[feature] Portals! (#1484)

* initial stubbing and renaming

* feat: implement tavern/portals/stream package (#1462)

This commit introduces a new package `stream` in `tavern/portals` which provides utilities for handling ordered streams of `portalpb.Mote` messages.

Key features:
- `payloadSequencer`: Handles atomic sequence ID generation and mote creation.
- `OrderedWriter`: Wraps a sender function (like a gRPC stream Send) to automatically sequence and write messages.
- `OrderedReader`: Wraps a receiver function (like a gRPC stream Recv) to reorder incoming messages, handling out-of-order delivery with configurable buffering and stale stream detection.

This package is designed to support both client and server sides of the portal stream.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* refactor reader to use functional API

* Implement PubSub Multiplexer (Mux) (#1466)

* Implement PubSub Multiplexer (Mux) for Portals

- Created `Mux` package in `tavern/internal/portals/mux`.
- Implemented dual-mode operation: In-Memory (for dev) and GCP PubSub (for prod).
- Implemented `CreatePortal` and `OpenPortal` lifecycle methods with resource provisioning.
- Implemented `Publish` and `Subscribe` logic with local broadcasting (fast path) and global PubSub (slow path).
- Added `HistoryBuffer` for message replay.
- Added intelligent topic caching to handle `mempubsub` quirks and improve performance.
- Added Prometheus metrics for observability.
- Verified with comprehensive unit tests using `enttest` and `mempubsub`.

* Implement PubSub Multiplexer (Mux) for Portals

- **Mux Package:** Created `tavern/internal/portals/mux` to route messages between local streams and global PubSub.
- **Dual-Mode Operation:** Implemented support for In-Memory (dev) and GCP PubSub (prod) drivers via `gocloud.dev/pubsub`.
- **Portal Lifecycle:** Added `CreatePortal` and `OpenPortal` methods managing resource provisioning, database records, and subscription lifecycles.
- **Message Routing:** Implemented `Publish` (fast-path local dispatch, slow-path global send) and `Subscribe` (local channel registration).
- **History Management:** Added `HistoryBuffer` in `history.go` for message replay to new subscribers.
- **Concurrency & Robustness:**
    - Handled race conditions in shared subscription creation (`OpenPortal`).
    - Managed `receiveLoop` lifecycle using stored `cancelFuncs`.
    - Added `AlreadyExists` error handling for resource creation.
    - Used `sync.RWMutex` for thread safety (`activeSubs`, `subscribers`, `histMu`).
- **Observability:** Added Prometheus metrics for message counts.
- **Testing:** Comprehensive unit tests covering In-Memory flow, Portal creation, and Portal opening.

* Refactor Mux and Address PR Feedback

- **Structure:** Refactored `Mux` to use composed structs (`SubscriptionManager`, `SubscriberRegistry`, `TopicManager`, `HistoryManager`) for clearer locking semantics.
- **Safety:**
    - Handled race conditions in `CreatePortal` and `OpenPortal` by re-checking state after lock acquisition.
    - Updated `teardown` logic to use `client.Portal.UpdateOneID` for reliability.
    - Standardized on `context.Background()` for shutdown operations to prevent context leaks.
- **Features:**
    - Added `WithSubscriberBufferSize` to configure channel buffers.
    - Added `WithHistoryReplay` option to `Subscribe` for optional history.
    - Added `mux_messages_dropped_total` metric.
- **Concurrency:** Moved global lock handling into granular manager structs to reduce contention.
- **Correctness:** Fixed `CreatePortal` to use task-based lookup for dependencies and removed invalid `portalID` parameter usage in logic (though kept signature for now as per instructions).

Tests passed.

