feat(cloak): wire cloak into the deploy path for windows* deckies

Base containers whose nmap_os has a mangle profile now build the cloak image (FROM the per-decky distro), ship the light decnet subtree, and run 'python -m decnet.cloak' alongside holding the MACVLAN IP — netns-safe (cloak backgrounded behind 'exec sleep infinity' so a cloak crash never tears down the base/netns). composer injects build/command/NET_RAW/env (DECNET_NMAP_OS, DECNET_OPEN_PORTS, DECKY_IP); deployer._sync_cloak_sources syncs the subtree; non-windows deckies are unchanged. Mangler signal-guarded for thread use; entry runs mangler in main thread, responder as daemon. Verified live: real path makes nmap -O read 'Microsoft Windows Server 2012/2016' with handshakes intact.
2026-06-20 00:22:38 -04:00
parent f715ac6bcd
commit 402c1ef7a2
8 changed files with 258 additions and 13 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -40,6 +40,9 @@ dependencies = [
    # `alembic upgrade head` at boot for managed DBs (see db/migrate.py).
    "alembic>=1.13",
    "scapy>=2.6.1",
+    # cloak egress mangler (NFQUEUE); Linux-only, lazy-imported so absence on
+    # dev/CI/non-Linux is tolerated (decnet.cloak only needs it at run()).
+    "netfilterqueue>=1.1.0 ; sys_platform == 'linux'",
    "orjson>=3.10",
    "cryptography>=48.0.1",
    "python-multipart>=0.0.31",