9router 0.3.28 → 0.3.30

package/app/src/mitm/manager.js

@@ -5,7 +5,7 @@ const os = require("os");
 const net = require("net");
 const https = require("https");
 const crypto = require("crypto");
-const { addDNSEntry, removeDNSEntry, checkDNSEntry } = require("./dns/dnsConfig");
+const { addDNSEntry, removeDNSEntry, removeAllDNSEntries, checkAllDNSStatus } = require("./dns/dnsConfig");
 
 const IS_WIN = process.platform === "win32";
 const { generateCert } = require("./cert/generate");
@@ -13,45 +13,27 @@ const { installCert } = require("./cert/install");
 const { MITM_DIR } = require("./paths");
 
 const MITM_PORT = 443;
-// Windows: node listens on 8443, netsh portproxy forwards 443→8443
 const MITM_WIN_NODE_PORT = 8443;
 const PID_FILE = path.join(MITM_DIR, ".mitm.pid");
 
-// Resolve server.js path robustly:
-// __dirname is unreliable inside Next.js bundles, so we use DATA_DIR env or
-// fall back to locating the file relative to the app's source root.
 function resolveServerPath() {
-  // 1. Explicit override via env (useful for packaged/standalone builds)
   if (process.env.MITM_SERVER_PATH) return process.env.MITM_SERVER_PATH;
-
-  // 2. Try sibling of this file (works in dev where __dirname is real)
   const sibling = path.join(__dirname, "server.js");
   if (fs.existsSync(sibling)) return sibling;
-
-  // 3. Fallback: resolve from process.cwd() → src/mitm/server.js
   const fromCwd = path.join(process.cwd(), "src", "mitm", "server.js");
   if (fs.existsSync(fromCwd)) return fromCwd;
-
-  // 4. Standalone build: app root is parent of .next
   const fromNext = path.join(process.cwd(), "..", "src", "mitm", "server.js");
   if (fs.existsSync(fromNext)) return fromNext;
-
-  return fromCwd; // best guess
+  return fromCwd;
 }
 
 const SERVER_PATH = resolveServerPath();
-
 const ENCRYPT_ALGO = "aes-256-gcm";
 const ENCRYPT_SALT = "9router-mitm-pwd";
 
-/**
- * Get process name using port 443
- * @returns {string|null} Process name or null if not found
- */
 function getProcessUsingPort443() {
   try {
     if (IS_WIN) {
-      // Use PowerShell for precise port 443 owner lookup
       const psCmd = `powershell -NonInteractive -WindowStyle Hidden -Command ` +
         `"$c = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1; if ($c) { $c.OwningProcess } else { 0 }"`;
       const pidStr = execSync(psCmd, { encoding: "utf8", windowsHide: true }).trim();
@@ -62,31 +44,22 @@ function getProcessUsingPort443() {
         if (processMatch) return processMatch[1].replace(".exe", "");
       }
     } else {
-      // macOS/Linux: use lsof
       const result = execSync("lsof -i :443", { encoding: "utf8" });
       const lines = result.trim().split("\n");
-      if (lines.length > 1) {
-        const processName = lines[1].split(/\s+/)[0];
-        return processName;
-      }
+      if (lines.length > 1) return lines[1].split(/\s+/)[0];
     }
-  } catch (error) {
+  } catch {
     return null;
   }
   return null;
 }
 
-// Store server process in-memory
 let serverProcess = null;
 let serverPid = null;
 
-// Persist sudo password across Next.js hot reloads (in-memory only)
 function getCachedPassword() { return globalThis.__mitmSudoPassword || null; }
 function setCachedPassword(pwd) { globalThis.__mitmSudoPassword = pwd; }
 
-// Check if a PID is alive
-// EACCES = process exists but no permission (e.g. root process) → still alive
-// ESRCH  = process does not exist → dead
 function isProcessAlive(pid) {
   try {
     process.kill(pid, 0);
@@ -96,42 +69,41 @@ function isProcessAlive(pid) {
   }
 }
 
