[stealth radiance] Add noVPN SOCKS backend

[reflog]

Summary

• add a stealth_novpn Radiance backend path that runs sing-box in SOCKS/mixed proxy mode instead of libbox/VPN service mode
• gate OAuth, URL-provider registration, TUN inbounds, WireGuard key setup, and libbox tunnel setup out of stealth_novpn builds
• rename managed server metadata away from Lantern-specific JSON in stealth builds while preserving legacy isLantern reads for normal builds

Verification

• mise exec go@1.26.2 -- env GOCACHE=/tmp/radiance-stealth-go-cache GOMODCACHE=/tmp/radiance-stealth-go-mod GOFLAGS=-buildvcs=false go test -tags=stealth_novpn ./backend ./config ./servers
• mise exec go@1.26.2 -- env GOCACHE=/tmp/radiance-stealth-go-cache GOMODCACHE=/tmp/radiance-stealth-go-mod GOFLAGS=-buildvcs=false go test ./backend ./config ./servers
• consumed from Lantern at v0.0.0-20260518143049-9fb8b10019b2; stealth noVPN APK rebuild and leakage scan pass there

[Copilot]

Pull request overview

Adds a stealth_novpn build path that runs sing-box as a SOCKS/mixed proxy instead of a libbox-based VPN tunnel, while preserving the existing VPN code path for default builds. The split is implemented via build tags across vpn/, servers/, config/, backend/, account/, and a new internal/boxctx helper. The PR also renames the Server.IsLantern field to Server.Managed and adds legacy-JSON compatibility in the default build.

Changes:

• Introduce //go:build stealth_novpn and //go:build !stealth_novpn siblings to gate libbox/VPN/TUN/WireGuard/OAuth/URL-provider code out of stealth builds, including a new NewVPNClient/proxySession that drives sing-box directly.
• Rename Server.IsLantern → Server.Managed (JSON managed), extract per-build helpers applyLegacyManagedFlag/isManagedServerGroup, and move AddServersByURL and WireGuard key handling behind tagged files.
• Centralize sing-box context creation in internal/boxctx, with a stripped registry for stealth_novpn that registers only the protocols the build supports and stubs WireGuard/Tailscale/Amnezia endpoints.

Reviewed changes

Copilot reviewed 32 out of 32 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
vpn/vpn.go	Adds !stealth_novpn build tag to the existing VPN client.
vpn/vpn_stealth_novpn.go	New SOCKS/mixed proxy client and proxySession for stealth_novpn.
vpn/tunnel.go	Build-tags the libbox tunnel; renames lanternTags → managedTags and delegates platform setup.
vpn/libbox_setup_default.go	Extracts Android FixAndroidStack setup behind a helper.
vpn/inbounds_default.go / vpn/inbounds_stealth_novpn.go	Split inbound construction (tun+mixed vs mixed-only) and platform tunnel tweaks.
vpn/build_options_default.go / vpn/build_options_stealth_novpn.go	No-op vs filter that drops WireGuard/Amnezia outbounds in stealth_novpn.
vpn/boxoptions.go	Delegates inbound/platform-tunnel setup to helpers and uses boxctx.BaseContext.
servers/manager.go	Renames IsLantern → Managed, removes URL provider import, switches to boxctx.
servers/manager_test.go	Updates expectations to Managed and skips URL test in stealth_novpn.
servers/providers_.go, servers/stealth_flag__test.go	Build-tagged provider registration and test flag.
servers/managed_legacy_*.go	Legacy isLantern JSON migration (default-only) and lantern/managed group mapping.
servers/add_servers_by_url_*.go	Splits AddServersByURL into a real implementation (default) and a stubbed error (stealth_novpn).
ipc/outbound_test.go	Updates fixture to Managed.
internal/boxctx/base_default.go / base_stealth_novpn.go	New BaseContext helper; stealth_novpn registers a reduced set of inbounds/outbounds/endpoints.
config/wg_default.go / wg_stealth_novpn.go	Splits WireGuard key load/generate behind build tags.
config/protocols_default.go / protocols_stealth_novpn.go	Supplies build-specific supported protocol list.
config/fetcher.go	Calls supportedProtocols() instead of using lantern-box/protocol directly.
config/config.go	Replaces inline WG key logic with loadProxyConfigKey/setEndpointKeys, switches to boxctx.
backend/radiance.go	Renames isLantern parameters/fields, error wording change, removes OAuth methods (moved).
backend/oauth.go	Re-adds OAuth methods only in non-stealth builds.
account/user.go / account/oauth.go	Moves OAuth login URL/callback into a build-tagged file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[reflog]

