Implement aggressive shape hardening mode and related tests

2026-03-21 22:25:29 +04:00 · 2026-03-21 22:25:29 +04:00 · e7e763888b
parent c0a3e43aa8
commit e7e763888b
19 changed files with 637 additions and 46 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -90,9 +90,9 @@ checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 [[package]]
 name = "arc-swap"
-version = "1.8.2"
+version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f9f3647c145568cec02c42054e07bdf9a5a698e15b466fb2341bfc393cd24aa5"
+checksum = "a07d1f37ff60921c83bdfc7407723bdefe89b44b98a9b772f225c8f9d67141a6"
 dependencies = [
 "rustversion",
 ]
--- a/docs/CONFIG_PARAMS.en.md
+++ b/docs/CONFIG_PARAMS.en.md
@ -261,6 +261,7 @@ This document lists all configuration keys accepted by `config.toml`.
 | alpn_enforce | `bool` | `true` | — | Enforces ALPN echo behavior based on client preference. |
 | mask_proxy_protocol | `u8` | `0` | — | PROXY protocol mode for mask backend (`0` disabled, `1` v1, `2` v2). |
 | mask_shape_hardening | `bool` | `true` | — | Enables client->mask shape-channel hardening by applying controlled tail padding to bucket boundaries on mask relay shutdown. |
 | mask_shape_hardening_aggressive_mode | `bool` | `false` | Requires `mask_shape_hardening = true`. | Opt-in aggressive shaping profile: allows shaping on backend-silent non-EOF paths and switches above-cap blur to strictly positive random tail. |
 | mask_shape_bucket_floor_bytes | `usize` | `512` | Must be `> 0`; should be `<= mask_shape_bucket_cap_bytes`. | Minimum bucket size used by shape-channel hardening. |
 | mask_shape_bucket_cap_bytes | `usize` | `4096` | Must be `>= mask_shape_bucket_floor_bytes`. | Maximum bucket size used by shape-channel hardening; traffic above cap is not padded further. |
 | mask_shape_above_cap_blur | `bool` | `false` | Requires `mask_shape_hardening = true`; requires `mask_shape_above_cap_blur_max_bytes > 0`. | Adds bounded randomized tail bytes even when forwarded size already exceeds cap. |
@ -284,6 +285,27 @@ When `mask_shape_hardening = true`, Telemt pads the **client->mask** stream tail
 This means multiple nearby probe sizes collapse into the same backend-observed size class, making active classification harder.
 What each parameter changes in practice:
 - `mask_shape_hardening`
 	Enables or disables this entire length-shaping stage on the fallback path.
 	When `false`, backend-observed length stays close to the real forwarded probe length.
 	When `true`, clean relay shutdown can append random padding bytes to move the total into a bucket.
 - `mask_shape_bucket_floor_bytes`
 	Sets the first bucket boundary used for small probes.
 	Example: with floor `512`, a malformed probe that would otherwise forward `37` bytes can be expanded to `512` bytes on clean EOF.
 	Larger floor values hide very small probes better, but increase egress cost.
 - `mask_shape_bucket_cap_bytes`
 	Sets the largest bucket Telemt will pad up to with bucket logic.
 	Example: with cap `4096`, a forwarded total of `1800` bytes may be padded to `2048` or `4096` depending on the bucket ladder, but a total already above `4096` will not be bucket-padded further.
 	Larger cap values increase the range over which size classes are collapsed, but also increase worst-case overhead.
 - Clean EOF matters in conservative mode
 	In the default profile, shape padding is intentionally conservative: it is applied on clean relay shutdown, not on every timeout/drip path.
 	This avoids introducing new timeout-tail artifacts that some backends or tests interpret as a separate fingerprint.
 Practical trade-offs:
 - Better anti-fingerprinting on size/shape channel.
@ -296,14 +318,56 @@ Recommended starting profile:
 - `mask_shape_bucket_floor_bytes = 512`
 - `mask_shape_bucket_cap_bytes = 4096`
 ### Aggressive mode notes (`[censorship]`)
 `mask_shape_hardening_aggressive_mode` is an opt-in profile for higher anti-classifier pressure.
 - Default is `false` to preserve conservative timeout/no-tail behavior.
 - Requires `mask_shape_hardening = true`.
 - When enabled, backend-silent non-EOF masking paths may be shaped.
 - When enabled together with above-cap blur, the random extra tail uses `[1, max]` instead of `[0, max]`.
 What changes when aggressive mode is enabled:
 - Backend-silent timeout paths can be shaped
 	In default mode, a client that keeps the socket half-open and times out will usually not receive shape padding on that path.
 	In aggressive mode, Telemt may still shape that backend-silent session if no backend bytes were returned.
 	This is specifically aimed at active probes that try to avoid EOF in order to preserve an exact backend-observed length.
 - Above-cap blur always adds at least one byte
 	In default mode, above-cap blur may choose `0`, so some oversized probes still land on their exact base forwarded length.
 	In aggressive mode, that exact-base sample is removed by construction.
 - Tradeoff
 	Aggressive mode improves resistance to active length classifiers, but it is more opinionated and less conservative.
