docs: update CHANGELOG

Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/actions/spelling/excludes.txt

@@ -88,6 +88,7 @@
 ^docs/manifest/.*$
 ^docs/static/\.nojekyll$
 ^lib/policy/config/testdata/bad/unparseable\.json$
+^internal/glob/glob_test.go$
 ignore$
 robots.txt
 ^lib/localization/locales/.*\.json$

.github/workflows/smoke-tests.yml

@@ -14,6 +14,7 @@ jobs:
     strategy:
       matrix:
         test:
+          - forced-language
           - git-clone
           - git-push
           - healthcheck

docs/docs/CHANGELOG.md

@@ -13,47 +13,67 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- This changes the project to: -->
 
-- Add a "proof of React" challenge to prove that the client is able to run a simple JSX app.
-- Added possibility to disable HTTP keep-alive to support backends not properly
-  handling it.
-- Add a server-side check for the meta-refresh challenge that makes sure clients have waited for at least 95% of the time that they should.
-- Added a missing link to the Caddy installation environment in the installation documentation.
-- Downstream consumers can change the default [log/slog#Logger](https://pkg.go.dev/log/slog#Logger) instance that Anubis uses by setting `opts.Logger` to your slog instance of choice ([#864](https://github.com/TecharoHQ/anubis/issues/864)).
-- The [Thoth client](https://anubis.techaro.lol/docs/admin/thoth) is now public in the repo instead of being an internal package.
-- [Custom-AsyncHttpClient](https://github.com/AsyncHttpClient/async-http-client)'s default User-Agent has an increased weight by default ([#852](https://github.com/TecharoHQ/anubis/issues/852)).
+## v1.22.0: Yda Hext
+
+> Someone has to make an effort at reconciliation if these conflicts are ever going to end.
+
+In this release, we finally fix the odd number of CPU cores bug, pave the way for lighter weight challenges, make Anubis more adaptable, and more.
+
+### Big ticket items
+
+#### Proof of React challenge
+
+A new ["proof of React"](./admin/configuration/challenges/preact.mdx) has been added. It runs a simple app in React that has several chained hooks. It is much more lightweight than the proof of work check.
+
+#### Smaller features
+
 - The [`segments`](./admin/configuration/expressions.mdx#segments) function was added for splitting a path into its slash-separated segments.
+- Added possibility to disable HTTP keep-alive to support backends not properly handling it.
 - When issuing a challenge, Anubis stores information about that challenge into the store. That stored information is later used to validate challenge responses. This works around nondeterminism in bot rules. ([#917](https://github.com/TecharoHQ/anubis/issues/917))
-- When parsing [Open Graph tags](./admin/configuration/open-graph.mdx), add any URLs found in the responses to a temporary "allow cache" so that social preview images work.
-- Proof of work solving has had a complete overhaul and rethink based on feedback from browser engine developers, frontend experts, and overall performance profiling.
 - One of the biggest sources of lag in Firefox has been eliminated: the use of WebCrypto. Now whenever Anubis detects the client is using Firefox (or Pale Moon), it will swap over to a pure-JS implementation of SHA-256 for speed.
+- Proof of work solving has had a complete overhaul and rethink based on feedback from browser engine developers, frontend experts, and overall performance profiling.
 - Optimize the performance of the pure-JS Anubis solver.
 - Web Workers are stored as dedicated JavaScript files in `static/js/workers/*.mjs`.
 - Pave the way for non-SHA256 solver methods and eventually one that uses WebAssembly (or WebAssembly code compiled to JS for those that disable WebAssembly).
 - Legacy JavaScript code has been eliminated.
+- When parsing [Open Graph tags](./admin/configuration/open-graph.mdx), add any URLs found in the responses to a temporary "allow cache" so that social preview images work.
+- The hard dependency on WebCrypto has been removed, allowing a proof of work challenge to work over plain (unencrypted) HTTP.
