docs(exit_node): ship wrapper.ts for VPS users (#912)

@BehroozAmoozad reported the docs reference a wrapper.ts file that
doesn't exist in the repo — the README.md / README.fa.md "Your own VPS"
row pointed at a wrapper.ts the user was supposed to write themselves.
For non-JavaScript users, this was a hard blocker.

Adds assets/exit_node/wrapper.ts that:
- Imports the handler from exit_node.ts directly (so editing the PSK in
  exit_node.ts is the only setup step).
- Auto-detects Deno, Bun, or Node 22+ at runtime and uses the matching
  HTTP server primitive (Deno.serve / Bun.serve / node:http).
- Reads PORT, HOST, CERT_FILE, KEY_FILE from env.
- Defaults to plain HTTP on port 8443 and recommends a reverse proxy
  (Caddy / nginx / Cloudflare Tunnel) for TLS termination — the path
  most VPS setups already have.
- Optional standalone TLS via CERT_FILE + KEY_FILE for users without
  a reverse proxy.

README.md + README.fa.md updated to link the file directly and adjust
the deno run command to include the new --allow-env / --allow-read
permissions the wrapper needs.

No code changes — assets-only.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

assets/exit_node/README.fa.md

@@ -94,7 +94,7 @@ config مثال کامل در
 |---|---|
 | **Deno Deploy** ([deno.com/deploy](https://deno.com/deploy)) | free tier برای personal use کافی است. با `deployctl deploy --prod exit_node.ts` یا GitHub Actions deploy کنید. همان web-standard API. |
 | **fly.io** | free tier با محدودیت. handler رو در یک server thin بسته‌بندی کنید (`Deno.serve(handler)` برای Deno یا یک Express wrapper برای Node) + Dockerfile اضافه کنید. IP دائم، region جغرافیایی قابل انتخاب. |
-| **VPS شخصی خودت** | `deno run --allow-net wrapper.ts` که `wrapper.ts` کارش `Deno.serve({ port: 8443 }, handler)` است. حداکثر کنترل، ~۳-۵ دلار در ماه. |
+| **VPS شخصی خودت** | از فایل آماده [`wrapper.ts`](wrapper.ts) استفاده کن: `deno run --allow-net --allow-env --allow-read wrapper.ts`. خودکار Deno / Bun / Node 22+ تشخیص می‌ده. حداکثر کنترل، ~۳-۵ دلار در ماه. |
 | **Cloudflare Workers** | **کمک نمی‌کنه.** CF Workers از IP space خود CF خروج می‌کنن، که CF anti-bot هنوز به‌عنوان worker-internal flag می‌کنه. |
 
 برای اکثر کاربرانی که مسیر local رو اجرا می‌کنن، Deno Deploy

assets/exit_node/README.md

@@ -94,7 +94,7 @@ sign up for and trust:
 |---|---|
 | **Deno Deploy** ([deno.com/deploy](https://deno.com/deploy)) | Free tier covers personal use. Deploy via `deployctl deploy --prod exit_node.ts` or via GitHub Actions. Same web-standard API as the script expects. |
 | **fly.io** | Free tier with limits. Wrap the handler in a thin server (`Deno.serve(handler)` for Deno or an Express wrapper for Node) + add a Dockerfile. Persistent IPs, picks geographic region. |
-| **Your own VPS** | Run `deno run --allow-net wrapper.ts` where `wrapper.ts` does `Deno.serve({ port: 8443 }, handler)`. Most control, ~$3-5/mo. |
+| **Your own VPS** | Use the included [`wrapper.ts`](wrapper.ts): `deno run --allow-net --allow-env --allow-read wrapper.ts`. Auto-detects Deno / Bun / Node 22+. Most control, ~$3-5/mo. |
 | **Cloudflare Workers** | **Doesn't help.** CF Workers exit through CF's own IP space, which CF anti-bot still flags as worker-internal traffic. |
 