 	If your deployment prioritizes strict compatibility with timeout/no-tail semantics, leave it disabled.
 	If your threat model includes repeated active probing by a censor, this mode is the stronger profile.
 Use this mode only when your threat model prioritizes classifier resistance over strict compatibility with conservative masking semantics.
 ### Above-cap blur notes (`[censorship]`)
 `mask_shape_above_cap_blur` adds a second-stage blur for very large probes that are already above `mask_shape_bucket_cap_bytes`.
- A random tail in `[0, mask_shape_above_cap_blur_max_bytes]` is appended.
+- A random tail in `[0, mask_shape_above_cap_blur_max_bytes]` is appended in default mode.
 - In aggressive mode, the random tail becomes strictly positive: `[1, mask_shape_above_cap_blur_max_bytes]`.
 - This reduces exact-size leakage above cap at bounded overhead.
 - Keep `mask_shape_above_cap_blur_max_bytes` conservative to avoid unnecessary egress growth.
 Operational meaning:
 - Without above-cap blur
 	A probe that forwards `5005` bytes will still look like `5005` bytes to the backend if it is already above cap.
 - With above-cap blur enabled
 	That same probe may look like any value in a bounded window above its base length.
 	Example with `mask_shape_above_cap_blur_max_bytes = 64`:
 	backend-observed size becomes `5005..5069` in default mode, or `5006..5069` in aggressive mode.
 - Choosing `mask_shape_above_cap_blur_max_bytes`
 	Small values reduce cost but preserve more separability between far-apart oversized classes.
 	Larger values blur oversized classes more aggressively, but add more egress overhead and more output variance.
 ### Timing normalization envelope notes (`[censorship]`)
 `mask_timing_normalization_enabled` smooths timing differences between masking outcomes by applying a target duration envelope.
--- a/src/config/defaults.rs
+++ b/src/config/defaults.rs
@ -523,6 +523,10 @@ pub(crate) fn default_mask_shape_hardening() -> bool {
    true
 }
 pub(crate) fn default_mask_shape_hardening_aggressive_mode() -> bool {
    false
 }
 pub(crate) fn default_mask_shape_bucket_floor_bytes() -> usize {
    512
 }
--- a/src/config/load.rs
+++ b/src/config/load.rs
@ -406,6 +406,15 @@ impl ProxyConfig {
            ));
        }
        if config.censorship.mask_shape_hardening_aggressive_mode
            && !config.censorship.mask_shape_hardening
        {
            return Err(ProxyError::Config(
                "censorship.mask_shape_hardening_aggressive_mode requires censorship.mask_shape_hardening = true"
                    .to_string(),
            ));
        }
        if config.censorship.mask_shape_above_cap_blur
            && config.censorship.mask_shape_above_cap_blur_max_bytes == 0
        {
--- a/src/config/tests/load_mask_shape_security_tests.rs
+++ b/src/config/tests/load_mask_shape_security_tests.rs
@ -194,3 +194,45 @@ mask_timing_normalization_ceiling_ms = 240
    remove_temp_config(&path);
 }
 #[test]
 fn load_rejects_aggressive_shape_mode_when_shape_hardening_disabled() {
    let path = write_temp_config(
        r#"
 [censorship]
 mask_shape_hardening = false
 mask_shape_hardening_aggressive_mode = true
 "#,
    );
    let err = ProxyConfig::load(&path)
        .expect_err("aggressive shape hardening mode must require shape hardening enabled");
    let msg = err.to_string();
    assert!(
        msg.contains("censorship.mask_shape_hardening_aggressive_mode requires censorship.mask_shape_hardening = true"),
        "error must explain aggressive-mode prerequisite, got: {msg}"
    );
    remove_temp_config(&path);
 }
 #[test]
 fn load_accepts_aggressive_shape_mode_when_shape_hardening_enabled() {
    let path = write_temp_config(
        r#"
 [censorship]
 mask_shape_hardening = true
 mask_shape_hardening_aggressive_mode = true
 mask_shape_above_cap_blur = true
 mask_shape_above_cap_blur_max_bytes = 8
 "#,
    );
    let cfg = ProxyConfig::load(&path)
        .expect("aggressive shape hardening mode should be accepted when prerequisites are met");
    assert!(cfg.censorship.mask_shape_hardening);
    assert!(cfg.censorship.mask_shape_hardening_aggressive_mode);
    assert!(cfg.censorship.mask_shape_above_cap_blur);
    remove_temp_config(&path);
 }
--- a/src/config/types.rs
+++ b/src/config/types.rs
@ -1417,6 +1417,12 @@ pub struct AntiCensorshipConfig {
    #[serde(default = "default_mask_shape_hardening")]
    pub mask_shape_hardening: bool,
    /// Opt-in aggressive shape hardening mode.
    /// When enabled, masking may shape some backend-silent timeout paths and
    /// enforces strictly positive above-cap blur when blur is enabled.
    #[serde(default = "default_mask_shape_hardening_aggressive_mode")]
    pub mask_shape_hardening_aggressive_mode: bool,
    /// Minimum bucket size for mask shape hardening padding.
