feat(proxy,telegram): SNI policy evaluation, approval UX improvements, Docker API negotiation

- Add SNI-based policy evaluation as happy path for IP-only SOCKS5
  CONNECT requests on TLS ports. Peeks TLS ClientHello after CONNECT
  success to recover hostname, re-evaluates policy with it, and
  populates DNS reverse cache for future connections. Falls back to
  DNS reverse cache for non-TLS or missing SNI.

- Fix timeout message format: CancelApproval now preserves the
  original approval message text and appends the reason instead of
  replacing the entire message. Timed-out requests now show what
  destination was being requested.

- Add "Always Deny" button to Telegram approval prompts. Saves a
  persistent deny rule to the store, same as "Always Allow" does
  for allow rules.

- Reorganize approval buttons into two rows to prevent truncation
  on narrow screens: [Allow | Deny] / [Always Allow | Always Deny].

- Add /start command handler and register bot commands via
  setMyCommands API so they appear in Telegram's command menu.

- Replace hardcoded Docker API v1.25 with version negotiation.
  Queries /version on the daemon at startup and uses the reported
  API version.

- Document DNS approval flow design in CLAUDE.md: DNS intentionally
  only blocks denied domains so ask destinations can reach SOCKS5
  approval.

Author: nnemirovsky

CLAUDE.md

@@ -142,7 +142,7 @@ Extends phantom swap to handle OAuth credentials bidirectionally. Static credent
 | WebSocket | Handshake headers + text frame phantom swap | Text frame deny + redact rules |
 | SSH | Jump host, key from vault | N/A |
 | IMAP/SMTP | AUTH command proxy, phantom password swap | N/A |
-| DNS | N/A | Domain-level policy (NXDOMAIN for denied) |
+| DNS | N/A | Deny-only (NXDOMAIN). See DNS design note below. |
 | QUIC/HTTP3 | HTTP/3 MITM via quic-go | Full HTTP/3 request/response |
 | APNS | Connection-level allow/deny (port 5223) | N/A |
 
@@ -162,6 +162,8 @@ Two-phase detection: port-based guess first, then byte-level for non-standard po
 
 `CouldBeAllowed(dest, includeAsk)`: when broker configured, Ask-matching destinations resolve via DNS for approval flow. When no broker, Ask treated as Deny at DNS stage to prevent leaking queries.
 
+**DNS approval design**: The DNS interceptor intentionally only blocks explicitly denied domains (returns NXDOMAIN). All other queries (allow, ask, default) are forwarded to the upstream resolver. This is by design. Policy enforcement for "ask" destinations happens at the SOCKS5 CONNECT layer, not at DNS. Blocking DNS for "ask" destinations would prevent the TCP connection from ever reaching the SOCKS5 handler where the approval flow triggers. The DNS layer populates the reverse DNS cache (IP -> hostname) so the SOCKS5 handler can recover hostnames from IP-only CONNECT requests.
+
 ### Audit logger
 
 Optional. JSON lines with blake3 hash chain (`prev_hash` field). Genesis hash: blake3(""). Recovers chain across restarts by reading last line. `sluice audit verify` walks log and reports broken links.

internal/channel/channel.go

@@ -40,6 +40,8 @@ const (
 	ResponseAlwaysAllow
 	// ResponseDeny rejects the connection request.
 	ResponseDeny
+	// ResponseAlwaysDeny rejects the connection and adds a persistent deny rule.
+	ResponseAlwaysDeny
 )
 
 func (r Response) String() string {
@@ -50,6 +52,8 @@ func (r Response) String() string {
 		return "always_allow"
 	case ResponseDeny:
 		return "deny"
+	case ResponseAlwaysDeny:
+		return "always_deny"
 	default:
 		return "unknown"
 	}

internal/container/docker_socket.go

@@ -11,23 +11,25 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
+	"time"
 )
 
-// dockerAPIVersion is the minimum Docker Engine API version required.
-// v1.25 (Docker 1.13+) supports all operations used here.
-const dockerAPIVersion = "v1.25"
+// defaultAPIVersion is used when version negotiation fails.
+const defaultAPIVersion = "v1.47"
 
 // SocketClient implements ContainerClient using the Docker Engine API
 // over a Unix socket. It uses only stdlib net/http with no Docker SDK
 // dependency.
 type SocketClient struct {
-	client *http.Client
+	client     *http.Client
+	apiVersion string
 }
 
 // NewSocketClient creates a ContainerClient that communicates with Docker
 // over the given Unix socket path (typically /var/run/docker.sock).
+// It negotiates the API version with the daemon on creation.
 func NewSocketClient(socketPath string) *SocketClient {
-	return &SocketClient{
+	c := &SocketClient{
 		client: &http.Client{
 			Transport: &http.Transport{
 				DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
@@ -36,11 +38,44 @@ func NewSocketClient(socketPath string) *SocketClient {
 				},
 			},
 		},
+		apiVersion: defaultAPIVersion,
 	}
+	c.negotiateVersion()
+	return c
+}
+
+// negotiateVersion queries the Docker daemon for its API version and uses
+// the lesser of the daemon's version and our default version.
+func (c *SocketClient) negotiateVersion() {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	// /version works without a version prefix.
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://localhost/version", nil)
+	if err != nil {
+		return
+	}
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		return
+	}
+
+	var ver struct {
+		APIVersion string `json:"ApiVersion"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&ver); err != nil || ver.APIVersion == "" {
+		return
+	}
+	c.apiVersion = "v" + ver.APIVersion
 }
 
 func (c *SocketClient) apiURL(path string) string {
-	return "http://localhost/" + dockerAPIVersion + path
+	return "http://localhost/" + c.apiVersion + path
 }
 
 // InspectContainer returns the state of a container by name.

internal/container/docker_socket_test.go

@@ -24,6 +24,11 @@ func newTestServer(t *testing.T) (*SocketClient, *http.ServeMux, func()) {
 	sock := filepath.Join(dir, "d.sock")
 
 	mux := http.NewServeMux()
+	// Serve /version so the client can negotiate the API version.
+	mux.HandleFunc("/version", func(w http.ResponseWriter, _ *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]string{"ApiVersion": "1.25"}) //nolint:errcheck
+	})
 	listener, err := net.Listen("unix", sock)
 	if err != nil {
 		t.Fatalf("listen unix: %v", err)

internal/proxy/dns.go

@@ -48,6 +48,12 @@ func (d *DNSInterceptor) ReverseLookup(ip string) string {
 	return d.reverse.Lookup(ip)
 }
 
+// StoreReverse manually adds an IP -> hostname mapping to the reverse cache.
+// Used by the SNI recovery path to populate the cache for future connections.
+func (d *DNSInterceptor) StoreReverse(ip, hostname string) {
+	d.reverse.Store(ip, hostname)
+}
+
 // dnsTimeout bounds how long a single upstream DNS query can block.
 const dnsQueryTimeout = 5 * time.Second