 For most users running locally, Deno Deploy is the fastest setup. For

assets/exit_node/wrapper.ts

@@ -0,0 +1,119 @@
+// VPS wrapper for exit_node.ts — used when you run the exit node on your
+// own server (any platform that can run Deno or Bun) instead of on a
+// platform that auto-invokes the default export (Deno Deploy, Val.town,
+// Cloudflare Workers, etc.).
+//
+// Pick ONE runtime + matching command:
+//
+//   Deno (recommended, comes with HTTPS support out of the box):
+//     deno run --allow-net --allow-env wrapper.ts
+//
+//   Bun (also works, slightly faster cold start):
+//     bun run wrapper.ts
+//
+//   Node 22+ (no extra runtime; needs `--experimental-fetch` only on <22):
+//     node wrapper.ts                # if your Node has fetch + Bun's
+//                                    # global Request/Response (22+)
+//
+// ENV VARS (all optional):
+//   PORT       — TCP port to bind. Default 8443.
+//   HOST       — bind address. Default 0.0.0.0 (all interfaces).
+//   CERT_FILE  — path to TLS cert PEM. Omit for plain HTTP (use a reverse
+//                proxy like Caddy / nginx / Cloudflare Tunnel for TLS).
+//   KEY_FILE   — path to TLS key PEM (must be set together with CERT_FILE).
+//
+// Behind a reverse proxy (Caddy, nginx, Cloudflare Tunnel) you typically
+// run this on plain HTTP and let the proxy terminate TLS — that's the
+// simpler setup if you already have a domain. Set PORT=8443 and point
+// your reverse proxy at http://localhost:8443.
+//
+// Standalone TLS (rare but supported): set CERT_FILE + KEY_FILE to
+// matching PEM-encoded files and Deno will terminate TLS itself. Use
+// Let's Encrypt's certbot / acme.sh to fetch a real cert; self-signed
+// will not work (Apps Script's UrlFetchApp validates the chain).
+//
+// EDIT exit_node.ts FIRST: replace the placeholder PSK with a strong
+// secret. The wrapper imports the handler from exit_node.ts directly,
+// so changing the constant in exit_node.ts is all you need.
+
+import handler from "./exit_node.ts";
+
+// Deno (preferred)
+if (typeof (globalThis as any).Deno !== "undefined") {
+  const Deno = (globalThis as any).Deno;
+  const port = Number(Deno.env.get("PORT") ?? 8443);
+  const hostname = Deno.env.get("HOST") ?? "0.0.0.0";
+  const certFile = Deno.env.get("CERT_FILE");
+  const keyFile = Deno.env.get("KEY_FILE");
+
+  if (certFile && keyFile) {
+    Deno.serve(
+      {
+        port,
+        hostname,
+        cert: Deno.readTextFileSync(certFile),
+        key: Deno.readTextFileSync(keyFile),
+      },
+      handler,
+    );
+    console.log(`exit_node listening on https://${hostname}:${port}`);
+  } else {
+    Deno.serve({ port, hostname }, handler);
+    console.log(
+      `exit_node listening on http://${hostname}:${port} ` +
+        `(no TLS — terminate it with a reverse proxy like Caddy/nginx)`,
+    );
+  }
+}
+// Bun
+else if (typeof (globalThis as any).Bun !== "undefined") {
+  const Bun = (globalThis as any).Bun;
+  const port = Number(process.env.PORT ?? 8443);
+  const hostname = process.env.HOST ?? "0.0.0.0";
+
+  Bun.serve({
+    port,
+    hostname,
+    fetch: handler,
+    tls: process.env.CERT_FILE && process.env.KEY_FILE
+      ? {
+          cert: Bun.file(process.env.CERT_FILE),
+          key: Bun.file(process.env.KEY_FILE),
+        }
+      : undefined,
+  });
+  console.log(`exit_node listening on ${hostname}:${port}`);
+}
+// Node 22+ — uses the built-in `node:http` module + globalThis.Request/Response
+else if (typeof (globalThis as any).process !== "undefined") {
+  const { createServer } = await import("node:http");
+  const port = Number(process.env.PORT ?? 8443);
+  const hostname = process.env.HOST ?? "0.0.0.0";
+
+  createServer(async (req, res) => {
+    // Build a web-standard Request from Node's IncomingMessage.
+    const chunks: Uint8Array[] = [];
+    for await (const c of req) chunks.push(c as Uint8Array);
+    const body = chunks.length ? Buffer.concat(chunks) : undefined;
+
+    const url = `http://${req.headers.host ?? hostname}${req.url ?? "/"}`;
+    const webReq = new Request(url, {
+      method: req.method,
+      headers: req.headers as Record<string, string>,
+      body,
+    });
+
+    const webRes = await handler(webReq);
+
+    res.statusCode = webRes.status;
+    webRes.headers.forEach((v: string, k: string) => res.setHeader(k, v));
+    const buf = new Uint8Array(await webRes.arrayBuffer());
+    res.end(buf);
+  }).listen(port, hostname, () => {
+    console.log(`exit_node listening on http://${hostname}:${port}`);
+  });
+} else {
+  throw new Error(
+    "No supported runtime detected. Run this file with Deno, Bun, or Node 22+.",
+  );
+}