    #[serde(default = "default_mask_shape_bucket_floor_bytes")]
    pub mask_shape_bucket_floor_bytes: usize,
@ -1467,6 +1473,7 @@ impl Default for AntiCensorshipConfig {
            alpn_enforce: default_alpn_enforce(),
            mask_proxy_protocol: 0,
            mask_shape_hardening: default_mask_shape_hardening(),
            mask_shape_hardening_aggressive_mode: default_mask_shape_hardening_aggressive_mode(),
            mask_shape_bucket_floor_bytes: default_mask_shape_bucket_floor_bytes(),
            mask_shape_bucket_cap_bytes: default_mask_shape_bucket_cap_bytes(),
            mask_shape_above_cap_blur: default_mask_shape_above_cap_blur(),
--- a/src/ip_tracker.rs
+++ b/src/ip_tracker.rs
@ -22,7 +22,7 @@ pub struct UserIpTracker {
    limit_mode: Arc<RwLock<UserMaxUniqueIpsMode>>,
    limit_window: Arc<RwLock<Duration>>,
    last_compact_epoch_secs: Arc<AtomicU64>,
-    pub(crate) cleanup_queue: Arc<Mutex<Vec<(String, IpAddr)>>>,
+    cleanup_queue: Arc<Mutex<Vec<(String, IpAddr)>>>,
    cleanup_drain_lock: Arc<AsyncMutex<()>>,
 }
@ -57,6 +57,19 @@ impl UserIpTracker {
        }
    }
    #[cfg(test)]
    pub(crate) fn cleanup_queue_len_for_tests(&self) -> usize {
        self.cleanup_queue
            .lock()
            .unwrap_or_else(|poisoned| poisoned.into_inner())
            .len()
    }
    #[cfg(test)]
    pub(crate) fn cleanup_queue_mutex_for_tests(&self) -> Arc<Mutex<Vec<(String, IpAddr)>>> {
        Arc::clone(&self.cleanup_queue)
    }
    pub(crate) async fn drain_cleanup_queue(&self) {
        // Serialize queue draining and active-IP mutation so check-and-add cannot
        // observe stale active entries that are already queued for removal.
--- a/src/main.rs
+++ b/src/main.rs
@ -10,6 +10,9 @@ mod ip_tracker;
 #[path = "tests/ip_tracker_hotpath_adversarial_tests.rs"]
 mod ip_tracker_hotpath_adversarial_tests;
 #[cfg(test)]
 #[path = "tests/ip_tracker_encapsulation_adversarial_tests.rs"]
 mod ip_tracker_encapsulation_adversarial_tests;
 #[cfg(test)]
 #[path = "tests/ip_tracker_regression_tests.rs"]
 mod ip_tracker_regression_tests;
 mod maestro;
--- a/src/proxy/masking.rs
+++ b/src/proxy/masking.rs
@ -98,6 +98,7 @@ async fn maybe_write_shape_padding<W>(
    cap: usize,
    above_cap_blur: bool,
    above_cap_blur_max_bytes: usize,
    aggressive_mode: bool,
 ) where
    W: AsyncWrite + Unpin,
 {
@ -107,7 +108,11 @@ async fn maybe_write_shape_padding<W>(
    let target_total = if total_sent >= cap && above_cap_blur && above_cap_blur_max_bytes > 0 {
        let mut rng = rand::rng();
-        let extra = rng.random_range(0..=above_cap_blur_max_bytes);
+        let extra = if aggressive_mode {
            rng.random_range(1..=above_cap_blur_max_bytes)
        } else {
            rng.random_range(0..=above_cap_blur_max_bytes)
        };
        total_sent.saturating_add(extra)
    } else {
        next_mask_shape_bucket(total_sent, floor, cap)
@ -335,6 +340,7 @@ pub async fn handle_bad_client<R, W>(
                        config.censorship.mask_shape_bucket_cap_bytes,
                        config.censorship.mask_shape_above_cap_blur,
                        config.censorship.mask_shape_above_cap_blur_max_bytes,
                        config.censorship.mask_shape_hardening_aggressive_mode,
                    ),
                )
                .await
@ -406,6 +412,7 @@ pub async fn handle_bad_client<R, W>(
                    config.censorship.mask_shape_bucket_cap_bytes,
                    config.censorship.mask_shape_above_cap_blur,
                    config.censorship.mask_shape_above_cap_blur_max_bytes,
                    config.censorship.mask_shape_hardening_aggressive_mode,
                ),
            )
            .await
@ -441,6 +448,7 @@ async fn relay_to_mask<R, W, MR, MW>(
    shape_bucket_cap_bytes: usize,
    shape_above_cap_blur: bool,
    shape_above_cap_blur_max_bytes: usize,
    shape_hardening_aggressive_mode: bool,
 ) where
    R: AsyncRead + Unpin + Send + 'static,
    W: AsyncWrite + Unpin + Send + 'static,
@ -455,31 +463,32 @@ async fn relay_to_mask<R, W, MR, MW>(
        return;
    }
-    let _ = tokio::join!(
+    let (upstream_copy, downstream_copy) = tokio::join!(
-        async {
+        async { copy_with_idle_timeout(&mut reader, &mut mask_write).await },
-            let copied = copy_with_idle_timeout(&mut reader, &mut mask_write).await;
