feat(direct): CDN fronting group editor + upstream-proxy UX

Author: dazzling-no-more

.gitignore

@@ -4,3 +4,4 @@
 /config.json
 .DS_Store
 /SCR-*.png
+.claude/

android/app/build.gradle.kts

@@ -142,6 +142,35 @@ dependencies {
 
     debugImplementation("androidx.compose.ui:ui-tooling")
     debugImplementation("androidx.compose.ui:ui-test-manifest")
+
+    // ---- JVM unit tests (app/src/test) -----------------------------------
+    // Pure-JVM tests run on the host without an emulator. The Android
+    // SDK ships `android.jar` with method stubs that throw at runtime
+    // ("Method ... not mocked.") — for code that uses `JSONObject`
+    // (everything in ConfigStore) we'd otherwise need Robolectric.
+    // Pulling the real `org.json` artifact instead is much lighter
+    // (~70 KB vs Robolectric's ~30 MB classpath) and the API is
+    // bit-for-bit identical to android.jar's, so the production code
+    // runs unchanged under test.
+    //
+    // Tests covered by this scaffold:
+    //   - ConfigStore round-trip with fronting_groups + draft-drop
+    //   - Discover-front JNI JSON parser
+    // Adding more tests just needs a new file under
+    // `app/src/test/java/com/therealaleph/mhrv/`.
+    testImplementation("junit:junit:4.13.2")
+    testImplementation("org.json:json:20231013")
+}
+
+// Pick the JUnit 4 runner for all unit-test tasks. AGP doesn't
+// auto-select between JUnit 4 and 5 — without this the test task
+// will compile but report `No tests found` because no runner is
+// registered. (Unit tests don't pull in the cargo/JNI chain on
+// their own: `testDebugUnitTest` doesn't depend on
+// `mergeDebugJniLibFolders`, so the Rust crate isn't built for
+// the host JVM test loop — keeps the test cycle fast.)
+tasks.withType<org.gradle.api.tasks.testing.Test>().configureEach {
+    useJUnit()
 }
 
 // --------------------------------------------------------------------------

android/app/src/main/java/com/therealaleph/mhrv/ConfigStore.kt

@@ -77,6 +77,36 @@ enum class UiLang { AUTO, FA, EN }
  */
 enum class Mode { APPS_SCRIPT, DIRECT, FULL }
 
+/**
+ * One multi-edge fronting group. Mirrors the Rust-side `FrontingGroup`
+ * in [`src/config.rs`](../../../../../../src/config.rs).
+ *
+ * Tells the proxy: when a CONNECT to one of [domains] arrives, dial
+ * [ip]:443, send the TLS handshake with `SNI=`[sni], then forward the
+ * inner HTTP `Host` to that edge. Picking a benign edge-hosted [sni]
+ * lets DPI see only that hostname while the real target stays inside
+ * the encrypted tunnel.
+ */
+data class FrontingGroup(
+    /** Human-readable label used in log lines. Free-form. */
+    val name: String,
+    /** Edge IP to dial. Today a single IP per group. */
+    val ip: String,
+    /**
+     * SNI on the outbound TLS handshake. Must be served by the same
+     * edge as [domains] or the edge will refuse / 404. Auto-populated
+     * from the hostname the user typed when discovering via
+     * `Native.discoverFront`.
+     */
+    val sni: String,
+    /**
+     * Domains routed through this edge. Case-insensitive; an entry
+     * matches the host exactly OR as a dot-anchored suffix (entry
+     * `vercel.com` matches `app.vercel.com` too).
+     */
+    val domains: List<String>,
+)
+
 data class MhrvConfig(
     val mode: Mode = Mode.APPS_SCRIPT,
 
@@ -161,6 +191,14 @@ data class MhrvConfig(
 
     /** UI language toggle. Non-Rust; honoured only by the Android wrapper. */
     val uiLang: UiLang = UiLang.AUTO,
+
+    /**
+     * Multi-edge fronting groups. Each group routes a list of target
+     * domains via a chosen CDN edge IP + SNI. See [FrontingGroup] and
+     * `src/config.rs` for semantics. Today populated from the in-app
+     * "Discover front by hostname" flow.
+     */
+    val frontingGroups: List<FrontingGroup> = emptyList(),
 ) {
     /**
      * Extract just the deployment ID from either a full
@@ -258,6 +296,41 @@ data class MhrvConfig(
             put("fetch_ips_from_api", false)
             put("max_ips_to_scan", 20)
 