* Implement PubSub Multiplexer (Mux) for Portals

- **Mux Package:** Created `tavern/internal/portals/mux` to route messages between local streams and global PubSub.
- **Dual-Mode Operation:** Implemented support for In-Memory (dev) and GCP PubSub (prod) drivers via `gocloud.dev/pubsub`.
- **Portal Lifecycle:** Added `CreatePortal` and `OpenPortal` methods managing resource provisioning, database records, and subscription lifecycles.
- **Message Routing:** Implemented `Publish` (fast-path local dispatch, slow-path global send) and `Subscribe` (local channel registration).
- **History Management:** Added `HistoryBuffer` in `history.go` for message replay to new subscribers.
- **Concurrency & Robustness:**
    - Handled race conditions in shared subscription creation (`OpenPortal`).
    - Managed `receiveLoop` lifecycle using stored `cancelFuncs`.
    - Added `AlreadyExists` error handling for resource creation.
    - Used composed structs (`SubscriptionManager`, `SubscriberRegistry`) for granular locking.
- **Observability:** Added Prometheus metrics for message counts and dropped messages.
- **Testing:** Comprehensive unit tests covering In-Memory flow, Portal creation, Portal opening, and Benchmarks.

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* both grpc endpoints

* stub out portal-stream package

* Implement portal-stream crate (#1470)

* Implement portal-stream crate with sequencer, reader, and writer logic

- Added `implants/lib/portals/portal-stream` crate.
- Implemented `PayloadSequencer` for atomic sequence ID generation.
- Implemented `OrderedReader` for reordering incoming messages with timeout and buffer handling.
- Implemented `OrderedWriter` for sequencing outgoing messages.
- Added comprehensive unit tests for all components.
- Added crate to `implants` workspace.

* Switch to anyhow for error handling in portal-stream

- Replaced `thiserror` with `anyhow` in `portal-stream`.
- Updated `Cargo.toml` to use `anyhow` from workspace.
- Updated `reader.rs` and tests to use `anyhow::Result` and `anyhow!`.

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* Implement SOCKS5 Proxy using tavern/portals/stream (#1467)

* Implement SOCKS5 proxy with gRPC tunneling

- Added bin/socks5/proxy.go implementing a SOCKS5 proxy server.
- Implemented tunneling over stream.OrderedWriter/Reader.
- Supported TCP CONNECT and UDP ASSOCIATE commands.
- Implemented robust lifecycle management and cleanup.
- Added benchmarks in bin/socks5/proxy_test.go demonstrating high throughput.

* Address PR comments: Refactor writes, defaults, and shutdown tracking

- Refactored raw `conn.Write` calls into named helper functions.
- Changed default upstream port to 8000.
- Added `sync.WaitGroup` to track connection lifecycle.
- Added logging for dropped motes in dispatcher.
- Defined `maxStreamBufferedMessages` constant.

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* Implement Portal Infrastructure in ImixV2 (#1471)

* Implement portal infrastructure in imixv2

- Added `portal-stream` dependency to `imixv2`.
- Updated `Transport` trait to include `create_portal` (async).
- Implemented `create_portal` in `grpc` transport.
- Updated `Agent` trait to include `create_portal`.
- Created `imixv2/src/portal/` module with TCP, UDP, and Bytes support using `portal-stream`.
- Implemented `create_portal` in `ImixAgent`.
- Exposed `create_portal` via `eldritch-libpivot`.
- Updated `portal-stream` to support async writers.

* Implement portal infrastructure in imixv2

- Added `portal-stream` dependency to `imixv2`.
- Updated `Transport` trait to include `create_portal` (async).
- Implemented `create_portal` in `grpc` transport.
- Updated `Agent` trait to include `create_portal`.
- Created `imixv2/src/portal/` module with TCP, UDP, and Bytes support using `portal-stream`.
- Implemented `create_portal` in `ImixAgent`.
- Exposed `create_portal` via `eldritch-libpivot`.
- Updated `portal-stream` to support async writers.
- Updated `run_create_portal` to send initial registration message.

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* some changes

* Add integration test

* Added TRACE Bytes kind

* added trace protos

* Implement Trace Motes for Portals (#1473)

* feat: implement end-to-end trace motes

Implements application-level tracing for Portals infrastructure using the new `tracepb` definitions.

*   **CLI (`bin/socks5`)**:
    *   Added `trace` subcommand to generate trace motes, send them to the server, and print a latency report.
    *   Refactored `proxy.go` to support subcommands.
    *   Added `addTraceEvent` helper for modifying trace motes.

*   **Server (`tavern`)**:
    *   Instrumented `api_open_portal.go` and `api_create_portal.go` to inject trace events at key checkpoints (Recv, Pub, Sub, Send).
    *   Created `trace_helper.go` to share event injection logic.