-// Cross-platform process kill
-function killProcess(pid, force = false) {
+function killProcess(pid, force = false, sudoPassword = null) {
   if (IS_WIN) {
     const flag = force ? "/F " : "";
     exec(`taskkill ${flag}/PID ${pid}`, () => { });
   } else {
-    // Use pkill to kill entire process group (catches sudo + child node process)
     const sig = force ? "SIGKILL" : "SIGTERM";
-    exec(`pkill -${sig} -P ${pid} 2>/dev/null; kill -${sig} ${pid} 2>/dev/null`, () => { });
+    const cmd = `pkill -${sig} -P ${pid} 2>/dev/null; kill -${sig} ${pid} 2>/dev/null`;
+    if (sudoPassword) {
+      const { execWithPassword } = require("./dns/dnsConfig");
+      execWithPassword(cmd, sudoPassword).catch(() => exec(cmd, () => { }));
+    } else {
+      exec(cmd, () => { });
+    }
   }
 }
 
-/** Derive a 32-byte encryption key from machineId */
 function deriveKey() {
   try {
     const { machineIdSync } = require("node-machine-id");
     const raw = machineIdSync();
     return crypto.createHash("sha256").update(raw + ENCRYPT_SALT).digest();
   } catch {
-    // Fallback: fixed key derived from salt (less secure but functional)
     return crypto.createHash("sha256").update(ENCRYPT_SALT).digest();
   }
 }
 
-/** Encrypt sudo password with AES-256-GCM */
 function encryptPassword(plaintext) {
   const key = deriveKey();
   const iv = crypto.randomBytes(12);
   const cipher = crypto.createCipheriv(ENCRYPT_ALGO, key, iv);
   const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
   const tag = cipher.getAuthTag();
-  // Store as hex: iv:tag:ciphertext
   return `${iv.toString("hex")}:${tag.toString("hex")}:${encrypted.toString("hex")}`;
 }
 
-/** Decrypt sudo password */
 function decryptPassword(stored) {
   try {
     const [ivHex, tagHex, dataHex] = stored.split(":");
@@ -145,23 +117,16 @@ function decryptPassword(stored) {
   }
 }
 
-// DB hooks — injected from ESM context (initializeApp / route handlers)
-// to avoid webpack bundling issues with dynamic imports in CJS modules.
 let _getSettings = null;
 let _updateSettings = null;
 
-/** Called once from ESM context to inject DB access functions */
 function initDbHooks(getSettingsFn, updateSettingsFn) {
   _getSettings = getSettingsFn;
   _updateSettings = updateSettingsFn;
 }
 
-/** Save encrypted sudo password + mitmEnabled to db */
 async function saveMitmSettings(enabled, password) {
-  if (!_updateSettings) {
-    console.log("[MITM] DB hooks not initialized, skipping save");
-    return;
-  }
+  if (!_updateSettings) return;
   try {
     const updates = { mitmEnabled: enabled };
     if (password) updates.mitmSudoEncrypted = encryptPassword(password);
@@ -171,7 +136,6 @@ async function saveMitmSettings(enabled, password) {
   }
 }
 
-/** Load and decrypt sudo password from db */
 async function loadEncryptedPassword() {
   if (!_getSettings) return null;
   try {
@@ -183,37 +147,27 @@ async function loadEncryptedPassword() {
   }
 }
 
-/**
- * Check if port 443 is available
- * Returns: "free" | "in-use" | "no-permission"
- */
 function checkPort443Free() {
   return new Promise((resolve) => {
     const tester = net.createServer();
     tester.once("error", (err) => {
       if (err.code === "EADDRINUSE") resolve("in-use");
-      else resolve("no-permission"); // EACCES or other → port free but needs sudo
+      else resolve("no-permission");
     });
     tester.once("listening", () => { tester.close(() => resolve("free")); });
     tester.listen(MITM_PORT, "127.0.0.1");
   });
 }
 
