@ebowwa/mcp-nm 2.0.2 → 2.1.0

package/dist/index.js

@@ -13640,10 +13640,13 @@ class StdioServerTransport {
 // src/index.ts
 import { exec } from "child_process";
 import { promisify } from "util";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
 var execAsync = promisify(exec);
 var server = new Server({
   name: "@ebowwa/mcp-nm",
-  version: "2.0.0"
+  version: "2.1.0"
 }, {
   capabilities: {
     tools: {}
@@ -14977,6 +14980,953 @@ async function handleHexEditor(args) {
     throw new Error(`Hex editor failed: ${error2 instanceof Error ? error2.message : error2}`);
   }
 }
+function isMacOS() {
+  return process.platform === "darwin";
+}
+async function handleCodesignInfo(args) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Code signing tools are only available on macOS. This tool requires the 'codesign' utility."
+      }],
+      isError: true
+    };
+  }
+  try {
+    const results = [];
+    results.push(`Code Signature Info: ${args.filePath}`);
+    results.push("");
+    const { stdout: fileInfo } = await execAsync(`file "${args.filePath}"`);
+    if (!fileInfo.toLowerCase().includes("mach-o")) {
+      results.push("Warning: File does not appear to be a Mach-O binary");
+      results.push(`File type: ${fileInfo.trim()}`);
+    }
+    try {
+      const { stdout: signInfo } = await execAsync(`codesign -dv "${args.filePath}" 2>&1`);
+      results.push("Signature Details:");
+      results.push(signInfo.split(`
+`).map((line) => `  ${line}`).join(`
+`));
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("no signature") || output.includes("code object is not signed")) {
+        results.push("Status: NOT SIGNED");
+        results.push("  The binary has no code signature");
+      } else {
+        results.push(`Signature check: ${output}`);
+      }
+    }
+    try {
+      await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+      results.push("");
+      results.push("Validity: VALID - Signature is intact");
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("not signed")) {
+        results.push("");
+        results.push("Validity: NOT SIGNED");
+      } else {
+        results.push("");
+        results.push(`Validity: INVALID - ${output}`);
+      }
+    }
+    try {
+      const { stdout: reqs } = await execAsync(`codesign -dr - "${args.filePath}" 2>&1`);
+      if (reqs.trim() && !reqs.includes("no signature")) {
+        results.push("");
+        results.push("Designated Requirements:");
+        results.push(reqs.split(`
+`).map((line) => `  ${line}`).join(`
+`));
+      }
+    } catch {}
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handleCodesignRemove(args) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Code signing tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+  const createBackup = args.createBackup !== false;
+  try {
+    const results = [];
+    results.push(`Remove Code Signature: ${args.filePath}`);
+    results.push("");
+    if (createBackup) {
+      const backupPath = `${args.filePath}.bak`;
+      await execAsync(`cp "${args.filePath}" "${backupPath}"`);
+      results.push(`Backup created: ${backupPath}`);
+    }
+    try {
+      const { stdout: signInfo } = await execAsync(`codesign -dv "${args.filePath}" 2>&1`);
+      results.push(`Previous signature: ${signInfo.split(`
+`)[0] || "signed"}`);
+    } catch {
+      results.push("Previous signature: not signed or invalid");
+    }
+    try {
+      await execAsync(`codesign --remove-signature "${args.filePath}"`);
+      results.push("Status: SUCCESS - Code signature removed");
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("no signature")) {
+        results.push("Status: NO ACTION - Binary was not signed");
+      } else {
+        throw new Error(`Failed to remove signature: ${output}`);
+      }
+    }
+    try {
+      await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+      results.push("Warning: Signature still present after removal");
+    } catch (e) {
+      if (e instanceof Error && e.message.includes("not signed")) {
+        results.push("Verification: Confirmed - Binary is now unsigned");
+      }
+    }
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handleCodesignSign(args) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Code signing tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+  const force = args.force !== false;
+  const createBackup = args.createBackup === true;
+  const deep = args.deep === true;
+  const certificate = args.certificate || "-";
+  try {
+    const results = [];
+    results.push(`Sign Binary: ${args.filePath}`);
+    results.push("");
+    if (createBackup) {
+      const backupPath = `${args.filePath}.bak`;
+      await execAsync(`cp "${args.filePath}" "${backupPath}"`);
+      results.push(`Backup created: ${backupPath}`);
+    }
+    const forceFlag = force ? "--force" : "";
+    const deepFlag = deep ? "--deep" : "";
+    const optionsFlag = args.options ? `--options ${args.options}` : "";
+    const cmd = `codesign -s ${certificate} ${forceFlag} ${deepFlag} ${optionsFlag} "${args.filePath}"`.replace(/\s+/g, " ").trim();