@copilot review

[Copilot]

Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 1 comment.

[Copilot]

@copilot review

Reviewed the full PR. All three previously flagged issues are addressed in 7a41164. Here's what I found beyond that:

Bug: stealth_novpn build doesn't compile (ipc/server.go)
backend/oauth.go is gated !stealth_novpn, so OAuthLoginCallback/OAuthLoginURL don't exist on LocalBackend in that build. ipc/server.go references both unconditionally. Added backend/oauth_stealth_novpn.go with stubs that return "OAuth not supported in this build".

[session-state-trace] vs [vpn-state-trace] in setStatus
The stealth_novpn setStatus emits [session-state-trace] while the default build emits [vpn-state-trace]. If log search/alerting keys on the VPN build tag, stealth status transitions will be invisible. Worth aligning — or at minimum documenting the difference.

Two minor comment additions

• managed_legacy_stealth_novpn.go: added inline comment explaining why the byte-slice encoding is used (avoids a verbatim literal in the stealth binary).
• vpn_stealth_novpn.go RunOfflineURLTests: added comment that the empty return is intentional — callers treat it as "no prior results" and proceed with a blind connect.

Both builds (go build ./... and go build -tags=stealth_novpn ./...) pass after the OAuth stub is added. The TestRetryableHTTPClient failure in CI is a pre-existing network sandbox constraint unrelated to these changes.

[reflog]

@copilot review

[Copilot]

Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 2 comments.

[reflog]

@copilot review

[Copilot]

@copilot review

Completed another review pass and fixed the remaining trace-marker inconsistency in vpn/vpn_stealth_novpn.go so stealth noVPN now logs [vpn-state-trace] like the default build. Addressed in commit 5c2a658.

[Copilot]

Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 2 comments.

[reflog]

@copilot review

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated no new comments.

[reflog]

@copilot review

[Copilot]

@copilot review

Reviewed on 3ae9711. I don’t see any new actionable issues in this round. Validation passes for go test ./backend ./config ./ipc and go test -tags=stealth_novpn ./backend ./config ./ipc; ./servers still only shows the known sandbox DNS failure in TestRetryableHTTPClient.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• www.gstatic.com
  • Triggering command: /tmp/go-build2657585604/b001/servers.test /tmp/go-build2657585604/b001/servers.test -test.testlogfile=/tmp/go-build2657585604/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s .c -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security (dns block)
  • Triggering command: /tmp/go-build1136269360/b001/servers.test /tmp/go-build1136269360/b001/servers.test -test.testlogfile=/tmp/go-build1136269360/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -ato�� -bool t u/13/cc1 -errorsas -ifaceassert t u/13/cc1 -ato�� rawshaw@v0.5.6-0-c=4 t t.cfg -errorsas -ifaceassert t tmp/go-build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated no new comments.