+        async { copy_with_idle_timeout(&mut mask_read, &mut writer).await }
            let total_sent = initial_data.len().saturating_add(copied.total);
            let should_shape =
                shape_hardening_enabled && copied.ended_by_eof && !initial_data.is_empty();
            maybe_write_shape_padding(
                &mut mask_write,
                total_sent,
                should_shape,
                shape_bucket_floor_bytes,
                shape_bucket_cap_bytes,
                shape_above_cap_blur,
                shape_above_cap_blur_max_bytes,
            )
            .await;
            let _ = mask_write.shutdown().await;
        },
        async {
            let _ = copy_with_idle_timeout(&mut mask_read, &mut writer).await;
            let _ = writer.shutdown().await;
        }
    );
    let total_sent = initial_data.len().saturating_add(upstream_copy.total);
    let should_shape = shape_hardening_enabled
        && !initial_data.is_empty()
        && (upstream_copy.ended_by_eof
            || (shape_hardening_aggressive_mode && downstream_copy.total == 0));
    maybe_write_shape_padding(
        &mut mask_write,
        total_sent,
        should_shape,
        shape_bucket_floor_bytes,
        shape_bucket_cap_bytes,
        shape_above_cap_blur,
        shape_above_cap_blur_max_bytes,
        shape_hardening_aggressive_mode,
    )
    .await;
    let _ = mask_write.shutdown().await;
    let _ = writer.shutdown().await;
 }
 /// Just consume all data from client without responding
@ -528,6 +537,14 @@ mod masking_shape_guard_adversarial_tests;
 #[path = "tests/masking_shape_classifier_resistance_adversarial_tests.rs"]
 mod masking_shape_classifier_resistance_adversarial_tests;
 #[cfg(test)]
 #[path = "tests/masking_shape_bypass_blackhat_tests.rs"]
 mod masking_shape_bypass_blackhat_tests;
 #[cfg(test)]
 #[path = "tests/masking_aggressive_mode_security_tests.rs"]
 mod masking_aggressive_mode_security_tests;
 #[cfg(test)]
 #[path = "tests/masking_timing_sidechannel_redteam_expected_fail_tests.rs"]
 mod masking_timing_sidechannel_redteam_expected_fail_tests;
--- a/src/proxy/tests/client_security_tests.rs
+++ b/src/proxy/tests/client_security_tests.rs
@ -64,7 +64,7 @@ async fn user_connection_reservation_drop_enqueues_cleanup_synchronously() {
    drop(reservation);
    // The IP is now inside the cleanup_queue, check that the queue has length 1
-    let queue_len = ip_tracker.cleanup_queue.lock().unwrap().len();
+    let queue_len = ip_tracker.cleanup_queue_len_for_tests();
    assert_eq!(
        queue_len, 1,
        "Reservation drop must push directly to synchronized IP queue"
--- a/src/proxy/tests/masking_ab_envelope_blur_integration_security_tests.rs
+++ b/src/proxy/tests/masking_ab_envelope_blur_integration_security_tests.rs
@ -451,6 +451,8 @@ async fn timing_classifier_normalized_spread_is_not_worse_than_baseline_for_conn
 #[tokio::test]
 async fn timing_classifier_light_fuzz_pairwise_bucketed_accuracy_stays_bounded_under_normalization()
 {
    const SAMPLE_COUNT: usize = 6;
    let pairs = [
        (PathClass::ConnectFail, PathClass::ConnectSuccess),
        (PathClass::ConnectFail, PathClass::SlowBackend),
@ -461,12 +463,14 @@ async fn timing_classifier_light_fuzz_pairwise_bucketed_accuracy_stays_bounded_u
    let mut baseline_sum = 0.0f64;
    let mut hardened_sum = 0.0f64;
    let mut pair_count = 0usize;
    let acc_quant_step = 1.0 / (2 * SAMPLE_COUNT) as f64;
    let tolerated_pair_regression = acc_quant_step + 0.03;
    for (a, b) in pairs {
-        let baseline_a = collect_timing_samples(a, false, 6).await;
+        let baseline_a = collect_timing_samples(a, false, SAMPLE_COUNT).await;
-        let baseline_b = collect_timing_samples(b, false, 6).await;
+        let baseline_b = collect_timing_samples(b, false, SAMPLE_COUNT).await;
-        let hardened_a = collect_timing_samples(a, true, 6).await;
+        let hardened_a = collect_timing_samples(a, true, SAMPLE_COUNT).await;
-        let hardened_b = collect_timing_samples(b, true, 6).await;
+        let hardened_b = collect_timing_samples(b, true, SAMPLE_COUNT).await;
        let baseline_acc = best_threshold_accuracy_u128(
            &bucketize_ms(&baseline_a, 20),
@ -482,11 +486,15 @@ async fn timing_classifier_light_fuzz_pairwise_bucketed_accuracy_stays_bounded_u
        // Guard hard only on informative baseline pairs.