+    results.push(`Command: ${cmd}`);
+    results.push(`Signing with: ${certificate === "-" ? "ad-hoc signature" : certificate}`);
+    await execAsync(cmd);
+    results.push("Status: SUCCESS - Binary signed");
+    try {
+      await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+      results.push("Verification: VALID - Signature is intact");
+    } catch (e) {
+      results.push(`Verification: WARNING - ${e instanceof Error ? e.message : String(e)}`);
+    }
+    try {
+      const { stdout: signInfo } = await execAsync(`codesign -dv "${args.filePath}" 2>&1`);
+      const infoLine = signInfo.split(`
+`).find((l) => l.includes("Identifier") || l.includes("Authority"));
+      if (infoLine) {
+        results.push(`New signature: ${infoLine.trim()}`);
+      }
+    } catch {}
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handleQuarantineCheck(args) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Quarantine tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+  try {
+    const results = [];
+    results.push(`Quarantine Check: ${args.filePath}`);
+    results.push("");
+    try {
+      const { stdout: quarantine } = await execAsync(`xattr -p com.apple.quarantine "${args.filePath}" 2>&1`);
+      if (quarantine.trim()) {
+        results.push("Status: QUARANTINED");
+        results.push("");
+        results.push("Quarantine data:");
+        results.push(`  ${quarantine.trim()}`);
+        try {
+          const { stdout: details } = await execAsync(`xattr -l "${args.filePath}" 2>&1`);
+          const quarantineSection = details.split(`
+`).filter((l) => l.includes("quarantine") || l.includes("provenance"));
+          if (quarantineSection.length > 0) {
+            results.push("");
+            results.push("Extended attributes:");
+            quarantineSection.forEach((l) => results.push(`  ${l}`));
+          }
+        } catch {}
+        results.push("");
+        results.push("Note: Quarantine prevents execution of downloaded files.");
+        results.push("Use bin_quarantine_remove to allow execution.");
+      } else {
+        results.push("Status: NOT QUARANTINED");
+        results.push("The file has no quarantine attribute.");
+      }
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("No such xattr") || output.includes("not found")) {
+        results.push("Status: NOT QUARANTINED");
+        results.push("The file has no quarantine attribute.");
+      } else {
+        throw new Error(`Failed to check quarantine: ${output}`);
+      }
+    }
+    try {
+      const { stdout: provenance } = await execAsync(`xattr -p com.apple.provenance "${args.filePath}" 2>&1`);
+      if (provenance.trim()) {
+        results.push("");
+        results.push("Provenance: PRESENT");
+        results.push("  File has provenance metadata (tracks download source)");
+      }
+    } catch {}
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handleQuarantineRemove(args) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Quarantine tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+  try {
+    const results = [];
+    results.push(`Remove Quarantine: ${args.filePath}`);
+    results.push("");
+    let removedAny = false;
+    try {
+      await execAsync(`xattr -d com.apple.quarantine "${args.filePath}" 2>&1`);
+      results.push("Removed: com.apple.quarantine");
+      removedAny = true;
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("No such xattr") || output.includes("not found")) {
+        results.push("Skipped: com.apple.quarantine (not present)");
+      } else {
+        results.push(`Warning: Could not remove quarantine - ${output}`);
+      }
+    }
+    try {
+      await execAsync(`xattr -d com.apple.provenance "${args.filePath}" 2>&1`);
+      results.push("Removed: com.apple.provenance");
+      removedAny = true;
+    } catch {}
+    try {
+      await execAsync(`xattr -d com.apple.metadata:kMDItemWhereFroms "${args.filePath}" 2>&1`);
+      results.push("Removed: com.apple.metadata:kMDItemWhereFroms");
+      removedAny = true;
+    } catch {}
+    if (removedAny) {
+      results.push("");
+      results.push("Status: SUCCESS - Quarantine attributes removed");
+      results.push("The file should now be able to execute without quarantine warnings.");
+    } else {
+      results.push("");
+      results.push("Status: NO ACTION - No quarantine attributes found");
+    }
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handleSafePatch(args) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Safe patching tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+  const createBackup = args.createBackup !== false;
+  try {
+    const results = [];
+    results.push(`Safe Patch Workflow: ${args.filePath}`);
+    results.push(`  Offset: 0x${args.offset.toString(16)} (${args.offset})`);
+    results.push(`  Data: ${args.hexData}`);
+    results.push("");
+    if (createBackup) {
+      const backupPath = `${args.filePath}.bak`;
+      await execAsync(`cp "${args.filePath}" "${backupPath}"`);
