(feat) quota management, transport security, and system resilience #1333
maybeknott wants to merge 3 commits into
… features
- Dynamic SNI Selection Engine
Modified 'src/domain_fronter.rs' to include a destination-aware SNI mapping matrix. This engine intercepts the target host before connection establishment and selects a Google SNI hostname that mimics legitimate productivity traffic based on the request type. For example, high-bandwidth media streams (googlevideo.com) are cloaked as 'docs.google.com', while API-heavy traffic is mapped to 'developers.google.com'. Other requests are randomized across a rotation pool of common services (mail, drive, maps) to prevent the emergence of a predictable SNI fingerprint that could be flagged by DPI.
- Upstream Request Fragmentation (Reverse Chunking)
Developed a fragmentation pipeline in 'src/domain_fronter.rs' to handle outbound payloads exceeding 5 MiB. Given the ~50 MiB inbound body limit on Google Apps Script, large uploads (POST/PUT) are split into sequential fragments. Each fragment is wrapped in an envelope containing a unique 'X-MHRV-Upload-ID' and sequencing headers ('X-MHRV-Chunk-Index', 'X-MHRV-Chunk-Total'). On the backend, fragments are temporarily stored in Google Drive and reassembled once the final chunk arrives, allowing the system to support massive uploads that would otherwise exceed script execution boundaries.
- Rolling 24-Hour Quota Ledger
Implemented a thread-safe sliding-window ledger using 'Vec<Instant>' for each script ID in 'src/domain_fronter.rs'. Unlike a fixed daily reset, this logic prunes expired timestamps older than 24 hours during every script selection event. This precisely mirrors Google's rolling quota reset cadence, ensuring the round-robin selector only routes traffic to scripts with verifiable capacity. This prevents the "thundering herd" problem where scripts are hit immediately after a hard reset while still being rate-limited by the backend.
- Granular Failure Classification and Quarantine
Enhanced the 'do_relay_once_with' logic to perform deep inspection of failure responses. The system now differentiates between transient network timeouts and authoritative account limits. Hard failures (HTTP 429, 403, or responses containing "Quota Exceeded") trigger a strict 24-hour quarantine window for the affected script. Transient socket errors or 5xx responses from the Google frontend trigger a brief 10-minute cooldown. This intelligent classification maximizes pool utilization by ensuring that scripts are only blacklisted for durations that match their specific failure recovery window.
- Remote DNS Enforcement and Isolation
Enforced SOCKS5 remote DNS resolution (Address Type 0x03) within 'src/proxy_server.rs' to eliminate domain leakage. The proxy intercepts connection attempts and passes the raw hostname directly to the encrypted tunnel, bypassing 'std::net::ToSocketAddrs' and other local resolution bindings. This ensures that destination metadata is never exposed via plaintext DNS queries to local ISP servers, maintaining full end-to-end privacy for the target hostnames.
- System Proxy Self-Healing and Watchdog
Established a dual-layer preservation strategy for Windows system proxy settings in 'src/main.rs'. A global panic hook using 'std::panic::set_hook' is registered to forcefully clear the 'ProxyEnable' and 'ProxyServer' registry keys during any unhandled exception. Complementing this, a boot-initialization routine flushes orphaned proxy settings from previous ungraceful exits. This self-healing architecture prevents the system's network configuration from being left in a broken state if the process is terminated via power loss or task termination.
- WinINet System Proxy Synchronization
Integrated direct Win32 FFI bindings to 'InternetSetOptionW' in 'src/bin/ui.rs' to ensure registry changes are propagated instantly. By broadcasting the 'INTERNET_OPTION_SETTINGS_CHANGED' and 'INTERNET_OPTION_REFRESH' flags, the OS network subsystem notifies active applications (such as Chrome, Edge, and background services) to flush their proxy caches. This provides seamless, real-time toggling of the system proxy state without requiring browser restarts or waiting for OS-level cache timeouts.
- Local Traffic Filtering (block_hosts)
Added a local interception gate in 'src/proxy_server.rs' that matches destination hosts against a 'block_hosts' configuration. Requests to trackers, ads, and telemetry endpoints (identified by exact match or suffix) are short-circuited with a 204 No Content response locally. This proactive filtering preserves the user's limited Apps Script execution quota for meaningful content and reduces overall latency by eliminating unnecessary remote round-trips for non-essential traffic.
- UI Modernization and Live Progress Tracking
Overhauled 'src/bin/ui.rs' with a high-contrast 'Obsidian' theme and real-time operational metrics. The interface now features a live 'ProgressBar' bound to the sliding-window ledger to visualize quota consumption. Status indicators were updated with sine-wave-driven alpha pulsing to provide interactive feedback on background connection states, while informational blocks were added to provide technical context on local loopback decryption and certificate sandboxing.
- Technical Fixes and Maintenance
Resolved a compatibility issue in 'src/main.rs' and 'src/bin/ui.rs' by migrating 'RegKey::predefined' calls to the modern 'RegKey::predef' API as required by the latest 'winreg' library. Fixed a '#[warn(unused_variables)]' warning by removing the unused variable 'n' in the 'next_script_id' implementation in 'src/domain_fronter.rs'.
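The rolling 24-hour ledger and the hard/transient failure split described above, written out as an added example (this is not code from the PR or from the mhrv-rs project). It assumes a per-script daily cap passed in as `per_day`, keeps one `Vec<Instant>` per script ID, prunes entries older than 24 hours on every selection, and quarantines a script for 24 hours on 429/403/"Quota Exceeded" and 10 minutes on socket errors or 5xx; `now` is injected so the window logic can be exercised without sleeping.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};
const WINDOW: Duration = Duration::from_secs(24 * 60 * 60);          // rolling quota window
const HARD_QUARANTINE: Duration = Duration::from_secs(24 * 60 * 60); // 429/403/"Quota Exceeded"
const SOFT_COOLDOWN: Duration = Duration::from_secs(10 * 60);        // socket errors / 5xx

#[derive(Debug, PartialEq)]
pub enum Failure { Hard, Transient }

/// Classify a failed relay attempt. `status` is None for socket-level errors.
pub fn classify_failure(status: Option<u16>, body: &str) -> Failure {
    match status {
        Some(429) | Some(403) => Failure::Hard,
        _ if body.contains("Quota Exceeded") => Failure::Hard,
        _ => Failure::Transient,
    }
}
/// Sliding-window ledger: one Vec<Instant> of executions per script ID,
/// plus a quarantine-until map. `per_day` is an assumed per-script cap.
pub struct QuotaLedger {
    per_day: usize,
    used: HashMap<String, Vec<Instant>>,
    blocked_until: HashMap<String, Instant>,
    cursor: usize, // round-robin position
}
impl QuotaLedger {
    pub fn new(per_day: usize) -> Self {
        Self { per_day, used: HashMap::new(), blocked_until: HashMap::new(), cursor: 0 }
    }
    /// Drop timestamps older than 24 h; return how many remain in the window.
    fn prune(&mut self, id: &str, now: Instant) -> usize {
        let v = self.used.entry(id.to_string()).or_default();
        v.retain(|t| now.duration_since(*t) < WINDOW);
        v.len()
    }
    /// Round-robin over `ids`, skipping quarantined or exhausted scripts and
    /// charging one execution to the script that is returned.
    pub fn next_script_id(&mut self, ids: &[String], now: Instant) -> Option<String> {
        for offset in 0..ids.len() {
            let id = &ids[(self.cursor + offset) % ids.len()];
            let quarantined = self.blocked_until.get(id).map_or(false, |&u| now < u);
            if quarantined || self.prune(id, now) >= self.per_day { continue; }
            self.used.get_mut(id).unwrap().push(now);
            self.cursor = (self.cursor + offset + 1) % ids.len();
            return Some(id.clone());
        }
        None
    }
    /// Block a script for the duration that matches its failure class.
    pub fn record_failure(&mut self, id: &str, f: Failure, now: Instant) {
        let d = if f == Failure::Hard { HARD_QUARANTINE } else { SOFT_COOLDOWN };
        self.blocked_until.insert(id.to_string(), now + d);
    }
}
```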
…, and prefix-spliced tunnel routing
This change addresses a critical data transmission issue where large mutating request payloads (> 5 MiB) under Apps Script relay mode were fragmented in an unsafe, un-reassembled manner. This fragmentation led to downstream corruption and potential data loss, as well as the propagation of non-standard upload headers. To resolve this while preserving high-bandwidth connection support for Full mode, we introduce a dual-path routing and rejection mechanism based on target operation mode:
1. Prefix-Spliced Tunneling Pipeline (src/tunnel_client.rs):
- Developed `tunnel_connection_with_prefix` to accept a pre-read request head buffer and any leftover body bytes.
- Slices the buffered prefix directly into the `TunnelMux` multiplexer. This bypasses the typical client-first handshake block, allowing the backend to consume the request seamlessly.
2. Elimination of Apps Script Body Fragmentation (src/domain_fronter.rs):
- Removed the reverse-chunking loop from the Apps Script relay request pathway.
- Eliminated the injection and transmission of all `X-MHRV-Upload-ID`, `X-MHRV-Chunk-Index`, and `X-MHRV-Chunk-Total` headers to prevent downstream validation errors.
3. Local HTTP 413 Short-Circuiting (src/proxy_server.rs):
- Defined `APPS_SCRIPT_UPLOAD_MAX_BYTES` at a strict 5 MiB threshold.
- Added content-size inspection for mutating HTTP methods (POST, PUT, PATCH) inside `do_plain_http` and `handle_mitm_request` prior to full body consumption.
- For Apps Script relay mode: Requests exceeding the 5 MiB limit are short-circuited locally with a `413 Payload Too Large` response. This protects the Apps Script quota from useless execution time and data-cap depletion.
- For Full mode: Large mutating requests are dynamically upgraded and routed through the prefix-spliced tunnel without consuming the body locally.
4. UI Diagnostics and JNI Model Serialization (src/domain_fronter.rs, src/bin/ui.rs):
- Added atomic execution counters: `large_upload_full_route` and `large_upload_rejected_413`.
- Serialized these fields alphabetically in `StatsSnapshot::to_json` to guarantee compatibility with Android Kotlin JNI deserialization models.
- Extended the desktop user interface with a diagnostic dashboard card displaying upload policy information and live counters.
Verification:
- Added `test_large_upload_policy_no_unsafe_headers` in `src/domain_fronter.rs` for header safety and JSON serialization checks.
- Added `test_handle_mitm_request_rejects_large_mutating_requests` in `src/proxy_server.rs` employing a duplex stream to test local HTTP 413 rejection.
- Confirmed all existing and new unit/integration tests compile and run green.
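The pre-body size gate from item 3, as an added example rather than the project's own `do_plain_http`/`handle_mitm_request` code: it splits a buffered client read into the request head and the leftover body prefix (the bytes a prefix-spliced tunnel would forward unchanged), then applies the 5 MiB policy to mutating methods only. The `Mode` and `Route` enums and the `RESPONSE_413` bytes are assumptions made for this example.

```rust
/// Threshold named in the change (5 MiB).
pub const APPS_SCRIPT_UPLOAD_MAX_BYTES: u64 = 5 * 1024 * 1024;
/// Minimal local reply for the reject path (constructed for this example).
pub const RESPONSE_413: &[u8] =
    b"HTTP/1.1 413 Payload Too Large\r\nContent-Length: 0\r\nConnection: close\r\n\r\n";

#[derive(Debug, PartialEq)]
pub enum Mode { AppsScript, Full }

#[derive(Debug, PartialEq)]
pub enum Route { Proceed, Reject413, FullTunnel }

/// Split a buffered client read at the end of the request head. The second
/// slice is the body prefix that a tunnel path must hand over untouched.
pub fn split_head(buf: &[u8]) -> Option<(&[u8], &[u8])> {
    let end = buf.windows(4).position(|w| w == b"\r\n\r\n")?;
    Some((&buf[..end + 4], &buf[end + 4..]))
}

/// Case-insensitive header lookup over the head (request line skipped).
fn header_value<'a>(head: &'a str, name: &str) -> Option<&'a str> {
    head.lines().skip(1).find_map(|line| {
        let (k, v) = line.split_once(':')?;
        if k.trim().eq_ignore_ascii_case(name) { Some(v.trim()) } else { None }
    })
}

/// Decide what to do with a request before its body is consumed.
/// Only mutating methods are gated; a missing or unparsable Content-Length
/// is treated as 0 and passed through (a simplification of this example).
pub fn upload_route(head: &[u8], mode: Mode) -> Route {
    let head = match std::str::from_utf8(head) { Ok(h) => h, Err(_) => return Route::Proceed };
    let method = head.split_whitespace().next().unwrap_or("");
    if !matches!(method, "POST" | "PUT" | "PATCH") { return Route::Proceed; }
    let len: u64 = header_value(head, "content-length")
        .and_then(|v| v.parse().ok())
        .unwrap_or(0);
    if len <= APPS_SCRIPT_UPLOAD_MAX_BYTES { return Route::Proceed; }
    match mode {
        Mode::AppsScript => Route::Reject413, // answer locally, never relay
        Mode::Full => Route::FullTunnel,      // hand head + prefix to the tunnel
    }
}
```

A `Transfer-Encoding: chunked` body carries no Content-Length, so a gate like this only protects the quota fully when it is paired with a streaming byte counter on the relay path.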
…lidation guard
This change introduces local inbound authentication and security gating to protect proxy interfaces from unauthorized usage and resource exhaustion (quota theft) when exposed on local networks or the public internet.
1. Secure Configuration Defaults & Redaction (src/config.rs):
- Changed the default `listen_host` from `0.0.0.0` to `127.0.0.1` (loopback only) to ensure secure-by-default behavior upon initial deployment.
- Changed the default `block_stun` value to `true` to block WebRTC IP address discovery probes.
- Implemented a custom `std::fmt::Debug` implementation for the `Config` struct that automatically hides the `inbound_password` field with `"[REDACTED]"`.
- Exposed `Config::validate` as a public method so that UI saving operations can inspect config safety before serialization.
2. Non-Loopback Bind Validation Guard (src/config.rs):
- Extended `Config::validate` to inspect the listen address.
- If the address binds to any non-loopback interface (such as wildcards `0.0.0.0` and `::`, or external LAN/WAN interfaces) and `inbound_username` or `inbound_password` is empty, validation is rejected with a descriptive security error warning of quota theft and unauthorized usage risks.
3. SOCKS5 Inbound Authentication (src/proxy_server.rs):
- In SOCKS5 client negotiation, if inbound credentials are set, the proxy advertises Username/Password authentication (Method 0x02). If the client does not support it, it rejects the handshake with 0xFF.
- Implemented RFC 1929 authentication subnegotiation: parses sub-protocol version 1, reads the length-prefixed username and password, performs validation, and returns status 0x00 on success or 0x01 on failure (terminating the connection).
- If no inbound credentials are set, it defaults to the standard no-authentication (0x00) method.
4. HTTP Inbound Proxy Authentication (src/proxy_server.rs):
- In HTTP/HTTPS client handling, if inbound credentials are set, the proxy inspects the `Proxy-Authorization` header (checked case-insensitively).
- Parses the authentication token in `Basic <Base64>` format, decodes it using the STANDARD base64 engine, and verifies the credentials.
- If credentials are missing or incorrect, it returns a local `407 Proxy Authentication Required` status with `Proxy-Authenticate: Basic realm="mhrv-rs"` and terminates the socket connection.
5. UI Access Controls & Badge System (src/bin/ui.rs):
- Added an Obsidian-themed UI panel for "Inbound Access Control" containing username/password input fields, visibility toggles, and a secure random credentials generator.
- Rendered dynamic security status badges based on the bind configuration: a green "Local Only" badge when bound to loopback interfaces, and an orange/yellow "LAN Exposed" warning badge with security warning copy when bound to non-loopback interfaces.
- Plumbed `Config::validate` into UI save routines to present configuration safety warnings to the user via toast notifications.
Verification:
- Added `test_non_loopback_bind_requires_credentials` in `src/config.rs` to verify validation of local loopback hosts (IPv4, IPv6, bracketed IPv6) and wildcards.
- Added `test_handle_http_client_auth` in `src/proxy_server.rs` to verify local 407 response behavior and successful credentials passage.
- Added `test_handle_socks5_client_auth` in `src/proxy_server.rs` to verify SOCKS5 RFC 1929 method negotiation, subnegotiation failure, and subnegotiation success.
- Verified that all unit and integration tests compile and run green.
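The server side of the SOCKS5 method negotiation and RFC 1929 subnegotiation from item 3, as an added example that is not the project's `handle_socks5_client` code. It assumes credentials arrive as an `Option<(&[u8], &[u8])>` (None meaning no inbound credentials are configured), compares both fields in constant time before answering, and uses a constructed in-memory `FakeStream` in place of a socket so the exchange can be driven byte for byte.

```rust
use std::io::{self, Cursor, Read, Write};

pub const METHOD_NO_AUTH: u8 = 0x00;
pub const METHOD_USERPASS: u8 = 0x02;
pub const METHOD_UNACCEPTABLE: u8 = 0xFF;

/// Length check plus constant-time byte comparison of a submitted secret.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}
fn read_n<R: Read>(r: &mut R, n: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; n];
    r.read_exact(&mut buf)?;
    Ok(buf)
}

/// Server side of the SOCKS5 greeting and, when inbound credentials are
/// configured, the RFC 1929 username/password subnegotiation.
/// Returns Ok(true) when the client may continue to its CONNECT request.
pub fn socks5_authenticate<S: Read + Write>(
    s: &mut S,
    creds: Option<(&[u8], &[u8])>,
) -> io::Result<bool> {
    let hdr = read_n(s, 2)?; // VER, NMETHODS
    if hdr[0] != 0x05 { return Ok(false); }
    let methods = read_n(s, hdr[1] as usize)?;
    let (user, pass) = match creds {
        Some(c) => c,
        None => { s.write_all(&[0x05, METHOD_NO_AUTH])?; return Ok(true); } // open mode
    };
    if !methods.contains(&METHOD_USERPASS) {
        s.write_all(&[0x05, METHOD_UNACCEPTABLE])?; // client cannot authenticate: refuse
        return Ok(false);
    }
    s.write_all(&[0x05, METHOD_USERPASS])?;
    // RFC 1929 request: VER=0x01, ULEN, UNAME, PLEN, PASSWD
    if read_n(s, 1)?[0] != 0x01 { return Ok(false); }
    let ulen = read_n(s, 1)?[0] as usize;
    let uname = read_n(s, ulen)?;
    let plen = read_n(s, 1)?[0] as usize;
    let passwd = read_n(s, plen)?;
    let ok = ct_eq(&uname, user) & ct_eq(&passwd, pass); // `&` so both run
    s.write_all(&[0x01, if ok { 0x00 } else { 0x01 }])?; // 0x01: caller closes socket
    Ok(ok)
}

/// In-memory stand-in for a client socket (constructed for this example).
pub struct FakeStream { pub input: Cursor<Vec<u8>>, pub output: Vec<u8> }
impl Read for FakeStream {
    fn read(&mut self, b: &mut [u8]) -> io::Result<usize> { self.input.read(b) }
}
impl Write for FakeStream {
    fn write(&mut self, b: &[u8]) -> io::Result<usize> { self.output.extend_from_slice(b); Ok(b.len()) }
    fn flush(&mut self) -> io::Result<()> { Ok(()) }
}
```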
therealaleph left a comment
Thanks for putting this together, but I cannot accept this as one combined PR.
This bundles too many high-risk changes at once: quota accounting, transport security behavior, dynamic SNI selection, remote DNS/proxy behavior, Windows proxy integration, failure quarantine, block_hosts, UI redesign, dependency changes, and .gitattributes churn. Several of those are security- or transport-sensitive, and they need to be reviewed and tested independently.
Please split this into small PRs with one behavioral change each. A good first slice would be either quota accounting or one clearly bounded transport improvement, with focused tests and a short explanation of the failure mode it fixes. Also note that main is now on TOML config as of v1.9.34, so any config-facing change needs TOML examples and migration coverage.
Requesting changes for now so this does not accidentally move forward as an unreviewable bundle.
Answered via LLM, Supervised @therealaleph