Skip to content

fix(policy): use engine default verdict for QUIC#29

Merged
nnemirovsky merged 22 commits intomainfrom
fix-quic-default-verdict
Apr 13, 2026
Merged

fix(policy): use engine default verdict for QUIC#29
nnemirovsky merged 22 commits intomainfrom
fix-quic-default-verdict

Conversation

@nnemirovsky
Copy link
Copy Markdown
Owner

@nnemirovsky nnemirovsky commented Apr 12, 2026

EvaluateQUICDetailed was hardcoded to return Deny as the default verdict, ignoring the engine's configured default. When default is "ask", QUIC traffic to unmatched destinations was silently dropped instead of triggering approval.

@nnemirovsky
fix(policy): use engine default verdict for QUIC instead of hardcoded…
d1cb52a 
… deny

EvaluateQUICDetailed was hardcoded to return Deny as the default
verdict, ignoring the engine's configured default. When default is
"ask", QUIC traffic to unmatched destinations was silently dropped
instead of triggering approval. Now uses e.Default so QUIC respects
the same default as TCP.
@nnemirovsky
docs: add QUIC full flow fixes plan
4fc9557
@nnemirovsky
feat(proxy): extract SNI from QUIC Initial packets for hostname-based…
a493edf 
… policy
@nnemirovsky
feat(proxy): deduplicate QUIC broker requests with bounded packet buffer
8eb9fc4
@nnemirovsky
fix(proxy): verify and document QUIC response relay path
aed6748
@nnemirovsky
fix(test): use IPv4-only listeners in httptest servers
605f710
@nnemirovsky
test(e2e): add comprehensive protocol coverage for WebSocket, gRPC, Q…
8a9e1fe 
…UIC, DNS, IMAP/SMTP
@nnemirovsky
chore: mark Task 6 acceptance criteria verified
c927672
@nnemirovsky
docs: update CLAUDE.md with QUIC SNI extraction and move plan to comp…
0f95363 
…leted
@nnemirovsky
fix: address review phase 1 findings
e493dcc
@nnemirovsky
fix: address review phase 2 code smell findings
dd71ec4
@nnemirovsky
fix(proxy): address review phase 4 critical findings
23b61eb
@nnemirovsky
fix(proxy): handle real-world QUIC Initial packets in SNI extraction
aa92ae2
@nnemirovsky
fix(proxy): handle real-world QUIC frame parsing and document SNI fra…
fe19aff 
…gmentation
@nnemirovsky
feat(cli): add --protocols flag to policy add command
0e04e33
@nnemirovsky
feat(proxy): accumulate CRYPTO data across QUIC Initial packets to ex…
72de030 
…tract SNI
@nnemirovsky
fix(policy): unify UDP policy with TCP, fix QUIC shared-IP dedup
c2dadf8
@nnemirovsky
style: fix golangci-lint issues in QUIC SNI code
fc68024
@nnemirovsky
fix(e2e): remove broken WS credential injection test (upstream limita…
7a4b5e7 
…tion)
@nnemirovsky
fix(proxy): forward modified headers on WebSocket upgrade
7b13873 
Bumps go-mitmproxy fork to include the header forwarding fix so that
addon-modified headers (credential injection, custom headers) reach the
upstream WS server during the handshake.

Restores TestWebSocket_CredentialInjectionInUpgradeHeaders which now
passes end-to-end.
@nnemirovsky
chore: bump go-mitmproxy fork to drop Chinese comment
d612ce6
@nnemirovsky
fix(test): address SSH jump host test flakiness
256e199
@nnemirovsky nnemirovsky merged commit 421579e into main Apr 13, 2026
6 checks passed
@nnemirovsky nnemirovsky deleted the fix-quic-default-verdict branch April 13, 2026 02:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nnemirovsky