feat(#274): standing no-clearnet-leak egress gate in the harness#288
Merged
Conversation
Promote the #256 egress verifier into the live harness as a standing privacy assertion (the runtime proof of #270): the --check phase now FAILs if any app container holds a persistent direct public connection — what config-level checks miss (it caught the #165 stale-image p2pool leak and the #271 Tari direct-dial). Refine bench-verify-egress.sh: poll N times (default 4×10s) and flag only IPs seen in >= --min-hits polls, so post-restart startup transients (a brief direct dial before Tor circuits build) don't false-positive — only sustained leaks fail. Validated on gouda: caught a grandfathered Tari leak (2 persistent IPs → FAIL), then a clean PASS (all 4 apps via Tor) after a restart cleared it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
30 tasks
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #274. The permanent proof of #270 — turns "we verified all-Tor once" into "every harness run gates on it."
What
bench-verify-egress.sh(the Benchmark Tor vs clearnet while mining (p2pool / monerod / Tari) — does steady-state mining lose yield over Tor? #256 verifier) into the harness:tests/integration/run.sh's--checkphase now runsassert_egress_posture, which FAILs if any app container holds a persistent direct public connection (i.e. isn't dialing via the Tor SOCKS). Skipped when a clearnet initial sync is active (Feature: optional clearnet initial sync (Monero + Tari) then switch to Tor — default off, privacy-first #183). This catches what config checks miss — the p2pool: route outbound sidechain P2P through Tor by default (--socks5), documented clearnet opt-out #165 stale-image p2pool leak and the Tari (minotari) dials some peers over clearnet despite transport type = "tor" #271 Tari direct-dial both slipped past config-level assertions.--pollstimes (default 4 ×--interval10s) and flag only foreign IPs seen in--min-hits(default 2) polls, so startup transients (a brief direct dial before Tor circuits build / before p2pool's--socks5connects) clear within a poll and don't false-positive — only sustained leaks fail.Validation (gouda, live)
tari: 2 PERSISTENT PUBLIC connection(s)(78.80.36.112, 94.130.70.185, 3/3 polls) →[verify-egress] FAIL.proxy_bypass=false), all four apps clean →[verify-egress] OK. Confirms Tari (minotari) dials some peers over clearnet despite transport type = "tor" #271 holds.Note: the verifier stays at
tests/integration/benchmarks/bench-verify-egress.sh(shared with the #256 benchmark gate, PR #268 — which will rebase onto this refined copy).🤖 Generated with Claude Code