Conversation

@alltheseas
Contributor

@alltheseas alltheseas commented Nov 11, 2025

🧅 Experimental Tor Branch 🧅

Built with Rust Arti
https://github.com/zydou/arti

Puffin profile + top right icon showing Tor is disconnected

Puffin profile + top right icon showing Tor is connected

OS limitations

Linux, macOS + Windows run the full TorManager (crates/notedeck/src/tor.rs:1-259),
so the desktop builds spawn the bundled Arti runtime in a background thread,
expose the SOCKS proxy on 127.0.0.1:, and toggle the VPN-style badge plus relay
transport automatically. No platform gating is in place for those OSes.

  • The only platform-specific blocker today is Android (plus wasm, which shares
    that stub module). On macOS/Windows/Linux the Tor toggle, status polling,
    and WebSocket transport switching all operate the same way.

Summary

  • Add a native Tor manager (Arti runtime + SOCKS proxy) and persist its state
    in Settings → Network, wiring the toggle through SettingsAction so enabling/
    disabling Tor reconfigures relay sockets without restarting the app.
  • Teach RelayPool/Relay to carry customized ewebsock::Options, and vendor a
    patched ewebsock that supports SOCKS5 handshakes—enabling all relay traffic
    to transparently route through Tor when the toggle is on.
  • Surface Tor routing state in the chrome UI: Always display a Tor onion badge
    in the top-right corner with color/iconography for “connected,” “starting,”
    “disabled,” and “error,” mirroring the official Tor palette to make the
    state immediately visible.

Testing

  • cargo check
  • Manually toggled Tor in Settings → Network (watching badge transition
    through Connected → Disabled and verifying relays flip between direct &
    SOCKS options).

@alltheseas
Contributor Author

Review of code:

Risk-Ordered Findings

  • Tor toggle desync (settings stays “on” even when runtime failed): high
    severity × high probability—users think they’re protected while relays run
    direct; needs automatic revert or retriable state. crates/notedeck_columns/
    src/ui/settings.rs:514-555
  • No automatic retry/backoff for Tor bootstrap: high severity × medium
    probability—transient network issues leave Tor permanently failed until
    manual toggle; implement bounded retry with jitter. crates/notedeck/src/
    tor.rs:120-187
  • Fixed SOCKS port with no conflict detection: medium-high severity × medium
    probability—collides with Tor Browser/system Tor leading to silent failure;
    probe/auto-select open port or surface clearer error. crates/notedeck/src/
    tor.rs:20, 139-153
  • Transport switch leaves existing relay sockets direct: medium severity ×
    medium probability—some relays stay outside Tor after enabling; pool should
    reconnect or warn. crates/notedeck/src/app.rs:433-451
  • Missing circuit isolation: medium severity × medium probability—shared
    circuits allow cross-relay correlation; enable Arti isolation per
    destination. crates/notedeck/src/tor.rs:208-233
  • Lack of bootstrap progress feedback: medium severity × medium probability—
    users assume hang/failure during long connect; expose Arti bootstrap events
    to UI. crates/notedeck/src/tor.rs:200-233, crates/notedeck_chrome/src/
    chrome.rs:900-968
  • Error copy surfaces internal strings: low-medium severity × high probability
    —raw Arti errors leak jargon and confuse users; map to friendly text
    while logging details. crates/notedeck/src/tor.rs:150-180, crates/
    notedeck_columns/src/ui/settings.rs:524-555
  • Badge/action affordance gaps (no click for info/retry): low severity ×
    medium probability—users can’t recover from failure via badge though they
    notice it. crates/notedeck_chrome/src/chrome.rs:901-968
  • Android “unsupported” lacks guidance: low severity × medium probability
    —status just says unsupported without pointing to alternatives (e.g.,
    Orbot). crates/notedeck/src/tor.rs:266-307, crates/notedeck_columns/src/ui/
    settings.rs:550-555
  • Thread shutdown watchdog: low severity × low probability—handle.join() waits
    forever only if runtime ignores shutdown; unlikely but could add timeout.
    crates/notedeck/src/tor.rs:44-71

(Note: dependency mismatch/derive-deftly conflict is already fixed by pinning
Arti commit; DNS leak, SOCKS auth length, and badge visibility critiques were
incorrect per current code.)
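The first two findings above (toggle desync and missing bounded retry) can be addressed together. The following is an added illustration, not code from this PR or from notedeck: the Arti bootstrap is replaced by a caller-supplied `bootstrap` closure, the retry policy (`RetryPolicy`, its doubling delay and the deterministic jitter) is a hypothetical one, and the persisted "Tor enabled" value is reverted whenever the final attempt fails so the UI cannot report protection the runtime never delivered.

```rust
use std::time::Duration;

/// Observable Tor routing state, matching the badge states the PR describes.
#[derive(Debug, Clone, PartialEq)]
pub enum TorStatus { Disabled, Starting, Connected, Error(String) }

/// Hypothetical bounded retry policy: delay doubles per attempt, is capped,
/// and gets a small jitter so concurrent clients do not retry in lockstep.
pub struct RetryPolicy { pub max_attempts: u32, pub base: Duration, pub cap: Duration }

impl RetryPolicy {
    /// Delay before the retry that follows failed attempt `attempt` (1-based).
    /// Jitter here is derived from the attempt counter so the result is
    /// reproducible; a real build would draw it from a random source.
    pub fn delay(&self, attempt: u32) -> Duration {
        let exp = self.base.saturating_mul(1u32 << attempt.min(10));
        let jitter_ms = (attempt as u64 * 37) % 250; // constructed, < 250 ms
        exp.min(self.cap) + Duration::from_millis(jitter_ms)
    }
}

/// What the enable flow hands back: the status to show on the badge and the
/// value the persisted "Tor enabled" setting must take after the attempt.
#[derive(Debug, PartialEq)]
pub struct EnableOutcome { pub status: TorStatus, pub persisted_enabled: bool }

/// Drive a bootstrap function with bounded retries. `bootstrap` stands in for
/// spawning the Arti runtime: it receives the attempt number and returns Ok on
/// success. `sleep` is injected so callers (and tests) can observe the delays.
/// On final failure the persisted toggle is reverted rather than left "on".
pub fn enable_with_retry<F>(policy: &RetryPolicy, mut bootstrap: F,
                            sleep: &mut dyn FnMut(Duration)) -> EnableOutcome
where F: FnMut(u32) -> Result<(), String> {
    let mut last_err = String::from("no attempts made");
    for attempt in 1..=policy.max_attempts {
        match bootstrap(attempt) {
            Ok(()) => return EnableOutcome { status: TorStatus::Connected, persisted_enabled: true },
            Err(e) => {
                last_err = e;
                if attempt < policy.max_attempts { sleep(policy.delay(attempt)); }
            }
        }
    }
    // Every attempt failed: surface the error and revert the setting.
    EnableOutcome { status: TorStatus::Error(last_err), persisted_enabled: false }
}

fn main() {
    let policy = RetryPolicy { max_attempts: 3, base: Duration::from_millis(500), cap: Duration::from_secs(8) };
    // Constructed failure: every bootstrap attempt times out.
    let out = enable_with_retry(&policy, |_| Err("bootstrap timed out".to_string()),
                                &mut |d| println!("retry in {:?}", d));
    println!("status={:?} persisted_enabled={}", out.status, out.persisted_enabled);
}
```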

@alltheseas alltheseas mentioned this pull request Nov 12, 2025