fix: proxy direct APNs HTTP2 sessions (#74905)

Summary: - This PR routes direct APNs HTTP/2 sends through an APNs allowlisted managed-proxy CONNECT wrapper, adds APNs proxy validation/docs/guardrails, and expands regression and live-test coverage. - Reproducibility: yes. source-reproducible: current main `sendApnsRequest()` still uses raw `http2.connect(au ... nly covers HTTP/global-agent/Undici hooks. I did not run a live APNs reproduction in this read-only review. Automerge notes: - PR branch already contained follow-up commit before automerge: test: guard raw HTTP2 APNs connections - PR branch already contained follow-up commit before automerge: test: guard raw HTTP2 with OpenGrep - PR branch already contained follow-up commit before automerge: lint: ban raw HTTP2 imports - PR branch already contained follow-up commit before automerge: fix: use managed proxy state for APNs - PR branch already contained follow-up commit before automerge: test: exercise APNs active proxy state - PR branch already contained follow-up commit before automerge: fix: reject conflicting managed proxy activation Validation: - ClawSweeper review passed for head dab7c86a75. - Required merge gates passed before the squash merge. Prepared head SHA: dab7c86a75 Review: https://github.com/openclaw/openclaw/pull/74905#issuecomment-4350181159 Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
2026-05-06 06:30:42 +00:00 · 2026-05-04 21:04:17 +10:00
parent 5efbb3078a
commit d5b0083300
30 changed files with 2159 additions and 89 deletions
--- a/scripts/check-no-raw-http2-imports.mjs
+++ b/scripts/check-no-raw-http2-imports.mjs
@@ -0,0 +1,120 @@
+import fs from "node:fs";
+import path from "node:path";
+const SOURCE_ROOTS = ["src", "extensions"];
+const DEFAULT_SKIPPED_DIR_NAMES = new Set(["node_modules", "dist", "coverage", ".generated"]);
+
+function isCodeFile(filePath) {
+  if (filePath.endsWith(".d.ts")) {
+    return false;
+  }
+  return /\.(?:[cm]?ts|[cm]?js|tsx|jsx)$/u.test(filePath);
+}
+
+function collectFilesSync(rootDir, options) {
+  const skipDirNames = options.skipDirNames ?? DEFAULT_SKIPPED_DIR_NAMES;
+  const files = [];
+  const stack = [rootDir];
+
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (!current) {
+      continue;
+    }
+    let entries = [];
+    try {
+      entries = fs.readdirSync(current, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const fullPath = path.join(current, entry.name);
+      if (entry.isDirectory()) {
+        if (!skipDirNames.has(entry.name)) {
+          stack.push(fullPath);
+        }
+        continue;
+      }
+      if (entry.isFile() && options.includeFile(fullPath)) {
+        files.push(fullPath);
+      }
+    }
+  }
+
+  return files;
+}
+
+function toPosixPath(filePath) {
+  return filePath.replaceAll("\\", "/");
+}
+
+const FORBIDDEN_HTTP2_MODULES = new Set(["node:http2", "http2"]);
+const ALLOWED_PRODUCTION_FILES = new Set(["src/infra/push-apns-http2.ts"]);
+
+function isTestFile(relativePath) {
+  return (
+    /(?:^|\/)(?:test|test-fixtures)\//u.test(relativePath) ||
+    /\.test\.[cm]?[jt]sx?$/u.test(relativePath)
+  );
+}
+
+function lineNumberForOffset(content, offset) {
+  return content.slice(0, offset).split(/\r?\n/u).length;
+}
+
+function collectHttp2ImportOffenders(filePath) {
+  const relativePath = toPosixPath(path.relative(process.cwd(), filePath));
+  if (ALLOWED_PRODUCTION_FILES.has(relativePath) || isTestFile(relativePath)) {
+    return [];
+  }
+
+  const content = fs.readFileSync(filePath, "utf8");
+  const offenders = [];
+  const patterns = [
+    /\bimport\s+(?:type\s+)?[\s\S]*?\bfrom\s*["']([^"']+)["']/gu,
+    /\bexport\s+(?:type\s+)?[\s\S]*?\bfrom\s*["']([^"']+)["']/gu,
+    /\bimport\s*\(\s*["']([^"']+)["']\s*\)/gu,
+    /\brequire\s*\(\s*["']([^"']+)["']\s*\)/gu,
+  ];
+
+  for (const pattern of patterns) {
+    for (const match of content.matchAll(pattern)) {
+      const specifier = match[1];
+      if (specifier && FORBIDDEN_HTTP2_MODULES.has(specifier)) {
+        offenders.push({
+          file: relativePath,
+          line: lineNumberForOffset(content, match.index ?? 0),
+          specifier,
+        });
+      }
+    }
+  }
+
+  return offenders;
+}
+
+function collectSourceFiles() {
+  return SOURCE_ROOTS.flatMap((root) =>
+    collectFilesSync(path.join(process.cwd(), root), {
+      includeFile: isCodeFile,
+    }),
+  );
+}
+
+function main() {
+  const offenders = collectSourceFiles().flatMap(collectHttp2ImportOffenders);
+  if (offenders.length === 0) {
+    console.log("OK: raw node:http2 imports stay behind the APNs proxy wrapper.");
+    return;
+  }
+
+  console.error("Raw node:http2 imports are only allowed in src/infra/push-apns-http2.ts.");
+  for (const offender of offenders.toSorted(
+    (a, b) => a.file.localeCompare(b.file) || a.line - b.line,
+  )) {
+    console.error(`- ${offender.file}:${offender.line} imports ${offender.specifier}`);
+  }
+  console.error("Use connectApnsHttp2Session() so APNs HTTP/2 honors managed proxy policy.");
+  process.exit(1);
+}
+
+main();
--- a/scripts/run-additional-boundary-checks.mjs
+++ b/scripts/run-additional-boundary-checks.mjs
@@ -9,6 +9,7 @@ export const BOUNDARY_CHECKS = [
  ["lint:tmp:channel-agnostic-boundaries", "pnpm", ["run", "lint:tmp:channel-agnostic-boundaries"]],
  ["lint:tmp:tsgo-core-boundary", "pnpm", ["run", "lint:tmp:tsgo-core-boundary"]],
  ["lint:tmp:no-raw-channel-fetch", "pnpm", ["run", "lint:tmp:no-raw-channel-fetch"]],
+  ["lint:tmp:no-raw-http2-imports", "pnpm", ["run", "lint:tmp:no-raw-http2-imports"]],
  ["lint:agent:ingress-owner", "pnpm", ["run", "lint:agent:ingress-owner"]],
  [
    "lint:plugins:no-register-http-handler",
--- a/scripts/test-live-shard.mjs
+++ b/scripts/test-live-shard.mjs
@@ -11,6 +11,7 @@ export const RELEASE_LIVE_TEST_SHARDS = Object.freeze([
  "native-live-src-gateway-core",
  "native-live-src-gateway-profiles",
  "native-live-src-gateway-backends",
+  "native-live-src-infra",
  "native-live-test",
  "native-live-extensions-a-k",
  "native-live-extensions-l-n",
@@ -154,6 +155,8 @@ export function selectLiveShardFiles(shard, files = collectAllLiveTestFiles()) {
      return files.filter(isGatewayProfilesLiveTest);
    case "native-live-src-gateway-backends":
      return files.filter(isGatewayBackendLiveTest);
+    case "native-live-src-infra":
+      return files.filter((file) => file.startsWith("src/infra/"));
    case "native-live-test":
      return files.filter((file) => file.startsWith("test/"));
    case "native-live-extensions-a-k":