transparent-tor-proxy 0.1.1__tar.gz

transparent_tor_proxy-0.1.1/.dockerignore

@@ -0,0 +1,20 @@
+# Ignore git directory
+.git/
+.github/
+
+# Ignore virtual environments
+.venv/
+venv/
+__pycache__/
+*.pyc
+.pytest_cache/
+
+# Ignore massive VM files and snapshots
+**/*.iso
+**/*.qcow2
+**/*.img
+**/vms/
+
+# Ignore lock files and logs
+*.lock
+*.log

transparent_tor_proxy-0.1.1/.github/workflows/ci.yml

@@ -0,0 +1,56 @@
+name: TTP CI
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  lint:
+    name: Lint & Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: "pip"
+
+      - name: Install Linting Tools
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruff
+
+      - name: Run Ruff (Python Linting)
+        run: ruff check ttp/ tests/
+
+      - name: Run ShellCheck (Script Linting)
+        run: find scripts -name "*.sh" -exec shellcheck {} +
+
+  unit-tests:
+    name: Unit Tests (Python ${{ matrix.python-version }})
+    needs: lint
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Run unit tests
+        run: pytest tests/ -v -m "not integration"

transparent_tor_proxy-0.1.1/.gitignore

@@ -0,0 +1,221 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+#poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+#pdm.lock
+#pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+#pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Package artifacts
+packaging/*.deb
+packaging/*.rpm
+packaging/*.pkg.tar.*
+packaging/*.tar.gz
+packaging/SHA256SUMS.txt
+
+# SELinux
+**/*.pp
+
+# Other
+.vscode
+tmp
+vms
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# Abstra
+# Abstra is an AI-powered process automation framework.
+# Ignore directories containing user credentials, local state, and settings.
+# Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#  that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#  and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#  you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Cursor
+#  Cursor is an AI-powered code editor. `.cursorignore` specifies files/directories to
+#  exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
+#  refer to https://docs.cursor.com/context/ignore-files
+.cursorignore
+.cursorindexingignore
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/

transparent_tor_proxy-0.1.1/CHANGELOG.md

@@ -0,0 +1,59 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.1] - 2026-05-01
+
+### Added
+
+- **CI/CD Automation (Makefile)**: Introduced a root-level `Makefile` to provide a unified entry point for unit tests and multi-distro Docker integration tests (`make verify`).
+- **Call for Contributors**: Added a dedicated section in README.md to attract new developers and experts to the project.
+
+### Changed
+
+- **Repository Reorganization**: Professionalized the project structure:
+  - Moved system scripts (`install.sh`, `uninstall.sh`, `restore-network.sh`) to `scripts/`.
+  - Consolidated QEMU VM and Docker testing assets into `scripts/vm/`.
+  - Integrated internal assets into the Python package namespace under `ttp/resources/`.
+- **Modern Asset Management**: Transitioned from manual path manipulation to `importlib.resources` for accessing the SELinux policy source, ensuring compatibility with all installation methods (pip, venv, native packages).
+- **Documentation Overhaul**: Renamed `TDD.md` to `architecture.md` and updated all documentation to reflect the new architecture and modern packaging standards.
+
+### Fixed
+
+- **Path Robustness**: All shell scripts and Makefiles now resolve the project root absolutely, allowing execution from any working directory without breaking relative paths.
+- **CLI Help Accuracy**: Updated internal CLI help messages to point to the new script locations.
+
+## [0.1.0] - 2026-04-27
+
+### Added
+
+- **Exception Hierarchy**: Introduced `TTPError` base class and specialized exceptions (`FirewallError`, `DNSError`, `StateError`, `TorError`) for professional error handling and selective recovery.
+- **CI/CD Pipeline**: Integrated GitHub Actions for automated quality assurance:
+  - **Ruff**: Static analysis and linting for Python.
+  - **ShellCheck**: Security and syntax auditing for shell scripts.
+  - **Pytest**: Automated testing across Python 3.10, 3.11, 3.12, and 3.13.
+- **Resilient Verification**: Tor verification now queries multiple endpoints (`check.torproject.org`, `ipify`, `ifconfig.me`) to prevent failures if one service is down.
+- **Settling Delay**: Added a tactical 2-second delay between Tor reaching 100% bootstrap and the initial IP verification to allow circuits to stabilize.
+- **Native Packaging**: Fully automated build scripts (`build_deb.sh`, `build_rpm.sh`) and PKGBUILD for Arch Linux, including complete metadata and license files.
+
+### Changed
+
+- **Transparent SELinux Compilation**: TTP no longer ships pre-compiled opaque `.pp` binaries. The custom `ttp_tor_policy` module for RHEL/Fedora families is now compiled on-the-fly from its `.te` source during installation.
+- **Hardened DNS Logic**: Transitioned from "best-effort" execution to strict verification. DNS configuration failures now trigger immediate alerts and automatic rollback to prevent IP leaks.
+- **Stateless Firewall Architecture**: Transitioned to a dedicated `inet ttp` table. This eliminates the need for complex system ruleset backups and ensures atomic, risk-free cleanup via `nft destroy`.
+- **Crash-Safe State Management**: Hardened session locking to handle read-only filesystems and unexpected process terminations.
+
+### Fixed
+
+- Fixed a bug where the emergency recovery script `restore-network.sh` was deployed without content.
+- Resolved multiple ShellCheck warnings related to word splitting and unquoted variables in `install.sh` and `uninstall.sh`.
+- Corrected unused imports and linting errors identified by the new CI pipeline.
+
+## [0.0.1] - 2026-04-10
+
+- Initial internal release candidate.
+- Core logic for firewall redirection (nftables) and DNS management (resolvectl).
+- Basic Typer CLI interface.