+            // Fronting groups: the snake_case JSON shape must match the
+            // Rust-side `FrontingGroup` serde format exactly, otherwise
+            // the proxy will refuse to start with "missing field". The
+            // `domains` array is trimmed/de-duped at write time so a
+            // user pasting messy input doesn't poison the persisted
+            // form.
+            //
+            // Drop draft groups (no domains yet) at save time:
+            // `Config::validate()` in src/config.rs rejects empty
+            // `domains` lists with a hard error, so persisting them
+            // would make Native.startProxy() return 0. The UI keeps
+            // them visible so the user can still fill in domains;
+            // they survive into the saved file only once non-empty.
+            val savableGroups = frontingGroups.mapNotNull { g ->
+                val cleaned = g.domains
+                    .map { it.trim() }
+                    .filter { it.isNotEmpty() }
+                    .distinct()
+                if (cleaned.isEmpty()) null else g.copy(domains = cleaned)
+            }
+            if (savableGroups.isNotEmpty()) {
+                put("fronting_groups", JSONArray().apply {
+                    savableGroups.forEach { g ->
+                        put(JSONObject().apply {
+                            put("name", g.name)
+                            put("ip", g.ip)
+                            put("sni", g.sni)
+                            put("domains", JSONArray().apply {
+                                g.domains.forEach { put(it) }
+                            })
+                        })
+                    }
+                })
+            }
+
             // Android-only: surfaced in the UI dropdown. The Rust side
             // doesn't read this key (serde ignores unknown fields), which
             // is intentional — proxy-vs-TUN is a service-layer decision
@@ -356,6 +429,30 @@ object ConfigStore {
         if (cleanBypassDohHosts.isNotEmpty()) {
             obj.put("bypass_doh_hosts", JSONArray().apply { cleanBypassDohHosts.forEach { put(it) } })
         }
+        // Fronting groups: include only fully-populated entries so the QR
+        // receiver doesn't import drafts that the proxy would refuse to
+        // load. Same drop-empty-domains rule as toJson(). Domains are
+        // trimmed + de-duped here so a sharer with messy input doesn't
+        // push that mess across devices.
+        val savableGroups = cfg.frontingGroups.mapNotNull { g ->
+            val cleaned = g.domains
+                .map { it.trim() }
+                .filter { it.isNotEmpty() }
+                .distinct()
+            if (cleaned.isEmpty()) null else g.copy(domains = cleaned)
+        }
+        if (savableGroups.isNotEmpty()) {
+            obj.put("fronting_groups", JSONArray().apply {
+                savableGroups.forEach { g ->
+                    put(JSONObject().apply {
+                        put("name", g.name)
+                        put("ip", g.ip)
+                        put("sni", g.sni)
+                        put("domains", JSONArray().apply { g.domains.forEach { put(it) } })
+                    })
+                }
+            })
+        }
 
         // Compress with DEFLATE then base64.
         val jsonBytes = obj.toString().toByteArray(Charsets.UTF_8)
@@ -476,6 +573,25 @@ object ConfigStore {
                 "en" -> UiLang.EN
                 else -> UiLang.AUTO
             },
+            frontingGroups = obj.optJSONArray("fronting_groups")?.let { arr ->
+                buildList {
+                    for (i in 0 until arr.length()) {
+                        val g = arr.optJSONObject(i) ?: continue
+                        val name = g.optString("name", "").trim()
+                        val ip = g.optString("ip", "").trim()
+                        val sni = g.optString("sni", "").trim()
+                        if (name.isEmpty() || ip.isEmpty() || sni.isEmpty()) continue
+                        val domains = g.optJSONArray("domains")?.let { dArr ->
+                            buildList<String> {
+                                for (j in 0 until dArr.length()) {
+                                    add(dArr.optString(j))
+                                }
+                            }
+                        }?.filter { it.isNotBlank() }.orEmpty()
+                        add(FrontingGroup(name = name, ip = ip, sni = sni, domains = domains))
+                    }
+                }
+            }.orEmpty(),
         )
     }
 }

android/app/src/main/java/com/therealaleph/mhrv/Native.kt

@@ -110,6 +110,31 @@ object Native {
      */
     external fun statsJson(handle: Long): String
 
+    /**
+     * Resolve `hostname` to its A/AAAA records and TLS-probe each
+     * resolved IP with `SNI=hostname`. Returns a JSON blob the UI
+     * can hand into a new fronting group without further parsing.
+     *
+     * Success shape:
+     * ```
+     * {"hostname":"python.org","ips":[
+     *   {"ip":"151.101.0.223","ok":true,"latencyMs":45},
+     *   {"ip":"...","ok":false,"error":"connect timeout"}
+     * ]}
+     * ```
+     *
+     * Failure shape (bad input, DNS timeout, etc.):
+     * ```
+     * {"hostname":"python.org","error":"dns: ..."}
+     * ```
+     *
+     * BLOCKS for up to ~15s in the worst case (3s DNS timeout +
+     * 3 probe waves of 4s each at 8-way concurrency over the
+     * 24-IP cap). Typical case for a healthy CDN is well under 1s.
+     * Always call from a background dispatcher.
+     */
+    external fun discoverFront(hostname: String): String
+
     /**
      * Start tun2proxy via its CLI args C API (`tun2proxy_run_with_cli_args`).
      * Resolved at runtime via dlsym from libtun2proxy.so — no fork needed.