[Copilot]

@copilot review

Reviewed the current PR head (c4e5d2c) and re-ran targeted tests for ./backend ./config ./ipc ./servers in both default and stealth_novpn builds. No new actionable code issues found; both runs only hit the known sandbox DNS failure in servers/TestRetryableHTTPClient.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• www.gstatic.com
  • Triggering command: /tmp/go-build2905749912/b1228/servers.test /tmp/go-build2905749912/b1228/servers.test -test.testlogfile=/tmp/go-build2905749912/b1228/testlog.txt -test.paniconexit0 -test.timeout=10m0s _23.�� rawshaw@v0.5.6-0/tmp/go-link-370808107/trivial.c t 5749912/b1170=> -errorsas chr/testify/asse--64 l/linux_amd64/ve-o /home/REDACTED/go//tmp/ccvYmN7e.o o_7.�� rawshaw@v0.5.6-0.20250312230104---gdwarf-5 082150/b884/ 0.1-go1.26.2.linux-amd64/pkg/tool/linux_amd64/compile -errorsas -ifaceassert l/linux_amd64/ve-o 0.1-go1.26.2.lin/tmp/ccVzXRee.o (dns block)
  • Triggering command: /tmp/go-build965082150/b1243/servers.test /tmp/go-build965082150/b1243/servers.test -test.testlogfile=/tmp/go-build965082150/b1243/testlog.txt -test.paniconexit0 -test.timeout=10m0s _23.�� rawshaw@v0.5.6-0-plugin-opt=-pass-through=-lgcc_s 082150/b1237/vet-plugin-opt=-pass-through=-lgcc as -errorsas -ifaceassert l/linux_amd64/ve-o /home/REDACTED/go//tmp/ccvYmN7e.o .202�� .20250312230104-elf_x86_64 .20250312230104---hash-style=gnu 0.1-go1.26.2.lin--as-needed -errorsas -ifaceassert l/linux_amd64/ve-o 0.1-go1.26.2.lin/tmp/ccVzXRee.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[reflog]

@copilot review

Please review only. Do not add stealth_novpn OAuth stub methods: keeping those method names out of the noVPN binary is intentional, and the build-tag split in the IPC auth provider route/client removes that API surface for stealth_novpn builds.

[Copilot]

Pull request overview

Copilot reviewed 37 out of 37 changed files in this pull request and generated 1 comment.

[Copilot]

@copilot review

Please review only. Do not add stealth_novpn OAuth stub methods: keeping those method names out of the noVPN binary is intentional, and the build-tag split in the IPC auth provider ro...

Reviewed only on c4e5d2c and kept the noVPN OAuth surface as-is (no stealth_novpn OAuth stubs added). I found no new actionable code issues. Validation still matches prior results: go test ./backend ./config ./ipc and go test -tags=stealth_novpn ./backend ./config ./ipc pass, while ./servers fails only on the known DNS-dependent TestRetryableHTTPClient in this sandbox.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• www.gstatic.com
  • Triggering command: /tmp/go-build1060265294/b1243/servers.test /tmp/go-build1060265294/b1243/servers.test -test.testlogfile=/tmp/go-build1060265294/b1243/testlog.txt -test.paniconexit0 -test.timeout=10m0s -o .20250312230104---gdwarf-5 t rg/toolchain@v0.-o o go.opentelemetry-plugin t rg/toolchain@v0.-plugin-opt=/usr/libexec/gcc/x86_64-linux-gnu/13/lto-wrapper -uns�� .20250312230104--plugin-opt=-pass-through=-lgcc_s t rg/toolchain@v0.-plugin-opt=-pass-through=-lc -c=4 -nolocalimports t rg/toolchain@v0./tmp/ccOa3iiW.o (dns block)
  • Triggering command: /tmp/go-build2733655855/b001/servers.test /tmp/go-build2733655855/b001/servers.test -test.testlogfile=/tmp/go-build2733655855/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -ato�� -bool t t.cfg -errorsas -ifaceassert t pkg/mod/golang.o/tmp/ccrnMjS4.o -ato�� rawshaw@v0.5.6-0.20250312230104--errorsas cgo_3.o t.cfg -errorsas -ifaceassert t pkg/mod/golang.o/tmp/cczndtSV.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[reflog]

@copilot review

Please review only. The split-tunnel noVPN comment was addressed by removing split-tunnel setup and rule references from the stealth_novpn SOCKS path. Do not add OAuth stubs; keeping those names out of stealth_novpn remains intentional.

