feat(ios): local proxy, async API, URLProtocol, mobile DLP, expanded tool mappings#86

Merged
chen-zichen merged 3 commits into main from ios_more2
Mar 14, 2026
@cyyever cyyever commented Mar 14, 2026

Summary

  • Local reverse proxy (pkg/libcrust/proxy.go): in-process HTTP reverse proxy for iOS — intercepts API calls without PacketTunnelProvider or TLS MITM. Reuses the existing security.Interceptor.
  • Async Swift API: evaluateAsync(), interceptResponseAsync(), validateYAMLAsync() — off-main-thread wrappers around gomobile-bound Go calls.
  • CrustURLProtocol: URLProtocol subclass for zero-config URLSession interception — register once, all requests to configured hosts are automatically proxied through the rule engine.
  • Mobile DLP patterns (4 new, 42→46 total): vCard, iCalendar, Apple Configuration Profile (mobileconfig), HL7 FHIR health data bundle.
  • Expanded mobile tool mappings (6 new categories): camera, microphone, Bluetooth, NFC, biometric auth, in-app purchases, call log, SMS.
  • 3 new locked security rules (30→33 total): protect-mobile-hardware, protect-mobile-biometric, protect-mobile-purchases.
  • CI: added ios job in release workflow for xcframework build + SHA-256 checksum artifact.
  • Docs: updated README (iOS integration section, rule/DLP counts), cli.md, how-it-works.md.

Test plan

  • All existing tests pass (go test ./...)
  • 14 new extractor tests for mobile tool mappings
  • 8 new proxy tests (start/stop, blocked/allowed tool calls, edge cases)
  • Async API tests, URLProtocol tests, mobile rule tests in CrustKitTests
  • Doc consistency tests updated and passing
  • Fuzz coverage for new rules
  • All pre-commit hooks pass (gofmt, golangci-lint, nilaway, gitleaks, govulncheck, shellcheck, rule coverage, doc consistency)

cyyever added 3 commits March 14, 2026 10:18
…tool mappings

- Add local reverse proxy (pkg/libcrust/proxy.go) for on-device AI API
  response interception — replaces impractical PacketTunnelProvider approach
- Add async Swift API (evaluateAsync, interceptResponseAsync) to avoid
  blocking the main thread
- Add CrustURLProtocol for zero-config URLSession interception with
  URLSessionConfiguration.crustProtected convenience
- Add 6 new mobile tool categories: camera, microphone, Bluetooth, NFC,
  biometric auth, in-app purchases, call log, SMS (30+ tool aliases)
- Add 3 new builtin security rules: protect-mobile-hardware,
  protect-mobile-biometric, protect-mobile-purchases (27→30 locked)
- Add 4 mobile DLP patterns: vCard, iCalendar, Apple mobileconfig,
  FHIR health bundles (42→46 patterns)
- Add iOS xcframework build to release workflow for remote SPM distribution
- Update README iOS section with three integration paths and protection table
- Update docs and verify checksums for new rule/DLP counts
Unified step numbering to 1-indexed (steps 1-13) across engine.go,
how-it-works.md diagram, and all code/test comments. Added mobile DLP
patterns (vCard, iCalendar, mobileconfig, FHIR) to provider table and
attack scenario matrix. Updated mobile protection categories in docs.
The proxy forwards JSON API responses, not HTML — XSS via
ResponseWriter.Write is not applicable here.
@chen-zichen chen-zichen merged commit 29a0115 into main Mar 14, 2026
29 of 30 checks passed
@chen-zichen chen-zichen deleted the ios_more2 branch March 14, 2026 04:50
cyyever added a commit that referenced this pull request Mar 14, 2026
…tool mappings (#86)

* feat(ios): local proxy, async API, URLProtocol, mobile DLP, expanded tool mappings

- Add local reverse proxy (pkg/libcrust/proxy.go) for on-device AI API
  response interception — replaces impractical PacketTunnelProvider approach
- Add async Swift API (evaluateAsync, interceptResponseAsync) to avoid
  blocking the main thread
- Add CrustURLProtocol for zero-config URLSession interception with
  URLSessionConfiguration.crustProtected convenience
- Add 6 new mobile tool categories: camera, microphone, Bluetooth, NFC,
  biometric auth, in-app purchases, call log, SMS (30+ tool aliases)
- Add 3 new builtin security rules: protect-mobile-hardware,
  protect-mobile-biometric, protect-mobile-purchases (27→30 locked)
- Add 4 mobile DLP patterns: vCard, iCalendar, Apple mobileconfig,
  FHIR health bundles (42→46 patterns)
- Add iOS xcframework build to release workflow for remote SPM distribution
- Update README iOS section with three integration paths and protection table
- Update docs and verify checksums for new rule/DLP counts

* docs: align pipeline step numbering (1-indexed) across code and docs

Unified step numbering to 1-indexed (steps 1-13) across engine.go,
how-it-works.md diagram, and all code/test comments. Added mobile DLP
patterns (vCard, iCalendar, mobileconfig, FHIR) to provider table and
attack scenario matrix. Updated mobile protection categories in docs.

* fix(ci): suppress semgrep false positive on reverse proxy w.Write()

The proxy forwards JSON API responses, not HTML — XSS via
ResponseWriter.Write is not applicable here.
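
An added sketch, not code from this pull request or from pkg/libcrust/proxy.go, of the pattern the summary and the semgrep note describe: a loopback reverse proxy that inspects upstream JSON before the app sees it, and that pins the response type so the "JSON, not HTML" assumption is enforced rather than implied. The `apiResponse` shape, the `blocked` list, the upstream URL and the port are hypothetical stand-ins for the real rule engine and configuration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strconv"
)

// Hypothetical response shape and deny list; a real rule engine replaces both.
type apiResponse struct {
	ToolCalls []struct{ Name string `json:"name"` } `json:"tool_calls"`
}

var blocked = map[string]bool{"camera_capture": true, "send_sms": true}

func NewInspectingProxy(upstream *url.URL) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(upstream)
	direct := p.Director
	p.Director = func(r *http.Request) {
		direct(r)
		r.Header.Del("Accept-Encoding") // let the transport gunzip so the body is inspectable
	}
	p.ModifyResponse = func(resp *http.Response) error {
		body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20+1)) // buffer at most 1 MiB
		resp.Body.Close()
		var parsed apiResponse
		if err != nil || len(body) > 1<<20 || json.Unmarshal(body, &parsed) != nil {
			return errors.New("uninspectable upstream response") // fail closed: client gets 502
		}
		for _, tc := range parsed.ToolCalls {
			if blocked[tc.Name] {
				body, resp.StatusCode = []byte(`{"error":"tool call blocked"}`), http.StatusForbidden
			}
		}
		// Pin the type: writing the body unescaped is only safe while it is served as JSON.
		resp.Header.Set("Content-Type", "application/json")
		resp.Header.Set("X-Content-Type-Options", "nosniff")
		resp.Header.Set("Content-Length", strconv.Itoa(len(body)))
		resp.Body = io.NopCloser(bytes.NewReader(body))
		return nil
	}
	return p
}
func main() {
	up, _ := url.Parse("https://api.example.invalid") // placeholder upstream
	log.Fatal(http.ListenAndServe("127.0.0.1:8089", NewInspectingProxy(up)))
}
```

Binding to 127.0.0.1 keeps the listener off the network, and a body that is oversized or not valid JSON is rejected rather than forwarded uninspected.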