-/**
- * Get PID and process name currently holding port 443
- * Returns { pid, name } or null if port is free / cannot determine
- */
 function getPort443Owner(sudoPassword) {
   return new Promise((resolve) => {
     if (IS_WIN) {
-      // Use PowerShell Get-NetTCPConnection for precise port 443 owner lookup
       const psCmd = `powershell -NonInteractive -WindowStyle Hidden -Command "` +
         `$c = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1; ` +
         `if ($c) { $c.OwningProcess } else { 0 }"`;
       exec(psCmd, { windowsHide: true }, (err, stdout) => {
         if (err) return resolve(null);
         const pid = parseInt(stdout.trim(), 10);
-        // 0 = no owner, <=4 = System/Idle — not real port owners
         if (!pid || pid <= 4) return resolve(null);
         exec(`tasklist /FI "PID eq ${pid}" /FO CSV /NH`, { windowsHide: true }, (e2, out2) => {
           const m = out2?.match(/"([^"]+)"/);
@@ -221,7 +175,6 @@ function getPort443Owner(sudoPassword) {
         });
       });
     } else {
-      // Use ps to find node process running server.js (no sudo needed)
       exec(`ps aux | grep "[s]erver.js"`, (err, stdout) => {
         if (!stdout?.trim()) return resolve(null);
         for (const line of stdout.split("\n")) {
@@ -235,31 +188,22 @@ function getPort443Owner(sudoPassword) {
   });
 }
 
-/**
- * Kill any leftover MITM server process (from previous failed start)
- * Uses sudo to kill the node process that was spawned with sudo
- */
 async function killLeftoverMitm(sudoPassword) {
-  // Kill in-memory process if still alive
   if (serverProcess && !serverProcess.killed) {
     try { serverProcess.kill("SIGKILL"); } catch { /* ignore */ }
     serverProcess = null;
     serverPid = null;
   }
-
-  // Kill from PID file
   try {
     if (fs.existsSync(PID_FILE)) {
       const savedPid = parseInt(fs.readFileSync(PID_FILE, "utf-8").trim(), 10);
       if (savedPid && isProcessAlive(savedPid)) {
-        killProcess(savedPid, true);
+        killProcess(savedPid, true, sudoPassword);
         await new Promise(r => setTimeout(r, 500));
       }
       fs.unlinkSync(PID_FILE);
     }
   } catch { /* ignore */ }
-
-  // Also kill any node process running server.js via sudo (belt-and-suspenders)
   if (!IS_WIN && SERVER_PATH) {
     try {
       const escaped = SERVER_PATH.replace(/'/g, "'\\''");
@@ -274,10 +218,6 @@ async function killLeftoverMitm(sudoPassword) {
   }
 }
 
-/**
- * Poll MITM health endpoint until server is up or timeout.
- * Returns { ok, pid } on success, null on timeout.
- */
 function pollMitmHealth(timeoutMs, port = MITM_PORT) {
   return new Promise((resolve) => {
     const deadline = Date.now() + timeoutMs;
@@ -306,7 +246,38 @@ function pollMitmHealth(timeoutMs, port = MITM_PORT) {
 }
 
 /**
- * Get MITM status
+ * Check which tools have their domains covered by the installed cert SAN.
+ * Uses built-in crypto.X509Certificate (Node 15.6+).
+ */
+function getCertToolCoverage(certPath) {
+  try {
+    const pem = fs.readFileSync(certPath, "utf8");
+    const cert = new crypto.X509Certificate(pem);
+    const san = cert.subjectAltName || "";
+    // Extract all DNS SANs
+    const sans = san.split(",").map(s => s.trim().replace(/^DNS:/, ""));
+    const matchesSan = (domain) => sans.some(s => {
+      if (s === domain) return true;
+      // Wildcard: *.foo.com matches bar.foo.com
+      if (s.startsWith("*.")) {
+        const suffix = s.slice(1); // .foo.com
+        return domain.endsWith(suffix) && !domain.slice(0, -suffix.length).includes(".");
+      }
+      return false;
+    });
+    const { TOOL_HOSTS } = require("./dns/dnsConfig");
+    const coverage = {};
+    for (const [tool, hosts] of Object.entries(TOOL_HOSTS)) {
+      coverage[tool] = hosts.every(matchesSan);
+    }
+    return coverage;
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Get full MITM status including per-tool DNS status
  */
 async function getMitmStatus() {
   let running = serverProcess !== null && !serverProcess.killed;
@@ -323,30 +294,26 @@ async function getMitmStatus() {
           fs.unlinkSync(PID_FILE);
         }
       }
-    } catch {
-      // Ignore
-    }
+    } catch { /* ignore */ }
   }
 
-  const dnsConfigured = checkDNSEntry();
-  const certExists = fs.existsSync(path.join(MITM_DIR, "server.crt"));
+  const dnsStatus = checkAllDNSStatus();
+  const certPath = path.join(MITM_DIR, "server.crt");
+  const certExists = fs.existsSync(certPath);
+  const certCoversTools = certExists ? getCertToolCoverage(certPath) : {};
 
-  return { running, pid, dnsConfigured, certExists };
+  return { running, pid, certExists, dnsStatus, certCoversTools };
 }
 
 /**
- * Start MITM proxy
- * @param {string} apiKey - 9Router API key
- * @param {string} sudoPassword - Sudo password for DNS/cert operations
+ * Start MITM server only (cert + server, no DNS)
  */
-async function startMitm(apiKey, sudoPassword) {
-  // Check orphan process from PID file before spawning
+async function startServer(apiKey, sudoPassword) {
   if (!serverProcess || serverProcess.killed) {
     try {
       if (fs.existsSync(PID_FILE)) {
         const savedPid = parseInt(fs.readFileSync(PID_FILE, "utf-8").trim(), 10);
         if (savedPid && isProcessAlive(savedPid)) {
-          // Orphan MITM process still alive — reuse it
           serverPid = savedPid;
           console.log(`[MITM] Reusing existing process PID ${savedPid}`);
           await saveMitmSettings(true, sudoPassword);
@@ -356,25 +323,20 @@ async function startMitm(apiKey, sudoPassword) {
           fs.unlinkSync(PID_FILE);
         }
       }
-    } catch {
-      // Ignore stale PID file errors
-    }
+    } catch { /* ignore */ }
   }
 
   if (serverProcess && !serverProcess.killed) {
-    throw new Error("MITM proxy is already running");
+    throw new Error("MITM server is already running");
   }
 
-  // Kill any leftover MITM server from a previous failed start attempt
   await killLeftoverMitm(sudoPassword);
 
   if (!IS_WIN) {
-    // Check port 443 availability — Windows handles this inside elevated script
     const portStatus = await checkPort443Free();
     if (portStatus === "in-use" || portStatus === "no-permission") {
       const owner = await getPort443Owner(sudoPassword);
       if (owner && owner.name === "node") {
-        // Orphan MITM node process — kill it and continue
         console.log(`[MITM] Killing orphan node process on port 443 (PID ${owner.pid})...`);
         try {
           const { execWithPassword } = require("./dns/dnsConfig");
@@ -385,74 +347,61 @@ async function startMitm(apiKey, sudoPassword) {
         const shortName = owner.name.includes("/")
           ? owner.name.split("/").filter(Boolean).pop()
           : owner.name;
-        throw new Error(
-          `Port 443 is already in use by "${shortName}" (PID ${owner.pid}). Stop that process first, then retry.`
-        );
+        throw new Error(`Port 443 is already in use by "${shortName}" (PID ${owner.pid}). Stop that process first.`);
       }
     }
   }
 
-  // 1. Generate SSL certificate if not exists (no elevation needed)
+  // Step 1: Generate SSL certificate if not exists or missing domain coverage
   const certPath = path.join(MITM_DIR, "server.crt");
+  const keyPath = path.join(MITM_DIR, "server.key");
+  let needsRegenerate = false;
+
   if (!fs.existsSync(certPath)) {
-    console.log("Generating SSL certificate...");
-    await generateCert();
+    console.log("[MITM] Generating SSL certificate...");
+    needsRegenerate = true;
+  } else {
+    // Check if cert covers all tool domains
+    const coverage = getCertToolCoverage(certPath);
+    const { TOOL_HOSTS } = require("./dns/dnsConfig");
+    const allCovered = Object.keys(TOOL_HOSTS).every(tool => coverage[tool] === true);
+    if (!allCovered) {
+      console.log("[MITM] Certificate missing domain coverage — regenerating...");
+      needsRegenerate = true;
+      try {
+        fs.unlinkSync(certPath);
+        if (fs.existsSync(keyPath)) fs.unlinkSync(keyPath);
+      } catch { /* ignore */ }
+    }
   }
 
-  // 4. Spawn MITM server
-  console.log("Starting MITM server...");
+  if (needsRegenerate) {
+    await generateCert();
+  }
 