transparent_tor_proxy-0.1.1/CONTRIBUTING.md

@@ -0,0 +1,70 @@
+# Contributing to TTP
+
+First off, thank you for considering contributing to TTP! It's people like you who make TTP such a great tool for the privacy community.
+
+## 📜 Code of Conduct
+
+By participating in this project, you agree to maintain a professional and respectful environment. Please be kind to others.
+
+## 🐛 How to Report Bugs
+
+- **Check existing issues**: Someone might have already reported it.
+- **Use the template**: Provide as much detail as possible.
+- **Diagnostics**: Always include the output of `sudo ttp diagnose` if the bug is related to connectivity or system configuration.
+
+## 💡 How to Propose Features
+
+- Open an issue titled `[Feature Request] Your idea`.
+- Explain why this feature is needed and how it fits the project's goal of simplicity and crash-safety.
+
+## 🛠️ Development Setup
+
+1. **Clone the repo**:
+
+   ```bash
+   git clone https://github.com/onyks-os/TransparentTorProxy.git
+   cd TransparentTorProxy
+   ```
+
+2. **Create a virtual environment**:
+
+   ```bash
+   python -m venv venv
+   source venv/bin/activate
+   ```
+
+3. **Install in editable mode with dev dependencies**:
+
+   ```bash
+   pip install -e ".[dev]"
+   ```
+
+4. **Run tests**:
+
+   ```bash
+   pytest tests/ -v
+   ```
+
+## 🏗️ Architectural Principles
+
+When writing code for TTP, please adhere to these core principles:
+
+1. **Single Responsibility Principle (SRP)**: Each module should do one thing. Keep UI logic (`rich`/`typer`) in `cli.py` and system logic in dedicated modules.
+2. **No UI Coupling**: Modules like `tor_control.py` or `firewall.py` should NOT import `rich` or `typer`. Use callbacks or return raw data.
+3. **Atomic Operations**: System changes (like firewall rules) must be atomic. We use `nft -f` to ensure the firewall is never in a half-configured state.
+4. **Crash-Safety**: Always consider what happens if the power goes out mid-operation. Use the lock file system in `state.py` to track changes that need rolling back.
+5. **TDD (Test Driven Development)**: Every new feature or bug fix should include a corresponding unit test in `tests/`.
+
+## 🧪 Testing
+
+- **Unit Tests**: Must pass on every PR. They are fully mocked and run without root.
+- **Integration Tests**: Should be run in a VM (see `README.md`) to verify actual network behavior.
+
+## 🚀 Pull Request Process
+
+1. Create a branch from `main`.
+2. Ensure all tests pass.
+3. Update the documentation (`README.md`, `TDD.md`) if needed.
+4. Submit the PR and wait for review.
+
+Thank you for your help! 🛡️

transparent_tor_proxy-0.1.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 onyks-os
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

transparent_tor_proxy-0.1.1/Makefile

@@ -0,0 +1,60 @@
+# ==============================================================================
+# TTP (Transparent Tor Proxy) - Local CI/CD Pipeline
+# ==============================================================================
+# This Makefile automates the testing process for TTP. 
+# It allows developers to quickly run unit tests and isolated integration tests
+# in Docker containers before committing code.
+#
+# Usage:
+#   make test             - Runs only the fast unit tests locally.
+#   make integration-all  - Runs full system tests inside Docker (Debian, Fedora, Arch).
+#   make verify           - Runs EVERYTHING (Unit tests + All integration tests).
+# ==============================================================================
+
+# .PHONY tells Make that these are command names, not actual files or directories.
+.PHONY: test integration-debian integration-fedora integration-arch integration-all verify
+
+# ------------------------------------------------------------------------------
+# 1. LOCAL UNIT TESTS
+# ------------------------------------------------------------------------------
+# Runs standard Python tests using pytest. This checks the basic logic
+# of the code without needing a real Tor connection or root privileges.
+test:
+	@echo "==> Running local Unit Tests..."
+	pytest tests/ -v
+
+# ------------------------------------------------------------------------------
+# 2. INTEGRATION TESTS (DOCKER)
+# ------------------------------------------------------------------------------
+# These tests run the actual TTP software inside a privileged Docker container.
+# They verify that TTP correctly interacts with systemd, nftables, and Tor.
+#
+# NOTE: Integration tests sometimes fail due to temporary network timeouts 
+# (e.g., Tor bootstrap delays). To prevent false negatives, if a test fails, 
+# it will automatically wait 5 seconds and retry exactly once.
+
+integration-debian:
+	@echo "==> Starting integration tests on Debian..."
+	./scripts/vm/run_integration_tests.sh debian || (sleep 5 && ./scripts/vm/run_integration_tests.sh debian)
+
+integration-fedora:
+	@echo "==> Starting integration tests on Fedora..."
+	./scripts/vm/run_integration_tests.sh fedora || (sleep 5 && ./scripts/vm/run_integration_tests.sh fedora)
+
+integration-arch:
+	@echo "==> Starting integration tests on Arch Linux..."
+	./scripts/vm/run_integration_tests.sh arch || (sleep 5 && ./scripts/vm/run_integration_tests.sh arch)
+
+# A convenience command to run all three integration tests in sequence.
+integration-all: integration-debian integration-fedora integration-arch
+
+# ------------------------------------------------------------------------------
+# 3. FULL VERIFICATION PIPELINE
+# ------------------------------------------------------------------------------
+# The ultimate command to run before a git commit. 
+# It runs local unit tests first. If they pass, it moves on to Docker tests.
+verify: test integration-all
+	@echo "======================================================================"
+	@echo "✅ SUCCESS: All local tests and Docker integration tests passed!"
+	@echo "✅ You can now proceed with QEMU VM testing or safely commit your code."
+	@echo "======================================================================"