Replace python:3.12-slim (Debian) with python:3.12-alpine to reduce
image size and eliminate 68 Debian-inherited CVEs. Upgrade pip to
resolve CVE-2025-8869. Build deps installed temporarily for native
extensions (cryptography) and removed after pip install.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Install deps from requirements.txt for better layer caching and COPY
src/ into the image so pushed artifacts are self-contained. Remove
VOLUME /app/src -- runtime config mount (/data) is sufficient.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Docker buildx with docker-container driver doesn't load images
into the local daemon. Use --push to push directly during build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Resolve gitleaks version dynamically via GitHub redirect.
Add .gitleaks.toml to allowlist dummy hCaptcha sitekeys in
test_captcha.py (false positives on test UUIDs).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The /releases/latest/download/ URL doesn't expand version in
the filename. Query the redirect to resolve actual version first.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The linux runner has no git/node on host and rootless podman
lacks namespace privileges. Use container: directive for every
job: alpine for secrets (gitleaks binary), docker:latest for
build (docker socket mounted by runner).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The linux runner has podman but no git. Clone repos via
alpine/git container for secrets and build host jobs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The linux runner (anvil) has no Node.js, so actions/checkout@v4
fails on every job. Use manual git clone consistently across
all jobs — container and host alike.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The gitleaks image lacks a shell compatible with the runner's
script injection. Use podman run with volume mount on the host
instead, matching the proven s5p pattern.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Multiline run with backslash continuation gets corrupted inside
the gitleaks container. Collapse to single line.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The alpine and gitleaks container images lack Node.js, which
actions/checkout@v4 requires. Use manual git clone instead.
Build job stays on host where actions/checkout works natively.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace manual podman run invocations with the runner's container:
directive for lint, test, and secrets jobs. Cleaner step definitions,
no volume mounts needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Lint, test, secrets scan, and Harbor build/push jobs running
on linux runner using ephemeral podman containers. Adds
requirements.txt for container-based pip installs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Exponential backoff up to 300s made no sense with rotating Tor exits
where each reconnect gets a fresh IP. Single 1s delay is sufficient.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Block all non-ACTION CTCP/DCC from client-to-server (outbound) and add
security logging when inbound CTCP/DCC is stripped. Hard boundary with
no config toggle -- DCC exposes the client's real IP which defeats the
stealth proxy architecture.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hardened unit with ProtectSystem/ProtectHome, auto-restart on failure,
and ExecReload for SIGHUP hot config reload. Docs updated with setup,
management, and enable-linger instructions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix E501 line-too-long in backlog.py, network.py, test_network.py.
Fix F541 f-string-without-placeholders in network.py.
Fix I001 unsorted imports in network.py.
Remove unused datetime import in test_cert.py (F401).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add signal handler that calls rehash() on SIGHUP, logging results
instead of sending to a client. Useful for systemd and container
environments where no IRC client is attached. Update docs with
channel key config, hot reload section, and roadmap checkoffs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add channel_keys dict to NetworkConfig for storing per-channel keys.
Keys are used in KICK rejoin, passed via AUTOJOIN +#channel key syntax,
supported in ADDNETWORK channel_keys= parameter, and propagated through
REHASH. Extract rehash() as reusable async function for SIGHUP reuse.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Accept TLS-encrypted connections from IRC clients. Auto-generates a
self-signed EC P-256 listener certificate (bouncer.pem) when no custom
cert is provided. Remove CTCP response items from roadmap (stealth by
design -- router already suppresses all CTCP except ACTION).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
_on_verify_success() was missing _nickserv_complete() call, causing
_go_ready() to hang at _nickserv_done.wait() when registration
completed immediately (no email verification needed).
get_pending_registration() was not returning verify_url from the DB,
so _resume_pending_verification() never restored self._verify_url --
breaking cross-session captcha resume for OFTC-style networks.
Four regression tests added.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
PING watchdog sends PING after configurable silence interval and
disconnects on timeout, detecting stale connections that TCP alone
misses. IRCv3 server-time capability is requested on every connection;
timestamps are injected on dispatch and backlog replay for clients
that support message tags. Push notifications via ntfy or generic
webhook fire on highlights and PMs when no clients are attached,
with configurable cooldown and optional SOCKS5 routing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cover state machine, markov nick generation, SASL negotiation,
NickServ/Q-bot auth flows, probation timer, reconnection backoff,
read loop buffering, and IRC message handling.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Writes cProfile stats to a file on shutdown for performance analysis.
Enable in compose.yaml for container profiling.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace hardcoded values across network, captcha, email, and cert
modules with BouncerConfig fields. All values have safe defaults
and are overridable in the [bouncer] section of the config file.