+- The Anubis version number is put in the footer of every page.
+- Add a default block rule for Huawei Cloud.
+- Add a default block rule for Alibaba Cloud.
+- Added support to use Traefik forwardAuth middleware.
+- Add X-Request-URI support so that Subrequest Authentication has path support.
+- Added glob matching for `REDIRECT_DOMAINS`. You can pass `*.bugs.techaro.lol` to allow redirecting to anything ending with `.bugs.techaro.lol`. There is a limit of 4 wildcards.
+
+### Fixes
+
+#### Odd numbers of CPU cores are properly supported
+
+Some phones have an odd number of CPU cores. This caused [interesting issues](https://anubis.techaro.lol/blog/2025/cpu-core-odd). This was fixed by [using `Math.trunc` to convert the number of CPU cores back into an integer](https://github.com/TecharoHQ/anubis/issues/1043).
+
+#### Smaller fixes
+
+- A standard library HTTP server log message about HTTP pipelining not working has been filtered out of Anubis' logs. There is no action that can be taken about it.
+- Added a missing link to the Caddy installation environment in the installation documentation.
+- Downstream consumers can change the default [log/slog#Logger](https://pkg.go.dev/log/slog#Logger) instance that Anubis uses by setting `opts.Logger` to your slog instance of choice ([#864](https://github.com/TecharoHQ/anubis/issues/864)).
+- The [Thoth client](https://anubis.techaro.lol/docs/admin/thoth) is now public in the repo instead of being an internal package.
+- [Custom-AsyncHttpClient](https://github.com/AsyncHttpClient/async-http-client)'s default User-Agent has an increased weight by default ([#852](https://github.com/TecharoHQ/anubis/issues/852)).
 - Add option for replacing the default explanation text with a custom one ([#747](https://github.com/TecharoHQ/anubis/pull/747))
 - The contact email in the LibreJS header has been changed.
-- The hard dependency on WebCrypto has been removed, allowing a proof of work challenge to work over plain (unencrypted) HTTP.
 - Firefox for Android support has been fixed by embedding the challenge ID into the pass-challenge route. This also fixes some inconsistent issues with other mobile browsers.
-- The Anubis version number is put in the footer of every page.
-- Prevent the proof of work nonce from being a decimal value by using Math.trunc to coerce it back to an integer if it happens ([#1043](https://github.com/TecharoHQ/anubis/issues/1043)).
-- The legacy JSON based policy file example has been removed and all documentation for how to write a policy file in JSON has been deleted. JSON based policy files will still work, but YAML is the superior option for Anubis configuration.
-- A standard library HTTP server log message about HTTP pipelining not working has been filtered out of Anubis' logs. There is no action that can be taken about it.
 - The default `favicon` pattern in `data/common/keep-internet-working.yaml` has been updated to permit requests for png/gif/jpg/svg files as well as ico.
 - The `--cookie-prefix` flag has been fixed so that it is fully respected.
 - The default patterns in `data/common/keep-internet-working.yaml` have been updated to appropriately escape the '.' character in the regular expression patterns.
 - Add optional restrictions for JWT based on the value of a header ([#697](https://github.com/TecharoHQ/anubis/pull/697))
 - The word "hack" has been removed from the translation strings for Anubis due to incidents involving people misunderstanding that word and sending particularly horrible things to the project lead over email.
 - Bump AI-robots.txt to version 1.39
-- Add a default block rule for Huawei Cloud.
-- Add a default block rule for Alibaba Cloud.
-- Add X-Request-URI support so that Subrequest Authentication has path support.
-- Add better logging when using Subrequest Authentication.
-- Two of Slackware's community git repository servers are now poxied by Anubis.
-- Added support to use Traefik forwardAuth middleware.
 - Inject adversarial input to break AI coding assistants.
+- Add better logging when using Subrequest Authentication.
 
 ### Security-relevant changes
 
+- Add a server-side check for the meta-refresh challenge that makes sure clients have waited for at least 95% of the time that they should.
+
 #### Fix potential double-spend for challenges
 
 Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is stored in the database.
@@ -71,15 +91,11 @@ Thanks to [@taviso](https://github.com/taviso) for reporting this issue.
 ### Breaking changes
 
 - The "slow" frontend solver has been removed in order to reduce maintenance burden. Any existing uses of it will still work, but issue a warning upon startup asking administrators to upgrade to the "fast" frontend solver.
+- The legacy JSON based policy file example has been removed and all documentation for how to write a policy file in JSON has been deleted. JSON based policy files will still work, but YAML is the superior option for Anubis configuration.
 
 ### New Locales
 
-- [Lithuanian](https://github.com/TecharoHQ/anubis/pull/972)
-
-### Added
-
-Anubis now supports these new languages:
-
+- Lithuanian [#972](https://github.com/TecharoHQ/anubis/pull/972)
 - Vietnamese [#926](https://github.com/TecharoHQ/anubis/pull/926)
 
 ## v1.21.3: Minfilia Warde - Echo 3

internal/glob/glob.go

@@ -0,0 +1,61 @@
+package glob
+
+import "strings"
+
+const GLOB = "*"
+
+const maxGlobParts = 5
+
+// Glob will test a string pattern, potentially containing globs, against a
+// subject string. The result is a simple true/false, determining whether or
+// not the glob pattern matched the subject text.
+func Glob(pattern, subj string) bool {
+	// Empty pattern can only match empty subject
+	if pattern == "" {
+		return subj == pattern
+	}
+
+	// If the pattern _is_ a glob, it matches everything
+	if pattern == GLOB {
+		return true
+	}
+
+	parts := strings.Split(pattern, GLOB)
+
+	if len(parts) > maxGlobParts {
+		return false // Pattern is too complex, reject it.
+	}
+
+	if len(parts) == 1 {
+		// No globs in pattern, so test for equality
+		return subj == pattern
+	}
+
+	leadingGlob := strings.HasPrefix(pattern, GLOB)
+	trailingGlob := strings.HasSuffix(pattern, GLOB)
+	end := len(parts) - 1
+
+	// Go over the leading parts and ensure they match.
+	for i := 0; i < end; i++ {
+		idx := strings.Index(subj, parts[i])
+
+		switch i {
+		case 0:
+			// Check the first section. Requires special handling.
+			if !leadingGlob && idx != 0 {
+				return false
+			}
+		default:
+			// Check that the middle parts match.
+			if idx < 0 {
+				return false
+			}
+		}
+
+		// Trim evaluated text from subj as we loop over the pattern.
+		subj = subj[idx+len(parts[i]):]
+	}
+
+	// Reached the last section. Requires special handling.
+	return trailingGlob || strings.HasSuffix(subj, parts[end])
+}

internal/glob/glob_test.go

@@ -0,0 +1,189 @@
+package glob
+
+import "testing"
+
+func TestGlob_EqualityAndEmpty(t *testing.T) {
+	cases := []struct {
+		name    string
+		pattern string
+		subj    string
+		want    bool
+	}{
+		{"exact match", "hello", "hello", true},
+		{"exact mismatch", "hello", "hell", false},
+		{"empty pattern and subject", "", "", true},
+		{"empty pattern with non-empty subject", "", "x", false},
+		{"pattern star matches empty", "*", "", true},
+		{"pattern star matches anything", "*", "anything at all", true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := Glob(tc.pattern, tc.subj); got != tc.want {
+				t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestGlob_LeadingAndTrailing(t *testing.T) {
+	cases := []struct {
+		name    string
+		pattern string
+		subj    string
+		want    bool
+	}{
+		{"prefix match - minimal", "foo*", "foo", true},
+		{"prefix match - extended", "foo*", "foobar", true},
+		{"prefix mismatch - not at start", "foo*", "xfoo", false},
+		{"suffix match - minimal", "*foo", "foo", true},
+		{"suffix match - extended", "*foo", "xfoo", true},
+		{"suffix mismatch - not at end", "*foo", "foox", false},
+		{"contains match", "*foo*", "barfoobaz", true},
+		{"contains mismatch - missing needle", "*foo*", "f", false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := Glob(tc.pattern, tc.subj); got != tc.want {
+				t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestGlob_MiddleAndOrder(t *testing.T) {
+	cases := []struct {
+		name    string
+		pattern string
+		subj    string
+		want    bool
+	}{
+		{"middle wildcard basic", "f*o", "fo", true},
+		{"middle wildcard gap", "f*o", "fZZZo", true},
+		{"middle wildcard requires start f", "f*o", "xfyo", false},
+		{"order enforced across parts", "a*b*c*d", "axxbxxcxxd", true},
+		{"order mismatch fails", "a*b*c*d", "abdc", false},
+		{"must end with last part when no trailing *", "*foo*bar", "zzfooqqbar", true},
+		{"failing when trailing chars remain", "*foo*bar", "zzfooqqbarzz", false},
+		{"first part must start when no leading *", "foo*bar", "zzfooqqbar", false},
+		{"works with overlapping content", "ab*ba", "ababa", true},
+		{"needle not found fails", "foo*bar", "foobaz", false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := Glob(tc.pattern, tc.subj); got != tc.want {
+				t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestGlob_ConsecutiveStarsAndEmptyParts(t *testing.T) {
+	cases := []struct {
+		name    string
+		pattern string
+		subj    string
+		want    bool
+	}{
+		{"double star matches anything", "**", "", true},
+		{"double star matches anything non-empty", "**", "abc", true},
+		{"consecutive stars behave like single", "a**b", "ab", true},
+		{"consecutive stars with gaps", "a**b", "axxxb", true},
+		{"consecutive stars + trailing star", "a**b*", "axxbzzz", true},
+		{"consecutive stars still enforce anchors", "a**b", "xaBy", false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := Glob(tc.pattern, tc.subj); got != tc.want {
+				t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestGlob_MaxPartsLimit(t *testing.T) {
+	// Allowed: up to 4 '*' (5 parts)
+	allowed := []struct {
+		pattern string
+		subj    string
+		want    bool
+	}{
+		{"a*b*c*d*e", "axxbxxcxxdxxe", true}, // 4 stars -> 5 parts
+		{"*a*b*c*d", "zzzaaaabbbcccddd", true},
+		{"a*b*c*d*e", "abcde", true},
+		{"a*b*c*d*e", "abxdxe", false}, // missing 'c' should fail
+	}
+	for _, tc := range allowed {
+		if got := Glob(tc.pattern, tc.subj); got != tc.want {
+			t.Fatalf("allowed pattern Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
+		}
+	}
+
+	// Disallowed: 5 '*' (6 parts) -> always false by complexity check
+	disallowed := []struct {
+		pattern string
+		subj    string
+	}{
+		{"a*b*c*d*e*f", "aXXbYYcZZdQQeRRf"},
+		{"*a*b*c*d*e*", "abcdef"},
+		{"******", "anything"}, // 6 stars -> 7 parts
+	}
+	for _, tc := range disallowed {
+		if got := Glob(tc.pattern, tc.subj); got {
+			t.Fatalf("disallowed pattern should fail Glob(%q,%q) = %v, want false", tc.pattern, tc.subj, got)
+		}
+	}
+}
+
+func TestGlob_CaseSensitivity(t *testing.T) {
+	cases := []struct {
+		pattern string
+		subj    string
+		want    bool
+	}{
+		{"FOO*", "foo", false},
+		{"*Bar", "bar", false},
+		{"Foo*Bar", "FooZZZBar", true},
+	}
+	for _, tc := range cases {
+		if got := Glob(tc.pattern, tc.subj); got != tc.want {
+			t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
+		}
+	}
+}
+
+func TestGlob_EmptySubjectInteractions(t *testing.T) {
+	cases := []struct {
+		pattern string
+		subj    string
+		want    bool
+	}{
+		{"*a", "", false},
+		{"a*", "", false},
+		{"**", "", true},
+		{"*", "", true},
+	}
+	for _, tc := range cases {
+		if got := Glob(tc.pattern, tc.subj); got != tc.want {
+			t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
+		}
+	}
+}
+
+func BenchmarkGlob(b *testing.B) {
+	patterns := []string{
+		"*", "*foo*", "foo*bar", "a*b*c*d*e", "a**b*", "*needle*end",
+	}
+	subjects := []string{
+		"", "foo", "barfoo", "foobarbaz", "axxbxxcxxdxxe", "zzfooqqbarzz",
+		"lorem ipsum dolor sit amet, consectetur adipiscing elit",
+	}
+	for _, p := range patterns {
+		for _, s := range subjects {
+			b.Run(p+"::"+s, func(b *testing.B) {
+				for i := 0; i < b.N; i++ {
+					_ = Glob(p, s)
+				}
+			})
+		}
+	}
+}