*   **Agent (`imixv2`)**:
    *   Updated `run.rs` to intercept `BYTES_PAYLOAD_KIND_TRACE` motes.
    *   Implemented logic to add `AGENT_RECV` and `AGENT_SEND` events and immediately echo the mote back.

* added retry to trace

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: KCarretto <[email protected]>

* update flag to --portal

* update buf size

* Update portal API to send keepalive motes (#1472)

- Added keepalive ticker to sendPortalInput loop in api_create_portal.go
- Sends a BYTES_PAYLOAD_KIND_KEEPALIVE mote at regular intervals
- Prevents connection timeouts similar to the reverse shell implementation

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: KCarretto <[email protected]>

* add tokio-console support for imixv2

* Fix SOCKS5 proxy cold start hang by avoiding BiLock on TcpStream (#1476)

Replaced `tokio::io::split(stream)` with `stream.into_split()` in `implants/imixv2/src/portal/tcp.rs`. The former uses a `BiLock` which can cause deadlocks when the read and write halves are accessed concurrently in separate tasks, specifically causing the "cold start" hang where the initial payload might be blocked. `into_split()` returns owned halves that operate independently.

Added a regression test `implants/imixv2/src/tests/repro_issue.rs` to verify the fix.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: KCarretto <[email protected]>

* socks proxy sends registration message now

* socks5 trace must send registration message

* Add E2E Portals Workflow and Playwright Test (#1478)

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: KCarretto <[email protected]>

* cargo fmt

* remove spammy log line

* fix some tests

* add create_portal fake impl

* revert some changes to grpc.rs

* remove grpc explicit sizes

* update socks5 proxy to support auth and portals to support gcp pubsub

* oops

* minor cleanup

* fix tests

* Fix e2e workflow

* use env var for auth

* wait for socks to start before continuing

* Add benchmark tests for cryptocodec (#1485)

Added a new test file `tavern/internal/cryptocodec/cryptocodec_bench_test.go` to measure the throughput of `Encrypt` and `Decrypt` methods in `CryptoSvc`.
Includes benchmarks for both encryption and decryption operations using standard payload sizes.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* Fix race condition in TestPortalIntegration (#1487)

The `TestPortalIntegration` test was flaky and often hung because the Agent would publish messages to the portal before the User had successfully subscribed to the output topic. This resulted in messages being dropped (as evidenced by "message sent to topic with no subscribers" warnings from the in-memory pubsub) and the User reader blocking indefinitely.

This commit replaces the arbitrary `time.Sleep` with a deterministic synchronization mechanism. The User now sends a "ping" message to the Agent immediately after opening the portal. The Agent waits to receive this ping before proceeding. This ensures that the User's portal connection (and thus the underlying pubsub subscription) is fully established before the Agent attempts to send any data.

This reduces test execution time and eliminates the race condition.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* fix proxy upstream address parsing

* minor fixes & cleanup

* fix collapsible if

* cargo fmt

* fix portal workflow

* Add Tavern User Guide for Authentication and API Token (#1501)

* Add documentation for TAVERN_API_TOKEN and portal auth flow

This commit adds a new user guide page for Tavern (`docs/_docs/user-guide/tavern.md`) detailing the purpose of `TAVERN_API_TOKEN`. It clarifies the distinction between this token and the web OAuth token and explains the "portal auth flow" for users SSH'd into remote environments (e.g., Kali VMs) where standard auth port forwarding is not feasible.

* Update TAVERN_API_TOKEN docs: remove non-existent Portal Auth Flow

Per code review feedback, the "Portal Auth Flow" feature does not exist yet. This commit removes that section from the documentation, leaving the explanation of what the token is and when to use it (SSH scenarios).

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* cleanup

* Merge origin/main, resolve conflicts, and fix go generate (#1515)

- Merged changes from origin/main, resolving conflicts in app.go, server.go, and mock transport.
- Updated `golang.org/x/tools` to fix `ent` generation failure ("context without types").
- Re-ran `go generate ./...` to update generated protobuf and ent code.
- Fixed compilation errors in tests due to renamed protobuf enum constants (ActiveTransport_TRANSPORT_HTTP1).

