Skip to content

feat: bundle NaïveProxy client (no external plugin required)#23

Merged
hawkff merged 1 commit into
mainfrom
feature/native-naive
Jun 17, 2026
Merged

feat: bundle NaïveProxy client (no external plugin required)#23
hawkff merged 1 commit into
mainfrom
feature/native-naive

Conversation

@hawkff

@hawkff hawkff commented Jun 17, 2026

Copy link
Copy Markdown
Owner

Summary

Bundle the official NaïveProxy client binary so NaïveProxy profiles work without
installing the separate external plugin (moe.matsuri.exe.naive) — the same
"native / bundled sidecar" approach already used for Mieru and Hysteria.

Why not a sing-box native outbound?

sing-box has no native NaïveProxy outbound — it only implements a Naïve
inbound (server). The real NaïveProxy client is Cronet (Chromium's C++ network
stack), so there is no pure-Go outbound to enable. Bundling the official client
binary is the correct "native, no separate plugin" path, consistent with the
other bundled sidecars.

Changes

  • buildScript/lib/naive.sh: download the klzgrad/naiveproxy plugin APKs
    (pinned v149.0.7827.114-1) and extract libnaive.so for all 4 ABIs
    (./run lib naive).
  • PluginManager.initNativeInternal: resolve naive-plugin → bundled
    libnaive.so from nativeLibraryDir, falling back to the external APK plugin
    when the bundled binary is absent.
  • CI (build/ci/preview/release): add NAIVE_VERSION, build + cache the naive
    binary, and verify libnaive.so across all 4 ABIs.
  • README: NaïveProxy is now bundled.

libnaive.so is already in Executable.EXECUTABLES, and BoxInstance already
launches naive-plugin as a sidecar, so no launch-path changes were needed.

Verification

  • ./run lib naive extracts libnaive.so for arm64-v8a / armeabi-v7a / x86 / x86_64.
  • Built and installed on a physical arm64 device: libnaive.so is bundled in the
    APK and runs (naive 149.0.7827.114).

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • NaïveProxy protocol support is now bundled with the application, removing the need for separate native plugin installation.
  • Documentation
    • Updated the “Supported Proxy Protocols” list and the “full proxy support” note to reflect NaïveProxy’s bundled behavior.
  • Chores
    • Enhanced release and CI pipelines to download, cache, and verify the NaïveProxy native library, ensuring it’s included consistently across build targets.

Walkthrough

NaïveProxy is converted from an external plugin to a bundled native library. A new build script downloads ABI-specific APKs from GitHub releases and extracts libnaive.so per architecture. All four CI/CD workflows add NAIVE_VERSION, update sidecar cache keys, add a "Naive Download" build step, and verify libnaive.so. PluginManager gains a "naive-plugin" case, and the README is updated accordingly.

Changes

NaïveProxy Native Bundling

Layer / File(s) Summary
Download script and runtime plugin registration
buildScript/lib/naive.sh, app/src/main/java/.../plugin/PluginManager.kt, README.md
buildScript/lib/naive.sh downloads ABI-specific APKs from GitHub releases, extracts libnaive.so into app/executableSo/<abi>/, validates it, and marks it executable. PluginManager.initNativeInternal adds "naive-plugin"libnaive.so resolution. README marks NaïveProxy as bundled and drops it from the external-plugin note.
CI/CD workflow versioning, caching, and verification
.github/workflows/build.yml, .github/workflows/ci.yml, .github/workflows/preview.yml, .github/workflows/release.yml
All four workflows add NAIVE_VERSION to env, extend sidecars cache keys to include NAIVE_VERSION (and buildScript/lib/naive.sh in status hashes), insert a conditional "Naive Download" step on cache miss, and add libnaive.so to the sidecar artifact verification loop.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • hawkff/NekoBoxForAndroid#12: Applies the structurally identical bundling pattern for mieru/libmieru.so — same PluginManager.initNativeInternal extension, same workflow cache/verify/download-step pattern, and a parallel buildScript/lib/ download script.
  • hawkff/NekoBoxForAndroid#20: Also updates the README's "Supported Proxy Protocols" section to reflect NaïveProxy's bundled vs. external-plugin status, directly overlapping with the documentation changes in this PR.