lib/anubis.go

@@ -11,7 +11,6 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"slices"
 	"strings"
 	"time"
 
@@ -435,7 +434,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		s.respondWithError(w, r, localizer.T("redirect_not_parseable"))
 		return
 	}
-	if (len(urlParsed.Host) > 0 && len(s.opts.RedirectDomains) != 0 && !slices.Contains(s.opts.RedirectDomains, urlParsed.Host)) || urlParsed.Host != r.URL.Host {
+	if (len(urlParsed.Host) > 0 && len(s.opts.RedirectDomains) != 0 && !matchRedirectDomain(s.opts.RedirectDomains, urlParsed.Host)) || urlParsed.Host != r.URL.Host {
 		lg.Debug("domain not allowed", "domain", urlParsed.Host)
 		s.respondWithError(w, r, localizer.T("redirect_domain_not_allowed"))
 		return

lib/http.go

@@ -7,12 +7,12 @@ import (
 	"net/http"
 	"net/url"
 	"regexp"
-	"slices"
 	"strings"
 	"time"
 
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/internal/glob"
 	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/localization"
 	"github.com/TecharoHQ/anubis/lib/policy"
@@ -24,6 +24,26 @@ import (
 
 var domainMatchRegexp = regexp.MustCompile(`^((xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$`)
 
+// matchRedirectDomain returns true if host matches any of the allowed redirect
+// domain patterns. Patterns may contain '*' which are matched using the
+// internal glob matcher. Matching is case-insensitive on hostnames.
+func matchRedirectDomain(allowed []string, host string) bool {
+	h := strings.ToLower(strings.TrimSpace(host))
+ 	for _, pat := range allowed {
+ 		p := strings.ToLower(strings.TrimSpace(pat))
+ 		if strings.Contains(p, glob.GLOB) {
+ 			if glob.Glob(p, h) {
+ 				return true
+ 			}
+ 			continue
+ 		}
+ 		if p == h {
+ 			return true
+ 		}
+ 	}
+ 	return false
+}
+
 type CookieOpts struct {
 	Value  string
 	Host   string
@@ -217,8 +237,8 @@ func (s *Server) constructRedirectURL(r *http.Request) (string, error) {
 	if proto == "" || host == "" || uri == "" {
 		return "", errors.New(localizer.T("missing_required_forwarded_headers"))
 	}
-	// Check if host is allowed in RedirectDomains
-	if len(s.opts.RedirectDomains) > 0 && !slices.Contains(s.opts.RedirectDomains, host) {
+	// Check if host is allowed in RedirectDomains (supports '*' via glob)
+	if len(s.opts.RedirectDomains) > 0 && !matchRedirectDomain(s.opts.RedirectDomains, host) {
 		lg := internal.GetRequestLogger(s.logger, r)
 		lg.Debug("domain not allowed", "domain", host)
 		return "", errors.New(localizer.T("redirect_domain_not_allowed"))
@@ -290,7 +310,7 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
 
