test(lib): ensure CookieDynamicDomain works

Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/actions/spelling/allow.txt

@@ -8,4 +8,3 @@ msgbox
 xeact
 ABee
 tencent
-maintnotifications

.github/workflows/asset-verification.yml

@@ -22,11 +22,11 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: latest
 
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: stable
 

.github/workflows/docker-pr.yml

@@ -26,11 +26,11 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: latest
 
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: stable
 
@@ -38,7 +38,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         with:
           images: ghcr.io/${{ github.repository }}
 

.github/workflows/docker.yml

@@ -36,11 +36,11 @@ jobs:
         run: |
           echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
 
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: latest
 
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: stable
 
@@ -55,7 +55,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         with:
           images: ${{ env.IMAGE }}
 

.github/workflows/docs-deploy.yml

@@ -33,7 +33,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         with:
           images: ghcr.io/techarohq/anubis/docs
           tags: |

.github/workflows/docs-test.yml

@@ -22,7 +22,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         with:
           images: ghcr.io/techarohq/anubis/docs
           tags: |

.github/workflows/go.yml

@@ -24,11 +24,11 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: latest
 
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: stable
 

.github/workflows/package-builds-stable.yml

@@ -25,11 +25,11 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: latest
 
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: stable
 

.github/workflows/package-builds-unstable.yml

@@ -26,11 +26,11 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: latest
 
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: stable
 

cmd/anubis/main.go

@@ -83,7 +83,7 @@ var (
 	versionFlag              = flag.Bool("version", false, "print Anubis version")
 	publicUrl                = flag.String("public-url", "", "the externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for forwardAuth).")
 	xffStripPrivate          = flag.Bool("xff-strip-private", true, "if set, strip private addresses from X-Forwarded-For")
-	customRealIPHeader       = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")
+	customRealIPHeader      = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")
 
 	thothInsecure        = flag.Bool("thoth-insecure", false, "if set, connect to Thoth over plain HTTP/2, don't enable this unless support told you to")
 	thothURL             = flag.String("thoth-url", "", "if set, URL for Thoth, the IP reputation database for Anubis")
@@ -145,19 +145,19 @@ func parseBindNetFromAddr(address string) (string, string) {
 	return "", address
 }
 
-func parseSameSite(s string) http.SameSite {
-	switch strings.ToLower(s) {
-	case "none":
-		return http.SameSiteNoneMode
-	case "lax":
-		return http.SameSiteLaxMode
-	case "strict":
-		return http.SameSiteStrictMode
+func parseSameSite(s string) (http.SameSite) {
+    switch strings.ToLower(s) {
+    case "none":
+        return http.SameSiteNoneMode
+    case "lax":
+        return http.SameSiteLaxMode
+    case "strict":
+        return http.SameSiteStrictMode
 	case "default":
 		return http.SameSiteDefaultMode
-	default:
-		log.Fatalf("invalid cookie same-site mode: %s, valid values are None, Lax, Strict, and Default", s)
-	}
+    default:
+        log.Fatalf("invalid cookie same-site mode: %s, valid values are None, Lax, Strict, and Default", s)
+    }
 	return http.SameSiteDefaultMode
 }
 

data/clients/docker-client.yaml

@@ -51,10 +51,3 @@
     all:
       - path.startsWith("/v2/")
       - userAgent.contains("containerd/")
-
-- name: allow-renovate
-  action: ALLOW
-  expression:
-    all:
-      - path.startsWith("/v2/")
-      - userAgent.contains("Renovate/")

docs/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/node:lts AS build
+FROM docker.io/library/node AS build
 
 WORKDIR /app
 COPY . .

docs/docs/CHANGELOG.md

@@ -13,14 +13,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- This changes the project to: -->
 
-- Fix panic when validating challenges after privacy-mode browsers strip headers and the follow-up request matches an `ALLOW` threshold.
-- Expose WEIGHT rule matches as Prometheus metrics.
 - Allow more OCI registry clients [based on feedback](https://github.com/TecharoHQ/anubis/pull/1253#issuecomment-3506744184).
 - Expose services directory in the embedded `(data)` filesystem.
-- Add Ukrainian locale ([#1044](https://github.com/TecharoHQ/anubis/pull/1044)).
-- Allow Renovate as an OCI registry client.
-- Properly handle 4in6 addresses so that IP matching works with those addresses.
-- Add support to simple Valkey/Redis cluster mode
+- Add Ukrainian locale ([#1044](https://github.com/TecharoHQ/anubis/pull/1044))
 
 ## v1.23.1: Lyse Hext - Echo 1
 

lib/anubis.go

@@ -117,12 +117,10 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	}
 
 	chall := challenge.Challenge{
-		ID:             id.String(),
-		Method:         rule.Challenge.Algorithm,
-		RandomData:     fmt.Sprintf("%x", randomData),
-		IssuedAt:       time.Now(),
-		Difficulty:     rule.Challenge.Difficulty,
-		PolicyRuleHash: rule.Hash(),
+		ID:         id.String(),
+		Method:     rule.Challenge.Algorithm,
+		RandomData: fmt.Sprintf("%x", randomData),
+		IssuedAt:   time.Now(),
 		Metadata: map[string]string{
 			"User-Agent": r.Header.Get("User-Agent"),
 			"X-Real-Ip":  r.Header.Get("X-Real-Ip"),
@@ -139,44 +137,6 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	return &chall, err
 }
 
-func (s *Server) hydrateChallengeRule(rule *policy.Bot, chall *challenge.Challenge, lg *slog.Logger) *policy.Bot {
-	if chall == nil {
-		return rule
-	}
-
-	if rule == nil {
-		rule = &policy.Bot{
-			Rules: &checker.List{},
-		}
-	}
-
-	if chall.Difficulty == 0 {
-		// fall back to whatever the policy currently says or the global default
-		if rule.Challenge != nil && rule.Challenge.Difficulty != 0 {
-			chall.Difficulty = rule.Challenge.Difficulty
-		} else {
-			chall.Difficulty = s.policy.DefaultDifficulty
-		}
-	}
-
-	if rule.Challenge == nil {
-		lg.Warn("rule missing challenge configuration; using stored challenge metadata", "rule", rule.Name)
-		rule.Challenge = &config.ChallengeRules{}
-	}
-
-	if rule.Challenge.Difficulty == 0 {
-		rule.Challenge.Difficulty = chall.Difficulty
-	}
-	if rule.Challenge.ReportAs == 0 {
-		rule.Challenge.ReportAs = chall.Difficulty
-	}
-	if rule.Challenge.Algorithm == "" {
-		rule.Challenge.Algorithm = chall.Method
-	}
-
-	return rule
-}
-
 func (s *Server) maybeReverseProxyHttpStatusOnly(w http.ResponseWriter, r *http.Request) {
 	s.maybeReverseProxy(w, r, true)
 }
@@ -501,8 +461,6 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	rule = s.hydrateChallengeRule(rule, chall, lg)
-
 	impl, ok := challenge.Get(chall.Method)
 	if !ok {
 		lg.Error("check failed", "err", err)
@@ -618,7 +576,6 @@ func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *p
 				return cr("bot/"+b.Name, b.Action, weight), &b, nil
 			case config.RuleWeigh:
 				lg.Debug("adjusting weight", "name", b.Name, "delta", b.Weight.Adjust)
-				policy.Applications.WithLabelValues("bot/"+b.Name, "WEIGH").Add(1)
 				weight += b.Weight.Adjust
 			}
 		}

lib/anubis_test.go

@@ -2,7 +2,6 @@ package lib
 
 import (
 	"bytes"
-	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -19,10 +18,8 @@ import (
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/TecharoHQ/anubis/lib/store"
 	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
 )
 