+  // Step 2: Install cert + spawn server
   if (IS_WIN) {
-    // Windows: single UAC via VBScript → elevated PowerShell script that:
-    // 1. Installs SSL cert  2. Adds DNS entries  3. Starts node server.js (elevated → can bind 443)  4. Writes flag
-    // Node polls flag file to know when server is ready, then health-checks port 443
     const hostsFile = path.join(process.env.SystemRoot || "C:\\Windows", "System32", "drivers", "etc", "hosts");
-    const TARGET_HOSTS_WIN = ["daily-cloudcode-pa.googleapis.com", "cloudcode-pa.googleapis.com"];
-
-    // Use Chr(34) in VBScript for quotes — avoid escaping issues
     const flagFile = path.join(os.tmpdir(), `mitm_ready_${Date.now()}.flag`);
-
-    // PowerShell uses single-quoted strings — escape single quotes only
     const psSQ = (s) => s.replace(/'/g, "''");
     const certPs = psSQ(certPath);
-    const hostsPs = psSQ(hostsFile);
     const nodePs = psSQ(process.execPath);
     const serverPs = psSQ(SERVER_PATH);
     const flagPs = psSQ(flagFile);
 
-    const dnsLines = TARGET_HOSTS_WIN.map(h =>
-      `$hc = Get-Content -Path '${hostsPs}' -Raw -ErrorAction SilentlyContinue\n` +
-      `if ($hc -notmatch [regex]::Escape('${h}')) { Add-Content -Path '${hostsPs}' -Value '127.0.0.1 ${h}' -Encoding UTF8 }`
-    ).join("\n");
-
     const psScript = [
-      `# 0. Kill any orphan node process on port 443`,
       `$conn = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1`,
       `if ($conn -and $conn.OwningProcess -gt 4) { Stop-Process -Id $conn.OwningProcess -Force -ErrorAction SilentlyContinue }`,
       `Start-Sleep -Milliseconds 500`,
-      ``,
-      `# 1. Install SSL cert to Windows Root store (always run to ensure trust)`,
       `& certutil -addstore Root '${certPs}' | Out-Null`,
-      ``,
-      `# 2. Add DNS entries to hosts file`,
-      dnsLines,
-      `& ipconfig /flushdns | Out-Null`,
-      ``,
-      `# 3. Start node MITM server elevated (required to bind port 443)`,
-      `# Use cmd /c to pass env vars inline — Start-Process does not inherit current env`,
       `$nodeCmd = 'set ROUTER_API_KEY=${psSQ(apiKey)}&& set NODE_ENV=production&& "${nodePs}" "${serverPs}"'`,
       `Start-Process cmd -ArgumentList '/c',$nodeCmd -WindowStyle Hidden`,
-      ``,
-      `# 4. Signal ready`,
       `Start-Sleep -Milliseconds 500`,
       `Set-Content -Path '${flagPs}' -Value 'ready' -Encoding UTF8`,
     ].join("\n");
 
     const tmpPs1 = path.join(os.tmpdir(), `mitm_start_${Date.now()}.ps1`);
     fs.writeFileSync(tmpPs1, psScript, "utf8");
-
-    // VBScript uses Shell.Application.ShellExecute to trigger UAC from any context
-    // Chr(34) = double-quote, avoids VBScript string escaping issues
     const vbs = [
       `Set oShell = CreateObject("Shell.Application")`,
       `Dim ps`,
@@ -463,19 +412,16 @@ async function startMitm(apiKey, sudoPassword) {
     ].join("\r\n");
     const tmpVbs = path.join(os.tmpdir(), `mitm_uac_${Date.now()}.vbs`);
     fs.writeFileSync(tmpVbs, vbs, "utf8");
-
-    // Launch VBScript — shows UAC dialog, user confirms, script runs elevated
     spawn("wscript.exe", [tmpVbs], { stdio: "ignore", windowsHide: false, detached: true }).unref();
 
-    // Poll flag file — resolves when elevated script completes
     await new Promise((resolve, reject) => {
-      const deadline = Date.now() + 90000; // 90s: UAC wait + cert install + node start
+      const deadline = Date.now() + 90000;
       const poll = () => {
         if (fs.existsSync(flagFile)) {
           try { fs.unlinkSync(flagFile); fs.unlinkSync(tmpPs1); fs.unlinkSync(tmpVbs); } catch { /* ignore */ }
           return resolve();
         }
-        if (Date.now() > deadline) return reject(new Error("Timed out waiting for UAC confirmation. Please try again."));
+        if (Date.now() > deadline) return reject(new Error("Timed out waiting for UAC confirmation."));
         setTimeout(poll, 500);
       };
       poll();
@@ -483,28 +429,22 @@ async function startMitm(apiKey, sudoPassword) {
 
     if (_updateSettings) await _updateSettings({ mitmCertInstalled: true }).catch(() => { });
   } else {
-    // macOS/Linux: install cert + add DNS (requires sudo), then spawn server
-    const settings = _getSettings ? await _getSettings().catch(() => ({})) : {};
-    const certAlreadyInstalled = settings.mitmCertInstalled && fs.existsSync(certPath);
-    if (!certAlreadyInstalled) {
+    const { checkCertInstalled } = require("./cert/install");
+    const certTrusted = await checkCertInstalled(certPath);
+    if (!certTrusted) {
       await installCert(sudoPassword, certPath);
       if (_updateSettings) await _updateSettings({ mitmCertInstalled: true }).catch(() => { });
     }
-    console.log("Adding DNS entry...");
-    await addDNSEntry(sudoPassword);
 
-    // sudo -S: read password from stdin, -E: preserve env vars
     const inlineCmd = `ROUTER_API_KEY='${apiKey}' NODE_ENV='production' '${process.execPath}' '${SERVER_PATH}'`;
     serverProcess = spawn(
       "sudo", ["-S", "-E", "sh", "-c", inlineCmd],
       { detached: false, stdio: ["pipe", "pipe", "pipe"] }
     );
-    // Write password then close stdin so sudo proceeds
     serverProcess.stdin.write(`${sudoPassword}\n`);
     serverProcess.stdin.end();
   }
 
-  // Windows: node was started by elevated script — PID comes from health check later
   if (!IS_WIN && serverProcess) {
     serverPid = serverProcess.pid;
     fs.writeFileSync(PID_FILE, String(serverPid));
@@ -517,7 +457,6 @@ async function startMitm(apiKey, sudoPassword) {
     });
     serverProcess.stderr.on("data", (data) => {
       const msg = data.toString().trim();
-      // Capture meaningful errors (ignore sudo password prompt noise)
       if (msg && !msg.includes("Password:") && !msg.includes("password for")) {
         console.error(`[MITM Server Error] ${msg}`);
         startError = msg;
@@ -531,22 +470,16 @@ async function startMitm(apiKey, sudoPassword) {
     });
   }
 
-  // Wait for server to be ready by polling health endpoint on port 443
   const health = await pollMitmHealth(IS_WIN ? 15000 : 8000, MITM_PORT);
-
   if (!health) {
     if (IS_WIN) serverProcess = null;
-    try { await removeDNSEntry(sudoPassword); } catch { /* best effort */ }
     const processUsing443 = getProcessUsingPort443();
     const portInfo = processUsing443 ? ` Port 443 already in use by ${processUsing443}.` : "";
     const reason = startError || `Check sudo password or port 443 access.${portInfo}`;
     throw new Error(`MITM server failed to start. ${reason}`);
   }
 
-  // On Windows, mark cert as installed after successful start
   if (IS_WIN && _updateSettings) await _updateSettings({ mitmCertInstalled: true }).catch(() => { });
-
-  // On Windows, use real PID from health check (launcher exits immediately after UAC)
   if (IS_WIN && health.pid) {
     serverPid = health.pid;
     fs.writeFileSync(PID_FILE, String(serverPid));
@@ -559,16 +492,19 @@ async function startMitm(apiKey, sudoPassword) {
 }
 