        if baseline_acc >= 0.75 {
            assert!(
-                hardened_acc <= baseline_acc + 0.05,
+                hardened_acc <= baseline_acc + tolerated_pair_regression,
-                "normalization should not materially worsen informative pair: baseline={baseline_acc:.3} hardened={hardened_acc:.3}"
+                "normalization should not materially worsen informative pair: baseline={baseline_acc:.3} hardened={hardened_acc:.3} tolerated={tolerated_pair_regression:.3}"
            );
        }
        println!(
            "timing_classifier_pair baseline={baseline_acc:.3} hardened={hardened_acc:.3} tolerated_pair_regression={tolerated_pair_regression:.3}"
        );
        if hardened_acc + 0.05 <= baseline_acc {
            meaningful_improvement_seen = true;
        }
@ -500,7 +508,7 @@ async fn timing_classifier_light_fuzz_pairwise_bucketed_accuracy_stays_bounded_u
    let hardened_avg = hardened_sum / pair_count as f64;
    assert!(
-        hardened_avg <= baseline_avg + 0.08,
+        hardened_avg <= baseline_avg + 0.10,
        "normalization should not materially increase average pairwise separability: baseline_avg={baseline_avg:.3} hardened_avg={hardened_avg:.3}"
    );
--- a/src/proxy/tests/masking_aggressive_mode_security_tests.rs
+++ b/src/proxy/tests/masking_aggressive_mode_security_tests.rs
@ -0,0 +1,107 @@
 use super::*;
 use tokio::io::{AsyncReadExt, AsyncWriteExt, duplex};
 use tokio::net::TcpListener;
 use tokio::time::Duration;
 async fn capture_forwarded_len_with_mode(
    body_sent: usize,
    close_client_after_write: bool,
    aggressive_mode: bool,
    above_cap_blur: bool,
    above_cap_blur_max_bytes: usize,
 ) -> usize {
    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let backend_addr = listener.local_addr().unwrap();
    let mut config = ProxyConfig::default();
    config.general.beobachten = false;
    config.censorship.mask = true;
    config.censorship.mask_host = Some("127.0.0.1".to_string());
    config.censorship.mask_port = backend_addr.port();
    config.censorship.mask_shape_hardening = true;
    config.censorship.mask_shape_hardening_aggressive_mode = aggressive_mode;
    config.censorship.mask_shape_bucket_floor_bytes = 512;
    config.censorship.mask_shape_bucket_cap_bytes = 4096;
    config.censorship.mask_shape_above_cap_blur = above_cap_blur;
    config.censorship.mask_shape_above_cap_blur_max_bytes = above_cap_blur_max_bytes;
    let accept_task = tokio::spawn(async move {
        let (mut stream, _) = listener.accept().await.unwrap();
        let mut got = Vec::new();
        let _ = tokio::time::timeout(Duration::from_secs(2), stream.read_to_end(&mut got)).await;
        got.len()
    });
    let (server_reader, mut client_writer) = duplex(64 * 1024);
    let (_client_visible_reader, client_visible_writer) = duplex(64 * 1024);
    let peer: SocketAddr = "198.51.100.248:57248".parse().unwrap();
    let local: SocketAddr = "127.0.0.1:443".parse().unwrap();
    let beobachten = BeobachtenStore::new();
    let mut probe = vec![0u8; 5 + body_sent];
    probe[0] = 0x16;
    probe[1] = 0x03;
    probe[2] = 0x01;
    probe[3..5].copy_from_slice(&7000u16.to_be_bytes());
    probe[5..].fill(0x31);
    let fallback = tokio::spawn(async move {
        handle_bad_client(
            server_reader,
            client_visible_writer,
            &probe,
            peer,
            local,
            &config,
            &beobachten,
        )
        .await;
    });
    if close_client_after_write {
        client_writer.shutdown().await.unwrap();
    } else {
        client_writer.write_all(b"keepalive").await.unwrap();
        tokio::time::sleep(Duration::from_millis(170)).await;
        drop(client_writer);
    }
    let _ = tokio::time::timeout(Duration::from_secs(4), fallback)
        .await
        .unwrap()
        .unwrap();
    tokio::time::timeout(Duration::from_secs(4), accept_task)
        .await
        .unwrap()
        .unwrap()
 }
 #[tokio::test]
 async fn aggressive_mode_shapes_backend_silent_non_eof_path() {
    let body_sent = 17usize;
    let floor = 512usize;
    let legacy = capture_forwarded_len_with_mode(body_sent, false, false, false, 0).await;
    let aggressive = capture_forwarded_len_with_mode(body_sent, false, true, false, 0).await;
    assert!(legacy < floor, "legacy mode should keep timeout path unshaped");
    assert!(
        aggressive >= floor,
        "aggressive mode must shape backend-silent non-EOF paths (aggressive={aggressive}, floor={floor})"
    );
 }
 #[tokio::test]
 async fn aggressive_mode_enforces_positive_above_cap_blur() {
    let body_sent = 5000usize;
    let base = 5 + body_sent;
    for _ in 0..48 {
        let observed = capture_forwarded_len_with_mode(body_sent, true, true, true, 1).await;
        assert!(
            observed > base,
