
[stealth 05/11] Add stealth direct-connection app exclusions #8783

Closed
reflog wants to merge 7 commits into main from stealth/8767-direct-app-denylist-clean

Conversation

reflog commented May 15, 2026

Summary

  • adds an opt-in STEALTH_DIRECT_CONNECTION_APPS build flag shared by Flutter and Android
  • ships RKS/Airtable-based Android package defaults and local editable storage for additions/removals
  • applies selected packages with VpnService.Builder.addDisallowedApplication on each tunnel start
  • reuses the app split-tunnel picker with neutral direct-connection wording in stealth builds

Closes getlantern/engineering#3568

Validation

  • dart format --set-exit-if-changed lib/core/common/app_build_info.dart lib/features/split_tunneling/apps_split_tunneling.dart lib/features/split_tunneling/split_tunneling.dart test/features/split_tunneling/default_exclusions_asset_test.dart
  • python3 JSON/schema validation for assets/stealth/default_exclusions.json
  • dart test test/features/split_tunneling/default_exclusions_asset_test.dart passed after allowing SDK cache writes; local resolver lockfile churn was reverted
  • git diff --cached --check

Not run

  • Android Gradle compile/unit tests: this checkout has no Gradle wrapper and no system gradle.
  • flutter test bundle path: local checkout has no app.env, so Flutter asset bundling fails before reaching this asset.

Copilot AI review requested due to automatic review settings May 15, 2026 14:14
reflog self-assigned this May 15, 2026

Copilot AI left a comment

Pull request overview

Adds an opt-in “stealth direct-connection apps” mode that reuses the existing split-tunneling UI to manage an Android-only, user-editable package denylist that is applied via VpnService.Builder.addDisallowedApplication, backed by shipped JSON defaults plus SharedPreferences edits.

Changes:

  • Introduces STEALTH_DIRECT_CONNECTION_APPS build flag in both Flutter (bool.fromEnvironment) and Android (BuildConfig field parsed from Flutter dart-defines / env / Gradle properties).
  • Adds default exclusions asset (assets/stealth/default_exclusions.json) and a Dart test to validate schema/package-name correctness.
  • Adds Android storage + builder-application logic, and routes split-tunnel method-channel operations to the new store when the flag is enabled (package-name filter type).

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| test/features/split_tunneling/default_exclusions_asset_test.dart | Validates the shipped stealth default exclusions JSON structure and package-name validity. |
| pubspec.yaml | Ensures stealth assets directory is bundled. |
| lib/features/split_tunneling/split_tunneling.dart | Adds stealth UI mode that rewords/hides split-tunnel elements (websites hidden, apps wording made neutral). |
| lib/features/split_tunneling/apps_split_tunneling.dart | Rewords titles/section label for stealth direct-connection mode. |
| lib/core/common/app_build_info.dart | Adds compile-time flag stealthDirectConnectionApps. |
| docs/stealth-direct-connection-apps.md | Documents behavior, build inputs, and default asset update workflow. |
| assets/stealth/default_exclusions.json | Ships the initial default disallowed package list with metadata. |
| assets/locales/en.po | Adds new English strings for stealth direct-connection wording. |
| android/app/src/main/kotlin/org/getlantern/lantern/stealth/DirectConnectionAppExclusionStore.kt | Implements defaults loading, user edits storage, and applying exclusions to VpnService.Builder. |
| android/app/src/main/kotlin/org/getlantern/lantern/stealth/DirectConnectionAppExclusions.kt | Parses defaults JSON and computes effective package sets with validation/normalization. |
| android/app/src/main/kotlin/org/getlantern/lantern/service/LanternVpnService.kt | Applies configured direct-connection exclusions during tunnel build. |
| android/app/src/main/kotlin/org/getlantern/lantern/handler/MethodHandler.kt | Routes split-tunnel add/remove/get calls to the new exclusion store in stealth mode. |
| android/app/build.gradle | Adds parsing for Flutter dart-defines and emits BuildConfig.STEALTH_DIRECT_CONNECTION_APPS. |

Comment thread assets/locales/en.po
Comment thread docs/stealth-direct-connection-apps.md Outdated
Comment thread assets/locales/en.po
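
The defaults-plus-user-edits computation described in the review overview above, as an added Python example (not the PR's Kotlin or Dart code). The JSON schema, field names and function names are assumptions, and the package names are constructed.

```python
import json
import re

# Android application id: two or more dot-separated segments, each starting
# with a letter and containing only letters, digits or underscores.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

# Constructed sample asset; the "packages"/"package" schema is an assumption.
SAMPLE_DEFAULTS = """
{"version": 1, "packages": [
  {"package": "com.example.bank"},
  {"package": " com.example.pay "},
  {"package": "com.example.bank"},
  {"package": "not a package"}
]}
"""


def normalize(name):
    """Trim whitespace; return the name if it is a valid package id, else None.
    Case is preserved because Android package names are case-sensitive."""
    if not isinstance(name, str):
        return None
    name = name.strip()
    return name if PACKAGE_RE.fullmatch(name) else None


def load_defaults(text):
    """Parse the defaults JSON into (valid package set, rejected raw entries)."""
    valid, rejected = set(), []
    for entry in json.loads(text).get("packages", []):
        raw = entry.get("package") if isinstance(entry, dict) else entry
        pkg = normalize(raw)
        if pkg is None:
            rejected.append(raw)
        else:
            valid.add(pkg)
    return valid, rejected


def effective_packages(defaults, user_added, user_removed):
    """(defaults + user additions) - user removals, all validated the same way."""
    added = {p for p in map(normalize, user_added) if p}
    removed = {p for p in map(normalize, user_removed) if p}
    return sorted((defaults | added) - removed)
```

A check on the shipped asset can treat a non-empty `rejected` list as a failure, while invalid stored edits are simply dropped in this example.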

Copilot AI left a comment

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 1 comment.

Comment thread test/features/split_tunneling/default_exclusions_asset_test.dart

Copilot AI left a comment

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 2 comments.

Comment thread lib/features/split_tunneling/split_tunneling.dart Outdated
Comment thread lib/features/split_tunneling/apps_split_tunneling.dart Outdated

Copilot AI left a comment

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 5 comments.

Copilot AI left a comment

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 5 comments.

Comment thread test/features/split_tunneling/default_exclusions_asset_test.dart Outdated
Comment thread lib/features/split_tunneling/split_tunneling.dart
Comment thread lib/features/split_tunneling/split_tunneling.dart

Copilot AI left a comment

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 1 comment.

Comment thread test/features/split_tunneling/default_exclusions_asset_test.dart Outdated

Copilot AI left a comment

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated no new comments.

reflog changed the title from "Add stealth direct-connection app exclusions" to "[stealth 05/11] Add stealth direct-connection app exclusions" May 16, 2026
reflog force-pushed the stealth/8767-direct-app-denylist-clean branch from ac556ce to cb01400 June 11, 2026 11:00

reflog commented Jun 11, 2026

Integration wiring note (for #8794 integrator + dev1/#8784)

STEALTH_DIRECT_CONNECTION_APPS is currently a standalone build flag (dart-defines → env → Gradle property). Two things need reconciling at integration time:

  1. Profile-driven activation: For stealth-vpn builds this flag should be true automatically, derived from the profile mode via #8784's loadStealthProfile(), so a stealth-vpn release can never accidentally ship with VPN-detection bypass disabled.

  2. Parser dedup: This PR's build.gradle contains its own dart-defines base64 decoder + buildConfigBoolean helper that parallel #8784's profile loading. At integration time these should be collapsed into the foundation's single config path.

Neither item blocks this PR (normal-build safe: applyToBuilder early-returns when !enabled(), defaults to false). Tracking per reviewer + team-lead.

reflog added a commit that referenced this pull request Jun 11, 2026
…-D JNI gate

- generate_profile.py: emit directConnectionAppsEnabled in profile JSON and
  dart-defines (STEALTH_DIRECT_CONNECTION_APPS=true by default for both stealth
  modes; false for normal). Addresses #3568 under-protection gap flagged in
  reviewer item #4.

- android/app/build.gradle: read STEALTH_DIRECT_CONNECTION_APPS from
  stealthProfile.directConnectionAppsEnabled (loaded via loadStealthProfile())
  instead of the standalone buildConfigBoolean() dart-defines fallback. Remove
  the now-redundant dart-defines parser block and buildConfigBoolean closure
  added by #8783. A stealth-vpn build can no longer ship without the RKS
  denylist unless the profile explicitly sets directConnectionAppsEnabled=false.

- Makefile: add verify-stealth-jni target that extracts arm64-v8a/libgojni.so
  from the built AAR and hard-fails if Java_lantern_io_* is present or
  Java_foundation_engine_* is absent. Called automatically from
  build-android-obfuscated when STEALTH_ENABLED is set. Also add
  STEALTH_VPN_BUILD_VARS and android-stealth-vpn-{apk,aab,release} targets
  parallel to the existing novpn variants.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

reflog commented Jun 15, 2026

Superseded — the 11 per-issue stealth PRs were consolidated into a 6-PR stack for epic getlantern/engineering#3569. This work now lives in #8863.

reflog closed this Jun 15, 2026