Poem

🐇 Hoppy news from the warren today,
No more plugin to fetch and install away!
libnaive.so is bundled right in,
Each ABI extracted — let the proxy begin!
One cache key rules them all, so neat,
NaïveProxy's now a built-in treat. 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: bundling NaïveProxy client so it no longer requires an external plugin, which is the core objective of this PR.
Description check ✅ Passed The description thoroughly explains the bundling of NaïveProxy client, the rationale for not using sing-box native implementation, and lists all relevant changes and verification steps.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Comment @coderabbitai help to get the list of available commands and usage tips.

@hawkff

hawkff commented Jun 17, 2026

Copy link
Copy Markdown
Owner Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Extract the official klzgrad/naiveproxy client binary from the upstream plugin
APKs and bundle it as app/executableSo/<abi>/libnaive.so for all 4 ABIs, so
NaïveProxy profiles work without installing the separate moe.matsuri.exe.naive
plugin.

- buildScript/lib/naive.sh: download the naiveproxy plugin APKs (v149.0.7827.114-1)
  and extract libnaive.so per ABI (./run lib naive).
- PluginManager.initNativeInternal: resolve naive-plugin -> libnaive.so from
  nativeLibraryDir, mirroring the bundled Mieru/Hysteria mechanism, falling back
  to the external APK plugin when the bundled binary is absent.
- CI: build + cache the naive binary and verify it across the 4 workflows.
- libnaive.so is already in Executable.EXECUTABLES, and BoxInstance already
  launches naive-plugin as a sidecar, so no launch changes are needed.

There is no native sing-box Naïve outbound (sing-box only implements a Naïve
inbound), and the real client is Cronet/C++; bundling the official binary is the
native-without-plugin path, consistent with the other bundled sidecars.
@hawkff hawkff force-pushed the feature/native-naive branch from 718c006 to aa56f53 Compare June 17, 2026 22:19

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Around line 49-55: Pin the actions/cache action to immutable commit SHAs
instead of mutable version tags across all five cache steps in the workflow (at
lines 28, 51, 84, 93, and 109). For each occurrence of uses: actions/cache@v5,
replace it with uses: actions/cache@<full-commit-sha>, optionally adding a
comment with the version tag (e.g., # v5) for maintainability. This applies to
all cache step instances including the Sidecars Cache step, to eliminate
supply-chain security vulnerabilities from mutable action references.

In @.github/workflows/ci.yml:
- Around line 54-60: The Sidecars Cache step and other cache steps in the
workflow are vulnerable to cache poisoning on pull_request events because they
use actions/cache in write-capable mode by default. Split the cache step into
two separate steps: use actions/cache/restore to read the cache (which should
run on all events), and use actions/cache/save to write the cache (which should
only run on push events by adding a conditional `if: github.event_name ==
'push'`). Additionally, pin both the restore and save actions to specific commit
SHAs instead of using the `@v5` version tag for supply chain security. Apply this
pattern to all four cache steps mentioned: LibCore Cache at 31-37, Sidecars
Cache at 54-60, LibCore Cache at 93-98, and the cache step at 101-107.

In @.github/workflows/release.yml:
- Around line 51-57: All instances of actions/cache in the release workflow are
using mutable version references (e.g., `@v5`) which violates security hardening
policies. Replace every occurrence of actions/cache@v5 with the full-length
commit SHA for that version, and include the version tag in a comment for
readability (format: actions/cache@<commit-sha> # v5). This needs to be done at
all five locations where actions/cache appears in the workflow file: the
instances at the Sidecars Cache step, and the other four locations mentioned in
the comment at lines 30, 86, 95, and 111.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f1a3ea73-eaf7-4c71-8ad8-871ca0db7a1b

📥 Commits

Reviewing files that changed from the base of the PR and between 718c006 and aa56f53.

📒 Files selected for processing (7)
  • .github/workflows/build.yml
  • .github/workflows/ci.yml
  • .github/workflows/preview.yml
  • .github/workflows/release.yml
  • README.md
  • app/src/main/java/io/nekohasekai/sagernet/plugin/PluginManager.kt
  • buildScript/lib/naive.sh
✅ Files skipped from review due to trivial changes (1)
  • README.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • app/src/main/java/io/nekohasekai/sagernet/plugin/PluginManager.kt
  • .github/workflows/preview.yml
  • buildScript/lib/naive.sh

Comment thread .github/workflows/build.yml
Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/release.yml
@hawkff

hawkff commented Jun 17, 2026

Copy link
Copy Markdown
Owner Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@hawkff hawkff merged commit 276d84b into main Jun 17, 2026
4 checks passed
@hawkff hawkff deleted the feature/native-naive branch June 17, 2026 22:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant