The `Session.newAndroid` constructor can throw an exception.
Unfortunately, the Kotlin compiler didn't warn us about that and thus,
any errors when creating a new session caused the service process to
crash.
We fix this by wrapping the entire thing in a `try-catch-finally` block.
Resolves: #10289
As far as I can tell, the `async_runtime` config option doesn't exist in
UniFFI, hence we remove that.
Whilst going through the UniFFI docs, I also noticed that there is a
specific flag about Android that we can toggle on. Effectively, this
uses the shared
[`SystemCleaner`](https://developer.android.com/reference/android/system/SystemCleaner)
instead of a per-thread one which is supposed to be more performant.
Finally, using immutable records seems like a good idea as mutating any
FFI-originated field is not going to be reflected in connlib's state.
Preventing that at compile-time has a good chance of reducing bugs.
This code appears to be configured out in CI and thus we don't run
clippy there. My IDE pointed these out however so it seems fair enough
to fix them. It is just unnecessary references, doesn't actually have an
impact on the functionality.
First in a series of new monthly devlog posts to summarize what we've
shipped over the previous month.
Intentionally detailed and engineering focused - added a new
`Engineering` section to the blog.
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
For working on the Android app, we need an installation of the JDK.
Currently, that is being installed separately in CI. We already have
`.tool-versions` which is designed to take care of this so we add
OpenJDK 17 to the list of required tools and remove the dedicated CI
step.
Bumps [framer-motion](https://github.com/motiondivision/motion) from
12.23.12 to 12.23.18.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/motiondivision/motion/blob/main/CHANGELOG.md">framer-motion's
changelog</a>.</em></p>
<blockquote>
<h2>[12.23.18] 2025-09-19</h2>
<h3>Fixed</h3>
<ul>
<li><code><motion /></code> components now support changing
<code>ref</code> prop.</li>
</ul>
<h2>[12.23.17] 2025-09-19</h2>
<h3>Fixed</h3>
<ul>
<li>Ensure <code>animate()</code> <code>onComplete</code> only fires
once, when all values are complete.</li>
</ul>
<h2>[12.23.16] 2025-09-19</h2>
<h3>Fixed</h3>
<ul>
<li>Fixing <code>ref</code> when passed to a child of
<code>AnimatePresence</code> in <code>"popLayout"</code>
mode.</li>
</ul>
<h2>[12.23.15] 2025-09-18</h2>
<h3>Fixed</h3>
<ul>
<li>Fixing <code>export *</code> error in RSC.</li>
</ul>
<h2>[12.23.14] 2025-09-17</h2>
<h3>Fixed</h3>
<ul>
<li>Fixing types of <code>Reorder.Item</code> and
<code>Reorder.Group</code> so incorrect HTML props are correctly
flagged.</li>
<li>Reverting rehydration of <code>externalRef</code> when it
switches.</li>
</ul>
<h2>[12.23.13] 2025-09-16</h2>
<h3>Fixed</h3>
<ul>
<li>Fixed issue where motion components don't update refs when
externalRef changes. The <code>useMotionRef</code> function now properly
includes <code>externalRef</code> in the dependency array to ensure ref
callbacks update when the external ref changes.</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Stopped tracking yarn cache in the repo.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ffe5182684"><code>ffe5182</code></a>
v12.23.18</li>
<li><a
href="b4f71424c0"><code>b4f7142</code></a>
Adding changelog csv script</li>
<li><a
href="4c3cc17b37"><code>4c3cc17</code></a>
Merge pull request <a
href="https://redirect.github.com/motiondivision/motion/issues/3374">#3374</a>
from motiondivision/fix/handle-external-ref</li>
<li><a
href="1800f34159"><code>1800f34</code></a>
Fixing changed external ref</li>
<li><a
href="7d11517d3a"><code>7d11517</code></a>
v12.23.17</li>
<li><a
href="b2e348812f"><code>b2e3488</code></a>
Updating changelog</li>
<li><a
href="990686d31c"><code>990686d</code></a>
Refactor</li>
<li><a
href="9182d2c5dd"><code>9182d2c</code></a>
Merge pull request <a
href="https://redirect.github.com/motiondivision/motion/issues/3343">#3343</a>