+      results.push(`[1/4] Backup created: ${backupPath}`);
+    } else {
+      results.push("[1/4] Backup: SKIPPED (createBackup=false)");
+    }
+    results.push("[2/4] Applying binary patch...");
+    const hexBytes = args.hexData.replace(/\s+/g, "");
+    const byteCount = hexBytes.length / 2;
+    const patchCmd = `printf '${hexBytes}' | dd of="${args.filePath}" bs=1 seek=${args.offset} count=${byteCount} conv=notrunc 2>/dev/null`;
+    await execAsync(patchCmd);
+    results.push(`      Patched ${byteCount} bytes at offset 0x${args.offset.toString(16)}`);
+    results.push("[3/4] Removing old code signature...");
+    try {
+      await execAsync(`codesign --remove-signature "${args.filePath}" 2>&1`);
+      results.push("      Old signature removed");
+    } catch (e) {
+      if (e instanceof Error && e.message.includes("no signature")) {
+        results.push("      No previous signature to remove");
+      } else {
+        results.push(`      Warning: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+    results.push("[4/4] Applying ad-hoc signature...");
+    await execAsync(`codesign --force --sign - "${args.filePath}"`);
+    results.push("      Ad-hoc signature applied");
+    results.push("[5/5] Removing quarantine attributes...");
+    try {
+      await execAsync(`xattr -d com.apple.quarantine "${args.filePath}" 2>&1`);
+      results.push("      Quarantine attribute removed");
+    } catch {
+      results.push("      No quarantine attribute present");
+    }
+    try {
+      await execAsync(`xattr -d com.apple.provenance "${args.filePath}" 2>&1`);
+      results.push("      Provenance attribute removed");
+    } catch {}
+    results.push("");
+    results.push("Verification:");
+    try {
+      await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+      results.push("  Code signature: VALID");
+    } catch (e) {
+      results.push(`  Code signature: WARNING - ${e instanceof Error ? e.message : String(e)}`);
+    }
+    try {
+      const { stdout: fileInfo } = await execAsync(`file "${args.filePath}"`);
+      if (fileInfo.includes("executable")) {
+        results.push("  File type: Executable");
+      }
+    } catch {}
+    results.push("");
+    results.push("Status: SUCCESS - Binary patched and ready to run");
+    results.push("Note: The binary is now signed with an ad-hoc signature.");
+    results.push("      Some apps may require proper code signing for full functionality.");
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handleBinVerify(args) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Binary verification tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+  try {
+    const results = [];
+    const issues = [];
+    results.push(`Binary Verification: ${args.filePath}`);
+    results.push("");
+    let isMachO = false;
+    try {
+      const { stdout: fileInfo } = await execAsync(`file "${args.filePath}"`);
+      results.push(`File type: ${fileInfo.trim()}`);
+      isMachO = fileInfo.toLowerCase().includes("mach-o");
+    } catch (e) {
+      return {
+        content: [{ type: "text", text: `Error: Cannot read file - ${e instanceof Error ? e.message : String(e)}` }],
+        isError: true
+      };
+    }
+    try {
+      const { stdout: perms } = await execAsync(`ls -la "${args.filePath}"`);
+      const permLine = perms.split(`
+`).find((l) => l.includes(args.filePath.split("/").pop() || ""));
+      if (permLine) {
+        results.push(`Permissions: ${permLine.split(/\s+/)[0]}`);
+        if (!permLine.includes("x")) {
+          issues.push("File is not executable (no execute permission)");
+        }
+      }
+    } catch {
+      results.push("Permissions: Unable to check");
+    }
+    results.push("");
+    if (isMachO) {
+      results.push("Code Signature:");
+      try {
+        const { stdout: signInfo } = await execAsync(`codesign -dv "${args.filePath}" 2>&1`);
+        const authority = signInfo.split(`
+`).find((l) => l.includes("Authority"));
+        if (authority) {
+          results.push(`  Status: SIGNED (${authority.split(":")[1]?.trim() || "unknown authority"})`);
+        } else {
+          results.push("  Status: SIGNED (ad-hoc or unknown)");
+        }
+      } catch (e) {
+        const output = e instanceof Error ? e.message : String(e);
+        if (output.includes("not signed")) {
+          results.push("  Status: UNSIGNED");
+          issues.push("Binary is not code signed");
+        } else {
+          results.push(`  Status: INVALID - ${output}`);
+          issues.push("Code signature is invalid");
+        }
+      }
+      try {
+        await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+        results.push("  Validity: VALID");
+      } catch (e) {
+        const output = e instanceof Error ? e.message : String(e);
+        if (!output.includes("not signed")) {
+          results.push(`  Validity: INVALID - ${output}`);
+          issues.push("Code signature verification failed");
+        }
+      }
+    }
+    results.push("");
