The first hop in each listener's chain is replaced at connection time
by round-robin selection from tor_nodes. Added comments in both the
example config and the server code to make this precedence explicit.
Accommodate HTTP CONNECT proxies through Tor (p99 latency >8s) and
reduce pool erosion when the upstream proxy count is low.
- test_timeout: 8 -> 12 (Tor + HTTP CONNECT overhead)
- max_fails: 3 -> 5 (10 min tolerance vs 6 min)
Building images inside an unprivileged container fails on remount.
Use podman --remote with the runner-mounted podman socket to
delegate builds to the host engine.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Runner ignores --privileged, so overlay mounts fail inside the
container. Switch to vfs storage driver via containers config.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All 11 findings are API endpoint URLs (http://api:8081/...) in
documentation and test files, not actual secrets.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Use container: directive per job instead of nested podman run.
Each job specifies its execution image directly:
- test: python:3.13-alpine
- secrets: ghcr.io/gitleaks/gitleaks:latest
- build: quay.io/podman/stable (--privileged for nested builds)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The linux runner has no Node.js, so actions/checkout@v4 fails.
Use manual git clone with token auth instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace ubuntu-latest runner with linux label and migrate all
container operations from docker to podman. Add requirements.txt
as single source of truth for runtime dependencies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Returns {count, sum, 0.5, 0.95, 0.99} in seconds for Prometheus
summary exposition. Companion to the existing stats() (milliseconds).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Per-listener `retries` overrides global default (0 = inherit)
- Pool-level `allowed_protos` filters proxies during merge
- Connection pooling documented in CHEATSHEET.md
- Both features exposed in /config and /status API responses
- 12 new tests (config parsing, API exposure, merge filtering)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Bump version 0.1.0 -> 0.3.0
- Add systemd service unit (config/s5p.service) and install-service
Makefile target
- Add CLI argument parsing tests (tests/test_cli.py, 27 tests)
- Expand protocol tests with SOCKS5/4/HTTP handshake, error, and auth
coverage (tests/test_proto.py, 30 tests)
- Add full API reference to docs/USAGE.md with response schemas for
all GET/POST endpoints
- Update INSTALL.md, CHEATSHEET.md with systemd section
- Update ROADMAP.md, TASKS.md for v0.3.0
Runner uses buildx with docker-container driver which doesn't
populate the local image store. --push builds and pushes directly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Docker credential helper on the runner may interfere with login.
Write base64 credentials to ~/.docker/config.json directly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Multiline shell continuation in YAML was causing literal \n in the
command. Single-line pipe also avoids the CLI password warning.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Runs gitleaks detect with full history before the build job.
Both test and secrets jobs must pass to gate image push.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
python:3.13-slim lacks node, which actions/checkout@v4 requires.
Run test job on bare runner with setup-python instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bake source into the image (COPY src/) so production containers
run without volume mounts. CI pipeline runs ruff + pytest then
builds and pushes harbor.mymx.me/s5p/s5p:latest on push to main.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Per-listener username/password auth via `auth:` config key. When set,
clients must negotiate method 0x02 and pass RFC 1929 subnegotiation;
no-auth (0x00) is rejected to prevent downgrade. Listeners without
`auth` keep current no-auth behavior.
Includes auth_failures metric, API integration (/status auth flag,
/config auth_users count without exposing passwords), config parsing
with YAML int coercion, integration tests (success, failure, method
rejection, no-auth unchanged), and documentation updates.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
srv.wait_closed() blocked indefinitely on active relay connections,
preventing serve() from returning and prof.dump_stats() from running.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Onion addresses require Tor to resolve, so pool proxies after Tor
would break connectivity. Detect .onion targets and use the static
chain only (Tor), skipping pool selection and retries.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Per-listener bypass rules skip the chain for local/private destinations
(CIDR, exact IP/hostname, domain suffix). Weighted multi-candidate pool
selection biases toward pools with more alive proxies. End-to-end
integration tests validate the full client->s5p->hop->target path using
mock SOCKS5 proxies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Allow listeners to mix named pools in a single chain using pool:name
syntax. Bare "pool" continues to use the listener's default pool.
Replaces pool_hops field with pool_seq list; pool_hops is now a
backward-compatible property. Each hop draws from its own pool and
failure reporting targets the correct source pool.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add proxy_pools: top-level config (dict of name -> pool config) so
listeners can draw from different proxy sources. Each pool has
independent sources, health testing, state persistence, and refresh
cycles.
- PoolSourceConfig gains mitm: bool|None for API ?mitm=0/1 filtering
- ListenerConfig gains pool_name for named pool assignment
- ProxyPool gains name param with prefixed log messages and
per-name state file derivation (pool-{name}.json)
- server.py replaces single proxy_pool with proxy_pools dict,
validates listener pool references at startup, per-listener closure
- API /pool merges all pools (with pool field on multi-pool entries),
/status and /config expose per-pool summaries
- Backward compat: singular proxy_pool: registers as "default"
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New top-level tor_nodes list distributes traffic across multiple Tor
SOCKS proxies. First hop is replaced at connection time by round-robin
selection; health tests also rotate across all nodes. FirstHopPools
are created for each node when pool_size > 0.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Auto-scale test concurrency to ~10% of proxy count, capped by
test_concurrency config ceiling (default raised from 5 to 25).
Prevents saturating upstream Tor when pool size varies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Each listener now tracks chain setup latency independently via a
dict[str, LatencyTracker] on Metrics. The global aggregate stays for
summary output. /status embeds per-listener latency on each listener
entry; /metrics includes a listener_latency map keyed by host:port.
Add RateTracker (rolling deque, events/sec) and LatencyTracker (circular
buffer, p50/p95/p99 in ms) to the Metrics class. Both are recorded in
_handle_client and exposed via summary(), to_dict(), /status, and /metrics.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Each listener binds to its own port with an independent chain.
The "pool" keyword in a chain appends a random alive proxy from
the shared pool; multiple pool entries = multiple hops.
:1080 -> Tor only (0 pool hops)
:1081 -> Tor + 1 pool proxy
:1082 -> Tor + 2 pool proxies
Shared resources (ProxyPool, Tor, metrics, semaphore, API) are
reused across listeners. FirstHopPool is shared per unique first
hop. Backward compatible: old listen/chain format still works.
Proxies that pass the TLS handshake are now immediately added to the
alive list instead of waiting for the entire batch to complete. On
cold start with large pools, this means proxies become available
within seconds rather than waiting 30+ minutes.
Cold start with large pools blocked the server for the entire test
duration. Now start() always defers health testing so the server
listens immediately. Proxies become available as tests complete.
Replace _http_check (HTTP GET to httpbin.org) with _tls_check that
performs a TLS handshake through the proxy chain. Multiple targets
(google, cloudflare, amazon) rotated round-robin eliminate the single
point of failure. Lighter, faster, harder to block than HTTP.
- Add test_targets config field (replaces test_url)
- Backward compat: legacy test_url extracts hostname automatically
- Add ssl.create_default_context() and round-robin index to ProxyPool
- Update docs (example.yaml, USAGE.md, CHEATSHEET.md)
TimeoutError.__str__() returns '' in Python, causing truncated log
lines like "source ... failed: ". Fall back to the class name.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