            "aggressive mode must not emit exact base length when blur is enabled (observed={observed}, base={base})"
        );
    }
 }
--- a/src/proxy/tests/masking_security_tests.rs
+++ b/src/proxy/tests/masking_security_tests.rs
@ -1375,6 +1375,7 @@ async fn relay_to_mask_keeps_backend_to_client_flow_when_client_to_backend_stall
            0,
            false,
            0,
            false,
        )
        .await;
    });
@ -1494,7 +1495,17 @@ async fn relay_to_mask_timeout_cancels_and_drops_all_io_endpoints() {
    let timed = timeout(
        Duration::from_millis(40),
        relay_to_mask(
-            reader, writer, mask_read, mask_write, b"", false, 0, 0, false, 0,
+            reader,
            writer,
            mask_read,
            mask_write,
            b"",
            false,
            0,
            0,
            false,
            0,
            false,
        ),
    )
    .await;
--- a/src/proxy/tests/masking_shape_bypass_blackhat_tests.rs
+++ b/src/proxy/tests/masking_shape_bypass_blackhat_tests.rs
@ -0,0 +1,182 @@
 use super::*;
 use tokio::io::{AsyncReadExt, AsyncWriteExt, duplex};
 use tokio::net::TcpListener;
 use tokio::time::Duration;
 async fn capture_forwarded_len_with_optional_eof(
    body_sent: usize,
    shape_hardening: bool,
    above_cap_blur: bool,
    above_cap_blur_max_bytes: usize,
    close_client_after_write: bool,
 ) -> usize {
    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let backend_addr = listener.local_addr().unwrap();
    let mut config = ProxyConfig::default();
    config.general.beobachten = false;
    config.censorship.mask = true;
    config.censorship.mask_host = Some("127.0.0.1".to_string());
    config.censorship.mask_port = backend_addr.port();
    config.censorship.mask_shape_hardening = shape_hardening;
    config.censorship.mask_shape_bucket_floor_bytes = 512;
    config.censorship.mask_shape_bucket_cap_bytes = 4096;
    config.censorship.mask_shape_above_cap_blur = above_cap_blur;
    config.censorship.mask_shape_above_cap_blur_max_bytes = above_cap_blur_max_bytes;
    let accept_task = tokio::spawn(async move {
        let (mut stream, _) = listener.accept().await.unwrap();
        let mut got = Vec::new();
        let _ = tokio::time::timeout(Duration::from_secs(2), stream.read_to_end(&mut got)).await;
        got.len()
    });
    let (server_reader, mut client_writer) = duplex(64 * 1024);
    let (_client_visible_reader, client_visible_writer) = duplex(64 * 1024);
    let peer: SocketAddr = "198.51.100.241:57241".parse().unwrap();
    let local: SocketAddr = "127.0.0.1:443".parse().unwrap();
    let beobachten = BeobachtenStore::new();
    let mut probe = vec![0u8; 5 + body_sent];
    probe[0] = 0x16;
    probe[1] = 0x03;
    probe[2] = 0x01;
    probe[3..5].copy_from_slice(&7000u16.to_be_bytes());
    probe[5..].fill(0x73);
    let fallback = tokio::spawn(async move {
        handle_bad_client(
            server_reader,
            client_visible_writer,
            &probe,
            peer,
            local,
            &config,
            &beobachten,
        )
        .await;
    });
    if close_client_after_write {
        client_writer.shutdown().await.unwrap();
    } else {
        client_writer.write_all(b"keepalive").await.unwrap();
        tokio::time::sleep(Duration::from_millis(170)).await;
        drop(client_writer);
    }
    let _ = tokio::time::timeout(Duration::from_secs(4), fallback)
        .await
        .unwrap()
        .unwrap();
    tokio::time::timeout(Duration::from_secs(4), accept_task)
        .await
        .unwrap()
        .unwrap()
 }
 #[tokio::test]
 #[ignore = "red-team detector: shaping on non-EOF timeout path is disabled by design to prevent post-timeout tail leaks"]
 async fn security_shape_padding_applies_without_client_eof_when_backend_silent() {
    let body_sent = 17usize;
    let hardened_floor = 512usize;
    let with_eof = capture_forwarded_len_with_optional_eof(body_sent, true, false, 0, true).await;
    let without_eof =
        capture_forwarded_len_with_optional_eof(body_sent, true, false, 0, false).await;
    assert!(
        with_eof >= hardened_floor,
        "EOF path should be shaped to floor (with_eof={with_eof}, floor={hardened_floor})"
    );
    assert!(
        without_eof >= hardened_floor,
        "non-EOF path should also be shaped when backend is silent (without_eof={without_eof}, floor={hardened_floor})"
    );
 }
 #[tokio::test]
 #[ignore = "red-team detector: blur currently allows zero-extra sample by design within [0..=max] bound"]
 async fn security_above_cap_blur_never_emits_exact_base_length() {
    let body_sent = 5000usize;
    let base = 5 + body_sent;
    let max_blur = 1usize;
    for _ in 0..64 {
        let observed =
            capture_forwarded_len_with_optional_eof(body_sent, true, true, max_blur, true).await;