@@ -1030,59 +1027,6 @@ func TestPassChallengeXSS(t *testing.T) {
 	})
 }
 
-func TestPassChallengeNilRuleChallengeFallback(t *testing.T) {
-	pol := loadPolicies(t, "testdata/zero_difficulty.yaml", 0)
-
-	srv := spawnAnubis(t, Options{
-		Next:   http.NewServeMux(),
-		Policy: pol,
-	})
-
-	allowThreshold, err := policy.ParsedThresholdFromConfig(config.Threshold{
-		Name: "allow-all",
-		Expression: &config.ExpressionOrList{
-			Expression: "true",
-		},
-		Action: config.RuleAllow,
-	})
-	if err != nil {
-		t.Fatalf("can't compile test threshold: %v", err)
-	}
-	srv.policy.Thresholds = []*policy.Threshold{allowThreshold}
-	srv.policy.Bots = nil
-
-	chall := challenge.Challenge{
-		ID:         "test-challenge",
-		Method:     "metarefresh",
-		RandomData: "apple cider",
-		IssuedAt:   time.Now().Add(-5 * time.Second),
-		Difficulty: 1,
-	}
-
-	j := store.JSON[challenge.Challenge]{Underlying: srv.store}
-	if err := j.Set(context.Background(), "challenge:"+chall.ID, chall, time.Minute); err != nil {
-		t.Fatalf("can't insert challenge into store: %v", err)
-	}
-
-	req := httptest.NewRequest(http.MethodGet, "https://example.com"+anubis.APIPrefix+"pass-challenge", nil)
-	q := req.URL.Query()
-	q.Set("redir", "/")
-	q.Set("id", chall.ID)
-	q.Set("challenge", chall.RandomData)
-	req.URL.RawQuery = q.Encode()
-	req.Header.Set("X-Real-Ip", "203.0.113.4")
-	req.Header.Set("User-Agent", "NilChallengeTester/1.0")
-	req.AddCookie(&http.Cookie{Name: anubis.TestCookieName, Value: chall.ID})
-
-	rr := httptest.NewRecorder()
-
-	srv.PassChallenge(rr, req)
-
-	if rr.Code != http.StatusFound {
-		t.Fatalf("expected redirect when validating challenge, got %d", rr.Code)
-	}
-}
-
 func TestXForwardedForNoDoubleComma(t *testing.T) {
 	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))

lib/challenge/challenge.go

@@ -4,12 +4,10 @@ import "time"
 
 // Challenge is the metadata about a single challenge issuance.
 type Challenge struct {
-	ID             string            `json:"id"`                       // UUID identifying the challenge
-	Method         string            `json:"method"`                   // Challenge method
-	RandomData     string            `json:"randomData"`               // The random data the client processes
-	IssuedAt       time.Time         `json:"issuedAt"`                 // When the challenge was issued
-	Metadata       map[string]string `json:"metadata"`                 // Challenge metadata such as IP address and user agent
-	Spent          bool              `json:"spent"`                    // Has the challenge already been solved?
-	Difficulty     int               `json:"difficulty,omitempty"`     // Difficulty that was in effect when issued
-	PolicyRuleHash string            `json:"policyRuleHash,omitempty"` // Hash of the policy rule that issued this challenge
+	ID         string            `json:"id"`         // UUID identifying the challenge
+	Method     string            `json:"method"`     // Challenge method
+	RandomData string            `json:"randomData"` // The random data the client processes
+	IssuedAt   time.Time         `json:"issuedAt"`   // When the challenge was issued
+	Metadata   map[string]string `json:"metadata"`   // Challenge metadata such as IP address and user agent
+	Spent      bool              `json:"spent"`      // Has the challenge already been solved?
 }

lib/challenge/challengetest/challengetest.go

@@ -4,7 +4,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/internal"
 	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/google/uuid"
@@ -20,6 +19,5 @@ func New(t *testing.T) *challenge.Challenge {
 		ID:         id.String(),
 		RandomData: randomData,
 		IssuedAt:   time.Now(),
-		Difficulty: anubis.DefaultDifficulty,
 	}
 }

lib/http_test.go

@@ -173,6 +173,148 @@ func TestRenderIndexRedirect(t *testing.T) {
 	}
 }
 
+func TestClearCookieHostParameterHonorsDynamicDomain(t *testing.T) {
+	// Test that Host parameter is only used when CookieDynamicDomain is enabled
+	testCases := []struct {
+		name                   string
+		options                Options
+		host                   string
+		expectedDomain         string
+		shouldHaveDomainField  bool
+	}{
+		{
+			name:                   "dynamic domain disabled",
+			options:                Options{CookieDynamicDomain: false},
+			host:                   "subdomain.example.com",
+			expectedDomain:         "",
+			shouldHaveDomainField:  false,
+		},
+		{
+			name:                   "dynamic domain enabled with valid host",
+			options:                Options{CookieDynamicDomain: true},
+			host:                   "subdomain.example.com",
+			expectedDomain:         "example.com",
+			shouldHaveDomainField:  true,
+		},
+		{
+			name:                   "dynamic domain enabled with invalid host",
+			options:                Options{CookieDynamicDomain: true},
+			host:                   "invalid-host",
+			expectedDomain:         "",
+			shouldHaveDomainField:  false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			srv := spawnAnubis(t, tc.options)
+			rw := httptest.NewRecorder()
+
+			// Test ClearCookie with Host parameter
+			srv.ClearCookie(rw, CookieOpts{Path: "/", Host: tc.host})
+
+			resp := rw.Result()
+			cookies := resp.Cookies()
+
+			if len(cookies) != 1 {
+				t.Errorf("wanted 1 cookie, got %d cookies", len(cookies))
+			}
+
+			ckie := cookies[0]
+
+			if ckie.Name != anubis.CookieName {
+				t.Errorf("wanted cookie named %q, got cookie named %q", anubis.CookieName, ckie.Name)
+			}
+
+			if ckie.MaxAge != -1 {
+				t.Errorf("wanted cookie max age of -1, got: %d", ckie.MaxAge)
+			}
+
+			// Verify domain handling based on CookieDynamicDomain setting
+			if tc.shouldHaveDomainField {
+				if ckie.Domain != tc.expectedDomain {
+					t.Errorf("wanted cookie domain %q, got cookie domain %q", tc.expectedDomain, ckie.Domain)
+				}
+			} else {
+				if ckie.Domain != tc.expectedDomain {
+					t.Errorf("wanted cookie domain %q, got cookie domain %q", tc.expectedDomain, ckie.Domain)
+				}
+			}
+		})
+	}
+}
+
+func TestSetCookieHostParameterHonorsDynamicDomain(t *testing.T) {
+	// Test that SetCookie Host parameter is only used when CookieDynamicDomain is enabled
+	testCases := []struct {
+		name                   string
+		options                Options
+		host                   string
+		expectedDomain         string
+		shouldHaveDomainField  bool
+	}{
+		{
+			name:                   "dynamic domain disabled",
+			options:                Options{CookieDynamicDomain: false},
+			host:                   "subdomain.example.com",
+			expectedDomain:         "",
+			shouldHaveDomainField:  false,
+		},
+		{
+			name:                   "dynamic domain enabled with valid host",
+			options:                Options{CookieDynamicDomain: true},
+			host:                   "subdomain.example.com",
+			expectedDomain:         "example.com",
+			shouldHaveDomainField:  true,
+		},
+		{
+			name:                   "dynamic domain enabled with invalid host",
+			options:                Options{CookieDynamicDomain: true},
+			host:                   "invalid-host",
+			expectedDomain:         "",
+			shouldHaveDomainField:  false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			srv := spawnAnubis(t, tc.options)
+			rw := httptest.NewRecorder()
+
+			// Test SetCookie with Host parameter
+			srv.SetCookie(rw, CookieOpts{Path: "/", Host: tc.host, Value: "test-value"})
+
+			resp := rw.Result()
+			cookies := resp.Cookies()
+
+			if len(cookies) != 1 {
+				t.Errorf("wanted 1 cookie, got %d cookies", len(cookies))
+			}
+
+			ckie := cookies[0]
+
+			if ckie.Name != anubis.CookieName {
+				t.Errorf("wanted cookie named %q, got cookie named %q", anubis.CookieName, ckie.Name)
+			}
+
+			if ckie.Value != "test-value" {
+				t.Errorf("wanted cookie value %q, got cookie value %q", "test-value", ckie.Value)
+			}
+
+			// Verify domain handling based on CookieDynamicDomain setting
+			if tc.shouldHaveDomainField {
+				if ckie.Domain != tc.expectedDomain {
+					t.Errorf("wanted cookie domain %q, got cookie domain %q", tc.expectedDomain, ckie.Domain)
+				}
+			} else {
+				if ckie.Domain != tc.expectedDomain {
+					t.Errorf("wanted cookie domain %q, got cookie domain %q", tc.expectedDomain, ckie.Domain)
+				}
+			}
+		})
+	}
+}
+
 func TestRenderIndexUnauthorized(t *testing.T) {
 	s := &Server{
 		opts: Options{

lib/localization/localization_test.go

@@ -31,7 +31,7 @@ func TestLocalizationService(t *testing.T) {
 		"vi":    "Đang nạp...",
 		"zh-CN": "加载中...",
 		"zh-TW": "載入中...",
-		"sv":    "Laddar...",
+		"sv" : "Laddar...",
 	}
 
 	var keys []string

lib/policy/checker.go

@@ -51,11 +51,6 @@ func (rac *RemoteAddrChecker) Check(r *http.Request) (bool, error) {
 		return false, fmt.Errorf("%w: %s is not an IP address: %w", ErrMisconfiguration, host, err)
 	}
 