Configurable: probation_seconds, backoff_steps, nick_timeout,
rejoin_delay, http_timeout, captcha_poll_interval/timeout,
email_poll_interval/max_polls/request_timeout, cert_validity_days.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Detect /verify/ URLs in NickServ notices and attempt automated
verification via SOCKS proxy (POST with token). If the page requires
a captcha, save creds as pending and log the URL for manual visit.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add auth_service config field ("nickserv", "qbot", "none") to support
networks with non-standard auth systems. QuakeNet uses Q bot AUTH
instead of NickServ. Also bumps NickServ timeout from 15s to 30s.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
config: add optional proxy_host/proxy_port to NetworkConfig
router: resolve per-network proxy via _proxy_for() helper
commands: trigger REHASH reconnect on proxy config changes
network: send CERT ADD before CAP END to beat K-line race
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
proxy.py:
- Refactor connection logic into _connect_once() helper
- Fall back to remote DNS via SOCKS5 when local resolution fails
(enables .onion and proxy-only hostnames)
- Skip TLS hostname verification for .onion addresses (Tor routing
provides authentication)
network.py:
- Fall back from SASL EXTERNAL to PLAIN on 904 (same connection)
- Auto-register cert fingerprint with NickServ CERT ADD immediately
after SASL PLAIN success (903) and after RPL_WELCOME (001)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All three registration commands are now explicitly intercepted after
the client has authenticated. NICK gets a notice pointing to the
bouncer command; PASS and USER are silently dropped.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Clients sending /nick are intercepted with a NOTICE pointing them
to /msg *bouncer NICK <network> <nick> instead. Prevents unmanaged
nick changes that bypass the bouncer's identity tracking.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Users can now inspect bouncer state and manage it from their IRC client
by sending PRIVMSG to *bouncer (or bouncer). Supported commands:
HELP, STATUS, INFO, UPTIME, NETWORKS, CREDS. Responses arrive as
NOTICE messages. All commands are case-insensitive.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reconnect backoff sleeps (up to 300s) were not cancellable, causing
SIGKILL on container stop. Now _schedule_reconnect spawns a tracked
task that stop() cancels, enabling graceful shutdown within the
podman timeout.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Filter out messages that are useless to bouncer clients:
- Server notices (prefix without !, NOTICE to */AUTH)
- MOTD numerics (375, 372, 376, 422)
- Welcome/stats numerics (001-005, 042, 250-255, 265-266)
- User mode changes (MODE to non-channel targets)
- CTCP queries and DCC requests (PRIVMSG with \x01, except ACTION)
- CTCP replies in NOTICE
Filter applies to both live dispatch and backlog replay. Purged
existing noise from the backlog database.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
irssi (and other IRC clients) only open a channel window when they see
a JOIN from their own nick. The synthetic JOINs were using the network
nick (e.g. pagumowa) but the client registered as tester -- mismatch.
Three changes:
- Synthetic JOIN prefix is now client_nick!user@bouncer
- 001 welcome uses the client's registered nick
- encode_nick/encode_message accept client_nick param to rewrite own
nicks from any network to the client's nick, so irssi recognizes
all self-actions consistently
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Multiplex all networks onto a single client connection using /network
suffixes on channels and nicks. PASS is now just the password (no
network prefix). Channels appear as #channel/network, foreign nicks as
nick/network, own nicks stay bare.
New namespace.py module with pure encode/decode functions. Router
tracks clients globally (not per-network), namespaces messages before
delivery. Client attaches to all networks on connect, sends synthetic
JOIN/TOPIC/NAMES for every channel across all networks.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Send NICK and wait for server confirmation (up to 10s) before
issuing JOIN commands, ensuring channels are joined under the
correct identity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Nick is now deterministically generated from the exit endpoint
hostname via seeded markov chain. Same exit IP always produces the
same nick. Config nick field is optional fallback only.
Registration uses generic ident (user/ident) and realname
(realname/unknown) instead of random markov words.
Also fixes compose env vars and build target to use podman-compose.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Preserve original server bytes in IRCMessage.raw and forward those
to clients, avoiding parse/format round-trip that altered messages.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New docs/DEPLOY.md covering container image, compose config, volume
mounts, host networking, operations, and troubleshooting. Updated
README, INSTALL, CHEATSHEET, and DEBUG to reference it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Containerfile now only installs dependencies; source code and config
are mounted at runtime via compose volumes. Adds k8s-file log driver
and PYTHONUNBUFFERED for reliable container logging.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Host network mode for direct access to SOCKS5 proxy on localhost.
Config volume mounted from ./config. Makefile targets: build, up,
down, logs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update README, PROJECT, ROADMAP, TASKS, TODO, USAGE, CHEATSHEET,
INSTALL, and DEBUG to reflect stealth connect, probation window,
markov nick generation, local DNS resolution, and multi-IP failover.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace uniform random chars with English bigram frequency table.
Enforces max 2 consecutive consonants for pronounceability. Nicks,
idents, and realnames now look like plausible human-chosen words.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Register with a fully random nick, user, and realname (no fixed
pattern) to avoid fingerprinting. Enter a 15s probation period
after registration -- if the server k-lines, reconnect with a
fresh identity. Only after surviving probation: switch to the
configured nick and join channels.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Many SOCKS5 proxies cannot resolve hostnames reliably. Resolve
locally and iterate through all returned addresses until one
succeeds. Also exclude personal config from git.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Async Python IRC bouncer with SOCKS5 proxy support, multi-network
connections, password auth, and persistent SQLite backlog with replay.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
