merge with upstream

Author: cristeigabriela

ADOPTERS.md

@@ -17,6 +17,7 @@ We're proud to be used by the most innovative teams around the world! If you're
 | [BforeAI](https://bfore.ai) | [User Story](https://metalbear.com/mirrord/stories/bfore-ai/) |
 | [Utila](https://utila.io) | [User Story](https://metalbear.com/mirrord/stories/utila/) |
 | [Savvy Security](https://www.savvy.security) | [User Story](https://metalbear.com/mirrord/stories/savvy/) |
+| [HM Courts & Tribunal Service](https://www.gov.uk/government/organisations/hm-courts-and-tribunals-service) | [Use Case](https://github.com/hmcts/civil-citizen-ui/blob/master/README.md#development--debugging-environment---preview-with-mirrord) | 
 
 \* Optional: link to a blog post, tweet, internal write-up, or leave blank.
 

CHANGELOG.md

@@ -8,6 +8,70 @@ This project uses [*towncrier*](https://towncrier.readthedocs.io/) and the chang
 
 <!-- towncrier release notes start -->
 
+## [3.174.0](https://github.com/metalbear-co/mirrord/tree/3.174.0) - 2025-11-20
+
+
+### Added
+
+- Added HM Courts & Tribunal Service to ADOPTERS.md.
+- Added a new option under `mirrord ci start` to run the binary and wait for it
+  to complete.
+
+
+### Changed
+
+- Allow an overlap in the configuration for `incoming.ports` and
+  `incoming.http_filter.ports`.
+
+
+### Fixed
+
+- Fixed minor edge case where intproxy might hit code that's supposed to be
+  unreachable and panic
+  [#intproxy-panic](https://github.com/metalbear-co/mirrord/issues/intproxy-panic)
+- Fixed a DNS regression that happens when user's DNS library bind their
+  outgoing
+  socket to unspecified address before send UDP message to the nameserver.
+
+## [3.173.2](https://github.com/metalbear-co/mirrord/tree/3.173.2) - 2025-11-18
+
+
+### Changed
+
+- Exclude `GOPATH` and `GOMODCACHE` from env fetched
+
+## [3.173.1](https://github.com/metalbear-co/mirrord/tree/3.173.1) - 2025-11-16
+
+
+### Internal
+
+- Add cleanup of unnecessary items in CI builder for docker builds.
+  [#add-cleanup-before-docker-build](https://github.com/metalbear-co/mirrord/issues/add-cleanup-before-docker-build)
+
+## [3.173.0](https://github.com/metalbear-co/mirrord/tree/3.173.0) - 2025-11-16
+
+
+### Changed
+
+- Update `experimental.non_blocking_tcp_connect` config default to `false`.
+
+
+### Fixed
+
+- Fixed the security advisories of the config's template engine by updating it
+  to the newest version
+  [#3657](https://github.com/metalbear-co/mirrord/issues/3657)
+
+
+### Internal
+
+- Fix the way release script gets workspace version.
+- Kubernetes-related packages have been removed from the devshell, they should
+  be installed system-wide instead.
+- Use the pip from the setup action, not the one preinstalled on the runner.
+- make CI workflow trigger for PRs targeted to `windows-support` branch
+  (windows main)
+
 ## [3.172.0](https://github.com/metalbear-co/mirrord/tree/3.172.0) - 2025-11-06
 
 

CONTRIBUTING.md

@@ -17,6 +17,7 @@ Make sure to take a look at the project's [style guide](STYLE.md).
 - [Adding new target types](#adding-new-target-types)
 - [Testing the release workflow](#testing-the-release-workflow)
 - [Architecture](#architecture)
+- [Release mirrord](#release-mirrord)
 
 # Getting Started
 
@@ -660,7 +661,7 @@ Add a changelog file in `changelog.d/` named `<identifier>.<category>.md`
 **Category:**
 Check `towncrier.toml` for available categories (`added`, `changed`, `fixed`, etc.) and choose the one that fits your change.
 