-	// Convert IPv4-mapped IPv6 addresses to IPv4
-	if addr.Is6() && addr.Is4In6() {
-		addr = addr.Unmap()
-	}
-
 	return rac.prefixTable.Contains(addr), nil
 }
 

lib/policy/checker_test.go

@@ -21,20 +21,6 @@ func TestRemoteAddrChecker(t *testing.T) {
 			ok:    true,
 			err:   nil,
 		},
-		{
-			name:  "match_ipv4_in_ipv6",
-			cidrs: []string{"0.0.0.0/0"},
-			ip:    "::ffff:1.1.1.1",
-			ok:    true,
-			err:   nil,
-		},
-		{
-			name:  "match_ipv4_in_ipv6_hex",
-			cidrs: []string{"0.0.0.0/0"},
-			ip:    "::ffff:101:101",
-			ok:    true,
-			err:   nil,
-		},
 		{
 			name:  "match_ipv6",
 			cidrs: []string{"::/0"},

lib/store/valkey/factory.go

@@ -5,98 +5,80 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"time"
 
 	"github.com/TecharoHQ/anubis/lib/store"
 	valkey "github.com/redis/go-redis/v9"
-	"github.com/redis/go-redis/v9/maintnotifications"
+)
+
+var (
+	ErrNoURL  = errors.New("valkey.Config: no URL defined")
+	ErrBadURL = errors.New("valkey.Config: URL is invalid")
 )
 
 func init() {
 	store.Register("valkey", Factory{})
 }
 
-// Errors kept as-is so other code/tests still pass.
-var (
-	ErrNoURL  = errors.New("valkey.Config: no URL defined")
-	ErrBadURL = errors.New("valkey.Config: URL is invalid")
-)
+type Factory struct{}
 
-// Config is what Anubis unmarshals from the "parameters" JSON.
-type Config struct {
-	URL     string `json:"url"`
-	Cluster bool   `json:"cluster,omitempty"`
-}
+func (Factory) Build(ctx context.Context, data json.RawMessage) (store.Interface, error) {
+	var config Config
 
-func (c Config) Valid() error {
-	if c.URL == "" {
-		return ErrNoURL
+	if err := json.Unmarshal([]byte(data), &config); err != nil {
+		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
 	}
 
-	// Just validate that it's a valid Redis URL.
-	if _, err := valkey.ParseURL(c.URL); err != nil {
-		return fmt.Errorf("%w: %v", ErrBadURL, err)
+	if err := config.Valid(); err != nil {
+		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
+	}
+
+	opts, err := valkey.ParseURL(config.URL)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
+	}
+
+	rdb := valkey.NewClient(opts)
+
+	if _, err := rdb.Ping(ctx).Result(); err != nil {
+		return nil, fmt.Errorf("can't ping valkey instance: %w", err)
+	}
+
+	return &Store{
+		rdb: rdb,
+	}, nil
+}
+
+func (Factory) Valid(data json.RawMessage) error {
+	var config Config
+	if err := json.Unmarshal([]byte(data), &config); err != nil {
+		return fmt.Errorf("%w: %w", store.ErrBadConfig, err)
+	}
+
+	if err := config.Valid(); err != nil {
+		return fmt.Errorf("%w: %w", store.ErrBadConfig, err)
 	}
 
 	return nil
 }
 
-// redisClient is satisfied by *valkey.Client and *valkey.ClusterClient.
-type redisClient interface {
-	Get(ctx context.Context, key string) *valkey.StringCmd
-	Set(ctx context.Context, key string, value interface{}, expiration time.Duration) *valkey.StatusCmd
-	Del(ctx context.Context, keys ...string) *valkey.IntCmd
-	Ping(ctx context.Context) *valkey.StatusCmd
+type Config struct {
+	URL string `json:"url"`
 }
 