 		hostNotAllowed := len(urlParsed.Host) > 0 &&
 			len(s.opts.RedirectDomains) != 0 &&
-			!slices.Contains(s.opts.RedirectDomains, urlParsed.Host)
+			!matchRedirectDomain(s.opts.RedirectDomains, urlParsed.Host)
 		hostMismatch := r.URL.Host != "" && urlParsed.Host != r.URL.Host
 
 		if hostNotAllowed || hostMismatch {

lib/localization/locales/lt.json

@@ -36,12 +36,12 @@
   "invalid_redirect": "Netinkamas nukreipimas",
   "redirect_not_parseable": "Nukreipimo adreso nepavyko išanalizuoti",
   "redirect_domain_not_allowed": "Nukreipimo domenas neleistinas",
-  "missing_required_forwarded_headers": "Trūksta būtinų X-Forwarded-* antraščių",
+  "missing_required_forwarded_headers": "Trūksta būtinų „X-Forwarded-*“ antraščių",
   "failed_to_sign_jwt": "nepavyko pasirašyti JWT",
   "invalid_invocation": "Netinkamas kreipinys į „MakeChallenge“",
-  "client_error_browser": "Kliento klaida: įsitikinkite, jog jūsų naršyklė pakankamai atšviežinta ir bandykite dar kartą.",
+  "client_error_browser": "Problema klientinėje dalyje: įsitikinkite, jog jūsų naršyklė nepasenusi ir bandykite dar kartą.",
   "oh_noes": "O, ne!",
-  "benchmarking_anubis": "„Anubis“ vertina!",
+  "benchmarking_anubis": "Vertinama „Anubis“ sparta!",
   "you_are_not_a_bot": "Jūs nesate robotas!",
   "making_sure_not_bot": "Stengiamasi užtikrinti, jog jūs nesate robotas!",
   "celphase": "CELPHASE",
@@ -63,4 +63,4 @@
   "js_finished_reading": "Viską perskaičiau, tęskime →",
   "js_calculation_error": "Skaičiavimo klaida!",
   "js_calculation_error_msg": "Nepavyko įveikti iššūkio:"
-}
+}

test/forced-language/anubis.yaml

@@ -0,0 +1,8 @@
+bots:
+  - name: challenge
+    user_agent_regex: CHALLENGE
+    action: CHALLENGE
+
+status_codes:
+  CHALLENGE: 200
+  DENY: 403

test/forced-language/test.mjs

@@ -0,0 +1,27 @@
+async function getChallengePage() {
+  return fetch("http://localhost:8923/reqmeta", {
+    headers: {
+      "Accept-Language": "en",
+      "User-Agent": "CHALLENGE",
+    }
+  })
+    .then(resp => {
+      if (resp.status !== 200) {
+        throw new Error(`wanted status 200, got status: ${resp.status}`);
+      }
+      return resp;
+    })
+    .then(resp => resp.text());
+}
+
+(async () => {
+  const page = await getChallengePage();
+
+  if (!page.includes(`<html lang="de">`)) {
+    console.log(page)
+    throw new Error("force language smoke test failed");
+  }
+
+  console.log("FORCED_LANGUAGE=de caused a page to be rendered in german");
+  process.exit(0);
+})();

test/forced-language/test.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+function cleanup() {
+  pkill -P $$
+}
+
+trap cleanup EXIT SIGINT
+
+# Build static assets
+(cd ../.. && npm ci && npm run assets)
+
+go tool anubis --help 2>/dev/null ||:
+
+go run ../cmd/unixhttpd &
+
+FORCED_LANGUAGE=de go tool anubis \
+  --policy-fname ./anubis.yaml \
+  --use-remote-address \
+  --target=unix://$(pwd)/unixhttpd.sock &
+
+backoff-retry node ./test.mjs

test/forced-language/var/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore