alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Decompose architecture into 35 atomic tasks across 10 generations for implementation

Browse Source
This commit is contained in:
glm-5.1
2026-06-02 09:02:55 +00:00
parent b5c59ef3bc
commit 14dbd81195
35 changed files with 1636 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
tasks/server/stealth-mode.md Normal file
View File

@@ -0,0 +1,50 @@
---
id: server/stealth-mode
name: Implement stealth mode — protocol multiplexing on port 443 (ADR-017)
status: pending
depends_on:
- transport/tls-transport
- server/handler
scope: narrow
risk: medium
impact: component
level: implementation
---
## Description
Implement stealth mode per ADR-017. When `--stealth` is enabled alongside TLS transport on port 443:
1. After completing the TLS handshake, peek at the first bytes of the connection
2. If the connection starts with `SSH-2.0-`, proceed with `russh::server::run_stream()`
3. If the connection starts with anything else (HTTP, random data), respond with `HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n` and close
This makes the server appear as an nginx web server returning 404 errors to non-SSH connections, making it indistinguishable from a regular HTTPS site to port scanners and DPI systems.
Stealth mode requires TLS transport. The CLI should reject or warn if `--stealth` is used without `--transport tls`.
## Acceptance Criteria
- [ ] `crates/wraith-core/src/server/stealth.rs` exports stealth mode protocol detection
- [ ] `detect_protocol(stream: TlsStream) -> ProtocolDetection` — peeks at first bytes to determine SSH vs HTTP
- [ ] `ProtocolDetection` enum: `Ssh`, `Http` (or `Unknown`)
- [ ] If SSH detected: pass stream to `russh::server::run_stream()`
- [ ] If HTTP/unknown detected: write `HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n` then close
- [ ] Peek uses `tokio::io::BufReader` or similar buffered read to avoid consuming the SSH banner bytes
- [ ] Integration with `TlsAcceptor` flow: after accept + TLS handshake, optionally run protocol detection before passing to russh
- [ ] Stealth mode flag validated: requires TLS transport, warn/reject otherwise
- [ ] Unit tests: SSH banner detection, HTTP request detection, random data → fake nginx 404
- [ ] Integration test: stealth server responds to HTTP scanner with 404, SSH client connects successfully
## References
- docs/architecture/server.md — Stealth Mode section
- docs/architecture/decisions/017-stealth-mode-protocol-multiplexing.md — protocol multiplexing design
## Notes
> To be filled by implementation agent
## Summary
> To be filled on completion