Merge pull request #652 from CyberMind-FR/feature/651-perf-toolbox-649-follow-up-broaden-splic

perf(toolbox): #649 follow-up — broaden splice seed + trustworthy per-worker stats + admin toggle, flip on

packages/secubox-toolbox/conf/tls-splice-seed.conf

@@ -12,4 +12,29 @@ twimg.com            # Twitter / X media
 licdn.com            # LinkedIn media
 sndcdn.com           # SoundCloud audio
 scdn.co              # Spotify audio
+pscdn.co             # Spotify audio/podcast CDN
+audio-ak-spotify-com.akamaized.net  # Spotify audio (akamai shard)
 mzstatic.com         # Apple media / artwork
+# ── #651 broaden : more clearly-media/asset CDNs (video/image/audio only) ──
+googleusercontent.com  # Google user-uploaded media (photos/drive thumbs)
+gvt1.com             # Google video/large-asset delivery
+ytimg.l.google.com   # YouTube image edge
+pinimg.com           # Pinterest images
+redditstatic.com     # Reddit static assets
+redditmedia.com      # Reddit media
+i.redd.it            # Reddit images (NOT bare redd.it — that 301s to HTML pages)
+v.redd.it            # Reddit video
+i.imgur.com          # Imgur images (NOT apex imgur.com — that's a browse site)
+media.giphy.com      # Giphy media (NOT apex giphy.com — that's the site)
+vimeocdn.com         # Vimeo video/thumbnails
+tiktokcdn.com        # TikTok video/media
+ttwstatic.com        # TikTok static media
+muscdn.com           # TikTok (ByteDance) media CDN
+phinf.pstatic.net    # Naver media shard (NOT broad pstatic.net umbrella)
+twitchcdn.net        # Twitch video
+ttvnw.net            # Twitch video/static
+jtvnw.net            # Twitch emotes/static
+phncdn.com           # large video CDN
+dmcdn.net            # Dailymotion video
+# NOTE: akamaihd.net intentionally NOT seeded — shared multi-tenant edge, not
+# media-guaranteed; let autolearn promote it only if it proves never-HTML.

packages/secubox-toolbox/debian/changelog

@@ -1,3 +1,17 @@
+secubox-toolbox (2.6.55-1~bookworm1) bookworm; urgency=medium
+
+  * perf(#651): broaden the media SNI-splice seed (11 → 35 video/image/audio
+    CDNs: reddit/imgur/giphy/vimeo/tiktok/twitch/dailymotion/pornhub/spotify…,
+    still media-only) so more heavy flows splice once armed.
+  * fix(#651): per-worker stats — the 4 mitm-wg workers each write
+    /run/secubox/splice.<port>.json instead of clobbering one shared file
+    (was undercounting); dropped the dead `mitm` counter.
+  * #651: helpful console feedback — one INFO summary line per ~5 s flush
+    (`tls-splice[<port>] mode=… spliced=N would_splice=M`) + a per-splice DEBUG
+    line, visible in journalctl for the mitm-wg workers.
+
+ -- Gerald KERMA <devel@cybermind.fr>  Thu, 18 Jun 2026 15:30:00 +0200
+
 secubox-toolbox (2.6.54-1~bookworm1) bookworm; urgency=medium
 
   * feat(#649): selective SNI-splice (Lever A). New tls_splice addon (first in

packages/secubox-toolbox/mitmproxy_addons/tls_splice.py

@@ -37,9 +37,14 @@ LEARNED_PATH = os.environ.get("SECUBOX_SPLICE_LEARNED",
                               "/var/lib/secubox/toolbox/splice-learned.txt")
 PURE_PATH = os.environ.get("SECUBOX_PURE_TRACKERS",
                            "/var/lib/secubox/toolbox/pure-trackers.txt")
-STATS = "/run/secubox/splice.json"
+# #651 — per-worker stats file. The 4 mitm-wg workers are separate processes;
+# a single shared splice.json was clobbered last-writer-wins (undercount). Key
+# the file by this worker's listen port so each writes its own, and a reader
+# sums splice.*.json. Falls back to a plain name for the legacy single process.
+_PORT = os.environ.get("MITM_WG_LISTEN_PORT", "")
+STATS = "/run/secubox/splice.%s.json" % _PORT if _PORT else "/run/secubox/splice.json"
 
-_counts = {"spliced": 0, "would_splice": 0, "mitm": 0, "since": int(time.time())}
+_counts = {"spliced": 0, "would_splice": 0, "since": int(time.time())}
 _last_flush = 0.0
 
 # Learning observations are written off the proxy event loop (mirror
@@ -99,6 +104,7 @@ class TlsSplice:
             if mode == "on":
                 data.ignore_connection = True
                 _counts["spliced"] += 1
+                log.debug("tls-splice spliced %s", sni)
             else:  # observe
                 _counts["would_splice"] += 1
                 log.info("tls-splice would-splice %s", sni)
@@ -143,6 +149,15 @@ class TlsSplice:
                 json.dump({**_counts, "updated": int(now)}, f)
         except Exception:
             pass
+        # #651 — helpful, non-spammy console feedback: one INFO line per flush
+        # window (~5 s) showing this worker's running totals + active mode, so
+        # the splice activity is visible in `journalctl -u …mitm-wg-worker@*`.
+        try:
+            log.info("tls-splice[%s] mode=%s spliced=%d would_splice=%d",
+                     _PORT or "single", _gf().get("tls_splice", "observe"),
+                     _counts["spliced"], _counts["would_splice"])
+        except Exception:
+            pass
 
 
 addons = [TlsSplice()]

packages/secubox-toolbox/tests/test_tls_splice_addon.py

@@ -107,3 +107,11 @@ def test_response_off_mode_skips(monkeypatch, tmp_path):
         response=types.SimpleNamespace(headers={"content-type": "text/html"}))
     a.response(f)
     assert calls == []   # off → recorder disabled
+
+
+def test_stats_file_is_per_worker_port(monkeypatch):
+    import importlib
+    monkeypatch.setenv("MITM_WG_LISTEN_PORT", "8083")
+    import tls_splice; importlib.reload(tls_splice)
+    assert tls_splice.STATS == "/run/secubox/splice.8083.json"
+    assert "mitm" not in tls_splice._counts   # dead counter removed