 /**
- * Stop MITM proxy
- * @param {string} sudoPassword - Sudo password for DNS cleanup
+ * Stop MITM server — removes ALL tool DNS entries first, then kills server
  */
-async function stopMitm(sudoPassword) {
+async function stopServer(sudoPassword) {
+  // Remove all DNS entries first (before killing server)
+  console.log("[MITM] Removing all DNS entries before stopping server...");
+  await removeAllDNSEntries(sudoPassword);
+
   const proc = serverProcess;
   if (proc && !proc.killed) {
     console.log("Stopping MITM server...");
-    killProcess(proc.pid, false);
+    killProcess(proc.pid, false, sudoPassword);
     await new Promise(resolve => setTimeout(resolve, 1000));
-    if (isProcessAlive(proc.pid)) killProcess(proc.pid, true);
+    if (isProcessAlive(proc.pid)) killProcess(proc.pid, true, sudoPassword);
     serverProcess = null;
     serverPid = null;
   } else {
@@ -577,9 +513,9 @@ async function stopMitm(sudoPassword) {
         const savedPid = parseInt(fs.readFileSync(PID_FILE, "utf-8").trim(), 10);
         if (savedPid && isProcessAlive(savedPid)) {
           console.log(`Killing MITM server (PID: ${savedPid})...`);
-          killProcess(savedPid, false);
+          killProcess(savedPid, false, sudoPassword);
           await new Promise(resolve => setTimeout(resolve, 1000));
-          if (isProcessAlive(savedPid)) killProcess(savedPid, true);
+          if (isProcessAlive(savedPid)) killProcess(savedPid, true, sudoPassword);
         }
       }
     } catch { /* ignore */ }
@@ -588,16 +524,15 @@ async function stopMitm(sudoPassword) {
   }
 
   if (IS_WIN) {
-    // Windows stop: remove DNS entries via elevated VBScript (1 UAC)
     const hostsFile = path.join(process.env.SystemRoot || "C:\\Windows", "System32", "drivers", "etc", "hosts");
-    const TARGET_HOSTS_WIN = ["daily-cloudcode-pa.googleapis.com", "cloudcode-pa.googleapis.com"];
     const psSQ = (s) => s.replace(/'/g, "''");
+    const { TOOL_HOSTS } = require("./dns/dnsConfig");
+    const allHosts = Object.values(TOOL_HOSTS).flat();
 
-    // Filter hosts content in Node (read doesn't need elevation)
     let hostsContent = "";
     try { hostsContent = fs.readFileSync(hostsFile, "utf8"); } catch { /* ignore */ }
     const filtered = hostsContent.split(/\r?\n/)
-      .filter(l => !TARGET_HOSTS_WIN.some(h => l.includes(h)))
+      .filter(l => !allHosts.some(h => l.includes(h)))
       .join("\r\n");
     const tmpHosts = path.join(os.tmpdir(), "mitm_hosts_clean.tmp");
     fs.writeFileSync(tmpHosts, filtered, "utf8");
@@ -622,7 +557,6 @@ async function stopMitm(sudoPassword) {
     fs.writeFileSync(tmpVbs, vbs, "utf8");
     spawn("wscript.exe", [tmpVbs], { stdio: "ignore", windowsHide: false, detached: true }).unref();
 
-    // Poll flag — best effort, don't block UI if user cancels UAC
     await new Promise((resolve) => {
       const deadline = Date.now() + 30000;
       const poll = () => {
@@ -635,20 +569,43 @@ async function stopMitm(sudoPassword) {
       };
       poll();
     });
-  } else {
-    console.log("Removing DNS entry...");
-    await removeDNSEntry(sudoPassword);
   }
 
   try { fs.unlinkSync(PID_FILE); } catch { /* ignore */ }
-
   await saveMitmSettings(false, null);
 
   return { running: false, pid: null };
 }
 
+/**
+ * Enable DNS for a specific tool (requires server running)
+ */
+async function enableToolDNS(tool, sudoPassword) {
+  const status = await getMitmStatus();
+  if (!status.running) throw new Error("MITM server is not running. Start the server first.");
+  await addDNSEntry(tool, sudoPassword);
+  return { success: true };
+}
+
+/**
+ * Disable DNS for a specific tool
+ */
+async function disableToolDNS(tool, sudoPassword) {
+  await removeDNSEntry(tool, sudoPassword);
+  return { success: true };
+}
+
+// Legacy aliases for backward compatibility
+const startMitm = startServer;
+const stopMitm = stopServer;
+
 module.exports = {
   getMitmStatus,
+  startServer,
+  stopServer,
+  enableToolDNS,
+  disableToolDNS,
+  // Legacy
   startMitm,
   stopMitm,
   getCachedPassword,