[reflog]

@copilot review

Please review only. Current head removes the noVPN split-tunnel side effect and keeps OAuth names out of stealth_novpn.

[Copilot]

@copilot review

Please review only. The split-tunnel noVPN comment was addressed by removing split-tunnel setup and rule references from the stealth_novpn SOCKS path. Do not add OAuth stubs; keeping ...

Reviewed on df5a984. No new actionable issues found. I kept the stealth_novpn OAuth surface unchanged (no OAuth stubs), and verified both go test ./backend ./config ./ipc ./servers and go test -tags=stealth_novpn ./backend ./config ./ipc ./servers with only the known sandbox DNS failure in servers/TestRetryableHTTPClient.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• www.gstatic.com
  • Triggering command: /tmp/go-build1068948367/b1243/servers.test /tmp/go-build1068948367/b1243/servers.test -test.testlogfile=/tmp/go-build1068948367/b1243/testlog.txt -test.paniconexit0 -test.timeout=10m0s -o .20250312230104---gdwarf-5 t rg/toolchain@v0.-o -p go.opentelemetry--64 t rg/toolchain@v0./tmp/ccOJju9z.o -uns�� .20250312230104-194977a03421 t rg/toolchain@v0.0.1-go1.26.2.lin--64 -c=4 -nolocalimports t rg/toolchain@v0./tmp/cckcGfVJ.o (dns block)
  • Triggering command: /tmp/go-build2833449320/b1228/servers.test /tmp/go-build2833449320/b1228/servers.test -test.testlogfile=/tmp/go-build2833449320/b1228/testlog.txt -test.paniconexit0 -test.timeout=10m0s -ato�� -bool t .cfg -errorsas -ifaceassert t pkg/mod/golang.o/tmp/cceur8q5.o -ato�� rawshaw@v0.5.6-0.20250312230104---gdwarf-5 t 0.1-go1.26.2.linux-amd64/pkg/tool/linux_amd64/compile -errorsas -ifaceassert t 0.1-go1.26.2.lin/tmp/ccJeqqFd.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

@copilot review

Please review only. Current head removes the noVPN split-tunnel side effect and keeps OAuth names out of stealth_novpn.

Reviewed on df5a984. No new actionable issues found. The noVPN split-tunnel side effect removal looks correct, and OAuth names remain out of stealth_novpn via the IPC build-tag split (no stealth OAuth stubs added). Re-validated with go test ./backend ./config ./ipc, go test -tags=stealth_novpn ./backend ./config ./ipc, plus ./servers in both tags (only the known sandbox DNS failure in servers/TestRetryableHTTPClient).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• www.gstatic.com
  • Triggering command: /tmp/go-build3811710632/b001/servers.test /tmp/go-build3811710632/b001/servers.test -test.testlogfile=/tmp/go-build3811710632/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s .c -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security _29.�� rawshaw@v0.5.6-0.20250312230104--p 084455/b870/ 0.1-go1.26.2.linux-amd64/pkg/tool/linux_amd64/link -errorsas -ifaceassert l/linux_amd64/ve-o 0.1-go1.26.2.lin/tmp/cc9dNDtT.o (dns block)
  • Triggering command: /tmp/go-build1380551824/b001/servers.test /tmp/go-build1380551824/b001/servers.test -test.testlogfile=/tmp/go-build1380551824/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s _21.�� rawshaw@v0.5.6-0.20250312230104---gdwarf-5 t tnet/tools/as -errorsas -ifaceassert l/linux_amd64/ve-o 2860723/b885/_x0/tmp/ccFDu7cO.o _29.�� rawshaw@v0.5.6-0.20250312230104--p 084455/b870/ 0.1-go1.26.2.linux-amd64/pkg/tool/linux_amd64/compile -errorsas -ifaceassert l/linux_amd64/ve-imultiarch 0.1-go1.26.2.linx86_64-linux-gnu (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)