from rortan134/fix-3337</li>
<li><a
href="063d9b1158"><code>063d9b1</code></a>
Merge branch 'main' into fix-3337</li>
<li><a
href="13129dad58"><code>13129da</code></a>
v12.23.16</li>
<li>Additional commits viewable in <a
href="https://github.com/motiondivision/motion/compare/v12.23.12...v12.23.18">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
from 24.3.0 to 24.5.2.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@next/mdx](https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx)
from 15.3.3 to 15.5.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/next.js/releases"><code>@next/mdx</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v15.5.3</h2>
<blockquote>
<p>[!NOTE]<br />
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>fix: validation return types of pages API routes (<a
href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/83069">#83069</a>)</li>
<li>fix: relative paths in dev in validator.ts (<a
href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/83073">#83073</a>)</li>
<li>fix: remove satisfies keyword from type validation to preserve old
TS compatibility (<a
href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/83071">#83071</a>)</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/bgub"><code>@bgub</code></a> for helping!</p>
<h2>v15.5.1-canary.39</h2>
<h3>Core Changes</h3>
<ul>
<li>[metadata] change the metadata routes params to promises: <a
href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/83560">#83560</a></li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/huozhi"><code>@huozhi</code></a> for
helping!</p>
<h2>v15.5.1-canary.38</h2>
<h3>Core Changes</h3>
<ul>
<li>Ignore unhandledRejection events for promises that reject after a
React render aborts: <a
href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/83590">#83590</a></li>
<li>Update font data: <a
href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/83631">#83631</a></li>
<li>[dev] Serve static metadata from filesystem: <a
href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/83460">#83460</a></li>
</ul>
<h3>Misc Changes</h3>
<ul>
<li>Turbopack: run NFT unit test: <a
href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/83233">#83233</a></li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/gnoff"><code>@gnoff</code></a>, <a
href="https://github.com/vercel-release-bot"><code>@vercel-release-bot</code></a>,
<a
href="https://github.com/devjiwonchoi"><code>@devjiwonchoi</code></a>,
and <a href="https://github.com/mischnic"><code>@mischnic</code></a>
for helping!</p>
<h2>v15.5.1-canary.37</h2>
<h3>Core Changes</h3>
<ul>
<li>Development: Make 'ready in' 195ms faster: <a
href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/83628">#83628</a></li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/timneutkens"><code>@timneutkens</code></a> for
helping!</p>
<h2>v15.5.1-canary.36</h2>
<h3>Core Changes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="07d1cbc9c6"><code>07d1cbc</code></a>
v15.5.3</li>
<li><a
href="497ec6aa08"><code>497ec6a</code></a>
v15.5.2</li>
<li><a
href="cc68ced552"><code>cc68ced</code></a>
v15.5.1</li>
<li><a
href="7e08c8223d"><code>7e08c82</code></a>
v15.5.0</li>
<li><a
href="8f6d345d2d"><code>8f6d345</code></a>
v15.4.2-canary.56</li>
<li><a
href="e3e21977ed"><code>e3e2197</code></a>
v15.4.2-canary.55</li>
<li><a
href="a745826b2c"><code>a745826</code></a>
v15.4.2-canary.54</li>
<li><a
href="bec38efdb6"><code>bec38ef</code></a>
v15.4.2-canary.53</li>
<li><a
href="97dbf5f2e1"><code>97dbf5f</code></a>
v15.4.2-canary.52</li>
<li><a
href="9934b3788a"><code>9934b37</code></a>
v15.4.2-canary.51</li>
<li>Additional commits viewable in <a
href="https://github.com/vercel/next.js/commits/v15.5.3/packages/next-mdx">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
In the spirit of making Firezone as robust as possible, we make the FFI
calls infallible and complete as much of the task as possible. For
example, we don't fail `setDns` entirely just because we cannot parse a
single DNS server's IP.