+    results.push("Quarantine:");
+    try {
+      const { stdout: quar } = await execAsync(`xattr -p com.apple.quarantine "${args.filePath}" 2>&1`);
+      if (quar.trim()) {
+        results.push("  Status: QUARANTINED");
+        issues.push("File is quarantined and may be blocked from running");
+      } else {
+        results.push("  Status: NOT QUARANTINED");
+      }
+    } catch {
+      results.push("  Status: NOT QUARANTINED");
+    }
+    if (isMachO) {
+      results.push("");
+      results.push("Architecture:");
+      try {
+        const { stdout: arch } = await execAsync(`lipo -info "${args.filePath}" 2>&1`);
+        results.push(`  ${arch.trim()}`);
+        try {
+          const { stdout: currentArch } = await execAsync(`uname -m`);
+          if (!arch.includes(currentArch.trim()) && !arch.includes("universal")) {
+            issues.push(`Binary may not be compatible with current architecture (${currentArch.trim()})`);
+          }
+        } catch {}
+      } catch (e) {
+        results.push(`  Unable to determine: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+    results.push("");
+    results.push("=== SUMMARY ===");
+    if (issues.length === 0) {
+      results.push("Status: READY TO RUN");
+      results.push("The binary should execute without issues.");
+    } else {
+      results.push("Status: ISSUES DETECTED");
+      results.push("");
+      results.push("Issues:");
+      issues.forEach((issue2, i) => results.push(`  ${i + 1}. ${issue2}`));
+      results.push("");
+      results.push("Suggested fixes:");
+      if (issues.some((i) => i.includes("quarantined"))) {
+        results.push("  - Run: xattr -d com.apple.quarantine <file>");
+      }
+      if (issues.some((i) => i.includes("not code signed") || i.includes("signature"))) {
+        results.push("  - Run: codesign --force --sign - <file>");
+      }
+      if (issues.some((i) => i.includes("not executable"))) {
+        results.push("  - Run: chmod +x <file>");
+      }
+    }
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+var PATCH_DIR = path.join(os.homedir(), ".claude", "patches");
+var MANIFEST_PATH = path.join(PATCH_DIR, "manifest.json");
+var BACKUPS_DIR = path.join(PATCH_DIR, "backups");
+var MANIFEST_VERSION = "1.0.0";
+function ensurePatchDir() {
+  if (!fs.existsSync(PATCH_DIR)) {
+    fs.mkdirSync(PATCH_DIR, { recursive: true });
+  }
+  if (!fs.existsSync(BACKUPS_DIR)) {
+    fs.mkdirSync(BACKUPS_DIR, { recursive: true });
+  }
+}
+function loadManifest() {
+  ensurePatchDir();
+  if (fs.existsSync(MANIFEST_PATH)) {
+    try {
+      const data = fs.readFileSync(MANIFEST_PATH, "utf-8");
+      return JSON.parse(data);
+    } catch {}
+  }
+  return {
+    version: MANIFEST_VERSION,
+    createdAt: new Date().toISOString(),
+    updatedAt: new Date().toISOString(),
+    binaries: {}
+  };
+}
+function saveManifest(manifest) {
+  ensurePatchDir();
+  manifest.updatedAt = new Date().toISOString();
+  fs.writeFileSync(MANIFEST_PATH, JSON.stringify(manifest, null, 2));
+}
+async function getFileChecksum(filePath) {
+  try {
+    const { stdout } = await execAsync(`shasum -a 256 "${filePath}" | cut -d' ' -f1`);
+    return stdout.trim();
+  } catch {
+    return "unknown";
+  }
+}
+function readBytesAtOffset(filePath, offset, length) {
+  const fd = fs.openSync(filePath, "r");
+  const buffer = Buffer.alloc(length);
+  fs.readSync(fd, buffer, 0, length, offset);
+  fs.closeSync(fd);
+  return buffer.toString("hex").match(/.{2}/g)?.join(" ").toUpperCase() || "";
+}
+function writeBytesAtOffset(filePath, offset, hexData) {
+  const bytes = Buffer.from(hexData.replace(/\s+/g, ""), "hex");
+  const fd = fs.openSync(filePath, "r+");
+  fs.writeSync(fd, bytes, 0, bytes.length, offset);
+  fs.closeSync(fd);
+}
+async function handlePatchRegister(args) {
+  try {
+    const results = [];
+    results.push(`Register Patch: ${args.patchId}`);
+    results.push(`Binary: ${args.filePath}`);
+    results.push(`Offset: 0x${args.offset.toString(16)} (${args.offset})`);
+    results.push("");
+    if (!fs.existsSync(args.filePath)) {
+      return {
+        content: [{ type: "text", text: `Error: File not found: ${args.filePath}` }],
+        isError: true
+      };
+    }
+    const patchedBytes = args.patchedBytes.replace(/\s+/g, "").toUpperCase();
+    const byteLength = patchedBytes.length / 2;
+    let originalBytes = "";
+    if (args.captureOriginal !== false) {
+      try {
+        originalBytes = readBytesAtOffset(args.filePath, args.offset, byteLength);
+        results.push(`Original bytes: ${originalBytes}`);
+      } catch (e) {
+        return {
+          content: [{ type: "text", text: `Error: Could not read original bytes - ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true
+        };
+      }
+    }
+    const backupFileName = `${path.basename(args.filePath)}.offset_${args.offset}.bin`;
+    const backupPath = path.join(BACKUPS_DIR, backupFileName);
+    if (originalBytes) {
+      fs.writeFileSync(backupPath, Buffer.from(originalBytes.replace(/\s+/g, ""), "hex"));
+      results.push(`Backup saved: ${backupPath}`);
+    }
+    const manifest = loadManifest();
+    const checksum = await getFileChecksum(args.filePath);
+    if (!manifest.binaries[args.filePath]) {
+      manifest.binaries[args.filePath] = {
+        binaryPath: args.filePath,
+        binaryName: path.basename(args.filePath),
+        lastPatchedChecksum: checksum,
+        lastAppliedAt: new Date().toISOString(),
+        patches: []
+      };
+    }
+    const existingIndex = manifest.binaries[args.filePath].patches.findIndex((p) => p.id === args.patchId);
+    const newPatch = {
+      id: args.patchId,
+      offset: args.offset,
+      originalBytes: originalBytes || "UNKNOWN",
+      patchedBytes: patchedBytes.match(/.{2}/g)?.join(" ") || patchedBytes,
+      description: args.description,
+      createdAt: new Date().toISOString()
+    };
+    if (existingIndex >= 0) {
+      manifest.binaries[args.filePath].patches[existingIndex] = newPatch;
+      results.push(`Updated existing patch: ${args.patchId}`);
+    } else {
+      manifest.binaries[args.filePath].patches.push(newPatch);
+      results.push(`Registered new patch: ${args.patchId}`);
+    }
+    saveManifest(manifest);
+    results.push("");
+    results.push("Patch registered successfully!");
+    results.push(`Manifest: ${MANIFEST_PATH}`);
+    results.push("");
+    results.push("To apply this patch, use: bin_patch_apply");
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handlePatchApply(args) {
+  const isMac = isMacOS();
+  const resign = args.resign !== false && isMac;
+  const removeQuarantine = args.removeQuarantine !== false && isMac;
+  try {
+    const results = [];
+    results.push(`Apply Patches: ${args.filePath}`);
+    results.push("");
+    const manifest = loadManifest();
+    const record3 = manifest.binaries[args.filePath];
+    if (!record3 || record3.patches.length === 0) {
+      results.push("No registered patches found for this binary.");
+      results.push("");
+      results.push("To register a patch, use: bin_patch_register");
+      return { content: [{ type: "text", text: results.join(`
+`) }] };
+    }
+    const currentChecksum = await getFileChecksum(args.filePath);
+    results.push(`Current checksum: ${currentChecksum.substring(0, 16)}...`);
+    results.push(`Last patched checksum: ${record3.lastPatchedChecksum.substring(0, 16)}...`);
+    if (currentChecksum === record3.lastPatchedChecksum) {
+      results.push("Status: Binary appears to already have patches applied.");
+      results.push("Use force=true to re-apply anyway.");
+      return { content: [{ type: "text", text: results.join(`
+`) }] };
+    }
+    results.push("Binary has been updated - applying patches...");
+    results.push("");
+    const backupPath = `${args.filePath}.prepatch`;
+    fs.copyFileSync(args.filePath, backupPath);
+    results.push(`Backup: ${backupPath}`);
+    let appliedCount = 0;
+    for (const patch of record3.patches) {
+      try {
+        results.push(`Applying: ${patch.id}`);
+        results.push(`  Offset: 0x${patch.offset.toString(16)}`);
+        results.push(`  Bytes: ${patch.patchedBytes}`);
+        writeBytesAtOffset(args.filePath, patch.offset, patch.patchedBytes);
+        appliedCount++;
+        results.push("  Status: Applied");
+      } catch (e) {
+        results.push(`  Status: FAILED - ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+    if (isMac && appliedCount > 0) {
+      results.push("");
+      if (resign) {
+        results.push("Re-signing binary...");
+        try {
+          await execAsync(`codesign --remove-signature "${args.filePath}" 2>&1`);
+          await execAsync(`codesign --force --sign - "${args.filePath}"`);
+          results.push("  Status: Re-signed with ad-hoc signature");
+        } catch (e) {
+          results.push(`  Warning: ${e instanceof Error ? e.message : String(e)}`);
+        }
+      }
+      if (removeQuarantine) {
+        results.push("Removing quarantine...");
+        try {
+          await execAsync(`xattr -d com.apple.quarantine "${args.filePath}" 2>&1`);
+          await execAsync(`xattr -d com.apple.provenance "${args.filePath}" 2>&1`);
+          results.push("  Status: Quarantine attributes removed");
+        } catch {
+          results.push("  Status: No quarantine to remove");
+        }
+      }
+    }
+    const newChecksum = await getFileChecksum(args.filePath);
+    record3.lastPatchedChecksum = newChecksum;
+    record3.lastAppliedAt = new Date().toISOString();
+    saveManifest(manifest);
+    results.push("");
+    results.push(`=== SUMMARY ===`);
+    results.push(`Patches applied: ${appliedCount}/${record3.patches.length}`);
+    results.push(`New checksum: ${newChecksum.substring(0, 16)}...`);
+    results.push("Binary is ready to use.");
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handlePatchVerify(args) {
+  try {
+    const results = [];
+    results.push(`Verify Patches: ${args.filePath}`);
+    results.push("");
+    const manifest = loadManifest();
+    const record3 = manifest.binaries[args.filePath];
+    if (!record3 || record3.patches.length === 0) {
+      results.push("No registered patches found for this binary.");
+      return { content: [{ type: "text", text: results.join(`
+`) }] };
+    }
+    const currentChecksum = await getFileChecksum(args.filePath);
+    results.push(`Current checksum: ${currentChecksum.substring(0, 16)}...`);
+    results.push(`Expected checksum: ${record3.lastPatchedChecksum.substring(0, 16)}...`);
+    results.push("");
+    if (currentChecksum !== record3.lastPatchedChecksum) {
+      results.push("⚠️  Binary has been UPDATED since last patch.");
+      results.push("   Run bin_patch_apply to re-apply patches.");
+      results.push("");
+    } else {
+      results.push("✓ Binary checksum matches patched version.");
+      results.push("");
+    }
+    results.push("Patch Status:");
+    let allApplied = true;
+    for (const patch of record3.patches) {
+      try {
+        const byteLength = patch.patchedBytes.replace(/\s+/g, "").length / 2;
+        const currentBytes = readBytesAtOffset(args.filePath, patch.offset, byteLength);
+        const normalizedCurrent = currentBytes.replace(/\s+/g, "").toUpperCase();
+        const normalizedPatched = patch.patchedBytes.replace(/\s+/g, "").toUpperCase();
+        if (normalizedCurrent === normalizedPatched) {
+          results.push(`  ✓ ${patch.id}: APPLIED`);
+        } else if (normalizedCurrent === patch.originalBytes.replace(/\s+/g, "").toUpperCase()) {
+          results.push(`  ✗ ${patch.id}: NOT APPLIED (original bytes present)`);
+          allApplied = false;
+        } else {
+          results.push(`  ? ${patch.id}: UNKNOWN (bytes don't match expected)`);
+          results.push(`      Current: ${currentBytes}`);
+          results.push(`      Expected: ${patch.patchedBytes}`);
+          allApplied = false;
+        }
+      } catch (e) {
+        results.push(`  ✗ ${patch.id}: ERROR - ${e instanceof Error ? e.message : String(e)}`);
+        allApplied = false;
+      }
+    }
+    results.push("");
+    if (allApplied && currentChecksum === record3.lastPatchedChecksum) {
+      results.push("Status: All patches verified and applied.");
+    } else if (!allApplied) {
+      results.push("Status: Some patches need to be applied.");
+      results.push("Action: Run bin_patch_apply");
+    } else {
+      results.push("Status: Binary may have been updated. Re-apply patches.");
+      results.push("Action: Run bin_patch_apply");
+    }
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handlePatchRestore(args) {
+  const isMac = isMacOS();
+  const resign = args.resign !== false && isMac;
+  try {
+    const results = [];
+    results.push(`Restore Patches: ${args.filePath}`);
+    results.push("");
+    const manifest = loadManifest();
+    const record3 = manifest.binaries[args.filePath];
+    if (!record3 || record3.patches.length === 0) {
+      results.push("No registered patches found for this binary.");
+      return { content: [{ type: "text", text: results.join(`
+`) }] };
+    }
+    const patchesToRestore = args.patchId ? record3.patches.filter((p) => p.id === args.patchId) : record3.patches;
+    if (patchesToRestore.length === 0) {
+      results.push(`No patch found with ID: ${args.patchId}`);
+      return { content: [{ type: "text", text: results.join(`
+`) }] };
+    }
+    const backupPath = `${args.filePath}.prerestore`;
+    fs.copyFileSync(args.filePath, backupPath);
+    results.push(`Backup: ${backupPath}`);
+    results.push("");
+    let restoredCount = 0;
+    for (const patch of patchesToRestore) {
+      if (patch.originalBytes === "UNKNOWN") {
+        results.push(`${patch.id}: SKIPPED (no original bytes captured)`);
+        continue;
+      }
+      try {
+        results.push(`Restoring: ${patch.id}`);
+        writeBytesAtOffset(args.filePath, patch.offset, patch.originalBytes);
+        results.push(`  Offset: 0x${patch.offset.toString(16)}`);
+        results.push(`  Bytes: ${patch.originalBytes}`);
+        results.push("  Status: Restored");
+        restoredCount++;
+      } catch (e) {
+        results.push(`  Status: FAILED - ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+    if (isMac && restoredCount > 0 && resign) {
+      results.push("");
+      results.push("Re-signing binary...");
+      try {
+        await execAsync(`codesign --remove-signature "${args.filePath}" 2>&1`);
+        await execAsync(`codesign --force --sign - "${args.filePath}"`);
+        results.push("  Status: Re-signed with ad-hoc signature");
+      } catch (e) {
+        results.push(`  Warning: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+    const newChecksum = await getFileChecksum(args.filePath);
+    record3.lastPatchedChecksum = newChecksum;
+    saveManifest(manifest);
+    results.push("");
+    results.push(`Restored: ${restoredCount}/${patchesToRestore.length} patches`);
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handlePatchList(args) {
+  try {
+    const results = [];
+    results.push("Patch Registry");
+    results.push(`Manifest: ${MANIFEST_PATH}`);
+    results.push("");
+    const manifest = loadManifest();
+    if (Object.keys(manifest.binaries).length === 0) {
+      results.push("No patches registered.");
+      results.push("");
+      results.push("To register a patch, use: bin_patch_register");
+      return { content: [{ type: "text", text: results.join(`
+`) }] };
+    }
+    const binariesToShow = args.filePath ? { [args.filePath]: manifest.binaries[args.filePath] } : manifest.binaries;
+    for (const [binaryPath, record3] of Object.entries(binariesToShow)) {
+      if (!record3)
+        continue;
+      results.push(`═══════════════════════════════════════════════════════════`);
+      results.push(`Binary: ${binaryPath}`);
+      results.push(`Name: ${record3.binaryName}`);
+      results.push(`Patches: ${record3.patches.length}`);
+      results.push(`Last Applied: ${record3.lastAppliedAt}`);
+      results.push(`Checksum: ${record3.lastPatchedChecksum.substring(0, 16)}...`);
+      results.push("");
+      if (record3.patches.length > 0) {
+        results.push("Registered Patches:");
+        for (const patch of record3.patches) {
+          results.push(`  ┌─ ${patch.id} ─────────────────────────────────`);
+          results.push(`  │ Offset: 0x${patch.offset.toString(16)} (${patch.offset})`);
+          results.push(`  │ Original: ${patch.originalBytes}`);
+          results.push(`  │ Patched:  ${patch.patchedBytes}`);
+          results.push(`  │ Description: ${patch.description}`);
+          results.push(`  │ Created: ${patch.createdAt}`);
+          results.push(`  └────────────────────────────────────────────`);
+        }
+      }
+      results.push("");
+    }
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
+async function handlePatchRemove(args) {
+  try {
+    const results = [];
+    results.push(`Remove Patch: ${args.patchId}`);
+    results.push("");
+    const manifest = loadManifest();
+    const record3 = manifest.binaries[args.filePath];
+    if (!record3) {
+      results.push("No patches registered for this binary.");
+      return { content: [{ type: "text", text: results.join(`
+`) }] };
+    }
+    const index = record3.patches.findIndex((p) => p.id === args.patchId);
+    if (index < 0) {
+      results.push(`Patch not found: ${args.patchId}`);
+      return { content: [{ type: "text", text: results.join(`
+`) }] };
+    }
+    const removed = record3.patches.splice(index, 1)[0];
+    results.push("Removed patch:");
+    results.push(`  ID: ${removed.id}`);
+    results.push(`  Offset: 0x${removed.offset.toString(16)}`);
+    results.push(`  Description: ${removed.description}`);
+    if (record3.patches.length === 0) {
+      delete manifest.binaries[args.filePath];
+      results.push("");
+      results.push("No more patches for this binary - removed from registry.");
+    }
+    saveManifest(manifest);
+    results.push("");
+    results.push("Patch removed from registry.");
+    results.push("Note: This does NOT undo the patch in the binary.");
+    results.push("Use bin_patch_restore to restore original bytes.");
+    return { content: [{ type: "text", text: results.join(`
+`) }] };
+  } catch (error2) {
+    return {
+      content: [{ type: "text", text: `Error: ${error2 instanceof Error ? error2.message : String(error2)}` }],
+      isError: true
+    };
+  }
+}
 var TOOLS = [
   {
     name: "nm_list_symbols",
@@ -15439,6 +16389,168 @@ var TOOLS = [
       },
       required: ["filePath", "offset", "length"]
     }
+  },
+  {
+    name: "bin_codesign_info",
+    description: "Show code signature details for a macOS binary (macOS only)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" }
+      },
+      required: ["filePath"]
+    }
+  },
+  {
+    name: "bin_codesign_remove",
+    description: "Remove code signature from a macOS binary (DESTRUCTIVE - macOS only)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        createBackup: { type: "boolean", description: "Create .bak backup (default: true)" }
+      },
+      required: ["filePath"]
+    }
+  },
+  {
+    name: "bin_codesign_sign",
+    description: "Apply ad-hoc or certificate signature to a macOS binary (macOS only)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        certificate: { type: "string", description: "Certificate identity (default: '-' for ad-hoc signature)" },
+        force: { type: "boolean", description: "Force replace existing signature (default: true)" },
+        createBackup: { type: "boolean", description: "Create .bak backup before signing" },
+        deep: { type: "boolean", description: "Sign all nested code" },
+        options: { type: "string", description: "Additional signing options (e.g., 'runtime' for hardened runtime)" }
+      },
+      required: ["filePath"]
+    }
+  },
+  {
+    name: "bin_quarantine_check",
+    description: "Check quarantine status of a file on macOS (macOS only)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the file" }
+      },
+      required: ["filePath"]
+    }
+  },
+  {
+    name: "bin_quarantine_remove",
+    description: "Remove quarantine attributes from a file on macOS (DESTRUCTIVE - macOS only)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the file" }
+      },
+      required: ["filePath"]
+    }
+  },
+  {
+    name: "bin_safe_patch",
+    description: "Safe binary patching workflow for macOS: patch, remove signature, re-sign, remove quarantine (DESTRUCTIVE - macOS only)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        offset: { type: "number", description: "Byte offset to patch" },
+        hexData: { type: "string", description: "Hex bytes to write (e.g., '90 90 90')" },
+        createBackup: { type: "boolean", description: "Create .bak backup (default: true)" }
+      },
+      required: ["filePath", "offset", "hexData"]
+    }
+  },
+  {
+    name: "bin_verify",
+    description: "Verify if a macOS binary will run: check signature, quarantine, architecture (macOS only)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" }
+      },
+      required: ["filePath"]
+    }
+  },
+  {
+    name: "bin_patch_register",
+    description: "Register a binary patch for persistence across updates. Captures original bytes and stores in manifest.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        patchId: { type: "string", description: "Unique identifier for this patch (e.g., 'skip-permissions')" },
+        offset: { type: "number", description: "Byte offset to patch" },
+        patchedBytes: { type: "string", description: "Hex bytes to write (e.g., '90 90 90')" },
+        description: { type: "string", description: "Description of what this patch does" },
+        captureOriginal: { type: "boolean", description: "Capture original bytes (default: true)" }
+      },
+      required: ["filePath", "patchId", "offset", "patchedBytes", "description"]
+    }
+  },
+  {
+    name: "bin_patch_apply",
+    description: "Apply all registered patches to a binary. Handles macOS re-signing and quarantine. Detects binary updates.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        resign: { type: "boolean", description: "Re-sign binary after patching (macOS, default: true)" },
+        removeQuarantine: { type: "boolean", description: "Remove quarantine after patching (macOS, default: true)" }
+      },
+      required: ["filePath"]
+    }
+  },
+  {
+    name: "bin_patch_verify",
+    description: "Verify if registered patches are currently applied to a binary. Detects if binary was updated.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" }
+      },
+      required: ["filePath"]
+    }
+  },
+  {
+    name: "bin_patch_restore",
+    description: "Restore original bytes for registered patches. Undoes patches in the binary.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        patchId: { type: "string", description: "Specific patch to restore (optional - restores all if omitted)" },
+        resign: { type: "boolean", description: "Re-sign binary after restoring (macOS, default: true)" }
+      },
+      required: ["filePath"]
+    }
+  },
+  {
+    name: "bin_patch_list",
+    description: "List all registered patches in the manifest, optionally filtered by binary.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Filter by binary path (optional)" }
+      },
+      required: []
+    }
+  },
+  {
+    name: "bin_patch_remove",
+    description: "Remove a patch from the registry. Does NOT undo the patch in the binary.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        patchId: { type: "string", description: "ID of the patch to remove from registry" }
+      },
+      required: ["filePath", "patchId"]
+    }
   }
 ];
 server.setRequestHandler(ListToolsRequestSchema, async () => {
@@ -15516,6 +16628,32 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         return await handleHexEditor(args);
       case "bin_convert":
         return await handleConvertNumber(args);
+      case "bin_codesign_info":
+        return await handleCodesignInfo(args);
+      case "bin_codesign_remove":
+        return await handleCodesignRemove(args);
+      case "bin_codesign_sign":
+        return await handleCodesignSign(args);
+      case "bin_quarantine_check":
+        return await handleQuarantineCheck(args);
+      case "bin_quarantine_remove":
+        return await handleQuarantineRemove(args);
+      case "bin_safe_patch":
+        return await handleSafePatch(args);
+      case "bin_verify":
+        return await handleBinVerify(args);
+      case "bin_patch_register":
+        return await handlePatchRegister(args);
+      case "bin_patch_apply":
+        return await handlePatchApply(args);
+      case "bin_patch_verify":
+        return await handlePatchVerify(args);
+      case "bin_patch_restore":
+        return await handlePatchRestore(args);
+      case "bin_patch_list":
+        return await handlePatchList(args);
+      case "bin_patch_remove":
+        return await handlePatchRemove(args);
       default:
         throw new Error(`Unknown tool: ${name}`);
     }