Do you have exact crypto spec somewhere?

"NaCl library" is not a spec and it's still easy to use/apply it incorrectly.

Crypto is outlined over here: https://github.com/irungentoo/toxcore/blob/master/docs/updat...

Cool. Is this direct connection from peer to peer or does the communication bounce from one node to another as a TOR communication would do ? (I'm guessing direct for obvious latency reasons when using audio / video)

Direct connection when possible.

Connection routed over one TCP node when direct connections are impossible due to NAT issues.

Does only the one-time signalling handshake go to a TCP node (NAT hole punching) or does all traffic? Are these TCP nodes similar to Skype "super-peers" - how are they selected?

Virtually all consumers are behind NAT devices.

The majority of NATs can be hole punched.

If you can't hole punch then you will connect to your friend through a couple TCP nodes. They act like relays.

TCP nodes are pretty much randomly selected by peers and anyone can host them.

Everything is encrypted and TCP nodes are regarded as being possibly hostile so there should not be any security issues.

What if I don't want a direct connection for security/anon reasons?