-## Architecture
+# Architecture
 
 A high level view of mirrord.
 
@@ -755,3 +756,27 @@ flowchart TB
     style Pod fill:#e6ffe6,stroke:#006600,stroke-width:2px
     style Binary fill:#f9f9f9,stroke:#333,stroke-width:2px
 ```
+
+# Release mirrord
+
+## Release PR
+
+1. Create a new branch named after the new version, e.g. `3.333.0`. This will trigger additional CI jobs.
+2. On the new branch, bump the workspace version in `Cargo.toml` and run `cargo update -w` to update `Cargo.lock`.
+3. Generate the changelog with: `towncrier build --version <new-version>`.
+4. Review the generated changelog and fix any issues or typos.
+5. Push the release branch and open a PR.
+
+**Note:** All the steps above can also be completed by running: `./scripts/release.sh 3.333.0`.
+Before running the script, ensure there are no uncommitted changes in your repository.
+
+## Create a new GitHub release
+
+1. After the release PR is merged, create a new GitHub release with a new tag. Use the new version for both 
+   the tag name and the release title. Use the changelog from the release PR as the release description, 
+   excluding the `Internal` section if present.
+
+   **Note**: Ensure the tag is attached to the release commit.
+
+2. Creating the release will trigger the `Release` workflow, which builds and publishes all artifacts, including images.
+3. When the `Release` workflow completes successfully, update the relevant environment variables in the analytics server.

Cargo.toml

@@ -36,7 +36,7 @@ resolver = "2"
 # latest commits on rustls suppress certificate verification
 [workspace.package]
 edition = "2024"
-version = "3.173.1"
+version = "3.174.0"
 license = "MIT"
 readme = "README.md"
 repository = "https://github.com/metalbear/mirrord"
@@ -116,6 +116,10 @@ fancy-regex = { version = "0.14" }
 enum_dispatch = "0.3"
 dotenvy = "0.15"
 
+# Used by `agent`, `protocol`
+serde_json_path = "0.7.2"
+serde_json_path_macros = "0.1.6"
+
 # If you update `hyper`, check that `h2` version is compatible in `intproxy/Cargo.toml`.
 # There is a test for this: `cargo test -p mirrord-intproxy hyper_and_h2_versions_in_sync`
 hyper = { version = "1", features = ["full"] }
@@ -203,7 +207,7 @@ fs4 = { version = "0.13", features = ["tokio"], default-features = false }
 # Used by `cli`, `sip`
 hex = "0.4"
 
-# Used by `config`, `protocol`.
+# Used by `config`, `protocol`, `agent`
 strum = "0.27.1"
 strum_macros = "0.27.1"
 

changelog.d/+dont-ansi-console-log-output.changed.md

@@ -0,0 +1 @@
+Change tracing to not emit ansi format logs in the terminal

changelog.d/+json-body-filters.added.md

@@ -0,0 +1 @@
+Added support for filtering incoming HTTP requests by running JSONPath queries on the body and matching the results against a regex.

changelog.d/+release-doc.internal.md

@@ -0,0 +1 @@
+Added release guide in CONTRIBUTING.md.

mirrord-schema.json

@@ -306,7 +306,7 @@
       "additionalProperties": false
     },
     "AgentFileConfig": {
-      "description": "Configuration for the mirrord-agent pod that is spawned in the Kubernetes cluster.\n\n**Note:** this configuration is ignored when using the mirrord Operator. Agent configuration is done by the cluster admin.\n\nWe provide sane defaults for this option, so you don't have to set up anything here.\n\n```json { \"agent\": { \"log_level\": \"info\", \"json_log\": false, \"namespace\": \"default\", \"image\": \"ghcr.io/metalbear-co/mirrord:latest\", \"image_pull_policy\": \"IfNotPresent\", \"image_pull_secrets\": [ { \"secret-key\": \"secret\" } ], \"ttl\": 30, \"ephemeral\": false, \"communication_timeout\": 30, \"startup_timeout\": 360, \"network_interface\": \"eth0\", \"flush_connections\": false, \"exclude_from_mesh\": false \"inject_headers\": false, } } ```",
