
• js/web-transport/tsconfig.json
• rs/web-transport-node/src/lib.rs

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@js/web-transport/src/session.ts`:
- Around line 79-81: Reject configurations that enable
serverCertificateDisableVerify while also providing serverCertificateHashes: in
session.ts, before calling NapiClient.disableVerify() or processing hashes,
check options.serverCertificateDisableVerify and whether
hashes/serverCertificateHashes (the variable used in the diff) is non-empty; if
both are set, throw or return an explicit configuration error (e.g., throw new
Error or reject the promise) explaining that disableVerify and certificate
pinning cannot be used together so the caller must choose one, otherwise proceed
with the existing logic (either disableVerify via NapiClient.disableVerify() or
pinning via the hashes path).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bb6face8-c201-48fe-a080-ebab02d274bf

📥 Commits

Reviewing files that changed from the base of the PR and between 90fb673 and 463baaf.

📒 Files selected for processing (1)

• js/web-transport/src/session.ts