feat(stealth): adaptive runtime profile rotation + iOS release-grade lane (handoff wired) #22
Open
ichmagmaus111 wants to merge 2 commits into
…lane

Implements docs/Plans/ADAPTIVE_RUNTIME_PROFILE_ROTATION_PLAN_2026-06-12.md.

- Close the iOS/default release-grade gap: new verified browser-capture AppleIosTls lane (TlsOnly + release_gating + Verified), iOS-share weight carve so it has non-zero effective weight and IOS14 is no longer the only Unknown-confidence iOS lane; loader + validation updates.
- Bounded, failure-driven runtime profile rotation (in-memory, opt-in, default-off): RuntimeProfileRotationPolicy + strict `profile_rotation` loader schema; quarantine keyed by (normalized destination, BrowserProfile, hello_uses_ech); conservative typed failure attribution (only wire-shape rejections; never wrong-regime / response-hash-mismatch / pre-hello); fail-closed all-blocked path; counters.
- TlsInit wire-path single selection via pick_runtime_profile_adaptive (one snapshot, ECH computed once) with per-wire-variant failure/success accounting and operator-facing log fields; explicit-profile StealthConfig construction path.
- Compile-time alignment guard (static_assert) tying the BrowserProfile enum to the positional PROFILE_SPECS / PROFILE_FIXTURES / ALL_PROFILES arrays, plus a profile_index bounds check.
- Tests: new contract/positive/negative/edge/adversarial/stress/fuzz suites for rotation; updated existing iOS-Unknown tests for the new AppleIosTls lane.
- Audit findings doc (HIGH..LOW); M1 resolved, H1 deferred.

Known follow-up before enabling rotation in prod: the cross-actor single-selection handoff (ConnectionCreator -> create_transport) so the transport-shaping config and the emitted ClientHello share one profile.

Not built/run on this macOS host (pre-existing zlib / tl-parser / libc++ portability gaps unrelated to this change); verify on the Linux CI.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Closes the deferred audit findings so failure-driven profile rotation can be safely enabled. See docs/Plans/ADAPTIVE_RUNTIME_PROFILE_ROTATION_DEFERRED_FIXES_PLAN_2026-06-12.md.

H1 (split-profile wire incoherence) — single-selection cross-actor handoff:

- TransportType gains an optional `selected_profile`.
- ConnectionCreator computes one pick_runtime_profile_adaptive per emulate_tls attempt and stamps it onto the transport_type before the connection promise copies it, across all three connection paths (client, request-by-ip, ping).
- TlsInit accepts the pre-selected profile and uses it for the emitted ClientHello (still computing ECH and recording per-wire-variant accounting at send time) instead of running a second independent selection.
- create_transport uses the explicit-profile make_transport_stealth_config overload when the profile is set, so the transport-shaping config and the ClientHello carry one profile. No split profile state when rotation is enabled.

M2 (tiny ios14 policy zeros the verified iOS lanes) — validate_runtime_profile_selection_policy now requires policy.mobile.ios14 == 0 || >= 7, so the integer carve cannot truncate both verified iOS lanes to 0. Flat profile_weights configs are unaffected.

M3 / M4 — documented decisions (no code change): a prior-success gate for transport-reject quarantine would forbid rotating away from a fingerprint blocked from the first attempt (the common DPI case), so the existing fail-safe bound + failure_threshold knob is kept; the rotation order is kept deterministic for anti-churn and H1 coherence, with per-install salt as the population-level de-correlation.

Tests: test_runtime_profile_rotation_handoff.cpp pins the explicit-profile StealthConfig coherence and the M2 policy floor.

All touched sources verified via clang -fsyntax-only. The connection-path changes still need a Linux-CI integration run before profile_rotation.enabled is flipped on.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adaptive runtime profile rotation + iOS release-grade lane

Implements `docs/Plans/ADAPTIVE_RUNTIME_PROFILE_ROTATION_PLAN_2026-06-12.md` and closes the audit findings from `ADAPTIVE_RUNTIME_PROFILE_ROTATION_AUDIT_FINDINGS_2026-06-12.md` (plan: `..._DEFERRED_FIXES_PLAN_...`).

What's in here

1. Close the iOS/default release-grade gap

- `AppleIosTls` lane: `BrowserCapture` + `Verified` + `has_independent_network_provenance` + `release_gating=true` + `TlsOnly`. Wire image mirrors the reviewed iOS Apple TLS family; added last in the enum so `profile_index` positional arrays stay stable.
- `IOS14` is no longer the only `Unknown`-confidence iOS lane. iOS + `Unknown` + `release_mode_profile_gating` is now valid and resolves to `AppleIosTls`, never advisory `IOS14`.

2. Bounded, failure-driven runtime profile rotation (in-memory, opt-in, default-off)

- `RuntimeProfileRotationPolicy` + strict `profile_rotation` loader schema + `[2,8]` / `[30,3600]` validation.
- `(normalized destination, BrowserProfile, hello_uses_ech)`, dedicated mutex, TTL; `pick_runtime_profile_adaptive`, `note_runtime_profile_failure/success`, reset hooks, counters.
- `MalformedHelloResponse`, `TransportRejectionAfterHello`) quarantine; `WrongRegime` / `ResponseHashMismatch` / pre-hello / out-of-enum fail closed.
- `pick_runtime_profile` refactored into a thin wrapper over the shared `resolve_runtime_profile` core (no double-selection divergence).

3. Single-selection cross-actor handoff (audit H1 — wired)

- `TransportType` gains an optional `selected_profile`.
- `ConnectionCreator` computes one `pick_runtime_profile_adaptive` per `emulate_tls` attempt and stamps it onto `transport_type` before the connection promise copies it, across all three connection paths (client / request-by-ip / ping).
- `TlsInit` uses the pre-selected profile for the emitted ClientHello (still computing ECH + per-wire-variant accounting at send time); `create_transport` uses the explicit-profile `make_transport_stealth_config` overload. The transport-shaping config and the ClientHello now carry one profile — no split profile state when rotation is enabled.

4. Hardening (audit M1, M2)

- `static_assert` tying the `BrowserProfile` enum to the positional `PROFILE_SPECS` / `PROFILE_FIXTURES` / `ALL_PROFILES` arrays, plus a `profile_index` bounds check (M1).
- `validate_runtime_profile_selection_policy` requires `policy.mobile.ios14 == 0 || >= 7` so the integer carve cannot truncate both verified iOS lanes to 0 (M2).

5. Tests

- `test_runtime_profile_rotation_{contract,positive,negative,edge,adversarial,stress,fuzz,handoff}.cpp` + `RuntimeProfileRotationTestSupport.h`.
- `Unknown` tests for the new `AppleIosTls` lane (intended behaviour change).

6. Audit docs

- `..._AUDIT_FINDINGS_...` (HIGH..LOW) and `..._DEFERRED_FIXES_PLAN_...`. H1, M1, M2 resolved; M3, M4 are documented decisions (a prior-success gate would forbid rotating away from a fingerprint blocked on the first attempt — the common DPI case — so the fail-safe bound + `failure_threshold` knob is kept; the rotation order is kept deterministic for anti-churn + H1 coherence, with the per-install salt as population-level de-correlation).

Before enabling `profile_rotation.enabled=true`

The handoff (H1) is now wired and `clang -fsyntax-only`-clean, but the connection-path changes touch the core connection lifecycle and were not run on this dev host (see below). Run the full `ctest` plus a connection-path integration check (one attempt uses one profile in both the emitted hello and the shaping config) on the Linux CI before flipping the flag on. Rotation stays default-off in this PR.

Verification status

All modified sources and new tests are verified compiling via `clang -fsyntax-only` against the real include graph. The full build + `ctest` were not run — this dev host has three pre-existing macOS portability gaps unrelated to this change (`zlib>=1.3.2` gate, vendored `tl-parser.c` glibc `htole32/64`, `logging.cpp` `std::atomic<std::shared_ptr<>>`). Please run the full `ctest` on the Linux CI; a few additional cascade tests beyond the ones updated here may surface there.

🤖 Generated with Claude Code
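
The M1 hardening item above (an enum tied to positional arrays by `static_assert`, plus a bounds-checked `profile_index`) can be sketched as follows. This is an added example, not code from this PR or project: the `Chrome` and `Firefox` members, the `Count` sentinel, the `ProfileSpec` fields and the `find_spec` helper are assumptions made for illustration.

```cpp
#include <array>
#include <cstddef>

// Hypothetical subset: only IOS14 and AppleIosTls are named on the page.
// Count is an assumed sentinel; new lanes are appended just before it.
enum class BrowserProfile : std::size_t { Chrome, Firefox, IOS14, AppleIosTls, Count };
constexpr std::size_t PROFILE_COUNT = static_cast<std::size_t>(BrowserProfile::Count);

struct ProfileSpec {
  BrowserProfile id;
  const char *name;
  bool release_gating;
};

// Positional tables: slot i must describe the profile whose enum value is i.
constexpr std::array<ProfileSpec, 4> PROFILE_SPECS{{
    {BrowserProfile::Chrome, "chrome", true},
    {BrowserProfile::Firefox, "firefox", true},
    {BrowserProfile::IOS14, "ios14", false},
    {BrowserProfile::AppleIosTls, "apple_ios_tls", true},
}};
constexpr std::array<BrowserProfile, 4> ALL_PROFILES{{
    BrowserProfile::Chrome, BrowserProfile::Firefox,
    BrowserProfile::IOS14, BrowserProfile::AppleIosTls}};

// Guard 1: adding an enum value without extending a table stops the build.
static_assert(PROFILE_SPECS.size() == PROFILE_COUNT, "PROFILE_SPECS out of sync");
static_assert(ALL_PROFILES.size() == PROFILE_COUNT, "ALL_PROFILES out of sync");

// Guard 2: equal lengths are not enough; reordered rows are caught too.
constexpr bool positions_match() {
  for (std::size_t i = 0; i < PROFILE_COUNT; ++i) {
    if (static_cast<std::size_t>(PROFILE_SPECS[i].id) != i) return false;
    if (static_cast<std::size_t>(ALL_PROFILES[i]) != i) return false;
  }
  return true;
}
static_assert(positions_match(), "table row order differs from enum order");

// Runtime bounds check: an out-of-enum value yields -1 instead of indexing.
constexpr int profile_index(BrowserProfile p) {
  return static_cast<std::size_t>(p) < PROFILE_COUNT ? static_cast<int>(p) : -1;
}

// Fail closed: callers get nullptr, never a neighbouring table entry.
inline const ProfileSpec *find_spec(BrowserProfile p) {
  const int i = profile_index(p);
  return i < 0 ? nullptr : &PROFILE_SPECS[static_cast<std::size_t>(i)];
}
```

The length checks catch a forgotten table row, while the position check catches a row inserted in the wrong order, which a length comparison alone would pass.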