+      "description": "Configuration for the mirrord-agent pod that is spawned in the Kubernetes cluster.\n\n**Note:** this configuration is ignored when using the mirrord Operator. Agent configuration is done by the cluster admin.\n\nWe provide sane defaults for this option, so you don't have to set up anything here.\n\n```json { \"agent\": { \"log_level\": \"info\", \"json_log\": false, \"namespace\": \"default\", \"image\": \"ghcr.io/metalbear-co/mirrord:latest\", \"image_pull_policy\": \"IfNotPresent\", \"image_pull_secrets\": [ { \"secret-key\": \"secret\" } ], \"ttl\": 30, \"ephemeral\": false, \"communication_timeout\": 30, \"startup_timeout\": 360, \"network_interface\": \"eth0\", \"flush_connections\": false, \"exclude_from_mesh\": false \"inject_headers\": false, \"max_body_buffer_size\": 65535, \"max_body_buffer_timeout\": 1000 } } ```",
       "type": "object",
       "properties": {
         "annotations": {
@@ -450,6 +450,26 @@
             "null"
           ]
         },
+        "max_body_buffer_size": {
+          "title": "agent.max_body_buffer_size {#agent-max_body_buffer_size}",
+          "description": "Maximum size, in bytes, of HTTP request body buffers. Used for temporarily storing bodies of incoming HTTP requests to run body filters. HTTP body filters will not match any requests with bodies larger than this.",
+          "type": [
+            "integer",
+            "null"
+          ],
+          "format": "uint32",
+          "minimum": 0.0
+        },
+        "max_body_buffer_timeout": {
+          "title": "agent.max_body_buffer_timeout {#agent-max_body_buffer_timeout}",
+          "description": "Maximum timeout, in milliseconds, for receiving HTTP request bodies. HTTP body filters will not match any requests whose bodies do not arrive within this timeout.",
+          "type": [
+            "integer",
+            "null"
+          ],
+          "format": "uint32",
+          "minimum": 0.0
+        },
         "metrics": {
           "title": "agent.metrics {#agent-metrics}",
           "description": "Enables prometheus metrics for the agent pod.\n\nYou might need to add annotations to the agent pod depending on how prometheus is configured to scrape for metrics.\n\n```json { \"agent\": { \"metrics\": \"0.0.0.0:9000\" } } ```",
@@ -615,6 +635,34 @@
         }
       }
     },
+    "BodyFilter": {
+      "oneOf": [
+        {
+          "title": "feature.network.incoming.inner_filter.body_filter.json {#feature-network-incoming-inner-body-filter-json}",
+          "description": "Tries to parse the body as a JSON object and find (a) matching subobjects(s).\n\n`query` should be a valid JSONPath (RFC 9535) query string. `matches` should be a regex. Supports regexes validated by the [`fancy-regex`](https://docs.rs/fancy-regex/latest/fancy_regex/) crate\n\nExample: ```json \"http_filter\": { \"body_filter\": { \"body\": \"json\", \"query\": \"$.library.books[*]\", \"matches\": \"^\\\\d{3,5}$\" } } ``` will match ```json { \"library\": { \"books\": [ 34555, 1233, 234 23432 ] } } ```\n\nThe filter will match if there is at least one query result.\n\nNon-string matches are stringified before being compared to the regex. To filter query results by type, the `typeof` [function extension](https://www.rfc-editor.org/rfc/rfc9535.html#name-function-extensions) is provided. It takes in a single `NodesType` parameter and returns `\"null\" | \"bool\" | \"number\" | \"string\" | \"array\" | \"object\"`, depending on the type of the argument. If not all nodes in the argument have the same type, it returns `nothing`.\n\nExample:\n\n```json \"body_filter\": { \"body\": \"json\", \"query\": \"$.books[?(typeof(@) == 'number')]\", \"matches\": \"4$\" } ``` will match\n\n```json { \"books\": [ 1111, 2222, 4444 ] } ```\n\nbut not\n\n```json { \"books\": [ \"1111\", \"2222\", \"4444\" ] } ```\n\nTo use with with `all_of` or `any_of`, use the following syntax: ```json \"http_filter\": { \"all_of\": [ { \"path\": \"/buildings\" }, { \"body\": \"json\", \"query\": \"$.library.books[*]\", \"matches\": \"^\\\\d{3,5}$\" } ] } ```",