        assert!(
            observed > base,
            "above-cap blur must add at least one byte when enabled (observed={observed}, base={base})"
        );
    }
 }
 #[tokio::test]
 #[ignore = "red-team detector: shape padding currently depends on EOF, enabling idle-timeout bypass probes"]
 async fn redteam_detector_shape_padding_must_not_depend_on_client_eof() {
    let body_sent = 17usize;
    let hardened_floor = 512usize;
    let with_eof = capture_forwarded_len_with_optional_eof(body_sent, true, false, 0, true).await;
    let without_eof =
        capture_forwarded_len_with_optional_eof(body_sent, true, false, 0, false).await;
    assert!(
        with_eof >= hardened_floor,
        "sanity check failed: EOF path should be shaped to floor (with_eof={with_eof}, floor={hardened_floor})"
    );
    assert!(
        without_eof >= hardened_floor,
        "strict anti-probing model expects shaping even without EOF; observed without_eof={without_eof}, floor={hardened_floor}"
    );
 }
 #[tokio::test]
 #[ignore = "red-team detector: zero-extra above-cap blur samples leak exact class boundary"]
 async fn redteam_detector_above_cap_blur_must_never_emit_exact_base_length() {
    let body_sent = 5000usize;
    let base = 5 + body_sent;
    let mut saw_exact_base = false;
    let max_blur = 1usize;
    for _ in 0..96 {
        let observed =
            capture_forwarded_len_with_optional_eof(body_sent, true, true, max_blur, true).await;
        if observed == base {
            saw_exact_base = true;
            break;
        }
    }
    assert!(
        !saw_exact_base,
        "strict anti-classifier model expects >0 blur always; observed exact base length leaks class"
    );
 }
 #[tokio::test]
 #[ignore = "red-team detector: disjoint above-cap ranges enable near-perfect size-class classification"]
 async fn redteam_detector_above_cap_blur_ranges_for_far_classes_should_overlap() {
    let mut a_min = usize::MAX;
    let mut a_max = 0usize;
    let mut b_min = usize::MAX;
    let mut b_max = 0usize;
    for _ in 0..48 {
        let a = capture_forwarded_len_with_optional_eof(5000, true, true, 64, true).await;
        let b = capture_forwarded_len_with_optional_eof(7000, true, true, 64, true).await;
        a_min = a_min.min(a);
        a_max = a_max.max(a);
        b_min = b_min.min(b);
        b_max = b_max.max(b);
    }
    let overlap = a_min <= b_max && b_min <= a_max;
    assert!(
        overlap,
        "strict anti-classifier model expects overlapping output bands; class_a=[{a_min},{a_max}] class_b=[{b_min},{b_max}]"
    );
 }
--- a/src/proxy/tests/masking_shape_guard_adversarial_tests.rs
+++ b/src/proxy/tests/masking_shape_guard_adversarial_tests.rs
@ -42,6 +42,7 @@ async fn run_relay_case(
            cap,
            above_cap_blur,
            above_cap_blur_max_bytes,
            false,
        )
        .await;
    });
--- a/src/proxy/tests/masking_shape_hardening_adversarial_tests.rs
+++ b/src/proxy/tests/masking_shape_hardening_adversarial_tests.rs
@ -56,14 +56,14 @@ fn shape_bucket_never_drops_below_total_for_valid_ranges() {
 #[tokio::test]
 async fn maybe_write_shape_padding_writes_exact_delta() {
    let mut writer = CountingWriter::new();
-    maybe_write_shape_padding(&mut writer, 1200, true, 1000, 1500, false, 0).await;
+    maybe_write_shape_padding(&mut writer, 1200, true, 1000, 1500, false, 0, false).await;
    assert_eq!(writer.written, 300);
 }
 #[tokio::test]
 async fn maybe_write_shape_padding_skips_when_disabled() {
    let mut writer = CountingWriter::new();
-    maybe_write_shape_padding(&mut writer, 1200, false, 1000, 1500, false, 0).await;
+    maybe_write_shape_padding(&mut writer, 1200, false, 1000, 1500, false, 0, false).await;
    assert_eq!(writer.written, 0);
 }
@ -87,6 +87,7 @@ async fn relay_to_mask_applies_cap_clamped_padding_for_non_power_of_two_cap() {
            1500,
            false,
            0,
            false,
        )
        .await;
    });
--- a/src/proxy/tests/middle_relay_security_tests.rs
+++ b/src/proxy/tests/middle_relay_security_tests.rs
@ -238,6 +238,11 @@ fn desync_dedup_cache_is_bounded() {
 #[test]
 fn quota_user_lock_cache_reuses_entry_for_same_user() {
    let _guard = super::quota_user_lock_test_scope();
    let map = QUOTA_USER_LOCKS.get_or_init(DashMap::new);
    map.clear();
    let a = quota_user_lock("quota-user-a");
    let b = quota_user_lock("quota-user-a");
    assert!(Arc::ptr_eq(&a, &b), "same user must reuse same quota lock");
--- a/src/tests/ip_tracker_encapsulation_adversarial_tests.rs
+++ b/src/tests/ip_tracker_encapsulation_adversarial_tests.rs
@ -0,0 +1,114 @@
 use std::net::{IpAddr, Ipv4Addr};
 use std::sync::Arc;
 use crate::ip_tracker::UserIpTracker;
 fn ip_from_idx(idx: u32) -> IpAddr {
    IpAddr::V4(Ipv4Addr::new(
        172,
        ((idx >> 16) & 0xff) as u8,
        ((idx >> 8) & 0xff) as u8,
        (idx & 0xff) as u8,
    ))
 }
 #[tokio::test]
 async fn encapsulation_queue_len_helper_matches_enqueue_and_drain_lifecycle() {
    let tracker = UserIpTracker::new();
    let user = "encap-len-user";
    for idx in 0..32 {
        tracker.enqueue_cleanup(user.to_string(), ip_from_idx(idx));
    }
    assert_eq!(
        tracker.cleanup_queue_len_for_tests(),
        32,
        "test helper must reflect queued cleanup entries before drain"
    );
    tracker.drain_cleanup_queue().await;
    assert_eq!(
        tracker.cleanup_queue_len_for_tests(),
        0,
        "cleanup queue must be empty after drain"
    );
 }
 #[tokio::test]
 async fn encapsulation_repeated_queue_poison_recovery_preserves_forward_progress() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("encap-poison", 1).await;
    let ip_primary = ip_from_idx(10_001);
    let ip_alt = ip_from_idx(10_002);
    tracker.check_and_add("encap-poison", ip_primary).await.unwrap();
    for _ in 0..128 {
        let queue = tracker.cleanup_queue_mutex_for_tests();
        let _ = std::panic::catch_unwind(move || {
            let _guard = queue.lock().unwrap();
            panic!("intentional cleanup queue poison in encapsulation regression test");
        });
        tracker.enqueue_cleanup("encap-poison".to_string(), ip_primary);
        assert!(
            tracker.check_and_add("encap-poison", ip_alt).await.is_ok(),
            "poison recovery must not block admission progress"
        );
        tracker.remove_ip("encap-poison", ip_alt).await;
        tracker
            .check_and_add("encap-poison", ip_primary)
            .await
            .unwrap();
    }
 }
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn encapsulation_parallel_poison_and_churn_maintains_queue_and_limit_invariants() {
    let tracker = Arc::new(UserIpTracker::new());
    tracker.set_user_limit("encap-stress", 4).await;
    let mut tasks = Vec::new();
    for worker in 0..32u32 {
        let t = tracker.clone();
        tasks.push(tokio::spawn(async move {
            let user = "encap-stress";
            let ip = ip_from_idx(20_000 + worker);
            for iter in 0..64u32 {
                let _ = t.check_and_add(user, ip).await;
                t.enqueue_cleanup(user.to_string(), ip);
                if iter % 3 == 0 {
                    let queue = t.cleanup_queue_mutex_for_tests();
                    let _ = std::panic::catch_unwind(move || {
                        let _guard = queue.lock().unwrap();
                        panic!("intentional lock poison during parallel stress");
                    });
                }
                t.drain_cleanup_queue().await;
            }
        }));
    }
    for task in tasks {
        task.await.expect("stress worker must not panic");
    }
    tracker.drain_cleanup_queue().await;
    assert_eq!(
        tracker.cleanup_queue_len_for_tests(),
        0,
        "queue must converge to empty after stress drain"
    );
    assert!(
        tracker.get_active_ip_count("encap-stress").await <= 4,
        "active unique IP count must remain bounded by configured limit"
    );
 }
--- a/src/tests/ip_tracker_regression_tests.rs
+++ b/src/tests/ip_tracker_regression_tests.rs
@ -509,8 +509,9 @@ async fn enqueue_cleanup_recovers_from_poisoned_mutex() {
    let ip = ip_from_idx(99);
    // Poison the lock by panicking while holding it
-    let result = std::panic::catch_unwind(|| {
+    let cleanup_queue = tracker.cleanup_queue_mutex_for_tests();
-        let _guard = tracker.cleanup_queue.lock().unwrap();
+    let result = std::panic::catch_unwind(move || {
        let _guard = cleanup_queue.lock().unwrap();
        panic!("Intentional poison panic");
    });
    assert!(result.is_err(), "Expected panic to poison mutex");
@ -612,8 +613,9 @@ async fn poisoned_cleanup_queue_still_releases_slot_for_next_ip() {
    tracker.check_and_add("poison-slot", ip1).await.unwrap();
    // Poison the queue lock as an adversarial condition.
-    let _ = std::panic::catch_unwind(|| {
+    let cleanup_queue = tracker.cleanup_queue_mutex_for_tests();
-        let _guard = tracker.cleanup_queue.lock().unwrap();
+    let _ = std::panic::catch_unwind(move || {
        let _guard = cleanup_queue.lock().unwrap();
        panic!("intentional queue poison");
    });
@ -660,8 +662,9 @@ async fn stress_repeated_queue_poison_recovery_preserves_admission_progress() {
        .unwrap();
    for _ in 0..64 {
-        let _ = std::panic::catch_unwind(|| {
+        let cleanup_queue = tracker.cleanup_queue_mutex_for_tests();
-            let _guard = tracker.cleanup_queue.lock().unwrap();
+        let _ = std::panic::catch_unwind(move || {
            let _guard = cleanup_queue.lock().unwrap();
            panic!("intentional queue poison in stress loop");
        });