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* Add offline filters (#1505)

* feat(online-offline): Online Offline in progress

* fix(online-offline): Change text

* fix(query): Simplify query

* fix(build): Build UI

* fix(create-quest): Hide filter from create quest

* Add Link entity and update CDN to use link-based file access (#1444)

* Add Link entity and update CDN to use link-based file access

This commit implements a new Link entity system for the CDN:

- Add Link entity schema with:
  - path (unique, default UUIDv4)
  - active_before (timestamp, default epoch 0)
  - active_clicks (int, default 0)
  - edge to File entity (one-to-many relationship)

- Update CDN upload handler to:
  - Create a new Link entity for each uploaded file
  - Return both file ID and link path in response

- Add new CDN link download handler to:
  - Serve files using Link entity path instead of file name
  - Check active_clicks and active_before before serving
  - Decrement active_clicks when file is served
  - Return 404 if link is not active

- Replace CDN route to use link-based downloads:
  - Changes /cdn/ endpoint from file name access to link path access
  - Removes ability to serve tome assets via direct file name
  - Maintains FetchAsset gRPC API for agent communication

- Update dependencies:
  - Upgrade entgo.io/ent from v0.14.1 to v0.14.5
  - Update related dependencies (atlas, sqlite3, tools)

* go generate

* Add mutations

* Clarify docs

* typeable random short string

* Don't create link on upload

* Resolve feedback

---------

Co-authored-by: Claude <[email protected]>

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Squidli <[email protected]>
Co-authored-by: Hulto <[email protected]>
Co-authored-by: Claude <[email protected]>

Author: 5 people

.github/workflows/e2e-portals.yml

@@ -0,0 +1,160 @@
+name: E2E Portals Test 🌀
+
+on:
+  workflow_dispatch: ~
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  e2e_portals_test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+    - uses: actions/checkout@v4
+    - name: ⚡ Setup Golang
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: go.mod
+        cache: true
+
+    - name: Setup Rust
+      uses: dtolnay/rust-toolchain@master
+      with:
+        toolchain: 'stable'
+        default: true
+        profile: minimal
+        components: rustfmt, clippy
+
+    - name: ⚡ Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+        cache: 'npm'
+        cache-dependency-path: tests/e2e/package-lock.json
+
+    - name: 📦 Install System Dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y protobuf-compiler libssl-dev jq
+
+    - name: 🔨 Build Tavern & Socks5
+      run: |
+        go mod download
+        go build -v -o tavern_bin ./tavern
+        go build -v -o socks5_bin ./bin/socks5
+
+    - name: 🚀 Run Tavern
+      env:
+        HTTP_LISTEN_ADDR: ":8000"
+      run: |
+        ./tavern_bin > tavern.log 2>&1 &
+        echo "Waiting for Tavern to start..."
+        # Wait for port 8000
+        timeout 30 sh -c 'until nc -z $0 $1; do sleep 1; done' localhost 8000
+
+    - name: 🤖 Build & Run Agent
+      working-directory: implants/imixv2
+      env:
+        IMIX_CALLBACK_URI: "http://localhost:8000"
+        IMIX_CALLBACK_INTERVAL: 1
+      run: |
+        # Fetch the pubkey and verify it's not empty
+        PUBKEY=$(curl -s http://localhost:8000/status | jq -r .Pubkey)
+        if [ -z "$PUBKEY" ] || [ "$PUBKEY" == "null" ]; then
+          echo "Error: Could not fetch Pubkey from Tavern"
+          exit 1
+        fi
+        export IMIX_SERVER_PUBKEY=$PUBKEY
+        echo "Got pubkey: $IMIX_SERVER_PUBKEY"
+
+        echo "Building imixv2..."
+        cargo build --bin imixv2 --target-dir ./build
+        # Run agent and pipe logs to a file
+        ./build/debug/imixv2 > agent.log 2>&1 &
+
+        # Give the agent a moment to perform the initial handshake
+        echo "Agent started. Waiting for initial callback..."
+        sleep 5
+
+    - name: 🎭 Install Playwright
+      working-directory: tests/e2e
+      run: |
+        npm ci
+        npx playwright install --with-deps chromium
+
+    - name: 🧪 Run Portal Provisioning Test
+      working-directory: tests/e2e
+      run: |
+        npx playwright test tests/portal.spec.ts
+
+    - name: 🔍 Retrieve Portal ID
+      id: get_portal_id
+      run: |
+        QUERY='query { portals { edges { node { id } } } }'
+        # Send GraphQL query to Tavern
+        RESPONSE=$(curl -s -X POST -H "Content-Type: application/json" \
+          -d "{\"query\": \"$QUERY\"}" http://localhost:8000/graphql)
+
+        echo "GraphQL Response: $RESPONSE"
+
+        PORTAL_ID=$(echo $RESPONSE | jq -r '.data.portals.edges[0].node.id')
+
+        if [ -z "$PORTAL_ID" ] || [ "$PORTAL_ID" == "null" ]; then
+          echo "Error: Could not retrieve Portal ID"
+          exit 1
+        fi
+
+        echo "PORTAL_ID=$PORTAL_ID" >> $GITHUB_ENV
+        echo "Retrieved Portal ID: $PORTAL_ID"
+
+    - name: 🌐 Start Socks5 Proxy
+      env:
+        TAVERN_API_TOKEN: ${{ secrets.TEST_TAVERN_API_TOKEN }}
+      run: |
+        ./socks5_bin -portal $PORTAL_ID -listen 127.0.0.1:1080 -upstream 127.0.0.1:8000 &
+        echo "Socks5 Proxy started on port 1080"
+        # Wait for port 1080
+        timeout 30 sh -c 'until nc -z $0 $1; do sleep 1; done' localhost 1080
+
+    - name: 📄 Prepare Mock Data & Server
+      run: |
+        # Generate 1MB random file
+        dd if=/dev/urandom of=test_data.bin bs=1M count=1
+        sha256sum test_data.bin > original_checksum.txt
+        echo "Original Checksum:"
+        cat original_checksum.txt
+
+        # Start Python HTTP Server on port 9000
+        python3 -m http.server 9000 &
+        echo "HTTP Server started on port 9000"
+        sleep 2
+
+    - name: 🔄 Transfer & Verification
+      run: |
+        # Download through proxy
+        curl -v -x socks5://127.0.0.1:1080 -o downloaded_data.bin http://127.0.0.1:9000/test_data.bin
+
+        sha256sum downloaded_data.bin > downloaded_checksum.txt
+        echo "Downloaded Checksum:"
+        cat downloaded_checksum.txt
+
+        # Compare hashes
+        ORIGINAL=$(awk '{print $1}' original_checksum.txt)
+        DOWNLOADED=$(awk '{print $1}' downloaded_checksum.txt)
+
+        if [ "$ORIGINAL" != "$DOWNLOADED" ]; then
+          echo "Error: Checksums do not match!"
+          exit 1
+        fi
+        echo "Success: Data integrity verified."
+
+    - name: 📂 Upload Service Logs
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: e2e-portal-logs
+        path: |
+          tavern.log
+          implants/imixv2/agent.log

.github/workflows/e2e-repl-test.yml

@@ -82,7 +82,7 @@ jobs:
     - name: 🧪 Run E2E Tests
       working-directory: tests/e2e
       run: |
-        npx playwright test
+        npx playwright test tests/repl.spec.ts
     - name: 📂 Upload Service Logs
       if: always() # Runs even if tests fail
       uses: actions/upload-artifact@v4