Resolves: #10611
Why:
* In previous commits, the portal code had been updated to use hard
deletion rather than soft deletion of data. The fields used in the soft
deletion were still kept in the DB and the code to allow for zero
downtime rollout and an easy rollback if necessary. To continue with
that work the portal code has now been updated to remove any reference
to the soft deleted fields (e.g. deleted_at, persistent_id, etc...).
While the code has been updated the actual data in the DB will need to
remain for now, to once again allow for a zero downtime rollout. Once
this commit has been deployed to production another PR can follow to
remove the columns from the necessary tables in the DB.
Related: #8187
This is a follow-up from #10368 where we revise the forwarding logic in
`runSessionEventLoop`. Redundant logs are removed and the only exit
conditions from the event-loop are now the closing of either the event
or the command stream. The event-stream will only close once `connlib`
has successfully shut down and the command stream will only close of the
adapter shuts down (and thus drops the sender-side of the channel).
With the introduction of the DNS cache for Clients in #10533, we now
enable a behaviour where we don't necessarily need to establish a
connection to a Gateway to resolve a DNS query if we still have a valid
entry in the DNS cache. In particular, the proptests discovered that:
- a DNS query for an upstream resolver
- which happens to be a resource
- and has a valid entry in the DNS cache
- but (no longer) a connection to the corresponding Gateway
will now serve the cached DNS records instead of establishing a new
connection to the Gateway. As a result, the site status which we assert
in the proptests remains in "unknown" instead of the expected "online".
Modelling the caching behaviour in the tests is rather tedious. To avoid
that, we set the TTL of all simulated upstream DNS responses to 1 which
effectively bypasses the cache. Whilst not an ideal solution, it ensures
that CI is consistently green without flaky tests. The DNS cache itself
is already unit-tested.
Apple's [docs
state](https://developer.apple.com/documentation/networkextension/nepackettunnelprovider/starttunnel(options:completionhandler:)#Discussion)
that we should only call the PacketTunnelProvider's `completionHandler`
once the tunnel is ready to route packets. Calling it prematurely, while
shouldn't cause packets to get routed to us (we haven't added the routes
yet), will however cause the system to think our VPN is "online", which
disconnects other VPNs and communicates to the user Firezone is
"connected".
If the portal is then slow to send us the init, we will be stuck in this
quasi-connected state for more than a brief moment of time.
To fix this, we thread `completionHandler` through to `Adapter` and call
this if we are configuring the tun interface for the first time. This
way, we remain in the `connecting` state until the tunnel is fully
configured.
On macOS, because it uses the System Extension packaging type, the
lifecycle of the tunnel provider process is not tied directly to
connlib's session start and end, but rather managed by the system. The
process is likely running at all times, even when the GUI is not open or
signed in.
The system will start the provider process upon the first IPC call to
it, which allocates a `utun` interface. The tricky part is ensuring this
interface gets removed when the GUI app quits. Otherwise, it's likely
that upon the next launch of the GUI app, the system will allocate a
_new_ utun interface, and the old one will linger until the next system
reboot.
Here's where things get strange. The system will only remove the `utun`
interface when stopping the tunnel under the following conditions:
- The provider is currently not in a `disconnected` state (so it needs
to be in `reasserting`, `connecting`, or `connected`
- The GUI side has called `stopTunnel`, thereby invoking the provider's
`stopTunnel` override function, or
- The provider side has called `cancelTunnelWithError`, or
- The `startTunnel`'s completionHandler is called with an `Error`
The problem we had is that we make various IPC calls throughout the
lifecycle of the GUI app, for example, to gather logs, set tunnel
configuration, and the like. If the GUI app was _not_ in a connected
state when the user quit, the `utun` would linger, even though we were
issuing a final `stopTunnel` upon quit in all circumstances.
To fix the issue, we update the dry run `startTunnel` code path we added
previously in two ways:
1. We add a `dryRun` error type to the `startTunnel`'s completionHandler
2. We implement the GUI app `applicationShouldTerminate` handler in
order to trigger one final dryRun which briefly moves the provider to a
connected state so the system will clean us up when its
completionHandler is invoked.