+          "type": "object",
+          "required": [
+            "body",
+            "matches",
+            "query"
+          ],
+          "properties": {
+            "body": {
+              "type": "string",
+              "enum": [
+                "json"
+              ]
+            },
+            "matches": {
+              "type": "string"
+            },
+            "query": {
+              "type": "string"
+            }
+          }
+        }
+      ]
+    },
     "CiFileConfig": {
       "description": "Configuration for mirrord for CI.\n\n```json { \"ci\": { \"output_dir\": \"/tmp/mirrord/\", } } ```",
       "type": "object",
@@ -1493,6 +1541,18 @@
             "$ref": "#/definitions/InnerFilter"
           }
         },
+        "body_filter": {
+          "title": "feature.network.incoming.http_filter.body_filter {#feature-network-incoming-http-body-filter}",
+          "description": "Matches the request based on the contents of its body. Currently only JSON body filtering is supported.",
+          "anyOf": [
+            {
+              "$ref": "#/definitions/BodyFilter"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
         "header_filter": {
           "title": "feature.network.incoming.http_filter.header_filter {#feature-network-incoming-http-header-filter}",
           "description": "Supports regexes validated by the [`fancy-regex`](https://docs.rs/fancy-regex/latest/fancy_regex/) crate.\n\nThe HTTP traffic feature converts the HTTP headers to `HeaderKey: HeaderValue`, case-insensitive.",
@@ -1767,6 +1827,15 @@
               "type": "string"
             }
           }
+        },
+        {
+          "title": "feature.network.incoming.inner_filter.body_filter {#feature-network-incoming-inner-body-filter}",
+          "description": "Matches the request based on the contents of its body. Currently only JSON body filtering is supported.",
+          "allOf": [
+            {
+              "$ref": "#/definitions/BodyFilter"
+            }
+          ]
         }
       ]
     },

mirrord/agent/Cargo.toml

@@ -74,10 +74,14 @@ axum = { version = "0.7", features = ["macros"] }
 rawsocket = { git = "https://github.com/metalbear-co/rawsocket.git", rev = "86bba7dbe971e166d5153227dd0099fe47da4489" }
 procfs = "0.17.0"
 rcgen.workspace = true
+serde_json_path.workspace = true
+serde_json_path_macros.workspace = true
+strum_macros.workspace = true
 
 [target.'cfg(target_os = "linux")'.dev-dependencies]
 pem.workspace = true
 rcgen.workspace = true
 reqwest.workspace = true
 rstest.workspace = true
 tempfile.workspace = true
+rand.workspace = true

mirrord/agent/env/src/envs.rs

@@ -83,3 +83,10 @@ pub const IDDLE_TTL: CheckedEnv<u64> = CheckedEnv::new("MIRRORD_AGENT_IDLE_TTL")
 /// Sets whether `Mirrord-Agent` headers are injected into HTTP
 /// responses that went through the agent.
 pub const INJECT_HEADERS: CheckedEnv<bool> = CheckedEnv::new("MIRRORD_AGENT_INJECT_HEADERS");
+
+/// Sets the max size (in bytes) for bodies buffered for body filters.
+pub const MAX_BODY_BUFFER_SIZE: CheckedEnv<u32> = CheckedEnv::new("MIRRORD_MAX_BODY_BUFFER_SIZE");
+
+/// Sets how long to wait (in milliseconds) to receive the entire body for body filters.
+pub const MAX_BODY_BUFFER_TIMEOUT: CheckedEnv<u32> =
+    CheckedEnv::new("MIRRORD_MAX_BODY_BUFFER_TIMEOUT");