fix: proxy direct APNs HTTP2 sessions (#74905)

Summary: - This PR routes direct APNs HTTP/2 sends through an APNs allowlisted managed-proxy CONNECT wrapper, adds APNs proxy validation/docs/guardrails, and expands regression and live-test coverage. - Reproducibility: yes. source-reproducible: current main `sendApnsRequest()` still uses raw `http2.connect(au ... nly covers HTTP/global-agent/Undici hooks. I did not run a live APNs reproduction in this read-only review. Automerge notes: - PR branch already contained follow-up commit before automerge: test: guard raw HTTP2 APNs connections - PR branch already contained follow-up commit before automerge: test: guard raw HTTP2 with OpenGrep - PR branch already contained follow-up commit before automerge: lint: ban raw HTTP2 imports - PR branch already contained follow-up commit before automerge: fix: use managed proxy state for APNs - PR branch already contained follow-up commit before automerge: test: exercise APNs active proxy state - PR branch already contained follow-up commit before automerge: fix: reject conflicting managed proxy activation Validation: - ClawSweeper review passed for head dab7c86a75. - Required merge gates passed before the squash merge. Prepared head SHA: dab7c86a75 Review: https://github.com/openclaw/openclaw/pull/74905#issuecomment-4350181159 Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
2026-05-06 17:50:45 +00:00 · 2026-05-04 21:04:17 +10:00
parent 5efbb3078a
commit d5b0083300
30 changed files with 2159 additions and 89 deletions
--- a/security/opengrep/precise.yml
+++ b/security/opengrep/precise.yml
@@ -3,9 +3,9 @@
 # Auto-generated by security/opengrep/compile-rules.mjs.
 # DO NOT EDIT BY HAND. Re-run the compile script after editing source rules.
 #
-# Source rules dir: <unknown>
-# Generated at  : 2026-04-29T07:10:35.427Z
-# Rule count    : 147
+# Source rules dir: security/opengrep/rules/openclaw-policy
+# Generated at    : 2026-04-30T09:09:41.198Z
+# Rule count      : 148
 rules:
  - id: ghsa-25gx-x37c-7pph.openclaw-novnc-x11vnc-missing-auth
    message: x11vnc starts without VNC authentication; avoid -nopw and require password auth when exposing noVNC observer access.
@@ -4976,3 +4976,37 @@ rules:
      - pattern-not-inside: |
          import { resolvePathWithinRoot, ... } from "$X";
          ...
+  - id: openclaw-policy-raw-http2-connect.no-raw-http2-connect
+    languages:
+      - typescript
+      - javascript
+    severity: ERROR
+    message: Use connectApnsHttp2Session() from src/infra/push-apns-http2.ts instead of raw http2.connect() so APNs HTTP/2 honors managed proxy policy.
+    metadata:
+      advisory-id: OPENCLAW-POLICY-RAW-HTTP2-CONNECT
+      advisory-url: https://github.com/openclaw/openclaw/pull/74905
+      cwe:
+        - CWE-441
+      category: security
+      confidence: HIGH
+      detector-bucket: precise
+      source-rule-id: no-raw-http2-connect
+      source-file: security/opengrep/rules/openclaw-policy/no-raw-http2-connect.yml
+    paths:
+      include:
+        - src/**/*.ts
+        - src/**/*.mts
+        - src/**/*.js
+        - src/**/*.mjs
+        - extensions/**/*.ts
+        - extensions/**/*.mts
+        - extensions/**/*.js
+        - extensions/**/*.mjs
+      exclude:
+        - src/infra/push-apns-http2.ts
+        - "**/*.test.ts"
+        - "**/*.test.mts"
+        - "**/*.test.js"
+        - "**/*.test.mjs"
+    patterns:
+      - pattern: http2.connect(...)
--- a/security/opengrep/rules/openclaw-policy/no-raw-http2-connect.yml
+++ b/security/opengrep/rules/openclaw-policy/no-raw-http2-connect.yml
@@ -0,0 +1,32 @@
+rules:
+  - id: no-raw-http2-connect
+    languages:
+      - typescript
+      - javascript
+    severity: ERROR
+    message: Use connectApnsHttp2Session() from src/infra/push-apns-http2.ts instead of raw http2.connect() so APNs HTTP/2 honors managed proxy policy.
+    metadata:
+      advisory-id: OPENCLAW-POLICY-RAW-HTTP2-CONNECT
+      advisory-url: https://github.com/openclaw/openclaw/pull/74905
+      cwe:
+        - "CWE-441"
+      category: security
+      confidence: HIGH
+    paths:
+      include:
+        - "src/**/*.ts"
+        - "src/**/*.mts"
+        - "src/**/*.js"
+        - "src/**/*.mjs"
+        - "extensions/**/*.ts"
+        - "extensions/**/*.mts"
+        - "extensions/**/*.js"
+        - "extensions/**/*.mjs"
+      exclude:
+        - "src/infra/push-apns-http2.ts"
+        - "**/*.test.ts"
+        - "**/*.test.mts"
+        - "**/*.test.js"
+        - "**/*.test.mjs"
+    patterns:
+      - pattern: http2.connect(...)