bin/socks5/auth.go

@@ -0,0 +1,65 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+
+	"google.golang.org/grpc/metadata"
+	"realm.pub/tavern/cli/auth"
+)
+
+// EnvAPIToken is the name of the environment variable to optionally provide an API token
+const EnvAPIToken = "TAVERN_API_TOKEN"
+
+func getAuthToken(ctx context.Context, tavernURL, cachePath string) (auth.Token, error) {
+	if token := os.Getenv(EnvAPIToken); token != "" {
+		return auth.Token(token), nil
+	}
+
+	tokenData, err := os.ReadFile(cachePath)
+	if os.IsNotExist(err) {
+		token, err := auth.Authenticate(
+			ctx,
+			auth.BrowserFunc(
+				func(url string) error {
+					fmt.Printf("\n\nTavern Authentication URL: %s\n\n", url)
+					return nil
+				},
+			),
+			tavernURL,
+		)
+		if err != nil {
+			return auth.Token(""), err
+		}
+
+		if err := os.WriteFile(cachePath, []byte(token), 0640); err != nil {
+			log.Printf("[WARN] Failed to save token to credential cache (%q): %v", cachePath, err)
+		}
+		return token, nil
+	}
+	if err != nil {
+		return auth.Token(""), fmt.Errorf("failed to read credential cache (%q): %v", cachePath, err)
+	}
+
+	log.Printf("Loaded authentication credentials from %q", cachePath)
+	return auth.Token(tokenData), nil
+}
+
+func authGRPCContext(ctx context.Context, upstream string, authCachePath string) context.Context {
+	// Default to http if no scheme provided
+	if !strings.HasPrefix(upstream, "http://") && !strings.HasPrefix(upstream, "https://") {
+		upstream = fmt.Sprintf("http://%s", upstream)
+	}
+
+	token, err := getAuthToken(ctx, upstream, authCachePath)
+	if err != nil {
+		log.Fatalf("authentication failed: %v", err)
+	}
+
+	return metadata.AppendToOutgoingContext(ctx,
+		auth.HeaderAPIAccessToken, string(token),
+	)
+}

bin/socks5/connect.go

@@ -0,0 +1,40 @@
+package main
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/url"
+	"strings"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func connect(upstream string) (*grpc.ClientConn, error) {
+	// Default to http if no scheme set
+	if !strings.HasPrefix(upstream, "https://") && !strings.HasPrefix(upstream, "http://") {
+		upstream = fmt.Sprintf("http://%s", upstream)
+	}
+
+	// Parse host:port to determine if TLS should be used
+	url, err := url.Parse(upstream)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse upstream address: %v", err)
+	}
+
+	// Default to TLS on 443
+	tc := credentials.NewTLS(&tls.Config{})
+
+	// If scheme is http or unset, use insecure credentials and default to port 80
+	if url.Scheme == "http" || url.Scheme == "" {
+		tc = insecure.NewCredentials()
+	}
+
+	conn, err := grpc.NewClient(url.Host, grpc.WithTransportCredentials(tc), grpc.WithWriteBufferSize(maxBuffSize), grpc.WithReadBufferSize(maxBuffSize))
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to upstream: %w", err)
+	}
+
+	return conn, nil
+}

bin/socks5/main.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"os"
+
+	"realm.pub/tavern/portals/portalpb"
+)
+
+const (
+	authCachePath = ".tavern-auth"
+)
+
+func main() {
+	if len(os.Args) > 1 && os.Args[1] == "trace" {
+		traceCommand(os.Args[2:])
+		return
+	}
+
+	proxyCommand()
+}
+
+func proxyCommand() {
+	// Re-parse flags for proxy command since flag.Parse() uses os.Args by default
+	// and we might have skipped "trace".
+	// But since we checked os.Args[1] manually, standard flag.Parse() will fail if we don't adjust os.Args
+	// or create a new FlagSet.
+	// Since the original code used the default flag set, let's stick to that but we need to ensure
+	// trace command doesn't interfere.
+
+	// Actually, best to just use a custom FlagSet for proxy too, or reset os.Args?
+	// The original code used global flags.
+
+	// Let's manually define the proxy flags again using a FlagSet to avoid conflict with `trace` flags if we were to define them globally.
+	fs := flag.NewFlagSet("proxy", flag.ExitOnError)
+	portalID := fs.Int64("portal", 0, "Portal ID")
+	listenAddr := fs.String("listen", "127.0.0.1:1080", "SOCKS5 Listen Address")
+	upstreamAddr := fs.String("upstream", "127.0.0.1:8000", "Upstream gRPC Address")
+
+	// Parse remaining args
+	// If main was called without subcommands, os.Args is [prog, flags...]
+	// If called with `trace`, we handled it.
+	// So just parse os.Args[1:]
+	fs.Parse(os.Args[1:])
+
+	if *portalID == 0 {
+		log.Fatal("portal is required")
+	}
+
+	p := &Proxy{
+		portalID:     *portalID,
+		listenAddr:   *listenAddr,
+		upstreamAddr: *upstreamAddr,
+		streams:      make(map[string]chan *portalpb.Mote),
+	}
+
+	if err := p.Run(); err != nil {
+		log.Fatalf("Proxy failed: %v", err)
+	}
+}