-type Factory struct{}
+func (c Config) Valid() error {
+	var errs []error
 
-func (Factory) Valid(data json.RawMessage) error {
-	var cfg Config
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return err
+	if c.URL == "" {
+		errs = append(errs, ErrNoURL)
 	}
-	return cfg.Valid()
-}
-
-func (Factory) Build(ctx context.Context, data json.RawMessage) (store.Interface, error) {
-	var cfg Config
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return nil, err
-	}
-	if err := cfg.Valid(); err != nil {
-		return nil, err
-	}
-
-	opts, err := valkey.ParseURL(cfg.URL)
-	if err != nil {
-		return nil, fmt.Errorf("valkey.Factory: %w", err)
-	}
-
-	var client redisClient
-
-	if cfg.Cluster {
-		// Cluster mode: use the parsed Addr as the seed node.
-		clusterOpts := &valkey.ClusterOptions{
-			Addrs: []string{opts.Addr},
-			// Explicitly disable maintenance notifications
-			// This prevents the client from sending CLIENT MAINT_NOTIFICATIONS ON
-			MaintNotificationsConfig: &maintnotifications.Config{
-				Mode: maintnotifications.ModeDisabled,
-			},
-		}
-		client = valkey.NewClusterClient(clusterOpts)
-	} else {
-		opts.MaintNotificationsConfig = &maintnotifications.Config{
-			Mode: maintnotifications.ModeDisabled,
-		}
-		client = valkey.NewClient(opts)
-	}
-
-	// Optional but nice: fail fast if the cluster/single node is unreachable.
-	if err := client.Ping(ctx).Err(); err != nil {
-		return nil, fmt.Errorf("valkey.Factory: ping failed: %w", err)
-	}
-
-	return &Store{client: client}, nil
+
+	if _, err := valkey.ParseURL(c.URL); err != nil {
+		errs = append(errs, ErrBadURL)
+	}
+
+	if len(errs) != 0 {
+		return fmt.Errorf("valkey.Config: invalid config: %w", errors.Join(errs...))
+	}
+
+	return nil
 }

lib/store/valkey/valkey.go

@@ -2,46 +2,52 @@ package valkey
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	"github.com/TecharoHQ/anubis/lib/store"
 	valkey "github.com/redis/go-redis/v9"
 )
 
-// Store implements store.Interface on top of Redis/Valkey.
 type Store struct {
-	client redisClient
-}
-
-var _ store.Interface = (*Store)(nil)
-
-func (s *Store) Get(ctx context.Context, key string) ([]byte, error) {
-	cmd := s.client.Get(ctx, key)
-	if err := cmd.Err(); err != nil {
-		if err == valkey.Nil {
-			return nil, store.ErrNotFound
-		}
-		return nil, err
-	}
-	return cmd.Bytes()
-}
-
-func (s *Store) Set(ctx context.Context, key string, value []byte, expiry time.Duration) error {
-	return s.client.Set(ctx, key, value, expiry).Err()
+	rdb *valkey.Client
 }
 
 func (s *Store) Delete(ctx context.Context, key string) error {
-	res := s.client.Del(ctx, key)
-	if err := res.Err(); err != nil {
-		return err
+	n, err := s.rdb.Del(ctx, key).Result()
+	if err != nil {
+		return fmt.Errorf("can't delete from valkey: %w", err)
 	}
-	if n, _ := res.Result(); n == 0 {
-		return store.ErrNotFound
+
+	switch n {
+	case 0:
+		return fmt.Errorf("%w: %d key(s) deleted", store.ErrNotFound, n)
+	default:
+		return nil
 	}
+}
+
+func (s *Store) Get(ctx context.Context, key string) ([]byte, error) {
+	result, err := s.rdb.Get(ctx, key).Result()
+	if err != nil {
+		if valkey.HasErrorPrefix(err, "redis: nil") {
+			return nil, fmt.Errorf("%w: %w", store.ErrNotFound, err)
+		}
+
+		return nil, fmt.Errorf("can't fetch from valkey: %w", err)
+	}
+
+	return []byte(result), nil
+}
+
+func (s *Store) Set(ctx context.Context, key string, value []byte, expiry time.Duration) error {
+	if _, err := s.rdb.Set(ctx, key, string(value), expiry).Result(); err != nil {
+		return fmt.Errorf("can't set %q in valkey: %w", key, err)
+	}
+
 	return nil
 }
 
-// IsPersistent tells Anubis this backend is “real” storage, not in-memory.
 func (s *Store) IsPersistent() bool {
 	return true
 }