Tested under the following conditions:
- Launch app in a signed-out state -> quit
- Launch app in a signed-out state -> sign in -> quit
- Launch app in a signed-out state -> sign in -> sign out -> quit
- Launch app in a signed-in state -> quit
- Launch app in a signed-in state -> sign out -> quit
Notably, if the GUI app is killed with `SIGKILL`, our terminate hook is
_not_ called, and the utun lingers. We'll have to accept this edge case
for now.
Along with the above, the janky `consumeStopReason` mechanism has been
removed in favor of NE's `cancelTunnelWithError` to pass the error back
to the GUI we can then use to show the signed out alert.
Fixes#10580
Similar to how resources can be edited to change their address, IP stack
or other properties, they can also be moved between different sites.
Currently, `connlib` requires the portal to explicitly remove the
resource and then re-add it for this to work.
Our system gets more robust if we also detect that the sites of a
resource have changed and handle it like other addressability changes.
To ensure that this works correctly, we also extend the proptests to
simulate addressability changes of resources.
Resolves: #9881
Related: #10593
To generate the UniFFI bindings, we don't actually need to be on an
Apple device. To make cross-platform development a bit easier, we
extract the binding generation step into the Makefile.
Bumps the firebase-bom from 33.16.0 to 34.4.0 and fixes an issue due to
some of the bundled libraries changing. Namely, all of the `ktx`
libraries (representing Kotlin versions) have been included in the core
libraries and `ktx` is no longer a thing.
Supersedes #10558
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
This PR creates the necessary CI infrastructure to copy `.deb` packages
from releases to our APT repository. Re-generation of the index is
separated out into a dedicated workflow to avoid concurrency issues and
so we can re-generate it without making a release.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
When Okta returned a 4xx status code from the API, we had updated error
handler to grab the errors from body or headers and return these.
However, the caller was expecting an explicit empty string for 401 and
403 errors in order to trigger the email send behavior.
Since that wasn't being matched, we were logging the error internally
only, and continuing to retry the sync indefinitely without sending the
user an email.
Fixes#8744Fixes#9825
In order to support flow logs, we need to associate each IP packet that
gets routed with its corresponding resource ID. Currently, we only track
what is necessary for the actual routing behaviour: The IP addresses and
the filters. Therefore, we extend the data structures in `peer` to also
track the `ResourceId` now.
The entire code within `peer` became a bit hard to manage so I took this
opportunity to split it out into two dedicated modules.
This PR forms the base for recording flows logs in #10576.
Jitter causes packets to get re-ordered which makes it really hard to
get predictable performance results. With jitter disabled, we get more
consistent performance numbers.
In #10554, we added a syncing mechanism that would copy all link-scoped
routes of the `main` routing table over to the Firezone routing table.
Routes for interfaces that are currently offline cannot be added and
cause a netlink error of "Invalid argument".
To prevent unnecessary warnings from being logged to Sentry, we retrieve
the link state of each interface and skip routes for interfaces are not
online.
This PR eliminates JSON-based communication across the FFI boundary,
replacing it with proper
uniffi-generated types for improved type safety, performance, and
reliability. We replace JSON string parameters with native uniffi types
for:
- Resources (DNS, CIDR, Internet)
- Device information
- DNS server lists
- Network routes (CIDR representation)
Also, get rid of JSON serialisation in Swift client IPC in favour of
PropertyList based serialisation.
Fixes: https://github.com/firezone/firezone/issues/9548
---------
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Apparently if we set the CFBundleDisplayName we hint by default that
we *do* want to show it on newer macOS versions.
This seems to have been uncovered by Xcode 26 build recently.
Fixes#10579
We'll be using a consistent `artifacts` storage account for these built
binaries, so we've renamed the container to `binaries`.
The apt packages would be under the `apt` container at
`artifacts.firezone.dev/apt/` accordingly.
Related: firezone/infra#182
